Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Require gold license for ECS audit logging #85537

Merged
merged 3 commits into from
Dec 10, 2020
Merged

Require gold license for ECS audit logging #85537

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
2fa89a9
Require gold license for ECS audit logging
thomheymann Dec 10, 2020
2a98ba9
Fix unit test
thomheymann Dec 10, 2020
eb8645f
Add suggestions from code review
thomheymann Dec 10, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions x-pack/plugins/security/common/licensing/license_features.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,12 @@ export interface SecurityLicenseFeatures {
*/
readonly allowAuditLogging: boolean;

/**
* Indicates whether we allow logging of legacy audit events.
* @deprecated
*/
readonly allowLegacyAuditLogging: boolean;

/**
* Indicates whether we allow users to define document level security in roles.
*/
Expand Down
43 changes: 26 additions & 17 deletions x-pack/plugins/security/common/licensing/license_service.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ describe('license features', function () {
allowRbac: false,
allowSubFeaturePrivileges: false,
allowAuditLogging: false,
allowLegacyAuditLogging: false,
});
});

Expand All @@ -48,6 +49,7 @@ describe('license features', function () {
allowRbac: false,
allowSubFeaturePrivileges: false,
allowAuditLogging: false,
allowLegacyAuditLogging: false,
});
});

Expand All @@ -69,6 +71,7 @@ describe('license features', function () {
Object {
"allowAccessAgreement": false,
"allowAuditLogging": false,
"allowLegacyAuditLogging": false,
"allowLogin": false,
"allowRbac": false,
"allowRoleDocumentLevelSecurity": false,
Expand All @@ -90,6 +93,7 @@ describe('license features', function () {
Object {
"allowAccessAgreement": true,
"allowAuditLogging": true,
"allowLegacyAuditLogging": true,
"allowLogin": true,
"allowRbac": true,
"allowRoleDocumentLevelSecurity": true,
Expand Down Expand Up @@ -128,6 +132,7 @@ describe('license features', function () {
allowRbac: true,
allowSubFeaturePrivileges: false,
allowAuditLogging: false,
allowLegacyAuditLogging: false,
});
expect(getFeatureSpy).toHaveBeenCalledTimes(1);
expect(getFeatureSpy).toHaveBeenCalledWith('security');
Expand All @@ -153,12 +158,13 @@ describe('license features', function () {
allowRbac: false,
allowSubFeaturePrivileges: false,
allowAuditLogging: false,
allowLegacyAuditLogging: false,
});
});

it('should allow role mappings, access agreement and sub-feature privileges, but not DLS/FLS if license = gold', () => {
it('should allow all basic features for standard license', () => {
const mockRawLicense = licenseMock.createLicense({
license: { mode: 'gold', type: 'gold' },
license: { mode: 'standard', type: 'standard' },
features: { security: { isEnabled: true, isAvailable: true } },
});

Expand All @@ -170,19 +176,20 @@ describe('license features', function () {
showLogin: true,
allowLogin: true,
showLinks: true,
showRoleMappingsManagement: true,
allowAccessAgreement: true,
showRoleMappingsManagement: false,
allowAccessAgreement: false,
allowRoleDocumentLevelSecurity: false,
allowRoleFieldLevelSecurity: false,
allowRbac: true,
allowSubFeaturePrivileges: true,
allowAuditLogging: true,
allowSubFeaturePrivileges: false,
allowAuditLogging: false,
allowLegacyAuditLogging: true,
});
});

it('should allow to login, allow RBAC, role mappings, access agreement, sub-feature privileges, and DLS if license >= platinum', () => {
it('should allow role mappings, access agreement, sub-feature privileges and audit logging, but not DLS/FLS if license = gold', () => {
const mockRawLicense = licenseMock.createLicense({
license: { mode: 'platinum', type: 'platinum' },
license: { mode: 'gold', type: 'gold' },
features: { security: { isEnabled: true, isAvailable: true } },
});

Expand All @@ -196,17 +203,18 @@ describe('license features', function () {
showLinks: true,
showRoleMappingsManagement: true,
allowAccessAgreement: true,
allowRoleDocumentLevelSecurity: true,
allowRoleFieldLevelSecurity: true,
allowRoleDocumentLevelSecurity: false,
allowRoleFieldLevelSecurity: false,
allowRbac: true,
allowSubFeaturePrivileges: true,
allowAuditLogging: true,
allowLegacyAuditLogging: true,
});
});

it('should allow all basic features + audit logging for standard license', () => {
it('should allow to login, allow RBAC, role mappings, access agreement, sub-feature privileges, and DLS if license >= platinum', () => {
const mockRawLicense = licenseMock.createLicense({
license: { mode: 'standard', type: 'standard' },
license: { mode: 'platinum', type: 'platinum' },
features: { security: { isEnabled: true, isAvailable: true } },
});

Expand All @@ -218,13 +226,14 @@ describe('license features', function () {
showLogin: true,
allowLogin: true,
showLinks: true,
showRoleMappingsManagement: false,
allowAccessAgreement: false,
allowRoleDocumentLevelSecurity: false,
allowRoleFieldLevelSecurity: false,
showRoleMappingsManagement: true,
allowAccessAgreement: true,
allowRoleDocumentLevelSecurity: true,
allowRoleFieldLevelSecurity: true,
allowRbac: true,
allowSubFeaturePrivileges: false,
allowSubFeaturePrivileges: true,
allowAuditLogging: true,
allowLegacyAuditLogging: true,
});
});
});
5 changes: 4 additions & 1 deletion x-pack/plugins/security/common/licensing/license_service.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,7 @@ export class SecurityLicenseService {
showRoleMappingsManagement: false,
allowAccessAgreement: false,
allowAuditLogging: false,
allowLegacyAuditLogging: false,
allowRoleDocumentLevelSecurity: false,
allowRoleFieldLevelSecurity: false,
allowRbac: false,
Expand All @@ -98,6 +99,7 @@ export class SecurityLicenseService {
showRoleMappingsManagement: false,
allowAccessAgreement: false,
allowAuditLogging: false,
allowLegacyAuditLogging: false,
allowRoleDocumentLevelSecurity: false,
allowRoleFieldLevelSecurity: false,
allowRbac: false,
Expand All @@ -114,7 +116,8 @@ export class SecurityLicenseService {
showLinks: true,
showRoleMappingsManagement: isLicenseGoldOrBetter,
allowAccessAgreement: isLicenseGoldOrBetter,
allowAuditLogging: isLicenseStandardOrBetter,
allowAuditLogging: isLicenseGoldOrBetter,
allowLegacyAuditLogging: isLicenseStandardOrBetter,
allowSubFeaturePrivileges: isLicenseGoldOrBetter,
// Only platinum and trial licenses are compliant with field- and document-level security.
allowRoleDocumentLevelSecurity: isLicensePlatinumOrBetter,
Expand Down
12 changes: 6 additions & 6 deletions x-pack/plugins/security/server/audit/audit_service.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -358,7 +358,7 @@ describe('#getLogger', () => {

const licenseWithFeatures = licenseMock.create();
licenseWithFeatures.features$ = new BehaviorSubject({
allowAuditLogging: true,
allowLegacyAuditLogging: true,
} as SecurityLicenseFeatures).asObservable();

const auditService = new AuditService(logger).setup({
Expand Down Expand Up @@ -388,7 +388,7 @@ describe('#getLogger', () => {

const licenseWithFeatures = licenseMock.create();
licenseWithFeatures.features$ = new BehaviorSubject({
allowAuditLogging: true,
allowLegacyAuditLogging: true,
} as SecurityLicenseFeatures).asObservable();

const auditService = new AuditService(logger).setup({
Expand Down Expand Up @@ -426,7 +426,7 @@ describe('#getLogger', () => {

const licenseWithFeatures = licenseMock.create();
licenseWithFeatures.features$ = new BehaviorSubject({
allowAuditLogging: false,
allowLegacyAuditLogging: false,
} as SecurityLicenseFeatures).asObservable();

const auditService = new AuditService(logger).setup({
Expand All @@ -452,7 +452,7 @@ describe('#getLogger', () => {

const licenseWithFeatures = licenseMock.create();
licenseWithFeatures.features$ = new BehaviorSubject({
allowAuditLogging: true,
allowLegacyAuditLogging: true,
} as SecurityLicenseFeatures).asObservable();

const auditService = new AuditService(logger).setup({
Expand Down Expand Up @@ -481,7 +481,7 @@ describe('#getLogger', () => {
const licenseWithFeatures = licenseMock.create();

const features$ = new BehaviorSubject({
allowAuditLogging: false,
allowLegacyAuditLogging: false,
} as SecurityLicenseFeatures);

licenseWithFeatures.features$ = features$.asObservable();
Expand All @@ -505,7 +505,7 @@ describe('#getLogger', () => {

// perform license upgrade
features$.next({
allowAuditLogging: true,
allowLegacyAuditLogging: true,
} as SecurityLicenseFeatures);

auditLogger.log(eventType, message);
Expand Down
8 changes: 5 additions & 3 deletions x-pack/plugins/security/server/audit/audit_service.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,9 +87,11 @@ export class AuditService {
getSpaceId,
}: AuditServiceSetupParams): AuditServiceSetup {
if (config.enabled && !config.appender) {
this.licenseFeaturesSubscription = license.features$.subscribe(({ allowAuditLogging }) => {
this.allowAuditLogging = allowAuditLogging;
});
this.licenseFeaturesSubscription = license.features$.subscribe(
({ allowLegacyAuditLogging }) => {
this.allowAuditLogging = allowLegacyAuditLogging;
}
);
}

// Configure logging during setup and when license changes
Expand Down
1 change: 1 addition & 0 deletions x-pack/plugins/security/server/routes/views/login.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -173,6 +173,7 @@ describe('Login view routes', () => {
showRoleMappingsManagement: true,
allowSubFeaturePrivileges: true,
allowAuditLogging: true,
allowLegacyAuditLogging: true,
showLogin: true,
});

Expand Down
1 change: 1 addition & 0 deletions x-pack/plugins/security/server/usage_collector/security_usage_collector.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ describe('Security UsageCollector', () => {
license.getFeatures.mockReturnValue({
allowAccessAgreement,
allowAuditLogging,
allowLegacyAuditLogging: allowAuditLogging,
allowRbac,
} as SecurityLicenseFeatures);
return license;
Expand Down
10 changes: 8 additions & 2 deletions x-pack/plugins/security/server/usage_collector/security_usage_collector.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,12 @@ export function registerSecurityUsageCollector({ usageCollection, config, licens
},
},
fetch: () => {
const { allowRbac, allowAccessAgreement, allowAuditLogging } = license.getFeatures();
const {
allowRbac,
allowAccessAgreement,
allowAuditLogging,
allowLegacyAuditLogging,
} = license.getFeatures();
if (!allowRbac) {
return {
auditLoggingEnabled: false,
Expand All @@ -87,7 +92,8 @@ export function registerSecurityUsageCollector({ usageCollection, config, licens
};
}

const auditLoggingEnabled = allowAuditLogging && config.audit.enabled;
const auditLoggingEnabled =
(allowAuditLogging || allowLegacyAuditLogging) && config.audit.enabled;
const loginSelectorEnabled = config.authc.selector.enabled;
const authProviderCount = config.authc.sortedProviders.length;
const enabledAuthProviders = [
Expand Down