From 969e9d6c5e5ff606cd8be8129c160ba6fad34b5f Mon Sep 17 00:00:00 2001 From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 19 Dec 2024 06:37:33 +1100 Subject: [PATCH] Unauthorized route migration for routes owned by fleet (#198330) --- .../server/routes/define_routes.ts | 10 ++++++++++ .../fleet/server/services/security/fleet_router.ts | 11 ++++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/src/plugins/custom_integrations/server/routes/define_routes.ts b/src/plugins/custom_integrations/server/routes/define_routes.ts index d59d9f98ff4c1..35231c7064345 100644 --- a/src/plugins/custom_integrations/server/routes/define_routes.ts +++ b/src/plugins/custom_integrations/server/routes/define_routes.ts @@ -22,6 +22,11 @@ export function defineRoutes( { path: ROUTES_APPEND_CUSTOM_INTEGRATIONS, validate: false, + security: { + authz: { + requiredPrivileges: ['integrations-read'], + }, + }, }, async (context, request, response) => { const integrations = customIntegrationsRegistry.getAppendCustomIntegrations(); @@ -35,6 +40,11 @@ export function defineRoutes( { path: ROUTES_REPLACEMENT_CUSTOM_INTEGRATIONS, validate: false, + security: { + authz: { + requiredPrivileges: ['integrations-read'], + }, + }, }, async (context, request, response) => { const integrations = customIntegrationsRegistry.getReplacementCustomIntegrations(); diff --git a/x-pack/plugins/fleet/server/services/security/fleet_router.ts b/x-pack/plugins/fleet/server/services/security/fleet_router.ts index 775fe7e4765e5..b727fa5ec68d1 100644 --- a/x-pack/plugins/fleet/server/services/security/fleet_router.ts +++ b/x-pack/plugins/fleet/server/services/security/fleet_router.ts @@ -14,7 +14,7 @@ import { type RequestHandler, type RouteMethod, } from '@kbn/core/server'; -import type { VersionedRouteConfig } from '@kbn/core-http-server'; +import type { RouteSecurity, VersionedRouteConfig } from '@kbn/core-http-server'; import { PUBLIC_API_ACCESS } from '../../../common/constants'; import type { FleetRequestHandlerContext } from '../..'; @@ -35,6 +35,14 @@ import { doesNotHaveRequiredFleetAuthz, } from './security'; +export const DEFAULT_FLEET_ROUTE_SECURITY: RouteSecurity = { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because Fleet use his own authorization model.', + }, +}; + function withDefaultPublicAccess( options: FleetVersionedRouteConfig ): VersionedRouteConfig { @@ -44,6 +52,7 @@ function withDefaultPublicAccess( return { ...options, access: PUBLIC_API_ACCESS, + security: DEFAULT_FLEET_ROUTE_SECURITY, }; } }