[Cases] RBAC Bugs #101325
Merged
[Cases] RBAC Bugs #101325
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| permissionsError = i18n.READ_PERMISSIONS_ERROR_MSG; | ||
| } | ||
|
|
||
| // if the error was not permissions related then toast it |
smith
requested changes
Jun 16, 2021
There was a problem hiding this comment.
Looks like this fixes the problems I was having while a read-only user. I'm requesting changes for the setBadge bug (see comment.)
I'm also seeing these in the Kibana logs:
server log [20:45:47.026] [error][cases][plugins] Failed to get connectors: Error: Unauthorized to get actions
server log [20:45:47.027] [error][cases][plugins] Failed to get connectors in route: CaseError: Failed to get connectors: Error: Unauthorized to get actions
server log [20:46:17.594] [error][cases][plugins] Failed to get connectors: Error: Unauthorized to get actions
server log [20:46:17.594] [error][cases][plugins] Failed to get connectors in route: CaseError: Failed to get connectors: Error: Unauthorized to get actions
server log [20:48:17.504] [error][cases][plugins] Failed to get connectors: Error: Unauthorized to get actions
server log [20:48:17.505] [error][cases][plugins] Failed to get connectors in route: CaseError: Failed to get connectors: Error: Unauthorized to get actions
So it looks like we need to prevent the UI from making these requests if not authorized so those don't show up.
|
|
||
| // TODO: figure out if this is really necessary? If I don't add this then navigating from cases to | ||
| // the overview page leaves the glasses icon in the header | ||
| useKibana().services.chrome.setBadge(); |
There was a problem hiding this comment.
I don't think this is related to the breadcrumbs, but it shouldn't be called in the main render body of the component.
I think the correct way to do this would be to call setBadge in a useEffect and return a function from the effect that calls setBadge(undefined) so the badge is removed when the component is unmounted.
|
|
||
| // TODO: figure out if this is really necessary? If I don't add this then navigating from cases to | ||
| // the overview page leaves the glasses icon in the header | ||
| useKibana().services.chrome.setBadge(); |
There was a problem hiding this comment.
Oh I see, you're using an effect in HeaderBadge, I think you need to make that one look like:
useEffect(() => {
setBadge();
return () => { chrome.setBadge(undefined); }
}, [chrome.setBadge, setBadge]);
cnasikas
added
the
bug
cnasikas
reviewed
Jun 16, 2021
| </TestProviders> | ||
| ); | ||
|
|
||
| expect(wrapper.find(`[data-test-subj="sadd-comment"]`).exists()).toBeFalsy(); |
There was a problem hiding this comment.
nit: What s means (first letter of sadd-comment)?
There was a problem hiding this comment.
Nice catch! that data-test-subj definitely wouldn't have existed 😆 should be add-comment
cnasikas
reviewed
Jun 16, 2021
There was a problem hiding this comment.
Great job as always! I really liked your PR 🙂.
I think is best to use a context for variables like userCanCrud instead of using props. A lot of components need that information and having a "global" access to it is very useful. We already have the OwnerProvider so we can rename it and use it for other variables. No need to do it in this PR. I just wanted to point it out.
| disableAlerting, | ||
| userCanCrud = true, |
There was a problem hiding this comment.
I see that userCanCrud is optional on other components also. Here is also being defaulted it to true. I am bit hesitated to have this variable as optional or make assumptions about what the default value should be. It is very easy to omit it by mistake. Maybe having the type as userCanCrud: boolean | null; would enforce us to think about it more. What do you think?
There was a problem hiding this comment.
We could probably just make it a required parameter. I think for this component it's only used in one place 👍
| ); | ||
|
|
||
| await waitFor(() => | ||
| expect( |
There was a problem hiding this comment.
nit: Can this two waitFor combined to one?
| @@ -235,7 +236,7 @@ export const EditConnector = React.memo( | |||
| connectors, | |||
| dataTestSubj: 'caseConnectors', | |||
| defaultValue: selectedConnector, | |||
| disabled, | |||
| disabled: !userCanCrud, | |||
There was a problem hiding this comment.
Shouldn't we hide (not render) the whole DisappearingFlexItem if the user cannot crud?
There was a problem hiding this comment.
I think we need the form to render so that the currentConnector can be initialized so a readonly user can still view the previously configured connector 👍
| !(currentConnector === null && selectedConnector !== 'none') && // Connector has not been deleted. | ||
| !editConnector && ( | ||
| <EuiText size="s"> | ||
| {!editConnector && permissionsError ? ( |
There was a problem hiding this comment.
Is it possible to be on edit connector mode and at the same time have permissionsError? Maybe is best to separate them in two blocks as to me they seem unrelated. Am I missing something?
| !editConnector && | ||
| (currentConnector == null || | ||
| currentConnector?.id === 'none' || | ||
| selectedConnector === 'none') && ( // Connector is none or not defined, or the selected connector is none |
There was a problem hiding this comment.
I think the message will be shown when the selected connector has been deleted. To reproduce that:
- Create a connector and create a case with the connector selected.
- Go to Stack Management -> Rules & Connectors -> Connectors and delete the connector.
- Return back to the case and see if the message is being shown. It should not.
There was a problem hiding this comment.
Good catch, I'll put back the previous logic.
| * | ||
| * @param toastPermissionsErrors boolean controlling whether 403 and 401 errors should be displayed in a toast error | ||
| */ | ||
| export const useConnectors = (toastPermissionsErrors: boolean = true): UseConnectorsResponse => { |
There was a problem hiding this comment.
nit: Do you mind if we change the argument to be an object? It is much easier to read useConnectors({ toastPermissionsErrors: false }) than useConnectors(false).
| getAllCases: jest.fn(), | ||
| getAllCasesSelectorModal: jest.fn(), | ||
| getCaseView: jest.fn(), | ||
| getConfigureCases: jest.fn(), |
There was a problem hiding this comment.
I think is better to leave them as jest.fn() always as they are mocks.
| getRecentCases: jest.fn(), | ||
| }); | ||
|
|
||
| export const casesPluginMock = { |
There was a problem hiding this comment.
I think is good to have them if any other plugin wants to use our mocks as we do with core for example.
| @@ -0,0 +1,37 @@ | |||
| /* | |||
There was a problem hiding this comment.
I see that we don't render any html code. Why it has to be a component and not a hook?
| ) | ||
| ); | ||
|
|
||
| expect(casesMock.getRecentCases).not.toHaveBeenCalled(); |
There was a problem hiding this comment.
Shouldn't we check if the component is does not exists?
There was a problem hiding this comment.
I might be misunderstanding you but I think if we wanted to check that the component exists we'd have to grab the data test subj from the cases plugin and make sure it doesn't exist. I feel like that is relying on implementation details of how the cases plugin implements the recent cases. Doing it like this we ensure that we don't call the cases plugin at all and therefore shouldn't render anything.
I guess another option would be to create an empty wrapper component that defines a data test subj and ensure it doesn't get rendered.
This was referenced Jun 16, 2021
monina-n
approved these changes
Jun 16, 2021
|
@smith thanks for the review
I think these are expected. If the user does not have access to actions and connectors we throw these errors when the cases detail page is viewed. The actions and connectors permissions are configured separately from cases:
We are currently discuss automatically granting read permissions to the actions and connectors if a user is granted read or write access to cases here: #101821 I'll be putting that change up in a different PR. |
smith
approved these changes
Jun 17, 2021
💛 Build succeeded, but was flaky
Test FailuresKibana Pipeline / general / X-Pack Accessibility Tests.x-pack/test/accessibility/apps/roles·ts.Kibana roles page a11y tests a11y test for view privilege summary panelStandard OutStack TraceMetrics [docs]Module Count
Public APIs missing comments
Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: |
cnasikas
approved these changes
Jun 22, 2021
jonathan-buttner
added a commit
that referenced
this pull request
Jun 22, 2021
* Adding feature flag for auth * Hiding SOs and adding consumer field * First pass at adding security changes * Consumer as the app's plugin ID * Create addConsumerToSO migration helper * Fix mapping's SO consumer * Add test for CasesActions * Declare hidden types on SO client * Restructure integration tests * Init spaces_only integration tests * Implementing the cases security string * Adding security plugin tests for cases * Rough concept for authorization class * Adding comments * Fix merge * Get requiredPrivileges for classes * Check privillages * Ensure that all classes are available * Success if hasAllRequested is true * Failure if hasAllRequested is false * Adding schema updates for feature plugin * Seperate basic from trial * Enable SIR on integration tests * Starting the plumbing for authorization in plugin * Unit tests working * Move find route logic to case client * Create integration test helper functions * Adding auth to create call * Create getClassFilter helper * Add class attribute to find request * Create getFindAuthorizationFilter * Ensure savedObject is authorized in find method * Include fields for authorization * Combine authorization filter with cases & subcases filter * Fix isAuthorized flag * Fix merge issue * Create/delete spaces & users before and after tests * Add more user and roles * [Cases] Convert filters from strings to KueryNode (#95288) * [Cases] RBAC: Rename class to scope (#95535) * [Cases][RBAC] Rename scope to owner (#96035) * [Cases] RBAC: Create & Find integration tests (#95511) * [Cases] Cases client enchantment (#95923) * [Cases] Authorization and Client Audit Logger (#95477) * Starting audit logger * Finishing auth audit logger * Fixing tests and types * Adding audit event creator * Renaming class to scope * Adding audit logger messages to create and find * Adding comments and fixing import issue * Fixing type errors * Fixing tests and adding username to message * Addressing PR feedback * Removing unneccessary log and generating id * Fixing module issue and remove expect.anything * [Cases] Migrate sub cases routes to a client (#96461) * Adding sub cases client * Move sub case routes to case client * Throw when attempting to access the sub cases client * Fixing throw and removing user ans soclients * [Cases] RBAC: Migrate routes' unit tests to integration tests (#96374) Co-authored-by: Jonathan Buttner <[email protected]> * [Cases] Move remaining HTTP functionality to client (#96507) * Moving deletes and find for attachments * Moving rest of comment apis * Migrating configuration routes to client * Finished moving routes, starting utils refactor * Refactoring utilites and fixing integration tests * Addressing PR feedback * Fixing mocks and types * Fixing integration tests * Renaming status_stats * Fixing test type errors * Adding plugins to kibana.json * Adding cases to required plugin * [Cases] Refactoring authorization (#97483) * Refactoring authorization * Wrapping auth calls in helper for try catch * Reverting name change * Hardcoding the saved object types * Switching ensure to owner array * [Cases] Add authorization to configuration & cases routes (#97228) * [Cases] Attachments RBAC (#97756) * Starting rbac for comments * Adding authorization to rest of comment apis * Starting the comment rbac tests * Fixing some of the rbac tests * Adding some integration tests * Starting patch tests * Working tests for comments * Working tests * Fixing some tests * Fixing type issues from pulling in master * Fixing connector tests that only work in trial license * Attempting to fix cypress * Mock return of array for configure * Fixing cypress test * Cleaning up * Addressing PR comments * Reducing operations * [Cases] Add RBAC to remaining Cases APIs (#98762) * Starting rbac for comments * Adding authorization to rest of comment apis * Starting the comment rbac tests * Fixing some of the rbac tests * Adding some integration tests * Starting patch tests * Working tests for comments * Working tests * Fixing some tests * Fixing type issues from pulling in master * Fixing connector tests that only work in trial license * Attempting to fix cypress * Mock return of array for configure * Fixing cypress test * Cleaning up * Working case update tests * Addressing PR comments * Reducing operations * Working rbac push case tests * Starting stats apis * Working status tests * User action tests and fixing migration errors * Fixing type errors * including error in message * Addressing pr feedback * Fixing some type errors * [Cases] Add space only tests (#99409) * Starting spaces tests * Finishing space only tests * Refactoring createCaseWithConnector * Fixing spelling * Addressing PR feedback and creating alert tests * Fixing mocks * [Cases] Add security only tests (#99679) * Starting spaces tests * Finishing space only tests * Refactoring createCaseWithConnector * Fixing spelling * Addressing PR feedback and creating alert tests * Fixing mocks * Starting security only tests * Adding remainder security only tests * Using helper objects * Fixing type error for null space * Renaming utility variables * Refactoring users and roles for security only tests * Adding sub feature * [Cases] Cleaning up the services and TODOs (#99723) * Cleaning up the service intialization * Fixing type errors * Adding comments for the api * Working test for cases client * Fix type error * Adding generated docs * Adding more docs and cleaning up types * Cleaning up readme * More clean up and links * Changing some file names * Renaming docs * Integration tests for cases privs and fixes (#100038) * [Cases] RBAC on UI (#99478) Co-authored-by: Kibana Machine <[email protected]> * Fixing case ids by alert id route call * [Cases] Fixing UI feature permissions and adding UI tests (#100074) * Integration tests for cases privs and fixes * Fixing ui cases permissions and adding tests * Adding test for collection failure and fixing jest * Renaming variables * Fixing type error * Adding some comments * Validate cases features * Fix new schema * Adding owner param for the status stats * Fix get case status tests * Adjusting permissions text and fixing status * Address PR feedback * Adding top level feature back * Fixing feature privileges * Renaming * Removing uneeded else * Fixing tests and adding cases merge tests * [Cases][Security Solution] Basic license security solution API tests (#100925) * Cleaning up the fixture plugins * Adding basic feature test * renaming to unsecuredSavedObjectsClient (#101215) * [Cases] RBAC Refactoring audit logging (#100952) * Refactoring audit logging * Adding unit tests for authorization classes * Addressing feedback and adding util tests * return undefined on empty array * fixing eslint * conditional rendering the recently created cases * Remove unnecessary Array.from * Cleaning up overview page for permissions * Fixing log message for attachments * hiding add to cases button * Disable the Cases app from the global nav * Hide the add to cases button from detections * Fixing merge * Making progress on removing icons * Hding edit icons on detail view * Trying to get connector error msg tests working * Removing test * Disable error callouts * Fixing spacing and removing cases tab one no read * Adding read only badge * Cleaning up and adding badge * Wrapping in use effect * Default toasting permissions errors * Removing actions icon on comments * Addressing feedback * Fixing type Co-authored-by: Christos Nasikas <[email protected]> Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Christos Nasikas <[email protected]> Co-authored-by: Kibana Machine <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR address various bugs found in the RBAC branch: #95058
The bugs are listed here: #100468
Issues addressed:
Case List Page
...from the tableCase List Page
Case Details Page
...actionsDetail Page
Hide the attach to cases button within timeline
No attach to cases button
Remove the recent cases from the overview page if the user does not have permissions
No recent cases in overview
Remove the add cases link on the overview page if the user only has read permissions
No link
Hide the add to cases icon on the detections table
No icon on detections
Remove Cases from the navigation when the user does not have any permissions for cases
Cases doesn't exist on the sidebar
Cases doesn't exist in the header tabs
Read only glasses
Global Header glasses