[8.13] fix(platform-security): allow customizing sub-feature privileg…

…es with `all spaces` requirement (#178239) (#178644)

# Backport

This will backport the following commits from `main` to `8.13`:
- [fix(platform-security): allow customizing sub-feature privileges with
`all spaces` requirement
(#178239)](#178239)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Aleh
Zasypkin","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-03-13T15:29:54Z","message":"fix(platform-security):
allow customizing sub-feature privileges with `all spaces` requirement
(#178239)\n\n## Summary\r\n\r\nAllow customizing sub-feature privileges
with `all spaces` requirement.\r\nSee
#178006 (comment)
for\r\nmore details about what was broken.\r\n\r\n## To do\r\n\r\n- [x]
Fix bug and update existing tests\r\n- [x] Add more tests with `all
spaces` requirement\r\n\r\n__Reported
in:__\r\nhttps://github.com//pull/178006#issue-2169314164\r\n\r\n##
How to test\r\n\r\nAdd the following to your `kibana.dev.yml` and try to
customize\r\nsub-feature privileges of the `Fleet`
feature\r\n\r\n```yaml\r\nxpack.fleet.enableExperimental:
['subfeaturePrivileges']\r\n```\r\n\r\nBefore this PR, the `Customize
sub-feature privileges` switch didn't\r\nwork.\r\n\r\nCo-authored-by:
Kibana Machine
<[email protected]>","sha":"acc94b3b512c7ba9d9c3223c941154ba416cc5a2","branchLabelMapping":{"^v8.14.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","Team:Security","Feature:Users/Roles/API
Keys","release_note:skip","backport:all-open","v8.14.0"],"title":"fix(platform-security):
allow customizing sub-feature privileges with `all spaces`
requirement","number":178239,"url":"https://github.com/elastic/kibana/pull/178239","mergeCommit":{"message":"fix(platform-security):
allow customizing sub-feature privileges with `all spaces` requirement
(#178239)\n\n## Summary\r\n\r\nAllow customizing sub-feature privileges
with `all spaces` requirement.\r\nSee
#178006 (comment)
for\r\nmore details about what was broken.\r\n\r\n## To do\r\n\r\n- [x]
Fix bug and update existing tests\r\n- [x] Add more tests with `all
spaces` requirement\r\n\r\n__Reported
in:__\r\nhttps://github.com//pull/178006#issue-2169314164\r\n\r\n##
How to test\r\n\r\nAdd the following to your `kibana.dev.yml` and try to
customize\r\nsub-feature privileges of the `Fleet`
feature\r\n\r\n```yaml\r\nxpack.fleet.enableExperimental:
['subfeaturePrivileges']\r\n```\r\n\r\nBefore this PR, the `Customize
sub-feature privileges` switch didn't\r\nwork.\r\n\r\nCo-authored-by:
Kibana Machine
<[email protected]>","sha":"acc94b3b512c7ba9d9c3223c941154ba416cc5a2"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.14.0","branchLabelMappingKey":"^v8.14.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/178239","number":178239,"mergeCommit":{"message":"fix(platform-security):
allow customizing sub-feature privileges with `all spaces` requirement
(#178239)\n\n## Summary\r\n\r\nAllow customizing sub-feature privileges
with `all spaces` requirement.\r\nSee
#178006 (comment)
for\r\nmore details about what was broken.\r\n\r\n## To do\r\n\r\n- [x]
Fix bug and update existing tests\r\n- [x] Add more tests with `all
spaces` requirement\r\n\r\n__Reported
in:__\r\nhttps://github.com//pull/178006#issue-2169314164\r\n\r\n##
How to test\r\n\r\nAdd the following to your `kibana.dev.yml` and try to
customize\r\nsub-feature privileges of the `Fleet`
feature\r\n\r\n```yaml\r\nxpack.fleet.enableExperimental:
['subfeaturePrivileges']\r\n```\r\n\r\nBefore this PR, the `Customize
sub-feature privileges` switch didn't\r\nwork.\r\n\r\nCo-authored-by:
Kibana Machine
<[email protected]>","sha":"acc94b3b512c7ba9d9c3223c941154ba416cc5a2"}}]}]
BACKPORT-->

Co-authored-by: Aleh Zasypkin <[email protected]>

x-pack/plugins/security/public/management/roles/__fixtures__/kibana_features.ts

@@ -253,4 +253,29 @@ export const kibanaFeatures = [
       },
     ],
   }),
+  createFeature({
+    id: 'with_require_all_spaces_for_feature_and_sub_features',
+    name: 'Require all spaces Features and Sub Features',
+    requireAllSpacesOnAllPrivilege: true,
+    subFeatures: [
+      {
+        name: 'Require all spaces Sub Feature',
+        requireAllSpaces: true,
+        privilegeGroups: [
+          {
+            groupType: 'mutually_exclusive',
+            privileges: [
+              {
+                id: 'cool_toggle_1',
+                name: 'Cool toggle 1',
+                includeIn: 'all',
+                savedObject: { all: [], read: [] },
+                ui: ['cool_toggle_1-ui'],
+              },
+            ],
+          },
+        ],
+      },
+    ],
+  }),
 ];

x-pack/plugins/security/public/management/roles/edit_role/privileges/kibana/feature_table/feature_table.test.tsx

@@ -111,6 +111,10 @@ describe('FeatureTable', () => {
             primaryFeaturePrivilege: 'none',
             subFeaturePrivileges: [],
           },
+          with_require_all_spaces_for_feature_and_sub_features: {
+            primaryFeaturePrivilege: 'none',
+            subFeaturePrivileges: [],
+          },
         });
       });
 
@@ -164,9 +168,13 @@ describe('FeatureTable', () => {
           with_require_all_spaces_sub_features: {
             primaryFeaturePrivilege: 'all',
             ...(canCustomizeSubFeaturePrivileges
-              ? {
-                  subFeaturePrivileges: ['cool_toggle_1'],
-                }
+              ? { subFeaturePrivileges: ['cool_toggle_1'] }
+              : { subFeaturePrivileges: [] }),
+          },
+          with_require_all_spaces_for_feature_and_sub_features: {
+            primaryFeaturePrivilege: 'all',
+            ...(canCustomizeSubFeaturePrivileges
+              ? { subFeaturePrivileges: ['cool_toggle_1'] }
               : { subFeaturePrivileges: [] }),
           },
         });
@@ -224,6 +232,10 @@ describe('FeatureTable', () => {
             primaryFeaturePrivilege: 'none',
             subFeaturePrivileges: [],
           },
+          with_require_all_spaces_for_feature_and_sub_features: {
+            primaryFeaturePrivilege: 'none',
+            subFeaturePrivileges: [],
+          },
         });
       });
 
@@ -322,6 +334,10 @@ describe('FeatureTable', () => {
         primaryFeaturePrivilege: 'none',
         subFeaturePrivileges: [],
       },
+      with_require_all_spaces_for_feature_and_sub_features: {
+        primaryFeaturePrivilege: 'none',
+        subFeaturePrivileges: [],
+      },
     });
   });
 
@@ -708,6 +724,10 @@ describe('FeatureTable', () => {
         primaryFeaturePrivilege: 'none',
         subFeaturePrivileges: [],
       },
+      with_require_all_spaces_for_feature_and_sub_features: {
+        primaryFeaturePrivilege: 'none',
+        subFeaturePrivileges: [],
+      },
     });
   });
 
@@ -750,6 +770,10 @@ describe('FeatureTable', () => {
         primaryFeaturePrivilege: 'none',
         subFeaturePrivileges: [],
       },
+      with_require_all_spaces_for_feature_and_sub_features: {
+        primaryFeaturePrivilege: 'none',
+        subFeaturePrivileges: [],
+      },
     });
   });
 
@@ -792,6 +816,10 @@ describe('FeatureTable', () => {
         primaryFeaturePrivilege: 'none',
         subFeaturePrivileges: [],
       },
+      with_require_all_spaces_for_feature_and_sub_features: {
+        primaryFeaturePrivilege: 'none',
+        subFeaturePrivileges: [],
+      },
     });
   });
 
@@ -981,6 +1009,10 @@ describe('FeatureTable', () => {
         primaryFeaturePrivilege: 'none',
         subFeaturePrivileges: [],
       },
+      with_require_all_spaces_for_feature_and_sub_features: {
+        primaryFeaturePrivilege: 'none',
+        subFeaturePrivileges: [],
+      },
     });
   });
 

x-pack/plugins/security/public/management/roles/edit_role/privileges/kibana/feature_table/feature_table_expanded_row.test.tsx

@@ -351,4 +351,61 @@ describe('FeatureTableExpandedRow', () => {
     const object = wrapper.find('SubFeatureForm');
     expect(object.props()).toMatchObject({ disabled: false });
   });
+
+  it('require all spaces enabled and allSpacesSelected is true: option is enabled for both feature and sub-features', () => {
+    // Create role with `all` privilege turned on.
+    const role = createRole([
+      {
+        base: [],
+        feature: {
+          with_require_all_spaces_for_feature_and_sub_features: ['all'],
+        },
+        spaces: ['foo'],
+      },
+    ]);
+
+    const kibanaPrivileges = createKibanaPrivileges(kibanaFeatures);
+    const calculator = new PrivilegeFormCalculator(kibanaPrivileges, role);
+    const feature = kibanaPrivileges.getSecuredFeature(
+      'with_require_all_spaces_for_feature_and_sub_features'
+    );
+
+    // Make sure we update `selectedFeaturePrivileges` when `onChange` is called.
+    const onChange = jest.fn((_, selectedFeaturePrivileges) => {
+      wrapper.setProps({ selectedFeaturePrivileges });
+    });
+
+    const wrapper = mountWithIntl(
+      <FeatureTableExpandedRow
+        feature={feature}
+        privilegeIndex={0}
+        privilegeCalculator={calculator}
+        selectedFeaturePrivileges={['all']}
+        onChange={onChange}
+        licenseAllowsSubFeatPrivCustomization={true}
+        allSpacesSelected={true}
+      />
+    );
+
+    // Make sure sub-feature customization toggle is unchecked.
+    let customizeToggle = findTestSubject(wrapper, 'customizeSubFeaturePrivileges');
+    expect(customizeToggle.props()['aria-checked']).toBe(false);
+
+    // Click on the toggle to start customization.
+    act(() => {
+      customizeToggle.simulate('click');
+      wrapper.update();
+    });
+
+    // Make sure `onChange` is called with the expected arguments (all -> `minimal_all` + `cool_toggle_1`).
+    expect(onChange).toHaveBeenCalledWith('with_require_all_spaces_for_feature_and_sub_features', [
+      'minimal_all',
+      'cool_toggle_1',
+    ]);
+    expect(onChange).toHaveBeenCalledTimes(1);
+
+    // Make sure sub-feature customization toggle retained its checked state.
+    customizeToggle = findTestSubject(wrapper, 'customizeSubFeaturePrivileges');
+    expect(customizeToggle.props()['aria-checked']).toBe(true);
+  });
 });

x-pack/plugins/security/public/management/roles/edit_role/privileges/kibana/feature_table/feature_table_expanded_row.tsx

@@ -63,7 +63,8 @@ export const FeatureTableExpandedRow = ({
       privilegeCalculator.updateSelectedFeaturePrivilegesForCustomization(
         feature.id,
         privilegeIndex,
-        e.target.checked
+        e.target.checked,
+        allSpacesSelected
       )
     );
     setIsCustomizing(e.target.checked);