synthetics-param with "Share across spaces" cannot be re-encrypted #215534

@jeramysoucy

Kibana version: ? < 8.13.4 < ?

Describe the bug: synthetics-params created with the "Share across spaces" UI option fail the re-encryption process (rotate keys API).

This option adds the global spaces identifier to the object's namespaces array. When a synthetics-param is configured this way, it fails re-encryption. This was discovered during the first round of 9.0 testing, but is an existing bug unrelated to the AAD include list changes implemented in 8.14.0 (occurs prior to this version).

Steps to reproduce:

  1. Start es/kb. Make sure Kibana is configured with a known saved objects encryption key:

         xpack.encryptedSavedObjects.encryptionKey: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

  2. Navigate to Synthetics->Settings->Global Parameters
  3. Create a parameter, check the "Share across spaces" option
  4. Create another parameter without this option
  5. Rotate the saved objects encryption key:

         xpack.encryptedSavedObjects:
           encryptionKey: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
           keyRotation:
             decryptionOnlyKeys: ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]

  6. Use the rotate key API to attempt to re-encrypt the parameters:

         POST kbn:/api/encrypted_saved_objects/_rotate_key?type=synthetics-param&batch_size=1000

  7. Confirm that one of the two synthetics-params failed to be re-encrypted. If you delete the synthetics-param with the "Share across spaces" option, there will be no failures.

Expected behavior:
synthetics-params, like any other encrypted saved object, should be re-encryptable after a proper key rotation.

In the scope of this issue we should add a platform integration test for shareable encrypted SOs.
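A triage helper for step 7, added here as an example and not taken from the issue or from Kibana's code: it reads the rotate key API's `total`/`successful`/`failed` counts and, when anything failed, lists the `synthetics-param` objects whose `namespaces` array contains the global spaces identifier. The function names, the sample data, the `"*"` value for that identifier and the saved-object shape (`id`, `type`, `namespaces`) are assumptions.

```python
# Assumed value of the "global spaces identifier" the issue refers to.
ALL_SPACES_ID = "*"


def shared_across_spaces(saved_objects, so_type="synthetics-param"):
    """Return sorted ids of so_type objects shared across all spaces."""
    return sorted(
        obj["id"]
        for obj in saved_objects
        if obj.get("type") == so_type
        and ALL_SPACES_ID in obj.get("namespaces", [])
    )


def triage_rotation(rotate_response, saved_objects, so_type="synthetics-param"):
    """Summarise a rotate-key response and point at likely failing objects.

    While 'failed' is non-zero, some objects are still encrypted with the
    old key, so it has to stay in keyRotation.decryptionOnlyKeys.
    """
    failed = int(rotate_response.get("failed", 0))
    suspects = shared_across_spaces(saved_objects, so_type) if failed else []
    return {
        "complete": failed == 0,
        "failed": failed,
        "suspects": suspects,
        # Failures not accounted for by shared objects need separate review.
        "unexplained": max(failed - len(suspects), 0),
    }


# Constructed sample mirroring the reproduction: one shared parameter and
# one parameter that lives only in the default space.
SAMPLE_OBJECTS = [
    {"id": "param-shared", "type": "synthetics-param", "namespaces": ["*"]},
    {"id": "param-local", "type": "synthetics-param", "namespaces": ["default"]},
    {"id": "other", "type": "action", "namespaces": ["*"]},
]
SAMPLE_RESPONSE = {"total": 2, "successful": 1, "failed": 1}

if __name__ == "__main__":
    print(triage_rotation(SAMPLE_RESPONSE, SAMPLE_OBJECTS))
```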

Labels

  - Feature:Security/Encrypted Saved Objects
  - Team:Security (Platform Security: Auth, Users, Roles, Spaces, Audit Logging, etc)
  - Team:actionable-obs (Formerly "obs-ux-management", responsible for SLO, o11y alerting, significant events, & synthetics.)
  - bug (Fixes for quality problems that affect the customer experience)
