elastic · vadimkibana · May 13, 2024 · May 13, 2024 · May 13, 2024 · May 13, 2024
@@ -0,0 +1,52 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { coreMock } from '@kbn/core/public/mocks';
+import { createOpts } from './kibana_connection_details_provider';
+
+describe('createOpts()', () => {
+  it('allows editing API keys, when user can manage own API keys', async () => {
+    const props = await createOpts({
+      start: {
+        core: coreMock.createStart(),
+        plugins: {
+          security: {
+            authz: {
+              getCurrentUserApiKeyPrivileges: jest
+                .fn()
+                .mockResolvedValue({ canManageOwnApiKeys: true }),
+            },
+          } as any,
+        },
+      },
+    });
+    const hasPermission = await props.apiKeys!.hasPermission();
+
+    expect(hasPermission).toBe(true);
+  });
+
+  it('does not allow editing API keys, when user can manage own API keys', async () => {
+    const props = await createOpts({
+      start: {
+        core: coreMock.createStart(),
+        plugins: {
+          security: {
+            authz: {
+              getCurrentUserApiKeyPrivileges: jest
+                .fn()
+                .mockResolvedValue({ canManageOwnApiKeys: false }),
+            },
+          } as any,
+        },
+      },
+    });
+    const hasPermission = await props.apiKeys!.hasPermission();
+
+    expect(hasPermission).toBe(false);
+  });
+});
@@ -11,15 +11,18 @@ import type { CoreStart } from '@kbn/core-lifecycle-browser';
 import type { CloudStart } from '@kbn/cloud-plugin/public';
 import type { SharePluginStart } from '@kbn/share-plugin/public';
 import type { CreateAPIKeyParams, CreateAPIKeyResult } from '@kbn/security-plugin-types-server';
+import type { SecurityPluginStart } from '@kbn/security-plugin-types-public';
 import { ConnectionDetailsOptsProvider } from '../context';
 import { ConnectionDetailsOpts } from '../types';
 import { useAsyncMemo } from '../hooks/use_async_memo';
 
-const createOpts = async (props: KibanaConnectionDetailsProviderProps) => {
+export const createOpts = async (props: KibanaConnectionDetailsProviderProps) => {
   const { options, start } = props;
   const { http, docLinks } = start.core;
   const locator = start.plugins?.share?.url?.locators.get('MANAGEMENT_APP_LOCATOR');
   const manageKeysLink = await locator?.getUrl({ sectionId: 'security', appId: 'api_keys' });
+  const security = start.plugins?.security;
+
   const result: ConnectionDetailsOpts = {
     ...options,
     navigateToUrl: start.core.application
@@ -65,7 +68,18 @@ const createOpts = async (props: KibanaConnectionDetailsProviderProps) => {
           },
         };
       },
-      hasPermission: async () => true,
+      hasPermission: security
+        ? async () => {
+            try {
+              return (await security.authz.getCurrentUserApiKeyPrivileges()).canManageOwnApiKeys;
+            } catch (error) {
+              if (error instanceof Error && error.message === 'Forbidden') {
+                return false;
+              }
+              throw error;
+            }
+          }
+        : async () => true,
       ...options?.apiKeys,
     },
   };
@@ -87,6 +101,7 @@ export interface KibanaConnectionDetailsProviderProps {
     plugins?: {
       cloud?: CloudStart;
       share?: SharePluginStart;
+      security?: SecurityPluginStart;
     };
   };
 }

@@ -22,5 +22,7 @@
     "@kbn/cloud-plugin",
     "@kbn/share-plugin",
     "@kbn/security-plugin-types-server",
+    "@kbn/security-plugin-types-public",
+    "@kbn/core",
   ]
 }
@@ -10,6 +10,17 @@ export interface AuthorizationServiceSetup {
    * Determines if role management is enabled.
    */
   isRoleManagementEnabled: () => boolean | undefined;
+
+  /**
+   * Retrieve current user's API key privileges.
+   */
+  getCurrentUserApiKeyPrivileges: () => Promise<AuthorizationCurrentUserApiKeyPrivilegesResponse>;
+}
+
+export interface AuthorizationCurrentUserApiKeyPrivilegesResponse {
+  canManageApiKeys: boolean;
+  canManageCrossClusterApiKeys: boolean;
+  canManageOwnApiKeys: boolean;
 }
 
 /**

@@ -26,8 +26,10 @@ export const authenticationMock = {
 export const authorizationMock = {
   createSetup: (): jest.Mocked<AuthorizationServiceSetup> => ({
     isRoleManagementEnabled: jest.fn(),
+    getCurrentUserApiKeyPrivileges: jest.fn(),
   }),
   createStart: (): jest.Mocked<AuthorizationServiceStart> => ({
     isRoleManagementEnabled: jest.fn(),
+    getCurrentUserApiKeyPrivileges: jest.fn(),
   }),
 };
@@ -5,18 +5,30 @@
  * 2.0.
  */
 
+import type { HttpSetup } from '@kbn/core/public';
 import type { AuthorizationServiceSetup } from '@kbn/security-plugin-types-public';
+import type { AuthorizationCurrentUserApiKeyPrivilegesResponse } from '@kbn/security-plugin-types-public/src/authorization/authorization_service';
 
 import type { ConfigType } from '../config';
 
 interface SetupParams {
   config: ConfigType;
+  http: HttpSetup;
 }
 
 export class AuthorizationService {
-  public setup({ config }: SetupParams): AuthorizationServiceSetup {
+  public setup({ config, http }: SetupParams): AuthorizationServiceSetup {
     const isRoleManagementEnabled = () => config.roleManagementEnabled;
 
-    return { isRoleManagementEnabled };
+    const getCurrentUserApiKeyPrivileges = async () => {
+      const { canManageApiKeys, canManageCrossClusterApiKeys, canManageOwnApiKeys } =
+        (await http.get(
+          '/internal/security/api_key'
+        )) as AuthorizationCurrentUserApiKeyPrivilegesResponse;
+
+      return { canManageApiKeys, canManageCrossClusterApiKeys, canManageOwnApiKeys };
+    };
+
+    return { isRoleManagementEnabled, getCurrentUserApiKeyPrivileges };
 const areAPIKeysEnabled = async () => 
 apiKeys: { 
 const areAPIKeysEnabled = async () => 
 apiKeys: { 
   }
 }
@@ -40,7 +40,10 @@ describe('Security Plugin', () => {
         })
       ).toEqual({
         authc: { getCurrentUser: expect.any(Function), areAPIKeysEnabled: expect.any(Function) },
-        authz: { isRoleManagementEnabled: expect.any(Function) },
+        authz: {
+          isRoleManagementEnabled: expect.any(Function),
+          getCurrentUserApiKeyPrivileges: expect.any(Function),
+        },
         license: {
           isLicenseAvailable: expect.any(Function),
           isEnabled: expect.any(Function),
@@ -126,6 +129,7 @@ describe('Security Plugin', () => {
             "getCurrentUser": [Function],
           },
           "authz": Object {
+            "getCurrentUserApiKeyPrivileges": [Function],
             "isRoleManagementEnabled": [Function],
           },
           "navControlService": Object {

@@ -115,6 +115,7 @@ export class SecurityPlugin
 
     this.authz = this.authorizationService.setup({
       config: this.config,
+      http: core.http,
     });
 
     this.securityApiClients = {