[8.16] [Security GenAI] Fetching Assistant Knowledge Base fails when …

…current user's username contains a : character (#11159) (#200131) (#200610)

# Backport

This will backport the following commits from `main` to `8.16`:
- [[Security GenAI] Fetching Assistant Knowledge Base fails when current
user's username contains a : character (#11159)
(#200131)](#200131)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Ievgen
Sorokopud","email":"ievgen.sorokopud@elastic.co"},"sourceCommit":{"committedDate":"2024-11-18T16:24:04Z","message":"[Security
GenAI] Fetching Assistant Knowledge Base fails when current user's
username contains a : character (#11159) (#200131)\n\n##
Summary\r\n\r\nOriginal bug:
[internal\r\nlink](https://github.com/elastic/security-team/issues/11159)\r\n\r\n**This
PR fixes the next bug**:\r\nWhen the user is logged in with a username
that contains a `:`\r\ncharacter, fetching Knowlege Base entries fails
with an error. This is\r\npreventing customers from viewing their
created KB entries. This problem\r\naffects ECE customers using the SSO
login option.\r\n\r\nThere were a similar bugfix which inspired this
one\r\nhttps://github.com//pull/181709\r\n\r\nThere is no
easy way to reproduce this but you can try and change the\r\nline in
question so that the faulty username is used instead of the
one\r\npassed in.\r\n\r\n@MadameSheema Do you know a way to login
locally with the username that\r\ncontains a `:` character? As mentioned
above this situation is possible\r\nwith the ECE customers using SSO
login.\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following
conditions. \r\n\r\nReviewers should verify this PR satisfies this list
as well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"aa0dcdcf0164a916d569ac269e87bb3179c467c2","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","v9.0.0","Team:
SecuritySolution","Team:Security Generative
AI","backport:version","v8.17.0","v8.16.1"],"title":"[Security GenAI]
Fetching Assistant Knowledge Base fails when current user's username
contains a : character
(#11159)","number":200131,"url":"https://github.com/elastic/kibana/pull/200131","mergeCommit":{"message":"[Security
GenAI] Fetching Assistant Knowledge Base fails when current user's
username contains a : character (#11159) (#200131)\n\n##
Summary\r\n\r\nOriginal bug:
[internal\r\nlink](https://github.com/elastic/security-team/issues/11159)\r\n\r\n**This
PR fixes the next bug**:\r\nWhen the user is logged in with a username
that contains a `:`\r\ncharacter, fetching Knowlege Base entries fails
with an error. This is\r\npreventing customers from viewing their
created KB entries. This problem\r\naffects ECE customers using the SSO
login option.\r\n\r\nThere were a similar bugfix which inspired this
one\r\nhttps://github.com//pull/181709\r\n\r\nThere is no
easy way to reproduce this but you can try and change the\r\nline in
question so that the faulty username is used instead of the
one\r\npassed in.\r\n\r\n@MadameSheema Do you know a way to login
locally with the username that\r\ncontains a `:` character? As mentioned
above this situation is possible\r\nwith the ECE customers using SSO
login.\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following
conditions. \r\n\r\nReviewers should verify this PR satisfies this list
as well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"aa0dcdcf0164a916d569ac269e87bb3179c467c2"}},"sourceBranch":"main","suggestedTargetBranches":["8.x","8.16"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/200131","number":200131,"mergeCommit":{"message":"[Security
GenAI] Fetching Assistant Knowledge Base fails when current user's
username contains a : character (#11159) (#200131)\n\n##
Summary\r\n\r\nOriginal bug:
[internal\r\nlink](https://github.com/elastic/security-team/issues/11159)\r\n\r\n**This
PR fixes the next bug**:\r\nWhen the user is logged in with a username
that contains a `:`\r\ncharacter, fetching Knowlege Base entries fails
with an error. This is\r\npreventing customers from viewing their
created KB entries. This problem\r\naffects ECE customers using the SSO
login option.\r\n\r\nThere were a similar bugfix which inspired this
one\r\nhttps://github.com//pull/181709\r\n\r\nThere is no
easy way to reproduce this but you can try and change the\r\nline in
question so that the faulty username is used instead of the
one\r\npassed in.\r\n\r\n@MadameSheema Do you know a way to login
locally with the username that\r\ncontains a `:` character? As mentioned
above this situation is possible\r\nwith the ECE customers using SSO
login.\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following
conditions. \r\n\r\nReviewers should verify this PR satisfies this list
as well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"aa0dcdcf0164a916d569ac269e87bb3179c467c2"}},{"branch":"8.x","label":"v8.17.0","branchLabelMappingKey":"^v8.17.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.16","label":"v8.16.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Ievgen Sorokopud <ievgen.sorokopud@elastic.co>

x-pack/plugins/elastic_assistant/server/routes/knowledge_base/entries/utils.test.ts

@@ -0,0 +1,43 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { AuthenticatedUser } from '@kbn/core-security-common';
+import { getKBUserFilter } from './utils';
+
+describe('Utils', () => {
+  describe('getKBUserFilter', () => {
+    it('should return global filter when user is null', () => {
+      const filter = getKBUserFilter(null);
+      expect(filter).toEqual('(NOT users: {name:* OR id:* })');
+    });
+
+    it('should return global filter when `username` and `profile_uid` are undefined', () => {
+      const filter = getKBUserFilter({} as AuthenticatedUser);
+      expect(filter).toEqual('(NOT users: {name:* OR id:* })');
+    });
+
+    it('should return global filter when `username` is undefined', () => {
+      const filter = getKBUserFilter({ profile_uid: 'fake_user_id' } as AuthenticatedUser);
+      expect(filter).toEqual('(NOT users: {name:* OR id:* } OR users: {id: fake_user_id})');
+    });
+
+    it('should return global filter when `profile_uid` is undefined', () => {
+      const filter = getKBUserFilter({ username: 'user1' } as AuthenticatedUser);
+      expect(filter).toEqual('(NOT users: {name:* OR id:* } OR users: {name: "user1"})');
+    });
+
+    it('should return global filter when `username` has semicolon', () => {
+      const filter = getKBUserFilter({
+        username: 'user:1',
+        profile_uid: 'fake_user_id',
+      } as AuthenticatedUser);
+      expect(filter).toEqual(
+        '(NOT users: {name:* OR id:* } OR (users: {name: "user:1"} OR users: {id: fake_user_id}))'
+      );
+    });
+  });
+});

x-pack/plugins/elastic_assistant/server/routes/knowledge_base/entries/utils.ts

@@ -11,7 +11,7 @@ export const getKBUserFilter = (user: AuthenticatedUser | null) => {
   // Only return the current users entries and all other global entries (where user[] is empty)
   const globalFilter = 'NOT users: {name:* OR id:* }';
 
-  const nameFilter = user?.username ? `users: {name: ${user?.username}}` : '';
+  const nameFilter = user?.username ? `users: {name: "${user?.username}"}` : '';
   const idFilter = user?.profile_uid ? `users: {id: ${user?.profile_uid}}` : '';
   const userFilter =
     user?.username && user?.profile_uid