[Workspace]Deny get or bulkGet for global data source (#8043) (#8051)

* Deny get or bulkGet for global data source



* Changeset file for PR #8043 created/updated

---------



(cherry picked from commit d22b68b)

Signed-off-by: Lin Wang <wonglam@amazon.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: opensearch-changeset-bot[bot] <154024398+opensearch-changeset-bot[bot]@users.noreply.github.com>

Author: 3 people

changelogs/fragments/8043.yml

@@ -0,0 +1,2 @@
+feat:
+- [Workspace]Deny get or bulkGet for global data source ([#8043](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/8043))

src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.test.ts

@@ -53,6 +53,12 @@ const generateWorkspaceSavedObjectsClientWrapper = (role = NO_DASHBOARD_ADMIN) =
       id: 'global-data-source',
       attributes: { title: 'Global data source' },
     },
+    {
+      type: DATA_SOURCE_SAVED_OBJECT_TYPE,
+      id: 'global-data-source-empty-workspaces',
+      attributes: { title: 'Global data source empty workspaces' },
+      workspaces: [],
+    },
     {
       type: DATA_SOURCE_SAVED_OBJECT_TYPE,
       id: 'workspace-1-data-source',
@@ -620,6 +626,33 @@ describe('WorkspaceSavedObjectsClientWrapper', () => {
           workspaces: ['workspace-1'],
         });
       });
+
+      it('should throw permission error when tried to access a global data source', async () => {
+        const { wrapper } = generateWorkspaceSavedObjectsClientWrapper();
+        let errorCatched;
+        try {
+          await wrapper.get('data-source', 'global-data-source');
+        } catch (e) {
+          errorCatched = e;
+        }
+        expect(errorCatched?.message).toEqual(
+          'Invalid data source permission, please associate it to current workspace'
+        );
+      });
+
+      it('should throw permission error when tried to access a empty workspaces global data source', async () => {
+        const { wrapper, requestMock } = generateWorkspaceSavedObjectsClientWrapper();
+        updateWorkspaceState(requestMock, { requestWorkspaceId: undefined });
+        let errorCatched;
+        try {
+          await wrapper.get('data-source', 'global-data-source-empty-workspaces');
+        } catch (e) {
+          errorCatched = e;
+        }
+        expect(errorCatched?.message).toEqual(
+          'Invalid data source permission, please associate it to current workspace'
+        );
+      });
     });
     describe('bulk get', () => {
       it("should call permission validate with object's workspace and throw permission error", async () => {
@@ -744,6 +777,36 @@ describe('WorkspaceSavedObjectsClientWrapper', () => {
           ],
         });
       });
+
+      it('should throw permission error when tried to bulk get global data source', async () => {
+        const { wrapper, requestMock } = generateWorkspaceSavedObjectsClientWrapper();
+        updateWorkspaceState(requestMock, { requestWorkspaceId: undefined });
+        let errorCatched;
+        try {
+          await wrapper.bulkGet([{ type: 'data-source', id: 'global-data-source' }]);
+        } catch (e) {
+          errorCatched = e;
+        }
+        expect(errorCatched?.message).toEqual(
+          'Invalid data source permission, please associate it to current workspace'
+        );
+      });
+
+      it('should throw permission error when tried to bulk get a empty workspace global data source', async () => {
+        const { wrapper, requestMock } = generateWorkspaceSavedObjectsClientWrapper();
+        updateWorkspaceState(requestMock, { requestWorkspaceId: undefined });
+        let errorCatched;
+        try {
+          await wrapper.bulkGet([
+            { type: 'data-source', id: 'global-data-source-empty-workspaces' },
+          ]);
+        } catch (e) {
+          errorCatched = e;
+        }
+        expect(errorCatched?.message).toEqual(
+          'Invalid data source permission, please associate it to current workspace'
+        );
+      });
     });
     describe('find', () => {
       it('should call client.find with consistent params when ACLSearchParams and workspaceOperator not provided', async () => {

src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts

@@ -204,7 +204,24 @@ export class WorkspaceSavedObjectsClientWrapper {
     request: OpenSearchDashboardsRequest
   ) => {
     const requestWorkspaceId = getWorkspaceState(request).requestWorkspaceId;
-    return !requestWorkspaceId || !!object.workspaces?.includes(requestWorkspaceId);
+    // Deny access if the object is a global data source (no workspaces assigned)
+    if (!object.workspaces || object.workspaces.length === 0) {
+      return false;
+    }
+    /**
+     * Allow access if no specific workspace is requested.
+     * This typically occurs when retrieving data sources or performing operations
+     * that don't require a specific workspace, such as pages within the
+     * Data Administration navigation group that include a data source picker.
+     */
+    if (!requestWorkspaceId) {
+      return true;
+    }
+    /*
+     * Allow access if the requested workspace matches one of the object's assigned workspaces
+     * This ensures that the user can only access data sources within their current workspace
+     */
+    return object.workspaces.includes(requestWorkspaceId);
   };
 
   private getWorkspaceTypeEnabledClient(request: OpenSearchDashboardsRequest) {