# Backport This will backport the following commits from `main` to `8.16`: - [[Authz] OAS Descriptions for Route Authz (#197001)](#197001) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Sid","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-28T14:12:23Z","message":"[Authz] OAS Descriptions for Route Authz (#197001)\n\nCloses https://github.com/elastic/kibana/issues/191714\r\n\r\n## Summary\r\n\r\nUpdate process router to generate authz descriptions based on the new\r\nRoute Security objects.\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"a1684580bc3d6a54dc7e4375384ebaee1410b186","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","Team:Security","enhancement","Feature:Security/Authorization","Feature:Hardening","v9.0.0","backport:prev-major"],"number":197001,"url":"https://github.com/elastic/kibana/pull/197001","mergeCommit":{"message":"[Authz] OAS Descriptions for Route Authz (#197001)\n\nCloses https://github.com/elastic/kibana/issues/191714\r\n\r\n## Summary\r\n\r\nUpdate process router to generate authz descriptions based on the new\r\nRoute Security objects.\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email 
protected]>\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"a1684580bc3d6a54dc7e4375384ebaee1410b186"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/197001","number":197001,"mergeCommit":{"message":"[Authz] OAS Descriptions for Route Authz (#197001)\n\nCloses https://github.com/elastic/kibana/issues/191714\r\n\r\n## Summary\r\n\r\nUpdate process router to generate authz descriptions based on the new\r\nRoute Security objects.\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"a1684580bc3d6a54dc7e4375384ebaee1410b186"}},{"url":"https://github.com/elastic/kibana/pull/198055","number":198055,"branch":"8.x","state":"OPEN"}]}] BACKPORT-->
1 parent
8c36e4a
commit e1e98ad
Showing
8 changed files
with
218 additions
and
5 deletions.
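--- a/packages/kbn-router-to-openapispec/src/extract_authz_description.test.ts
+++ b/packages/kbn-router-to-openapispec/src/extract_authz_description.test.ts
@@ -0,0 +1,81 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { schema } from '@kbn/config-schema';
+import { extractAuthzDescription } from './extract_authz_description';
+import { InternalRouterRoute } from './type';
+import { RouteSecurity } from '@kbn/core-http-server';
+
+describe('extractAuthzDescription', () => {
+it('should return empty if route does not require privileges', () => {
+const route: InternalRouterRoute = {
+path: '/foo',
+options: { access: 'internal' },
+handler: jest.fn(),
+validationSchemas: { request: { body: schema.object({}) } },
+method: 'get',
+isVersioned: false,
+};
+const description = extractAuthzDescription(route.security);
+expect(description).toBe('');
+});
+
+it('should return route authz description for simple privileges', () => {
+const routeSecurity: RouteSecurity = {
+authz: {
+requiredPrivileges: ['manage_spaces'],
+},
+};
+const description = extractAuthzDescription(routeSecurity);
+expect(description).toBe('[Authz] Route required privileges: ALL of [manage_spaces].');
+});
+
+it('should return route authz description for privilege groups', () => {
+{
+const routeSecurity: RouteSecurity = {
+authz: {
+requiredPrivileges: [{ allRequired: ['console'] }],
+},
+};
+const description = extractAuthzDescription(routeSecurity);
+expect(description).toBe('[Authz] Route required privileges: ALL of [console].');
+}
+{
+const routeSecurity: RouteSecurity = {
+authz: {
+requiredPrivileges: [
+{
+anyRequired: ['manage_spaces', 'taskmanager'],
+},
+],
+},
+};
+const description = extractAuthzDescription(routeSecurity);
+expect(description).toBe(
+'[Authz] Route required privileges: ANY of [manage_spaces OR taskmanager].'
+);
+}
+{
+const routeSecurity: RouteSecurity = {
+authz: {
+requiredPrivileges: [
+{
+allRequired: ['console', 'filesManagement'],
+anyRequired: ['manage_spaces', 'taskmanager'],
+},
+],
+},
+};
+const description = extractAuthzDescription(routeSecurity);
+expect(description).toBe(
+'[Authz] Route required privileges: ALL of [console, filesManagement] AND ANY of [manage_spaces OR taskmanager].'
+);
+}
+});
+});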
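Review bot: The suite never exercises the `enabled === false` branch of extractAuthzDescription, nor a `requiredPrivileges` array that is empty or that holds more than one privilege group, so the guard that hides disabled-authz routes from the generated OAS text and the merging logic for several groups are both unverified. The first test also only covers the `undefined` input indirectly, since `route` carries no `security` field at all; an explicit `extractAuthzDescription(undefined)` assertion would make that intent visible. Adding one case with `authz: { enabled: false, ... }` expecting `''`, and one with two `{ anyRequired: [...] }` groups pinning the exact string the implementation is meant to produce, would close those gaps; the latter is worth writing first, because it documents whether the groups are meant to be rendered as one `ANY of` list or as separate clauses.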
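--- a/packages/kbn-router-to-openapispec/src/extract_authz_description.ts
+++ b/packages/kbn-router-to-openapispec/src/extract_authz_description.ts
@@ -0,0 +1,60 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import type { AuthzEnabled, AuthzDisabled, InternalRouteSecurity } from '@kbn/core-http-server';
+
+interface PrivilegeGroupValue {
+allRequired: string[];
+anyRequired: string[];
+}
+
+export const extractAuthzDescription = (routeSecurity: InternalRouteSecurity | undefined) => {
+if (!routeSecurity) {
+return '';
+}
+if (!('authz' in routeSecurity) || (routeSecurity.authz as AuthzDisabled).enabled === false) {
+return '';
+}
+
+const privileges = (routeSecurity.authz as AuthzEnabled).requiredPrivileges;
+
+const groupedPrivileges = privileges.reduce<PrivilegeGroupValue>(
+(groups, privilege) => {
+if (typeof privilege === 'string') {
+groups.allRequired.push(privilege);
+
+return groups;
+}
+groups.allRequired.push(...(privilege.allRequired ?? []));
+groups.anyRequired.push(...(privilege.anyRequired ?? []));
+
+return groups;
+},
+{
+anyRequired: [],
+allRequired: [],
+}
+);
+
+const getPrivilegesDescription = (allRequired: string[], anyRequired: string[]) => {
+const allDescription = allRequired.length ? `ALL of [${allRequired.join(', ')}]` : '';
+const anyDescription = anyRequired.length ? `ANY of [${anyRequired.join(' OR ')}]` : '';
+
+return `${allDescription}${allDescription && anyDescription ? ' AND ' : ''}${anyDescription}`;
+};
+
+const getDescriptionForRoute = () => {
+const allRequired = [...groupedPrivileges.allRequired];
+const anyRequired = [...groupedPrivileges.anyRequired];
+
+return `Route required privileges: ${getPrivilegesDescription(allRequired, anyRequired)}.`;
+};
+
+return `[Authz] ${getDescriptionForRoute()}`;
+};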
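Review bot: The reduce over `privileges` concatenates the `anyRequired` lists of every privilege group into one array, so two groups `{ anyRequired: ['a', 'b'] }` and `{ anyRequired: ['c', 'd'] }` are rendered as `ANY of [a OR b OR c OR d]`; if, as the array type suggests, each entry of `requiredPrivileges` has to be satisfied on its own, the published OAS text then describes a weaker requirement than the route actually enforces, which is the wrong direction for authorization documentation. Keeping the `anyRequired` groups separate and joining every clause with `' AND '` renders them faithfully and also makes the two inner closures and the array copies in `getDescriptionForRoute` unnecessary, since the copies are never mutated. The two `as AuthzDisabled` / `as AuthzEnabled` casts could be replaced by narrowing on `'enabled' in routeSecurity.authz`, which keeps the compiler involved if the union changes. A route whose `requiredPrivileges` is empty currently yields `[Authz] Route required privileges: .`; the rewrite below keeps that behaviour, so an explicit `if (privileges.length === 0) return '';` guard is worth considering as a separate decision.
```typescript
export const extractAuthzDescription = (routeSecurity: InternalRouteSecurity | undefined) => {
  // … unchanged: undefined and disabled-authz guards …
  const privileges = (routeSecurity.authz as AuthzEnabled).requiredPrivileges;

  // Plain strings and `allRequired` entries are all ANDed, so they can be merged;
  // each `anyRequired` list is its own clause and must stay separate.
  const allRequired: string[] = [];
  const anyRequiredGroups: string[][] = [];
  for (const privilege of privileges) {
    if (typeof privilege === 'string') {
      allRequired.push(privilege);
      continue;
    }
    allRequired.push(...(privilege.allRequired ?? []));
    if (privilege.anyRequired?.length) {
      anyRequiredGroups.push(privilege.anyRequired);
    }
  }

  const clauses = [
    allRequired.length ? `ALL of [${allRequired.join(', ')}]` : '',
    ...anyRequiredGroups.map((group) => `ANY of [${group.join(' OR ')}]`),
  ].filter((clause) => clause !== '');

  return `[Authz] Route required privileges: ${clauses.join(' AND ')}.`;
};
```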