Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[RAM] Add missing privilege to alerting read operations #166603

Merged
merged 6 commits into from
Sep 22, 2023
Merged

[RAM] Add missing privilege to alerting read operations #166603

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
b873f5a
Add missing privilege to alerting read operations
umbopepato Sep 18, 2023
4dfd018
Fix failing alerting tests
umbopepato Sep 18, 2023
297bdb2
Merge branch 'main' into 158957-alerting-privs-missing
umbopepato Sep 18, 2023
819f95a
Add action error log integration tests
umbopepato Sep 20, 2023
0b3dce7
Merge branch 'main' into 158957-alerting-privs-missing
umbopepato Sep 20, 2023
fb68a8c
Merge branch 'main' into 158957-alerting-privs-missing
umbopepato Sep 21, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions ...ugins/security/server/authorization/privileges/feature_privilege_builder/alerting.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,7 @@ describe(`feature_privilege_builder`, () => {
"alerting:alert-type/my-feature/rule/getRuleState",
"alerting:alert-type/my-feature/rule/getAlertSummary",
"alerting:alert-type/my-feature/rule/getExecutionLog",
"alerting:alert-type/my-feature/rule/getActionErrorLog",
"alerting:alert-type/my-feature/rule/find",
"alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:alert-type/my-feature/rule/runSoon",
Expand Down Expand Up @@ -174,6 +175,7 @@ describe(`feature_privilege_builder`, () => {
"alerting:alert-type/my-feature/rule/getRuleState",
"alerting:alert-type/my-feature/rule/getAlertSummary",
"alerting:alert-type/my-feature/rule/getExecutionLog",
"alerting:alert-type/my-feature/rule/getActionErrorLog",
"alerting:alert-type/my-feature/rule/find",
"alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:alert-type/my-feature/rule/runSoon",
Expand Down Expand Up @@ -221,6 +223,7 @@ describe(`feature_privilege_builder`, () => {
"alerting:alert-type/my-feature/rule/getRuleState",
"alerting:alert-type/my-feature/rule/getAlertSummary",
"alerting:alert-type/my-feature/rule/getExecutionLog",
"alerting:alert-type/my-feature/rule/getActionErrorLog",
"alerting:alert-type/my-feature/rule/find",
"alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:alert-type/my-feature/rule/runSoon",
Expand Down Expand Up @@ -325,6 +328,7 @@ describe(`feature_privilege_builder`, () => {
"alerting:alert-type/my-feature/rule/getRuleState",
"alerting:alert-type/my-feature/rule/getAlertSummary",
"alerting:alert-type/my-feature/rule/getExecutionLog",
"alerting:alert-type/my-feature/rule/getActionErrorLog",
"alerting:alert-type/my-feature/rule/find",
"alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:alert-type/my-feature/rule/runSoon",
Expand Down Expand Up @@ -389,6 +393,7 @@ describe(`feature_privilege_builder`, () => {
"alerting:alert-type/my-feature/rule/getRuleState",
"alerting:alert-type/my-feature/rule/getAlertSummary",
"alerting:alert-type/my-feature/rule/getExecutionLog",
"alerting:alert-type/my-feature/rule/getActionErrorLog",
"alerting:alert-type/my-feature/rule/find",
"alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:alert-type/my-feature/rule/runSoon",
Expand All @@ -412,6 +417,7 @@ describe(`feature_privilege_builder`, () => {
"alerting:readonly-alert-type/my-feature/rule/getRuleState",
"alerting:readonly-alert-type/my-feature/rule/getAlertSummary",
"alerting:readonly-alert-type/my-feature/rule/getExecutionLog",
"alerting:readonly-alert-type/my-feature/rule/getActionErrorLog",
"alerting:readonly-alert-type/my-feature/rule/find",
"alerting:readonly-alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:readonly-alert-type/my-feature/rule/runSoon",
Expand Down Expand Up @@ -504,6 +510,7 @@ describe(`feature_privilege_builder`, () => {
"alerting:alert-type/my-feature/rule/getRuleState",
"alerting:alert-type/my-feature/rule/getAlertSummary",
"alerting:alert-type/my-feature/rule/getExecutionLog",
"alerting:alert-type/my-feature/rule/getActionErrorLog",
"alerting:alert-type/my-feature/rule/find",
"alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:alert-type/my-feature/rule/runSoon",
Expand All @@ -527,6 +534,7 @@ describe(`feature_privilege_builder`, () => {
"alerting:readonly-alert-type/my-feature/rule/getRuleState",
"alerting:readonly-alert-type/my-feature/rule/getAlertSummary",
"alerting:readonly-alert-type/my-feature/rule/getExecutionLog",
"alerting:readonly-alert-type/my-feature/rule/getActionErrorLog",
"alerting:readonly-alert-type/my-feature/rule/find",
"alerting:readonly-alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:readonly-alert-type/my-feature/rule/runSoon",
Expand Down
1 change: 1 addition & 0 deletions ...ck/plugins/security/server/authorization/privileges/feature_privilege_builder/alerting.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ const readOperations: Record<AlertingEntity, string[]> = {
'getRuleState',
'getAlertSummary',
'getExecutionLog',
'getActionErrorLog',
'find',
'getRuleExecutionKPI',
'runSoon',
Expand Down
108 changes: 104 additions & 4 deletions ...lerting_api_integration/security_and_spaces/group2/tests/alerting/get_action_error_log.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,20 @@
import expect from '@kbn/expect';

import { ESTestIndexTool } from '@kbn/alerting-api-integration-helpers';
import { Spaces } from '../../../scenarios';
import { getUrlPrefix, ObjectRemover, getTestRuleData, getEventLog } from '../../../../common/lib';
import { Spaces, UserAtSpaceScenarios } from '../../../scenarios';
import {
getUrlPrefix,
ObjectRemover,
getTestRuleData,
getEventLog,
getConsumerUnauthorizedErrorMessage,
} from '../../../../common/lib';
import { FtrProviderContext } from '../../../../common/ftr_provider_context';

// eslint-disable-next-line import/no-default-export
export default function createGetActionErrorLogTests({ getService }: FtrProviderContext) {
const supertest = getService('supertest');
const supertestWithoutAuth = getService('supertestWithoutAuth');
const retry = getService('retry');
const es = getService('es');
const esTestIndexTool = new ESTestIndexTool(es, retry);
Expand All @@ -33,6 +40,98 @@ export default function createGetActionErrorLogTests({ getService }: FtrProvider
await objectRemover.removeAll();
});

for (const scenario of UserAtSpaceScenarios) {
const { user, space } = scenario;
describe(scenario.id, () => {
it('gets action error logs for rules with action errors with appropriate authorization', async () => {
const { body: createdConnector } = await supertest
.post(`${getUrlPrefix(space.id)}/api/actions/connector`)
.set('kbn-xsrf', 'foo')
.send({
name: 'connector that throws',
connector_type_id: 'test.throw',
config: {},
secrets: {},
})
.expect(200);
objectRemover.add(space.id, createdConnector.id, 'action', 'actions');

const { body: createdRule } = await supertest
.post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
.set('kbn-xsrf', 'foo')
.send(
getTestRuleData({
rule_type_id: 'test.cumulative-firing',
actions: [
{
id: createdConnector.id,
group: 'default',
params: {},
},
],
})
)
.expect(200);
objectRemover.add(space.id, createdRule.id, 'rule', 'alerting');

await waitForEvents(
createdRule.id,
'alerting',
new Map([['execute', { gte: 1 }]]),
space.id
);
await waitForEvents(
createdRule.id,
'actions',
new Map([['execute', { gte: 1 }]]),
space.id
);

const response = await supertestWithoutAuth
.get(
`${getUrlPrefix(space.id)}/internal/alerting/rule/${
createdRule.id
}/_action_error_log?date_start=${dateStart}`
)
.auth(user.username, user.password);

switch (scenario.id) {
case 'no_kibana_privileges at space1':
case 'space_1_all at space2':
expect(response.statusCode).to.eql(403);
expect(response.body).to.eql({
error: 'Forbidden',
message: getConsumerUnauthorizedErrorMessage(
'get',
'test.cumulative-firing',
'alertsFixture'
),
statusCode: 403,
});
break;
case 'global_read at space1':
case 'superuser at space1':
case 'space_1_all at space1':
case 'space_1_all_alerts_none_actions at space1':
case 'space_1_all_with_restricted_fixture at space1':
expect(response.statusCode).to.eql(200);
expect(response.body.totalErrors).to.eql(1);
expect(response.body.errors.length).to.eql(1);

for (const errors of response.body.errors) {
expect(errors.type).to.equal('actions');
expect(errors.message).to.equal(
`action execution failure: test.throw:${createdConnector.id}: connector that throws - an error occurred while running the action: this action is intended to fail; retry: true`
);
}
break;
default:
throw new Error(`Scenario untested: ${JSON.stringify(scenario)}`);
}
});
});
}

it('gets action error logs from an alternate space', async () => {
const { body: createdConnector } = await supertest
.post(`${getUrlPrefix(Spaces[1].id)}/api/actions/connector`)
Expand Down Expand Up @@ -99,12 +198,13 @@ export default function createGetActionErrorLogTests({ getService }: FtrProvider
{
gte: number;
}
>
>,
spaceId = Spaces[1].id
) {
await retry.try(async () => {
return await getEventLog({
getService,
spaceId: Spaces[1].id,
spaceId,
type: 'alert',
id,
provider,
Expand Down
Loading