elastic · jonathan-buttner · Jun 4, 2021 · Jun 3, 2021 · Jun 4, 2021
diff --git a/x-pack/test/case_api_integration/common/fixtures/plugins/security_solution/server/plugin.ts b/x-pack/test/case_api_integration/common/fixtures/plugins/security_solution/server/plugin.ts
@@ -54,6 +54,39 @@ export class FixturePlugin implements Plugin<void, void, FixtureSetupDeps, Fixtu
  },
  },
  });
+
+ features.registerKibanaFeature({
+ id: 'testDisabledFixtureID',
+ name: 'TestDisabledFixture',
+ app: ['kibana'],
+ category: { id: 'cases-fixtures', label: 'Cases Fixtures' },
+ // testDisabledFixture is disabled in space1
+ cases: ['testDisabledFixture'],
+ privileges: {
+ all: {
+ app: ['kibana'],
+ cases: {
+ all: ['testDisabledFixture'],
+ },
+ savedObject: {
+ all: [],
+ read: [],
+ },
+ ui: [],
+ },
+ read: {
+ app: ['kibana'],
+ cases: {
+ read: ['testDisabledFixture'],
+ },
+ savedObject: {
+ all: [],
+ read: [],
+ },
+ ui: [],
+ },
+ },
+ });
  }
  public start() {}
  public stop() {}

diff --git a/x-pack/test/case_api_integration/common/lib/authentication/roles.ts b/x-pack/test/case_api_integration/common/lib/authentication/roles.ts
@@ -46,6 +46,31 @@ export const globalRead: Role = {
  },
 };
 
+export const testDisabledPluginAll: Role = {
+ name: 'test_disabled_plugin_all',
+ privileges: {
+ elasticsearch: {
+ indices: [
+ {
+ names: ['*'],
+ privileges: ['all'],
+ },
+ ],
+ },
+ kibana: [
+ {
+ feature: {
+ testDisabledFixtureID: ['all'],
+ securitySolutionFixture: ['all'],
+ actions: ['all'],
+ actionsSimulators: ['all'],
+ },
+ spaces: ['space1'],
+ },
+ ],
+ },
+};
+
 export const securitySolutionOnlyAll: Role = {
  name: 'sec_only_all',
  privileges: {
@@ -149,6 +174,7 @@ export const roles = [
  securitySolutionOnlyRead,
  observabilityOnlyAll,
  observabilityOnlyRead,
+ testDisabledPluginAll,
 ];
 
 /**

diff --git a/x-pack/test/case_api_integration/common/lib/authentication/spaces.ts b/x-pack/test/case_api_integration/common/lib/authentication/spaces.ts
@@ -10,7 +10,7 @@ import { Space } from './types';
 const space1: Space = {
  id: 'space1',
  name: 'Space 1',
- disabledFeatures: [],
+ disabledFeatures: ['testDisabledFixtureID'],
 };
 
 const space2: Space = {

diff --git a/x-pack/test/case_api_integration/common/lib/authentication/users.ts b/x-pack/test/case_api_integration/common/lib/authentication/users.ts
@@ -16,6 +16,7 @@ import {
  securitySolutionOnlyReadSpacesAll,
  observabilityOnlyAllSpacesAll,
  observabilityOnlyReadSpacesAll,
+ testDisabledPluginAll,
 } from './roles';
 import { User } from './types';
 
@@ -25,6 +26,12 @@ export const superUser: User = {
  roles: ['superuser'],
 };
 
+export const testDisabled: User = {
+ username: 'test_disabled',
+ password: 'test_disabled',
+ roles: [testDisabledPluginAll.name],
+};
+
 export const secOnly: User = {
  username: 'sec_only',
  password: 'sec_only',
@@ -83,6 +90,7 @@ export const users = [
  obsSecRead,
  globalRead,
  noKibanaPrivileges,
+ testDisabled,
 ];
 
 /**

diff --git a/x-pack/test/case_api_integration/common/lib/utils.ts b/x-pack/test/case_api_integration/common/lib/utils.ts
@@ -273,12 +273,17 @@ export const createSubCaseComment = async ({
  return { newSubCaseInfo: caseConnector.body.data, modifiedSubCases: closedSubCases };
 };
 
+type ConfigRequestParams = Partial<CaseConnector> & {
+ overrides?: Record<string, unknown>;
+};
+
 export const getConfigurationRequest = ({
  id = 'none',
  name = 'none',
  type = ConnectorTypes.none,
  fields = null,
-}: Partial<CaseConnector> = {}): CasesConfigureRequest => {
+ overrides,
+}: ConfigRequestParams = {}): CasesConfigureRequest => {
  return {
  connector: {
  id,
@@ -288,6 +293,7 @@ export const getConfigurationRequest = ({
  } as CaseConnector,
  closure_type: 'close-by-user',
  owner: 'securitySolutionFixture',
+ ...overrides,
  };
 };
 

diff --git a/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/delete_cases.ts b/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/delete_cases.ts
@@ -285,10 +285,27 @@ export default ({ getService }: FtrProviderContext): void => {
  );
 
  /**
- * We expect a 404 because the bulkGet inside the delete
- * route should return a 404 when requesting a case from
- * a different space.
- * */
+ * secOnly does not have access to space2 so it should 403
+ */
+ await deleteCases({
+ supertest: supertestWithoutAuth,
+ caseIDs: [postedCase.id],
+ expectedHttpCode: 403,
+ auth: { user: secOnly, space: 'space2' },
+ });
+ });
+
+ it('should NOT delete a case created in space2 by making a request to space1', async () => {
+ const postedCase = await createCase(
+ supertestWithoutAuth,
+ getPostCaseRequest({ owner: 'securitySolutionFixture' }),
+ 200,
+ {
+ user: superUser,
+ space: 'space2',
+ }
+ );
+
  await deleteCases({
  supertest: supertestWithoutAuth,
  caseIDs: [postedCase.id],

diff --git a/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/post_case.ts b/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/post_case.ts
@@ -32,6 +32,7 @@ import {
  obsOnlyRead,
  obsSecRead,
  noKibanaPrivileges,
+ testDisabled,
 } from '../../../../common/lib/authentication/users';
 import { FtrProviderContext } from '../../../../common/ftr_provider_context';
 
@@ -240,6 +241,22 @@ export default ({ getService }: FtrProviderContext): void => {
  });
 
  describe('rbac', () => {
+ it('returns a 403 when attempting to create a case with an owner that was from a disabled feature in the space', async () => {
+ const theCase = ((await createCase(
+ supertestWithoutAuth,
+ getPostCaseRequest({ owner: 'testDisabledFixture' }),
+ 403,
+ {
+ user: testDisabled,
+ space: 'space1',
+ }
+ )) as unknown) as { message: string };
+
+ expect(theCase.message).to.eql(
+ 'Unauthorized to create case with owners: "testDisabledFixture"'
+ );
+ });
+
  it('User: security solution only - should create a case', async () => {
  const theCase = await createCase(
  supertestWithoutAuth,

diff --git a/x-pack/test/case_api_integration/security_and_spaces/tests/common/comments/delete_comment.ts b/x-pack/test/case_api_integration/security_and_spaces/tests/common/comments/delete_comment.ts
@@ -320,6 +320,37 @@ export default ({ getService }: FtrProviderContext): void => {
  auth: { user: superUser, space: 'space2' },
  });
 
+ await deleteComment({
+ supertest: supertestWithoutAuth,
+ caseId: postedCase.id,
+ commentId: commentResp.comments![0].id,
+ auth: { user: secOnly, space: 'space2' },
+ expectedHttpCode: 403,
+ });
+
+ await deleteAllComments({
+ supertest: supertestWithoutAuth,
+ caseId: postedCase.id,
+ auth: { user: secOnly, space: 'space2' },
+ expectedHttpCode: 403,
+ });
+ });
+
+ it('should NOT delete a comment created in space2 by making a request to space1', async () => {
+ const postedCase = await createCase(
+ supertestWithoutAuth,
+ getPostCaseRequest({ owner: 'securitySolutionFixture' }),
+ 200,
+ { user: superUser, space: 'space2' }
+ );
+
+ const commentResp = await createComment({
+ supertest: supertestWithoutAuth,
+ caseId: postedCase.id,
+ params: postCommentUserReq,
+ auth: { user: superUser, space: 'space2' },
+ });
+
  await deleteComment({
  supertest: supertestWithoutAuth,
  caseId: postedCase.id,

diff --git a/...k/test/case_api_integration/security_and_spaces/tests/common/configure/patch_configure.ts b/...k/test/case_api_integration/security_and_spaces/tests/common/configure/patch_configure.ts
@@ -224,6 +224,32 @@ export default ({ getService }: FtrProviderContext): void => {
  }
  );
 
+ await updateConfiguration(
+ supertestWithoutAuth,
+ configuration.id,
+ {
+ closure_type: 'close-by-pushing',
+ version: configuration.version,
+ },
+ 403,
+ {
+ user: secOnly,
+ space: 'space2',
+ }
+ );
+ });
+
+ it('should NOT update a configuration created in space2 by making a request to space1', async () => {
+ const configuration = await createConfiguration(
+ supertestWithoutAuth,
+ { ...getConfigurationRequest(), owner: 'securitySolutionFixture' },
+ 200,
+ {
+ user: superUser,
+ space: 'space2',
+ }
+ );
+
  await updateConfiguration(
  supertestWithoutAuth,
  configuration.id,

diff --git a/...ck/test/case_api_integration/security_and_spaces/tests/common/configure/post_configure.ts b/...ck/test/case_api_integration/security_and_spaces/tests/common/configure/post_configure.ts
@@ -28,6 +28,7 @@ import {
  globalRead,
  obsSecRead,
  superUser,
+ testDisabled,
 } from '../../../../common/lib/authentication/users';
 
 // eslint-disable-next-line import/no-default-export
@@ -196,6 +197,22 @@ export default ({ getService }: FtrProviderContext): void => {
  });
 
  describe('rbac', () => {
+ it('returns a 403 when attempting to create a configuration with an owner that was from a disabled feature in the space', async () => {
+ const configuration = ((await createConfiguration(
+ supertestWithoutAuth,
+ getConfigurationRequest({ overrides: { owner: 'testDisabledFixture' } }),
+ 403,
+ {
+ user: testDisabled,
+ space: 'space1',
+ }
+ )) as unknown) as { message: string };
+
+ expect(configuration.message).to.eql(
+ 'Unauthorized to create case configuration with owners: "testDisabledFixture"'
+ );
+ });
+
  it('User: security solution only - should create a configuration', async () => {
  const configuration = await createConfiguration(
  supertestWithoutAuth,

diff --git a/x-pack/test/case_api_integration/spaces_only/tests/common/comments/get_comment.ts b/x-pack/test/case_api_integration/spaces_only/tests/common/comments/get_comment.ts
@@ -46,7 +46,7 @@ export default ({ getService }: FtrProviderContext): void => {
  expect(comment).to.eql(patchedCase.comments![0]);
  });
 
- it('should not get a comment in space2', async () => {
+ it('should not get a comment in space2 when it was created in space1', async () => {
  const postedCase = await createCase(supertest, postCaseReq, 200, authSpace1);
  const patchedCase = await createComment({
  supertest,