Skip to content

Commit

Permalink
Authorized route migration for routes owned by kibana-security (#198380)
Browse files Browse the repository at this point in the history
### Authz API migration for authorized routes

This PR migrates `access:<privilege>` tags used in route definitions to
new security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
Access control tags were defined in the `options` object of the route:

```ts
router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);
```

### **After migration:**
Tags have been replaced with the more robust
`security.authz.requiredPrivileges` field under `security`:

```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have tests that rely on checking `access` tags.
  - If you have snapshot tests that include the route definition.
- If you have FTR tests that rely on checking unauthorized error
message. The error message changed to also include missing privileges.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

---------

Co-authored-by: Elena Shostak <[email protected]>
(cherry picked from commit 20989b6)

# Conflicts:
#	x-pack/plugins/security/server/routes/authorization/roles/get_all_by_space.test.ts
#	x-pack/plugins/security/server/routes/authorization/roles/get_all_by_space.ts
#	x-pack/plugins/spaces/server/routes/api/internal/get_content_summary.test.ts
#	x-pack/plugins/spaces/server/routes/api/internal/get_content_summary.ts
  • Loading branch information
kibanamachine committed Nov 1, 2024
1 parent d74f8a7 commit 319bf52
Show file tree
Hide file tree
Showing 11 changed files with 40 additions and 14 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -149,7 +149,7 @@ describe('GET all roles by space id', () => {

const paramsSchema = (config.validate as any).params;

expect(config.options).toEqual({ tags: ['access:manageSpaces'] });
expect(config.security?.authz).toEqual({ requiredPrivileges: ['manage_spaces'] });
expect(() => paramsSchema.validate({})).toThrowErrorMatchingInlineSnapshot(
`"[spaceId]: expected value of type [string] but got [undefined]"`
);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -24,8 +24,10 @@ export function defineGetAllRolesBySpaceRoutes({
router.get(
{
path: '/internal/security/roles/{spaceId}',
options: {
tags: ['access:manageSpaces'],
security: {
authz: {
requiredPrivileges: ['manage_spaces'],
},
},
validate: {
params: schema.object({ spaceId: schema.string({ minLength: 1 }) }),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -46,9 +46,10 @@ describe('Invalidate sessions routes', () => {
expect(routeConfig.options).toEqual({
access: 'public',
summary: 'Invalidate user sessions',
tags: ['access:sessionManagement'],
});

expect(routeConfig.security?.authz).toEqual({ requiredPrivileges: ['sessionManagement'] });

const bodySchema = (routeConfig.validate as any).body as ObjectType;
expect(() => bodySchema.validate({})).toThrowErrorMatchingInlineSnapshot(
`"[match]: expected at least one defined value but got [undefined]"`
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -37,14 +37,19 @@ export function defineInvalidateSessionsRoutes({
),
}),
},
security: {
authz: {
requiredPrivileges: ['sessionManagement'],
},
},
options: {
// The invalidate session API was introduced to address situations where the session index
// could grow rapidly - when session timeouts are disabled, or with anonymous access.
// In the serverless environment, sessions timeouts are always be enabled, and there is no
// anonymous access. However, keeping this endpoint available internally in serverless would
// be useful in situations where we need to batch-invalidate user sessions.
access: buildFlavor === 'serverless' ? 'internal' : 'public',
tags: ['access:sessionManagement'],

summary: `Invalidate user sessions`,
},
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ describe('Bulk get profile routes', () => {
});

it('correctly defines route.', () => {
expect(routeConfig.options).toEqual({ tags: ['access:bulkGetUserProfiles'] });
expect(routeConfig.security?.authz).toEqual({ requiredPrivileges: ['bulkGetUserProfiles'] });

const bodySchema = (routeConfig.validate as any).body as ObjectType;
expect(() => bodySchema.validate(0)).toThrowErrorMatchingInlineSnapshot(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,11 @@ export function defineBulkGetUserProfilesRoute({
dataPath: schema.maybe(schema.string()),
}),
},
options: { tags: ['access:bulkGetUserProfiles'] },
security: {
authz: {
requiredPrivileges: ['bulkGetUserProfiles'],
},
},
},
createLicensedRouteHandler(async (context, request, response) => {
const userProfileServiceInternal = getUserProfileService();
Expand Down
14 changes: 12 additions & 2 deletions x-pack/plugins/spaces/server/routes/api/external/copy_to_space.ts
Original file line number Diff line number Diff line change
Expand Up @@ -37,9 +37,14 @@ export function initCopyToSpacesApi(deps: ExternalRouteDeps) {
router.post(
{
path: '/api/spaces/_copy_saved_objects',
security: {
authz: {
requiredPrivileges: ['copySavedObjectsToSpaces'],
},
},
options: {
access: isServerless ? 'internal' : 'public',
tags: ['access:copySavedObjectsToSpaces', 'oas-tag:spaces'],
tags: ['oas-tag:spaces'],
summary: `Copy saved objects between spaces`,
description:
'It also allows you to automatically copy related objects, so when you copy a dashboard, this can automatically copy over the associated visualizations, data views, and saved searches, as required. You can request to overwrite any objects that already exist in the target space if they share an identifier or you can use the resolve copy saved objects conflicts API to do this on a per-object basis.',
Expand Down Expand Up @@ -188,9 +193,14 @@ export function initCopyToSpacesApi(deps: ExternalRouteDeps) {
router.post(
{
path: '/api/spaces/_resolve_copy_saved_objects_errors',
security: {
authz: {
requiredPrivileges: ['copySavedObjectsToSpaces'],
},
},
options: {
access: isServerless ? 'internal' : 'public',
tags: ['access:copySavedObjectsToSpaces'],

summary: `Resolve conflicts copying saved objects`,
description:
'Overwrite saved objects that are returned as errors from the copy saved objects to space API.',
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,7 @@ describe('GET /internal/spaces/{spaceId}/content_summary', () => {

const paramsSchema = (config.validate as any).params;

expect(config.options).toEqual({ tags: ['access:manageSpaces'] });
expect(config.security?.authz).toEqual({ requiredPrivileges: ['manage_spaces'] });
expect(() => paramsSchema.validate({})).toThrowErrorMatchingInlineSnapshot(
`"[spaceId]: expected value of type [string] but got [undefined]"`
);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -38,8 +38,10 @@ export function initGetSpaceContentSummaryApi(deps: InternalRouteDeps) {
router.get(
{
path: '/internal/spaces/{spaceId}/content_summary',
options: {
tags: ['access:manageSpaces'],
security: {
authz: {
requiredPrivileges: ['manage_spaces'],
},
},
validate: {
params: schema.object({
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -154,7 +154,8 @@ export function copyToSpaceTestSuiteFactory(context: FtrProviderContext) {
expect(resp.body).to.eql({
statusCode: 403,
error: 'Forbidden',
message: 'Forbidden',
message:
'API [POST /api/spaces/_copy_saved_objects] is unauthorized for user, this action is granted by the Kibana privileges [copySavedObjectsToSpaces]',
});
};

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -252,7 +252,8 @@ export function resolveCopyToSpaceConflictsSuite(context: FtrProviderContext) {
expect(resp.body).to.eql({
statusCode: 403,
error: 'Forbidden',
message: 'Forbidden',
message:
'API [POST /api/spaces/_resolve_copy_saved_objects_errors] is unauthorized for user, this action is granted by the Kibana privileges [copySavedObjectsToSpaces]',
});
};

Expand Down

0 comments on commit 319bf52

Please sign in to comment.