Check for security first (#73821) (#73934)

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
elastic · Jul 31, 2020 · 6de8764 · 6de8764
1 parent be46a29
commit 6de8764
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 6 deletions.
diff --git a/x-pack/plugins/monitoring/server/lib/setup/collection/__test__/get_collection_status.test.js b/x-pack/plugins/monitoring/server/lib/setup/collection/__test__/get_collection_status.test.js
@@ -10,7 +10,12 @@ import { getCollectionStatus } from '..';
 import { getIndexPatterns } from '../../../cluster/get_index_patterns';
 
 const liveClusterUuid = 'a12';
-const mockReq = (searchResult = {}, securityEnabled = true, userHasPermissions = true) => {
+const mockReq = (
+  searchResult = {},
+  securityEnabled = true,
+  userHasPermissions = true,
+  securityErrorMessage = null
+) => {
   return {
     server: {
       newPlatform: {
@@ -37,12 +42,14 @@ const mockReq = (searchResult = {}, securityEnabled = true, userHasPermissions =
         },
       },
       plugins: {
-        xpack_main: {
+        monitoring: {
           info: {
-            isAvailable: () => true,
-            feature: () => ({
-              isEnabled: () => securityEnabled,
-            }),
+            getSecurityFeature: () => {
+              return {
+                isAvailable: securityEnabled,
+                isEnabled: securityEnabled,
+              };
+            },
           },
         },
         elasticsearch: {
@@ -61,6 +68,11 @@ const mockReq = (searchResult = {}, securityEnabled = true, userHasPermissions =
                   params &&
                   params.path === '/_security/user/_has_privileges'
                 ) {
+                  if (securityErrorMessage !== null) {
+                    return Promise.reject({
+                      message: securityErrorMessage,
+                    });
+                  }
                   return Promise.resolve({ has_all_requested: userHasPermissions });
                 }
                 if (type === 'transport.request' && params && params.path === '/_nodes') {
@@ -245,6 +257,34 @@ describe('getCollectionStatus', () => {
     expect(result.kibana.detected.doesExist).to.be(true);
   });
 
+  it('should work properly with an unknown security message', async () => {
+    const req = mockReq({ hits: { total: { value: 1 } } }, true, true, 'foobar');
+    const result = await getCollectionStatus(req, getIndexPatterns(req.server), liveClusterUuid);
+    expect(result._meta.hasPermissions).to.be(false);
+  });
+
+  it('should work properly with a known security message', async () => {
+    const req = mockReq(
+      { hits: { total: { value: 1 } } },
+      true,
+      true,
+      'no handler found for uri [/_security/user/_has_privileges] and method [POST]'
+    );
+    const result = await getCollectionStatus(req, getIndexPatterns(req.server), liveClusterUuid);
+    expect(result.kibana.detected.doesExist).to.be(true);
+  });
+
+  it('should work properly with another known security message', async () => {
+    const req = mockReq(
+      { hits: { total: { value: 1 } } },
+      true,
+      true,
+      'Invalid index name [_security]'
+    );
+    const result = await getCollectionStatus(req, getIndexPatterns(req.server), liveClusterUuid);
+    expect(result.kibana.detected.doesExist).to.be(true);
+  });
+
   it('should not work if the user does not have the necessary permissions', async () => {
     const req = mockReq({ hits: { total: { value: 1 } } }, true, false);
     const result = await getCollectionStatus(req, getIndexPatterns(req.server), liveClusterUuid);

diff --git a/x-pack/plugins/monitoring/server/lib/setup/collection/get_collection_status.js b/x-pack/plugins/monitoring/server/lib/setup/collection/get_collection_status.js
@@ -233,6 +233,10 @@ function isBeatFromAPM(bucket) {
 }
 
 async function hasNecessaryPermissions(req) {
+  const securityFeature = req.server.plugins.monitoring.info.getSecurityFeature();
+  if (!securityFeature.isAvailable || !securityFeature.isEnabled) {
+    return true;
+  }
   try {
     const { callWithRequest } = req.server.plugins.elasticsearch.getCluster('data');
     const response = await callWithRequest(req, 'transport.request', {
@@ -250,6 +254,9 @@ async function hasNecessaryPermissions(req) {
     ) {
       return true;
     }
+    if (err.message.includes('Invalid index name [_security]')) {
+      return true;
+    }
     return false;
   }
 }