Add notifications plugin, offering basic email service

tsconfig.base.json

@@ -391,6 +391,8 @@
       "@kbn/monitoring-collection-plugin/*": ["x-pack/plugins/monitoring_collection/*"],
       "@kbn/monitoring-plugin": ["x-pack/plugins/monitoring"],
       "@kbn/monitoring-plugin/*": ["x-pack/plugins/monitoring/*"],
+      "@kbn/notifications-plugin": ["x-pack/plugins/notifications"],
+      "@kbn/notifications-plugin/*": ["x-pack/plugins/notifications/*"],
       "@kbn/observability-plugin": ["x-pack/plugins/observability"],
       "@kbn/observability-plugin/*": ["x-pack/plugins/observability/*"],
       "@kbn/osquery-plugin": ["x-pack/plugins/osquery"],

x-pack/plugins/actions/server/create_unsecured_execute_function.ts

@@ -0,0 +1,158 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { compact } from 'lodash';
+import { ISavedObjectsRepository, SavedObjectsBulkResponse } from '@kbn/core/server';
+import { TaskManagerStartContract } from '@kbn/task-manager-plugin/server';
+import {
+  ActionTypeRegistryContract as ConnectorTypeRegistryContract,
+  PreConfiguredAction as PreconfiguredConnector,
+} from './types';
+import { ACTION_TASK_PARAMS_SAVED_OBJECT_TYPE } from './constants/saved_objects';
+import { ExecuteOptions as ActionExecutorOptions } from './lib/action_executor';
+import { extractSavedObjectReferences, isSavedObjectExecutionSource } from './lib';
+import { RelatedSavedObjects } from './lib/related_saved_objects';
+
+const ALLOWED_CONNECTOR_TYPE_IDS = ['.email', '.slack'];
+interface CreateBulkUnsecuredExecuteFunctionOptions {
+  taskManager: TaskManagerStartContract;
+  connectorTypeRegistry: ConnectorTypeRegistryContract;
+  preconfiguredConnectors: PreconfiguredConnector[];
+}
+
+export interface ExecuteOptions extends Pick<ActionExecutorOptions, 'params' | 'source'> {
+  id: string;
+  executionId: string;
+  consumer?: string;
+  relatedSavedObjects?: RelatedSavedObjects;
+}
+
+export interface ActionTaskParams extends Pick<ActionExecutorOptions, 'params'> {
+  actionId: string;
+  apiKey: string | null;
+  executionId: string;
+  consumer?: string;
+  relatedSavedObjects?: RelatedSavedObjects;
+}
+
+export type BulkUnsecuredExecutionEnqueuer<T> = (
+  internalSavedObjectsRepository: ISavedObjectsRepository,
+  actionsToExectute: ExecuteOptions[]
+) => Promise<T>;
+
+export function createBulkUnsecuredExecutionEnqueuerFunction({
+  taskManager,
+  connectorTypeRegistry,
+  preconfiguredConnectors,
+}: CreateBulkUnsecuredExecuteFunctionOptions): BulkUnsecuredExecutionEnqueuer<void> {
+  return async function execute(
+    internalSavedObjectsRepository: ISavedObjectsRepository,
+    actionsToExecute: ExecuteOptions[]
+  ) {
+    const connectorTypeIds: Record<string, string> = {};
+    const connectorIds = [...new Set(actionsToExecute.map((action) => action.id))];
+
+    const notPreconfiguredConnectors = connectorIds.filter(
+      (connectorId) =>
+        preconfiguredConnectors.find((connector) => connector.id === connectorId) == null
+    );
+
+    if (notPreconfiguredConnectors.length > 0) {
+      throw new Error(
+        `${notPreconfiguredConnectors.join(
+          ','
+        )} are not preconfigured connectors and can't be scheduled for unsecured actions execution`
+      );
+    }
+
+    const connectors: PreconfiguredConnector[] = compact(
+      connectorIds.map((connectorId) =>
+        preconfiguredConnectors.find((pConnector) => pConnector.id === connectorId)
+      )
+    );
+
+    connectors.forEach((connector) => {
+      const { id, actionTypeId } = connector;
+      if (!connectorTypeRegistry.isActionExecutable(id, actionTypeId, { notifyUsage: true })) {
+        connectorTypeRegistry.ensureActionTypeEnabled(actionTypeId);
+      }
+
+      if (!ALLOWED_CONNECTOR_TYPE_IDS.includes(actionTypeId)) {
+        throw new Error(
+          `${actionTypeId} actions cannot be scheduled for unsecured actions execution`
+        );
+      }
+
+      connectorTypeIds[id] = actionTypeId;
+    });
+
+    const actions = await Promise.all(
+      actionsToExecute.map(async (actionToExecute) => {
+        // Get saved object references from action ID and relatedSavedObjects
+        const { references, relatedSavedObjectWithRefs } = extractSavedObjectReferences(
+          actionToExecute.id,
+          true,
+          actionToExecute.relatedSavedObjects
+        );
+        const executionSourceReference = executionSourceAsSavedObjectReferences(
+          actionToExecute.source
+        );
+
+        const taskReferences = [];
+        if (executionSourceReference.references) {
+          taskReferences.push(...executionSourceReference.references);
+        }
+        if (references) {
+          taskReferences.push(...references);
+        }
+
+        return {
+          type: ACTION_TASK_PARAMS_SAVED_OBJECT_TYPE,
+          attributes: {
+            actionId: actionToExecute.id,
+            params: actionToExecute.params,
+            apiKey: null,
+            executionId: actionToExecute.executionId,
+            consumer: actionToExecute.consumer,
+            relatedSavedObjects: relatedSavedObjectWithRefs,
+          },
+          references: taskReferences,
+        };
+      })
+    );
+
+    const actionTaskParamsRecords: SavedObjectsBulkResponse<ActionTaskParams> =
+      await internalSavedObjectsRepository.bulkCreate(actions);
+
+    const taskInstances = actionTaskParamsRecords.saved_objects.map((so) => {
+      const actionId = so.attributes.actionId;
+      return {
+        taskType: `actions:${connectorTypeIds[actionId]}`,
+        params: {
+          spaceId: 'default',
+          actionTaskParamsId: so.id,
+        },
+        state: {},
+        scope: ['actions'],
+      };
+    });
+    await taskManager.bulkSchedule(taskInstances);
+  };
+}
+
+function executionSourceAsSavedObjectReferences(executionSource: ActionExecutorOptions['source']) {
+  return isSavedObjectExecutionSource(executionSource)
+    ? {
+        references: [
+          {
+            name: 'source',
+            ...executionSource.source,
+          },
+        ],
+      }
+    : {};
+}

x-pack/plugins/actions/server/lib/action_executor.ts

@@ -105,12 +105,6 @@ export class ActionExecutor {
       throw new Error('ActionExecutor not initialized');
     }
 
-    if (!this.isESOCanEncrypt) {
-      throw new Error(
-        `Unable to execute action because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.`
-      );
-    }
-
     return withSpan(
       {
         name: `execute_action`,
@@ -136,11 +130,14 @@ export class ActionExecutor {
         const namespace = spaceId && spaceId !== 'default' ? { namespace: spaceId } : {};
 
         const actionInfo = await getActionInfoInternal(
-          await getActionsClientWithRequest(request, source),
+          getActionsClientWithRequest,
+          request,
+          this.isESOCanEncrypt,
           encryptedSavedObjectsClient,
           preconfiguredActions,
           actionId,
-          namespace.namespace
+          namespace.namespace,
+          source
         );
 
         const { actionTypeId, name, config, secrets } = actionInfo;
@@ -318,11 +315,14 @@ export class ActionExecutor {
     const namespace = spaceId && spaceId !== 'default' ? { namespace: spaceId } : {};
     if (!this.actionInfo || this.actionInfo.actionId !== actionId) {
       this.actionInfo = await getActionInfoInternal(
-        await getActionsClientWithRequest(request, source),
+        getActionsClientWithRequest,
+        request,
+        this.isESOCanEncrypt,
         encryptedSavedObjectsClient,
         preconfiguredActions,
         actionId,
-        namespace.namespace
+        namespace.namespace,
+        source
       );
     }
     const task = taskInfo
@@ -368,12 +368,18 @@ interface ActionInfo {
   actionId: string;
 }
 
-async function getActionInfoInternal(
-  actionsClient: PublicMethodsOf<ActionsClient>,
+async function getActionInfoInternal<Source = unknown>(
+  getActionsClientWithRequest: (
+    request: KibanaRequest,
+    authorizationContext?: ActionExecutionSource<unknown>
+  ) => Promise<PublicMethodsOf<ActionsClient>>,
+  request: KibanaRequest,
+  isESOCanEncrypt: boolean,
   encryptedSavedObjectsClient: EncryptedSavedObjectsClient,
   preconfiguredActions: PreConfiguredAction[],
   actionId: string,
-  namespace: string | undefined
+  namespace: string | undefined,
+  source?: ActionExecutionSource<Source>
 ): Promise<ActionInfo> {
   // check to see if it's a pre-configured action first
   const pcAction = preconfiguredActions.find(
@@ -389,6 +395,14 @@ async function getActionInfoInternal(
     };
   }
 
+  if (!isESOCanEncrypt) {
+    throw new Error(
+      `Unable to execute action because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.`
+    );
+  }
+
+  const actionsClient = await getActionsClientWithRequest(request, source);
+
   // if not pre-configured action, should be a saved object
   // ensure user can read the action before processing
   const { actionTypeId, config, name } = await actionsClient.get({ id: actionId });

x-pack/plugins/actions/server/plugin.ts

@@ -101,6 +101,9 @@ import { createSubActionConnectorFramework } from './sub_action_framework';
 import { IServiceAbstract, SubActionConnectorType } from './sub_action_framework/types';
 import { SubActionConnector } from './sub_action_framework/sub_action_connector';
 import { CaseConnector } from './sub_action_framework/case';
+import { UnsecuredActionsClientAccessRegistry } from './unsecured_actions_client/unsecured_actions_client_access_registry';
+import { UnsecuredActionsClient } from './unsecured_actions_client/unsecured_actions_client';
+import { createBulkUnsecuredExecutionEnqueuerFunction } from './create_unsecured_execute_function';
 
 export interface PluginSetupContract {
   registerType<
@@ -117,6 +120,7 @@ export interface PluginSetupContract {
   >(
     connector: SubActionConnectorType<Config, Secrets>
   ): void;
+  registerUnsecuredActionsClientAccess(featureId: string): void;
   isPreconfiguredConnector(connectorId: string): boolean;
   getSubActionConnectorClass: <Config, Secrets>() => IServiceAbstract<Config, Secrets>;
   getCaseConnectorClass: <Config, Secrets>() => IServiceAbstract<Config, Secrets>;
@@ -138,6 +142,8 @@ export interface PluginStartContract {
 
   preconfiguredActions: PreConfiguredAction[];
 
+  getUnsecuredActionsClient(): Promise<PublicMethodsOf<UnsecuredActionsClient>>;
+
   renderActionParameterTemplates<Params extends ActionTypeParams = ActionTypeParams>(
     actionTypeId: string,
     actionId: string,
@@ -188,6 +194,7 @@ export class ActionsPlugin implements Plugin<PluginSetupContract, PluginStartCon
   private readonly preconfiguredActions: PreConfiguredAction[];
   private inMemoryMetrics: InMemoryMetrics;
   private kibanaIndex?: string;
+  private unsecuredActionsClientAccessRegistry?: UnsecuredActionsClientAccessRegistry;
 
   constructor(initContext: PluginInitializerContext) {
     this.logger = initContext.logger.get();
@@ -266,6 +273,8 @@ export class ActionsPlugin implements Plugin<PluginSetupContract, PluginStartCon
     this.actionExecutor = actionExecutor;
     this.security = plugins.security;
 
+    this.unsecuredActionsClientAccessRegistry = new UnsecuredActionsClientAccessRegistry();
+
     setupSavedObjects(
       core.savedObjects,
       plugins.encryptedSavedObjects,
@@ -361,6 +370,9 @@ export class ActionsPlugin implements Plugin<PluginSetupContract, PluginStartCon
       ) => {
         subActionFramework.registerConnector(connector);
       },
+      registerUnsecuredActionsClientAccess: (featureId: string) => {
+        this.unsecuredActionsClientAccessRegistry?.register(featureId);
+      },
       isPreconfiguredConnector: (connectorId: string): boolean => {
         return !!this.preconfiguredActions.find(
           (preconfigured) => preconfigured.id === connectorId
@@ -452,6 +464,22 @@ export class ActionsPlugin implements Plugin<PluginSetupContract, PluginStartCon
       });
     };
 
+    const getUnsecuredActionsClient = async () => {
+      const internalSavedObjectsRepository = core.savedObjects.createInternalRepository([
+        ACTION_TASK_PARAMS_SAVED_OBJECT_TYPE,
+      ]);
+
+      return new UnsecuredActionsClient({
+        internalSavedObjectsRepository,
+        unsecuredActionsClientAccessRegistry: this.unsecuredActionsClientAccessRegistry!,
+        executionEnqueuer: createBulkUnsecuredExecutionEnqueuerFunction({
+          taskManager: plugins.taskManager,
+          connectorTypeRegistry: actionTypeRegistry!,
+          preconfiguredConnectors: preconfiguredActions,
+        }),
+      });
+    };
+
     // Ensure the public API cannot be used to circumvent authorization
     // using our legacy exemption mechanism by passing in a legacy SO
     // as authorizationContext which would then set a Legacy AuthorizationMode
@@ -532,6 +560,7 @@ export class ActionsPlugin implements Plugin<PluginSetupContract, PluginStartCon
         return instantiateAuthorization(request);
       },
       getActionsClientWithRequest: secureGetActionsClientWithRequest,
+      getUnsecuredActionsClient,
       preconfiguredActions,
       renderActionParameterTemplates: (...args) =>
         renderActionParameterTemplates(actionTypeRegistry, ...args),

x-pack/plugins/actions/server/unsecured_actions_client/unsecured_actions_client.ts

@@ -0,0 +1,44 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ISavedObjectsRepository } from '@kbn/core/server';
+import { UnsecuredActionsClientAccessRegistry } from './unsecured_actions_client_access_registry';
+import {
+  BulkUnsecuredExecutionEnqueuer,
+  ExecuteOptions,
+} from '../create_unsecured_execute_function';
+
+export interface UnsecuredActionsClientOpts {
+  unsecuredActionsClientAccessRegistry: UnsecuredActionsClientAccessRegistry;
+  internalSavedObjectsRepository: ISavedObjectsRepository;
+  executionEnqueuer: BulkUnsecuredExecutionEnqueuer<void>;
+}
+
+export class UnsecuredActionsClient {
+  private readonly unsecuredActionsClientAccessRegistry: UnsecuredActionsClientAccessRegistry;
+  private readonly internalSavedObjectsRepository: ISavedObjectsRepository;
+  private readonly executionEnqueuer: BulkUnsecuredExecutionEnqueuer<void>;
+
+  constructor(params: UnsecuredActionsClientOpts) {
+    this.unsecuredActionsClientAccessRegistry = params.unsecuredActionsClientAccessRegistry;
+    this.executionEnqueuer = params.executionEnqueuer;
+    this.internalSavedObjectsRepository = params.internalSavedObjectsRepository;
+  }
+
+  public async bulkEnqueueExecution(
+    requesterId: string,
+    actionsToExecute: ExecuteOptions[]
+  ): Promise<void> {
+    // Check that requesterId is allowed
+    if (!this.unsecuredActionsClientAccessRegistry.has(requesterId)) {
+      throw new Error(
+        `${requesterId} feature is not registered for UnsecuredActionsClient access.`
+      );
+    }
+    return this.executionEnqueuer(this.internalSavedObjectsRepository, actionsToExecute);
+  }
+}