Enforce standards on the ApiAction definition by separating actions and subjects. This will ensure consistent naming conventions and make it easier to trace and monitor authorization failures.
The new standard should replace direct string usage for actions with a defined ApiOperation enum, which will prevent naming inconsistencies across the codebase.
Example Transformation:
```ts
// Before: ad-hoc strings, inconsistent separators and operation/subject order
actions.api.get('create-space');
actions.api.get('space_read');
actions.api.get('user_get');

// After: a fixed operation enum plus a separate subject
enum ApiOperation {
  Read = 'read',
  Create = 'create',
  Update = 'update',
  Delete = 'delete',
}

actions.api.get(ApiOperation.Read, 'space');
actions.api.get(ApiOperation.Create, 'space');
actions.api.get(ApiOperation.Read, 'user');
```
```ts
// x-pack/plugins/security/server/authorization/actions/api.ts

// From this
public get(operation: string) {
  if (!operation || !isString(operation)) {
    throw new Error('operation is required and must be a string');
  }
  return `${this.prefix}${operation}`;
}

// To this
// Checks the enum *values* ('read', 'create', ...). A plain
// `operation in ApiOperation` would test the keys ('Read', 'Create', ...)
// and reject every value actually passed at runtime.
const isValidOperation = (operation: string): operation is ApiOperation =>
  (Object.values(ApiOperation) as string[]).includes(operation);

public get(operation: ApiOperation, subject: string) {
  if (!isValidOperation(operation)) {
    throw new Error('operation is required and must be a valid ApiOperation');
  }
  if (!subject || !isString(subject)) {
    throw new Error('subject is required and must be a string');
  }
  return `${this.prefix}${operation}_${subject}`;
}
```
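As an added example (not Kibana's own code) of what the operation/subject split buys for tracing: a small `ApiActions` class with the validated `get`, an inverse `parse` that recovers operation and subject from an action string, and a `deniedBySubject` helper that groups denied actions per subject. The `api:` prefix value, `parse` and `deniedBySubject` are assumptions for illustration.

```typescript
// Added example, not Kibana's code. The 'api:' prefix, parse() and
// deniedBySubject() are assumptions used to illustrate the proposal.
enum ApiOperation {
  Read = 'read',
  Create = 'create',
  Update = 'update',
  Delete = 'delete',
}

const OPERATIONS = new Set<string>(Object.values(ApiOperation));

// Type guard over enum values: 'read' is valid, the key 'Read' is not.
const isValidOperation = (operation: string): operation is ApiOperation =>
  OPERATIONS.has(operation);

class ApiActions {
  constructor(private readonly prefix: string = 'api:') {}

  public get(operation: ApiOperation, subject: string): string {
    if (!isValidOperation(operation)) {
      throw new Error('operation is required and must be a valid ApiOperation');
    }
    if (!subject || typeof subject !== 'string') {
      throw new Error('subject is required and must be a string');
    }
    return `${this.prefix}${operation}_${subject}`;
  }

  // Inverse of get(). Operations never contain '_', so splitting on the first
  // '_' is unambiguous even when the subject itself contains underscores.
  public parse(action: string): { operation: ApiOperation; subject: string } | null {
    if (!action.startsWith(this.prefix)) return null;
    const rest = action.slice(this.prefix.length);
    const sep = rest.indexOf('_');
    if (sep <= 0 || sep === rest.length - 1) return null;
    const operation = rest.slice(0, sep);
    const subject = rest.slice(sep + 1);
    return isValidOperation(operation) ? { operation, subject } : null;
  }
}

// Count denied actions per subject, e.g. from an audit log, so failures can
// be monitored by resource rather than by raw action string.
function deniedBySubject(actions: ApiActions, denied: string[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const a of denied) {
    const parsed = actions.parse(a);
    const key = parsed ? parsed.subject : 'unparseable';
    counts[key] = (counts[key] ?? 0) + 1;
  }
  return counts;
}
```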