Skip to content

Commit

Permalink
Authorized route migration for routes owned by @elastic/security-dete…
Browse files Browse the repository at this point in the history
…ction-engine (#198195)

### Authz API migration for authorized routes

This PR migrates `access:<privilege>` tags used in route definitions to
new security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
Access control tags were defined in the `options` object of the route:

```ts
router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);
```

### **After migration:**
Tags have been replaced with the more robust
`security.authz.requiredPrivileges` field under `security`:

```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have tests that rely on checking `access` tags.
  - If you have snapshot tests that include the route definition.
- If you have FTR tests that rely on checking unauthorized error
message. The error message changed to also include missing privileges.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

---------

Co-authored-by: Elastic Machine <[email protected]>
Co-authored-by: Nikita Khristinin <[email protected]>
(cherry picked from commit 32f0396)

# Conflicts:
#	x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/indicator_match/trial_license_complete_tier/indicator_match_alert_suppression.ts
  • Loading branch information
kibanamachine committed Nov 12, 2024
1 parent ca1e04a commit f9c6622
Show file tree
Hide file tree
Showing 44 changed files with 208 additions and 124 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -23,10 +23,12 @@ export const createEndpointListItemRoute = (router: ListsPluginRouter): void =>
router.versioned
.post({
access: 'public',
options: {
tags: ['access:lists-all'],
},
path: ENDPOINT_LIST_ITEM_URL,
security: {
authz: {
requiredPrivileges: ['lists-all'],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -27,10 +27,12 @@ export const createEndpointListRoute = (router: ListsPluginRouter): void => {
router.versioned
.post({
access: 'public',
options: {
tags: ['access:lists-all'],
},
path: ENDPOINT_LIST_URL,
security: {
authz: {
requiredPrivileges: ['lists-all'],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,12 @@ export const createExceptionListItemRoute = (router: ListsPluginRouter): void =>
router.versioned
.post({
access: 'public',
options: {
tags: ['access:lists-all'],
},
path: EXCEPTION_LIST_ITEM_URL,
security: {
authz: {
requiredPrivileges: ['lists-all'],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,12 @@ export const createExceptionListRoute = (router: ListsPluginRouter): void => {
router.versioned
.post({
access: 'public',
options: {
tags: ['access:lists-all'],
},
path: EXCEPTION_LIST_URL,
security: {
authz: {
requiredPrivileges: ['lists-all'],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,12 @@ export const deleteEndpointListItemRoute = (router: ListsPluginRouter): void =>
router.versioned
.delete({
access: 'public',
options: {
tags: ['access:lists-all'],
},
path: ENDPOINT_LIST_ITEM_URL,
security: {
authz: {
requiredPrivileges: ['lists-all'],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,12 @@ export const deleteExceptionListItemRoute = (router: ListsPluginRouter): void =>
router.versioned
.delete({
access: 'public',
options: {
tags: ['access:lists-all'],
},
path: EXCEPTION_LIST_ITEM_URL,
security: {
authz: {
requiredPrivileges: ['lists-all'],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,12 @@ export const deleteExceptionListRoute = (router: ListsPluginRouter): void => {
router.versioned
.delete({
access: 'public',
options: {
tags: ['access:lists-all'],
},
path: EXCEPTION_LIST_URL,
security: {
authz: {
requiredPrivileges: ['lists-all'],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,12 @@ export const duplicateExceptionsRoute = (router: ListsPluginRouter): void => {
router.versioned
.post({
access: 'public',
options: {
tags: ['access:lists-all'],
},
path: `${EXCEPTION_LIST_URL}/_duplicate`,
security: {
authz: {
requiredPrivileges: ['lists-all'],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,12 @@ export const exportExceptionsRoute = (router: ListsPluginRouter): void => {
router.versioned
.post({
access: 'public',
options: {
tags: ['access:lists-read'],
},
path: `${EXCEPTION_LIST_URL}/_export`,
security: {
authz: {
requiredPrivileges: ['lists-read'],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,12 @@ export const findEndpointListItemRoute = (router: ListsPluginRouter): void => {
router.versioned
.get({
access: 'public',
options: {
tags: ['access:lists-read'],
},
path: `${ENDPOINT_LIST_ITEM_URL}/_find`,
security: {
authz: {
requiredPrivileges: ['lists-read'],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,12 @@ export const findExceptionListItemRoute = (router: ListsPluginRouter): void => {
router.versioned
.get({
access: 'public',
options: {
tags: ['access:lists-read'],
},
path: `${EXCEPTION_LIST_ITEM_URL}/_find`,
security: {
authz: {
requiredPrivileges: ['lists-read'],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,12 @@ export const findExceptionListRoute = (router: ListsPluginRouter): void => {
router.versioned
.get({
access: 'public',
options: {
tags: ['access:lists-read'],
},
path: `${EXCEPTION_LIST_URL}/_find`,
security: {
authz: {
requiredPrivileges: ['lists-read'],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -35,9 +35,13 @@ export const importExceptionsRoute = (router: ListsPluginRouter, config: ConfigT
maxBytes: config.maxImportPayloadBytes,
output: 'stream',
},
tags: ['access:lists-all'],
},
path: `${EXCEPTION_LIST_URL}/_import`,
security: {
authz: {
requiredPrivileges: ['lists-all'],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,12 @@ export const getExceptionFilterRoute = (router: ListsPluginRouter): void => {
router.versioned
.post({
access: 'internal',
options: {
tags: ['access:securitySolution'],
},
path: INTERNAL_EXCEPTION_FILTER,
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,13 +20,12 @@ export const internalCreateExceptionListRoute = (router: ListsPluginRouter): voi
router.versioned
.post({
access: 'internal',
options: {
// Access control is set to `read` on purpose, as this route is internal and meant to
// ensure we have lists created (if not already) for Endpoint artifacts in order to support
// the UI. The Schema ensures that only endpoint artifact list IDs are allowed.
tags: ['access:lists-read'],
},
path: INTERNAL_EXCEPTIONS_LIST_ENSURE_CREATED_URL,
security: {
authz: {
requiredPrivileges: ['lists-read'],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,10 +23,12 @@ export const findListsBySizeRoute = (router: ListsPluginRouter): void => {
router.versioned
.get({
access: 'internal',
options: {
tags: ['access:lists-read'],
},
path: INTERNAL_FIND_LISTS_BY_SIZE,
security: {
authz: {
requiredPrivileges: ['lists-read'],
},
},
})
.addVersion(
{
Expand Down
8 changes: 5 additions & 3 deletions x-pack/plugins/lists/server/routes/list/create_list_route.ts
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,12 @@ export const createListRoute = (router: ListsPluginRouter): void => {
router.versioned
.post({
access: 'public',
options: {
tags: ['access:lists-all'],
},
path: LIST_URL,
security: {
authz: {
requiredPrivileges: ['lists-all'],
},
},
})
.addVersion(
{
Expand Down
8 changes: 5 additions & 3 deletions x-pack/plugins/lists/server/routes/list/delete_list_route.ts
Original file line number Diff line number Diff line change
Expand Up @@ -30,10 +30,12 @@ export const deleteListRoute = (router: ListsPluginRouter): void => {
router.versioned
.delete({
access: 'public',
options: {
tags: ['access:lists-all'],
},
path: LIST_URL,
security: {
authz: {
requiredPrivileges: ['lists-all'],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,12 +34,16 @@ export const importListItemRoute = (router: ListsPluginRouter, config: ConfigTyp
maxBytes: config.maxImportPayloadBytes,
parse: false,
},
tags: ['access:lists-all'],
timeout: {
payload: config.importTimeout.asMilliseconds(),
},
},
path: `${LIST_ITEM_URL}/_import`,
security: {
authz: {
requiredPrivileges: ['lists-all'],
},
},
})
.addVersion(
{
Expand Down
8 changes: 5 additions & 3 deletions x-pack/plugins/lists/server/routes/list/patch_list_route.ts
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,12 @@ export const patchListRoute = (router: ListsPluginRouter): void => {
router.versioned
.patch({
access: 'public',
options: {
tags: ['access:lists-all'],
},
path: LIST_URL,
security: {
authz: {
requiredPrivileges: ['lists-all'],
},
},
})
.addVersion(
{
Expand Down
8 changes: 5 additions & 3 deletions x-pack/plugins/lists/server/routes/list/read_list_route.ts
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,12 @@ export const readListRoute = (router: ListsPluginRouter): void => {
router.versioned
.get({
access: 'public',
options: {
tags: ['access:lists-read'],
},
path: LIST_URL,
security: {
authz: {
requiredPrivileges: ['lists-read'],
},
},
})
.addVersion(
{
Expand Down
8 changes: 5 additions & 3 deletions x-pack/plugins/lists/server/routes/list/update_list_route.ts
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,12 @@ export const updateListRoute = (router: ListsPluginRouter): void => {
router.versioned
.put({
access: 'public',
options: {
tags: ['access:lists-all'],
},
path: LIST_URL,
security: {
authz: {
requiredPrivileges: ['lists-all'],
},
},
})
.addVersion(
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,10 +17,12 @@ export const createListIndexRoute = (router: ListsPluginRouter): void => {
router.versioned
.post({
access: 'public',
options: {
tags: ['access:lists-all'],
},
path: LIST_INDEX,
security: {
authz: {
requiredPrivileges: ['lists-all'],
},
},
})
.addVersion({ validate: false, version: '2023-10-31' }, async (context, _, response) => {
const siemResponse = buildSiemResponse(response);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,10 +34,12 @@ export const deleteListIndexRoute = (router: ListsPluginRouter): void => {
router.versioned
.delete({
access: 'public',
options: {
tags: ['access:lists-all'],
},
path: LIST_INDEX,
security: {
authz: {
requiredPrivileges: ['lists-all'],
},
},
})
.addVersion(
{
Expand Down
Loading

0 comments on commit f9c6622

Please sign in to comment.