[Fleet] Require AgentPolicies:All to add a fleet server (#193014)

elastic · Sep 17, 2024 · 193935c · 193935c
1 parent 558c6fd
commit 193935c
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 2 deletions.
diff --git a/x-pack/plugins/fleet/common/authz.ts b/x-pack/plugins/fleet/common/authz.ts
@@ -117,7 +117,8 @@ export const calculateAuthz = ({
         allSettings: fleet.settings?.all ?? false,
         allAgentPolicies: fleet.agentPolicies?.all ?? false,
         addAgents: fleet.agents?.all ?? false,
-        addFleetServers: (fleet.agents?.all && fleet.settings?.all) ?? false,
+        addFleetServers:
+          (fleet.agents?.all && fleet.agentPolicies?.all && fleet.settings?.all) ?? false,
         // Setup is needed to access the Fleet UI
         setup:
           hasFleetAll ||

diff --git a/...lications/fleet/sections/settings/components/settings_page/fleet_server_hosts_section.tsx b/...lications/fleet/sections/settings/components/settings_page/fleet_server_hosts_section.tsx
@@ -59,7 +59,7 @@ export const FleetServerHostsSection: React.FunctionComponent<FleetServerHostsSe
         fleetServerHosts={fleetServerHosts}
         deleteFleetServerHost={deleteFleetServerHost}
       />
-      {authz.fleet.allSettings && authz.fleet.allAgents ? (
+      {authz.fleet.addFleetServers ? (
         <>
           <EuiSpacer size="s" />
           <EuiButtonEmpty

diff --git a/x-pack/plugins/fleet/server/services/security/security.test.ts b/x-pack/plugins/fleet/server/services/security/security.test.ts
@@ -886,4 +886,57 @@ describe('getAuthzFromRequest', () => {
       expect(res.fleet.readAgents).toBe(false);
     });
   });
+
+  describe('Fleet addFleetServer', () => {
+    beforeEach(() => {
+      mockSecurity.authz.mode.useRbacForRequest.mockReturnValue(true);
+    });
+    it('should authorize user with Fleet:Agents:All Fleet:AgentsPolicies:All Fleet:Settings:All', async () => {
+      checkPrivileges.mockResolvedValue({
+        privileges: {
+          kibana: [
+            {
+              resource: 'default',
+              privilege: 'api:fleet-agents-all',
+              authorized: true,
+            },
+            {
+              resource: 'default',
+              privilege: 'api:fleet-agent-policies-all',
+              authorized: true,
+            },
+            {
+              resource: 'default',
+              privilege: 'api:fleet-settings-all',
+              authorized: true,
+            },
+          ],
+          elasticsearch: {} as any,
+        },
+        hasAllRequested: true,
+        username: 'test',
+      });
+      const res = await getAuthzFromRequest({} as any);
+      expect(res.fleet.addFleetServers).toBe(true);
+    });
+
+    it('should not authorize user with only Fleet:Agents:All', async () => {
+      checkPrivileges.mockResolvedValue({
+        privileges: {
+          kibana: [
+            {
+              resource: 'default',
+              privilege: 'api:fleet-agents-all',
+              authorized: true,
+            },
+          ],
+          elasticsearch: {} as any,
+        },
+        hasAllRequested: true,
+        username: 'test',
+      });
+      const res = await getAuthzFromRequest({} as any);
+      expect(res.fleet.addFleetServers).toBe(false);
+    });
+  });
 });