[8.19] [Attack Discovery][Scheduling] RBAC: Make sure we check Index privileges before we allow user to access them (#226013) (#226424)

# Backport

This will backport the following commits from `main` to `8.19`:
- [[Attack Discovery][Scheduling] RBAC: Make sure we check Index
privileges before we allow user to access them
(#226013)](#226013)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Ievgen
Sorokopud","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-07-03T13:31:27Z","message":"[Attack
Discovery][Scheduling] RBAC: Make sure we check Index privileges before
we allow user to access them (#226013)\n\n## Summary\n\nWith these
changes we make sure that we do an access control checks\nbefore the
user tries to perform operations on attack discovery
alerts\nindices:\n\n- `.alerts-security.attack.discovery.alerts`\n-
`.internal.alerts-security.attack.discovery.alerts`\n-
`.adhoc.alerts-security.attack.discovery.alerts`\n-
`.internal.adhoc.alerts-security.attack.discovery.alerts`\n\nTo be able
to fetch alerts use has to have `read` elastic search\nprivileges on the
above indices. To modify (create, update, delete)\nalerts user has to
have `write` and `maintenance` (for `refresh: true`\noperations; we use
it to bulk update alerts) privileges for those\nindices.\n\nAlso, as
part of this PR, I realized that we would use `internal user`\n(which is
a `kibana_system` user behind the scene) to perform some of\nthe
operations (`findAttackDiscoveryAlerts`, `getAlertConnectorNames`\nand
`bulkUpdateAttackDiscoveryAlerts`) which should be performed with\nthe
current user rights instead. Those are fixed and we scope
elastic\nsearch operations to current user.\n\n### Testing\n\n#### 1.
Create a user and assign a role `with NO` index privileges for\nthe
above indices\n\n**Expected**:\n* User should not be able to see any
existing attack discovery alerts\n* User should not be able to generate
attack discoveries\n\n#### 2. Create a user and assign a role with
`read` index privileges for\nthe above indices\n\n**Expected**:\n* User
should be able to see existing attack discovery alerts\n* User should
not be able to generate attack discoveries via
\"Generate\"\nbutton\n\n#### 3. Create a user and assign a role with
`write` index privileges\nfor the above indices\n\n**Expected**:\n* User
should be able to see existing attack discovery alerts\n* User should
not be able to generate attack discoveries because the\n`maintenance`
privilege is missing\n\n#### 4. Create a user and assign a role with
`write` and `maintenance`\nindex privileges for the above
indices\n\n**Expected**:\n* User should be able to see existing attack
discovery alerts\n* User should be able to generate attack
discoveries\n\n## NOTES\n\nThe feature is hidden behind the feature flag
(in `kibana.dev.yml`):\n\n```\nfeature_flags.overrides:\n
securitySolution.attackDiscoveryAlertsEnabled: true\n
securitySolution.assistantAttackDiscoverySchedulingEnabled:
true\n```","sha":"d6eb939e00d4ee7400574a69f05c5375605d5099","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:
SecuritySolution","Team:Security Generative
AI","backport:version","v9.1.0","v8.19.0","v9.2.0"],"title":"[Attack
Discovery][Scheduling] RBAC: Make sure we check Index privileges before
we allow user to access
them","number":226013,"url":"https://github.com/elastic/kibana/pull/226013","mergeCommit":{"message":"[Attack
Discovery][Scheduling] RBAC: Make sure we check Index privileges before
we allow user to access them (#226013)\n\n## Summary\n\nWith these
changes we make sure that we do an access control checks\nbefore the
user tries to perform operations on attack discovery
alerts\nindices:\n\n- `.alerts-security.attack.discovery.alerts`\n-
`.internal.alerts-security.attack.discovery.alerts`\n-
`.adhoc.alerts-security.attack.discovery.alerts`\n-
`.internal.adhoc.alerts-security.attack.discovery.alerts`\n\nTo be able
to fetch alerts use has to have `read` elastic search\nprivileges on the
above indices. To modify (create, update, delete)\nalerts user has to
have `write` and `maintenance` (for `refresh: true`\noperations; we use
it to bulk update alerts) privileges for those\nindices.\n\nAlso, as
part of this PR, I realized that we would use `internal user`\n(which is
a `kibana_system` user behind the scene) to perform some of\nthe
operations (`findAttackDiscoveryAlerts`, `getAlertConnectorNames`\nand
`bulkUpdateAttackDiscoveryAlerts`) which should be performed with\nthe
current user rights instead. Those are fixed and we scope
elastic\nsearch operations to current user.\n\n### Testing\n\n#### 1.
Create a user and assign a role `with NO` index privileges for\nthe
above indices\n\n**Expected**:\n* User should not be able to see any
existing attack discovery alerts\n* User should not be able to generate
attack discoveries\n\n#### 2. Create a user and assign a role with
`read` index privileges for\nthe above indices\n\n**Expected**:\n* User
should be able to see existing attack discovery alerts\n* User should
not be able to generate attack discoveries via
\"Generate\"\nbutton\n\n#### 3. Create a user and assign a role with
`write` index privileges\nfor the above indices\n\n**Expected**:\n* User
should be able to see existing attack discovery alerts\n* User should
not be able to generate attack discoveries because the\n`maintenance`
privilege is missing\n\n#### 4. Create a user and assign a role with
`write` and `maintenance`\nindex privileges for the above
indices\n\n**Expected**:\n* User should be able to see existing attack
discovery alerts\n* User should be able to generate attack
discoveries\n\n## NOTES\n\nThe feature is hidden behind the feature flag
(in `kibana.dev.yml`):\n\n```\nfeature_flags.overrides:\n
securitySolution.attackDiscoveryAlertsEnabled: true\n
securitySolution.assistantAttackDiscoverySchedulingEnabled:
true\n```","sha":"d6eb939e00d4ee7400574a69f05c5375605d5099"}},"sourceBranch":"main","suggestedTargetBranches":["9.1","8.19"],"targetPullRequestStates":[{"branch":"9.1","label":"v9.1.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/226013","number":226013,"mergeCommit":{"message":"[Attack
Discovery][Scheduling] RBAC: Make sure we check Index privileges before
we allow user to access them (#226013)\n\n## Summary\n\nWith these
changes we make sure that we do an access control checks\nbefore the
user tries to perform operations on attack discovery
alerts\nindices:\n\n- `.alerts-security.attack.discovery.alerts`\n-
`.internal.alerts-security.attack.discovery.alerts`\n-
`.adhoc.alerts-security.attack.discovery.alerts`\n-
`.internal.adhoc.alerts-security.attack.discovery.alerts`\n\nTo be able
to fetch alerts use has to have `read` elastic search\nprivileges on the
above indices. To modify (create, update, delete)\nalerts user has to
have `write` and `maintenance` (for `refresh: true`\noperations; we use
it to bulk update alerts) privileges for those\nindices.\n\nAlso, as
part of this PR, I realized that we would use `internal user`\n(which is
a `kibana_system` user behind the scene) to perform some of\nthe
operations (`findAttackDiscoveryAlerts`, `getAlertConnectorNames`\nand
`bulkUpdateAttackDiscoveryAlerts`) which should be performed with\nthe
current user rights instead. Those are fixed and we scope
elastic\nsearch operations to current user.\n\n### Testing\n\n#### 1.
Create a user and assign a role `with NO` index privileges for\nthe
above indices\n\n**Expected**:\n* User should not be able to see any
existing attack discovery alerts\n* User should not be able to generate
attack discoveries\n\n#### 2. Create a user and assign a role with
`read` index privileges for\nthe above indices\n\n**Expected**:\n* User
should be able to see existing attack discovery alerts\n* User should
not be able to generate attack discoveries via
\"Generate\"\nbutton\n\n#### 3. Create a user and assign a role with
`write` index privileges\nfor the above indices\n\n**Expected**:\n* User
should be able to see existing attack discovery alerts\n* User should
not be able to generate attack discoveries because the\n`maintenance`
privilege is missing\n\n#### 4. Create a user and assign a role with
`write` and `maintenance`\nindex privileges for the above
indices\n\n**Expected**:\n* User should be able to see existing attack
discovery alerts\n* User should be able to generate attack
discoveries\n\n## NOTES\n\nThe feature is hidden behind the feature flag
(in `kibana.dev.yml`):\n\n```\nfeature_flags.overrides:\n
securitySolution.attackDiscoveryAlertsEnabled: true\n
securitySolution.assistantAttackDiscoverySchedulingEnabled:
true\n```","sha":"d6eb939e00d4ee7400574a69f05c5375605d5099"}}]}]
BACKPORT-->

Co-authored-by: Ievgen Sorokopud <[email protected]>

Author: kibanamachine

x-pack/solutions/security/plugins/elastic_assistant/server/__mocks__/request_context.ts

@@ -77,7 +77,7 @@ export const createMockClients = () => {
 type MockClients = ReturnType<typeof createMockClients>;
 
 export type ElasticAssistantRequestHandlerContextMock = MockedKeys<
-  AwaitedProperties<Omit<ElasticAssistantRequestHandlerContext, 'resolve'>>
+  AwaitedProperties<ElasticAssistantRequestHandlerContext>
 > & {
   core: MockClients['core'];
 };
@@ -94,6 +94,7 @@ const createRequestContextMock = (
     core: clients.core,
     elasticAssistant: createElasticAssistantRequestContextMock(clients),
     licensing: licensingMock.createRequestHandlerContext({ license }),
+    resolve: jest.fn(),
   };
 };
 
@@ -171,6 +172,7 @@ const createElasticAssistantRequestContextMock = (
     core: clients.core,
     savedObjectsClient: clients.elasticAssistant.savedObjectsClient,
     telemetry: clients.elasticAssistant.telemetry,
+    checkPrivileges: jest.fn(),
   };
 };
 

x-pack/solutions/security/plugins/elastic_assistant/server/__mocks__/test_adapters.ts

@@ -45,6 +45,8 @@ const buildResponses = (method: Method, calls: MockCall[]): ResponseCall[] => {
       }));
     case 'notFound':
       return calls.map(() => ({ status: 404, body: undefined }));
+    case 'forbidden':
+      return calls.map(([call]) => ({ status: 403, body: call.body }));
     default:
       throw new Error(`Encountered unexpected call to response.${method}`);
   }

x-pack/solutions/security/plugins/elastic_assistant/server/ai_assistant_data_clients/index.ts

@@ -100,7 +100,6 @@ export class AIAssistantDataClient {
     sortOrder,
     filter,
     fields,
-    index,
     aggs,
     mSearch,
   }: {
@@ -110,7 +109,6 @@ export class AIAssistantDataClient {
     sortOrder?: string;
     filter?: string;
     fields?: string[];
-    index?: string;
     aggs?: Record<string, estypes.AggregationsAggregationContainer>;
     mSearch?: {
       filter: string;
@@ -125,7 +123,7 @@ export class AIAssistantDataClient {
       perPage,
       filter,
       sortField,
-      index: index ?? this.indexTemplateAndPattern.alias,
+      index: this.indexTemplateAndPattern.alias,
       sortOrder: sortOrder as estypes.SortOrder,
       logger: this.options.logger,
       aggs,

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/persistence/index.ts

@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import type { estypes } from '@elastic/elasticsearch';
 import {
   type AttackDiscoveryAlert,
   type AttackDiscoveryCreateProps,
@@ -17,13 +18,14 @@ import {
   type PostAttackDiscoveryGenerationsDismissResponse,
 } from '@kbn/elastic-assistant-common';
 import { AuthenticatedUser } from '@kbn/core-security-common';
-import type { Logger } from '@kbn/core/server';
+import type { ElasticsearchClient, Logger } from '@kbn/core/server';
 import { IRuleDataClient } from '@kbn/rule-registry-plugin/server';
 
 import {
   AIAssistantDataClient,
   AIAssistantDataClientParams,
 } from '../../../ai_assistant_data_clients';
+import { findDocuments } from '../../../ai_assistant_data_clients/find';
 import { findAllAttackDiscoveries } from './find_all_attack_discoveries/find_all_attack_discoveries';
 import { combineFindAttackDiscoveryFilters } from './combine_find_attack_discovery_filters';
 import { findAttackDiscoveryByConnectorId } from './find_attack_discovery_by_connector_id/find_attack_discovery_by_connector_id';
@@ -145,6 +147,7 @@ export class AttackDiscoveryDataClient extends AIAssistantDataClient {
     alertIds,
     authenticatedUser,
     end,
+    esClient,
     ids,
     index,
     logger,
@@ -157,6 +160,7 @@ export class AttackDiscoveryDataClient extends AIAssistantDataClient {
     alertIds: string[] | undefined;
     authenticatedUser: AuthenticatedUser;
     end: string | undefined;
+    esClient: ElasticsearchClient;
     ids: string[] | undefined;
     index: string;
     logger: Logger;
@@ -182,14 +186,16 @@ export class AttackDiscoveryDataClient extends AIAssistantDataClient {
       filter: connectorsAggsFilter,
     });
 
-    const aggsResult = await this.findDocuments<AttackDiscoveryAlertDocument>({
+    const aggsResult = await findDocuments<AttackDiscoveryAlertDocument>({
       aggs,
+      esClient,
       filter: combinedConnectorsAggsFilter,
       index,
+      logger,
       page,
       perPage,
       sortField,
-      sortOrder,
+      sortOrder: sortOrder as estypes.SortOrder,
     });
 
     const { connectorNames } = transformSearchResponseToAlerts({
@@ -202,10 +208,12 @@ export class AttackDiscoveryDataClient extends AIAssistantDataClient {
 
   public findAttackDiscoveryAlerts = async ({
     authenticatedUser,
+    esClient,
     findAttackDiscoveryAlertsParams,
     logger,
   }: {
     authenticatedUser: AuthenticatedUser;
+    esClient: ElasticsearchClient;
     findAttackDiscoveryAlertsParams: FindAttackDiscoveryAlertsParams;
     logger: Logger;
   }): Promise<AttackDiscoveryFindResponse> => {
@@ -243,14 +251,16 @@ export class AttackDiscoveryDataClient extends AIAssistantDataClient {
       shared,
     });
 
-    const result = await this.findDocuments<AttackDiscoveryAlertDocument>({
+    const result = await findDocuments<AttackDiscoveryAlertDocument>({
       aggs,
+      esClient,
       filter: combinedFilter,
       index,
+      logger,
       page,
       perPage,
       sortField,
-      sortOrder,
+      sortOrder: sortOrder as estypes.SortOrder,
     });
 
     const { data, uniqueAlertIdsCount } = transformSearchResponseToAlerts({
@@ -262,6 +272,7 @@ export class AttackDiscoveryDataClient extends AIAssistantDataClient {
       alertIds,
       authenticatedUser,
       end,
+      esClient,
       ids,
       index,
       logger,
@@ -334,21 +345,21 @@ export class AttackDiscoveryDataClient extends AIAssistantDataClient {
 
   public bulkUpdateAttackDiscoveryAlerts = async ({
     authenticatedUser,
+    esClient,
     ids,
     kibanaAlertWorkflowStatus,
     logger,
     visibility,
   }: {
     authenticatedUser: AuthenticatedUser;
+    esClient: ElasticsearchClient;
     ids: string[];
     kibanaAlertWorkflowStatus?: 'acknowledged' | 'closed' | 'open';
     logger: Logger;
     visibility?: 'not_shared' | 'shared';
   }): Promise<AttackDiscoveryAlert[]> => {
     const PER_PAGE = 1000;
 
-    const esClient = await this.options.elasticsearchClientPromise;
-
     const indexPattern = this.getScheduledAndAdHocIndexPattern();
 
     if (ids.length === 0) {
@@ -403,6 +414,7 @@ export class AttackDiscoveryDataClient extends AIAssistantDataClient {
 
       const alertsResult = await this.findAttackDiscoveryAlerts({
         authenticatedUser,
+        esClient,
         findAttackDiscoveryAlertsParams: {
           ids,
           page: FIRST_PAGE,

x-pack/solutions/security/plugins/elastic_assistant/server/routes/attack_discovery/get/find_attack_discoveries.test.ts

@@ -7,49 +7,45 @@
 
 import type { KibanaRequest } from '@kbn/core-http-server';
 import { httpServiceMock, httpServerMock } from '@kbn/core-http-server-mocks';
-import { loggingSystemMock } from '@kbn/core-logging-server-mocks';
 
 import { findAttackDiscoveriesRoute } from './find_attack_discoveries';
 import * as helpers from '../../helpers';
+import { hasReadAttackDiscoveryAlertsPrivileges } from '../helpers/index_privileges';
 import { getMockAttackDiscoveryFindResponse } from '../../../__mocks__/attack_discovery_find_response';
 import { mockAuthenticatedUser } from '../../../__mocks__/mock_authenticated_user';
+import { requestContextMock } from '../../../__mocks__/request_context';
+import { AttackDiscoveryDataClient } from '../../../lib/attack_discovery/persistence';
 
 const mockAttackDiscoveryFindResponse = getMockAttackDiscoveryFindResponse();
 
+jest.mock('../helpers/index_privileges', () => {
+  const original = jest.requireActual('../helpers/index_privileges');
+
+  return {
+    ...original,
+    hasReadAttackDiscoveryAlertsPrivileges: jest.fn(),
+  };
+});
+
+const { context: mockContext } = requestContextMock.createTools();
+
 describe('findAttackDiscoveriesRoute', () => {
   let router: ReturnType<typeof httpServiceMock.createRouter>;
-  let mockContext: {
-    resolve: jest.Mock;
-    elasticAssistant: Promise<{
-      logger: ReturnType<typeof loggingSystemMock.createLogger>;
-      eventLogIndex: string;
-      getSpaceId: () => string;
-      getAttackDiscoveryDataClient: jest.Mock;
-    }>;
-  };
   let mockRequest: Partial<KibanaRequest<unknown, unknown, unknown>>;
   let mockResponse: ReturnType<typeof httpServerMock.createResponseFactory>;
   let mockDataClient: { findAttackDiscoveryAlerts: jest.Mock };
-  let mockLogger: ReturnType<typeof loggingSystemMock.createLogger>;
   let addVersionMock: jest.Mock;
   let getHandler: (ctx: unknown, req: unknown, res: unknown) => Promise<unknown>;
 
   beforeEach(() => {
     jest.clearAllMocks();
     router = httpServiceMock.createRouter();
-    mockLogger = loggingSystemMock.createLogger();
     mockDataClient = {
       findAttackDiscoveryAlerts: jest.fn().mockResolvedValue(mockAttackDiscoveryFindResponse),
     };
-    mockContext = {
-      resolve: jest.fn().mockResolvedValue({ core: {}, elasticAssistant: {}, licensing: {} }),
-      elasticAssistant: Promise.resolve({
-        logger: mockLogger,
-        eventLogIndex: 'event-log-index',
-        getSpaceId: () => 'default',
-        getAttackDiscoveryDataClient: jest.fn().mockResolvedValue(mockDataClient),
-      }),
-    };
+    mockContext.elasticAssistant.getAttackDiscoveryDataClient.mockResolvedValue(
+      mockDataClient as unknown as AttackDiscoveryDataClient
+    );
     mockRequest = {
       query: { page: 1, per_page: 10 },
     };
@@ -62,6 +58,9 @@ describe('findAttackDiscoveriesRoute', () => {
     (router.versioned.get as jest.Mock).mockReturnValue({ addVersion: addVersionMock });
     findAttackDiscoveriesRoute(router);
     getHandler = addVersionMock.mock.calls[0][1];
+    (hasReadAttackDiscoveryAlertsPrivileges as jest.Mock).mockResolvedValue({
+      isSuccess: true,
+    });
   });
 
   it('returns 200 and the expected discoveries on success', async () => {
@@ -100,6 +99,19 @@ describe('findAttackDiscoveriesRoute', () => {
     expect(result).toEqual({ status: 403, payload: { message: 'Forbidden' } });
   });
 
+  it('returns an error when hasReadAttackDiscoveryAlertsPrivileges fails', async () => {
+    (hasReadAttackDiscoveryAlertsPrivileges as jest.Mock).mockImplementation(({ response }) => {
+      return Promise.resolve({
+        isSuccess: false,
+        response: { status: 403, payload: { message: 'no privileges' } },
+      });
+    });
+
+    const result = await getHandler(mockContext, mockRequest, mockResponse);
+
+    expect(result).toEqual({ status: 403, payload: { message: 'no privileges' } });
+  });
+
   describe('when data client throws', () => {
     const thrownError = new Error('fail!');
 

x-pack/solutions/security/plugins/elastic_assistant/server/routes/attack_discovery/get/find_attack_discoveries.ts

@@ -18,6 +18,7 @@ import { buildRouteValidationWithZod } from '@kbn/zod-helpers';
 import { performChecks } from '../../helpers';
 import { buildResponse } from '../../../lib/build_response';
 import { ElasticAssistantRequestHandlerContext } from '../../../types';
+import { hasReadAttackDiscoveryAlertsPrivileges } from '../helpers/index_privileges';
 
 export const findAttackDiscoveriesRoute = (
   router: IRouter<ElasticAssistantRequestHandlerContext>
@@ -65,6 +66,15 @@ export const findAttackDiscoveriesRoute = (
           return checkResponse.response;
         }
 
+        // Perform alerts access check
+        const privilegesCheckResponse = await hasReadAttackDiscoveryAlertsPrivileges({
+          context: ctx,
+          response,
+        });
+        if (!privilegesCheckResponse.isSuccess) {
+          return privilegesCheckResponse.response;
+        }
+
         try {
           const { query } = request;
           const dataClient = await assistantContext.getAttackDiscoveryDataClient();
@@ -78,8 +88,12 @@ export const findAttackDiscoveriesRoute = (
 
           const currentUser = await checkResponse.currentUser;
 
+          // get an Elasticsearch client for the authenticated user:
+          const esClient = (await context.core).elasticsearch.client.asCurrentUser;
+
           const result = await dataClient.findAttackDiscoveryAlerts({
             authenticatedUser: currentUser,
+            esClient,
             findAttackDiscoveryAlertsParams: {
               alertIds: query.alert_ids,
               ids: query.ids,