Fixes bulk re-encryption for encrypted objects located in all spaces (#217625)

Closes #215534 ## Summary The Encrypted Saved Objects Key Rotation service makes use of the Saved Objects Bulk Update API to re-encrypt objects. Bulk update supports an optional 'namespace' parameter, per-object, defining the space to access a specific object. This allows objects outside of the current space to be affected in the update operation. The Key Rotation service leverages this optional parameter for each object to ensure that the re-encryption operation is not limited to the current space. However, should a multi-namespace encrypted object reside in all spaces, the only value in the object's namespaces property is the `ALL_NAMESPACES_STRING` constant '*'. As this is not a valid single namespace, the Bulk Update operation will skip updating the object. PR resolves the issue by only providing a object namespace for objects that do not reside in all spaces. Objects that reside in all spaces can be accessed from the current space without the need for an override. This PR also updates unit tests to account for this case. ### Testing - [x] Set the encrypted saved objects encryption key to a known value (either in kibana.yml or kibana.dev.yml). For example: ``` xpack.encryptedSavedObjects: encryptionKey: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ``` - [x] Start ES & Kibana - [x] You will need to set up a Fleet agent policy and create a synthetics location and monitor. The UI will guide you through this when you navigate to Observability -> Synthetics - [x] Create a synthetics parameter, Observability -> Synthetics -> Settings, Global Parameters tab. Use anything for a value, but be sure to check the `Share across spaces` option. - [x] Update the kibana config to change the encryption key, and use the old key as a decryption-only key ``` xpack.encryptedSavedObjects: encryptionKey: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" keyRotation: decryptionOnlyKeys: ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"] ``` - [x] Wait for Kibana to restart - [x] Call the key rotation HTTP API as a privileged user (I just used the `elastic` superuser account) `[you_kibana_endpoint]/api/encrypted_saved_objects/_rotate_key?type=synthetics-param` - [x] Verify that 1 out of 1 objects were processed with 0 failures. - [x] Repeat these steps from Main and note that 0 of 1 objects succeeded, and there is 1 failure ### Release Note Fixes an issue where the Saved Objects Rotate Encryption Key API would not affect sharable encrypted object types that exist in all spaces. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-04-19 15:35:00 -04:00 · 2025-04-14 21:20:38 +02:00 · 2025-04-14 21:20:38 +02:00 · 1176625dca
commit 1176625dca
parent 7dcb22bdec
3 changed files with 24 additions and 9 deletions
--- a/x-pack/platform/plugins/shared/encrypted_saved_objects/server/crypto/encryption_key_rotation_service.test.ts
+++ b/x-pack/platform/plugins/shared/encrypted_saved_objects/server/crypto/encryption_key_rotation_service.test.ts
@ -63,8 +63,11 @@ beforeEach(() => {
    { name: 'type-id-4', namespaceType: 'multiple', mappings: { properties: {} }, hidden: true },
    { name: 'type-id-5', namespaceType: 'single', mappings: { properties: {} }, hidden: false },
    { name: 'type-id-6', namespaceType: 'single', mappings: { properties: {} }, hidden: true },
+    { name: 'type-id-7', namespaceType: 'multiple', mappings: { properties: {} }, hidden: false },
  ]);
-  typeRegistryMock.isSingleNamespace.mockImplementation((type) => type !== 'type-id-4');
+  typeRegistryMock.isSingleNamespace.mockImplementation(
+    (type) => type !== 'type-id-4' && type !== 'type-id-7'
+  );
  mockSavedObjects.getTypeRegistry.mockReturnValue(typeRegistryMock);

  mockRetrieveClient = savedObjectsClientMock.create();
@ -125,7 +128,7 @@ it('does not perform rotation if there are no Saved Objects to process', async (

  expect(mockRetrieveClient.find).toHaveBeenCalledTimes(1);
  expect(mockRetrieveClient.find).toHaveBeenCalledWith({
-    type: ['type-id-1', 'type-id-2', 'type-id-4', 'type-id-5'],
+    type: ['type-id-1', 'type-id-2', 'type-id-4', 'type-id-5', 'type-id-7'],
    perPage: 12345,
    namespaces: ['*'],
    sortField: 'updated_at',
@ -200,11 +203,12 @@ it('properly rotates encryption key', async () => {
    getMockSavedObject({ id: 'id-1' }),
    getMockSavedObject({ id: 'id-2', namespaces: ['ns-1'] }),
    getMockSavedObject({ id: 'id-4', namespaces: ['ns-2', 'ns-3'] }),
+    getMockSavedObject({ id: 'id-7', namespaces: ['*'] }),
  ];
  mockRetrieveClient.find.mockResolvedValue({
-    total: 3,
+    total: 4,
    saved_objects: savedObjects,
-    per_page: 3,
+    per_page: 4,
    page: 0,
  });
  mockUpdateClient.bulkUpdate.mockResolvedValue({
@ -214,12 +218,12 @@ it('properly rotates encryption key', async () => {
  await expect(
    service.rotate(httpServerMock.createKibanaRequest(), { batchSize: 12345 })
  ).resolves.toEqual({
-    total: 3,
-    successful: 3,
+    total: 4,
+    successful: 4,
    failed: 0,
  });

-  expect(mockEncryptionService.decryptAttributes).toHaveBeenCalledTimes(3);
+  expect(mockEncryptionService.decryptAttributes).toHaveBeenCalledTimes(4);
  expect(mockEncryptionService.decryptAttributes).toHaveBeenCalledWith(
    { type: 'type-id-1', id: 'id-1' },
    { attr: 'attr-id-1' },
@ -235,12 +239,18 @@ it('properly rotates encryption key', async () => {
    { attr: 'attr-id-4' },
    { omitPrimaryEncryptionKey: true }
  );
+  expect(mockEncryptionService.decryptAttributes).toHaveBeenCalledWith(
+    { type: 'type-id-7', id: 'id-7' },
+    { attr: 'attr-id-7' },
+    { omitPrimaryEncryptionKey: true }
+  );

  expect(mockUpdateClient.bulkUpdate).toHaveBeenCalledTimes(1);
  expect(mockUpdateClient.bulkUpdate).toHaveBeenCalledWith([
    { ...savedObjects[0], attributes: { attr: 'decrypted-attr-id-1' } },
    { ...savedObjects[1], namespace: 'ns-1', attributes: { attr: 'decrypted-attr-id-2' } },
    { ...savedObjects[2], namespace: 'ns-2', attributes: { attr: 'decrypted-attr-id-4' } },
+    { ...savedObjects[3], attributes: { attr: 'decrypted-attr-id-7' } },
  ]);
 });

--- a/x-pack/platform/plugins/shared/encrypted_saved_objects/server/crypto/encryption_key_rotation_service.ts
+++ b/x-pack/platform/plugins/shared/encrypted_saved_objects/server/crypto/encryption_key_rotation_service.ts
@ -14,6 +14,7 @@ import type {
  StartServicesAccessor,
 } from '@kbn/core/server';
 import { ENCRYPTION_EXTENSION_ID } from '@kbn/core-saved-objects-server';
+import { ALL_NAMESPACES_STRING } from '@kbn/core-saved-objects-utils-server';
 import type { AuthenticatedUser } from '@kbn/core-security-common';
 import type { PublicMethodsOf } from '@kbn/utility-types';

@ -258,11 +259,14 @@ export class EncryptionKeyRotationService {
        continue;
      }

+      const firstNamespace = savedObject.namespaces?.[0];
+
      decryptedSavedObjects.push({
        ...savedObject,
        attributes: decryptedAttributes,
-        // `bulkUpdate` expects objects with a single `namespace`.
-        namespace: savedObject.namespaces?.[0],
+        // The optional object namespace for `bulkUpdate` is used to affect objects outside of the current space
+        // '*' is an invalid option, and if the object exists in all spaces, we don't need to set the namespace
+        namespace: firstNamespace !== ALL_NAMESPACES_STRING ? firstNamespace : undefined,
      });
    }

--- a/x-pack/platform/plugins/shared/encrypted_saved_objects/tsconfig.json
+++ b/x-pack/platform/plugins/shared/encrypted_saved_objects/tsconfig.json
@ -16,6 +16,7 @@
    "@kbn/test-jest-helpers",
    "@kbn/config",
    "@kbn/encrypted-saved-objects-shared",
+    "@kbn/core-saved-objects-utils-server",
  ],
  "exclude": [
    "target/**/*",