[One Workflow] Tech Debt: use ActionsClient instead of UnsecuredActionsClient when possible (#240726)

_LLM generated description_

⚠️ This PR should be merged only after
#240725 is merged

### Summary
This PR enhances the workflow execution engine to preserve user context
when executing connectors by utilizing the scoped ActionsClient when a
request context is available, while gracefully falling back to the
IUnsecuredActionsClient when no context exists.
### Changes Made
1. Enhanced `ConnectorExecutor` to Support Both Client Types

- Updated constructor to accept either `ActionsClient` (scoped) or
`IUnsecuredActionsClient` (unsecured)
- Added isScoped flag to track which client type is being used
- Refactored connector execution logic to handle both client types:
- Scoped client: Uses actionId parameter and automatically inherits user
permissions and space context
- Unsecured client: Uses id parameter with explicit spaceId and
requesterId
- Extracted resolveConnectorId() method to handle connector name-to-ID
resolution for both client types

2. Updated setup_dependencies.ts to Use Context-Aware Client Selection

- When fakeRequest is available: Calls
actionsPlugin.getActionsClientWithRequest(fakeRequest) to create a
scoped actions client that preserves the original user's context,
permissions, and space
- When fakeRequest is not available: Falls back to
actionsPlugin.getUnsecuredActionsClient()
- **Added TODO comment about potentially disabling connectors completely
when no fakeRequest is available for security considerations**

### Benefits

- Preserves User Context: Connectors executed from workflows now run
with the original user's permissions, improving security and audit
trails
- Better Security: Actions are properly scoped to the user and space,
respecting Kibana's security model
- Backward Compatible: Gracefully falls back to unsecured client when no
request context is available
- Efficient Design: Client selection happens once during setup, not on
every connector execution
- Maintains Clean Architecture: Implementation follows clean code
principles with small, focused functions

Author: talboren

src/platform/plugins/shared/workflows_execution_engine/integration_tests/mocks/actions_plugin.mock.ts

@@ -7,8 +7,10 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
+/* eslint-disable max-classes-per-file */
+
 import type { ActionTypeExecutorResult } from '@kbn/actions-plugin/common';
-import type { IUnsecuredActionsClient } from '@kbn/actions-plugin/server';
+import type { ActionsClient, IUnsecuredActionsClient } from '@kbn/actions-plugin/server';
 import type { ConnectorWithExtraFindData } from '@kbn/actions-plugin/server/application/connector/types';
 
 export const FakeConnectors = {
@@ -50,73 +52,98 @@ export const FakeConnectors = {
   },
 };
 
+async function getMockedConnectorResult(
+  id: string,
+  params: Record<string, any>
+): Promise<ActionTypeExecutorResult<unknown>> {
+  const fakeConnector = Object.values(FakeConnectors).find((c) => c.id === id);
+
+  switch (fakeConnector?.name) {
+    case FakeConnectors.slack1.name:
+    case FakeConnectors.slack2.name: {
+      return {
+        status: 'ok',
+        actionId: id,
+        data: { text: 'ok' },
+      };
+    }
+    case FakeConnectors.echo_inference.name: {
+      return {
+        status: 'ok',
+        actionId: id,
+        data: [
+          {
+            result: params?.text,
+          },
+        ],
+      };
+    }
+    case FakeConnectors.constantlyFailing.name: {
+      throw new Error('Error: Constantly failing connector');
+    }
+    case FakeConnectors.slow_1sec_inference.name: {
+      await new Promise<void>((resolve) => setTimeout(() => resolve(), 1000));
+      return {
+        status: 'ok',
+        actionId: id,
+        data: [
+          {
+            result: 'Hello! How can I help you?',
+          },
+        ],
+      };
+    }
+    case FakeConnectors.slow_3sec_inference.name: {
+      await new Promise<void>((resolve) => setTimeout(() => resolve(), 3000));
+      return {
+        status: 'ok',
+        actionId: id,
+        data: [
+          {
+            result: 'Hello! How can I help you?',
+          },
+        ],
+      };
+    }
+  }
+
+  throw new Error(`Connector with id ${id} not found in mock`);
+}
+
 export class UnsecuredActionsClientMock implements IUnsecuredActionsClient {
   getAll = jest
     .fn()
     .mockResolvedValue(Object.values(FakeConnectors) as ConnectorWithExtraFindData[]);
   execute = jest.fn().mockImplementation((options) => this.returnMockedConnectorResult(options));
   bulkEnqueueExecution = jest.fn().mockResolvedValue(undefined);
 
-  private async returnMockedConnectorResult({
+  public async returnMockedConnectorResult({
     id,
     params,
   }: {
     id: string;
     params: Record<string, any>;
     spaceId: string;
-    requesterId: string; // This is a custom ID for testing purposes
+    requesterId: string;
   }): Promise<ActionTypeExecutorResult<unknown>> {
-    const fakeConnector = Object.values(FakeConnectors).find((c) => c.id === id);
+    return getMockedConnectorResult(id, params);
+  }
+}
 
-    switch (fakeConnector?.name) {
-      case FakeConnectors.slack1.name:
-      case FakeConnectors.slack2.name: {
-        return {
-          status: 'ok',
-          actionId: id,
-          data: { text: 'ok' },
-        };
-      }
-      case FakeConnectors.echo_inference.name: {
-        return {
-          status: 'ok',
-          actionId: id,
-          data: [
-            {
-              result: params?.text,
-            },
-          ],
-        };
-      }
-      case FakeConnectors.constantlyFailing.name: {
-        throw new Error('Error: Constantly failing connector');
-      }
-      case FakeConnectors.slow_1sec_inference.name: {
-        await new Promise<void>((resolve) => setTimeout(() => resolve(), 1000));
-        return {
-          status: 'ok',
-          actionId: id,
-          data: [
-            {
-              result: 'Hello! How can I help you?',
-            },
-          ],
-        };
-      }
-      case FakeConnectors.slow_3sec_inference.name: {
-        await new Promise<void>((resolve) => setTimeout(() => resolve(), 3000));
-        return {
-          status: 'ok',
-          actionId: id,
-          data: [
-            {
-              result: 'Hello! How can I help you?',
-            },
-          ],
-        };
-      }
-    }
+export class ScopedActionsClientMock implements Partial<ActionsClient> {
+  getAll = jest
+    .fn()
+    .mockResolvedValue(Object.values(FakeConnectors) as ConnectorWithExtraFindData[]);
+  execute = jest.fn().mockImplementation((options) => this.returnMockedConnectorResult(options));
+  bulkEnqueueExecution = jest.fn().mockResolvedValue(undefined);
 
-    throw new Error(`Connector with id ${id} not found in mock`);
+  public async returnMockedConnectorResult({
+    actionId,
+    params,
+  }: {
+    actionId: string;
+    params: Record<string, any>;
+  }): Promise<ActionTypeExecutorResult<unknown>> {
+    return getMockedConnectorResult(actionId, params);
   }
 }

src/platform/plugins/shared/workflows_execution_engine/integration_tests/workflow_run_fixture.ts

@@ -28,7 +28,7 @@ import {
   StepExecutionRepositoryMock,
   WorkflowExecutionRepositoryMock,
 } from './mocks';
-import { UnsecuredActionsClientMock } from './mocks/actions_plugin.mock';
+import { ScopedActionsClientMock, UnsecuredActionsClientMock } from './mocks/actions_plugin.mock';
 import { TaskManagerMock } from './mocks/task_manager.mock';
 import type { WorkflowsExecutionEngineConfig } from '../server/config';
 import { resumeWorkflow } from '../server/execution_functions';
@@ -57,10 +57,29 @@ export class WorkflowRunFixture {
     debug: jest.fn(),
     trace: jest.fn(),
   } as unknown as Logger;
+  // Create shared execute mock so tests can verify calls regardless of which client is used
+  private readonly sharedExecuteMock = jest.fn();
   public readonly unsecuredActionsClientMock = new UnsecuredActionsClientMock();
+  public readonly scopedActionsClientMock = new ScopedActionsClientMock();
   public readonly actionsClientMock = {
     getUnsecuredActionsClient: jest.fn().mockReturnValue(this.unsecuredActionsClientMock),
+    getActionsClientWithRequest: jest.fn().mockResolvedValue(this.scopedActionsClientMock),
   } as unknown as ActionsPluginStartContract;
+
+  constructor() {
+    // Wire both clients to use the same shared execute mock with normalized parameters
+    this.unsecuredActionsClientMock.execute = this.sharedExecuteMock.mockImplementation((options) =>
+      this.unsecuredActionsClientMock.returnMockedConnectorResult(options)
+    );
+    this.scopedActionsClientMock.execute = this.sharedExecuteMock.mockImplementation((options) => {
+      // Normalize scoped client parameters to match unsecured client for test assertions
+      // Convert actionId -> id so tests can check using 'id' parameter
+      const normalizedOptions = { ...options, id: options.actionId };
+      this.sharedExecuteMock.mock.calls[this.sharedExecuteMock.mock.calls.length - 1][0] =
+        normalizedOptions;
+      return this.scopedActionsClientMock.returnMockedConnectorResult(options);
+    });
+  }
   public readonly configMock = {
     logging: {
       console: true,

src/platform/plugins/shared/workflows_execution_engine/server/connector_executor.ts

@@ -12,10 +12,14 @@
 
 import { validate as validateUuid } from 'uuid';
 import type { ActionTypeExecutorResult } from '@kbn/actions-plugin/common';
-import type { IUnsecuredActionsClient } from '@kbn/actions-plugin/server';
+import type { ActionsClient, IUnsecuredActionsClient } from '@kbn/actions-plugin/server';
+import type { ConnectorWithExtraFindData } from '@kbn/actions-plugin/server/application/connector/types';
 
 export class ConnectorExecutor {
-  constructor(private actionsClient: IUnsecuredActionsClient) {}
+  constructor(
+    private actionsClient: IUnsecuredActionsClient | ActionsClient,
+    private isScoped: boolean = false
+  ) {}
 
   public async execute(
     connectorType: string,
@@ -49,26 +53,40 @@ export class ConnectorExecutor {
     connectorParams: Record<string, any>,
     spaceId: string
   ): Promise<ActionTypeExecutorResult<unknown>> {
-    let connectorId: string;
+    const connectorId = await this.resolveConnectorId(connectorName, spaceId);
 
-    if (validateUuid(connectorName)) {
-      connectorId = connectorName;
-    } else {
-      const allConnectors = await this.actionsClient.getAll('default');
-      const connector = allConnectors.find((c) => c.name === connectorName);
-
-      if (!connector) {
-        throw new Error(`Connector with name ${connectorName} not found`);
-      }
-
-      connectorId = connector?.id;
+    if (this.isScoped) {
+      return (this.actionsClient as ActionsClient).execute({
+        actionId: connectorId,
+        params: connectorParams,
+      });
     }
 
-    return this.actionsClient.execute({
+    return (this.actionsClient as IUnsecuredActionsClient).execute({
       id: connectorId,
       params: connectorParams,
       spaceId,
-      requesterId: 'background_task', // This is a custom ID for testing purposes
+      requesterId: 'background_task',
     });
   }
+
+  private async resolveConnectorId(connectorName: string, spaceId: string): Promise<string> {
+    if (validateUuid(connectorName)) {
+      return connectorName;
+    }
+
+    const allConnectors = this.isScoped
+      ? await (this.actionsClient as ActionsClient).getAll()
+      : await (this.actionsClient as IUnsecuredActionsClient).getAll(spaceId);
+
+    const connector = allConnectors.find(
+      (c: ConnectorWithExtraFindData) => c.name === connectorName
+    );
+
+    if (!connector) {
+      throw new Error(`Connector with name ${connectorName} not found`);
+    }
+
+    return connector.id;
+  }
 }

src/platform/plugins/shared/workflows_execution_engine/server/execution_functions/setup_dependencies.test.ts

@@ -51,8 +51,19 @@ describe('setupDependencies', () => {
     startedAt: Date.now(),
   };
 
+  const mockUnsecuredActionsClient = {
+    getAll: jest.fn(),
+    execute: jest.fn(),
+  };
+
+  const mockScopedActionsClient = {
+    getAll: jest.fn(),
+    execute: jest.fn(),
+  };
+
   const mockActionsPlugin = {
-    getUnsecuredActionsClient: jest.fn().mockResolvedValue({}),
+    getUnsecuredActionsClient: jest.fn().mockResolvedValue(mockUnsecuredActionsClient),
+    getActionsClientWithRequest: jest.fn().mockResolvedValue(mockScopedActionsClient),
   } as unknown as ActionsPluginStartContract;
 
   const mockTaskManager = {} as TaskManagerStartContract;
@@ -170,4 +181,69 @@ describe('setupDependencies', () => {
     expect(result.clientToUse).toBe(mockAsCurrentUser);
     expect(result.clientToUse).not.toBe(mockEsClient);
   });
+
+  it('should use unsecured actions client when fakeRequest is not provided', async () => {
+    await setupDependencies(
+      workflowRunId,
+      spaceId,
+      mockActionsPlugin,
+      mockTaskManager,
+      mockEsClient,
+      mockLogger,
+      mockConfig,
+      mockWorkflowExecutionRepository,
+      mockStepExecutionRepository,
+      mockLogsRepository,
+      {} as CoreStart,
+      mockDependencies
+    );
+
+    expect(mockActionsPlugin.getUnsecuredActionsClient).toHaveBeenCalled();
+    expect(mockActionsPlugin.getActionsClientWithRequest).not.toHaveBeenCalled();
+    expect(ConnectorExecutor).toHaveBeenCalledWith(mockUnsecuredActionsClient, false);
+  });
+
+  it('should use scoped actions client when fakeRequest is provided', async () => {
+    const mockScopedClient = {
+      search: jest.fn(),
+      index: jest.fn(),
+    } as unknown as ElasticsearchClient;
+
+    const mockAsCurrentUser = mockScopedClient;
+    const mockAsScoped = jest.fn().mockReturnValue({
+      asCurrentUser: mockAsCurrentUser,
+    });
+
+    const mockCoreStart = {
+      elasticsearch: {
+        client: {
+          asScoped: mockAsScoped,
+        },
+      },
+    } as unknown as CoreStart;
+
+    const mockFakeRequest = {
+      headers: {},
+    } as KibanaRequest;
+
+    await setupDependencies(
+      workflowRunId,
+      spaceId,
+      mockActionsPlugin,
+      mockTaskManager,
+      mockEsClient,
+      mockLogger,
+      mockConfig,
+      mockWorkflowExecutionRepository,
+      mockStepExecutionRepository,
+      mockLogsRepository,
+      mockCoreStart,
+      mockDependencies,
+      mockFakeRequest
+    );
+
+    expect(mockActionsPlugin.getActionsClientWithRequest).toHaveBeenCalledWith(mockFakeRequest);
+    expect(mockActionsPlugin.getUnsecuredActionsClient).not.toHaveBeenCalled();
+    expect(ConnectorExecutor).toHaveBeenCalledWith(mockScopedActionsClient, true);
+  });
 });

src/platform/plugins/shared/workflows_execution_engine/server/execution_functions/setup_dependencies.ts

@@ -62,8 +62,17 @@ export async function setupDependencies(
     workflowExecutionGraph = workflowExecutionGraph.getStepGraph(workflowExecution.stepId);
   }
 
-  const unsecuredActionsClient = await actionsPlugin.getUnsecuredActionsClient();
-  const connectorExecutor = new ConnectorExecutor(unsecuredActionsClient);
+  // Use scoped actions client when fakeRequest is available to preserve user context
+  // Otherwise fallback to unsecured actions client
+  // TODO(tb): Consider completely disabling connectors when no fakeRequest is available
+  let connectorExecutor: ConnectorExecutor;
+  if (fakeRequest) {
+    const scopedActionsClient = await actionsPlugin.getActionsClientWithRequest(fakeRequest);
+    connectorExecutor = new ConnectorExecutor(scopedActionsClient, true);
+  } else {
+    const unsecuredActionsClient = await actionsPlugin.getUnsecuredActionsClient();
+    connectorExecutor = new ConnectorExecutor(unsecuredActionsClient, false);
+  }
 
   const workflowLogger = new WorkflowEventLogger(
     logsRepository,