Fixed a problem updating the API host registry #6995
Conversation
…k-stored-api endpoint. The missing `allow_run_as` data in the API host registry could cause the authentication to use the internal user instead of the logged user's context when `run_as` was enabled.
…ng to the configuration of run_as
- Ensure the user authentication uses the related endpoint according to the configuration of `run_as`
- Move the logic to decide the authentication (user or not run_as) to `asCurrentUser.authenticate`
- Fix: when `run_as: false` for a server API host, any login of a user caused the internal user token to be replaced by the one obtained for the logged user.
| Test | Chrome | Firefox | Safari |
|---|---|---|---|
| With an API host entry with run_as enabled, create a user without permissions related to server API or indexer, log in with the new user and ensure the authentication token has no permissions | 🟢 | ⚫ | ⚫ |
| With an API host entry with run_as disabled, create a user without permissions related to server API or indexer, log in with the new user and ensure the authentication token has the same permissions as the internal user of the server API host | 🟢 | ⚫ | ⚫ |
| With an API host entry with run_as enabled, create a user with permissions related to server API, log in and ensure the authentication token has the specified permissions | 🟢 | ⚫ | ⚫ |
LGTM!!
* feat(http): create http frontend client
  - Create HTTP client based on old services
  - Create HTTP client request interceptor: request
  - Create HTTP client generic: GenericRequest
  - Create HTTP client server: WzRequest, ApiCheck and WzAuthentication
  - Enhance server API backend client. See #6995
  - Rename ILogger type to Logger
* fix: add VSCode settings file
* chore: remove comment
* feat: add suggestions of code review
* feat(core): add TableData and ServerTable components to core plugin
  - Add TableData component (based on TableData of main plugin)
  - Add ServerTable component (based on TableWzAPI of main plugin)
  - Add SearchBar (copied from main plugin)
  - Add FileSaver (copied from main plugin)
* test(core): fix ExportTableCsv test
* chore(prettier): fix some code syntax
* chore(prettier): fix some code syntax
* chore: remove console.log
* feat(core): enhance typing
* fix(http): move type definitions
* fix: tests
* fix: move types
* chore(changelog): add entry
* fix(lint): code lint
* fix(prettier): code prettier
* fix(lint): code lint
* fix(lint): code lint
* Update plugins/wazuh-core/public/services/http/server-client.ts (Co-authored-by: Guido Modarelli <[email protected]>)
* fix(http): review suggestions
* fix(http): review suggestions
* fix(http): fix options parameter in http client
* fix(lint): simplify arrow-body-style configuration in ESLint settings
* fix(types): enhance SearchBarQueryLanguage and refine query language initialization logic
* fix(lint): update ESLint rules for unicorn and TypeScript to improve code quality and reduce false positives
* fix(lint): refine ESLint rules and clean up code with consistent error handling and improved variable naming conventions
* fix(lint): add rule for optional chaining and update WazuhApiCtrl for consistent use of optional chaining operator throughout
* fix(lint): simplify state update with optional chaining and improve clarity in search bar component code structure
* fix(lint): optimize settings update and clean up settings grouping logic for improved readability and performance in configuration.ts
* fix(lint): enhance rule for optional chaining to include empty ObjectExpression for better code quality and consistency
* fix(lint): simplify array mapping in AQL tests for improved readability and consistency in test case logic
* fix(lint): refactor object mapping in AQL component for improved readability and consistency across query suggestion logic
* fix(lint): streamline object mapping in WQL for enhanced readability and consistency across query language component logic
* fix(lint): simplify object mapping in TableData for improved readability and consistency across data table component logic
* fix(lint): refactor object mapping in ExportTableCsv for improved readability and consistency across export functionality logic
* fix(lint): refactor error handling in GenericRequest for improved readability and consistency in HTTP client logic
* fix(lint): streamline error message extraction in WzRequest for improved readability and consistency in HTTP response handling
* fix(lint): add rule for optional chaining with empty array expressions for improved code quality in logical expressions
* fix(lint): refactor token extraction using optional chaining for improved readability in ServerAPIClient response handling
* fix(enum): remove redundant enum definition for plugin settings, improving code clarity in configuration service file
* fix(lint): add rule for empty functions in test files to enhance code quality in TypeScript testing configuration
* fix(refactor): optimize settings categorization logic for clarity and maintainability in configuration service file
* fix(lint): remove unused variable warnings and improve code readability in suggest input and AQL test files
* fix(lint): eliminate unnecessary eslint-disable comments and enhance type safety in query language AQL component
* fix(refactor): enhance search bar query language structure and type safety, ensuring consistent initialization and prop typing
* fix(lint): turn off 'default-param-last' rule and clean up related eslint-disable comments in query language test files
* fix(lint): remove unused variables and clean up eslint-disable comments in WQL query language tests for better readability
* fix(lint): update enum formatting rules in eslint config for improved consistency and clarity in variable naming conventions
* fix(aql): refactor token types to use enums and constants for improved clarity and maintainability in AQL query language code
* fix(lint): expand ESLint variable rule to include boolean, number, and string types for enhanced linting versatility
* fix(types): update UseStateStorageHook to default type 'any' for improved flexibility in hook implementation
* fix(lint): add camelCase and PascalCase formats for object literal methods to ESLint rules for improved consistency in naming conventions
* fix(lint): include camelCase and PascalCase formats for variable names in ESLint rules for improved naming consistency
* fix(lint): update unused variable handling in table-data component to adhere to ESLint rules for cleaner code consistency
* fix(lint): enhance withServices HOC to set displayName for better debugging and component identification consistency
* fix(lint): remove unused eslint disables and update callback parameter naming for better adherence to coding standards
* fix(lint): remove unnecessary eslint-disable comment in server-table-data component for improved code clarity and standards compliance
* fix(lint): clean up request-interceptor by removing unused eslint-disable comments and improving parameter naming for clarity
* fix(lint): remove unnecessary eslint-disable comment from configuration-store for enhanced code clarity and standards compliance
* fix(lint): remove unnecessary eslint-disable comments from configuration and search-bar components for improved code clarity and standards compliance
* fix(lint): remove unused eslint-disable comment from search-bar component to enhance code clarity and maintain coding standards
* fix(lint): remove unused eslint-disable comment from wql.test.tsx to improve code clarity and maintain coding standards
* fix(code): replace WQL.id with WQL_ID in query language file for better consistency and clarity in code structure
* fix(lint): remove unused eslint-disable comment from server-client.ts to enhance code clarity and maintain coding standards
* fix(lint): eliminate unused eslint-disable comments in wql.tsx to enhance code readability and maintain coding standards
* fix(lint): remove unnecessary eslint-disable comment in wql.tsx to improve code readability and maintain standards
* fix(types): replace hardcoded id with WQL_ID in ISearchBarModeWQL interface for improved type safety and consistency
* fix(lint): refactor conditional logic in wql.tsx to improve code clarity and maintain consistent formatting standards
* fix(api): use WAZUH_ERROR_DAEMONS_NOT_READY constant for error messaging consistency in WazuhApiCtrl error handling
* fix(api): update WazuhApiCtrl to use WAZUH_ERROR_CODES for consistent error messaging across server responses
* fix(lint): update eslint config to enforce UPPER_CASE for enum and add naming convention for constants files
* fix(settings-validator): refactor class to object, update methods for consistent argument handling and improve readability
* fix(lint): enhance eslint config to allow UPPER_CASE, camelCase, and PascalCase for global variables in naming conventions
* fix(constants): update import path and refactor configuration constants for improved readability and consistency with naming conventions
* fix(wazuh-api): replace WAZUH_ERROR_CODES with WAZUH_ERROR_DAEMONS_NOT_READY for improved clarity and error handling consistency
* fix(constants): rename pluginPlatformRequestHeaders to PLUGIN_PLATFORM_REQUEST_HEADERS for improved consistency in naming conventions
* fix(constants): refactor query language constants and improve code consistency by utilizing centralized definitions and types

---------

Co-authored-by: Guido Modarelli <[email protected]>
Co-authored-by: Guido Modarelli <[email protected]>
Description

This pull request fixes some problems related to user authentication:

- Fix the `POST /api/check-stored-api` endpoint: missing `allow_run_as` data in the API host registry could cause the authentication to use the internal user instead of the logged user's context when `run_as` was enabled.
- Ensure the user authentication uses `POST /security/user/authenticate/run_as` or `POST /security/user/authenticate` depending on the API host configuration `run_as` setting and its ability to execute with the internal user instead of trusting the authentication context.
- Fix: with `run_as: false` for a server API host, any login of a user caused the internal user token to be replaced by the one obtained for the logged user.

Issues Resolved
R1551
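The authentication decision the description refers to, as an added TypeScript example that is not the plugin's own code: it assumes a host registry entry with the configured `run_as` flag and an optional `allow_run_as` value (absent when the registry entry was not fully populated), hypothetical function names, and constructed "tokens" that only record which endpoint was used and whose permissions the result carries. The pre-fix behaviour is modelled alongside the fixed one so the three evidence cases from the PR can be compared.

```typescript
// Added example (hypothetical names, not the plugin's own code): models the
// authentication decision described in the PR description.

const AUTH_ENDPOINT = '/security/user/authenticate';
const RUN_AS_ENDPOINT = '/security/user/authenticate/run_as';
const INTERNAL_USER = 'internal-user'; // constructed placeholder identity

// API host registry entry as this example assumes it: `run_as` is the
// configured setting; `allow_run_as` is what the server reported for the
// internal user and is absent when the registry entry was not fully populated.
interface ApiHostEntry {
  id: string;
  run_as: boolean;
  allow_run_as?: boolean;
}

// Constructed "token": instead of a real JWT it records which endpoint was
// called and whose permissions the result carries.
interface HostToken {
  endpoint: string;
  identity: string;
}

type TokenStore = Map<string, HostToken>;

// Decide whether run_as can actually be used for a host. A missing
// allow_run_as value is reported instead of silently falling back to the
// internal user, which is the registry problem the PR describes.
function effectiveRunAs(host: ApiHostEntry): boolean {
  if (!host.run_as) {
    return false;
  }
  if (host.allow_run_as === undefined) {
    throw new Error(`host ${host.id}: allow_run_as missing from the API host registry`);
  }
  return host.allow_run_as;
}

// Fixed behaviour: the endpoint follows the run_as configuration, and a
// run_as:false host always stores the internal user's token, whoever logs in.
function authenticate(host: ApiHostEntry, loggedUser: string, store: TokenStore): HostToken {
  const token: HostToken = effectiveRunAs(host)
    ? { endpoint: RUN_AS_ENDPOINT, identity: loggedUser }
    : { endpoint: AUTH_ENDPOINT, identity: INTERNAL_USER };
  store.set(host.id, token);
  return token;
}

// Pre-fix behaviour described in the PR, kept for comparison: any login
// replaced the host's stored token with one issued for the logged user, even
// when run_as was false.
function authenticateBeforeFix(host: ApiHostEntry, loggedUser: string, store: TokenStore): HostToken {
  const token: HostToken = {
    endpoint: host.run_as ? RUN_AS_ENDPOINT : AUTH_ENDPOINT,
    identity: loggedUser,
  };
  store.set(host.id, token);
  return token;
}

// Walk through the three evidence cases from the PR with constructed hosts
// and users; returns the identity each stored token carries.
function runEvidenceCases(): Record<string, string> {
  const store: TokenStore = new Map();
  const runAsOn: ApiHostEntry = { id: 'host-run-as', run_as: true, allow_run_as: true };
  const runAsOff: ApiHostEntry = { id: 'host-internal', run_as: false };
  return {
    'run_as enabled, user without permissions': authenticate(runAsOn, 'limited-user', store).identity,
    'run_as disabled, user without permissions': authenticate(runAsOff, 'limited-user', store).identity,
    'run_as enabled, user with permissions': authenticate(runAsOn, 'api-user', store).identity,
    'run_as disabled, before the fix': authenticateBeforeFix(runAsOff, 'limited-user', store).identity,
  };
}
```

With `run_as` disabled the fixed path keeps the internal user's token for the host no matter who logs in, which is what the second evidence case checks; the pre-fix path shows the same login replacing it with the limited user's token. Refusing to proceed when `allow_run_as` is absent makes an incomplete registry entry visible rather than silently downgrading to the internal user.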
Evidence
Test
Legend:
⚫: none
🟢: pass
🟡: warning
🔴: fail
⚪: not applicable
UI
Details
⚫ With an API host entry with run_as enabled, create a user without permissions related to server API or indexer, log in with the new user and ensure the authentication token has no permissions
Chrome - ⚫
Firefox - ⚫
Safari - ⚫
⚫ With an API host entry with run_as disabled, create a user without permissions related to server API or indexer, log in with the new user and ensure the authentication token has the same permissions as the internal user of the server API host
Chrome - ⚫
Firefox - ⚫
Safari - ⚫
⚫ With an API host entry with run_as enabled, create a user with permissions related to server API, log in and ensure the authentication token has the specified permissions
Chrome - ⚫
Firefox - ⚫
Safari - ⚫
Check List
yarn test:jest