elastic · kobelb · Jun 7, 2018 · Jun 6, 2018 · Jun 6, 2018 · Jun 6, 2018
diff --git a/src/server/saved_objects/service/lib/repository.js b/src/server/saved_objects/service/lib/repository.js
@@ -19,7 +19,7 @@
 
 import uuid from 'uuid';
 
-import { getRootType } from '../../../mappings';
+import { getRootType, getRootPropertiesObjects } from '../../../mappings';
 import { getSearchDsl } from './search_dsl';
 import { trimIdPrefix } from './trim_id_prefix';
 import { includedFields } from './included_fields';
@@ -406,6 +406,10 @@ export class SavedObjectsRepository {
  };
  }
 
+ getTypes() {
+ return Object.keys(getRootPropertiesObjects(this._mappings));
+ }
+
  async _writeToCluster(method, params) {
  try {
  await this._onBeforeWrite();

diff --git a/src/server/saved_objects/service/lib/repository.test.js b/src/server/saved_objects/service/lib/repository.test.js
@@ -632,6 +632,83 @@ describe('SavedObjectsRepository', () => {
  });
  });
 
+ describe('#getTypes', () => {
+ it(`returns no types if mappings have no types`, () => {
+ const mappings = {
+ doc: {
+ properties: {
+ 'updated_at': {
+ type: 'date'
+ },
+ }
+ }
+ };
+
+ savedObjectsRepository = new SavedObjectsRepository({
+ index: '.kibana-test',
+ mappings,
+ callCluster: callAdminCluster,
+ onBeforeWrite
+ });
+
+ const types = savedObjectsRepository.getTypes();
+ expect(types).toEqual([]);
+ });
+
+ it(`returns single type defined in mappings`, () => {
+ const mappings = {
+ doc: {
+ properties: {
+ 'updated_at': {
+ type: 'date'
+ },
+ 'index-pattern': {
+ properties: {}
+ }
+ }
+ }
+ };
+
+ savedObjectsRepository = new SavedObjectsRepository({
+ index: '.kibana-test',
+ mappings,
+ callCluster: callAdminCluster,
+ onBeforeWrite
+ });
+
+ const types = savedObjectsRepository.getTypes();
+ expect(types).toEqual(['index-pattern']);
+ });
+
+ it(`returns multiple types defined in mappings`, () => {
+ const mappings = {
+ doc: {
+ properties: {
+ 'updated_at': {
+ type: 'date'
+ },
+ 'index-pattern': {
+ properties: {}
+ },
+ 'visualization': {
+ properties: {}
+ },
+ }
+ }
+ };
+
+ savedObjectsRepository = new SavedObjectsRepository({
+ index: '.kibana-test',
+ mappings,
+ callCluster: callAdminCluster,
+ onBeforeWrite
+ });
+
+ const types = savedObjectsRepository.getTypes();
+ expect(types).toEqual(['index-pattern', 'visualization']);
+ });
+ });
+
  describe('onBeforeWrite', () => {
  it('blocks calls to callCluster of requests', async () => {
  onBeforeWrite.returns(delay(500));

diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -6,6 +6,10 @@
 
 import { get, uniq } from 'lodash';
 
+const getPrivilege = (type, action) => {
+ return `action:saved_objects/${type}/${action}`;
+};
+
 export class SecureSavedObjectsClient {
  constructor(options) {
  const {
@@ -51,11 +55,38 @@ export class SecureSavedObjectsClient {
  }
 
  async find(options = {}) {
- await this._performAuthorizationCheck(options.type, 'find', {
- options,
- });
+ const action = 'find';
 
- return await this._repository.find(options);
+ // when we have the type or types, it makes our life easy
+ if (options.type) {
+ await this._performAuthorizationCheck(options.type, action, { options });
+ return await this._repository.find(options);
+ }
+
+ // otherwise, we have to filter for only their authorized types
+ const types = this._repository.getTypes();
+ const typesToPrivilegesMap = new Map(types.map(type => [type, getPrivilege(type, action)]));
+ const hasPrivilegesResult = await this._hasSavedObjectPrivileges(Array.from(typesToPrivilegesMap.values()));
+ const authorizedTypes = Array.from(typesToPrivilegesMap.entries())
+ .filter(([ , privilege]) => !hasPrivilegesResult.missing.includes(privilege))
+ .map(([type]) => type);
+
+ if (authorizedTypes.length === 0) {
+ this._auditLogger.savedObjectsAuthorizationFailure(
+ hasPrivilegesResult.username,
+ action,
+ types,
+ hasPrivilegesResult.missing,
+ { options }
+ );
+ throw this.errors.decorateForbiddenError(new Error(`Not authorized to find saved_object`));
+ }
+ this._auditLogger.savedObjectsAuthorizationSuccess(hasPrivilegesResult.username, action, authorizedTypes, { options });
+
+ return await this._repository.find({
+ ...options,
+ type: authorizedTypes
+ });
  }
 
  async bulkGet(objects = []) {
@@ -89,15 +120,8 @@ export class SecureSavedObjectsClient {
 
  async _performAuthorizationCheck(typeOrTypes, action, args) {
  const types = Array.isArray(typeOrTypes) ? typeOrTypes : [typeOrTypes];
- const actions = types.map(type => `action:saved_objects/${type}/${action}`);
-
- let result;
- try {
- result = await this._hasPrivileges(actions);
- } catch(error) {
- const { reason } = get(error, 'body.error', {});
- throw this.errors.decorateGeneralError(error, reason);
- }
+ const privileges = types.map(type => getPrivilege(type, action));
+ const result = await this._hasSavedObjectPrivileges(privileges);
 
  if (result.success) {
  this._auditLogger.savedObjectsAuthorizationSuccess(result.username, action, types, args);
@@ -107,4 +131,13 @@ export class SecureSavedObjectsClient {
  throw this.errors.decorateForbiddenError(new Error(msg));
  }
  }
+
+ async _hasSavedObjectPrivileges(privileges) {
+ try {
+ return await this._hasPrivileges(privileges);
+ } catch(error) {
+ const { reason } = get(error, 'body.error', {});
+ throw this.errors.decorateGeneralError(error, reason);
+ }
+ }
 }