Skip to content

Commit

Permalink
Only validate the permissions on unencrypted requests
Browse files Browse the repository at this point in the history
  • Loading branch information
@afharo
afharo committed Feb 24, 2022
1 parent 2a5497b commit 6b200bf
Show file tree
Hide file tree
Showing 2 changed files with 23 additions and 2 deletions.
23 changes: 22 additions & 1 deletion src/plugins/telemetry/server/routes/telemetry_usage_stats.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ describe('registerTelemetryUsageStatsRoutes', () => {
});
});

it('returns 403 when the user does not have enough permissions', async () => {
it('returns 403 when the user does not have enough permissions to request unencrypted telemetry', async () => {
const getSecurityMock = jest.fn().mockReturnValue({
authz: {
checkPrivilegesWithRequest: () => ({
Expand All @@ -118,6 +118,27 @@ describe('registerTelemetryUsageStatsRoutes', () => {
expect(mockResponse.forbidden).toBeCalled();
});

it('returns 200 when the user does not have enough permissions to request unencrypted telemetry but it requests encrypted', async () => {
const getSecurityMock = jest.fn().mockReturnValue({
authz: {
checkPrivilegesWithRequest: () => ({
globally: () => ({ hasAllRequested: false }),
}),
},
});
registerTelemetryUsageStatsRoutes(
mockRouter,
telemetryCollectionManager,
true,
getSecurityMock
);
const { mockResponse } = await runRequest(mockRouter, {
refreshCache: false,
unencrypted: false,
});
expect(mockResponse.ok).toBeCalled();
});

it.todo('always returns an empty array on errors on encrypted payload');
it.todo('returns the actual request error object when in development mode');
it.todo('returns forbidden on unencrypted and ES returns 403 in getStats');
Expand Down
2 changes: 1 addition & 1 deletion src/plugins/telemetry/server/routes/telemetry_usage_stats.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ export function registerTelemetryUsageStatsRoutes(
const { unencrypted, refreshCache } = req.body;

const security = getSecurity();
if (security) {
if (security && unencrypted) {
const { hasAllRequested } = await security.authz
.checkPrivilegesWithRequest(req)
.globally({ kibana: 'decryptedTelemetry' });
Expand Down

0 comments on commit 6b200bf

Please sign in to comment.