Adding tests for space permissions
jonathan-buttner committed Jun 3, 2021
1 parent 739fd6f commit ead6edf
Showing 4 changed files with 79 additions and 5 deletions.
Expand Up @@ -285,10 +285,27 @@ export default ({ getService }: FtrProviderContext): void => {
);

/**
* We expect a 404 because the bulkGet inside the delete
* route should return a 404 when requesting a case from
* a different space.
* */
* secOnly does not have access to space2 so it should 403
*/
await deleteCases({
supertest: supertestWithoutAuth,
caseIDs: [postedCase.id],
expectedHttpCode: 403,
auth: { user: secOnly, space: 'space2' },
});
});

it('should NOT delete a case created in space2 by making a request to space1', async () => {
const postedCase = await createCase(
supertestWithoutAuth,
getPostCaseRequest({ owner: 'securitySolutionFixture' }),
200,
{
user: superUser,
space: 'space2',
}
);

await deleteCases({
supertest: supertestWithoutAuth,
caseIDs: [postedCase.id],
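Review bot: The new negative tests only assert on the rejected status code, so a route that answered 403 (or 404 in the new space1 test) and still carried out the deletion would pass unchanged. After the `deleteCases` call that expects 403, and after the one that begins at the end of this hunk, the test should re-fetch the case with the same superUser/space2 auth that created it and expect a 200 to prove the resource is intact. The same gap applies to the `deleteComment`/`deleteAllComments` section and to the `updateConfiguration` section, where a follow-up read should confirm `closure_type` still holds its original value. The `it` body that starts with "should NOT delete a case created in space2" runs past the hunk, so the auth it passes for the space1 request could not be checked here.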
Expand Up @@ -320,6 +320,37 @@ export default ({ getService }: FtrProviderContext): void => {
auth: { user: superUser, space: 'space2' },
});

await deleteComment({
supertest: supertestWithoutAuth,
caseId: postedCase.id,
commentId: commentResp.comments![0].id,
auth: { user: secOnly, space: 'space2' },
expectedHttpCode: 403,
});

await deleteAllComments({
supertest: supertestWithoutAuth,
caseId: postedCase.id,
auth: { user: secOnly, space: 'space2' },
expectedHttpCode: 403,
});
});

it('should NOT delete a comment created in space2 by making a request to space1', async () => {
const postedCase = await createCase(
supertestWithoutAuth,
getPostCaseRequest({ owner: 'securitySolutionFixture' }),
200,
{ user: superUser, space: 'space2' }
);

const commentResp = await createComment({
supertest: supertestWithoutAuth,
caseId: postedCase.id,
params: postCommentUserReq,
auth: { user: superUser, space: 'space2' },
});

await deleteComment({
supertest: supertestWithoutAuth,
caseId: postedCase.id,
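Review bot: `commentId: commentResp.comments![0].id` in the new `deleteComment` call relies on a non-null assertion plus an unchecked index, so if `createComment` ever returns a case with no comments the test fails with a TypeError inside the setup rather than a readable assertion on the behaviour under test. A one-line guard before it, `expect(commentResp.comments).to.have.length(1);`, keeps the failure attributable to the right step; the same applies wherever `comments![0]` is reused in this suite. The second `it` in this hunk and its final `deleteComment` call continue past the hunk, so the auth and expected code for the space1 request are not visible here.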
Expand Up @@ -224,6 +224,32 @@ export default ({ getService }: FtrProviderContext): void => {
}
);

await updateConfiguration(
supertestWithoutAuth,
configuration.id,
{
closure_type: 'close-by-pushing',
version: configuration.version,
},
403,
{
user: secOnly,
space: 'space2',
}
);
});

it('should NOT update a configuration created in space2 by making a request to space1', async () => {
const configuration = await createConfiguration(
supertestWithoutAuth,
{ ...getConfigurationRequest(), owner: 'securitySolutionFixture' },
200,
{
user: superUser,
space: 'space2',
}
);

await updateConfiguration(
supertestWithoutAuth,
configuration.id,
Expand Up @@ -46,7 +46,7 @@ export default ({ getService }: FtrProviderContext): void => {
expect(comment).to.eql(patchedCase.comments![0]);
});

it('should not get a comment in space2', async () => {
it('should not get a comment in space2 when it was created in space1', async () => {
const postedCase = await createCase(supertest, postCaseReq, 200, authSpace1);
const patchedCase = await createComment({
supertest,
