Skip to content

Commit

Permalink
[8.x] [ResponseOps][Actions] Manual migration of action routes withou…
Browse files Browse the repository at this point in the history
…t access tags (elastic#204030) (elastic#204215)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[ResponseOps][Actions] Manual migration of action routes without
access tags (elastic#204030)](elastic#204030)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT
[{"author":{"name":"Antonio","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-12-13T13:57:13Z","message":"[ResponseOps][Actions]
Manual migration of action routes without access tags
(elastic#204030)\n\nConnected with
https://github.com/elastic/kibana-team/issues/1322\r\n\r\n##
Summary\r\n\r\nSince most action routes do not use access tags they need
to be migrated\r\nto include a reason in the security
params.\r\n\r\n\r\n[Documentation.](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization#opting-out-of-authorization-for-specific-routes)\r\n\r\nThe
following routes were migrated:\r\n- `createConnectorRoute`\r\n-
`deleteConnectorRoute`\r\n- `getConnectorRoute`\r\n-
`getAllConnectorsRoute`\r\n- `updateConnectorRoute`\r\n-
`listTypesRoute`\r\n- `executeConnectorRoute`\r\n-
`getGlobalExecutionLogRoute`\r\n- `getGlobalExecutionKPIRoute`\r\n-
`getAllConnectorsIncludingSystemRoute`\r\n-
`listTypesWithSystemRoute`\r\n-
`getOAuthAccessToken`","sha":"2dc790bbc024fd805aaafc9b2f6a5cc79dd2c6e2","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:ResponseOps","v9.0.0","Feature:Alerting/RuleActions","backport:prev-minor","v8.18.0"],"title":"[ResponseOps][Actions]
Manual migration of action routes without access tags
","number":204030,"url":"https://github.com/elastic/kibana/pull/204030","mergeCommit":{"message":"[ResponseOps][Actions]
Manual migration of action routes without access tags
(elastic#204030)\n\nConnected with
https://github.com/elastic/kibana-team/issues/1322\r\n\r\n##
Summary\r\n\r\nSince most action routes do not use access tags they need
to be migrated\r\nto include a reason in the security
params.\r\n\r\n\r\n[Documentation.](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization#opting-out-of-authorization-for-specific-routes)\r\n\r\nThe
following routes were migrated:\r\n- `createConnectorRoute`\r\n-
`deleteConnectorRoute`\r\n- `getConnectorRoute`\r\n-
`getAllConnectorsRoute`\r\n- `updateConnectorRoute`\r\n-
`listTypesRoute`\r\n- `executeConnectorRoute`\r\n-
`getGlobalExecutionLogRoute`\r\n- `getGlobalExecutionKPIRoute`\r\n-
`getAllConnectorsIncludingSystemRoute`\r\n-
`listTypesWithSystemRoute`\r\n-
`getOAuthAccessToken`","sha":"2dc790bbc024fd805aaafc9b2f6a5cc79dd2c6e2"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/204030","number":204030,"mergeCommit":{"message":"[ResponseOps][Actions]
Manual migration of action routes without access tags
(elastic#204030)\n\nConnected with
https://github.com/elastic/kibana-team/issues/1322\r\n\r\n##
Summary\r\n\r\nSince most action routes do not use access tags they need
to be migrated\r\nto include a reason in the security
params.\r\n\r\n\r\n[Documentation.](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization#opting-out-of-authorization-for-specific-routes)\r\n\r\nThe
following routes were migrated:\r\n- `createConnectorRoute`\r\n-
`deleteConnectorRoute`\r\n- `getConnectorRoute`\r\n-
`getAllConnectorsRoute`\r\n- `updateConnectorRoute`\r\n-
`listTypesRoute`\r\n- `executeConnectorRoute`\r\n-
`getGlobalExecutionLogRoute`\r\n- `getGlobalExecutionKPIRoute`\r\n-
`getAllConnectorsIncludingSystemRoute`\r\n-
`listTypesWithSystemRoute`\r\n-
`getOAuthAccessToken`","sha":"2dc790bbc024fd805aaafc9b2f6a5cc79dd2c6e2"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Antonio <[email protected]>
  • Loading branch information
kibanamachine and adcoelho authored Dec 13, 2024
1 parent 6d1eb27 commit 35809cb
Show file tree
Hide file tree
Showing 13 changed files with 52 additions and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ import {
createConnectorRequestBodySchemaV1,
} from '../../../../common/routes/connector/apis/create';
import { transformCreateConnectorBodyV1 } from './transforms';
import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';

export const createConnectorRoute = (
router: IRouter<ActionsRequestHandlerContext>,
Expand All @@ -25,6 +26,7 @@ export const createConnectorRoute = (
router.post(
{
path: `${BASE_ACTION_API_PATH}/connector/{id?}`,
security: DEFAULT_ACTION_ROUTE_SECURITY,
options: {
access: 'public',
summary: 'Create a connector',
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ import {
deleteConnectorRequestParamsSchemaV1,
DeleteConnectorRequestParamsV1,
} from '../../../../common/routes/connector/apis/delete';
import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';

export const deleteConnectorRoute = (
router: IRouter<ActionsRequestHandlerContext>,
Expand All @@ -22,6 +23,7 @@ export const deleteConnectorRoute = (
router.delete(
{
path: `${BASE_ACTION_API_PATH}/connector/{id}`,
security: DEFAULT_ACTION_ROUTE_SECURITY,
options: {
access: 'public',
summary: `Delete a connector`,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ import {
ExecuteConnectorRequestParamsV1,
} from '../../../../common/routes/connector/apis/execute';
import { transformExecuteConnectorResponseV1 } from './transforms';
import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';

export const executeConnectorRoute = (
router: IRouter<ActionsRequestHandlerContext>,
Expand All @@ -28,6 +29,7 @@ export const executeConnectorRoute = (
router.post(
{
path: `${BASE_ACTION_API_PATH}/connector/{id}/_execute`,
security: DEFAULT_ACTION_ROUTE_SECURITY,
options: {
access: 'public',
summary: `Run a connector`,
Expand Down
2 changes: 2 additions & 0 deletions x-pack/plugins/actions/server/routes/connector/get/get.ts
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ import { ILicenseState } from '../../../lib';
import { BASE_ACTION_API_PATH } from '../../../../common';
import { ActionsRequestHandlerContext } from '../../../types';
import { verifyAccessAndContext } from '../../verify_access_and_context';
import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';

export const getConnectorRoute = (
router: IRouter<ActionsRequestHandlerContext>,
Expand All @@ -24,6 +25,7 @@ export const getConnectorRoute = (
router.get(
{
path: `${BASE_ACTION_API_PATH}/connector/{id}`,
security: DEFAULT_ACTION_ROUTE_SECURITY,
options: {
access: 'public',
summary: `Get connector information`,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import { ActionsRequestHandlerContext } from '../../../types';
import { BASE_ACTION_API_PATH } from '../../../../common';
import { ILicenseState } from '../../../lib';
import { verifyAccessAndContext } from '../../verify_access_and_context';
import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';

export const getAllConnectorsRoute = (
router: IRouter<ActionsRequestHandlerContext>,
Expand All @@ -20,6 +21,7 @@ export const getAllConnectorsRoute = (
router.get(
{
path: `${BASE_ACTION_API_PATH}/connectors`,
security: DEFAULT_ACTION_ROUTE_SECURITY,
options: {
access: 'public',
summary: `Get all connectors`,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import { INTERNAL_BASE_ACTION_API_PATH } from '../../../../common';
import { ILicenseState } from '../../../lib';
import { verifyAccessAndContext } from '../../verify_access_and_context';
import { transformGetAllConnectorsResponseV1 } from '../get_all/transforms';
import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';

export const getAllConnectorsIncludingSystemRoute = (
router: IRouter<ActionsRequestHandlerContext>,
Expand All @@ -20,6 +21,7 @@ export const getAllConnectorsIncludingSystemRoute = (
router.get(
{
path: `${INTERNAL_BASE_ACTION_API_PATH}/connectors`,
security: DEFAULT_ACTION_ROUTE_SECURITY,
validate: {},
options: {
access: 'internal',
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,12 @@ export const listTypesRoute = (
router.get(
{
path: `${BASE_ACTION_API_PATH}/connector_types`,
security: {
authz: {
enabled: false,
reason: 'This API does not require any Kibana feature privileges.',
},
},
options: {
access: 'public',
summary: `Get connector types`,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,12 @@ export const listTypesWithSystemRoute = (
router.get(
{
path: `${INTERNAL_BASE_ACTION_API_PATH}/connector_types`,
security: {
authz: {
enabled: false,
reason: 'This internal API does not require any Kibana feature privileges.',
},
},
validate: {
query: connectorTypesQuerySchemaV1,
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ import {
updateConnectorParamsSchemaV1,
} from '../../../../common/routes/connector/apis/update';
import { transformUpdateConnectorResponseV1 } from './transforms';
import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';

export const updateConnectorRoute = (
router: IRouter<ActionsRequestHandlerContext>,
Expand All @@ -26,6 +27,7 @@ export const updateConnectorRoute = (
router.put(
{
path: `${BASE_ACTION_API_PATH}/connector/{id}`,
security: DEFAULT_ACTION_ROUTE_SECURITY,
options: {
access: 'public',
summary: `Update a connector`,
Expand Down
20 changes: 20 additions & 0 deletions x-pack/plugins/actions/server/routes/constants.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import type { RouteSecurity } from '@kbn/core-http-server';

/**
* This constant is used as the default value for the security object in routes
* where a reason for opting out needs to be provided.
*/
export const DEFAULT_ACTION_ROUTE_SECURITY: RouteSecurity = {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because actions use their own authorization model inside the actions client.',
},
};
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ import { verifyAccessAndContext } from './verify_access_and_context';
import { ActionsRequestHandlerContext } from '../types';
import { ILicenseState } from '../lib';
import { rewriteNamespaces } from './rewrite_namespaces';
import { DEFAULT_ACTION_ROUTE_SECURITY } from './constants';

const bodySchema = schema.object({
date_start: schema.string(),
Expand Down Expand Up @@ -42,6 +43,7 @@ export const getGlobalExecutionKPIRoute = (
router.post(
{
path: `${INTERNAL_BASE_ACTION_API_PATH}/_global_connector_execution_kpi`,
security: DEFAULT_ACTION_ROUTE_SECURITY,
validate: {
body: bodySchema,
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ import {
} from '../../common';
import { verifyAccessAndContext } from './verify_access_and_context';
import { rewriteNamespaces } from './rewrite_namespaces';
import { DEFAULT_ACTION_ROUTE_SECURITY } from './constants';

const sortOrderSchema = schema.oneOf([schema.literal('asc'), schema.literal('desc')]);

Expand Down Expand Up @@ -54,6 +55,7 @@ export const getGlobalExecutionLogRoute = (
router.post(
{
path: `${INTERNAL_BASE_ACTION_API_PATH}/_global_connector_execution_logs`,
security: DEFAULT_ACTION_ROUTE_SECURITY,
validate: {
body: bodySchema,
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import { INTERNAL_BASE_ACTION_API_PATH } from '../../common';
import { ActionsRequestHandlerContext } from '../types';
import { verifyAccessAndContext } from './verify_access_and_context';
import { ActionsConfigurationUtilities } from '../actions_config';
import { DEFAULT_ACTION_ROUTE_SECURITY } from './constants';

const oauthJwtBodySchema = schema.object({
tokenUrl: schema.string(),
Expand Down Expand Up @@ -63,6 +64,7 @@ export const getOAuthAccessToken = (
router.post(
{
path: `${INTERNAL_BASE_ACTION_API_PATH}/connector/_oauth_access_token`,
security: DEFAULT_ACTION_ROUTE_SECURITY,
validate: {
body: bodySchema,
},
Expand Down

0 comments on commit 35809cb

Please sign in to comment.