From dcf5f91784e320cd097d63b2df38622b03883e50 Mon Sep 17 00:00:00 2001
From: Larry Gregory
Date: Mon, 6 May 2019 15:57:18 -0400
Subject: [PATCH] Feature Controls - remove "grantWithBaseRead" flag (#36121)
---
.../privileges/privileges.test.ts | 88 -------------------
.../authorization/privileges/privileges.ts | 2 +-
.../feature_registry/feature_registry.test.ts | 1 -
.../lib/feature_registry/feature_registry.ts | 2 -
4 files changed, 1 insertion(+), 92 deletions(-)
diff --git a/x-pack/plugins/security/server/lib/authorization/privileges/privileges.test.ts b/x-pack/plugins/security/server/lib/authorization/privileges/privileges.test.ts
index c8c9377c41b3..ccd2272f55a1 100644
--- a/x-pack/plugins/security/server/lib/authorization/privileges/privileges.test.ts
+++ b/x-pack/plugins/security/server/lib/authorization/privileges/privileges.test.ts
@@ -625,94 +625,6 @@ describe('features', () => { ]); }); - test('actions defined in a feature privilege with `includeInBaseRead` are included in `read`', () => { - const features: Feature[] = [ - { - id: 'foo', - name: 'Foo Feature', - icon: 'arrowDown', - navLinkId: 'kibana:foo', - app: [], - catalogue: ['ignore-me-1', 'ignore-me-2'], - management: { - foo: ['ignore-me-1', 'ignore-me-2'], - }, - privileges: { - all: { - management: { - 'ignore-me': ['ignore-me-1', 'ignore-me-2'], - }, - catalogue: ['ignore-me-1', 'ignore-me-2'], - savedObject: { - all: ['ignore-me-1', 'ignore-me-2'], - read: ['ignore-me-1', 'ignore-me-2'], - }, - ui: ['ignore-me-1', 'ignore-me-2'], - }, - bar: { - grantWithBaseRead: true, - management: { - 'read-management': ['read-management-1', 'read-management-2'], - }, - catalogue: ['read-catalogue-1', 'read-catalogue-2'], - savedObject: { - all: ['read-savedObject-all-1', 'read-savedObject-all-2'], - read: ['read-savedObject-read-1', 'read-savedObject-read-2'], - }, - ui: ['read-ui-1', 'read-ui-2'], - }, - }, - }, - ]; - - const mockXPackMainPlugin = { - getFeatures: jest.fn().mockReturnValue(features), - }; - - const privileges = privilegesFactory(actions, mockXPackMainPlugin as any); - - const actual = privileges.get(); - expect(actual).toHaveProperty(`${group}.read`, [ - actions.login, - actions.version, - actions.ui.get('catalogue', 'read-catalogue-1'), - actions.ui.get('catalogue', 'read-catalogue-2'), - actions.ui.get('management', 'read-management', 'read-management-1'), - actions.ui.get('management', 'read-management', 'read-management-2'), - actions.ui.get('navLinks', 'kibana:foo'), - actions.savedObject.get('read-savedObject-all-1', 'bulk_get'), - actions.savedObject.get('read-savedObject-all-1', 'get'), - actions.savedObject.get('read-savedObject-all-1', 'find'), - actions.savedObject.get('read-savedObject-all-1', 'create'), - actions.savedObject.get('read-savedObject-all-1', 'bulk_create'), - 
actions.savedObject.get('read-savedObject-all-1', 'update'), - actions.savedObject.get('read-savedObject-all-1', 'delete'), - actions.savedObject.get('read-savedObject-all-2', 'bulk_get'), - actions.savedObject.get('read-savedObject-all-2', 'get'), - actions.savedObject.get('read-savedObject-all-2', 'find'), - actions.savedObject.get('read-savedObject-all-2', 'create'), - actions.savedObject.get('read-savedObject-all-2', 'bulk_create'), - actions.savedObject.get('read-savedObject-all-2', 'update'), - actions.savedObject.get('read-savedObject-all-2', 'delete'), - actions.savedObject.get('read-savedObject-read-1', 'bulk_get'), - actions.savedObject.get('read-savedObject-read-1', 'get'), - actions.savedObject.get('read-savedObject-read-1', 'find'), - actions.savedObject.get('read-savedObject-read-2', 'bulk_get'), - actions.savedObject.get('read-savedObject-read-2', 'get'), - actions.savedObject.get('read-savedObject-read-2', 'find'), - actions.ui.get('savedObjectsManagement', 'read-savedObject-all-1', 'delete'), - actions.ui.get('savedObjectsManagement', 'read-savedObject-all-1', 'edit'), - actions.ui.get('savedObjectsManagement', 'read-savedObject-all-1', 'read'), - actions.ui.get('savedObjectsManagement', 'read-savedObject-all-2', 'delete'), - actions.ui.get('savedObjectsManagement', 'read-savedObject-all-2', 'edit'), - actions.ui.get('savedObjectsManagement', 'read-savedObject-all-2', 'read'), - actions.ui.get('savedObjectsManagement', 'read-savedObject-read-1', 'read'), - actions.ui.get('savedObjectsManagement', 'read-savedObject-read-2', 'read'), - actions.ui.get('foo', 'read-ui-1'), - actions.ui.get('foo', 'read-ui-2'), - ]); - }); - test('actions defined in a reserved privilege are not included in `all` or `read`', () => { const features: Feature[] = [ { diff --git a/x-pack/plugins/security/server/lib/authorization/privileges/privileges.ts b/x-pack/plugins/security/server/lib/authorization/privileges/privileges.ts index fbf806606bc3..c858bc61393f 100644 
--- a/x-pack/plugins/security/server/lib/authorization/privileges/privileges.ts +++ b/x-pack/plugins/security/server/lib/authorization/privileges/privileges.ts @@ -36,7 +36,7 @@ export function privilegesFactory(actions: Actions, xpackMainPlugin: XPackMainPl flatten( features.map(feature => Object.entries(feature.privileges).reduce((acc, [privilegeId, privilege]) => { - if (privilegeId !== 'read' && !Boolean(privilege.grantWithBaseRead)) { + if (privilegeId !== 'read') { return acc; } diff --git a/x-pack/plugins/xpack_main/server/lib/feature_registry/feature_registry.test.ts b/x-pack/plugins/xpack_main/server/lib/feature_registry/feature_registry.test.ts index a2b7395b1a02..9bab780ac56a 100644 --- a/x-pack/plugins/xpack_main/server/lib/feature_registry/feature_registry.test.ts +++ b/x-pack/plugins/xpack_main/server/lib/feature_registry/feature_registry.test.ts @@ -40,7 +40,6 @@ describe('FeatureRegistry', () => { }, privileges: { all: { - grantWithBaseRead: true, catalogue: ['foo'], management: { foo: ['bar'], diff --git a/x-pack/plugins/xpack_main/server/lib/feature_registry/feature_registry.ts b/x-pack/plugins/xpack_main/server/lib/feature_registry/feature_registry.ts index 66fd31fb7db4..c07eef3681d5 100644 --- a/x-pack/plugins/xpack_main/server/lib/feature_registry/feature_registry.ts +++ b/x-pack/plugins/xpack_main/server/lib/feature_registry/feature_registry.ts @@ -9,7 +9,6 @@ import { cloneDeep, difference, uniq } from 'lodash'; import { UICapabilities } from 'ui/capabilities'; export interface FeatureKibanaPrivileges { - grantWithBaseRead?: boolean; management?: { [sectionId: string]: string[]; }; @@ -65,7 +64,6 @@ const managementSchema = Joi.object().pattern( const catalogueSchema = Joi.array().items(Joi.string()); const privilegeSchema = Joi.object({ - grantWithBaseRead: Joi.bool(), management: managementSchema, catalogue: catalogueSchema, api: Joi.array().items(Joi.string()),
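Review bot: The tightened guard `if (privilegeId !== 'read')` in privilegesFactory (privileges.ts) is now the only thing deciding which feature actions reach the base `read` privilege, and nothing at that line says the restriction is deliberate. The removed test shows the old flag could fold savedObject `create`, `update` and `delete` actions into base `read`, so a comment above the guard such as `// Base read is built only from each feature's own 'read' privilege; no other privilege can opt in.` would help keep a later change from reintroducing a widening path. The diffstat shows privileges.test.ts only loses lines, so unless an existing test already covers it, a negative test asserting that a non-`read` privilege's actions are absent from `${group}.read` would pin the new behaviour. The reduce callback starts and ends outside the hunk.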