[ResponseOps][Rules] Migrate alerting APIs without access tags. (#204003
)

Connected with elastic/kibana-team#1322

## Summary

Since most rule routes do not use access tags they need to be migrated
to include a reason in the security params.

[Documentation.](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization#opting-out-of-authorization-for-specific-routes)

Some routes **use** access tags and have already been migrated. These
are:

-`getFlappingSettingsRoute`
-`updateFlappingSettingsRoute`
-`createMaintenanceWindowRoute`
-`getMaintenanceWindowRoute`
-`updateMaintenanceWindowRoute`
-`deleteMaintenanceWindowRoute`
-`findMaintenanceWindowsRoute`
-`archiveMaintenanceWindowRoute`
-`finishMaintenanceWindowRoute`
-`getActiveMaintenanceWindowsRoute`
-`bulkGetMaintenanceWindowRoute`
-`getQueryDelaySettingsRoute`
-`updateQueryDelaySettingsRoute`

All other routes were assigned the default reason for opting out.

(cherry picked from commit 42704af)
adcoelho committed Dec 13, 2024
1 parent f01d507 commit 4a737e9
Showing 62 changed files with 170 additions and 17 deletions.
Expand Up @@ -12,6 +12,7 @@ import {
import { ILicenseState } from '../../../../lib';
import { verifyAccessAndContext } from '../../../lib';
import { AlertingRequestHandlerContext, INTERNAL_BASE_ALERTING_API_PATH } from '../../../../types';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from '../../../constants';

export const deleteBackfillRoute = (
router: IRouter<AlertingRequestHandlerContext>,
Expand All @@ -20,6 +21,7 @@ export const deleteBackfillRoute = (
router.delete(
{
path: `${INTERNAL_BASE_ALERTING_API_PATH}/rules/backfill/{id}`,
security: DEFAULT_ALERTING_ROUTE_SECURITY,
options: {
access: 'internal',
},
Expand Up @@ -17,6 +17,7 @@ import {
INTERNAL_ALERTING_BACKFILL_FIND_API_PATH,
} from '../../../../types';
import { transformRequestV1, transformResponseV1 } from './transforms';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from '../../../constants';

export const findBackfillRoute = (
router: IRouter<AlertingRequestHandlerContext>,
Expand All @@ -25,6 +26,7 @@ export const findBackfillRoute = (
router.post(
{
path: `${INTERNAL_ALERTING_BACKFILL_FIND_API_PATH}`,
security: DEFAULT_ALERTING_ROUTE_SECURITY,
validate: {
query: findQuerySchemaV1,
},
Expand Up @@ -14,6 +14,7 @@ import { ILicenseState } from '../../../../lib';
import { verifyAccessAndContext } from '../../../lib';
import { AlertingRequestHandlerContext, INTERNAL_BASE_ALERTING_API_PATH } from '../../../../types';
import { transformBackfillToBackfillResponseV1 } from '../../transforms';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from '../../../constants';

export const getBackfillRoute = (
router: IRouter<AlertingRequestHandlerContext>,
Expand All @@ -22,6 +23,7 @@ export const getBackfillRoute = (
router.get(
{
path: `${INTERNAL_BASE_ALERTING_API_PATH}/rules/backfill/{id}`,
security: DEFAULT_ALERTING_ROUTE_SECURITY,
options: {
access: 'internal',
},
Expand Up @@ -14,6 +14,7 @@ import { ILicenseState } from '../../../../lib';
import { verifyAccessAndContext } from '../../../lib';
import { AlertingRequestHandlerContext, INTERNAL_BASE_ALERTING_API_PATH } from '../../../../types';
import { transformRequestV1, transformResponseV1 } from './transforms';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from '../../../constants';

export const scheduleBackfillRoute = (
router: IRouter<AlertingRequestHandlerContext>,
Expand All @@ -22,6 +23,7 @@ export const scheduleBackfillRoute = (
router.post(
{
path: `${INTERNAL_BASE_ALERTING_API_PATH}/rules/backfill/_schedule`,
security: DEFAULT_ALERTING_ROUTE_SECURITY,
options: { access: 'internal' },
validate: {
body: scheduleBodySchemaV1,
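--- a/x-pack/plugins/alerting/server/routes/constants.ts
+++ b/x-pack/plugins/alerting/server/routes/constants.ts
@@ -0,0 +1,20 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0; you may not use this file except in compliance with the Elastic License
+* 2.0.
+*/
+
+import type { RouteSecurity } from '@kbn/core-http-server';
+
+/**
+* This constant is used as the default value for the security object in routes
+* where a reason for opting out needs to be provided.
+*/
+export const DEFAULT_ALERTING_ROUTE_SECURITY: RouteSecurity = {
+authz: {
+enabled: false,
+reason:
+"This route is opted out from authorization because alerting uses it's own authorization model inside the alerts client.",
+},
+};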
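Review bot: The `reason` string in `DEFAULT_ALERTING_ROUTE_SECURITY` says "it's own" where "its own" is meant. This text is the recorded justification for `authz.enabled: false` on every route that imports the constant, so it should read `"This route is opted out from authorization because alerting uses its own authorization model inside the alerts client."`. The doc comment only says the constant is a default; it should also state the condition a route must meet to use it, for example `Only use on routes whose handler performs all data access through the alerting client that enforces authorization.` The same object instance is handed to every importing route, so wrapping it in `Object.freeze(...)` would keep one registration from altering the opt-out seen by the others.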
Expand Up @@ -17,6 +17,7 @@ import {
} from '../../../../types';
import { getSecurityHealth } from '../../../../lib/get_security_health';
import { transformHealthBodyResponse } from './transforms/transform_health_response/v1';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from '../../../constants';

export const healthRoute = (
router: IRouter<AlertingRequestHandlerContext>,
Expand All @@ -26,6 +27,7 @@ export const healthRoute = (
router.get(
{
path: `${BASE_ALERTING_API_PATH}/_health`,
security: DEFAULT_ALERTING_ROUTE_SECURITY,
options: {
access: 'public',
summary: `Get the alerting framework health`,
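Review bot: `healthRoute` is registered with `access: 'public'`, and the added `security: DEFAULT_ALERTING_ROUTE_SECURITY` switches route-level authorization off on the grounds that the alerts client authorizes instead. The handler body is outside this hunk, so it cannot be confirmed from here that the `_health` response is produced only through that client. The same applies to the legacy routes later in this commit (`legacy/create.ts`, `delete.ts`, `disable.ts`, `enable.ts`, `find.ts`, `get.ts`), which are `'public'` outside serverless. Several of them visibly import `verifyApiAccess` from `license_api_access`, which by its path looks like a license check rather than a privilege check. Where a handler does not go through the client, give the route its own `reason` naming what protects it instead of the shared default.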
2 changes: 2 additions & 0 deletions x-pack/plugins/alerting/server/routes/get_action_error_log.ts
Expand Up @@ -11,6 +11,7 @@ import { ILicenseState } from '../lib';
import { GetActionErrorLogByIdParams } from '../rules_client';
import { RewriteRequestCase, verifyAccessAndContext } from './lib';
import { AlertingRequestHandlerContext, INTERNAL_BASE_ALERTING_API_PATH } from '../types';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from './constants';

const paramSchema = schema.object({
id: schema.string(),
Expand Down Expand Up @@ -59,6 +60,7 @@ export const getActionErrorLogRoute = (
router.get(
{
path: `${INTERNAL_BASE_ALERTING_API_PATH}/rule/{id}/_action_error_log`,
security: DEFAULT_ALERTING_ROUTE_SECURITY,
validate: {
params: paramSchema,
query: querySchema,
Expand Up @@ -10,6 +10,7 @@ import { AlertingRequestHandlerContext, INTERNAL_BASE_ALERTING_API_PATH } from '
import { RewriteRequestCase, verifyAccessAndContext, rewriteNamespaces } from './lib';
import { GetGlobalExecutionKPIParams } from '../rules_client';
import { ILicenseState } from '../lib';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from './constants';

const querySchema = schema.object({
date_start: schema.string(),
Expand Down Expand Up @@ -37,6 +38,7 @@ export const getGlobalExecutionKPIRoute = (
router.get(
{
path: `${INTERNAL_BASE_ALERTING_API_PATH}/_global_execution_kpi`,
security: DEFAULT_ALERTING_ROUTE_SECURITY,
options: {
access: 'internal',
},
Expand Up @@ -11,6 +11,7 @@ import { ILicenseState } from '../lib';
import { GetGlobalExecutionLogParams } from '../rules_client';
import { RewriteRequestCase, verifyAccessAndContext, rewriteNamespaces } from './lib';
import { AlertingRequestHandlerContext, INTERNAL_BASE_ALERTING_API_PATH } from '../types';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from './constants';

const sortOrderSchema = schema.oneOf([schema.literal('asc'), schema.literal('desc')]);

Expand Down Expand Up @@ -62,6 +63,7 @@ export const getGlobalExecutionLogRoute = (
router.get(
{
path: `${INTERNAL_BASE_ALERTING_API_PATH}/_global_execution_logs`,
security: DEFAULT_ALERTING_ROUTE_SECURITY,
options: {
access: 'internal',
},
Expand Up @@ -15,6 +15,7 @@ import {
INTERNAL_BASE_ALERTING_API_PATH,
AlertSummary,
} from '../types';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from './constants';

const paramSchema = schema.object({
id: schema.string(),
Expand Down Expand Up @@ -65,6 +66,7 @@ export const getRuleAlertSummaryRoute = (
router.get(
{
path: `${INTERNAL_BASE_ALERTING_API_PATH}/rule/{id}/_alert_summary`,
security: DEFAULT_ALERTING_ROUTE_SECURITY,
options: {
access: 'internal',
},
Expand Up @@ -10,6 +10,7 @@ import { AlertingRequestHandlerContext, INTERNAL_BASE_ALERTING_API_PATH } from '
import { RewriteRequestCase, verifyAccessAndContext } from './lib';
import { GetRuleExecutionKPIParams } from '../rules_client';
import { ILicenseState } from '../lib';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from './constants';

const paramSchema = schema.object({
id: schema.string(),
Expand Down Expand Up @@ -38,6 +39,7 @@ export const getRuleExecutionKPIRoute = (
router.get(
{
path: `${INTERNAL_BASE_ALERTING_API_PATH}/rule/{id}/_execution_kpi`,
security: DEFAULT_ALERTING_ROUTE_SECURITY,
options: {
access: 'internal',
},
Expand Up @@ -11,6 +11,7 @@ import { ILicenseState } from '../lib';
import { GetExecutionLogByIdParams } from '../rules_client';
import { RewriteRequestCase, verifyAccessAndContext } from './lib';
import { AlertingRequestHandlerContext, INTERNAL_BASE_ALERTING_API_PATH } from '../types';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from './constants';

const paramSchema = schema.object({
id: schema.string(),
Expand Down Expand Up @@ -63,6 +64,7 @@ export const getRuleExecutionLogRoute = (
router.get(
{
path: `${INTERNAL_BASE_ALERTING_API_PATH}/rule/{id}/_execution_log`,
security: DEFAULT_ALERTING_ROUTE_SECURITY,
options: {
access: 'internal',
},
2 changes: 2 additions & 0 deletions x-pack/plugins/alerting/server/routes/get_rule_state.ts
Expand Up @@ -14,6 +14,7 @@ import {
INTERNAL_BASE_ALERTING_API_PATH,
RuleTaskState,
} from '../types';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from './constants';

const paramSchema = schema.object({
id: schema.string(),
Expand All @@ -38,6 +39,7 @@ export const getRuleStateRoute = (
router.get(
{
path: `${INTERNAL_BASE_ALERTING_API_PATH}/rule/{id}/state`,
security: DEFAULT_ALERTING_ROUTE_SECURITY,
options: {
access: 'internal',
},
43 changes: 26 additions & 17 deletions x-pack/plugins/alerting/server/routes/index.ts
Expand Up @@ -94,7 +94,10 @@ export function defineRoutes(opts: RouteOptions) {
getAlertIndicesAlias,
} = opts;

// Legacy APIs
defineLegacyRoutes(opts);

// Rule APIs
createRuleRoute(opts);
getRuleRoute(router, licenseState);
getInternalRuleRoute(router, licenseState);
Expand All @@ -108,29 +111,30 @@ export function defineRoutes(opts: RouteOptions) {
findInternalRulesRoute(router, licenseState, usageCounter);
getRuleAlertSummaryRoute(router, licenseState);
getRuleExecutionLogRoute(router, licenseState);
getGlobalExecutionLogRoute(router, licenseState);
getActionErrorLogRoute(router, licenseState);
getRuleExecutionKPIRoute(router, licenseState);
getGlobalExecutionKPIRoute(router, licenseState);
getRuleStateRoute(router, licenseState);
healthRoute(router, licenseState, encryptedSavedObjects);
ruleTypesRoute(router, licenseState);
muteAllRuleRoute(router, licenseState, usageCounter);
muteAlertRoute(router, licenseState);
unmuteAllRuleRoute(router, licenseState);
unmuteAlertRoute(router, licenseState);
updateRuleApiKeyRoute(router, licenseState);
bulkEditInternalRulesRoute(router, licenseState);
bulkDeleteRulesRoute({ router, licenseState });
bulkEnableRulesRoute({ router, licenseState });
bulkDisableRulesRoute({ router, licenseState });
snoozeRuleRoute(router, licenseState);
unsnoozeRuleRoute(router, licenseState);
runSoonRoute(router, licenseState);
cloneRuleRoute(router, licenseState);
getFlappingSettingsRoute(router, licenseState);
updateFlappingSettingsRoute(router, licenseState);
getRuleTagsRoute(router, licenseState);
registerRulesValueSuggestionsRoute(router, licenseState, config$!);

// Alert APIs
registerAlertsValueSuggestionsRoute(router, licenseState, config$!, getAlertIndicesAlias);
bulkUntrackAlertsRoute(router, licenseState);
bulkUntrackAlertsByQueryRoute(router, licenseState);
muteAlertRoute(router, licenseState);
unmuteAlertRoute(router, licenseState);

// Maintenance Window APIs
createMaintenanceWindowRoute(router, licenseState);
getMaintenanceWindowRoute(router, licenseState);
updateMaintenanceWindowRoute(router, licenseState);
Expand All @@ -139,19 +143,24 @@ export function defineRoutes(opts: RouteOptions) {
archiveMaintenanceWindowRoute(router, licenseState);
finishMaintenanceWindowRoute(router, licenseState);
getActiveMaintenanceWindowsRoute(router, licenseState);
registerAlertsValueSuggestionsRoute(router, licenseState, config$!, getAlertIndicesAlias);
registerRulesValueSuggestionsRoute(router, licenseState, config$!);
registerFieldsRoute(router, licenseState);
bulkGetMaintenanceWindowRoute(router, licenseState);
getScheduleFrequencyRoute(router, licenseState);
bulkUntrackAlertsRoute(router, licenseState);
bulkUntrackAlertsByQueryRoute(router, licenseState);
getQueryDelaySettingsRoute(router, licenseState);
updateQueryDelaySettingsRoute(router, licenseState);

// backfill APIs
scheduleBackfillRoute(router, licenseState);
getBackfillRoute(router, licenseState);
findBackfillRoute(router, licenseState);
deleteBackfillRoute(router, licenseState);

// Other APIs
registerFieldsRoute(router, licenseState);
getScheduleFrequencyRoute(router, licenseState);
getQueryDelaySettingsRoute(router, licenseState);
updateQueryDelaySettingsRoute(router, licenseState);
getGlobalExecutionLogRoute(router, licenseState);
getActionErrorLogRoute(router, licenseState);
getFlappingSettingsRoute(router, licenseState);
updateFlappingSettingsRoute(router, licenseState);
runSoonRoute(router, licenseState);
healthRoute(router, licenseState, encryptedSavedObjects);
getGlobalExecutionKPIRoute(router, licenseState);
}
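Review bot: The group comments in `defineRoutes` are inconsistent in casing: `// backfill APIs` sits among `// Rule APIs`, `// Alert APIs` and `// Maintenance Window APIs`, and should read `// Backfill APIs`. Separately, this section reorders route registrations (26 additions and 17 deletions) inside a commit whose stated purpose is the authorization opt-out. The rendered page does not mark which lines are old or new, and the start of `defineRoutes` is outside the shown hunks, so it is hard to confirm from here that every route is still registered exactly once. A unit test asserting the set of registered paths, and that each one carries a `security` entry, would make the reordering safe to review and would catch a later route added without one.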
2 changes: 2 additions & 0 deletions x-pack/plugins/alerting/server/routes/legacy/create.ts
Expand Up @@ -20,6 +20,7 @@ import { RuleTypeDisabledError } from '../../lib/errors/rule_type_disabled';
import { RouteOptions } from '..';
import { countUsageOfPredefinedIds } from '../lib';
import { trackLegacyRouteUsage } from '../../lib/track_legacy_route_usage';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from '../constants';

export const bodySchema = schema.object({
name: schema.string(),
Expand Down Expand Up @@ -62,6 +63,7 @@ export const createAlertRoute = ({
),
body: bodySchema,
},
security: DEFAULT_ALERTING_ROUTE_SECURITY,
options: {
access: isServerless ? 'internal' : 'public',
summary: 'Create an alert',
2 changes: 2 additions & 0 deletions x-pack/plugins/alerting/server/routes/legacy/delete.ts
Expand Up @@ -13,6 +13,7 @@ import { ILicenseState } from '../../lib/license_state';
import { verifyApiAccess } from '../../lib/license_api_access';
import { LEGACY_BASE_ALERT_API_PATH } from '../../../common';
import { trackLegacyRouteUsage } from '../../lib/track_legacy_route_usage';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from '../constants';

const paramSchema = schema.object({
id: schema.string(),
Expand All @@ -31,6 +32,7 @@ export const deleteAlertRoute = (
validate: {
params: paramSchema,
},
security: DEFAULT_ALERTING_ROUTE_SECURITY,
options: {
access: isServerless ? 'internal' : 'public',
summary: 'Delete an alert',
2 changes: 2 additions & 0 deletions x-pack/plugins/alerting/server/routes/legacy/disable.ts
Expand Up @@ -14,6 +14,7 @@ import { verifyApiAccess } from '../../lib/license_api_access';
import { LEGACY_BASE_ALERT_API_PATH } from '../../../common';
import { RuleTypeDisabledError } from '../../lib/errors/rule_type_disabled';
import { trackLegacyRouteUsage } from '../../lib/track_legacy_route_usage';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from '../constants';

const paramSchema = schema.object({
id: schema.string(),
Expand All @@ -32,6 +33,7 @@ export const disableAlertRoute = (
validate: {
params: paramSchema,
},
security: DEFAULT_ALERTING_ROUTE_SECURITY,
options: {
access: isServerless ? 'internal' : 'public',
summary: 'Disable an alert',
2 changes: 2 additions & 0 deletions x-pack/plugins/alerting/server/routes/legacy/enable.ts
Expand Up @@ -15,6 +15,7 @@ import { LEGACY_BASE_ALERT_API_PATH } from '../../../common';
import { handleDisabledApiKeysError } from '../lib/error_handler';
import { RuleTypeDisabledError } from '../../lib/errors/rule_type_disabled';
import { trackLegacyRouteUsage } from '../../lib/track_legacy_route_usage';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from '../constants';

const paramSchema = schema.object({
id: schema.string(),
Expand All @@ -33,6 +34,7 @@ export const enableAlertRoute = (
validate: {
params: paramSchema,
},
security: DEFAULT_ALERTING_ROUTE_SECURITY,
options: {
access: isServerless ? 'internal' : 'public',
summary: 'Enable an alert',
2 changes: 2 additions & 0 deletions x-pack/plugins/alerting/server/routes/legacy/find.ts
Expand Up @@ -19,6 +19,7 @@ import { renameKeys } from '../lib/rename_keys';
import { IndexType } from '../../rules_client';
import { trackLegacyRouteUsage } from '../../lib/track_legacy_route_usage';
import { trackLegacyTerminology } from '../lib/track_legacy_terminology';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from '../constants';

export interface FindOptions extends IndexType {
perPage?: number;
Expand Down Expand Up @@ -75,6 +76,7 @@ export const findAlertRoute = (
validate: {
query: querySchema,
},
security: DEFAULT_ALERTING_ROUTE_SECURITY,
options: {
access: isServerless ? 'internal' : 'public',
summary: 'Find alerts',
2 changes: 2 additions & 0 deletions x-pack/plugins/alerting/server/routes/legacy/get.ts
Expand Up @@ -13,6 +13,7 @@ import { verifyApiAccess } from '../../lib/license_api_access';
import { LEGACY_BASE_ALERT_API_PATH } from '../../../common';
import type { AlertingRouter } from '../../types';
import { trackLegacyRouteUsage } from '../../lib/track_legacy_route_usage';
import { DEFAULT_ALERTING_ROUTE_SECURITY } from '../constants';

const paramSchema = schema.object({
id: schema.string(),
Expand All @@ -31,6 +32,7 @@ export const getAlertRoute = (
validate: {
params: paramSchema,
},
security: DEFAULT_ALERTING_ROUTE_SECURITY,
options: {
access: isServerless ? 'internal' : 'public',
summary: 'Get an alert',