Commit graph

23 commits

Author SHA1 Message Date
Kibana Machine
2973fcc10d
[8.8] Security tech debt cleanup (#157990) (#158234)
# Backport

This will backport the following commits from `main` to `8.8`:
- [Security tech debt cleanup
(#157990)](https://github.com/elastic/kibana/pull/157990)


### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

Co-authored-by: Thom Heymann <190132+thomheymann@users.noreply.github.com>
2023-05-23 02:57:05 -07:00
Candace Park
28ba652c3d
[Security][Features] Adds subtext option to Kibana feature and sub-feature controls (#147709)
## Summary
- [x] Allow plugins to configure a description subtext underneath kibana
features
- [x] Allow plugins to configure a description subtext underneath kibana
subfeatures
- [x] Adjusts subfeature form UI so privilege buttons have full width,
adjusts padding/margins
- [x] Adds unit tests

# Screen Shots
<img width="752" alt="image"
src="https://user-images.githubusercontent.com/56409205/211621510-83769516-4a04-4442-8d96-92f5b6708a45.png">


Privilege button group before

![image](https://user-images.githubusercontent.com/56409205/208610978-557d1881-f222-4a29-9ae3-d60baf34e1ac.png)

Privilege button group after
<img width="666" alt="image"
src="https://user-images.githubusercontent.com/56409205/211621622-36b7a388-f1f5-4cb4-810d-48adbf7f0155.png">


Example to test:
1. In `x-pack/plugins/security_solution/server/features.ts` before
`privilegeGroups` on line 254, add `description: 'some subfeature
description here'` and before `management` on line 551, add
`description: 'some feature description here'`.
2. Stack Management > Roles > edit Kibana Privileges > Security >
Security; see descriptions show up underneath Security and underneath
the Endpoint List sub feature
2023-01-17 15:25:19 -07:00
David Sánchez
217d2d0c4e
[Security Solution][Endpoint] Require all spaces flag for sub features (#143733)
* Adds requireAllSpaces flag for subfeatures.

* fixes ts errors

* Adds unit test on sub features form UI

* Adds unit test for validateKibanaPrivileges function with subfeatures

* Fixes failing tests

* Rename some vars and reorder return null. Also skip two tests that are not working as expected

* Reorder if condition for performance optimisation

* Fixes unit test

* PR feedback - remove useMemo and use a function

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2022-10-26 15:35:45 +02:00
Jonathan Buttner
c4c9c73668
[Cases][ResponseOps] Splitting out cases privileges (#134860)
* Splitting out cases privs

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* Getting tests working

* Fixing import error

* Fixing tests

* Fixing role to only have delete permissions

* Extracting sub feature tests to trial license

* Removing deletion user from common tests

* Addressing feedback

* Fixing tests

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2022-06-29 10:47:06 -04:00
spalger
3730dd0779 fix all violations 2022-04-16 01:37:30 -05:00
Alejandro Fernández Haro
b96dfb698a
[Core] Deprecated APIs audit (#127744) 2022-03-16 05:04:14 -07:00
Josh Dover
eab0485fa3
Add requireAllSpaces and disable options to FeatureKibanaPrivileges (#118001)
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
Co-authored-by: criamico <mariacristina.amico@elastic.co>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Xavier Mouligneau <xavier.mouligneau@elastic.co>
Co-authored-by: Joe Portner <joseph.portner@elastic.co>
2022-01-06 05:10:12 -07:00
Spencer
4385ac4d83
[eslint] enable type-specific lint rules (#114184)
* [eslint] enable type-specific lint rules

* autofix violations

* duplicate eslint-disable to new export statement

Co-authored-by: spalger <spalger@users.noreply.github.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2021-11-03 16:56:17 -06:00
Jonathan Buttner
b6c982c3b0
[Cases] RBAC (#95058)
* Adding feature flag for auth

* Hiding SOs and adding consumer field

* First pass at adding security changes

* Consumer as the app's plugin ID

* Create addConsumerToSO migration helper

* Fix mapping's SO consumer

* Add test for CasesActions

* Declare hidden types on SO client

* Restructure integration tests

* Init spaces_only integration tests

* Implementing the cases security string

* Adding security plugin tests for cases

* Rough concept for authorization class

* Adding comments

* Fix merge

* Get requiredPrivileges for classes

* Check privileges

* Ensure that all classes are available

* Success if hasAllRequested is true

* Failure if hasAllRequested is false

* Adding schema updates for feature plugin

* Separate basic from trial

* Enable SIR on integration tests

* Starting the plumbing for authorization in plugin

* Unit tests working

* Move find route logic to case client

* Create integration test helper functions

* Adding auth to create call

* Create getClassFilter helper

* Add class attribute to find request

* Create getFindAuthorizationFilter

* Ensure savedObject is authorized in find method

* Include fields for authorization

* Combine authorization filter with cases & subcases filter

* Fix isAuthorized flag

* Fix merge issue

* Create/delete spaces & users before and after tests

* Add more user and roles

* [Cases] Convert filters from strings to KueryNode (#95288)

* [Cases] RBAC: Rename class to scope (#95535)

* [Cases][RBAC] Rename scope to owner (#96035)

* [Cases] RBAC: Create & Find integration tests (#95511)

* [Cases] Cases client enchantment (#95923)

* [Cases] Authorization and Client Audit Logger (#95477)

* Starting audit logger

* Finishing auth audit logger

* Fixing tests and types

* Adding audit event creator

* Renaming class to scope

* Adding audit logger messages to create and find

* Adding comments and fixing import issue

* Fixing type errors

* Fixing tests and adding username to message

* Addressing PR feedback

* Removing unnecessary log and generating id

* Fixing module issue and remove expect.anything

* [Cases] Migrate sub cases routes to a client (#96461)

* Adding sub cases client

* Move sub case routes to case client

* Throw when attempting to access the sub cases client

* Fixing throw and removing user and so clients

* [Cases] RBAC: Migrate routes' unit tests to integration tests (#96374)

Co-authored-by: Jonathan Buttner <jonathan.buttner@elastic.co>

* [Cases] Move remaining HTTP functionality to client (#96507)

* Moving deletes and find for attachments

* Moving rest of comment apis

* Migrating configuration routes to client

* Finished moving routes, starting utils refactor

* Refactoring utilities and fixing integration tests

* Addressing PR feedback

* Fixing mocks and types

* Fixing integration tests

* Renaming status_stats

* Fixing test type errors

* Adding plugins to kibana.json

* Adding cases to required plugin

* [Cases] Refactoring authorization (#97483)

* Refactoring authorization

* Wrapping auth calls in helper for try catch

* Reverting name change

* Hardcoding the saved object types

* Switching ensure to owner array

* [Cases] Add authorization to configuration & cases routes (#97228)

* [Cases] Attachments RBAC (#97756)

* Starting rbac for comments

* Adding authorization to rest of comment apis

* Starting the comment rbac tests

* Fixing some of the rbac tests

* Adding some integration tests

* Starting patch tests

* Working tests for comments

* Working tests

* Fixing some tests

* Fixing type issues from pulling in master

* Fixing connector tests that only work in trial license

* Attempting to fix cypress

* Mock return of array for configure

* Fixing cypress test

* Cleaning up

* Addressing PR comments

* Reducing operations

* [Cases] Add RBAC to remaining Cases APIs (#98762)

* Starting rbac for comments

* Adding authorization to rest of comment apis

* Starting the comment rbac tests

* Fixing some of the rbac tests

* Adding some integration tests

* Starting patch tests

* Working tests for comments

* Working tests

* Fixing some tests

* Fixing type issues from pulling in master

* Fixing connector tests that only work in trial license

* Attempting to fix cypress

* Mock return of array for configure

* Fixing cypress test

* Cleaning up

* Working case update tests

* Addressing PR comments

* Reducing operations

* Working rbac push case tests

* Starting stats apis

* Working status tests

* User action tests and fixing migration errors

* Fixing type errors

* including error in message

* Addressing pr feedback

* Fixing some type errors

* [Cases] Add space only tests (#99409)

* Starting spaces tests

* Finishing space only tests

* Refactoring createCaseWithConnector

* Fixing spelling

* Addressing PR feedback and creating alert tests

* Fixing mocks

* [Cases] Add security only tests (#99679)

* Starting spaces tests

* Finishing space only tests

* Refactoring createCaseWithConnector

* Fixing spelling

* Addressing PR feedback and creating alert tests

* Fixing mocks

* Starting security only tests

* Adding remainder security only tests

* Using helper objects

* Fixing type error for null space

* Renaming utility variables

* Refactoring users and roles for security only tests

* Adding sub feature

* [Cases] Cleaning up the services and TODOs (#99723)

* Cleaning up the service initialization

* Fixing type errors

* Adding comments for the api

* Working test for cases client

* Fix type error

* Adding generated docs

* Adding more docs and cleaning up types

* Cleaning up readme

* More clean up and links

* Changing some file names

* Renaming docs

* Integration tests for cases privs and fixes (#100038)

* [Cases] RBAC on UI (#99478)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

* Fixing case ids by alert id route call

* [Cases] Fixing UI feature permissions and adding UI tests (#100074)

* Integration tests for cases privs and fixes

* Fixing ui cases permissions and adding tests

* Adding test for collection failure and fixing jest

* Renaming variables

* Fixing type error

* Adding some comments

* Validate cases features

* Fix new schema

* Adding owner param for the status stats

* Fix get case status tests

* Adjusting permissions text and fixing status

* Address PR feedback

* Adding top level feature back

* Fixing feature privileges

* Renaming

* Removing unneeded else

* Fixing tests and adding cases merge tests

* [Cases][Security Solution] Basic license security solution API tests (#100925)

* Cleaning up the fixture plugins

* Adding basic feature test

* renaming to unsecuredSavedObjectsClient (#101215)

* [Cases] RBAC Refactoring audit logging (#100952)

* Refactoring audit logging

* Adding unit tests for authorization classes

* Addressing feedback and adding util tests

* return undefined on empty array

* fixing eslint

* [Cases] Cleaning up RBAC integration tests (#101324)

* Adding tests for space permissions

* Adding tests for testing a disable feature

Co-authored-by: Christos Nasikas <christos.nasikas@elastic.co>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2021-06-07 09:37:11 -04:00
ymao1
71379b755a
[Alerting] Split alerting feature privilege between rules and alerts and handle subfeature privilege specification (#100127)
* WIP - creating alerting authorization client factory and exposing authorization client on plugin start contract

* Updating alerting feature privilege builder to handle different alerting types

* Passing in alerting authorization type to AlertingActions class string builder

* Passing in authorization type in each function call

* Passing in exempt consumer ids. Adding authorization type to audit logger

* Changing alertType to ruleType

* Changing alertType to ruleType

* Updating unit tests

* Updating unit tests

* Passing field names into authorization query builder. Adding kql/es dsl option

* Converting to es query if requested

* Fixing functional tests

* Removing ability to specify feature privilege name in constructor

* Fixing some types and tests

* Consolidating alerting authorization kuery filter options

* Cleanup and tests

* Cleanup and tests

* Initial commit with changes needed for subfeature privilege

* Throwing error when AlertingAuthorizationClientFactory is not defined

* Renaming authorizationType to entity

* Renaming AlertsAuthorization to AlertingAuthorization

* Fixing unit tests

* Changing schema of alerting feature privilege

* Changing schema of alerting feature privilege

* Updating feature privilege iterator

* Updating feature privilege builder

* Fixing types check

* Updating privilege string terminology

* Updating privilege string terminology

* Wip

* Fixing unit tests

* Unit tests

* Updating README and removing stack subfeature privilege changes

* Fixing README

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2021-05-27 14:59:02 -04:00
Brandon Kobel
4584a8b570
Elastic License 2.0 (#90099)
* Updating everything except the license headers themselves

* Applying ESLint rules

* Manually replacing the stragglers
2021-02-03 18:12:39 -08:00
Larry Gregory
fe33579272
Add support for licensed sub feature privileges (#80905) 2020-11-16 14:50:20 -05:00
Larry Gregory
bf0f8bbb42
Cleanup feature registration (#80909) 2020-10-20 12:53:43 -04:00
Larry Gregory
9f3992f6c2
Grouped features for space management (#74151)
* Grouped features for space management

* Apply suggestions from code review

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>

* Address PR Feedback

* docs changes

* updating types/docs

* update APM feature name

* Reintroduce extraAction following EUI update

* change ordering of infra features, and render callout for management category

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-09-18 12:30:59 -04:00
Larry Gregory
2e34eb239f
Hide management sections based on cluster/index privileges (#67791)
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-09-14 09:30:47 -04:00
Gidi Meir Morris
4abe864f10
Adds Role Based Access-Control to the Alerting & Action plugins based on Kibana Feature Controls (#67157)
This PR adds _Role Based Access-Control_ to the Alerting framework & Actions feature using  Kibana Feature Controls, addressing most of the Meta issue: https://github.com/elastic/kibana/issues/43994

This also closes https://github.com/elastic/kibana/issues/62438

This PR includes the following:

1. Adds `alerting` specific Security Actions (not to be confused with Alerting Actions) to the `security` plugin which allows us to assign alerting specific privileges to users of other plugins using the `features` plugin.
2. Removes the security wrapper from the savedObjectsClient in AlertsClient and instead plugs in the new AlertsAuthorization which performs the privilege checks on each api call made to the AlertsClient.
3. Adds privileges in each plugin that is already using the Alerting Framework which mirror (as closely as possible) the existing api-level tag-based privileges and plugs them into the AlertsClient.
4. Adds feature granted privileges around Actions (by relying on Saved Object privileges under the hood) and plugs them into the ActionsClient
5. Removes the legacy api-level tag-based privilege system from both the Alerts and Action HTTP APIs
2020-07-22 14:45:57 +01:00
Mikhail Shustov
159369b719
Use ts-expect-error in platform code (#69883)
* ts-ignore --> ts-expect-error

* fix error with mutable array

* fix errors in consumers code

* update SOM

* fix FeatureConfig & Feature compatibility

* do not re-export from code. it breaks built version

* update docs

* add eslint rule for platform team code

* remove test. this is covered by ts-expect-error in unit tests

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-06-30 07:37:42 +02:00
restrry
bf04235dae apply prettier styles 2020-05-22 09:08:58 +02:00
Larry Gregory
9d89a4fb49
Support multiple reserved feature privileges (#61980)
* support multiple reserved feature privileges

* update reserved privilege ids

* additional testing

* Add ml_user and ml_admin reserved privileges

* prevent reserved privilege ids from starting with 'reserved_'

* address pr feedback: dedicated reserved privilege type

* re-enable ML test suites

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-04-08 13:03:15 -04:00
Larry Gregory
b82cc6ed4a
Support for sub-feature privileges (#60563)
* initial server-side support for sub-feature privileges (#57507)

* initial server-side support for sub-feature privileges

* start addressing PR feedback

* renaming interfaces

* move privilege id collision check to security plugin

* additional testing

* change featurePrivilegeIterator import location

* fix link assertions following rebase from master

* Initial UI support for sub-feature privileges (#59198)

* Initial UI support for sub-feature privileges

* Address PR feedback

* display deleted spaces correctly in the privilege summary

* additional testing

* update snapshot

* Enables sub-feature privileges for gold+ licenses (#59750)

* enables sub-feature privileges for gold+ licenses

* Address PR feedback

* address platform review feedback
2020-03-24 11:12:49 -04:00
Brandon Kobel
02f309c206
Specifying valid licenses for the Graph feature (#55911)
* Specifying valid licenses for the Graph feature

* Adding option to /api/features to ignore valid licenses

This allows us to take advantage of the /api/features endpoint within our
tests to disable all features, including those which are disabled by the
current license. The ui capabilities don't take into consideration the
license at the moment, so they're entirely separate mechanisms
at this point in time.

* Addressing PR comments

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-02-07 10:27:55 -08:00
Mikhail Shustov
74e1d17cf4
Support 'enterprise' license type (#52273)
* add enterprise license type to licensing plugin

* add enterprise license to x-pack plugins

* update uptime license list

* improve naming in security plugin

* update reporting licensing
2019-12-17 15:43:19 +01:00
Josh Dover
ec2134d221
Add lint rule to prevent server code being imported into client (#52447) 2019-12-13 12:26:04 -06:00