elastic · SiddharthMantri · Nov 5, 2024 · Oct 30, 2024 · Oct 30, 2024 · Oct 30, 2024
diff --git a/.../core/saved-objects/core-saved-objects-api-server-internal/src/lib/apis/helpers/common.ts b/.../core/saved-objects/core-saved-objects-api-server-internal/src/lib/apis/helpers/common.ts
@@ -105,10 +105,14 @@ export class CommonHelper {
     if (!id) {
       return SavedObjectsUtils.generateId();
     }
-    // only allow a specified ID if we're overwriting an existing ESO with a Version
-    // this helps us ensure that the document really was previously created using ESO
-    // and not being used to get around the specified ID limitation
-    const canSpecifyID = (overwrite && version) || SavedObjectsUtils.isRandomId(id);
+
+    const shouldEnforceRandomId = this.encryptionExtension?.shouldEnforceRandomId(type);
+
+    // Allow specified ID if:
+    // 1. we're overwriting an existing ESO with a Version (this helps us ensure that the document really was previously created using ESO)
+    // 2. enforceRandomId is explicitly set to false
+    const canSpecifyID =
+      !shouldEnforceRandomId || (overwrite && version) || SavedObjectsUtils.isRandomId(id);
     if (!canSpecifyID) {
       throw SavedObjectsErrorHelpers.createBadRequestError(
         'Predefined IDs are not allowed for saved objects with encrypted attributes unless the ID is a UUID.'

diff --git a/...ts/core-saved-objects-api-server-internal/src/lib/repository.encryption_extension.test.ts b/...ts/core-saved-objects-api-server-internal/src/lib/repository.encryption_extension.test.ts
@@ -261,6 +261,7 @@ describe('SavedObjectsRepository Encryption Extension', () => {
 
     it(`fails if non-UUID ID is specified for encrypted type`, async () => {
       mockEncryptionExt.isEncryptableType.mockReturnValue(true);
+      mockEncryptionExt.shouldEnforceRandomId.mockReturnValue(true);
       mockEncryptionExt.decryptOrStripResponseAttributes.mockResolvedValue({
         ...encryptedSO,
         ...decryptedStrippedAttributes,
@@ -483,6 +484,7 @@ describe('SavedObjectsRepository Encryption Extension', () => {
 
     it(`fails if non-UUID ID is specified for encrypted type`, async () => {
       mockEncryptionExt.isEncryptableType.mockReturnValue(true);
+      mockEncryptionExt.shouldEnforceRandomId.mockReturnValue(true);
       const result = await bulkCreateSuccess(client, repository, [
         encryptedSO, // Predefined IDs are not allowed for saved objects with encrypted attributes unless the ID is a UUID
       ]);

diff --git a/...objects/core-saved-objects-api-server-internal/src/mocks/saved_objects_extensions.mock.ts b/...objects/core-saved-objects-api-server-internal/src/mocks/saved_objects_extensions.mock.ts
@@ -17,6 +17,7 @@ const createEncryptionExtension = (): jest.Mocked<ISavedObjectsEncryptionExtensi
   isEncryptableType: jest.fn(),
   decryptOrStripResponseAttributes: jest.fn(),
   encryptAttributes: jest.fn(),
+  shouldEnforceRandomId: jest.fn(),
 });
 
 const createSecurityExtension = (): jest.Mocked<ISavedObjectsSecurityExtension> => ({

@@ -18,6 +18,7 @@ const createEncryptionExtension = (): jest.Mocked<ISavedObjectsEncryptionExtensi
   isEncryptableType: jest.fn(),
   decryptOrStripResponseAttributes: jest.fn(),
   encryptAttributes: jest.fn(),
+  shouldEnforceRandomId: jest.fn(),
 });
 
 const createSecurityExtension = (): jest.Mocked<ISavedObjectsSecurityExtension> => ({

diff --git a/packages/core/saved-objects/core-saved-objects-server/src/extensions/encryption.ts b/packages/core/saved-objects/core-saved-objects-server/src/extensions/encryption.ts
@@ -39,6 +39,14 @@ export interface ISavedObjectsEncryptionExtension {
    */
   isEncryptableType: (type: string) => boolean;
 
+  /**
+   * Returns false if ESO explicilty opts out of highly random UID
+   *
+   * @param type the string name of the object type
+   * @returns boolean, true by default unless explicitly set to false
+   */
+  shouldEnforceRandomId: (type: string) => boolean;
+
   /**
    * Given a saved object, will return a decrypted saved object or will strip
    * attributes from the returned object if decryption fails.

diff --git a/...k/plugins/encrypted_saved_objects/server/crypto/encrypted_saved_object_type_definition.ts b/...k/plugins/encrypted_saved_objects/server/crypto/encrypted_saved_object_type_definition.ts
@@ -16,6 +16,7 @@ export class EncryptedSavedObjectAttributesDefinition {
   public readonly attributesToEncrypt: ReadonlySet<string>;
   private readonly attributesToIncludeInAAD: ReadonlySet<string> | undefined;
   private readonly attributesToStrip: ReadonlySet<string>;
+  public readonly enforceRandomId: boolean;
 
   constructor(typeRegistration: EncryptedSavedObjectTypeRegistration) {
     if (typeRegistration.attributesToIncludeInAAD) {
@@ -49,6 +50,8 @@ export class EncryptedSavedObjectAttributesDefinition {
       }
     }
 
+    this.enforceRandomId = typeRegistration.enforceRandomId !== false;
+
     this.attributesToEncrypt = attributesToEncrypt;
     this.attributesToStrip = attributesToStrip;
     this.attributesToIncludeInAAD = typeRegistration.attributesToIncludeInAAD;

diff --git a/x-pack/plugins/encrypted_saved_objects/server/crypto/encrypted_saved_objects_service.ts b/x-pack/plugins/encrypted_saved_objects/server/crypto/encrypted_saved_objects_service.ts
@@ -33,6 +33,7 @@ export interface EncryptedSavedObjectTypeRegistration {
   readonly type: string;
   readonly attributesToEncrypt: ReadonlySet<string | AttributeToEncrypt>;
   readonly attributesToIncludeInAAD?: ReadonlySet<string>;
+  readonly enforceRandomId?: boolean;
 }
 
 /**
@@ -152,6 +153,16 @@ export class EncryptedSavedObjectsService {
     return this.typeDefinitions.has(type);
   }
 
+  /**
+   * Check whether the ESO has explicitly opted out of enforcing random IDs for the specified type.
+   * @param type Saved object type.
+   * @returns boolean - true unless explicitly opted out by setting enforceRandomId to false
+   */
+  public shouldEnforceRandomId(type: string) {
+    const typeDefinition = this.typeDefinitions.get(type);
+    return typeDefinition?.enforceRandomId !== false;
+  }
+
   /**
    * Takes saved object attributes for the specified type and, depending on the type definition,
    * either decrypts or strips encrypted attributes (e.g. in case AAD or encryption key has changed

diff --git a/...lugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts b/...lugins/encrypted_saved_objects/server/saved_objects/saved_objects_encryption_extension.ts
@@ -40,6 +40,10 @@ export class SavedObjectsEncryptionExtension implements ISavedObjectsEncryptionE
     return this._service.isRegistered(type);
   }
 
+  shouldEnforceRandomId(type: string) {
-  shouldEnforceRandomId(type: string) {
+  typeEnforcesRandomId(type: string) {
-  shouldEnforceRandomId(type: string) {
+  typeEnforcesRandomId(type: string) {
+    return this._service.shouldEnforceRandomId(type);
+  }
+
   async decryptOrStripResponseAttributes<T, R extends SavedObject<T>>(
     response: R,
     originalAttributes?: T

@@ -32,6 +32,8 @@ const SAVED_OBJECT_WITH_MIGRATION_TYPE = 'saved-object-with-migration';
 
 const SAVED_OBJECT_MV_TYPE = 'saved-object-mv';
 
+const TYPE_WITH_PREDICTABLE_ID = 'type-with-predictable-ids';
+
 interface MigratedTypePre790 {
   nonEncryptedAttribute: string;
   encryptedAttribute: string;
@@ -83,6 +85,30 @@ export const plugin: PluginInitializer<void, void, PluginsSetup, PluginsStart> =
       });
     }
 
+    core.savedObjects.registerType({
+      name: TYPE_WITH_PREDICTABLE_ID,
+      hidden: false,
+      namespaceType: 'single',
+      mappings: deepFreeze({
+        properties: {
+          publicProperty: { type: 'keyword' },
+          publicPropertyExcludedFromAAD: { type: 'keyword' },
+          publicPropertyStoredEncrypted: { type: 'binary' },
+          privateProperty: { type: 'binary' },
+        },
+      }),
+    });
+
+    deps.encryptedSavedObjects.registerType({
+      type: TYPE_WITH_PREDICTABLE_ID,
+      attributesToEncrypt: new Set([
+        'privateProperty',
+        { key: 'publicPropertyStoredEncrypted', dangerouslyExposeValue: true },
+      ]),
+      attributesToIncludeInAAD: new Set(['publicProperty']),
+      enforceRandomId: false,
+    });
+
     core.savedObjects.registerType({
       name: SAVED_OBJECT_WITHOUT_SECRET_TYPE,
       hidden: false,

@@ -26,6 +26,8 @@ export default function ({ getService }: FtrProviderContext) {
     'saved-object-with-secret-and-multiple-spaces';
   const SAVED_OBJECT_WITHOUT_SECRET_TYPE = 'saved-object-without-secret';
 
+  const TYPE_WITH_PREDICTABLE_ID = 'type-with-predictable-ids';
+
   function runTests(
     encryptedSavedObjectType: string,
     getURLAPIBaseURL: () => string,
@@ -900,5 +902,79 @@ export default function ({ getService }: FtrProviderContext) {
         }
       });
     });
+
+    describe('enforceRandomId', () => {
+      it('#create ESO which has opted out of random IDs allows setting ID', async () => {
+        const id = 'my_predictable_id';
+
+        const savedObjectOriginalAttributes = {
+          publicProperty: randomness.string(),
+          publicPropertyStoredEncrypted: randomness.string(),
+          privateProperty: randomness.string(),
+          publicPropertyExcludedFromAAD: randomness.string(),
+        };
+
+        const { body: response } = await supertest
+          .post(`/api/saved_objects/${TYPE_WITH_PREDICTABLE_ID}/${id}`)
+          .set('kbn-xsrf', 'xxx')
+          .send({ attributes: savedObjectOriginalAttributes })
+          .expect(200);
+
+        expect(response.id).to.be(id);
+      });
+
+      it('#create setting a predictable id on ESOs that have not opted out throws an error', async () => {
+        const id = 'my_predictable_id';
+
+        const savedObjectOriginalAttributes = {
+          publicProperty: randomness.string(),
+          publicPropertyStoredEncrypted: randomness.string(),
+          privateProperty: randomness.string(),
+          publicPropertyExcludedFromAAD: randomness.string(),
+        };
+
+        const { body: response } = await supertest
+          .post(`/api/saved_objects/saved-object-with-secret/${id}`)
+          .set('kbn-xsrf', 'xxx')
+          .send({ attributes: savedObjectOriginalAttributes })
+          .expect(400);
+
+        expect(response.message).to.contain(
+          'Predefined IDs are not allowed for saved objects with encrypted attributes unless the ID is a UUID.'
+        );
+      });
+
+      it('#bulkCreate not enforcing random ID allows to specify ID', async () => {
+        const bulkCreateParams = [
+          {
+            type: TYPE_WITH_PREDICTABLE_ID,
+            id: 'my_predictable_id',
+            attributes: {
+              publicProperty: randomness.string(),
+              publicPropertyExcludedFromAAD: randomness.string(),
+              publicPropertyStoredEncrypted: randomness.string(),
+              privateProperty: randomness.string(),
+            },
+          },
+          {
+            type: SAVED_OBJECT_WITHOUT_SECRET_TYPE,
+            attributes: {
+              publicProperty: randomness.string(),
+            },
+          },
+        ];
+
+        const {
+          body: { saved_objects: savedObjects },
+        } = await supertest
+          .post('/api/saved_objects/_bulk_create')
+          .set('kbn-xsrf', 'xxx')
+          .send(bulkCreateParams)
+          .expect(200);
+
+        expect(savedObjects).to.have.length(bulkCreateParams.length);
+        expect(savedObjects[0].id).to.be('my_predictable_id');
+      });
+    });
   });
 }