[9.0] [Security Solution][Endpoint] Adjust Artifacts policy assignment component in support of spaces (elastic#214487) (elastic#215194)

# Backport

This will backport the following commits from `main` to `9.0`:
- [[Security Solution][Endpoint] Adjust Artifacts policy assignment
component in support of spaces
(elastic#214487)](elastic#214487)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Paul
Tavares","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-03-19T15:12:59Z","message":"[Security
Solution][Endpoint] Adjust Artifacts policy assignment component in
support of spaces (elastic#214487)\n\n## Summary\n\n\n### Fleet\n\n- Exposed
API route for bulk get package policies via the routes service\n-
Created and exposed type
`BulkGetPackagePoliciesRequestBody`\n\n<br/>\n\n\n### Security
Solution\n\nThe following changes were made to Endpoint Artifacts in
support of\nspaces:\n\n> [!NOTE]\n> Space awareness is currently behind
feature flag:\n`endpointManagementSpaceAwarenessEnabled`\n\n\n- The
policy assignment component, which is displayed on artifact's\nCreate
and Update forms, now:\n- Displays the count of policies (if any) that
are associated with the\nartifact, but not currently accessible in the
active space (screen\ncapture 1️⃣ )\n- When a user does NOT have the
Global Artifact privilege, the `Global`\ntoggle selection will be
disabled and a tooltip is displayed. This\nchange also applies to the
create form where the default selection will\nbe per-policy and the
global button will be disabled. (screen capture\n2️⃣ )\n- Artifact
policy assignments that are not accessible in active space\nare
preserved when submitting an update to the artifact\n- The component was
also refactored a bit to simplify its list of props\n- Artifact card
policy assignment menu was adjusted to show any policy\nthat is not
accessible to the user as \"disabled\" along with a tooltip\n(screen
capture 3️⃣ )\n- The update artifact API was changed (via server-side
extension point)\nto not error when validating policies that are not
accessible in active\nspace if they were already associated with the
item being updated.\n- Fixes a bug in the Find artifacts API (impact
only when spaces was\nenabled) where an invalid filter was created when
there was no policies\ncurrently shared with active
space.","sha":"e11c3ecea5119202800d121a73765e26a41ff0a1","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","Team:Defend
Workflows","backport:prev-minor","v9.1.0"],"title":"[Security
Solution][Endpoint] Adjust Artifacts policy assignment component in
support of
spaces","number":214487,"url":"https://github.com/elastic/kibana/pull/214487","mergeCommit":{"message":"[Security
Solution][Endpoint] Adjust Artifacts policy assignment component in
support of spaces (elastic#214487)\n\n## Summary\n\n\n### Fleet\n\n- Exposed
API route for bulk get package policies via the routes service\n-
Created and exposed type
`BulkGetPackagePoliciesRequestBody`\n\n<br/>\n\n\n### Security
Solution\n\nThe following changes were made to Endpoint Artifacts in
support of\nspaces:\n\n> [!NOTE]\n> Space awareness is currently behind
feature flag:\n`endpointManagementSpaceAwarenessEnabled`\n\n\n- The
policy assignment component, which is displayed on artifact's\nCreate
and Update forms, now:\n- Displays the count of policies (if any) that
are associated with the\nartifact, but not currently accessible in the
active space (screen\ncapture 1️⃣ )\n- When a user does NOT have the
Global Artifact privilege, the `Global`\ntoggle selection will be
disabled and a tooltip is displayed. This\nchange also applies to the
create form where the default selection will\nbe per-policy and the
global button will be disabled. (screen capture\n2️⃣ )\n- Artifact
policy assignments that are not accessible in active space\nare
preserved when submitting an update to the artifact\n- The component was
also refactored a bit to simplify its list of props\n- Artifact card
policy assignment menu was adjusted to show any policy\nthat is not
accessible to the user as \"disabled\" along with a tooltip\n(screen
capture 3️⃣ )\n- The update artifact API was changed (via server-side
extension point)\nto not error when validating policies that are not
accessible in active\nspace if they were already associated with the
item being updated.\n- Fixes a bug in the Find artifacts API (impact
only when spaces was\nenabled) where an invalid filter was created when
there was no policies\ncurrently shared with active
space.","sha":"e11c3ecea5119202800d121a73765e26a41ff0a1"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/214487","number":214487,"mergeCommit":{"message":"[Security
Solution][Endpoint] Adjust Artifacts policy assignment component in
support of spaces (elastic#214487)\n\n## Summary\n\n\n### Fleet\n\n- Exposed
API route for bulk get package policies via the routes service\n-
Created and exposed type
`BulkGetPackagePoliciesRequestBody`\n\n<br/>\n\n\n### Security
Solution\n\nThe following changes were made to Endpoint Artifacts in
support of\nspaces:\n\n> [!NOTE]\n> Space awareness is currently behind
feature flag:\n`endpointManagementSpaceAwarenessEnabled`\n\n\n- The
policy assignment component, which is displayed on artifact's\nCreate
and Update forms, now:\n- Displays the count of policies (if any) that
are associated with the\nartifact, but not currently accessible in the
active space (screen\ncapture 1️⃣ )\n- When a user does NOT have the
Global Artifact privilege, the `Global`\ntoggle selection will be
disabled and a tooltip is displayed. This\nchange also applies to the
create form where the default selection will\nbe per-policy and the
global button will be disabled. (screen capture\n2️⃣ )\n- Artifact
policy assignments that are not accessible in active space\nare
preserved when submitting an update to the artifact\n- The component was
also refactored a bit to simplify its list of props\n- Artifact card
policy assignment menu was adjusted to show any policy\nthat is not
accessible to the user as \"disabled\" along with a tooltip\n(screen
capture 3️⃣ )\n- The update artifact API was changed (via server-side
extension point)\nto not error when validating policies that are not
accessible in active\nspace if they were already associated with the
item being updated.\n- Fixes a bug in the Find artifacts API (impact
only when spaces was\nenabled) where an invalid filter was created when
there was no policies\ncurrently shared with active
space.","sha":"e11c3ecea5119202800d121a73765e26a41ff0a1"}}]}]
BACKPORT-->

Co-authored-by: Paul Tavares <[email protected]>

Author: kibanamachine

x-pack/platform/plugins/shared/fleet/common/services/routes.ts

@@ -155,6 +155,10 @@ export const packagePolicyRouteService = {
   getOrphanedIntegrationPoliciesPath: () => {
     return PACKAGE_POLICY_API_ROUTES.ORPHANED_INTEGRATION_POLICIES;
   },
+
+  getBulkGetPath: (): string => {
+    return PACKAGE_POLICY_API_ROUTES.BULK_GET_PATTERN;
+  },
 };
 
 export const agentPolicyRouteService = {

x-pack/platform/plugins/shared/fleet/common/types/rest_spec/package_policy.ts

@@ -5,6 +5,10 @@
  * 2.0.
  */
 
+import type { TypeOf } from '@kbn/config-schema';
+
+import type { BulkGetPackagePoliciesRequestSchema } from '../../../server/types';
+
 import type {
   PackagePolicy,
   NewPackagePolicy,
@@ -21,6 +25,9 @@ export interface GetPackagePoliciesRequest {
 }
 
 export type GetPackagePoliciesResponse = ListResult<PackagePolicy>;
+export type BulkGetPackagePoliciesRequestBody = TypeOf<
+  typeof BulkGetPackagePoliciesRequestSchema.body
+>;
 export type BulkGetPackagePoliciesResponse = BulkGetResult<PackagePolicy>;
 
 export interface GetOnePackagePolicyRequest {

x-pack/solutions/security/plugins/security_solution/common/endpoint/service/artifacts/utils.ts

@@ -27,11 +27,15 @@ export const isArtifactGlobal = (item: Partial<Pick<ExceptionListItemSchema, 'ta
   return (item.tags ?? []).includes(GLOBAL_ARTIFACT_TAG);
 };
 
-export const isArtifactByPolicy = (item: Pick<ExceptionListItemSchema, 'tags'>): boolean => {
+export const isArtifactByPolicy = (
+  item: Partial<Pick<ExceptionListItemSchema, 'tags'>>
+): boolean => {
   return !isArtifactGlobal(item);
 };
 
-export const getPolicyIdsFromArtifact = (item: Pick<ExceptionListItemSchema, 'tags'>): string[] => {
+export const getPolicyIdsFromArtifact = (
+  item: Partial<Pick<ExceptionListItemSchema, 'tags'>>
+): string[] => {
   const policyIds = [];
   const tags = item.tags ?? [];
 

x-pack/solutions/security/plugins/security_solution/public/management/common/translations.ts

@@ -320,3 +320,15 @@ export const CONFIRM_WARNING_MODAL_LABELS = (entryType: string) => {
     ),
   };
 };
+
+export const NO_PRIVILEGE_FOR_MANAGEMENT_OF_GLOBAL_ARTIFACT_MESSAGE = i18n.translate(
+  'xpack.securitySolution.translations.noGlobalArtifactManagementAllowedMessage',
+  { defaultMessage: 'Management of global artifacts requires additional privilege' }
+);
+
+export const ARTIFACT_POLICIES_NOT_ACCESSIBLE_IN_ACTIVE_SPACE_MESSAGE = (count: number): string =>
+  i18n.translate('xpack.securitySolution.translations.artifactPoliciesNotAccessibleInActiveSpace', {
+    defaultMessage:
+      'This artifact is associated with {count} {count, plural, =1 {policy that is} other {policies that are}} not accessible in active space',
+    values: { count },
+  });

x-pack/solutions/security/plugins/security_solution/public/management/components/artifact_entry_card/artifact_entry_card.test.tsx

@@ -203,8 +203,9 @@ describe.each([
 
       policies = {
         'policy-1': {
-          children: 'Policy one',
+          children: 'Policy one title',
           'data-test-subj': 'policyMenuItem',
+          href: 'http://some/path/to/policy-1',
         },
       };
     });
@@ -239,7 +240,11 @@ describe.each([
         ).not.toBeNull();
 
         expect(renderResult.getByTestId('policyMenuItem').textContent).toEqual(
-          'Policy oneView details'
+          'Policy one titleView details'
+        );
+
+        expect((renderResult.getByTestId('policyMenuItem') as HTMLAnchorElement).href).toEqual(
+          policies!['policy-1'].href
         );
       });
 
@@ -259,12 +264,12 @@ describe.each([
           renderResult.getByTestId('testCard-subHeader-effectScope-popupMenu-popoverPanel')
         ).not.toBeNull();
 
-        expect(renderResult.getByTestId('policyMenuItem').textContent).toEqual('Policy one');
+        expect(renderResult.getByTestId('policyMenuItem').textContent).toEqual('Policy one title');
       });
     });
 
-    it('should display policy ID if no policy menu item found in `policies` prop', async () => {
-      render();
+    it('should display disabled button with policy ID if no policy menu item found in `policies` prop', async () => {
+      render(); // Important: no polices provided to component on input
       await act(async () => {
         await fireEvent.click(
           renderResult.getByTestId('testCard-subHeader-effectScope-popupMenu-button')
@@ -275,7 +280,18 @@ describe.each([
         renderResult.getByTestId('testCard-subHeader-effectScope-popupMenu-popoverPanel')
       ).not.toBeNull();
 
-      expect(renderResult.getByText('policy-1').textContent).not.toBeNull();
+      expect(
+        renderResult.getByTestId('testCard-subHeader-effectScope-popupMenu-item-0-truncateWrapper')
+          .textContent
+      ).toEqual('policy-1');
+
+      expect(
+        (
+          renderResult.getByTestId(
+            'testCard-subHeader-effectScope-popupMenu-item-0'
+          ) as HTMLButtonElement
+        ).disabled
+      ).toBe(true);
     });
 
     it('should pass item to decorator function and display its result', () => {

x-pack/solutions/security/plugins/security_solution/public/management/components/artifact_entry_card/components/card_actions_flex_item.tsx

@@ -10,11 +10,9 @@ import React, { memo, useMemo } from 'react';
 import type { CommonProps } from '@elastic/eui';
 import { EuiFlexItem } from '@elastic/eui';
 import type { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types';
+import { NO_PRIVILEGE_FOR_MANAGEMENT_OF_GLOBAL_ARTIFACT_MESSAGE } from '../../../common/translations';
 import { useUserPrivileges } from '../../../../common/components/user_privileges';
-import {
-  MANAGEMENT_OF_GLOBAL_ARTIFACT_NOT_ALLOWED_MESSAGE,
-  MANAGEMENT_OF_SHARED_PER_POLICY_ARTIFACT_NOT_ALLOWED_MESSAGE,
-} from './translations';
+import { MANAGEMENT_OF_SHARED_PER_POLICY_ARTIFACT_NOT_ALLOWED_MESSAGE } from './translations';
 import { useSpaceId } from '../../../../common/hooks/use_space_id';
 import { useIsExperimentalFeatureEnabled } from '../../../../common/hooks/use_experimental_features';
 import { isArtifactGlobal } from '../../../../../common/endpoint/service/artifacts';
@@ -52,7 +50,7 @@ export const CardActionsFlexItem = memo<CardActionsFlexItemProps>(
       if (isGlobal) {
         return {
           isDisabled: true,
-          disabledTooltip: MANAGEMENT_OF_GLOBAL_ARTIFACT_NOT_ALLOWED_MESSAGE,
+          disabledTooltip: NO_PRIVILEGE_FOR_MANAGEMENT_OF_GLOBAL_ARTIFACT_MESSAGE,
         };
       }
 

x-pack/solutions/security/plugins/security_solution/public/management/components/artifact_entry_card/components/effect_scope.tsx

@@ -11,6 +11,8 @@ import type { CommonProps } from '@elastic/eui';
 import { EuiButtonEmpty, EuiFlexGroup, EuiFlexItem, EuiIcon } from '@elastic/eui';
 import styled from 'styled-components';
 import { FormattedMessage } from '@kbn/i18n-react';
+import { i18n } from '@kbn/i18n';
+import { useIsExperimentalFeatureEnabled } from '../../../../common/hooks/use_experimental_features';
 import { useUserPrivileges } from '../../../../common/components/user_privileges';
 import {
   GLOBAL_EFFECT_SCOPE,
@@ -28,6 +30,16 @@ import { useTestIdGenerator } from '../../../hooks/use_test_id_generator';
 //          So something like: `<EffectScope perPolicyCount={3} />`
 //          This should display it as "Applied to 3 policies", but NOT as a menu with links
 
+const POLICY_DETAILS_NOT_ACCESSIBLE = i18n.translate(
+  'xpack.securitySolution.effectScope.policyDetailsNotAccessible',
+  { defaultMessage: 'Policy is no longer accessible' }
+);
+
+const POLICY_DETAILS_NOT_ACCESSIBLE_IN_ACTIVE_SPACE = i18n.translate(
+  'xpack.securitySolution.effectScope.policyDetailsNotAccessibleInActiveSpace',
+  { defaultMessage: 'Policy is not accessible from the current space' }
+);
+
 const StyledWithContextMenuShiftedWrapper = styled('div')`
   margin-left: -10px;
 `;
@@ -104,29 +116,46 @@ const WithContextMenu = memo<WithContextMenuProps>(
     'data-test-subj': dataTestSubj,
   }) => {
     const getTestId = useTestIdGenerator(dataTestSubj);
-
-    const hoverInfo = useMemo(
-      () =>
-        canReadPolicies ? (
-          <StyledEuiButtonEmpty flush="right" size="s" iconSide="right" iconType="popout">
-            <FormattedMessage
-              id="xpack.securitySolution.contextMenuItemByRouter.viewDetails"
-              defaultMessage="View details"
-            />
-          </StyledEuiButtonEmpty>
-        ) : undefined,
-      [canReadPolicies]
+    const isSpacesEnabled = useIsExperimentalFeatureEnabled(
+      'endpointManagementSpaceAwarenessEnabled'
     );
+
+    const menuItems: ContextMenuItemNavByRouterProps[] = useMemo(() => {
+      return policies.map((policyMenuItem) => {
+        const hasHref = Boolean(policyMenuItem.href);
+
+        return {
+          ...policyMenuItem,
+          hoverInfo:
+            hasHref && canReadPolicies ? (
+              <StyledEuiButtonEmpty flush="right" size="s" iconSide="right" iconType="popout">
+                <FormattedMessage
+                  id="xpack.securitySolution.contextMenuItemByRouter.viewDetails"
+                  defaultMessage="View details"
+                />
+              </StyledEuiButtonEmpty>
+            ) : undefined,
+          disabled: !hasHref,
+          toolTipContent: !hasHref ? (
+            <>
+              {isSpacesEnabled
+                ? POLICY_DETAILS_NOT_ACCESSIBLE_IN_ACTIVE_SPACE
+                : POLICY_DETAILS_NOT_ACCESSIBLE}
+            </>
+          ) : undefined,
+        };
+      });
+    }, [canReadPolicies, isSpacesEnabled, policies]);
+
     return (
       <ContextMenuWithRouterSupport
         maxHeight="235px"
         fixedWidth={true}
         panelPaddingSize="none"
-        items={policies}
+        items={menuItems}
         anchorPosition={policies.length > 1 ? 'rightCenter' : 'rightUp'}
         data-test-subj={dataTestSubj}
         loading={loadingPoliciesList}
-        hoverInfo={hoverInfo}
         button={
           <EuiButtonEmpty size="xs" data-test-subj={getTestId('button')}>
             {children}

x-pack/solutions/security/plugins/security_solution/public/management/components/artifact_entry_card/components/translations.ts

@@ -163,11 +163,6 @@ export const DESCRIPTION_LABEL = i18n.translate(
   }
 );
 
-export const MANAGEMENT_OF_GLOBAL_ARTIFACT_NOT_ALLOWED_MESSAGE = i18n.translate(
-  'xpack.securitySolution.translations.noGlobalArtifactManagementAllowedMessage',
-  { defaultMessage: 'Management of global artifacts requires additional privilege' }
-);
-
 export const MANAGEMENT_OF_SHARED_PER_POLICY_ARTIFACT_NOT_ALLOWED_MESSAGE = i18n.translate(
   'xpack.securitySolution.translations.sharedPerPolicyArtifactNotAllowed',
   {

x-pack/solutions/security/plugins/security_solution/public/management/components/artifact_list_page/components/artifact_flyout.test.tsx

@@ -36,11 +36,19 @@ describe('When the flyout is opened in the ArtifactListPage component', () => {
   let getLastFormComponentProps: ReturnType<
     typeof getFormComponentMock
   >['getLastFormComponentProps'];
+  let setExperimentalFlag: AppContextTestRender['setExperimentalFlag'];
 
   beforeEach(() => {
     const renderSetup = getArtifactListPageRenderingSetup();
 
-    ({ history, coreStart, mockedApi, FormComponentMock, getLastFormComponentProps } = renderSetup);
+    ({
+      history,
+      coreStart,
+      mockedApi,
+      FormComponentMock,
+      getLastFormComponentProps,
+      setExperimentalFlag,
+    } = renderSetup);
 
     history.push('somepage?show=create');
 
@@ -116,6 +124,36 @@ describe('When the flyout is opened in the ArtifactListPage component', () => {
     );
   });
 
+  it('should initialize form with a per-policy artifact when user does not have global artifact privilege and spaces is enabeld', async () => {
+    setExperimentalFlag({ endpointManagementSpaceAwarenessEnabled: true });
+    useUserPrivileges.mockReturnValue({
+      ...useUserPrivileges(),
+      endpointPrivileges: getEndpointPrivilegesInitialStateMock({
+        canManageGlobalArtifacts: false,
+      }),
+    });
+    await render();
+
+    expect(FormComponentMock).toHaveBeenLastCalledWith(
+      expect.objectContaining({
+        item: {
+          comments: [],
+          description: '',
+          entries: [],
+          item_id: undefined,
+          list_id: 'endpoint_trusted_apps',
+          meta: expect.any(Object),
+          name: '',
+          namespace_type: 'agnostic',
+          os_types: ['windows'],
+          tags: [],
+          type: 'simple',
+        },
+      }),
+      expect.anything()
+    );
+  });
+
   describe('and form data is valid', () => {
     beforeEach(async () => {
       const _renderAndWaitForFlyout = render;

x-pack/solutions/security/plugins/security_solution/public/management/components/artifact_list_page/components/artifact_flyout.tsx

@@ -27,6 +27,8 @@ import type { EuiFlyoutSize } from '@elastic/eui/src/components/flyout/flyout';
 import type { IHttpFetchError } from '@kbn/core-http-browser';
 import { useIsMounted } from '@kbn/securitysolution-hook-utils';
 import { useLocation } from 'react-router-dom';
+import { GLOBAL_ARTIFACT_TAG } from '../../../../../common/endpoint/service/artifacts';
+import { useIsExperimentalFeatureEnabled } from '../../../../common/hooks/use_experimental_features';
 import { useMarkInsightAsRemediated } from '../hooks/use_mark_workflow_insight_as_remediated';
 import type { WorkflowInsightRouteState } from '../../../pages/endpoint_hosts/types';
 import { useUrlParams } from '../../../hooks/use_url_params';
@@ -47,6 +49,7 @@ import { useIsArtifactAllowedPerPolicyUsage } from '../hooks/use_is_artifact_all
 import { useGetArtifact } from '../../../hooks/artifacts';
 import type { PolicyData } from '../../../../../common/endpoint/types';
 import { ArtifactConfirmModal } from './artifact_confirm_modal';
+import { useUserPrivileges } from '../../../../common/components/user_privileges';
 
 export const ARTIFACT_FLYOUT_LABELS = Object.freeze({
   flyoutEditTitle: i18n.translate('xpack.securitySolution.artifactListPage.flyoutEditTitle', {
@@ -211,6 +214,11 @@ export const ArtifactFlyout = memo<ArtifactFlyoutProps>(
     const setUrlParams = useSetUrlParams();
     const { urlParams } = useUrlParams<ArtifactListPageUrlParams>();
     const isMounted = useIsMounted();
+    const isSpaceAwarenessEnabled = useIsExperimentalFeatureEnabled(
+      'endpointManagementSpaceAwarenessEnabled'
+    );
+    const canManageGlobalArtifacts =
+      useUserPrivileges().endpointPrivileges.canManageGlobalArtifacts;
     const labels = useMemo<typeof ARTIFACT_FLYOUT_LABELS>(() => {
       return {
         ...ARTIFACT_FLYOUT_LABELS,
@@ -255,9 +263,18 @@ export const ArtifactFlyout = memo<ArtifactFlyoutProps>(
       enabled: false,
     });
 
-    const [formState, setFormState] = useState<ArtifactFormComponentOnChangeCallbackProps>(
-      createFormInitialState.bind(null, apiClient.listId, item)
-    );
+    const [formState, setFormState] = useState<ArtifactFormComponentOnChangeCallbackProps>(() => {
+      const initialFormState = createFormInitialState(apiClient.listId, item);
+
+      // for Create Mode: If user is not able to manage global artifacts then the initial item should be per-policy
+      if (!item && isSpaceAwarenessEnabled && !canManageGlobalArtifacts) {
+        initialFormState.item.tags = (initialFormState.item.tags ?? []).filter(
+          (tag) => tag !== GLOBAL_ARTIFACT_TAG
+        );
+      }
+
+      return initialFormState;
+    });
     const showExpiredLicenseBanner = useIsArtifactAllowedPerPolicyUsage(
       { tags: formState.item.tags ?? [] },
       formMode