diff --git a/x-pack/plugins/encrypted_saved_objects/server/crypto/encryption_key_rotation_service.ts b/x-pack/plugins/encrypted_saved_objects/server/crypto/encryption_key_rotation_service.ts
index c18c7a46c54c4..d8fa12a3e4973 100644
--- a/x-pack/plugins/encrypted_saved_objects/server/crypto/encryption_key_rotation_service.ts
+++ b/x-pack/plugins/encrypted_saved_objects/server/crypto/encryption_key_rotation_service.ts
@@ -14,7 +14,7 @@ import type {
 StartServicesAccessor,
 } from '@kbn/core/server';
 import { ENCRYPTION_EXTENSION_ID } from '@kbn/core-saved-objects-server';
-import type { AuthenticatedUser, SecurityPluginSetup } from '@kbn/security-plugin/server';
+import type { AuthenticatedUser } from '@kbn/core-security-common';
 import type { PublicMethodsOf } from '@kbn/utility-types';
 import type { EncryptedSavedObjectsService } from './encrypted_saved_objects_service';
@@ -25,7 +25,6 @@ interface EncryptionKeyRotationServiceOptions {
 logger: Logger;
 service: PublicMethodsOf;
 getStartServices: StartServicesAccessor;
- security?: SecurityPluginSetup;
 }
 interface EncryptionKeyRotationParams {
@@ -69,7 +68,7 @@ export class EncryptionKeyRotationService {
 request: KibanaRequest,
 { batchSize, type }: EncryptionKeyRotationParams
 ): Promise {
- const [{ savedObjects }] = await this.options.getStartServices();
+ const [{ security, savedObjects }] = await this.options.getStartServices();
 const typeRegistry = savedObjects.getTypeRegistry();
 // We need to retrieve all SavedObject types which have encrypted attributes, specifically
@@ -105,7 +104,7 @@ export class EncryptionKeyRotationService {
 // don't want to have Encrypted Saved Objects wrapper so that it doesn't strip encrypted
 // attributes. But for the update we want to have it so that it automatically re-encrypts
 // attributes with the new primary encryption key.
- const user = this.options.security?.authc.getCurrentUser(request) ?? undefined;
+ const user = security.authc.getCurrentUser(request) ?? undefined;
 const retrieveClient = savedObjects.getScopedClient(request, {
 includedHiddenTypes: registeredHiddenSavedObjectTypes,
 excludedExtensions: [ENCRYPTION_EXTENSION_ID],
diff --git a/x-pack/plugins/encrypted_saved_objects/server/plugin.ts b/x-pack/plugins/encrypted_saved_objects/server/plugin.ts
index ba69b00ecb4e1..50514bc619978 100644
--- a/x-pack/plugins/encrypted_saved_objects/server/plugin.ts
+++ b/x-pack/plugins/encrypted_saved_objects/server/plugin.ts
@@ -60,7 +60,7 @@ export class EncryptedSavedObjectsPlugin
 this.logger = this.initializerContext.logger.get();
 }
- public setup(core: CoreSetup, deps: PluginsSetup): EncryptedSavedObjectsPluginSetup {
+ public setup(core: CoreSetup, _deps: PluginsSetup): EncryptedSavedObjectsPluginSetup {
 const config = this.initializerContext.config.get();
 const canEncrypt = config.encryptionKey !== undefined;
 if (!canEncrypt) {
@@ -95,7 +95,6 @@ export class EncryptedSavedObjectsPlugin
 this.savedObjectsSetup = setupSavedObjects({
 service,
 savedObjects: core.savedObjects,
- security: deps.security,
 getStartServices: core.getStartServices,
 });
@@ -110,7 +109,6 @@ export class EncryptedSavedObjectsPlugin
 logger: this.logger.get('key-rotation-service'),
 service,
 getStartServices: core.getStartServices,
- security: deps.security,
 })
 ),
 config,
diff --git a/x-pack/plugins/encrypted_saved_objects/server/saved_objects/index.test.ts b/x-pack/plugins/encrypted_saved_objects/server/saved_objects/index.test.ts
index dc7cb2a9e52d5..bd8f21d1c8bf9 100644
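Review bot: In encryption_key_rotation_service.ts (hunk at -105), `security.authc.getCurrentUser(request) ?? undefined` still lets key rotation continue with `user` undefined when the lookup returns null, and nothing in the hunk says whether that is intended for a rotation request. Where `user` is consumed lies outside the hunk, so this is a documentation point only: a comment above the assignment such as `// user is undefined when no authenticated user is attached to the request; rotation still proceeds` would make the behaviour explicit for anyone relying on `user` to attribute the rotation to an actor. The `security` binding comes from the `getStartServices()` destructuring changed in the hunk at -69.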
--- a/x-pack/plugins/encrypted_saved_objects/server/saved_objects/index.test.ts
+++ b/x-pack/plugins/encrypted_saved_objects/server/saved_objects/index.test.ts
@@ -15,7 +15,7 @@ import {
 savedObjectsRepositoryMock,
 savedObjectsTypeRegistryMock,
 } from '@kbn/core/server/mocks';
-import { securityMock } from '@kbn/security-plugin/server/mocks';
+import { nextTick } from '@kbn/test-jest-helpers';
 import type { ClientInstanciator } from '.';
 import { setupSavedObjects } from '.';
@@ -47,14 +47,14 @@ describe('#setupSavedObjects', () => {
 setupContract = setupSavedObjects({
 service: mockEncryptedSavedObjectsService,
 savedObjects: coreSetupMock.savedObjects,
- security: securityMock.createSetup(),
 getStartServices: coreSetupMock.getStartServices,
 });
 });
 describe('#setupContract', () => {
 it('includes hiddenTypes when specified', async () => {
- await setupContract({ includedHiddenTypes: ['hiddenType'] });
+ setupContract({ includedHiddenTypes: ['hiddenType'] });
+ await nextTick();
 expect(coreStartMock.savedObjects.createInternalRepository).toHaveBeenCalledWith([
 'hiddenType',
 ]);
diff --git a/x-pack/plugins/encrypted_saved_objects/server/saved_objects/index.ts b/x-pack/plugins/encrypted_saved_objects/server/saved_objects/index.ts
index 6c7b9ef5513ac..3fbfec79b1528 100644
--- a/x-pack/plugins/encrypted_saved_objects/server/saved_objects/index.ts
+++ b/x-pack/plugins/encrypted_saved_objects/server/saved_objects/index.ts
@@ -18,7 +18,6 @@ import type {
 SavedObjectsServiceSetup,
 StartServicesAccessor,
 } from '@kbn/core/server';
-import type { SecurityPluginSetup } from '@kbn/security-plugin/server';
 import type { PublicMethodsOf } from '@kbn/utility-types';
 import { getDescriptorNamespace, normalizeNamespace } from './get_descriptor_namespace';
@@ -30,7 +29,6 @@ export { normalizeNamespace };
 interface SetupSavedObjectsParams {
 service: PublicMethodsOf;
 savedObjects: SavedObjectsServiceSetup;
- security?: SecurityPluginSetup;
 getStartServices: StartServicesAccessor;
 }
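Review bot: In index.test.ts, the hunks at -15 and -47 remove the security mock but none of the visible test changes exercise the new asynchronous `getCurrentUser` path, so the user handed to the encryption extension is no longer covered here (other test files may cover it; they are not part of this page). A case that stubs the start contract's `authc.getCurrentUser` and asserts the resolved user reaches the extension, plus one for a null result, would pin the behaviour. Separately, replacing `await setupContract(...)` with `await nextTick()` ties the assertion to how many async hops the implementation takes; a comment such as `// createInternalRepository is called after getStartServices() resolves` would explain why the tick is needed.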
@@ -78,7 +76,6 @@ export interface EncryptedSavedObjectsClient {
 export function setupSavedObjects({
 service,
 savedObjects,
- security,
 getStartServices,
 }: SetupSavedObjectsParams): ClientInstanciator {
 // Register custom saved object extension that will encrypt, decrypt and strip saved object
@@ -87,7 +84,10 @@ export function setupSavedObjects({
 return new SavedObjectsEncryptionExtension({
 baseTypeRegistry,
 service,
- getCurrentUser: () => security?.authc.getCurrentUser(request) ?? undefined,
+ getCurrentUser: async () => {
+ const [{ security }] = await getStartServices();
+ return security.authc.getCurrentUser(request) ?? undefined;
+ },
 });
 });
diff --git a/x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts b/x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts
index fe5d00ee4a8fb..01c35c7403fdf 100644
--- a/x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts
+++ b/x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts
@@ -22,13 +22,13 @@ import type { EncryptedSavedObjectsService } from '../crypto';
 export interface Params {
 baseTypeRegistry: ISavedObjectTypeRegistry;
 service: Readonly;
- getCurrentUser: () => AuthenticatedUser | undefined;
+ getCurrentUser: () => Promise;
 }
 export class SavedObjectsEncryptionExtension implements ISavedObjectsEncryptionExtension {
 readonly _baseTypeRegistry: ISavedObjectTypeRegistry;
 readonly _service: Readonly;
- readonly _getCurrentUser: () => AuthenticatedUser | undefined;
+ readonly _getCurrentUser: () => Promise;
 constructor({ baseTypeRegistry, service, getCurrentUser }: Params) {
 this._baseTypeRegistry = baseTypeRegistry;
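Review bot: In saved_objects/index.ts (hunk at -87), the new `getCurrentUser` awaits `getStartServices()` on every invocation, and the extension calls it from both its encrypt and decrypt methods, so each encrypted object presumably pays an extra start-contract resolution and any rejection from `getStartServices()` now surfaces inside the encryption path. Resolving the contract once per extension instance keeps the per-object path cheap: add `const startServices = getStartServices();` before `return new SavedObjectsEncryptionExtension({`, and use `const [{ security }] = await startServices;` inside the callback. The factory callback that receives `request` and `baseTypeRegistry` starts outside the hunk.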
@@ -51,6 +51,7 @@ export class SavedObjectsEncryptionExtension implements ISavedObjectsEncryptionE
 type: response.type,
 namespace: getDescriptorNamespace(this._baseTypeRegistry, response.type, namespace),
 };
+ const user = await this._getCurrentUser();
 // Error is returned when decryption fails, and in this case encrypted attributes will be
 // stripped from the returned attributes collection. That will let consumer decide whether to
 // fail or handle recovery gracefully.
@@ -58,7 +59,7 @@ export class SavedObjectsEncryptionExtension implements ISavedObjectsEncryptionE
 normalizedDescriptor,
 response.attributes as Record,
 originalAttributes as Record,
- { user: this._getCurrentUser() }
+ { user }
 );
 return { ...response, attributes, ...(error && { error }) };
@@ -82,8 +83,7 @@ export class SavedObjectsEncryptionExtension implements ISavedObjectsEncryptionE
 id,
 namespace: getDescriptorNamespace(this._baseTypeRegistry, type, namespace),
 };
- return this._service.encryptAttributes(normalizedDescriptor, attributes, {
- user: this._getCurrentUser(),
- });
+ const user = await this._getCurrentUser();
+ return this._service.encryptAttributes(normalizedDescriptor, attributes, { user });
 }
 }
diff --git a/x-pack/plugins/encrypted_saved_objects/tsconfig.json b/x-pack/plugins/encrypted_saved_objects/tsconfig.json
index 17dea87aca6ee..83cdcd6225850 100644
--- a/x-pack/plugins/encrypted_saved_objects/tsconfig.json
+++ b/x-pack/plugins/encrypted_saved_objects/tsconfig.json
@@ -12,6 +12,8 @@
 "@kbn/core-saved-objects-server",
 "@kbn/core-saved-objects-base-server-internal",
 "@kbn/core-saved-objects-api-server-mocks",
+ "@kbn/core-security-common",
+ "@kbn/test-jest-helpers",
 ],
 "exclude": [
 "target/**/*",
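Review bot: In saved_objects_encryption_extension.ts (hunk at -51), `const user = await this._getCurrentUser();` sits outside the strip-on-error handling described by the comment directly below it, so a rejected user lookup now rejects the whole decrypt call instead of returning the response with an `error` and stripped attributes. The encrypt path in the hunk at -82 gains the same rejection point before `encryptAttributes`. If rejecting is the intended behaviour, state it next to the await, e.g. `// A failed user lookup rejects on purpose; only decryption failures are turned into stripped attributes.`; otherwise the lookup needs its own handling so that a user-resolution failure does not block reads of encrypted objects. Both methods begin outside their hunks.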