From 29af54cf1e91b4f3dd4f9a1c4c55e06c1cd9c6e5 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Tue, 2 May 2023 16:57:20 -0400
Subject: [PATCH] [8.8] Fix unable to create roles under Stack Management (#156381) (#156440)
# Backport This will backport the following commits from `main` to `8.8`: - [Fix unable to create roles under Stack Management (#156381)](https://github.com/elastic/kibana/pull/156381) ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport)
Co-authored-by: Thom Heymann <190132+thomheymann@users.noreply.github.com>
---
 .../roles/model/put_payload.test.ts | 43 +++++++++++++++++++
 .../authorization/roles/model/put_payload.ts | 2 +-
 .../routes/authorization/roles/put.test.ts | 43 ++++++++++++++-----
 3 files changed, 77 insertions(+), 11 deletions(-)
diff --git a/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.test.ts b/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.test.ts
index 597396a5837ff..9dd2deb876c61 100644
--- a/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.test.ts
+++ b/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.test.ts
@@ -389,6 +389,49 @@ describe('Put payload schema', () => {
 }
 `);
 });
+
+ test('passes through remote_indices when specified', () => {
+ expect(
+ getPutPayloadSchema(() => basePrivilegeNamesMap).validate({
+ elasticsearch: {
+ remote_indices: [
+ {
+ clusters: ['remote_cluster'],
+ names: ['remote_index'],
+ privileges: ['all'],
+ },
+ ],
+ },
+ })
+ ).toMatchInlineSnapshot(`
+ Object {
+ "elasticsearch": Object {
+ "remote_indices": Array [
+ Object {
+ "clusters": Array [
+ "remote_cluster",
+ ],
+ "names": Array [
+ "remote_index",
+ ],
+ "privileges": Array [
+ "all",
+ ],
+ },
+ ],
+ },
+ }
+ `);
+ });
+
+ // This is important for backwards compatibility
+ test('does not set default value for remote_indices when not specified', () => {
+ expect(getPutPayloadSchema(() => basePrivilegeNamesMap).validate({})).toMatchInlineSnapshot(`
+ Object {
+ "elasticsearch": Object {},
+ }
+ `);
+ });
 });
 describe('validateKibanaPrivileges', () => {
diff --git a/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.ts b/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.ts
index a52399d4a04ec..5c8a07d15000d 100644
--- a/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.ts
+++ b/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.ts
@@ -37,7 +37,7 @@ export const transformPutPayloadToElasticsearchRole = (
 metadata: rolePayload.metadata,
 cluster: elasticsearch.cluster || [],
 indices: elasticsearch.indices || [],
- remote_indices: elasticsearch.remote_indices || [],
+ remote_indices: elasticsearch.remote_indices,
 run_as: elasticsearch.run_as || [],
 applications: [
 ...transformPrivilegesToElasticsearchPrivileges(application, kibana),
diff --git a/x-pack/plugins/security/server/routes/authorization/roles/put.test.ts b/x-pack/plugins/security/server/routes/authorization/roles/put.test.ts
index 1e59f7a5d6a0f..6adbe8975b0a9 100644
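Review bot: The comment `// This is important for backwards compatibility` above the second added test does not say what has to stay compatible, so the reason a schema default would be harmful is lost on the next reader. Going by the put_payload.ts change in this same patch, whatever the schema yields for `remote_indices` is forwarded into the role body unchanged, so a default of `[]` would be written on every role save. I would say so directly, e.g. `// No schema default: the transform forwards remote_indices as-is, so a default [] would end up in every role body`. The enclosing `describe('Put payload schema', ...)` block starts outside the hunk.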
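Review bot: `remote_indices: elasticsearch.remote_indices,` is now the only field in this object literal without an `|| []` fallback, and nothing on the line marks the difference as deliberate. Because this object is the privilege set written for the role, a later clean-up that restores the fallback for consistency would change every role write again without any obvious signal; a comment such as `// Intentionally no default: omit remote_indices from the role body unless the caller supplied it` would guard against that. An explicit empty array from the caller is still forwarded as `[]`, so it is worth confirming that case is accepted wherever an omitted field is (the reason for the original failure is not visible in this patch). `transformPutPayloadToElasticsearchRole` starts and ends outside the hunk.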
--- a/x-pack/plugins/security/server/routes/authorization/roles/put.test.ts
+++ b/x-pack/plugins/security/server/routes/authorization/roles/put.test.ts
@@ -325,7 +325,7 @@ describe('PUT role', () => {
 body: {
 cluster: [],
 indices: [],
- remote_indices: [],
+ remote_indices: undefined,
 run_as: [],
 applications: [],
 },
@@ -359,7 +359,7 @@ describe('PUT role', () => {
 body: {
 cluster: [],
 indices: [],
- remote_indices: [],
+ remote_indices: undefined,
 run_as: [],
 applications: [
 {
@@ -402,7 +402,7 @@ describe('PUT role', () => {
 body: {
 cluster: [],
 indices: [],
- remote_indices: [],
+ remote_indices: undefined,
 run_as: [],
 applications: [
 {
@@ -443,7 +443,7 @@ describe('PUT role', () => {
 body: {
 cluster: [],
 indices: [],
- remote_indices: [],
+ remote_indices: undefined,
 run_as: [],
 applications: [
 {
@@ -480,6 +480,18 @@ describe('PUT role', () => {
 query: `{ "match": { "title": "foo" } }`,
 },
 ],
+ remote_indices: [
+ {
+ field_security: {
+ grant: ['test-field-security-grant-1', 'test-field-security-grant-2'],
+ except: ['test-field-security-except-1', 'test-field-security-except-2'],
+ },
+ clusters: ['test-cluster-name-1', 'test-cluster-name-2'],
+ names: ['test-index-name-1', 'test-index-name-2'],
+ privileges: ['test-index-privilege-1', 'test-index-privilege-2'],
+ query: `{ "match": { "title": "foo" } }`,
+ },
+ ],
 run_as: ['test-run-as-1', 'test-run-as-2'],
 },
 kibana: [
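Review bot: The expectation `remote_indices: undefined` in the hunk at -325 (and repeated at -359, -402, -443, -661, -765, -803, -848 and -893) records intent more than it checks it. If the surrounding assertion uses Jest's recursive equality (the assertion call lies outside these hunks), a key set to `undefined` compares equal to a missing key, so the line could be dropped without changing the result; the tests still fail if `[]` comes back, which is the regression that matters. What they presumably cannot show, with the Elasticsearch client mocked, is that the key is absent from the request actually sent. A comment on the first occurrence, e.g. `// undefined: the key is expected to be dropped when the body is serialized`, would make that assumption explicit.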
@@ -539,7 +551,18 @@ describe('PUT role', () => {
 query: `{ "match": { "title": "foo" } }`,
 },
 ],
- remote_indices: [],
+ remote_indices: [
+ {
+ field_security: {
+ grant: ['test-field-security-grant-1', 'test-field-security-grant-2'],
+ except: ['test-field-security-except-1', 'test-field-security-except-2'],
+ },
+ clusters: ['test-cluster-name-1', 'test-cluster-name-2'],
+ names: ['test-index-name-1', 'test-index-name-2'],
+ privileges: ['test-index-privilege-1', 'test-index-privilege-2'],
+ query: `{ "match": { "title": "foo" } }`,
+ },
+ ],
 metadata: { foo: 'test-metadata' },
 run_as: ['test-run-as-1', 'test-run-as-2'],
 },
@@ -661,7 +684,7 @@ describe('PUT role', () => {
 query: `{ "match": { "title": "foo" } }`,
 },
 ],
- remote_indices: [],
+ remote_indices: undefined,
 metadata: { foo: 'test-metadata' },
 run_as: ['test-run-as-1', 'test-run-as-2'],
 },
@@ -765,7 +788,7 @@ describe('PUT role', () => {
 privileges: ['test-index-privilege-1', 'test-index-privilege-2'],
 },
 ],
- remote_indices: [],
+ remote_indices: undefined,
 metadata: { foo: 'test-metadata' },
 run_as: ['test-run-as-1', 'test-run-as-2'],
 },
@@ -803,7 +826,7 @@ describe('PUT role', () => {
 body: {
 cluster: [],
 indices: [],
- remote_indices: [],
+ remote_indices: undefined,
 run_as: [],
 applications: [
 {
@@ -848,7 +871,7 @@ describe('PUT role', () => {
 body: {
 cluster: [],
 indices: [],
- remote_indices: [],
+ remote_indices: undefined,
 run_as: [],
 applications: [
 {
@@ -893,7 +916,7 @@ describe('PUT role', () => {
 body: {
 cluster: [],
 indices: [],
- remote_indices: [],
+ remote_indices: undefined,
 run_as: [],
 applications: [
 {