The saved object repository's find function allows partial objects to be retrieved via the SavedObjectsFindOptions.fields parameter. When this occurs, the partial documents do not undergo migration; however, decryption is still attempted on any attributes with dangerouslyExposeValue set to true.
Decryption will fail if:
find is used to resolve encrypted saved object types AND
those types define encrypted attributes with dangerouslyExposeValue set to true AND
the SavedObjectsFindOptions.fields parameter contains one of the encrypted attributes that is "dangerously exposed" AND
the SavedObjectsFindOptions.fields parameter does not include all of the AAD attributes
Note: The find function handles decryption failures gracefully; however, an error log is generated for every decryption failure that occurs. Our serverless dashboards and alerts will pick up this failure without knowing the context.
This case may never occur, but because it is possible, it should be handled appropriately.
Potential solution
One solution would be to first determine if the find parameters target dangerously exposed encrypted attributes, and if they do, augment the fields parameter value with the required AAD fields in order to perform decryption successfully. The additional fields could be stripped from the objects before returning the response.
Related: https://github.com/elastic/kibana/pull/198703
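A sketch of the potential solution described above, as an added example that is not part of the original issue and not Kibana's own code. The registration shape, the function names `planFindFields` and `stripAddedFields`, and the sample type are simplified assumptions.

```typescript
// Simplified, hypothetical model of an encrypted saved object type registration.
interface EncryptedTypeRegistration {
  type: string;
  // Encrypted attribute name -> its exposure setting.
  attributesToEncrypt: Record<string, { dangerouslyExposeValue: boolean }>;
  attributesToIncludeInAAD: string[];
}

interface FieldsPlan {
  fields: string[] | undefined; // value to pass on as the find fields option
  addedForAAD: string[]; // AAD attributes the caller did not request
}

// If the requested fields include a dangerously exposed encrypted attribute,
// add every missing AAD attribute so that decryption can succeed.
function planFindFields(requested: string[] | undefined, reg: EncryptedTypeRegistration): FieldsPlan {
  // No fields filter: full documents come back, so nothing needs adding.
  if (requested === undefined) return { fields: undefined, addedForAAD: [] };
  const wantsExposed = requested.some(
    (f) =>
      Object.prototype.hasOwnProperty.call(reg.attributesToEncrypt, f) &&
      reg.attributesToEncrypt[f].dangerouslyExposeValue === true
  );
  // Nothing will be decrypted for this request, so leave it untouched.
  if (!wantsExposed) return { fields: requested, addedForAAD: [] };
  const addedForAAD = reg.attributesToIncludeInAAD.filter((f) => requested.indexOf(f) === -1);
  return { fields: requested.concat(addedForAAD), addedForAAD };
}

// Remove attributes that were fetched only to rebuild the AAD, so the response
// contains exactly what the caller asked for.
function stripAddedFields(attributes: Record<string, unknown>, addedForAAD: string[]): Record<string, unknown> {
  const result: Record<string, unknown> = {};
  for (const key of Object.keys(attributes)) {
    if (addedForAAD.indexOf(key) === -1) result[key] = attributes[key];
  }
  return result;
}

// Constructed sample registration (not a real Kibana type).
const sampleType: EncryptedTypeRegistration = {
  type: 'sample-connector',
  attributesToEncrypt: {
    apiKey: { dangerouslyExposeValue: true },
    secret: { dangerouslyExposeValue: false },
  },
  attributesToIncludeInAAD: ['name', 'ownerId'],
};
```

Only the attributes recorded in `addedForAAD` are stripped, so an AAD attribute the caller explicitly requested stays in the response.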