From fe5c939f1f03c8dea2925b92e9a8042412aac9dd Mon Sep 17 00:00:00 2001 
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 21 Nov 2024 03:31:19 +1100 Subject: [PATCH] Authorized route migration for routes owned by @elastic/security-defend-workflows (#198197) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ### Authz API migration for authorized routes This PR migrates `access:` tags used in route definitions to new security configuration. Please refer to the documentation for more information: [Authorization API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization) ### **Before migration:** Access control tags were defined in the `options` object of the route: ```ts router.get({ path: '/api/path', options: { tags: ['access:', 'access:'], }, ... }, handler); ``` ### **After migration:** Tags have been replaced with the more robust `security.authz.requiredPrivileges` field under `security`: ```ts router.get({ path: '/api/path', security: { authz: { requiredPrivileges: ['', ''], }, }, ... }, handler); ``` ### What to do next? 1. Review the changes in this PR. 2. You might need to update your tests to reflect the new security configuration: - If you have tests that rely on checking `access` tags. - If you have snapshot tests that include the route definition. - If you have FTR tests that rely on checking unauthorized error message. The error message changed to also include missing privileges. ## Any questions? If you have any questions or need help with API authorization, please reach out to the `@elastic/kibana-security` team. Co-authored-by: Joey F. 
Poon Co-authored-by: Gergő Ábrahám Co-authored-by: Tomasz Ciecierski --- .../osquery/server/routes/asset/get_assets_status_route.ts | 6 +++++- .../osquery/server/routes/asset/update_assets_route.ts | 6 +++++- .../server/routes/fleet_wrapper/get_agent_details.ts | 6 +++++- .../server/routes/fleet_wrapper/get_agent_policies.ts | 6 +++++- .../server/routes/fleet_wrapper/get_agent_policy.ts | 6 +++++- .../fleet_wrapper/get_agent_status_for_agent_policy.ts | 6 +++++- .../osquery/server/routes/fleet_wrapper/get_agents.ts | 6 +++++- .../server/routes/fleet_wrapper/get_package_policies.ts | 6 +++++- .../server/routes/live_query/find_live_query_route.ts | 7 ++++++- .../routes/live_query/get_live_query_details_route.ts | 6 +++++- .../routes/live_query/get_live_query_results_route.ts | 6 +++++- .../osquery/server/routes/pack/create_pack_route.ts | 6 +++++- .../osquery/server/routes/pack/delete_pack_route.ts | 6 +++++- .../plugins/osquery/server/routes/pack/find_pack_route.ts | 6 +++++- .../plugins/osquery/server/routes/pack/read_pack_route.ts | 6 +++++- .../osquery/server/routes/pack/update_pack_route.ts | 6 +++++- .../routes/privileges_check/privileges_check_route.ts | 6 ++++-- .../server/routes/saved_query/create_saved_query_route.ts | 6 +++++- .../server/routes/saved_query/delete_saved_query_route.ts | 6 +++++- .../server/routes/saved_query/find_saved_query_route.ts | 6 +++++- .../server/routes/saved_query/read_saved_query_route.ts | 6 +++++- .../server/routes/saved_query/update_saved_query_route.ts | 6 +++++- .../osquery/server/routes/status/create_status_route.ts | 6 +++++- 23 files changed, 115 insertions(+), 24 deletions(-)
diff --git a/x-pack/plugins/osquery/server/routes/asset/get_assets_status_route.ts b/x-pack/plugins/osquery/server/routes/asset/get_assets_status_route.ts
index f217b60bf2459..ab7a52c6fca68 100644
--- a/x-pack/plugins/osquery/server/routes/asset/get_assets_status_route.ts
+++ b/x-pack/plugins/osquery/server/routes/asset/get_assets_status_route.ts
@@ -23,7 +23,11 @@ export const getAssetsStatusRoute = (router: IRouter, osqueryContext: OsqueryApp
 .get({
 access: 'internal',
 path: '/internal/osquery/assets',
- options: { tags: [`access:${PLUGIN_ID}-writePacks`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-writePacks`],
+ },
+ },
 })
 .addVersion(
 {
diff --git a/x-pack/plugins/osquery/server/routes/asset/update_assets_route.ts b/x-pack/plugins/osquery/server/routes/asset/update_assets_route.ts
index 690ea4206b84a..7c8ccc5bb0ba4 100644
--- a/x-pack/plugins/osquery/server/routes/asset/update_assets_route.ts
+++ b/x-pack/plugins/osquery/server/routes/asset/update_assets_route.ts
@@ -28,7 +28,11 @@ export const updateAssetsRoute = (router: IRouter, osqueryContext: OsqueryAppCon
 .post({
 access: 'internal',
 path: '/internal/osquery/assets/update',
- options: { tags: [`access:${PLUGIN_ID}-writePacks`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-writePacks`],
+ },
+ },
 })
 .addVersion(
 {
diff --git a/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_details.ts b/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_details.ts
index c1d445fd40183..2bf8eea1811c1 100644
--- a/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_details.ts
+++ b/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_details.ts
@@ -17,7 +17,11 @@ export const getAgentDetailsRoute = (router: IRouter, osqueryContext: OsqueryApp
 .get({
 access: 'internal',
 path: '/internal/osquery/fleet_wrapper/agents/{id}',
- options: { tags: [`access:${PLUGIN_ID}-read`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-read`],
+ },
+ },
 })
 .addVersion(
 {
diff --git a/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_policies.ts b/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_policies.ts
index 64b10f0a8248e..e347299b42d3b 100644
--- a/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_policies.ts
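Review bot: In get_assets_status_route.ts the GET route `/internal/osquery/assets` is gated on the `writePacks` privilege, so reading asset status needs a write privilege, and the migration carries that over from the old `access:` tag without saying whether it is deliberate. If it is, a one-line comment above `security` would keep a later reader from "correcting" it, for example `// writePacks on purpose: <reason>` with the reason supplied by the owning team. If it is not, the privilege should be revisited in a separate change rather than inside this mechanical migration. The route definition continues outside the hunk.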
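Review bot: No test file appears in the diffstat, although the description says the unauthorized error message changes under the new API, so the denied path of these routes is not verified by the patch; the POST route `/internal/osquery/assets/update` in update_assets_route.ts is the one I would pin first, since as a POST it presumably writes. An API integration test that calls it as a user without `writePacks` and asserts a 403 on status, not on message text, would catch a privilege string that was dropped or mistyped during the migration. The same applies to the PUT and DELETE routes in the pack and saved_query hunks further down.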
+++ b/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_policies.ts
@@ -21,7 +21,11 @@ export const getAgentPoliciesRoute = (router: IRouter, osqueryContext: OsqueryAp
 .get({
 access: 'internal',
 path: '/internal/osquery/fleet_wrapper/agent_policies',
- options: { tags: [`access:${PLUGIN_ID}-read`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-read`],
+ },
+ },
 })
 .addVersion(
 {
diff --git a/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_policy.ts b/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_policy.ts
index bad5b01289d52..9535b36ed3e2b 100644
--- a/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_policy.ts
+++ b/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_policy.ts
@@ -18,7 +18,11 @@ export const getAgentPolicyRoute = (router: IRouter, osqueryContext: OsqueryAppC
 .get({
 access: 'internal',
 path: '/internal/osquery/fleet_wrapper/agent_policies/{id}',
- options: { tags: [`access:${PLUGIN_ID}-read`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-read`],
+ },
+ },
 })
 .addVersion(
 {
diff --git a/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_status_for_agent_policy.ts b/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_status_for_agent_policy.ts
index 64cd9d9f8ddd0..bfc77e9d6d6ae 100644
--- a/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_status_for_agent_policy.ts
+++ b/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agent_status_for_agent_policy.ts
@@ -28,7 +28,11 @@ export const getAgentStatusForAgentPolicyRoute = (
 .get({
 access: 'internal',
 path: '/internal/osquery/fleet_wrapper/agent_status',
- options: { tags: [`access:${PLUGIN_ID}-read`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-read`],
+ },
+ },
 })
 .addVersion(
 {
diff --git a/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agents.ts b/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agents.ts
index 195e550077aa8..a04967a3e3c7c 100644
--- a/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agents.ts
+++ b/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_agents.ts
@@ -26,7 +26,11 @@ export const getAgentsRoute = (router: IRouter, osqueryContext: OsqueryAppContex
 .get({
 access: 'internal',
 path: '/internal/osquery/fleet_wrapper/agents',
- options: { tags: [`access:${PLUGIN_ID}-read`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-read`],
+ },
+ },
 })
 .addVersion(
 {
diff --git a/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_package_policies.ts b/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_package_policies.ts
index 86719125b97eb..748c9102d6366 100644
--- a/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_package_policies.ts
+++ b/x-pack/plugins/osquery/server/routes/fleet_wrapper/get_package_policies.ts
@@ -17,7 +17,11 @@ export const getPackagePoliciesRoute = (router: IRouter, osqueryContext: Osquery
 .get({
 access: 'internal',
 path: '/internal/osquery/fleet_wrapper/package_policies',
- options: { tags: [`access:${PLUGIN_ID}-read`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-read`],
+ },
+ },
 })
 .addVersion(
 {
diff --git a/x-pack/plugins/osquery/server/routes/live_query/find_live_query_route.ts b/x-pack/plugins/osquery/server/routes/live_query/find_live_query_route.ts
index 008964f2468b5..b89a69e5aeb24 100644
--- a/x-pack/plugins/osquery/server/routes/live_query/find_live_query_route.ts
+++ b/x-pack/plugins/osquery/server/routes/live_query/find_live_query_route.ts
@@ -29,7 +29,12 @@ export const findLiveQueryRoute = (router: IRouter) =
 .get({
 access: 'public',
 path: '/api/osquery/live_queries',
- options: { tags: ['api', `access:${PLUGIN_ID}-read`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-read`],
+ },
+ },
+ options: { tags: ['api'] },
 })
 .addVersion(
 {
diff --git a/x-pack/plugins/osquery/server/routes/live_query/get_live_query_details_route.ts b/x-pack/plugins/osquery/server/routes/live_query/get_live_query_details_route.ts
index 2b32a3269b693..7406887ecb594 100644
--- a/x-pack/plugins/osquery/server/routes/live_query/get_live_query_details_route.ts
+++ b/x-pack/plugins/osquery/server/routes/live_query/get_live_query_details_route.ts
@@ -34,7 +34,11 @@ export const getLiveQueryDetailsRoute = (router: IRouter {
 .get({
 access: 'public',
 path: '/api/osquery/packs',
- options: { tags: [`access:${PLUGIN_ID}-readPacks`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-readPacks`],
+ },
+ },
 })
 .addVersion(
 {
diff --git a/x-pack/plugins/osquery/server/routes/pack/read_pack_route.ts b/x-pack/plugins/osquery/server/routes/pack/read_pack_route.ts
index 724deedf19845..4ec3e6806a55c 100644
--- a/x-pack/plugins/osquery/server/routes/pack/read_pack_route.ts
+++ b/x-pack/plugins/osquery/server/routes/pack/read_pack_route.ts
@@ -25,7 +25,11 @@ export const readPackRoute = (router: IRouter) => {
 .get({
 access: 'public',
 path: '/api/osquery/packs/{id}',
- options: { tags: [`access:${PLUGIN_ID}-readPacks`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-readPacks`],
+ },
+ },
 })
 .addVersion(
 {
diff --git a/x-pack/plugins/osquery/server/routes/pack/update_pack_route.ts b/x-pack/plugins/osquery/server/routes/pack/update_pack_route.ts
index 532aa2c772732..0872a16c5bb05 100644
--- a/x-pack/plugins/osquery/server/routes/pack/update_pack_route.ts
+++ b/x-pack/plugins/osquery/server/routes/pack/update_pack_route.ts
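Review bot: find_live_query_route.ts gates the public `/api/osquery/live_queries` listing on the plugin-wide `read` privilege, while privileges_check_route.ts in this same patch requires `readLiveQueries`; the migration keeps the old value, but the new `requiredPrivileges` line is the natural place to state which one is meant. If `read` is deliberate, a comment above `security` such as `// gated on plugin-wide read, not readLiveQueries: <reason>` would document it. This is also the only route in the patch that keeps `options: { tags: ['api'] }`, so it is worth confirming the tag is still needed now that authorization no longer lives in `tags`. The handler is outside the hunk.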
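Review bot: The section headed get_live_query_details_route.ts shows `path: '/api/osquery/packs'` with the `readPacks` privilege, which does not fit a live-query details route, and the diffstat lists get_live_query_results, create_pack, delete_pack and find_pack files that have no section on this page. The text between that hunk header and the body appears to have been lost, so the privileges set on the live-query details and results routes and on pack create and delete cannot be reviewed from what is shown. Those routes should be checked against the commit itself before the migration is treated as covering them.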
@@ -44,7 +44,11 @@ export const updatePackRoute = (router: IRouter, osqueryContext: OsqueryAppConte
 .put({
 access: 'public',
 path: '/api/osquery/packs/{id}',
- options: { tags: [`access:${PLUGIN_ID}-writePacks`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-writePacks`],
+ },
+ },
 })
 .addVersion(
 {
diff --git a/x-pack/plugins/osquery/server/routes/privileges_check/privileges_check_route.ts b/x-pack/plugins/osquery/server/routes/privileges_check/privileges_check_route.ts
index b31da0c0e24da..2470b2f0c418e 100644
--- a/x-pack/plugins/osquery/server/routes/privileges_check/privileges_check_route.ts
+++ b/x-pack/plugins/osquery/server/routes/privileges_check/privileges_check_route.ts
@@ -15,8 +15,10 @@ export const privilegesCheckRoute = (router: IRouter, osqueryContext: OsqueryApp
 .get({
 access: 'internal',
 path: '/internal/osquery/privileges_check',
- options: {
- tags: [`access:${PLUGIN_ID}-readLiveQueries`],
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-readLiveQueries`],
+ },
 },
 })
 .addVersion(
diff --git a/x-pack/plugins/osquery/server/routes/saved_query/create_saved_query_route.ts b/x-pack/plugins/osquery/server/routes/saved_query/create_saved_query_route.ts
index 1be4cb24a2ea3..35d3b34b1ca8c 100644
--- a/x-pack/plugins/osquery/server/routes/saved_query/create_saved_query_route.ts
+++ b/x-pack/plugins/osquery/server/routes/saved_query/create_saved_query_route.ts
@@ -23,7 +23,11 @@ export const createSavedQueryRoute = (router: IRouter, osqueryContext: OsqueryAp
 .post({
 access: 'public',
 path: '/api/osquery/saved_queries',
- options: { tags: [`access:${PLUGIN_ID}-writeSavedQueries`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-writeSavedQueries`],
+ },
+ },
 })
 .addVersion(
 {
diff --git a/x-pack/plugins/osquery/server/routes/saved_query/delete_saved_query_route.ts b/x-pack/plugins/osquery/server/routes/saved_query/delete_saved_query_route.ts
index f33040e167c62..1d76bcf2d4711 100644
--- a/x-pack/plugins/osquery/server/routes/saved_query/delete_saved_query_route.ts
+++ b/x-pack/plugins/osquery/server/routes/saved_query/delete_saved_query_route.ts
@@ -20,7 +20,11 @@ export const deleteSavedQueryRoute = (router: IRouter, osqueryContext: OsqueryAp
 .delete({
 access: 'public',
 path: '/api/osquery/saved_queries/{id}',
- options: { tags: [`access:${PLUGIN_ID}-writeSavedQueries`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-writeSavedQueries`],
+ },
+ },
 })
 .addVersion(
 {
diff --git a/x-pack/plugins/osquery/server/routes/saved_query/find_saved_query_route.ts b/x-pack/plugins/osquery/server/routes/saved_query/find_saved_query_route.ts
index 88ccc120d0fd6..02d4b0229fd18 100644
--- a/x-pack/plugins/osquery/server/routes/saved_query/find_saved_query_route.ts
+++ b/x-pack/plugins/osquery/server/routes/saved_query/find_saved_query_route.ts
@@ -25,7 +25,11 @@ export const findSavedQueryRoute = (router: IRouter, osqueryContext: OsqueryAppC
 .get({
 access: 'public',
 path: '/api/osquery/saved_queries',
- options: { tags: [`access:${PLUGIN_ID}-readSavedQueries`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-readSavedQueries`],
+ },
+ },
 })
 .addVersion(
 {
diff --git a/x-pack/plugins/osquery/server/routes/saved_query/read_saved_query_route.ts b/x-pack/plugins/osquery/server/routes/saved_query/read_saved_query_route.ts
index 706304300c40a..e3100baa4b3f1 100644
--- a/x-pack/plugins/osquery/server/routes/saved_query/read_saved_query_route.ts
+++ b/x-pack/plugins/osquery/server/routes/saved_query/read_saved_query_route.ts
@@ -23,7 +23,11 @@ export const readSavedQueryRoute = (router: IRouter, osqueryContext: OsqueryAppC
 .get({
 access: 'public',
 path: '/api/osquery/saved_queries/{id}',
- options: { tags: [`access:${PLUGIN_ID}-readSavedQueries`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-readSavedQueries`],
+ },
+ },
 })
 .addVersion(
 {
diff --git a/x-pack/plugins/osquery/server/routes/saved_query/update_saved_query_route.ts b/x-pack/plugins/osquery/server/routes/saved_query/update_saved_query_route.ts
index 4225f0f223cd3..12dd5b2bf73d6 100644
--- a/x-pack/plugins/osquery/server/routes/saved_query/update_saved_query_route.ts
+++ b/x-pack/plugins/osquery/server/routes/saved_query/update_saved_query_route.ts
@@ -30,7 +30,11 @@ export const updateSavedQueryRoute = (router: IRouter, osqueryContext: OsqueryAp
 .put({
 access: 'public',
 path: '/api/osquery/saved_queries/{id}',
- options: { tags: [`access:${PLUGIN_ID}-writeSavedQueries`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-writeSavedQueries`],
+ },
+ },
 })
 .addVersion(
 {
diff --git a/x-pack/plugins/osquery/server/routes/status/create_status_route.ts b/x-pack/plugins/osquery/server/routes/status/create_status_route.ts
index 8b6f75100a371..b6e6f988f454d 100644
--- a/x-pack/plugins/osquery/server/routes/status/create_status_route.ts
+++ b/x-pack/plugins/osquery/server/routes/status/create_status_route.ts
@@ -27,7 +27,11 @@ export const createStatusRoute = (router: IRouter, osqueryContext: OsqueryAppCon
 .get({
 access: 'internal',
 path: '/internal/osquery/status',
- options: { tags: [`access:${PLUGIN_ID}-read`] },
+ security: {
+ authz: {
+ requiredPrivileges: [`${PLUGIN_ID}-read`],
+ },
+ },
 })
 .addVersion(
 {
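Review bot: Each route rebuilds its privilege name inline, here `${PLUGIN_ID}-writeSavedQueries` in update_saved_query_route.ts and `${PLUGIN_ID}-read` in create_status_route.ts, and the same strings recur in the create and delete saved-query hunks; nothing in the visible code would flag a misspelled suffix at compile time. Now that the names sit in a dedicated `security.authz.requiredPrivileges` field, they could come from one shared constant map and be referenced as, for example, `requiredPrivileges: [OSQUERY_PRIVILEGES.writeSavedQueries]` (the name is a suggestion, not an existing export). That would keep the route files from drifting apart from wherever the privileges are registered. Both route definitions continue outside their hunks.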