[Debt] Removing authz.fleet requirement (#194069)

## Summary This PR closes #194053 by removing the requirement of Kibana Fleet privileges to access some Cloud Security Posture endpoints, once we investigated that there's no real need for this extra checking. ### Screenshots Users with `viewer` [built-in role](https://www.elastic.co/guide/en/cloud/current/ec-user-privileges.html) in ESS can now see all the Findings-related pages: ![image](https://github.com/user-attachments/assets/0da7062d-1d8c-4210-bd4e-e95e0409aed7) ![image](https://github.com/user-attachments/assets/5a3131d8-e5e1-4c5d-8471-dd4dbbbb1294) ![image](https://github.com/user-attachments/assets/9fb9b167-555c-499a-a9f5-39072af45238)
elastic · Sep 26, 2024 · 0825f03 · 0825f03
1 parent 8e29141
commit 0825f03
Show file tree

Hide file tree

Showing 7 changed files with 1 addition and 122 deletions.
diff --git a/...k/plugins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/bulk_action.ts b/...k/plugins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/bulk_action.ts
@@ -58,9 +58,6 @@ export const defineBulkActionCspBenchmarkRulesRoute = (router: CspRouter) =>
         },
       },
       async (context, request, response) => {
-        if (!(await context.fleet).authz.fleet.all) {
-          return response.forbidden();
-        }
         const cspContext = await context.csp;
 
         try {

diff --git a/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/find/find.ts b/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/find/find.ts
@@ -39,10 +39,6 @@ export const defineFindCspBenchmarkRuleRoute = (router: CspRouter) =>
         },
       },
       async (context, request, response) => {
-        if (!(await context.fleet).authz.fleet.all) {
-          return response.forbidden();
-        }
-
         const requestBody: FindCspBenchmarkRuleRequestV1 = request.query;
         const cspContext = await context.csp;
 
@@ -72,10 +68,6 @@ export const defineFindCspBenchmarkRuleRoute = (router: CspRouter) =>
         },
       },
       async (context, request, response) => {
-        if (!(await context.fleet).authz.fleet.all) {
-          return response.forbidden();
-        }
-
         const requestBody: FindCspBenchmarkRuleRequestV2 = request.query;
         const cspContext = await context.csp;
 
@@ -106,10 +98,6 @@ export const defineFindCspBenchmarkRuleRoute = (router: CspRouter) =>
         },
       },
       async (context, request, response) => {
-        if (!(await context.fleet).authz.fleet.all) {
-          return response.forbidden();
-        }
-
         const requestBody: FindCspBenchmarkRuleRequest = request.query;
         const cspContext = await context.csp;
 

diff --git a/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/get_states/get_states.ts b/x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/get_states/get_states.ts
@@ -26,9 +26,6 @@ export const defineGetCspBenchmarkRulesStatesRoute = (router: CspRouter) =>
         validate: {},
       },
       async (context, request, response) => {
-        if (!(await context.fleet).authz.fleet.all) {
-          return response.forbidden();
-        }
         const cspContext = await context.csp;
 
         try {

diff --git a/x-pack/plugins/cloud_security_posture/server/routes/benchmarks/benchmarks.test.ts b/x-pack/plugins/cloud_security_posture/server/routes/benchmarks/benchmarks.test.ts
@@ -4,7 +4,7 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
-import { httpServerMock, httpServiceMock, savedObjectsClientMock } from '@kbn/core/server/mocks';
+import { httpServiceMock, savedObjectsClientMock } from '@kbn/core/server/mocks';
 import {
   benchmarksQueryParamsSchema,
   DEFAULT_BENCHMARKS_PER_PAGE,
@@ -15,7 +15,6 @@ import { getRulesCountForPolicy } from './utilities';
 import { SavedObjectsClientContract, SavedObjectsFindResponse } from '@kbn/core/server';
 import { createMockAgentPolicyService } from '@kbn/fleet-plugin/server/mocks';
 import { createPackagePolicyMock } from '@kbn/fleet-plugin/common/mocks';
-import { createCspRequestHandlerContextMock } from '../../mocks';
 
 describe('benchmarks API', () => {
   beforeEach(() => {
@@ -32,45 +31,6 @@ describe('benchmarks API', () => {
     expect(config.path).toEqual('/internal/cloud_security_posture/benchmarks');
   });
 
-  it('should accept to a user with fleet.all privilege', async () => {
-    const router = httpServiceMock.createRouter();
-
-    defineGetBenchmarksRoute(router);
-
-    const versionedRouter = router.versioned.get.mock.results[0].value;
-
-    const handler = versionedRouter.addVersion.mock.calls[0][1];
-
-    const mockContext = createCspRequestHandlerContextMock();
-    const mockResponse = httpServerMock.createResponseFactory();
-    const mockRequest = httpServerMock.createKibanaRequest();
-    const [context, req, res] = [mockContext, mockRequest, mockResponse];
-
-    await handler(context, req, res);
-
-    expect(res.forbidden).toHaveBeenCalledTimes(0);
-  });
-
-  it('should reject to a user without fleet.all privilege', async () => {
-    const router = httpServiceMock.createRouter();
-
-    defineGetBenchmarksRoute(router);
-
-    const versionedRouter = router.versioned.get.mock.results[0].value;
-    const handler = versionedRouter.addVersion.mock.calls[0][1];
-
-    const mockContext = createCspRequestHandlerContextMock();
-    mockContext.fleet.authz.fleet.all = false;
-
-    const mockResponse = httpServerMock.createResponseFactory();
-    const mockRequest = httpServerMock.createKibanaRequest();
-    const [context, req, res] = [mockContext, mockRequest, mockResponse];
-
-    await handler(context, req, res);
-
-    expect(res.forbidden).toHaveBeenCalledTimes(1);
-  });
-
   describe('test input schema', () => {
     it('expect to find default values', async () => {
       const validatedQuery = benchmarksQueryParamsSchema.validate({});

diff --git a/x-pack/plugins/cloud_security_posture/server/routes/benchmarks/benchmarks.ts b/x-pack/plugins/cloud_security_posture/server/routes/benchmarks/benchmarks.ts
@@ -34,9 +34,6 @@ export const defineGetBenchmarksRoute = (router: CspRouter) =>
         },
       },
       async (context, request, response) => {
-        if (!(await context.fleet).authz.fleet.all) {
-          return response.forbidden();
-        }
         const cspContext = await context.csp;
         try {
           const cspBenchmarks = await getBenchmarksV1(
@@ -72,9 +69,6 @@ export const defineGetBenchmarksRoute = (router: CspRouter) =>
         },
       },
       async (context, request, response) => {
-        if (!(await context.fleet).authz.fleet.all) {
-          return response.forbidden();
-        }
         const cspContext = await context.csp;
         const esClient = cspContext.esClient.asCurrentUser;
         try {

diff --git a/...ns/cloud_security_posture/server/routes/compliance_dashboard/compliance_dashboard.test.ts b/...ns/cloud_security_posture/server/routes/compliance_dashboard/compliance_dashboard.test.ts
diff --git a/..._posture/server/routes/detection_engine/get_detection_engine_alerts_count_by_rule_tags.ts b/..._posture/server/routes/detection_engine/get_detection_engine_alerts_count_by_rule_tags.ts
@@ -69,10 +69,6 @@ export const defineGetDetectionEngineAlertsStatus = (router: CspRouter) =>
         },
       },
       async (context, request, response) => {
-        if (!(await context.fleet).authz.fleet.all) {
-          return response.forbidden();
-        }
-
         const requestBody = request.query;
         const cspContext = await context.csp;