use ensureProperArtifactPageAuthzAccess() for validating access to …
…artifacts
paul-tavares committed Jul 27, 2023
1 parent b5b2cd9 commit 1a54923
Showing 3 changed files with 119 additions and 39 deletions.
Expand Up @@ -11,6 +11,7 @@ import { login } from '../../../tasks/login';
import { ServerlessRoleName } from '../../../../../../../shared/lib';
import {
EndpointArtifactPageId,
ensureProperArtifactPageAuthzAccess,
getArtifactListEmptyStateAddButton,
getEndpointManagementPageList,
getEndpointManagementPageMap,
Expand Down Expand Up @@ -132,10 +133,9 @@ describe(
getNoPrivilegesPage().should('not.exist');
});

for (const { url, title, id } of artifactPagesFullAccess) {
for (const { title, id } of artifactPagesFullAccess) {
it(`should have CRUD access to: ${title}`, () => {
cy.visit(url);
getArtifactListEmptyStateAddButton(id as EndpointArtifactPageId).should('exist');
ensureProperArtifactPageAuthzAccess('all', id as EndpointArtifactPageId);
});
}

Expand Down Expand Up @@ -218,10 +218,9 @@ describe(
login('rule_author');
});

for (const { id, url, title } of artifactPagesFullAccess) {
for (const { id, title } of artifactPagesFullAccess) {
it(`should have CRUD access to: ${title}`, () => {
cy.visit(url);
getArtifactListEmptyStateAddButton(id as EndpointArtifactPageId).should('exist');
ensureProperArtifactPageAuthzAccess('all', id as EndpointArtifactPageId);
});
}

Expand All @@ -236,10 +235,10 @@ describe(
});

it(`should have Read access only to: Host Isolation Exceptions`, () => {
cy.visit(pageById.hostIsolationExceptions.url);
getArtifactListEmptyStateAddButton(
ensureProperArtifactPageAuthzAccess(
'read',
pageById.hostIsolationExceptions.id as EndpointArtifactPageId
).should('not.exist');
);
});

it('should NOT have access to Fleet', () => {
Expand Down Expand Up @@ -271,10 +270,9 @@ describe(
login('soc_manager');
});

for (const { id, url, title } of artifactPagesFullAccess) {
for (const { id, title } of artifactPagesFullAccess) {
it(`should have CRUD access to: ${title}`, () => {
cy.visit(url);
getArtifactListEmptyStateAddButton(id as EndpointArtifactPageId).should('exist');
ensureProperArtifactPageAuthzAccess('all', id as EndpointArtifactPageId);
});
}

Expand Down Expand Up @@ -319,10 +317,9 @@ describe(
login('endpoint_operations_analyst');
});

for (const { id, url, title } of artifactPagesFullAccess) {
for (const { id, title } of artifactPagesFullAccess) {
it(`should have CRUD access to: ${title}`, () => {
cy.visit(url);
getArtifactListEmptyStateAddButton(id as EndpointArtifactPageId).should('exist');
ensureProperArtifactPageAuthzAccess('all', id as EndpointArtifactPageId);
});
}

Expand Down Expand Up @@ -363,10 +360,9 @@ describe(
login(roleName);
});

for (const { id, url, title } of artifactPagesFullAccess) {
for (const { id, title } of artifactPagesFullAccess) {
it(`should have CRUD access to: ${title}`, () => {
cy.visit(url);
getArtifactListEmptyStateAddButton(id as EndpointArtifactPageId).should('exist');
ensureProperArtifactPageAuthzAccess('all', id as EndpointArtifactPageId);
});
}

Expand Up @@ -14,6 +14,7 @@ import {
getEndpointManagementPageMap,
getEndpointManagementPageList,
EndpointArtifactPageId,
ensureProperArtifactPageAuthzAccess,
} from '../../../screens/endpoint_management';
import {
ensurePermissionDeniedScreen,
Expand Down Expand Up @@ -97,16 +98,17 @@ describe(
getNoPrivilegesPage().should('not.exist');
});

for (const { url, title, id } of artifactPagesFullAccess) {
for (const { title, id } of artifactPagesFullAccess) {
it(`should have CRUD access to: ${title}`, () => {
cy.visit(url);
getArtifactListEmptyStateAddButton(id as EndpointArtifactPageId).should('exist');
ensureProperArtifactPageAuthzAccess('all', id as EndpointArtifactPageId);
});
}

it(`should NOT have access to Host Isolation Exceptions`, () => {
cy.visit(pageById.hostIsolationExceptions.url);
getNoPrivilegesPage().should('exist');
ensureProperArtifactPageAuthzAccess(
'none',
pageById.hostIsolationExceptions.id as EndpointArtifactPageId
);
});

it('should NOT have access to Fleet', () => {
Expand Down Expand Up @@ -158,10 +160,9 @@ describe(
login('rule_author');
});

for (const { id, url, title } of artifactPagesFullAccess) {
for (const { id, title } of artifactPagesFullAccess) {
it(`should have CRUD access to: ${title}`, () => {
cy.visit(url);
getArtifactListEmptyStateAddButton(id as EndpointArtifactPageId).should('exist');
ensureProperArtifactPageAuthzAccess('all', id as EndpointArtifactPageId);
});
}

Expand All @@ -176,8 +177,10 @@ describe(
});

it(`should NOT have access to Host Isolation Exceptions`, () => {
cy.visit(pageById.hostIsolationExceptions.url);
getNoPrivilegesPage().should('exist');
ensureProperArtifactPageAuthzAccess(
'none',
pageById.hostIsolationExceptions.id as EndpointArtifactPageId
);
});

it('should NOT have access to Fleet', () => {
Expand All @@ -198,10 +201,9 @@ describe(
login('soc_manager');
});

for (const { id, url, title } of artifactPagesFullAccess) {
for (const { id, title } of artifactPagesFullAccess) {
it(`should have CRUD access to: ${title}`, () => {
cy.visit(url);
getArtifactListEmptyStateAddButton(id as EndpointArtifactPageId).should('exist');
ensureProperArtifactPageAuthzAccess('all', id as EndpointArtifactPageId);
});
}

Expand All @@ -213,8 +215,10 @@ describe(
}

it(`should NOT have access to Host Isolation Exceptions`, () => {
cy.visit(pageById.hostIsolationExceptions.url);
getNoPrivilegesPage().should('exist');
ensureProperArtifactPageAuthzAccess(
'none',
pageById.hostIsolationExceptions.id as EndpointArtifactPageId
);
});

it('should NOT have access to Fleet', () => {
Expand Down Expand Up @@ -243,10 +247,9 @@ describe(
login(roleName);
});

for (const { id, url, title } of artifactPagesFullAccess) {
for (const { id, title } of artifactPagesFullAccess) {
it(`should have CRUD access to: ${title}`, () => {
cy.visit(url);
getArtifactListEmptyStateAddButton(id as EndpointArtifactPageId).should('exist');
ensureProperArtifactPageAuthzAccess('all', id as EndpointArtifactPageId);
});
}

Expand All @@ -258,8 +261,10 @@ describe(
}

it(`should NOT have access to Host Isolation Exceptions`, () => {
cy.visit(pageById.hostIsolationExceptions.url);
getNoPrivilegesPage().should('exist');
ensureProperArtifactPageAuthzAccess(
'none',
pageById.hostIsolationExceptions.id as EndpointArtifactPageId
);
});

it('should have access to Fleet', () => {
Expand Up @@ -5,17 +5,96 @@
* 2.0.
*/

import { EndpointArtifactPageId } from './page_reference';
import { DeepReadonly } from 'utility-types';
import { subj as testSubjSelector } from '@kbn/test-subj-selector';
import {
EndpointArtifactPageId,
EndpointManagementPageMap,
getEndpointManagementPageMap,
} from './page_reference';

type UserAuthzAccessLevel = 'all' | 'read' | 'none';

const artifactPageTopTestSubjPrefix: Readonly<Record<EndpointArtifactPageId, string>> = {
trustedApps: 'trustedAppsListPage',
eventFilters: 'EventFiltersListPage',
hostIsolationExceptions: 'hostIsolationExceptionsListPage',
blocklist: 'blocklistPage',
};
const pagesById: DeepReadonly<EndpointManagementPageMap> = getEndpointManagementPageMap();

const createSubjectSelector = (selectorSuffix: string, pageId?: EndpointArtifactPageId): string => {
if (pageId) {
return testSubjSelector(`${artifactPageTopTestSubjPrefix[pageId]}${selectorSuffix}`);
}

return Object.values(artifactPageTopTestSubjPrefix)
.map((testSubjPrefix) => testSubjSelector(testSubjPrefix + selectorSuffix))
.join(',');
};

export const getArtifactListEmptyStateAddButton = (
artifactType: keyof typeof artifactPageTopTestSubjPrefix
): Cypress.Chainable => {
return cy.getByTestSubj(`${artifactPageTopTestSubjPrefix[artifactType]}-emptyState-addButton`);
};

export const isArtifactPageShowingEmptyState = (
pageId?: EndpointArtifactPageId
): Cypress.Chainable<boolean> => {
const emptyPageSelector = createSubjectSelector('-emptyState', pageId);
const otherPossiblePageViews = [
createSubjectSelector('-list', pageId),
testSubjSelector('noPrivilegesPage'),
].join(',');
let found: boolean = false;

return cy
.getByTestSubj('pageContainer')
.waitUntil(($pageContainer) => {
if ($pageContainer.find(emptyPageSelector).length > 0) {
found = true;
return true;
}

if ($pageContainer.find(otherPossiblePageViews).length > 0) {
found = false;
return true;
}

return false;
})
.then(() => {
return found;
});
};

/**
* Validates to ensure that the user has the given access level to an artifact page.
* @param accessLevel
* @param visitPage If defined, then the page (id) provided will first be `visit`ed and then auth is checked
*/
export const ensureProperArtifactPageAuthzAccess = (
accessLevel: UserAuthzAccessLevel,
visitPage?: EndpointArtifactPageId
): Cypress.Chainable => {
if (visitPage) {
cy.visit(pagesById[visitPage]);
}

isArtifactPageShowingEmptyState().then((isEmptyState) => {
const addButtonSelector = isEmptyState
? createSubjectSelector('-emptyState-addButton', visitPage)
: createSubjectSelector('-pageAddButton', visitPage);

if (accessLevel === 'all') {
cy.get(addButtonSelector).should('exist');
} else if (accessLevel === 'read') {
cy.get(addButtonSelector).should('not.exist');
} else {
cy.getByTestSubj('noPrivilegesPage').should('exist');
}
});

return cy.getByTestSubj('pageContainer');
};
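Review bot: The `'read'` branch of `ensureProperArtifactPageAuthzAccess` asserts only that the add button is absent, which is also true when the no-privileges page is what rendered: `isArtifactPageShowingEmptyState()` resolves `false` once it finds `noPrivilegesPage`, so the `-pageAddButton` selector is checked and `should('not.exist')` passes. A role with no access to the page at all would therefore still satisfy the "Read access only to: Host Isolation Exceptions" test in the first file, so the check does not tell `'read'` apart from `'none'`. Adding `cy.getByTestSubj('noPrivilegesPage').should('not.exist');` to the `'read'` branch (and, for symmetry, to `'all'`) makes the three access levels mutually exclusive. Separately, `cy.visit(pagesById[visitPage])` passes the whole page entry while the specs read `.url` from the same map; this presumably works because `cy.visit` accepts an object carrying a `url` field, but `pagesById[visitPage].url` would state the intent directly.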
