@jportner is our saviour

elastic · Feb 24, 2022 · 5b48f6e · 5b48f6e
1 parent 6b200bf
commit 5b48f6e
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/src/plugins/telemetry/server/routes/telemetry_usage_stats.test.ts b/src/plugins/telemetry/server/routes/telemetry_usage_stats.test.ts
@@ -100,6 +100,11 @@ describe('registerTelemetryUsageStatsRoutes', () => {
     it('returns 403 when the user does not have enough permissions to request unencrypted telemetry', async () => {
       const getSecurityMock = jest.fn().mockReturnValue({
         authz: {
+          actions: {
+            api: {
+              get: jest.fn(),
+            },
+          },
           checkPrivilegesWithRequest: () => ({
             globally: () => ({ hasAllRequested: false }),
           }),
@@ -121,6 +126,11 @@ describe('registerTelemetryUsageStatsRoutes', () => {
     it('returns 200 when the user does not have enough permissions to request unencrypted telemetry but it requests encrypted', async () => {
       const getSecurityMock = jest.fn().mockReturnValue({
         authz: {
+          actions: {
+            api: {
+              get: jest.fn(),
+            },
+          },
           checkPrivilegesWithRequest: () => ({
             globally: () => ({ hasAllRequested: false }),
           }),

diff --git a/src/plugins/telemetry/server/routes/telemetry_usage_stats.ts b/src/plugins/telemetry/server/routes/telemetry_usage_stats.ts
@@ -37,9 +37,13 @@ export function registerTelemetryUsageStatsRoutes(
 
       const security = getSecurity();
       if (security && unencrypted) {
-        const { hasAllRequested } = await security.authz
-          .checkPrivilegesWithRequest(req)
-          .globally({ kibana: 'decryptedTelemetry' });
+        // Normally we would use `options: { tags: ['access:decryptedTelemetry'] }` in the route definition to check authorization for an
+        // API action, however, we want to check this conditionally based on the `unencrypted` parameter. In this case we need to use the
+        // security API directly to check privileges for this action. Note that the 'decryptedTelemetry' API privilege string is only
+        // granted to users that have "Global All" or "Global Read" privileges in Kibana.
+        const { checkPrivilegesWithRequest, actions } = security.authz;
+        const privileges = { kibana: actions.api.get('decryptedTelemetry') };
+        const { hasAllRequested } = await checkPrivilegesWithRequest(req).globally(privileges);
         if (!hasAllRequested) {
           return res.forbidden();
         }