
Fixed a problem updating the API host registry #6995

Merged: 8 commits merged into 4.9.1 from bug/r-1551 on Sep 19, 2024

Conversation

@Desvelao (Member) commented Sep 17, 2024

Description

This pull request fixes some problems related to user authentication.

  • Fix a problem updating the API host registry data through the POST /api/check-stored-api endpoint.

    This problem could cause the authentication in the Wazuh server to use the internal user instead of the current user when run_as was enabled.

  • Ensure the usage of POST /security/user/authenticate/run_as or POST /security/user/authenticate depending on the API host configuration run_as setting and its ability to execute with the internal user, instead of trusting the authentication context.
  • Fix: when run_as: false for a server API host, any user login caused the internal user token to be replaced by the one obtained for the logged-in user.

Issues Resolved

R1551

Evidence

Test

Legend:
⚫: none
🟢: pass
🟡: warning
🔴: fail
⚪: not applicable

UI

Test | Chrome | Firefox | Safari
1. With an API host entry with run_as enabled, create a user without permissions related to the server API or indexer, log in with the new user and ensure the authentication token has no permissions | ⚫ | ⚫ | ⚫
2. With an API host entry with run_as disabled, create a user without permissions related to the server API or indexer, log in with the new user and ensure the authentication token has the same permissions as the internal user of the server API host | ⚫ | ⚫ | ⚫
3. With an API host entry with run_as enabled, create a user with permissions related to the server API, log in and ensure the authentication token has the specified permissions | ⚫ | ⚫ | ⚫

Check List

  • All tests pass
    • yarn test:jest
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

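The two behaviours the description above fixes (choosing the run_as endpoint only when the host configuration and the registry both allow it, and keeping a run_as-disabled host's internal token out of reach of user logins) can be modelled in a few dozen lines. The block below is an added example, not code from the Wazuh dashboard or this PR: the interface shapes, the `allow_run_as` registry field being optional, the `FakeServerApi`, the `TokenCache` and the `token:<host>:<identity>` string format are all assumptions made for illustration. The real decision lives in `asCurrentUser.authenticate` according to the commit messages, which this example does not reproduce.

```typescript
// Added example, not Wazuh dashboard code. Models the authentication decision
// the PR describes. Interface shapes, the fake server and the token format
// are assumptions for illustration only.

// Per-host configuration as the operator sets it (assumed shape).
interface ApiHostConfig {
  id: string;
  run_as: boolean; // authenticate as the logged-in user rather than the internal user
}

// Registry data refreshed through the check-stored-api flow (assumed shape).
// allow_run_as reports whether the internal user may run_as; it is optional
// here precisely because a registry that was never updated would lack it.
interface ApiHostRegistryEntry {
  allow_run_as?: boolean;
}

// Authentication context of the dashboard session (assumed minimal shape).
interface AuthContext {
  username: string;
}

const AUTH_ENDPOINT = '/security/user/authenticate';
const RUN_AS_ENDPOINT = '/security/user/authenticate/run_as';

// run_as is used only when the operator enabled it AND the registry confirms
// the internal user is allowed to run_as. A missing allow_run_as counts as
// "no", so the fallback to the internal user is explicit, never accidental.
function canRunAs(host: ApiHostConfig, registry: ApiHostRegistryEntry): boolean {
  return host.run_as && registry.allow_run_as === true;
}

function selectAuthEndpoint(host: ApiHostConfig, registry: ApiHostRegistryEntry): string {
  return canRunAs(host, registry) ? RUN_AS_ENDPOINT : AUTH_ENDPOINT;
}

// Abstraction over the server API; the fake below issues tokens that encode
// which identity they were minted for, so tests can see who got what.
interface ServerApiClient {
  post(endpoint: string, body?: AuthContext): string;
}

class FakeServerApi implements ServerApiClient {
  private readonly hostId: string;
  constructor(hostId: string) {
    this.hostId = hostId;
  }
  post(endpoint: string, body?: AuthContext): string {
    if (endpoint === RUN_AS_ENDPOINT) {
      if (!body) throw new Error('run_as authentication requires an auth context');
      return `token:${this.hostId}:user=${body.username}`;
    }
    if (endpoint === AUTH_ENDPOINT) return `token:${this.hostId}:internal`;
    throw new Error(`unexpected endpoint ${endpoint}`);
  }
}

// Two separate namespaces: a user login on a run_as-disabled host can never
// overwrite that host's internal user token (the second bug in the PR).
class TokenCache {
  private readonly internal = new Map<string, string>();
  private readonly byUser = new Map<string, string>();
  getInternal(hostId: string): string | undefined {
    return this.internal.get(hostId);
  }
  setInternal(hostId: string, token: string): void {
    this.internal.set(hostId, token);
  }
  getUser(hostId: string, username: string): string | undefined {
    return this.byUser.get(`${hostId}\u0000${username}`);
  }
  setUser(hostId: string, username: string, token: string): void {
    this.byUser.set(`${hostId}\u0000${username}`, token);
  }
}

// Resolve the token a request on behalf of `ctx` should carry for `host`.
function authenticate(
  host: ApiHostConfig,
  registry: ApiHostRegistryEntry,
  ctx: AuthContext,
  api: ServerApiClient,
  cache: TokenCache,
): { endpoint: string; token: string } {
  const endpoint = selectAuthEndpoint(host, registry);
  if (endpoint === RUN_AS_ENDPOINT) {
    let token = cache.getUser(host.id, ctx.username);
    if (!token) {
      token = api.post(endpoint, ctx);
      cache.setUser(host.id, ctx.username, token);
    }
    return { endpoint, token };
  }
  // Internal-user path: the token belongs to the host, not to ctx, so it is
  // keyed by host only and shared by every user who logs in.
  let token = cache.getInternal(host.id);
  if (!token) {
    token = api.post(endpoint);
    cache.setInternal(host.id, token);
  }
  return { endpoint, token };
}
```

The check worth keeping from this model is the first one: treat an absent `allow_run_as` as "not allowed" rather than as "unknown, use whatever is cached", because the failure the PR describes was exactly a silent fall-through to the internal user's privileges while the operator believed run_as was in effect.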
…k-stored-api endpoint

The allow_run_as missing data in the API host registry could cause the
authentication to use the internal user instead of the context of the logged-in
user when run_as was enabled.
@Desvelao Desvelao self-assigned this Sep 17, 2024
@Desvelao Desvelao marked this pull request as ready for review September 17, 2024 11:36
…ng to the configuration of run_as

- Ensure the user authentication uses the related endpoint according to the configuration of run_as
  Move the logic to decide the authentication (user or not run_as) to asCurrentUser.authenticate
- Fix when `run_as: false` for a server API host, any login of a user caused the
  internal user token to be replaced by the one obtained for the logged-in user.
@chantal-kelm chantal-kelm self-requested a review September 17, 2024 15:00
@chantal-kelm (Member) left a comment

Test | Chrome | Firefox | Safari
1. With an API host entry with run_as enabled, create a user without permissions related to the server API or indexer, log in with the new user and ensure the authentication token has no permissions | 🟢 | ⚫ | ⚫
2. With an API host entry with run_as disabled, create a user without permissions related to the server API or indexer, log in with the new user and ensure the authentication token has the same permissions as the internal user of the server API host | 🟢 | ⚫ | ⚫
3. With an API host entry with run_as enabled, create a user with permissions related to the server API, log in and ensure the authentication token has the specified permissions | 🟢 | ⚫ | ⚫

Details: Chrome - 🟢 for the three tests (screenshots attached, taken 2024-09-17); Firefox - ⚫; Safari - ⚫.

@JuanGarriuz JuanGarriuz self-requested a review September 18, 2024 06:52
@JuanGarriuz (Member) commented Sep 18, 2024

Test

UI

Test | Chrome | Firefox | Safari
1. With an API host entry with run_as enabled, create a user without permissions related to the server API or indexer, log in with the new user and ensure the authentication token has no permissions | 🟢 | ⚫ | ⚫
2. With an API host entry with run_as disabled, create a user without permissions related to the server API or indexer, log in with the new user and ensure the authentication token has the same permissions as the internal user of the server API host | 🟢 | ⚫ | ⚫
3. With an API host entry with run_as enabled, create a user with permissions related to the server API, log in and ensure the authentication token has the specified permissions | 🟢 | ⚫ | ⚫

Details: Chrome - 🟢 for the three tests (screenshots attached); Firefox - ⚫; Safari - ⚫.

@JuanGarriuz (Member) left a comment

LGTM!!

Contributor comments (Jest code coverage reports):

Wazuh Core plugin code coverage (Jest)
Metric     | Coverage | Covered / Total
Statements | 45.5%    | 400 / 879
Branches   | 41.09%   | 157 / 382
Functions  | 43.87%   | 136 / 310
Lines      | 45.69%   | 398 / 871

Wazuh Check Updates plugin code coverage (Jest)
Metric     | Coverage | Covered / Total
Statements | 76.44%   | 172 / 225
Branches   | 58.65%   | 61 / 104
Functions  | 61.7%    | 29 / 47
Lines      | 76.44%   | 172 / 225

Main plugin code coverage (Jest)
Metric     | Coverage | Covered / Total
Statements | 13.8%    | 4069 / 29480
Branches   | 9.16%    | 1765 / 19264
Functions  | 13.45%   | 959 / 7127
Lines      | 13.97%   | 3965 / 28366

@asteriscos asteriscos merged commit c3d75ea into 4.9.1 Sep 19, 2024
5 checks passed
@asteriscos asteriscos deleted the bug/r-1551 branch September 19, 2024 11:44
Desvelao added a commit that referenced this pull request Sep 19, 2024
- Create HTTP client based on old services
- Create HTTP client request interceptor: request
- Create HTTP client generic: GenericRequest
- Create HTTP client server: WzRequest, ApiCheck and WzAuthentication
- Enhance server API backend client
  See #6995
- Rename ILogger type to Logger
Desvelao added a commit that referenced this pull request Dec 10, 2024
* feat(http): create http frontend client

- Create HTTP client based on old services
- Create HTTP client request interceptor: request
- Create HTTP client generic: GenericRequest
- Create HTTP client server: WzRequest, ApiCheck and WzAuthentication
- Enhance server API backend client
  See #6995
- Rename ILogger type to Logger

* fix: add VSCode settings file

* chore: remove comment

* feat: add suggestions of code review

* feat(core): add TableData and ServerTable components to core plugin

- Add TableData component (based on TableData of main plugin)
- Add ServerTable component (based on TableWzAPI of main plugin)
  - Add SearchBar (copied from main plugin)
  - Add FileSaver (copied from main plugin)

* test(core): fix ExportTableCsv test

* chore(prettier): fix some code syntax

* chore(prettier): fix some code syntax

* chore: remove console.log

* feat(core): enhance typing

* fix(http): move type definitions

* fix: tests

* fix: move types

* chore(changelog): add entry

* fix(lint): code lint

* fix(prettier): code prettier

* fix(lint): code lint

* fix(lint): code lint

* Update plugins/wazuh-core/public/services/http/server-client.ts

Co-authored-by: Guido Modarelli <[email protected]>

* fix(http): review suggestions

* fix(http): review suggestions

* fix(http): fix options parameter in http client

* fix(lint): simplify arrow-body-style configuration in ESLint settings

* fix(types): enhance SearchBarQueryLanguage and refine query language initialization logic

* fix(lint): update ESLint rules for unicorn and TypeScript to improve code quality and reduce false positives

* fix(lint): refine ESLint rules and clean up code with consistent error handling and improved variable naming conventions

* fix(lint): add rule for optional chaining and update WazuhApiCtrl for consistent use of optional chaining operator throughout

* fix(lint): simplify state update with optional chaining and improve clarity in search bar component code structure

* fix(lint): optimize settings update and clean up settings grouping logic for improved readability and performance in configuration.ts

* fix(lint): enhance rule for optional chaining to include empty ObjectExpression for better code quality and consistency

* fix(lint): simplify array mapping in AQL tests for improved readability and consistency in test case logic

* fix(lint): refactor object mapping in AQL component for improved readability and consistency across query suggestion logic

* fix(lint): streamline object mapping in WQL for enhanced readability and consistency across query language component logic

* fix(lint): simplify object mapping in TableData for improved readability and consistency across data table component logic

* fix(lint): refactor object mapping in ExportTableCsv for improved readability and consistency across export functionality logic

* fix(lint): refactor error handling in GenericRequest for improved readability and consistency in HTTP client logic

* fix(lint): streamline error message extraction in WzRequest for improved readability and consistency in HTTP response handling

* fix(lint): add rule for optional chaining with empty array expressions for improved code quality in logical expressions

* fix(lint): refactor token extraction using optional chaining for improved readability in ServerAPIClient response handling

* fix(enum): remove redundant enum definition for plugin settings, improving code clarity in configuration service file

* fix(lint): add rule for empty functions in test files to enhance code quality in TypeScript testing configuration

* fix(refactor): optimize settings categorization logic for clarity and maintainability in configuration service file

* fix(lint): remove unused variable warnings and improve code readability in suggest input and AQL test files

* fix(lint): eliminate unnecessary eslint-disable comments and enhance type safety in query language AQL component

* fix(refactor): enhance search bar query language structure and type safety, ensuring consistent initialization and prop typing

* fix(lint): turn off 'default-param-last' rule and clean up related eslint-disable comments in query language test files

* fix(lint): remove unused variables and clean up eslint-disable comments in WQL query language tests for better readability

* fix(lint): update enum formatting rules in eslint config for improved consistency and clarity in variable naming conventions

* fix(aql): refactor token types to use enums and constants for improved clarity and maintainability in AQL query language code

* fix(lint): expand ESLint variable rule to include boolean, number, and string types for enhanced linting versatility

* fix(types): update UseStateStorageHook to default type 'any' for improved flexibility in hook implementation

* fix(lint): add camelCase and PascalCase formats for object literal methods to ESLint rules for improved consistency in naming conventions

* fix(lint): include camelCase and PascalCase formats for variable names in ESLint rules for improved naming consistency

* fix(lint): update unused variable handling in table-data component to adhere to ESLint rules for cleaner code consistency

* fix(lint): enhance withServices HOC to set displayName for better debugging and component identification consistency

* fix(lint): remove unused eslint disables and update callback parameter naming for better adherence to coding standards

* fix(lint): remove unnecessary eslint-disable comment in server-table-data component for improved code clarity and standards compliance

* fix(lint): clean up request-interceptor by removing unused eslint-disable comments and improving parameter naming for clarity

* fix(lint): remove unnecessary eslint-disable comment from configuration-store for enhanced code clarity and standards compliance

* fix(lint): remove unnecessary eslint-disable comments from configuration and search-bar components for improved code clarity and standards compliance

* fix(lint): remove unused eslint-disable comment from search-bar component to enhance code clarity and maintain coding standards

* fix(lint): remove unused eslint-disable comment from wql.test.tsx to improve code clarity and maintain coding standards

* fix(code): replace WQL.id with WQL_ID in query language file for better consistency and clarity in code structure

* fix(lint): remove unused eslint-disable comment from server-client.ts to enhance code clarity and maintain coding standards

* fix(lint): eliminate unused eslint-disable comments in wql.tsx to enhance code readability and maintain coding standards

* fix(lint): remove unnecessary eslint-disable comment in wql.tsx to improve code readability and maintain standards

* fix(types): replace hardcoded id with WQL_ID in ISearchBarModeWQL interface for improved type safety and consistency

* fix(lint): refactor conditional logic in wql.tsx to improve code clarity and maintain consistent formatting standards

* fix(api): use WAZUH_ERROR_DAEMONS_NOT_READY constant for error messaging consistency in WazuhApiCtrl error handling

* fix(api): update WazuhApiCtrl to use WAZUH_ERROR_CODES for consistent error messaging across server responses

* fix(lint): update eslint config to enforce UPPER_CASE for enum and add naming convention for constants files

* fix(settings-validator): refactor class to object, update methods for consistent argument handling and improve readability

* fix(lint): enhance eslint config to allow UPPER_CASE, camelCase, and PascalCase for global variables in naming conventions

* fix(constants): update import path and refactor configuration constants for improved readability and consistency with naming conventions

* fix(wazuh-api): replace WAZUH_ERROR_CODES with WAZUH_ERROR_DAEMONS_NOT_READY for improved clarity and error handling consistency

* fix(constants): rename pluginPlatformRequestHeaders to PLUGIN_PLATFORM_REQUEST_HEADERS for improved consistency in naming conventions

* fix(constants): refactor query language constants and improve code consistency by utilizing centralized definitions and types

---------

Co-authored-by: Guido Modarelli <[email protected]>
Co-authored-by: Guido Modarelli <[email protected]>
Labels: none yet. Projects: none yet. 4 participants.