[Security Solution][Navigation] Distinguish between unavailable and unauthorized (elastic#220552)

## Summary

Implements different behaviour for unavailable vs unauthorised links.

### Challenge

In serverless, the application links implementation did not discriminate
between these 2 scenarios:

- **unavailable**: The link can not be accessed because it's not
available in the current payment plan (aka PLI scenario)
- **unauthorized**: The link can not be accessed because the user does
not have sufficient privileges (aka RBAC scenario)

This happened because, in serverless, both scenarios are checked via
`capabilities`, the behaviour for when the capabilities check did not
pass was delegated to the components, so we were always doing the same
fallback (show no privilege page or redirect to landing) for both
scenarios.

This is a problem for links that need to do different things in each
scenario.

### Proposal

The capability check is split to discriminate between both scenarios,
and a new computed property is introduced: `unavailable`.

Example with `securitySolutionAttackDiscovery` feature:

- When all conditions are met, PLI is enabled, and the user has the
right privileges, the capabilities are `true`:

![true](https://github.com/user-attachments/assets/5fc37b34-07e3-456c-a503-987d838d89ce)

- When we are in the RBAC scenario, where the user role does not have
the required privileges, the relevant capabilities are `false`:

![false](https://github.com/user-attachments/assets/f2352335-0105-4b3e-a79f-e1898b727a6d)

- In the disabled PLI scenario, the capabilities do not even exist,
because they were not registered in the Kibana feature privileges:

![missing](https://github.com/user-attachments/assets/e804e007-a7bf-4247-a254-58b378cc5409)


We can distinguish between these scenarios and act accordingly,
consistently across the app, without relying on each route component
decision (`redirectOnMissing` prop).

### Scenarios

- **Available and authorized**: 
  - left nav: shown
  - global search: shown
  - content: the page

Serverless

![ok_serverless](https://github.com/user-attachments/assets/2e5e8fe8-62cd-4512-807b-28f9743b4ac4)

Classic

![ok_classic](https://github.com/user-attachments/assets/824918bc-99d6-4851-8f5d-37da32b2c290)

- **Unauthorized**:
  - left nav: hidden
  - global search: hidden
- content: the generic _NoPrivilege_ page. Before this PR, we were
sometimes redirecting to the landing page (when using the
`redirectOnMissing` flag).

Serverless

![NoPrivilege_serverless](https://github.com/user-attachments/assets/3a0866d5-cee9-4ab5-b9be-7c299eaab06b)

Classic

![NoPrivilege_ess](https://github.com/user-attachments/assets/3e32bbec-7a9d-41b0-a376-d7c08be64a51)

- **Unavailable**: When the links needs a higher the payment plan
  - **With Upselling**: (same behaviour)
    - left nav: shown
    - global search: hidden
    - content: the registered upselling component

Serverless

![upselling_serverless](https://github.com/user-attachments/assets/db98ca03-0e2b-464b-9dac-750eaeee4981)

Classic

![upselling_ess](https://github.com/user-attachments/assets/3c9518da-9eaf-4e35-a9bc-439dc39953da)

  - **Without Upselling**:     
    - left nav: hidden
    - global search: hidden
- content: redirects to the landing page. Before this PR, we were
sometimes showing the _NoPrivilege_ page (when the `redirectOnMissing`
flag was missing).

Serverless

![no_upselling_serverless](https://github.com/user-attachments/assets/b73853ba-8a9c-4b5e-90a2-d76ca9ee5e6d)

Classic

![no_upselling_ess](https://github.com/user-attachments/assets/587b7562-9a5a-4903-992d-ad634ba8f83e)

---------

Co-authored-by: Elastic Machine <[email protected]>
Co-authored-by: kibanamachine <[email protected]>

Author: 3 people

x-pack/solutions/security/plugins/security_solution/public/app/links/application_links_updater.test.ts

@@ -10,19 +10,23 @@ import {
   type ApplicationLinksUpdateParams,
 } from './application_links_updater';
 import type { AppLinkItems, LinkItem } from '../../common/links/types';
-import { hasCapabilities as mockHasCapabilities } from '../../common/lib/capabilities';
+import { hasCapabilities, existCapabilities } from '../../common/lib/capabilities';
 import type { Capabilities, IUiSettingsClient } from '@kbn/core/public';
 import type { ExperimentalFeatures, SecurityPageName } from '../../../common';
 import type { ILicense } from '@kbn/licensing-plugin/public';
 import type { UpsellingService } from '@kbn/security-solution-upselling/service';
 
 jest.mock('../../common/lib/capabilities', () => ({
   hasCapabilities: jest.fn(),
+  existCapabilities: jest.fn(),
 }));
 
+const mockHasCapabilities = hasCapabilities as jest.Mock;
+const mockExistCapabilities = existCapabilities as jest.Mock;
+
 // Allow access to private method just for testing
 const appLinks = applicationLinksUpdater as unknown as {
-  filterAppLinks: (links: AppLinkItems, params: ApplicationLinksUpdateParams) => LinkItem[];
+  processAppLinks: (links: AppLinkItems, params: ApplicationLinksUpdateParams) => LinkItem[];
 };
 
 const link: LinkItem = {
@@ -31,7 +35,7 @@ const link: LinkItem = {
   title: 'Test',
 };
 
-describe('ApplicationLinks - filterAppLinks', () => {
+describe('ApplicationLinksUpdater', () => {
   const createMockParams = (
     overrides: Partial<ApplicationLinksUpdateParams> = {}
   ): ApplicationLinksUpdateParams => ({
@@ -51,115 +55,129 @@ describe('ApplicationLinks - filterAppLinks', () => {
 
   beforeEach(() => {
     jest.clearAllMocks();
+
+    mockHasCapabilities.mockReturnValue(true);
+    mockExistCapabilities.mockReturnValue(true);
   });
 
-  it('should include a link when all links are allowed', () => {
-    (mockHasCapabilities as jest.Mock).mockReturnValue(true);
+  describe('processAppLinks', () => {
+    it('should include a link when all links are allowed', () => {
+      const params = createMockParams();
+      const result = appLinks.processAppLinks([link], params);
 
-    const params = createMockParams();
-    const result = appLinks.filterAppLinks([link], params);
+      expect(result).toEqual([link]);
+    });
 
-    expect(result).toEqual([link]);
-  });
+    it('should exclude a link when capabilities do not exist and not upsellable', () => {
+      mockExistCapabilities.mockReturnValue(false);
 
-  it('should exclude a link when capabilities are not met and not upsellable', () => {
-    (mockHasCapabilities as jest.Mock).mockReturnValue(false);
+      const links: AppLinkItems = [{ ...link, capabilities: ['admin'] }];
 
-    const links: AppLinkItems = [{ ...link, capabilities: ['admin'] }];
+      const params = createMockParams();
+      const result = appLinks.processAppLinks(links, params);
 
-    const params = createMockParams();
-    const result = appLinks.filterAppLinks(links, params);
+      expect(result).toEqual([]);
+    });
 
-    expect(result).toEqual([]);
-  });
+    it('should mark link as unavailable when capabilities do not exist and it is upsellable', () => {
+      mockExistCapabilities.mockReturnValue(false);
+
+      const links: AppLinkItems = [{ ...link, capabilities: ['advanced_access'] }];
 
-  it('should mark a link as unauthorized if upsellable but capabilities fail', () => {
-    (mockHasCapabilities as jest.Mock).mockReturnValue(false);
+      const params = createMockParams({
+        upselling: { isPageUpsellable: jest.fn(() => true) } as unknown as UpsellingService,
+      });
 
-    const links: AppLinkItems = [{ ...link, capabilities: ['advanced_access'] }];
+      const result = appLinks.processAppLinks(links, params);
 
-    const params = createMockParams({
-      upselling: { isPageUpsellable: jest.fn(() => true) } as unknown as UpsellingService,
+      expect(result).toEqual([expect.objectContaining({ ...link, unavailable: true })]);
     });
 
-    const result = appLinks.filterAppLinks(links, params);
+    it('should mark a link as unauthorized if capabilities exist but requirements are not met', () => {
+      mockExistCapabilities.mockReturnValue(true);
+      mockHasCapabilities.mockReturnValue(false);
 
-    expect(result).toEqual([expect.objectContaining({ ...link, unauthorized: true })]);
-  });
+      const links: AppLinkItems = [{ ...link, capabilities: ['advanced_access'] }];
 
-  it('should filter out a link based on uiSettingsClient', () => {
-    (mockHasCapabilities as jest.Mock).mockReturnValue(true);
+      const params = createMockParams({
+        upselling: { isPageUpsellable: jest.fn(() => true) } as unknown as UpsellingService,
+      });
 
-    const links: AppLinkItems = [{ ...link, uiSettingRequired: 'showBeta' }];
+      const result = appLinks.processAppLinks(links, params);
 
-    const params = createMockParams({
-      uiSettingsClient: { get: jest.fn(() => false) } as unknown as IUiSettingsClient,
+      expect(result).toEqual([expect.objectContaining({ ...link, unauthorized: true })]);
     });
 
-    const result = appLinks.filterAppLinks(links, params);
-
-    expect(result).toEqual([]);
-  });
+    it('should filter out a link based on uiSettingsClient', () => {
+      const links: AppLinkItems = [{ ...link, uiSettingRequired: 'showBeta' }];
 
-  it('should filter out links based on experimental features', () => {
-    (mockHasCapabilities as jest.Mock).mockReturnValue(true);
+      const params = createMockParams({
+        uiSettingsClient: { get: jest.fn(() => false) } as unknown as IUiSettingsClient,
+      });
 
-    const links: AppLinkItems = [
-      { ...link, experimentalKey: 'labsEnabled' as keyof ExperimentalFeatures },
-    ];
+      const result = appLinks.processAppLinks(links, params);
 
-    const params = createMockParams({
-      experimentalFeatures: { labsEnabled: false } as unknown as ExperimentalFeatures,
+      expect(result).toEqual([]);
     });
 
-    const result = appLinks.filterAppLinks(links, params);
+    it('should filter out links based on experimental features', () => {
+      const links: AppLinkItems = [
+        { ...link, experimentalKey: 'labsEnabled' as keyof ExperimentalFeatures },
+      ];
 
-    expect(result).toEqual([]);
-  });
+      const params = createMockParams({
+        experimentalFeatures: { labsEnabled: false } as unknown as ExperimentalFeatures,
+      });
+
+      const result = appLinks.processAppLinks(links, params);
 
-  it('should recurse and filter child links', () => {
-    (mockHasCapabilities as jest.Mock).mockImplementation(
-      (caps, required) => required?.includes('read') ?? true
-    );
-
-    const links: AppLinkItems = [
-      {
-        id: 'parent' as SecurityPageName,
-        path: '/app/parent',
-        title: 'Parent',
-        capabilities: ['read'],
-        links: [
-          {
-            id: 'child-1' as SecurityPageName,
-            title: 'Child 1',
-            path: '/app/child-1',
-            capabilities: ['read'],
-          },
-          {
-            id: 'child-2' as SecurityPageName,
-            title: 'Child 2',
-            path: '/app/child-2',
-            capabilities: ['admin'],
-          },
-        ],
-      },
-    ];
-
-    const params = createMockParams({
-      upselling: { isPageUpsellable: jest.fn(() => false) } as unknown as UpsellingService,
+      expect(result).toEqual([]);
     });
 
-    const result = appLinks.filterAppLinks(links, params);
-
-    expect(result).toEqual([
-      expect.objectContaining({
-        id: 'parent',
-        links: [
-          expect.objectContaining({
-            id: 'child-1',
-          }),
-        ],
-      }),
-    ]);
+    it('should recurse and filter child links', () => {
+      mockExistCapabilities.mockImplementation(
+        (_caps, required) => required?.includes('read') ?? true
+      );
+
+      const links: AppLinkItems = [
+        {
+          id: 'parent' as SecurityPageName,
+          path: '/app/parent',
+          title: 'Parent',
+          capabilities: ['read'],
+          links: [
+            {
+              id: 'child-1' as SecurityPageName,
+              title: 'Child 1',
+              path: '/app/child-1',
+              capabilities: ['read'],
+            },
+            {
+              id: 'child-2' as SecurityPageName,
+              title: 'Child 2',
+              path: '/app/child-2',
+              capabilities: ['admin'],
+            },
+          ],
+        },
+      ];
+
+      const params = createMockParams({
+        upselling: { isPageUpsellable: jest.fn(() => false) } as unknown as UpsellingService,
+      });
+
+      const result = appLinks.processAppLinks(links, params);
+
+      expect(result).toEqual([
+        expect.objectContaining({
+          id: 'parent',
+          links: [
+            expect.objectContaining({
+              id: 'child-1',
+            }),
+          ],
+        }),
+      ]);
+    });
   });
 });

x-pack/solutions/security/plugins/security_solution/public/app/links/application_links_updater.ts

@@ -13,7 +13,7 @@ import type { UpsellingService } from '@kbn/security-solution-upselling/service'
 import type { IUiSettingsClient } from '@kbn/core/public';
 import type { ExperimentalFeatures } from '../../../common';
 import type { AppLinkItems, LinkItem, NormalizedLinks } from '../../common/links/types';
-import { hasCapabilities } from '../../common/lib/capabilities';
+import { hasCapabilities, existCapabilities } from '../../common/lib/capabilities';
 
 /**
  * Dependencies to update the application links
@@ -51,9 +51,9 @@ class ApplicationLinksUpdater {
    * Updates the internal app links applying the filter by permissions
    */
   public update(appLinksToUpdate: AppLinkItems, params: ApplicationLinksUpdateParams) {
-    const filteredAppLinks = this.filterAppLinks(appLinksToUpdate, params);
-    this.linksSubject$.next(Object.freeze(filteredAppLinks));
-    this.normalizedLinksSubject$.next(Object.freeze(this.getNormalizedLinks(filteredAppLinks)));
+    const processedAppLinks = this.processAppLinks(appLinksToUpdate, params);
+    this.linksSubject$.next(Object.freeze(processedAppLinks));
+    this.normalizedLinksSubject$.next(Object.freeze(this.getNormalizedLinks(processedAppLinks)));
   }
 
   /**
@@ -92,36 +92,54 @@ class ApplicationLinksUpdater {
   /**
    * Filters the app links based on the links configuration
    */
-  private filterAppLinks(appLinks: AppLinkItems, params: ApplicationLinksUpdateParams): LinkItem[] {
+  private processAppLinks(
+    appLinks: AppLinkItems,
+    params: ApplicationLinksUpdateParams,
+    inheritedProps: Partial<LinkItem> = {}
+  ): LinkItem[] {
     const { experimentalFeatures, uiSettingsClient, capabilities, license, upselling } = params;
 
-    return appLinks.reduce<LinkItem[]>((acc, { links, ...appLinkInfo }) => {
+    return appLinks.reduce<LinkItem[]>((acc, appLink) => {
+      const { links, ...link } = appLink;
+      // Check experimental flags and uiSettings, removing the link if any of them is defined and disabled
       if (
-        !this.isLinkExperimentalKeyAllowed(appLinkInfo, experimentalFeatures) ||
-        !this.isLinkUiSettingsAllowed(appLinkInfo, uiSettingsClient)
+        !this.isLinkExperimentalKeyAllowed(link, experimentalFeatures) ||
+        !this.isLinkUiSettingsAllowed(link, uiSettingsClient)
       ) {
         return acc;
       }
 
+      // Extra props to be assigned to the current link and its children
+      const extraProps: Partial<LinkItem> = { ...inheritedProps };
+
+      // Check link availability
       if (
-        !hasCapabilities(capabilities, appLinkInfo.capabilities) ||
-        !this.isLinkLicenseAllowed(appLinkInfo, license)
+        !existCapabilities(capabilities, link.capabilities) ||
+        !this.isLinkLicenseAllowed(link, license)
       ) {
-        if (upselling.isPageUpsellable(appLinkInfo.id)) {
-          acc.push({ ...appLinkInfo, unauthorized: true });
+        // The link is not available in the current product payment plan
+        if (!upselling.isPageUpsellable(link.id)) {
+          return acc; // no upselling registered for this link, just exclude it
         }
-        return acc; // not adding sub-links for links that are not authorized
+        extraProps.unavailable = true;
+
+        // Check link authorization only if it is available
+      } else if (!hasCapabilities(capabilities, link.capabilities)) {
+        // Required capabilities exist but are not granted
+        extraProps.unauthorized = true;
       }
 
-      const resultAppLink: LinkItem = appLinkInfo;
+      const processedAppLink: LinkItem = { ...link, ...extraProps };
+
+      // Process children links if they exist
       if (links) {
-        const childrenLinks = this.filterAppLinks(links, params);
+        const childrenLinks = this.processAppLinks(links, params, extraProps);
         if (childrenLinks.length > 0) {
-          resultAppLink.links = childrenLinks;
+          processedAppLink.links = childrenLinks;
         }
       }
 
-      acc.push(resultAppLink);
+      acc.push(processedAppLink);
       return acc;
     }, []);
   }