[Security GenAI] Fetching Assistant Knowledge Base fails when current…

… user's username contains a : character (#11159) (#200131) ## Summary Original bug: [internal link](elastic/security-team#11159) **This PR fixes the next bug**: When the user is logged in with a username that contains a `:` character, fetching Knowlege Base entries fails with an error. This is preventing customers from viewing their created KB entries. This problem affects ECE customers using the SSO login option. There were a similar bugfix which inspired this one #181709 There is no easy way to reproduce this but you can try and change the line in question so that the faulty username is used instead of the one passed in. @MadameSheema Do you know a way to login locally with the username that contains a `:` character? As mentioned above this situation is possible with the ECE customers using SSO login. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <[email protected]>
elastic · Nov 18, 2024 · aa0dcdc · aa0dcdc
1 parent 5ab39e5
commit aa0dcdc
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 1 deletion.
diff --git a/x-pack/plugins/elastic_assistant/server/routes/knowledge_base/entries/utils.test.ts b/x-pack/plugins/elastic_assistant/server/routes/knowledge_base/entries/utils.test.ts
@@ -0,0 +1,43 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { AuthenticatedUser } from '@kbn/core-security-common';
+import { getKBUserFilter } from './utils';
+
+describe('Utils', () => {
+  describe('getKBUserFilter', () => {
+    it('should return global filter when user is null', () => {
+      const filter = getKBUserFilter(null);
+      expect(filter).toEqual('(NOT users: {name:* OR id:* })');
+    });
+
+    it('should return global filter when `username` and `profile_uid` are undefined', () => {
+      const filter = getKBUserFilter({} as AuthenticatedUser);
+      expect(filter).toEqual('(NOT users: {name:* OR id:* })');
+    });
+
+    it('should return global filter when `username` is undefined', () => {
+      const filter = getKBUserFilter({ profile_uid: 'fake_user_id' } as AuthenticatedUser);
+      expect(filter).toEqual('(NOT users: {name:* OR id:* } OR users: {id: fake_user_id})');
+    });
+
+    it('should return global filter when `profile_uid` is undefined', () => {
+      const filter = getKBUserFilter({ username: 'user1' } as AuthenticatedUser);
+      expect(filter).toEqual('(NOT users: {name:* OR id:* } OR users: {name: "user1"})');
+    });
+
+    it('should return global filter when `username` has semicolon', () => {
+      const filter = getKBUserFilter({
+        username: 'user:1',
+        profile_uid: 'fake_user_id',
+      } as AuthenticatedUser);
+      expect(filter).toEqual(
+        '(NOT users: {name:* OR id:* } OR (users: {name: "user:1"} OR users: {id: fake_user_id}))'
+      );
+    });
+  });
+});
diff --git a/x-pack/plugins/elastic_assistant/server/routes/knowledge_base/entries/utils.ts b/x-pack/plugins/elastic_assistant/server/routes/knowledge_base/entries/utils.ts
@@ -11,7 +11,7 @@ export const getKBUserFilter = (user: AuthenticatedUser | null) => {
   // Only return the current users entries and all other global entries (where user[] is empty)
   const globalFilter = 'NOT users: {name:* OR id:* }';
 
-  const nameFilter = user?.username ? `users: {name: ${user?.username}}` : '';
+  const nameFilter = user?.username ? `users: {name: "${user?.username}"}` : '';
   const idFilter = user?.profile_uid ? `users: {id: ${user?.profile_uid}}` : '';
   const userFilter =
     user?.username && user?.profile_uid