-
Notifications
You must be signed in to change notification settings - Fork 8.3k
/
index.ts
95 lines (88 loc) · 3.21 KB
/
index.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
import {
StartServicesAccessor,
SavedObject,
SavedObjectsBaseOptions,
SavedObjectsServiceSetup,
ISavedObjectsRepository,
ISavedObjectTypeRegistry,
} from 'src/core/server';
import { SecurityPluginSetup } from '../../../security/server';
import { EncryptedSavedObjectsService } from '../crypto';
import { EncryptedSavedObjectsClientWrapper } from './encrypted_saved_objects_client_wrapper';
interface SetupSavedObjectsParams {
service: PublicMethodsOf<EncryptedSavedObjectsService>;
savedObjects: SavedObjectsServiceSetup;
security?: SecurityPluginSetup;
getStartServices: StartServicesAccessor;
}
export type ClientInstanciator = (
options?: EncryptedSavedObjectsClientOptions
) => EncryptedSavedObjectsClient;
export interface EncryptedSavedObjectsClientOptions {
includedHiddenTypes?: string[];
}
export interface EncryptedSavedObjectsClient {
getDecryptedAsInternalUser: <T = unknown>(
type: string,
id: string,
options?: SavedObjectsBaseOptions
) => Promise<SavedObject<T>>;
}
export function setupSavedObjects({
service,
savedObjects,
security,
getStartServices,
}: SetupSavedObjectsParams): ClientInstanciator {
// Register custom saved object client that will encrypt, decrypt and strip saved object
// attributes where appropriate for any saved object repository request. We choose max possible
// priority for this wrapper to allow all other wrappers to set proper `namespace` for the Saved
// Object (e.g. wrapper registered by the Spaces plugin) before we encrypt attributes since
// `namespace` is included into AAD.
savedObjects.addClientWrapper(
Number.MAX_SAFE_INTEGER,
'encryptedSavedObjects',
({ client: baseClient, typeRegistry: baseTypeRegistry, request }) =>
new EncryptedSavedObjectsClientWrapper({
baseClient,
baseTypeRegistry,
service,
getCurrentUser: () => security?.authc.getCurrentUser(request) ?? undefined,
})
);
return (clientOpts) => {
const internalRepositoryAndTypeRegistryPromise = getStartServices().then(
([core]) =>
[
core.savedObjects.createInternalRepository(clientOpts?.includedHiddenTypes),
core.savedObjects.getTypeRegistry(),
] as [ISavedObjectsRepository, ISavedObjectTypeRegistry]
);
return {
getDecryptedAsInternalUser: async <T = unknown>(
type: string,
id: string,
options?: SavedObjectsBaseOptions
): Promise<SavedObject<T>> => {
const [internalRepository, typeRegistry] = await internalRepositoryAndTypeRegistryPromise;
const savedObject = await internalRepository.get(type, id, options);
return {
...savedObject,
attributes: (await service.decryptAttributes(
{
type,
id,
namespace: typeRegistry.isSingleNamespace(type) ? options?.namespace : undefined,
},
savedObject.attributes as Record<string, unknown>
)) as T,
};
},
};
};
}