From f8b1661937484939a92bc51ed346ad2d05091094 Mon Sep 17 00:00:00 2001
From: SuZhou-Joe
Date: Mon, 28 Aug 2023 14:51:46 +0800
Subject: [PATCH] feat: modify ACL of advanced settings
Signed-off-by: SuZhou-Joe
---
 .../saved_objects/service/lib/repository.ts | 27 +++++++++
 src/plugins/workspace/server/plugin.ts | 55 +++++++++++++++++--
 2 files changed, 78 insertions(+), 4 deletions(-)
diff --git a/src/core/server/saved_objects/service/lib/repository.ts b/src/core/server/saved_objects/service/lib/repository.ts
index fcfe6eed0d91..991ab071ce9d 100644
--- a/src/core/server/saved_objects/service/lib/repository.ts
+++ b/src/core/server/saved_objects/service/lib/repository.ts
@@ -1766,6 +1766,33 @@ export class SavedObjectsRepository {
 };
 }
+ async deleteACL(type: string, id: string): Promise {
+ if (!this._allowedTypes.includes(type)) {
+ throw SavedObjectsErrorHelpers.createGenericNotFoundError(type, id);
+ }
+
+ const { statusCode } = await this.client.update(
+ {
+ id: this._serializer.generateRawId(undefined, type, id),
+ index: this.getIndexForType(type),
+
+ body: {
+ script: {
+ source: "ctx._source.remove('permissions')",
+ },
+ },
+ },
+ { ignore: [404] }
+ );
+
+ if (statusCode === 404) {
+ // see "404s from missing index" above
+ throw SavedObjectsErrorHelpers.createGenericNotFoundError(type, id);
+ }
+
+ return true;
+ }
+
 /**
 * Returns index specified by the given type or the default index
 *
diff --git a/src/plugins/workspace/server/plugin.ts b/src/plugins/workspace/server/plugin.ts
index 8ec28a102563..1fff1553a0f3 100644
--- a/src/plugins/workspace/server/plugin.ts
+++ b/src/plugins/workspace/server/plugin.ts
@@ -35,6 +35,7 @@ export class WorkspacePlugin implements Plugin<{}, {}> {
 private coreStart?: CoreStart;
 private config$: Observable;
 private enabled$: BehaviorSubject = new BehaviorSubject(false);
+ private version: string;
 private get isEnabled() {
 return this.enabled$.getValue();
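Review bot: `deleteACL` in repository.ts has no doc comment although it strips an object's whole `permissions` field, so its contract needs writing down: what a document without `permissions` means to the permission check (if that is "unrestricted", which this hunk does not show, the call is fail-open by design) and which callers are expected to use it. The raw id is built with `generateRawId(undefined, type, id)`, so the namespace is hard-coded and an object of a namespaced type cannot be addressed; either accept a namespace option or state in the comment that only namespace-agnostic types such as `config` are supported. The update is also sent without a `refresh` setting, so a read issued right after the call may still see the old ACL, depending on index defaults. I would add a TSDoc block above the method covering both parameters, the not-found error raised for disallowed types and for a 404, and the `true` return value.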
@@ -63,6 +64,7 @@ export class WorkspacePlugin implements Plugin<{}, {}> {
 constructor(initializerContext: PluginInitializerContext) {
 this.logger = initializerContext.logger.get('plugins', 'workspace');
 this.config$ = initializerContext.config.create();
+ this.version = initializerContext.env.packageInfo.version;
 }
 public async setup(core: CoreSetup) {
@@ -183,12 +185,21 @@ export class WorkspacePlugin implements Plugin<{}, {}> {
 ]);
 }
+ private getInternalRepository() {
+ if (!this.coreStart) {
+ throw new Error('UI setting client can not be found');
+ }
+ const { savedObjects } = this.coreStart as CoreStart;
+
+ return savedObjects.createInternalRepository();
+ }
+
 private async getUISettingClient() {
 if (!this.coreStart) {
 throw new Error('UI setting client can not be found');
 }
- const { uiSettings, savedObjects } = this.coreStart as CoreStart;
- const internalRepository = savedObjects.createInternalRepository();
+ const { uiSettings } = this.coreStart as CoreStart;
+ const internalRepository = this.getInternalRepository();
 const savedObjectClient = new SavedObjectsClient(internalRepository);
 return uiSettings.asScopedToClient(savedObjectClient);
 }
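Review bot: The error thrown by the new `getInternalRepository` reads 'UI setting client can not be found', copied from `getUISettingClient`, while the condition it guards is that `coreStart` is unset, i.e. the helper ran before `start()`. A message such as `throw new Error('Core start contract is not available; getInternalRepository() was called before start()')` would make the log line traceable to the real cause. The `as CoreStart` cast after the guard is redundant, since the check already narrows the type. Because the internal repository is, as far as I know, not scoped to a request user, I would also add a one-line comment above the helper: `// Internal repository: not bound to the requesting user's permissions; use only for plugin-owned bookkeeping.`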
@@ -206,17 +217,53 @@ export class WorkspacePlugin implements Plugin<{}, {}> {
 return workspaceEnabled;
 }
- public start(core: CoreStart) {
+ private async setupUISettinsACL() {
+ const internalRepository = this.getInternalRepository();
+ const CONFIG_TYPE = 'config';
+ try {
+ await internalRepository.get(CONFIG_TYPE, this.version);
+ } catch (e) {
+ try {
+ const uiSettingClient = await this.getUISettingClient();
+ await uiSettingClient.set(FEATURE_FLAG_KEY_IN_UI_SETTING, false);
+ } catch (error: unknown) {
+ if (typeof error === 'string') {
+ this.logger.error(error);
+ } else {
+ this.logger.error(`Something went wrong when setup advanced settings: ${error}`);
+ }
+ }
+ }
+
+ if (this.isEnabled) {
+ const acl = new ACL().addPermission([WorkspacePermissionMode.Read], {
+ users: ['*'],
+ });
+ await internalRepository.update(
+ CONFIG_TYPE,
+ this.version,
+ {},
+ {
+ permissions: acl.getPermissions(),
+ }
+ );
+ } else {
+ await internalRepository.deleteACL(CONFIG_TYPE, this.version);
+ }
+ }
+
+ public async start(core: CoreStart) {
 this.logger.debug('Starting SavedObjects service');
 this.coreStart = core;
- this.setupWorkspaceFeatureFlag();
+ await this.setupWorkspaceFeatureFlag();
 this.enabled$.subscribe((enabled) => {
 if (enabled) {
 this.setupWorkspaces();
 }
+ this.setupUISettinsACL();
 });
 return {
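Review bot: The call `this.setupUISettinsACL();` inside the `enabled$` subscription is neither awaited nor given a `.catch`, and the `internalRepository.update` / `deleteACL` calls at the end of the method sit outside any `try`, so a failed ACL write becomes an unhandled rejection and the config object keeps whatever permissions it had before. The outer `catch (e)` around `internalRepository.get` also treats every failure as "document missing" and goes on to write the feature flag as `false`, so a transient read error can reset the flag; it should do that only for a not-found error, for example via `SavedObjectsErrorHelpers.isNotFoundError`, which would need importing in this file. Because the method re-reads `this.isEnabled` after its awaits, overlapping runs triggered by quick successive emissions can finish out of order; passing `enabled` in as a parameter would tie each run to the emission that started it. The method name is also misspelled (`setupUISettinsACL`), and the body of `start()` continues past the end of this hunk.

```typescript
    } catch (e) {
      // Only a missing config document means first start-up; any other failure
      // must not silently reset the feature flag.
      if (!SavedObjectsErrorHelpers.isNotFoundError(e)) {
        throw e;
      }
      // … unchanged: create the config document through getUISettingClient() …
    }
    // … unchanged: write or remove the ACL depending on this.isEnabled …

    // in start(), inside the enabled$ subscription:
      this.setupUISettinsACL().catch((error: unknown) => {
        this.logger.error(`Failed to update the ACL of advanced settings: ${error}`);
      });
```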