ESLint fixes for @elastic/kibana-security

.github/workflows/security-route-migration.yaml

@@ -0,0 +1,58 @@
+name: ESLint no_deprecated_authz_config
+
+on:
+  push:
+    branches:
+      - authz-migration-workflow
+  workflow_dispatch:
+    inputs:
+      route_type:
+        description: 'Choose route type (authorized/unauthorized)'
+        required: true
+        default: 'authorized'
+        type: choice
+        options:
+          - authorized
+          - unauthorized
+
+jobs:
+  eslint-autofix:
+    name: Run no_deprecated_authz_config rule
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: write
+      security-events: write
+
+    env:
+      ROUTE_TYPE: ${{ github.event.inputs.route_type }}
+      GH_TOKEN: ${{ secrets.KIBANAMACHINE_TOKEN }}
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      with:
+        ref: ${{ matrix.branch }}
+
+    - name: setup node
+      uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+
+    - name: Set GitHub name and email
+      run: |
+        git config --global user.name 'kibanamachine'
+        git config --global user.email '[email protected]'
+
+    - name: yarn kbn bootstrap
+      run: |
+        yarn kbn bootstrap --no-validate --no-vscode
+
+    - name: Install GitHub CLI
+      run: sudo apt-get install gh -y
+
+    # - name: Authenticate with GitHub CLI
+    #   run: gh auth login
+    - name: Run ESLint Autofix Script
+      run: node scripts/eslint-security-route.js
+

packages/kbn-eslint-config/.eslintrc.js

@@ -326,6 +326,7 @@ module.exports = {
     '@kbn/imports/uniform_imports': 'error',
     '@kbn/imports/no_unused_imports': 'error',
     '@kbn/imports/no_boundary_crossing': 'error',
+    'kbn/eslint/no_deprecated_authz_config': 'off',
 
     'no-new-func': 'error',
     'no-implied-eval': 'error',

packages/kbn-eslint-plugin-eslint/rules/no_deprecated_authz_config.js

@@ -72,7 +72,7 @@ const maybeReportDisabledSecurityConfig = (node, context, isVersionedRoute = fal
           );
 
           const accessTagsFilter = (el) => isLiteralAccessTag(el) || isTemplateLiteralAccessTag(el);
-          const accessTags = tagsProperty.value.elements.filter(accessTagsFilter);
+          const accessTags = tagsProperty?.value.elements.filter(accessTagsFilter) ?? [];
 
           return accessTags.length > 0;
         }

scripts/eslint-security-route.js

@@ -0,0 +1,143 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+/* eslint-disable no-restricted-syntax */
+
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+
+function runCommand(command) {
+  try {
+    return execSync(command, { encoding: 'utf8' }).trim();
+  } catch (err) {
+    console.error(`Error running command: ${command}`);
+    console.error(err.stdout.toString());
+    process.exit(1);
+  }
+}
+
+function parseCodeOwners(codeownersPath) {
+  const codeowners = {};
+  const content = fs.readFileSync(codeownersPath, 'utf8').split('\n');
+
+  content.forEach((line) => {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) return;
+
+    const [pattern, owner] = trimmed.split(/\s+/);
+    if (pattern && owner) {
+      codeowners[pattern] = owner;
+    }
+  });
+
+  return codeowners;
+}
+
+function getChangedFiles() {
+  const diffOutput = runCommand('git diff --name-only --diff-filter=M');
+  return diffOutput.split('\n').filter(Boolean);
+}
+
+function groupFilesByOwners(files, codeowners) {
+  const ownerFilesMap = {};
+
+  files.forEach((file) => {
+    for (const [pattern, owner] of Object.entries(codeowners)) {
+      const regexPattern = pattern
+        .replace(/\*\*/g, '.*')
+        .replace(/\*/g, '[^/]*')
+        .replace(/\//g, '\\/');
+
+      const regex = new RegExp(`${regexPattern}`);
+
+      if (regex.test(file)) {
+        if (!ownerFilesMap[owner]) ownerFilesMap[owner] = [];
+        ownerFilesMap[owner].push(file);
+        break;
+      }
+    }
+  });
+
+  return ownerFilesMap;
+}
+
+// Create a branch, stage, and commit files for each owner
+function processChangesByOwners(ownerFilesMap) {
+  const mainBranch = execSync('git rev-parse --abbrev-ref HEAD');
+
+  for (const [owner, files] of Object.entries(ownerFilesMap)) {
+    const branchName = `eslint/changes-by-${owner.replace('@elastic/', '')}`;
+
+    console.log(`Owner: ${owner}`);
+    console.log(`Files: ${files.join(', ')} \n ----`);
+    console.log(`Creating branch: ${branchName}`);
+
+    runCommand(`git checkout -b ${branchName}`);
+
+    const fileList = files.join(' ');
+    runCommand(`git add ${fileList}`);
+    runCommand(`git commit -m "Changes for ${owner}"`);
+
+    console.log(`Pushing branch: ${branchName}`);
+    runCommand(`git push -u origin ${branchName}`);
+
+    console.log(`Creating pull request for branch: ${branchName}`);
+    runCommand(
+      `gh pr create --base main --head ${branchName} --title "ESLint fixes for ${owner}" --body "This PR contains ESLint fixes for files owned by ${owner}"`
+    );
+
+    runCommand(`git checkout ${mainBranch}`);
+  }
+}
+
+function runESLint() {
+  console.log(`Running ESLint on ${process.env.ROUTE_TYPE} routes...`);
+  const eslintRuleFlag =
+    process.env.ROUTE_TYPE === 'authorized'
+      ? 'MIGRATE_DISABLED_AUTHZ=false'
+      : 'MIGRATE_DISABLED_AUTHZ=true';
+
+  try {
+    runCommand(
+      `${eslintRuleFlag} grep -rEl --include="*.ts" "router\.(get|post|delete|put)|router\.versioned\.(get|post|put|delete)" ./x-pack/plugins/security | xargs npx eslint --fix --rule "@kbn/eslint/no_deprecated_authz_config:error"`
+    );
+
+    // runCommand(
+    //   `${eslintRuleFlag} grep -rEl --include="*.ts" "router\.(get|post|delete|put)|router\.versioned\.(get|post|put|delete)" ./x-pack/plugins/banners | xargs npx eslint --fix --rule "@kbn/eslint/no_deprecated_authz_config:error"`
+    // );
+    console.log('ESLint autofix complete');
+  } catch (error) {
+    console.error('Error running ESLint:', error);
+  }
+}
+
+function main() {
+  const codeownersPath = path.resolve('.github', 'CODEOWNERS');
+  if (!fs.existsSync(codeownersPath)) {
+    console.error('CODEOWNERS file not found');
+    process.exit(1);
+  }
+
+  const codeowners = parseCodeOwners(codeownersPath);
+
+  runESLint();
+
+  const changedFiles = getChangedFiles();
+  if (changedFiles.length === 0) {
+    console.log('No changes detected.');
+    return;
+  }
+
+  const ownerFilesMap = groupFilesByOwners(changedFiles, codeowners);
+
+  processChangesByOwners(ownerFilesMap);
+}
+
+main();

x-pack/plugins/security/server/authorization/api_authorization.ts

@@ -87,17 +87,17 @@ export function initAPIAuthorization(
           const missingPrivileges = Object.keys(kibanaPrivileges).filter(
             (key) => !kibanaPrivileges[key]
           );
-          logger.warn(
-            `User not authorized for "${request.url.pathname}${
-              request.url.search
-            }", responding with 403: missing privileges: ${missingPrivileges.join(', ')}`
-          );
+          const forbiddenMessage = `API [${request.route.method.toLocaleUpperCase('en')} ${
+            request.url.pathname
+          }${
+            request.url.search
+          }] is unauthorized for user, this action is granted by the Kibana privileges [${missingPrivileges}]`;
+
+          logger.warn(`Responding with 403: ${forbiddenMessage}}`);
 
           return response.forbidden({
             body: {
-              message: `User not authorized for ${request.url.pathname}${
-                request.url.search
-              }, missing privileges: ${missingPrivileges.join(', ')}`,
+              message: forbiddenMessage,
             },
           });
         }

x-pack/plugins/security/server/routes/analytics/authentication_type.ts

@@ -31,6 +31,12 @@ export function defineRecordAnalyticsOnAuthTypeRoutes({
   router.post(
     {
       path: '/internal/security/analytics/_record_auth_type',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
       validate: {
         body: schema.nullable(
           schema.object({ signature: schema.string(), timestamp: schema.number() })

x-pack/plugins/security/server/routes/analytics/record_violations.ts

@@ -135,6 +135,12 @@ export function defineRecordViolations({ router, analyticsService }: RouteDefini
   router.post(
     {
       path: '/internal/security/analytics/_record_violations',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
       validate: {
         /**
          * Chrome supports CSP3 spec and sends an array of reports. Safari only sends a single

x-pack/plugins/security/server/routes/anonymous_access/get_capabilities.ts

@@ -15,7 +15,16 @@ export function defineAnonymousAccessGetCapabilitiesRoutes({
   getAnonymousAccessService,
 }: RouteDefinitionParams) {
   router.get(
-    { path: '/internal/security/anonymous_access/capabilities', validate: false },
+    {
+      path: '/internal/security/anonymous_access/capabilities',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
+      validate: false,
+    },
     async (_context, request, response) => {
       const anonymousAccessService = getAnonymousAccessService();
       return response.ok({ body: await anonymousAccessService.getCapabilities(request) });

x-pack/plugins/security/server/routes/anonymous_access/get_state.ts

@@ -18,7 +18,16 @@ export function defineAnonymousAccessGetStateRoutes({
   getAnonymousAccessService,
 }: RouteDefinitionParams) {
   router.get(
-    { path: '/internal/security/anonymous_access/state', validate: false },
+    {
+      path: '/internal/security/anonymous_access/state',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
+      validate: false,
+    },
     async (_context, _request, response) => {
       const anonymousAccessService = getAnonymousAccessService();
       const accessURLParameters = anonymousAccessService.accessURLParameters

x-pack/plugins/security/server/routes/api_keys/create.ts

@@ -32,6 +32,12 @@ export function defineCreateApiKeyRoutes({
   router.post(
     {
       path: '/internal/security/api_key',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
       validate: {
         body: schema.oneOf([
           restApiKeySchema,

x-pack/plugins/security/server/routes/api_keys/enabled.ts

@@ -16,6 +16,12 @@ export function defineEnabledApiKeysRoutes({
   router.get(
     {
       path: '/internal/security/api_key/_enabled',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
       validate: false,
     },
     createLicensedRouteHandler(async (context, request, response) => {

x-pack/plugins/security/server/routes/api_keys/has_active.ts

@@ -22,6 +22,12 @@ export function defineHasApiKeysRoutes({
   router.get(
     {
       path: '/internal/security/api_key/_has_active',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
       validate: false,
       options: {
         access: 'internal',

x-pack/plugins/security/server/routes/api_keys/invalidate.ts

@@ -21,6 +21,12 @@ export function defineInvalidateApiKeysRoutes({ router }: RouteDefinitionParams)
   router.post(
     {
       path: '/internal/security/api_key/invalidate',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
       validate: {
         body: schema.object({
           apiKeys: schema.arrayOf(schema.object({ id: schema.string(), name: schema.string() })),

x-pack/plugins/security/server/routes/api_keys/query.ts

@@ -25,6 +25,12 @@ export function defineQueryApiKeysAndAggregationsRoute({
     // on behalf of the user making the request and governed by the user's own cluster privileges.
     {
       path: '/internal/security/api_key/_query',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
       validate: {
         body: schema.object({
           query: schema.maybe(schema.object({}, { unknowns: 'allow' })),

x-pack/plugins/security/server/routes/api_keys/update.ts

@@ -34,6 +34,12 @@ export function defineUpdateApiKeyRoutes({
   router.put(
     {
       path: '/internal/security/api_key',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
       validate: {
         body: schema.oneOf([
           updateRestApiKeySchema,