Authorized route migration for routes owned by security-detection-eng…

…ine (elastic#198384) ### Authz API migration for authorized routes This PR migrates `access:<privilege>` tags used in route definitions to new security configuration. Please refer to the documentation for more information: [Authorization API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization) ### **Before migration:** Access control tags were defined in the `options` object of the route: ```ts router.get({ path: '/api/path', options: { tags: ['access:<privilege_1>', 'access:<privilege_2>'], }, ... }, handler); ``` ### **After migration:** Tags have been replaced with the more robust `security.authz.requiredPrivileges` field under `security`: ```ts router.get({ path: '/api/path', security: { authz: { requiredPrivileges: ['<privilege_1>', '<privilege_2>'], }, }, ... }, handler); ``` ### What to do next? 1. Review the changes in this PR. 2. You might need to update your tests to reflect the new security configuration: - If you have tests that rely on checking `access` tags. - If you have snapshot tests that include the route definition. - If you have FTR tests that rely on checking unauthorized error message. The error message changed to also include missing privileges. ## Any questions? If you have any questions or need help with API authorization, please reach out to the `@elastic/kibana-security` team. Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com>
pheyos · Nov 6, 2024 · bf51662 · bf51662
1 parent bde5e11
commit bf51662
Show file tree

Hide file tree

Showing 16 changed files with 66 additions and 31 deletions.
diff --git a/.../plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts b/.../plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts
@@ -40,8 +40,10 @@ export const createIndexRoute = (router: SecuritySolutionPluginRouter) => {
     .post({
       path: DETECTION_ENGINE_INDEX_URL,
       access: 'public',
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/.../plugins/security_solution/server/lib/detection_engine/routes/index/delete_index_route.ts b/.../plugins/security_solution/server/lib/detection_engine/routes/index/delete_index_route.ts
@@ -35,8 +35,10 @@ export const deleteIndexRoute = (router: SecuritySolutionPluginRouter) => {
     .delete({
       path: DETECTION_ENGINE_INDEX_URL,
       access: 'public',
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...urity_solution/server/lib/detection_engine/routes/index/read_alerts_index_exists_route.ts b/...urity_solution/server/lib/detection_engine/routes/index/read_alerts_index_exists_route.ts
@@ -18,8 +18,10 @@ export const readAlertsIndexExistsRoute = (router: SecuritySolutionPluginRouter)
     .get({
       path: DETECTION_ENGINE_ALERTS_INDEX_URL,
       access: 'internal',
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...ck/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts b/...ck/plugins/security_solution/server/lib/detection_engine/routes/index/read_index_route.ts
@@ -26,8 +26,10 @@ export const readIndexRoute = (
     .get({
       path: DETECTION_ENGINE_INDEX_URL,
       access: 'public',
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...ity_solution/server/lib/detection_engine/routes/signals/create_signals_migration_route.ts b/...ity_solution/server/lib/detection_engine/routes/signals/create_signals_migration_route.ts
@@ -24,8 +24,10 @@ export const createSignalsMigrationRoute = (router: SecuritySolutionPluginRouter
     .post({
       path: DETECTION_ENGINE_SIGNALS_MIGRATION_URL,
       access: 'public',
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...ity_solution/server/lib/detection_engine/routes/signals/delete_signals_migration_route.ts b/...ity_solution/server/lib/detection_engine/routes/signals/delete_signals_migration_route.ts
@@ -20,8 +20,10 @@ export const deleteSignalsMigrationRoute = (router: SecuritySolutionPluginRouter
     .delete({
       path: DETECTION_ENGINE_SIGNALS_MIGRATION_URL,
       access: 'public',
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...y_solution/server/lib/detection_engine/routes/signals/finalize_signals_migration_route.ts b/...y_solution/server/lib/detection_engine/routes/signals/finalize_signals_migration_route.ts
@@ -25,8 +25,10 @@ export const finalizeSignalsMigrationRoute = (
     .post({
       path: DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL,
       access: 'public',
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...solution/server/lib/detection_engine/routes/signals/get_signals_migration_status_route.ts b/...solution/server/lib/detection_engine/routes/signals/get_signals_migration_status_route.ts
@@ -23,8 +23,10 @@ export const getSignalsMigrationStatusRoute = (router: SecuritySolutionPluginRou
     .get({
       path: DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL,
       access: 'public',
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/.../security_solution/server/lib/detection_engine/routes/signals/open_close_signals_route.ts b/.../security_solution/server/lib/detection_engine/routes/signals/open_close_signals_route.ts
@@ -37,8 +37,10 @@ export const setSignalsStatusRoute = (
     .post({
       path: DETECTION_ENGINE_SIGNALS_STATUS_URL,
       access: 'public',
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...ugins/security_solution/server/lib/detection_engine/routes/signals/query_signals_route.ts b/...ugins/security_solution/server/lib/detection_engine/routes/signals/query_signals_route.ts
@@ -23,8 +23,10 @@ export const querySignalsRoute = (
     .post({
       path: DETECTION_ENGINE_QUERY_SIGNALS_URL,
       access: 'public',
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...security_solution/server/lib/detection_engine/routes/signals/set_alert_assignees_route.ts b/...security_solution/server/lib/detection_engine/routes/signals/set_alert_assignees_route.ts
@@ -22,8 +22,10 @@ export const setAlertAssigneesRoute = (router: SecuritySolutionPluginRouter) =>
     .post({
       path: DETECTION_ENGINE_ALERT_ASSIGNEES_URL,
       access: 'public',
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...gins/security_solution/server/lib/detection_engine/routes/signals/set_alert_tags_route.ts b/...gins/security_solution/server/lib/detection_engine/routes/signals/set_alert_tags_route.ts
@@ -22,8 +22,10 @@ export const setAlertTagsRoute = (router: SecuritySolutionPluginRouter) => {
     .post({
       path: DETECTION_ENGINE_ALERT_TAGS_URL,
       access: 'public',
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...n/server/lib/detection_engine/rule_actions_legacy/api/create_legacy_notification/route.ts b/...n/server/lib/detection_engine/rule_actions_legacy/api/create_legacy_notification/route.ts
@@ -34,8 +34,10 @@ export const legacyCreateLegacyNotificationRoute = (
     .post({
       path: UPDATE_OR_CREATE_LEGACY_ACTIONS,
       access: 'internal',
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/..._solution/server/lib/detection_engine/rule_exceptions/api/create_rule_exceptions/route.ts b/..._solution/server/lib/detection_engine/rule_exceptions/api/create_rule_exceptions/route.ts
@@ -36,8 +36,10 @@ export const createRuleExceptionsRoute = (router: SecuritySolutionPluginRouter)
     .post({
       path: CREATE_RULE_EXCEPTIONS_URL,
       access: 'public',
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...lution/server/lib/detection_engine/rule_exceptions/api/find_exception_references/route.ts b/...lution/server/lib/detection_engine/rule_exceptions/api/find_exception_references/route.ts
@@ -29,8 +29,10 @@ export const findRuleExceptionReferencesRoute = (router: SecuritySolutionPluginR
     .get({
       path: DETECTION_ENGINE_RULES_EXCEPTIONS_REFERENCE_URL,
       access: 'internal',
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...ins/security_solution/server/lib/detection_engine/rule_preview/api/preview_rules/route.ts b/...ins/security_solution/server/lib/detection_engine/rule_preview/api/preview_rules/route.ts
@@ -89,8 +89,13 @@ export const previewRulesRoute = (
     .post({
       path: DETECTION_ENGINE_RULES_PREVIEW,
       access: 'public',
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
       options: {
-        tags: ['access:securitySolution', routeLimitedConcurrencyTag(MAX_ROUTE_CONCURRENCY)],
+        tags: [routeLimitedConcurrencyTag(MAX_ROUTE_CONCURRENCY)],
       },
     })
     .addVersion(