Authorized route migration for routes owned by @elastic/kibana-security #198198

Closed
Expand Up @@ -24,8 +24,10 @@ export function defineGetAllRolesBySpaceRoutes({
router.get(
{
path: '/internal/security/roles/{spaceId}',
options: {
tags: ['access:manage_spaces'],
security: {
authz: {
requiredPrivileges: ['manage_spaces'],
},
},
validate: {
params: schema.object({ spaceId: schema.string({ minLength: 1 }) }),
Expand Up @@ -37,14 +37,19 @@ export function defineInvalidateSessionsRoutes({
),
}),
},
security: {
authz: {
requiredPrivileges: ['sessionManagement'],
},
},
options: {
// The invalidate session API was introduced to address situations where the session index
// could grow rapidly - when session timeouts are disabled, or with anonymous access.
// In the serverless environment, sessions timeouts are always be enabled, and there is no
// anonymous access. However, keeping this endpoint available internally in serverless would
// be useful in situations where we need to batch-invalidate user sessions.
access: buildFlavor === 'serverless' ? 'internal' : 'public',
tags: ['access:sessionManagement'],

summary: `Invalidate user sessions`,
},
},
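Review bot: Dropping the `tags` entry leaves an empty line inside `options` just before `summary`, and the same leftover gap appears in the UPLOAD_ROUTE hunk of `registerResponseActionRoutes`, between `authRequired: true,` and `body:`; both blank lines should be removed. While this block is being touched, the explanatory comment reads "sessions timeouts are always be enabled", which could become `// In the serverless environment, session timeouts are always enabled, and there is no`. The route config object starts above the hunk, so only part of it is visible here.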
Expand Up @@ -24,7 +24,11 @@ export function defineBulkGetUserProfilesRoute({
dataPath: schema.maybe(schema.string()),
}),
},
options: { tags: ['access:bulkGetUserProfiles'] },
security: {
authz: {
requiredPrivileges: ['bulkGetUserProfiles'],
},
},
},
createLicensedRouteHandler(async (context, request, response) => {
const userProfileServiceInternal = getUserProfileService();
Expand Up @@ -27,7 +27,12 @@ export function registerActionAuditLogRoutes(
.get({
access: 'public',
path: ENDPOINT_ACTION_LOG_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
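Review bot: The privilege name is written as a bare string literal, `requiredPrivileges: ['securitySolution']`, here and in every other endpoint route file in this change (action details, file download, file info, action list, response actions, action state, action status, agent status, metadata, protection updates note). If `requiredPrivileges` is typed as a plain string array, which these hunks do not show, a misspelling in any one copy would not be caught at compile time and would change who can reach that route. Consider referring to one shared constant for the name. A test that requests one migrated route as a user without the privilege and expects a rejection would also pin the behaviour.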
Expand Up @@ -32,7 +32,12 @@ export const registerActionDetailsRoutes = (
.get({
access: 'public',
path: ACTION_DETAILS_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -38,7 +38,12 @@ export const registerActionFileDownloadRoutes = (
// we need to enable setting the version number via query params
enableQueryVersion: true,
path: ACTION_AGENT_FILE_DOWNLOAD_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -74,7 +74,12 @@ export const registerActionFileInfoRoute = (
.get({
access: 'public',
path: ACTION_AGENT_FILE_INFO_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -30,7 +30,12 @@ export function registerActionListRoutes(
.get({
access: 'public',
path: BASE_ENDPOINT_ACTION_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -80,7 +80,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: ISOLATE_HOST_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -99,7 +104,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: UNISOLATE_HOST_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -119,7 +129,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: ISOLATE_HOST_ROUTE_V2,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -139,7 +154,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: UNISOLATE_HOST_ROUTE_V2,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -159,7 +179,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: KILL_PROCESS_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -182,7 +207,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: SUSPEND_PROCESS_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -205,7 +235,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: GET_PROCESSES_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -225,7 +260,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: GET_FILE_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -245,7 +285,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: EXECUTE_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -265,9 +310,14 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: UPLOAD_ROUTE,
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: {
authRequired: true,
tags: ['access:securitySolution'],

body: {
accepts: ['multipart/form-data'],
output: 'stream',
Expand All @@ -293,7 +343,12 @@ export function registerResponseActionRoutes(
.post({
access: 'public',
path: SCAN_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
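Review bot: Every response-action route in this file (isolate, unisolate, kill-process, suspend-process, get-processes, get-file, execute, upload, scan) declares the same route-level `requiredPrivileges: ['securitySolution']` that the read-only action list and status routes use, so the declaration alone does not separate viewing from acting on a host. This matches the previous `access:securitySolution` tag, so it is not a regression introduced here. If finer-grained per-action authorization is enforced in the handlers registered under `.addVersion(`, which lie outside these hunks, record that next to each `security` block, for example `// Route-level gate only; per-action authorization is checked in the handler.`, so that a later reader does not take the coarse privilege as the whole access check.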
Expand Up @@ -32,7 +32,12 @@ export function registerActionStateRoutes(
.get({
access: 'public',
path: ACTION_STATE_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -29,7 +29,12 @@ export function registerActionStatusRoutes(
.get({
access: 'public',
path: ACTION_STATUS_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -27,7 +27,12 @@ export const registerAgentStatusRoute = (
.get({
access: 'internal',
path: AGENT_STATUS_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -54,7 +54,12 @@ export function registerEndpointRoutes(
.get({
access: 'public',
path: HOST_METADATA_LIST_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Down Expand Up @@ -94,7 +99,12 @@ export function registerEndpointRoutes(
.get({
access: 'public',
path: METADATA_TRANSFORMS_STATUS_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
// @ts-expect-error TODO(https://github.com/elastic/kibana/issues/196095): Replace {RouteDeprecationInfo}
deprecated: true,
})
Expand All @@ -114,7 +124,12 @@ export function registerEndpointRoutes(
.get({
access: 'internal',
path: METADATA_TRANSFORMS_STATUS_INTERNAL_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand Up @@ -25,7 +25,12 @@ export function registerProtectionUpdatesNoteRoutes(
.post({
access: 'public',
path: PROTECTION_UPDATES_NOTE_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{
Expand All @@ -45,7 +50,12 @@ export function registerProtectionUpdatesNoteRoutes(
.get({
access: 'public',
path: PROTECTION_UPDATES_NOTE_ROUTE,
options: { authRequired: true, tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: { authRequired: true },
})
.addVersion(
{