Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[EDR Workflows] Fix Endpoint list RBAC problems #199803

Merged

Conversation

gergoabraham
Copy link
Contributor

@gergoabraham gergoabraham commented Nov 12, 2024

Summary

This PR fixes multiple Endpoint list privilege issues. It can be reviewed commit-by-commit so the fixes are mostly separated (although some solutions and tests are reused, hence the reason to have them in one pr):

  • a3311ad fixes issue when during onboarding (no hosts, policies are indiferent) calls are made to GET api/fleet/package_policies without correct privilege (needs policy management READ or fleet:READ+integration:READ), and causes Forbidden page. (issue)
    UI: we display the usual 'onboarding without correct privileges' UI for users
image
  • 63ca011 fixes issue when during onboarding (no hosts, no policies) the Add Elastic Defend button was shown when user had Fleet:ALL and Integrations:READ privilege, while both should be ALL in order to be able to create an integration policy (issue)
    UI: the 'Add Elastic Defend' button is hidden, so the result is the same as above
Screen.Recording.2024-12-04.at.15.39.56.mov
  • ffafa14 fixes issue when after having hosts in Endpoint list and we're calling POST api/fleet/package_policies/_bulk_get without privilege (needs policy management READ or fleet:READ+integration:READ), which does not cause any visible issue, but is logged to dev console (issue)

some additions:

Checklist

Delete any items that are not applicable to this PR.

@gergoabraham gergoabraham added release_note:skip Skip the PR/issue when compiling release notes Team:Defend Workflows “EDR Workflows” sub-team of Security Solution labels Nov 12, 2024
@gergoabraham gergoabraham self-assigned this Nov 12, 2024
@gergoabraham gergoabraham force-pushed the fix-endpoint-list-rbac-problems branch from 7468e6c to 63ca011 Compare November 22, 2024 17:48
@gergoabraham
Copy link
Contributor Author

💔 Build Failed

Failed CI Steps

Metrics [docs]

✅ unchanged

History

cc @gergoabraham

the test above is an acceptance test for desired behaviour, showing all 3 privilege issues in endpoint list which are fixed with this PR

@gergoabraham
Copy link
Contributor Author

@elasticmachine merge upstream

@gergoabraham
Copy link
Contributor Author

@elasticmachine merge upstream

@gergoabraham gergoabraham marked this pull request as ready for review November 25, 2024 11:30
@gergoabraham gergoabraham requested a review from a team as a code owner November 25, 2024 11:30
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

@gergoabraham gergoabraham added the backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) label Nov 25, 2024
@gergoabraham
Copy link
Contributor Author

@elasticmachine merge upstream

@gergoabraham
Copy link
Contributor Author

@elasticmachine merge upstream

@gergoabraham
Copy link
Contributor Author

@elasticmachine merge upstream

@paul-tavares
Copy link
Contributor

hey @gergoabraham - thanks for working on this... could you post some screen captures of the UI for when the user has no authz to create integrations? especially around the views where changes were made.

Copy link
Contributor

@paul-tavares paul-tavares left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hi @gergoabraham - did a code review (only - did not run it locally) and left a few questions

@gergoabraham
Copy link
Contributor Author

@elasticmachine merge upstream

@gergoabraham
Copy link
Contributor Author

hey @gergoabraham - thanks for working on this... could you post some screen captures of the UI for when the user has no authz to create integrations? especially around the views where changes were made.

added a screenshot and a video to the issue description 🎥

Copy link
Contributor

@paul-tavares paul-tavares left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the changes and screen captures. 👍

Comment on lines 187 to 188
cy.getByTestSubj('policyNameCellLink', { timeout: 3000 }).should('exist');
cy.getByTestSubj('policyNameCellLink', { timeout: 3000 }).within(() => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Timeout seems low here (3s)... was this intentional?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for catching that! it was not intentional to keep them. i shortened the timeouts at the start of implementation, so the test used as an acceptance test capturing the bugs fails faster on my machine and on CI, but now we don't need these ✅
99a2c18

@gergoabraham gergoabraham requested review from a team, pzl and szwarckonrad and removed request for ashokaditya and a team December 5, 2024 08:14
Copy link
Contributor

@szwarckonrad szwarckonrad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work, code LGTM. Thanks for extensive test coverage :)

Comment on lines 129 to 134
it(`should set canAccessFleet to ${value} if \`fleet.all\` is ${value}`, () => {
fleetAuthz.fleet.all = value;
expect(calculateEndpointAuthz(licenseService, fleetAuthz, userRoles).canAccessFleet).toBe(
value
);
});
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could this be a duplication of the one on line 100?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

indeed it is! 🦅 👁️ !
9810335

* @param capabilities Capabilities from coreStart.application
*/
export const canFetchPackageAndAgentPolicies = (capabilities: Capabilities): boolean => {
const canReadPolicyManagement = (capabilities.siem?.readPolicyManagement ?? false) as boolean;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: const canReadPolicyManagement = Boolean(capabilities.siem?.readPolicyManagement);

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

here I see why using Boolean() helps, as we can get rid off the nullish coalescing operator, but...

95eb39f

(fleetv2?.agent_policies_read === true ||
fleetv2?.agent_policies_read === undefined)) as boolean;

const canReadIntegrations = capabilities.fleet?.read as boolean;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: const canReadIntegrations = Boolean(capabilities.fleet?.read);

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

here, i don't. i'm curious about your opinion: why do you prefer the Boolean() constructor to the as boolean type assertion here?

(changed anyway : ) 95eb39f)


const fleetv2 = capabilities.fleetv2;
const canReadFleetAgentPolicies = (fleetv2?.read &&
(fleetv2?.agent_policies_read === true ||
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: A little bit hard to follow these conditions, wouldn't it come down to
(capabilities.fleetv2?.agent_policies_read ?? true) ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, it comes to that. the idea was to be able to read it as we accept either true or undefined, but yeah, maybe simply a fallback to the true value is more readable
de27c61

@gergoabraham gergoabraham enabled auto-merge (squash) December 9, 2024 14:39
@elasticmachine
Copy link
Contributor

elasticmachine commented Dec 10, 2024

💛 Build succeeded, but was flaky

Failed CI Steps

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 14.7MB 14.7MB +1.5KB

History

cc @gergoabraham

@gergoabraham
Copy link
Contributor Author

@elasticmachine merge upstream

@elasticmachine
Copy link
Contributor

There are no new commits on the base branch.

@gergoabraham gergoabraham merged commit 2fa8f47 into elastic:main Dec 10, 2024
8 checks passed
@kibanamachine
Copy link
Contributor

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/12254468101

kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Dec 10, 2024
## Summary

This PR fixes multiple Endpoint list privilege issues. It can be
reviewed commit-by-commit so the fixes are mostly separated (although
some solutions and tests are reused, hence the reason to have them in
one pr):
- a3311ad fixes issue when during
onboarding (no hosts, policies are indiferent) calls are made to `GET
api/fleet/package_policies` without correct privilege (needs policy
management READ or fleet:READ+integration:READ), and causes `Forbidden`
page. ([issue](elastic/security-team#10581))
_UI_: we display the usual 'onboarding without correct privileges' UI
for users
<img width="1958" alt="image"
src="https://github.com/user-attachments/assets/9e1701cc-9c3d-4a80-9c7a-df792d88dab3">

- 63ca011 fixes issue when during
onboarding (no hosts, no policies) the `Add Elastic Defend` button was
shown when user had `Fleet:ALL` and `Integrations:READ` privilege, while
both should be `ALL` in order to be able to create an integration policy
([issue](elastic/security-team#10765))
_UI_: the 'Add Elastic Defend' button is hidden, so the result is the
same as above

https://github.com/user-attachments/assets/87fe3a95-131d-484b-8ca0-d06c4caafee1

- ffafa14 fixes issue when after having
hosts in Endpoint list and we're calling `POST
api/fleet/package_policies/_bulk_get` without privilege (needs policy
management READ or fleet:READ+integration:READ), which does not cause
any visible issue, but is logged to dev console
([issue](elastic/security-team#10580))

some additions:
- c7021b3 adds an acceptance test for
all 3 issues above, with failing test run
[here](https://buildkite.com/elastic/kibana-pull-request/builds/250428#019320cf-c433-4979-a998-d0f8b8f7be16).
- 8e10847 enables policy list
integration test, this closes elastic#169133

### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed

---------

Co-authored-by: Elastic Machine <[email protected]>
(cherry picked from commit 2fa8f47)
@kibanamachine
Copy link
Contributor

💚 All backports created successfully

Status Branch Result
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

kibanamachine added a commit that referenced this pull request Dec 10, 2024
)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[EDR Workflows] Fix Endpoint list RBAC problems
(#199803)](#199803)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Gergő
Ábrahám","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-12-10T10:46:03Z","message":"[EDR
Workflows] Fix Endpoint list RBAC problems (#199803)\n\n##
Summary\r\n\r\nThis PR fixes multiple Endpoint list privilege issues. It
can be\r\nreviewed commit-by-commit so the fixes are mostly separated
(although\r\nsome solutions and tests are reused, hence the reason to
have them in\r\none pr):\r\n- a3311ad
fixes issue when during\r\nonboarding (no hosts, policies are
indiferent) calls are made to `GET\r\napi/fleet/package_policies`
without correct privilege (needs policy\r\nmanagement READ or
fleet:READ+integration:READ), and causes `Forbidden`\r\npage.
([issue](https://github.com/elastic/security-team/issues/10581))\r\n_UI_:
we display the usual 'onboarding without correct privileges' UI\r\nfor
users\r\n<img width=\"1958\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/9e1701cc-9c3d-4a80-9c7a-df792d88dab3\">\r\n\r\n\r\n-
63ca011 fixes issue when
during\r\nonboarding (no hosts, no policies) the `Add Elastic Defend`
button was\r\nshown when user had `Fleet:ALL` and `Integrations:READ`
privilege, while\r\nboth should be `ALL` in order to be able to create
an integration
policy\r\n([issue](https://github.com/elastic/security-team/issues/10765))\r\n_UI_:
the 'Add Elastic Defend' button is hidden, so the result is the\r\nsame
as
above\r\n\r\n\r\nhttps://github.com/user-attachments/assets/87fe3a95-131d-484b-8ca0-d06c4caafee1\r\n\r\n\r\n-
ffafa14 fixes issue when after
having\r\nhosts in Endpoint list and we're calling
`POST\r\napi/fleet/package_policies/_bulk_get` without privilege (needs
policy\r\nmanagement READ or fleet:READ+integration:READ), which does
not cause\r\nany visible issue, but is logged to dev
console\r\n([issue](https://github.com/elastic/security-team/issues/10580))\r\n\r\nsome
additions:\r\n- c7021b3 adds an
acceptance test for\r\nall 3 issues above, with failing test
run\r\n[here](https://buildkite.com/elastic/kibana-pull-request/builds/250428#019320cf-c433-4979-a998-d0f8b8f7be16).\r\n-
8e10847 enables policy
list\r\nintegration test, this closes #169133\r\n\r\n\r\n###
Checklist\r\n\r\nDelete any items that are not applicable to this
PR.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [ ] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests changed\r\n\r\n---------\r\n\r\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"2fa8f47064c9aeac378f9c547dc13482de7cb566","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Defend
Workflows","backport:prev-minor"],"title":"[EDR Workflows] Fix Endpoint
list RBAC
problems","number":199803,"url":"https://github.com/elastic/kibana/pull/199803","mergeCommit":{"message":"[EDR
Workflows] Fix Endpoint list RBAC problems (#199803)\n\n##
Summary\r\n\r\nThis PR fixes multiple Endpoint list privilege issues. It
can be\r\nreviewed commit-by-commit so the fixes are mostly separated
(although\r\nsome solutions and tests are reused, hence the reason to
have them in\r\none pr):\r\n- a3311ad
fixes issue when during\r\nonboarding (no hosts, policies are
indiferent) calls are made to `GET\r\napi/fleet/package_policies`
without correct privilege (needs policy\r\nmanagement READ or
fleet:READ+integration:READ), and causes `Forbidden`\r\npage.
([issue](https://github.com/elastic/security-team/issues/10581))\r\n_UI_:
we display the usual 'onboarding without correct privileges' UI\r\nfor
users\r\n<img width=\"1958\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/9e1701cc-9c3d-4a80-9c7a-df792d88dab3\">\r\n\r\n\r\n-
63ca011 fixes issue when
during\r\nonboarding (no hosts, no policies) the `Add Elastic Defend`
button was\r\nshown when user had `Fleet:ALL` and `Integrations:READ`
privilege, while\r\nboth should be `ALL` in order to be able to create
an integration
policy\r\n([issue](https://github.com/elastic/security-team/issues/10765))\r\n_UI_:
the 'Add Elastic Defend' button is hidden, so the result is the\r\nsame
as
above\r\n\r\n\r\nhttps://github.com/user-attachments/assets/87fe3a95-131d-484b-8ca0-d06c4caafee1\r\n\r\n\r\n-
ffafa14 fixes issue when after
having\r\nhosts in Endpoint list and we're calling
`POST\r\napi/fleet/package_policies/_bulk_get` without privilege (needs
policy\r\nmanagement READ or fleet:READ+integration:READ), which does
not cause\r\nany visible issue, but is logged to dev
console\r\n([issue](https://github.com/elastic/security-team/issues/10580))\r\n\r\nsome
additions:\r\n- c7021b3 adds an
acceptance test for\r\nall 3 issues above, with failing test
run\r\n[here](https://buildkite.com/elastic/kibana-pull-request/builds/250428#019320cf-c433-4979-a998-d0f8b8f7be16).\r\n-
8e10847 enables policy
list\r\nintegration test, this closes #169133\r\n\r\n\r\n###
Checklist\r\n\r\nDelete any items that are not applicable to this
PR.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [ ] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests changed\r\n\r\n---------\r\n\r\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"2fa8f47064c9aeac378f9c547dc13482de7cb566"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/199803","number":199803,"mergeCommit":{"message":"[EDR
Workflows] Fix Endpoint list RBAC problems (#199803)\n\n##
Summary\r\n\r\nThis PR fixes multiple Endpoint list privilege issues. It
can be\r\nreviewed commit-by-commit so the fixes are mostly separated
(although\r\nsome solutions and tests are reused, hence the reason to
have them in\r\none pr):\r\n- a3311ad
fixes issue when during\r\nonboarding (no hosts, policies are
indiferent) calls are made to `GET\r\napi/fleet/package_policies`
without correct privilege (needs policy\r\nmanagement READ or
fleet:READ+integration:READ), and causes `Forbidden`\r\npage.
([issue](https://github.com/elastic/security-team/issues/10581))\r\n_UI_:
we display the usual 'onboarding without correct privileges' UI\r\nfor
users\r\n<img width=\"1958\"
alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/9e1701cc-9c3d-4a80-9c7a-df792d88dab3\">\r\n\r\n\r\n-
63ca011 fixes issue when
during\r\nonboarding (no hosts, no policies) the `Add Elastic Defend`
button was\r\nshown when user had `Fleet:ALL` and `Integrations:READ`
privilege, while\r\nboth should be `ALL` in order to be able to create
an integration
policy\r\n([issue](https://github.com/elastic/security-team/issues/10765))\r\n_UI_:
the 'Add Elastic Defend' button is hidden, so the result is the\r\nsame
as
above\r\n\r\n\r\nhttps://github.com/user-attachments/assets/87fe3a95-131d-484b-8ca0-d06c4caafee1\r\n\r\n\r\n-
ffafa14 fixes issue when after
having\r\nhosts in Endpoint list and we're calling
`POST\r\napi/fleet/package_policies/_bulk_get` without privilege (needs
policy\r\nmanagement READ or fleet:READ+integration:READ), which does
not cause\r\nany visible issue, but is logged to dev
console\r\n([issue](https://github.com/elastic/security-team/issues/10580))\r\n\r\nsome
additions:\r\n- c7021b3 adds an
acceptance test for\r\nall 3 issues above, with failing test
run\r\n[here](https://buildkite.com/elastic/kibana-pull-request/builds/250428#019320cf-c433-4979-a998-d0f8b8f7be16).\r\n-
8e10847 enables policy
list\r\nintegration test, this closes #169133\r\n\r\n\r\n###
Checklist\r\n\r\nDelete any items that are not applicable to this
PR.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [ ] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests changed\r\n\r\n---------\r\n\r\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"2fa8f47064c9aeac378f9c547dc13482de7cb566"}}]}]
BACKPORT-->

Co-authored-by: Gergő Ábrahám <[email protected]>
@gergoabraham gergoabraham deleted the fix-endpoint-list-rbac-problems branch December 10, 2024 12:54
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Dec 12, 2024
## Summary

This PR fixes multiple Endpoint list privilege issues. It can be
reviewed commit-by-commit so the fixes are mostly separated (although
some solutions and tests are reused, hence the reason to have them in
one pr):
- a3311ad fixes issue when during
onboarding (no hosts, policies are indiferent) calls are made to `GET
api/fleet/package_policies` without correct privilege (needs policy
management READ or fleet:READ+integration:READ), and causes `Forbidden`
page. ([issue](elastic/security-team#10581))
_UI_: we display the usual 'onboarding without correct privileges' UI
for users
<img width="1958" alt="image"
src="https://github.com/user-attachments/assets/9e1701cc-9c3d-4a80-9c7a-df792d88dab3">


- 63ca011 fixes issue when during
onboarding (no hosts, no policies) the `Add Elastic Defend` button was
shown when user had `Fleet:ALL` and `Integrations:READ` privilege, while
both should be `ALL` in order to be able to create an integration policy
([issue](elastic/security-team#10765))
_UI_: the 'Add Elastic Defend' button is hidden, so the result is the
same as above


https://github.com/user-attachments/assets/87fe3a95-131d-484b-8ca0-d06c4caafee1


- ffafa14 fixes issue when after having
hosts in Endpoint list and we're calling `POST
api/fleet/package_policies/_bulk_get` without privilege (needs policy
management READ or fleet:READ+integration:READ), which does not cause
any visible issue, but is logged to dev console
([issue](elastic/security-team#10580))

some additions:
- c7021b3 adds an acceptance test for
all 3 issues above, with failing test run
[here](https://buildkite.com/elastic/kibana-pull-request/builds/250428#019320cf-c433-4979-a998-d0f8b8f7be16).
- 8e10847 enables policy list
integration test, this closes elastic#169133


### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed

---------

Co-authored-by: Elastic Machine <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) release_note:skip Skip the PR/issue when compiling release notes Team:Defend Workflows “EDR Workflows” sub-team of Security Solution v8.18.0 v9.0.0
Projects
None yet
5 participants