

[8.x] Authorized route migration for routes owned by security-defend-…
…workflows (#198381) (#199680)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Authorized route migration for routes owned by
security-defend-workflows
(#198381)](#198381)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Kibana
Machine","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-11-11T17:56:34Z","message":"Authorized
route migration for routes owned by security-defend-workflows
(#198381)\n\n### Authz API migration for authorized routes\r\n\r\nThis
PR migrates `access:<privilege>` tags used in route definitions
to\r\nnew security
configuration.","sha":"68a5308bd5b4a4caa0cdaaa5d6b6d80553ceee9a","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["enhancement","release_note:skip","Feature:Security/Authorization","v9.0.0","Team:Defend
Workflows","backport:prev-minor","Authz: API
migration"],"title":"Authorized route migration for routes owned by
security-defend-workflows","number":198381,"url":"https://github.com/elastic/kibana/pull/198381","mergeCommit":{"message":"Authorized
route migration for routes owned by security-defend-workflows
(#198381)\n\n### Authz API migration for authorized routes\r\n\r\nThis
PR migrates `access:<privilege>` tags used in route definitions
to\r\nnew security
configuration.","sha":"68a5308bd5b4a4caa0cdaaa5d6b6d80553ceee9a"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/198381","number":198381,"mergeCommit":{"message":"Authorized
route migration for routes owned by security-defend-workflows
(#198381)\n\n### Authz API migration for authorized routes\r\n\r\nThis
PR migrates `access:<privilege>` tags used in route definitions
to\r\nnew security
configuration.","sha":"68a5308bd5b4a4caa0cdaaa5d6b6d80553ceee9a"}}]}]
BACKPORT-->
kibanamachine authored Nov 11, 2024
1 parent ab1cb1e commit 4e89a6c
Showing 13 changed files with 158 additions and 28 deletions.
Expand Up @@ -27,7 +27,12 @@ export function registerActionAuditLogRoutes(
.get({
access: 'public',
path: ENDPOINT_ACTION_LOG_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -32,7 +32,12 @@ export const registerActionDetailsRoutes = (
.get({
access: 'public',
path: ACTION_DETAILS_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -38,7 +38,12 @@ export const registerActionFileDownloadRoutes = (
// we need to enable setting the version number via query params
enableQueryVersion: true,
path: ACTION_AGENT_FILE_DOWNLOAD_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -74,7 +74,12 @@ export const registerActionFileInfoRoute = (
.get({
access: 'public',
path: ACTION_AGENT_FILE_INFO_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -30,7 +30,12 @@ export function registerActionListRoutes(
.get({
access: 'public',
path: BASE_ENDPOINT_ACTION_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -80,7 +80,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: ISOLATE_HOST_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -99,7 +104,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: UNISOLATE_HOST_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -119,7 +129,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: ISOLATE_HOST_ROUTE_V2,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -139,7 +154,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: UNISOLATE_HOST_ROUTE_V2,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -159,7 +179,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: KILL_PROCESS_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -182,7 +207,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: SUSPEND_PROCESS_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -205,7 +235,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: GET_PROCESSES_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -225,7 +260,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: GET_FILE_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -245,7 +285,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: EXECUTE_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -265,9 +310,14 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: UPLOAD_ROUTE,
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: {
authRequired: true,
tags: ['access:securitySolution'],

body: {
accepts: ['multipart/form-data'],
output: 'stream',
Expand All @@ -293,7 +343,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: SCAN_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
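Review bot: Every response-action route in this section, from ISOLATE_HOST_ROUTE through KILL_PROCESS_ROUTE, EXECUTE_ROUTE, UPLOAD_ROUTE and SCAN_ROUTE, is gated at the route level by the same broad `securitySolution` privilege that the read-only GET routes elsewhere in this commit use. That matches the `access:securitySolution` tag it replaces, so the migration is not a regression, but the new `security.authz` block now reads as the route's complete authorization statement. Any per-action check (a narrower privilege for execute or file upload, say) would have to live in the `.addVersion(...)` handlers, which begin outside these hunks, so it cannot be confirmed from here. Once verified, I would add a comment above each block along the lines of `// Route-level gate only; per-action privileges are enforced in the handler`.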
Expand Up @@ -32,7 +32,12 @@ export function registerActionStateRoutes(
.get({
access: 'public',
path: ACTION_STATE_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -29,7 +29,12 @@ export function registerActionStatusRoutes(
.get({
access: 'public',
path: ACTION_STATUS_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -27,7 +27,12 @@ export const registerAgentStatusRoute = (
.get({
access: 'internal',
path: AGENT_STATUS_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -54,7 +54,12 @@ export function registerEndpointRoutes(
.get({
access: 'public',
path: HOST_METADATA_LIST_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Down Expand Up @@ -94,7 +99,12 @@ export function registerEndpointRoutes(
.get({
access: 'public',
path: METADATA_TRANSFORMS_STATUS_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
// @ts-expect-error TODO(https://github.com/elastic/kibana/issues/196095): Replace {RouteDeprecationInfo}
deprecated: true,
})
Expand All @@ -114,7 +124,12 @@ export function registerEndpointRoutes(
.get({
access: 'internal',
path: METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -240,8 +240,8 @@ describe('test endpoint routes', () => {
});
expect(routeConfig.options).toEqual({
authRequired: true,
tags: ['access:securitySolution'],
});
expect(routeConfig.security?.authz).toEqual({ requiredPrivileges: ['securitySolution'] });
expect(mockResponse.ok).toBeCalled();
const endpointResultList = mockResponse.ok.mock.calls[0][0]?.body as MetadataListResponse;
expect(endpointResultList.data.length).toEqual(1);
Expand Down Expand Up @@ -614,8 +614,8 @@ describe('test endpoint routes', () => {
expect(esClientMock.transform.getTransformStats).toHaveBeenCalledTimes(1);
expect(routeConfig.options).toEqual({
authRequired: true,
tags: ['access:securitySolution'],
});
expect(routeConfig.security?.authz).toEqual({ requiredPrivileges: ['securitySolution'] });
expect(mockResponse.ok).toBeCalled();
const response = mockResponse.ok.mock.calls[0][0]?.body as TransformGetTransformStatsResponse;
expect(response.count).toEqual(expectedResponse.count);
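Review bot: Only these two assertions, both in the endpoint metadata route tests, check the new `security.authz` value; this is the only test file among the 13 changed files, so the response-action, action-status, protection-updates and suggestions routes appear to get no assertion that the privilege survived the migration. If a later edit dropped the `security` block from one of those routes, `options: { authRequired: true }` would still demand a login, but as far as these hunks show nothing would then demand the `securitySolution` privilege. Adding the same line, `expect(routeConfig.security?.authz).toEqual({ requiredPrivileges: ['securitySolution'] });`, to the existing tests for those routes would pin the requirement. Coverage may already exist in test files this commit does not touch.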
Expand Up @@ -25,7 +25,12 @@ export function registerProtectionUpdatesNoteRoutes(
.post({
access: 'public',
path: PROTECTION_UPDATES_NOTE_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -45,7 +50,12 @@ export function registerProtectionUpdatesNoteRoutes(
.get({
access: 'public',
path: PROTECTION_UPDATES_NOTE_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -42,7 +42,12 @@ export function registerEndpointSuggestionsRoutes(
.post({
access: 'public',
path: SUGGESTIONS_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
// @ts-expect-error TODO(https://github.com/elastic/kibana/issues/196095): Replace {RouteDeprecationInfo}
deprecated: true,
})
Expand All @@ -64,7 +69,12 @@ export function registerEndpointSuggestionsRoutes(
.post({
access: 'internal',
path: SUGGESTIONS_INTERNAL_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
