Spaces - Hiding management link #38472

Merged
merged 9 commits into from
Jun 13, 2019
16 changes: 4 additions & 12 deletions src/legacy/server/capabilities/merge_capabilities.ts
Expand Up @@ -17,23 +17,15 @@
* under the License.
*/

import { merge } from 'lodash';
import { Capabilities } from '../../../core/public';

export const mergeCapabilities = (...sources: Array<Partial<Capabilities>>): Capabilities =>
sources.reduce(
(capabilities: Capabilities, source) => {
Object.entries(source).forEach(([key, value = {}]) => {
capabilities[key] = {
...value,
...capabilities[key],
};
});

return capabilities;
},
merge(
Member

We're changing from a shallow merge to a deep merge to support the new management.kibana.spaces flag. Originally, this was intentionally designed as a shallow merge so that plugins would not clobber capabilities which didn't belong to them. While it's true that merge won't allow a plugin to delete capabilities defined by other plugins, the addition of capabilities to other plugins' "buckets" is likely not something we want to encourage/support.

I know we've discussed letting plugins enhance the capabilities of other plugins, but I don't know if this is the way we want to do so. Since management is a defined key of the Capabilities interface, how do you feel about allowing the merge for this key, but not for the rest?

Contributor Author

The previous implementation wasn't preventing duplicate definitions of the same first-level ui capability: https://codepen.io/kobelb/pen/MMWROw?editors=0012. We take advantage of this for building the catalogue ui capabilities: some of them are hard-coded here and we add to this list within the xpack_main plugin here.

> While it's true that merge won't allow a plugin to delete capabilities defined by other plugins, the addition of capabilities to other plugins' "buckets" is likely not something we want to encourage/support.

I agree, but I don't believe those restrictions were previously enforced, at least not when using injectDefaultVars (when we first implemented FC) or the new uiCapabilities. We have some enforcement on this within xpack_main here, but this is only for merging the ui capabilities that we derive from the feature registration.

I can look at changing spaces to not use uiCapabilities to define the management section, and instead augment uiCapabilitiesForFeatures, but we'll still need the ability to merge all of these "deeply".

> Since management is a defined key of the Capabilities interface, how do you feel about allowing the merge for this key, but not for the rest?

I think the proper solution to this problem is to follow through on #36221 and make it so that each of these "ui capability sections" is able to define its own rules and so we can enforce these restrictions throughout the system. I was trying to prevent making this a dependency for fixing this specific issue, though.

I added tests with 4d21c34 to ensure we aren't clobbering anything, and added additional safeguards. Does this assuage any of your previous concerns?

Contributor Author

> I can look at changing spaces to not use uiCapabilities to define the management section, and instead augment uiCapabilitiesForFeatures, but we'll still need the ability to merge all of these "deeply".

So... we can't do this at the moment because we don't register a "Spaces" feature, and these actions are hard-coded here: https://github.com/elastic/kibana/pull/38472/files#diff-f5ed4149300a16c9d74494d7b470b450R68. I don't know what I was thinking previously.

Member

> I think the proper solution to this problem is to follow through on #36221 and make it so that each of these "ui capability sections" is able to define its own rules and so we can enforce these restrictions throughout the system. I was trying to prevent making this a dependency for fixing this specific issue, though.

Agreed, thanks for the thoughtful followup!

> I added tests with 4d21c34 to ensure we aren't clobbering anything, and added additional safeguards. Does this assuage any of your previous concerns?

❤️

{
navLinks: {},
management: {},
catalogue: {},
} as Capabilities
},
...sources
);
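
Review bot: The switch to lodash `merge` in `mergeCapabilities` reverses precedence as well as adding depth, and nothing in this hunk guards against that. The removed reducer built each bucket as `{ ...value, ...capabilities[key] }`, so a key that was already registered kept its value; `merge(defaults, ...sources)` lets the last source win at every level, so a later source that supplies `management: { kibana: { spaces: false } }` silently flips a flag set by an earlier one. If that is not intended, reject a source whose leaf conflicts with an existing value (for example, throw when two booleans differ or when a boolean meets an object) rather than merging it, and state the precedence rule in a comment above the function. Note also that `merge` skips source values that are `undefined`, which the `value = {}` default in the old code handled differently.
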
Expand Up @@ -318,7 +318,13 @@ describe('features', () => {
actions.login,
actions.version,
...(expectGetFeatures ? [actions.api.get('features')] : []),
...(expectManageSpaces ? [actions.space.manage, actions.ui.get('spaces', 'manage')] : []),
...(expectManageSpaces
? [
actions.space.manage,
actions.ui.get('spaces', 'manage'),
actions.ui.get('management', 'kibana', 'spaces'),
]
: []),
actions.app.get('app-1'),
actions.app.get('app-2'),
actions.ui.get('catalogue', 'catalogue-1'),
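
Review bot: The expected-actions literal under `expectManageSpaces` is now a three-element array repeated verbatim in three assertions of this test file. A small helper local to the test, returning the three actions when the flag is set and an empty array otherwise, would make the next added action a one-line change and stop one expectation drifting from the other two.
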
Expand Down Expand Up @@ -403,7 +409,13 @@ describe('features', () => {
actions.login,
actions.version,
...(expectGetFeatures ? [actions.api.get('features')] : []),
...(expectManageSpaces ? [actions.space.manage, actions.ui.get('spaces', 'manage')] : []),
...(expectManageSpaces
? [
actions.space.manage,
actions.ui.get('spaces', 'manage'),
actions.ui.get('management', 'kibana', 'spaces'),
]
: []),
actions.ui.get('catalogue', 'bar-catalogue-1'),
actions.ui.get('catalogue', 'bar-catalogue-2'),
actions.ui.get('management', 'bar-management', 'bar-management-1'),
Expand Down Expand Up @@ -614,7 +626,13 @@ describe('features', () => {
actions.login,
actions.version,
...(expectGetFeatures ? [actions.api.get('features')] : []),
...(expectManageSpaces ? [actions.space.manage, actions.ui.get('spaces', 'manage')] : []),
...(expectManageSpaces
? [
actions.space.manage,
actions.ui.get('spaces', 'manage'),
actions.ui.get('management', 'kibana', 'spaces'),
]
: []),
actions.allHack,
]);
expect(actual).toHaveProperty(`${group}.read`, [actions.login, actions.version]);
Expand Up @@ -65,6 +65,7 @@ export function privilegesFactory(actions: Actions, xpackMainPlugin: XPackMainPl
actions.api.get('features'),
actions.space.manage,
actions.ui.get('spaces', 'manage'),
actions.ui.get('management', 'kibana', 'spaces'),
...allActions,
actions.allHack,
],
5 changes: 5 additions & 0 deletions x-pack/plugins/spaces/index.ts
Expand Up @@ -49,6 +49,11 @@ export const spaces = (kibana: Record<string, any>) =>
spaces: {
manage: true,
},
management: {
kibana: {
spaces: true,
},
},
};
},

Expand Up @@ -144,7 +144,7 @@ class ManageSpacePageUI extends Component<Props, State> {
const { showAlteringActiveSpaceDialog } = this.state;

return (
<Fragment>
<div data-test-subj="spaces-edit-page">
{this.getFormHeading()}

<EuiSpacer size={'s'} />
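
Review bot: Replacing `<Fragment>` with `<div data-test-subj="spaces-edit-page">` in this `return` adds a real DOM wrapper where there was none before, purely to carry a test hook. Check that the parent's layout does not depend on these children being direct descendants, or move the `data-test-subj` onto an element the page already renders.
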
Expand Down Expand Up @@ -188,7 +188,7 @@ class ManageSpacePageUI extends Component<Props, State> {
}}
/>
)}
</Fragment>
</div>
);
};

2 changes: 1 addition & 1 deletion x-pack/plugins/spaces/public/views/management/index.tsx
Expand Up @@ -18,7 +18,7 @@ import routes from 'ui/routes';
import { AdvancedSettingsSubtitle } from './components/advanced_settings_subtitle';
import { AdvancedSettingsTitle } from './components/advanced_settings_title';

const MANAGE_SPACES_KEY = 'manage_spaces';
const MANAGE_SPACES_KEY = 'spaces';
Contributor Author

@kobelb kobelb Jun 7, 2019

It felt weird to have the ui capability management.kibana.manage_spaces so I changed this. It's now management.kibana.spaces.


routes.defaults(/\/management/, {
resolve: {
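
Review bot: `MANAGE_SPACES_KEY = 'spaces'` is now one of three independent string literals that have to agree: this constant, the `management.kibana.spaces` default added in `x-pack/plugins/spaces/index.ts`, and `actions.ui.get('management', 'kibana', 'spaces')` in the privileges list. A mismatch between them would not be caught by the compiler, only by the functional test. Add a comment on the constant naming the other two places, or derive all three from one exported constant.
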
3 changes: 3 additions & 0 deletions x-pack/plugins/spaces/public/views/management/page_routes.tsx
Expand Up @@ -21,6 +21,7 @@ const reactRootNodeId = 'manageSpacesReactRoot';
routes.when('/management/spaces/list', {
template,
k7Breadcrumbs: getListBreadcrumbs,
requireUICapability: 'spaces.manage',
Member

The other management routes use their management.${section}.${feature} UI Capability to control access. Do we want to follow suit here and use management.kibana.spaces?

Contributor Author

Sure, I'll change this to be consistent.

controller(
$scope: any,
$http: any,
Expand Down Expand Up @@ -53,6 +54,7 @@ routes.when('/management/spaces/list', {
routes.when('/management/spaces/create', {
template,
k7Breadcrumbs: getCreateBreadcrumbs,
requireUICapability: 'spaces.manage',
controller(
$scope: any,
$http: any,
Expand Down Expand Up @@ -89,6 +91,7 @@ routes.when('/management/spaces/edit', {
routes.when('/management/spaces/edit/:spaceId', {
template,
k7Breadcrumbs: () => getEditBreadcrumbs(),
requireUICapability: 'spaces.manage',
controller(
$scope: any,
$http: any,
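
Review bot: Only three routes gain `requireUICapability`, yet the hunk header at `@@ -89,6 +91,7 @@` shows a fourth, `routes.when('/management/spaces/edit', {`, which none of the three additions touches. Confirm that this route does nothing but redirect to one of the guarded routes, or give it the same guard. Because this file lives under `public/` and the guard runs in the client-side router, it should be treated as a UI control, with enforcement left to the server-side handling of `actions.space.manage`; a one-line comment to that effect would keep the capability from being read as the enforcement point.
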
Expand Up @@ -72,7 +72,7 @@ class SpacesGridPageUI extends Component<Props, State> {

public render() {
return (
<div className="spcGridPage">
<div className="spcGridPage" data-test-subj="spaces-grid-page">
<EuiPageContent horizontalPosition="center">{this.getPageContent()}</EuiPageContent>
<SecureSpaceMessage />
{this.getConfirmDeleteModal()}
175 changes: 175 additions & 0 deletions x-pack/test/functional/apps/spaces/feature_controls/spaces_security.ts
@@ -0,0 +1,175 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
import expect from '@kbn/expect';
import { KibanaFunctionalTestDefaultProviders } from '../../../../types/providers';

// eslint-disable-next-line import/no-default-export
export default function({ getPageObjects, getService }: KibanaFunctionalTestDefaultProviders) {
const esArchiver = getService('esArchiver');
const security = getService('security');
const PageObjects = getPageObjects(['common', 'settings', 'security']);
const appsMenu = getService('appsMenu');
const testSubjects = getService('testSubjects');

describe('security feature controls', () => {
before(async () => {
await esArchiver.load('empty_kibana');
});

after(async () => {
await esArchiver.unload('empty_kibana');
});

describe('global all base privilege', () => {
before(async () => {
await security.role.create('global_all_role', {
kibana: [
{
base: ['all'],
spaces: ['*'],
},
],
});

await security.user.create('global_all_user', {
password: 'global_all_user-password',
roles: ['global_all_role'],
full_name: 'test user',
});

await PageObjects.security.logout();

await PageObjects.security.login('global_all_user', 'global_all_user-password', {
expectSpaceSelector: false,
});
});

after(async () => {
await Promise.all([
security.role.delete('global_all_role'),
security.user.delete('global_all_user'),
PageObjects.security.logout(),
]);
});

it('shows management navlink', async () => {
const navLinks = (await appsMenu.readLinks()).map(
(link: Record<string, string>) => link.text
);
expect(navLinks).to.contain('Management');
});

it(`displays Spaces management section`, async () => {
await PageObjects.settings.navigateTo();
await testSubjects.existOrFail('spaces');
});

it(`can navigate to spaces grid page`, async () => {
await PageObjects.common.navigateToActualUrl('kibana', 'management/spaces/list', {
ensureCurrentUrl: false,
shouldLoginIfPrompted: false,
});

await testSubjects.existOrFail('spaces-grid-page');
});

it(`can navigate to create new space page`, async () => {
await PageObjects.common.navigateToActualUrl('kibana', 'management/spaces/create', {
ensureCurrentUrl: false,
shouldLoginIfPrompted: false,
});

await testSubjects.existOrFail('spaces-edit-page');
});

it(`can navigate to edit space page`, async () => {
await PageObjects.common.navigateToActualUrl('kibana', 'management/spaces/edit/default', {
ensureCurrentUrl: false,
shouldLoginIfPrompted: false,
});

await testSubjects.existOrFail('spaces-edit-page');
});
});

describe('default space all base privilege', () => {
before(async () => {
await security.role.create('default_space_all_role', {
kibana: [
{
base: ['all'],
spaces: ['default'],
},
],
});

await security.user.create('default_space_all_user', {
password: 'default_space_all_user-password',
roles: ['default_space_all_role'],
full_name: 'test user',
});

await PageObjects.security.logout();

await PageObjects.security.login(
'default_space_all_user',
'default_space_all_user-password',
{
expectSpaceSelector: false,
}
);
});

after(async () => {
await Promise.all([
security.role.delete('default_space_all_role'),
security.user.delete('default_space_all_user'),
PageObjects.security.logout(),
]);
});

it('shows management navlink', async () => {
const navLinks = (await appsMenu.readLinks()).map(
(link: Record<string, string>) => link.text
);
expect(navLinks).to.contain('Management');
});

it(`doesn't display Spaces management section`, async () => {
await PageObjects.settings.navigateTo();
await testSubjects.existOrFail('objects'); // this ensures we've gotten to the management page
await testSubjects.missingOrFail('spaces');
});

it(`can't navigate to spaces grid page`, async () => {
await PageObjects.common.navigateToActualUrl('kibana', 'management/spaces/list', {
ensureCurrentUrl: false,
shouldLoginIfPrompted: false,
});

await testSubjects.existOrFail('homeApp');
});

it(`can't navigate to create new space page`, async () => {
await PageObjects.common.navigateToActualUrl('kibana', 'management/spaces/create', {
ensureCurrentUrl: false,
shouldLoginIfPrompted: false,
});

await testSubjects.existOrFail('homeApp');
});

it(`can't navigate to edit space page`, async () => {
await PageObjects.common.navigateToActualUrl('kibana', 'management/spaces/edit/default', {
ensureCurrentUrl: false,
shouldLoginIfPrompted: false,
});

await testSubjects.existOrFail('homeApp');
});
});
});
}
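
Review bot: The suite covers base `all` on `*` and base `all` on `default`, but has no role with base `read` on `*`, the other global case in which, going by the privileges hunk, `actions.ui.get('management', 'kibana', 'spaces')` is not granted. Add a third `describe` with that role asserting `testSubjects.missingOrFail('spaces')` and the redirect to `homeApp` for the list, create and edit URLs. The two existing blocks also repeat the same `navigateToActualUrl` options three times each; a helper taking the path would shorten them.
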
1 change: 1 addition & 0 deletions x-pack/test/functional/apps/spaces/index.ts
Expand Up @@ -10,6 +10,7 @@ export default function spacesApp({ loadTestFile }: KibanaFunctionalTestDefaultP
describe('Spaces app', function spacesAppTestSuite() {
this.tags('ciGroup4');

loadTestFile(require.resolve('./feature_controls/spaces_security'));
loadTestFile(require.resolve('./spaces_selection'));
});
}