Extract authorization logic and it's peripherals into packages

.github/CODEOWNERS

@@ -747,12 +747,14 @@ packages/kbn-search-types @elastic/kibana-data-discovery
 x-pack/plugins/searchprofiler @elastic/kibana-management
 x-pack/test/security_api_integration/packages/helpers @elastic/kibana-security
 x-pack/packages/security/api_key_management @elastic/kibana-security
+x-pack/packages/security/authorization_core @elastic/kibana-security
 x-pack/packages/security/form_components @elastic/kibana-security
 packages/kbn-security-hardening @elastic/kibana-security
 x-pack/plugins/security @elastic/kibana-security
 x-pack/packages/security/plugin_types_common @elastic/kibana-security
 x-pack/packages/security/plugin_types_public @elastic/kibana-security
 x-pack/packages/security/plugin_types_server @elastic/kibana-security
+x-pack/packages/security/role_management_model @elastic/kibana-security
 x-pack/packages/security-solution/distribution_bar @elastic/kibana-cloud-security-posture
 x-pack/plugins/security_solution_ess @elastic/security-solution
 x-pack/packages/security-solution/features @elastic/security-threat-hunting-explore

package.json

@@ -764,12 +764,14 @@
     "@kbn/search-types": "link:packages/kbn-search-types",
     "@kbn/searchprofiler-plugin": "link:x-pack/plugins/searchprofiler",
     "@kbn/security-api-key-management": "link:x-pack/packages/security/api_key_management",
+    "@kbn/security-authorization-core": "link:x-pack/packages/security/authorization_core",
     "@kbn/security-form-components": "link:x-pack/packages/security/form_components",
     "@kbn/security-hardening": "link:packages/kbn-security-hardening",
     "@kbn/security-plugin": "link:x-pack/plugins/security",
     "@kbn/security-plugin-types-common": "link:x-pack/packages/security/plugin_types_common",
     "@kbn/security-plugin-types-public": "link:x-pack/packages/security/plugin_types_public",
     "@kbn/security-plugin-types-server": "link:x-pack/packages/security/plugin_types_server",
+    "@kbn/security-role-management-model": "link:x-pack/packages/security/role_management_model",
     "@kbn/security-solution-distribution-bar": "link:x-pack/packages/security-solution/distribution_bar",
     "@kbn/security-solution-ess": "link:x-pack/plugins/security_solution_ess",
     "@kbn/security-solution-features": "link:x-pack/packages/security-solution/features",

tsconfig.base.json

@@ -1488,6 +1488,8 @@
       "@kbn/security-api-integration-helpers/*": ["x-pack/test/security_api_integration/packages/helpers/*"],
       "@kbn/security-api-key-management": ["x-pack/packages/security/api_key_management"],
       "@kbn/security-api-key-management/*": ["x-pack/packages/security/api_key_management/*"],
+      "@kbn/security-authorization-core": ["x-pack/packages/security/authorization_core"],
+      "@kbn/security-authorization-core/*": ["x-pack/packages/security/authorization_core/*"],
       "@kbn/security-form-components": ["x-pack/packages/security/form_components"],
       "@kbn/security-form-components/*": ["x-pack/packages/security/form_components/*"],
       "@kbn/security-hardening": ["packages/kbn-security-hardening"],
@@ -1500,6 +1502,8 @@
       "@kbn/security-plugin-types-public/*": ["x-pack/packages/security/plugin_types_public/*"],
       "@kbn/security-plugin-types-server": ["x-pack/packages/security/plugin_types_server"],
       "@kbn/security-plugin-types-server/*": ["x-pack/packages/security/plugin_types_server/*"],
+      "@kbn/security-role-management-model": ["x-pack/packages/security/role_management_model"],
+      "@kbn/security-role-management-model/*": ["x-pack/packages/security/role_management_model/*"],
       "@kbn/security-solution-distribution-bar": ["x-pack/packages/security-solution/distribution_bar"],
       "@kbn/security-solution-distribution-bar/*": ["x-pack/packages/security-solution/distribution_bar/*"],
       "@kbn/security-solution-ess": ["x-pack/plugins/security_solution_ess"],

x-pack/packages/security/authorization_core/README.md

@@ -0,0 +1,3 @@
+# @kbn/security-authorization-core
+
+Contains core authorization logic

x-pack/packages/security/authorization_core/index.ts

@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { Actions } from './src/actions';
+export { privilegesFactory } from './src/privileges';
+export type {
+  CasesSupportedOperations,
+  PrivilegesService,
+  RawKibanaPrivileges,
+  RawKibanaFeaturePrivileges,
+} from './src/privileges';

x-pack/packages/security/authorization_core/jest.config.js

@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+module.exports = {
+  coverageDirectory: '<rootDir>/x-pack/packages/security/authorization_core',
+  coverageReporters: ['text', 'html'],
+  collectCoverageFrom: ['<rootDir>/x-pack/packages/security/authorization_core/**/*.{ts,tsx}'],
+  preset: '@kbn/test',
+  rootDir: '../../../..',
+  roots: ['<rootDir>/x-pack/packages/security/authorization_core'],
+};

x-pack/packages/security/authorization_core/kibana.jsonc

@@ -0,0 +1,5 @@
+{
+  "type": "shared-server",
+  "id": "@kbn/security-authorization-core",
+  "owner": "@elastic/kibana-security"
+}

x-pack/packages/security/authorization_core/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "@kbn/security-authorization-core",
+  "private": true,
+  "version": "1.0.0",
+  "license": "Elastic License 2.0"
+}

x-pack/packages/security/authorization_core/src/__fixtures__/licensing.mock.ts

@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { Observable, of } from 'rxjs';
+
+import type { LicenseType } from '@kbn/licensing-plugin/common/types';
+import { LICENSE_TYPE } from '@kbn/licensing-plugin/common/types';
+import type { SecurityLicense, SecurityLicenseFeatures } from '@kbn/security-plugin-types-common';
+
+export const licenseMock = {
+  create: (
+    features: Partial<SecurityLicenseFeatures> | Observable<Partial<SecurityLicenseFeatures>> = {},
+    licenseType: LicenseType = 'basic', // default to basic if this is not specified,
+    isAvailable: Observable<boolean> = of(true)
+  ): jest.Mocked<SecurityLicense> => ({
+    isLicenseAvailable: jest.fn().mockImplementation(() => {
+      let result = true;
+
+      isAvailable.subscribe((next) => {
+        result = next;
+      });
+
+      return result;
+    }),
+    getLicenseType: jest.fn().mockReturnValue(licenseType),
+    getUnavailableReason: jest.fn(),
+    isEnabled: jest.fn().mockReturnValue(true),
+    getFeatures:
+      features instanceof Observable
+        ? jest.fn().mockImplementation(() => {
+            let subbedFeatures: Partial<SecurityLicenseFeatures> = {};
+
+            features.subscribe((next) => {
+              subbedFeatures = next;
+            });
+
+            return subbedFeatures;
+          })
+        : jest.fn().mockReturnValue(features),
+    hasAtLeast: jest
+      .fn()
+      .mockImplementation(
+        (licenseTypeToCheck: LicenseType) =>
+          LICENSE_TYPE[licenseTypeToCheck] <= LICENSE_TYPE[licenseType]
+      ),
+    features$:
+      features instanceof Observable
+        ? (features as Observable<SecurityLicenseFeatures>)
+        : of((features ?? {}) as SecurityLicenseFeatures),
+  }),
+};

x-pack/plugins/security/server/authorization/privileges/index.ts → x-pack/packages/security/authorization_core/src/privileges/index.ts

@@ -8,3 +8,4 @@
 export type { PrivilegesService } from './privileges';
 export type { CasesSupportedOperations } from './feature_privilege_builder';
 export { privilegesFactory } from './privileges';
+export type { RawKibanaPrivileges, RawKibanaFeaturePrivileges } from './raw_kibana_privileges';

x-pack/plugins/security/server/authorization/privileges/privileges.test.ts → x-pack/packages/security/authorization_core/src/privileges/privileges.test.ts

@@ -9,7 +9,7 @@ import { KibanaFeature } from '@kbn/features-plugin/server';
 import { featuresPluginMock } from '@kbn/features-plugin/server/mocks';
 
 import { privilegesFactory } from './privileges';
-import { licenseMock } from '../../../common/licensing/index.mock';
+import { licenseMock } from '../__fixtures__/licensing.mock';
 import { Actions } from '../actions';
 
 const actions = new Actions();

x-pack/plugins/security/server/authorization/privileges/privileges.ts → x-pack/packages/security/authorization_core/src/privileges/privileges.ts

@@ -13,9 +13,9 @@ import type {
 } from '@kbn/features-plugin/common';
 import type { FeaturesPluginSetup, KibanaFeature } from '@kbn/features-plugin/server';
 
+import type { SecurityLicense } from '@kbn/security-plugin-types-common';
 import { featurePrivilegeBuilderFactory } from './feature_privilege_builder';
-import type { SecurityLicense } from '../../../common';
-import type { RawKibanaPrivileges } from '../../../common/model';
+import type { RawKibanaPrivileges } from './raw_kibana_privileges';
 import type { Actions } from '../actions';
 
 export interface PrivilegesService {

x-pack/packages/security/authorization_core/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "extends": "../../../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "target/types",
+    "types": ["jest", "node", "react"]
+  },
+  "include": ["**/*.ts", "**/*.tsx"],
+  "exclude": ["target/**/*"],
+  "kbn_references": [
+    "@kbn/core",
+    "@kbn/features-plugin",
+    "@kbn/security-plugin-types-common",
+    "@kbn/security-plugin-types-server",
+    "@kbn/licensing-plugin",
+  ]
+}

x-pack/packages/security/role_management_model/README.md

@@ -0,0 +1,3 @@
+# @kbn/security-role-management
+
+Contains business logic for RBAC administration within Kibana.

x-pack/packages/security/role_management_model/index.ts

@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { SecuredFeature } from './src/secured_feature';
+export { SecuredSubFeature } from './src/secured_sub_feature';
+export { SubFeaturePrivilegeGroup } from './src/sub_feature_privilege_group';
+export { SubFeaturePrivilege } from './src/sub_feature_privilege';
+export { PrimaryFeaturePrivilege } from './src/primary_feature_privilege';
+export { KibanaPrivileges, isGlobalPrivilegeDefinition } from './src/kibana_privileges';
+export { KibanaPrivilege } from './src/kibana_privilege';
+export { PrivilegeCollection } from './src/privilege_collection';

x-pack/packages/security/role_management_model/jest.config.js

@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+module.exports = {
+  coverageDirectory:
+    '<rootDir>/target/kibana-coverage/jest/x-pack/packages/security/role_management_model',
+  coverageReporters: ['text', 'html'],
+  collectCoverageFrom: ['<rootDir>/x-pack/packages/security/role_management_model/**/*.{ts,tsx}'],
+  preset: '@kbn/test',
+  rootDir: '../../../..',
+  roots: ['<rootDir>/x-pack/packages/security/role_management_model'],
+};

x-pack/packages/security/role_management_model/kibana.jsonc

@@ -0,0 +1,5 @@
+{
+  "type": "shared-common",
+  "id": "@kbn/security-role-management-model",
+  "owner": "@elastic/kibana-security"
+}

x-pack/packages/security/role_management_model/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "@kbn/security-role-management-model",
+  "private": true,
+  "version": "1.0.0",
+  "license": "Elastic License 2.0"
+}

x-pack/packages/security/role_management_model/src/__fixtures__/index.ts

@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { createFeature, kibanaFeatures } from './kibana_features';
+export { createKibanaPrivileges, createRawKibanaPrivileges } from './kibana_privileges';

x-pack/plugins/security/public/management/roles/__fixtures__/kibana_privileges.ts → x-pack/packages/security/role_management_model/src/__fixtures__/kibana_privileges.ts

@@ -6,19 +6,33 @@
  */
 
 import type { KibanaFeature } from '@kbn/features-plugin/public';
-import { featuresPluginMock } from '@kbn/features-plugin/server/mocks';
+import { type FeaturesPluginSetup } from '@kbn/features-plugin/server';
+import {
+  featurePrivilegeIterator,
+  subFeaturePrivilegeIterator,
+} from '@kbn/features-plugin/server/feature_privilege_iterator';
 import type { LicenseType } from '@kbn/licensing-plugin/server';
+import type { SecurityLicenseFeatures } from '@kbn/security-plugin-types-common';
+import { Actions, privilegesFactory } from '@kbn/security-authorization-core';
+import { KibanaPrivileges } from '../kibana_privileges';
 
-import type { SecurityLicenseFeatures } from '../../../../common';
-import { Actions } from '../../../../server/authorization';
-import { privilegesFactory } from '../../../../server/authorization/privileges';
-import { KibanaPrivileges } from '../model';
+const featuresPluginService = (): jest.Mocked<FeaturesPluginSetup> => {
+  return {
+    getKibanaFeatures: jest.fn(),
+    getElasticsearchFeatures: jest.fn(),
+    registerKibanaFeature: jest.fn(),
+    registerElasticsearchFeature: jest.fn(),
+    enableReportingUiCapabilities: jest.fn(),
+    featurePrivilegeIterator: jest.fn().mockImplementation(featurePrivilegeIterator),
+    subFeaturePrivilegeIterator: jest.fn().mockImplementation(subFeaturePrivilegeIterator),
+  };
+};
 
 export const createRawKibanaPrivileges = (
   features: KibanaFeature[],
   { allowSubFeaturePrivileges = true } = {}
 ) => {
-  const featuresService = featuresPluginMock.createSetup();
+  const featuresService = featuresPluginService();
   featuresService.getKibanaFeatures.mockReturnValue(features);
 
   const licensingService = {