[Fleet] Allow readonly user to access /agent_policies_spaces API (#20…

…3434)
elastic · Dec 10, 2024 · ebcbb0b · ebcbb0b
1 parent 9089dbe
commit ebcbb0b
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 1 deletion.
diff --git a/x-pack/plugins/fleet/server/routes/app/index.ts b/x-pack/plugins/fleet/server/routes/app/index.ts
@@ -237,7 +237,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
       path: APP_API_ROUTES.AGENT_POLICIES_SPACES,
       access: 'internal',
       fleetAuthz: {
-        fleet: { allAgentPolicies: true },
+        fleet: { readAgentPolicies: true },
       },
     })
     .addVersion(

diff --git a/x-pack/test/fleet_api_integration/apis/space_awareness/agent_policies.ts b/x-pack/test/fleet_api_integration/apis/space_awareness/agent_policies.ts
@@ -27,6 +27,10 @@ export default function (providerContext: FtrProviderContext) {
       username: testUsers.fleet_all_int_all.username,
       password: testUsers.fleet_all_int_all.password,
     });
+    const apiClientReadOnly = new SpaceTestApiClient(supertestWithoutAuth, {
+      username: testUsers.fleet_read_only.username,
+      password: testUsers.fleet_read_only.password,
+    });
 
     let defaultSpacePolicy1: CreateAgentPolicyResponse;
     let spaceTest1Policy1: CreateAgentPolicyResponse;
@@ -113,5 +117,19 @@ export default function (providerContext: FtrProviderContext) {
         expect(res.item.id).to.eql(`${TEST_SPACE_1}-fleet-server-policy`);
       });
     });
+
+    describe('GET /agent_policies_spaces', () => {
+      it('should return all spaces user can write agent policies to', async () => {
+        const res = await apiClient.getAgentPoliciesSpaces();
+
+        expect(res.items.map(({ id }: { id: string }) => id)).to.eql(['default', 'test1']);
+      });
+
+      it('should return no spaces for user with readonly access', async () => {
+        const res = await apiClientReadOnly.getAgentPoliciesSpaces();
+
+        expect(res.items.map(({ id }: { id: string }) => id)).to.eql([]);
+      });
+    });
   });
 }
diff --git a/x-pack/test/fleet_api_integration/apis/space_awareness/api_helper.ts b/x-pack/test/fleet_api_integration/apis/space_awareness/api_helper.ts
@@ -179,6 +179,18 @@ export class SpaceTestApiClient {
 
     return res;
   }
+
+  async getAgentPoliciesSpaces(spaceId?: string) {
+    const { body: res } = await this.supertest
+      .get(`${this.getBaseUrl(spaceId)}/internal/fleet/agent_policies_spaces`)
+      .auth(this.auth.username, this.auth.password)
+      .set('kbn-xsrf', 'xxxx')
+      .set('elastic-api-version', '1')
+      .expect(200);
+
+    return res;
+  }
+
   // Enrollment API Keys
   async getEnrollmentApiKey(
     keyId: string,