Use savedObjects provided by the platform instead of legacy shim. (#…

…53679)

x-pack/legacy/plugins/security/index.js

@@ -130,7 +130,6 @@ export const security = kibana =>
       const config = server.config();
       const xpackInfo = server.plugins.xpack_main.info;
       securityPlugin.__legacyCompat.registerLegacyAPI({
-        savedObjects: server.savedObjects,
         auditLogger: new AuditLogger(server, 'security', config, xpackInfo),
         isSystemAPIRequest: server.plugins.kibana.systemApi.isSystemApiRequest.bind(
           server.plugins.kibana.systemApi

x-pack/plugins/security/server/audit/audit_logger.test.ts

@@ -14,7 +14,7 @@ const createMockAuditLogger = () => {
 describe(`#savedObjectsAuthorizationFailure`, () => {
   test('logs via auditLogger', () => {
     const auditLogger = createMockAuditLogger();
-    const securityAuditLogger = new SecurityAuditLogger(auditLogger);
+    const securityAuditLogger = new SecurityAuditLogger(() => auditLogger);
     const username = 'foo-user';
     const action = 'foo-action';
     const types = ['foo-type-1', 'foo-type-2'];
@@ -43,7 +43,7 @@ describe(`#savedObjectsAuthorizationFailure`, () => {
 describe(`#savedObjectsAuthorizationSuccess`, () => {
   test('logs via auditLogger when xpack.security.audit.enabled is true', () => {
     const auditLogger = createMockAuditLogger();
-    const securityAuditLogger = new SecurityAuditLogger(auditLogger);
+    const securityAuditLogger = new SecurityAuditLogger(() => auditLogger);
     const username = 'foo-user';
     const action = 'foo-action';
     const types = ['foo-type-1', 'foo-type-2'];

x-pack/plugins/security/server/audit/audit_logger.ts

@@ -7,7 +7,7 @@
 import { LegacyAPI } from '../plugin';
 
 export class SecurityAuditLogger {
-  constructor(private readonly auditLogger: LegacyAPI['auditLogger']) {}
+  constructor(private readonly getAuditLogger: () => LegacyAPI['auditLogger']) {}
 
   savedObjectsAuthorizationFailure(
     username: string,
@@ -16,7 +16,7 @@ export class SecurityAuditLogger {
     missing: string[],
     args?: Record<string, unknown>
   ) {
-    this.auditLogger.log(
+    this.getAuditLogger().log(
       'saved_objects_authorization_failure',
       `${username} unauthorized to ${action} ${types.join(',')}, missing ${missing.join(',')}`,
       {
@@ -35,7 +35,7 @@ export class SecurityAuditLogger {
     types: string[],
     args?: Record<string, unknown>
   ) {
-    this.auditLogger.log(
+    this.getAuditLogger().log(
       'saved_objects_authorization_success',
       `${username} authorized to ${action} ${types.join(',')}`,
       {

x-pack/plugins/security/server/plugin.ts

@@ -13,8 +13,6 @@ import {
   Logger,
   PluginInitializerContext,
   RecursiveReadonly,
-  SavedObjectsLegacyService,
-  LegacyRequest,
 } from '../../../../src/core/server';
 import { deepFreeze } from '../../../../src/core/utils';
 import { SpacesPluginSetup } from '../../spaces/server';
@@ -43,7 +41,6 @@ export type FeaturesService = Pick<FeaturesSetupContract, 'getFeatures'>;
  */
 export interface LegacyAPI {
   isSystemAPIRequest: (request: KibanaRequest) => boolean;
-  savedObjects: SavedObjectsLegacyService<KibanaRequest | LegacyRequest>;
   auditLogger: {
     log: (eventType: string, message: string, data?: Record<string, unknown>) => void;
   };
@@ -153,6 +150,12 @@ export class Plugin {
       featuresService: features,
     });
 
+    setupSavedObjects({
+      auditLogger: new SecurityAuditLogger(() => this.getLegacyAPI().auditLogger),
+      authz,
+      savedObjects: core.savedObjects,
+    });
+
     core.capabilities.registerSwitcher(authz.disableUnauthorizedCapabilities);
 
     defineRoutes({
@@ -166,7 +169,6 @@ export class Plugin {
       csp: core.http.csp,
     });
 
-    const adminClient = await core.elasticsearch.adminClient$.pipe(first()).toPromise();
     return deepFreeze({
       authc,
 
@@ -185,16 +187,7 @@ export class Plugin {
       },
 
       __legacyCompat: {
-        registerLegacyAPI: (legacyAPI: LegacyAPI) => {
-          this.legacyAPI = legacyAPI;
-
-          setupSavedObjects({
-            auditLogger: new SecurityAuditLogger(legacyAPI.auditLogger),
-            adminClusterClient: adminClient,
-            authz,
-            legacyAPI,
-          });
-        },
+        registerLegacyAPI: (legacyAPI: LegacyAPI) => (this.legacyAPI = legacyAPI),
 
         registerPrivilegesWithCluster: async () => await authz.registerPrivilegesWithCluster(),
 

x-pack/plugins/security/server/saved_objects/index.ts

@@ -4,60 +4,47 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { IClusterClient, KibanaRequest, LegacyRequest } from '../../../../../src/core/server';
+import {
+  CoreSetup,
+  KibanaRequest,
+  LegacyRequest,
+  SavedObjectsClient,
+} from '../../../../../src/core/server';
 import { SecureSavedObjectsClientWrapper } from './secure_saved_objects_client_wrapper';
-import { LegacyAPI } from '../plugin';
 import { Authorization } from '../authorization';
 import { SecurityAuditLogger } from '../audit';
 
 interface SetupSavedObjectsParams {
-  adminClusterClient: IClusterClient;
   auditLogger: SecurityAuditLogger;
   authz: Pick<Authorization, 'mode' | 'actions' | 'checkSavedObjectsPrivilegesWithRequest'>;
-  legacyAPI: Pick<LegacyAPI, 'savedObjects'>;
+  savedObjects: CoreSetup['savedObjects'];
 }
 
-export function setupSavedObjects({
-  adminClusterClient,
-  auditLogger,
-  authz,
-  legacyAPI: { savedObjects },
-}: SetupSavedObjectsParams) {
+export function setupSavedObjects({ auditLogger, authz, savedObjects }: SetupSavedObjectsParams) {
   const getKibanaRequest = (request: KibanaRequest | LegacyRequest) =>
     request instanceof KibanaRequest ? request : KibanaRequest.from(request);
-  savedObjects.setScopedSavedObjectsClientFactory(({ request }) => {
-    const kibanaRequest = getKibanaRequest(request);
-    if (authz.mode.useRbacForRequest(kibanaRequest)) {
-      const internalRepository = savedObjects.getSavedObjectsRepository(
-        adminClusterClient.callAsInternalUser
-      );
-      return new savedObjects.SavedObjectsClient(internalRepository);
-    }
 
-    const callAsCurrentUserRepository = savedObjects.getSavedObjectsRepository(
-      adminClusterClient.asScoped(kibanaRequest).callAsCurrentUser
+  savedObjects.setClientFactory(({ request }) => {
+    const kibanaRequest = getKibanaRequest(request);
+    return new SavedObjectsClient(
+      authz.mode.useRbacForRequest(kibanaRequest)
+        ? savedObjects.createInternalRepository()
+        : savedObjects.createScopedRepository(kibanaRequest)
     );
-    return new savedObjects.SavedObjectsClient(callAsCurrentUserRepository);
   });
 
-  savedObjects.addScopedSavedObjectsClientWrapperFactory(
-    Number.MAX_SAFE_INTEGER - 1,
-    'security',
-    ({ client, request }) => {
-      const kibanaRequest = getKibanaRequest(request);
-      if (authz.mode.useRbacForRequest(kibanaRequest)) {
-        return new SecureSavedObjectsClientWrapper({
+  savedObjects.addClientWrapper(Number.MAX_SAFE_INTEGER - 1, 'security', ({ client, request }) => {
+    const kibanaRequest = getKibanaRequest(request);
+    return authz.mode.useRbacForRequest(kibanaRequest)
+      ? new SecureSavedObjectsClientWrapper({
           actions: authz.actions,
           auditLogger,
           baseClient: client,
           checkSavedObjectsPrivilegesAsCurrentUser: authz.checkSavedObjectsPrivilegesWithRequest(
             kibanaRequest
           ),
-          errors: savedObjects.SavedObjectsClient.errors,
-        });
-      }
-
-      return client;
-    }
-  );
+          errors: SavedObjectsClient.errors,
+        })
+      : client;
+  });
 }