[Cases] Cleaning up RBAC integration tests

x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/delete_cases.ts

@@ -285,10 +285,27 @@ export default ({ getService }: FtrProviderContext): void => {
  );
 
  /**
- * We expect a 404 because the bulkGet inside the delete
- * route should return a 404 when requesting a case from
- * a different space.
- * */
+ * secOnly does not have access to space2 so it should 403
+ */
+ await deleteCases({
+ supertest: supertestWithoutAuth,
+ caseIDs: [postedCase.id],
+ expectedHttpCode: 403,
+ auth: { user: secOnly, space: 'space2' },
+ });
+ });
+
+ it('should NOT delete a case created in space2 by making a request to space1', async () => {
+ const postedCase = await createCase(
+ supertestWithoutAuth,
+ getPostCaseRequest({ owner: 'securitySolutionFixture' }),
+ 200,
+ {
+ user: superUser,
+ space: 'space2',
+ }
+ );
+
  await deleteCases({
  supertest: supertestWithoutAuth,
  caseIDs: [postedCase.id],

x-pack/test/case_api_integration/security_and_spaces/tests/common/comments/delete_comment.ts

@@ -320,6 +320,37 @@ export default ({ getService }: FtrProviderContext): void => {
  auth: { user: superUser, space: 'space2' },
  });
 
+ await deleteComment({
+ supertest: supertestWithoutAuth,
+ caseId: postedCase.id,
+ commentId: commentResp.comments![0].id,
+ auth: { user: secOnly, space: 'space2' },
+ expectedHttpCode: 403,
+ });
+
+ await deleteAllComments({
+ supertest: supertestWithoutAuth,
+ caseId: postedCase.id,
+ auth: { user: secOnly, space: 'space2' },
+ expectedHttpCode: 403,
+ });
+ });
+
+ it('should NOT delete a comment created in space2 by making a request to space1', async () => {
+ const postedCase = await createCase(
+ supertestWithoutAuth,
+ getPostCaseRequest({ owner: 'securitySolutionFixture' }),
+ 200,
+ { user: superUser, space: 'space2' }
+ );
+
+ const commentResp = await createComment({
+ supertest: supertestWithoutAuth,
+ caseId: postedCase.id,
+ params: postCommentUserReq,
+ auth: { user: superUser, space: 'space2' },
+ });
+
  await deleteComment({
  supertest: supertestWithoutAuth,
  caseId: postedCase.id,

x-pack/test/case_api_integration/security_and_spaces/tests/common/configure/patch_configure.ts

@@ -224,6 +224,32 @@ export default ({ getService }: FtrProviderContext): void => {
  }
  );
 
+ await updateConfiguration(
+ supertestWithoutAuth,
+ configuration.id,
+ {
+ closure_type: 'close-by-pushing',
+ version: configuration.version,
+ },
+ 403,
+ {
+ user: secOnly,
+ space: 'space2',
+ }
+ );
+ });
+
+ it('should NOT update a configuration created in space2 by making a request to space1', async () => {
+ const configuration = await createConfiguration(
+ supertestWithoutAuth,
+ { ...getConfigurationRequest(), owner: 'securitySolutionFixture' },
+ 200,
+ {
+ user: superUser,
+ space: 'space2',
+ }
+ );
+
  await updateConfiguration(
  supertestWithoutAuth,
  configuration.id,

x-pack/test/case_api_integration/spaces_only/tests/common/comments/get_comment.ts

@@ -46,7 +46,7 @@ export default ({ getService }: FtrProviderContext): void => {
  expect(comment).to.eql(patchedCase.comments![0]);
  });
 
- it('should not get a comment in space2', async () => {
+ it('should not get a comment in space2 when it was created in space1', async () => {
  const postedCase = await createCase(supertest, postCaseReq, 200, authSpace1);
  const patchedCase = await createComment({
  supertest,