feat: allow plugins to deprecate and replace features and feature privileges

.buildkite/ftr_platform_stateful_configs.yml

@@ -317,6 +317,7 @@ enabled:
   - x-pack/test/security_api_integration/saml.http2.config.ts
   - x-pack/test/security_api_integration/saml_cloud.config.ts
   - x-pack/test/security_api_integration/chips.config.ts
+  - x-pack/test/security_api_integration/features.config.ts
   - x-pack/test/security_api_integration/session_idle.config.ts
   - x-pack/test/security_api_integration/session_invalidate.config.ts
   - x-pack/test/security_api_integration/session_lifespan.config.ts

.github/CODEOWNERS

@@ -466,6 +466,7 @@ examples/feature_control_examples @elastic/kibana-security
 examples/feature_flags_example @elastic/kibana-core
 x-pack/test/plugin_api_integration/plugins/feature_usage_test @elastic/kibana-security
 x-pack/plugins/features @elastic/kibana-core
+x-pack/test/security_api_integration/plugins/features_provider @elastic/kibana-security
 x-pack/test/functional_execution_context/plugins/alerts @elastic/kibana-core
 examples/field_formats_example @elastic/kibana-data-discovery
 src/plugins/field_formats @elastic/kibana-data-discovery
@@ -778,6 +779,7 @@ x-pack/plugins/searchprofiler @elastic/kibana-management
 x-pack/test/security_api_integration/packages/helpers @elastic/kibana-security
 x-pack/packages/security/api_key_management @elastic/kibana-security
 x-pack/packages/security/authorization_core @elastic/kibana-security
+x-pack/packages/security/authorization_core_common @elastic/kibana-security
 x-pack/packages/security/form_components @elastic/kibana-security
 packages/kbn-security-hardening @elastic/kibana-security
 x-pack/plugins/security @elastic/kibana-security

oas_docs/bundle.json

@@ -40978,7 +40978,28 @@
     "/api/security/role": {
       "get": {
         "operationId": "%2Fapi%2Fsecurity%2Frole#0",
-        "parameters": [],
+        "parameters": [
+          {
+            "description": "The version of the API to use",
+            "in": "header",
+            "name": "elastic-api-version",
+            "schema": {
+              "default": "2023-10-31",
+              "enum": [
+                "2023-10-31"
+              ],
+              "type": "string"
+            }
+          },
+          {
+            "in": "query",
+            "name": "replaceDeprecatedPrivileges",
+            "required": false,
+            "schema": {
+              "type": "boolean"
+            }
+          }
+        ],
         "responses": {},
         "summary": "Get all roles",
         "tags": [
@@ -41051,6 +41072,14 @@
               "minLength": 1,
               "type": "string"
             }
+          },
+          {
+            "in": "query",
+            "name": "replaceDeprecatedPrivileges",
+            "required": false,
+            "schema": {
+              "type": "boolean"
+            }
           }
         ],
         "responses": {},

oas_docs/output/kibana.staging.yaml

@@ -40578,7 +40578,20 @@ paths:
   /api/security/role:
     get:
       operationId: '%2Fapi%2Fsecurity%2Frole#0'
-      parameters: []
+      parameters:
+        - description: The version of the API to use
+          in: header
+          name: elastic-api-version
+          schema:
+            default: '2023-10-31'
+            enum:
+              - '2023-10-31'
+            type: string
+        - in: query
+          name: replaceDeprecatedPrivileges
+          required: false
+          schema:
+            type: boolean
       responses: {}
       summary: Get all roles
       tags:
@@ -40629,6 +40642,11 @@ paths:
           schema:
             minLength: 1
             type: string
+        - in: query
+          name: replaceDeprecatedPrivileges
+          required: false
+          schema:
+            type: boolean
       responses: {}
       summary: Get a role
       tags:

oas_docs/output/kibana.yaml

@@ -40578,7 +40578,20 @@ paths:
   /api/security/role:
     get:
       operationId: '%2Fapi%2Fsecurity%2Frole#0'
-      parameters: []
+      parameters:
+        - description: The version of the API to use
+          in: header
+          name: elastic-api-version
+          schema:
+            default: '2023-10-31'
+            enum:
+              - '2023-10-31'
+            type: string
+        - in: query
+          name: replaceDeprecatedPrivileges
+          required: false
+          schema:
+            type: boolean
       responses: {}
       summary: Get all roles
       tags:
@@ -40629,6 +40642,11 @@ paths:
           schema:
             minLength: 1
             type: string
+        - in: query
+          name: replaceDeprecatedPrivileges
+          required: false
+          schema:
+            type: boolean
       responses: {}
       summary: Get a role
       tags:

package.json

@@ -522,6 +522,7 @@
     "@kbn/feature-flags-example-plugin": "link:examples/feature_flags_example",
     "@kbn/feature-usage-test-plugin": "link:x-pack/test/plugin_api_integration/plugins/feature_usage_test",
     "@kbn/features-plugin": "link:x-pack/plugins/features",
+    "@kbn/features-provider-plugin": "link:x-pack/test/security_api_integration/plugins/features_provider",
     "@kbn/fec-alerts-test-plugin": "link:x-pack/test/functional_execution_context/plugins/alerts",
     "@kbn/field-formats-example-plugin": "link:examples/field_formats_example",
     "@kbn/field-formats-plugin": "link:src/plugins/field_formats",
@@ -797,6 +798,7 @@
     "@kbn/searchprofiler-plugin": "link:x-pack/plugins/searchprofiler",
     "@kbn/security-api-key-management": "link:x-pack/packages/security/api_key_management",
     "@kbn/security-authorization-core": "link:x-pack/packages/security/authorization_core",
+    "@kbn/security-authorization-core-common": "link:x-pack/packages/security/authorization_core_common",
     "@kbn/security-form-components": "link:x-pack/packages/security/form_components",
     "@kbn/security-hardening": "link:packages/kbn-security-hardening",
     "@kbn/security-plugin": "link:x-pack/plugins/security",

packages/kbn-ftr-common-functional-ui-services/services/security/role.ts

@@ -14,6 +14,28 @@ import { KbnClient } from '@kbn/test';
 export class Role {
   constructor(private log: ToolingLog, private kibanaServer: KbnClient) {}
 
+  public async get(
+    name: string,
+    { replaceDeprecatedPrivileges = true }: { replaceDeprecatedPrivileges?: boolean } = {}
+  ) {
+    this.log.debug(`retrieving role ${name}`);
+    const { data, status, statusText } = await this.kibanaServer
+      .request({
+        path: `/api/security/role/${name}?replaceDeprecatedPrivileges=${replaceDeprecatedPrivileges}`,
+        method: 'GET',
+      })
+      .catch((e) => {
+        throw new Error(util.inspect(e.axiosError.response, true));
+      });
+    if (status !== 200) {
+      throw new Error(
+        `Expected status code of 200, received ${status} ${statusText}: ${util.inspect(data)}`
+      );
+    }
+
+    return data;
+  }
+
   public async create(name: string, role: any) {
     this.log.debug(`creating role ${name}`);
     const { data, status, statusText } = await this.kibanaServer

tsconfig.base.json

@@ -926,6 +926,8 @@
       "@kbn/feature-usage-test-plugin/*": ["x-pack/test/plugin_api_integration/plugins/feature_usage_test/*"],
       "@kbn/features-plugin": ["x-pack/plugins/features"],
       "@kbn/features-plugin/*": ["x-pack/plugins/features/*"],
+      "@kbn/features-provider-plugin": ["x-pack/test/security_api_integration/plugins/features_provider"],
+      "@kbn/features-provider-plugin/*": ["x-pack/test/security_api_integration/plugins/features_provider/*"],
       "@kbn/fec-alerts-test-plugin": ["x-pack/test/functional_execution_context/plugins/alerts"],
       "@kbn/fec-alerts-test-plugin/*": ["x-pack/test/functional_execution_context/plugins/alerts/*"],
       "@kbn/field-formats-example-plugin": ["examples/field_formats_example"],
@@ -1550,6 +1552,8 @@
       "@kbn/security-api-key-management/*": ["x-pack/packages/security/api_key_management/*"],
       "@kbn/security-authorization-core": ["x-pack/packages/security/authorization_core"],
       "@kbn/security-authorization-core/*": ["x-pack/packages/security/authorization_core/*"],
+      "@kbn/security-authorization-core-common": ["x-pack/packages/security/authorization_core_common"],
+      "@kbn/security-authorization-core-common/*": ["x-pack/packages/security/authorization_core_common/*"],
       "@kbn/security-form-components": ["x-pack/packages/security/form_components"],
       "@kbn/security-form-components/*": ["x-pack/packages/security/form_components/*"],
       "@kbn/security-hardening": ["packages/kbn-security-hardening"],

x-pack/packages/security/authorization_core/index.ts

@@ -6,10 +6,5 @@
  */
 
 export { Actions } from './src/actions';
-export { privilegesFactory } from './src/privileges';
-export type {
-  CasesSupportedOperations,
-  PrivilegesService,
-  RawKibanaPrivileges,
-  RawKibanaFeaturePrivileges,
-} from './src/privileges';
+export { privilegesFactory, getReplacedByForPrivilege } from './src/privileges';
+export type { CasesSupportedOperations, PrivilegesService } from './src/privileges';

x-pack/packages/security/authorization_core/src/actions/alerting.test.ts

@@ -51,3 +51,21 @@ describe('#get', () => {
     );
   });
 });
+
+test('#isValid', () => {
+  const alertingActions = new AlertingActions();
+  expect(alertingActions.isValid('alerting:foo-ruleType/consumer/alertingType/bar-operation')).toBe(
+    true
+  );
+
+  expect(
+    alertingActions.isValid('api:alerting:foo-ruleType/consumer/alertingType/bar-operation')
+  ).toBe(false);
+  expect(alertingActions.isValid('api:foo-ruleType/consumer/alertingType/bar-operation')).toBe(
+    false
+  );
+
+  expect(alertingActions.isValid('alerting_foo-ruleType/consumer/alertingType/bar-operation')).toBe(
+    false
+  );
+});

x-pack/packages/security/authorization_core/src/actions/alerting.ts

@@ -40,4 +40,12 @@ export class AlertingActions implements AlertingActionsType {
 
     return `${this.prefix}${ruleTypeId}/${consumer}/${alertingEntity}/${operation}`;
   }
+
+  /**
+   * Checks if the action is a valid alerting action.
+   * @param action The action string to check.
+   */
+  public isValid(action: string) {
+    return action.startsWith(this.prefix);
+  }
 }

x-pack/packages/security/authorization_core/src/actions/ui.test.ts

@@ -32,3 +32,15 @@ describe('#get', () => {
     expect(uiActions.get('foo', 'fooCapability', 'subFoo')).toBe('ui:foo/fooCapability/subFoo');
   });
 });
+
+test('#isValid', () => {
+  const uiActions = new UIActions();
+  expect(uiActions.isValid('ui:alpha')).toBe(true);
+  expect(uiActions.isValid('ui:beta')).toBe(true);
+
+  expect(uiActions.isValid('api:alpha')).toBe(false);
+  expect(uiActions.isValid('api:beta')).toBe(false);
+
+  expect(uiActions.isValid('ui_alpha')).toBe(false);
+  expect(uiActions.isValid('ui_beta')).toBe(false);
+});

x-pack/packages/security/authorization_core/src/actions/ui.ts

@@ -40,4 +40,12 @@ export class UIActions implements UIActionsType {
 
     return `${this.prefix}${featureId}/${uiCapabilityParts.join('/')}`;
   }
+
+  /**
+   * Checks if the action is a valid UI action.
+   * @param action The action string to check.
+   */
+  public isValid(action: string) {
+    return action.startsWith(this.prefix);
+  }
 }

x-pack/packages/security/authorization_core/src/privileges/index.ts

@@ -7,5 +7,4 @@
 
 export type { PrivilegesService } from './privileges';
 export type { CasesSupportedOperations } from './feature_privilege_builder';
-export { privilegesFactory } from './privileges';
-export type { RawKibanaPrivileges, RawKibanaFeaturePrivileges } from './raw_kibana_privileges';
+export { privilegesFactory, getReplacedByForPrivilege } from './privileges';