Copy Saved Objects to Spaces API

src/legacy/server/saved_objects/export/get_sorted_objects_for_export.ts

@@ -27,7 +27,7 @@ interface ObjectToExport {
   type: string;
 }
 
-interface ExportObjectsOptions {
+export interface ExportObjectsOptions {
   types?: string[];
   objects?: ObjectToExport[];
   savedObjectsClient: SavedObjectsClient;

src/legacy/server/saved_objects/export/index.ts

@@ -17,4 +17,5 @@
  * under the License.
  */
 
-export { getSortedObjectsForExport } from './get_sorted_objects_for_export';
+export { getSortedObjectsForExport, ExportObjectsOptions } from './get_sorted_objects_for_export';
+export { objectsToNdJson } from './objects_to_ndjson';

src/legacy/server/saved_objects/export/objects_to_ndjson.ts

@@ -0,0 +1,24 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import stringify from 'json-stable-stringify';
+import { SavedObject } from '..';
+
+export function objectsToNdJson(savedObjects: SavedObject[]): string {
+  return savedObjects.map(doc => stringify(doc)).join('\n');
+}

src/legacy/server/saved_objects/import/import_saved_objects.ts

@@ -24,15 +24,16 @@ import { extractErrors } from './extract_errors';
 import { ImportError } from './types';
 import { validateReferences } from './validate_references';
 
-interface ImportSavedObjectsOptions {
+export interface ImportSavedObjectsOptions {
   readStream: Readable;
   objectLimit: number;
   overwrite: boolean;
   savedObjectsClient: SavedObjectsClient;
   supportedTypes: string[];
+  namespace?: string;
 }
 
-interface ImportResponse {
+export interface ImportResponse {
   success: boolean;
   successCount: number;
   errors?: ImportError[];
@@ -44,6 +45,7 @@ export async function importSavedObjects({
   overwrite,
   savedObjectsClient,
   supportedTypes,
+  namespace,
 }: ImportSavedObjectsOptions): Promise<ImportResponse> {
   let errorAccumulator: ImportError[] = [];
 
@@ -73,6 +75,7 @@ export async function importSavedObjects({
   // Create objects in bulk
   const bulkCreateResult = await savedObjectsClient.bulkCreate(filteredObjects, {
     overwrite,
+    namespace,
   });
   errorAccumulator = [
     ...errorAccumulator,

src/legacy/server/saved_objects/import/index.ts

@@ -17,5 +17,9 @@
  * under the License.
  */
 
-export { importSavedObjects } from './import_saved_objects';
+export {
+  importSavedObjects,
+  ImportSavedObjectsOptions,
+  ImportResponse,
+} from './import_saved_objects';
 export { resolveImportErrors } from './resolve_import_errors';

src/legacy/server/saved_objects/import/validate_references.ts

@@ -29,7 +29,8 @@ function filterReferencesToValidate({ type }: { type: string }) {
 
 export async function getNonExistingReferenceAsKeys(
   savedObjects: SavedObject[],
-  savedObjectsClient: SavedObjectsClient
+  savedObjectsClient: SavedObjectsClient,
+  namespace?: string
 ) {
   const collector = new Map();
   // Collect all references within objects
@@ -50,7 +51,7 @@ export async function getNonExistingReferenceAsKeys(
 
   // Fetch references to see if they exist
   const bulkGetOpts = Array.from(collector.values()).map(obj => ({ ...obj, fields: ['id'] }));
-  const bulkGetResponse = await savedObjectsClient.bulkGet(bulkGetOpts);
+  const bulkGetResponse = await savedObjectsClient.bulkGet(bulkGetOpts, { namespace });
 
   // Error handling
   const erroredObjects = bulkGetResponse.saved_objects.filter(
@@ -77,12 +78,14 @@ export async function getNonExistingReferenceAsKeys(
 
 export async function validateReferences(
   savedObjects: SavedObject[],
-  savedObjectsClient: SavedObjectsClient
+  savedObjectsClient: SavedObjectsClient,
+  namespace?: string
 ) {
   const errorMap: { [key: string]: ImportError } = {};
   const nonExistingReferenceKeys = await getNonExistingReferenceAsKeys(
     savedObjects,
-    savedObjectsClient
+    savedObjectsClient,
+    namespace
   );
 
   // Filter out objects with missing references, add to error object

src/legacy/server/saved_objects/routes/export.ts

@@ -19,9 +19,8 @@
 
 import Hapi from 'hapi';
 import Joi from 'joi';
-import stringify from 'json-stable-stringify';
 import { SavedObjectsClient } from '../';
-import { getSortedObjectsForExport } from '../export';
+import { getSortedObjectsForExport, objectsToNdJson } from '../export';
 import { Prerequisites } from './types';
 
 interface ExportRequest extends Hapi.Request {
@@ -78,7 +77,7 @@ export const createExportRoute = (
         includeReferencesDeep: request.payload.includeReferencesDeep,
       });
       return h
-        .response(docsToExport.map(doc => stringify(doc)).join('\n'))
+        .response(objectsToNdJson(docsToExport))
         .header('Content-Disposition', `attachment; filename="export.ndjson"`)
         .header('Content-Type', 'application/ndjson');
     },

src/legacy/server/saved_objects/saved_objects_mixin.js

@@ -42,6 +42,9 @@ import {
   createLogLegacyImportRoute,
 } from './routes';
 
+import { getSortedObjectsForExport, objectsToNdJson } from './export';
+import { importSavedObjects } from './import';
+
 function getImportableAndExportableTypes({ kbnServer, visibleTypes }) {
   const { savedObjectsManagement = {} } = kbnServer.uiExports;
   return visibleTypes.filter(
@@ -141,6 +144,12 @@ export function savedObjectsMixin(kbnServer, server) {
     setScopedSavedObjectsClientFactory: (...args) => provider.setClientFactory(...args),
     addScopedSavedObjectsClientWrapperFactory: (...args) =>
       provider.addClientWrapperFactory(...args),
+    importExport: {
+      importSavedObjects,
+      getSortedObjectsForExport,
+      objectsToNdJson,
+    },
+    schema,
   };
   server.decorate('server', 'savedObjects', service);
 

src/legacy/server/saved_objects/service/index.d.ts

@@ -18,7 +18,10 @@
  */
 
 import { ScopedSavedObjectsClientProvider } from './lib';
-import { SavedObjectsClient } from './saved_objects_client';
+import { SavedObjectsClient, SavedObject } from './saved_objects_client';
+import { ExportObjectsOptions } from '../export';
+import { ImportSavedObjectsOptions, ImportResponse } from '../import';
+import { SavedObjectsSchema } from '../schema';
 
 export interface SavedObjectsService<Request = any> {
   // ATTENTION: these types are incomplete
@@ -28,7 +31,13 @@ export interface SavedObjectsService<Request = any> {
   getScopedSavedObjectsClient: ScopedSavedObjectsClientProvider<Request>['getClient'];
   SavedObjectsClient: typeof SavedObjectsClient;
   types: string[];
+  schema: SavedObjectsSchema;
   getSavedObjectsRepository(...rest: any[]): any;
+  importExport: {
+    importSavedObjects(options: ImportSavedObjectsOptions): Promise<ImportResponse>;
+    getSortedObjectsForExport(options: ExportObjectsOptions): Promise<SavedObject[]>;
+    objectsToNdJson(objects: SavedObject[]): string;
+  };
 }
 
 export { SavedObjectsClientWrapperFactory } from './lib';

x-pack/plugins/security/index.js

@@ -189,7 +189,7 @@ export const security = (kibana) => new kibana.Plugin({
       return new savedObjects.SavedObjectsClient(callWithRequestRepository);
     });
 
-    savedObjects.addScopedSavedObjectsClientWrapperFactory(Number.MIN_SAFE_INTEGER, ({ client, request }) => {
+    savedObjects.addScopedSavedObjectsClientWrapperFactory(Number.MAX_SAFE_INTEGER - 1, ({ client, request }) => {
       if (authorization.mode.useRbacForRequest(request)) {
         return new SecureSavedObjectsClientWrapper({
           actions: authorization.actions,

x-pack/plugins/security/server/lib/authorization/actions/saved_object.test.ts

@@ -15,6 +15,13 @@ describe('#all', () => {
   });
 });
 
+describe('#manage', () => {
+  test(`returns saved_object:manage`, () => {
+    const savedObjectActions = new SavedObjectActions(version);
+    expect(savedObjectActions.manage).toBe('saved_object:1.0.0-zeta1:manage');
+  });
+});
+
 describe('#get', () => {
   [null, undefined, '', 1, true, {}].forEach((type: any) => {
     test(`type of ${JSON.stringify(type)} throws error`, () => {

x-pack/plugins/security/server/lib/authorization/actions/saved_object.ts

@@ -17,6 +17,10 @@ export class SavedObjectActions {
     return `${this.prefix}*`;
   }
 
+  public get manage(): string {
+    return `${this.prefix}manage`;
+  }
+
   public get(type: string, operation: string): string {
     if (!type || !isString(type)) {
       throw new Error('type is required and must be a string');

x-pack/plugins/security/server/lib/authorization/check_privileges_dynamically.ts

@@ -29,10 +29,15 @@ export function checkPrivilegesDynamicallyWithRequestFactory(
 ): CheckPrivilegesDynamicallyWithRequest {
   return function checkPrivilegesDynamicallyWithRequest(request: Record<string, any>) {
     const checkPrivileges = checkPrivilegesWithRequest(request);
-    return async function checkPrivilegesDynamically(privilegeOrPrivileges: string | string[]) {
+    return async function checkPrivilegesDynamically(
+      privilegeOrPrivileges: string | string[],
+      spaceId?: string
+    ) {
       if (spaces.isEnabled) {
-        const spaceId = spaces.getSpaceId(request);
-        return await checkPrivileges.atSpace(spaceId, privilegeOrPrivileges);
+        return await checkPrivileges.atSpace(
+          spaceId || spaces.getSpaceId(request),
+          privilegeOrPrivileges
+        );
       } else {
         return await checkPrivileges.globally(privilegeOrPrivileges);
       }

x-pack/plugins/security/server/lib/authorization/privileges/feature_privilege_builder/saved_objects_management.ts

@@ -17,6 +17,7 @@ export class FeaturePrivilegeSavedObjectsManagementBuilder extends BaseFeaturePr
     if (feature.id !== 'savedObjectsManagement') {
       return [];
     }
+    const canManage = privilegeDefinition.savedObject.all.length > 0;
     return uniq([
       ...flatten(
         privilegeDefinition.savedObject.all.map(type => [
@@ -28,6 +29,7 @@ export class FeaturePrivilegeSavedObjectsManagementBuilder extends BaseFeaturePr
       ...privilegeDefinition.savedObject.read.map(type =>
         this.actions.ui.get('savedObjectsManagement', type, 'read')
       ),
+      ...(canManage ? [this.actions.savedObject.manage] : []),
     ]);
   }
 }

x-pack/plugins/security/server/lib/authorization/privileges/privileges.test.ts

@@ -679,6 +679,8 @@ describe('savedObjectsManagement feature', () => {
 
       actions.ui.get('savedObjectsManagement', 'all-savedObject-read-1', 'read'),
 
+      actions.savedObject.manage,
+
       actions.allHack,
     ]);
 
@@ -702,6 +704,8 @@ describe('savedObjectsManagement feature', () => {
       actions.ui.get('savedObjectsManagement', 'read-savedObject-all-1', 'read'),
 
       actions.ui.get('savedObjectsManagement', 'read-savedObject-read-1', 'read'),
+
+      actions.savedObject.manage,
     ]);
   });
 });

x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client_wrapper.js

@@ -31,6 +31,7 @@ export class SecureSavedObjectsClientWrapper {
     await this._ensureAuthorized(
       type,
       'create',
+      options.namespace,
       { type, attributes, options },
     );
 
@@ -42,16 +43,18 @@ export class SecureSavedObjectsClientWrapper {
     await this._ensureAuthorized(
       types,
       'bulk_create',
+      options.namespace,
       { objects, options },
     );
 
     return await this._baseClient.bulkCreate(objects, options);
   }
 
-  async delete(type, id, options) {
+  async delete(type, id, options = {}) {
     await this._ensureAuthorized(
       type,
       'delete',
+      options.namespace,
       { type, id, options },
     );
 
@@ -62,6 +65,7 @@ export class SecureSavedObjectsClientWrapper {
     await this._ensureAuthorized(
       options.type,
       'find',
+      options.namespace,
       { options }
     );
 
@@ -73,6 +77,7 @@ export class SecureSavedObjectsClientWrapper {
     await this._ensureAuthorized(
       types,
       'bulk_get',
+      options.namespace,
       { objects, options },
     );
 
@@ -83,6 +88,7 @@ export class SecureSavedObjectsClientWrapper {
     await this._ensureAuthorized(
       type,
       'get',
+      options.namespace,
       { type, id, options },
     );
 
@@ -93,26 +99,27 @@ export class SecureSavedObjectsClientWrapper {
     await this._ensureAuthorized(
       type,
       'update',
+      options.namespace,
       { type, id, attributes, options },
     );
 
     return await this._baseClient.update(type, id, attributes, options);
   }
 
-  async _checkSavedObjectPrivileges(actions) {
+  async _checkSavedObjectPrivileges(actions, namespace) {
     try {
-      return await this._checkPrivileges(actions);
+      return await this._checkPrivileges(actions, namespace);
     } catch(error) {
       const { reason } = get(error, 'body.error', {});
       throw this.errors.decorateGeneralError(error, reason);
     }
   }
 
-  async _ensureAuthorized(typeOrTypes, action, args) {
+  async _ensureAuthorized(typeOrTypes, action, namespace, args) {
     const types = Array.isArray(typeOrTypes) ? typeOrTypes : [typeOrTypes];
     const actionsToTypesMap = new Map(types.map(type => [this._actions.savedObject.get(type, action), type]));
     const actions = Array.from(actionsToTypesMap.keys());
-    const { hasAllRequested, username, privileges } = await this._checkSavedObjectPrivileges(actions);
+    const { hasAllRequested, username, privileges } = await this._checkSavedObjectPrivileges(actions, namespace);
 
     if (hasAllRequested) {
       this._auditLogger.savedObjectsAuthorizationSuccess(username, action, types, args);