Adding authc.areAPIKeysEnabled which uses _xpack/usage #55255
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -164,4 +164,19 @@ export class APIKeys { | |
|
||
return result; | ||
} | ||
|
||
async areEnabled(): Promise<boolean> { | ||
if (!this.license.isEnabled()) { | ||
return false; | ||
} | ||
|
||
// `transport.request` is potentially unsafe when combined with untrusted user input. | ||
// Do not augment with such input. | ||
const result = await this.clusterClient.callAsInternalUser('transport.request', { | ||
method: 'GET', | ||
path: '/_xpack/usage', | ||
}); | ||
|
||
return result.security?.api_key_service?.enabled === true; | ||
note: the only thing that worries me a bit here is that we don't have a proper ES documentation on the format of this response and it's not clear what BWC guarantees this API has. If format changes this line will "silently" start always returning … Ideally I'd have an API integration test (e.g. via plugin-fixture that depends on …
That's a great point, let me add API integrations tests specifically for this. |
||
} | ||
} |
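Review bot: `areEnabled()` has no doc comment, and its contract is not obvious from a call site: it resolves to `false` without contacting Elasticsearch when the license is disabled, it queries `/_xpack/usage` through `callAsInternalUser` (so with the internal user's privileges, not the caller's), and a failed request rejects rather than resolving to `false`. Because the usage payload is fetched with those elevated privileges, the comment should also state that only the derived boolean may leave this method and the raw `result` must not be returned or logged. A TSDoc block above `async areEnabled()` covering those points would do, opening with something like `/** Determines whether Elasticsearch API keys are enabled; resolves to false when the license is disabled. */`. The enclosing `APIKeys` class starts outside the hunk.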
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -14,25 +14,35 @@ import { defineCheckPrivilegesRoutes } from './privileges'; | |
|
||
interface TestOptions { | ||
licenseCheckResult?: LicenseCheck; | ||
apiResponses?: Array<() => Promise<unknown>>; | ||
asserts: { statusCode: number; result?: Record<string, any>; apiArguments?: unknown[][] }; | ||
hasPrivilegesImpl?: () => Promise<unknown>; | ||
areAPIKeysEnabledImpl?: () => Promise<boolean>; | ||
asserts: { | ||
statusCode: number; | ||
result?: Record<string, any>; | ||
}; | ||
} | ||
|
||
describe('Check API keys privileges', () => { | ||
const getPrivilegesTest = ( | ||
description: string, | ||
{ | ||
licenseCheckResult = { state: LICENSE_CHECK_STATE.Valid }, | ||
apiResponses = [], | ||
hasPrivilegesImpl, | ||
areAPIKeysEnabledImpl, | ||
asserts, | ||
}: TestOptions | ||
) => { | ||
test(description, async () => { | ||
const mockRouteDefinitionParams = routeDefinitionParamsMock.create(); | ||
const mockScopedClusterClient = elasticsearchServiceMock.createScopedClusterClient(); | ||
mockRouteDefinitionParams.clusterClient.asScoped.mockReturnValue(mockScopedClusterClient); | ||
for (const apiResponse of apiResponses) { | ||
mockScopedClusterClient.callAsCurrentUser.mockImplementationOnce(apiResponse); | ||
if (hasPrivilegesImpl) { | ||
mockScopedClusterClient.callAsCurrentUser.mockImplementationOnce(hasPrivilegesImpl); | ||
} | ||
if (areAPIKeysEnabledImpl) { | ||
optional nit: new line between |
||
mockRouteDefinitionParams.authc.areAPIKeysEnabled.mockImplementationOnce( | ||
areAPIKeysEnabledImpl | ||
); | ||
} | ||
|
||
defineCheckPrivilegesRoutes(mockRouteDefinitionParams); | ||
|
@@ -52,17 +62,22 @@ describe('Check API keys privileges', () => { | |
expect(response.status).toBe(asserts.statusCode); | ||
expect(response.payload).toEqual(asserts.result); | ||
|
||
if (Array.isArray(asserts.apiArguments)) { | ||
for (const apiArguments of asserts.apiArguments) { | ||
expect(mockRouteDefinitionParams.clusterClient.asScoped).toHaveBeenCalledWith( | ||
mockRequest | ||
); | ||
expect(mockScopedClusterClient.callAsCurrentUser).toHaveBeenCalledWith(...apiArguments); | ||
} | ||
expect(mockContext.licensing.license.check).toHaveBeenCalledWith('security', 'basic'); | ||
if (hasPrivilegesImpl) { | ||
expect(mockScopedClusterClient.callAsCurrentUser).toHaveBeenCalledWith( | ||
'shield.hasPrivileges', | ||
{ | ||
body: { cluster: ['manage_security', 'manage_api_key'] }, | ||
} | ||
); | ||
} else { | ||
expect(mockScopedClusterClient.callAsCurrentUser).not.toHaveBeenCalled(); | ||
} | ||
expect(mockContext.licensing.license.check).toHaveBeenCalledWith('security', 'basic'); | ||
if (areAPIKeysEnabledImpl) { | ||
expect(mockRouteDefinitionParams.authc.areAPIKeysEnabled).toHaveBeenCalled(); | ||
} else { | ||
expect(mockRouteDefinitionParams.authc.areAPIKeysEnabled).not.toHaveBeenCalled(); | ||
} | ||
}); | ||
}; | ||
|
||
|
@@ -73,18 +88,28 @@ describe('Check API keys privileges', () => { | |
}); | ||
|
||
const error = Boom.notAcceptable('test not acceptable message'); | ||
getPrivilegesTest('returns error from cluster client', { | ||
apiResponses: [ | ||
async () => { | ||
throw error; | ||
getPrivilegesTest('returns error from hasPrivilegesImpl', { | ||
hasPrivilegesImpl: async () => { | ||
throw error; | ||
}, | ||
areAPIKeysEnabledImpl: async () => true, | ||
asserts: { | ||
statusCode: 406, | ||
result: error, | ||
}, | ||
}); | ||
|
||
getPrivilegesTest('returns error from areAPIKeysEnabled', { | ||
hasPrivilegesImpl: async () => ({ | ||
cluster: { | ||
manage_security: true, | ||
manage_api_key: true, | ||
}, | ||
async () => {}, | ||
], | ||
}), | ||
areAPIKeysEnabledImpl: async () => { | ||
throw error; | ||
}, | ||
asserts: { | ||
apiArguments: [ | ||
['shield.hasPrivileges', { body: { cluster: ['manage_security', 'manage_api_key'] } }], | ||
['shield.getAPIKeys', { owner: true }], | ||
], | ||
statusCode: 406, | ||
result: error, | ||
}, | ||
|
@@ -93,92 +118,45 @@ describe('Check API keys privileges', () => { | |
|
||
describe('success', () => { | ||
getPrivilegesTest('returns areApiKeysEnabled and isAdmin', { | ||
apiResponses: [ | ||
async () => ({ | ||
username: 'elastic', | ||
has_all_requested: true, | ||
cluster: { manage_api_key: true, manage_security: true }, | ||
index: {}, | ||
application: {}, | ||
}), | ||
async () => ({ | ||
api_keys: [ | ||
{ | ||
id: 'si8If24B1bKsmSLTAhJV', | ||
name: 'my-api-key', | ||
creation: 1574089261632, | ||
expiration: 1574175661632, | ||
invalidated: false, | ||
username: 'elastic', | ||
realm: 'reserved', | ||
}, | ||
], | ||
}), | ||
], | ||
hasPrivilegesImpl: async () => ({ | ||
cluster: { | ||
manage_security: true, | ||
manage_api_key: true, | ||
}, | ||
}), | ||
areAPIKeysEnabledImpl: async () => true, | ||
asserts: { | ||
apiArguments: [ | ||
['shield.getAPIKeys', { owner: true }], | ||
['shield.hasPrivileges', { body: { cluster: ['manage_security', 'manage_api_key'] } }], | ||
], | ||
statusCode: 200, | ||
result: { areApiKeysEnabled: true, isAdmin: true }, | ||
}, | ||
}); | ||
|
||
getPrivilegesTest( | ||
'returns areApiKeysEnabled=false when getAPIKeys error message includes "api keys are not enabled"', | ||
'returns areApiKeysEnabled=false when authc.areAPIKeysEnabled returns false"', | ||
{ | ||
apiResponses: [ | ||
async () => ({ | ||
username: 'elastic', | ||
has_all_requested: true, | ||
cluster: { manage_api_key: true, manage_security: true }, | ||
index: {}, | ||
application: {}, | ||
}), | ||
async () => { | ||
throw Boom.unauthorized('api keys are not enabled'); | ||
hasPrivilegesImpl: async () => ({ | ||
cluster: { | ||
manage_security: true, | ||
manage_api_key: true, | ||
}, | ||
], | ||
}), | ||
areAPIKeysEnabledImpl: async () => false, | ||
asserts: { | ||
apiArguments: [ | ||
['shield.getAPIKeys', { owner: true }], | ||
['shield.hasPrivileges', { body: { cluster: ['manage_security', 'manage_api_key'] } }], | ||
], | ||
statusCode: 200, | ||
result: { areApiKeysEnabled: false, isAdmin: true }, | ||
}, | ||
} | ||
); | ||
|
||
getPrivilegesTest('returns isAdmin=false when user has insufficient privileges', { | ||
apiResponses: [ | ||
async () => ({ | ||
username: 'elastic', | ||
has_all_requested: true, | ||
cluster: { manage_api_key: false, manage_security: false }, | ||
index: {}, | ||
application: {}, | ||
}), | ||
async () => ({ | ||
api_keys: [ | ||
{ | ||
id: 'si8If24B1bKsmSLTAhJV', | ||
name: 'my-api-key', | ||
creation: 1574089261632, | ||
expiration: 1574175661632, | ||
invalidated: false, | ||
username: 'elastic', | ||
realm: 'reserved', | ||
}, | ||
], | ||
}), | ||
], | ||
hasPrivilegesImpl: async () => ({ | ||
cluster: { | ||
manage_security: false, | ||
manage_api_key: false, | ||
}, | ||
}), | ||
areAPIKeysEnabledImpl: async () => true, | ||
asserts: { | ||
apiArguments: [ | ||
['shield.getAPIKeys', { owner: true }], | ||
['shield.hasPrivileges', { body: { cluster: ['manage_security', 'manage_api_key'] } }], | ||
], | ||
statusCode: 200, | ||
result: { areApiKeysEnabled: true, isAdmin: false }, | ||
}, | ||
|
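Review bot: The rewritten helper no longer appears to assert that the scoped cluster client is created from the incoming request: the `asScoped` / `toHaveBeenCalledWith(mockRequest)` expectation sits only inside the `asserts.apiArguments` loop, and `apiArguments` is gone from the new `TestOptions`. That assertion is what pins the `shield.hasPrivileges` check to the requesting user's credentials, so a regression that scoped the client to some other request object would still pass these tests. I would keep it in the `if (hasPrivilegesImpl)` branch next to the `callAsCurrentUser` expectation, as `expect(mockRouteDefinitionParams.clusterClient.asScoped).toHaveBeenCalledWith(mockRequest);`. Which lines are old and which are new is inferred from the rendered page, and the body of `getPrivilegesTest` continues outside the visible hunks.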
nit: I believe
: Promise<boolean>
isn't necessary and should be automatically inferred