Fixes to /fleet/queries/run endpoint

[getvictor]

Fixes to /fleet/queries/run endpoint:

• now returns 403 for an unauthorized user
• now returns 400 when query_ids or host_ids are not specified

#11446 and #11901

Checklist for submitter

If some of the following don't apply, delete the relevant line.

API clarifications are in a separate PR #14956

• Changes file added for user-visible changes in changes/ or orbit/changes/.
  See Changes files for more information.
• Added/updated tests
• Manual QA for all new/changed functionality

[lucasmrod]

Let's check with the product team what the expected behavior is when sending multiple query_ids and the user is not authorized to run some of them:

• Should the request fail and no queries be executed?
• Should the request not fail and only run the queries that the user is authorized to run?

API: https://fleetdm.com/docs/rest-api/rest-api#parameters97

@noahtalerman @rachaelshaw

[noahtalerman]

@marko-lisica did we define a similar behavior for running MDM commands that we can borrow here?

[getvictor]

Current behavior for mix of authorized/unauthorized live queries is that user will get back an array of results. Good results will be valid, and unauthorized results will have "error":"forbidden"

[lucasmrod]

Sounds good. Could we take the chance to document this behavior in the rest-api.md?

[lucasmrod]

(Can be done later on another PR.)

[rachaelshaw]

After chatting with Victor about it earlier, this behavior of mixed results makes sense to me, but I definitely agree we should document the behavior. @getvictor if you don't mind adding that to this PR, that'd be awesome. Or I'd be happy to take a stab at it after this is merged, just let me know

[marko-lisica]

@noahtalerman In the CLI we have error message for this use case - figma link. Regarding API, seems there's 403: forbidden error, but not sure when do we return this one.

[getvictor]

@rachaelshaw I added PR #14956 for rest-api.md updates.

[lucasmrod]

LGTM, but left a question regarding expected behavior. (Please let me know if this was defined somewhere and I missed it.)

[codecov]

Codecov Report

Attention: 6 lines in your changes are missing coverage. Please review.

Comparison is base (5391b68) 58.85% compared to head (f4c7df1) 58.87%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #14909      +/-   ##
==========================================
+ Coverage   58.85%   58.87%   +0.02%     
==========================================
  Files         953      953              
  Lines       80241    80274      +33     
  Branches     2222     2222              
==========================================
+ Hits        47223    47265      +42     
+ Misses      29341    29336       -5     
+ Partials     3677     3673       -4     

Flag	Coverage Δ
backend	59.52% <83.78%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
server/service/live_queries.go	76.92% <100.00%> (+3.47%)	⬆️
server/utils.go	41.93% <100.00%> (+7.78%)	⬆️
server/authz/errors.go	21.87% <0.00%> (-4.06%)	⬇️

... and 3 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[lucasmrod]

Out of curiosity: Is there a bug or just a sanity check to not cause unnecessary load?

[getvictor]

Small bug. User can specify the same host twice, but service will only return 1 result. So, TargetedHostCount(2) will never match RespondedHostCount(1).