[ResponseOps] Granular Connector RBAC (elastic#203503)

Part of elastic#180908

## Summary

**EDR Connector Subfeature Privilege**
This PR creates a new EDR connector sub-feature privilege under the read
privilege for connectors. The read privilege currently allows users to
execute connectors, and this new privilege will limit some of the
connectors that can be executed. When the EDR privilege is turned on,
users will be able to execute EDR connectors, and when it is off they
will not execute. This new privilege includes SentinelOne and
Crowdstrike connectors.

To determine which connectors are considered EDR connectors, we
leverage`getKibanaPrivileges` in the connector type definition. I
removed the restrictions to use this field only for system actions and
renamed `getSystemActionKibanaPrivileges` to
`getActionKibanaPrivileges`. I also added a field, `subFeatureType `, to
the connector type definition to help disable testing/executing an
connectors that are restricted under a sub-feature.

**EDR Connector Execution for Testing**
The execution of EDR connectors using the API is limited to a single
sub-action for testing purposes. This ensures users can still
configure/test EDR connectors. In a separate
[PR](elastic#204804), I added back the
SentinelOne and Crowdstrike params UIs with options restricted to one
sub-action.

**Rule API and Feature Configuration Updates**
Validation has been added to the rule APIs to enforce restrictions on
adding EDR connectors. The connector feature configuration has been
updated to include a new feature ID, EdrForSecurityFeature, which
ensures that EDR connectors are hidden on the rule form.
Note: I saw that EDR connectors are also temporarily restricted in the
Security Solution UI. To streamline this, I removed the
`isBidirectionalConnectorType` check in `action_type_registry.ts`.
Instead, I removed `SecurityConnectorFeatureId` from the
`supportedFeatureIds` of the SentinelOne connector type definition.


### Checklist

Check the PR satisfies following conditions. 

- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios


## To test

**EDR Connector Subfeature Privilege**
1. Create a new role and disable EDR connectors under the Actions and
Connectors privilege
2. Create a new user and assign that role to user
3. Create a Sentinel One connector (It doesn't need to work, you can use
fake values for the url and token)
4. Login as the new user and run the following in Dev Tools to verify
that you aren't authorized execute the Sentinel One connector
```
POST kbn:/api/actions/connector/$CONNECTOR_ID/_execute
{
  "params": {
    "subAction": "getAgents",
    "subActionParams": {}
  }
}
```
7. Update the role to enable EDR connectors and repeat the steps to
verify that you are authorized to run the connector. (It will fail but
verify it's not Unauthorized)

**EDR Connector Execution for Testing**
1. Enable the EDR connectors privilege in the role you created above and
log in as the user you created above.
2. Run the following in Dev Tools to verify that you are authorized
execute the Sentinel One connector using only the `getAgents`
sub-action. (It will fail but verify it's not `Unauthorized`)
```
POST kbn:/api/actions/connector/$CONNECTOR_ID/_execute
{
  "params": {
    "subAction": "getAgents",
    "subActionParams": {}
  }
}
```
3. Run it again but replace the `subAction` with `isolateHost`. Verify
that you get an unauthorized error.

**Rule API and Feature Configuration Updates**
1. 1. Enable the EDR connectors privilege in the role you created above
and log in as the user you created above.
2. Go to Stack Management
3. Try to create a rule, and verify that you don't see the SentinelOne
connector.
4. Try to create a rule using the API and add your SentinelOne
connector, verify that the API throws an error.
```
POST kbn:/api/alerting/rule
{
  "tags": [],
  "params": {},
  "schedule": {
    "interval": "1m"
  },
  "consumer": "alerts",
  "name": "Always firing rule",
  "rule_type_id": "example.always-firing",
  "actions": [
    {
      "group": "small",
      "id": "$CONNECTOR_ID",
      "params": {
        "subAction": "isolateAgent",
        "subActionParams": {}
      },
      "frequency": {
        "notify_when": "onActionGroupChange",
        "throttle": null,
        "summary": false
      }
    }
  ],
  "alert_delay": {
    "active": 1
  }
}
```
5. You can test the same behaviors when trying to add a SentinelOne
connector to existing rules.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

src/platform/packages/shared/kbn-actions-types/action_types.ts

@@ -9,6 +9,11 @@
 
 import type { LicenseType } from '@kbn/licensing-plugin/common/types';
 
+export enum SUB_FEATURE {
+  endpointSecurity,
+}
+export type SubFeature = keyof typeof SUB_FEATURE;
+
 export interface ActionType {
   id: string;
   name: string;
@@ -18,4 +23,5 @@ export interface ActionType {
   minimumLicenseRequired: LicenseType;
   supportedFeatureIds: string[];
   isSystemActionType: boolean;
+  subFeature?: SubFeature;
 }

src/platform/packages/shared/kbn-alerts-ui-shared/src/common/apis/fetch_connector_types/transform_connector_types_response.test.ts

@@ -21,6 +21,7 @@ describe('transformConnectorTypesResponse', () => {
         minimum_license_required: 'basic',
         supported_feature_ids: ['stackAlerts'],
         is_system_action_type: true,
+        sub_feature: 'endpointSecurity',
       },
       {
         id: 'actionType2Id',
@@ -44,6 +45,7 @@ describe('transformConnectorTypesResponse', () => {
         minimumLicenseRequired: 'basic',
         supportedFeatureIds: ['stackAlerts'],
         isSystemActionType: true,
+        subFeature: 'endpointSecurity',
       },
       {
         id: 'actionType2Id',

src/platform/packages/shared/kbn-alerts-ui-shared/src/common/apis/fetch_connector_types/transform_connector_types_response.ts

@@ -15,13 +15,15 @@ const transformConnectorType: RewriteRequestCase<ActionType> = ({
   minimum_license_required: minimumLicenseRequired,
   supported_feature_ids: supportedFeatureIds,
   is_system_action_type: isSystemActionType,
+  sub_feature: subFeature,
   ...res
 }: AsApiContract<ActionType>) => ({
   enabledInConfig,
   enabledInLicense,
   minimumLicenseRequired,
   supportedFeatureIds,
   isSystemActionType,
+  subFeature,
   ...res,
 });
 

src/platform/packages/shared/kbn-alerts-ui-shared/src/common/types/action_types.ts

@@ -11,6 +11,7 @@ import type { ComponentType, ReactNode } from 'react';
 import type { RuleActionParam, ActionVariable } from '@kbn/alerting-types';
 import { IconType, RecursivePartial } from '@elastic/eui';
 import { PublicMethodsOf } from '@kbn/utility-types';
+import { SubFeature } from '@kbn/actions-types';
 import { TypeRegistry } from '../type_registry';
 import { RuleFormParamsErrors } from './rule_types';
 
@@ -130,6 +131,7 @@ export interface ActionTypeModel<ActionConfig = any, ActionSecrets = any, Action
   hideInUi?: boolean;
   modalWidth?: number;
   isSystemActionType?: boolean;
+  subFeature?: SubFeature;
 }
 
 export type ActionTypeRegistryContract<Connector = unknown, Params = unknown> = PublicMethodsOf<

x-pack/platform/packages/shared/kbn-elastic-assistant/impl/mock/connectors.ts

@@ -18,6 +18,7 @@ export const mockActionTypes = [
     minimumLicenseRequired: 'basic',
     isSystemActionType: true,
     supportedFeatureIds: ['generativeAI'],
+    subFeature: undefined,
   } as ActionType,
   {
     id: '.bedrock',
@@ -28,6 +29,7 @@ export const mockActionTypes = [
     minimumLicenseRequired: 'basic',
     isSystemActionType: true,
     supportedFeatureIds: ['generativeAI'],
+    subFeature: undefined,
   } as ActionType,
   {
     id: '.gemini',
@@ -38,6 +40,7 @@ export const mockActionTypes = [
     minimumLicenseRequired: 'basic',
     isSystemActionType: true,
     supportedFeatureIds: ['generativeAI'],
+    subFeature: undefined,
   } as ActionType,
 ];
 

x-pack/platform/plugins/shared/actions/common/connector_feature_config.ts

@@ -28,6 +28,14 @@ export const SecurityConnectorFeatureId = 'siem';
 export const GenerativeAIForSecurityConnectorFeatureId = 'generativeAIForSecurity';
 export const GenerativeAIForObservabilityConnectorFeatureId = 'generativeAIForObservability';
 export const GenerativeAIForSearchPlaygroundConnectorFeatureId = 'generativeAIForSearchPlayground';
+export const EndpointSecurityConnectorFeatureId = 'endpointSecurity';
+
+const compatibilityEndpointSecurity = i18n.translate(
+  'xpack.actions.availableConnectorFeatures.compatibility.endpointSecurity',
+  {
+    defaultMessage: 'Endpoint Security',
+  }
+);
 
 const compatibilityGenerativeAIForSecurity = i18n.translate(
   'xpack.actions.availableConnectorFeatures.compatibility.generativeAIForSecurity',
@@ -120,6 +128,12 @@ export const GenerativeAIForSearchPlaygroundFeature: ConnectorFeatureConfig = {
   compatibility: compatibilityGenerativeAIForSearchPlayground,
 };
 
+export const EndpointSecurityConnectorFeature: ConnectorFeatureConfig = {
+  id: EndpointSecurityConnectorFeatureId,
+  name: compatibilityEndpointSecurity,
+  compatibility: compatibilityEndpointSecurity,
+};
+
 const AllAvailableConnectorFeatures = {
   [AlertingConnectorFeature.id]: AlertingConnectorFeature,
   [CasesConnectorFeature.id]: CasesConnectorFeature,
@@ -128,6 +142,7 @@ const AllAvailableConnectorFeatures = {
   [GenerativeAIForSecurityFeature.id]: GenerativeAIForSecurityFeature,
   [GenerativeAIForObservabilityFeature.id]: GenerativeAIForObservabilityFeature,
   [GenerativeAIForSearchPlaygroundFeature.id]: GenerativeAIForSearchPlaygroundFeature,
+  [EndpointSecurityConnectorFeature.id]: EndpointSecurityConnectorFeature,
 };
 
 export function areValidFeatures(ids: string[]) {

x-pack/platform/plugins/shared/actions/common/routes/connector/response/schemas/v1.ts

@@ -97,6 +97,13 @@ export const connectorTypesResponseSchema = schema.object({
   is_system_action_type: schema.boolean({
     meta: { description: 'Indicates whether the action is a system action.' },
   }),
+  sub_feature: schema.maybe(
+    schema.oneOf([schema.literal('endpointSecurity')], {
+      meta: {
+        description: 'Indicates the sub-feature type the connector is grouped under.',
+      },
+    })
+  ),
 });
 
 export const connectorExecuteResponseSchema = schema.object({

x-pack/platform/plugins/shared/actions/common/routes/connector/response/types/v1.ts

@@ -41,6 +41,7 @@ export interface ConnectorTypesResponse {
   minimum_license_required: ConnectorTypesResponseSchemaType['minimum_license_required'];
   supported_feature_ids: ConnectorTypesResponseSchemaType['supported_feature_ids'];
   is_system_action_type: ConnectorTypesResponseSchemaType['is_system_action_type'];
+  sub_feature?: ConnectorTypesResponseSchemaType['sub_feature'];
 }
 
 type ConnectorExecuteResponseSchemaType = TypeOf<typeof connectorExecuteResponseSchema>;

x-pack/platform/plugins/shared/actions/common/types.ts

@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { SUB_FEATURE } from '@kbn/actions-types';
 import { LicenseType } from '@kbn/licensing-plugin/common/types';
 import { TaskErrorSource } from '@kbn/task-manager-plugin/common';
 
@@ -15,6 +16,9 @@ export {
   SecurityConnectorFeatureId,
   GenerativeAIForSecurityConnectorFeatureId,
 } from './connector_feature_config';
+
+export type SubFeature = keyof typeof SUB_FEATURE;
+
 export interface ActionType {
   id: string;
   name: string;
@@ -24,6 +28,7 @@ export interface ActionType {
   minimumLicenseRequired: LicenseType;
   supportedFeatureIds: string[];
   isSystemActionType: boolean;
+  subFeature?: SubFeature;
 }
 
 export enum InvalidEmailReason {

x-pack/platform/plugins/shared/actions/server/action_type_registry.mock.ts

@@ -19,7 +19,8 @@ const createActionTypeRegistryMock = () => {
     isActionExecutable: jest.fn(),
     isSystemActionType: jest.fn(),
     getUtils: jest.fn(),
-    getSystemActionKibanaPrivileges: jest.fn(),
+    getActionKibanaPrivileges: jest.fn(),
+    hasSubFeature: jest.fn(),
   };
   return mocked;
 };