Expose privilege API client to spaces (#189819)

## Summary

Expose privilege API client to be injected into the spaces app, to
facilitate new spaces UX

<!--
### Checklist

Delete any items that are not applicable to this PR.

- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] Any UI touched in this PR is usable by keyboard only (learn more
about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [ ] Any UI touched in this PR does not create any new axe failures
(run axe in browser:
[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),
[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This renders correctly on smaller devices using a responsive
layout. (You can test this [in your
browser](https://www.browserstack.com/guide/responsive-testing-on-local-server))
- [ ] This was checked for [cross-browser
compatibility](https://www.elastic.co/support/matrix#matrix_browsers)


### Risk Matrix

Delete this section if it is not applicable to this PR.

Before closing this PR, invite QA, stakeholders, and other developers to
identify risks that should be tested prior to the change/feature
release.

When forming the risk matrix, consider some of the following examples
and how they may potentially impact the change:

| Risk | Probability | Severity | Mitigation/Notes |

|---------------------------|-------------|----------|-------------------------|
| Multiple Spaces&mdash;unexpected behavior in non-default Kibana Space.
| Low | High | Integration tests will verify that all features are still
supported in non-default Kibana Space and when user switches between
spaces. |
| Multiple nodes&mdash;Elasticsearch polling might have race conditions
when multiple Kibana nodes are polling for the same tasks. | High | Low
| Tasks are idempotent, so executing them multiple times will not result
in logical error, but will degrade performance. To test for this case we
add plenty of unit tests around this logic and document manual testing
procedure. |
| Code should gracefully handle cases when feature X or plugin Y are
disabled. | Medium | High | Unit tests will verify that any feature flag
or plugin combination still results in our service operational. |
| [See more potential risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) |


### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
-->

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

x-pack/packages/security/plugin_types_public/index.ts

@@ -17,3 +17,5 @@ export type {
   UserProfileAPIClient,
 } from './src/user_profile';
 export type { RolePutPayload, RolesAPIClient } from './src/roles';
+export { PrivilegesAPIClientPublicContract } from './src/privileges';
+export type { PrivilegesAPIClientGetAllArgs } from './src/privileges';

x-pack/packages/security/plugin_types_public/src/authorization/authorization_service.ts

@@ -6,6 +6,7 @@
  */
 
 import type { RolesAPIClient } from '../roles';
+import type { PrivilegesAPIClientPublicContract } from '../privileges';
 
 export interface AuthorizationServiceSetup {
   /**
@@ -17,6 +18,11 @@ export interface AuthorizationServiceSetup {
    * A set of methods to work with Kibana user roles.
    */
   roles: RolesAPIClient;
+
+  /**
+   * A set of methods to work with Kibana role privileges
+   */
+  privileges: PrivilegesAPIClientPublicContract;
 }
 
 /**

x-pack/packages/security/plugin_types_public/src/privileges/index.ts

@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { PrivilegesAPIClientPublicContract } from './privileges_api_client';
+export type { PrivilegesAPIClientGetAllArgs } from './privileges_api_client';

x-pack/packages/security/plugin_types_public/src/privileges/privileges_api_client.ts

@@ -0,0 +1,21 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { RawKibanaPrivileges } from '@kbn/security-authorization-core';
+
+export interface PrivilegesAPIClientGetAllArgs {
+  includeActions: boolean;
+  /*
+   * respectLicenseLevel is an internal optional parameter solely for getting all sub-feature
+   * privileges to use in the UI. It is not meant for any other use.
+   */
+  respectLicenseLevel: boolean;
+}
+// TODO: Eyo include the proper return types for contract
+export abstract class PrivilegesAPIClientPublicContract {
+  abstract getAll(args: PrivilegesAPIClientGetAllArgs): Promise<RawKibanaPrivileges>;
+}

x-pack/packages/security/plugin_types_public/tsconfig.json

@@ -14,5 +14,6 @@
     "@kbn/core-user-profile-common",
     "@kbn/security-plugin-types-common",
     "@kbn/core-security-common",
+    "@kbn/security-authorization-core"
   ]
 }

x-pack/plugins/security/public/authentication/index.mock.ts

@@ -32,6 +32,9 @@ export const authorizationMock = {
       deleteRole: jest.fn(),
       saveRole: jest.fn(),
     },
+    privileges: {
+      getAll: jest.fn(),
+    },
   }),
   createStart: (): jest.Mocked<AuthorizationServiceStart> => ({
     isRoleManagementEnabled: jest.fn(),
@@ -41,5 +44,8 @@ export const authorizationMock = {
       deleteRole: jest.fn(),
       saveRole: jest.fn(),
     },
+    privileges: {
+      getAll: jest.fn(),
+    },
   }),
 };

x-pack/plugins/security/public/authorization/authorization_service.ts

@@ -9,7 +9,7 @@ import type { HttpStart } from '@kbn/core/public';
 import type { AuthorizationServiceSetup } from '@kbn/security-plugin-types-public';
 
 import type { ConfigType } from '../config';
-import { RolesAPIClient } from '../management';
+import { PrivilegesAPIClient, RolesAPIClient } from '../management';
 
 interface SetupParams {
   config: ConfigType;
@@ -20,6 +20,7 @@ export class AuthorizationService {
   public setup({ config, http }: SetupParams): AuthorizationServiceSetup {
     const isRoleManagementEnabled = () => config.roleManagementEnabled;
     const rolesAPIClient = new RolesAPIClient(http);
+    const privilegesAPIClient = new PrivilegesAPIClient(http);
 
     return {
       isRoleManagementEnabled,
@@ -29,6 +30,9 @@ export class AuthorizationService {
         deleteRole: rolesAPIClient.deleteRole,
         saveRole: rolesAPIClient.saveRole,
       },
+      privileges: {
+        getAll: privilegesAPIClient.getAll.bind(privilegesAPIClient),
+      },
     };
   }
 }

x-pack/plugins/security/public/management/index.ts

@@ -7,4 +7,4 @@
 
 export { ManagementService } from './management_service';
 export { UserAPIClient } from './users/user_api_client';
-export { RolesAPIClient } from './roles';
+export { RolesAPIClient, PrivilegesAPIClient } from './roles';

x-pack/plugins/security/public/management/roles/index.ts

@@ -7,3 +7,4 @@
 
 export { rolesManagementApp } from './roles_management_app';
 export { RolesAPIClient } from './roles_api_client';
+export { PrivilegesAPIClient } from './privileges_api_client';

x-pack/plugins/security/public/management/roles/privileges_api_client.ts

@@ -7,16 +7,15 @@
 
 import type { HttpStart } from '@kbn/core/public';
 import type { RawKibanaPrivileges } from '@kbn/security-authorization-core';
+import { PrivilegesAPIClientPublicContract } from '@kbn/security-plugin-types-public';
 
 import type { BuiltinESPrivileges } from '../../../common/model';
 
-export class PrivilegesAPIClient {
-  constructor(private readonly http: HttpStart) {}
+export class PrivilegesAPIClient extends PrivilegesAPIClientPublicContract {
+  constructor(private readonly http: HttpStart) {
+    super();
+  }
 
-  /*
-   * respectLicenseLevel is an internal optional parameter soley for getting all sub-feature
-   * privilieges to use in the UI. It is not meant for any other use.
-   */
   async getAll({
     includeActions,
     respectLicenseLevel = true,

x-pack/plugins/security/public/plugin.test.tsx

@@ -40,7 +40,11 @@ describe('Security Plugin', () => {
         })
       ).toEqual({
         authc: { getCurrentUser: expect.any(Function), areAPIKeysEnabled: expect.any(Function) },
-        authz: { isRoleManagementEnabled: expect.any(Function), roles: expect.any(Object) },
+        authz: {
+          isRoleManagementEnabled: expect.any(Function),
+          roles: expect.any(Object),
+          privileges: expect.any(Object),
+        },
         license: {
           isLicenseAvailable: expect.any(Function),
           getLicenseType: expect.any(Function),
@@ -129,6 +133,9 @@ describe('Security Plugin', () => {
           },
           "authz": Object {
             "isRoleManagementEnabled": [Function],
+            "privileges": Object {
+              "getAll": [Function],
+            },
             "roles": Object {
               "deleteRole": [Function],
               "getRole": [Function],

x-pack/plugins/spaces/public/management/management_service.test.ts

@@ -42,6 +42,7 @@ describe('ManagementService', () => {
         spacesManager: spacesManagerMock.create(),
         config,
         getRolesAPIClient: getRolesAPIClientMock,
+        getPrivilegesAPIClient: jest.fn(),
         eventTracker,
       });
 
@@ -63,6 +64,7 @@ describe('ManagementService', () => {
         spacesManager: spacesManagerMock.create(),
         config,
         getRolesAPIClient: getRolesAPIClientMock,
+        getPrivilegesAPIClient: jest.fn(),
         eventTracker,
       });
     });
@@ -85,6 +87,7 @@ describe('ManagementService', () => {
         spacesManager: spacesManagerMock.create(),
         config,
         getRolesAPIClient: jest.fn(),
+        getPrivilegesAPIClient: jest.fn(),
         eventTracker,
       });
 

x-pack/plugins/spaces/public/management/management_service.tsx

@@ -7,7 +7,10 @@
 
 import type { StartServicesAccessor } from '@kbn/core/public';
 import type { ManagementApp, ManagementSetup } from '@kbn/management-plugin/public';
-import type { RolesAPIClient } from '@kbn/security-plugin-types-public';
+import type {
+  PrivilegesAPIClientPublicContract,
+  RolesAPIClient,
+} from '@kbn/security-plugin-types-public';
 
 import { spacesManagementApp } from './spaces_management_app';
 import type { EventTracker } from '../analytics';
@@ -22,6 +25,7 @@ interface SetupDeps {
   config: ConfigType;
   getRolesAPIClient: () => Promise<RolesAPIClient>;
   eventTracker: EventTracker;
+  getPrivilegesAPIClient: () => Promise<PrivilegesAPIClientPublicContract>;
 }
 
 export class ManagementService {
@@ -34,6 +38,7 @@ export class ManagementService {
     config,
     getRolesAPIClient,
     eventTracker,
+    getPrivilegesAPIClient,
   }: SetupDeps) {
     this.registeredSpacesManagementApp = management.sections.section.kibana.registerApp(
       spacesManagementApp.create({
@@ -42,6 +47,7 @@ export class ManagementService {
         config,
         getRolesAPIClient,
         eventTracker,
+        getPrivilegesAPIClient,
       })
     );
   }

x-pack/plugins/spaces/public/management/spaces_management_app.test.tsx

@@ -57,6 +57,7 @@ async function mountApp(basePath: string, pathname: string, spaceId?: string) {
       getStartServices: async () => [coreStart, pluginsStart as PluginsStart, {}],
       config,
       getRolesAPIClient: jest.fn(),
+      getPrivilegesAPIClient: jest.fn(),
       eventTracker,
     })
     .mount({
@@ -79,6 +80,7 @@ describe('spacesManagementApp', () => {
         getStartServices: coreMock.createSetup().getStartServices as any,
         config,
         getRolesAPIClient: jest.fn(),
+        getPrivilegesAPIClient: jest.fn(),
         eventTracker,
       })
     ).toMatchInlineSnapshot(`

x-pack/plugins/spaces/public/management/spaces_management_app.tsx

@@ -14,7 +14,10 @@ import { i18n } from '@kbn/i18n';
 import { KibanaContextProvider } from '@kbn/kibana-react-plugin/public';
 import type { RegisterManagementAppArgs } from '@kbn/management-plugin/public';
 import { KibanaRenderContextProvider } from '@kbn/react-kibana-context-render';
-import type { RolesAPIClient } from '@kbn/security-plugin-types-public';
+import type {
+  PrivilegesAPIClientPublicContract,
+  RolesAPIClient,
+} from '@kbn/security-plugin-types-public';
 import { RedirectAppLinks } from '@kbn/shared-ux-link-redirect-app';
 import { Route, Router, Routes } from '@kbn/shared-ux-router';
 
@@ -30,6 +33,7 @@ interface CreateParams {
   config: ConfigType;
   getRolesAPIClient: () => Promise<RolesAPIClient>;
   eventTracker: EventTracker;
+  getPrivilegesAPIClient: () => Promise<PrivilegesAPIClientPublicContract>;
 }
 
 export const spacesManagementApp = Object.freeze({

x-pack/plugins/spaces/public/plugin.tsx

@@ -95,6 +95,18 @@ export class SpacesPlugin implements Plugin<SpacesPluginSetup, SpacesPluginStart
         return security.contract.authz.roles;
       };
 
+      const getPrivilegesAPIClient = async () => {
+        const { security } = await core.plugins.onSetup<{ security: SecurityPluginStart }>(
+          'security'
+        );
+
+        if (!security.found) {
+          throw new Error('Security plugin is not available as runtime dependency.');
+        }
+
+        return security.contract.authz.privileges;
+      };
+
       if (plugins.home) {
         plugins.home.featureCatalogue.register(createSpacesFeatureCatalogueEntry());
       }
@@ -108,6 +120,7 @@ export class SpacesPlugin implements Plugin<SpacesPluginSetup, SpacesPluginStart
           config: this.config,
           getRolesAPIClient,
           eventTracker: this.eventTracker,
+          getPrivilegesAPIClient,
         });
       }