[One Workflow] Fix workflows features configuration (#241015)

## Summary

Closes elastic/security-team#14403

- Uses the correct API action in the server routes from the privilege
configuration
- UI capabilities and API actions values extracted as enums to the
package so they can be easily reused

---------

Co-authored-by: kibanamachine <[email protected]>

Author: semd

src/platform/packages/shared/kbn-workflows/common/constants.ts

@@ -7,6 +7,11 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
+/**
+ * Feature ID for the workflows management feature
+ */
+export const WORKFLOWS_MANAGEMENT_FEATURE_ID = 'workflowsManagement';
+
 /**
  * UI Setting ID for enabling / disabling the workflows management UI
  */

src/platform/packages/shared/kbn-workflows/common/privileges.ts

@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { WORKFLOWS_MANAGEMENT_FEATURE_ID } from './constants';
+
+// The API actions added by feature privileges, to be checked in the API routes.
+// Api actions are not scoped by feature ID, so we scope it by adding the feature ID ("workflowsManagement") as prefix.
+// example: security.authz.requiredPrivileges: ["workflowsManagement:create"]
+export enum WorkflowsManagementApiActions {
+  'create' = `${WORKFLOWS_MANAGEMENT_FEATURE_ID}:create`,
+  'read' = `${WORKFLOWS_MANAGEMENT_FEATURE_ID}:read`,
+  'update' = `${WORKFLOWS_MANAGEMENT_FEATURE_ID}:update`,
+  'delete' = `${WORKFLOWS_MANAGEMENT_FEATURE_ID}:delete`,
+  'execute' = `${WORKFLOWS_MANAGEMENT_FEATURE_ID}:execute`,
+  'readExecution' = `${WORKFLOWS_MANAGEMENT_FEATURE_ID}:readExecution`,
+  'cancelExecution' = `${WORKFLOWS_MANAGEMENT_FEATURE_ID}:cancelExecution`,
+}
+
+// The UI actions (aka capabilities) added by feature privileges, to be checked in the UI components.
+// UI actions are scoped by feature ID ("workflowsManagement"), so no need to add any prefix.
+// example: application.capabilities.workflowsManagement.createWorkflow
+export enum WorkflowsManagementUiActions {
+  'create' = 'createWorkflow',
+  'read' = 'readWorkflow',
+  'update' = 'updateWorkflow',
+  'delete' = 'deleteWorkflow',
+  'execute' = 'executeWorkflow',
+  'readExecution' = 'readWorkflowExecution',
+  'cancelExecution' = 'cancelWorkflowExecution',
+}

src/platform/packages/shared/kbn-workflows/index.ts

@@ -13,6 +13,7 @@ export * from './spec/schema';
 export * from './types/latest';
 export * from './types/utils';
 export * from './common/constants';
+export * from './common/privileges';
 export * from './common/elasticsearch_request_builder';
 export * from './common/kibana_request_builder';
 

src/platform/plugins/shared/workflows_management/public/hooks/use_capabilities.test.ts

@@ -0,0 +1,236 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { renderHook } from '@testing-library/react';
+import { WORKFLOWS_MANAGEMENT_FEATURE_ID } from '@kbn/workflows/common/constants';
+import { useCapabilities } from './use_capabilities';
+import { useKibana } from './use_kibana';
+import { createStartServicesMock } from '../mocks';
+
+jest.mock('./use_kibana');
+const mockUseKibana = useKibana as jest.Mock;
+
+describe('useCapabilities', () => {
+  let mockServices: ReturnType<typeof createStartServicesMock>;
+
+  const mockCapabilities = (capabilities: any) => {
+    mockServices.application.capabilities = {
+      [WORKFLOWS_MANAGEMENT_FEATURE_ID]: capabilities,
+      navLinks: {},
+      management: {},
+      catalogue: {},
+    };
+  };
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    mockServices = createStartServicesMock();
+    mockUseKibana.mockReturnValue({ services: mockServices });
+  });
+
+  describe('when all capabilities are enabled', () => {
+    beforeEach(() => {
+      mockCapabilities({
+        createWorkflow: true,
+        readWorkflow: true,
+        updateWorkflow: true,
+        deleteWorkflow: true,
+        executeWorkflow: true,
+        readWorkflowExecution: true,
+        cancelWorkflowExecution: true,
+      });
+    });
+
+    it('should return all capabilities as true', () => {
+      const { result } = renderHook(useCapabilities);
+
+      expect(result.current).toEqual({
+        canCreateWorkflow: true,
+        canReadWorkflow: true,
+        canUpdateWorkflow: true,
+        canDeleteWorkflow: true,
+        canExecuteWorkflow: true,
+        canReadWorkflowExecution: true,
+        canCancelWorkflowExecution: true,
+      });
+    });
+  });
+
+  describe('when all capabilities are disabled', () => {
+    beforeEach(() => {
+      mockCapabilities({
+        createWorkflow: false,
+        readWorkflow: false,
+        updateWorkflow: false,
+        deleteWorkflow: false,
+        executeWorkflow: false,
+        readWorkflowExecution: false,
+        cancelWorkflowExecution: false,
+      });
+    });
+
+    it('should return all capabilities as false', () => {
+      const { result } = renderHook(useCapabilities);
+
+      expect(result.current).toEqual({
+        canCreateWorkflow: false,
+        canReadWorkflow: false,
+        canUpdateWorkflow: false,
+        canDeleteWorkflow: false,
+        canExecuteWorkflow: false,
+        canReadWorkflowExecution: false,
+        canCancelWorkflowExecution: false,
+      });
+    });
+  });
+
+  describe('when some capabilities are enabled', () => {
+    beforeEach(() => {
+      mockCapabilities({
+        createWorkflow: true,
+        readWorkflow: true,
+        updateWorkflow: false,
+        deleteWorkflow: false,
+        executeWorkflow: true,
+        readWorkflowExecution: false,
+        cancelWorkflowExecution: false,
+      });
+    });
+
+    it('should return correct mixed capabilities', () => {
+      const { result } = renderHook(useCapabilities);
+
+      expect(result.current).toEqual({
+        canCreateWorkflow: true,
+        canReadWorkflow: true,
+        canUpdateWorkflow: false,
+        canDeleteWorkflow: false,
+        canExecuteWorkflow: true,
+        canReadWorkflowExecution: false,
+        canCancelWorkflowExecution: false,
+      });
+    });
+  });
+
+  describe('when capabilities object is undefined', () => {
+    beforeEach(() => {
+      mockCapabilities(undefined);
+    });
+
+    it('should return all capabilities as false', () => {
+      const { result } = renderHook(useCapabilities);
+
+      expect(result.current).toEqual({
+        canCreateWorkflow: false,
+        canReadWorkflow: false,
+        canUpdateWorkflow: false,
+        canDeleteWorkflow: false,
+        canExecuteWorkflow: false,
+        canReadWorkflowExecution: false,
+        canCancelWorkflowExecution: false,
+      });
+    });
+  });
+
+  describe('when capabilities object does not exist', () => {
+    beforeEach(() => {
+      mockCapabilities({});
+    });
+
+    it('should return all capabilities as false', () => {
+      const { result } = renderHook(useCapabilities);
+
+      expect(result.current).toEqual({
+        canCreateWorkflow: false,
+        canReadWorkflow: false,
+        canUpdateWorkflow: false,
+        canDeleteWorkflow: false,
+        canExecuteWorkflow: false,
+        canReadWorkflowExecution: false,
+        canCancelWorkflowExecution: false,
+      });
+    });
+  });
+
+  describe('when application is undefined', () => {
+    beforeEach(() => {
+      mockServices.application = undefined as any;
+    });
+
+    it('should return all capabilities as false', () => {
+      const { result } = renderHook(useCapabilities);
+
+      expect(result.current).toEqual({
+        canCreateWorkflow: false,
+        canReadWorkflow: false,
+        canUpdateWorkflow: false,
+        canDeleteWorkflow: false,
+        canExecuteWorkflow: false,
+        canReadWorkflowExecution: false,
+        canCancelWorkflowExecution: false,
+      });
+    });
+  });
+
+  describe('when capability values are falsy', () => {
+    beforeEach(() => {
+      mockCapabilities({
+        createWorkflow: 0,
+        readWorkflow: '',
+        updateWorkflow: null,
+        deleteWorkflow: undefined,
+        executeWorkflow: false,
+        readWorkflowExecution: 0,
+        cancelWorkflowExecution: null,
+      });
+    });
+
+    it('should convert all falsy values to false', () => {
+      const { result } = renderHook(useCapabilities);
+
+      expect(result.current).toEqual({
+        canCreateWorkflow: false,
+        canReadWorkflow: false,
+        canUpdateWorkflow: false,
+        canDeleteWorkflow: false,
+        canExecuteWorkflow: false,
+        canReadWorkflowExecution: false,
+        canCancelWorkflowExecution: false,
+      });
+    });
+  });
+
+  describe('when capability values are truthy', () => {
+    beforeEach(() => {
+      mockCapabilities({
+        createWorkflow: 1,
+        readWorkflow: 'true',
+        updateWorkflow: {},
+        deleteWorkflow: [],
+        executeWorkflow: true,
+        readWorkflowExecution: 'test',
+        cancelWorkflowExecution: 42,
+      });
+    });
+
+    it('should convert all truthy values to true', () => {
+      const { result } = renderHook(useCapabilities);
+
+      expect(result.current).toEqual({
+        canCreateWorkflow: true,
+        canReadWorkflow: true,
+        canUpdateWorkflow: true,
+        canDeleteWorkflow: true,
+        canExecuteWorkflow: true,
+        canReadWorkflowExecution: true,
+        canCancelWorkflowExecution: true,
+      });
+    });
+  });
+});

src/platform/plugins/shared/workflows_management/public/hooks/use_capabilities.ts

@@ -7,28 +7,31 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
+import { WORKFLOWS_MANAGEMENT_FEATURE_ID } from '@kbn/workflows/common/constants';
+import { WorkflowsManagementUiActions } from '@kbn/workflows/common/privileges';
 import { useKibana } from './use_kibana';
 
 const CapabilitiesMap = {
-  canCreateWorkflow: 'createWorkflow',
-  canReadWorkflow: 'readWorkflow',
-  canUpdateWorkflow: 'updateWorkflow',
-  canDeleteWorkflow: 'deleteWorkflow',
-  canExecuteWorkflow: 'executeWorkflow',
-  canReadWorkflowExecution: 'readWorkflowExecution',
-  canCancelWorkflowExecution: 'cancelWorkflowExecution',
+  canCreateWorkflow: WorkflowsManagementUiActions.create,
+  canReadWorkflow: WorkflowsManagementUiActions.read,
+  canUpdateWorkflow: WorkflowsManagementUiActions.update,
+  canDeleteWorkflow: WorkflowsManagementUiActions.delete,
+  canExecuteWorkflow: WorkflowsManagementUiActions.execute,
+  canReadWorkflowExecution: WorkflowsManagementUiActions.readExecution,
+  canCancelWorkflowExecution: WorkflowsManagementUiActions.cancelExecution,
 } as const;
 
 export type CapabilitiesKey = keyof typeof CapabilitiesMap;
 export type WorkflowsManagementCapabilities = Record<CapabilitiesKey, boolean>;
 
 export const useCapabilities = (): WorkflowsManagementCapabilities => {
   const { application } = useKibana().services;
+  const workflowsCapabilities = application?.capabilities?.[WORKFLOWS_MANAGEMENT_FEATURE_ID] ?? {};
 
   return Object.fromEntries(
     Object.entries(CapabilitiesMap).map(([key, value]) => [
       key,
-      Boolean(application?.capabilities.workflowsManagement?.[value]),
+      Boolean(workflowsCapabilities[value]),
     ])
   ) as WorkflowsManagementCapabilities;
 };