[ESO Plugin] Migrate authc.getCurrentUser usage to coreStart.security

x-pack/plugins/encrypted_saved_objects/server/crypto/encryption_key_rotation_service.ts

@@ -14,7 +14,7 @@ import type {
   StartServicesAccessor,
 } from '@kbn/core/server';
 import { ENCRYPTION_EXTENSION_ID } from '@kbn/core-saved-objects-server';
-import type { AuthenticatedUser, SecurityPluginSetup } from '@kbn/security-plugin/server';
+import type { AuthenticatedUser } from '@kbn/core-security-common';
 import type { PublicMethodsOf } from '@kbn/utility-types';
 
 import type { EncryptedSavedObjectsService } from './encrypted_saved_objects_service';
@@ -25,7 +25,6 @@ interface EncryptionKeyRotationServiceOptions {
   logger: Logger;
   service: PublicMethodsOf<EncryptedSavedObjectsService>;
   getStartServices: StartServicesAccessor;
-  security?: SecurityPluginSetup;
 }
 
 interface EncryptionKeyRotationParams {
@@ -69,7 +68,7 @@ export class EncryptionKeyRotationService {
     request: KibanaRequest,
     { batchSize, type }: EncryptionKeyRotationParams
   ): Promise<EncryptionKeyRotationResult> {
-    const [{ savedObjects }] = await this.options.getStartServices();
+    const [{ security, savedObjects }] = await this.options.getStartServices();
     const typeRegistry = savedObjects.getTypeRegistry();
 
     // We need to retrieve all SavedObject types which have encrypted attributes, specifically
@@ -105,7 +104,7 @@ export class EncryptionKeyRotationService {
     // don't want to have Encrypted Saved Objects wrapper so that it doesn't strip encrypted
     // attributes. But for the update we want to have it so that it automatically re-encrypts
     // attributes with the new primary encryption key.
-    const user = this.options.security?.authc.getCurrentUser(request) ?? undefined;
+    const user = security.authc.getCurrentUser(request) ?? undefined;
     const retrieveClient = savedObjects.getScopedClient(request, {
       includedHiddenTypes: registeredHiddenSavedObjectTypes,
       excludedExtensions: [ENCRYPTION_EXTENSION_ID],

x-pack/plugins/encrypted_saved_objects/server/plugin.ts

@@ -60,7 +60,7 @@ export class EncryptedSavedObjectsPlugin
     this.logger = this.initializerContext.logger.get();
   }
 
-  public setup(core: CoreSetup, deps: PluginsSetup): EncryptedSavedObjectsPluginSetup {
+  public setup(core: CoreSetup, _deps: PluginsSetup): EncryptedSavedObjectsPluginSetup {
     const config = this.initializerContext.config.get<ConfigType>();
     const canEncrypt = config.encryptionKey !== undefined;
     if (!canEncrypt) {
@@ -95,7 +95,6 @@ export class EncryptedSavedObjectsPlugin
     this.savedObjectsSetup = setupSavedObjects({
       service,
       savedObjects: core.savedObjects,
-      security: deps.security,
       getStartServices: core.getStartServices,
     });
 
@@ -110,7 +109,6 @@ export class EncryptedSavedObjectsPlugin
             logger: this.logger.get('key-rotation-service'),
             service,
             getStartServices: core.getStartServices,
-            security: deps.security,
           })
         ),
         config,

x-pack/plugins/encrypted_saved_objects/server/saved_objects/index.test.ts

@@ -15,7 +15,7 @@ import {
   savedObjectsRepositoryMock,
   savedObjectsTypeRegistryMock,
 } from '@kbn/core/server/mocks';
-import { securityMock } from '@kbn/security-plugin/server/mocks';
+import { nextTick } from '@kbn/test-jest-helpers';
 
 import type { ClientInstanciator } from '.';
 import { setupSavedObjects } from '.';
@@ -47,14 +47,14 @@ describe('#setupSavedObjects', () => {
     setupContract = setupSavedObjects({
       service: mockEncryptedSavedObjectsService,
       savedObjects: coreSetupMock.savedObjects,
-      security: securityMock.createSetup(),
       getStartServices: coreSetupMock.getStartServices,
     });
   });
 
   describe('#setupContract', () => {
     it('includes hiddenTypes when specified', async () => {
-      await setupContract({ includedHiddenTypes: ['hiddenType'] });
+      setupContract({ includedHiddenTypes: ['hiddenType'] });
+      await nextTick();
       expect(coreStartMock.savedObjects.createInternalRepository).toHaveBeenCalledWith([
         'hiddenType',
       ]);

x-pack/plugins/encrypted_saved_objects/server/saved_objects/index.ts

@@ -18,7 +18,6 @@ import type {
   SavedObjectsServiceSetup,
   StartServicesAccessor,
 } from '@kbn/core/server';
-import type { SecurityPluginSetup } from '@kbn/security-plugin/server';
 import type { PublicMethodsOf } from '@kbn/utility-types';
 
 import { getDescriptorNamespace, normalizeNamespace } from './get_descriptor_namespace';
@@ -30,7 +29,6 @@ export { normalizeNamespace };
 interface SetupSavedObjectsParams {
   service: PublicMethodsOf<EncryptedSavedObjectsService>;
   savedObjects: SavedObjectsServiceSetup;
-  security?: SecurityPluginSetup;
   getStartServices: StartServicesAccessor;
 }
 
@@ -78,7 +76,6 @@ export interface EncryptedSavedObjectsClient {
 export function setupSavedObjects({
   service,
   savedObjects,
-  security,
   getStartServices,
 }: SetupSavedObjectsParams): ClientInstanciator {
   // Register custom saved object extension that will encrypt, decrypt and strip saved object
@@ -87,7 +84,10 @@ export function setupSavedObjects({
     return new SavedObjectsEncryptionExtension({
       baseTypeRegistry,
       service,
-      getCurrentUser: () => security?.authc.getCurrentUser(request) ?? undefined,
+      getCurrentUser: async () => {
+        const [{ security }] = await getStartServices();
+        return security.authc.getCurrentUser(request) ?? undefined;
+      },
     });
   });
 

x-pack/plugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts

@@ -22,13 +22,13 @@ import type { EncryptedSavedObjectsService } from '../crypto';
 export interface Params {
   baseTypeRegistry: ISavedObjectTypeRegistry;
   service: Readonly<EncryptedSavedObjectsService>;
-  getCurrentUser: () => AuthenticatedUser | undefined;
+  getCurrentUser: () => Promise<AuthenticatedUser | undefined>;
 }
 
 export class SavedObjectsEncryptionExtension implements ISavedObjectsEncryptionExtension {
   readonly _baseTypeRegistry: ISavedObjectTypeRegistry;
   readonly _service: Readonly<EncryptedSavedObjectsService>;
-  readonly _getCurrentUser: () => AuthenticatedUser | undefined;
+  readonly _getCurrentUser: () => Promise<AuthenticatedUser | undefined>;
 
   constructor({ baseTypeRegistry, service, getCurrentUser }: Params) {
     this._baseTypeRegistry = baseTypeRegistry;
@@ -51,14 +51,15 @@ export class SavedObjectsEncryptionExtension implements ISavedObjectsEncryptionE
         type: response.type,
         namespace: getDescriptorNamespace(this._baseTypeRegistry, response.type, namespace),
       };
+      const user = await this._getCurrentUser();
       // Error is returned when decryption fails, and in this case encrypted attributes will be
       // stripped from the returned attributes collection. That will let consumer decide whether to
       // fail or handle recovery gracefully.
       const { attributes, error } = await this._service.stripOrDecryptAttributes(
         normalizedDescriptor,
         response.attributes as Record<string, unknown>,
         originalAttributes as Record<string, unknown>,
-        { user: this._getCurrentUser() }
+        { user }
       );
 
       return { ...response, attributes, ...(error && { error }) };
@@ -82,8 +83,7 @@ export class SavedObjectsEncryptionExtension implements ISavedObjectsEncryptionE
       id,
       namespace: getDescriptorNamespace(this._baseTypeRegistry, type, namespace),
     };
-    return this._service.encryptAttributes(normalizedDescriptor, attributes, {
-      user: this._getCurrentUser(),
-    });
+    const user = await this._getCurrentUser();
+    return this._service.encryptAttributes(normalizedDescriptor, attributes, { user });
   }
 }

x-pack/plugins/encrypted_saved_objects/tsconfig.json

@@ -12,6 +12,7 @@
     "@kbn/core-saved-objects-server",
     "@kbn/core-saved-objects-base-server-internal",
     "@kbn/core-saved-objects-api-server-mocks",
+    "@kbn/core-security-common",
   ],
   "exclude": [
     "target/**/*",