-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[EDR Workflows] Fix Endpoint list RBAC problems #199803
[EDR Workflows] Fix Endpoint list RBAC problems #199803
Conversation
7468e6c
to
63ca011
Compare
the test above is an acceptance test for desired behaviour, showing all 3 privilege issues in endpoint list which are fixed with this PR |
@elasticmachine merge upstream |
@elasticmachine merge upstream |
Pinging @elastic/security-defend-workflows (Team:Defend Workflows) |
@elasticmachine merge upstream |
@elasticmachine merge upstream |
@elasticmachine merge upstream |
hey @gergoabraham - thanks for working on this... could you post some screen captures of the UI for when the user has no authz to create integrations? especially around the views where changes were made. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hi @gergoabraham - did a code review (only - did not run it locally) and left a few questions
x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/middleware.ts
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/middleware.ts
Show resolved
Hide resolved
@elasticmachine merge upstream |
added a screenshot and a video to the issue description 🎥 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the changes and screen captures. 👍
cy.getByTestSubj('policyNameCellLink', { timeout: 3000 }).should('exist'); | ||
cy.getByTestSubj('policyNameCellLink', { timeout: 3000 }).within(() => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Timeout seems low here (3s
)... was this intentional?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for catching that! it was not intentional to keep them. i shortened the timeouts at the start of implementation, so the test used as an acceptance test capturing the bugs fails faster on my machine and on CI, but now we don't need these ✅
99a2c18
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work, code LGTM. Thanks for extensive test coverage :)
it(`should set canAccessFleet to ${value} if \`fleet.all\` is ${value}`, () => { | ||
fleetAuthz.fleet.all = value; | ||
expect(calculateEndpointAuthz(licenseService, fleetAuthz, userRoles).canAccessFleet).toBe( | ||
value | ||
); | ||
}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could this be a duplication of the one on line 100?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
indeed it is! 🦅 👁️ !
9810335
* @param capabilities Capabilities from coreStart.application | ||
*/ | ||
export const canFetchPackageAndAgentPolicies = (capabilities: Capabilities): boolean => { | ||
const canReadPolicyManagement = (capabilities.siem?.readPolicyManagement ?? false) as boolean; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: const canReadPolicyManagement = Boolean(capabilities.siem?.readPolicyManagement);
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
here I see why using Boolean()
helps, as we can get rid off the nullish coalescing operator, but...
(fleetv2?.agent_policies_read === true || | ||
fleetv2?.agent_policies_read === undefined)) as boolean; | ||
|
||
const canReadIntegrations = capabilities.fleet?.read as boolean; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: const canReadIntegrations = Boolean(capabilities.fleet?.read);
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
here, i don't. i'm curious about your opinion: why do you prefer the Boolean()
constructor to the as boolean
type assertion here?
(changed anyway : ) 95eb39f)
|
||
const fleetv2 = capabilities.fleetv2; | ||
const canReadFleetAgentPolicies = (fleetv2?.read && | ||
(fleetv2?.agent_policies_read === true || |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: A little bit hard to follow these conditions, wouldn't it come down to
(capabilities.fleetv2?.agent_policies_read ?? true)
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, it comes to that. the idea was to be able to read it as we accept either true
or undefined
, but yeah, maybe simply a fallback to the true
value is more readable
de27c61
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]Async chunks
History
|
@elasticmachine merge upstream |
There are no new commits on the base branch. |
Starting backport for target branches: 8.x |
## Summary This PR fixes multiple Endpoint list privilege issues. It can be reviewed commit-by-commit so the fixes are mostly separated (although some solutions and tests are reused, hence the reason to have them in one pr): - a3311ad fixes issue when during onboarding (no hosts, policies are indiferent) calls are made to `GET api/fleet/package_policies` without correct privilege (needs policy management READ or fleet:READ+integration:READ), and causes `Forbidden` page. ([issue](elastic/security-team#10581)) _UI_: we display the usual 'onboarding without correct privileges' UI for users <img width="1958" alt="image" src="https://github.com/user-attachments/assets/9e1701cc-9c3d-4a80-9c7a-df792d88dab3"> - 63ca011 fixes issue when during onboarding (no hosts, no policies) the `Add Elastic Defend` button was shown when user had `Fleet:ALL` and `Integrations:READ` privilege, while both should be `ALL` in order to be able to create an integration policy ([issue](elastic/security-team#10765)) _UI_: the 'Add Elastic Defend' button is hidden, so the result is the same as above https://github.com/user-attachments/assets/87fe3a95-131d-484b-8ca0-d06c4caafee1 - ffafa14 fixes issue when after having hosts in Endpoint list and we're calling `POST api/fleet/package_policies/_bulk_get` without privilege (needs policy management READ or fleet:READ+integration:READ), which does not cause any visible issue, but is logged to dev console ([issue](elastic/security-team#10580)) some additions: - c7021b3 adds an acceptance test for all 3 issues above, with failing test run [here](https://buildkite.com/elastic/kibana-pull-request/builds/250428#019320cf-c433-4979-a998-d0f8b8f7be16). - 8e10847 enables policy list integration test, this closes elastic#169133 ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed --------- Co-authored-by: Elastic Machine <[email protected]> (cherry picked from commit 2fa8f47)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
) # Backport This will backport the following commits from `main` to `8.x`: - [[EDR Workflows] Fix Endpoint list RBAC problems (#199803)](#199803) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Gergő Ábrahám","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-12-10T10:46:03Z","message":"[EDR Workflows] Fix Endpoint list RBAC problems (#199803)\n\n## Summary\r\n\r\nThis PR fixes multiple Endpoint list privilege issues. It can be\r\nreviewed commit-by-commit so the fixes are mostly separated (although\r\nsome solutions and tests are reused, hence the reason to have them in\r\none pr):\r\n- a3311ad fixes issue when during\r\nonboarding (no hosts, policies are indiferent) calls are made to `GET\r\napi/fleet/package_policies` without correct privilege (needs policy\r\nmanagement READ or fleet:READ+integration:READ), and causes `Forbidden`\r\npage. ([issue](https://github.com/elastic/security-team/issues/10581))\r\n_UI_: we display the usual 'onboarding without correct privileges' UI\r\nfor users\r\n<img width=\"1958\" alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/9e1701cc-9c3d-4a80-9c7a-df792d88dab3\">\r\n\r\n\r\n- 63ca011 fixes issue when during\r\nonboarding (no hosts, no policies) the `Add Elastic Defend` button was\r\nshown when user had `Fleet:ALL` and `Integrations:READ` privilege, while\r\nboth should be `ALL` in order to be able to create an integration policy\r\n([issue](https://github.com/elastic/security-team/issues/10765))\r\n_UI_: the 'Add Elastic Defend' button is hidden, so the result is the\r\nsame as above\r\n\r\n\r\nhttps://github.com/user-attachments/assets/87fe3a95-131d-484b-8ca0-d06c4caafee1\r\n\r\n\r\n- ffafa14 fixes issue when after having\r\nhosts in Endpoint list and we're calling `POST\r\napi/fleet/package_policies/_bulk_get` without privilege (needs policy\r\nmanagement READ or fleet:READ+integration:READ), which does not cause\r\nany visible issue, but is logged to dev console\r\n([issue](https://github.com/elastic/security-team/issues/10580))\r\n\r\nsome additions:\r\n- c7021b3 adds an acceptance test for\r\nall 3 issues above, with failing test run\r\n[here](https://buildkite.com/elastic/kibana-pull-request/builds/250428#019320cf-c433-4979-a998-d0f8b8f7be16).\r\n- 8e10847 enables policy list\r\nintegration test, this closes #169133\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [ ] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"2fa8f47064c9aeac378f9c547dc13482de7cb566","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Defend Workflows","backport:prev-minor"],"title":"[EDR Workflows] Fix Endpoint list RBAC problems","number":199803,"url":"https://github.com/elastic/kibana/pull/199803","mergeCommit":{"message":"[EDR Workflows] Fix Endpoint list RBAC problems (#199803)\n\n## Summary\r\n\r\nThis PR fixes multiple Endpoint list privilege issues. It can be\r\nreviewed commit-by-commit so the fixes are mostly separated (although\r\nsome solutions and tests are reused, hence the reason to have them in\r\none pr):\r\n- a3311ad fixes issue when during\r\nonboarding (no hosts, policies are indiferent) calls are made to `GET\r\napi/fleet/package_policies` without correct privilege (needs policy\r\nmanagement READ or fleet:READ+integration:READ), and causes `Forbidden`\r\npage. ([issue](https://github.com/elastic/security-team/issues/10581))\r\n_UI_: we display the usual 'onboarding without correct privileges' UI\r\nfor users\r\n<img width=\"1958\" alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/9e1701cc-9c3d-4a80-9c7a-df792d88dab3\">\r\n\r\n\r\n- 63ca011 fixes issue when during\r\nonboarding (no hosts, no policies) the `Add Elastic Defend` button was\r\nshown when user had `Fleet:ALL` and `Integrations:READ` privilege, while\r\nboth should be `ALL` in order to be able to create an integration policy\r\n([issue](https://github.com/elastic/security-team/issues/10765))\r\n_UI_: the 'Add Elastic Defend' button is hidden, so the result is the\r\nsame as above\r\n\r\n\r\nhttps://github.com/user-attachments/assets/87fe3a95-131d-484b-8ca0-d06c4caafee1\r\n\r\n\r\n- ffafa14 fixes issue when after having\r\nhosts in Endpoint list and we're calling `POST\r\napi/fleet/package_policies/_bulk_get` without privilege (needs policy\r\nmanagement READ or fleet:READ+integration:READ), which does not cause\r\nany visible issue, but is logged to dev console\r\n([issue](https://github.com/elastic/security-team/issues/10580))\r\n\r\nsome additions:\r\n- c7021b3 adds an acceptance test for\r\nall 3 issues above, with failing test run\r\n[here](https://buildkite.com/elastic/kibana-pull-request/builds/250428#019320cf-c433-4979-a998-d0f8b8f7be16).\r\n- 8e10847 enables policy list\r\nintegration test, this closes #169133\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [ ] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"2fa8f47064c9aeac378f9c547dc13482de7cb566"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/199803","number":199803,"mergeCommit":{"message":"[EDR Workflows] Fix Endpoint list RBAC problems (#199803)\n\n## Summary\r\n\r\nThis PR fixes multiple Endpoint list privilege issues. It can be\r\nreviewed commit-by-commit so the fixes are mostly separated (although\r\nsome solutions and tests are reused, hence the reason to have them in\r\none pr):\r\n- a3311ad fixes issue when during\r\nonboarding (no hosts, policies are indiferent) calls are made to `GET\r\napi/fleet/package_policies` without correct privilege (needs policy\r\nmanagement READ or fleet:READ+integration:READ), and causes `Forbidden`\r\npage. ([issue](https://github.com/elastic/security-team/issues/10581))\r\n_UI_: we display the usual 'onboarding without correct privileges' UI\r\nfor users\r\n<img width=\"1958\" alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/9e1701cc-9c3d-4a80-9c7a-df792d88dab3\">\r\n\r\n\r\n- 63ca011 fixes issue when during\r\nonboarding (no hosts, no policies) the `Add Elastic Defend` button was\r\nshown when user had `Fleet:ALL` and `Integrations:READ` privilege, while\r\nboth should be `ALL` in order to be able to create an integration policy\r\n([issue](https://github.com/elastic/security-team/issues/10765))\r\n_UI_: the 'Add Elastic Defend' button is hidden, so the result is the\r\nsame as above\r\n\r\n\r\nhttps://github.com/user-attachments/assets/87fe3a95-131d-484b-8ca0-d06c4caafee1\r\n\r\n\r\n- ffafa14 fixes issue when after having\r\nhosts in Endpoint list and we're calling `POST\r\napi/fleet/package_policies/_bulk_get` without privilege (needs policy\r\nmanagement READ or fleet:READ+integration:READ), which does not cause\r\nany visible issue, but is logged to dev console\r\n([issue](https://github.com/elastic/security-team/issues/10580))\r\n\r\nsome additions:\r\n- c7021b3 adds an acceptance test for\r\nall 3 issues above, with failing test run\r\n[here](https://buildkite.com/elastic/kibana-pull-request/builds/250428#019320cf-c433-4979-a998-d0f8b8f7be16).\r\n- 8e10847 enables policy list\r\nintegration test, this closes #169133\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [ ] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"2fa8f47064c9aeac378f9c547dc13482de7cb566"}}]}] BACKPORT--> Co-authored-by: Gergő Ábrahám <[email protected]>
## Summary This PR fixes multiple Endpoint list privilege issues. It can be reviewed commit-by-commit so the fixes are mostly separated (although some solutions and tests are reused, hence the reason to have them in one pr): - a3311ad fixes issue when during onboarding (no hosts, policies are indiferent) calls are made to `GET api/fleet/package_policies` without correct privilege (needs policy management READ or fleet:READ+integration:READ), and causes `Forbidden` page. ([issue](elastic/security-team#10581)) _UI_: we display the usual 'onboarding without correct privileges' UI for users <img width="1958" alt="image" src="https://github.com/user-attachments/assets/9e1701cc-9c3d-4a80-9c7a-df792d88dab3"> - 63ca011 fixes issue when during onboarding (no hosts, no policies) the `Add Elastic Defend` button was shown when user had `Fleet:ALL` and `Integrations:READ` privilege, while both should be `ALL` in order to be able to create an integration policy ([issue](elastic/security-team#10765)) _UI_: the 'Add Elastic Defend' button is hidden, so the result is the same as above https://github.com/user-attachments/assets/87fe3a95-131d-484b-8ca0-d06c4caafee1 - ffafa14 fixes issue when after having hosts in Endpoint list and we're calling `POST api/fleet/package_policies/_bulk_get` without privilege (needs policy management READ or fleet:READ+integration:READ), which does not cause any visible issue, but is logged to dev console ([issue](elastic/security-team#10580)) some additions: - c7021b3 adds an acceptance test for all 3 issues above, with failing test run [here](https://buildkite.com/elastic/kibana-pull-request/builds/250428#019320cf-c433-4979-a998-d0f8b8f7be16). - 8e10847 enables policy list integration test, this closes elastic#169133 ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed --------- Co-authored-by: Elastic Machine <[email protected]>
Summary
This PR fixes multiple Endpoint list privilege issues. It can be reviewed commit-by-commit so the fixes are mostly separated (although some solutions and tests are reused, hence the reason to have them in one pr):
GET api/fleet/package_policies
without correct privilege (needs policy management READ or fleet:READ+integration:READ), and causesForbidden
page. (issue)UI: we display the usual 'onboarding without correct privileges' UI for users
Add Elastic Defend
button was shown when user hadFleet:ALL
andIntegrations:READ
privilege, while both should beALL
in order to be able to create an integration policy (issue)UI: the 'Add Elastic Defend' button is hidden, so the result is the same as above
Screen.Recording.2024-12-04.at.15.39.56.mov
POST api/fleet/package_policies/_bulk_get
without privilege (needs policy management READ or fleet:READ+integration:READ), which does not cause any visible issue, but is logged to dev console (issue)some additions:
Checklist
Delete any items that are not applicable to this PR.