[EDR Workflows] Fix Endpoint list RBAC problems #199803
@@ -8,6 +8,7 @@ | |
import type { ENDPOINT_PRIVILEGES, FleetAuthz } from '@kbn/fleet-plugin/common'; | ||
|
||
import { omit } from 'lodash'; | ||
import type { Capabilities } from '@kbn/core-capabilities-common'; | ||
import type { ProductFeaturesService } from '../../../../server/lib/product_features_service'; | ||
import { RESPONSE_CONSOLE_ACTION_COMMANDS_TO_REQUIRED_AUTHZ } from '../response_actions/constants'; | ||
import type { LicenseService } from '../../../license'; | ||
|
@@ -99,10 +100,19 @@ export const calculateEndpointAuthz = ( | |
const authz: EndpointAuthz = { | ||
canWriteSecuritySolution, | ||
canReadSecuritySolution, | ||
|
||
// --------------------------------------------------------- | ||
// Coming from Fleet authz | ||
// --------------------------------------------------------- | ||
canAccessFleet: fleetAuthz?.fleet.all ?? false, | ||
canReadFleetAgentPolicies: fleetAuthz?.fleet.readAgentPolicies ?? false, | ||
canWriteFleetAgents: fleetAuthz?.fleet.allAgents ?? false, | ||
canReadFleetAgents: fleetAuthz?.fleet.readAgents ?? false, | ||
canWriteIntegrationPolicies: fleetAuthz?.integrations.writeIntegrationPolicies ?? false, | ||
|
||
|
||
// --------------------------------------------------------- | ||
// Endpoint & policy management | ||
// --------------------------------------------------------- | ||
canAccessEndpointManagement: hasEndpointManagementAccess, // TODO: is this one deprecated? it is the only place we need to check for superuser. | ||
canCreateArtifactsByPolicy: isPlatinumPlusLicense, | ||
canWriteEndpointList, | ||
|
@@ -166,6 +176,7 @@ export const getEndpointAuthzInitialState = (): EndpointAuthz => { | |
canReadFleetAgentPolicies: false, | ||
canReadFleetAgents: false, | ||
canWriteFleetAgents: false, | ||
canWriteIntegrationPolicies: false, | ||
canAccessEndpointActionsLogManagement: false, | ||
canAccessEndpointManagement: false, | ||
canCreateArtifactsByPolicy: false, | ||
|
@@ -198,3 +209,24 @@ export const getEndpointAuthzInitialState = (): EndpointAuthz => { | |
canWriteEndpointExceptions: false, | ||
}; | ||
}; | ||
|
||
/** | ||
* Duplicate logic to calculate if user has privilege to fetch Agent Policies, | ||
* working only with Capabilities, in order to be able to use it e.g. in middleware. | ||
* | ||
* The logic works with Fleet granular privileges (`subfeaturePrivileges`) both enabled and disabled. | ||
* | ||
* @param capabilities Capabilities from coreStart.application | ||
*/ | ||
export const canFetchPackageAndAgentPolicies = (capabilities: Capabilities): boolean => { | ||
|
||
const canReadPolicyManagement = (capabilities.siem?.readPolicyManagement ?? false) as boolean; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. here I see why using |
||
|
||
const fleetv2 = capabilities.fleetv2; | ||
const canReadFleetAgentPolicies = (fleetv2?.read && | ||
(fleetv2?.agent_policies_read === true || | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: A little bit hard to follow these conditions, wouldn't it come down to There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. yes, it comes to that. the idea was to be able to read it as we accept either |
||
fleetv2?.agent_policies_read === undefined)) as boolean; | ||
|
||
const canReadIntegrations = capabilities.fleet?.read as boolean; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. here, i don't. i'm curious about your opinion: why do you prefer the (changed anyway : ) 95eb39f) |
||
|
||
return canReadPolicyManagement || (canReadFleetAgentPolicies && canReadIntegrations); | ||
}; |
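Review bot: The `as boolean` assertions in `canFetchPackageAndAgentPolicies` do not coerce anything at runtime, so when `capabilities.fleetv2` or `capabilities.fleet` is absent the function returns `undefined` rather than `false` (`fleetv2?.read && …` and `capabilities.fleet?.read as boolean` both let `undefined` flow through the `&&`/`||` chain into the return), which silently breaks any middleware caller that tests the result with `=== false` or stores it as a typed boolean. Nothing in this file shows that capability values are always booleans, so a truthy non-boolean in `fleetv2.read` or `fleet.read` would also pass the check; comparing each flag with `=== true` yields a real boolean and keeps the intended fail-open on a missing `agent_policies_read` key explicit rather than incidental. I would also extend the docblock with one sentence stating that the `=== undefined` branch deliberately grants access under the non-granular Fleet privilege model, since an authorization helper that passes on an absent key is easy to misread as a bug. The whole function is inside this hunk.
```typescript
export const canFetchPackageAndAgentPolicies = (capabilities: Capabilities): boolean => {
  const canReadPolicyManagement = capabilities.siem?.readPolicyManagement === true;

  const fleetv2 = capabilities.fleetv2;
  // `agent_policies_read` is absent when Fleet granular privileges are disabled;
  // in that case `fleetv2.read` alone is accepted on purpose (deliberate fail-open).
  const canReadFleetAgentPolicies =
    fleetv2?.read === true &&
    (fleetv2?.agent_policies_read === true || fleetv2?.agent_policies_read === undefined);

  const canReadIntegrations = capabilities.fleet?.read === true;

  return canReadPolicyManagement || (canReadFleetAgentPolicies && canReadIntegrations);
};
```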
Could this be a duplication of the one on line 100?
indeed it is! 🦅 👁️ !
9810335