From 193935cbf25c96ae1e6952f7233f001053e60a59 Mon Sep 17 00:00:00 2001
From: Nicolas Chaulet
Date: Tue, 17 Sep 2024 08:13:54 -0400
Subject: [PATCH] [Fleet] Require AgentPolicies:All to add a fleet server (#193014)
---
 x-pack/plugins/fleet/common/authz.ts | 3 +-
 .../fleet_server_hosts_section.tsx | 2 +-
 .../server/services/security/security.test.ts | 53 +++++++++++++++++++
 3 files changed, 56 insertions(+), 2 deletions(-)
diff --git a/x-pack/plugins/fleet/common/authz.ts b/x-pack/plugins/fleet/common/authz.ts
index 7399eb98a583b..409c5eac01d65 100644
--- a/x-pack/plugins/fleet/common/authz.ts
+++ b/x-pack/plugins/fleet/common/authz.ts
@@ -117,7 +117,8 @@ export const calculateAuthz = ({
 allSettings: fleet.settings?.all ?? false,
 allAgentPolicies: fleet.agentPolicies?.all ?? false,
 addAgents: fleet.agents?.all ?? false,
- addFleetServers: (fleet.agents?.all && fleet.settings?.all) ?? false,
+ addFleetServers:
+ (fleet.agents?.all && fleet.agentPolicies?.all && fleet.settings?.all) ?? false,
 // Setup is needed to access the Fleet UI
 setup:
 hasFleetAll ||
diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/settings/components/settings_page/fleet_server_hosts_section.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/settings/components/settings_page/fleet_server_hosts_section.tsx
index 51d1a0f98340e..bae62ce412e35 100644
--- a/x-pack/plugins/fleet/public/applications/fleet/sections/settings/components/settings_page/fleet_server_hosts_section.tsx
+++ b/x-pack/plugins/fleet/public/applications/fleet/sections/settings/components/settings_page/fleet_server_hosts_section.tsx
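Review bot: The new `addFleetServers` expression in the authz.ts hunk leans on `?? false` only for the case where one of the optional `fleet.*` objects is absent; when `fleet.agents?.all` is `false` the `&&` chain already produces `false` and the fallback never fires, so the line reads as doing more than it does. `addFleetServers: Boolean(fleet.agents?.all && fleet.agentPolicies?.all && fleet.settings?.all),` states the same rule without the nullish subtlety, and a one-line comment above it recording why AgentPolicies:All was added to the pair (presumably because adding a Fleet Server creates or updates an agent policy — confirm) would save the next reader a trip to the PR. Because the fleet_server_hosts_section.tsx hunk now keys the UI on this flag instead of `allSettings && allAgents`, any server route that still checks only the old pair would let a user lacking AgentPolicies:All do from the API what the UI now hides; the route handlers are not in this diff, so that is worth confirming. `calculateAuthz` continues outside the hunk.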
@@ -59,7 +59,7 @@ export const FleetServerHostsSection: React.FunctionComponent
- {authz.fleet.allSettings && authz.fleet.allAgents ? (
+ {authz.fleet.addFleetServers ? (
<> { expect(res.fleet.readAgents).toBe(false);
 });
 });
+
+ describe('Fleet addFleetServer', () => {
+ beforeEach(() => {
+ mockSecurity.authz.mode.useRbacForRequest.mockReturnValue(true);
+ });
+ it('should authorize user with Fleet:Agents:All Fleet:AgentsPolicies:All Fleet:Settings:All', async () => {
+ checkPrivileges.mockResolvedValue({
+ privileges: {
+ kibana: [
+ {
+ resource: 'default',
+ privilege: 'api:fleet-agents-all',
+ authorized: true,
+ },
+ {
+ resource: 'default',
+ privilege: 'api:fleet-agent-policies-all',
+ authorized: true,
+ },
+ {
+ resource: 'default',
+ privilege: 'api:fleet-settings-all',
+ authorized: true,
+ },
+ ],
+ elasticsearch: {} as any,
+ },
+ hasAllRequested: true,
+ username: 'test',
+ });
+ const res = await getAuthzFromRequest({} as any);
+ expect(res.fleet.addFleetServers).toBe(true);
+ });
+
+ it('should not authorize user with only Fleet:Agents:All', async () => {
+ checkPrivileges.mockResolvedValue({
+ privileges: {
+ kibana: [
+ {
+ resource: 'default',
+ privilege: 'api:fleet-agents-all',
+ authorized: true,
+ },
+ ],
+ elasticsearch: {} as any,
+ },
+ hasAllRequested: true,
+ username: 'test',
+ });
+ const res = await getAuthzFromRequest({} as any);
+ expect(res.fleet.addFleetServers).toBe(false);
+ });
+ });
 });