[8.x] [SecuritySolution][ProductFeatures] Add support for `secur…

…ity.authz.requiredPrivileges` for the API auth control (#198312) (#198566)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[SecuritySolution][ProductFeatures] Add support for
`security.authz.requiredPrivileges` for the API auth control
(#198312)](#198312)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Sergi
Massaneda","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-31T15:31:00Z","message":"[SecuritySolution][ProductFeatures]
Add support for `security.authz.requiredPrivileges` for the API auth
control (#198312)\n\n## Summary\r\n\r\nAdds support for the new API
routes security authorization
properties\r\n([docs](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization))\r\nto
the `ProductFeaturesService` API authorization control\r\n\r\nCloses:
https://github.com/elastic/kibana/issues/194445\r\n\r\nRelated:
https://github.com/elastic/kibana/issues/184674\r\n\r\n---------\r\n\r\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"42e978be21bc7c85fc09f46213c194b89209690f","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:
SecuritySolution","backport:prev-minor","v8.17.0"],"title":"[SecuritySolution][ProductFeatures]
Add support for `security.authz.requiredPrivileges` for the API auth
control","number":198312,"url":"https://github.com/elastic/kibana/pull/198312","mergeCommit":{"message":"[SecuritySolution][ProductFeatures]
Add support for `security.authz.requiredPrivileges` for the API auth
control (#198312)\n\n## Summary\r\n\r\nAdds support for the new API
routes security authorization
properties\r\n([docs](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization))\r\nto
the `ProductFeaturesService` API authorization control\r\n\r\nCloses:
https://github.com/elastic/kibana/issues/194445\r\n\r\nRelated:
https://github.com/elastic/kibana/issues/184674\r\n\r\n---------\r\n\r\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"42e978be21bc7c85fc09f46213c194b89209690f"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/198312","number":198312,"mergeCommit":{"message":"[SecuritySolution][ProductFeatures]
Add support for `security.authz.requiredPrivileges` for the API auth
control (#198312)\n\n## Summary\r\n\r\nAdds support for the new API
routes security authorization
properties\r\n([docs](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization))\r\nto
the `ProductFeaturesService` API authorization control\r\n\r\nCloses:
https://github.com/elastic/kibana/issues/194445\r\n\r\nRelated:
https://github.com/elastic/kibana/issues/184674\r\n\r\n---------\r\n\r\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"42e978be21bc7c85fc09f46213c194b89209690f"}},{"branch":"8.x","label":"v8.17.0","branchLabelMappingKey":"^v8.17.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Sergi Massaneda <[email protected]>

x-pack/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts

@@ -23,6 +23,7 @@ import type {
 import { ProductFeatureKey } from '@kbn/security-solution-features/keys';
 import { httpServiceMock } from '@kbn/core-http-server-mocks';
 import type {
+  AuthzEnabled,
   KibanaRequest,
   LifecycleResponseFactory,
   OnPostAuthHandler,
@@ -181,11 +182,6 @@ describe('ProductFeaturesService', () => {
       lastRegisteredFn = fn;
     });
 
-    const getReq = (tags: string[] = []) =>
-      ({
-        route: { options: { tags } },
-        url: { pathname: '', search: '' },
-      } as unknown as KibanaRequest);
     const res = { notFound: jest.fn() } as unknown as LifecycleResponseFactory;
     const toolkit = httpServiceMock.createOnPostAuthToolkit();
 
@@ -204,93 +200,281 @@ describe('ProductFeaturesService', () => {
       expect(mockHttpSetup.registerOnPostAuth).toHaveBeenCalledTimes(1);
     });
 
-    it('should authorize when no tag matches', async () => {
-      const experimentalFeatures = {} as ExperimentalFeatures;
-      const productFeaturesService = new ProductFeaturesService(
-        loggerMock.create(),
-        experimentalFeatures
-      );
-      productFeaturesService.registerApiAccessControl(mockHttpSetup);
-
-      await lastRegisteredFn(getReq(['access:something', 'access:securitySolution']), res, toolkit);
-
-      expect(MockedProductFeatures.mock.instances[0].isActionRegistered).not.toHaveBeenCalled();
-      expect(res.notFound).not.toHaveBeenCalled();
-      expect(toolkit.next).toHaveBeenCalledTimes(1);
-    });
-
-    it('should check when tag matches and return not found when not action registered', async () => {
-      const experimentalFeatures = {} as ExperimentalFeatures;
-      const productFeaturesService = new ProductFeaturesService(
-        loggerMock.create(),
-        experimentalFeatures
-      );
-      productFeaturesService.registerApiAccessControl(mockHttpSetup);
-
-      (MockedProductFeatures.mock.instances[0].isActionRegistered as jest.Mock).mockReturnValueOnce(
-        false
-      );
-      await lastRegisteredFn(getReq(['access:securitySolution-foo']), res, toolkit);
-
-      expect(MockedProductFeatures.mock.instances[0].isActionRegistered).toHaveBeenCalledWith(
-        'api:securitySolution-foo'
-      );
-      expect(res.notFound).toHaveBeenCalledTimes(1);
-      expect(toolkit.next).not.toHaveBeenCalled();
-    });
-
-    it('should check when tag matches and continue when action registered', async () => {
-      const experimentalFeatures = {} as ExperimentalFeatures;
-      const productFeaturesService = new ProductFeaturesService(
-        loggerMock.create(),
-        experimentalFeatures
-      );
-      productFeaturesService.registerApiAccessControl(mockHttpSetup);
-
-      (MockedProductFeatures.mock.instances[0].isActionRegistered as jest.Mock).mockReturnValueOnce(
-        true
-      );
-      await lastRegisteredFn(getReq(['access:securitySolution-foo']), res, toolkit);
-
-      expect(MockedProductFeatures.mock.instances[0].isActionRegistered).toHaveBeenCalledWith(
-        'api:securitySolution-foo'
-      );
-      expect(res.notFound).not.toHaveBeenCalled();
-      expect(toolkit.next).toHaveBeenCalledTimes(1);
-    });
-
-    it('should check when productFeature tag when it matches and return not found when not enabled', async () => {
-      const experimentalFeatures = {} as ExperimentalFeatures;
-      const productFeaturesService = new ProductFeaturesService(
-        loggerMock.create(),
-        experimentalFeatures
-      );
-      productFeaturesService.registerApiAccessControl(mockHttpSetup);
-
-      productFeaturesService.isEnabled = jest.fn().mockReturnValueOnce(false);
-
-      await lastRegisteredFn(getReq(['securitySolutionProductFeature:foo']), res, toolkit);
-
-      expect(productFeaturesService.isEnabled).toHaveBeenCalledWith('foo');
-      expect(res.notFound).toHaveBeenCalledTimes(1);
-      expect(toolkit.next).not.toHaveBeenCalled();
+    describe('when using productFeature tag', () => {
+      const getReq = (tags: string[] = []) =>
+        ({
+          route: { options: { tags } },
+          url: { pathname: '', search: '' },
+        } as unknown as KibanaRequest);
+
+      it('should check when productFeature tag when it matches and return not found when not enabled', async () => {
+        const experimentalFeatures = {} as ExperimentalFeatures;
+        const productFeaturesService = new ProductFeaturesService(
+          loggerMock.create(),
+          experimentalFeatures
+        );
+        productFeaturesService.registerApiAccessControl(mockHttpSetup);
+
+        productFeaturesService.isEnabled = jest.fn().mockReturnValueOnce(false);
+
+        await lastRegisteredFn(getReq(['securitySolutionProductFeature:foo']), res, toolkit);
+
+        expect(productFeaturesService.isEnabled).toHaveBeenCalledWith('foo');
+        expect(res.notFound).toHaveBeenCalledTimes(1);
+        expect(toolkit.next).not.toHaveBeenCalled();
+      });
+
+      it('should check when productFeature tag when it matches and continue when enabled', async () => {
+        const experimentalFeatures = {} as ExperimentalFeatures;
+        const productFeaturesService = new ProductFeaturesService(
+          loggerMock.create(),
+          experimentalFeatures
+        );
+        productFeaturesService.registerApiAccessControl(mockHttpSetup);
+
+        productFeaturesService.isEnabled = jest.fn().mockReturnValueOnce(true);
+
+        await lastRegisteredFn(getReq(['securitySolutionProductFeature:foo']), res, toolkit);
+
+        expect(productFeaturesService.isEnabled).toHaveBeenCalledWith('foo');
+        expect(res.notFound).not.toHaveBeenCalled();
+        expect(toolkit.next).toHaveBeenCalledTimes(1);
+      });
     });
 
-    it('should check when productFeature tag when it matches and continue when enabled', async () => {
-      const experimentalFeatures = {} as ExperimentalFeatures;
-      const productFeaturesService = new ProductFeaturesService(
-        loggerMock.create(),
-        experimentalFeatures
-      );
-      productFeaturesService.registerApiAccessControl(mockHttpSetup);
-
-      productFeaturesService.isEnabled = jest.fn().mockReturnValueOnce(true);
-
-      await lastRegisteredFn(getReq(['securitySolutionProductFeature:foo']), res, toolkit);
-
-      expect(productFeaturesService.isEnabled).toHaveBeenCalledWith('foo');
-      expect(res.notFound).not.toHaveBeenCalled();
-      expect(toolkit.next).toHaveBeenCalledTimes(1);
+    // Documentation: https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization
+    describe('when using authorization', () => {
+      let productFeaturesService: ProductFeaturesService;
+      let mockIsActionRegistered: jest.Mock;
+
+      beforeEach(() => {
+        const experimentalFeatures = {} as ExperimentalFeatures;
+        productFeaturesService = new ProductFeaturesService(
+          loggerMock.create(),
+          experimentalFeatures
+        );
+        productFeaturesService.registerApiAccessControl(mockHttpSetup);
+        mockIsActionRegistered = MockedProductFeatures.mock.instances[0]
+          .isActionRegistered as jest.Mock;
+      });
+
+      describe('when using access tag', () => {
+        const getReq = (tags: string[] = []) =>
+          ({
+            route: { options: { tags } },
+            url: { pathname: '', search: '' },
+          } as unknown as KibanaRequest);
+
+        it('should authorize when no tag matches', async () => {
+          await lastRegisteredFn(
+            getReq(['access:something', 'access:securitySolution']),
+            res,
+            toolkit
+          );
+
+          expect(mockIsActionRegistered).not.toHaveBeenCalled();
+          expect(res.notFound).not.toHaveBeenCalled();
+          expect(toolkit.next).toHaveBeenCalledTimes(1);
+        });
+
+        it('should check when tag matches and return not found when not action registered', async () => {
+          mockIsActionRegistered.mockReturnValueOnce(false);
+          await lastRegisteredFn(getReq(['access:securitySolution-foo']), res, toolkit);
+
+          expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-foo');
+          expect(res.notFound).toHaveBeenCalledTimes(1);
+          expect(toolkit.next).not.toHaveBeenCalled();
+        });
+
+        it('should check when tag matches and continue when action registered', async () => {
+          mockIsActionRegistered.mockReturnValueOnce(true);
+          await lastRegisteredFn(getReq(['access:securitySolution-foo']), res, toolkit);
+
+          expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-foo');
+          expect(res.notFound).not.toHaveBeenCalled();
+          expect(toolkit.next).toHaveBeenCalledTimes(1);
+        });
+      });
+
+      describe('when using security authz', () => {
+        beforeEach(() => {
+          mockIsActionRegistered.mockImplementation((action: string) => action.includes('enabled'));
+        });
+
+        const getReq = (requiredPrivileges?: AuthzEnabled['requiredPrivileges']) =>
+          ({
+            route: { options: { security: { authz: { requiredPrivileges } } } },
+            url: { pathname: '', search: '' },
+          } as unknown as KibanaRequest);
+
+        it('should authorize when no privilege matches', async () => {
+          await lastRegisteredFn(getReq(['something', 'securitySolution']), res, toolkit);
+
+          expect(mockIsActionRegistered).not.toHaveBeenCalled();
+          expect(res.notFound).not.toHaveBeenCalled();
+          expect(toolkit.next).toHaveBeenCalledTimes(1);
+        });
+
+        it('should check when privilege matches and return not found when not action registered', async () => {
+          await lastRegisteredFn(getReq(['securitySolution-disabled']), res, toolkit);
+
+          expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-disabled');
+          expect(res.notFound).toHaveBeenCalledTimes(1);
+          expect(toolkit.next).not.toHaveBeenCalled();
+        });
+
+        it('should check when privilege matches and continue when action registered', async () => {
+          mockIsActionRegistered.mockReturnValueOnce(true);
+          await lastRegisteredFn(getReq(['securitySolution-enabled']), res, toolkit);
+
+          expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-enabled');
+          expect(res.notFound).not.toHaveBeenCalled();
+          expect(toolkit.next).toHaveBeenCalledTimes(1);
+        });
+
+        it('should restrict access when one action is not registered', async () => {
+          mockIsActionRegistered.mockReturnValueOnce(true);
+          await lastRegisteredFn(
+            getReq([
+              'securitySolution-enabled',
+              'securitySolution-disabled',
+              'securitySolution-enabled2',
+            ]),
+            res,
+            toolkit
+          );
+
+          expect(mockIsActionRegistered).toHaveBeenCalledTimes(2);
+          expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-enabled');
+          expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-disabled');
+
+          expect(res.notFound).toHaveBeenCalledTimes(1);
+          expect(toolkit.next).not.toHaveBeenCalled();
+        });
+
+        describe('when using nested requiredPrivileges', () => {
+          describe('when using allRequired', () => {
+            it('should allow access when all actions are registered', async () => {
+              const req = getReq([
+                {
+                  allRequired: [
+                    'securitySolution-enabled',
+                    'securitySolution-enabled2',
+                    'securitySolution-enabled3',
+                  ],
+                },
+              ]);
+              await lastRegisteredFn(req, res, toolkit);
+
+              expect(mockIsActionRegistered).toHaveBeenCalledTimes(3);
+              expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-enabled');
+              expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-enabled2');
+              expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-enabled3');
+
+              expect(res.notFound).not.toHaveBeenCalled();
+              expect(toolkit.next).toHaveBeenCalledTimes(1);
+            });
+
+            it('should restrict access if one action is not registered', async () => {
+              const req = getReq([
+                {
+                  allRequired: [
+                    'securitySolution-enabled',
+                    'securitySolution-disabled',
+                    'securitySolution-notCalled',
+                  ],
+                },
+              ]);
+              await lastRegisteredFn(req, res, toolkit);
+
+              expect(mockIsActionRegistered).toHaveBeenCalledTimes(2);
+              expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-enabled');
+              expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-disabled');
+
+              expect(res.notFound).toHaveBeenCalledTimes(1);
+              expect(toolkit.next).not.toHaveBeenCalled();
+            });
+
+            it('should allow only based on security privileges and ignore non-security', async () => {
+              const req = getReq([
+                { allRequired: ['notSecurityPrivilege', 'securitySolution-enabled'] },
+              ]);
+              await lastRegisteredFn(req, res, toolkit);
+
+              expect(mockIsActionRegistered).toHaveBeenCalledTimes(1);
+              expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-enabled');
+
+              expect(res.notFound).not.toHaveBeenCalled();
+              expect(toolkit.next).toHaveBeenCalledTimes(1);
+            });
+
+            it('should restrict only based on security privileges and ignore non-security', async () => {
+              const req = getReq([
+                { allRequired: ['notSecurityPrivilege', 'securitySolution-disabled'] },
+              ]);
+              await lastRegisteredFn(req, res, toolkit);
+
+              expect(mockIsActionRegistered).toHaveBeenCalledTimes(1);
+              expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-disabled');
+
+              expect(res.notFound).toHaveBeenCalledTimes(1);
+              expect(toolkit.next).not.toHaveBeenCalled();
+            });
+          });
+
+          describe('when using anyRequired', () => {
+            it('should allow access when one action is registered', async () => {
+              const req = getReq([
+                {
+                  anyRequired: [
+                    'securitySolution-disabled',
+                    'securitySolution-enabled',
+                    'securitySolution-notCalled',
+                  ],
+                },
+              ]);
+              await lastRegisteredFn(req, res, toolkit);
+
+              expect(mockIsActionRegistered).toHaveBeenCalledTimes(2);
+              expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-disabled');
+              expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-enabled');
+
+              expect(res.notFound).not.toHaveBeenCalled();
+              expect(toolkit.next).toHaveBeenCalledTimes(1);
+            });
+
+            it('should restrict access when no action is registered', async () => {
+              const req = getReq([
+                {
+                  anyRequired: ['securitySolution-disabled', 'securitySolution-disabled2'],
+                },
+              ]);
+              await lastRegisteredFn(req, res, toolkit);
+
+              expect(mockIsActionRegistered).toHaveBeenCalledTimes(2);
+              expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-disabled');
+              expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-disabled2');
+
+              expect(res.notFound).toHaveBeenCalledTimes(1);
+              expect(toolkit.next).not.toHaveBeenCalled();
+            });
+
+            it('should restrict only based on security privileges and allow when non-security privilege is present', async () => {
+              const req = getReq([
+                {
+                  anyRequired: ['notSecurityPrivilege', 'securitySolution-disabled'],
+                },
+              ]);
+              await lastRegisteredFn(req, res, toolkit);
+
+              expect(mockIsActionRegistered).not.toHaveBeenCalled();
+
+              expect(res.notFound).not.toHaveBeenCalled();
+              expect(toolkit.next).toHaveBeenCalledTimes(1);
+            });
+          });
+        });
+      });
     });
   });
 });