
[Cloud Security][Tech Debt] Make sure all of our APIs apply authorization #184075

Closed
4 tasks
animehart opened this issue May 23, 2024 · 6 comments · Fixed by #186937 or #189687
Labels
8.16 candidate Team:Cloud Security Cloud Security team related technical debt Improvement of the software architecture and operational architecture

Comments

@animehart
Contributor

animehart commented May 23, 2024

Describe the feature:

Currently not all of our APIs have a way to check whether the user has permission to use them or not; we mostly check whether a user can access a certain feature via the UI or frontend, which means users might still be able to access the feature by making an API call.

So far only the benchmark, status and vulnerabilities_dashboard APIs have these checks. We should add these checks to the other APIs we have, to make sure only users with the correct permissions can use the feature.

How to test:

  • Create a user role with read access to Security and All access for Integration, Fleet and Saved Data management. Then assign this role to a new user.
  • Create a user role with All access for Integration, Fleet and Saved Data management. Then assign this role to a new user.
  • Try calling the API as the user created in step 1; they should receive a non-403 status code.
  • Try calling the API as the user created in step 2; they should receive a 403 status code.

Definition of Done:

  • Add tags to the APIs that don't have them yet (to check for permission).
  • Fix any broken UI or frontend related issue that might be caused by this change.
  • Make sure the FTR still works.
  • Add tests for both cases: a user that has minimal credentials and a user that doesn't have security credentials.
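The server-side check the issue asks for, as an added illustration (not code from the issue or from Kibana): a tiny simulation of tag-based route authorization, with the two users from the "How to test" steps, a write-only bulk action, and an untagged route showing the gap. Paths, tag names and privilege names are constructed placeholders.

```typescript
// Added example, not Kibana's code: a small simulation of tag-based route
// authorization in the spirit of the access tags this issue asks to add.
// Paths, tag names and privilege names are constructed placeholders.
type Privilege = 'securitySolution.read' | 'securitySolution.all' | 'fleet.all';

interface Route {
  path: string;
  method: 'GET' | 'POST';
  tags: string[]; // an "access:<privilege>" tag declares a required privilege
}

// Constructed routes modelled on the endpoints the issue discusses.
const ROUTES: Route[] = [
  { path: '/api/csp/status', method: 'GET', tags: ['access:securitySolution.read'] },
  { path: '/api/csp/benchmarks', method: 'GET', tags: ['access:securitySolution.read'] },
  // A bulk action updates data, so a read privilege must not satisfy it.
  { path: '/api/csp/bulk_action', method: 'POST', tags: ['access:securitySolution.all'] },
  // No access tag at all: the gap the issue describes (only the UI hides it).
  { path: '/api/csp/untagged', method: 'GET', tags: [] },
];

// A stronger privilege implies the weaker ones of the same feature.
const IMPLIES: Record<Privilege, Privilege[]> = {
  'securitySolution.all': ['securitySolution.all', 'securitySolution.read'],
  'securitySolution.read': ['securitySolution.read'],
  'fleet.all': ['fleet.all'],
};
// The two users from the issue's "How to test" steps.
const STEP1_USER: Privilege[] = ['securitySolution.read', 'fleet.all']; // read on Security
const STEP2_USER: Privilege[] = ['fleet.all']; // no Security privilege at all

function findRoute(method: Route['method'], path: string): Route {
  const r = ROUTES.find((x) => x.method === method && x.path === path);
  if (!r) throw new Error(`no route ${method} ${path}`);
  return r;
}

// Returns the HTTP status the server-side check would produce for this caller.
function authorize(route: Route, granted: Privilege[]): number {
  const required = route.tags
    .filter((t) => t.startsWith('access:'))
    .map((t) => t.slice('access:'.length));
  if (required.length === 0) return 200; // untagged: nobody is ever rejected
  const have = new Set<string>();
  for (const p of granted) IMPLIES[p].forEach((q) => have.add(q));
  return required.every((p) => have.has(p)) ? 200 : 403;
}

// Audit helper: which routes still lack an access tag (the tech-debt list).
function untaggedRoutes(routes: Route[] = ROUTES): string[] {
  return routes.filter((r) => !r.tags.some((t) => t.startsWith('access:'))).map((r) => r.path);
}
```

Note that the untagged route returns 200 for both users, which is exactly the state the issue wants to eliminate.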
@animehart animehart added the Team:Cloud Security Cloud Security team related label May 23, 2024
@elasticmachine
Contributor

Pinging @elastic/kibana-cloud-security-posture (Team:Cloud Security)

@animehart animehart added the technical debt Improvement of the software architecture and operational architecture label May 23, 2024
@kfirpeled kfirpeled changed the title [Cloud Security][Tech Debt] Make sure all of our APIs have the right access [Cloud Security][Tech Debt] Make sure all of our APIs apply authorization Jun 5, 2024
@animehart animehart linked a pull request Jul 5, 2024 that will close this issue
@oren-zohar
Contributor

@kfirpeled @animehart How can we verify this?

@animehart
Contributor Author

@oren-zohar
Sorry for the late reply, but I forgot to update the ticket that this will be for 8.16.0 (the PR I merged is for 8.16.0).

@kfirpeled
Contributor

kfirpeled commented Jul 31, 2024

Bulk action actually makes updates to data, it is not a read privilege. but all

@animehart can you fix this??

@kfirpeled kfirpeled reopened this Jul 31, 2024
@animehart animehart linked a pull request Jul 31, 2024 that will close this issue
@kfirpeled
Contributor

Can't be tested on serverless security project

In order to test this, we need to define a role without security permissions. This cannot be accomplished when using serverless project.
Only on ESS

On the other projects, search and o11y, the cloud_security_posture plugin shouldn't be available. In other words, these endpoints are not declared and are not accessible. @acorretti, would you like me to test that use case? In my opinion it is redundant.

I attach here a known issue that was reproduced while verifying this issue: #188354

@acorretti

@kfirpeled No need if the plugin isn't available. I agree it's redundant.
