Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] [Detections] Disable edit button when user does not have actions privileges w/ rule + actions #80220

Merged
merged 17 commits into from
Oct 19, 2020

Conversation

dhurley14
Copy link
Contributor

@dhurley14 dhurley14 commented Oct 12, 2020

Summary

When a user with no actions privileges visits the rule details page of a rule with actions, the following capabilities will be disabled on the UI:

Edit Rule Settings button

"Edit Rule Settings" button will be greyed out similarly to when the a user does not have CRUD privileges for SIEM.

Screen Shot 2020-10-13 at 3 41 41 PM

and on the all rules table:

Screen Shot 2020-10-13 at 4 46 20 PM

Activate switch

Disabling the activate switch on rules with actions on all rules table

Screen Shot 2020-10-14 at 9 56 07 AM

Disabling the activate switch on rules with actions on rule details page

Screen Shot 2020-10-14 at 10 14 04 AM

Duplicate rule

Disable duplicate ability on all rules table

Screen Shot 2020-10-14 at 11 07 30 AM

Disable duplicate ability on rule details page

Screen Shot 2020-10-14 at 11 15 52 AM

Bulk actions

Disable the bulk functionality of duplicate, activate, deactivate

Screen Shot 2020-10-14 at 6 42 30 PM

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@dhurley14 dhurley14 self-assigned this Oct 12, 2020
@dhurley14 dhurley14 marked this pull request as ready for review October 12, 2020 23:07
@dhurley14 dhurley14 requested review from a team as code owners October 12, 2020 23:07
@elasticmachine
Copy link
Contributor

Pinging @elastic/siem (Team:SIEM)

@spong
Copy link
Member

spong commented Oct 12, 2020

We'll have to account for a the Edit rule settings link from the All Rules table as well. Since this requires knowledge of whether or not a Rule has actions, if we can't fetch that as part of the overall rule data, we may want to just lock down the edit rules page similar as to what we do with immutable rules (tabs disabled), and put a banner at the top explaining why. This also covers the case for manually entering the URL (or clicking a saved link).

Side question -- did there end up being any API-layer checks preventing users from modifying a rule with actions if they don't have actions privileges?

@dhurley14
Copy link
Contributor Author

Okay I'll make those updates for the all rules table too. As for api-side, the user would see a 403 error on the api if they attempt to edit a rule with an action and don't have privileges. So no, I have not made modifications on the api side to prevent users from editing. I can though if that would make for a better user experience.

@spong
Copy link
Member

spong commented Oct 13, 2020

Looks like we'll need to disable the duplicate action as well since it hits the actions API. We could allow duplication sans actions, but to keep this fix simple for 7.10 let's just disable the duplicate action and we can re-visit finer grained permissions as needed.

Rule Details / All Rules

@spong
Copy link
Member

spong commented Oct 13, 2020

nit: Would be nice to disable the Save changes button since it will result in an error, but not a big deal since the user needs to paste in the URL to get to this page in the first place.

@spong
Copy link
Member

spong commented Oct 13, 2020

When we chatted earlier I thought we determined activate/deactivate would function without actions permissions, but I'm seeing it error out attempting to deactivate -- is this correct?

@dhurley14
Copy link
Contributor Author

@spong Yeah I am also seeing this behavior. I was thinking that since the enable API route for the alerting framework was a separate call from updating that this would not have been a problem. I tested this situation outside of our code using the alerting _enable API and got the same response.

$ curl -s -k   -H 'Content-Type: application/json'   -H 'kbn-xsrf: 123'   -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}   -X POST ${KIBANA_URL}${SPACE_URL}/api/alerts/alert/fe195d20-0a21-4c76-87ea-e2ae03e1355a/_enable   | jq -S .;
{
  "error": "Forbidden",
  "message": "Unauthorized to execute actions",
  "statusCode": 403
}

This is my oversight. I actually had not tested this before we spoke but I assumed it would work since they were separate api's. After looking at the code it makes sense why we would get a 403 back from alerting and why alerting would prevent the enabling of an alert + action for a user that does not have any privileges for actions, otherwise the action would silently fail to execute since that new user's api key would be used to execute the alert + action. I'm assuming I should disable the enable switch for rules and use the same tooltip as the "Edit Rule" button?

@spong
Copy link
Member

spong commented Oct 14, 2020

Thanks for all the fixes here @dhurley14! 🙂

In testing the latest I found one last touch point for activate/deactivate and that's with the bulk actions:

We've already got a few permissions checks around the bulk actions, so should be fairly straightforward to add something like:

  const containsActions = selectedRuleIds.some(
    (id) => rules.find((r) => r.id === id)?.actions?.length > 0 ?? false
  );

around here:

const containsEnabled = selectedRuleIds.some(
(id) => rules.find((r) => r.id === id)?.enabled ?? false
);

And then disable the Activate/Deactivate/Duplicate actions if containsActions === true

@dhurley14 dhurley14 force-pushed the prevent-updates-no-actions branch from 88e2ba4 to a754926 Compare October 14, 2020 22:04
if (rule == null) {
return true;
}
if (rule.actions != null && rule.actions.length > 0 && isBoolean(privileges)) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Could simplify with if you want:

Suggested change
if (rule.actions != null && rule.actions.length > 0 && isBoolean(privileges)) {
if (rule.actions?.length > 0 > 0 && isBoolean(privileges)) {

await duplicateRulesAction([rule], [rule.id], noop, dispatchToaster);
}}
>
{i18nActions.DUPLICATE_RULE}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Could move EuiToolTip to wrap this instead of EuiContextMenuItem in the event we end up adding a tooltip to the next menu item as well (to prevent the styling issue). This also ensure's all top level components have a key as well.

Comment on lines 57 to 71
const canBulkActivateRulesWithActions = selectedRuleIds.every((id) => {
const found = rules.find((rule) => rule.id === id);
if (found != null) {
if (found.actions.length > 0) {
if (canEditRuleWithActions(found, hasActionsPrivileges)) {
return true;
} else {
return false;
}
} else {
return true;
}
}
return true;
});
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a bit difficult to follow -- to determine the value of canBulkActivateRulesWithActions, we really just need to know if the user hasActionsPrivileges, and if any of the selected rules have actions, right?

With this logic we're going to loop over every rule even if the first rule has actions and the user doesn't have permissions, even though that's enough to know that we need to disable any bulk_action that requires action privileges.

Still making use of your canEditRuleWithActions() function, we can invert the check using some() such that we'll bail early as soon as we find one rule with actions and the user doesn't hasActionsPrivileges.

  const missingActionPrivileges = selectedRuleIds.some((id) => {
    return !canEditRuleWithActions(
      rules.find((rule) => rule.id === id),
      hasActionsPrivileges
    );
  });

Going further, if the user hasActionsPrivileges we don't even have to check if any rule has actions, so we can short circuit even earlier! At the expense of readability of course... 😅

  const missingActionPrivileges =
    !hasActionsPrivileges &&
    selectedRuleIds.some((id) => {
      return !canEditRuleWithActions(
        rules.find((rule) => rule.id === id),
        hasActionsPrivileges
      );
    });

And then you can replace !canBulkActivateRulesWithActions with missingActionPrivileges, which reads a bit easier too since it avoids negation (although it adds one back into the calculation, but that can't be avoided since we're inverting our check).

Copy link
Member

@spong spong left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a few nits for readability (which is tough with all these permissions checks), but overall LGTM! 👍

Thanks for taking care of all these corner cases too @dhurley14 -- this is going to be really helpful for our users! And as we chatted about (#80601), outside of this bugfix we can probably clean up a lot of this readability logic by having a custom actions component that takes a common set of privileges and determines its disabled state from that. That'll be a good refactor for a future release 🙂

@dhurley14 dhurley14 force-pushed the prevent-updates-no-actions branch from 4a2e6a5 to f1733c4 Compare October 15, 2020 17:52
@dhurley14 dhurley14 force-pushed the prevent-updates-no-actions branch from 8c769dd to c89f412 Compare October 19, 2020 14:38
@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

@kbn/optimizer bundle module count

id before after diff
securitySolution 2057 2058 +1

async chunks size

id before after diff
securitySolution 8.1MB 8.1MB +6.1KB

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@dhurley14 dhurley14 merged commit 2f01a09 into elastic:master Oct 19, 2020
@dhurley14 dhurley14 deleted the prevent-updates-no-actions branch October 19, 2020 19:45
dhurley14 added a commit to dhurley14/kibana that referenced this pull request Oct 19, 2020
…ot have actions privileges w/ rule + actions (elastic#80220)

* disable edit button only when there is an action present on the rule to be edited, but the user attempting the edit does not have actions privileges

* adds tooltip to explain why the edit rule button is disabled

* prevent user from editing rules with actions on the all rules table

* adds tooltip to appear on all rules table

* updates tests for missing params and missing mock of useKibana

* disable activate switch on all rules table and rule details page

* remove as casting in favor of a boolean type guard to ensure actions.show capabilities are a boolean even though tye are typed as a boolean | Record

* disable duplicate rule functionality for rules with actions

* fix positioning of tooltips and add tooltip to rule duplicate button in overflow button

* update tests

* WIP - display bulk actions dropdown options as disabled + add tooltips describing why they are disabled

* add eui tool tip as child of of each context menu item

* PR feedback and utilize map of rule ids to rules to replace usage of array.finds

* update snapshot

* fix mocks

* fix mocks

* update wording with feedback from design team

Co-authored-by: Patryk Kopycinski <contact@patrykkopycinski.com>
dhurley14 added a commit to dhurley14/kibana that referenced this pull request Oct 19, 2020
…ot have actions privileges w/ rule + actions (elastic#80220)

* disable edit button only when there is an action present on the rule to be edited, but the user attempting the edit does not have actions privileges

* adds tooltip to explain why the edit rule button is disabled

* prevent user from editing rules with actions on the all rules table

* adds tooltip to appear on all rules table

* updates tests for missing params and missing mock of useKibana

* disable activate switch on all rules table and rule details page

* remove as casting in favor of a boolean type guard to ensure actions.show capabilities are a boolean even though tye are typed as a boolean | Record

* disable duplicate rule functionality for rules with actions

* fix positioning of tooltips and add tooltip to rule duplicate button in overflow button

* update tests

* WIP - display bulk actions dropdown options as disabled + add tooltips describing why they are disabled

* add eui tool tip as child of of each context menu item

* PR feedback and utilize map of rule ids to rules to replace usage of array.finds

* update snapshot

* fix mocks

* fix mocks

* update wording with feedback from design team

Co-authored-by: Patryk Kopycinski <contact@patrykkopycinski.com>
jloleysens added a commit to jloleysens/kibana that referenced this pull request Oct 20, 2020
…lout-for-warm-and-cold-tier

* 'master' of github.com:elastic/kibana: (126 commits)
  Add cumulative sum expression function (elastic#80129)
  [APM] Fix link to trace (elastic#80993)
  Provide url rewritten in onPreRouting interceptor (elastic#80810)
  limit renovate to npm packages
  Fix bug in logs UI link (elastic#80943)
  [Monitoring] Fix bug with setup mode appearing on pages it shouldn't (elastic#80343)
  [Security Solution][Detection Engine] Fixes false positives caused by empty records in threat list
  docs test (elastic#81080)
  Fixed alerts ui test timeout issue, related to the multiple server calls for delete all alerts, by reducing the number of alerts to the two and increasing retry timeout. (elastic#81067)
  [APM] Fix service map highlighted edge on node select (elastic#80791)
  Fix typo in toast, slight copy adjustment. (elastic#80843)
  [Security Solution] reduce optimizer limits (elastic#80997)
  [maps] 7.10 documentation updates (elastic#79917)
  [Workplace Search] Fix Group Prioritization route and clean up design (elastic#80903)
  [Enterprise Search] Added reusable HiddenText component to Credentials (elastic#80033)
  Upgrade EUI to v29.5.0 (elastic#80753)
  [Maps] Fix layer-flash when changing style (elastic#80948)
  [Security Solution] [Detections] Disable edit button when user does not have actions privileges w/ rule + actions (elastic#80220)
  [Enterprise Search] Handle loading state on Credentials page (elastic#80035)
  [Monitoring] Fix cluster listing page in how it handles global state (elastic#78979)
  ...
dhurley14 added a commit that referenced this pull request Oct 20, 2020
…does not have actions privileges w/ rule + actions (#80220) (#81055)

* disable edit button only when there is an action present on the rule to be edited, but the user attempting the edit does not have actions privileges

* adds tooltip to explain why the edit rule button is disabled

* prevent user from editing rules with actions on the all rules table

* adds tooltip to appear on all rules table

* updates tests for missing params and missing mock of useKibana

* disable activate switch on all rules table and rule details page

* remove as casting in favor of a boolean type guard to ensure actions.show capabilities are a boolean even though tye are typed as a boolean | Record

* disable duplicate rule functionality for rules with actions

* fix positioning of tooltips and add tooltip to rule duplicate button in overflow button

* update tests

* WIP - display bulk actions dropdown options as disabled + add tooltips describing why they are disabled

* add eui tool tip as child of of each context menu item

* PR feedback and utilize map of rule ids to rules to replace usage of array.finds

* update snapshot

* fix mocks

* fix mocks

* update wording with feedback from design team

Co-authored-by: Patryk Kopycinski <contact@patrykkopycinski.com>

Co-authored-by: Patryk Kopycinski <contact@patrykkopycinski.com>
dhurley14 added a commit that referenced this pull request Oct 20, 2020
… does not have actions privileges w/ rule + actions (#80220) (#81056)

* disable edit button only when there is an action present on the rule to be edited, but the user attempting the edit does not have actions privileges

* adds tooltip to explain why the edit rule button is disabled

* prevent user from editing rules with actions on the all rules table

* adds tooltip to appear on all rules table

* updates tests for missing params and missing mock of useKibana

* disable activate switch on all rules table and rule details page

* remove as casting in favor of a boolean type guard to ensure actions.show capabilities are a boolean even though tye are typed as a boolean | Record

* disable duplicate rule functionality for rules with actions

* fix positioning of tooltips and add tooltip to rule duplicate button in overflow button

* update tests

* WIP - display bulk actions dropdown options as disabled + add tooltips describing why they are disabled

* add eui tool tip as child of of each context menu item

* PR feedback and utilize map of rule ids to rules to replace usage of array.finds

* update snapshot

* fix mocks

* fix mocks

* update wording with feedback from design team

Co-authored-by: Patryk Kopycinski <contact@patrykkopycinski.com>

Co-authored-by: Patryk Kopycinski <contact@patrykkopycinski.com>
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 22, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Feature:Detection Rules Security Solution rules and Detection Engine fixed release_note:enhancement review Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.10.0 v7.11.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants