Add license checks to action HTTP APIs #59153
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mikecote
added
Feature:Alerting
release_note:skip
|
Pinging @elastic/kibana-alerting-services (Team:Alerting Services) |
mikecote
force-pushed
the
actions/ensure-action-type-function
branch
2 times, most recently
from
92d80dd
to
a50ae68
Compare
mikecote
force-pushed
the
actions/ensure-action-type-function
branch
from
a50ae68
to
bf35822
Compare
I always worry about 403's, as they are so closely tied to security-related unauthorized scenarios, but of course the HTTP response itself isn't really tied to authn/authz. But, it seems like the best thing for now.
Ya, I think my thinking here was that we wanted to discriminate between errors caused by the action itself, vs errors generated by Kibana. So a "service error" would always return a 200, but indicate the error in the response. I don't think we neccessarily have to do that in this case. In fact, it could be confusing, since it could be implied the 403 came from the service. Seems like we should return a 403 status code from this one, rather than the 200.
Ya, |
This makes sense, I went ahead and made the change here: a78c999. Below is a sample response from the updated API when it returns a 403 status:
I will create a test suite with basic license, make sure the built ins for gold can't be created (copy tests from |
Test suite has been created here: c5c7f1b. |
|
retest |
…to actions/ensure-action-type-function
|
@YulNaumenko @pmuellr I had to change a bit more code than I expected to make the tests (hopefully) pass. Feel free to take a look at the new commits since your last review. |
|
retest |
…to actions/ensure-action-type-function
|
Changes LGTM |
…to actions/ensure-action-type-function
…to actions/ensure-action-type-function
|
CI failure seems unrelated / flaky, going to merge into feature branch regardless to unblock follow up PRs. Will test stability in the feature branch and follow up accordingly if master doesn't have the issue. |
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
mikecote
added a commit
that referenced
this pull request
Mar 20, 2020
* Define minimum license required for each action type (#58668) * Add minimum required license * Require at least gold license as a minimum license required on third party action types * Use strings for license references * Ensure license type is valid * Fix some tests * Add servicenow to gold * Add tests * Set license requirements on other built in action types * Use jest.Mocked<ActionType> instead * Change servicenow to platinum Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> * Make actions config mock and license state mock use factory pattern and jest mocks (#59370) * Add license checks to action HTTP APIs (#59153) * Initial work * Handle errors in update action API * Add unit tests for APIs * Make action executor throw when action type isn't enabled * Add test suite for basic license * Fix ESLint errors * Fix failing tests * Attempt 1 to fix CI * ESLint fixes * Create sendResponse function on ActionTypeDisabledError * Make disabled action types by config return 403 * Remove switch case * Fix ESLint * Add license checks within alerting / actions framework (#59699) * Initial work * Handle errors in update action API * Add unit tests for APIs * Verify action type before scheduling action task * Make actions plugin.execute throw error if action type is disabled * Bug fixes * Make action executor throw when action type isn't enabled * Add test suite for basic license * Fix ESLint errors * Stop action task from re-running when license check fails * Fix failing tests * Attempt 1 to fix CI * ESLint fixes * Create sendResponse function on ActionTypeDisabledError * Make disabled action types by config return 403 * Remove switch case * Fix ESLint * Fix confusing assertion * Add comment explaining double mock * Log warning when alert action isn't scheduled * Disable action types in UI when license doesn't support it (#59819) * Initial work * Handle errors in update action API * Add unit tests for APIs * Verify action type before scheduling action task * Make actions plugin.execute throw error if action type is disabled * Bug fixes * Make action executor throw when action type isn't enabled * Add test suite for basic license * Fix ESLint errors * Stop action task from re-running when license check fails * Fix failing tests * Attempt 1 to fix CI * ESLint fixes * Return enabledInConfig and enabledInLicense from actions get types API * Disable cards that have invalid license in create connector flyout * Create sendResponse function on ActionTypeDisabledError * Make disabled action types by config return 403 * Remove switch case * Fix ESLint * Disable when creating alert action * Return minimumLicenseRequired in /types API * Disable row in connectors when action type is disabled * Fix failing jest test * Some refactoring * Card in edit alert flyout * Sort action types by name * Add tooltips to create connector action type selector * Add tooltips to alert flyout action type selector * Add get more actions link in alert flyout * Add callout when creating a connector * Typos * remove float right and use flexgroup * replace pixels with eui variables * turn on sass lint for triggers_actions_ui dir * trying to add padding around cards * Add callout in edit alert screen when some actions are disabled * improve card selection for Add Connector flyout * Fix cards for create connector * Add tests * ESLint issue * Cleanup * Cleanup pt2 * Fix type check errors * moving to 3-columns cards for connector selection * Change re-enable to enable terminology * Revert "Change re-enable to enable terminology" This reverts commit b497dfd. * Add re-enable comment * Remove unecessary fragment * Add type to actionTypeNodes * Fix EuiLink to not have opacity of 0.7 when not hovered * design cleanup in progress * updating classNames * using EuiIconTip * Remove label on icon tip * Fix failing jest test Co-authored-by: Andrea Del Rio <delrio.andre@gmail.com> * Add index to .index action type test * PR feedback * Add isErrorThatHandlesItsOwnResponse Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Andrea Del Rio <delrio.andre@gmail.com>
mikecote
added a commit
to mikecote/kibana
that referenced
this pull request
Mar 20, 2020
* Define minimum license required for each action type (elastic#58668) * Add minimum required license * Require at least gold license as a minimum license required on third party action types * Use strings for license references * Ensure license type is valid * Fix some tests * Add servicenow to gold * Add tests * Set license requirements on other built in action types * Use jest.Mocked<ActionType> instead * Change servicenow to platinum Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> * Make actions config mock and license state mock use factory pattern and jest mocks (elastic#59370) * Add license checks to action HTTP APIs (elastic#59153) * Initial work * Handle errors in update action API * Add unit tests for APIs * Make action executor throw when action type isn't enabled * Add test suite for basic license * Fix ESLint errors * Fix failing tests * Attempt 1 to fix CI * ESLint fixes * Create sendResponse function on ActionTypeDisabledError * Make disabled action types by config return 403 * Remove switch case * Fix ESLint * Add license checks within alerting / actions framework (elastic#59699) * Initial work * Handle errors in update action API * Add unit tests for APIs * Verify action type before scheduling action task * Make actions plugin.execute throw error if action type is disabled * Bug fixes * Make action executor throw when action type isn't enabled * Add test suite for basic license * Fix ESLint errors * Stop action task from re-running when license check fails * Fix failing tests * Attempt 1 to fix CI * ESLint fixes * Create sendResponse function on ActionTypeDisabledError * Make disabled action types by config return 403 * Remove switch case * Fix ESLint * Fix confusing assertion * Add comment explaining double mock * Log warning when alert action isn't scheduled * Disable action types in UI when license doesn't support it (elastic#59819) * Initial work * Handle errors in update action API * Add unit tests for APIs * Verify action type before scheduling action task * Make actions plugin.execute throw error if action type is disabled * Bug fixes * Make action executor throw when action type isn't enabled * Add test suite for basic license * Fix ESLint errors * Stop action task from re-running when license check fails * Fix failing tests * Attempt 1 to fix CI * ESLint fixes * Return enabledInConfig and enabledInLicense from actions get types API * Disable cards that have invalid license in create connector flyout * Create sendResponse function on ActionTypeDisabledError * Make disabled action types by config return 403 * Remove switch case * Fix ESLint * Disable when creating alert action * Return minimumLicenseRequired in /types API * Disable row in connectors when action type is disabled * Fix failing jest test * Some refactoring * Card in edit alert flyout * Sort action types by name * Add tooltips to create connector action type selector * Add tooltips to alert flyout action type selector * Add get more actions link in alert flyout * Add callout when creating a connector * Typos * remove float right and use flexgroup * replace pixels with eui variables * turn on sass lint for triggers_actions_ui dir * trying to add padding around cards * Add callout in edit alert screen when some actions are disabled * improve card selection for Add Connector flyout * Fix cards for create connector * Add tests * ESLint issue * Cleanup * Cleanup pt2 * Fix type check errors * moving to 3-columns cards for connector selection * Change re-enable to enable terminology * Revert "Change re-enable to enable terminology" This reverts commit b497dfd. * Add re-enable comment * Remove unecessary fragment * Add type to actionTypeNodes * Fix EuiLink to not have opacity of 0.7 when not hovered * design cleanup in progress * updating classNames * using EuiIconTip * Remove label on icon tip * Fix failing jest test Co-authored-by: Andrea Del Rio <delrio.andre@gmail.com> * Add index to .index action type test * PR feedback * Add isErrorThatHandlesItsOwnResponse Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Andrea Del Rio <delrio.andre@gmail.com>
mikecote
added a commit
that referenced
this pull request
Mar 20, 2020
* Define minimum license required for each action type (#58668) * Add minimum required license * Require at least gold license as a minimum license required on third party action types * Use strings for license references * Ensure license type is valid * Fix some tests * Add servicenow to gold * Add tests * Set license requirements on other built in action types * Use jest.Mocked<ActionType> instead * Change servicenow to platinum Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> * Make actions config mock and license state mock use factory pattern and jest mocks (#59370) * Add license checks to action HTTP APIs (#59153) * Initial work * Handle errors in update action API * Add unit tests for APIs * Make action executor throw when action type isn't enabled * Add test suite for basic license * Fix ESLint errors * Fix failing tests * Attempt 1 to fix CI * ESLint fixes * Create sendResponse function on ActionTypeDisabledError * Make disabled action types by config return 403 * Remove switch case * Fix ESLint * Add license checks within alerting / actions framework (#59699) * Initial work * Handle errors in update action API * Add unit tests for APIs * Verify action type before scheduling action task * Make actions plugin.execute throw error if action type is disabled * Bug fixes * Make action executor throw when action type isn't enabled * Add test suite for basic license * Fix ESLint errors * Stop action task from re-running when license check fails * Fix failing tests * Attempt 1 to fix CI * ESLint fixes * Create sendResponse function on ActionTypeDisabledError * Make disabled action types by config return 403 * Remove switch case * Fix ESLint * Fix confusing assertion * Add comment explaining double mock * Log warning when alert action isn't scheduled * Disable action types in UI when license doesn't support it (#59819) * Initial work * Handle errors in update action API * Add unit tests for APIs * Verify action type before scheduling action task * Make actions plugin.execute throw error if action type is disabled * Bug fixes * Make action executor throw when action type isn't enabled * Add test suite for basic license * Fix ESLint errors * Stop action task from re-running when license check fails * Fix failing tests * Attempt 1 to fix CI * ESLint fixes * Return enabledInConfig and enabledInLicense from actions get types API * Disable cards that have invalid license in create connector flyout * Create sendResponse function on ActionTypeDisabledError * Make disabled action types by config return 403 * Remove switch case * Fix ESLint * Disable when creating alert action * Return minimumLicenseRequired in /types API * Disable row in connectors when action type is disabled * Fix failing jest test * Some refactoring * Card in edit alert flyout * Sort action types by name * Add tooltips to create connector action type selector * Add tooltips to alert flyout action type selector * Add get more actions link in alert flyout * Add callout when creating a connector * Typos * remove float right and use flexgroup * replace pixels with eui variables * turn on sass lint for triggers_actions_ui dir * trying to add padding around cards * Add callout in edit alert screen when some actions are disabled * improve card selection for Add Connector flyout * Fix cards for create connector * Add tests * ESLint issue * Cleanup * Cleanup pt2 * Fix type check errors * moving to 3-columns cards for connector selection * Change re-enable to enable terminology * Revert "Change re-enable to enable terminology" This reverts commit b497dfd. * Add re-enable comment * Remove unecessary fragment * Add type to actionTypeNodes * Fix EuiLink to not have opacity of 0.7 when not hovered * design cleanup in progress * updating classNames * using EuiIconTip * Remove label on icon tip * Fix failing jest test Co-authored-by: Andrea Del Rio <delrio.andre@gmail.com> * Add index to .index action type test * PR feedback * Add isErrorThatHandlesItsOwnResponse Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Andrea Del Rio <delrio.andre@gmail.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Andrea Del Rio <delrio.andre@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In this PR, I'm implementing step 4, 9 and 14 of my license check implementation proposal: #54946 (comment). It was discussed further that response status of 403 would make more sense which is included in this PR.
I did notice the execute API always returns status of 200 but will contain the error information within the response. By design, theensureActionTypeEnabledvalidation gets wrapped in a try catch and then returns the error in a JSON structure. I'm thinking of staying consistent instead of adding a special scenario. Would be curious of other's think?EDIT: Execute API now returns 403 errors for license checks.
A few extra changes with this PR:
license_api_access.tsfile toverify_api_access.tsin order to match what it exportsYou will notice there isn't any functional tests. It would require creating different configurations for each license (basic, gold, etc) and adding CI time of > 5-10 minutes per configuration. I have focused heavily on unit tests for these but would be curious to know what others think?EDIT: Functional tests are now in place.
Below are the APIs and their new responses that will return in such scenario:
POST /api/action
Status Code: 403 Forbidden
PUT /api/action/{id}
Status Code: 403 Forbidden
POST /api/action/{id}/_execute
Status Code: 403 Forbidden