From 1edc4729326a0198aee4c7c2c4e4e0dfcba48f33 Mon Sep 17 00:00:00 2001 From: Jean-Louis Leysens Date: Wed, 19 Jul 2023 17:48:53 +0200 Subject: [PATCH 01/14] first pass of getting Kibana up and running with internal APIs restricted --- .../src/bundle_routes/bundles_route.ts | 1 + .../core-apps-server-internal/src/core_app.ts | 27 ++++++++++--------- .../src/http_resources_service.test.ts | 14 ++++++++++ .../src/http_resources_service.ts | 21 ++++++++++----- .../src/http_server.ts | 1 + .../src/routes/translations.ts | 1 + .../src/bootstrap/register_bootstrap_route.ts | 2 ++ .../home/public/application/load_tutorials.js | 2 ++ 8 files changed, 51 insertions(+), 18 deletions(-) diff --git a/packages/core/apps/core-apps-server-internal/src/bundle_routes/bundles_route.ts b/packages/core/apps/core-apps-server-internal/src/bundle_routes/bundles_route.ts index d427921365949..e14fd1f4f0a61 100644 --- a/packages/core/apps/core-apps-server-internal/src/bundle_routes/bundles_route.ts +++ b/packages/core/apps/core-apps-server-internal/src/bundle_routes/bundles_route.ts @@ -32,6 +32,7 @@ export function registerRouteForBundle( path: `${routePath}{path*}`, options: { authRequired: false, + access: 'public', }, validate: { params: schema.object({ diff --git a/packages/core/apps/core-apps-server-internal/src/core_app.ts b/packages/core/apps/core-apps-server-internal/src/core_app.ts index c50ddd6e5cc1f..6ef61c8571c6f 100644 --- a/packages/core/apps/core-apps-server-internal/src/core_app.ts +++ b/packages/core/apps/core-apps-server-internal/src/core_app.ts 
@@ -93,18 +93,21 @@ export class CoreAppsService { const router = httpSetup.createRouter(''); const resources = coreSetup.httpResources.createRegistrar(router); - router.get({ path: '/', validate: false }, async (context, req, res) => { - const { uiSettings } = await context.core; - const defaultRoute = await uiSettings.client.get('defaultRoute'); - const basePath = httpSetup.basePath.get(req); - const url = `${basePath}${defaultRoute}`; - - return res.redirected({ - headers: { - location: url, - }, - }); - }); + router.get( + { path: '/', validate: false, options: { access: 'public' } }, + async (context, req, res) => { + const { uiSettings } = await context.core; + const defaultRoute = await uiSettings.client.get('defaultRoute'); + const basePath = httpSetup.basePath.get(req); + const url = `${basePath}${defaultRoute}`; + + return res.redirected({ + headers: { + location: url, + }, + }); + } + ); this.registerCommonDefaultRoutes({ basePath: coreSetup.http.basePath, diff --git a/packages/core/http/core-http-resources-server-internal/src/http_resources_service.test.ts b/packages/core/http/core-http-resources-server-internal/src/http_resources_service.test.ts index 26a61ae1c369d..481b0b694747a 100644 --- a/packages/core/http/core-http-resources-server-internal/src/http_resources_service.test.ts +++ b/packages/core/http/core-http-resources-server-internal/src/http_resources_service.test.ts 
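Review bot: The `options: { access: 'public' }` added to the `/` route has no comment saying why the redirect must stay reachable without the internal-origin header, and no test in this series asserts it, unlike the bundle, translations and bootstrap routes. A one-line comment such as `// public: browsers navigate to "/" directly and cannot send the internal-origin header` would record the intent. Separately, the `location` header is still built as `${basePath}${defaultRoute}` from a uiSettings value; presumably that setting is validated as a relative path elsewhere, which is worth confirming now that the route is explicitly public. The enclosing method starts and ends outside the hunk.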
@@ -62,6 +62,20 @@ describe('HttpResources service', () => { register = await initializer(); }); + it('registration defaults to "public" access', () => { + register(routeConfig, async (ctx, req, res) => res.ok()); + const [[registeredRouteConfig]] = router.get.mock.calls; + expect(registeredRouteConfig.options?.access).toBe('public'); + }); + + it('registration can set access to "internal"', () => { + register({ ...routeConfig, options: { access: 'internal' } }, async (ctx, req, res) => + res.ok() + ); + const [[registeredRouteConfig]] = router.get.mock.calls; + expect(registeredRouteConfig.options?.access).toBe('internal'); + }); + describe('renderCoreApp', () => { it('formats successful response', async () => { register(routeConfig, async (ctx, req, res) => { diff --git a/packages/core/http/core-http-resources-server-internal/src/http_resources_service.ts b/packages/core/http/core-http-resources-server-internal/src/http_resources_service.ts index 0e659e30d474c..a896d6b98542f 100644 --- a/packages/core/http/core-http-resources-server-internal/src/http_resources_service.ts +++ b/packages/core/http/core-http-resources-server-internal/src/http_resources_service.ts @@ -85,12 +85,21 @@ export class HttpResourcesService implements CoreService, handler: HttpResourcesRequestHandler ) => { - return router.get(route, (context, request, response) => { - return handler(context as Context, request, { - ...response, - ...this.createResponseToolkit(deps, context, request, response), - }); - }); + return router.get( + { + ...route, + options: { + access: 'public', + ...route.options, + }, + }, + (context, request, response) => { + return handler(context as Context, request, { + ...response, + ...this.createResponseToolkit(deps, context, request, response), + }); + } + ); }, }; } diff --git a/packages/core/http/core-http-server-internal/src/http_server.ts b/packages/core/http/core-http-server-internal/src/http_server.ts index 3ed8a73a38641..78cab6c6ea076 100644 
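Review bot: In the options object passed to `router.get` in `http_resources_service.ts`, `access: 'public'` sits before `...route.options`, so a caller that passes `options: { access: undefined }` (for example by forwarding an optional field) overwrites the default with `undefined`. The route then gets whatever the router decides for an unset value. Resolving the value after the spread avoids that: `options: { ...route.options, access: route.options?.access ?? 'public' }`. The two added tests cover the default and an explicit `'internal'`, but not the explicit-`undefined` case. A short comment on why HTTP resources default to public would also help, since this default applies to every caller of the registrar; the `register` function begins outside the hunk.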
--- a/packages/core/http/core-http-server-internal/src/http_server.ts +++ b/packages/core/http/core-http-server-internal/src/http_server.ts @@ -587,6 +587,7 @@ export class HttpServer { }, }, options: { + app: { access: 'public' }, auth: false, cache: { privacy: 'public', diff --git a/packages/core/i18n/core-i18n-server-internal/src/routes/translations.ts b/packages/core/i18n/core-i18n-server-internal/src/routes/translations.ts index 965ac46ed413b..49a6779c7d3b2 100644 --- a/packages/core/i18n/core-i18n-server-internal/src/routes/translations.ts +++ b/packages/core/i18n/core-i18n-server-internal/src/routes/translations.ts @@ -28,6 +28,7 @@ export const registerTranslationsRoute = (router: IRouter, locale: string) => { }), }, options: { + access: 'public', authRequired: false, }, }, diff --git a/packages/core/rendering/core-rendering-server-internal/src/bootstrap/register_bootstrap_route.ts b/packages/core/rendering/core-rendering-server-internal/src/bootstrap/register_bootstrap_route.ts index c22f7f56d70f2..20d77c67b0e8f 100644 --- a/packages/core/rendering/core-rendering-server-internal/src/bootstrap/register_bootstrap_route.ts +++ b/packages/core/rendering/core-rendering-server-internal/src/bootstrap/register_bootstrap_route.ts @@ -21,6 +21,7 @@ export const registerBootstrapRoute = ({ path: '/bootstrap.js', options: { tags: ['api'], + access: 'public', }, validate: false, }, @@ -44,6 +45,7 @@ export const registerBootstrapRoute = ({ options: { authRequired: 'optional', tags: ['api'], + access: 'public', }, validate: false, }, diff --git a/src/plugins/home/public/application/load_tutorials.js b/src/plugins/home/public/application/load_tutorials.js index f6826e4de51ea..285547d6a588b 100644 --- a/src/plugins/home/public/application/load_tutorials.js +++ b/src/plugins/home/public/application/load_tutorials.js 
@@ -9,12 +9,14 @@ import _ from 'lodash'; import { getServices } from './kibana_services'; import { i18n } from '@kbn/i18n'; +import { X_ELASTIC_INTERNAL_ORIGIN_REQUEST } from '@kbn/core-http-common'; const baseUrl = getServices().addBasePath('/api/kibana/home/tutorials'); const headers = new Headers(); headers.append('Accept', 'application/json'); headers.append('Content-Type', 'application/json'); headers.append('kbn-xsrf', 'kibana'); +headers.append(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana'); let tutorials = []; let tutorialsLoaded = false; From e0141c96736496e751767c064f963c63aad5e645 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Wed, 19 Jul 2023 15:55:50 +0000 Subject: [PATCH 02/14] [CI] Auto-commit changed files from 'node scripts/lint_ts_projects --fix' --- src/plugins/home/tsconfig.json | 1 + 1 file changed, 1 insertion(+) diff --git a/src/plugins/home/tsconfig.json b/src/plugins/home/tsconfig.json index 7d5acb0f24128..f45860e4f3163 100644 --- a/src/plugins/home/tsconfig.json +++ b/src/plugins/home/tsconfig.json @@ -32,6 +32,7 @@ "@kbn/storybook", "@kbn/cloud-chat-provider-plugin", "@kbn/shared-ux-router", + "@kbn/core-http-common", ], "exclude": [ "target/**/*", From 31885b4ef52cef438bbbc62bfd2c638fa1ee1d49 Mon Sep 17 00:00:00 2001 From: Jean-Louis Leysens Date: Thu, 20 Jul 2023 13:02:54 +0200 Subject: [PATCH 03/14] fix jest test --- .../src/bundle_routes/bundle_route.test.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/core/apps/core-apps-server-internal/src/bundle_routes/bundle_route.test.ts b/packages/core/apps/core-apps-server-internal/src/bundle_routes/bundle_route.test.ts index ee43bea44ef05..4faceb178ae45 100644 --- a/packages/core/apps/core-apps-server-internal/src/bundle_routes/bundle_route.test.ts +++ b/packages/core/apps/core-apps-server-internal/src/bundle_routes/bundle_route.test.ts 
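Review bot: Appending `X_ELASTIC_INTERNAL_ORIGIN_REQUEST` to a hand-built `Headers` object means this module must be edited every time the server starts requiring another header, and any other module that builds its own `fetch` headers needs the same manual change. If the core HTTP client is reachable through `getServices()` here, sending the tutorials request through it would presumably keep such headers in one place. If the raw `fetch` stays, a comment like `// marks the request as originating from Kibana's own UI; it is not a credential, the route's auth still applies` would stop readers from treating the header as an access control, since any client can set it.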
@@ -42,6 +42,7 @@ describe('registerRouteForBundle', () => { { path: '/route-path/{path*}', options: { + access: 'public', authRequired: false, }, validate: expect.any(Object), From e97d93af5067568deb950aa132f9a022e7d95e7f Mon Sep 17 00:00:00 2001 From: Jean-Louis Leysens Date: Thu, 20 Jul 2023 14:39:34 +0200 Subject: [PATCH 04/14] set /api/status to public --- .../core/status/core-status-server-internal/src/routes/status.ts | 1 + .../core-status-server-internal/src/routes/status_preboot.ts | 1 + 2 files changed, 2 insertions(+) diff --git a/packages/core/status/core-status-server-internal/src/routes/status.ts b/packages/core/status/core-status-server-internal/src/routes/status.ts index ff2a5f8b1dbea..d3c8c7b99ff58 100644 --- a/packages/core/status/core-status-server-internal/src/routes/status.ts +++ b/packages/core/status/core-status-server-internal/src/routes/status.ts @@ -83,6 +83,7 @@ export const registerStatusRoute = ({ options: { authRequired: 'optional', tags: ['api'], // ensures that unauthenticated calls receive a 401 rather than a 302 redirect to login page + access: 'public', }, validate: { query: schema.object( diff --git a/packages/core/status/core-status-server-internal/src/routes/status_preboot.ts b/packages/core/status/core-status-server-internal/src/routes/status_preboot.ts index c3c65a0f98642..0c1ea660ebb11 100644 --- a/packages/core/status/core-status-server-internal/src/routes/status_preboot.ts +++ b/packages/core/status/core-status-server-internal/src/routes/status_preboot.ts @@ -17,6 +17,7 @@ export const registerPrebootStatusRoute = ({ router }: { router: IRouter }) => { options: { authRequired: false, tags: ['api'], + access: 'public', }, validate: false, }, From 261ae4925eff34e5ef3ae69a72b791065cd8a81a Mon Sep 17 00:00:00 2001 From: Jean-Louis Leysens Date: Thu, 20 Jul 2023 14:40:01 +0200 Subject: [PATCH 05/14] set /api/stats to public --- src/plugins/usage_collection/server/routes/stats/stats.ts | 1 + 1 file changed, 1 insertion(+) 
diff --git a/src/plugins/usage_collection/server/routes/stats/stats.ts b/src/plugins/usage_collection/server/routes/stats/stats.ts index 0c9d28d81109f..8875a350c67bc 100644 --- a/src/plugins/usage_collection/server/routes/stats/stats.ts +++ b/src/plugins/usage_collection/server/routes/stats/stats.ts @@ -55,6 +55,7 @@ export function registerStatsRoute({ path: '/api/stats', options: { authRequired: !config.allowAnonymous, + access: 'public', tags: ['api'], // ensures that unauthenticated calls receive a 401 rather than a 302 redirect to login page }, validate: { From a342b0f517e6316d9ab9ad13c0d55bc9467db38a Mon Sep 17 00:00:00 2001 From: Jean-Louis Leysens Date: Thu, 20 Jul 2023 14:40:12 +0200 Subject: [PATCH 06/14] set /api/stats to public --- src/plugins/usage_collection/server/routes/stats/stats.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/plugins/usage_collection/server/routes/stats/stats.ts b/src/plugins/usage_collection/server/routes/stats/stats.ts index 8875a350c67bc..386d482be63de 100644 --- a/src/plugins/usage_collection/server/routes/stats/stats.ts +++ b/src/plugins/usage_collection/server/routes/stats/stats.ts @@ -55,8 +55,8 @@ export function registerStatsRoute({ path: '/api/stats', options: { authRequired: !config.allowAnonymous, - access: 'public', tags: ['api'], // ensures that unauthenticated calls receive a 401 rather than a 302 redirect to login page + access: 'public', }, validate: { query: schema.object({ From 2b6a23f4c95c8f686d9d12764914737387514146 Mon Sep 17 00:00:00 2001 From: Jean-Louis Leysens Date: Thu, 20 Jul 2023 17:26:45 +0200 Subject: [PATCH 07/14] fix test --- .../core-status-server-internal/src/status_service.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/core/status/core-status-server-internal/src/status_service.test.ts b/packages/core/status/core-status-server-internal/src/status_service.test.ts index 35aa12b497fcd..9bc25b66167fe 100644 
--- a/packages/core/status/core-status-server-internal/src/status_service.test.ts +++ b/packages/core/status/core-status-server-internal/src/status_service.test.ts @@ -82,7 +82,7 @@ describe('StatusService', () => { expect(prebootRouterMock.get).toHaveBeenCalledWith( { path: '/api/status', - options: { authRequired: false, tags: ['api'] }, + options: { authRequired: false, tags: ['api'], access: 'public' }, validate: false, }, expect.any(Function) From 2face7fbd1a1fbc81afefbf4ff76fb23bafc80bf Mon Sep 17 00:00:00 2001 From: Jean-Louis Leysens Date: Mon, 24 Jul 2023 11:57:25 +0200 Subject: [PATCH 08/14] added test for setting "public" on registerStaticDirs --- .../src/http_server.test.ts | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/packages/core/http/core-http-server-internal/src/http_server.test.ts b/packages/core/http/core-http-server-internal/src/http_server.test.ts index 675d7e4fffcef..d280beee3efbc 100644 --- a/packages/core/http/core-http-server-internal/src/http_server.test.ts +++ b/packages/core/http/core-http-server-internal/src/http_server.test.ts @@ -6,6 +6,14 @@ * Side Public License, v 1. */ +jest.mock('@kbn/server-http-tools', () => { + const module = jest.requireActual('@kbn/server-http-tools'); + return { + ...module, + createServer: jest.fn(module.createServer), + }; +}); + import { Server } from 'http'; import { rm, mkdtemp, readFile, writeFile } from 'fs/promises'; import supertest from 'supertest'; @@ -23,6 +31,7 @@ import type { RequestHandlerContextBase, } from '@kbn/core-http-server'; import { Router, type RouterOptions } from '@kbn/core-http-router-server-internal'; +import { createServer } from '@kbn/server-http-tools'; import { HttpConfig } from './http_config'; import { HttpServer } from './http_server'; import { Readable } from 'stream'; 
@@ -1506,6 +1515,29 @@ describe('setup contract', () => { } }); + test('registers routes with access set to "public"', async () => { + const { registerStaticDir } = await server.setup(config); + expect(createServer).toHaveBeenCalledTimes(1); + const [{ value: myServer }] = (createServer as jest.Mock).mock.results; + jest.spyOn(myServer, 'route'); + expect(myServer.route).toHaveBeenCalledTimes(0); + registerStaticDir('/static/{path*}', assetFolder); + expect(myServer.route).toHaveBeenCalledTimes(1); + expect(myServer.route).toHaveBeenNthCalledWith( + 1, + expect.objectContaining({ + options: { + app: { access: 'public' }, + auth: false, + cache: { + privacy: 'public', + otherwise: 'must-revalidate', + }, + }, + }) + ); + }); + test('does not throw if called after stop', async () => { const { registerStaticDir } = await server.setup(config); await server.stop(); From 2c560d2b4003cd903668fd8479bdc8cd66e07392 Mon Sep 17 00:00:00 2001 From: Jean-Louis Leysens Date: Mon, 24 Jul 2023 12:02:40 +0200 Subject: [PATCH 09/14] rename test --- .../core/http/core-http-server-internal/src/http_server.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/core/http/core-http-server-internal/src/http_server.test.ts b/packages/core/http/core-http-server-internal/src/http_server.test.ts index d280beee3efbc..f188d7a06552e 100644 --- a/packages/core/http/core-http-server-internal/src/http_server.test.ts +++ b/packages/core/http/core-http-server-internal/src/http_server.test.ts @@ -1515,7 +1515,7 @@ describe('setup contract', () => { } }); - test('registers routes with access set to "public"', async () => { + test('registers routes with expected options', async () => { const { registerStaticDir } = await server.setup(config); expect(createServer).toHaveBeenCalledTimes(1); const [{ value: myServer }] = (createServer as jest.Mock).mock.results; From a6e78b8006e3f736bc6b3696d98e941cbf9acd82 Mon Sep 17 00:00:00 2001 
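Review bot: `expect(createServer).toHaveBeenCalledTimes(1)` and the destructuring of the first entry of `mock.results` only hold if the module-level `jest.fn(module.createServer)` wrapper is cleared between tests, and whether the Jest configuration does that is not visible in this diff. Calling `(createServer as jest.Mock).mockClear();` immediately before `server.setup(config)` would make the test independent of execution order. The `jest.spyOn(myServer, 'route')` spy is also never restored, which is harmless only if every test gets a fresh server instance. Because `options` is matched exactly inside `expect.objectContaining`, a comment noting that the full option set is pinned on purpose would explain the failure when someone later adds an option to the static-dir route.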
From: Jean-Louis Leysens Date: Mon, 24 Jul 2023 12:02:54 +0200 Subject: [PATCH 10/14] added test against translations route options --- .../src/routes/translations.test.ts | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 packages/core/i18n/core-i18n-server-internal/src/routes/translations.test.ts diff --git a/packages/core/i18n/core-i18n-server-internal/src/routes/translations.test.ts b/packages/core/i18n/core-i18n-server-internal/src/routes/translations.test.ts new file mode 100644 index 0000000000000..9d9f19c381577 --- /dev/null +++ b/packages/core/i18n/core-i18n-server-internal/src/routes/translations.test.ts @@ -0,0 +1,23 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { mockRouter } from '@kbn/core-http-router-server-mocks'; +import { registerTranslationsRoute } from './translations'; + +describe('registerTranslationsRoute', () => { + test('registers route with expected options', () => { + const router = mockRouter.create(); + registerTranslationsRoute(router, 'en'); + expect(router.get).toHaveBeenCalledTimes(1); + expect(router.get).toHaveBeenNthCalledWith( + 1, + expect.objectContaining({ options: { access: 'public', authRequired: false } }), + expect.any(Function) + ); + }); +}); From db08571e5786480d1dee14bf1a3566ec293dc2ca Mon Sep 17 00:00:00 2001 From: Jean-Louis Leysens Date: Mon, 24 Jul 2023 12:07:28 +0200 Subject: [PATCH 11/14] added test for options against bootstrap.js routes --- .../register_bootstrap_route.test.ts | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 packages/core/rendering/core-rendering-server-internal/src/bootstrap/register_bootstrap_route.test.ts 
diff --git a/packages/core/rendering/core-rendering-server-internal/src/bootstrap/register_bootstrap_route.test.ts b/packages/core/rendering/core-rendering-server-internal/src/bootstrap/register_bootstrap_route.test.ts new file mode 100644 index 0000000000000..0b0a015e254df --- /dev/null +++ b/packages/core/rendering/core-rendering-server-internal/src/bootstrap/register_bootstrap_route.test.ts @@ -0,0 +1,31 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { registerBootstrapRoute } from './register_bootstrap_route'; +import { mockRouter } from '@kbn/core-http-router-server-mocks'; + +describe('registerBootstrapRoute', () => { + test('register with expected options', () => { + const router = mockRouter.create(); + const renderer = jest.fn(); + registerBootstrapRoute({ router, renderer }); + expect(router.get).toHaveBeenCalledTimes(2); + expect(router.get).toHaveBeenNthCalledWith( + 1, + expect.objectContaining({ options: { access: 'public', tags: ['api'] } }), + expect.any(Function) + ); + expect(router.get).toHaveBeenNthCalledWith( + 2, + expect.objectContaining({ + options: { access: 'public', tags: ['api'], authRequired: 'optional' }, + }), + expect.any(Function) + ); + }); +}); From 06861d5065b7c58fbd7b31c0b57314e9210b1766 Mon Sep 17 00:00:00 2001 From: Jean-Louis Leysens Date: Mon, 24 Jul 2023 12:12:09 +0200 Subject: [PATCH 12/14] added comments to stats and status routes --- .../status/core-status-server-internal/src/routes/status.ts | 2 +- .../core-status-server-internal/src/routes/status_preboot.ts | 2 +- src/plugins/usage_collection/server/routes/stats/stats.ts | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/packages/core/status/core-status-server-internal/src/routes/status.ts b/packages/core/status/core-status-server-internal/src/routes/status.ts index d3c8c7b99ff58..403686bdf2688 100644 --- a/packages/core/status/core-status-server-internal/src/routes/status.ts +++ b/packages/core/status/core-status-server-internal/src/routes/status.ts @@ -83,7 +83,7 @@ export const registerStatusRoute = ({ options: { authRequired: 'optional', tags: ['api'], // ensures that unauthenticated calls receive a 401 rather than a 302 redirect to login page - access: 'public', + access: 'public', // needs to be public to allow access from "system" users like k8s readiness probes. }, validate: { query: schema.object( diff --git a/packages/core/status/core-status-server-internal/src/routes/status_preboot.ts b/packages/core/status/core-status-server-internal/src/routes/status_preboot.ts index 0c1ea660ebb11..88adf8c418506 100644 --- a/packages/core/status/core-status-server-internal/src/routes/status_preboot.ts +++ b/packages/core/status/core-status-server-internal/src/routes/status_preboot.ts @@ -17,7 +17,7 @@ export const registerPrebootStatusRoute = ({ router }: { router: IRouter }) => { options: { authRequired: false, tags: ['api'], - access: 'public', + access: 'public', // needs to be public to allow access from "system" users like k8s readiness probes. }, validate: false, }, diff --git a/src/plugins/usage_collection/server/routes/stats/stats.ts b/src/plugins/usage_collection/server/routes/stats/stats.ts index 386d482be63de..8c32003f38098 100644 --- a/src/plugins/usage_collection/server/routes/stats/stats.ts +++ b/src/plugins/usage_collection/server/routes/stats/stats.ts 
@@ -56,7 +56,7 @@ export function registerStatsRoute({ options: { authRequired: !config.allowAnonymous, tags: ['api'], // ensures that unauthenticated calls receive a 401 rather than a 302 redirect to login page - access: 'public', + access: 'public', // needs to be public to allow access from "system" users like metricbeat. }, validate: { query: schema.object({ From f81fe1e389fe304238c6b443f9b29fc0cfa893fd Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Mon, 24 Jul 2023 10:18:07 +0000 Subject: [PATCH 13/14] [CI] Auto-commit changed files from 'node scripts/lint_ts_projects --fix' --- packages/core/i18n/core-i18n-server-internal/tsconfig.json | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/core/i18n/core-i18n-server-internal/tsconfig.json b/packages/core/i18n/core-i18n-server-internal/tsconfig.json index ea139de89eb19..a00305e2ca096 100644 --- a/packages/core/i18n/core-i18n-server-internal/tsconfig.json +++ b/packages/core/i18n/core-i18n-server-internal/tsconfig.json @@ -25,6 +25,7 @@ "@kbn/i18n", "@kbn/std", "@kbn/repo-packages", + "@kbn/core-http-router-server-mocks", ], "exclude": [ "target/**/*", From 6ecb2fcc597a122daee711521c419a3dbd3bdfd4 Mon Sep 17 00:00:00 2001 From: Jean-Louis Leysens Date: Mon, 24 Jul 2023 12:27:21 +0200 Subject: [PATCH 14/14] set access for bevy of known system paths --- x-pack/plugins/fleet/server/routes/agent_policy/index.ts | 1 + .../get_cluster_health/get_cluster_health_route.ts | 2 ++ .../get_rule_health/get_rule_health_route.ts | 1 + .../get_space_health/get_space_health_route.ts | 2 ++ .../api/detection_engine_health/setup/setup_health_route.ts | 1 + .../task_manager/server/routes/background_task_utilization.ts | 1 + 6 files changed, 8 insertions(+) diff --git a/x-pack/plugins/fleet/server/routes/agent_policy/index.ts b/x-pack/plugins/fleet/server/routes/agent_policy/index.ts index 7c9726227f437..4482d02119887 100644 
--- a/x-pack/plugins/fleet/server/routes/agent_policy/index.ts +++ b/x-pack/plugins/fleet/server/routes/agent_policy/index.ts @@ -42,6 +42,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => { { path: AGENT_POLICY_API_ROUTES.LIST_PATTERN, validate: GetAgentPoliciesRequestSchema, + options: { access: 'public' }, fleetAuthz: { fleet: { readAgentPolicies: true }, }, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/get_cluster_health/get_cluster_health_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/get_cluster_health/get_cluster_health_route.ts index fe25e7d93c870..8d561957ec508 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/get_cluster_health/get_cluster_health_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/get_cluster_health/get_cluster_health_route.ts @@ -38,6 +38,7 @@ export const getClusterHealthRoute = (router: SecuritySolutionPluginRouter) => { validate: {}, options: { tags: ['access:securitySolution'], + access: 'public', // must be public to enable "system" users to collect data }, }, async (context, request, response) => { @@ -61,6 +62,7 @@ export const getClusterHealthRoute = (router: SecuritySolutionPluginRouter) => { }, options: { tags: ['access:securitySolution'], + access: 'public', // must be public to enable "system" users to collect data }, }, async (context, request, response) => { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/get_rule_health/get_rule_health_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/get_rule_health/get_rule_health_route.ts index 30dbf65e63f3c..ae65bc9d70c1a 100644 
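Review bot: `options: { access: 'public' }` on the `AGENT_POLICY_API_ROUTES.LIST_PATTERN` route has no comment, while the security_solution and task_manager routes touched in the same commit each say why they must be public. Add the same kind of note with the real consumer filled in, e.g. `options: { access: 'public' }, // public so that <consumer> can list agent policies`. The route is still guarded by `fleetAuthz: { fleet: { readAgentPolicies: true } }`. A test asserting that both options are registered together would keep a later edit from dropping the authz while leaving the route public.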
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/get_rule_health/get_rule_health_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/get_rule_health/get_rule_health_route.ts @@ -36,6 +36,7 @@ export const getRuleHealthRoute = (router: SecuritySolutionPluginRouter) => { }, options: { tags: ['access:securitySolution'], + access: 'public', // must be public to enable "system" users to collect data }, }, async (context, request, response) => { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/get_space_health/get_space_health_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/get_space_health/get_space_health_route.ts index 9d59ed97ba60f..86728dbf3e3be 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/get_space_health/get_space_health_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/get_space_health/get_space_health_route.ts @@ -38,6 +38,7 @@ export const getSpaceHealthRoute = (router: SecuritySolutionPluginRouter) => { validate: {}, options: { tags: ['access:securitySolution'], + access: 'public', // must be public to enable "system" users to collect data }, }, async (context, request, response) => { @@ -61,6 +62,7 @@ export const getSpaceHealthRoute = (router: SecuritySolutionPluginRouter) => { }, options: { tags: ['access:securitySolution'], + access: 'public', // must be public to enable "system" users to collect data }, }, async (context, request, response) => { 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/setup/setup_health_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/setup/setup_health_route.ts index 40d3d9d88192e..61604df4b9197 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/setup/setup_health_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/setup/setup_health_route.ts @@ -23,6 +23,7 @@ export const setupHealthRoute = (router: SecuritySolutionPluginRouter) => { validate: {}, options: { tags: ['access:securitySolution'], + access: 'public', // must be public to enable "system" users to collect data }, }, async (context, request, response) => { diff --git a/x-pack/plugins/task_manager/server/routes/background_task_utilization.ts b/x-pack/plugins/task_manager/server/routes/background_task_utilization.ts index 16ed92ca18dd6..38b1ce9966f33 100644 --- a/x-pack/plugins/task_manager/server/routes/background_task_utilization.ts +++ b/x-pack/plugins/task_manager/server/routes/background_task_utilization.ts @@ -115,6 +115,7 @@ export function backgroundTaskUtilizationRoute( // options: { tags: ['access:taskManager'] }, validate: false, options: { + access: 'public', // access must be public to allow "system" users, like metrics collectors, to access these routes authRequired: routeOption.isAuthenticated ?? true, }, },
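Review bot: The comment copied onto the route in `setup_health_route.ts`, `// must be public to enable "system" users to collect data`, does not obviously fit a route that, judging by the file name, sets something up rather than returning data. The method and path are outside the hunk, so this is inferred. If the route changes state, the comment should say so and name the expected caller, for example `access: 'public', // public: called by <caller> to initialise health monitoring`. The `tags: ['access:securitySolution']` entry is unchanged and presumably remains the privilege check for this route.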
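Review bot: In `background_task_utilization.ts` the new `access: 'public'` sits next to `authRequired: routeOption.isAuthenticated ?? true`, while the privilege tag above it is commented out (`// options: { tags: ['access:taskManager'] }`). For any `routeOption` with `isAuthenticated: false`, the route therefore appears to be reachable with neither a session nor a privilege check. That may be intended for metrics collectors, but the comment should state which variant is unauthenticated and that its response must not carry anything sensitive. Removing the dead `// options:` line would also keep it from being mistaken for an active control. The surrounding registration code and handler are outside the hunk.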