make endpointArtifactManagement product feature offer specific with own role migrations

2025-06-27 18:51:07 -04:00 · 2025-06-20 01:55:03 +02:00 · 2025-06-20 01:55:03 +02:00 · 1c31f56b43
commit 1c31f56b43
parent de05a3b167
6 changed files with 145 additions and 54 deletions
--- a/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts
+++ b/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts
@ -126,16 +126,6 @@ export const securityDefaultProductFeaturesConfig: DefaultSecurityProductFeature
  // Adds no additional kibana feature controls
  [ProductFeatureSecurityKey.endpointPolicyProtections]: {},

-  [ProductFeatureSecurityKey.endpointArtifactManagement]: {
-    subFeatureIds: [
-      SecuritySubFeatureId.hostIsolationExceptionsBasic,
-      SecuritySubFeatureId.trustedApplications,
-      SecuritySubFeatureId.blocklist,
-      SecuritySubFeatureId.eventFilters,
-      SecuritySubFeatureId.globalArtifactManagement,
-    ],
-  },
-
  // Endpoint Complete Tier:
  // Allows access to create/update HIEs
  [ProductFeatureSecurityKey.endpointHostIsolationExceptions]: {
--- a/x-pack/solutions/security/packages/features/src/security/types.ts
+++ b/x-pack/solutions/security/packages/features/src/security/types.ts
@ -22,6 +22,7 @@ export interface SecurityFeatureParams {

 export type DefaultSecurityProductFeaturesConfig = Omit<
  Record<ProductFeatureSecurityKey, ProductFeatureKibanaConfig<SecuritySubFeatureId>>,
-  ProductFeatureSecurityKey.endpointExceptions
+  | ProductFeatureSecurityKey.endpointExceptions
+  | ProductFeatureSecurityKey.endpointArtifactManagement
  // | add not generic security app features here
 >;
--- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts
+++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts
@ -93,31 +93,14 @@ export const getSecurityBaseKibanaFeature = ({
        default: [
          { feature: TIMELINE_FEATURE_ID, privileges: ['all'] },
          { feature: NOTES_FEATURE_ID, privileges: ['all'] },
-          {
-            feature: SECURITY_FEATURE_ID_V3,
-            privileges: [
-              // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user.
-              'minimal_all',
-
-              // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
-              // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
-              // This migration is for Endpoint Exceptions artifact in ESS offering, as it included in Security:ALL privilege.
-              'global_artifact_management_all',
-            ],
-          },
+          // note: overriden by product feature endpointArtifactManagement when enabled
+          { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] },
        ],
        minimal: [
          { feature: TIMELINE_FEATURE_ID, privileges: ['all'] },
          { feature: NOTES_FEATURE_ID, privileges: ['all'] },
-          {
-            feature: SECURITY_FEATURE_ID_V3,
-            privileges: [
-              'minimal_all',
-
-              // See above.
-              'global_artifact_management_all',
-            ],
-          },
+          // note: overriden by product feature endpointArtifactManagement when enabled
+          { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_all'] },
        ],
      },
      app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],
--- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts
+++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts
@ -90,29 +90,12 @@ export const getSecurityV2BaseKibanaFeature = ({
    all: {
      replacedBy: {
        default: [
-          {
-            feature: SECURITY_FEATURE_ID_V3,
-            privileges: [
-              // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user.
-              'minimal_all',
-
-              // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
-              // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
-              // This migration is for Endpoint Exceptions artifact in ESS offering, as it included in Security:ALL privilege.
-              'global_artifact_management_all',
-            ],
-          },
+          // note: overriden by product feature endpointArtifactManagement when enabled
+          { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] },
        ],
        minimal: [
-          {
-            feature: SECURITY_FEATURE_ID_V3,
-            privileges: [
-              'minimal_all',
-
-              // See above.
-              'global_artifact_management_all',
-            ],
-          },
+          // note: overriden by product feature endpointArtifactManagement when enabled
+          { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_all'] },
        ],
      },
      app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],
--- a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts
+++ b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts
@ -11,7 +11,7 @@ import type {
 } from '@kbn/security-solution-features';
 import {
  ProductFeatureSecurityKey,
-  type SecuritySubFeatureId,
+  SecuritySubFeatureId,
 } from '@kbn/security-solution-features/keys';
 import {
  securityDefaultProductFeaturesConfig,
@ -21,6 +21,7 @@ import {
  ProductFeaturesPrivilegeId,
  ProductFeaturesPrivileges,
 } from '@kbn/security-solution-features/privileges';
+import { SECURITY_FEATURE_ID_V3 } from '@kbn/security-solution-features/constants';

 export const getSecurityProductFeaturesConfigurator =
  (enabledProductFeatureKeys: ProductFeatureKeys) => (): ProductFeaturesSecurityConfig => {
@ -47,4 +48,77 @@ const securityProductFeaturesConfig: Record<
  [ProductFeatureSecurityKey.endpointExceptions]: {
    privileges: ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions],
  },
+
+  [ProductFeatureSecurityKey.endpointArtifactManagement]: {
+    subFeatureIds: [
+      SecuritySubFeatureId.hostIsolationExceptionsBasic,
+      SecuritySubFeatureId.trustedApplications,
+      SecuritySubFeatureId.blocklist,
+      SecuritySubFeatureId.eventFilters,
+      SecuritySubFeatureId.globalArtifactManagement,
+    ],
+
+    baseFeatureConfigModifier: (baseFeatureConfig) => {
+      if (
+        !['siem', 'siemV2'].includes(baseFeatureConfig.id) ||
+        !baseFeatureConfig.privileges?.all.replacedBy ||
+        !('default' in baseFeatureConfig.privileges.all.replacedBy)
+      ) {
+        return baseFeatureConfig;
+      }
+
+      return {
+        ...baseFeatureConfig,
+        privileges: {
+          ...baseFeatureConfig.privileges,
+
+          all: {
+            ...baseFeatureConfig.privileges.all,
+
+            // overwriting siem:ALL role migration in siem and siemV2
+            replacedBy: {
+              default: baseFeatureConfig.privileges.all.replacedBy.default.map(
+                (privilegesPreference) => {
+                  if (privilegesPreference.feature === SECURITY_FEATURE_ID_V3) {
+                    return {
+                      feature: SECURITY_FEATURE_ID_V3,
+                      privileges: [
+                        // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user.
+                        'minimal_all',
+
+                        // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
+                        // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
+                        // This migration is for Endpoint Exceptions artifact in ESS offering, as it included in Security:ALL privilege.
+                        'global_artifact_management_all',
+                      ],
+                    };
+                  }
+
+                  return privilegesPreference;
+                }
+              ),
+
+              minimal: baseFeatureConfig.privileges.all.replacedBy.minimal.map(
+                (privilegesPreference) => {
+                  if (privilegesPreference.feature === SECURITY_FEATURE_ID_V3) {
+                    return {
+                      feature: SECURITY_FEATURE_ID_V3,
+                      privileges: [
+                        'minimal_all',
+
+                        // on ESS, Endpoint Exception ALL is included in siem:MINIMAL_ALL
+                        'global_artifact_management_all',
+                      ],
+                    };
+                  }
+
+                  return privilegesPreference;
+                }
+              ),
+            },
+          },
+        },
+      };
+    },
+  },
 };
--- a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts
+++ b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts
@ -17,6 +17,7 @@ import {
  ProductFeatureSecurityKey,
  SecuritySubFeatureId,
 } from '@kbn/security-solution-features/keys';
+import { SECURITY_FEATURE_ID_V3 } from '@kbn/security-solution-features/constants';
 import type { ExperimentalFeatures } from '../../common/experimental_features';

 export const getSecurityProductFeaturesConfigurator =
@ -48,4 +49,63 @@ const securityProductFeaturesConfig: Record<
  [ProductFeatureSecurityKey.endpointExceptions]: {
    subFeatureIds: [SecuritySubFeatureId.endpointExceptions],
  },
+
+  [ProductFeatureSecurityKey.endpointArtifactManagement]: {
+    subFeatureIds: [
+      SecuritySubFeatureId.hostIsolationExceptionsBasic,
+      SecuritySubFeatureId.trustedApplications,
+      SecuritySubFeatureId.blocklist,
+      SecuritySubFeatureId.eventFilters,
+      SecuritySubFeatureId.globalArtifactManagement,
+    ],
+
+    baseFeatureConfigModifier: (baseFeatureConfig) => {
+      if (
+        !['siem', 'siemV2'].includes(baseFeatureConfig.id) ||
+        !baseFeatureConfig.privileges?.all.replacedBy ||
+        !('default' in baseFeatureConfig.privileges.all.replacedBy)
+      ) {
+        return baseFeatureConfig;
+      }
+
+      return {
+        ...baseFeatureConfig,
+        privileges: {
+          ...baseFeatureConfig.privileges,
+
+          all: {
+            ...baseFeatureConfig.privileges.all,
+
+            // overwriting siem:ALL role migration in siem and siemV2
+            replacedBy: {
+              ...baseFeatureConfig.privileges.all.replacedBy,
+
+              default: baseFeatureConfig.privileges.all.replacedBy.default.map(
+                (privilegesPreference) => {
+                  if (privilegesPreference.feature === SECURITY_FEATURE_ID_V3) {
+                    return {
+                      feature: SECURITY_FEATURE_ID_V3,
+                      privileges: [
+                        // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user.
+                        'minimal_all',
+
+                        // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
+                        // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
+                        // This migration is for Endpoint Exceptions artifact in Serverless offering, as it included in Security:ALL privilege.
+                        'global_artifact_management_all',
+                      ],
+                    };
+                  }
+
+                  return privilegesPreference;
+                }
+              ),
+            },
+
+            // minimal_all is not overwritten, as it does not includes Endpoint Exceptions ALL.
+          },
+        },
+      };
+    },
+  },
 };