-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Cases] [Security Solution] New cases subfeatures, add comments and reopen cases #194898
[Cases] [Security Solution] New cases subfeatures, add comments and reopen cases #194898
Conversation
Pinging @elastic/obs-ux-management-team (Team:obs-ux-management) |
This comment was marked as outdated.
This comment was marked as outdated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Focussed on features plugin and left a few nits that would be nice to address before merging.
createComment?: readonly string[]; | ||
reopenCases?: readonly string[]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: missing doc comments like other interface members
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will update, although I think the grammar for all of these doc blocks is a little unclear. Proposed change for all of them: "List of case owners whose users should have settings access when granted this privilege.", "List of case owners whose users should have comment creation access when granted this privilege." etc. cc @cnasikas
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good to me. Also could you please add a comment on top of the update
to mention that it does not include reopening a case?
@@ -151,6 +151,14 @@ function mergeWithSubFeatures( | |||
mergedConfig.cases?.settings ?? [], | |||
subFeaturePrivilege.cases?.settings ?? [] | |||
), | |||
createComment: mergeArrays( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: would you mind including these in the relevant unit test in x-pack/plugins/features/server/feature_privilege_iterator/feature_privilege_iterator.test.ts
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ya will update, although that seems like something that typescript should catch
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 for adding unit tests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Obs shared LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks okay, will also try to test it later today
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey! I did a first pass of the PR focusing mostly on the backend code. I left some comments.
@@ -171,6 +171,8 @@ export const DELETE_CASES_CAPABILITY = 'delete_cases' as const; | |||
export const PUSH_CASES_CAPABILITY = 'push_cases' as const; | |||
export const CASES_SETTINGS_CAPABILITY = 'cases_settings' as const; | |||
export const CASES_CONNECTORS_CAPABILITY = 'cases_connectors' as const; | |||
export const REOPEN_CASES_CAPABILITY = 'reopen_cases' as const; | |||
export const COMMENT_CASES_CAPABILITY = 'create_comment' as const; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
super nit: COMMENT_CASES_CAPABILITY
-> CREATE_COMMENT_CAPABILITY
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
createComment?: readonly string[]; | ||
reopenCases?: readonly string[]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good to me. Also could you please add a comment on top of the update
to mention that it does not include reopening a case?
@@ -151,6 +151,14 @@ function mergeWithSubFeatures( | |||
mergedConfig.cases?.settings ?? [], | |||
subFeaturePrivilege.cases?.settings ?? [] | |||
), | |||
createComment: mergeArrays( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 for adding unit tests.
@@ -148,6 +148,8 @@ export enum SecuritySubFeatureId { | |||
export enum CasesSubFeatureId { | |||
deleteCases = 'deleteCasesSubFeature', | |||
casesSettings = 'casesSettingsSubFeature', | |||
addComment = 'addCommentSubFeature', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Let's stick with the createComment*
terminology.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
const createCommentOperations = ['createComment'] as const; | ||
const reopenOperations = ['reopenCases'] as const; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Because they are single operations I think it is better if we do const createComment = 'createComment'
etc. Wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would prefer actually if we left this as is for consistency in the getCasesPrivilege
fn and the way allOperations
is built. Also the naming paradigm operations
maintains that consistency as well. Willing to make the change if you'd still like us to, but think this way is a bit simpler
@@ -51,15 +51,15 @@ describe('useStatusAction', () => { | |||
}, | |||
Object { | |||
"data-test-subj": "cases-bulk-action-status-in-progress", | |||
"disabled": false, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's keep the test with disabled: false
and then add some tests that test the disabled behavior.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
@@ -52,47 +52,6 @@ describe('useBulkActions', () => { | |||
Object { | |||
"id": 0, | |||
"items": Array [ | |||
Object { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's keep the test without removing the actions and then add some tests that test the disabled behavior.
const canChangeStatus = useMemo(() => { | ||
// User has full permissions | ||
if (permissions.update && permissions.reopenCases) { | ||
return false; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we return true
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yea, had to rethink this a bit
// User has full permissions | ||
if (permissions.update && permissions.reopenCases) { | ||
return false; | ||
} else { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: What do you think of escaping early the if statements?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rethought this file a bit. Hopefully it makes more sense now
import { useCasesContext } from '../cases_context/use_cases_context'; | ||
import { CaseStatuses } from '../../../common/types/domain'; | ||
|
||
export const useUserPermissions = ({ status }: { status?: CaseStatuses }) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: status
-> statusToAuthorize
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
obs-ux-management changes LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security Threat Hunting Explore code LGTM
8ec412d
to
10d7756
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks! Left a few minor nits.
notice: i18n.translate( | ||
'securitySolutionPackages.features.featureRegistry.linkSecuritySolutionCase.deprecationMessage', | ||
{ | ||
defaultMessage: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note
We don’t need to do anything right now, but eventually, when we start displaying this to our users, we might need to rephrase it since interactive users won’t understand what CASES_FEATURE_ID_V2
means.
minimal: [ | ||
{ | ||
feature: FEATURE_ID_V2, | ||
privileges: ['minimal_all', 'create_comment', 'case_reopen'], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we sorted this out! We only need minimal_all
, create_comment
, case_reopen
.
@@ -97,6 +123,7 @@ export const getCasesKibanaFeature = (): KibanaFeatureConfig => { | |||
delete: [APP_ID], | |||
}, | |||
ui: capabilities.delete, | |||
replacedBy: [{ feature: FEATURE_ID_V2, privileges: ['cases_delete'] }], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we use const here (same for settings)?
replacedBy: [{ feature: FEATURE_ID_V2, privileges: ['cases_delete'] }], | |
replacedBy: [{ feature: FEATURE_ID_V2, privileges: [CASES_DELETE_SUB_PRIVILEGE_ID] }], |
@@ -148,15 +148,15 @@ export default function catalogueTests({ getService }: FtrProviderContext) { | |||
expect(uiCapabilities.value!.catalogue).to.eql(expected); | |||
break; | |||
} | |||
case 'global_read at nothing_space': |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
question: do you need this change? I believe these xxx at nothing_space
should stay where they were, under the corresponding the nothing_space has no Kibana features enabled,....
comment.
@@ -80,11 +80,11 @@ export default function navLinksTests({ getService }: FtrProviderContext) { | |||
navLinksBuilder.only('kibana', 'foo', 'management') | |||
); | |||
break; | |||
case 'foo_all at nothing_space': |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: same comment here, there is no need to re-order these case
branches.
@@ -504,6 +506,9 @@ soc_manager: | |||
- feature_siem.execute_operations_all | |||
- feature_siem.scan_operations_all | |||
- feature_securitySolutionCases.all | |||
- feature_securitySolutionCasesV2.all | |||
- feature_observabilityCases.all | |||
- feature_observabilityCasesV2.all |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not quite sure why we need both v1 and v2 privileges in this file, cannot we just keep v2 ones?
🤖 GitHub commentsExpand to view the GitHub comments
Just comment with:
|
@azasypkin good catch, those were intended to be done in conjunction with https://github.com/elastic/elasticsearch-controller/pull/762 but since we are going to merge this pr, and then after the next serverless release, convert to v2 instead of having both defined at once, I removed them in 3aa925d |
💚 Build Succeeded
Metrics [docs]Module Count
Public APIs missing comments
Async chunks
Page load bundle
Unknown metric groupsAPI count
ESLint disabled line counts
Total ESLint disabled count
Unreferenced deprecated APIs
History
|
Starting backport for target branches: 8.x |
…eopen cases (elastic#194898) ## Summary This pr adds 2 new sub feature permissions to the cases plugin in stack/security/observability, that behave as follows. The first is for controlling the ability to reopen cases. When Cases has the read permission, and the reopen permission is not enabled, users have permissions as before. When enabled, users can move cases from closed to open/in progress, but nothing else. If a user has all and this permission, they can do anything as before, if the option is unselected, they can change case properties, and change a case from open to anything, in progress to anything, but if the case is closed, are unable to reopen it. The 2nd permission is 'Add comment'. When enabled and the user has case read permissions, users can add comments, but not make any other changes to the case. When the user has read and this deselected, read functions as before. When a user has this permission and cases is all, this functions as all. When they have all but this permission is deselected, the user can do everything normally, except add cases comments. ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Michael Olorunnisola <[email protected]> Co-authored-by: kibanamachine <[email protected]> (cherry picked from commit 0afae42)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
… and reopen cases (#194898) (#200807) # Backport This will backport the following commits from `main` to `8.x`: - [[Cases] [Security Solution] New cases subfeatures, add comments and reopen cases (#194898)](#194898) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Kevin Qualters","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-11-19T19:15:38Z","message":"[Cases] [Security Solution] New cases subfeatures, add comments and reopen cases (#194898)\n\n## Summary\r\n\r\nThis pr adds 2 new sub feature permissions to the cases plugin in\r\nstack/security/observability, that behave as follows. The first is for\r\ncontrolling the ability to reopen cases. When Cases has the read\r\npermission, and the reopen permission is not enabled, users have\r\npermissions as before. When enabled, users can move cases from closed to\r\nopen/in progress, but nothing else. If a user has all and this\r\npermission, they can do anything as before, if the option is unselected,\r\nthey can change case properties, and change a case from open to\r\nanything, in progress to anything, but if the case is closed, are unable\r\nto reopen it.\r\n\r\nThe 2nd permission is 'Add comment'. When enabled and the user has case\r\nread permissions, users can add comments, but not make any other changes\r\nto the case. When the user has read and this deselected, read functions\r\nas before. When a user has this permission and cases is all, this\r\nfunctions as all. When they have all but this permission is deselected,\r\nthe user can do everything normally, except add cases comments.\r\n\r\n### Checklist\r\n\r\n- [x] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [ ]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Michael Olorunnisola <[email protected]>\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"0afae423443ba13c47a263c4cbc270ea09942148","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["v9.0.0","release_note:feature","ci:project-deploy-observability","Team:obs-ux-management","apm:review","backport:version","v8.17.0"],"title":"[Cases] [Security Solution] New cases subfeatures, add comments and reopen cases","number":194898,"url":"https://github.com/elastic/kibana/pull/194898","mergeCommit":{"message":"[Cases] [Security Solution] New cases subfeatures, add comments and reopen cases (#194898)\n\n## Summary\r\n\r\nThis pr adds 2 new sub feature permissions to the cases plugin in\r\nstack/security/observability, that behave as follows. The first is for\r\ncontrolling the ability to reopen cases. When Cases has the read\r\npermission, and the reopen permission is not enabled, users have\r\npermissions as before. When enabled, users can move cases from closed to\r\nopen/in progress, but nothing else. If a user has all and this\r\npermission, they can do anything as before, if the option is unselected,\r\nthey can change case properties, and change a case from open to\r\nanything, in progress to anything, but if the case is closed, are unable\r\nto reopen it.\r\n\r\nThe 2nd permission is 'Add comment'. When enabled and the user has case\r\nread permissions, users can add comments, but not make any other changes\r\nto the case. When the user has read and this deselected, read functions\r\nas before. When a user has this permission and cases is all, this\r\nfunctions as all. When they have all but this permission is deselected,\r\nthe user can do everything normally, except add cases comments.\r\n\r\n### Checklist\r\n\r\n- [x] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [ ]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Michael Olorunnisola <[email protected]>\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"0afae423443ba13c47a263c4cbc270ea09942148"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/194898","number":194898,"mergeCommit":{"message":"[Cases] [Security Solution] New cases subfeatures, add comments and reopen cases (#194898)\n\n## Summary\r\n\r\nThis pr adds 2 new sub feature permissions to the cases plugin in\r\nstack/security/observability, that behave as follows. The first is for\r\ncontrolling the ability to reopen cases. When Cases has the read\r\npermission, and the reopen permission is not enabled, users have\r\npermissions as before. When enabled, users can move cases from closed to\r\nopen/in progress, but nothing else. If a user has all and this\r\npermission, they can do anything as before, if the option is unselected,\r\nthey can change case properties, and change a case from open to\r\nanything, in progress to anything, but if the case is closed, are unable\r\nto reopen it.\r\n\r\nThe 2nd permission is 'Add comment'. When enabled and the user has case\r\nread permissions, users can add comments, but not make any other changes\r\nto the case. When the user has read and this deselected, read functions\r\nas before. When a user has this permission and cases is all, this\r\nfunctions as all. When they have all but this permission is deselected,\r\nthe user can do everything normally, except add cases comments.\r\n\r\n### Checklist\r\n\r\n- [x] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [ ]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Michael Olorunnisola <[email protected]>\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"0afae423443ba13c47a263c4cbc270ea09942148"}},{"branch":"8.x","label":"v8.17.0","branchLabelMappingKey":"^v8.17.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Kevin Qualters <[email protected]>
… tests for failing case (#201517) ## Summary Currently, the partitionPatchRequest in x-pack/plugins/cases/server/client/cases/bulk_update.ts will not check a case properly if a case is being re-opened, instead of an else if in the loop comparing cases to cases in the request, the status logic should be outside of this set of if statements. If a case is being re-opened, the final else is never run, and casesToAuthorize is 0. This results in ensureAuthorized being called with an empty array of entities, and so the check always succeeds. To fix this, reopenedCases is still populated in the same loop, just not when casesToAuthorize logic is running as well. Also adds some missing tests for this and the create comment permission as requested in #194898. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
… tests for failing case (elastic#201517) ## Summary Currently, the partitionPatchRequest in x-pack/plugins/cases/server/client/cases/bulk_update.ts will not check a case properly if a case is being re-opened, instead of an else if in the loop comparing cases to cases in the request, the status logic should be outside of this set of if statements. If a case is being re-opened, the final else is never run, and casesToAuthorize is 0. This results in ensureAuthorized being called with an empty array of entities, and so the check always succeeds. To fix this, reopenedCases is still populated in the same loop, just not when casesToAuthorize logic is running as well. Also adds some missing tests for this and the create comment permission as requested in elastic#194898. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit 1c3bcea)
…gration tests for failing case (#201517) (#201554) # Backport This will backport the following commits from `main` to `8.17`: - [[Cases] Fix an issue with the reopen case permission, add integration tests for failing case (#201517)](#201517) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Kevin Qualters","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-11-25T11:12:43Z","message":"[Cases] Fix an issue with the reopen case permission, add integration tests for failing case (#201517)\n\n## Summary\r\n\r\nCurrently, the partitionPatchRequest in\r\nx-pack/plugins/cases/server/client/cases/bulk_update.ts will not check a\r\ncase properly if a case is being re-opened, instead of an else if in the\r\nloop comparing cases to cases in the request, the status logic should be\r\noutside of this set of if statements. If a case is being re-opened, the\r\nfinal else is never run, and casesToAuthorize is 0. This results in\r\nensureAuthorized being called with an empty array of entities, and so\r\nthe check always succeeds. To fix this, reopenedCases is still populated\r\nin the same loop, just not when casesToAuthorize logic is running as\r\nwell. Also adds some missing tests for this and the create comment\r\npermission as requested in\r\nhttps://github.com//pull/194898.\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"1c3bceacc06f5f8a01a2ffde2ec24f114717b396","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","Team:ResponseOps","v9.0.0","Team:Threat Hunting:Investigations","backport:version","v8.17.0"],"title":"[Cases] Fix an issue with the reopen case permission, add integration tests for failing case","number":201517,"url":"https://github.com/elastic/kibana/pull/201517","mergeCommit":{"message":"[Cases] Fix an issue with the reopen case permission, add integration tests for failing case (#201517)\n\n## Summary\r\n\r\nCurrently, the partitionPatchRequest in\r\nx-pack/plugins/cases/server/client/cases/bulk_update.ts will not check a\r\ncase properly if a case is being re-opened, instead of an else if in the\r\nloop comparing cases to cases in the request, the status logic should be\r\noutside of this set of if statements. If a case is being re-opened, the\r\nfinal else is never run, and casesToAuthorize is 0. This results in\r\nensureAuthorized being called with an empty array of entities, and so\r\nthe check always succeeds. To fix this, reopenedCases is still populated\r\nin the same loop, just not when casesToAuthorize logic is running as\r\nwell. Also adds some missing tests for this and the create comment\r\npermission as requested in\r\nhttps://github.com//pull/194898.\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"1c3bceacc06f5f8a01a2ffde2ec24f114717b396"}},"sourceBranch":"main","suggestedTargetBranches":["8.17"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/201517","number":201517,"mergeCommit":{"message":"[Cases] Fix an issue with the reopen case permission, add integration tests for failing case (#201517)\n\n## Summary\r\n\r\nCurrently, the partitionPatchRequest in\r\nx-pack/plugins/cases/server/client/cases/bulk_update.ts will not check a\r\ncase properly if a case is being re-opened, instead of an else if in the\r\nloop comparing cases to cases in the request, the status logic should be\r\noutside of this set of if statements. If a case is being re-opened, the\r\nfinal else is never run, and casesToAuthorize is 0. This results in\r\nensureAuthorized being called with an empty array of entities, and so\r\nthe check always succeeds. To fix this, reopenedCases is still populated\r\nin the same loop, just not when casesToAuthorize logic is running as\r\nwell. Also adds some missing tests for this and the create comment\r\npermission as requested in\r\nhttps://github.com//pull/194898.\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"1c3bceacc06f5f8a01a2ffde2ec24f114717b396"}},{"branch":"8.17","label":"v8.17.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Kevin Qualters <[email protected]>
…eopen cases (elastic#194898) ## Summary This pr adds 2 new sub feature permissions to the cases plugin in stack/security/observability, that behave as follows. The first is for controlling the ability to reopen cases. When Cases has the read permission, and the reopen permission is not enabled, users have permissions as before. When enabled, users can move cases from closed to open/in progress, but nothing else. If a user has all and this permission, they can do anything as before, if the option is unselected, they can change case properties, and change a case from open to anything, in progress to anything, but if the case is closed, are unable to reopen it. The 2nd permission is 'Add comment'. When enabled and the user has case read permissions, users can add comments, but not make any other changes to the case. When the user has read and this deselected, read functions as before. When a user has this permission and cases is all, this functions as all. When they have all but this permission is deselected, the user can do everything normally, except add cases comments. ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Michael Olorunnisola <[email protected]> Co-authored-by: kibanamachine <[email protected]>
… tests for failing case (elastic#201517) ## Summary Currently, the partitionPatchRequest in x-pack/plugins/cases/server/client/cases/bulk_update.ts will not check a case properly if a case is being re-opened, instead of an else if in the loop comparing cases to cases in the request, the status logic should be outside of this set of if statements. If a case is being re-opened, the final else is never run, and casesToAuthorize is 0. This results in ensureAuthorized being called with an empty array of entities, and so the check always succeeds. To fix this, reopenedCases is still populated in the same loop, just not when casesToAuthorize logic is running as well. Also adds some missing tests for this and the create comment permission as requested in elastic#194898. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
…eopen cases (elastic#194898) ## Summary This pr adds 2 new sub feature permissions to the cases plugin in stack/security/observability, that behave as follows. The first is for controlling the ability to reopen cases. When Cases has the read permission, and the reopen permission is not enabled, users have permissions as before. When enabled, users can move cases from closed to open/in progress, but nothing else. If a user has all and this permission, they can do anything as before, if the option is unselected, they can change case properties, and change a case from open to anything, in progress to anything, but if the case is closed, are unable to reopen it. The 2nd permission is 'Add comment'. When enabled and the user has case read permissions, users can add comments, but not make any other changes to the case. When the user has read and this deselected, read functions as before. When a user has this permission and cases is all, this functions as all. When they have all but this permission is deselected, the user can do everything normally, except add cases comments. ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Michael Olorunnisola <[email protected]> Co-authored-by: kibanamachine <[email protected]>
… tests for failing case (elastic#201517) ## Summary Currently, the partitionPatchRequest in x-pack/plugins/cases/server/client/cases/bulk_update.ts will not check a case properly if a case is being re-opened, instead of an else if in the loop comparing cases to cases in the request, the status logic should be outside of this set of if statements. If a case is being re-opened, the final else is never run, and casesToAuthorize is 0. This results in ensureAuthorized being called with an empty array of entities, and so the check always succeeds. To fix this, reopenedCases is still populated in the same loop, just not when casesToAuthorize logic is running as well. Also adds some missing tests for this and the create comment permission as requested in elastic#194898. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Summary
This pr adds 2 new sub feature permissions to the cases plugin in stack/security/observability, that behave as follows. The first is for controlling the ability to reopen cases. When Cases has the read permission, and the reopen permission is not enabled, users have permissions as before. When enabled, users can move cases from closed to open/in progress, but nothing else. If a user has all and this permission, they can do anything as before, if the option is unselected, they can change case properties, and change a case from open to anything, in progress to anything, but if the case is closed, are unable to reopen it.
The 2nd permission is 'Add comment'. When enabled and the user has case read permissions, users can add comments, but not make any other changes to the case. When the user has read and this deselected, read functions as before. When a user has this permission and cases is all, this functions as all. When they have all but this permission is deselected, the user can do everything normally, except add cases comments.
Checklist