[Alerting v2] Consolidate the feature privileges into one place (#270574)

## Summary

This PR prepares the ground for the upcoming RBAC work by making it
easier to configure and add feature privileges that can be used by the
UI and the backend. Also, all API tests were updated to use only the
feature privileges they actually require.

Closes: elastic/rna-program#442
Closes: elastic/rna-program#439

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

Author: cnasikas

x-pack/platform/plugins/shared/alerting_v2/common/feature_privileges.ts

@@ -0,0 +1,207 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type {
+  FeatureKibanaPrivileges,
+  SubFeatureConfig,
+  SubFeaturePrivilegeConfig,
+} from '@kbn/features-plugin/common';
+import { ACTION_POLICY_SAVED_OBJECT_TYPE, RULE_SAVED_OBJECT_TYPE } from './saved_object_types';
+
+type ValueOf<T> = T[keyof T];
+type NestedValueOf<T extends Record<string, Record<string, string>>> = ValueOf<{
+  [K in keyof T]: ValueOf<T[K]>;
+}>;
+
+/**
+ * Single source of truth for alerting_v2 feature ids, API privilege strings,
+ * UI capability keys, and future sub-feature definitions.
+ *
+ * Add all new alerting_v2 privilege strings here and derive from this file.
+ */
+export const ALERTING_V2_API_PRIVILEGES = {
+  rules: {
+    read: 'read-alerting-v2-rules',
+    write: 'write-alerting-v2-rules',
+  },
+  alerts: {
+    read: 'read-alerting-v2-alerts',
+    write: 'write-alerting-v2-alerts',
+  },
+  actionPolicies: {
+    read: 'read-alerting-v2-action-policies',
+    write: 'write-alerting-v2-action-policies',
+  },
+} as const;
+
+/**
+ * Top-level UI capability keys per feature. Each feature owns its own
+ * `all` / `read` capability strings. Granted entries surface at runtime as
+ * `capabilities[featureId][capabilityKey]`. Extend per-feature when a feature
+ * needs additional top-level UI flags beyond the primary read/write split.
+ */
+export const ALERTING_V2_UI_CAPABILITIES = {
+  rules: {
+    all: 'all',
+    read: 'read',
+  },
+  alerts: {
+    all: 'all',
+    read: 'read',
+  },
+  actionPolicies: {
+    all: 'all',
+    read: 'read',
+  },
+} as const;
+
+/**
+ * Sub-feature-only UI capability keys per feature. Add new sub-feature UI
+ * capabilities here (e.g. `alerts: { assignAlert: 'assignAlert' }`) so the
+ * sub-feature privilege schema stays type-checked against the catalog.
+ */
+export const ALERTING_V2_SUB_FEATURE_UI_CAPABILITIES = {
+  rules: {},
+  alerts: {},
+  actionPolicies: {},
+} as const satisfies Record<string, Record<string, string>>;
+
+type AlertingV2ApiPrivilege = NestedValueOf<typeof ALERTING_V2_API_PRIVILEGES>;
+type AlertingV2TopLevelUICapability = NestedValueOf<typeof ALERTING_V2_UI_CAPABILITIES>;
+type AlertingV2SubFeatureUICapability = NestedValueOf<
+  typeof ALERTING_V2_SUB_FEATURE_UI_CAPABILITIES
+>;
+type AlertingV2UICapability = AlertingV2TopLevelUICapability | AlertingV2SubFeatureUICapability;
+
+type AlertingV2FeaturePrivilege = Pick<FeatureKibanaPrivileges, 'api' | 'ui' | 'savedObject'> & {
+  readonly api: readonly AlertingV2ApiPrivilege[];
+  readonly ui: readonly AlertingV2TopLevelUICapability[];
+  readonly savedObject: {
+    readonly all: readonly string[];
+    readonly read: readonly string[];
+  };
+};
+
+type AlertingV2SubFeaturePrivilege = Omit<
+  SubFeaturePrivilegeConfig,
+  'api' | 'ui' | 'savedObject'
+> & {
+  readonly api: readonly AlertingV2ApiPrivilege[];
+  readonly ui: readonly AlertingV2UICapability[];
+  readonly savedObject: {
+    readonly all: readonly string[];
+    readonly read: readonly string[];
+  };
+};
+
+type AlertingV2SubFeature = Omit<SubFeatureConfig, 'privilegeGroups'> & {
+  readonly privilegeGroups: ReadonlyArray<{
+    readonly groupType: 'independent' | 'mutually_exclusive';
+    readonly privileges: readonly AlertingV2SubFeaturePrivilege[];
+  }>;
+};
+
+export interface AlertingV2FeatureDefinition {
+  readonly id: string;
+  readonly name: string;
+  readonly privileges: {
+    readonly all: AlertingV2FeaturePrivilege;
+    readonly read: AlertingV2FeaturePrivilege;
+  };
+  readonly subFeatures: readonly AlertingV2SubFeature[];
+}
+
+export const ALERTING_V2_FEATURES = {
+  rules: {
+    id: 'alerting_v2_rules',
+    name: 'Rules',
+    privileges: {
+      all: {
+        api: [ALERTING_V2_API_PRIVILEGES.rules.read, ALERTING_V2_API_PRIVILEGES.rules.write],
+        ui: [ALERTING_V2_UI_CAPABILITIES.rules.all, ALERTING_V2_UI_CAPABILITIES.rules.read],
+        savedObject: {
+          all: [RULE_SAVED_OBJECT_TYPE],
+          read: [],
+        },
+      },
+      read: {
+        api: [ALERTING_V2_API_PRIVILEGES.rules.read],
+        ui: [ALERTING_V2_UI_CAPABILITIES.rules.read],
+        savedObject: {
+          all: [],
+          read: [RULE_SAVED_OBJECT_TYPE],
+        },
+      },
+    },
+    subFeatures: [] as const,
+  },
+  alerts: {
+    id: 'alerting_v2_alerts',
+    name: 'Alerts',
+    privileges: {
+      all: {
+        api: [ALERTING_V2_API_PRIVILEGES.alerts.read, ALERTING_V2_API_PRIVILEGES.alerts.write],
+        ui: [ALERTING_V2_UI_CAPABILITIES.alerts.all, ALERTING_V2_UI_CAPABILITIES.alerts.read],
+        savedObject: {
+          all: [],
+          read: [],
+        },
+      },
+      read: {
+        api: [ALERTING_V2_API_PRIVILEGES.alerts.read],
+        ui: [ALERTING_V2_UI_CAPABILITIES.alerts.read],
+        savedObject: {
+          all: [],
+          read: [],
+        },
+      },
+    },
+    subFeatures: [] as const,
+  },
+  actionPolicies: {
+    id: 'alerting_v2_action_policies',
+    name: 'Action Policies',
+    privileges: {
+      all: {
+        api: [
+          ALERTING_V2_API_PRIVILEGES.actionPolicies.read,
+          ALERTING_V2_API_PRIVILEGES.actionPolicies.write,
+        ],
+        ui: [
+          ALERTING_V2_UI_CAPABILITIES.actionPolicies.all,
+          ALERTING_V2_UI_CAPABILITIES.actionPolicies.read,
+        ],
+        savedObject: {
+          all: [ACTION_POLICY_SAVED_OBJECT_TYPE],
+          read: [],
+        },
+      },
+      read: {
+        api: [ALERTING_V2_API_PRIVILEGES.actionPolicies.read],
+        ui: [ALERTING_V2_UI_CAPABILITIES.actionPolicies.read],
+        savedObject: {
+          all: [],
+          read: [ACTION_POLICY_SAVED_OBJECT_TYPE],
+        },
+      },
+    },
+    subFeatures: [] as const,
+  },
+} as const satisfies Record<string, AlertingV2FeatureDefinition>;
+
+export type AlertingV2Feature = keyof typeof ALERTING_V2_FEATURES;
+
+type TopLevelUiOf<F extends AlertingV2Feature> =
+  | (typeof ALERTING_V2_FEATURES)[F]['privileges']['all']['ui'][number]
+  | (typeof ALERTING_V2_FEATURES)[F]['privileges']['read']['ui'][number];
+
+type SubFeatureUiOf<F extends AlertingV2Feature> =
+  (typeof ALERTING_V2_FEATURES)[F]['subFeatures'][number]['privilegeGroups'][number]['privileges'][number]['ui'][number];
+
+export type AlertingV2UICapabilityFor<F extends AlertingV2Feature> =
+  | TopLevelUiOf<F>
+  | SubFeatureUiOf<F>;

x-pack/platform/plugins/shared/alerting_v2/common/saved_object_types.ts

@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export const RULE_SAVED_OBJECT_TYPE = 'alerting_rule';
+export const ACTION_POLICY_SAVED_OBJECT_TYPE = 'alerting_action_policy';
+export const API_KEY_PENDING_INVALIDATION_TYPE = 'alerting_api_key_pending_invalidation';

x-pack/platform/plugins/shared/alerting_v2/server/lib/security/privileges.ts

@@ -6,90 +6,54 @@
  */
 
 import type { FeaturesPluginSetup } from '@kbn/features-plugin/server';
+import type { KibanaFeatureConfig } from '@kbn/features-plugin/common';
 import type { AppCategory } from '@kbn/core/types';
 import { APP_ID } from '../constants';
-import { ACTION_POLICY_SAVED_OBJECT_TYPE, RULE_SAVED_OBJECT_TYPE } from '../../saved_objects';
+import {
+  ALERTING_V2_API_PRIVILEGES,
+  ALERTING_V2_FEATURES,
+  type AlertingV2FeatureDefinition,
+} from '../../../common/feature_privileges';
 
-const ALERTS_FEATURE_ID = 'alerting_v2_alerts';
-const RULES_FEATURE_ID = 'alerting_v2_rules';
-const CATEGORY_ID = 'alerting';
-
-export const ALERTING_V2_API_PRIVILEGES = {
-  rules: {
-    read: 'read-alerting-v2-rules',
-    write: 'write-alerting-v2-rules',
-  },
-  alerts: {
-    read: 'read-alerting-v2-alerts',
-    write: 'write-alerting-v2-alerts',
-  },
-  actionPolicies: {
-    read: 'read-alerting-v2-action-policies',
-    write: 'write-alerting-v2-action-policies',
-  },
-} as const;
-
-const ALERTING_V2_SAVED_OBJECT_TYPES = [
-  RULE_SAVED_OBJECT_TYPE,
-  ACTION_POLICY_SAVED_OBJECT_TYPE,
-] as const;
-
-const getPrivileges = () => ({
-  all: {
-    app: [APP_ID],
-    savedObject: {
-      all: [...ALERTING_V2_SAVED_OBJECT_TYPES],
-      read: [],
-    },
-    ui: [],
-    api: [
-      ALERTING_V2_API_PRIVILEGES.rules.read,
-      ALERTING_V2_API_PRIVILEGES.rules.write,
-      ALERTING_V2_API_PRIVILEGES.alerts.read,
-      ALERTING_V2_API_PRIVILEGES.alerts.write,
-      ALERTING_V2_API_PRIVILEGES.actionPolicies.read,
-      ALERTING_V2_API_PRIVILEGES.actionPolicies.write,
-    ],
-  },
-  read: {
-    app: [APP_ID],
-    savedObject: {
-      all: [],
-      read: [...ALERTING_V2_SAVED_OBJECT_TYPES],
-    },
-    ui: [],
-    api: [
-      ALERTING_V2_API_PRIVILEGES.rules.read,
-      ALERTING_V2_API_PRIVILEGES.alerts.read,
-      ALERTING_V2_API_PRIVILEGES.actionPolicies.read,
-    ],
-  },
-});
+export { ALERTING_V2_API_PRIVILEGES };
 
 const category: AppCategory = {
-  id: CATEGORY_ID,
+  id: 'alerting',
   label: 'Alerting',
   order: 1000,
   euiIconType: 'watchesApp',
 };
 
-const alertsFeature = {
-  id: ALERTS_FEATURE_ID,
-  name: 'Alerts',
-  category,
-  app: [APP_ID],
-  privileges: getPrivileges(),
-};
-
-const rulesFeature = {
-  id: RULES_FEATURE_ID,
-  name: 'Rules',
+const buildKibanaFeature = (feature: AlertingV2FeatureDefinition): KibanaFeatureConfig => ({
+  id: feature.id,
+  name: feature.name,
   category,
   app: [APP_ID],
-  privileges: getPrivileges(),
-};
+  privileges: {
+    all: {
+      app: [APP_ID],
+      savedObject: {
+        all: [...feature.privileges.all.savedObject.all],
+        read: [...feature.privileges.all.savedObject.read],
+      },
+      api: [...feature.privileges.all.api],
+      ui: [...feature.privileges.all.ui],
+    },
+    read: {
+      app: [APP_ID],
+      savedObject: {
+        all: [...feature.privileges.read.savedObject.all],
+        read: [...feature.privileges.read.savedObject.read],
+      },
+      api: [...feature.privileges.read.api],
+      ui: [...feature.privileges.read.ui],
+    },
+  },
+  ...(feature.subFeatures.length > 0 ? { subFeatures: [...feature.subFeatures] } : {}),
+});
 
 export const registerFeaturePrivileges = (features: FeaturesPluginSetup) => {
-  features.registerKibanaFeature(alertsFeature);
-  features.registerKibanaFeature(rulesFeature);
+  Object.values(ALERTING_V2_FEATURES).forEach((feature) => {
+    features.registerKibanaFeature(buildKibanaFeature(feature));
+  });
 };

x-pack/platform/plugins/shared/alerting_v2/server/routes/action_policies/create_action_policy_route.ts

@@ -26,7 +26,10 @@ export class CreateActionPolicyRoute extends BaseAlertingRoute {
   static path = `${ALERTING_V2_ACTION_POLICY_API_PATH}`;
   static security: RouteSecurity = {
     authz: {
-      requiredPrivileges: [ALERTING_V2_API_PRIVILEGES.actionPolicies.write],
+      requiredPrivileges: [
+        ALERTING_V2_API_PRIVILEGES.actionPolicies.write,
+        ALERTING_V2_API_PRIVILEGES.rules.read,
+      ],
     },
   };
   static routeOptions = {

x-pack/platform/plugins/shared/alerting_v2/server/routes/action_policies/upsert_action_policy_route.ts

@@ -31,7 +31,10 @@ export class UpsertActionPolicyRoute extends BaseAlertingRoute {
   static path = `${ALERTING_V2_ACTION_POLICY_API_PATH}/{id}`;
   static security: RouteSecurity = {
     authz: {
-      requiredPrivileges: [ALERTING_V2_API_PRIVILEGES.actionPolicies.write],
+      requiredPrivileges: [
+        ALERTING_V2_API_PRIVILEGES.actionPolicies.write,
+        ALERTING_V2_API_PRIVILEGES.rules.read,
+      ],
     },
   };
   static routeOptions = {

x-pack/platform/plugins/shared/alerting_v2/server/routes/suggestions/matcher_data_fields_route.ts

@@ -30,7 +30,7 @@ export class MatcherDataFieldsRoute extends BaseAlertingRoute {
   static path = `${ALERTING_V2_ACTION_POLICY_API_PATH}/suggestions/data_fields`;
   static security: RouteSecurity = {
     authz: {
-      requiredPrivileges: [ALERTING_V2_API_PRIVILEGES.actionPolicies.read],
+      requiredPrivileges: [ALERTING_V2_API_PRIVILEGES.alerts.read],
     },
   };
   static routeOptions = {

x-pack/platform/plugins/shared/alerting_v2/server/routes/suggestions/matcher_value_suggestions_route.ts

@@ -31,8 +31,8 @@ export class MatcherValueSuggestionsRoute extends BaseAlertingRoute {
   static security: RouteSecurity = {
     authz: {
       requiredPrivileges: [
-        ALERTING_V2_API_PRIVILEGES.actionPolicies.read,
         ALERTING_V2_API_PRIVILEGES.rules.read,
+        ALERTING_V2_API_PRIVILEGES.alerts.read,
       ],
     },
   };