Update 4 Software > details pages with desired empty state for 404 responses

[jacobshandling]

As discussed on 2/16 with @noahtalerman @rachaelshaw @getvictor @mostlikelee, to prevent leaking information from higher permissions scopes, we want to display the same generic empty state on these pages in both the cases where the entity doesn't exist and where the user doesn't have access to it. The API will return 404 in both cases.

Manual testing done on endpoints:

Global admin /software/titles/:id does not exist - 404

GET https://localhost:8080/api/v1/fleet/software/titles/99999999

Global admin /software/titles/:id on 'No Team' - 200

GET https://localhost:8080/api/v1/fleet/software/titles/5984

Global admin /software/titles/:id?team_id team does not exist - 404

GET https://localhost:8080/api/v1/fleet/software/titles/5984?team_id=99999

Global admin /software/titles/:id?team_id does not exist on that team - 404

GET https://localhost:8080/api/v1/fleet/software/titles/5984?team_id=1

Global admin /software/titles/:id?team_id does not exist anywhere - 404

GET https://localhost:8080/api/v1/fleet/software/titles/999999?team_id=1

Team admin /software/titles/:id does not exit - 404

GET https://localhost:8080/api/v1/fleet/software/titles/99999999

Team admin /software/titles/:id on 'No Team' - 403

GET https://localhost:8080/api/v1/fleet/software/titles/5984

Team admin /software/titles/:id?team_id team does not exist - 403

GET https://localhost:8080/api/v1/fleet/software/titles/5984?team_id=99999

Team admin /software/titles/:id?team_id does not exist on that team - 404

GET https://localhost:8080/api/v1/fleet/software/titles/5984?team_id=1

Team admin /software/titles/:id?team_id does not exist anywhere - 404

GET https://localhost:8080/api/v1/fleet/software/titles/999999?team_id=1

Team admin /software/titles/:id?team_id another team - 403

GET https://localhost:8080/api/v1/fleet/software/titles/5984?team_id=2

Global admin /software/versions/:id does not exist - 404

GET https://localhost:8080/api/v1/fleet/software/versions/99999999

Global admin /software/versions/:id on 'No Team' - 200

GET https://localhost:8080/api/v1/fleet/software/versions/77568

Global admin /software/versions/:id?team_id team does not exist - 404

GET https://localhost:8080/api/v1/fleet/software/versions/77568?team_id=99999

Global admin /software/versions/:id?team_id does not exist on that team - 404

GET https://localhost:8080/api/v1/fleet/software/versions/77568?team_id=1

Global admin /software/versions/:id?team_id does not exist anywhere - 404

GET https://localhost:8080/api/v1/fleet/software/versions/999999?team_id=1

Team admin /software/versions/:id does not exit - 404

GET https://localhost:8080/api/v1/fleet/software/versions/99999999

Team admin /software/versions/:id on 'No Team' - 403

GET https://localhost:8080/api/v1/fleet/software/versions/77568

Team admin /software/versions/:id?team_id team does not exist - 403

GET https://localhost:8080/api/v1/fleet/software/versions/77568?team_id=99999

Team admin /software/versions/:id?team_id does not exist on that team - 404

GET https://localhost:8080/api/v1/fleet/software/versions/77568?team_id=1

Team admin /software/versions/:id?team_id does not exist anywhere - 404

GET https://localhost:8080/api/v1/fleet/software/versions/999999?team_id=1

Team admin /software/versions/:id?team_id another team - 403

GET https://localhost:8080/api/v1/fleet/software/versions/77568?team_id=2

Global admin /os_versions/:id does not exist - 404

GET https://localhost:8080/api/v1/fleet/os_versions/99999999

Global admin /os_versions/:id on 'No Team' - 200

GET https://localhost:8080/api/v1/fleet/os_versions/5

Global admin /os_versions/:id?team_id team does not exist - 403 (we can change to 404, but this is ok for now)

GET https://localhost:8080/api/v1/fleet/os_versions/5?team_id=99999

Global admin /os_versions/:id?team_id does not exist on that team - 404

GET https://localhost:8080/api/v1/fleet/os_versions/5?team_id=1

Global admin /os_versions/:id?team_id does not exist anywhere - 404

GET https://localhost:8080/api/v1/fleet/os_versions/999999?team_id=1

Team admin /os_versions/:id does not exit - 404

GET https://localhost:8080/api/v1/fleet/os_versions/99999999

Team admin /os_versions/:id on 'No Team' - 200 (should be 403)

GET https://localhost:8080/api/v1/fleet/os_versions/5
Filed bug: #17117

Team admin /os_versions/:id?team_id team does not exist - 403

GET https://localhost:8080/api/v1/fleet/os_versions/5?team_id=99999

Team admin /os_versions/:id?team_id does not exist on that team - 404

GET https://localhost:8080/api/v1/fleet/os_versions/5?team_id=1

Team admin /os_versions/:id?team_id does not exist anywhere - 404

GET https://localhost:8080/api/v1/fleet/os_versions/999999?team_id=1

Team admin /os_versions/:id?team_id another team - 403

GET https://localhost:8080/api/v1/fleet/os_versions/5?team_id=2

[ghernandez345]

@noahtalerman there seems to be two competing requirements for the software permissions. This issue says we are meant to show a 404 when a user doesn't have permissions to see software but @roperzh and I did work recently for this issue that says we should show a 403 page and API return a 403 with a permission error message when user does not have permission to view a software.

Which of these is the correct desired functionality? I imagine a 403 would give a better user experience as they know why they cant access the resource, but if security is more of a concern for customers should @roperzh and I undo the work we merged in and just always show 404 in API and UI?

cc @rachaelshaw @marko-lisica

[noahtalerman]

did work recently for #16052 that says we should show a 403 page and API return a 403 with a permission error message when user does not have permission to view a software.

@ghernandez345 that's right. @jacobshandling and @mostlikelee I forgot about this when we chatted about always showing a 404 on Friday. Apologies.

I think we should prioritize speed and better UX over security here.

If I'm understanding, the following is a smaller change and it's consistent w/ the software details pages (title and version):

If the vuln or OS doesn't exist for a specific team, show a 403 in the UI and API (GET /software/vulnerabilities/:cve and GET /software/os/:id).

@jacobshandling and @mostlikelee is that right?

If yes, I think we pivot to showing a 403.

If y'all have any concerns with this change, let's hop on a call to hash it out.

cc @rachaelshaw

[jacobshandling]

Thanks for the catch @ghernandez345. @noahtalerman that is a very small change on the frontend, yes.

There have already been been multiple rounds of not only spec revisions with this ticket, but wasted effort implementing and re-implementing them as they change. We have been yanked in one and then another direction repeatedly. Since it won't go out until the next release, if any further revisions come up it may be wise to take a step back and give a clear-headed think through this feature in its entirety, security implications, how it might impact other features like the one @ghernandez345 mentioned, before continuing to work on it.

cc @sharon-fdm

[noahtalerman]

wasted effort implementing and re-implementing them as they change

@jacobshandling thanks for calling this out. Apologies for this. This is mainly on me. We didn't spend enough time on permissions before bringing the story to estimation.

Good learning for moving faster in the future: we want product and engineering to be aligned on permissions, and their resulting API responses and UI states, before we start writing code.

cc @rachaelshaw @ghernandez345 @mostlikelee @sharon-fdm @lukeheath

[sharon-fdm]

@noahtalerman would you like to take it back to PRODUCT?

[getvictor]

So the backend API should change like the following, using fleet/software/titles/:id as example? Change all 404 to 403, or just some?

Global admin:

• id that does not exist -> change from 404 to 403
• id that exists on 'No Team' -> 200
• id?team_id=99 team does not exist -> change from 404 to 403
• id?team_id=1 id that does not exist on that team -> change from 404 to 403
• id?team_id=1 id that does not exist anywhere -> change from 404 to 403

Team admin (team_id=1):

• id that does not exist -> keep 403
• id that exists on 'No Team' -> keep 403
• id?team_id=99 team does not exist -> keep 403
• id?team_id=1 id that does not exist on that team -> change from 404 to 403
• id?team_id=1 id that does not exist anywhere -> change from 404 to 403
• id?team_id=2 another team -> keep 403

[noahtalerman]

@getvictor thanks for the list!

I think up to @rachaelshaw.

I've butt in here too quickly a couple too many times.

My 2 cents: If we can display the expected UI, I don't think we need to make any changes to the status codes for the global user (admin) and the team user (admin).

[jacobshandling]

per @getvictor's guidance, updating the frontend to handle both 403 and 404 on these pages in the same way