Skip to content

Commit

Permalink
Authorized route migration for routes owned by @elastic/security-defe…
Browse files Browse the repository at this point in the history
…nd-workflows (elastic#198197)

### Authz API migration for authorized routes

This PR migrates `access:<privilege>` tags used in route definitions to
new security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
Access control tags were defined in the `options` object of the route:

```ts
router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);
```

### **After migration:**
Tags have been replaced with the more robust
`security.authz.requiredPrivileges` field under `security`:

```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have tests that rely on checking `access` tags.
  - If you have snapshot tests that include the route definition.
- If you have FTR tests that rely on checking unauthorized error
message. The error message changed to also include missing privileges.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

Co-authored-by: Joey F. Poon <[email protected]>
Co-authored-by: Gergő Ábrahám <[email protected]>
Co-authored-by: Tomasz Ciecierski <[email protected]>
  • Loading branch information
4 people authored and CAWilson94 committed Dec 12, 2024
1 parent 72be122 commit f19891c
Show file tree
Hide file tree
Showing 23 changed files with 115 additions and 24 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,11 @@ export const getAssetsStatusRoute = (router: IRouter, osqueryContext: OsqueryApp
.get({
access: 'internal',
path: '/internal/osquery/assets',
options: { tags: [`access:${PLUGIN_ID}-writePacks`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-writePacks`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,11 @@ export const updateAssetsRoute = (router: IRouter, osqueryContext: OsqueryAppCon
.post({
access: 'internal',
path: '/internal/osquery/assets/update',
options: { tags: [`access:${PLUGIN_ID}-writePacks`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-writePacks`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,11 @@ export const getAgentDetailsRoute = (router: IRouter, osqueryContext: OsqueryApp
.get({
access: 'internal',
path: '/internal/osquery/fleet_wrapper/agents/{id}',
options: { tags: [`access:${PLUGIN_ID}-read`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-read`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,11 @@ export const getAgentPoliciesRoute = (router: IRouter, osqueryContext: OsqueryAp
.get({
access: 'internal',
path: '/internal/osquery/fleet_wrapper/agent_policies',
options: { tags: [`access:${PLUGIN_ID}-read`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-read`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,11 @@ export const getAgentPolicyRoute = (router: IRouter, osqueryContext: OsqueryAppC
.get({
access: 'internal',
path: '/internal/osquery/fleet_wrapper/agent_policies/{id}',
options: { tags: [`access:${PLUGIN_ID}-read`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-read`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,11 @@ export const getAgentStatusForAgentPolicyRoute = (
.get({
access: 'internal',
path: '/internal/osquery/fleet_wrapper/agent_status',
options: { tags: [`access:${PLUGIN_ID}-read`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-read`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,11 @@ export const getAgentsRoute = (router: IRouter, osqueryContext: OsqueryAppContex
.get({
access: 'internal',
path: '/internal/osquery/fleet_wrapper/agents',
options: { tags: [`access:${PLUGIN_ID}-read`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-read`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,11 @@ export const getPackagePoliciesRoute = (router: IRouter, osqueryContext: Osquery
.get({
access: 'internal',
path: '/internal/osquery/fleet_wrapper/package_policies',
options: { tags: [`access:${PLUGIN_ID}-read`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-read`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,12 @@ export const findLiveQueryRoute = (router: IRouter<DataRequestHandlerContext>) =
.get({
access: 'public',
path: '/api/osquery/live_queries',
options: { tags: ['api', `access:${PLUGIN_ID}-read`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-read`],
},
},
options: { tags: ['api'] },
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,11 @@ export const getLiveQueryDetailsRoute = (router: IRouter<DataRequestHandlerConte
.get({
access: 'public',
path: '/api/osquery/live_queries/{id}',
options: { tags: [`access:${PLUGIN_ID}-read`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-read`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,11 @@ export const getLiveQueryResultsRoute = (router: IRouter<DataRequestHandlerConte
.get({
access: 'public',
path: '/api/osquery/live_queries/{id}/results/{actionId}',
options: { tags: [`access:${PLUGIN_ID}-read`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-read`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,11 @@ export const createPackRoute = (router: IRouter, osqueryContext: OsqueryAppConte
.post({
access: 'public',
path: '/api/osquery/packs',
options: { tags: [`access:${PLUGIN_ID}-writePacks`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-writePacks`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,11 @@ export const deletePackRoute = (router: IRouter, osqueryContext: OsqueryAppConte
.delete({
access: 'public',
path: '/api/osquery/packs/{id}',
options: { tags: [`access:${PLUGIN_ID}-writePacks`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-writePacks`],
},
},
})
.addVersion(
{
Expand Down
6 changes: 5 additions & 1 deletion x-pack/plugins/osquery/server/routes/pack/find_pack_route.ts
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,11 @@ export const findPackRoute = (router: IRouter) => {
.get({
access: 'public',
path: '/api/osquery/packs',
options: { tags: [`access:${PLUGIN_ID}-readPacks`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-readPacks`],
},
},
})
.addVersion(
{
Expand Down
6 changes: 5 additions & 1 deletion x-pack/plugins/osquery/server/routes/pack/read_pack_route.ts
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,11 @@ export const readPackRoute = (router: IRouter) => {
.get({
access: 'public',
path: '/api/osquery/packs/{id}',
options: { tags: [`access:${PLUGIN_ID}-readPacks`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-readPacks`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,11 @@ export const updatePackRoute = (router: IRouter, osqueryContext: OsqueryAppConte
.put({
access: 'public',
path: '/api/osquery/packs/{id}',
options: { tags: [`access:${PLUGIN_ID}-writePacks`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-writePacks`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,10 @@ export const privilegesCheckRoute = (router: IRouter, osqueryContext: OsqueryApp
.get({
access: 'internal',
path: '/internal/osquery/privileges_check',
options: {
tags: [`access:${PLUGIN_ID}-readLiveQueries`],
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-readLiveQueries`],
},
},
})
.addVersion(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,11 @@ export const createSavedQueryRoute = (router: IRouter, osqueryContext: OsqueryAp
.post({
access: 'public',
path: '/api/osquery/saved_queries',
options: { tags: [`access:${PLUGIN_ID}-writeSavedQueries`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-writeSavedQueries`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,11 @@ export const deleteSavedQueryRoute = (router: IRouter, osqueryContext: OsqueryAp
.delete({
access: 'public',
path: '/api/osquery/saved_queries/{id}',
options: { tags: [`access:${PLUGIN_ID}-writeSavedQueries`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-writeSavedQueries`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,11 @@ export const findSavedQueryRoute = (router: IRouter, osqueryContext: OsqueryAppC
.get({
access: 'public',
path: '/api/osquery/saved_queries',
options: { tags: [`access:${PLUGIN_ID}-readSavedQueries`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-readSavedQueries`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,11 @@ export const readSavedQueryRoute = (router: IRouter, osqueryContext: OsqueryAppC
.get({
access: 'public',
path: '/api/osquery/saved_queries/{id}',
options: { tags: [`access:${PLUGIN_ID}-readSavedQueries`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-readSavedQueries`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,11 @@ export const updateSavedQueryRoute = (router: IRouter, osqueryContext: OsqueryAp
.put({
access: 'public',
path: '/api/osquery/saved_queries/{id}',
options: { tags: [`access:${PLUGIN_ID}-writeSavedQueries`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-writeSavedQueries`],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,11 @@ export const createStatusRoute = (router: IRouter, osqueryContext: OsqueryAppCon
.get({
access: 'internal',
path: '/internal/osquery/status',
options: { tags: [`access:${PLUGIN_ID}-read`] },
security: {
authz: {
requiredPrivileges: [`${PLUGIN_ID}-read`],
},
},
})
.addVersion(
{
Expand Down

0 comments on commit f19891c

Please sign in to comment.