Skip to content

Commit

Permalink
[8.x] Unauthorized route migration for routes owned by fleet (#198330) (
Browse files Browse the repository at this point in the history 
#204828)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Unauthorized route migration for routes owned by fleet
(#198330)](#198330)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Kibana
Machine","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-12-18T19:37:33Z","message":"Unauthorized
route migration for routes owned by fleet
(#198330)","sha":"51033457468821a73bf709fdfad1367b7156ab14","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["enhancement","release_note:skip","Feature:Security/Authorization","Team:Fleet","v9.0.0","backport:prev-minor","Authz:
API migration"],"title":"Unauthorized route migration for routes owned
by
fleet","number":198330,"url":"https://github.com/elastic/kibana/pull/198330","mergeCommit":{"message":"Unauthorized
route migration for routes owned by fleet
(#198330)","sha":"51033457468821a73bf709fdfad1367b7156ab14"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/198330","number":198330,"mergeCommit":{"message":"Unauthorized
route migration for routes owned by fleet
(#198330)","sha":"51033457468821a73bf709fdfad1367b7156ab14"}}]}]
BACKPORT-->
  • Loading branch information
@kibanamachine
kibanamachine authored Dec 18, 2024
1 parent f0d24e4 commit 353551f
Show file tree
Hide file tree
Showing 2 changed files with 20 additions and 1 deletion.
10 changes: 10 additions & 0 deletions src/plugins/custom_integrations/server/routes/define_routes.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,11 @@ export function defineRoutes(
{
path: ROUTES_APPEND_CUSTOM_INTEGRATIONS,
validate: false,
security: {
authz: {
requiredPrivileges: ['integrations-read'],
},
},
},
async (context, request, response) => {
const integrations = customIntegrationsRegistry.getAppendCustomIntegrations();
Expand All @@ -35,6 +40,11 @@ export function defineRoutes(
{
path: ROUTES_REPLACEMENT_CUSTOM_INTEGRATIONS,
validate: false,
security: {
authz: {
requiredPrivileges: ['integrations-read'],
},
},
},
async (context, request, response) => {
const integrations = customIntegrationsRegistry.getReplacementCustomIntegrations();
Expand Down
11 changes: 10 additions & 1 deletion x-pack/plugins/fleet/server/services/security/fleet_router.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ import {
type RequestHandler,
type RouteMethod,
} from '@kbn/core/server';
import type { VersionedRouteConfig } from '@kbn/core-http-server';
import type { RouteSecurity, VersionedRouteConfig } from '@kbn/core-http-server';

import { PUBLIC_API_ACCESS } from '../../../common/constants';
import type { FleetRequestHandlerContext } from '../..';
Expand All @@ -35,6 +35,14 @@ import {
doesNotHaveRequiredFleetAuthz,
} from './security';

export const DEFAULT_FLEET_ROUTE_SECURITY: RouteSecurity = {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because Fleet use his own authorization model.',
},
};

function withDefaultPublicAccess<Method extends RouteMethod>(
options: FleetVersionedRouteConfig<Method>
): VersionedRouteConfig<Method> {
Expand All @@ -44,6 +52,7 @@ function withDefaultPublicAccess<Method extends RouteMethod>(
return {
...options,
access: PUBLIC_API_ACCESS,
security: DEFAULT_FLEET_ROUTE_SECURITY,
};
}
}
Expand Down

0 comments on commit 353551f

Please sign in to comment.