[Serverless][Security Solution][Endpoint] Restrict endpoint exceptions on serverless via plugin sub-features

.eslintrc.js

@@ -1175,6 +1175,7 @@ module.exports = {
       overrides: [
         {
           files: [
+            'x-pack/packages/security-solution/features/**/*.{js,mjs,ts,tsx}',
             'x-pack/packages/security-solution/navigation/**/*.{js,mjs,ts,tsx}',
             'x-pack/plugins/security_solution/**/*.{js,mjs,ts,tsx}',
             'x-pack/plugins/security_solution_ess/**/*.{js,mjs,ts,tsx}',

.github/CODEOWNERS

@@ -598,6 +598,7 @@ x-pack/plugins/searchprofiler @elastic/platform-deployment-management
 x-pack/test/security_api_integration/packages/helpers @elastic/kibana-security
 x-pack/plugins/security @elastic/kibana-security
 x-pack/plugins/security_solution_ess @elastic/security-solution
+x-pack/packages/security-solution/features @elastic/security-threat-hunting-explore
 x-pack/test/cases_api_integration/common/plugins/security_solution @elastic/response-ops
 x-pack/packages/security-solution/navigation @elastic/security-threat-hunting-explore
 x-pack/plugins/security_solution @elastic/security-solution

package.json

@@ -602,6 +602,7 @@
     "@kbn/searchprofiler-plugin": "link:x-pack/plugins/searchprofiler",
     "@kbn/security-plugin": "link:x-pack/plugins/security",
     "@kbn/security-solution-ess": "link:x-pack/plugins/security_solution_ess",
+    "@kbn/security-solution-features": "link:x-pack/packages/security-solution/features",
     "@kbn/security-solution-fixtures-plugin": "link:x-pack/test/cases_api_integration/common/plugins/security_solution",
     "@kbn/security-solution-navigation": "link:x-pack/packages/security-solution/navigation",
     "@kbn/security-solution-plugin": "link:x-pack/plugins/security_solution",

packages/kbn-optimizer/limits.yml

@@ -120,7 +120,7 @@ pageLoadAssetSize:
   security: 81771
   securitySolution: 66738
   securitySolutionEss: 16573
-  securitySolutionServerless: 40000
+  securitySolutionServerless: 45000
   serverless: 16573
   serverlessObservability: 68747
   serverlessSearch: 71995

packages/kbn-utility-types/index.ts

@@ -151,3 +151,23 @@ export type ArrayElement<A> = A extends ReadonlyArray<infer T> ? T : never;
 export type WithRequiredProperty<Type, Key extends keyof Type> = Omit<Type, Key> & {
   [Property in Key]-?: Type[Property];
 };
+
+// Recursive partial object type. inspired by EUI RecursivePartial
+export type RecursivePartial<T> = {
+  [P in keyof T]?: T[P] extends NonAny[]
+    ? T[P]
+    : T[P] extends readonly NonAny[]
+    ? T[P]
+    : T[P] extends Array<infer U>
+    ? Array<RecursivePartial<U>>
+    : T[P] extends ReadonlyArray<infer U>
+    ? ReadonlyArray<RecursivePartial<U>>
+    : T[P] extends Set<infer V>
+    ? Set<RecursivePartial<V>>
+    : T[P] extends Map<infer K, infer V>
+    ? Map<K, RecursivePartial<V>>
+    : T[P] extends NonAny
+    ? T[P]
+    : RecursivePartial<T[P]>;
+};
+type NonAny = number | boolean | string | symbol | null;

tsconfig.base.json

@@ -1190,6 +1190,8 @@
       "@kbn/security-plugin/*": ["x-pack/plugins/security/*"],
       "@kbn/security-solution-ess": ["x-pack/plugins/security_solution_ess"],
       "@kbn/security-solution-ess/*": ["x-pack/plugins/security_solution_ess/*"],
+      "@kbn/security-solution-features": ["x-pack/packages/security-solution/features"],
+      "@kbn/security-solution-features/*": ["x-pack/packages/security-solution/features/*"],
       "@kbn/security-solution-fixtures-plugin": ["x-pack/test/cases_api_integration/common/plugins/security_solution"],
       "@kbn/security-solution-fixtures-plugin/*": ["x-pack/test/cases_api_integration/common/plugins/security_solution/*"],
       "@kbn/security-solution-navigation": ["x-pack/packages/security-solution/navigation"],

x-pack/packages/security-solution/features/README.mdx

@@ -0,0 +1,4 @@
+## Security Solution App Features
+
+This package provides resources to be used for Security Solution app features
+

x-pack/packages/security-solution/features/index.ts

@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+export { AppFeatures } from './src/app_features';
+export { AppFeaturesPrivileges } from './src/app_features_privileges';
+export * from './src/app_features_keys';
+export * from './src/types';

x-pack/packages/security-solution/features/jest.config.js

@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+module.exports = {
+  preset: '@kbn/test',
+  rootDir: '../../../..',
+  roots: ['<rootDir>/x-pack/packages/security-solution/features'],
+};

x-pack/packages/security-solution/features/kibana.jsonc

@@ -0,0 +1,5 @@
+{
+  "type": "shared-common",
+  "id": "@kbn/security-solution-features",
+  "owner": "@elastic/security-threat-hunting-explore"
+}

x-pack/packages/security-solution/features/mocks/context.ts

@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import type { CoreStart } from '@kbn/core/public';
+
+export const mockGetUrlForApp = jest.fn();
+export const mockNavigateToApp = jest.fn();
+export const mockNavigateToUrl = jest.fn();
+
+export const mockCoreStart = {
+  application: {
+    getUrlForApp: mockGetUrlForApp,
+    navigateToApp: mockNavigateToApp,
+    navigateToUrl: mockNavigateToUrl,
+  },
+} as unknown as CoreStart;

x-pack/packages/security-solution/features/mocks/navigation.ts

@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export const mockGetAppUrl = jest.fn();
+export const mockNavigateTo = jest.fn();

x-pack/packages/security-solution/features/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "@kbn/security-solution-features",
+  "private": true,
+  "version": "1.0.0",
+  "license": "Elastic License 2.0"
+}

x-pack/packages/security-solution/features/src/__mocks__/context.tsx

@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import React, { createContext } from 'react';
+import type { CoreStart } from '@kbn/core/public';
+import { mockCoreStart } from '../../mocks/context';
+
+const navigationContext = createContext<CoreStart | null>(mockCoreStart);
+
+export const NavigationProvider: React.FC = ({ children }) => (
+  <navigationContext.Provider value={mockCoreStart}>{children}</navigationContext.Provider>
+);
+
+export const useNavigationContext = (): CoreStart => {
+  return mockCoreStart;
+};

x-pack/packages/security-solution/features/src/__mocks__/navigation.ts

@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { mockGetAppUrl, mockNavigateTo } from '../../mocks/navigation';
+
+export const useGetAppUrl = jest.fn(() => {
+  return { getAppUrl: mockGetAppUrl };
+});
+
+export const useNavigateTo = jest.fn(() => {
+  return { navigateTo: mockNavigateTo };
+});
+
+export const useNavigation = jest.fn(() => {
+  return { navigateTo: mockGetAppUrl, getAppUrl: mockNavigateTo };
+});

x-pack/packages/security-solution/features/src/app_features.test.ts

@@ -0,0 +1,185 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { PluginSetupContract } from '@kbn/features-plugin/server';
+import { loggingSystemMock } from '@kbn/core-logging-server-mocks';
+import { AppFeatures } from './app_features';
+import type {
+  AppFeatureKey,
+  AppFeaturesConfig,
+  AppSubFeaturesMap,
+  BaseKibanaFeatureConfig,
+} from './types';
+
+const category = {
+  id: 'security',
+  label: 'Security app category',
+};
+
+const baseKibanaFeature: BaseKibanaFeatureConfig = {
+  id: 'FEATURE_ID',
+  name: 'Base Feature',
+  order: 1100,
+  app: ['FEATURE_ID', 'kibana'],
+  catalogue: ['APP_ID'],
+  privileges: {
+    all: {
+      api: ['api-read', 'api-write'],
+      app: ['FEATURE_ID', 'kibana'],
+      catalogue: ['APP_ID'],
+      savedObject: {
+        all: [],
+        read: [],
+      },
+      ui: ['write', 'read'],
+    },
+    read: {
+      api: ['api-read'],
+      app: ['FEATURE_ID', 'kibana'],
+      catalogue: ['APP_ID'],
+      savedObject: {
+        all: [],
+        read: [],
+      },
+      ui: ['read'],
+    },
+  },
+  category,
+};
+
+const privileges = {
+  privileges: {
+    all: {
+      api: ['api-read', 'api-write', 'test-capability'],
+      app: ['FEATURE_ID', 'kibana'],
+      catalogue: ['APP_ID'],
+      savedObject: {
+        all: [],
+        read: [],
+      },
+      ui: ['write', 'read', 'test-capability'],
+    },
+    read: {
+      api: ['api-read', 'test-capability'],
+      app: ['FEATURE_ID', 'kibana'],
+      catalogue: ['APP_ID'],
+      savedObject: {
+        all: [],
+        read: [],
+      },
+      ui: ['read', 'test-capability'],
+    },
+  },
+};
+
+const SECURITY_APP_FEATURE_CONFIG: AppFeaturesConfig<string> = new Map();
+SECURITY_APP_FEATURE_CONFIG.set('test-base-feature' as AppFeatureKey, {
+  privileges: {
+    all: {
+      ui: ['test-capability'],
+      api: ['test-capability'],
+    },
+    read: {
+      ui: ['test-capability'],
+      api: ['test-capability'],
+    },
+  },
+});
+
+const CASES_BASE_CONFIG = {
+  privileges: {
+    all: {
+      api: ['api-read', 'api-write', 'test-cases-capability'],
+      app: ['FEATURE_ID', 'kibana'],
+      catalogue: ['APP_ID'],
+      savedObject: {
+        all: [],
+        read: [],
+      },
+      ui: ['write', 'read', 'test-cases-capability'],
+    },
+    read: {
+      api: ['api-read', 'test-cases-capability'],
+      app: ['FEATURE_ID', 'kibana'],
+      catalogue: ['APP_ID'],
+      savedObject: {
+        all: [],
+        read: [],
+      },
+      ui: ['read', 'test-cases-capability'],
+    },
+  },
+};
+
+const CASES_APP_FEATURE_CONFIG: AppFeaturesConfig<string> = new Map();
+CASES_APP_FEATURE_CONFIG.set('test-cases-feature' as AppFeatureKey, {
+  privileges: {
+    all: {
+      ui: ['test-cases-capability'],
+      api: ['test-cases-capability'],
+    },
+    read: {
+      ui: ['test-cases-capability'],
+      api: ['test-cases-capability'],
+    },
+  },
+});
+
+const securityKibanaSubFeatures = {
+  securitySubFeaturesMap: new Map([['subFeature1', { baz: 'baz' }]]),
+};
+
+const securityCasesKibanaSubFeatures = {
+  casesSubFeaturesMap: new Map([['subFeature1', { baz: 'baz' }]]),
+};
+
+describe('AppFeatures', () => {
+  it('should register enabled kibana features', () => {
+    const featuresSetup = {
+      registerKibanaFeature: jest.fn(),
+      getKibanaFeatures: jest.fn(),
+    } as unknown as PluginSetupContract;
+
+    const appFeatures = new AppFeatures(
+      loggingSystemMock.create().get('mock'),
+      securityKibanaSubFeatures.securitySubFeaturesMap as unknown as AppSubFeaturesMap<string>,
+      baseKibanaFeature,
+      ['subFeature1']
+    );
+    appFeatures.init(featuresSetup);
+    appFeatures.setConfig(SECURITY_APP_FEATURE_CONFIG);
+
+    expect(featuresSetup.registerKibanaFeature).toHaveBeenCalledWith({
+      ...baseKibanaFeature,
+      ...SECURITY_APP_FEATURE_CONFIG.get('test-base-feature' as AppFeatureKey),
+      ...privileges,
+      subFeatures: [{ baz: 'baz' }],
+    });
+  });
+
+  it('should register enabled cases features', () => {
+    const featuresSetup = {
+      registerKibanaFeature: jest.fn(),
+    } as unknown as PluginSetupContract;
+
+    const appFeatures = new AppFeatures(
+      loggingSystemMock.create().get('mock'),
+      securityCasesKibanaSubFeatures.casesSubFeaturesMap as unknown as AppSubFeaturesMap<string>,
+      baseKibanaFeature,
+      ['subFeature1']
+    );
+    appFeatures.init(featuresSetup);
+    appFeatures.setConfig(CASES_APP_FEATURE_CONFIG);
+
+    expect(featuresSetup.registerKibanaFeature).toHaveBeenCalledWith({
+      ...baseKibanaFeature,
+      ...CASES_APP_FEATURE_CONFIG.get('test-cases-feature' as AppFeatureKey),
+      subFeatures: [{ baz: 'baz' }],
+      ...CASES_BASE_CONFIG,
+    });
+  });
+});