WIP

x-pack/plugins/actions/server/actions_client.ts

@@ -17,6 +17,7 @@ import {
   SavedObject,
   KibanaRequest,
   SavedObjectsUtils,
+  SavedObjectsResolveResponse,
 } from '../../../../src/core/server';
 import { AuditLogger } from '../../security/server';
 import { ActionType } from '../common';
@@ -209,10 +210,10 @@ export class ActionsClient {
       throw error;
     }
     const {
-      attributes,
-      references,
-      version,
-    } = await this.unsecuredSavedObjectsClient.get<RawAction>('action', id);
+      saved_object: { attributes, references, version },
+      /* resolvedResponse */
+    } = await this.unsecuredSavedObjectsClient.resolve<RawAction>('action', id);
+    // TODO: How to handle `resolveResponse` here
     const { actionTypeId } = attributes;
     const { name, config, secrets } = action;
     const actionType = this.actionTypeRegistry.get(actionTypeId);
@@ -263,7 +264,13 @@ export class ActionsClient {
   /**
    * Get an action
    */
-  public async get({ id }: { id: string }): Promise<ActionResult> {
+  public async get({
+    id,
+  }: {
+    id: string;
+  }): Promise<
+    ActionResult & { resolveResponse?: Omit<SavedObjectsResolveResponse, 'saved_object'> }
+  > {
     try {
       await this.authorization.ensureAuthorized('get');
     } catch (error) {
@@ -296,7 +303,12 @@ export class ActionsClient {
       };
     }
 
-    const result = await this.unsecuredSavedObjectsClient.get<RawAction>('action', id);
+    const {
+      saved_object: result,
+      ...resolveResponse
+    } = await this.unsecuredSavedObjectsClient.resolve<RawAction>('action', id);
+
+    // TODO: How to handle `resolveResponse` here
 
     this.auditLogger?.log(
       connectorAuditEvent({
@@ -312,6 +324,7 @@ export class ActionsClient {
       name: result.attributes.name,
       config: result.attributes.config,
       isPreconfigured: false,
+      resolveResponse,
     };
   }
 
@@ -331,12 +344,24 @@ export class ActionsClient {
       throw error;
     }
 
-    const savedObjectsActions = (
+    const discoveredSavedObjects = (
       await this.unsecuredSavedObjectsClient.find<RawAction>({
         perPage: MAX_ACTIONS_RETURNED,
         type: 'action',
       })
-    ).saved_objects.map(actionFromSavedObject);
+    ).saved_objects;
+    const savedObjectsActions = (
+      await Promise.all(
+        discoveredSavedObjects.map(({ id }) =>
+          this.unsecuredSavedObjectsClient.resolve<RawAction>('action', id)
+        )
+      )
+    ).map(({ saved_object: action, ...resolveResponse }) => {
+      return {
+        ...actionFromSavedObject(action),
+        resolveResponse,
+      };
+    });
 
     savedObjectsActions.forEach(({ id }) =>
       this.auditLogger?.log(

x-pack/plugins/actions/server/authorization/get_authorization_mode_by_source.ts

@@ -20,15 +20,16 @@ export async function getAuthorizationModeBySource(
   unsecuredSavedObjectsClient: SavedObjectsClientContract,
   executionSource?: ActionExecutionSource<unknown>
 ): Promise<AuthorizationMode> {
+  // TODO: How to handle `resolveResponse` here
   return isSavedObjectExecutionSource(executionSource) &&
     executionSource?.source?.type === ALERT_SAVED_OBJECT_TYPE &&
     (
-      await unsecuredSavedObjectsClient.get<{
+      await unsecuredSavedObjectsClient.resolve<{
         meta?: {
           versionApiKeyLastmodified?: string;
         };
       }>(ALERT_SAVED_OBJECT_TYPE, executionSource.source.id)
-    ).attributes.meta?.versionApiKeyLastmodified === LEGACY_VERSION
+    ).saved_object.attributes.meta?.versionApiKeyLastmodified === LEGACY_VERSION
     ? AuthorizationMode.Legacy
     : AuthorizationMode.RBAC;
 }

x-pack/plugins/actions/server/create_execute_function.ts

@@ -5,7 +5,10 @@
  * 2.0.
  */
 
-import { SavedObjectsClientContract } from '../../../../src/core/server';
+import {
+  SavedObjectsClientContract,
+  SavedObjectsResolveResponse,
+} from '../../../../src/core/server';
 import { RunNowResult, TaskManagerStartContract } from '../../task_manager/server';
 import {
   RawAction,
@@ -53,9 +56,11 @@ export function createExecutionEnqueuerFunction({
       );
     }
 
-    const action = await getAction(unsecuredSavedObjectsClient, preconfiguredActions, id);
+    const { action } = await getAction(unsecuredSavedObjectsClient, preconfiguredActions, id);
     validateCanActionBeUsed(action);
 
+    // TODO: How to handle `resolveResponse` here
+
     const { actionTypeId } = action;
     if (!actionTypeRegistry.isActionExecutable(id, actionTypeId, { notifyUsage: true })) {
       actionTypeRegistry.ensureActionTypeEnabled(actionTypeId);
@@ -93,7 +98,7 @@ export function createEphemeralExecutionEnqueuerFunction({
     unsecuredSavedObjectsClient: SavedObjectsClientContract,
     { id, params, spaceId, source, apiKey }: ExecuteOptions
   ): Promise<RunNowResult> {
-    const action = await getAction(unsecuredSavedObjectsClient, preconfiguredActions, id);
+    const { action } = await getAction(unsecuredSavedObjectsClient, preconfiguredActions, id);
     validateCanActionBeUsed(action);
 
     const { actionTypeId } = action;
@@ -148,12 +153,21 @@ async function getAction(
   unsecuredSavedObjectsClient: SavedObjectsClientContract,
   preconfiguredActions: PreConfiguredAction[],
   actionId: string
-): Promise<PreConfiguredAction | RawAction> {
+): Promise<{
+  action: PreConfiguredAction | RawAction;
+  resolveResponse?: Omit<SavedObjectsResolveResponse, 'saved_object'>;
+}> {
   const pcAction = preconfiguredActions.find((action) => action.id === actionId);
   if (pcAction) {
-    return pcAction;
+    return { action: pcAction };
   }
 
-  const { attributes } = await unsecuredSavedObjectsClient.get<RawAction>('action', actionId);
-  return attributes;
+  const {
+    saved_object: { attributes },
+    ...resolveResponse
+  } = await unsecuredSavedObjectsClient.resolve<RawAction>('action', actionId);
+  return {
+    action: attributes,
+    resolveResponse,
+  };
 }

x-pack/plugins/actions/server/lib/action_executor.ts

@@ -6,7 +6,7 @@
  */
 
 import type { PublicMethodsOf } from '@kbn/utility-types';
-import { Logger, KibanaRequest } from 'src/core/server';
+import { Logger, KibanaRequest, SavedObjectsResolveResponse } from 'src/core/server';
 import { cloneDeep } from 'lodash';
 import { withSpan } from '@kbn/apm-utils';
 import { validateParams, validateConfig, validateSecrets } from './validate_with_schema';
@@ -288,7 +288,7 @@ async function getActionInfo(
   preconfiguredActions: PreConfiguredAction[],
   actionId: string,
   namespace: string | undefined
-): Promise<ActionInfo> {
+): Promise<ActionInfo & { resolveResponse?: Omit<SavedObjectsResolveResponse, 'saved_object'> }> {
   // check to see if it's a pre-configured action first
   const pcAction = preconfiguredActions.find(
     (preconfiguredAction) => preconfiguredAction.id === actionId
@@ -308,6 +308,7 @@ async function getActionInfo(
 
   const {
     attributes: { secrets },
+    resolveResponse,
   } = await encryptedSavedObjectsClient.getDecryptedAsInternalUser<RawAction>('action', actionId, {
     namespace: namespace === 'default' ? undefined : namespace,
   });
@@ -317,5 +318,6 @@ async function getActionInfo(
     name,
     config,
     secrets,
+    resolveResponse,
   };
 }

x-pack/plugins/actions/server/lib/task_runner_factory.ts

@@ -87,12 +87,15 @@ export class TaskRunnerFactory {
         const {
           attributes: { actionId, params, apiKey, relatedSavedObjects },
           references,
+          /* resolveResponse, */
         } = await getActionTaskParams(
           actionTaskExecutorParams,
           encryptedSavedObjectsClient,
           spaceIdToNamespace
         );
 
+        // TODO: How to handle `resolveResponse` here?
+
         const requestHeaders: Record<string, string> = {};
         if (apiKey) {
           requestHeaders.authorization = `ApiKey ${apiKey}`;

x-pack/plugins/actions/server/saved_objects/index.ts

@@ -31,7 +31,9 @@ export function setupSavedObjects(
   savedObjects.registerType({
     name: ACTION_SAVED_OBJECT_TYPE,
     hidden: true,
-    namespaceType: 'single',
+    // namespaceType: 'single',
+    namespaceType: 'multiple-isolated',
+    convertToMultiNamespaceTypeVersion: '8.0.0',
     mappings: mappings.action as SavedObjectsTypeMappingDefinition,
     migrations: getMigrations(encryptedSavedObjects),
     management: {
@@ -67,7 +69,9 @@ export function setupSavedObjects(
   savedObjects.registerType({
     name: ACTION_TASK_PARAMS_SAVED_OBJECT_TYPE,
     hidden: true,
-    namespaceType: 'single',
+    // namespaceType: 'single',
+    namespaceType: 'multiple-isolated',
+    convertToMultiNamespaceTypeVersion: '8.0.0',
     mappings: mappings.action_task_params as SavedObjectsTypeMappingDefinition,
   });
   encryptedSavedObjects.registerType({

x-pack/plugins/alerting/server/invalidate_pending_api_keys/task.ts

@@ -201,6 +201,7 @@ async function invalidateApiKeys(
         'api_key_pending_invalidation',
         apiKeyObj.id
       );
+      // TODO: How to handle `resolveResponse` here?
       return decryptedApiKey.attributes.apiKeyId;
     })
   );