Commit graph

7 commits

Author SHA1 Message Date
Gerard Soldevila
852f416a01
APEX-54 Stricter type checking for unsafe_transform functions (#222973)
Address https://github.com/elastic/kibana/issues/216061

Adds an indirection layer in the definition of the `transformFn:`, which
forces devs to explicitly define the types of the documents being
transformed.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-06-13 12:29:13 +02:00
Elena Shostak
7a41906d88
[Authz] Mandatory Security Config (#215180)
## Summary

This PR makes `security` a required field for route registration. To
incorporate the new required field, changes have been made:

1. **Test file updates**. A lot of the updates made in this PR were made
in tests.
2. **Versioned route security configuration**. For the versioned route
`security` config has been lifted up to the top-level definition:

    Before
    ```ts
    router.versioned
      .get({
        path: '/api/path',
        options: { ... },
        ...
      }, handler)
      .addVersion({
        version: 1,
        validate: false,
        security: {
          authz: {
            requiredPrivileges: ['privilege'],
          },
        },
      });
    ```
    
    After
    ```ts
    router.versioned
      .get({
        path: '/api/path',
        options: { ... },
        security: {
          authz: {
            requiredPrivileges: ['privilege'],
          },
        },
        ...
      }, handler)
      .addVersion({
        version: 1,
        validate: false,
      });
    ```

3. **Type adjustments for route wrappers**. Type changes have been made
in:
- `x-pack/solutions/observability/plugins/infra/server/lib/adapters/framework/adapter_types.ts`
- `x-pack/solutions/observability/plugins/metrics_data_access/server/lib/adapters/framework/adapter_types.ts`
- `x-pack/solutions/observability/plugins/synthetics/server/routes/types.ts`
- `x-pack/solutions/observability/plugins/uptime/server/legacy_uptime/routes/types.ts`

Security was made an optional field for the wrappers defined in those
files, since the default security is provided in the wrapper itself and
then passed down to the core router.

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)


__Closes: https://github.com/elastic/kibana/issues/215331__

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-03-27 12:04:53 -07:00
Alejandro Fernández Haro
52ab19db2d
Upgrade ES client to 9.0.0-alpha.3 (#208776)
## Summary

Updating the ES client to 9.0. 

Resolves #116102

## What changes?

**Breaking change**: `body` has been removed.

Most of the changes are about bringing all the content inside the body
as a root attribute to the API params:

```diff
const response = await client.search({
  index: 'test',
-  body: {
    query: {
      match_all: {}
    }
-  }
})
```
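
Review bot: with the `body:` wrapper removed, `query` sits at the same level as `index`, so a misplaced or unsupported key is no longer confined to the request body; the risk list in this description says the client sends unknown properties as querystring. Call sites converted this way should stay fully typed so the compiler flags keys that are not valid request params, and the `@ts-expect-error` escape hatch should be limited to the GET-response-reused-as-body cases the description names.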

For this reason, enabling the "Hide whitespace changes" option when
reviewing is recommended.

Some exceptions to this rule:

* Bulk APIs replace the `body` array with `operations` array (direct
replacement)
* Index Put Settings API replaces `body` array with `settings` (direct
replacement)
* Msearch replaces the `body` array with `searches` array (direct
replacement)
* Document Index API replaces `body` with `document` (direct
replacement)
* Create Repository replaces `body` with `repository` (direct
replacement)

Because of a known issue in the client
(https://github.com/elastic/elasticsearch-js/issues/2584), there's still
an escape hatch to send data in the body in case the specific use case
requires it via `// @ts-expect-error elasticsearch@9.0.0
https://github.com/elastic/elasticsearch-js/issues/2584`, but it
shouldn't be abused because we lose types. In this PR we've used it in
those scenarios where we reuse the response of a GET as the body of a
PUT/POST.

### Other changes

* `estypes` can be imported from the root of the library as `import type
{ estypes } from '@elastic/elasticsearch';`
* `estypesWithBody` have been removed
* `requestTimeout`'s 30s default has been removed in the client. This PR
explicitly adds the setting in all client usages.


### Identify risks

- [x] The client places unknown properties as querystring, risking body
params leaking there, and causing 400 errors from ES => Solved by
forcing `body` usage there via `// @ts-expect-error elasticsearch@9.0.0
https://github.com/elastic/elasticsearch-js/issues/2584`. The next
version of the client will address this.
- [x] We need to run the MKI tests to make sure that we're not breaking
anything there =>
https://elastic.slack.com/archives/C04HT4P1YS3/p1739528112482629?thread_ts=1739480136.231439&cid=C04HT4P1YS3

---------

Co-authored-by: Gloria Hornero <gloria.hornero@elastic.co>
2025-02-25 14:37:23 +00:00
Dario Gieselaar
98ce312ba3
More strict plugin type definitions (#205232)
Stricter defaults for plugin types: `Plugin` and `CoreSetup` now have
empty objects as defaults instead of `object` which is assignable to
anything basically. This catches some type errors, but my motivation for
this is to allow something like:

```ts
function createPlugin ():Plugin<MySetupContract, MyStartContract, MySetupDependencies, MyStartDependencies> {
	return {
		// look ma, no additional typing necessary
		setup ( coreSetup, pluginsSetup ) {
		},
		start ( coreStart, pluginsStart ) {
		}
	}
}
```
2025-01-07 16:41:15 +01:00
Luke Elmers
b6287708f6
Adds AGPL 3.0 license (#192025)
Updates files outside of x-pack to be triple-licensed under Elastic
License 2.0, AGPL 3.0, or SSPL 1.0.
2024-09-06 19:02:41 -06:00
Jeramy Soucy
f214e207e5
Replace Encrypted Saved Object AAD exclude list with include list (#167705)
Closes #156023

## Summary

ESO = Encrypted Saved Object(s)

This PR modifies the `EncryptedSavedObjectTypeRegistration` definition,
replacing the `attributesToExcludeFromAAD` property with a
`attributesToIncludeInAAD` property. The purpose is to alter the default
inclusion of new SO attributes, which will help to resolve potential
decryption issues with serverless zero downtime upgrades (see
https://github.com/elastic/kibana/issues/156023).

NOTE: nested fields are included when the parent field is added to the
include list. In this way the include list behaves just as the exclude
list did.

#### Attention Code Owners: 
I attempted to create the include list for existing ESOs by comparing
the exclude list to the full list of attributes, ~~however, I am sure
this is either incomplete or partially incorrect~~ UPDATE: new tests
have been created to validate the include list (see the **Testing**
section). These changes will need to be carefully audited by the owning
teams during the review process. This PR will not merge until all code
owners have reviewed and approved the changes. If your team is a
consumer of ESOs, please see the **Testing** section below.

## Testing
Automated test suites have been updated to account for the changes to
ESO registration. The riskier part of this PR are the changes to
existing ESOs, and validating that they are effectively identical to
their previous implementations. I have used main branch Kibana to
generate several ESOs - one of each type, then saved those raw encrypted
objects to an esArchiver JSON file. New functional tests, in the
`encrypted_saved_objects_api_integration` suite, have been created to
verify that those objects can be successfully decrypted using the new
ESO definitions containing the AAD include list.

### ESO Types to Validate
See
`x-pack/test/encrypted_saved_objects_api_integration/tests/encrypted_saved_objects_aad_include_list.ts`

- [x] ACTION_SAVED_OBJECT_TYPE/'action'
- [x] ACTION_TASK_PARAMS_SAVED_OBJECT_TYPE/'action_task_params'
- [x] CONNECTOR_TOKEN_SAVED_OBJECT_TYPE/'connector_token'
- [x] RULE_SAVED_OBJECT_TYPE/'alert'
- [x] 'api_key_pending_invalidation'
- [x] OUTPUT_SAVED_OBJECT_TYPE/'ingest-outputs'
- [x] MESSAGE_SIGNING_KEYS_SAVED_OBJECT_TYPE/'fleet-message-signing-keys'
- [x] UNINSTALL_TOKENS_SAVED_OBJECT_TYPE/'fleet-uninstall-tokens'
- [x] syntheticsApiKeyObjectType/'uptime-synthetics-api-key'
- [x] syntheticsMonitorType/'synthetics-monitor'
- [x] syntheticsParamType/'synthetics-param'

### Flaky Test Runner
https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5419

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>
2024-03-08 11:15:02 -05:00
Jeramy Soucy
835d4aff4c
Implements Encrypted Saved Objects Model Version API (#166302)
Closes #161002
Closes #170073

## Summary

This PR implements a createModelVersion API in the Encrypted Saved
Objects plugin to support upward migrations for model version encrypted
saved objects.

Much like how the `createMigration` API provided a way to wrap migration
functions to support migration of encrypted saved objects prior to the
model version paradigm, the new `createModelVersion` API provides a way
to wrap a model version definition for the same purpose.

`createModelVersion` manipulates the changes defined for a model version
('unsafe_transform', 'data_backfill', 'data_removal'), merging them into
a single transform function in which the saved object document is
decrypted, transformed, and then encrypted again. The document is
decrypted with the `encrypted saved object type registration` provided
by the required `inputType` parameter. Similarly, the document is
encrypted with the `encrypted saved object type registration` provided
by the required `outputType` parameter.

An example plugin (`examples/eso_model_version_example`) provides a
demonstration of how the createModelVersion API should be used. The UI
of the example plugin gives an idea of what the encrypted saved objects
look like before and after the model version changes are applied.

## Testing

### Manual Testing
- Modify the example plugin implementation in
`examples/eso_model_version_example` to include different changes or
additional model versions.

### Unit Tests
- `x-pack/plugins/encrypted_saved_objects/server/create_model_version.test.ts`

### Functional Tests
- `x-pack/test/encrypted_saved_objects_api_integration/tests/encrypted_saved_objects_api.ts`
- `x-pack/test/encrypted_saved_objects_api_integration/tests/encrypted_saved_objects_decryption.ts`

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2023-12-07 16:01:29 -05:00
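
The following is an added example, not code from Kibana or from either commit. It is a simplified AES-256-GCM model of the two Encrypted Saved Objects changes above: the AAD include list (f214e207e5) and the decrypt, transform, re-encrypt flow with separate input and output registrations (835d4aff4c). The `type` and `secret` fields, the helper names, the `migrate` signature and the sample document are assumptions made for the illustration.

```javascript
// Added illustration, not Kibana code. Uses only Node's built-in crypto.
const crypto = require('node:crypto');
const KEY = crypto.randomBytes(32); // constructed demo key

// AAD = type, id and the non-secret attributes the registration selects.
function buildAad(id, attrs, reg) {
  const names = Object.keys(attrs).filter((n) => n !== reg.secret &&
    (reg.attributesToIncludeInAAD ? reg.attributesToIncludeInAAD.has(n)
      : !reg.attributesToExcludeFromAAD.has(n))).sort();
  return Buffer.from(JSON.stringify([reg.type, id, names.map((n) => [n, attrs[n]])]));
}

function encryptDoc(id, attrs, reg) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', KEY, iv);
  cipher.setAAD(buildAad(id, attrs, reg));
  const ct = Buffer.concat([cipher.update(attrs[reg.secret], 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
  return { ...attrs, [reg.secret]: blob };
}

// Returns the document with the secret in clear; throws if the GCM tag check fails.
function decryptDoc(id, attrs, reg) {
  const raw = Buffer.from(attrs[reg.secret], 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', KEY, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  d.setAAD(buildAad(id, attrs, reg));
  const pt = Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
  return { ...attrs, [reg.secret]: pt };
}

// Decrypt with the input registration, transform, re-encrypt with the output one.
function migrate(id, storedDoc, inputType, outputType, transformFn) {
  return encryptDoc(id, transformFn(decryptDoc(id, storedDoc, inputType)), outputType);
}

// Returns the plaintext secret, or null when authentication fails.
function tryDecrypt(id, storedDoc, reg) {
  try { return decryptDoc(id, storedDoc, reg)[reg.secret]; } catch { return null; }
}

// Constructed registrations; `type` and `secret` are hypothetical field names.
const excludeV1 = { type: 'demo', secret: 'apiKey', attributesToExcludeFromAAD: new Set() };
const includeV1 = { type: 'demo', secret: 'apiKey', attributesToIncludeInAAD: new Set(['name']) };
const includeV2 = { ...includeV1, attributesToIncludeInAAD: new Set(['name', 'owner']) };
const doc = { name: 'conn', apiKey: 's3cr3t' }; // constructed sample document

// An attribute unknown to the registration appears on a stored document:
console.log(tryDecrypt('1', { ...encryptDoc('1', doc, excludeV1), owner: 'ops' }, excludeV1));
console.log(tryDecrypt('1', { ...encryptDoc('1', doc, includeV1), owner: 'ops' }, includeV1));
```

With the exclude-style registration the unknown attribute is pulled into the AAD and the tag check fails; with the include-style registration it is ignored, while changes to listed attributes such as `name` are still detected.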