From 725d0cc1bbe20c30c445e79239e5d6f5d69d8de2 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Tue, 19 Nov 2024 02:50:28 +1100
Subject: [PATCH] [8.x] Unauthorized route migration for routes owned by
 security-defend-workflows (#198375) (#200570)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Unauthorized route migration for routes owned by
security-defend-workflows
(#198375)](https://github.com/elastic/kibana/pull/198375)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Kibana
Machine","email":"42973632+kibanamachine@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-11-18T13:38:12Z","message":"Unauthorized
route migration for routes owned by security-defend-workflows
(#198375)\n\n### Authz API migration for unauthorized routes\r\n\r\nFix
unauthorized
routes","sha":"dbab2214e9451d3a262007660cc0b7cdcea5307c","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["enhancement","release_note:skip","Feature:Security/Authorization","v9.0.0","Team:Defend
Workflows","OLM Sprint","backport:prev-minor","Authz: API
migration"],"title":"Unauthorized route migration for routes owned by
security-defend-workflows","number":198375,"url":"https://github.com/elastic/kibana/pull/198375","mergeCommit":{"message":"Unauthorized
route migration for routes owned by security-defend-workflows
(#198375)\n\n### Authz API migration for unauthorized routes\r\n\r\nFix
unauthorized
routes","sha":"dbab2214e9451d3a262007660cc0b7cdcea5307c"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/198375","number":198375,"mergeCommit":{"message":"Unauthorized
route migration for routes owned by security-defend-workflows
(#198375)\n\n### Authz API migration for unauthorized routes\r\n\r\nFix
unauthorized
routes","sha":"dbab2214e9451d3a262007660cc0b7cdcea5307c"}}]}]
BACKPORT-->
---
 .../routes/live_query/create_live_query_route.ts  |  7 +++++++
 .../server/endpoint/routes/metadata/index.ts      |  5 +++++
 .../server/endpoint/routes/policy/index.ts        |  5 +++++
 .../server/endpoint/routes/resolver.ts            | 15 +++++++++++++++
 4 files changed, 32 insertions(+)

diff --git a/x-pack/plugins/osquery/server/routes/live_query/create_live_query_route.ts b/x-pack/plugins/osquery/server/routes/live_query/create_live_query_route.ts
index 6372a48c89b6e..31edbd59f5400 100644
--- a/x-pack/plugins/osquery/server/routes/live_query/create_live_query_route.ts
+++ b/x-pack/plugins/osquery/server/routes/live_query/create_live_query_route.ts
@@ -31,6 +31,13 @@ export const createLiveQueryRoute = (router: IRouter, osqueryContext: OsqueryApp
     .addVersion(
       {
         version: API_VERSIONS.public.v1,
+        security: {
+          authz: {
+            enabled: false,
+            reason:
+              'We do the check for 2 different scenarios below (const isInvalid): writeLiveQueries and runSavedQueries with saved_query_id, or pack_id',
+          },
+        },
         validate: {
           request: {
             body: buildRouteValidation<
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/index.ts b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/index.ts
index 3f028719fe5ad..b9b7fd905dc3a 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/metadata/index.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/metadata/index.ts
@@ -84,6 +84,11 @@ export function registerEndpointRoutes(
     .addVersion(
       {
         version: '2023-10-31',
+        security: {
+          authz: {
+            requiredPrivileges: ['securitySolution'],
+          },
+        },
         validate: {
           request: GetMetadataRequestSchema,
         },
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/policy/index.ts b/x-pack/plugins/security_solution/server/endpoint/routes/policy/index.ts
index f437ed332828c..c83da3d31185b 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/policy/index.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/policy/index.ts
@@ -35,6 +35,11 @@ export function registerPolicyRoutes(
     .addVersion(
       {
         version: '2023-10-31',
+        security: {
+          authz: {
+            requiredPrivileges: ['securitySolution'],
+          },
+        },
         validate: {
           request: GetPolicyResponseSchema,
         },
diff --git a/x-pack/plugins/security_solution/server/endpoint/routes/resolver.ts b/x-pack/plugins/security_solution/server/endpoint/routes/resolver.ts
index d8cb4db4b0a65..0edd0e90d4907 100644
--- a/x-pack/plugins/security_solution/server/endpoint/routes/resolver.ts
+++ b/x-pack/plugins/security_solution/server/endpoint/routes/resolver.ts
@@ -35,6 +35,11 @@ export const registerResolverRoutes = (
   router.post(
     {
       path: '/api/endpoint/resolver/tree',
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
       validate: validateTree,
       options: { authRequired: true },
     },
@@ -44,6 +49,11 @@ export const registerResolverRoutes = (
   router.post(
     {
       path: '/api/endpoint/resolver/events',
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
       validate: validateEvents,
       options: { authRequired: true },
     },
@@ -56,6 +66,11 @@ export const registerResolverRoutes = (
   router.get(
     {
       path: '/api/endpoint/resolver/entity',
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
       validate: validateEntities,
       options: { authRequired: true },
     },