add workspace attribute check and refactor saved object acl check

[raintygao]

Description

add workspace attribute check and refactor saved object acl check

Issues Resolved

Screenshot

Testing the changes

Check List

• All tests pass
  • yarn test:jest
  • yarn test:jest_integration
  • yarn test:ftr
• New functionality includes testing.
• New functionality has been documented.
• Update CHANGELOG.md
• Commits are signed per the DCO using --signoff

[codecov-commenter]

Codecov Report

Merging #93 (2398e76) into workspace (a9ffe1b) will increase coverage by 0.00%.
Report is 2 commits behind head on workspace.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           workspace      #93   +/-   ##
==========================================
  Coverage      65.79%   65.79%           
==========================================
  Files           3334     3335    +1     
  Lines          64418    64445   +27     
  Branches       10250    10260   +10     
==========================================
+ Hits           42383    42402   +19     
- Misses         19466    19475    +9     
+ Partials        2569     2568    -1     

Flag	Coverage Δ
Linux_1	34.75% <ø> (+0.02%)	⬆️
Linux_3	42.70% <0.00%> (+<0.01%)	⬆️
Windows_1	34.77% <ø> (+0.02%)	⬆️
Windows_2	54.73% <0.00%> (-0.01%)	⬇️
Windows_3	42.70% <0.00%> (-0.01%)	⬇️
Windows_4	34.77% <0.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Changed	Coverage Δ
.../server/saved_objects/permission_control/client.ts	2.70% <0.00%> (-0.16%)	⬇️

... and 5 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[ruanyl]

I couldn't get this, could you elaborate a bit?

PermissionMode here is an array which is merged by workspace type required permission and other saved object required permission.

[raintygao]

Previously, our validation logic for savedobject was:

if(isWorkspaceTypeSavedObject){
validate(workspaceType, workspaceTypeNeedPermissions)
}else{
validate(type, savedObjectNeedPermissions)
}

Now, we can merge workspaceTypeNeedPermissions and savedObjectNeedPermissions and unify savedObject permission check code.

validate(type, savedObjectNeedPermissions || workspaceTypeNeedPermissions)

In this way, the verification can be performed, unless there is dirty data which cannot be controlled.

[ruanyl]

I'm a bit concern about the bulk action here, it looks the validation of the objects list is sequential, which means it validates the object one by one, if there was a long object list, I feel this is going to take unexpected long time. cc @wanglam

[wanglam]

Maybe we can find some way to do these parallelly, validate 5-10 objects one time. What do you think about that? I think this is out of this PR scope, we can separate one task to optimize it.

[raintygao]

The logic here is a little tricky. If we want to bulk update the four objects [a, b, c, d], if a and b only have the operation permission on the workspace attribute, and c and d only have the operation permission on the object, then the update operation can still succeed. This means we have to do validation based on the single object.

[raintygao]

From the perspective of experience, we can do several verifications based on single object at the same time in a new task.