Resolving issue when initially registering privileges

elastic · Jul 5, 2018 · 1f48041 · 1f48041
1 parent 19ddaea
commit 1f48041
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 2 deletions.
diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.js
@@ -4,16 +4,26 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { difference, isEqual } from 'lodash';
+import { difference, isEmpty, isEqual } from 'lodash';
 import { buildPrivilegeMap } from './privileges';
 import { getClient } from '../../../../../server/lib/get_client_shield';
 
+
+
 export async function registerPrivilegesWithCluster(server) {
   const config = server.config();
   const kibanaVersion = config.get('pkg.version');
   const application = config.get('xpack.security.rbac.application');
   const savedObjectTypes = server.savedObjects.types;
 
+  const shouldRemovePrivileges = (existingPrivileges, expectedPrivileges) => {
+    if (isEmpty(existingPrivileges)) {
+      return false;
+    }
+
+    return difference(Object.keys(existingPrivileges[application]), Object.keys(expectedPrivileges[application])).length > 0;
+  };
+
   const expectedPrivileges = {
     [application]: buildPrivilegeMap(savedObjectTypes, application, kibanaVersion)
   };
@@ -35,7 +45,7 @@ export async function registerPrivilegesWithCluster(server) {
     // remove unspecified privileges. We don't currently have a need to remove privileges, as this would be a
     // backwards compatibility issue, and we'd have to figure out how to migrate roles, so we're throwing an Error if we
     // unintentionally get ourselves in this position.
-    if (difference(Object.keys(existingPrivileges[application]), Object.keys(expectedPrivileges[application])).length > 0) {
+    if (shouldRemovePrivileges(existingPrivileges, expectedPrivileges)) {
       throw new Error(`Privileges are missing and can't be removed, currently.`);
     }
 

diff --git a/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js b/x-pack/plugins/security/server/lib/privileges/privilege_action_registry.test.js
@@ -128,6 +128,11 @@ const registerPrivilegesWithClusterTest = (description, {
           throw throwErrorWhenGettingPrivileges;
         }
 
+        // ES returns an empty object if we don't have any privileges
+        if (!existingPrivileges) {
+          return {};
+        }
+
         return {
           [defaultApplication]: existingPrivileges
         };
@@ -172,6 +177,16 @@ registerPrivilegesWithClusterTest(`passes saved object types, application and ki
   },
 });
 
+registerPrivilegesWithClusterTest(`inserts privileges when we don't have any existing privileges`, {
+  expectedPrivileges: {
+    expected: true
+  },
+  existingPrivileges: null,
+  assert: ({ expectUpdatedPrivileges }) => {
+    expectUpdatedPrivileges();
+  }
+});
+
 registerPrivilegesWithClusterTest(`updates privileges when simple top-level privileges values don't match`, {
   expectedPrivileges: {
     expected: true