Add multiple namespaces support to PIT search and finder

src/core/server/saved_objects/service/lib/point_in_time_finder.ts

@@ -139,7 +139,9 @@ export class PointInTimeFinder<T = unknown, A = unknown>
 
   private async open() {
     try {
-      const { id } = await this.#client.openPointInTimeForType(this.#findOptions.type);
+      const { id } = await this.#client.openPointInTimeForType(this.#findOptions.type, {
+        namespaces: this.#findOptions.namespaces,
+      });
       this.#pitId = id;
       this.#open = true;
     } catch (e) {

src/core/server/saved_objects/service/lib/repository.ts

@@ -1863,9 +1863,36 @@ export class SavedObjectsRepository {
    */
   async openPointInTimeForType(
     type: string | string[],
-    { keepAlive = '5m', preference }: SavedObjectsOpenPointInTimeOptions = {}
+    {
+      keepAlive = '5m',
+      preference,
+      namespaces,
+      typeToNamespacesMap,
+    }: SavedObjectsOpenPointInTimeOptions = {}
   ): Promise<SavedObjectsOpenPointInTimeResponse> {
-    const types = Array.isArray(type) ? type : [type];
+    if (!type && !typeToNamespacesMap) {
+      throw SavedObjectsErrorHelpers.createBadRequestError(
+        'options.type must be a string or an array of strings'
+      );
+    } else if (namespaces?.length === 0 && !typeToNamespacesMap) {
+      throw SavedObjectsErrorHelpers.createBadRequestError(
+        'options.namespaces cannot be an empty array'
+      );
+    } else if (type && typeToNamespacesMap) {
+      throw SavedObjectsErrorHelpers.createBadRequestError(
+        'options.type must be an empty string when options.typeToNamespacesMap is used'
+      );
+    } else if ((!namespaces || namespaces?.length) && typeToNamespacesMap) {
+      throw SavedObjectsErrorHelpers.createBadRequestError(
+        'options.namespaces must be an empty array when options.typeToNamespacesMap is used'
+      );
+    }
+
+    const types = type
+      ? Array.isArray(type)
+        ? type
+        : [type]
+      : Array.from(typeToNamespacesMap!.keys());
     const allowedTypes = types.filter((t) => this._allowedTypes.includes(t));
     if (allowedTypes.length === 0) {
       throw SavedObjectsErrorHelpers.createGenericNotFoundError();

src/core/server/saved_objects/service/saved_objects_client.ts

@@ -334,7 +334,7 @@ export interface SavedObjectsResolveResponse<T = unknown> {
 /**
  * @public
  */
-export interface SavedObjectsOpenPointInTimeOptions extends SavedObjectsBaseOptions {
+export interface SavedObjectsOpenPointInTimeOptions {
   /**
    * Optionally specify how long ES should keep the PIT alive until the next request. Defaults to `5m`.
    */
@@ -343,6 +343,18 @@ export interface SavedObjectsOpenPointInTimeOptions extends SavedObjectsBaseOpti
    * An optional ES preference value to be used for the query.
    */
   preference?: string;
+  /**
+   * An optional list of namespaces to be used by the PIT.
+   */
+  namespaces?: string[];
+  /**
+   * This map defines each type to search for, and the namespace(s) to search for the type in; this is only intended to be used by a saved
+   * object client wrapper.
+   * If this is defined, it supersedes the `type` and `namespaces` fields when building the Elasticsearch query.
+   * Any types that are not included in this map will be excluded entirely.
+   * If a type is included but its value is undefined, the operation will search for that type in the Default namespace.
+   */
+  typeToNamespacesMap?: Map<string, string[] | undefined>;
 }
 
 /**

x-pack/plugins/security/server/saved_objects/secure_saved_objects_client_wrapper.ts

@@ -29,7 +29,7 @@ import type {
   SavedObjectsUpdateOptions,
 } from 'src/core/server';
 
-import { SavedObjectsUtils } from '../../../../../src/core/server';
+import { SavedObjectsErrorHelpers, SavedObjectsUtils } from '../../../../../src/core/server';
 import { ALL_SPACES_ID, UNKNOWN_SPACE } from '../../common/constants';
 import type { AuditLogger, SecurityAuditLogger } from '../audit';
 import { SavedObjectAction, savedObjectEvent } from '../audit';
@@ -54,6 +54,7 @@ interface SecureSavedObjectsClientWrapperOptions {
   baseClient: SavedObjectsClientContract;
   errors: SavedObjectsClientContract['errors'];
   checkSavedObjectsPrivilegesAsCurrentUser: CheckSavedObjectsPrivileges;
+
   getSpacesService(): SpacesService | undefined;
 }
 
@@ -75,10 +76,12 @@ interface LegacyEnsureAuthorizedResult {
   status: 'fully_authorized' | 'partially_authorized' | 'unauthorized';
   typeMap: Map<string, LegacyEnsureAuthorizedTypeResult>;
 }
+
 interface LegacyEnsureAuthorizedTypeResult {
   authorizedSpaces: string[];
   isGloballyAuthorized?: boolean;
 }
+
 export class SecureSavedObjectsClientWrapper implements SavedObjectsClientContract {
   private readonly actions: Actions;
   private readonly legacyAuditLogger: PublicMethodsOf<SecurityAuditLogger>;
@@ -236,11 +239,6 @@ export class SecureSavedObjectsClientWrapper implements SavedObjectsClientContra
         `_find across namespaces is not permitted when the Spaces plugin is disabled.`
       );
     }
-    if (options.pit && Array.isArray(options.namespaces) && options.namespaces.length > 1) {
-      throw this.errors.createBadRequestError(
-        '_find across namespaces is not permitted when using the `pit` option.'
-      );
-    }
 
     const args = { options };
     const { status, typeMap } = await this.legacyEnsureAuthorized(
@@ -508,32 +506,52 @@ export class SecureSavedObjectsClientWrapper implements SavedObjectsClientContra
     type: string | string[],
     options: SavedObjectsOpenPointInTimeOptions
   ) {
-    try {
-      const args = { type, options };
-      await this.legacyEnsureAuthorized(type, 'open_point_in_time', options?.namespace, {
+    const args = { type, options };
+    const { status, typeMap } = await this.legacyEnsureAuthorized(
+      type,
+      'open_point_in_time',
+      options?.namespaces,
+      {
         args,
         // Partial authorization is acceptable in this case because this method is only designed
         // to be used with `find`, which already allows for partial authorization.
         requireFullAuthorization: false,
-      });
-    } catch (error) {
+      }
+    );
+
+    if (status === 'unauthorized') {
       this.auditLogger.log(
         savedObjectEvent({
           action: SavedObjectAction.OPEN_POINT_IN_TIME,
-          error,
+          error: new Error(status),
         })
       );
-      throw error;
+      throw SavedObjectsErrorHelpers.decorateForbiddenError(new Error(status));
     }
 
+    const typeToNamespacesMap = Array.from(typeMap).reduce<Map<string, string[] | undefined>>(
+      (acc, [currentType, { authorizedSpaces, isGloballyAuthorized }]) =>
+        isGloballyAuthorized
+          ? acc.set(currentType, options.namespaces)
+          : acc.set(currentType, authorizedSpaces),
+      new Map()
+    );
+
     this.auditLogger.log(
       savedObjectEvent({
         action: SavedObjectAction.OPEN_POINT_IN_TIME,
         outcome: 'unknown',
       })
     );
 
-    return await this.baseClient.openPointInTimeForType(type, options);
+    return await this.baseClient.openPointInTimeForType(
+      status === 'partially_authorized' ? '' : type, // if the user is partially authorized, type must be an empty string to use typeToNamespacesMap instead
+      {
+        ...options,
+        typeToNamespacesMap: undefined, // if the user is fully authorized, use `undefined` as the typeToNamespacesMap to prevent privilege escalation
+        ...(status === 'partially_authorized' && { typeToNamespacesMap, namespaces: [] }), // the repository requires that `type` and `namespaces` must be empty if `typeToNamespacesMap` is defined
+      }
+    );
   }
 
   public async closePointInTime(id: string, options?: SavedObjectsClosePointInTimeOptions) {

x-pack/plugins/spaces/server/saved_objects/spaces_saved_objects_client.ts

@@ -30,7 +30,7 @@ import type {
   SavedObjectsUpdateOptions,
 } from 'src/core/server';
 
-import { SavedObjectsUtils } from '../../../../../src/core/server';
+import { SavedObjectsErrorHelpers, SavedObjectsUtils } from '../../../../../src/core/server';
 import { ALL_SPACES_ID } from '../../common/constants';
 import { spaceIdToNamespace } from '../lib/utils/namespace';
 import type { ISpacesClient } from '../spaces_client';
@@ -177,30 +177,19 @@ export class SpacesSavedObjectsClient implements SavedObjectsClientContract {
   public async find<T = unknown, A = unknown>(options: SavedObjectsFindOptions) {
     throwErrorIfNamespaceSpecified(options);
 
-    let namespaces = options.namespaces;
-    if (namespaces) {
-      try {
-        const availableSpaces = await this.spacesClient.getAll({ purpose: 'findSavedObjects' });
-        if (namespaces.includes(ALL_SPACES_ID)) {
-          namespaces = availableSpaces.map((space) => space.id);
-        } else {
-          namespaces = namespaces.filter((namespace) =>
-            availableSpaces.some((space) => space.id === namespace)
-          );
-        }
-        if (namespaces.length === 0) {
-          // return empty response, since the user is unauthorized in this space (or these spaces), but we don't return forbidden errors for `find` operations
-          return SavedObjectsUtils.createEmptyFindResponse<T, A>(options);
-        }
-      } catch (err) {
-        if (Boom.isBoom(err) && err.output.payload.statusCode === 403) {
-          // return empty response, since the user is unauthorized in any space, but we don't return forbidden errors for `find` operations
-          return SavedObjectsUtils.createEmptyFindResponse<T, A>(options);
-        }
-        throw err;
+    let namespaces: string[];
+    try {
+      namespaces = await this.getSearchableSpaces(options.namespaces);
+    } catch (err) {
+      if (Boom.isBoom(err) && err.output.payload.statusCode === 403) {
+        // return empty response, since the user is unauthorized in any space, but we don't return forbidden errors for `find` operations
+        return SavedObjectsUtils.createEmptyFindResponse<T, A>(options);
       }
-    } else {
-      namespaces = [this.spaceId];
+      throw err;
+    }
+    if (namespaces.length === 0) {
+      // return empty response, since the user is unauthorized in this space (or these spaces), but we don't return forbidden errors for `find` operations
+      return SavedObjectsUtils.createEmptyFindResponse<T, A>(options);
     }
 
     return await this.client.find<T, A>({
@@ -212,6 +201,21 @@ export class SpacesSavedObjectsClient implements SavedObjectsClientContract {
     });
   }
 
+  private async getSearchableSpaces(namespaces?: string[]): Promise<string[]> {
+    if (namespaces) {
+      const availableSpaces = await this.spacesClient.getAll({ purpose: 'findSavedObjects' });
+      if (namespaces.includes(ALL_SPACES_ID)) {
+        return availableSpaces.map((space) => space.id);
+      } else {
+        return namespaces.filter((namespace) =>
+          availableSpaces.some((space) => space.id === namespace)
+        );
+      }
+    } else {
+      return [this.spaceId];
+    }
+  }
+
   /**
    * Returns an array of objects by id
    *
@@ -397,9 +401,16 @@ export class SpacesSavedObjectsClient implements SavedObjectsClientContract {
     options: SavedObjectsOpenPointInTimeOptions = {}
   ) {
     throwErrorIfNamespaceSpecified(options);
+
+    const namespaces = await this.getSearchableSpaces(options.namespaces);
+    if (namespaces.length === 0) {
+      // throw bad request if no valid spaces were found.
+      throw SavedObjectsErrorHelpers.createBadRequestError();
+    }
+
     return await this.client.openPointInTimeForType(type, {
       ...options,
-      namespace: spaceIdToNamespace(this.spaceId),
+      namespaces,
     });
   }