Merge branch '8.x' into backport/8.x/pr-193534

.buildkite/ftr_platform_stateful_configs.yml

@@ -315,6 +315,7 @@ enabled:
   - x-pack/test/security_api_integration/saml.http2.config.ts
   - x-pack/test/security_api_integration/saml_cloud.config.ts
   - x-pack/test/security_api_integration/chips.config.ts
+  - x-pack/test/security_api_integration/features.config.ts
   - x-pack/test/security_api_integration/session_idle.config.ts
   - x-pack/test/security_api_integration/session_invalidate.config.ts
   - x-pack/test/security_api_integration/session_lifespan.config.ts

package.json

@@ -522,6 +522,7 @@
     "@kbn/feature-flags-example-plugin": "link:examples/feature_flags_example",
     "@kbn/feature-usage-test-plugin": "link:x-pack/test/plugin_api_integration/plugins/feature_usage_test",
     "@kbn/features-plugin": "link:x-pack/plugins/features",
+    "@kbn/features-provider-plugin": "link:x-pack/test/security_api_integration/plugins/features_provider",
     "@kbn/fec-alerts-test-plugin": "link:x-pack/test/functional_execution_context/plugins/alerts",
     "@kbn/field-formats-example-plugin": "link:examples/field_formats_example",
     "@kbn/field-formats-plugin": "link:src/plugins/field_formats",
@@ -797,6 +798,7 @@
     "@kbn/searchprofiler-plugin": "link:x-pack/plugins/searchprofiler",
     "@kbn/security-api-key-management": "link:x-pack/packages/security/api_key_management",
     "@kbn/security-authorization-core": "link:x-pack/packages/security/authorization_core",
+    "@kbn/security-authorization-core-common": "link:x-pack/packages/security/authorization_core_common",
     "@kbn/security-form-components": "link:x-pack/packages/security/form_components",
     "@kbn/security-hardening": "link:packages/kbn-security-hardening",
     "@kbn/security-plugin": "link:x-pack/plugins/security",

packages/kbn-ftr-common-functional-ui-services/services/security/role.ts

@@ -14,6 +14,28 @@ import { KbnClient } from '@kbn/test';
 export class Role {
   constructor(private log: ToolingLog, private kibanaServer: KbnClient) {}
 
+  public async get(
+    name: string,
+    { replaceDeprecatedPrivileges = true }: { replaceDeprecatedPrivileges?: boolean } = {}
+  ) {
+    this.log.debug(`retrieving role ${name}`);
+    const { data, status, statusText } = await this.kibanaServer
+      .request({
+        path: `/api/security/role/${name}?replaceDeprecatedPrivileges=${replaceDeprecatedPrivileges}`,
+        method: 'GET',
+      })
+      .catch((e) => {
+        throw new Error(util.inspect(e.axiosError.response, true));
+      });
+    if (status !== 200) {
+      throw new Error(
+        `Expected status code of 200, received ${status} ${statusText}: ${util.inspect(data)}`
+      );
+    }
+
+    return data;
+  }
+
   public async create(name: string, role: any) {
     this.log.debug(`creating role ${name}`);
     const { data, status, statusText } = await this.kibanaServer

tsconfig.base.json

@@ -926,6 +926,8 @@
       "@kbn/feature-usage-test-plugin/*": ["x-pack/test/plugin_api_integration/plugins/feature_usage_test/*"],
       "@kbn/features-plugin": ["x-pack/plugins/features"],
       "@kbn/features-plugin/*": ["x-pack/plugins/features/*"],
+      "@kbn/features-provider-plugin": ["x-pack/test/security_api_integration/plugins/features_provider"],
+      "@kbn/features-provider-plugin/*": ["x-pack/test/security_api_integration/plugins/features_provider/*"],
       "@kbn/fec-alerts-test-plugin": ["x-pack/test/functional_execution_context/plugins/alerts"],
       "@kbn/fec-alerts-test-plugin/*": ["x-pack/test/functional_execution_context/plugins/alerts/*"],
       "@kbn/field-formats-example-plugin": ["examples/field_formats_example"],
@@ -1550,6 +1552,8 @@
       "@kbn/security-api-key-management/*": ["x-pack/packages/security/api_key_management/*"],
       "@kbn/security-authorization-core": ["x-pack/packages/security/authorization_core"],
       "@kbn/security-authorization-core/*": ["x-pack/packages/security/authorization_core/*"],
+      "@kbn/security-authorization-core-common": ["x-pack/packages/security/authorization_core_common"],
+      "@kbn/security-authorization-core-common/*": ["x-pack/packages/security/authorization_core_common/*"],
       "@kbn/security-form-components": ["x-pack/packages/security/form_components"],
       "@kbn/security-form-components/*": ["x-pack/packages/security/form_components/*"],
       "@kbn/security-hardening": ["packages/kbn-security-hardening"],

x-pack/packages/security/authorization_core/index.ts

@@ -6,10 +6,5 @@
  */
 
 export { Actions } from './src/actions';
-export { privilegesFactory } from './src/privileges';
-export type {
-  CasesSupportedOperations,
-  PrivilegesService,
-  RawKibanaPrivileges,
-  RawKibanaFeaturePrivileges,
-} from './src/privileges';
+export { privilegesFactory, getReplacedByForPrivilege } from './src/privileges';
+export type { CasesSupportedOperations, PrivilegesService } from './src/privileges';

x-pack/packages/security/authorization_core/src/actions/alerting.test.ts

@@ -51,3 +51,21 @@ describe('#get', () => {
     );
   });
 });
+
+test('#isValid', () => {
+  const alertingActions = new AlertingActions();
+  expect(alertingActions.isValid('alerting:foo-ruleType/consumer/alertingType/bar-operation')).toBe(
+    true
+  );
+
+  expect(
+    alertingActions.isValid('api:alerting:foo-ruleType/consumer/alertingType/bar-operation')
+  ).toBe(false);
+  expect(alertingActions.isValid('api:foo-ruleType/consumer/alertingType/bar-operation')).toBe(
+    false
+  );
+
+  expect(alertingActions.isValid('alerting_foo-ruleType/consumer/alertingType/bar-operation')).toBe(
+    false
+  );
+});

x-pack/packages/security/authorization_core/src/actions/alerting.ts

@@ -40,4 +40,12 @@ export class AlertingActions implements AlertingActionsType {
 
     return `${this.prefix}${ruleTypeId}/${consumer}/${alertingEntity}/${operation}`;
   }
+
+  /**
+   * Checks if the action is a valid alerting action.
+   * @param action The action string to check.
+   */
+  public isValid(action: string) {
+    return action.startsWith(this.prefix);
+  }
 }

x-pack/packages/security/authorization_core/src/actions/ui.test.ts

@@ -32,3 +32,15 @@ describe('#get', () => {
     expect(uiActions.get('foo', 'fooCapability', 'subFoo')).toBe('ui:foo/fooCapability/subFoo');
   });
 });
+
+test('#isValid', () => {
+  const uiActions = new UIActions();
+  expect(uiActions.isValid('ui:alpha')).toBe(true);
+  expect(uiActions.isValid('ui:beta')).toBe(true);
+
+  expect(uiActions.isValid('api:alpha')).toBe(false);
+  expect(uiActions.isValid('api:beta')).toBe(false);
+
+  expect(uiActions.isValid('ui_alpha')).toBe(false);
+  expect(uiActions.isValid('ui_beta')).toBe(false);
+});

x-pack/packages/security/authorization_core/src/actions/ui.ts

@@ -40,4 +40,12 @@ export class UIActions implements UIActionsType {
 
     return `${this.prefix}${featureId}/${uiCapabilityParts.join('/')}`;
   }
+
+  /**
+   * Checks if the action is a valid UI action.
+   * @param action The action string to check.
+   */
+  public isValid(action: string) {
+    return action.startsWith(this.prefix);
+  }
 }

x-pack/packages/security/authorization_core/src/privileges/index.ts

@@ -7,5 +7,4 @@
 
 export type { PrivilegesService } from './privileges';
 export type { CasesSupportedOperations } from './feature_privilege_builder';
-export { privilegesFactory } from './privileges';
-export type { RawKibanaPrivileges, RawKibanaFeaturePrivileges } from './raw_kibana_privileges';
+export { privilegesFactory, getReplacedByForPrivilege } from './privileges';