WIP Add case connector API tag and remove push permission from essent…

…ials
elastic · Jul 27, 2023 · b69804f · b69804f
1 parent 0a72ab4
commit b69804f
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 8 deletions.
diff --git a/x-pack/plugins/cases/common/constants/index.ts b/x-pack/plugins/cases/common/constants/index.ts
@@ -173,6 +173,11 @@ export const SUGGEST_USER_PROFILES_API_TAG = 'casesSuggestUserProfiles';
  */
 export const BULK_GET_USER_PROFILES_API_TAG = 'bulkGetUserProfiles';
 
+/**
+ * This tag is registered for ALL cases connector write/update/push capabilities
+ */
+export const CASES_CONNECTOR_API_TAG = 'caseConnector';
+
 /**
  * User profiles
  */

diff --git a/x-pack/plugins/cases/common/utils/api_tags.ts b/x-pack/plugins/cases/common/utils/api_tags.ts
@@ -5,7 +5,11 @@
  * 2.0.
  */
 
-import { BULK_GET_USER_PROFILES_API_TAG, SUGGEST_USER_PROFILES_API_TAG } from '../constants';
+import {
+  BULK_GET_USER_PROFILES_API_TAG,
+  CASES_CONNECTOR_API_TAG,
+  SUGGEST_USER_PROFILES_API_TAG,
+} from '../constants';
 import { HttpApiTagOperation } from '../constants/types';
 import type { Owner } from '../constants/types';
 import { constructFilesHttpOperationTag } from '../files';
@@ -16,7 +20,13 @@ export const getApiTags = (owner: Owner) => {
   const read = constructFilesHttpOperationTag(owner, HttpApiTagOperation.Read);
 
   return {
-    all: [SUGGEST_USER_PROFILES_API_TAG, BULK_GET_USER_PROFILES_API_TAG, create, read] as const,
+    all: [
+      SUGGEST_USER_PROFILES_API_TAG,
+      BULK_GET_USER_PROFILES_API_TAG,
+      CASES_CONNECTOR_API_TAG,
+      create,
+      read,
+    ] as const,
     read: [SUGGEST_USER_PROFILES_API_TAG, BULK_GET_USER_PROFILES_API_TAG, read] as const,
     delete: [deleteTag] as const,
   };

diff --git a/x-pack/plugins/cases/server/routes/api/cases/push_case.ts b/x-pack/plugins/cases/server/routes/api/cases/push_case.ts
@@ -14,6 +14,9 @@ import { createCasesRoute } from '../create_cases_route';
 export const pushCaseRoute: CaseRoute = createCasesRoute({
   method: 'post',
   path: CASE_PUSH_URL,
+  routerOptions: {
+    tags: ['access:caseConnector'],
+  },
   handler: async ({ context, request, response }) => {
     try {
       const caseContext = await context.cases;

diff --git a/x-pack/plugins/cases/server/routes/api/configure/get_connectors.ts b/x-pack/plugins/cases/server/routes/api/configure/get_connectors.ts
@@ -15,6 +15,9 @@ import { createCasesRoute } from '../create_cases_route';
 export const getConnectorsRoute = createCasesRoute({
   method: 'get',
   path: `${CASE_CONFIGURE_CONNECTORS_URL}/_find`,
+  routerOptions: {
+    tags: ['access:caseConnector'],
+  },
   handler: async ({ context, response }) => {
     try {
       const caseContext = await context.cases;

diff --git a/x-pack/plugins/cases/server/routes/api/types.ts b/x-pack/plugins/cases/server/routes/api/types.ts
@@ -40,7 +40,7 @@ interface CaseRouteHandlerArguments<P, Q, B> {
   kibanaVersion: PluginInitializerContext['env']['packageInfo']['version'];
 }
 
-type CaseRouteTags = 'access:casesSuggestUserProfiles';
+type CaseRouteTags = 'access:casesSuggestUserProfiles' | 'access:caseConnector';
 
 export interface CaseRoute<P = unknown, Q = unknown, B = unknown> {
   method: 'get' | 'post' | 'put' | 'delete' | 'patch';

diff --git a/x-pack/plugins/security_solution/server/lib/app_features/security_cases_kibana_features.ts b/x-pack/plugins/security_solution/server/lib/app_features/security_cases_kibana_features.ts
@@ -13,7 +13,10 @@ import {
   createUICapabilities as createCasesUICapabilities,
   getApiTags as getCasesApiTags,
 } from '@kbn/cases-plugin/common';
-import { CASES_CONNECTOR_CAPABILITY } from '@kbn/cases-plugin/common/constants';
+import {
+  CASES_CONNECTOR_CAPABILITY,
+  CASES_CONNECTOR_API_TAG,
+} from '@kbn/cases-plugin/common/constants';
 import type { AppFeaturesCasesConfig, BaseKibanaFeatureConfig } from './types';
 import { APP_ID, CASES_FEATURE_ID } from '../../../common/constants';
 import { CasesSubFeatureId } from './security_cases_kibana_sub_features';
@@ -30,6 +33,9 @@ export const getCasesBaseKibanaFeature = (): BaseKibanaFeatureConfig => {
   const casesReadUICapabilities = casesCapabilities.read.filter(
     (capability) => capability !== CASES_CONNECTOR_CAPABILITY
   );
+  const casesAllAPICapabilities = casesApiTags.all.filter(
+    (capability) => capability !== CASES_CONNECTOR_API_TAG
+  );
 
   return {
     id: CASES_FEATURE_ID,
@@ -43,14 +49,13 @@ export const getCasesBaseKibanaFeature = (): BaseKibanaFeatureConfig => {
     cases: [APP_ID],
     privileges: {
       all: {
-        api: casesApiTags.all,
+        api: casesAllAPICapabilities,
         app: [CASES_FEATURE_ID, 'kibana'],
         catalogue: [APP_ID],
         cases: {
           create: [APP_ID],
           read: [APP_ID],
           update: [APP_ID],
-          push: [APP_ID],
         },
         savedObject: {
           all: [...filesSavedObjectTypes],
@@ -92,10 +97,14 @@ export const getCasesAppFeaturesConfig = (): AppFeaturesCasesConfig => ({
   [AppFeatureCasesKey.casesConnectors]: {
     privileges: {
       all: {
-        ui: [CASES_CONNECTOR_CAPABILITY],
+        api: [CASES_CONNECTOR_API_TAG], // Add cases connector write/update/push API privileges
+        ui: [CASES_CONNECTOR_CAPABILITY], // Add cases connector UI privileges
+        cases: {
+          push: [APP_ID], // Add cases connector push privileges
+        },
       },
       read: {
-        ui: [CASES_CONNECTOR_CAPABILITY],
+        ui: [CASES_CONNECTOR_CAPABILITY], // Add cases connector UI privileges
       },
     },
   },