[8.x] [EDR Workflows] Deprecate public metadata/transforms api endpoi…

…nt in favour of an internal one (#194829) (#195565)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[EDR Workflows] Deprecate public metadata/transforms api endpoint in
favour of an internal one
(#194829)](#194829)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Konrad
Szwarc","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-09T10:21:55Z","message":"[EDR
Workflows] Deprecate public metadata/transforms api endpoint in favour
of an internal one (#194829)\n\nNew internal GET
`/api/endpoint/metadata/transforms` route.\r\n\r\nCurrent public GET
`/api/endpoint/metadata/transforms` route is set
to\r\ndeprecated.\r\n\r\nAll usages across the project have been updated
to consume the new\r\ninternal
route.\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<[email protected]>","sha":"15abb859920fc2132eaf7c519c18ca39577acaf1","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Defend
Workflows","v8.16.0","backport:version"],"title":"[EDR Workflows]
Deprecate public metadata/transforms api endpoint in favour of an
internal
one","number":194829,"url":"https://github.com/elastic/kibana/pull/194829","mergeCommit":{"message":"[EDR
Workflows] Deprecate public metadata/transforms api endpoint in favour
of an internal one (#194829)\n\nNew internal GET
`/api/endpoint/metadata/transforms` route.\r\n\r\nCurrent public GET
`/api/endpoint/metadata/transforms` route is set
to\r\ndeprecated.\r\n\r\nAll usages across the project have been updated
to consume the new\r\ninternal
route.\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<[email protected]>","sha":"15abb859920fc2132eaf7c519c18ca39577acaf1"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/194829","number":194829,"mergeCommit":{"message":"[EDR
Workflows] Deprecate public metadata/transforms api endpoint in favour
of an internal one (#194829)\n\nNew internal GET
`/api/endpoint/metadata/transforms` route.\r\n\r\nCurrent public GET
`/api/endpoint/metadata/transforms` route is set
to\r\ndeprecated.\r\n\r\nAll usages across the project have been updated
to consume the new\r\ninternal
route.\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<[email protected]>","sha":"15abb859920fc2132eaf7c519c18ca39577acaf1"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Konrad Szwarc <[email protected]>

oas_docs/output/kibana.serverless.staging.yaml

@@ -8053,6 +8053,7 @@ paths:
         - Security Endpoint Management API
   /api/endpoint/metadata/transforms:
     get:
+      deprecated: true
       operationId: GetEndpointMetadataTransform
       responses:
         '200':

oas_docs/output/kibana.serverless.yaml

@@ -8053,6 +8053,7 @@ paths:
         - Security Endpoint Management API
   /api/endpoint/metadata/transforms:
     get:
+      deprecated: true
       operationId: GetEndpointMetadataTransform
       responses:
         '200':

oas_docs/output/kibana.staging.yaml

@@ -11424,6 +11424,7 @@ paths:
         - Security Endpoint Management API
   /api/endpoint/metadata/transforms:
     get:
+      deprecated: true
       operationId: GetEndpointMetadataTransform
       responses:
         '200':

oas_docs/output/kibana.yaml

@@ -11424,6 +11424,7 @@ paths:
         - Security Endpoint Management API
   /api/endpoint/metadata/transforms:
     get:
+      deprecated: true
       operationId: GetEndpointMetadataTransform
       responses:
         '200':

x-pack/plugins/security_solution/common/api/endpoint/metadata/get_metadata.schema.yaml

@@ -25,6 +25,7 @@ paths:
 
   /api/endpoint/metadata/transforms:
     get:
+      deprecated: true
       summary: Get metadata transforms
       operationId: GetEndpointMetadataTransform
       x-codegen-enabled: false

x-pack/plugins/security_solution/common/endpoint/constants.ts

@@ -65,8 +65,12 @@ export const BASE_INTERNAL_ENDPOINT_ROUTE = `/internal${BASE_ENDPOINT_ROUTE}`;
 // Endpoint API routes
 export const HOST_METADATA_LIST_ROUTE = `${BASE_ENDPOINT_ROUTE}/metadata`;
 export const HOST_METADATA_GET_ROUTE = `${HOST_METADATA_LIST_ROUTE}/{id}`;
+
+/** @deprecated public route, use {@link METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE} internal route  */
 export const METADATA_TRANSFORMS_STATUS_ROUTE = `${BASE_ENDPOINT_ROUTE}/metadata/transforms`;
 
+export const METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE = `${BASE_INTERNAL_ENDPOINT_ROUTE}/metadata/transforms`;
+
 export const BASE_POLICY_RESPONSE_ROUTE = `${BASE_ENDPOINT_ROUTE}/policy_response`;
 export const BASE_POLICY_ROUTE = `${BASE_ENDPOINT_ROUTE}/policy`;
 export const AGENT_POLICY_SUMMARY_ROUTE = `${BASE_POLICY_ROUTE}/summaries`;

x-pack/plugins/security_solution/docs/openapi/ess/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml

@@ -438,6 +438,7 @@ paths:
         - Security Endpoint Management API
   /api/endpoint/metadata/transforms:
     get:
+      deprecated: true
       operationId: GetEndpointMetadataTransform
       responses:
         '200':

x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml

@@ -388,6 +388,7 @@ paths:
         - Security Endpoint Management API
   /api/endpoint/metadata/transforms:
     get:
+      deprecated: true
       operationId: GetEndpointMetadataTransform
       responses:
         '200':

x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/mocks.ts

@@ -21,7 +21,7 @@ import {
   BASE_POLICY_RESPONSE_ROUTE,
   HOST_METADATA_GET_ROUTE,
   HOST_METADATA_LIST_ROUTE,
-  METADATA_TRANSFORMS_STATUS_ROUTE,
+  METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE,
 } from '../../../../common/endpoint/constants';
 import type { PendingActionsHttpMockInterface } from '../../../common/lib/endpoint/endpoint_pending_actions/mocks';
 import { pendingActionsHttpMock } from '../../../common/lib/endpoint/endpoint_pending_actions/mocks';
@@ -120,7 +120,7 @@ export const failedTransformStateMock = {
 export const transformsHttpMocks = httpHandlerMockFactory<TransformHttpMocksInterface>([
   {
     id: 'metadataTransformStats',
-    path: METADATA_TRANSFORMS_STATUS_ROUTE,
+    path: METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE,
     method: 'get',
     handler: () => failedTransformStateMock,
   },

x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/middleware.ts

@@ -21,7 +21,7 @@ import type {
 import {
   ENDPOINT_FIELDS_SEARCH_STRATEGY,
   HOST_METADATA_LIST_ROUTE,
-  METADATA_TRANSFORMS_STATUS_ROUTE,
+  METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE,
   METADATA_UNITED_INDEX,
   metadataCurrentIndexPattern,
 } from '../../../../../common/endpoint/constants';
@@ -421,8 +421,8 @@ export async function handleLoadMetadataTransformStats(http: HttpStart, store: E
 
   try {
     const transformStatsResponse: TransformStatsResponse = await http.get(
-      METADATA_TRANSFORMS_STATUS_ROUTE,
-      { version: '2023-10-31' }
+      METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE,
+      { version: '1' }
     );
 
     dispatch({

x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/mock_endpoint_result_list.ts

@@ -35,7 +35,7 @@ import {
   ENDPOINT_DEFAULT_SORT_DIRECTION,
   ENDPOINT_DEFAULT_SORT_FIELD,
   HOST_METADATA_LIST_ROUTE,
-  METADATA_TRANSFORMS_STATUS_ROUTE,
+  METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE,
 } from '../../../../../common/endpoint/constants';
 import type { TransformStats, TransformStatsResponse } from '../types';
 
@@ -178,7 +178,7 @@ const endpointListApiPathHandlerMocks = ({
       return pendingActionsResponseMock();
     },
 
-    [METADATA_TRANSFORMS_STATUS_ROUTE]: (): TransformStatsResponse => ({
+    [METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE]: (): TransformStatsResponse => ({
       count: transforms.length,
       transforms,
     }),

x-pack/plugins/security_solution/server/endpoint/routes/metadata/index.ts

@@ -23,6 +23,7 @@ import type { SecuritySolutionPluginRouter } from '../../../types';
 import {
   HOST_METADATA_GET_ROUTE,
   HOST_METADATA_LIST_ROUTE,
+  METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE,
   METADATA_TRANSFORMS_STATUS_ROUTE,
 } from '../../../../common/endpoint/constants';
 import { withEndpointAuthz } from '../with_endpoint_authz';
@@ -94,6 +95,7 @@ export function registerEndpointRoutes(
       access: 'public',
       path: METADATA_TRANSFORMS_STATUS_ROUTE,
       options: { authRequired: true, tags: ['access:securitySolution'] },
+      deprecated: true,
     })
     .addVersion(
       {
@@ -106,4 +108,22 @@ export function registerEndpointRoutes(
         getMetadataTransformStatsHandler(endpointAppContext, logger)
       )
     );
+
+  router.versioned
+    .get({
+      access: 'internal',
+      path: METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE,
+      options: { authRequired: true, tags: ['access:securitySolution'] },
+    })
+    .addVersion(
+      {
+        version: '1',
+        validate: false,
+      },
+      withEndpointAuthz(
+        { all: ['canReadSecuritySolution'] },
+        logger,
+        getMetadataTransformStatsHandler(endpointAppContext, logger)
+      )
+    );
 }

x-pack/plugins/security_solution/server/endpoint/routes/metadata/metadata.test.ts

@@ -47,7 +47,7 @@ import {
   ENDPOINT_DEFAULT_SORT_FIELD,
   HOST_METADATA_GET_ROUTE,
   HOST_METADATA_LIST_ROUTE,
-  METADATA_TRANSFORMS_STATUS_ROUTE,
+  METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE,
   METADATA_UNITED_INDEX,
 } from '../../../../common/endpoint/constants';
 import { TRANSFORM_STATES } from '../../../../common/constants';
@@ -506,8 +506,8 @@ describe('test endpoint routes', () => {
       ({ routeConfig, routeHandler } = getRegisteredVersionedRouteMock(
         routerMock,
         'get',
-        METADATA_TRANSFORMS_STATUS_ROUTE,
-        '2023-10-31'
+        METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE,
+        '1'
       ));
 
       const contextOverrides = {
@@ -539,8 +539,8 @@ describe('test endpoint routes', () => {
       ({ routeConfig, routeHandler } = getRegisteredVersionedRouteMock(
         routerMock,
         'get',
-        METADATA_TRANSFORMS_STATUS_ROUTE,
-        '2023-10-31'
+        METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE,
+        '1'
       ));
       await routeHandler(
         createRouteHandlerContext(mockScopedClient, mockSavedObjectClient),

x-pack/test/security_solution_api_integration/test_suites/edr_workflows/authentication/trial_license_complete_tier/endpoint_authz.ts

@@ -19,7 +19,7 @@ import {
   HOST_METADATA_LIST_ROUTE,
   ISOLATE_HOST_ROUTE_V2,
   KILL_PROCESS_ROUTE,
-  METADATA_TRANSFORMS_STATUS_ROUTE,
+  METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE,
   SUSPEND_PROCESS_ROUTE,
   UNISOLATE_HOST_ROUTE_V2,
 } from '@kbn/security-solution-plugin/common/endpoint/constants';
@@ -31,6 +31,7 @@ import { ROLE } from '../../../../config/services/security_solution_edr_workflow
 export default function ({ getService }: FtrProviderContext) {
   const endpointTestResources = getService('endpointTestResources');
   const utils = getService('securitySolutionUtils');
+  const samlAuth = getService('samlAuth');
 
   interface ApiCallsInterface {
     method: keyof Pick<TestAgent, 'post' | 'get'>;
@@ -70,7 +71,8 @@ export default function ({ getService }: FtrProviderContext) {
       },
       {
         method: 'get',
-        path: METADATA_TRANSFORMS_STATUS_ROUTE,
+        path: METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE,
+        version: '1',
         body: undefined,
       },
       {
@@ -210,6 +212,11 @@ export default function ({ getService }: FtrProviderContext) {
         }]`, async () => {
           await t1AnalystSupertest[apiListItem.method](replacePathIds(apiListItem.path))
             .set('kbn-xsrf', 'xxx')
+            .set(
+              apiListItem.version ? 'Elastic-Api-Version' : 'foo',
+              apiListItem.version || '2023-10-31'
+            )
+            .set(samlAuth.getInternalRequestHeader())
             .send(getBodyPayload(apiListItem))
             .expect(200);
         });
@@ -246,6 +253,11 @@ export default function ({ getService }: FtrProviderContext) {
         }]`, async () => {
           await platformEnginnerSupertest[apiListItem.method](replacePathIds(apiListItem.path))
             .set('kbn-xsrf', 'xxx')
+            .set(
+              apiListItem.version ? 'Elastic-Api-Version' : 'foo',
+              apiListItem.version || '2023-10-31'
+            )
+            .set(samlAuth.getInternalRequestHeader())
             .send(getBodyPayload(apiListItem))
             .expect(200);
         });
@@ -283,6 +295,11 @@ export default function ({ getService }: FtrProviderContext) {
           await endpointOperationsAnalystSupertest[apiListItem.method](
             replacePathIds(apiListItem.path)
           )
+            .set(
+              apiListItem.version ? 'Elastic-Api-Version' : 'foo',
+              apiListItem.version || '2023-10-31'
+            )
+            .set(samlAuth.getInternalRequestHeader())
             .set('kbn-xsrf', 'xxx')
             .send(getBodyPayload(apiListItem))
             .expect(200);
@@ -304,6 +321,11 @@ export default function ({ getService }: FtrProviderContext) {
         }]`, async () => {
           await adminSupertest[apiListItem.method](replacePathIds(apiListItem.path))
             .set('kbn-xsrf', 'xxx')
+            .set(
+              apiListItem.version ? 'Elastic-Api-Version' : 'foo',
+              apiListItem.version || '2023-10-31'
+            )
+            .set(samlAuth.getInternalRequestHeader())
             .send(getBodyPayload(apiListItem))
             .expect(200);
         });

x-pack/test/security_solution_api_integration/test_suites/edr_workflows/metadata/trial_license_complete_tier/metadata.ts

@@ -13,12 +13,12 @@ import {
   ENDPOINT_DEFAULT_SORT_FIELD,
   HOST_METADATA_LIST_ROUTE,
   METADATA_DATASTREAM,
-  METADATA_TRANSFORMS_STATUS_ROUTE,
   METADATA_UNITED_INDEX,
   METADATA_UNITED_TRANSFORM,
   METADATA_UNITED_TRANSFORM_V2,
   metadataTransformPrefix,
   METADATA_CURRENT_TRANSFORM_V2,
+  METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE,
 } from '@kbn/security-solution-plugin/common/endpoint/constants';
 import { AGENTS_INDEX } from '@kbn/fleet-plugin/common';
 import { indexFleetEndpointPolicy } from '@kbn/security-solution-plugin/common/endpoint/data_loaders/index_fleet_endpoint_policy';
@@ -426,9 +426,9 @@ export default function ({ getService }: FtrProviderContext) {
         const ca = config.get('servers.kibana').certificateAuthorities;
 
         await t1AnalystSupertest
-          .get(METADATA_TRANSFORMS_STATUS_ROUTE)
+          .get(METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE)
           .set('kbn-xsrf', 'xxx')
-          .set('Elastic-Api-Version', '2023-10-31')
+          .set('Elastic-Api-Version', '1')
           .ca(ca)
           .expect(401);
       });
@@ -438,9 +438,9 @@ export default function ({ getService }: FtrProviderContext) {
         await endpointDataStreamHelpers.stopTransform(getService, `${unitedTransformName}*`);
 
         const { body } = await adminSupertest
-          .get(METADATA_TRANSFORMS_STATUS_ROUTE)
+          .get(METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE)
           .set('kbn-xsrf', 'xxx')
-          .set('Elastic-Api-Version', '2023-10-31')
+          .set('Elastic-Api-Version', '1')
           .expect(200);
 
         const transforms = (body.transforms as TransformGetTransformStatsTransformStats[]).filter(
@@ -466,9 +466,9 @@ export default function ({ getService }: FtrProviderContext) {
 
       it('correctly returns started transform stats', async () => {
         const { body } = await adminSupertest
-          .get(METADATA_TRANSFORMS_STATUS_ROUTE)
+          .get(METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE)
           .set('kbn-xsrf', 'xxx')
-          .set('Elastic-Api-Version', '2023-10-31')
+          .set('Elastic-Api-Version', '1')
           .expect(200);
 
         const transforms = (body.transforms as TransformGetTransformStatsTransformStats[]).filter(