Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Saved Objects] Allow saved object owners to set encrypted fields during creation without a fake request #209413

Open
TinaHeiligers opened this issue Feb 3, 2025 · 1 comment
Open

[Saved Objects] Allow saved object owners to set encrypted fields during creation without a fake request #209413

TinaHeiligers opened this issue Feb 3, 2025 · 1 comment
Labels
Feature:Saved Objects Feature:Security/Encrypted Saved Objects Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc

Comments

@TinaHeiligers
Copy link
Contributor

TinaHeiligers commented Feb 3, 2025
edited
Loading

The savedObjectsRepository does not currently support field encryption when creating saved objects using a scoped client

The workaround, using a fakeRequest, is the only alternative, for example:

kibana/x-pack/platform/plugins/shared/fleet/server/services/agent_policy_watch.ts

Lines 49 to 59 in 092c2cd

private makeInternalSOClient(soStart: SavedObjectsServiceStart): SavedObjectsClientContract {
const fakeRequest = {
headers: {},
getBasePath: () => '',
path: '/',
route: { settings: {} },
url: { href: {} },
raw: { req: { url: '/' } },
} as unknown as KibanaRequest;
return soStart.getScopedClient(fakeRequest, { excludedExtensions: [SECURITY_EXTENSION_ID] });
}

kibana/x-pack/solutions/security/plugins/security_solution/server/endpoint/lib/policy/license_watch.ts

Lines 56 to 66 in 092c2cd

private makeInternalSOClient(soStart: SavedObjectsServiceStart): SavedObjectsClientContract {
const fakeRequest = {
headers: {},
getBasePath: () => '',
path: '/',
route: { settings: {} },
url: { href: {} },
raw: { req: { url: '/' } },
} as unknown as KibanaRequest;
return soStart.getScopedClient(fakeRequest, { excludedExtensions: [SECURITY_EXTENSION_ID] });
}

kibana/x-pack/solutions/security/plugins/security_solution/server/endpoint/lib/policy/telemetry_watch.ts

Lines 52 to 62 in 092c2cd

private makeInternalSOClient(soStart: SavedObjectsServiceStart): SavedObjectsClientContract {
const fakeRequest = {
headers: {},
getBasePath: () => '',
path: '/',
route: { settings: {} },
url: { href: {} },
raw: { req: { url: '/' } },
} as unknown as KibanaRequest;
return soStart.getScopedClient(fakeRequest, { excludedExtensions: [SECURITY_EXTENSION_ID] });
}

Ideally, there should be a way for a third party to access the SO service's extensions to pass in (currently private without accessors).

Alternatives:

  • A soStart.getInternalClient function to the start contract
  • A way to instantiate an SOR using the SO service's extensions by default. e.g.
    savedObjects.createInternalRepository({ withExtensions: true }) or
    savedObjects.createInternalRepository({ withExtensions: ['encryptedSavedObjects'] })
@TinaHeiligers TinaHeiligers added Feature:Saved Objects Feature:Security/Encrypted Saved Objects Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc labels Feb 3, 2025
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-core (Team:Core)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature:Saved Objects Feature:Security/Encrypted Saved Objects Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@TinaHeiligers @elasticmachine