diff --git a/x-pack/plugins/security/server/lib/authorization/mode.js b/x-pack/plugins/security/server/lib/authorization/mode.js
index 7486f4fa5218c8..c6d5bc9332901d 100644
--- a/x-pack/plugins/security/server/lib/authorization/mode.js
+++ b/x-pack/plugins/security/server/lib/authorization/mode.js
@@ -3,53 +3,32 @@
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
-import { GLOBAL_RESOURCE } from '../../../common/constants';
-import { spaceApplicationPrivilegesSerializer } from './space_application_privileges_serializer';
-
-const hasAnyPrivileges = privileges => {
- return Object.values(privileges).some(hasPrivilege => hasPrivilege === true);
-};
-
-const hasAnyResourcePrivileges = resourcePrivileges => {
- return Object.values(resourcePrivileges).some(resource => hasAnyPrivileges(resource));
-};
 export function authorizationModeFactory(
- actions,
- checkPrivilegesWithRequest,
+ application,
 config,
 log,
- plugins,
- savedObjects,
+ shieldClient,
 xpackInfoFeature,
 ) {
 const useRbacForRequestCache = new WeakMap();
- // TODO: This logic will change once we have the ES API to list all privileges
- // and is not covered by unit tests currently
 const shouldUseRbacForRequest = async (request) => {
 if (!config.get('xpack.security.authorization.legacyFallback.enabled')) {
 return true;
 }
- const adminCluster = plugins.elasticsearch.getCluster('admin');
- const { callWithInternalUser } = adminCluster;
+ const { callWithRequest } = shieldClient;
- const internalSavedObjectsRepository = savedObjects.getSavedObjectsRepository(
- callWithInternalUser
- );
+ const getUserPrivilegesResponse = await callWithRequest(request, 'shield.getUserPrivileges');
- const checkPrivileges = checkPrivilegesWithRequest(request);
- if (!plugins.spaces) {
- const { privileges } = await checkPrivileges.globally(actions.login);
- return hasAnyPrivileges(privileges);
- }
+ // Superusers have `*` and all other roles will have the explicit application.
+ // We aren't using wildcards at this time, so if the user somehow specifies them
+ // using the ES apis directly (which is documented as unsupported) they won't work here.
+ const result = getUserPrivilegesResponse.applications
+ .some(entry => entry.application === '*' || entry.application === application);
- const { saved_objects: spaceSavedObjects } = await internalSavedObjectsRepository.find({ type: 'space' });
- const spaceResources = spaceSavedObjects.map(space => spaceApplicationPrivilegesSerializer.resource.serialize(space.id));
- const allResources = [GLOBAL_RESOURCE, ...spaceResources];
- const { resourcePrivileges } = await checkPrivileges.atResources(allResources, actions.login);
- return hasAnyResourcePrivileges(resourcePrivileges);
+ return result;
 };
 const isRbacEnabled = () => xpackInfoFeature.getLicenseCheckResults().allowRbac;
@@ -62,7 +41,7 @@ export function authorizationModeFactory(
 }
 if (!isRbacEnabled()) {
- useRbacForRequestCache.set(request, true);
+ useRbacForRequestCache.set(request, false);
 return;
 }
diff --git a/x-pack/plugins/security/server/lib/authorization/mode.test.js b/x-pack/plugins/security/server/lib/authorization/mode.test.js
index f107a6fd242b96..6b7c5952a98d29 100644
--- a/x-pack/plugins/security/server/lib/authorization/mode.test.js
+++ b/x-pack/plugins/security/server/lib/authorization/mode.test.js
@@ -6,6 +8,8 @@
 import { authorizationModeFactory } from './mode';
+const application = 'kibana-.kibana';
+
 const createMockConfig = (settings) => {
 const mockConfig = {
 get: jest.fn()
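Review bot: The first added line dereferences `getUserPrivilegesResponse.applications` with no guard, so a `_privileges` response that lacks that array (or a rejected `callWithRequest`) makes `shouldUseRbacForRequest` throw instead of returning a mode decision, and nothing in this hunk handles either case. I'd default the destructure, `const { applications = [] } = getUserPrivilegesResponse;`, match on that, and leave a rejection to propagate deliberately with a comment saying so, since `initialize` (outside this hunk) is what callers await. The new comment should also state what the match actually tests: `// Any entry naming this application (or '*') opts the request into RBAC; the entry's privileges are not inspected here.` — that follows from the `.some` predicate, which reads only `entry.application`. Worth noting in the same comment that the lookup now runs as the requesting user via `callWithRequest`, replacing the removed internal-user saved-objects scan; the rest of `shouldUseRbacForRequest` and `initialize` extend beyond the hunk.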
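Review bot: The changed line `useRbacForRequestCache.set(request, false);` reverses the cached mode for licenses where `allowRbac` is false and carries no comment, so a future reader could flip it back without realising the old value forced the RBAC path on a license that does not permit it. I'd annotate it: `// License does not allow RBAC: fall back to legacy authorization for this request.` The new `returns false if ... allowRbac is false` case in mode.test.js pins the behaviour, which is good. `initialize` begins and ends outside this hunk.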
@@ -30,12 +32,16 @@ const createMockXpackInfoFeature = (allowRbac) => { }; }; +const createMockShieldClient = (getUserPrivilegesResponse) => ({ + callWithRequest: jest.fn().mockReturnValue(getUserPrivilegesResponse) +}); + describe(`#initialize`, () => { test(`can't be initialized twice for the same request`, async () => { const mockConfig = createMockConfig(); const mockLogger = createMockLogger(); const mockXpackInfoFeature = createMockXpackInfoFeature(); - const mode = authorizationModeFactory({}, {}, mockConfig, mockLogger, {}, {}, mockXpackInfoFeature); + const mode = authorizationModeFactory(application, mockConfig, mockLogger, null, mockXpackInfoFeature); const request = {}; await mode.initialize(request); @@ -50,7 +56,7 @@ describe(`#useRbacForRequest`, () => { const mockConfig = createMockConfig(); const mockLogger = createMockLogger(); const mockXpackInfoFeature = createMockXpackInfoFeature(); - const mode = authorizationModeFactory({}, {}, mockConfig, mockLogger, {}, {}, mockXpackInfoFeature); + const mode = authorizationModeFactory(application, mockConfig, mockLogger, null, mockXpackInfoFeature); const request = {}; const result = mode.useRbacForRequest(request); 
@@ -63,13 +69,124 @@ describe(`#useRbacForRequest`, () => { 'xpack.security.authorization.legacyFallback.enabled': false, }); const mockLogger = createMockLogger(); - const mockXpackInfoFeature = createMockXpackInfoFeature(); - const mode = authorizationModeFactory({}, {}, mockConfig, mockLogger, {}, {}, mockXpackInfoFeature); + const mockXpackInfoFeature = createMockXpackInfoFeature(true); + const mode = authorizationModeFactory(application, mockConfig, mockLogger, null, mockXpackInfoFeature); const request = {}; await mode.initialize(request); const result = mode.useRbacForRequest(request); expect(result).toBe(true); - expect(mockLogger).not.toHaveBeenCalled(); + }); + + test(`returns false if xpackInfoFeature.getLicenseCheckResults().allowRbac is false`, async () => { + const mockConfig = createMockConfig({ + 'xpack.security.authorization.legacyFallback.enabled': true, + }); + const mockLogger = createMockLogger(); + const mockXpackInfoFeature = createMockXpackInfoFeature(false); + const mode = authorizationModeFactory(application, mockConfig, mockLogger, null, mockXpackInfoFeature); + const request = {}; + + await mode.initialize(request); + const result = mode.useRbacForRequest(request); + expect(result).toBe(false); + }); + + test(`returns false if shieldClient getUserPrivileges returns no applications`, async () => { + const mockConfig = createMockConfig({ + 'xpack.security.authorization.legacyFallback.enabled': true, + }); + const mockLogger = createMockLogger(); + const mockXpackInfoFeature = createMockXpackInfoFeature(true); + const mockShieldClient = createMockShieldClient({ + applications: [] + }); + const mode = authorizationModeFactory(application, mockConfig, mockLogger, mockShieldClient, mockXpackInfoFeature); + const request = { + headers: { + foo: 'bar' + } + }; + + await mode.initialize(request); + const result = mode.useRbacForRequest(request); + expect(result).toBe(false); + expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 
'shield.getUserPrivileges'); + }); + + test(`returns false if shieldClient getUserPrivileges returns incorrect application`, async () => { + const mockConfig = createMockConfig({ + 'xpack.security.authorization.legacyFallback.enabled': true, + }); + const mockLogger = createMockLogger(); + const mockXpackInfoFeature = createMockXpackInfoFeature(true); + const mockShieldClient = createMockShieldClient({ + applications: [{ + application: 'kibana-.kibana-marketing' + }] + }); + const mode = authorizationModeFactory(application, mockConfig, mockLogger, mockShieldClient, mockXpackInfoFeature); + const request = { + headers: { + foo: 'bar' + } + }; + + await mode.initialize(request); + const result = mode.useRbacForRequest(request); + expect(result).toBe(false); + expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.getUserPrivileges'); + }); + + test(`returns true if shieldClient getUserPrivileges returns * and incorrect application`, async () => { + const mockConfig = createMockConfig({ + 'xpack.security.authorization.legacyFallback.enabled': true, + }); + const mockLogger = createMockLogger(); + const mockXpackInfoFeature = createMockXpackInfoFeature(true); + const mockShieldClient = createMockShieldClient({ + applications: [{ + application: 'kibana-.kibana-marketing' + }, { + application: '*' + }] + }); + const mode = authorizationModeFactory(application, mockConfig, mockLogger, mockShieldClient, mockXpackInfoFeature); + const request = { + headers: { + foo: 'bar' + } + }; + + await mode.initialize(request); + const result = mode.useRbacForRequest(request); + expect(result).toBe(true); + expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.getUserPrivileges'); + }); + + test(`returns true if shieldClient getUserPrivileges returns matching application and incorrect application`, async () => { + const mockConfig = createMockConfig({ + 'xpack.security.authorization.legacyFallback.enabled': true, + }); + const 
mockLogger = createMockLogger(); + const mockXpackInfoFeature = createMockXpackInfoFeature(true); + const mockShieldClient = createMockShieldClient({ + applications: [{ + application: 'kibana-.kibana-marketing' + }, { + application + }] + }); + const mode = authorizationModeFactory(application, mockConfig, mockLogger, mockShieldClient, mockXpackInfoFeature); + const request = { + headers: { + foo: 'bar' + } + }; + + await mode.initialize(request); + const result = mode.useRbacForRequest(request); + expect(result).toBe(true); + expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.getUserPrivileges'); }); }); diff --git a/x-pack/plugins/security/server/lib/authorization/service.js b/x-pack/plugins/security/server/lib/authorization/service.js index 845cedb2273c87..d7ce77a03fd33d 100644 --- a/x-pack/plugins/security/server/lib/authorization/service.js +++ b/x-pack/plugins/security/server/lib/authorization/service.js @@ -17,13 +17,11 @@ export function createAuthorizationService(server, xpackInfoFeature) { const application = `kibana-${config.get('kibana.index')}`; const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(actions, application, shieldClient); const mode = authorizationModeFactory( - actions, - checkPrivilegesWithRequest, + application, config, (...args) => server.log(...args), - server.plugins, - server.savedObjects, - xpackInfoFeature + shieldClient, + xpackInfoFeature, ); return { diff --git a/x-pack/plugins/security/server/lib/authorization/service.test.js b/x-pack/plugins/security/server/lib/authorization/service.test.js index 512593f3079d68..f753e1170fc91a 100644 --- a/x-pack/plugins/security/server/lib/authorization/service.test.js +++ b/x-pack/plugins/security/server/lib/authorization/service.test.js 
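Review bot: None of the added `#useRbacForRequest` cases covers a failing privileges lookup — `callWithRequest` rejecting, or a response with no `applications` array — so what `initialize` does on those paths is unpinned even though mode.js now depends on that response shape. A case built with `createMockShieldClient({})` that asserts whether `initialize` rejects or falls back would make the failure mode explicit. The removed `expect(mockLogger).not.toHaveBeenCalled();` in the legacyFallback-disabled test has no replacement; if the logger is still unused on that path, I'd keep the assertion. The `describe` block begins outside this hunk.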
@@ -64,12 +64,10 @@ test(`calls server.expose with exposed services`, () => {
 expect(actionsFactory).toHaveBeenCalledWith(mockConfig);
 expect(checkPrivilegesWithRequestFactory).toHaveBeenCalledWith(mockActions, application, mockShieldClient);
 expect(authorizationModeFactory).toHaveBeenCalledWith(
- mockActions,
- mockCheckPrivilegesWithRequest,
+ application,
 mockConfig,
 expect.any(Function),
- mockServer.plugins,
- mockServer.savedObjects,
+ mockShieldClient,
 mockXpackInfoFeature,
 );
 });
diff --git a/x-pack/server/lib/esjs_shield_plugin.js b/x-pack/server/lib/esjs_shield_plugin.js
index 016ade902029c5..bcab31b554c9d4 100644
--- a/x-pack/server/lib/esjs_shield_plugin.js
+++ b/x-pack/server/lib/esjs_shield_plugin.js
@@ -258,6 +258,19 @@
 method: 'PUT'
 });
+ /**
+ * Perform a [shield.getUserPrivileges](Retrieve a user's list of privileges) request
+ *
+ */
+ shield.getUserPrivileges = ca({
+ params: {},
+ urls: [
+ {
+ fmt: '/_xpack/security/user/_privileges'
+ }
+ ]
+ });
+
 /**
 * Asks Elasticsearch to prepare SAML authentication request to be sent to
 * the 3rd-party SAML identity provider.
diff --git a/x-pack/test/saved_object_api_integration/common/suites/get.ts b/x-pack/test/saved_object_api_integration/common/suites/get.ts
index 85dcda1214ad4e..593bf098b08012 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/get.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/get.ts
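Review bot: `shield.getUserPrivileges` sets no `method`, while the definition just above it in this file ends with `method: 'PUT'`; the `ca` helper presumably defaults to GET, but an explicit `method: 'GET'` matches the file's style and stops the request verb depending on that default. The JSDoc line `Perform a [shield.getUserPrivileges](Retrieve a user's list of privileges) request` reads like an unfilled link template; I'd replace it and the empty ` *` line with `Retrieve the privileges held by the user the request is authenticated as` and `(GET /_xpack/security/user/_privileges).`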
@@ -81,18 +81,22 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest) }); }; - const createExpectSpaceAwareNotFound = (spaceId = DEFAULT_SPACE_ID) => { - return createExpectNotFound(spaceAwareId, spaceId); - }; - - const createExpectSpaceAwareRbacForbidden = () => (resp: { [key: string]: any }) => { + const createExpectRbacForbidden = (type: string) => (resp: { [key: string]: any }) => { expect(resp.body).to.eql({ error: 'Forbidden', - message: `Unable to get visualization, missing action:saved_objects/visualization/get`, + message: `Unable to get ${type}, missing action:saved_objects/${type}/get`, statusCode: 403, }); }; + const createExpectSpaceAwareNotFound = (spaceId = DEFAULT_SPACE_ID) => { + return createExpectNotFound(spaceAwareId, spaceId); + }; + + const expectSpaceAwareRbacForbidden = createExpectRbacForbidden('visualization'); + const expectNotSpaceAwareRbacForbidden = createExpectRbacForbidden('globaltype'); + const expectDoesntExistRbacForbidden = createExpectRbacForbidden('visualization'); + const createExpectSpaceAwareResults = (spaceId = DEFAULT_SPACE_ID) => (resp: { [key: string]: any; }) => { @@ -174,8 +178,10 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest) createExpectNotSpaceAwareRbacForbidden, createExpectNotSpaceAwareResults, createExpectSpaceAwareNotFound, - createExpectSpaceAwareRbacForbidden, createExpectSpaceAwareResults, + expectSpaceAwareRbacForbidden, + expectNotSpaceAwareRbacForbidden, + expectDoesntExistRbacForbidden, getTest, }; } diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts index eaa374098bd339..34c1cc583ae461 100644 --- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts +++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/get.ts 
@@ -17,10 +17,11 @@ export default function({ getService }: TestInvoker) { const { createExpectDoesntExistNotFound, createExpectLegacyForbidden, - createExpectSpaceAwareRbacForbidden, createExpectSpaceAwareResults, createExpectNotSpaceAwareResults, - createExpectNotSpaceAwareRbacForbidden, + expectSpaceAwareRbacForbidden, + expectNotSpaceAwareRbacForbidden, + expectDoesntExistRbacForbidden, getTest, } = getTestSuiteFactory(esArchiver, supertest); @@ -255,15 +256,15 @@ export default function({ getService }: TestInvoker) { tests: { spaceAware: { statusCode: 403, - response: createExpectSpaceAwareRbacForbidden(), + response: expectSpaceAwareRbacForbidden, }, notSpaceAware: { statusCode: 403, - response: createExpectNotSpaceAwareRbacForbidden(), + response: expectNotSpaceAwareRbacForbidden, }, doesntExist: { statusCode: 403, - response: createExpectSpaceAwareRbacForbidden(), + response: expectDoesntExistRbacForbidden, }, }, }); diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts index 4e7d9ea6fb148f..07d074860e6d90 100644 --- a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts +++ b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts @@ -109,9 +109,7 @@ export default function({ getService }: TestInvoker) { tests: { default: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: expectRbacForbidden, }, }, }); @@ -121,9 +119,7 @@ export default function({ getService }: TestInvoker) { tests: { default: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: expectRbacForbidden, }, }, }); 
@@ -133,9 +129,7 @@ export default function({ getService }: TestInvoker) { tests: { default: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: expectRbacForbidden, }, }, }); @@ -145,9 +139,7 @@ export default function({ getService }: TestInvoker) { tests: { default: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: expectRbacForbidden, }, }, }); diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts index 9376eb6b5995ff..8e7ebbc1fc3290 100644 --- a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts +++ b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts @@ -13,10 +13,12 @@ export default function({ getService }: TestInvoker) { const supertest = getService('supertestWithoutAuth'); const esArchiver = getService('esArchiver'); - const { bulkGetTest, createExpectLegacyForbidden, createExpectResults } = bulkGetTestSuiteFactory( - esArchiver, - supertest - ); + const { + bulkGetTest, + createExpectLegacyForbidden, + createExpectResults, + expectRbacForbidden, + } = bulkGetTestSuiteFactory(esArchiver, supertest); describe('_bulk_get', () => { bulkGetTest(`user with no access`, { @@ -104,9 +106,7 @@ export default function({ getService }: TestInvoker) { tests: { default: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: expectRbacForbidden, }, }, }); @@ -116,9 +116,7 @@ export default function({ getService }: TestInvoker) { tests: { default: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: expectRbacForbidden, }, }, }); 
@@ -128,9 +126,7 @@ export default function({ getService }: TestInvoker) { tests: { default: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: expectRbacForbidden, }, }, }); @@ -140,9 +136,7 @@ export default function({ getService }: TestInvoker) { tests: { default: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: expectRbacForbidden, }, }, }); diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/create.ts b/x-pack/test/saved_object_api_integration/security_only/apis/create.ts index 3bceeeeee33b2d..f76cf9d7bcd1d0 100644 --- a/x-pack/test/saved_object_api_integration/security_only/apis/create.ts +++ b/x-pack/test/saved_object_api_integration/security_only/apis/create.ts @@ -145,15 +145,11 @@ export default function({ getService }: TestInvoker) { tests: { spaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: expectSpaceAwareRbacForbidden, }, notSpaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: expectNotSpaceAwareRbacForbidden, }, }, }); @@ -163,15 +159,11 @@ export default function({ getService }: TestInvoker) { tests: { spaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: expectSpaceAwareRbacForbidden, }, notSpaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: expectNotSpaceAwareRbacForbidden, }, }, }); 
@@ -181,15 +173,11 @@ export default function({ getService }: TestInvoker) { tests: { spaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: expectSpaceAwareRbacForbidden, }, notSpaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: expectNotSpaceAwareRbacForbidden, }, }, }); @@ -199,15 +187,11 @@ export default function({ getService }: TestInvoker) { tests: { spaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: expectSpaceAwareRbacForbidden, }, notSpaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: expectNotSpaceAwareRbacForbidden, }, }, }); diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/delete.ts b/x-pack/test/saved_object_api_integration/security_only/apis/delete.ts index 27b2375ae9129e..9c7b986b0250b4 100644 --- a/x-pack/test/saved_object_api_integration/security_only/apis/delete.ts +++ b/x-pack/test/saved_object_api_integration/security_only/apis/delete.ts @@ -179,21 +179,15 @@ export default function({ getService }: TestInvoker) { tests: { spaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: expectRbacSpaceAwareForbidden, }, notSpaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: expectRbacNotSpaceAwareForbidden, }, invalidId: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: expectRbacInvalidIdForbidden, }, }, }); 
@@ -203,21 +197,15 @@ export default function({ getService }: TestInvoker) { tests: { spaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: expectRbacSpaceAwareForbidden, }, notSpaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: expectRbacNotSpaceAwareForbidden, }, invalidId: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: expectRbacInvalidIdForbidden, }, }, }); @@ -227,21 +215,15 @@ export default function({ getService }: TestInvoker) { tests: { spaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: expectRbacSpaceAwareForbidden, }, notSpaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: expectRbacNotSpaceAwareForbidden, }, invalidId: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: expectRbacInvalidIdForbidden, }, }, }); @@ -251,21 +233,15 @@ export default function({ getService }: TestInvoker) { tests: { spaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: expectRbacSpaceAwareForbidden, }, notSpaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: expectRbacNotSpaceAwareForbidden, }, invalidId: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: expectRbacInvalidIdForbidden, }, }, }); 
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/find.ts b/x-pack/test/saved_object_api_integration/security_only/apis/find.ts index ee664e43375c07..66c7948b0bd6a6 100644 --- a/x-pack/test/saved_object_api_integration/security_only/apis/find.ts +++ b/x-pack/test/saved_object_api_integration/security_only/apis/find.ts @@ -318,37 +318,27 @@ export default function({ getService }: TestInvoker) { spaceAwareType: { description: 'only the visualization', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: createExpectRbacForbidden('visualization'), }, notSpaceAwareType: { description: 'only the globaltype', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: createExpectRbacForbidden('globaltype'), }, unknownType: { description: 'empty result', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: createExpectRbacForbidden('wigwags'), }, pageBeyondTotal: { description: 'empty result', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: createExpectRbacForbidden('visualization'), }, unknownSearchField: { description: 'empty result', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: createExpectRbacForbidden('wigwags'), }, noType: { description: 'bad request, type is required', 
@@ -364,37 +354,27 @@ export default function({ getService }: TestInvoker) { spaceAwareType: { description: 'only the visualization', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: createExpectRbacForbidden('visualization'), }, notSpaceAwareType: { description: 'only the globaltype', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: createExpectRbacForbidden('globaltype'), }, unknownType: { description: 'empty result', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: createExpectRbacForbidden('wigwags'), }, pageBeyondTotal: { description: 'empty result', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: createExpectRbacForbidden('visualization'), }, unknownSearchField: { description: 'empty result', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: createExpectRbacForbidden('wigwags'), }, noType: { description: 'bad request, type is required', 
@@ -408,39 +388,29 @@ export default function({ getService }: TestInvoker) { user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER, tests: { spaceAwareType: { - description: 'forbidden login and find visualization message', + description: 'only the visualization', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: createExpectRbacForbidden('visualization'), }, notSpaceAwareType: { description: 'only the globaltype', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: createExpectRbacForbidden('globaltype'), }, unknownType: { - description: 'forbidden login and find wigwags message', + description: 'empty result', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: createExpectRbacForbidden('wigwags'), }, pageBeyondTotal: { - description: 'forbidden login and find visualization message', + description: 'empty result', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: createExpectRbacForbidden('visualization'), }, unknownSearchField: { - description: 'forbidden login and find wigwags message', + description: 'empty result', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: createExpectRbacForbidden('wigwags'), }, noType: { description: 'bad request, type is required', 
@@ -454,39 +424,29 @@ export default function({ getService }: TestInvoker) { user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER, tests: { spaceAwareType: { - description: 'forbidden login and find visualization message', + description: 'only the visualization', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: createExpectRbacForbidden('visualization'), }, notSpaceAwareType: { description: 'only the globaltype', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: createExpectRbacForbidden('globaltype'), }, unknownType: { - description: 'forbidden login and find wigwags message', + description: 'empty result', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: createExpectRbacForbidden('wigwags'), }, pageBeyondTotal: { - description: 'forbidden login and find visualization message', + description: 'empty result', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: createExpectRbacForbidden('visualization'), }, unknownSearchField: { - description: 'forbidden login and find wigwags message', + description: 'empty result', statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: createExpectRbacForbidden('wigwags'), }, noType: { description: 'bad request, type is required', diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/get.ts b/x-pack/test/saved_object_api_integration/security_only/apis/get.ts index 48698a56f892fc..2b1921f8b9ff9f 100644 --- a/x-pack/test/saved_object_api_integration/security_only/apis/get.ts +++ b/x-pack/test/saved_object_api_integration/security_only/apis/get.ts 
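Review bot: The descriptions rewritten in this hunk — `'empty result'` for `unknownType`, `pageBeyondTotal` and `unknownSearchField`, and `'only the visualization'` for `spaceAwareType` — no longer describe what the cases assert, since each expects `statusCode: 403` with `createExpectRbacForbidden(...)`; the old text at least said 'forbidden'. I'd use `description: 'forbidden, missing find privilege on wigwags'` (and `on visualization`) so the generated test names match the expectation. The same wording is used in the earlier hunks for the default-space users, so the mismatch is at least consistent across the file.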
@@ -18,6 +18,9 @@ export default function({ getService }: TestInvoker) { createExpectLegacyForbidden, createExpectSpaceAwareResults, createExpectNotSpaceAwareResults, + expectSpaceAwareRbacForbidden, + expectNotSpaceAwareRbacForbidden, + expectDoesntExistRbacForbidden, getTest, } = getTestSuiteFactory(esArchiver, supertest); @@ -171,21 +174,15 @@ export default function({ getService }: TestInvoker) { tests: { spaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: expectSpaceAwareRbacForbidden, }, notSpaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: expectNotSpaceAwareRbacForbidden, }, doesntExist: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: expectDoesntExistRbacForbidden, }, }, }); @@ -195,21 +192,15 @@ export default function({ getService }: TestInvoker) { tests: { spaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: expectSpaceAwareRbacForbidden, }, notSpaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: expectNotSpaceAwareRbacForbidden, }, doesntExist: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: expectDoesntExistRbacForbidden, }, }, }); 
@@ -219,21 +210,15 @@ export default function({ getService }: TestInvoker) { tests: { spaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: expectSpaceAwareRbacForbidden, }, notSpaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: expectNotSpaceAwareRbacForbidden, }, doesntExist: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: expectDoesntExistRbacForbidden, }, }, }); @@ -243,21 +228,15 @@ export default function({ getService }: TestInvoker) { tests: { spaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: expectSpaceAwareRbacForbidden, }, notSpaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: expectNotSpaceAwareRbacForbidden, }, doesntExist: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: expectDoesntExistRbacForbidden, }, }, }); diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/update.ts b/x-pack/test/saved_object_api_integration/security_only/apis/update.ts index de506b4186e056..b7ffd43877cc8f 100644 --- a/x-pack/test/saved_object_api_integration/security_only/apis/update.ts +++ b/x-pack/test/saved_object_api_integration/security_only/apis/update.ts 
@@ -180,21 +180,15 @@ export default function({ getService }: TestInvoker) { tests: { spaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: expectSpaceAwareRbacForbidden, }, notSpaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: expectNotSpaceAwareRbacForbidden, }, doesntExist: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username - ), + response: expectDoesntExistRbacForbidden, }, }, }); @@ -204,21 +198,15 @@ export default function({ getService }: TestInvoker) { tests: { spaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: expectSpaceAwareRbacForbidden, }, notSpaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: expectNotSpaceAwareRbacForbidden, }, doesntExist: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username - ), + response: expectDoesntExistRbacForbidden, }, }, }); @@ -228,21 +216,15 @@ export default function({ getService }: TestInvoker) { tests: { spaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: expectSpaceAwareRbacForbidden, }, notSpaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: expectNotSpaceAwareRbacForbidden, }, doesntExist: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username - ), + response: expectDoesntExistRbacForbidden, }, }, }); 
@@ -252,21 +234,15 @@ export default function({ getService }: TestInvoker) { tests: { spaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: expectSpaceAwareRbacForbidden, }, notSpaceAware: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: expectNotSpaceAwareRbacForbidden, }, doesntExist: { statusCode: 403, - response: createExpectLegacyForbidden( - AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username - ), + response: expectDoesntExistRbacForbidden, }, }, });