## Summary
Kibana needs to more tightly control the set of visible features within
a space, in order to support the new solution-based navigation.
Added `scope` field to the features configuration. This enhancement is
intended to prevent new features from appearing in Space Visibility
Toggles.
### Checklist
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
__Fixes: https://github.com/elastic/kibana/issues/191299__
## Release Note
Added `scope` field to the features configuration. This enhancement is
intended to prevent new features from appearing in Space Visibility
Toggles.
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
This PR has breadth, but not depth. This adds 3 new `eslint` rules. The
first two protect against the use of code generated from strings (`eval`
and friends), which will not work client-side due to our CSP, and is not
something we wish to support server-side. The last rule aims to prevent
a subtle class of bugs, and to defend against a subset of prototype
pollution exploits:
- `no-new-func` to be compliant with our CSP, and to prevent code
execution from strings server-side:
https://eslint.org/docs/latest/rules/no-new-func
- `no-implied-eval` to be compliant with our CSP, and to prevent code
execution from strings server-side:
https://eslint.org/docs/latest/rules/no-implied-eval. Note that this
function implies that it prevents no-new-func, but I don't see [test
cases](https://github.com/eslint/eslint/blob/main/tests/lib/rules/no-implied-eval.js)
covering this behavior, so I think we should play it safe and enable
both rules.
- `no-prototype-builtins` to prevent accessing shadowed properties:
https://eslint.org/docs/latest/rules/no-prototype-builtins
In order to be compliant with `no-prototype-builtins`, I've migrated all
usages and variants of `Object.hasOwnProperty` to use the newer
[`Object.hasOwn`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/hasOwn).
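The shadowing problem that `no-prototype-builtins` guards against, shown as an added example that is not part of the commit or the Kibana code base. The helper names, the `isAdmin` key and the sample objects are constructed for illustration.

```javascript
// Added example; helper names and sample inputs are constructed.

// Pattern the rule flags: the method is looked up on the object itself,
// so the object's own data decides what actually runs.
function hasKeyLegacy(obj, key) {
  // eslint-disable-next-line no-prototype-builtins
  return obj.hasOwnProperty(key);
}

// Replacement: a static call that never reads a method from obj.
function hasKeySafe(obj, key) {
  return Object.hasOwn(obj, key);
}

// Run a check and record either its result or the error type it threw.
function attempt(check, obj, key) {
  try {
    return { ok: true, value: check(obj, key) };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

function runCases() {
  // 1. Parsed input whose own "hasOwnProperty" key is not callable.
  const shadowedValue = JSON.parse('{"name":"a","hasOwnProperty":1}');
  // 2. Object whose own "hasOwnProperty" answers true for every key.
  const shadowedFn = { name: 'b', hasOwnProperty: () => true };
  // 3. Dictionary with no prototype, so the method does not exist at all.
  const bare = Object.assign(Object.create(null), { name: 'c' });

  const cases = { shadowedValue, shadowedFn, bare };
  const results = {};
  for (const [label, obj] of Object.entries(cases)) {
    results[label] = {
      legacy: attempt(hasKeyLegacy, obj, 'isAdmin'),
      safe: attempt(hasKeySafe, obj, 'isAdmin'),
    };
  }
  return results;
}

console.log(JSON.stringify(runCases(), null, 2));
```

The legacy check throws on the first and third inputs and returns a wrong `true` on the second, while `Object.hasOwn` returns `false` for all three.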
## Summary
Added solution property for the space.
- Forbidden in serverless.
- To facilitate iterative development, made the property optional in the
stateful offering until all of the workstreams are complete.
### How to test API changes
```
# Should create space
POST kbn:/api/spaces/space
{
"name": "space without solution",
"id": "my-space-solution-1",
"description": "a description",
"color": "#5c5959",
"disabledFeatures": []
}
# Should fail with 400
POST kbn:/api/spaces/space
{
"name": "space with solution",
"id": "my-space-solution-2",
"description": "a description",
"color": "#5c5959",
"solution": "some_solution",
"disabledFeatures": []
}
# Should fail with 400
POST kbn:/api/spaces/space
{
"name": "space with solution",
"id": "my-space-solution-2",
"description": "a description",
"color": "#5c5959",
"solution": null,
"disabledFeatures": []
}
# Should create space
POST kbn:/api/spaces/space
{
"name": "space with solution",
"id": "my-space-solution-2",
"description": "a description",
"color": "#5c5959",
"solution": "search",
"disabledFeatures": []
}
# Should get 'my-space-solution-1' space without solution field
GET kbn:/api/spaces/space/my-space-solution-1
# Should get 'my-space-solution-2' space with solution field
GET kbn:/api/spaces/space/my-space-solution-2
# Should fail to update with 400
PUT kbn:/api/spaces/space/my-space-solution-1
{
"id": "my-space-solution-1",
"name": "my-space-solution-1 name",
"solution": "some_solution"
}
# Should fail to update with 400
PUT kbn:/api/spaces/space/my-space-solution-1
{
"id": "my-space-solution-1",
"name": "my-space-solution-1 name",
"solution": null
}
# Should update 'my-space-solution-1'
PUT kbn:/api/spaces/space/my-space-solution-1
{
"id": "my-space-solution-1",
"name": "my-space-solution-1 name",
"solution": "security"
}
# Should get 'my-space-solution-1' space with solution field set to 'security'
GET kbn:/api/spaces/space/my-space-solution-1
# Should return list where
# 1. 'my-space-solution-1' has solution 'security'
# 2. 'my-space-solution-2' has solution 'search'
# 3. Other spaces don't have solution field present
GET kbn:/api/spaces/space
```
### Checklist
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed ([Security and Spaces
config](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6076),
[Spaces only
config](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6075))
### For maintainers
- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
__Fixes: https://github.com/elastic/kibana/issues/183559__
## Release note
Added optional solution property for Space in a stateful offering.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Upgrade eslint from 7.32.0 to 8.46.0.
For details of breaking changes, see ESLint blog post, Migrate to v8.0.0:
https://eslint.org/docs/latest/use/migrate-to-8.0.0
For a full list of changes see their CHANGELOG.md:
https://github.com/eslint/eslint/blob/main/CHANGELOG.md
This also upgrades a bunch of ESLint plugins and related packages at the same time:
@types/eslint: 7.28.0 -> 8.44.2
eslint-config-prettier: 8.5.0 -> 9.0.0
eslint-module-utils: 2.6.2 -> 2.8.0
eslint-plugin-ban: 1.5.2 -> 1.6.0
eslint-plugin-cypress: 2.13.2 -> 2.14.0
eslint-plugin-import: 2.24.2 -> 2.28.0
eslint-plugin-jsx-a11y: 6.4.1 -> 6.7.1
eslint-plugin-mocha: 10.0.5 -> 10.1.0
eslint-plugin-no-unsanitized: 3.1.5 -> 4.0.2
Resolves https://github.com/elastic/kibana/issues/159392
## Summary
This PR hides the feature visibility section on the space management
screen and disables adding `disabledFeatures` when creating or updating
spaces using the REST API or spaces client on serverless.
## Screenshot

## Testing
1. Start Kibana in serverless mode: `yarn start --serverless`
2. Edit default space and observe that the feature visibility section is
not rendered
3. Quit Kibana and restart using classic mode: `yarn start`
4. Edit default space and observe that the feature visibility section is
rendered correctly
5. Other considerations:
   - Disabling feature visibility in the classic offering should throw an
     error (`xpack.spaces.allowFeatureVisibility: false`)
   - Enabling feature visibility on serverless should throw an error
     (`xpack.spaces.allowFeatureVisibility: true`)
Closes #159708
## Summary
This PR replaces the common Space interface with a versioned interface
per [The road to versioned HTTP APIs
doc](https://docs.google.com/document/d/1wSj6S5mvbiZ-YeGnrH3McXl0EgLHIXj5T1kkVrbkov4/edit?pli=1#heading=h.ldcj84g80m8x),
and guidance of [Versioning
Interfaces](https://docs.elastic.dev/kibana-dev-docs/versioning-interfaces).
Additionally, this PR replaces the implicit use of saved object
attributes with an explicit conversion from the SO attributes to
versioned interface properties.
### Tests
-
x-pack/plugins/spaces/server/spaces_client/spaces_client_service.test.ts
- x-pack/test/functional/apps/spaces
- x-pack/test/api_integration/apis/spaces
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Closes #147049
Closes #149897
Migrates authorization and audit logic from the Saved Objects Repository
to the Saved Objects Security Extension. This is achieved by
implementing action-specific authorization methods within the security
extension. The SO repository is no longer responsible for making any
authorization decisions, but it is still responsible to know how to call
the extension methods. I've tried to make this as straightforward as
possible such that there is a clear ownership delineation between the
repository and the extension, by keeping the interface simple and
(hopefully) obvious.
### Security Extension Interface
New Public Extension Methods:
- authorizeCreate
- authorizeBulkCreate
- authorizeUpdate
- authorizeBulkUpdate
- authorizeDelete
- authorizeBulkDelete
- authorizeGet
- authorizeBulkGet
- authorizeCheckConflicts
- authorizeRemoveReferences
- authorizeOpenPointInTime
- auditClosePointInTime
- authorizeAndRedactMultiNamespaceReferences
- authorizeAndRedactInternalBulkResolve
- authorizeUpdateSpaces
- authorizeFind
- getFindRedactTypeMap
- authorizeDisableLegacyUrlAliases (for secure spaces client)
- auditObjectsForSpaceDeletion (for secure spaces client)
Removed from public interface:
- authorize
- enforceAuthorization
- addAuditEvent
### Tests
- Most test coverage moved from `repository.security_extension.test.ts`
to `saved_objects_security_extension.test.ts`
- `repository.security_extension.test.ts` tests extension call,
parameters, and return
- Updates repository unit tests to check that all security extension
calls are made with the current space when the spaces extension is also
enabled
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
* Removing circular dependency between spaces and security
* Apply suggestions from code review
Co-authored-by: Constance <constancecchen@users.noreply.github.com>
Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>
* Tests refactor
- Reorganize top level describes into 3 blocks based on spaces:
  - space disabled
  - spaces plugin unavailable
  - space enabled (most previous tests go under this new block) with new beforeEach
- wrote new tests for uncovered lines 58, 66-69
* Review1: address PR feedback
* changing fake requests for alerts/actions
* Fixing tests
* fixing more tests
* Additional testing and refactoring
* Apply suggestions from code review
Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>
* Review 2: Address feedback
* Make ESLint happy again
Co-authored-by: Constance <constancecchen@users.noreply.github.com>
Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>
Co-authored-by: Constance Chen <constance.chen.3@gmail.com>