Merge pull request #6 from dhurley14/rac_fixes_authz_new_routes

[RAC] [Alerts] Fixes rac authz class and adds some scripts for testing

x-pack/plugins/monitoring/kibana.json

@@ -6,6 +6,7 @@
   "requiredPlugins": [
     "licensing",
     "features",
+    "ruleRegistry",
     "data",
     "navigation",
     "kibanaLegacy",

x-pack/plugins/monitoring/server/plugin.ts

@@ -176,6 +176,18 @@ export class MonitoringPlugin
         logger: this.log,
       });
       initInfraSource(config, plugins.infra);
+      router.get({ path: '/monitoring-myfakepath', validate: false }, async (context, req, res) => {
+        try {
+          const racClient = await context.ruleRegistry?.getRacClient();
+          const thing = await racClient?.get({ id: 'hello world', owner: 'observability' });
+          console.error('THE THING!!!', JSON.stringify(thing.body, null, 2));
+          return res.ok({ body: { success: true } });
+        } catch (err) {
+          console.error('monitoring route threw an error');
+          console.error(err);
+          return res.notFound({ body: { message: err.message } });
+        }
+      });
     }
 
     return {
@@ -244,8 +256,30 @@ export class MonitoringPlugin
       }),
       category: DEFAULT_APP_CATEGORIES.management,
       app: ['monitoring', 'kibana'],
+      rac: ['observability'],
       catalogue: ['monitoring'],
-      privileges: null,
+      privileges: {
+        all: {
+          rac: {
+            all: ['observability'],
+          },
+          savedObject: {
+            all: [],
+            read: [],
+          },
+          ui: ['show', 'save', 'alerting:show', 'alerting:save'],
+        },
+        read: {
+          rac: {
+            all: ['observability'],
+          },
+          savedObject: {
+            all: [],
+            read: [],
+          },
+          ui: ['show', 'save', 'alerting:show', 'alerting:save'],
+        },
+      },
       alerting: ALERTS,
       reserved: {
         description: i18n.translate('xpack.monitoring.feature.reserved.description', {

x-pack/plugins/monitoring/server/types.ts

@@ -21,6 +21,7 @@ import type {
   ActionsApiRequestHandlerContext,
 } from '../../actions/server';
 import type { AlertingApiRequestHandlerContext } from '../../alerting/server';
+import { RacApiRequestHandlerContext } from '../../rule_registry/server';
 import {
   PluginStartContract as AlertingPluginStartContract,
   PluginSetupContract as AlertingPluginSetupContract,
@@ -57,6 +58,7 @@ export interface PluginsSetup {
 export interface RequestHandlerContextMonitoringPlugin extends RequestHandlerContext {
   actions?: ActionsApiRequestHandlerContext;
   alerting?: AlertingApiRequestHandlerContext;
+  ruleRegistry?: RacApiRequestHandlerContext;
 }
 
 export interface PluginsStart {

x-pack/plugins/rule_registry/kibana.json

@@ -2,13 +2,7 @@
   "id": "ruleRegistry",
   "version": "8.0.0",
   "kibanaVersion": "kibana",
-  "configPath": [
-    "xpack",
-    "ruleRegistry"
-  ],
-  "requiredPlugins": [
-    "alerting",
-    "features"
-  ],
+  "configPath": ["xpack", "ruleRegistry"],
+  "requiredPlugins": ["alerting", "features", "security"],
   "server": true
 }

x-pack/plugins/rule_registry/server/authorization/rac_authorization.ts

@@ -92,11 +92,15 @@ export class RacAuthorization {
 
     // Does the owner the client sent up match with the KibanaFeatures structure
     const isAvailableOwner = this.featureOwners.has(owner);
+    console.error('PROVIDED OWNER', owner);
     console.error('THIS.FEATUREOWNERS', this.featureOwners);
     console.error('IS AVAILABLE OWNER', isAvailableOwner);
+    console.error('AUTHORIZATION???', authorization);
+    console.error('THIS.SHOULDCHECKAUTHZ', this.shouldCheckAuthorization());
 
     if (authorization != null && this.shouldCheckAuthorization()) {
       const requiredPrivileges = [authorization.actions.rac.get(owner, operation)];
+      console.error('REQUIRED PRIVILEGES', JSON.stringify(requiredPrivileges, null, 2));
       const checkPrivileges = authorization.checkPrivilegesDynamicallyWithRequest(this.request);
       const { hasAllRequested, username, privileges } = await checkPrivileges({
         kibana: requiredPrivileges,

x-pack/plugins/rule_registry/server/rac_client/rac_client.ts

@@ -112,7 +112,13 @@ export class RacClient {
     this.esClient = esClient;
   }
 
-  public async get<Params>({ id }: { id: string }): Promise<unknown> {
+  public async get<Params>({
+    id,
+    owner,
+  }: {
+    id: string;
+    owner: 'securitySolution' | 'observability';
+  }): Promise<unknown> {
     // TODO: type alert for the get method
     const result = await this.esClient.search({
       index: '.siem*',
@@ -124,7 +130,7 @@ export class RacClient {
       await this.authorization.ensureAuthorized(
         // TODO: add spaceid here.. I think
         // result.body._source?.owner,
-        'securitySolution',
+        owner,
         ReadOperations.Get
       );
     } catch (error) {

x-pack/plugins/rule_registry/server/scripts/README.md

@@ -0,0 +1,24 @@
+Users with roles granting them access to monitoring (observability) and siem (security solution) should only be able to access alerts with those roles
+
+```bash
+myterminal~$ ./get_security_solution_alert.sh observer
+{
+  "statusCode": 404,
+  "error": "Not Found",
+  "message": "Unauthorized to get \"rac:8.0.0:securitySolution/get\" alert\""
+}
+myterminal~$ ./get_security_solution_alert.sh 
+{
+  "success": true
+}
+myterminal~$ ./get_observability_alert.sh 
+{
+  "success": true
+}
+myterminal~$ ./get_observability_alert.sh hunter
+{
+  "statusCode": 404,
+  "error": "Not Found",
+  "message": "Unauthorized to get \"rac:8.0.0:observability/get\" alert\""
+}
+```

x-pack/plugins/rule_registry/server/scripts/get_observability_alert.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+set -e
+
+USER=${1:-'observer'}
+
+# Example: ./find_rules.sh
+curl -s -k \
+ -u $USER:changeme \
+ -X GET ${KIBANA_URL}${SPACE_URL}/monitoring-myfakepath | jq .

x-pack/plugins/rule_registry/server/scripts/get_security_solution_alert.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+set -e
+
+USER=${1:-'hunter'}
+
+# Example: ./find_rules.sh
+curl -s -k \
+ -u $USER:changeme \
+ -X GET ${KIBANA_URL}${SPACE_URL}/security-myfakepath | jq .

x-pack/plugins/rule_registry/server/scripts/hunter/README.md

@@ -0,0 +1,5 @@
+This user can access the monitoring route at http://localhost:5601/security-myfakepath
+
+|        Role         | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts |
+| :-----------------: | :----------: | :-------------------------------: | :---: | :--------------: | :---------------: | :------------: |
+| Hunter / T3 Analyst | read, write  |               read                | read  |   read, write    |       read        |  read, write   |

x-pack/plugins/rule_registry/server/scripts/hunter/delete_detections_user.sh

@@ -0,0 +1,11 @@
+
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
+ -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
+-XDELETE ${ELASTICSEARCH_URL}/_security/user/hunter

x-pack/plugins/rule_registry/server/scripts/hunter/detections_role.json

@@ -0,0 +1,38 @@
+{
+  "elasticsearch": {
+    "cluster": [],
+    "indices": [
+      {
+        "names": [
+          "apm-*-transaction*",
+          "auditbeat-*",
+          "endgame-*",
+          "filebeat-*",
+          "logs-*",
+          "packetbeat-*",
+          "winlogbeat-*"
+        ],
+        "privileges": ["read", "write"]
+      },
+      {
+        "names": [".siem-signals-*"],
+        "privileges": ["read", "write"]
+      },
+      {
+        "names": [".lists*", ".items*"],
+        "privileges": ["read", "write"]
+      }
+    ]
+  },
+  "kibana": [
+    {
+      "feature": {
+        "ml": ["read"],
+        "siem": ["all"],
+        "actions": ["read"],
+        "builtInAlerts": ["all"]
+      },
+      "spaces": ["*"]
+    }
+  ]
+}

x-pack/plugins/rule_registry/server/scripts/hunter/detections_user.json

@@ -0,0 +1,6 @@
+{
+  "password": "changeme",
+  "roles": ["hunter"],
+  "full_name": "Hunter",
+  "email": "detections-reader@example.com"
+}

x-pack/plugins/rule_registry/server/scripts/hunter/get_detections_role.sh

@@ -0,0 +1,11 @@
+
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
+ -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
+-XGET ${KIBANA_URL}/api/security/role/hunter | jq -S .

x-pack/plugins/rule_registry/server/scripts/hunter/index.ts

@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as hunterUser from './detections_user.json';
+import * as hunterRole from './detections_role.json';
+export { hunterUser, hunterRole };

x-pack/plugins/rule_registry/server/scripts/hunter/post_detections_role.sh

@@ -0,0 +1,14 @@
+
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+ROLE=(${@:-./detections_role.json})
+
+curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
+ -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
+-XPUT ${KIBANA_URL}/api/security/role/hunter \
+-d @${ROLE}

x-pack/plugins/rule_registry/server/scripts/hunter/post_detections_user.sh

@@ -0,0 +1,14 @@
+
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+USER=(${@:-./detections_user.json})
+
+curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
+ -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
+ ${ELASTICSEARCH_URL}/_security/user/hunter \
+-d @${USER}

x-pack/plugins/rule_registry/server/scripts/observer/README.md

@@ -0,0 +1,5 @@
+This user can access the monitoring route at http://localhost:5601/monitoring-myfakepath
+
+|   Role   | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts |
+| :------: | :----------: | :-------------------------------: | :---: | :--------------: | :---------------: | :------------: |
+| observer | read, write  |               read                | read  |   read, write    |       read        |  read, write   |

x-pack/plugins/rule_registry/server/scripts/observer/delete_detections_user.sh

@@ -0,0 +1,11 @@
+
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
+ -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
+-XDELETE ${ELASTICSEARCH_URL}/_security/user/observer

x-pack/plugins/rule_registry/server/scripts/observer/detections_role.json

@@ -0,0 +1,38 @@
+{
+  "elasticsearch": {
+    "cluster": [],
+    "indices": [
+      {
+        "names": [
+          "apm-*-transaction*",
+          "auditbeat-*",
+          "endgame-*",
+          "filebeat-*",
+          "logs-*",
+          "packetbeat-*",
+          "winlogbeat-*"
+        ],
+        "privileges": ["read", "write"]
+      },
+      {
+        "names": [".siem-signals-*"],
+        "privileges": ["read", "write"]
+      },
+      {
+        "names": [".lists*", ".items*"],
+        "privileges": ["read", "write"]
+      }
+    ]
+  },
+  "kibana": [
+    {
+      "feature": {
+        "ml": ["read"],
+        "monitoring": ["all"],
+        "actions": ["read"],
+        "builtInAlerts": ["all"]
+      },
+      "spaces": ["*"]
+    }
+  ]
+}

x-pack/plugins/rule_registry/server/scripts/observer/detections_user.json

@@ -0,0 +1,6 @@
+{
+  "password": "changeme",
+  "roles": ["observer"],
+  "full_name": "Observer",
+  "email": "monitoring-observer@example.com"
+}

x-pack/plugins/rule_registry/server/scripts/observer/get_detections_role.sh

@@ -0,0 +1,11 @@
+
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
+ -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
+-XGET ${KIBANA_URL}/api/security/role/hunter | jq -S .

x-pack/plugins/rule_registry/server/scripts/observer/index.ts

@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as observerUser from './detections_user.json';
+import * as observerRole from './detections_role.json';
+export { observerUser, observerRole };