## Summary
As part of #154888, we need to stop making direct requests to the index
`.kibana`, and use the SO Clients instead.
This PR changes the utility `getSavedObjectsCount` to use aggregations
in the SO client.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
### For maintainers
- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
I'm pointing to `main` because it's an improvement we needed anyway.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Resolves: https://github.com/elastic/kibana/issues/131682
Taking inspiration from this PR: https://github.com/elastic/kibana/pull/148382
This PR changes the rules client aggregation method to accept arbitrary aggregations. This allows the users of the method to better customize the response when calling rules client aggregate. We have added validation to the aggregate method to prevent aggregations on certain rule fields.
```ts
const ALLOW_FIELDS = [
'alert.attributes.executionStatus.status',
'alert.attributes.lastRun.outcome',
'alert.attributes.muteAll',
'alert.attributes.tags',
'alert.attributes.snoozeSchedule',
'alert.attributes.snoozeSchedule.duration',
'alert.attributes.alertTypeId',
'alert.attributes.enabled',
'alert.attributes.params.*',
];
const ALLOW_AGG_TYPES = ['terms', 'composite', 'nested', 'filter'];
```
This PR also adds a new endpoint `rules/_tags` to allow for pagination of rule tags. This new endpoint takes advantage of the arbitrary aggregation of the new aggregate method.
I tested the security solution rules page to ensure tags are still loading as expected.
### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co>
Closes#147049Closes#149897
Migrates authorization and audit logic from the Saved Objects Repository
to the Saved Objects Security Extension. This is achieved by
implementing action-specific authorization methods within the security
extension. The SO repository is no longer responsible for making any
authorization decisions, but It is still responsible to know how to call
the extension methods. I've tried to make this as straightforward as
possible such that there is a clear ownership delineation between the
repository and the extension, by keeping the interface simple and
(hopefully) obvious.
### Security Extension Interface
New Public Extension Methods:
- authorizeCreate
- authorizeBulkCreate
- authorizeUpdate
- authorizeBulkUpdate
- authorizeDelete
- authorizeBulkDelete
- authorizeGet
- authorizeBulkGet
- authorizeCheckConflicts
- authorizeRemoveReferences
- authorizeOpenPointInTime
- auditClosePointInTime
- authorizeAndRedactMultiNamespaceReferences
- authorizeAndRedactInternalBulkResolve
- authorizeUpdateSpaces
- authorizeFind
- getFindRedactTypeMap
- authorizeDisableLegacyUrlAliases (for secure spaces client)
- auditObjectsForSpaceDeletion (for secure spaces client)
Removed from public interface:
- authorize
- enforceAuthorization
- addAuditEvent
### Tests
- Most test coverage moved from `repository.security_extension.test.ts`
to `saved_objects_security_extension.test.ts`
- `repository.security_extension.test.ts` tests extension call,
parameters, and return
- Updates repository unit tests to check that all security extension
calls are made with the current space when the spaces extension is also
enabled
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
## Summary
This PR adds an internal API to get all users involved in a case. The
response returns the case's participants, the assignees, and the
unassigned users. A participant is considered anyone that made an action
to the case. The participants' array may contain an assignee and
vise-versa. Each user has `email`, `full_name`, `username`, and
`profile_uid`. All fields are optional. The endpoint will get all known
profiles using the security plugin. The profile information takes
precedence. The API will fall back to the information kept in the user
action if the profile uid is not valid.
**Endpoint:**
`GET /internal/cases/<case_id>/_users`
<details>
<summary>Example Response</summary>
```
{
"participants": [
{
"email": null,
"full_name": null,
"username": "elastic",
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
{
"email": "fuzzy_marten@profiles.elastic.co",
"full_name": "Fuzzy Marten",
"username": "fuzzy_marten",
"profile_uid": "u_3OgKOf-ogtr8kJ5B0fnRcqzXs2aQQkZLtzKEEFnKaYg_0"
},
],
"assignees": [
{
"email": "fuzzy_marten@profiles.elastic.co",
"full_name": "Fuzzy Marten",
"username": "fuzzy_marten",
"profile_uid": "u_3OgKOf-ogtr8kJ5B0fnRcqzXs2aQQkZLtzKEEFnKaYg_0"
},
{
"email": "misty_mackerel@profiles.elastic.co",
"full_name": "Misty Mackerel",
"username": "misty_mackerel",
"profile_uid": "u_BXf_iGxcnicv4l-3-ER7I-XPpfanAFAap7uls86xV7A_0"
}
],
"unassignedUsers": [
{
"email": "valid_chimpanzee@profiles.elastic.co",
"full_name": "Valid Chimpanzee",
"username": "valid_chimpanzee",
"profile_uid": "u_wEtPffVJIgxWIN8W79Rp84bbORN6x0wKiJ5eTsQvpBA_0"
}
]
}
```
</details>
### Checklist
Delete any items that are not applicable to this PR.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
### For maintainers
- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
## Summary
After merging https://github.com/elastic/kibana/pull/148979 there are a
number of imports that can be fixed immediately to address our new
deprecation notice.
## To Core reviewers
The package `core-saved-objects-server` is using types from
`core-saved-objects-api-server` which creates a circular dependency when
using `SavedObject` type from it's new home in
`core-saved-object-server`:
`core-saved-objects-server` -> `core-saved-objects-api-server` ->
`core-saved-objects-server`
One solution is that we can create a new package
`packages/core/saved-objects/core-saved-objects-server-shared` that will
only hold the `SavedObject` type and a select few others. I'm not sure
what the best approach here is. I have left
`core-saved-objects-api-server` unchanged for now (i.e., it is still
importing `SavedObject` from `common` which is deprecated).
Any input would be greatly appreciated!
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Bump elasticsearch-js to 8.6.0-canary.3 to unblock
https://github.com/elastic/kibana/issues/145653
The updated version of elasticsearch-js comes with some type changes
that causes typescript type checking to fail. I've fixed the type errors
that were obvious/easy but left todo's for some types which were harder
for me to figure out. If any of these todo's are in your team's code,
please contribute directly to the branch to fix them.
### Checklist
Delete any items that are not applicable to this PR.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] Any UI touched in this PR is usable by keyboard only (learn more
about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [ ] Any UI touched in this PR does not create any new axe failures
(run axe in browser:
[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),
[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This renders correctly on smaller devices using a responsive
layout. (You can test this [in your
browser](https://www.browserstack.com/guide/responsive-testing-on-local-server))
- [ ] This was checked for [cross-browser
compatibility](https://www.elastic.co/support/matrix#matrix_browsers)
### Risk Matrix
Delete this section if it is not applicable to this PR.
Before closing this PR, invite QA, stakeholders, and other developers to
identify risks that should be tested prior to the change/feature
release.
When forming the risk matrix, consider some of the following examples
and how they may potentially impact the change:
| Risk | Probability | Severity | Mitigation/Notes |
|---------------------------|-------------|----------|-------------------------|
| Multiple Spaces—unexpected behavior in non-default Kibana Space.
| Low | High | Integration tests will verify that all features are still
supported in non-default Kibana Space and when user switches between
spaces. |
| Multiple nodes—Elasticsearch polling might have race conditions
when multiple Kibana nodes are polling for the same tasks. | High | Low
| Tasks are idempotent, so executing them multiple times will not result
in logical error, but will degrade performance. To test for this case we
add plenty of unit tests around this logic and document manual testing
procedure. |
| Code should gracefully handle cases when feature X or plugin Y are
disabled. | Medium | High | Unit tests will verify that any feature flag
or plugin combination still results in our service operational. |
| [See more potential risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) |
### For maintainers
- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Thom Heymann <thom.heymann@elastic.co>
Co-authored-by: weltenwort <stuermer@weltenwort.de>
Closes#149037.
## Summary
The namespace argument in Saved Object Repository Update method's call
to optionallyEncryptAttributes was being supplied by an unqualified
optional parameter. This means that when the namespace option was not
defined, the current namespace was not being passed to the encrypt
method. This PR updates the argument to the qualified namespace
determined by the optional parameter and the Spaces Extension's
getCurrentNamespace method.
Unit tests have also been updated to catch this case should it occur in
the future. The same consideration will be made for security extension
unit tests in [PR
148165](https://github.com/elastic/kibana/pull/148165).
## Testing
To test, follow the instructions given in [the
issue](https://github.com/elastic/kibana/issues/149037).
This PR implements a new internal API to return the information relating
to all the connectors used throughout a case's lifespan.
Fixes: https://github.com/elastic/kibana/issues/134346
```
GET http://localhost:5601/internal/cases/<case id>/_connectors
Response
{
"my-jira": {
"name": "preconfigured-jira",
"type": ".jira",
"fields": {
"issueType": "10001",
"parent": null,
"priority": null
},
"id": "my-jira",
"needsToBePushed": true,
"hasBeenPushed": false
}
}
```
<details><summary>cURL example</summary>
```
curl --location --request GET 'http://localhost:5601/internal/cases/ae038370-91d9-11ed-97ce-c35961718f7b/_connectors' \
--header 'kbn-xsrf: hello' \
--header 'Authorization: Basic <token>' \
--data-raw ''
```
Response
```
{
"my-jira": {
"name": "preconfigured-jira",
"type": ".jira",
"fields": {
"issueType": "10001",
"parent": null,
"priority": null
},
"id": "my-jira",
"needsToBePushed": true,
"hasBeenPushed": false
}
}
```
</details>
Notable changes:
- Refactored the user actions service to move the functions that create
user actions (builders etc) to its own class `UserActionPersister`
- Refactored the `CaseUserActionService` class to pull the saved object
client, logger, and other fields passed to each function via parameters
to be wrapped in a `context` member field within the class
- Plumbed in `savedObjectsService.createSerializer` to transform a raw
elasticsearch document into the saved object representation
- Added new internal `_connectors` route and `getConnectors` client
function
- Refactored the integration tests by extracting the connector related
utility functions into their own file
## Needs to be pushed algorithm
To determine whether a case needs to be pushed for a certain connector
we follow this algorithm:
- Get all unique connectors
- For each connector
- Find the most recent user action contain the connector's fields, this
will be in the most recent `connector` user action or if the connector
was configured only once when the case was initially created it'll be on
the `create_case` user action
- Grab the most recent push user action if it exists
- For each push search for the connector fields that were used in that
push
- Get the most recent user action that would cause a push to occur
(title, description, tags, or comment change)
- For each connector
- If a push does not exist, we need to push
- If a push exists but the fields do not match the field of the most
recent connector fields, we need to push because the fields changed
- If the timestamp of the most recent user action is more recent than
that of the last push (aka the user changed something since we last
pushed) we need to push
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Dearest Reviewers 👋
I've been working on this branch with @mistic and @tylersmalley and
we're really confident in these changes. Additionally, this changes code
in nearly every package in the repo so we don't plan to wait for reviews
to get in before merging this. If you'd like to have a concern
addressed, please feel free to leave a review, but assuming that nobody
raises a blocker in the next 24 hours we plan to merge this EOD pacific
tomorrow, 12/22.
We'll be paying close attention to any issues this causes after merging
and work on getting those fixed ASAP. 🚀
---
The operations team is not confident that we'll have the time to achieve
what we originally set out to accomplish by moving to Bazel with the
time and resources we have available. We have also bought ourselves some
headroom with improvements to babel-register, optimizer caching, and
typescript project structure.
In order to make sure we deliver packages as quickly as possible (many
teams really want them), with a usable and familiar developer
experience, this PR removes Bazel for building packages in favor of
using the same JIT transpilation we use for plugins.
Additionally, packages now use `kbn_references` (again, just copying the
dx from plugins to packages).
Because of the complex relationships between packages/plugins and in
order to prepare ourselves for automatic dependency detection tools we
plan to use in the future, this PR also introduces a "TS Project Linter"
which will validate that every tsconfig.json file meets a few
requirements:
1. the chain of base config files extended by each config includes
`tsconfig.base.json` and not `tsconfig.json`
1. the `include` config is used, and not `files`
2. the `exclude` config includes `target/**/*`
3. the `outDir` compiler option is specified as `target/types`
1. none of these compiler options are specified: `declaration`,
`declarationMap`, `emitDeclarationOnly`, `skipLibCheck`, `target`,
`paths`
4. all references to other packages/plugins use their pkg id, ie:
```js
// valid
{
"kbn_references": ["@kbn/core"]
}
// not valid
{
"kbn_references": [{ "path": "../../../src/core/tsconfig.json" }]
}
```
5. only packages/plugins which are imported somewhere in the ts code are
listed in `kbn_references`
This linter is not only validating all of the tsconfig.json files, but
it also will fix these config files to deal with just about any
violation that can be produced. Just run `node scripts/ts_project_linter
--fix` locally to apply these fixes, or let CI take care of
automatically fixing things and pushing the changes to your PR.
> **Example:** [`64e93e5`
(#146212)](64e93e5806)
When I merged main into my PR it included a change which removed the
`@kbn/core-injected-metadata-browser` package. After resolving the
conflicts I missed a few tsconfig files which included references to the
now removed package. The TS Project Linter identified that these
references were removed from the code and pushed a change to the PR to
remove them from the tsconfig.json files.
## No bazel? Does that mean no packages??
Nope! We're still doing packages but we're pretty sure now that we won't
be using Bazel to accomplish the 'distributed caching' and 'change-based
tasks' portions of the packages project.
This PR actually makes packages much easier to work with and will be
followed up with the bundling benefits described by the original
packages RFC. Then we'll work on documentation and advocacy for using
packages for any and all new code.
We're pretty confident that implementing distributed caching and
change-based tasks will be necessary in the future, but because of
recent improvements in the repo we think we can live without them for
**at least** a year.
## Wait, there are still BUILD.bazel files in the repo
Yes, there are still three webpack bundles which are built by Bazel: the
`@kbn/ui-shared-deps-npm` DLL, `@kbn/ui-shared-deps-src` externals, and
the `@kbn/monaco` workers. These three webpack bundles are still created
during bootstrap and remotely cached using bazel. The next phase of this
project is to figure out how to get the package bundling features
described in the RFC with the current optimizer, and we expect these
bundles to go away then. Until then any package that is used in those
three bundles still needs to have a BUILD.bazel file so that they can be
referenced by the remaining webpack builds.
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
https://jestjs.io/blog/2022/04/25/jest-28https://jestjs.io/blog/2022/08/25/jest-29
- jest.useFakeTimers('legacy') -> jest.useFakeTimers({ legacyFakeTimers:
true });
- jest.useFakeTimers('modern'); -> jest.useFakeTimers();
- tests can either use promises or callbacks, but not both
- test runner jasmine is no longer included, switch all suites to
jest-circus
Co-authored-by: Andrew Tate <andrew.tate@elastic.co>
Merges the changes of #134395 into the new packages structure.
Resolves#133835
### Description
This PR represents a fully manual merge of the saved objects refactor of
client wrapper system into repository extensions. These changes are
being manually merged due to significant changes of the saved objects
implementation in the main branch, specifically the migration to the new
packages structure.
### Other changes
- Bulk Delete: bulk delete was implemented in parallel to #134395 being
completed and this PR will refactor that API to utilize the new
extensions
Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>
* Bump `elastic/elasticsearch` to `8.4.0-canary.1`
* fixing package violations
* some xpack violations
* remove more unused ts-expect-error
* started muting errors
* start adapting watcher
* fix more usages
* fix more usages
* fixing more usages
* just one more
* more usages
* infra usages
* moar types
* fix unit test
* adapt more usages
* fixes in FTR tests
* try to fix kbn/es-types
* last fixes?
* [packages] add kibana.jsonc files
* auto-migrate to kibana.jsonc
* support interactive pkg id selection too
* remove old codeowners entry
* skip codeowners generation when .github/CODEOWNERS doesn't exist
* fall back to format validation if user is offline
* update question style
* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
