Feature Disable Wazuh by roles (#3222)
asteriscos authored May 13, 2021
1 parent edbcebd commit ec895b6
Showing 5 changed files with 56 additions and 3 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -10,6 +10,7 @@ All notable changes to the Wazuh app project will be documented in this file.
- Changed default `wazuh.monitoring.creation` app setting from `d` to `w` [#3174](https://github.com/wazuh/wazuh-kibana-app/pull/3174)
- Changed default `wazuh.monitoring.shards` app setting from `2` to `1` [#3174](https://github.com/wazuh/wazuh-kibana-app/pull/3174)
- Redirect to group details using the `group` query param in the URL [#3184](https://github.com/wazuh/wazuh-kibana-app/pull/3184)
- Configuration to disable Wazuh App access from X-Pack/ODFE role [#3222](https://github.com/wazuh/wazuh-kibana-app/pull/3222)
- Added confirmation message when closing a form [#3221](https://github.com/wazuh/wazuh-kibana-app/pull/3221)

### Changed
16 changes: 14 additions & 2 deletions public/plugin.ts
@@ -1,4 +1,5 @@
import { AppMountParameters, CoreSetup, CoreStart, Plugin, PluginInitializerContext } from 'kibana/public';
import { BehaviorSubject } from 'rxjs';
import { AppMountParameters, CoreSetup, CoreStart, AppUpdater, Plugin, PluginInitializerContext } from 'kibana/public';
import {
setDataPlugin,
setHttp,
@@ -31,7 +32,8 @@ export class WazuhPlugin implements Plugin<WazuhSetup, WazuhStart, WazuhSetupPlu
constructor(private readonly initializerContext: PluginInitializerContext) {}
public initializeInnerAngular?: () => void;
private innerAngularInitialized: boolean = false;

private stateUpdater = new BehaviorSubject<AppUpdater>(() => ({}));

public setup(core: CoreSetup, plugins: WazuhSetupPlugins): WazuhSetup {
core.application.register({
id: `wazuh`,
@@ -54,8 +56,17 @@ export class WazuhPlugin implements Plugin<WazuhSetup, WazuhStart, WazuhSetupPlu

await this.initializeInnerAngular();

//Check is user has Wazuh disabled
const response = await core.http.get(`/api/check-wazuh`);

params.element.classList.add('dscAppWrapper');
const unmount = await renderApp(innerAngularName, params.element);

//Update if user has Wazuh disabled
this.stateUpdater.next(() => {
if(response.isWazuhDisabled) unmount();
return { status: response.isWazuhDisabled }
})
return () => {
unmount();
};
@@ -66,6 +77,7 @@ export class WazuhPlugin implements Plugin<WazuhSetup, WazuhStart, WazuhSetupPlu
order: 0,
euiIconType: core.http.basePath.prepend('/plugins/wazuh/assets/icon_blue.png'),
},
updater$: this.stateUpdater
});
return {};
}
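Review bot: In the mount handler the app is rendered with `renderApp` before the `/api/check-wazuh` result is acted on, and the teardown happens as a side effect inside the `stateUpdater` callback, so a user with a disabled role briefly gets the full UI and `unmount()` may run again whenever the updater is re-evaluated, and once more from the returned cleanup. I would test `response.isWazuhDisabled` right after the request, publish a side-effect-free updater and return before rendering, as below; the `this.stateUpdater.next(...)` block after `renderApp` then goes away. `status` is also fed the raw 0/1 sent by the server, which only works because it lines up with the numeric `AppStatus` values; naming `AppStatus.inaccessible` (imported from `kibana/public`) makes that explicit. The mount function starts above this hunk.

```typescript
const response = await core.http.get(`/api/check-wazuh`);
if (response.isWazuhDisabled) {
  // Decide before rendering; the updater stays free of side effects.
  this.stateUpdater.next(() => ({ status: AppStatus.inaccessible }));
  return () => {};
}
// … unchanged: classList.add, renderApp and the returned unmount closure …
```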
28 changes: 27 additions & 1 deletion server/controllers/wazuh-api.ts
@@ -25,13 +25,14 @@ import jwtDecode from 'jwt-decode';
import { KibanaRequest, RequestHandlerContext, KibanaResponseFactory } from 'src/core/server';
import { APIUserAllowRunAs, CacheInMemoryAPIUserAllowRunAs, API_USER_STATUS_RUN_AS } from '../lib/cache-api-user-has-run-as';
import { getCookieValueByName } from '../lib/cookie';
import { SecurityObj } from '../lib/security-factory';
import { getConfiguration } from '../lib/get-configuration';

export class WazuhApiCtrl {
manageHosts: ManageHosts
updateRegistry: UpdateRegistry

constructor() {
// this.monitoringInstance = new Monitoring(server, true);
this.manageHosts = new ManageHosts();
this.updateRegistry = new UpdateRegistry();
}
@@ -1043,4 +1044,29 @@ export class WazuhApiCtrl {
return ErrorResponse(error.message || error, 3035, 500, response);
}
}
/**
* Check if user assigned roles disable Wazuh Plugin
* @param context
* @param request
* @param response
* @returns {object} Returns { isWazuhDisabled: boolean parsed integer }
*/
async isWazuhDisabled(context: RequestHandlerContext, request: KibanaRequest, response: KibanaResponseFactory) {
try {

const disabledRoles = ( await getConfiguration() )['disabled_roles'] || [];
const wazuhSecurity = SecurityObj(context.wazuh.plugins);
const data = (await wazuhSecurity.getCurrentUser(request, context)).authContext;

const isWazuhDisabled = +data.roles.some((role) => disabledRoles.includes(role));

return response.ok({
body: { isWazuhDisabled }
});
} catch (error) {
log('wazuh-api:isWazuhDisabled', error.message || error);
return ErrorResponse(error.message || error, 3035, 500, response);
}

}
}
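Review bot: `isWazuhDisabled` trusts the shape of both of its inputs: `data.roles.some(...)` throws when `authContext` or `roles` is absent, and `disabledRoles.includes(role)` silently becomes a substring match if `disabled_roles` is written as a single string instead of a list, so a role named `wazuh` would match a configured `wazuh_disabled`. Normalising first avoids both, e.g. `const disabledRoles = Array.isArray(raw) ? raw : raw ? [raw] : [];` (with `raw` being the config value) and `const roles = Array.isArray(data?.roles) ? data.roles : [];`. Whether a missing role list should mean "allowed" or "blocked" deserves an explicit decision; today it surfaces as a 500, which presumably makes the `core.http.get` call in the mount handler reject. The catch block also reuses error code 3035 from the handler above it, so the two failures cannot be told apart from the code alone. The enclosing class starts outside this hunk.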
6 changes: 6 additions & 0 deletions server/lib/initial-wazuh-config.ts
@@ -30,6 +30,12 @@ export const initialWazuhConfig: string = `---
# Also, you can check our repository:
# https://github.com/wazuh/wazuh-kibana-app
#
# ------------------------------- Disable roles -------------------------------
#
# Defines which Elasticsearch roles disable Wazuh
# disabled_roles:
# - wazuh_disabled
#
# ------------------------------- Index patterns -------------------------------
#
# Default index pattern to use.
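Review bot: The template comment for `disabled_roles` does not say how the setting is matched. Going by the controller added in this commit, a user is blocked as soon as any one of their roles appears in the list, even if they also hold other roles, and the value is expected to be a YAML list. I would spell that out for administrators, e.g. `# A user holding ANY of the listed roles cannot open the Wazuh app, regardless of other roles.` followed by `# Must be a list, one role name per entry.`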
8 changes: 8 additions & 0 deletions server/routes/wazuh-api.ts
@@ -145,4 +145,12 @@ export function WazuhApiRoutes(router: IRouter) {
},
async (context, request, response) => ctrl.getSyscollector(context, request, response)
);

// Return logged in user has wazuh disabled by role
router.get({
path: '/api/check-wazuh',
validate: false
},
async (context, request, response) => ctrl.isWazuhDisabled(context, request, response)
);
}
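Review bot: `/api/check-wazuh` only reports the role decision; nothing in this hunk applies it to the other routes registered in `WazuhApiRoutes`, such as the `getSyscollector` route just above. If `disabled_roles` is meant as an access restriction rather than a way to hide the UI, the same check needs to run server-side in front of the other handlers, for example through a shared wrapper that returns `response.forbidden()` when the current user holds a disabled role. If it is only meant to hide the app, the route comment should say so, e.g. `// UI hint only: reports whether the current user's roles hide the Wazuh app; does not restrict the API`. `WazuhApiRoutes` starts outside this hunk.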
