[RAC] [RBAC] MVP RBAC for alerts as data

packages/kbn-rule-data-utils/src/technical_field_names.ts

@@ -19,6 +19,7 @@ const RULE_NAME = 'rule.name' as const;
 const RULE_CATEGORY = 'rule.category' as const;
 const TAGS = 'tags' as const;
 const PRODUCER = `${ALERT_NAMESPACE}.producer` as const;
+const OWNER = `${ALERT_NAMESPACE}.owner` as const;
 const ALERT_ID = `${ALERT_NAMESPACE}.id` as const;
 const ALERT_UUID = `${ALERT_NAMESPACE}.uuid` as const;
 const ALERT_START = `${ALERT_NAMESPACE}.start` as const;
@@ -40,6 +41,7 @@ const fields = {
   RULE_CATEGORY,
   TAGS,
   PRODUCER,
+  OWNER,
   ALERT_ID,
   ALERT_UUID,
   ALERT_START,
@@ -62,6 +64,7 @@ export {
   RULE_CATEGORY,
   TAGS,
   PRODUCER,
+  OWNER,
   ALERT_ID,
   ALERT_UUID,
   ALERT_START,

x-pack/plugins/lists/server/services/utils/decode_version.ts → packages/kbn-securitysolution-es-utils/src/decode_version/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 // Similar to the src/core/server/saved_objects/version/decode_version.ts

x-pack/plugins/lists/server/services/utils/encode_hit_version.ts → packages/kbn-securitysolution-es-utils/src/encode_hit_version/index.ts

@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 /**

packages/kbn-securitysolution-es-utils/src/index.ts

@@ -8,10 +8,12 @@
 
 export * from './bad_request_error';
 export * from './create_boostrap_index';
+export * from './decode_version';
 export * from './delete_all_index';
 export * from './delete_policy';
 export * from './delete_template';
 export * from './elasticsearch_client';
+export * from './encode_hit_version';
 export * from './get_index_aliases';
 export * from './get_index_count';
 export * from './get_index_exists';

x-pack/plugins/alerting/server/authorization/alerting_authorization.mock.ts

@@ -16,12 +16,13 @@ const createAlertingAuthorizationMock = () => {
     ensureAuthorized: jest.fn(),
     filterByRuleTypeAuthorization: jest.fn(),
     getFindAuthorizationFilter: jest.fn(),
+    getAugmentedRuleTypesWithAuthorization: jest.fn(),
   };
   return mocked;
 };
 
 export const alertingAuthorizationMock: {
-  create: () => AlertingAuthorizationMock;
+  create: () => jest.Mocked<PublicMethodsOf<AlertingAuthorization>>;
 } = {
   create: createAlertingAuthorizationMock,
 };

x-pack/plugins/alerting/server/authorization/alerting_authorization.test.ts

@@ -1944,4 +1944,184 @@ describe('AlertingAuthorization', () => {
               `);
     });
   });
+
+  describe('getAugmentedRuleTypesWithAuthorization', () => {
+    const myOtherAppAlertType: RegistryAlertType = {
+      actionGroups: [],
+      actionVariables: undefined,
+      defaultActionGroupId: 'default',
+      minimumLicenseRequired: 'basic',
+      recoveryActionGroup: RecoveredActionGroup,
+      id: 'myOtherAppAlertType',
+      name: 'myOtherAppAlertType',
+      producer: 'alerts',
+      enabledInLicense: true,
+      isExportable: true,
+    };
+    const myAppAlertType: RegistryAlertType = {
+      actionGroups: [],
+      actionVariables: undefined,
+      defaultActionGroupId: 'default',
+      minimumLicenseRequired: 'basic',
+      recoveryActionGroup: RecoveredActionGroup,
+      id: 'myAppAlertType',
+      name: 'myAppAlertType',
+      producer: 'myApp',
+      enabledInLicense: true,
+      isExportable: true,
+    };
+    const mySecondAppAlertType: RegistryAlertType = {
+      actionGroups: [],
+      actionVariables: undefined,
+      defaultActionGroupId: 'default',
+      minimumLicenseRequired: 'basic',
+      recoveryActionGroup: RecoveredActionGroup,
+      id: 'mySecondAppAlertType',
+      name: 'mySecondAppAlertType',
+      producer: 'myApp',
+      enabledInLicense: true,
+      isExportable: true,
+    };
+    const setOfAlertTypes = new Set([myAppAlertType, myOtherAppAlertType, mySecondAppAlertType]);
+
+    test('it returns authorized rule types given a set of feature ids', async () => {
+      const { authorization } = mockSecurity();
+      const checkPrivileges: jest.MockedFunction<
+        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
+      > = jest.fn();
+      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
+      checkPrivileges.mockResolvedValueOnce({
+        username: 'some-user',
+        hasAllRequested: false,
+        privileges: {
+          kibana: [
+            {
+              privilege: mockAuthorizationAction('myOtherAppAlertType', 'myApp', 'alert', 'find'),
+              authorized: true,
+            },
+          ],
+        },
+      });
+      const alertAuthorization = new AlertingAuthorization({
+        request,
+        authorization,
+        alertTypeRegistry,
+        features,
+        auditLogger,
+        getSpace,
+        exemptConsumerIds,
+      });
+      alertTypeRegistry.list.mockReturnValue(setOfAlertTypes);
+
+      await expect(
+        alertAuthorization.getAugmentedRuleTypesWithAuthorization(
+          ['myApp'],
+          [ReadOperations.Find, ReadOperations.Get, WriteOperations.Update],
+          AlertingAuthorizationEntity.Alert
+        )
+      ).resolves.toMatchInlineSnapshot(`
+              Object {
+                "authorizedRuleTypes": Set {
+                  Object {
+                    "actionGroups": Array [],
+                    "actionVariables": undefined,
+                    "authorizedConsumers": Object {
+                      "myApp": Object {
+                        "all": false,
+                        "read": true,
+                      },
+                    },
+                    "defaultActionGroupId": "default",
+                    "enabledInLicense": true,
+                    "id": "myOtherAppAlertType",
+                    "isExportable": true,
+                    "minimumLicenseRequired": "basic",
+                    "name": "myOtherAppAlertType",
+                    "producer": "alerts",
+                    "recoveryActionGroup": Object {
+                      "id": "recovered",
+                      "name": "Recovered",
+                    },
+                  },
+                },
+                "hasAllRequested": false,
+                "username": "some-user",
+              }
+            `);
+    });
+
+    test('it returns all authorized if user has read, get and update alert privileges', async () => {
+      const { authorization } = mockSecurity();
+      const checkPrivileges: jest.MockedFunction<
+        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
+      > = jest.fn();
+      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
+      checkPrivileges.mockResolvedValueOnce({
+        username: 'some-user',
+        hasAllRequested: false,
+        privileges: {
+          kibana: [
+            {
+              privilege: mockAuthorizationAction('myOtherAppAlertType', 'myApp', 'alert', 'find'),
+              authorized: true,
+            },
+            {
+              privilege: mockAuthorizationAction('myOtherAppAlertType', 'myApp', 'alert', 'get'),
+              authorized: true,
+            },
+            {
+              privilege: mockAuthorizationAction('myOtherAppAlertType', 'myApp', 'alert', 'update'),
+              authorized: true,
+            },
+          ],
+        },
+      });
+      const alertAuthorization = new AlertingAuthorization({
+        request,
+        authorization,
+        alertTypeRegistry,
+        features,
+        auditLogger,
+        getSpace,
+        exemptConsumerIds,
+      });
+      alertTypeRegistry.list.mockReturnValue(setOfAlertTypes);
+
+      await expect(
+        alertAuthorization.getAugmentedRuleTypesWithAuthorization(
+          ['myApp'],
+          [ReadOperations.Find, ReadOperations.Get, WriteOperations.Update],
+          AlertingAuthorizationEntity.Alert
+        )
+      ).resolves.toMatchInlineSnapshot(`
+              Object {
+                "authorizedRuleTypes": Set {
+                  Object {
+                    "actionGroups": Array [],
+                    "actionVariables": undefined,
+                    "authorizedConsumers": Object {
+                      "myApp": Object {
+                        "all": true,
+                        "read": true,
+                      },
+                    },
+                    "defaultActionGroupId": "default",
+                    "enabledInLicense": true,
+                    "id": "myOtherAppAlertType",
+                    "isExportable": true,
+                    "minimumLicenseRequired": "basic",
+                    "name": "myOtherAppAlertType",
+                    "producer": "alerts",
+                    "recoveryActionGroup": Object {
+                      "id": "recovered",
+                      "name": "Recovered",
+                    },
+                  },
+                },
+                "hasAllRequested": false,
+                "username": "some-user",
+              }
+            `);
+    });
+  });
 });

x-pack/plugins/alerting/server/authorization/alerting_authorization.ts

@@ -124,20 +124,41 @@ export class AlertingAuthorization {
         return new Set();
       });
 
-    this.allPossibleConsumers = this.featuresIds.then((featuresIds) =>
-      featuresIds.size
+    this.allPossibleConsumers = this.featuresIds.then((featuresIds) => {
+      return featuresIds.size
         ? asAuthorizedConsumers([...this.exemptConsumerIds, ...featuresIds], {
             read: true,
             all: true,
           })
-        : {}
-    );
+        : {};
+    });
   }
 
   private shouldCheckAuthorization(): boolean {
     return this.authorization?.mode?.useRbacForRequest(this.request) ?? false;
   }
 
+  /*
+   * This method exposes the private 'augmentRuleTypesWithAuthorization' to be
+   * used by the RAC/Alerts client
+   */
+  public async getAugmentedRuleTypesWithAuthorization(
+    featureIds: readonly string[],
+    operations: Array<ReadOperations | WriteOperations>,
+    authorizationEntity: AlertingAuthorizationEntity
+  ): Promise<{
+    username?: string;
+    hasAllRequested: boolean;
+    authorizedRuleTypes: Set<RegistryAlertTypeWithAuth>;
+  }> {
+    return this.augmentRuleTypesWithAuthorization(
+      this.alertTypeRegistry.list(),
+      operations,
+      authorizationEntity,
+      new Set(featureIds)
+    );
+  }
+
   public async ensureAuthorized({ ruleTypeId, consumer, operation, entity }: EnsureAuthorizedOpts) {
     const { authorization } = this;
 
@@ -339,13 +360,14 @@ export class AlertingAuthorization {
   private async augmentRuleTypesWithAuthorization(
     ruleTypes: Set<RegistryAlertType>,
     operations: Array<ReadOperations | WriteOperations>,
-    authorizationEntity: AlertingAuthorizationEntity
+    authorizationEntity: AlertingAuthorizationEntity,
+    featuresIds?: Set<string>
   ): Promise<{
     username?: string;
     hasAllRequested: boolean;
     authorizedRuleTypes: Set<RegistryAlertTypeWithAuth>;
   }> {
-    const featuresIds = await this.featuresIds;
+    const fIds = featuresIds ?? (await this.featuresIds);
     if (this.authorization && this.shouldCheckAuthorization()) {
       const checkPrivileges = this.authorization.checkPrivilegesDynamicallyWithRequest(
         this.request
@@ -363,7 +385,7 @@ export class AlertingAuthorization {
       // as we can't ask ES for the user's individual privileges we need to ask for each feature
       // and ruleType in the system whether this user has this privilege
       for (const ruleType of ruleTypesWithAuthorization) {
-        for (const feature of featuresIds) {
+        for (const feature of fIds) {
           for (const operation of operations) {
             privilegeToRuleType.set(
               this.authorization!.actions.alerting.get(
@@ -420,7 +442,7 @@ export class AlertingAuthorization {
       return {
         hasAllRequested: true,
         authorizedRuleTypes: this.augmentWithAuthorizedConsumers(
-          new Set([...ruleTypes].filter((ruleType) => featuresIds.has(ruleType.producer))),
+          new Set([...ruleTypes].filter((ruleType) => fIds.has(ruleType.producer))),
           await this.allPossibleConsumers
         ),
       };

x-pack/plugins/alerting/server/index.ts

@@ -34,6 +34,13 @@ export { FindResult } from './alerts_client';
 export { PublicAlertInstance as AlertInstance } from './alert_instance';
 export { parseDuration } from './lib';
 export { getEsErrorMessage } from './lib/errors';
+export {
+  ReadOperations,
+  AlertingAuthorizationFilterType,
+  AlertingAuthorization,
+  WriteOperations,
+  AlertingAuthorizationEntity,
+} from './authorization';
 
 export const plugin = (initContext: PluginInitializerContext) => new AlertingPlugin(initContext);