Skip to content

Commit

Permalink
[Security GenAI] Fetching Assistant Knowledge Base fails when current…
Browse files Browse the repository at this point in the history
… user's username contains a : character (elastic#11159) (elastic#200131)

## Summary

Original bug: [internal
link](elastic/security-team#11159)

**This PR fixes the next bug**:
When the user is logged in with a username that contains a `:`
character, fetching Knowlege Base entries fails with an error. This is
preventing customers from viewing their created KB entries. This problem
affects ECE customers using the SSO login option.

There were a similar bugfix which inspired this one
elastic#181709

There is no easy way to reproduce this but you can try and change the
line in question so that the faulty username is used instead of the one
passed in.

@MadameSheema Do you know a way to login locally with the username that
contains a `:` character? As mentioned above this situation is possible
with the ECE customers using SSO login.

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
  • Loading branch information
2 people authored and jesuswr committed Nov 18, 2024
1 parent d3d711d commit 3e227c7
Show file tree
Hide file tree
Showing 2 changed files with 44 additions and 1 deletion.
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import { AuthenticatedUser } from '@kbn/core-security-common';
import { getKBUserFilter } from './utils';

describe('Utils', () => {
describe('getKBUserFilter', () => {
it('should return global filter when user is null', () => {
const filter = getKBUserFilter(null);
expect(filter).toEqual('(NOT users: {name:* OR id:* })');
});

it('should return global filter when `username` and `profile_uid` are undefined', () => {
const filter = getKBUserFilter({} as AuthenticatedUser);
expect(filter).toEqual('(NOT users: {name:* OR id:* })');
});

it('should return global filter when `username` is undefined', () => {
const filter = getKBUserFilter({ profile_uid: 'fake_user_id' } as AuthenticatedUser);
expect(filter).toEqual('(NOT users: {name:* OR id:* } OR users: {id: fake_user_id})');
});

it('should return global filter when `profile_uid` is undefined', () => {
const filter = getKBUserFilter({ username: 'user1' } as AuthenticatedUser);
expect(filter).toEqual('(NOT users: {name:* OR id:* } OR users: {name: "user1"})');
});

it('should return global filter when `username` has semicolon', () => {
const filter = getKBUserFilter({
username: 'user:1',
profile_uid: 'fake_user_id',
} as AuthenticatedUser);
expect(filter).toEqual(
'(NOT users: {name:* OR id:* } OR (users: {name: "user:1"} OR users: {id: fake_user_id}))'
);
});
});
});
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ export const getKBUserFilter = (user: AuthenticatedUser | null) => {
// Only return the current users entries and all other global entries (where user[] is empty)
const globalFilter = 'NOT users: {name:* OR id:* }';

const nameFilter = user?.username ? `users: {name: ${user?.username}}` : '';
const nameFilter = user?.username ? `users: {name: "${user?.username}"}` : '';
const idFilter = user?.profile_uid ? `users: {id: ${user?.profile_uid}}` : '';
const userFilter =
user?.username && user?.profile_uid
Expand Down

0 comments on commit 3e227c7

Please sign in to comment.