[8.x] Authorized route migration for routes owned by @elastic/kibana-…

…core (elastic#198187) (elastic#199489) # Backport This will backport the following commits from `main` to `8.x`: - [Authorized route migration for routes owned by @elastic/kibana-core (elastic#198187)](elastic#198187)  ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport)
kibanamachine · Nov 8, 2024 · b667b5a · b667b5a
1 parent 4b4bd24
commit b667b5a
Show file tree

Hide file tree

Showing 24 changed files with 83 additions and 40 deletions.
diff --git a/src/plugins/ftr_apis/server/routes/kbn_client_so/bulk_delete.ts b/src/plugins/ftr_apis/server/routes/kbn_client_so/bulk_delete.ts
@@ -15,8 +15,10 @@ export const registerBulkDeleteRoute = (router: IRouter) => {
   router.post(
     {
       path: `${KBN_CLIENT_API_PREFIX}/_bulk_delete`,
-      options: {
-        tags: ['access:ftrApis'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ftrApis'],
+        },
       },
       validate: {
         body: schema.arrayOf(

diff --git a/src/plugins/ftr_apis/server/routes/kbn_client_so/clean.ts b/src/plugins/ftr_apis/server/routes/kbn_client_so/clean.ts
@@ -15,8 +15,10 @@ export const registerCleanRoute = (router: IRouter) => {
   router.post(
     {
       path: `${KBN_CLIENT_API_PREFIX}/_clean`,
-      options: {
-        tags: ['access:ftrApis'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ftrApis'],
+        },
       },
       validate: {
         body: schema.object({

diff --git a/src/plugins/ftr_apis/server/routes/kbn_client_so/create.ts b/src/plugins/ftr_apis/server/routes/kbn_client_so/create.ts
@@ -15,8 +15,10 @@ export const registerCreateRoute = (router: IRouter) => {
   router.post(
     {
       path: `${KBN_CLIENT_API_PREFIX}/{type}/{id?}`,
-      options: {
-        tags: ['access:ftrApis'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ftrApis'],
+        },
       },
       validate: {
         params: schema.object({

diff --git a/src/plugins/ftr_apis/server/routes/kbn_client_so/delete.ts b/src/plugins/ftr_apis/server/routes/kbn_client_so/delete.ts
@@ -15,8 +15,10 @@ export const registerDeleteRoute = (router: IRouter) => {
   router.delete(
     {
       path: `${KBN_CLIENT_API_PREFIX}/{type}/{id}`,
-      options: {
-        tags: ['access:ftrApis'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ftrApis'],
+        },
       },
       validate: {
         params: schema.object({

diff --git a/src/plugins/ftr_apis/server/routes/kbn_client_so/find.ts b/src/plugins/ftr_apis/server/routes/kbn_client_so/find.ts
@@ -15,8 +15,10 @@ export const registerFindRoute = (router: IRouter) => {
   router.get(
     {
       path: `${KBN_CLIENT_API_PREFIX}/_find`,
-      options: {
-        tags: ['access:ftrApis'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ftrApis'],
+        },
       },
       validate: {
         query: schema.object({

diff --git a/src/plugins/ftr_apis/server/routes/kbn_client_so/get.ts b/src/plugins/ftr_apis/server/routes/kbn_client_so/get.ts
@@ -15,8 +15,10 @@ export const registerGetRoute = (router: IRouter) => {
   router.get(
     {
       path: `${KBN_CLIENT_API_PREFIX}/{type}/{id}`,
-      options: {
-        tags: ['access:ftrApis'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ftrApis'],
+        },
       },
       validate: {
         params: schema.object({

diff --git a/src/plugins/ftr_apis/server/routes/kbn_client_so/update.ts b/src/plugins/ftr_apis/server/routes/kbn_client_so/update.ts
@@ -15,8 +15,10 @@ export const registerUpdateRoute = (router: IRouter) => {
   router.put(
     {
       path: `${KBN_CLIENT_API_PREFIX}/{type}/{id}`,
-      options: {
-        tags: ['access:ftrApis'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ftrApis'],
+        },
       },
       validate: {
         params: schema.object({

diff --git a/...k/plugins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/bulk_action.ts b/...k/plugins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/bulk_action.ts
@@ -44,8 +44,10 @@ export const defineBulkActionCspBenchmarkRulesRoute = (router: CspRouter) =>
     .post({
       access: 'internal',
       path: CSP_BENCHMARK_RULES_BULK_ACTION_ROUTE_PATH,
-      options: {
-        tags: ['access:cloud-security-posture-all'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-all'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/find/find.ts b/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/find/find.ts
@@ -25,8 +25,10 @@ export const defineFindCspBenchmarkRuleRoute = (router: CspRouter) =>
     .get({
       access: 'internal',
       path: FIND_CSP_BENCHMARK_RULE_ROUTE_PATH,
-      options: {
-        tags: ['access:cloud-security-posture-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-read'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/get_states/get_states.ts b/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/get_states/get_states.ts
@@ -16,8 +16,10 @@ export const defineGetCspBenchmarkRulesStatesRoute = (router: CspRouter) =>
     .get({
       access: 'internal',
       path: CSP_GET_BENCHMARK_RULES_STATE_ROUTE_PATH,
-      options: {
-        tags: ['access:cloud-security-posture-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-read'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/cloud_security_posture/server/routes/benchmarks/benchmarks.ts b/x-pack/plugins/cloud_security_posture/server/routes/benchmarks/benchmarks.ts
@@ -20,8 +20,10 @@ export const defineGetBenchmarksRoute = (router: CspRouter) =>
     .get({
       access: 'internal',
       path: BENCHMARKS_ROUTE_PATH,
-      options: {
-        tags: ['access:cloud-security-posture-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-read'],
+        },
       },
     })
     .addVersion(

diff --git a/...plugins/cloud_security_posture/server/routes/compliance_dashboard/compliance_dashboard.ts b/...plugins/cloud_security_posture/server/routes/compliance_dashboard/compliance_dashboard.ts
@@ -65,8 +65,10 @@ export const defineGetComplianceDashboardRoute = (router: CspRouter) =>
     .get({
       access: 'internal',
       path: STATS_ROUTE_PATH,
-      options: {
-        tags: ['access:cloud-security-posture-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-read'],
+        },
       },
     })
     .addVersion(

diff --git a/..._posture/server/routes/detection_engine/get_detection_engine_alerts_count_by_rule_tags.ts b/..._posture/server/routes/detection_engine/get_detection_engine_alerts_count_by_rule_tags.ts
@@ -53,8 +53,10 @@ export const defineGetDetectionEngineAlertsStatus = (router: CspRouter) =>
     .get({
       access: 'internal',
       path: GET_DETECTION_RULE_ALERTS_STATUS_PATH,
-      options: {
-        tags: ['access:cloud-security-posture-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-read'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/cloud_security_posture/server/routes/graph/route.ts b/x-pack/plugins/cloud_security_posture/server/routes/graph/route.ts
@@ -20,8 +20,10 @@ export const defineGraphRoute = (router: CspRouter) =>
       access: 'internal',
       enableQueryVersion: true,
       path: GRAPH_ROUTE_PATH,
-      options: {
-        tags: ['access:cloud-security-posture-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-read'],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/cloud_security_posture/server/routes/status/status.ts b/x-pack/plugins/cloud_security_posture/server/routes/status/status.ts
@@ -437,8 +437,10 @@ export const defineGetCspStatusRoute = (
     .get({
       access: 'internal',
       path: STATUS_ROUTE_PATH,
-      options: {
-        tags: ['access:cloud-security-posture-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-read'],
+        },
       },
     })
     .addVersion(

diff --git a/...oud_security_posture/server/routes/vulnerabilities_dashboard/vulnerabilities_dashboard.ts b/...oud_security_posture/server/routes/vulnerabilities_dashboard/vulnerabilities_dashboard.ts
@@ -20,8 +20,10 @@ export const defineGetVulnerabilitiesDashboardRoute = (router: CspRouter): void
     {
       path: VULNERABILITIES_DASHBOARD_ROUTE_PATH,
       validate: false,
-      options: {
-        tags: ['access:cloud-security-posture-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-read'],
+        },
       },
     },
     async (context, request, response) => {

diff --git a/x-pack/plugins/features/server/routes/index.ts b/x-pack/plugins/features/server/routes/index.ts
@@ -21,8 +21,12 @@ export function defineRoutes({ router, featureRegistry }: RouteDefinitionParams)
   router.get(
     {
       path: '/api/features',
+      security: {
+        authz: {
+          requiredPrivileges: ['read_features'],
+        },
+      },
       options: {
-        tags: ['access:read_features'],
         access: 'public',
         summary: `Get features`,
       },

diff --git a/x-pack/test/ftr_apis/security_and_spaces/apis/bulk_delete.ts b/x-pack/test/ftr_apis/security_and_spaces/apis/bulk_delete.ts
@@ -44,7 +44,8 @@ export default function (ftrContext: FtrProviderContext) {
           expect(body).to.eql({
             statusCode: 403,
             error: 'Forbidden',
-            message: 'Forbidden',
+            message:
+              'API [POST /internal/ftr/kbn_client_so/_bulk_delete] is unauthorized for user, this action is granted by the Kibana privileges [ftrApis]',
           });
         },
       },

diff --git a/x-pack/test/ftr_apis/security_and_spaces/apis/clean.ts b/x-pack/test/ftr_apis/security_and_spaces/apis/clean.ts
@@ -43,7 +43,8 @@ export default function (ftrContext: FtrProviderContext) {
         expectResponse: ({ body }) => {
           expect(body).to.eql({
             error: 'Forbidden',
-            message: 'Forbidden',
+            message:
+              'API [POST /internal/ftr/kbn_client_so/_clean] is unauthorized for user, this action is granted by the Kibana privileges [ftrApis]',
             statusCode: 403,
           });
         },

diff --git a/x-pack/test/ftr_apis/security_and_spaces/apis/create.ts b/x-pack/test/ftr_apis/security_and_spaces/apis/create.ts
@@ -48,7 +48,8 @@ export default function (ftrContext: FtrProviderContext) {
           expect(body).to.eql({
             statusCode: 403,
             error: 'Forbidden',
-            message: 'Forbidden',
+            message:
+              'API [POST /internal/ftr/kbn_client_so/tag] is unauthorized for user, this action is granted by the Kibana privileges [ftrApis]',
           });
         },
       },

diff --git a/x-pack/test/ftr_apis/security_and_spaces/apis/delete.ts b/x-pack/test/ftr_apis/security_and_spaces/apis/delete.ts
@@ -44,7 +44,8 @@ export default function (ftrContext: FtrProviderContext) {
           expect(body).to.eql({
             statusCode: 403,
             error: 'Forbidden',
-            message: 'Forbidden',
+            message:
+              'API [DELETE /internal/ftr/kbn_client_so/visualization/vis-area-1] is unauthorized for user, this action is granted by the Kibana privileges [ftrApis]',
           });
         },
       },

diff --git a/x-pack/test/ftr_apis/security_and_spaces/apis/find.ts b/x-pack/test/ftr_apis/security_and_spaces/apis/find.ts
@@ -43,7 +43,8 @@ export default function (ftrContext: FtrProviderContext) {
         expectResponse: ({ body }) => {
           expect(body).to.eql({
             error: 'Forbidden',
-            message: 'Forbidden',
+            message:
+              'API [GET /internal/ftr/kbn_client_so/_find?type=tag] is unauthorized for user, this action is granted by the Kibana privileges [ftrApis]',
             statusCode: 403,
           });
         },

diff --git a/x-pack/test/ftr_apis/security_and_spaces/apis/get.ts b/x-pack/test/ftr_apis/security_and_spaces/apis/get.ts
@@ -44,7 +44,8 @@ export default function (ftrContext: FtrProviderContext) {
           expect(body).to.eql({
             statusCode: 403,
             error: 'Forbidden',
-            message: 'Forbidden',
+            message:
+              'API [GET /internal/ftr/kbn_client_so/visualization/vis-area-4] is unauthorized for user, this action is granted by the Kibana privileges [ftrApis]',
           });
         },
       },

diff --git a/x-pack/test/ftr_apis/security_and_spaces/apis/update.ts b/x-pack/test/ftr_apis/security_and_spaces/apis/update.ts
@@ -44,7 +44,8 @@ export default function (ftrContext: FtrProviderContext) {
           expect(body).to.eql({
             statusCode: 403,
             error: 'Forbidden',
-            message: 'Forbidden',
+            message:
+              'API [PUT /internal/ftr/kbn_client_so/tag/tag-1] is unauthorized for user, this action is granted by the Kibana privileges [ftrApis]',
           });
         },
       },