[Fleet] Use correctly space scoped SO client when tagging saved objects (#173860)

x-pack/plugins/fleet/server/services/app_context.ts

@@ -16,6 +16,8 @@ import type {
   KibanaRequest,
 } from '@kbn/core/server';
 
+import { CoreKibanaRequest } from '@kbn/core/server';
+
 import type { PluginStart as DataPluginStart } from '@kbn/data-plugin/server';
 import type {
   EncryptedSavedObjectsClient,
@@ -25,7 +27,7 @@ import type {
 import type { SecurityPluginStart, SecurityPluginSetup } from '@kbn/security-plugin/server';
 
 import type { CloudSetup } from '@kbn/cloud-plugin/server';
-
+import { DEFAULT_SPACE_ID } from '@kbn/spaces-plugin/common';
 import type { SavedObjectTaggingStart } from '@kbn/saved-objects-tagging-plugin/server';
 
 import { SECURITY_EXTENSION_ID } from '@kbn/core-saved-objects-server';
@@ -172,6 +174,23 @@ class AppContextService {
     }
     return this.savedObjectsTagging;
   }
+  public getInternalUserSOClientForSpaceId(spaceId?: string) {
+    const request = CoreKibanaRequest.from({
+      headers: {},
+      path: '/',
+      route: { settings: {} },
+      url: { href: '', hash: '' } as URL,
+      raw: { req: { url: '/' } } as any,
+    });
+    if (this.httpSetup && spaceId && spaceId !== DEFAULT_SPACE_ID) {
+      this.httpSetup?.basePath.set(request, `/s/${spaceId}`);
+    }
+
+    // soClient as kibana internal users, be careful on how you use it, security is not enabled
+    return appContextService.getSavedObjects().getScopedClient(request, {
+      excludedExtensions: [SECURITY_EXTENSION_ID],
+    });
+  }
 
   public getInternalUserSOClient(request: KibanaRequest) {
     // soClient as kibana internal users, be careful on how you use it, security is not enabled

x-pack/plugins/fleet/server/services/epm/packages/install.test.ts

@@ -28,6 +28,11 @@ import * as obj from '.';
 
 jest.mock('../../app_context', () => {
   const logger = { error: jest.fn(), debug: jest.fn(), warn: jest.fn(), info: jest.fn() };
+  const mockedSavedObjectTagging = {
+    createInternalAssignmentService: jest.fn(),
+    createTagClient: jest.fn(),
+  };
+
   return {
     appContextService: {
       getLogger: jest.fn(() => {
@@ -38,13 +43,12 @@ jest.mock('../../app_context', () => {
         createImporter: jest.fn(),
       })),
       getConfig: jest.fn(() => ({})),
-      getSavedObjectsTagging: jest.fn(() => ({
-        createInternalAssignmentService: jest.fn(),
-        createTagClient: jest.fn(),
-      })),
+      getSavedObjectsTagging: jest.fn(() => mockedSavedObjectTagging),
+      getInternalUserSOClientForSpaceId: jest.fn(),
     },
   };
 });
+
 jest.mock('.');
 jest.mock('../registry', () => {
   return {
@@ -145,6 +149,7 @@ describe('install', () => {
 
     mockGetBundledPackageByPkgKey.mockReset();
     (install._installPackage as jest.Mock).mockClear();
+    jest.mocked(appContextService.getInternalUserSOClientForSpaceId).mockReset();
   });
 
   describe('registry', () => {
@@ -348,6 +353,38 @@ describe('install', () => {
 
       expect(response.status).toEqual('installed');
     });
+
+    it('should use a scopped to package space soClient for tagging', async () => {
+      const mockedTaggingSo = savedObjectsClientMock.create();
+      jest
+        .mocked(appContextService.getInternalUserSOClientForSpaceId)
+        .mockReturnValue(mockedTaggingSo);
+      jest
+        .spyOn(obj, 'getInstallationObject')
+        .mockImplementationOnce(() => Promise.resolve({ attributes: { version: '1.2.0' } } as any));
+      jest.spyOn(licenseService, 'hasAtLeast').mockReturnValue(true);
+      await installPackage({
+        spaceId: 'test',
+        installSource: 'registry',
+        pkgkey: 'apache-1.3.0',
+        savedObjectsClient: savedObjectsClientMock.create(),
+        esClient: {} as ElasticsearchClient,
+      });
+
+      expect(appContextService.getInternalUserSOClientForSpaceId).toBeCalledWith('test');
+      expect(appContextService.getSavedObjectsTagging().createTagClient).toBeCalledWith(
+        expect.objectContaining({
+          client: mockedTaggingSo,
+        })
+      );
+      expect(
+        appContextService.getSavedObjectsTagging().createInternalAssignmentService
+      ).toBeCalledWith(
+        expect.objectContaining({
+          client: mockedTaggingSo,
+        })
+      );
+    });
   });
 
   describe('upload', () => {

x-pack/plugins/fleet/server/services/epm/packages/install.ts

@@ -578,13 +578,16 @@ async function installPackageCommon(options: {
       .getSavedObjects()
       .createImporter(savedObjectsClient, { importSizeLimit: 15_000 });
 
+    // Saved object client need to be scopped with the package space for saved object tagging
+    const savedObjectClientWithSpace = appContextService.getInternalUserSOClientForSpaceId(spaceId);
+
     const savedObjectTagAssignmentService = appContextService
       .getSavedObjectsTagging()
-      .createInternalAssignmentService({ client: savedObjectsClient });
+      .createInternalAssignmentService({ client: savedObjectClientWithSpace });
 
     const savedObjectTagClient = appContextService
       .getSavedObjectsTagging()
-      .createTagClient({ client: savedObjectsClient });
+      .createTagClient({ client: savedObjectClientWithSpace });
 
     // try installing the package, if there was an error, call error handler and rethrow
     // @ts-expect-error status is string instead of InstallResult.status 'installed' | 'already_installed'