[Write Restricted Dashboards] Feature branch

.buildkite/ftr_platform_stateful_configs.yml

@@ -338,6 +338,8 @@ enabled:
   - x-pack/platform/test/spaces_api_integration/security_and_spaces/config_basic.ts
   - x-pack/platform/test/spaces_api_integration/security_and_spaces/config_trial.ts
   - x-pack/platform/test/spaces_api_integration/spaces_only/config.ts
+  - x-pack/platform/test/spaces_api_integration/access_control_objects/config.ts
+  - x-pack/platform/test/spaces_api_integration/access_control_objects/feature_disabled.config.ts
   - x-pack/platform/test/task_manager_claimer_update_by_query/config.ts
   - x-pack/platform/test/ui_capabilities/security_and_spaces/config.ts
   - x-pack/platform/test/ui_capabilities/spaces_only/config.ts

.github/CODEOWNERS

@@ -404,6 +404,8 @@ src/platform/packages/private/shared-ux/storybook/config @elastic/appex-sharedux
 src/platform/packages/shared/chart-expressions-common @elastic/kibana-visualizations
 src/platform/packages/shared/chart-test-jest-helpers @elastic/kibana-visualizations
 src/platform/packages/shared/cloud @elastic/kibana-core
+src/platform/packages/shared/content-management/access_control/access_control_public @elastic/appex-sharedux
+src/platform/packages/shared/content-management/access_control/access_control_server @elastic/appex-sharedux
 src/platform/packages/shared/content-management/content_editor @elastic/appex-sharedux
 src/platform/packages/shared/content-management/content_insights/content_insights_public @elastic/appex-sharedux
 src/platform/packages/shared/content-management/content_insights/content_insights_server @elastic/appex-sharedux
@@ -1126,6 +1128,7 @@ x-pack/platform/test/security_api_integration/plugins/oidc_provider @elastic/kib
 x-pack/platform/test/security_api_integration/plugins/saml_provider @elastic/kibana-security
 x-pack/platform/test/security_api_integration/plugins/user_profiles_consumer @elastic/kibana-security
 x-pack/platform/test/security_functional/plugins/test_endpoints @elastic/kibana-security
+x-pack/platform/test/spaces_api_integration/common/plugins/access_control_test_plugin @elastic/kibana-security
 x-pack/platform/test/spaces_api_integration/common/plugins/spaces_test_plugin @elastic/kibana-security
 x-pack/platform/test/task_manager_claimer_update_by_query/plugins/sample_task_plugin_mget @elastic/response-ops
 x-pack/platform/test/ui_capabilities/common/plugins/foo_plugin @elastic/kibana-security

package.json

@@ -166,6 +166,7 @@
     "@hapi/wreck": "^18.1.0",
     "@hello-pangea/dnd": "18.0.1",
     "@kbn/aad-fixtures-plugin": "link:x-pack/platform/test/alerting_api_integration/common/plugins/aad",
+    "@kbn/access-control-test-plugin": "link:x-pack/platform/test/spaces_api_integration/common/plugins/access_control_test_plugin",
     "@kbn/actions-plugin": "link:x-pack/platform/plugins/shared/actions",
     "@kbn/actions-simulators-plugin": "link:x-pack/platform/test/alerting_api_integration/common/plugins/actions_simulators",
     "@kbn/actions-types": "link:src/platform/packages/shared/kbn-actions-types",
@@ -261,6 +262,8 @@
     "@kbn/connector-specs": "link:src/platform/packages/shared/kbn-connector-specs",
     "@kbn/console-plugin": "link:src/platform/plugins/shared/console",
     "@kbn/content-connectors-plugin": "link:x-pack/platform/plugins/shared/content_connectors",
+    "@kbn/content-management-access-control-public": "link:src/platform/packages/shared/content-management/access_control/access_control_public",
+    "@kbn/content-management-access-control-server": "link:src/platform/packages/shared/content-management/access_control/access_control_server",
     "@kbn/content-management-content-editor": "link:src/platform/packages/shared/content-management/content_editor",
     "@kbn/content-management-content-insights-public": "link:src/platform/packages/shared/content-management/content_insights/content_insights_public",
     "@kbn/content-management-content-insights-server": "link:src/platform/packages/shared/content-management/content_insights/content_insights_server",

src/core/packages/plugins/server-internal/src/plugin_context.ts

@@ -266,8 +266,10 @@ export function createPluginSetupContext<TPlugin, TPluginDependencies>({
       setEncryptionExtension: deps.savedObjects.setEncryptionExtension,
       setSecurityExtension: deps.savedObjects.setSecurityExtension,
       setSpacesExtension: deps.savedObjects.setSpacesExtension,
+      setAccessControlTransforms: deps.savedObjects.setAccessControlTransforms,
       registerType: deps.savedObjects.registerType,
       getDefaultIndex: deps.savedObjects.getDefaultIndex,
+      isAccessControlEnabled: deps.savedObjects.isAccessControlEnabled,
     },
     status: {
       core$: deps.status.core$,

src/core/packages/saved-objects/api-server-internal/src/lib/apis/bulk_create.test.ts

@@ -19,7 +19,10 @@ import {
 
 import type { Payload } from '@hapi/boom';
 
-import type { SavedObjectsBulkCreateObject } from '@kbn/core-saved-objects-api-server';
+import type {
+  SavedObjectAccessControl,
+  SavedObjectsBulkCreateObject,
+} from '@kbn/core-saved-objects-api-server';
 import {
   type SavedObjectsRawDoc,
   type SavedObjectUnsanitizedDoc,
@@ -58,6 +61,7 @@ import {
 } from '../../test_helpers/repository.test.common';
 import type { ISavedObjectsSecurityExtension } from '@kbn/core-saved-objects-server';
 import { savedObjectsExtensionsMock } from '../../mocks/saved_objects_extensions.mock';
+import type { AuthenticatedUser } from '@kbn/core-security-common';
 
 // so any breaking changes to this repository are considered breaking changes to the SavedObjectsClient.
 
@@ -1086,6 +1090,266 @@ describe('#bulkCreate', () => {
           })
         );
       });
+
+      describe('access control', () => {
+        const CURRENT_USER_PROFILE_ID = 'current_user_profile_id';
+        const ACCESS_CONTROL_TYPE = 'access-control-type';
+
+        beforeEach(() => {
+          securityExtension.getCurrentUser.mockReturnValue({
+            authentication_realm: {
+              name: 'authentication_realm',
+              type: 'authentication_realm_type',
+            },
+            lookup_realm: {
+              name: 'lookup_realm',
+              type: 'lookup_realm_type',
+            },
+            authentication_provider: {
+              name: 'authentication_provider',
+              type: 'authentication_provider_type',
+            },
+            authentication_type: 'realm',
+            elastic_cloud_user: false,
+            profile_uid: CURRENT_USER_PROFILE_ID,
+          } as AuthenticatedUser);
+        });
+
+        registry.registerType({
+          name: ACCESS_CONTROL_TYPE,
+          hidden: false,
+          namespaceType: 'multiple-isolated',
+          supportsAccessControl: true,
+          mappings: {
+            dynamic: false,
+            properties: {
+              description: { type: 'text' },
+            },
+          },
+          management: {
+            importableAndExportable: true,
+          },
+        });
+
+        afterEach(() => {
+          securityExtension.getCurrentUser.mockClear();
+        });
+
+        it('applies access control options only to applicable types when using global access control options', async () => {
+          const obj1NoAccessControl = {
+            type: 'config',
+            id: '6.0.0-alpha1',
+            attributes: { title: 'Test One' },
+            references: [{ name: 'ref_0', type: 'test', id: '1' }],
+          };
+          const obj2AccessControl = {
+            type: ACCESS_CONTROL_TYPE,
+            id: 'has-read-only-metadata',
+            attributes: { title: 'Test Two' },
+            references: [{ name: 'ref_0', type: 'test', id: '2' }],
+          };
+          await bulkCreateSuccess(client, repository, [obj1NoAccessControl, obj2AccessControl], {
+            accessControl: { accessMode: 'write_restricted' },
+          });
+
+          expect(securityExtension.authorizeBulkCreate).toHaveBeenCalledWith(
+            expect.objectContaining({
+              objects: expect.arrayContaining([
+                {
+                  type: ACCESS_CONTROL_TYPE,
+                  id: 'has-read-only-metadata',
+                  name: 'Test Two',
+                  existingNamespaces: [],
+                  initialNamespace: undefined,
+                  accessControl: {
+                    owner: CURRENT_USER_PROFILE_ID,
+                    accessMode: 'write_restricted',
+                  },
+                },
+              ]),
+            })
+          );
+        });
+
+        it('applies access control options to supporting types when using per object access control options', async () => {
+          const obj1NoAccessControl = {
+            type: 'config',
+            id: '6.0.0-alpha1',
+            attributes: { title: 'Test One' },
+            references: [{ name: 'ref_0', type: 'test', id: '1' }],
+          };
+          const obj2AccessControl = {
+            type: ACCESS_CONTROL_TYPE,
+            id: 'has-read-only-metadata',
+            attributes: { title: 'Test Two' },
+            references: [{ name: 'ref_0', type: 'test', id: '2' }],
+            accessControl: {
+              accessMode: 'write_restricted',
+            } as Pick<SavedObjectAccessControl, 'accessMode'>,
+          };
+          await bulkCreateSuccess(client, repository, [obj1NoAccessControl, obj2AccessControl]);
+
+          expect(securityExtension.authorizeBulkCreate).toHaveBeenCalledWith({
+            objects: [
+              {
+                type: 'config',
+                id: '6.0.0-alpha1',
+                name: 'Test One',
+                existingNamespaces: [],
+                initialNamespaces: undefined,
+              },
+              {
+                type: ACCESS_CONTROL_TYPE,
+                id: 'has-read-only-metadata',
+                name: 'Test Two',
+                existingNamespaces: [],
+                initialNamespaces: undefined,
+                accessControl: {
+                  owner: CURRENT_USER_PROFILE_ID,
+                  accessMode: 'write_restricted',
+                },
+              },
+            ],
+          });
+        });
+
+        it('overrides access control options with incoming object property only for applicable types', async () => {
+          const obj1NoAccessControl = {
+            type: 'config',
+            id: '6.0.0-alpha1',
+            attributes: { title: 'Test One' },
+            references: [{ name: 'ref_0', type: 'test', id: '1' }],
+            accessControl: {
+              accessMode: 'write_restricted',
+            } as Pick<SavedObjectAccessControl, 'accessMode'>,
+          };
+          const obj2AccessControl = {
+            type: ACCESS_CONTROL_TYPE,
+            id: 'has-read-only-metadata',
+            attributes: { title: 'Test Two' },
+            references: [{ name: 'ref_0', type: 'test', id: '2' }],
+            accessControl: {
+              accessMode: 'default', // default === RBAC-only
+            } as Pick<SavedObjectAccessControl, 'accessMode'>,
+          };
+          const obj3AccessControl = {
+            type: ACCESS_CONTROL_TYPE,
+            id: 'has-read-only-metadata',
+            attributes: { title: 'Test Three' },
+            references: [{ name: 'ref_0', type: 'test', id: '3' }],
+          };
+          const obj4NoAccessControl = {
+            type: 'config',
+            id: '6.0.0-alpha4',
+            attributes: { title: 'Test One' },
+            references: [{ name: 'ref_0', type: 'test', id: '1' }],
+          };
+
+          await bulkCreateSuccess(
+            client,
+            repository,
+            [obj1NoAccessControl, obj2AccessControl, obj3AccessControl, obj4NoAccessControl],
+            {
+              accessControl: { accessMode: 'write_restricted' },
+            }
+          );
+
+          expect(securityExtension.authorizeBulkCreate).toHaveBeenCalledWith({
+            objects: [
+              {
+                type: ACCESS_CONTROL_TYPE,
+                id: 'has-read-only-metadata',
+                name: 'Test Two',
+                existingNamespaces: [],
+                initialNamespace: undefined,
+                accessControl: {
+                  owner: CURRENT_USER_PROFILE_ID,
+                  accessMode: 'default', // explicitly confirm the mode is overriden
+                },
+              },
+              {
+                type: ACCESS_CONTROL_TYPE,
+                id: 'has-read-only-metadata',
+                name: 'Test Three',
+                existingNamespaces: [],
+                initialNamespace: undefined,
+                accessControl: {
+                  owner: CURRENT_USER_PROFILE_ID,
+                  accessMode: 'write_restricted', // explicitly confirm the mode is NOT overriden
+                },
+              },
+            ],
+          });
+        });
+
+        it('does not create objects with access control when there is no active user profile', async () => {
+          securityExtension.getCurrentUser.mockReturnValueOnce(null);
+
+          const obj1NoAccessControl = {
+            type: 'config',
+            id: '6.0.0-alpha1',
+            attributes: { title: 'Test One' },
+            references: [{ name: 'ref_0', type: 'test', id: '1' }],
+            accessControl: {
+              accessMode: 'write_restricted',
+            } as Pick<SavedObjectAccessControl, 'accessMode'>,
+          };
+          const obj2AccessControl = {
+            type: ACCESS_CONTROL_TYPE,
+            id: 'has-read-only-metadata',
+            attributes: { title: 'Test Two' },
+            references: [{ name: 'ref_0', type: 'test', id: '2' }],
+            accessControl: {
+              accessMode: 'write_restricted',
+            } as Pick<SavedObjectAccessControl, 'accessMode'>,
+          };
+          await bulkCreateSuccess(client, repository, [obj1NoAccessControl, obj2AccessControl]);
+
+          expect(securityExtension.authorizeBulkCreate).not.toHaveBeenCalled();
+        });
+
+        // regression test
+        it('creates objects supporting access control with no access control metadata when there is no active user profile and no access mode is provided', async () => {
+          securityExtension.getCurrentUser.mockReturnValueOnce(null);
+
+          const obj1NoAccessControl = {
+            type: 'config',
+            id: '6.0.0-alpha1',
+            attributes: { title: 'Test One' },
+            references: [{ name: 'ref_0', type: 'test', id: '1' }],
+          };
+          const obj2AccessControl = {
+            type: ACCESS_CONTROL_TYPE,
+            id: 'could-have-read-only-metadata',
+            attributes: { title: 'Test Two' },
+            references: [{ name: 'ref_0', type: 'test', id: '2' }],
+          };
+          await bulkCreateSuccess(client, repository, [obj1NoAccessControl, obj2AccessControl]); // no accessControl options
+
+          expect(securityExtension.authorizeBulkCreate).toHaveBeenCalledWith(
+            expect.objectContaining({
+              objects: [
+                {
+                  type: 'config',
+                  id: '6.0.0-alpha1',
+                  name: 'Test One',
+                  existingNamespaces: [],
+                  initialNamespace: undefined,
+                  // explicitly confirm there is no accessControl for non-supporting type
+                },
+                {
+                  type: ACCESS_CONTROL_TYPE,
+                  id: 'could-have-read-only-metadata',
+                  name: 'Test Two',
+                  existingNamespaces: [],
+                  initialNamespace: undefined,
+                  // explicitly confirm there is no accessControl for supporting type
+                },
+              ],
+            })
+          );
+        });
+      });
     });
   });
 });