Fix tests + swap_references API

afharo · afharo · commit 3a28421b12e5 · 2025-12-03T15:17:36.000+01:00
diff --git a/src/core/packages/saved-objects/api-server-internal/src/lib/repository.security_extension.test.ts b/src/core/packages/saved-objects/api-server-internal/src/lib/repository.security_extension.test.ts
@@ -62,6 +62,7 @@ import {
   generateIndexPatternSearchResults,
   setupAuthorizeFunc,
   setupAuthorizeFind,
+  HIDDEN_TYPE,
 } from '../test_helpers/repository.test.common';
 import { savedObjectsExtensionsMock } from '../mocks/saved_objects_extensions.mock';
 import { arrayMapsAreEqual } from '@kbn/core-saved-objects-utils-server';
@@ -845,14 +846,108 @@ describe('SavedObjectsRepository Security Extension', () => {
       });
     });
 
+    test(`returns empty authorization map for partially authorized if the authorized types are not part of the query`, async () => {
+      setupAuthorizeFind(mockSecurityExt, 'partially_authorized');
+      setupRedactPassthrough(mockSecurityExt);
+
+      await findSuccess(
+        client,
+        repository,
+        {
+          type: [type, NAMESPACE_AGNOSTIC_TYPE],
+          namespaces: [namespace, 'ns-1'],
+        }, // include multiple types and spaces
+        namespace
+      );
+
+      expect(mockGetSearchDsl.mock.calls[0].length).toBe(3); // Find success verifies this is called once, this should always pass
+      const {
+        typeToNamespacesMap: actualMap,
+      }: { typeToNamespacesMap: Map<string, string[] | undefined> } =
+        mockGetSearchDsl.mock.calls[0][2];
+
+      expect(actualMap).not.toBeUndefined();
+      const expectedMap = new Map<string, string[] | undefined>();
+
+      expect(arrayMapsAreEqual(actualMap, expectedMap)).toBeTruthy();
+    });
+
+    test(`returns empty authorization map for fully authorized if the authorized types are not part of the query`, async () => {
+      setupAuthorizeFind(mockSecurityExt, 'fully_authorized');
+      setupRedactPassthrough(mockSecurityExt);
+
+      await findSuccess(
+        client,
+        repository,
+        {
+          type: [type, NAMESPACE_AGNOSTIC_TYPE],
+          namespaces: [namespace, 'ns-1'],
+        }, // include multiple types and spaces
+        namespace
+      );
+
+      expect(mockGetSearchDsl.mock.calls[0].length).toBe(3); // Find success verifies this is called once, this should always pass
+      const {
+        typeToNamespacesMap: actualMap,
+      }: { typeToNamespacesMap: Map<string, string[] | undefined> } =
+        mockGetSearchDsl.mock.calls[0][2];
+
+      expect(actualMap).not.toBeUndefined();
+      const expectedMap = new Map<string, string[] | undefined>();
+
+      expect(arrayMapsAreEqual(actualMap, expectedMap)).toBeTruthy();
+    });
+
     test(`uses the authorization map when partially authorized`, async () => {
       setupAuthorizeFind(mockSecurityExt, 'partially_authorized');
       setupRedactPassthrough(mockSecurityExt);
 
       await findSuccess(
         client,
         repository,
-        { type: [type, NAMESPACE_AGNOSTIC_TYPE], namespaces: [namespace, 'ns-1'] }, // include multiple types and spaces
+        {
+          type: [
+            type,
+            'foo',
+            // Explicitly request the hidden type despite the repository not having access to it to confirm that it's not authorized.
+            HIDDEN_TYPE,
+            NAMESPACE_AGNOSTIC_TYPE,
+          ],
+          namespaces: [namespace, 'ns-1'],
+        }, // include multiple types and spaces
+        namespace
+      );
+
+      expect(mockGetSearchDsl.mock.calls[0].length).toBe(3); // Find success verifies this is called once, this should always pass
+      const {
+        typeToNamespacesMap: actualMap,
+      }: { typeToNamespacesMap: Map<string, string[] | undefined> } =
+        mockGetSearchDsl.mock.calls[0][2];
+
+      expect(actualMap).not.toBeUndefined();
+      const expectedMap = new Map<string, string[] | undefined>();
+      expectedMap.set('foo', ['bar']); // this is what is hard-coded in authMap
+
+      expect(arrayMapsAreEqual(actualMap, expectedMap)).toBeTruthy();
+    });
+
+    test(`uses the authorization map when fully authorized`, async () => {
+      setupAuthorizeFind(mockSecurityExt, 'fully_authorized');
+      setupRedactPassthrough(mockSecurityExt);
+
+      await findSuccess(
+        client,
+        repository,
+        {
+          type: [
+            type,
+            'foo',
+            // Explicitly request the hidden type despite the repository not having access to it to confirm that it's not authorized.
+            HIDDEN_TYPE,
+            NAMESPACE_AGNOSTIC_TYPE,
+          ],
+          namespaces: [namespace, 'ns-1'],
+        }, // include multiple types and spaces
         namespace
       );
 
diff --git a/src/core/packages/saved-objects/api-server-internal/src/test_helpers/repository.test.common.ts b/src/core/packages/saved-objects/api-server-internal/src/test_helpers/repository.test.common.ts
@@ -233,7 +233,13 @@ export const mappings: SavedObjectsTypeMappingDefinition = {
 export const authRecord: Record<string, AuthorizationTypeEntry> = {
   find: { authorizedSpaces: ['bar'] },
 };
-export const authMap = Object.freeze(new Map([['foo', authRecord]]));
+export const authMap = Object.freeze(
+  new Map([
+    ['foo', authRecord],
+    // The user is authorized to read hidden types but tests will confirm that repositories without that hidden type listed, won't show this as authorized.
+    [HIDDEN_TYPE, authRecord],
+  ])
+);
 
 export const checkAuthError = SavedObjectsErrorHelpers.createBadRequestError(
   'Failed to check authorization'
@@ -344,6 +350,7 @@ export const createType = (
 
 export const createRegistry = () => {
   const registry = new SavedObjectTypeRegistry();
+  registry.registerType(createType('foo'));
   registry.registerType(createType('config'));
   registry.registerType(createType('index-pattern'));
   registry.registerType(
diff --git a/src/platform/plugins/shared/data_views/server/rest_api_routes/public/swap_references.ts b/src/platform/plugins/shared/data_views/server/rest_api_routes/public/swap_references.ts
@@ -113,9 +113,12 @@ export const swapReferencesRoute =
         },
         router.handleLegacyErrors(
           handleErrors(async (ctx, req, res) => {
-            const savedObjectsClient = (await ctx.core).savedObjects.client;
-            const [core] = await getStartServices();
-            const types = core.savedObjects.getTypeRegistry().getAllTypes();
+            const savedObjectsContract = (await ctx.core).savedObjects;
+            const types = savedObjectsContract.typeRegistry.getAllTypes();
+            const savedObjectsClient = savedObjectsContract.getClient({
+              // Make sure to search through all the hidden types as well.
+              includedHiddenTypes: types.filter((t) => t.hidden).map((t) => t.name),
+            });
             const type = req.body.fromType || DATA_VIEW_SAVED_OBJECT_TYPE;
             const searchId =
               !Array.isArray(req.body.forId) && req.body.forId !== undefined
