refractor: remove additional method declaration

Signed-off-by: SuZhou-Joe <[email protected]>
SuZhou-Joe · Sep 13, 2023 · 3fb480b · 3fb480b
1 parent 98b77d0
commit 3fb480b
Show file tree

Hide file tree

Showing 8 changed files with 155 additions and 195 deletions.
diff --git a/src/core/server/saved_objects/permission_control/client.ts b/src/core/server/saved_objects/permission_control/client.ts
@@ -6,9 +6,10 @@ import { i18n } from '@osd/i18n';
 import { OpenSearchDashboardsRequest } from '../../http';
 import { ensureRawRequest } from '../../http/router';
 import { SavedObjectsServiceStart } from '../saved_objects_service';
-import { SavedObjectsBulkGetObject, SavedObjectsRepository, SavedObjectsUtils } from '../service';
+import { SavedObjectsBulkGetObject } from '../service';
 import { ACL, Principals, TransformedPermission, PrincipalType } from './acl';
 import { Logger } from '../../logging';
+import { WORKSPACE_TYPE } from '../../../utils';
 
 export type SavedObjectsPermissionControlContract = Pick<
   SavedObjectsPermissionControl,
@@ -163,11 +164,19 @@ export class SavedObjectsPermissionControl {
     permissionModes: SavedObjectsPermissionModes
   ) {
     const principals = this.getPrincipalsFromRequest(request);
-    const repository = this.getInternalRepository() as SavedObjectsRepository;
-    return await SavedObjectsUtils.getPermittedWorkspaceIds({
-      principals,
-      repository,
-      permissionModes,
-    });
+    const repository = this.getInternalRepository();
+    try {
+      const result = await repository?.find({
+        type: [WORKSPACE_TYPE],
+        ACLSearchParams: {
+          workspacePermissionModes: permissionModes,
+          principals,
+        },
+        perPage: 999,
+      });
+      return result?.saved_objects.map((item) => item.id);
+    } catch (e) {
+      return [];
+    }
   }
 }
diff --git a/src/core/server/saved_objects/service/lib/repository.ts b/src/core/server/saved_objects/service/lib/repository.ts
@@ -31,7 +31,6 @@
 import { omit, intersection } from 'lodash';
 import type { opensearchtypes } from '@opensearch-project/opensearch';
 import uuid from 'uuid';
-import { i18n } from '@osd/i18n';
 import type { ISavedObjectTypeRegistry } from '../../saved_objects_type_registry';
 import { SavedObjectTypeRegistry } from '../../saved_objects_type_registry';
 import { DeleteDocumentResponse, OpenSearchClient } from '../../../opensearch/';
@@ -91,9 +90,7 @@ import {
   FIND_DEFAULT_PER_PAGE,
   SavedObjectsUtils,
 } from './utils';
-import { PUBLIC_WORKSPACE_ID, WorkspacePermissionMode } from '../../../../utils/constants';
-import { ACL, Principals } from '../../permission_control/acl';
-import { WORKSPACE_TYPE } from '../../../../utils';
+import { PUBLIC_WORKSPACE_ID } from '../../../../utils/constants';
 
 // BEWARE: The SavedObjectClient depends on the implementation details of the SavedObjectsRepository
 // so any breaking changes to this repository are considered breaking changes to the SavedObjectsClient.
@@ -902,7 +899,7 @@ export class SavedObjectsRepository {
       filter,
       preference,
       workspaces,
-      queryDSL,
+      ACLSearchParams,
     } = options;
 
     if (!type && !typeToNamespacesMap) {
@@ -977,7 +974,7 @@ export class SavedObjectsRepository {
           hasReference,
           kueryNode,
           workspaces,
-          queryDSL,
+          ACLSearchParams,
         }),
       },
     };
@@ -1934,111 +1931,6 @@ export class SavedObjectsRepository {
     };
   }
 
-  async getPermissionQuery(props: {
-    permissionTypes: string[];
-    principals: Principals;
-    savedObjectType?: string[];
-  }) {
-    return ACL.generateGetPermittedSavedObjectsQueryDSL(
-      props.permissionTypes,
-      props.principals,
-      props.savedObjectType
-    );
-  }
-
-  async processFindOptions(props: {
-    options: SavedObjectsFindOptions & { permissionModes?: string[] };
-    principals: Principals;
-  }): Promise<SavedObjectsFindOptions> {
-    const { principals } = props;
-    const options = { ...props.options };
-    if (this.isRelatedToWorkspace(options.type)) {
-      options.queryDSL = await this.getPermissionQuery({
-        permissionTypes: options.permissionModes ?? [
-          WorkspacePermissionMode.LibraryRead,
-          WorkspacePermissionMode.LibraryWrite,
-          WorkspacePermissionMode.Management,
-        ],
-        principals,
-        savedObjectType: [WORKSPACE_TYPE],
-      });
-    } else {
-      const permittedWorkspaceIds = await SavedObjectsUtils.getPermittedWorkspaceIds({
-        permissionModes: [
-          WorkspacePermissionMode.LibraryRead,
-          WorkspacePermissionMode.LibraryWrite,
-          WorkspacePermissionMode.Management,
-        ],
-        principals,
-        repository: this,
-      });
-
-      if (options.workspaces) {
-        const permittedWorkspaces = options.workspaces.filter((item) =>
-          (permittedWorkspaceIds || []).includes(item)
-        );
-        if (!permittedWorkspaces.length) {
-          /**
-           * If user does not have any one workspace access
-           * deny the request
-           */
-          throw SavedObjectsErrorHelpers.decorateNotAuthorizedError(
-            new Error(
-              i18n.translate('workspace.permission.invalidate', {
-                defaultMessage: 'Invalid workspace permission',
-              })
-            )
-          );
-        }
-
-        /**
-         * Overwrite the options.workspaces when user has access on partial workspaces.
-         */
-        options.workspaces = permittedWorkspaces;
-      } else {
-        const queryDSL = await this.getPermissionQuery({
-          permissionTypes: [WorkspacePermissionMode.Read, WorkspacePermissionMode.Write],
-          principals,
-          savedObjectType: Array.isArray(options.type) ? options.type : [options.type],
-        });
-        options.workspaces = undefined;
-        /**
-         * Select all the docs that
-         * 1. ACL matches read or write permission OR
-         * 2. workspaces matches library_read or library_write or management OR
-         * 3. Advanced settings
-         */
-        options.queryDSL = {
-          query: {
-            bool: {
-              filter: [
-                {
-                  bool: {
-                    should: [
-                      {
-                        term: {
-                          type: 'config',
-                        },
-                      },
-                      queryDSL.query,
-                      {
-                        terms: {
-                          workspaces: permittedWorkspaceIds,
-                        },
-                      },
-                    ],
-                  },
-                },
-              ],
-            },
-          },
-        };
-      }
-    }
-
-    return options;
-  }
-
   /**
    * Returns index specified by the given type or the default index
    *
@@ -2167,16 +2059,6 @@ export class SavedObjectsRepository {
     }
     return body;
   }
-
-  /**
-   * check if the type include workspace
-   * Workspace permission check is totally different from object permission check.
-   * @param type
-   * @returns
-   */
-  private isRelatedToWorkspace(type: string | string[]): boolean {
-    return type === WORKSPACE_TYPE || (Array.isArray(type) && type.includes(WORKSPACE_TYPE));
-  }
 }
 
 function getBulkOperationError(error: { type: string; reason?: string }, type: string, id: string) {

diff --git a/src/core/server/saved_objects/service/lib/search_dsl/query_params.ts b/src/core/server/saved_objects/service/lib/search_dsl/query_params.ts
@@ -27,13 +27,14 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-import { mergeWith, isArray } from 'lodash';
 // @ts-expect-error no ts
 import { opensearchKuery } from '../../../opensearch_query';
 type KueryNode = any;
 
 import { ISavedObjectTypeRegistry } from '../../../saved_objects_type_registry';
 import { ALL_NAMESPACES_STRING, DEFAULT_NAMESPACE_STRING } from '../utils';
+import { SavedObjectsFindOptions } from '../../../types';
+import { ACL } from '../../../permission_control/acl';
 
 /**
  * Gets the types based on the type. Uses mappings to support
@@ -166,7 +167,7 @@ interface QueryParams {
   hasReference?: HasReferenceQueryParams;
   kueryNode?: KueryNode;
   workspaces?: string[];
-  queryDSL?: Record<string, any>;
+  ACLSearchParams?: SavedObjectsFindOptions['ACLSearchParams'];
 }
 
 export function getClauseForReference(reference: HasReferenceQueryParams) {
@@ -224,7 +225,7 @@ export function getQueryParams({
   hasReference,
   kueryNode,
   workspaces,
-  queryDSL,
+  ACLSearchParams,
 }: QueryParams) {
   const types = getTypes(
     registry,
@@ -283,12 +284,51 @@ export function getQueryParams({
 
   const result = { query: { bool } };
 
-  if (queryDSL) {
-    return mergeWith({}, result, queryDSL, (objValue, srcValue) => {
-      if (isArray(objValue)) {
-        return objValue.concat(srcValue);
-      }
-    });
+  if (ACLSearchParams) {
+    const shouldClause: any = [];
+    if (ACLSearchParams.workspacePermissionModes && ACLSearchParams.principals) {
+      const workspacePermissionDSL = ACL.generateGetPermittedSavedObjectsQueryDSL(
+        ACLSearchParams.workspacePermissionModes,
+        ACLSearchParams.principals
+      );
+      shouldClause.push(workspacePermissionDSL.query);
+    }
+
+    if (ACLSearchParams.workspaces) {
+      shouldClause.push({
+        terms: {
+          workspaces: ACLSearchParams.workspaces,
+        },
+      });
+    }
+
+    if (ACLSearchParams.objectPermissionModes && ACLSearchParams.principals) {
+      const objectPermissionDSL = ACL.generateGetPermittedSavedObjectsQueryDSL(
+        ACLSearchParams.objectPermissionModes,
+        ACLSearchParams.principals
+      );
+      shouldClause.push(objectPermissionDSL.query);
+    }
+
+    if (shouldClause.length) {
+      bool.filter.push({
+        bool: {
+          should: [
+            /**
+             * TODO remove this clause once advanced settings has attached with permission
+             */
+            {
+              term: {
+                type: 'config',
+              },
+            },
+            ...shouldClause,
+          ],
+        },
+      });
+    }
+
+    return result;
   }
   return result;
 }

diff --git a/src/core/server/saved_objects/service/lib/search_dsl/search_dsl.ts b/src/core/server/saved_objects/service/lib/search_dsl/search_dsl.ts
@@ -34,6 +34,7 @@ import { IndexMapping } from '../../../mappings';
 import { getQueryParams } from './query_params';
 import { getSortingParams } from './sorting_params';
 import { ISavedObjectTypeRegistry } from '../../../saved_objects_type_registry';
+import { SavedObjectsFindOptions } from '../../../types';
 
 type KueryNode = any;
 
@@ -53,7 +54,7 @@ interface GetSearchDslOptions {
   };
   kueryNode?: KueryNode;
   workspaces?: string[];
-  queryDSL?: Record<string, any>;
+  ACLSearchParams?: SavedObjectsFindOptions['ACLSearchParams'];
 }
 
 export function getSearchDsl(
@@ -74,7 +75,7 @@ export function getSearchDsl(
     hasReference,
     kueryNode,
     workspaces,
-    queryDSL,
+    ACLSearchParams,
   } = options;
 
   if (!type) {
@@ -98,7 +99,7 @@ export function getSearchDsl(
       hasReference,
       kueryNode,
       workspaces,
-      queryDSL,
+      ACLSearchParams,
     }),
     ...getSortingParams(mappings, type, sortField, sortOrder),
   };

diff --git a/src/core/server/saved_objects/service/lib/utils.ts b/src/core/server/saved_objects/service/lib/utils.ts
@@ -29,10 +29,7 @@
  */
 
 import { SavedObjectsFindOptions } from '../../types';
-import { SavedObjectsFindResponse, SavedObjectsRepository } from '..';
-import { Principals } from '../../permission_control/acl';
-import { SavedObjectsPermissionModes } from '../../permission_control/client';
-import { WORKSPACE_TYPE } from '../../../../utils';
+import { SavedObjectsFindResponse } from '..';
 
 export const DEFAULT_NAMESPACE_STRING = 'default';
 export const ALL_NAMESPACES_STRING = '*';
@@ -90,27 +87,4 @@ export class SavedObjectsUtils {
   ): string[] {
     return targetWorkspaces?.filter((item) => !baseWorkspaces?.includes(item)) || [];
   }
-
-  public static async getPermittedWorkspaceIds(props: {
-    principals: Principals;
-    repository: SavedObjectsRepository;
-    permissionModes: SavedObjectsPermissionModes;
-  }) {
-    const { principals, repository, permissionModes } = props;
-    const queryDSL = await repository.getPermissionQuery({
-      permissionTypes: permissionModes,
-      principals,
-      savedObjectType: [WORKSPACE_TYPE],
-    });
-    try {
-      const result = await repository?.find({
-        type: [WORKSPACE_TYPE],
-        queryDSL,
-        perPage: 999,
-      });
-      return result?.saved_objects.map((item) => item.id);
-    } catch (e) {
-      return [];
-    }
-  }
 }