[Fleet] Filter globalsearch deeplink based on authz (elastic#181492)

andrew-goldstein · Apr 23, 2024 · 3142f1a · 3142f1a
1 parent 37c5759
commit 3142f1a
Show file tree

Hide file tree

Showing 2 changed files with 97 additions and 78 deletions.
diff --git a/x-pack/plugins/fleet/public/deep_links.ts b/x-pack/plugins/fleet/public/deep_links.ts
@@ -9,6 +9,7 @@ import { i18n } from '@kbn/i18n';
 import type { AppDeepLink } from '@kbn/core/public';
 
 import type { ExperimentalFeatures } from '../common/experimental_features';
+import type { FleetAuthz } from '../common';
 
 import { FLEET_ROUTING_PATHS } from './constants/page_paths';
 
@@ -21,51 +22,59 @@ export enum FleetDeepLinkId {
   settings = 'settings',
 }
 
-export const getFleetDeepLinks: (experimentalFeatures: ExperimentalFeatures) => AppDeepLink[] = (
-  experimentalFeatures
-) => [
-  {
-    id: FleetDeepLinkId.agents,
-    title: i18n.translate('xpack.fleet.deepLinks.agents.title', { defaultMessage: 'Agents' }),
-    path: FLEET_ROUTING_PATHS.agents,
-  },
-  {
-    id: FleetDeepLinkId.policies,
-    title: i18n.translate('xpack.fleet.deepLinks.policies.title', {
-      defaultMessage: 'Agent policies',
-    }),
-    path: FLEET_ROUTING_PATHS.policies,
-  },
-  {
-    id: FleetDeepLinkId.enrollmentTokens,
-    title: i18n.translate('xpack.fleet.deepLinks.enrollmentTokens.title', {
-      defaultMessage: 'Enrollment tokens',
-    }),
-    path: FLEET_ROUTING_PATHS.enrollment_tokens,
-  },
-  ...(experimentalFeatures.agentTamperProtectionEnabled
-    ? [
-        {
-          id: FleetDeepLinkId.uninstallTokens,
-          title: i18n.translate('xpack.fleet.deepLinks.uninstallTokens.title', {
-            defaultMessage: 'Uninstall tokens',
-          }),
-          path: FLEET_ROUTING_PATHS.uninstall_tokens,
-        },
-      ]
-    : []),
-  {
-    id: FleetDeepLinkId.dataStreams,
-    title: i18n.translate('xpack.fleet.deepLinks.dataStreams.title', {
-      defaultMessage: 'Data streams',
-    }),
-    path: FLEET_ROUTING_PATHS.data_streams,
-  },
-  {
-    id: FleetDeepLinkId.settings,
-    title: i18n.translate('xpack.fleet.deepLinks.settings.title', {
-      defaultMessage: 'Settings',
-    }),
-    path: FLEET_ROUTING_PATHS.settings,
-  },
-];
+export const getFleetDeepLinks: (
+  experimentalFeatures: ExperimentalFeatures,
+  authz?: FleetAuthz
+) => AppDeepLink[] = (experimentalFeatures, authz) => {
+  return [
+    {
+      id: FleetDeepLinkId.agents,
+      title: i18n.translate('xpack.fleet.deepLinks.agents.title', { defaultMessage: 'Agents' }),
+      path: FLEET_ROUTING_PATHS.agents,
+      visibleIn: !authz?.fleet.readAgents ? [] : ['globalSearch'],
+    },
+    {
+      id: FleetDeepLinkId.policies,
+      title: i18n.translate('xpack.fleet.deepLinks.policies.title', {
+        defaultMessage: 'Agent policies',
+      }),
+      path: FLEET_ROUTING_PATHS.policies,
+      visibleIn: !authz?.fleet.readAgentPolicies ? [] : ['globalSearch'],
+    },
+    {
+      id: FleetDeepLinkId.enrollmentTokens,
+      title: i18n.translate('xpack.fleet.deepLinks.enrollmentTokens.title', {
+        defaultMessage: 'Enrollment tokens',
+      }),
+      path: FLEET_ROUTING_PATHS.enrollment_tokens,
+      visibleIn: !authz?.fleet.allAgents ? [] : ['globalSearch'],
+    },
+    ...((experimentalFeatures.agentTamperProtectionEnabled
+      ? [
+          {
+            id: FleetDeepLinkId.uninstallTokens,
+            title: i18n.translate('xpack.fleet.deepLinks.uninstallTokens.title', {
+              defaultMessage: 'Uninstall tokens',
+            }),
+            path: FLEET_ROUTING_PATHS.uninstall_tokens,
+            visibleIn: !authz?.fleet.allAgents ? [] : ['globalSearch'],
+          },
+        ]
+      : []) as AppDeepLink[]),
+    {
+      id: FleetDeepLinkId.dataStreams,
+      title: i18n.translate('xpack.fleet.deepLinks.dataStreams.title', {
+        defaultMessage: 'Data streams',
+      }),
+      path: FLEET_ROUTING_PATHS.data_streams,
+    },
+    {
+      id: FleetDeepLinkId.settings,
+      title: i18n.translate('xpack.fleet.deepLinks.settings.title', {
+        defaultMessage: 'Settings',
+      }),
+      path: FLEET_ROUTING_PATHS.settings,
+      visibleIn: !authz?.fleet.readSettings ? [] : ['globalSearch'],
+    },
+  ];
+};
diff --git a/x-pack/plugins/fleet/public/plugin.ts b/x-pack/plugins/fleet/public/plugin.ts
@@ -8,6 +8,7 @@
 import React from 'react';
 import type {
   AppMountParameters,
+  AppUpdater,
   CoreSetup,
   CoreStart,
   Plugin,
@@ -84,6 +85,7 @@ import type {
 import { LazyCustomLogsAssetsExtension } from './lazy_custom_logs_assets_extension';
 import { setCustomIntegrations, setCustomIntegrationsStart } from './services/custom_integrations';
 import { getFleetDeepLinks } from './deep_links';
+import { Subject } from 'rxjs';
 
 export type { FleetConfigType } from '../common/types';
 
@@ -149,6 +151,7 @@ export class FleetPlugin implements Plugin<FleetSetup, FleetStart, FleetSetupDep
   private extensions: UIExtensionsStorage = {};
   private experimentalFeatures: ExperimentalFeatures;
   private storage = new Storage(localStorage);
+  private appUpdater$ = new Subject<AppUpdater>();
 
   constructor(private readonly initializerContext: PluginInitializerContext) {
     this.config = this.initializerContext.config.get<FleetConfigType>();
@@ -220,6 +223,7 @@ export class FleetPlugin implements Plugin<FleetSetup, FleetStart, FleetSetupDep
       order: 9020,
       euiIconType: 'logoElastic',
       appRoute: '/app/fleet',
+      updater$: this.appUpdater$,
       deepLinks: getFleetDeepLinks(this.experimentalFeatures),
       mount: async (params: AppMountParameters) => {
         const [coreStartServices, startDepsServices, fleetStart] = await core.getStartServices();
@@ -236,7 +240,6 @@ export class FleetPlugin implements Plugin<FleetSetup, FleetStart, FleetSetupDep
         };
         const { renderApp, teardownFleet } = await import('./applications/fleet');
         const unmount = renderApp(startServices, params, config, kibanaVersion, extensions);
-
         return () => {
           unmount();
           teardownFleet(startServices);
@@ -302,46 +305,53 @@ export class FleetPlugin implements Plugin<FleetSetup, FleetStart, FleetSetupDep
     // Set up license service
     licenseService.start(deps.licensing.license$);
 
+    const { capabilities } = core.application;
+    const authz = {
+      ...calculateAuthz({
+        fleet: {
+          all: capabilities.fleetv2.all as boolean,
+          setup: false,
+          agents: {
+            read: capabilities.fleetv2.agents_read as boolean,
+            all: capabilities.fleetv2.agents_all as boolean,
+          },
+          agentPolicies: {
+            read: capabilities.fleetv2.agent_policies_read as boolean,
+            all: capabilities.fleetv2.agent_policies_all as boolean,
+          },
+          settings: {
+            read: capabilities.fleetv2.settings_read as boolean,
+            all: capabilities.fleetv2.settings_all as boolean,
+          },
+        },
+        integrations: {
+          all: capabilities.fleet.all as boolean,
+          read: capabilities.fleet.read as boolean,
+        },
+        subfeatureEnabled: this.experimentalFeatures.subfeaturePrivileges ?? false,
+      }),
+      packagePrivileges: calculatePackagePrivilegesFromCapabilities(capabilities),
+      endpointExceptionsPrivileges:
+        calculateEndpointExceptionsPrivilegesFromCapabilities(capabilities),
+    };
+
+    // Update Fleet deeplinks with authz
+    this.appUpdater$.next(() => ({
+      deepLinks: getFleetDeepLinks(this.experimentalFeatures, authz),
+    }));
+
     registerExtension({
       package: CUSTOM_LOGS_INTEGRATION_NAME,
       view: 'package-detail-assets',
       Component: LazyCustomLogsAssetsExtension,
     });
-    const { capabilities } = core.application;
 
     // Set the custom integrations language clients
     setCustomIntegrationsStart(deps.customIntegrations);
 
     //  capabilities.fleetv2 returns fleet privileges and capabilities.fleet returns integrations privileges
     return {
-      authz: {
-        ...calculateAuthz({
-          fleet: {
-            all: capabilities.fleetv2.all as boolean,
-            setup: false,
-            agents: {
-              read: capabilities.fleetv2.agents_read as boolean,
-              all: capabilities.fleetv2.agents_all as boolean,
-            },
-            agentPolicies: {
-              read: capabilities.fleetv2.agent_policies_read as boolean,
-              all: capabilities.fleetv2.agent_policies_all as boolean,
-            },
-            settings: {
-              read: capabilities.fleetv2.settings_read as boolean,
-              all: capabilities.fleetv2.settings_all as boolean,
-            },
-          },
-          integrations: {
-            all: capabilities.fleet.all as boolean,
-            read: capabilities.fleet.read as boolean,
-          },
-          subfeatureEnabled: this.experimentalFeatures.subfeaturePrivileges ?? false,
-        }),
-        packagePrivileges: calculatePackagePrivilegesFromCapabilities(capabilities),
-        endpointExceptionsPrivileges:
-          calculateEndpointExceptionsPrivilegesFromCapabilities(capabilities),
-      },
+      authz,
 
       isInitialized: once(async () => {
         const permissionsResponse = await getPermissions();