Authorized route migration for routes owned by security-defend-workfl…

…ows (elastic#198381) ### Authz API migration for authorized routes This PR migrates `access:<privilege>` tags used in route definitions to new security configuration.
tkajtoch · Nov 12, 2024 · cef180e · cef180e
1 parent 126e13b
commit cef180e
Show file tree

Hide file tree

Showing 13 changed files with 158 additions and 28 deletions.
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/actions/audit_log.ts b/x-pack/plugins/security_solution/server/endpoint/routes/actions/audit_log.ts
@@ -27,7 +27,12 @@ export function registerActionAuditLogRoutes(
     .get({
       access: 'public',
       path: ENDPOINT_ACTION_LOG_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {

diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/actions/details.ts b/x-pack/plugins/security_solution/server/endpoint/routes/actions/details.ts
@@ -32,7 +32,12 @@ export const registerActionDetailsRoutes = (
     .get({
       access: 'public',
       path: ACTION_DETAILS_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {

diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/actions/file_download_handler.ts b/x-pack/plugins/security_solution/server/endpoint/routes/actions/file_download_handler.ts
@@ -38,7 +38,12 @@ export const registerActionFileDownloadRoutes = (
       // we need to enable setting the version number via query params
       enableQueryVersion: true,
       path: ACTION_AGENT_FILE_DOWNLOAD_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {

diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/actions/file_info_handler.ts b/x-pack/plugins/security_solution/server/endpoint/routes/actions/file_info_handler.ts
@@ -74,7 +74,12 @@ export const registerActionFileInfoRoute = (
     .get({
       access: 'public',
       path: ACTION_AGENT_FILE_INFO_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {

diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/actions/list.ts b/x-pack/plugins/security_solution/server/endpoint/routes/actions/list.ts
@@ -30,7 +30,12 @@ export function registerActionListRoutes(
     .get({
       access: 'public',
       path: BASE_ENDPOINT_ACTION_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {

diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/actions/response_actions.ts b/x-pack/plugins/security_solution/server/endpoint/routes/actions/response_actions.ts
@@ -80,7 +80,12 @@ export function registerResponseActionRoutes(
     .post({
       access: 'public',
       path: ISOLATE_HOST_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {
@@ -99,7 +104,12 @@ export function registerResponseActionRoutes(
     .post({
       access: 'public',
       path: UNISOLATE_HOST_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {
@@ -119,7 +129,12 @@ export function registerResponseActionRoutes(
     .post({
       access: 'public',
       path: ISOLATE_HOST_ROUTE_V2,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {
@@ -139,7 +154,12 @@ export function registerResponseActionRoutes(
     .post({
       access: 'public',
       path: UNISOLATE_HOST_ROUTE_V2,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {
@@ -159,7 +179,12 @@ export function registerResponseActionRoutes(
     .post({
       access: 'public',
       path: KILL_PROCESS_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {
@@ -182,7 +207,12 @@ export function registerResponseActionRoutes(
     .post({
       access: 'public',
       path: SUSPEND_PROCESS_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {
@@ -205,7 +235,12 @@ export function registerResponseActionRoutes(
     .post({
       access: 'public',
       path: GET_PROCESSES_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {
@@ -225,7 +260,12 @@ export function registerResponseActionRoutes(
     .post({
       access: 'public',
       path: GET_FILE_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {
@@ -245,7 +285,12 @@ export function registerResponseActionRoutes(
     .post({
       access: 'public',
       path: EXECUTE_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {
@@ -265,9 +310,14 @@ export function registerResponseActionRoutes(
     .post({
       access: 'public',
       path: UPLOAD_ROUTE,
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
       options: {
         authRequired: true,
-        tags: ['access:securitySolution'],
+
         body: {
           accepts: ['multipart/form-data'],
           output: 'stream',
@@ -293,7 +343,12 @@ export function registerResponseActionRoutes(
     .post({
       access: 'public',
       path: SCAN_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {

diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/actions/state.ts b/x-pack/plugins/security_solution/server/endpoint/routes/actions/state.ts
@@ -32,7 +32,12 @@ export function registerActionStateRoutes(
     .get({
       access: 'public',
       path: ACTION_STATE_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {

diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/actions/status.ts b/x-pack/plugins/security_solution/server/endpoint/routes/actions/status.ts
@@ -29,7 +29,12 @@ export function registerActionStatusRoutes(
     .get({
       access: 'public',
       path: ACTION_STATUS_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {

diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/agent/agent_status_handler.ts b/x-pack/plugins/security_solution/server/endpoint/routes/agent/agent_status_handler.ts
@@ -27,7 +27,12 @@ export const registerAgentStatusRoute = (
     .get({
       access: 'internal',
       path: AGENT_STATUS_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {

diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/index.ts b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/index.ts
@@ -54,7 +54,12 @@ export function registerEndpointRoutes(
     .get({
       access: 'public',
       path: HOST_METADATA_LIST_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {
@@ -94,7 +99,12 @@ export function registerEndpointRoutes(
     .get({
       access: 'public',
       path: METADATA_TRANSFORMS_STATUS_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
       // @ts-expect-error TODO(https://github.com/elastic/kibana/issues/196095): Replace {RouteDeprecationInfo}
       deprecated: true,
     })
@@ -114,7 +124,12 @@ export function registerEndpointRoutes(
     .get({
       access: 'internal',
       path: METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {

diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata.test.ts b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata.test.ts
@@ -240,8 +240,8 @@ describe('test endpoint routes', () => {
       });
       expect(routeConfig.options).toEqual({
         authRequired: true,
-        tags: ['access:securitySolution'],
       });
+      expect(routeConfig.security?.authz).toEqual({ requiredPrivileges: ['securitySolution'] });
       expect(mockResponse.ok).toBeCalled();
       const endpointResultList = mockResponse.ok.mock.calls[0][0]?.body as MetadataListResponse;
       expect(endpointResultList.data.length).toEqual(1);
@@ -614,8 +614,8 @@ describe('test endpoint routes', () => {
       expect(esClientMock.transform.getTransformStats).toHaveBeenCalledTimes(1);
       expect(routeConfig.options).toEqual({
         authRequired: true,
-        tags: ['access:securitySolution'],
       });
+      expect(routeConfig.security?.authz).toEqual({ requiredPrivileges: ['securitySolution'] });
       expect(mockResponse.ok).toBeCalled();
       const response = mockResponse.ok.mock.calls[0][0]?.body as TransformGetTransformStatsResponse;
       expect(response.count).toEqual(expectedResponse.count);

diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/protection_updates_note/index.ts b/x-pack/plugins/security_solution/server/endpoint/routes/protection_updates_note/index.ts
@@ -25,7 +25,12 @@ export function registerProtectionUpdatesNoteRoutes(
     .post({
       access: 'public',
       path: PROTECTION_UPDATES_NOTE_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {
@@ -45,7 +50,12 @@ export function registerProtectionUpdatesNoteRoutes(
     .get({
       access: 'public',
       path: PROTECTION_UPDATES_NOTE_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {

diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/suggestions/index.ts b/x-pack/plugins/security_solution/server/endpoint/routes/suggestions/index.ts
@@ -42,7 +42,12 @@ export function registerEndpointSuggestionsRoutes(
     .post({
       access: 'public',
       path: SUGGESTIONS_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
       // @ts-expect-error TODO(https://github.com/elastic/kibana/issues/196095): Replace {RouteDeprecationInfo}
       deprecated: true,
     })
@@ -64,7 +69,12 @@ export function registerEndpointSuggestionsRoutes(
     .post({
       access: 'internal',
       path: SUGGESTIONS_INTERNAL_ROUTE,
-      options: { authRequired: true, tags: ['access:securitySolution'] },
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
+      options: { authRequired: true },
     })
     .addVersion(
       {