feat: add workspace into includeHiddenTypes (opensearch-project#249)

* feat: add workspace into includeHiddenTypes of client wrapper and permission control client Signed-off-by: SuZhou-Joe <suzhou@amazon.com> * fix: hiddenType side effect Signed-off-by: SuZhou-Joe <suzhou@amazon.com> --------- Signed-off-by: SuZhou-Joe <suzhou@amazon.com>
wanglam · Mar 5, 2024 · dab88dd · dab88dd
1 parent 6375db7
commit dab88dd
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 4 deletions.
diff --git a/src/plugins/workspace/server/permission_control/client.ts b/src/plugins/workspace/server/permission_control/client.ts
@@ -4,13 +4,16 @@
  */
 
 import { i18n } from '@osd/i18n';
-import { OpenSearchDashboardsRequest, Principals, SavedObject } from '../../../../core/server';
 import {
   ACL,
   TransformedPermission,
   SavedObjectsBulkGetObject,
   SavedObjectsServiceStart,
   Logger,
+  OpenSearchDashboardsRequest,
+  Principals,
+  SavedObject,
+  WORKSPACE_TYPE,
 } from '../../../../core/server';
 import { WORKSPACE_SAVED_OBJECTS_CLIENT_WRAPPER_ID } from '../../common/constants';
 import { getPrincipalsFromRequest } from '../utils';
@@ -28,6 +31,7 @@ export class SavedObjectsPermissionControl {
   private getScopedClient(request: OpenSearchDashboardsRequest) {
     return this._getScopedClient?.(request, {
       excludedWrappers: [WORKSPACE_SAVED_OBJECTS_CLIENT_WRAPPER_ID],
+      includedHiddenTypes: [WORKSPACE_TYPE],
     });
   }
 

diff --git a/src/plugins/workspace/server/plugin.ts b/src/plugins/workspace/server/plugin.ts
@@ -34,6 +34,7 @@ export class WorkspacePlugin implements Plugin<{}, {}> {
   private workspaceConflictControl?: WorkspaceConflictSavedObjectsClientWrapper;
   private permissionControl?: SavedObjectsPermissionControlContract;
   private readonly config$: Observable<WorkspacePluginConfigType>;
+  private workspaceSavedObjectsClientWrapper?: WorkspaceSavedObjectsClientWrapper;
 
   private proxyWorkspaceTrafficToRealHandler(setupDeps: CoreSetup) {
     /**
@@ -79,14 +80,14 @@ export class WorkspacePlugin implements Plugin<{}, {}> {
     if (isPermissionControlEnabled) {
       this.permissionControl = new SavedObjectsPermissionControl(this.logger);
 
-      const workspaceSavedObjectsClientWrapper = new WorkspaceSavedObjectsClientWrapper(
+      this.workspaceSavedObjectsClientWrapper = new WorkspaceSavedObjectsClientWrapper(
         this.permissionControl
       );
 
       core.savedObjects.addClientWrapper(
         0,
         WORKSPACE_SAVED_OBJECTS_CLIENT_WRAPPER_ID,
-        workspaceSavedObjectsClientWrapper.wrapperFactory
+        this.workspaceSavedObjectsClientWrapper.wrapperFactory
       );
     }
 
@@ -113,6 +114,7 @@ export class WorkspacePlugin implements Plugin<{}, {}> {
     this.permissionControl?.setup(core.savedObjects.getScopedClient);
     this.client?.setSavedObjects(core.savedObjects);
     this.workspaceConflictControl?.setSerializer(core.savedObjects.createSerializer());
+    this.workspaceSavedObjectsClientWrapper?.setScopedClient(core.savedObjects.getScopedClient);
 
     return {
       client: this.client as IWorkspaceClientImpl,

diff --git a/src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts b/src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts
@@ -26,9 +26,12 @@ import {
   WorkspacePermissionMode,
   SavedObjectsDeleteByWorkspaceOptions,
   SavedObjectsErrorHelpers,
+  SavedObjectsServiceStart,
+  SavedObjectsClientContract,
 } from '../../../../core/server';
 import { SavedObjectsPermissionControlContract } from '../permission_control/client';
 import { getPrincipalsFromRequest } from '../utils';
+import { WORKSPACE_SAVED_OBJECTS_CLIENT_WRAPPER_ID } from '../../common/constants';
 
 // Can't throw unauthorized for now, the page will be refreshed if unauthorized
 const generateWorkspacePermissionError = () =>
@@ -50,6 +53,7 @@ const generateSavedObjectsPermissionError = () =>
   );
 
 export class WorkspaceSavedObjectsClientWrapper {
+  private getScopedClient?: SavedObjectsServiceStart['getScopedClient'];
   private formatWorkspacePermissionModeToStringArray(
     permission: WorkspacePermissionMode | WorkspacePermissionMode[]
   ): string[] {
@@ -173,6 +177,17 @@ export class WorkspaceSavedObjectsClientWrapper {
     return hasPermission;
   }
 
+  private getWorkspaceTypeEnabledClient(request: OpenSearchDashboardsRequest) {
+    return this.getScopedClient?.(request, {
+      includedHiddenTypes: [WORKSPACE_TYPE],
+      excludedWrappers: [WORKSPACE_SAVED_OBJECTS_CLIENT_WRAPPER_ID],
+    }) as SavedObjectsClientContract;
+  }
+
+  public setScopedClient(getScopedClient: SavedObjectsServiceStart['getScopedClient']) {
+    this.getScopedClient = getScopedClient;
+  }
+
   public wrapperFactory: SavedObjectsClientWrapperFactory = (wrapperOptions) => {
     const deleteWithWorkspacePermissionControl = async (
       type: string,
@@ -396,8 +411,12 @@ export class WorkspaceSavedObjectsClientWrapper {
         ];
         options.ACLSearchParams.principals = principals;
       } else {
+        /**
+         * Workspace is a hidden type so that we need to
+         * initialize a new saved objects client with workspace enabled to retrieve all the workspaces with permission.
+         */
         const permittedWorkspaceIds = (
-          await wrapperOptions.client.find({
+          await this.getWorkspaceTypeEnabledClient(wrapperOptions.request).find({
             type: WORKSPACE_TYPE,
             perPage: 999,
             ACLSearchParams: {