Authorized route migration for routes owned by @elastic/security-gene…

…rative-ai (elastic#198192) ### Authz API migration for authorized routes This PR migrates `access:<privilege>` tags used in route definitions to new security configuration. Please refer to the documentation for more information: [Authorization API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization) ### **Before migration:** Access control tags were defined in the `options` object of the route: ```ts router.get({ path: '/api/path', options: { tags: ['access:<privilege_1>', 'access:<privilege_2>'], }, ... }, handler); ``` ### **After migration:** Tags have been replaced with the more robust `security.authz.requiredPrivileges` field under `security`: ```ts router.get({ path: '/api/path', security: { authz: { requiredPrivileges: ['<privilege_1>', '<privilege_2>'], }, }, ... }, handler); ``` ### What to do next? 1. Review the changes in this PR. 2. You might need to update your tests to reflect the new security configuration: - If you have tests that rely on checking `access` tags. - If you have snapshot tests that include the route definition. - If you have FTR tests that rely on checking unauthorized error message. The error message changed to also include missing privileges. ## Any questions? If you have any questions or need help with API authorization, please reach out to the `@elastic/kibana-security` team. --------- Co-authored-by: Andrew Macri <[email protected]>
gsoldevila · Dec 10, 2024 · 8477dc7 · 8477dc7
1 parent 7aa80ce
commit 8477dc7
Show file tree

Hide file tree

Showing 28 changed files with 120 additions and 48 deletions.
diff --git a/x-pack/plugins/elastic_assistant/server/routes/anonymization_fields/bulk_actions_route.ts b/x-pack/plugins/elastic_assistant/server/routes/anonymization_fields/bulk_actions_route.ts
@@ -118,8 +118,12 @@ export const bulkActionAnonymizationFieldsRoute = (
     .post({
       access: 'public',
       path: ELASTIC_AI_ASSISTANT_ANONYMIZATION_FIELDS_URL_BULK_ACTION,
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution-updateAIAssistantAnonymization'],
+        },
+      },
       options: {
-        tags: ['access:securitySolution-updateAIAssistantAnonymization'],
         timeout: {
           idleSocket: moment.duration(15, 'minutes').asMilliseconds(),
         },

diff --git a/x-pack/plugins/elastic_assistant/server/routes/anonymization_fields/find_route.ts b/x-pack/plugins/elastic_assistant/server/routes/anonymization_fields/find_route.ts
@@ -32,8 +32,10 @@ export const findAnonymizationFieldsRoute = (
     .get({
       access: 'public',
       path: ELASTIC_AI_ASSISTANT_ANONYMIZATION_FIELDS_URL_FIND,
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/elastic_assistant/server/routes/attack_discovery/get/get_attack_discovery.ts b/x-pack/plugins/elastic_assistant/server/routes/attack_discovery/get/get_attack_discovery.ts
@@ -24,8 +24,10 @@ export const getAttackDiscoveryRoute = (router: IRouter<ElasticAssistantRequestH
     .get({
       access: 'internal',
       path: ATTACK_DISCOVERY_BY_CONNECTOR_ID,
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/...s/elastic_assistant/server/routes/attack_discovery/post/cancel/cancel_attack_discovery.ts b/...s/elastic_assistant/server/routes/attack_discovery/post/cancel/cancel_attack_discovery.ts
@@ -26,8 +26,10 @@ export const cancelAttackDiscoveryRoute = (
     .post({
       access: 'internal',
       path: ATTACK_DISCOVERY_CANCEL_BY_CONNECTOR_ID,
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/...ck/plugins/elastic_assistant/server/routes/attack_discovery/post/post_attack_discovery.ts b/...ck/plugins/elastic_assistant/server/routes/attack_discovery/post/post_attack_discovery.ts
@@ -35,8 +35,12 @@ export const postAttackDiscoveryRoute = (
     .post({
       access: 'internal',
       path: ATTACK_DISCOVERY,
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
+      },
       options: {
-        tags: ['access:elasticAssistant'],
         timeout: {
           idleSocket: ROUTE_HANDLER_TIMEOUT,
         },

diff --git a/x-pack/plugins/elastic_assistant/server/routes/capabilities/get_capabilities_route.ts b/x-pack/plugins/elastic_assistant/server/routes/capabilities/get_capabilities_route.ts
@@ -30,8 +30,10 @@ export const getCapabilitiesRoute = (router: IRouter<ElasticAssistantRequestHand
     .get({
       access: INTERNAL_API_ACCESS,
       path: CAPABILITIES,
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/elastic_assistant/server/routes/chat/chat_complete_route.ts b/x-pack/plugins/elastic_assistant/server/routes/chat/chat_complete_route.ts
@@ -46,8 +46,10 @@ export const chatCompleteRoute = (
       access: 'public',
       path: ELASTIC_AI_ASSISTANT_CHAT_COMPLETE_URL,
 
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/elastic_assistant/server/routes/defend_insights/get_defend_insight.ts b/x-pack/plugins/elastic_assistant/server/routes/defend_insights/get_defend_insight.ts
@@ -26,8 +26,10 @@ export const getDefendInsightRoute = (router: IRouter<ElasticAssistantRequestHan
     .get({
       access: 'internal',
       path: DEFEND_INSIGHTS_BY_ID,
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/elastic_assistant/server/routes/defend_insights/get_defend_insights.ts b/x-pack/plugins/elastic_assistant/server/routes/defend_insights/get_defend_insights.ts
@@ -26,8 +26,10 @@ export const getDefendInsightsRoute = (router: IRouter<ElasticAssistantRequestHa
     .get({
       access: 'internal',
       path: DEFEND_INSIGHTS,
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/elastic_assistant/server/routes/defend_insights/post_defend_insights.ts b/x-pack/plugins/elastic_assistant/server/routes/defend_insights/post_defend_insights.ts
@@ -42,11 +42,15 @@ export const postDefendInsightsRoute = (router: IRouter<ElasticAssistantRequestH
       access: 'internal',
       path: DEFEND_INSIGHTS,
       options: {
-        tags: ['access:elasticAssistant'],
         timeout: {
           idleSocket: ROUTE_HANDLER_TIMEOUT,
         },
       },
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
+      },
     })
     .addVersion(
       {

diff --git a/x-pack/plugins/elastic_assistant/server/routes/evaluate/get_evaluate.ts b/x-pack/plugins/elastic_assistant/server/routes/evaluate/get_evaluate.ts
@@ -26,8 +26,10 @@ export const getEvaluateRoute = (router: IRouter<ElasticAssistantRequestHandlerC
     .get({
       access: INTERNAL_API_ACCESS,
       path: ELASTIC_AI_ASSISTANT_EVALUATE_URL,
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/elastic_assistant/server/routes/evaluate/post_evaluate.ts b/x-pack/plugins/elastic_assistant/server/routes/evaluate/post_evaluate.ts
@@ -64,8 +64,12 @@ export const postEvaluateRoute = (
     .post({
       access: INTERNAL_API_ACCESS,
       path: ELASTIC_AI_ASSISTANT_EVALUATE_URL,
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
+      },
       options: {
-        tags: ['access:elasticAssistant'],
         timeout: {
           idleSocket: ROUTE_HANDLER_TIMEOUT,
         },

diff --git a/x-pack/plugins/elastic_assistant/server/routes/knowledge_base/entries/bulk_actions_route.ts b/x-pack/plugins/elastic_assistant/server/routes/knowledge_base/entries/bulk_actions_route.ts
@@ -125,8 +125,12 @@ export const bulkActionKnowledgeBaseEntriesRoute = (router: ElasticAssistantPlug
     .post({
       access: 'internal',
       path: ELASTIC_AI_ASSISTANT_KNOWLEDGE_BASE_ENTRIES_URL_BULK_ACTION,
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
+      },
       options: {
-        tags: ['access:elasticAssistant'],
         timeout: {
           idleSocket: moment.duration(15, 'minutes').asMilliseconds(),
         },

diff --git a/x-pack/plugins/elastic_assistant/server/routes/knowledge_base/entries/create_route.ts b/x-pack/plugins/elastic_assistant/server/routes/knowledge_base/entries/create_route.ts
@@ -26,8 +26,10 @@ export const createKnowledgeBaseEntryRoute = (router: ElasticAssistantPluginRout
       access: 'internal',
       path: ELASTIC_AI_ASSISTANT_KNOWLEDGE_BASE_ENTRIES_URL,
 
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/elastic_assistant/server/routes/knowledge_base/entries/find_route.ts b/x-pack/plugins/elastic_assistant/server/routes/knowledge_base/entries/find_route.ts
@@ -33,8 +33,10 @@ export const findKnowledgeBaseEntriesRoute = (router: ElasticAssistantPluginRout
     .get({
       access: 'internal',
       path: ELASTIC_AI_ASSISTANT_KNOWLEDGE_BASE_ENTRIES_URL_FIND,
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/elastic_assistant/server/routes/knowledge_base/get_knowledge_base_indices.ts b/x-pack/plugins/elastic_assistant/server/routes/knowledge_base/get_knowledge_base_indices.ts
@@ -26,8 +26,10 @@ export const getKnowledgeBaseIndicesRoute = (router: ElasticAssistantPluginRoute
     .get({
       access: 'internal',
       path: ELASTIC_AI_ASSISTANT_KNOWLEDGE_BASE_INDICES_URL,
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/elastic_assistant/server/routes/knowledge_base/get_knowledge_base_status.ts b/x-pack/plugins/elastic_assistant/server/routes/knowledge_base/get_knowledge_base_status.ts
@@ -28,8 +28,10 @@ export const getKnowledgeBaseStatusRoute = (router: ElasticAssistantPluginRouter
     .get({
       access: 'internal',
       path: ELASTIC_AI_ASSISTANT_KNOWLEDGE_BASE_URL,
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/elastic_assistant/server/routes/knowledge_base/post_knowledge_base.ts b/x-pack/plugins/elastic_assistant/server/routes/knowledge_base/post_knowledge_base.ts
@@ -30,8 +30,12 @@ export const postKnowledgeBaseRoute = (router: ElasticAssistantPluginRouter) =>
     .post({
       access: 'internal',
       path: ELASTIC_AI_ASSISTANT_KNOWLEDGE_BASE_URL,
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
+      },
       options: {
-        tags: ['access:elasticAssistant'],
         timeout: {
           idleSocket: ROUTE_HANDLER_TIMEOUT,
         },

diff --git a/x-pack/plugins/elastic_assistant/server/routes/post_actions_connector_execute.ts b/x-pack/plugins/elastic_assistant/server/routes/post_actions_connector_execute.ts
@@ -38,8 +38,10 @@ export const postActionsConnectorExecuteRoute = (
     .post({
       access: 'internal',
       path: POST_ACTIONS_CONNECTOR_EXECUTE,
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/elastic_assistant/server/routes/prompts/bulk_actions_route.ts b/x-pack/plugins/elastic_assistant/server/routes/prompts/bulk_actions_route.ts
@@ -112,8 +112,12 @@ export const bulkPromptsRoute = (router: ElasticAssistantPluginRouter, logger: L
     .post({
       access: 'public',
       path: ELASTIC_AI_ASSISTANT_PROMPTS_URL_BULK_ACTION,
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
+      },
       options: {
-        tags: ['access:elasticAssistant'],
         timeout: {
           idleSocket: moment.duration(15, 'minutes').asMilliseconds(),
         },

diff --git a/x-pack/plugins/elastic_assistant/server/routes/prompts/find_route.ts b/x-pack/plugins/elastic_assistant/server/routes/prompts/find_route.ts
@@ -25,8 +25,10 @@ export const findPromptsRoute = (router: ElasticAssistantPluginRouter, logger: L
     .get({
       access: 'public',
       path: ELASTIC_AI_ASSISTANT_PROMPTS_URL_FIND,
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/.../elastic_assistant/server/routes/user_conversations/append_conversation_messages_route.ts b/.../elastic_assistant/server/routes/user_conversations/append_conversation_messages_route.ts
@@ -24,8 +24,10 @@ export const appendConversationMessageRoute = (router: ElasticAssistantPluginRou
     .post({
       access: 'internal',
       path: ELASTIC_AI_ASSISTANT_CONVERSATIONS_URL_BY_ID_MESSAGES,
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/elastic_assistant/server/routes/user_conversations/bulk_actions_route.ts b/x-pack/plugins/elastic_assistant/server/routes/user_conversations/bulk_actions_route.ts
@@ -116,8 +116,12 @@ export const bulkActionConversationsRoute = (
     .post({
       access: 'internal',
       path: ELASTIC_AI_ASSISTANT_CONVERSATIONS_URL_BULK_ACTION,
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
+      },
       options: {
-        tags: ['access:elasticAssistant'],
         timeout: {
           idleSocket: moment.duration(15, 'minutes').asMilliseconds(),
         },

diff --git a/x-pack/plugins/elastic_assistant/server/routes/user_conversations/create_route.ts b/x-pack/plugins/elastic_assistant/server/routes/user_conversations/create_route.ts
@@ -25,8 +25,10 @@ export const createConversationRoute = (router: ElasticAssistantPluginRouter): v
       access: 'public',
       path: ELASTIC_AI_ASSISTANT_CONVERSATIONS_URL,
 
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/elastic_assistant/server/routes/user_conversations/delete_route.ts b/x-pack/plugins/elastic_assistant/server/routes/user_conversations/delete_route.ts
@@ -21,8 +21,10 @@ export const deleteConversationRoute = (router: ElasticAssistantPluginRouter) =>
     .delete({
       access: 'public',
       path: ELASTIC_AI_ASSISTANT_CONVERSATIONS_URL_BY_ID,
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/elastic_assistant/server/routes/user_conversations/find_route.ts b/x-pack/plugins/elastic_assistant/server/routes/user_conversations/find_route.ts
@@ -28,8 +28,10 @@ export const findUserConversationsRoute = (router: ElasticAssistantPluginRouter)
     .get({
       access: 'public',
       path: ELASTIC_AI_ASSISTANT_CONVERSATIONS_URL_FIND,
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/elastic_assistant/server/routes/user_conversations/read_route.ts b/x-pack/plugins/elastic_assistant/server/routes/user_conversations/read_route.ts
@@ -23,8 +23,10 @@ export const readConversationRoute = (router: ElasticAssistantPluginRouter) => {
     .get({
       access: 'public',
       path: ELASTIC_AI_ASSISTANT_CONVERSATIONS_URL_BY_ID,
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/elastic_assistant/server/routes/user_conversations/update_route.ts b/x-pack/plugins/elastic_assistant/server/routes/user_conversations/update_route.ts
@@ -26,8 +26,10 @@ export const updateConversationRoute = (router: ElasticAssistantPluginRouter) =>
     .put({
       access: 'public',
       path: ELASTIC_AI_ASSISTANT_CONVERSATIONS_URL_BY_ID,
-      options: {
-        tags: ['access:elasticAssistant'],
+      security: {
+        authz: {
+          requiredPrivileges: ['elasticAssistant'],
+        },
       },
     })
     .addVersion(