Add reporting_user feature for reserved set of privileges (elastic#231533)

## Summary

We want to switch the reserved `reporting_user` role to use a "reserved
privilege definition" and uses just that privilege. This PR satisfies
the Kibana requirements. There is a corresponding Elasticsearch PR:
elastic/elasticsearch#132766

## Testing
**NOTE: PNG/PDF reporting requires a Trial, or Gold+ license**

1. Create `test_reporting_user` role

    ```
    POST /_security/role/test_reporting_user
    {
        "cluster": [],
        "indices": [],
        "application": [{
            "application": "kibana-*",
            "privileges": ["reserved_reporting_user"],
            "resources": ["*"]
        }]
    }
    ```

2. Create `test_analyst_user` role

    ```
    POST /_security/role/test_analyst_user
    {
        "cluster": [],
        "indices": [
            {
            "names": ["kibana_sample_*"],
            "privileges": ["all"],
            "field_security": {
                "grant": ["*"],
                "except": []
            },
            "allow_restricted_indices": false
            }
        ],
        "applications": [
            {
            "application": "kibana-.kibana",
            "privileges": [
                "feature_discover_v2.read",
                "feature_dashboard_v2.read",
                "feature_canvas.read",
                "feature_visualize_v2.read"
            ],
            "resources": ["space:default"]
            }
        ],
        "run_as": [],
        "metadata": {},
        "transient_metadata": {
            "enabled": true
        }
    }
    ```

3. Create a test user with just those two roles. Install sample data.
Log in using the new test user.
4. Test cases

    | App | Reporting feature
    |-|-
    | Dashboard | PDF, PNG, CSV (from saved search panel action)
    | Discover | CSV
    | Canvas | PDF
    | Lens | PDF, PNG
| Stack Management | List reports, download reports, view report info,
delete reports

6. As admin, create an additional Space which the test user should not
have access to. Ensure the test user does not have access to those
spaces.
7. Remove the `test_reporting_user` role from the user and ensure they
do not see any Reporting controls in the UI, and can not access Stack
Management > Reporting.

## Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- ~~[ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~
- ~~[ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials~~
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- ~~[ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~
- ~~[ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.~~
- ~~[ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed~~
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.

---------

Co-authored-by: Larry Gregory <[email protected]>
(cherry picked from commit f9be58b)

# Conflicts:
#	src/platform/packages/private/kbn-reporting/public/share/share_context_menu/register_csv_modal_reporting.tsx
#	src/platform/packages/private/kbn-reporting/public/share/share_context_menu/register_pdf_png_modal_reporting.tsx
#	src/platform/test/functional/page_objects/export_page.ts
#	x-pack/platform/plugins/private/reporting/server/plugin.test.ts
#	x-pack/test/api_integration/apis/features/features/features.ts
#	x-pack/test/reporting_api_integration/reporting_and_security/default_reporting_user_role.ts
#	x-pack/test/reporting_api_integration/services/scenarios.ts
#	x-pack/test/reporting_functional/services/scenarios.ts

Author: tsullivan

src/platform/packages/private/kbn-reporting/get_csv_panel_actions/panel_actions/get_csv_panel_action.tsx

@@ -160,8 +160,11 @@ export class ReportingCsvPanelAction implements ActionDefinition<EmbeddableApiCo
     const license = await firstValueFrom(licensing.license$);
     const licenseHasCsvReporting = checkLicense(license.check('reporting', 'basic')).showLinks;
 
+    const capabilities = application.capabilities;
     // NOTE: For historical reasons capability identifier is called `downloadCsv. It can not be renamed.
-    const capabilityHasCsvReporting = application.capabilities.dashboard_v2?.downloadCsv === true;
+    const capabilityHasCsvReporting =
+      capabilities.dashboard_v2?.downloadCsv === true ||
+      capabilities.reportingLegacy?.generateReport === true;
     if (!licenseHasCsvReporting || !capabilityHasCsvReporting) {
       return false;
     }

x-pack/platform/packages/private/security/authorization_core/src/privileges/privileges.ts

@@ -245,6 +245,8 @@ export function privilegesFactory(
           read: [actions.login, ...readActions],
         },
         reserved: features.reduce((acc: Record<string, string[]>, feature: KibanaFeature) => {
+          // Reserved privileges are intentionally not excluded from registration based on their `hidden` attribute.
+          // This is explicitly to support the legacy reporting use case.
           if (feature.reserved) {
             feature.reserved.privileges.forEach((reservedPrivilege) => {
               acc[reservedPrivilege.id] = [

x-pack/platform/plugins/private/canvas/public/services/kibana_services.ts

@@ -45,13 +45,17 @@ export const setKibanaServices = (
   kibanaVersion = initContext.env.packageInfo.version;
 
   coreServices = kibanaCore;
+  const capabilities = kibanaCore.application.capabilities;
   contentManagementService = deps.contentManagement;
   dataService = deps.data;
   dataViewsService = deps.dataViews;
   embeddableService = deps.embeddable;
   expressionsService = deps.expressions;
   presentationUtilService = deps.presentationUtil;
-  reportingService = Boolean(kibanaCore.application.capabilities.canvas?.generatePdf)
+  reportingService = Boolean(
+    capabilities.canvas?.generatePdf === true ||
+      capabilities.reportingLegacy?.generateReport === true
+  )
     ? deps.reporting
     : undefined;
   spacesService = deps.spaces;

x-pack/platform/plugins/private/reporting/server/features.ts

@@ -16,9 +16,10 @@ interface FeatureRegistrationOpts {
 }
 
 export function registerFeatures({ isServerless, features }: FeatureRegistrationOpts) {
-  // Register a 'shell' feature specifically for Serverless. If granted, it will automatically provide access to
-  // reporting capabilities in other features, such as Discover, Dashboards, and Visualizations. On its own, this
-  // feature doesn't grant any additional privileges.
+  // Register a 'shell' features for Reporting. On their own, they don't grant specific privileges.
+
+  // Shell feature for Serverless. If granted, it will automatically provide access to
+  // reporting capabilities in other features, such as Discover, Dashboards, and Visualizations.
   if (isServerless) {
     features.registerKibanaFeature({
       id: 'reporting',
@@ -34,6 +35,44 @@ export function registerFeatures({ isServerless, features }: FeatureRegistration
         read: { disabled: true, savedObject: { all: [], read: [] }, ui: [] },
       },
     });
+  } else {
+    // Shell feature for self-managed environments, to be leveraged by a reserved privilege defined
+    // in ES. This grants access to reporting features in a legacy fashion.
+    features.registerKibanaFeature({
+      id: 'reportingLegacy',
+      name: i18n.translate('xpack.reporting.features.reportingLegacyFeatureName', {
+        defaultMessage: 'Reporting Legacy',
+      }),
+      category: DEFAULT_APP_CATEGORIES.management,
+      management: { insightsAndAlerting: ['reporting'] },
+      scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security],
+      hidden: true,
+      app: [],
+      privileges: null,
+      reserved: {
+        description: i18n.translate(
+          'xpack.reporting.features.reportingLegacyFeatureReservedDescription',
+          {
+            defaultMessage:
+              'Reserved for use by the Reporting plugin. This feature is used to grant access to Reporting capabilities in a legacy manner.',
+          }
+        ),
+        privileges: [
+          {
+            id: 'reporting_user',
+            privilege: {
+              excludeFromBasePrivileges: true,
+              app: [],
+              catalogue: [],
+              management: { insightsAndAlerting: ['reporting'] },
+              savedObject: { all: [], read: [] },
+              api: ['generateReport'],
+              ui: ['generateReport'],
+            },
+          },
+        ],
+      },
+    });
   }
 
   features.enableReportingUiCapabilities();

x-pack/platform/plugins/private/reporting/server/plugin.test.ts

@@ -5,13 +5,8 @@
  * 2.0.
  */
 
-import {
-  CoreSetup,
-  CoreStart,
-  DEFAULT_APP_CATEGORIES,
-  Logger,
-  type PackageInfo,
-} from '@kbn/core/server';
+import type { CoreSetup, CoreStart, Logger } from '@kbn/core/server';
+import { DEFAULT_APP_CATEGORIES, type PackageInfo } from '@kbn/core/server';
 import { coreMock, loggingSystemMock } from '@kbn/core/server/mocks';
 import { featuresPluginMock } from '@kbn/features-plugin/server/mocks';
 import { createMockConfigSchema } from '@kbn/reporting-mocks-server';
@@ -25,7 +20,7 @@ import { ReportingPlugin } from './plugin';
 import { createMockPluginSetup, createMockPluginStart } from './test_helpers';
 import type { ReportingSetupDeps } from './types';
 import { ExportTypesRegistry } from '@kbn/reporting-server/export_types_registry';
-import { FeaturesPluginSetup } from '@kbn/features-plugin/server';
+import type { FeaturesPluginSetup } from '@kbn/features-plugin/server';
 
 const sleep = (time: number) => new Promise((r) => setTimeout(r, time));
 

x-pack/platform/plugins/shared/features/common/kibana_feature.ts

@@ -159,6 +159,8 @@ export interface KibanaFeatureConfig {
    * Indicates whether the feature is available as a standalone feature. The feature can still be
    * referenced by other features, but it will not be displayed in any feature management UIs. By default, all features
    * are visible.
+   *
+   * @note This flag is designed for use via configuration overrides, and very select use cases. Please consult prior to use.
    */
   hidden?: boolean;
 

x-pack/platform/plugins/shared/features/server/feature_registry.test.ts

@@ -2030,6 +2030,114 @@ describe('FeatureRegistry', () => {
       );
     });
 
+    it('allows reserved features to be hidden', () => {
+      const feature: KibanaFeatureConfig = {
+        id: 'test-feature',
+        name: 'Test Feature',
+        app: [],
+        category: { id: 'foo', label: 'foo' },
+        privileges: null,
+        hidden: true,
+        reserved: {
+          description: 'my reserved privileges',
+          privileges: [
+            {
+              id: 'a_reserved_1',
+              privilege: {
+                savedObject: {
+                  all: [],
+                  read: [],
+                },
+                ui: [],
+                app: [],
+              },
+            },
+          ],
+        },
+      };
+
+      const featureRegistry = new FeatureRegistry();
+      expect(() => featureRegistry.registerKibanaFeature(feature)).not.toThrowError();
+    });
+
+    it('does not allow features with both regular and reserved privileges to be hidden', () => {
+      const feature: KibanaFeatureConfig = {
+        id: 'test-feature',
+        name: 'Test Feature',
+        app: [],
+        category: { id: 'foo', label: 'foo' },
+        privileges: {
+          all: {
+            savedObject: {
+              all: [],
+              read: [],
+            },
+            ui: [],
+          },
+          read: {
+            savedObject: {
+              all: [],
+              read: [],
+            },
+            ui: [],
+          },
+        },
+        hidden: true,
+        reserved: {
+          description: 'my reserved privileges',
+          privileges: [
+            {
+              id: 'a_reserved_1',
+              privilege: {
+                savedObject: {
+                  all: [],
+                  read: [],
+                },
+                ui: [],
+                app: [],
+              },
+            },
+          ],
+        },
+      };
+
+      const featureRegistry = new FeatureRegistry();
+      expect(() =>
+        featureRegistry.registerKibanaFeature(feature)
+      ).toThrowErrorMatchingInlineSnapshot(`"Feature test-feature cannot be hidden."`);
+    });
+
+    it('does not allow features with regular privileges to be hidden', () => {
+      const feature: KibanaFeatureConfig = {
+        id: 'test-feature',
+        name: 'Test Feature',
+        app: [],
+        category: { id: 'foo', label: 'foo' },
+        privileges: {
+          all: {
+            savedObject: {
+              all: [],
+              read: [],
+            },
+            ui: [],
+          },
+          read: {
+            savedObject: {
+              all: [],
+              read: [],
+            },
+            ui: [],
+          },
+        },
+        hidden: true,
+      };
+
+      const featureRegistry = new FeatureRegistry();
+      expect(() =>
+        featureRegistry.registerKibanaFeature(feature)
+      ).toThrowErrorMatchingInlineSnapshot(`"Feature test-feature cannot be hidden."`);
+    });
+
     it('allows independent sub-feature privileges to register a minimumLicense', () => {
       const feature1: KibanaFeatureConfig = {
         id: 'test-feature',

x-pack/platform/plugins/shared/features/server/feature_schema.ts

@@ -217,7 +217,7 @@ const kibanaSubFeatureSchema = schema.object({
   ),
 });
 
-// NOTE: This schema intentionally omits the `composedOf` and `hidden` properties to discourage consumers from using
+// NOTE: This schema intentionally omits the `composedOf` property to discourage consumers from using
 // them during feature registration. This is because these properties should only be set via configuration overrides.
 const kibanaFeatureSchema = schema.object({
   id: schema.string({
@@ -233,6 +233,9 @@ const kibanaFeatureSchema = schema.object({
   name: schema.string(),
   category: appCategorySchema,
   scope: schema.maybe(schema.arrayOf(schema.string(), { minSize: 1 })),
+  // The hidden flag is only supported for explicit configuration for features with reserved privileges.
+  // All other usages are via configuration overrides.
+  hidden: schema.maybe(schema.boolean()),
   description: schema.maybe(schema.string()),
   order: schema.maybe(schema.number()),
   excludeFromBasePrivileges: schema.maybe(schema.boolean()),
@@ -322,6 +325,14 @@ const elasticsearchFeatureSchema = schema.object({
 export function validateKibanaFeature(feature: KibanaFeatureConfig) {
   kibanaFeatureSchema.validate(feature);
 
+  // The `hidden` attribute is ONLY permitted for features with reserved privileges, AND without normal privileges.
+  // The original intent of the hidden flag was to support serverless configuration overrides. There is now (>=9.0) an additional,
+  // maybe temporary use case for the legacy reporting authorization mode, which registers as a reserved privilege.
+  const { hidden, privileges, reserved } = feature;
+  if (hidden && (privileges !== null || typeof reserved === 'undefined')) {
+    throw new Error(`Feature ${feature.id} cannot be hidden.`);
+  }
+
   const unknownScopesEntries = difference(feature.scope ?? [], Object.values(KibanaFeatureScope));
 
   if (unknownScopesEntries.length) {

x-pack/platform/plugins/shared/spaces/public/management/components/enabled_features/__snapshots__/enabled_features.test.tsx.snap

@@ -32,6 +32,15 @@ const features: KibanaFeatureConfig[] = [
     category: DEFAULT_APP_CATEGORIES.kibana,
     privileges: null,
   },
+  {
+    id: 'feature-3',
+    name: 'Feature 3 (hidden)',
+    hidden: true,
+    scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security],
+    app: [],
+    category: DEFAULT_APP_CATEGORIES.kibana,
+    privileges: null,
+  },
 ];
 
 describe('EnabledFeatures', () => {