diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js b/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
index a89f2b23f8f72e..6785859e42fbfb 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
@@ -146,6 +146,32 @@ export default function ({ getService }) {
 }
 });

+ bulkGetTest(`kibana dual-privileges user`, {
+ auth: {
+ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+ password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+ },
+ tests: {
+ default: {
+ statusCode: 200,
+ response: expectResults,
+ },
+ }
+ });
+
+ bulkGetTest(`kibana dual-privileges dashboard only user`, {
+ auth: {
+ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+ password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+ },
+ tests: {
+ default: {
+ statusCode: 200,
+ response: expectResults,
+ },
+ }
+ });
+
 bulkGetTest(`kibana rbac user`, {
 auth: {
 username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/create.js b/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
index 0a37bf5a47a382..6a949004371f8f 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
@@ -117,6 +117,32 @@ export default function ({ getService }) {
 }
 });

+ createTest(`kibana dual-privileges user`, {
+ auth: {
+ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+ password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+ },
+ tests: {
+ default: {
+ statusCode: 200,
+ response: expectResults,
+ },
+ }
+ });
+
+ createTest(`kibana dual-privileges dashboard only user`, {
+ auth: {
+ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+ password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+ },
+ tests: {
+ default: {
+ statusCode: 403,
+ response: expectRbacForbidden,
+ },
+ }
+ });
+
 createTest(`kibana rbac user`, {
 auth: {
 username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js b/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
index f1f693046f74be..5885eb7919c7bd 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
@@ -133,6 +133,40 @@ export default function ({ getService }) {
 }
 });

+ deleteTest(`kibana dual-privileges user`, {
+ auth: {
+ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+ password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+ },
+ tests: {
+ actualId: {
+ statusCode: 200,
+ response: expectEmpty,
+ },
+ invalidId: {
+ statusCode: 404,
+ response: expectNotFound,
+ }
+ }
+ });
+
+ deleteTest(`kibana dual-privileges dashboard only user`, {
+ auth: {
+ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+ password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+ },
+ tests: {
+ actualId: {
+ statusCode: 403,
+ response: expectRbacForbidden,
+ },
+ invalidId: {
+ statusCode: 403,
+ response: expectRbacForbidden,
+ }
+ }
+ });
+
 deleteTest(`kibana rbac user`, {
 auth: {
 username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
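Review bot: The `invalidId` case for the dual-privileges dashboard only user in delete.js expects 403 where the full dual-privileges user gets 404, and nothing in the test says that this difference is intentional. A short comment would keep a later reader from "correcting" it, for example `// a user without delete rights gets 403 for any id, so the response does not reveal whether the object exists`. The same applies to the `doesntExist` case of the dashboard only user in update.js. That the authorization check runs before the lookup is inferred from the expected status codes; the handler is not part of this diff.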
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
index 26e43bba21cf05..5bb42acacd3920 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
@@ -329,6 +329,74 @@ export default function ({ getService }) {
 }
 });

+ findTest(`kibana dual-privileges user`, {
+ auth: {
+ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+ password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+ },
+ tests: {
+ normal: {
+ description: 'only the visualization',
+ statusCode: 200,
+ response: expectVisualizationResults,
+ },
+ unknownType: {
+ description: 'empty result',
+ statusCode: 200,
+ response: createExpectEmpty(1, 20, 0),
+ },
+ pageBeyondTotal: {
+ description: 'empty result',
+ statusCode: 200,
+ response: createExpectEmpty(100, 100, 1),
+ },
+ unknownSearchField: {
+ description: 'empty result',
+ statusCode: 200,
+ response: createExpectEmpty(1, 20, 0),
+ },
+ noType: {
+ description: 'all objects',
+ statusCode: 200,
+ response: expectResultsWithValidTypes,
+ },
+ },
+ });
+
+ findTest(`kibana dual-privileges dashboard only user`, {
+ auth: {
+ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+ password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+ },
+ tests: {
+ normal: {
+ description: 'only the visualization',
+ statusCode: 200,
+ response: expectVisualizationResults,
+ },
+ unknownType: {
+ description: 'forbidden find wigwags message',
+ statusCode: 403,
+ response: createExpectRbacForbidden('wigwags'),
+ },
+ pageBeyondTotal: {
+ description: 'empty result',
+ statusCode: 200,
+ response: createExpectEmpty(100, 100, 1),
+ },
+ unknownSearchField: {
+ description: 'forbidden find wigwags message',
+ statusCode: 403,
+ response: createExpectRbacForbidden('wigwags'),
+ },
+ noType: {
+ description: 'all objects',
+ statusCode: 200,
+ response: expectResultsWithValidTypes,
+ },
+ }
+ });
+
 findTest(`kibana rbac user`, {
 auth: {
 username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/get.js b/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
index 23c3c0b5aaa35c..b640d120555932 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
@@ -140,6 +140,40 @@ export default function ({ getService }) {
 }
 });

+ getTest(`kibana dual-privileges user`, {
+ auth: {
+ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+ password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+ },
+ tests: {
+ exists: {
+ statusCode: 200,
+ response: expectResults,
+ },
+ doesntExist: {
+ statusCode: 404,
+ response: expectNotFound,
+ },
+ }
+ });
+
+ getTest(`kibana dual-privileges dashboard only user`, {
+ auth: {
+ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+ password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+ },
+ tests: {
+ exists: {
+ statusCode: 200,
+ response: expectResults,
+ },
+ doesntExist: {
+ statusCode: 404,
+ response: expectNotFound,
+ },
+ }
+ });
+
 getTest(`kibana rbac user`, {
 auth: {
 username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
index 013c0df3436019..bdbd23f6dabdf4 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
@@ -32,6 +32,36 @@ export default function ({ loadTestFile, getService }) {
 }
 });

+ await supertest.put('/api/security/role/kibana_dual_privileges_user')
+ .send({
+ elasticsearch: {
+ indices: [{
+ names: ['.kibana'],
+ privileges: ['manage', 'read', 'index', 'delete']
+ }]
+ },
+ kibana: [
+ {
+ privileges: ['all']
+ }
+ ]
+ });
+
+ await supertest.put('/api/security/role/kibana_dual_privileges_dashboard_only_user')
+ .send({
+ elasticsearch: {
+ indices: [{
+ names: ['.kibana'],
+ privileges: ['read', 'view_index_metadata']
+ }]
+ },
+ kibana: [
+ {
+ privileges: ['read']
+ }
+ ]
+ });
+
 await supertest.put('/api/security/role/kibana_rbac_user')
 .send({
 kibana: [
@@ -80,6 +110,26 @@ export default function ({ loadTestFile, getService }) {
 }
 });

+ await es.shield.putUser({
+ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+ body: {
+ password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+ roles: ['kibana_dual_privileges_user'],
+ full_name: 'a kibana dual_privileges user',
+ email: 'a_kibana_dual_privileges_user@elastic.co',
+ }
+ });
+
+ await es.shield.putUser({
+ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+ body: {
+ password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+ roles: ["kibana_dual_privileges_dashboard_only_user"],
+ full_name: 'a kibana dual_privileges dashboard only user',
+ email: 'a_kibana_dual_privileges_dashboard_only_user@elastic.co',
+ }
+ });
+
 await es.shield.putUser({
 username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
 body: {
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js b/x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js
index 8b140fd3b2a30c..5b158a6c8bf377 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js
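Review bot: Both new roles grant matching rights in the two systems (`manage`, `read`, `index`, `delete` on `.kibana` with Kibana `all`; `read`, `view_index_metadata` with Kibana `read`), so no test covers a user whose legacy index privileges exceed the Kibana privileges. For the read-only role a 403 on create, update or delete could come from either layer, and only the `expectRbacForbidden` body tells them apart. A third role with write privileges on `.kibana` and Kibana `read`, expected to get 403 on the write endpoints, would pin down that the Kibana privileges decide once they are present. Separately, neither `supertest.put(...).send(...)` call checks the response, so a rejected role definition would go unnoticed at setup; chaining a status assertion such as `.expect(204)` (status to be confirmed for this endpoint) would fail at the right place.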
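Review bot: The role names in the two `roles: [...]` arrays repeat as string literals the names used in the `PUT /api/security/role/...` calls of the previous hunk, so a typo in either place would create a user without the intended role, and the 403 expectations for the dashboard only user might still pass. Holding each role name in one constant that is used for both the role URL and the user body would remove that risk. As a style point, `roles: ["kibana_dual_privileges_dashboard_only_user"],` uses double quotes where the rest of the hunk uses single quotes; `roles: ['kibana_dual_privileges_dashboard_only_user'],` matches.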
@@ -21,6 +21,14 @@ export const AUTHENTICATION = {
 USERNAME: 'a_kibana_legacy_dashboard_only_user',
 PASSWORD: 'password'
 },
+ KIBANA_DUAL_PRIVILEGES_USER: {
+ USERNAME: 'a_kibana_dual_privileges_user',
+ PASSWORD: 'password'
+ },
+ KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER: {
+ USERNAME: 'a_kibana_dual_privileges_dashboard_only_user',
+ PASSWORD: 'password'
+ },
 KIBANA_RBAC_USER: {
 USERNAME: 'a_kibana_rbac_user',
 PASSWORD: 'password'
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/update.js b/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
index 4b50600ba60c16..a4a17ba67fd5eb 100644
--- a/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
@@ -157,6 +157,40 @@ export default function ({ getService }) {
 }
 });

+ updateTest(`kibana dual-privileges user`, {
+ auth: {
+ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+ password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+ },
+ tests: {
+ exists: {
+ statusCode: 200,
+ response: expectResults,
+ },
+ doesntExist: {
+ statusCode: 404,
+ response: expectNotFound,
+ },
+ }
+ });
+
+ updateTest(`kibana dual-privileges dashboard only user`, {
+ auth: {
+ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+ password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+ },
+ tests: {
+ exists: {
+ statusCode: 403,
+ response: expectRbacForbidden,
+ },
+ doesntExist: {
+ statusCode: 403,
+ response: expectRbacForbidden,
+ },
+ }
+ });
+
 updateTest(`kibana rbac user`, {
 auth: {
 username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,