add elasticInternalOrigin=false tests and update readme

packages/core/deprecations/core-deprecations-server-internal/src/routes/post_validation_handler.ts

@@ -38,7 +38,6 @@ export function createRouteDeprecationsHandler({
   return (req: CoreKibanaRequest, metadata: PostValidationMetadata) => {
     const hasRouteDeprecation = getIsRouteApiDeprecation(metadata);
     const hasAccessDeprecation = getIsAccessApiDeprecation(metadata);
-
     const isApiDeprecation = hasAccessDeprecation || hasRouteDeprecation;
     if (isApiDeprecation && req.route.routePath) {
       const counterName = buildApiDeprecationId({

packages/core/http/core-http-router-server-internal/src/request.ts

@@ -177,9 +177,14 @@ export class CoreKibanaRequest<
     this.headers = isRealReq ? deepFreeze({ ...request.headers }) : request.headers;
     this.isSystemRequest = this.headers['kbn-system-request'] === 'true';
     this.isFakeRequest = !isRealReq;
+    // set to false if elasticInternalOrigin is explicitly set to false
+    // otherwise check for the header or the query param
     this.isInternalApiRequest =
-      X_ELASTIC_INTERNAL_ORIGIN_REQUEST in this.headers ||
-      Boolean(this.url?.searchParams?.has(ELASTIC_INTERNAL_ORIGIN_QUERY_PARAM));
+      this.url?.searchParams?.get(ELASTIC_INTERNAL_ORIGIN_QUERY_PARAM) === 'false'
+        ? false
+        : X_ELASTIC_INTERNAL_ORIGIN_REQUEST in this.headers ||
+          this.url?.searchParams?.has(ELASTIC_INTERNAL_ORIGIN_QUERY_PARAM);
+
     // prevent Symbol exposure via Object.getOwnPropertySymbols()
     Object.defineProperty(this, requestSymbol, {
       value: request,

packages/core/http/core-http-router-server-internal/src/router.ts

@@ -343,15 +343,15 @@ export class Router<Context extends RequestHandlerContextBase = RequestHandlerCo
       emit?.onPostValidation(req, {
         deprecated: req.route.options.deprecated,
         isInternalApiRequest: req.isInternalApiRequest,
-        isPublicAccess: isPublicUnversionedRoute,
+        isPublicAccess: req.route.options.access === 'public',
       });
       return response;
     }
 
     emit?.onPostValidation(kibanaRequest, {
       deprecated: kibanaRequest.route.options.deprecated,
       isInternalApiRequest: kibanaRequest.isInternalApiRequest,
-      isPublicAccess: isPublicUnversionedRoute,
+      isPublicAccess: kibanaRequest.route.options.access === 'public',
     });
 
     try {

packages/core/http/core-http-server-internal/src/lifecycle_handlers.test.ts

@@ -417,6 +417,33 @@ describe('restrictInternal post-auth handler', () => {
     const request = createForgeRequest('public', { 'x-elastic-internal-origin': 'Kibana' });
     createForwardSuccess(handler, request);
   });
+
+  it('overrides internal api when elasticInternalOrigin=false is set explicitly', () => {
+    const handler = createRestrictInternalRoutesPostAuthHandler(
+      { ...config, restrictInternalApis: true },
+      logger
+    );
+
+    // Will be treated as external
+    const request = createForgeRequest(
+      'internal',
+      { 'x-elastic-internal-origin': 'Kibana' },
+      { elasticInternalOrigin: 'false' }
+    );
+
+    responseFactory.badRequest.mockReturnValue('badRequest' as any);
+
+    const result = handler(request, responseFactory, toolkit);
+
+    expect(toolkit.next).not.toHaveBeenCalled();
+    expect(responseFactory.badRequest).toHaveBeenCalledTimes(1);
+    expect(responseFactory.badRequest.mock.calls[0][0]).toMatchInlineSnapshot(`
+      Object {
+        "body": "uri [/internal/some-path] with method [get] exists but is not available with the current configuration",
+      }
+    `);
+    expect(result).toEqual('badRequest');
+  });
 });
 
 describe('customHeaders pre-response handler', () => {

x-pack/plugins/upgrade_assistant/README.md

@@ -284,21 +284,22 @@ yarn start --plugin-path=examples/routing_example --plugin-path=examples/develop
 The following comprehensive deprecated routes examples are registered inside the folder: `examples/routing_example/server/routes/deprecated_routes`
 
 Run them in the console to trigger the deprecation condition so they show up in the UA:
+We need to explicitly set the query param `elasticInternalOrigin` to `false` to track the request as non-internal origin.
 
 ```
 # Route deprecations for Versioned routes: Version 1 is deprecated
-GET kbn:/api/routing_example/d/versioned_route?apiVersion=2023-10-31
+GET kbn:/api/routing_example/d/versioned_route?apiVersion=2023-10-31&elasticInternalOrigin=false
 
-# Route deprecations for Non-versioned routes
-GET kbn:/api/routing_example/d/removed_route
-GET kbn:/api/routing_example/d/deprecated_route
-POST kbn:/api/routing_example/d/migrated_route
+# Route deprecations for Non-versioned routes?elasticInternalOrigin=false
+GET kbn:/api/routing_example/d/removed_route?elasticInternalOrigin=false
+GET kbn:/api/routing_example/d/deprecated_route?elasticInternalOrigin=false
+POST kbn:/api/routing_example/d/migrated_route?elasticInternalOrigin=false
 {}
 
 # Access deprecations
-GET kbn:/api/routing_example/d/internal_deprecated_route
-GET kbn:/internal/routing_example/d/internal_only_route
-GET kbn:/internal/routing_example/d/internal_versioned_route?apiVersion=1
+GET kbn:/api/routing_example/d/internal_deprecated_route?elasticInternalOrigin=false
+GET kbn:/internal/routing_example/d/internal_only_route?elasticInternalOrigin=false
+GET kbn:/internal/routing_example/d/internal_versioned_route?apiVersion=1&elasticInternalOrigin=false
 ```
 
 1. You can also mark as deprecated in the UA to remove the deprecation from the list.