[Security Solution][Endpoint] Use internal kibana client to write to ES system indices (#121642) (#122026)

* use kibana_system to write to system indices

refs elastic/security-team/issues/2494

* also use `kibana_system` for reads on system indices

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

Co-authored-by: Ashokaditya <1849116+ashokaditya@users.noreply.github.com>

x-pack/plugins/security_solution/server/endpoint/routes/actions/audit_log.test.ts

@@ -235,7 +235,7 @@ describe('Action Log API', () => {
         hasFleetResponses?: boolean;
         hasResponses?: boolean;
       }) => {
-        esClientMock.asCurrentUser.search = jest.fn().mockImplementationOnce(() => {
+        esClientMock.asInternalUser.search = jest.fn().mockImplementationOnce(() => {
           let actions: Results[] = [];
           let fleetActions: Results[] = [];
           let responses: Results[] = [];
@@ -281,7 +281,7 @@ describe('Action Log API', () => {
       };
 
       havingErrors = () => {
-        esClientMock.asCurrentUser.search = jest.fn().mockImplementationOnce(() =>
+        esClientMock.asInternalUser.search = jest.fn().mockImplementationOnce(() =>
           Promise.resolve(() => {
             throw new Error();
           })

x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.test.ts

@@ -223,10 +223,6 @@ describe('Host Isolation', () => {
             Promise.resolve({ body: legacyMetadataSearchResponseMock(searchResponse) })
           );
 
-        if (indexExists) {
-          ctx.core.elasticsearch.client.asCurrentUser.index = mockIndexResponse;
-        }
-
         ctx.core.elasticsearch.client.asInternalUser.index = mockIndexResponse;
         ctx.core.elasticsearch.client.asCurrentUser.search = mockSearchResponse;
 
@@ -372,13 +368,12 @@ describe('Host Isolation', () => {
           },
           { endpointDsExists: true }
         );
+
+        const indexDoc = ctx.core.elasticsearch.client.asInternalUser.index;
         const actionDocs: [
           { index: string; body: LogsEndpointAction },
           { index: string; body: EndpointAction }
-        ] = [
-          (ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock).mock.calls[0][0],
-          (ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock).mock.calls[1][0],
-        ];
+        ] = [(indexDoc as jest.Mock).mock.calls[0][0], (indexDoc as jest.Mock).mock.calls[1][0]];
 
         expect(actionDocs[0].index).toEqual(ENDPOINT_ACTIONS_INDEX);
         expect(actionDocs[1].index).toEqual(AGENT_ACTIONS_INDEX);
@@ -394,13 +389,11 @@ describe('Host Isolation', () => {
           },
           { endpointDsExists: true }
         );
+        const indexDoc = ctx.core.elasticsearch.client.asInternalUser.index;
         const actionDocs: [
           { index: string; body: LogsEndpointAction },
           { index: string; body: EndpointAction }
-        ] = [
-          (ctx.core.elasticsearch.client.asCurrentUser.index as jest.Mock).mock.calls[0][0],
-          (ctx.core.elasticsearch.client.asInternalUser.index as jest.Mock).mock.calls[1][0],
-        ];
+        ] = [(indexDoc as jest.Mock).mock.calls[0][0], (indexDoc as jest.Mock).mock.calls[1][0]];
 
         expect(actionDocs[0].index).toEqual(ENDPOINT_ACTIONS_INDEX);
         expect(actionDocs[1].index).toEqual(AGENT_ACTIONS_INDEX);

x-pack/plugins/security_solution/server/endpoint/routes/actions/isolation.ts

@@ -73,7 +73,8 @@ const createFailedActionResponseEntry = async ({
   doc: LogsEndpointActionResponse;
   logger: Logger;
 }): Promise<void> => {
-  const esClient = context.core.elasticsearch.client.asCurrentUser;
+  // 8.0+ requires internal user to write to system indices
+  const esClient = context.core.elasticsearch.client.asInternalUser;
   try {
     await esClient.index<LogsEndpointActionResponse>({
       index: `${ENDPOINT_ACTION_RESPONSES_DS}-default`,
@@ -175,11 +176,14 @@ export const isolationRequestHandler = function (
       logger,
       dataStreamName: ENDPOINT_ACTIONS_DS,
     });
+
+    // 8.0+ requires internal user to write to system indices
+    const esClient = context.core.elasticsearch.client.asInternalUser;
+
     // if the new endpoint indices/data streams exists
-    // write the action request to the new index as the current user
+    // write the action request to the new endpoint index
     if (doesLogsEndpointActionsDsExist) {
       try {
-        const esClient = context.core.elasticsearch.client.asCurrentUser;
         logsEndpointActionsResult = await esClient.index<LogsEndpointAction>({
           index: `${ENDPOINT_ACTIONS_DS}-default`,
           body: {
@@ -202,10 +206,8 @@ export const isolationRequestHandler = function (
       }
     }
 
+    // write actions to .fleet-actions index
     try {
-      const esClient = context.core.elasticsearch.client.asInternalUser;
-      // write as the internal user if the new indices do not exist
-      // 8.0+ requires internal user to write to system indices
       fleetActionIndexResult = await esClient.index<EndpointAction>({
         index: AGENT_ACTIONS_INDEX,
         body: {

x-pack/plugins/security_solution/server/endpoint/routes/actions/status.test.ts

@@ -114,7 +114,7 @@ describe('Endpoint Action Status', () => {
         responses: MockResponse[],
         endpointResponses?: MockEndpointResponse[]
       ) => {
-        esClientMock.asCurrentUser.search = jest.fn().mockImplementation((req) => {
+        esClientMock.asInternalUser.search = jest.fn().mockImplementation((req) => {
           const size = req.size ? req.size : 10;
           const items: any[] =
             req.index === '.fleet-actions'
@@ -505,7 +505,7 @@ describe('Endpoint Action Status', () => {
         responses: MockResponse[],
         endpointResponses?: MockEndpointResponse[]
       ) => {
-        esClientMock.asCurrentUser.search = jest.fn().mockImplementation((req) => {
+        esClientMock.asInternalUser.search = jest.fn().mockImplementation((req) => {
           const size = req.size ? req.size : 10;
           const items: any[] =
             req.index === '.fleet-actions'

x-pack/plugins/security_solution/server/endpoint/routes/actions/status.ts

@@ -42,7 +42,7 @@ export const actionStatusRequestHandler = function (
   SecuritySolutionRequestHandlerContext
 > {
   return async (context, req, res) => {
-    const esClient = context.core.elasticsearch.client.asCurrentUser;
+    const esClient = context.core.elasticsearch.client.asInternalUser;
     const agentIDs: string[] = Array.isArray(req.query.agent_ids)
       ? [...new Set(req.query.agent_ids)]
       : [req.query.agent_ids];

x-pack/plugins/security_solution/server/endpoint/utils/audit_log_helpers.ts

@@ -191,7 +191,7 @@ export const getActionRequestsResult = async ({
 
   let actionRequests: TransportResult<estypes.SearchResponse<unknown>, unknown>;
   try {
-    const esClient = context.core.elasticsearch.client.asCurrentUser;
+    const esClient = context.core.elasticsearch.client.asInternalUser;
     actionRequests = await esClient.search(actionsSearchQuery, queryOptions);
     const actionIds = actionRequests?.body?.hits?.hits?.map((e) => {
       return logsEndpointActionsRegex.test(e._index)
@@ -248,7 +248,7 @@ export const getActionResponsesResult = async ({
 
   let actionResponses: TransportResult<estypes.SearchResponse<unknown>, unknown>;
   try {
-    const esClient = context.core.elasticsearch.client.asCurrentUser;
+    const esClient = context.core.elasticsearch.client.asInternalUser;
     actionResponses = await esClient.search(responsesSearchQuery, queryOptions);
   } catch (error) {
     logger.error(error);