-
Notifications
You must be signed in to change notification settings - Fork 8.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security solution][Endpoint] API error when edit/create TA by policy and license under platinum #113363
Conversation
@@ -408,10 +454,27 @@ describe('service', () => { | |||
savedObjectClient, | |||
packagePolicyClient, | |||
trustedAppByPolicy.id, | |||
toUpdateTrustedApp(trustedAppByPolicy as MaybeImmutable<TrustedApp>) | |||
toUpdateTrustedApp(trustedAppByPolicy as MaybeImmutable<TrustedApp>), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
unrelated code?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure if we do unit testing for the services and utilities, I'd say that isUserTryingToModifyEffectScopeWithoutPermissions
should have a unit test as well as the current tests are only testing integration but I leave it to your discretion. The code looks good as it is 🐑🐑🐑
Yeah, I didn't add a specific unit test to that function because it's not exported. It's just a private one to keep the code organised. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks 🤩 awesome
Left a few comments, but you can push them to another PR if needed. I'm 👍
🚢
@@ -25,6 +25,15 @@ export class TrustedAppPolicyNotExistsError extends Error { | |||
); | |||
} | |||
} | |||
export class TrustedAppPolicyPermissionsError extends Error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggestion: extend EndpointError
instead as the base class. When you do that, you should not need to set the type
below, as the base class already takes care of it (but instead of type
it uses name
)
|
||
constructor() { | ||
super( | ||
'Your Kibana license has been downgraded. As such, individual policy configuration is no longer supported.' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggestion: use the same text as the one that Isolation is using: 'Your license level does not allow for this action'
(here: https://github.com/elastic/kibana/blob/master/x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.ts#L79)
Also,
- Maybe we should have a generic Endpoint error for license related errors - like a
EndpointLicenseError
inserver/endpoint/errors.ts
? - If you decide to stay with this one - since this seems to be very specific for only license violation, maybe rename the Error to
TrustedAppPolicyLicenseError
?
Either way - this comment can be done in a subsequent PR.
@@ -87,6 +88,11 @@ const errorHandler = <E extends Error>( | |||
return res.badRequest({ body: { message: error.message, attributes: { type: error.type } } }); | |||
} | |||
|
|||
if (error instanceof TrustedAppPolicyPermissionsError) { | |||
logger.error(error); | |||
return res.badRequest({ body: { message: error.message, attributes: { type: error.type } } }); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggestion: just send the error
:
return res.badRequest({ body: { message: error.message, attributes: { type: error.type } } }); | |
return res.badRequest({ body: error }); |
).rejects.toBeInstanceOf(TrustedAppPolicyNotExistsError); | ||
}); | ||
|
||
it('should throw wwhen license under platinum and by policy', async () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
extra w
in wwhen
😁
return false; | ||
} else if ( | ||
isEqual( | ||
currentTrustedApp.tags.map((policy) => policy.replace('policy:', '')).sort(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
one way to avoid this is to use the exceptionListItemToTrustedApp
mapping function in x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/mapping.ts
and change this function's signature so that currentTrustedApp
is of type TrustedApp
…se helper mapping function to avoid use string replace method
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some comments, but 👍
@@ -40,7 +40,7 @@ export const getExceptionListItemSchemaMock = ( | |||
name: NAME, | |||
namespace_type: NAMESPACE_TYPE, | |||
os_types: [], | |||
tags: ['user added string for a tag', 'malware'], | |||
tags: ['sdasdasd', 'malware'], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
😄 was this intentional?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🤦
..._solution/public/management/pages/trusted_apps/view/components/create_trusted_app_flyout.tsx
Show resolved
Hide resolved
@@ -22,3 +22,10 @@ export class EndpointAppContentServicesNotStartedError extends EndpointError { | |||
super('EndpointAppContextService has not been started (EndpointAppContextService.start())'); | |||
} | |||
} | |||
export class EndpointLicenseError extends EndpointError { | |||
public readonly name = 'EndpointLicenseError'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you don't need this. EndpointError#constructor will set it auto-magically 😄
see:
this.name = this.constructor.name; |
x-pack/plugins/security_solution/server/endpoint/routes/trusted_apps/handlers.ts
Show resolved
Hide resolved
@@ -36,6 +37,32 @@ export const getTrustedAppByPolicy = function (): TrustedApp { | |||
}; | |||
}; | |||
|
|||
export const getPutTrustedAppByPolicy = function (): ExceptionListItemSchema { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you include the word mock
in the function name?
@elasticmachine merge upstream |
…hanges_to_the_TA_effect_scope_is_to_set_it_to_global-1688
💚 Build SucceededMetrics [docs]Async chunks
Unknown metric groupsReferences to deprecated APIs
History
To update your PR or re-run it, just comment with: |
… and license under platinum (elastic#113363) * New function to check if the effect scope has been changed without right license * Checks if license is under platinum when creating/updating trusted apps by policy * Change error type. Use translations in frontend for api error. Also use helper mapping function to avoid use string replace method * Remove name from constructor and changed mock function name Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
… and license under platinum (#113363) (#113545) * New function to check if the effect scope has been changed without right license * Checks if license is under platinum when creating/updating trusted apps by policy * Change error type. Use translations in frontend for api error. Also use helper mapping function to avoid use string replace method * Remove name from constructor and changed mock function name Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: David Sánchez <davidsansol92@gmail.com>
Summary
For maintainers