Optimize performance of ES privilege response validation (#90074)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

Author: legrego

x-pack/plugins/security/server/authorization/__snapshots__/validate_es_response.test.ts.snap

@@ -316,7 +316,7 @@ describe('#atSpace', () => {
         },
       });
       expect(result).toMatchInlineSnapshot(
-        `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_1" fails because ["saved_object:bar-type/get" is not allowed]]]]`
+        `[Error: Invalid response received from Elasticsearch has_privilege endpoint. Error: [application.kibana-our_application]: [saved_object:bar-type/get]: definition for this key is missing]`
       );
     });
 
@@ -338,7 +338,7 @@ describe('#atSpace', () => {
         },
       });
       expect(result).toMatchInlineSnapshot(
-        `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_1" fails because [child "saved_object:foo-type/get" fails because ["saved_object:foo-type/get" is required]]]]]`
+        `[Error: Invalid response received from Elasticsearch has_privilege endpoint. Error: [application.kibana-our_application]: [saved_object:foo-type/get]: expected value of type [boolean] but got [undefined]]`
       );
     });
   });
@@ -1092,7 +1092,7 @@ describe('#atSpaces', () => {
       },
     });
     expect(result).toMatchInlineSnapshot(
-      `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_1" fails because [child "mock-action:version" fails because ["mock-action:version" is required]]]]]`
+      `[Error: Invalid response received from Elasticsearch has_privilege endpoint. Error: [application.kibana-our_application]: [mock-action:version]: expected value of type [boolean] but got [undefined]]`
     );
   });
 
@@ -1379,7 +1379,7 @@ describe('#atSpaces', () => {
         },
       });
       expect(result).toMatchInlineSnapshot(
-        `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_2" fails because ["space:space_2" is required]]]]`
+        `[Error: Invalid response received from Elasticsearch has_privilege endpoint. Error: [application.kibana-our_application]: Payload did not match expected resources]`
       );
     });
 
@@ -1407,7 +1407,7 @@ describe('#atSpaces', () => {
         },
       });
       expect(result).toMatchInlineSnapshot(
-        `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_2" fails because ["space:space_2" is required]]]]`
+        `[Error: Invalid response received from Elasticsearch has_privilege endpoint. Error: [application.kibana-our_application]: Payload did not match expected resources]`
       );
     });
 
@@ -1440,7 +1440,7 @@ describe('#atSpaces', () => {
         },
       });
       expect(result).toMatchInlineSnapshot(
-        `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because ["space:space_3" is not allowed]]]`
+        `[Error: Invalid response received from Elasticsearch has_privilege endpoint. Error: [application.kibana-our_application]: Payload did not match expected resources]`
       );
     });
 
@@ -1463,7 +1463,7 @@ describe('#atSpaces', () => {
         },
       });
       expect(result).toMatchInlineSnapshot(
-        `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "space:space_2" fails because ["space:space_2" is required]]]]`
+        `[Error: Invalid response received from Elasticsearch has_privilege endpoint. Error: [application.kibana-our_application]: Payload did not match expected resources]`
       );
     });
   });
@@ -2266,7 +2266,7 @@ describe('#globally', () => {
       },
     });
     expect(result).toMatchInlineSnapshot(
-      `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "*" fails because [child "mock-action:version" fails because ["mock-action:version" is required]]]]]`
+      `[Error: Invalid response received from Elasticsearch has_privilege endpoint. Error: [application.kibana-our_application]: [mock-action:version]: expected value of type [boolean] but got [undefined]]`
     );
   });
 
@@ -2384,7 +2384,7 @@ describe('#globally', () => {
         },
       });
       expect(result).toMatchInlineSnapshot(
-        `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "*" fails because ["saved_object:bar-type/get" is not allowed]]]]`
+        `[Error: Invalid response received from Elasticsearch has_privilege endpoint. Error: [application.kibana-our_application]: [saved_object:bar-type/get]: definition for this key is missing]`
       );
     });
 
@@ -2405,7 +2405,7 @@ describe('#globally', () => {
         },
       });
       expect(result).toMatchInlineSnapshot(
-        `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "*" fails because [child "saved_object:foo-type/get" fails because ["saved_object:foo-type/get" is required]]]]]`
+        `[Error: Invalid response received from Elasticsearch has_privilege endpoint. Error: [application.kibana-our_application]: [saved_object:foo-type/get]: expected value of type [boolean] but got [undefined]]`
       );
     });
   });

x-pack/plugins/security/server/authorization/check_privileges.test.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import Joi from 'joi';
+import { schema } from '@kbn/config-schema';
 import { HasPrivilegesResponse } from './types';
 
 export function validateEsPrivilegeResponse(
@@ -14,48 +14,57 @@ export function validateEsPrivilegeResponse(
   actions: string[],
   resources: string[]
 ) {
-  const schema = buildValidationSchema(application, actions, resources);
-  const { error, value } = schema.validate(response);
-
-  if (error) {
-    throw new Error(
-      `Invalid response received from Elasticsearch has_privilege endpoint. ${error}`
-    );
+  const validationSchema = buildValidationSchema(application, actions, resources);
+  try {
+    validationSchema.validate(response);
+  } catch (e) {
+    throw new Error(`Invalid response received from Elasticsearch has_privilege endpoint. ${e}`);
   }
 
-  return value;
+  return response;
 }
 
 function buildActionsValidationSchema(actions: string[]) {
-  return Joi.object({
+  return schema.object({
     ...actions.reduce<Record<string, any>>((acc, action) => {
       return {
         ...acc,
-        [action]: Joi.bool().required(),
+        [action]: schema.boolean(),
       };
     }, {}),
-  }).required();
+  });
 }
 
 function buildValidationSchema(application: string, actions: string[], resources: string[]) {
   const actionValidationSchema = buildActionsValidationSchema(actions);
 
-  const resourceValidationSchema = Joi.object({
-    ...resources.reduce((acc, resource) => {
-      return {
-        ...acc,
-        [resource]: actionValidationSchema,
-      };
-    }, {}),
-  }).required();
+  const resourceValidationSchema = schema.object(
+    {},
+    {
+      unknowns: 'allow',
+      validate: (value) => {
+        const actualResources = Object.keys(value).sort();
+        if (
+          resources.length !== actualResources.length ||
+          !resources.sort().every((x, i) => x === actualResources[i])
+        ) {
+          throw new Error('Payload did not match expected resources');
+        }
+
+        Object.values(value).forEach((actionResult) => {
+          actionValidationSchema.validate(actionResult);
+        });
+      },
+    }
+  );
 
-  return Joi.object({
-    username: Joi.string().required(),
-    has_all_requested: Joi.bool(),
-    cluster: Joi.object(),
-    application: Joi.object({
+  return schema.object({
+    username: schema.string(),
+    has_all_requested: schema.boolean(),
+    cluster: schema.object({}, { unknowns: 'allow' }),
+    application: schema.object({
       [application]: resourceValidationSchema,
-    }).required(),
-    index: Joi.object(),
-  }).required();
+    }),
+    index: schema.object({}, { unknowns: 'allow' }),
+  });
 }