[Saved Objects] Adds config flag to toggle hiddenFromHttpApis SO types conditionally

config/kibana.yml

@@ -151,6 +151,7 @@
 # configuration option. Default: 100mb
 #migrations.maxBatchSizeBytes: 100mb
 
+
 # The number of times to retry temporary migration failures. Increase the setting
 # if migrations fail frequently with a message such as `Unable to complete the [...] step after
 # 15 attempts, terminating`. Defaults to 15

packages/core/saved-objects/core-saved-objects-base-server-internal/src/saved_objects_config.ts

@@ -42,6 +42,8 @@ export const savedObjectsMigrationConfig: ServiceConfigDescriptor<SavedObjectsMi
 const soSchema = schema.object({
   maxImportPayloadBytes: schema.byteSize({ defaultValue: 26_214_400 }),
   maxImportExportSize: schema.number({ defaultValue: 10_000 }),
+  // Conditionally set within config, dependening on the env. In prod: allow all access(default), in dev: false
+  allowHttpApiAccess: schema.boolean({ defaultValue: true }),
 });
 
 export type SavedObjectsConfigType = TypeOf<typeof soSchema>;
@@ -50,19 +52,20 @@ export const savedObjectsConfig: ServiceConfigDescriptor<SavedObjectsConfigType>
   path: 'savedObjects',
   schema: soSchema,
 };
-
 export class SavedObjectConfig {
   public maxImportPayloadBytes: number;
   public maxImportExportSize: number;
-
+  public allowHttpApiAccess: boolean; // depend on env: see https://github.com/elastic/dev/issues/2200
   public migration: SavedObjectsMigrationConfigType;
 
   constructor(
     rawConfig: SavedObjectsConfigType,
-    rawMigrationConfig: SavedObjectsMigrationConfigType
+    rawMigrationConfig: SavedObjectsMigrationConfigType,
+    allowHttpApiAccess: boolean
   ) {
     this.maxImportPayloadBytes = rawConfig.maxImportPayloadBytes.getValueInBytes();
     this.maxImportExportSize = rawConfig.maxImportExportSize;
     this.migration = rawMigrationConfig;
+    this.allowHttpApiAccess = rawConfig.allowHttpApiAccess || allowHttpApiAccess;
   }
 }

packages/core/saved-objects/core-saved-objects-server-internal/src/routes/bulk_create.ts

@@ -7,20 +7,23 @@
  */
 
 import { schema } from '@kbn/config-schema';
+import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
 import type { InternalSavedObjectRouter } from '../internal_types';
 import { catchAndReturnBoomErrors, throwIfAnyTypeNotVisibleByAPI } from './utils';
 
 interface RouteDependencies {
+  config: SavedObjectConfig;
   coreUsageData: InternalCoreUsageDataSetup;
   logger: Logger;
 }
 
 export const registerBulkCreateRoute = (
   router: InternalSavedObjectRouter,
-  { coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger }: RouteDependencies
 ) => {
+  const { allowHttpApiAccess } = config;
   router.post(
     {
       path: '/_bulk_create',
@@ -62,7 +65,9 @@ export const registerBulkCreateRoute = (
       const { savedObjects } = await context.core;
 
       const typesToCheck = [...new Set(req.body.map(({ type }) => type))];
-      throwIfAnyTypeNotVisibleByAPI(typesToCheck, savedObjects.typeRegistry);
+      if (!allowHttpApiAccess) {
+        throwIfAnyTypeNotVisibleByAPI(typesToCheck, savedObjects.typeRegistry);
+      }
       const result = await savedObjects.client.bulkCreate(req.body, { overwrite });
       return res.ok({ body: result });
     })

packages/core/saved-objects/core-saved-objects-server-internal/src/routes/bulk_delete.ts

@@ -7,20 +7,23 @@
  */
 
 import { schema } from '@kbn/config-schema';
+import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
 import type { InternalSavedObjectRouter } from '../internal_types';
 import { catchAndReturnBoomErrors, throwIfAnyTypeNotVisibleByAPI } from './utils';
 
 interface RouteDependencies {
+  config: SavedObjectConfig;
   coreUsageData: InternalCoreUsageDataSetup;
   logger: Logger;
 }
 
 export const registerBulkDeleteRoute = (
   router: InternalSavedObjectRouter,
-  { coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger }: RouteDependencies
 ) => {
+  const { allowHttpApiAccess } = config;
   router.post(
     {
       path: '/_bulk_delete',
@@ -47,8 +50,9 @@ export const registerBulkDeleteRoute = (
       const { savedObjects } = await context.core;
 
       const typesToCheck = [...new Set(req.body.map(({ type }) => type))];
-      throwIfAnyTypeNotVisibleByAPI(typesToCheck, savedObjects.typeRegistry);
-
+      if (!allowHttpApiAccess) {
+        throwIfAnyTypeNotVisibleByAPI(typesToCheck, savedObjects.typeRegistry);
+      }
       const statuses = await savedObjects.client.bulkDelete(req.body, { force });
       return res.ok({ body: statuses });
     })

packages/core/saved-objects/core-saved-objects-server-internal/src/routes/bulk_get.ts

@@ -7,20 +7,23 @@
  */
 
 import { schema } from '@kbn/config-schema';
+import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
 import type { InternalSavedObjectRouter } from '../internal_types';
 import { catchAndReturnBoomErrors, throwIfAnyTypeNotVisibleByAPI } from './utils';
 
 interface RouteDependencies {
+  config: SavedObjectConfig;
   coreUsageData: InternalCoreUsageDataSetup;
   logger: Logger;
 }
 
 export const registerBulkGetRoute = (
   router: InternalSavedObjectRouter,
-  { coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger }: RouteDependencies
 ) => {
+  const { allowHttpApiAccess } = config;
   router.post(
     {
       path: '/_bulk_get',
@@ -42,8 +45,9 @@ export const registerBulkGetRoute = (
 
       const { savedObjects } = await context.core;
       const typesToCheck = [...new Set(req.body.map(({ type }) => type))];
-      throwIfAnyTypeNotVisibleByAPI(typesToCheck, savedObjects.typeRegistry);
-
+      if (!allowHttpApiAccess) {
+        throwIfAnyTypeNotVisibleByAPI(typesToCheck, savedObjects.typeRegistry);
+      }
       const result = await savedObjects.client.bulkGet(req.body);
       return res.ok({ body: result });
     })

packages/core/saved-objects/core-saved-objects-server-internal/src/routes/bulk_resolve.ts

@@ -7,20 +7,23 @@
  */
 
 import { schema } from '@kbn/config-schema';
+import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
 import type { InternalSavedObjectRouter } from '../internal_types';
 import { catchAndReturnBoomErrors, throwIfAnyTypeNotVisibleByAPI } from './utils';
 
 interface RouteDependencies {
+  config: SavedObjectConfig;
   coreUsageData: InternalCoreUsageDataSetup;
   logger: Logger;
 }
 
 export const registerBulkResolveRoute = (
   router: InternalSavedObjectRouter,
-  { coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger }: RouteDependencies
 ) => {
+  const { allowHttpApiAccess } = config;
   router.post(
     {
       path: '/_bulk_resolve',
@@ -42,7 +45,9 @@ export const registerBulkResolveRoute = (
 
       const { savedObjects } = await context.core;
       const typesToCheck = [...new Set(req.body.map(({ type }) => type))];
-      throwIfAnyTypeNotVisibleByAPI(typesToCheck, savedObjects.typeRegistry);
+      if (!allowHttpApiAccess) {
+        throwIfAnyTypeNotVisibleByAPI(typesToCheck, savedObjects.typeRegistry);
+      }
       const result = await savedObjects.client.bulkResolve(req.body);
       return res.ok({ body: result });
     })

packages/core/saved-objects/core-saved-objects-server-internal/src/routes/bulk_update.ts

@@ -7,20 +7,23 @@
  */
 
 import { schema } from '@kbn/config-schema';
+import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
 import type { InternalSavedObjectRouter } from '../internal_types';
 import { catchAndReturnBoomErrors, throwIfAnyTypeNotVisibleByAPI } from './utils';
 
 interface RouteDependencies {
+  config: SavedObjectConfig;
   coreUsageData: InternalCoreUsageDataSetup;
   logger: Logger;
 }
 
 export const registerBulkUpdateRoute = (
   router: InternalSavedObjectRouter,
-  { coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger }: RouteDependencies
 ) => {
+  const { allowHttpApiAccess } = config;
   router.put(
     {
       path: '/_bulk_update',
@@ -55,8 +58,9 @@ export const registerBulkUpdateRoute = (
       const { savedObjects } = await context.core;
 
       const typesToCheck = [...new Set(req.body.map(({ type }) => type))];
-      throwIfAnyTypeNotVisibleByAPI(typesToCheck, savedObjects.typeRegistry);
-
+      if (!allowHttpApiAccess) {
+        throwIfAnyTypeNotVisibleByAPI(typesToCheck, savedObjects.typeRegistry);
+      }
       const savedObject = await savedObjects.client.bulkUpdate(req.body);
       return res.ok({ body: savedObject });
     })

packages/core/saved-objects/core-saved-objects-server-internal/src/routes/create.ts

@@ -7,20 +7,23 @@
  */
 
 import { schema } from '@kbn/config-schema';
+import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
 import type { InternalSavedObjectRouter } from '../internal_types';
 import { catchAndReturnBoomErrors, throwIfTypeNotVisibleByAPI } from './utils';
 
 interface RouteDependencies {
+  config: SavedObjectConfig;
   coreUsageData: InternalCoreUsageDataSetup;
   logger: Logger;
 }
 
 export const registerCreateRoute = (
   router: InternalSavedObjectRouter,
-  { coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger }: RouteDependencies
 ) => {
+  const { allowHttpApiAccess } = config;
   router.post(
     {
       path: '/{type}/{id?}',
@@ -60,9 +63,9 @@ export const registerCreateRoute = (
       usageStatsClient.incrementSavedObjectsCreate({ request: req }).catch(() => {});
 
       const { savedObjects } = await context.core;
-
-      throwIfTypeNotVisibleByAPI(type, savedObjects.typeRegistry);
-
+      if (!allowHttpApiAccess) {
+        throwIfTypeNotVisibleByAPI(type, savedObjects.typeRegistry);
+      }
       const options = {
         id,
         overwrite,

packages/core/saved-objects/core-saved-objects-server-internal/src/routes/delete.ts

@@ -7,20 +7,23 @@
  */
 
 import { schema } from '@kbn/config-schema';
+import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
 import type { InternalSavedObjectRouter } from '../internal_types';
 import { catchAndReturnBoomErrors, throwIfTypeNotVisibleByAPI } from './utils';
 
 interface RouteDependencies {
+  config: SavedObjectConfig;
   coreUsageData: InternalCoreUsageDataSetup;
   logger: Logger;
 }
 
 export const registerDeleteRoute = (
   router: InternalSavedObjectRouter,
-  { coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger }: RouteDependencies
 ) => {
+  const { allowHttpApiAccess } = config;
   router.delete(
     {
       path: '/{type}/{id}',
@@ -42,8 +45,9 @@ export const registerDeleteRoute = (
 
       const usageStatsClient = coreUsageData.getClient();
       usageStatsClient.incrementSavedObjectsDelete({ request: req }).catch(() => {});
-      throwIfTypeNotVisibleByAPI(type, typeRegistry);
-
+      if (!allowHttpApiAccess) {
+        throwIfTypeNotVisibleByAPI(type, typeRegistry);
+      }
       const client = getClient();
       const result = await client.delete(type, id, { force });
       return res.ok({ body: result });

packages/core/saved-objects/core-saved-objects-server-internal/src/routes/find.ts

@@ -7,19 +7,21 @@
  */
 
 import { schema } from '@kbn/config-schema';
+import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
 import type { InternalSavedObjectRouter } from '../internal_types';
 import { catchAndReturnBoomErrors, throwOnHttpHiddenTypes } from './utils';
 
 interface RouteDependencies {
+  config: SavedObjectConfig;
   coreUsageData: InternalCoreUsageDataSetup;
   logger: Logger;
 }
 
 export const registerFindRoute = (
   router: InternalSavedObjectRouter,
-  { coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger }: RouteDependencies
 ) => {
   const referenceSchema = schema.object({
     type: schema.string(),
@@ -28,7 +30,7 @@ export const registerFindRoute = (
   const searchOperatorSchema = schema.oneOf([schema.literal('OR'), schema.literal('AND')], {
     defaultValue: 'OR',
   });
-
+  const { allowHttpApiAccess } = config;
   router.get(
     {
       path: '/_find',
@@ -95,7 +97,7 @@ export const registerFindRoute = (
           return fullType.name;
         }
       });
-      if (unsupportedTypes.length > 0) {
+      if (unsupportedTypes.length > 0 && !allowHttpApiAccess) {
         throwOnHttpHiddenTypes(unsupportedTypes);
       }
 

packages/core/saved-objects/core-saved-objects-server-internal/src/routes/get.ts

@@ -7,20 +7,23 @@
  */
 
 import { schema } from '@kbn/config-schema';
+import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
 import type { InternalSavedObjectRouter } from '../internal_types';
 import { catchAndReturnBoomErrors, throwIfTypeNotVisibleByAPI } from './utils';
 
 interface RouteDependencies {
+  config: SavedObjectConfig;
   coreUsageData: InternalCoreUsageDataSetup;
   logger: Logger;
 }
 
 export const registerGetRoute = (
   router: InternalSavedObjectRouter,
-  { coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger }: RouteDependencies
 ) => {
+  const { allowHttpApiAccess } = config;
   router.get(
     {
       path: '/{type}/{id}',
@@ -39,7 +42,10 @@ export const registerGetRoute = (
       usageStatsClient.incrementSavedObjectsGet({ request: req }).catch(() => {});
 
       const { savedObjects } = await context.core;
-      throwIfTypeNotVisibleByAPI(type, savedObjects.typeRegistry);
+
+      if (!allowHttpApiAccess) {
+        throwIfTypeNotVisibleByAPI(type, savedObjects.typeRegistry);
+      }
 
       const object = await savedObjects.client.get(type, id);
       return res.ok({ body: object });