Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Deleting no longer used privileges #24873

Merged
merged 3 commits into from
Nov 26, 2018
Merged

Deleting no longer used privileges #24873

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
14bf6fb
We can now delete old privileges
kobelb Oct 3, 2018
e298506
Merge remote-tracking branch 'upstream/master' into delete-old-privil…
kobelb Nov 19, 2018
08ac7e9
Logging message when error deleting specific privilege
kobelb Nov 19, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 16 additions & 10 deletions x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,12 +51,12 @@ export async function registerPrivilegesWithCluster(server) {
});
};

const shouldRemovePrivileges = (existingPrivileges, expectedPrivileges) => {
const getPrivilegesToDelete = (existingPrivileges, expectedPrivileges) => {
if (isEmpty(existingPrivileges)) {
return false;
return [];
}

return difference(Object.keys(existingPrivileges[application]), Object.keys(expectedPrivileges[application])).length > 0;
return difference(Object.keys(existingPrivileges[application]), Object.keys(expectedPrivileges[application]));
};

const privilegeMap = buildPrivilegeMap(savedObjectTypes, actions);
Expand All @@ -75,18 +75,24 @@ export async function registerPrivilegesWithCluster(server) {
return;
}

// The ES privileges POST endpoint only allows us to add new privileges, or update specified privileges; it doesn't
// remove unspecified privileges. We don't currently have a need to remove privileges, as this would be a
// backwards compatibility issue, and we'd have to figure out how to migrate roles, so we're throwing an Error if we
// unintentionally get ourselves in this position.
if (shouldRemovePrivileges(existingPrivileges, expectedPrivileges)) {
throw new Error(`Privileges are missing and can't be removed, currently.`);
const privilegesToDelete = getPrivilegesToDelete(existingPrivileges, expectedPrivileges);
for (const privilegeToDelete of privilegesToDelete) {
server.log(['security', 'debug'], `Deleting Kibana Privilege ${privilegeToDelete} from Elasticearch for ${application}`);
try {
await callCluster('shield.deletePrivilege', {
application,
privilege: privilegeToDelete
});
} catch (err) {
server.log(['security', 'error'], `Error deleting Kibana Privilege ${privilegeToDelete}`);
throw err;
}
}

server.log(['security', 'debug'], `Updated Kibana Privileges with Elasticearch for ${application}`);
await callCluster('shield.postPrivileges', {
body: expectedPrivileges
});
server.log(['security', 'debug'], `Updated Kibana Privileges with Elasticearch for ${application}`);
kobelb marked this conversation as resolved.
Show resolved Hide resolved
} catch (err) {
server.log(['security', 'error'], `Error registering Kibana Privileges with Elasticsearch for ${application}: ${err.message}`);
throw err;
Expand Down
118 changes: 99 additions & 19 deletions x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,8 @@ const registerPrivilegesWithClusterTest = (description, {
savedObjectTypes,
privilegeMap,
existingPrivileges,
throwErrorWhenDeletingPrivileges,
errorDeletingPrivilegeName,
throwErrorWhenGettingPrivileges,
throwErrorWhenPuttingPrivileges,
assert
Expand Down Expand Up @@ -67,9 +69,9 @@ const registerPrivilegesWithClusterTest = (description, {
};

const createExpectUpdatedPrivileges = (mockServer, mockCallWithInternalUser, error) => {
return (postPrivilegesBody) => {
return (postPrivilegesBody, deletedPrivileges = []) => {
expect(error).toBeUndefined();
expect(mockCallWithInternalUser).toHaveBeenCalledTimes(2);
expect(mockCallWithInternalUser).toHaveBeenCalledTimes(2 + deletedPrivileges.length);
expect(mockCallWithInternalUser).toHaveBeenCalledWith('shield.getPrivilege', {
privilege: application,
});
Expand All @@ -79,7 +81,19 @@ const registerPrivilegesWithClusterTest = (description, {
body: postPrivilegesBody,
}
);

for (const deletedPrivilege of deletedPrivileges) {
expect(mockServer.log).toHaveBeenCalledWith(
['security', 'debug'],
`Deleting Kibana Privilege ${deletedPrivilege} from Elasticearch for ${application}`
);
expect(mockCallWithInternalUser).toHaveBeenCalledWith(
'shield.deletePrivilege',
{
application,
privilege: deletedPrivilege
}
);
}
expect(mockServer.log).toHaveBeenCalledWith(
['security', 'debug'],
`Registering Kibana Privileges with Elasticsearch for ${application}`
Expand Down Expand Up @@ -116,6 +130,13 @@ const registerPrivilegesWithClusterTest = (description, {
expect(actualError).toBeInstanceOf(Error);
expect(actualError.message).toEqual(expectedErrorMessage);

if (throwErrorWhenDeletingPrivileges) {
expect(mockServer.log).toHaveBeenCalledWith(
['security', 'error'],
`Error deleting Kibana Privilege ${errorDeletingPrivilegeName}`
);
}

expect(mockServer.log).toHaveBeenCalledWith(
['security', 'error'],
`Error registering Kibana Privileges with Elasticsearch for ${application}: ${expectedErrorMessage}`
Expand All @@ -126,21 +147,37 @@ const registerPrivilegesWithClusterTest = (description, {
test(description, async () => {
const mockServer = createMockServer();
const mockCallWithInternalUser = registerMockCallWithInternalUser()
.mockImplementationOnce(async () => {
if (throwErrorWhenGettingPrivileges) {
throw throwErrorWhenGettingPrivileges;
}
.mockImplementation((api) => {
switch(api) {
case 'shield.getPrivilege': {
if (throwErrorWhenGettingPrivileges) {
throw throwErrorWhenGettingPrivileges;
}

// ES returns an empty object if we don't have any privileges
if (!existingPrivileges) {
return {};
}
// ES returns an empty object if we don't have any privileges
if (!existingPrivileges) {
return {};
}

return existingPrivileges;
})
.mockImplementationOnce(async () => {
if (throwErrorWhenPuttingPrivileges) {
throw throwErrorWhenPuttingPrivileges;
return existingPrivileges;
}
case 'shield.deletePrivilege': {
if (throwErrorWhenDeletingPrivileges) {
throw throwErrorWhenDeletingPrivileges;
}

break;
}
case 'shield.postPrivileges': {
if (throwErrorWhenPuttingPrivileges) {
throw throwErrorWhenPuttingPrivileges;
}

return;
}
default: {
expect(true).toBe(false);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: test failures here might be hard to debug. Consider throwing an explicit exception about this unhandled scenario.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we just threw an explicit exception here, it'd potentially be caught by the code using the callWithRequest and lead to rather difficult to understand behavior. I wanted to fail the test explicitly, and this was the most clear solution that I could come up with, even though it isn't really clear at all. I thought about also doing the equivalent of expect(api).toBeInArray(['shield.getPrivilege', 'shield.postPrivileges', 'shield.deletePrivilege'] but figured that'd be equally confusing, and potentially more-so, so I gave up and did this.

}
}
});

Expand Down Expand Up @@ -208,7 +245,7 @@ registerPrivilegesWithClusterTest(`inserts privileges when we don't have any exi
}
});

registerPrivilegesWithClusterTest(`throws error when we should be removing privilege`, {
registerPrivilegesWithClusterTest(`deletes no-longer specified privileges`, {
privilegeMap: {
global: {
foo: ['action:foo'],
Expand Down Expand Up @@ -236,11 +273,32 @@ registerPrivilegesWithClusterTest(`throws error when we should be removing privi
name: 'space_bar',
actions: ['action:not-bar'],
metadata: {},
},
space_baz: {
application,
name: 'space_baz',
actions: ['action:not-baz'],
metadata: {},
}
}
},
assert: ({ expectErrorThrown }) => {
expectErrorThrown(`Privileges are missing and can't be removed, currently.`);
assert: ({ expectUpdatedPrivileges }) => {
expectUpdatedPrivileges({
[application]: {
foo: {
application,
name: 'foo',
actions: ['action:foo'],
metadata: {},
},
space_bar: {
application,
name: 'space_bar',
actions: ['action:bar'],
metadata: {},
}
}
}, [ 'quz', 'space_baz' ]);
}
});

Expand Down Expand Up @@ -434,6 +492,28 @@ registerPrivilegesWithClusterTest(`throws and logs error when errors getting pri
}
});

registerPrivilegesWithClusterTest(`throws and logs error when errors deleting privileges`, {
privilegeMap: {
global: {},
space: {}
},
existingPrivileges: {
[application]: {
foo: {
application,
name: 'foo',
actions: ['action:not-foo'],
metadata: {},
}
}
},
throwErrorWhenDeletingPrivileges: new Error('Error deleting privileges'),
errorDeletingPrivilegeName: 'foo',
assert: ({ expectErrorThrown }) => {
expectErrorThrown('Error deleting privileges');
}
});

registerPrivilegesWithClusterTest(`throws and logs error when errors putting privileges`, {
privilegeMap: {
global: {
Expand Down
17 changes: 17 additions & 0 deletions x-pack/server/lib/esjs_shield_plugin.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -390,6 +390,23 @@
}]
});

shield.deletePrivilege = ca({
method: 'DELETE',
urls: [{
fmt: '/_xpack/security/privilege/<%=application%>/<%=privilege%>',
req: {
application: {
type: 'string',
required: true
},
privilege: {
type: 'string',
required: true
}
}
}]
});

shield.postPrivileges = ca({
method: 'POST',
needBody: true,
Expand Down