From 2f52205c56e17d7410b83ac1c3b14522df3f97c0 Mon Sep 17 00:00:00 2001
From: adcoelho
Date: Thu, 12 Dec 2024 15:01:12 +0100
Subject: [PATCH 1/2] Add security for action APIs
---
 .../server/routes/connector/create/create.ts | 2 ++
 .../server/routes/connector/delete/delete.ts | 2 ++
 .../routes/connector/execute/execute.ts | 2 ++
 .../server/routes/connector/get/get.ts | 2 ++
 .../routes/connector/get_all/get_all.ts | 2 ++
 .../get_all_system/get_all_system.ts | 2 ++
 .../routes/connector/list_types/list_types.ts | 2 ++
 .../list_types_system/list_types_system.ts | 2 ++
 .../server/routes/connector/update/update.ts | 2 ++
 .../actions/server/routes/constants.ts | 20 +++++++++++++++++++
 .../server/routes/get_global_execution_kpi.ts | 2 ++
 .../routes/get_global_execution_logs.ts | 2 ++
 .../server/routes/get_oauth_access_token.ts | 2 ++
 13 files changed, 44 insertions(+)
 create mode 100644 x-pack/plugins/actions/server/routes/constants.ts
diff --git a/x-pack/plugins/actions/server/routes/connector/create/create.ts b/x-pack/plugins/actions/server/routes/connector/create/create.ts
index cd5073506c03f..d828c7339dc26 100644
--- a/x-pack/plugins/actions/server/routes/connector/create/create.ts
+++ b/x-pack/plugins/actions/server/routes/connector/create/create.ts
@@ -17,6 +17,7 @@ import { createConnectorRequestBodySchemaV1, } from '../../../../common/routes/connector/apis/create';
 import { transformCreateConnectorBodyV1 } from './transforms';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const createConnectorRoute = ( router: IRouter,
@@ -25,6 +26,7 @@ export const createConnectorRoute = ( router.post( { path: `${BASE_ACTION_API_PATH}/connector/{id?}`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 options: { access: 'public', summary: 'Create a connector',
diff --git a/x-pack/plugins/actions/server/routes/connector/delete/delete.ts b/x-pack/plugins/actions/server/routes/connector/delete/delete.ts
index 38f7c41d6037b..acb9b64b754c8 100644
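Review bot: Nothing in this patch pins the behaviour the opt-out relies on: with `security: DEFAULT_ACTION_ROUTE_SECURITY` on `router.post` in the second create.ts hunk, route-level authorization is declared off and the only remaining check is whatever the handler does, yet the diffstat lists route files and constants.ts only, no test. The same applies to the delete, execute, get, get_all, get_all_system, update, execution KPI, execution log and OAuth token hunks. An API test per route asserting that a user without actions privileges is rejected would keep a later handler refactor from silently removing the last check; if such tests already exist, a pointer in the description is enough. The handler bodies are outside these hunks, so this is not a claim that any check is missing today.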
--- a/x-pack/plugins/actions/server/routes/connector/delete/delete.ts
+++ b/x-pack/plugins/actions/server/routes/connector/delete/delete.ts
@@ -14,6 +14,7 @@ import { deleteConnectorRequestParamsSchemaV1, DeleteConnectorRequestParamsV1, } from '../../../../common/routes/connector/apis/delete';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const deleteConnectorRoute = ( router: IRouter,
@@ -22,6 +23,7 @@ export const deleteConnectorRoute = ( router.delete( { path: `${BASE_ACTION_API_PATH}/connector/{id}`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 options: { access: 'public', summary: `Delete a connector`,
diff --git a/x-pack/plugins/actions/server/routes/connector/execute/execute.ts b/x-pack/plugins/actions/server/routes/connector/execute/execute.ts
index ab5ed25ff5f78..bbcb4f6a5a39c 100644
--- a/x-pack/plugins/actions/server/routes/connector/execute/execute.ts
+++ b/x-pack/plugins/actions/server/routes/connector/execute/execute.ts
@@ -20,6 +20,7 @@ import { ExecuteConnectorRequestParamsV1, } from '../../../../common/routes/connector/apis/execute';
 import { transformExecuteConnectorResponseV1 } from './transforms';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const executeConnectorRoute = ( router: IRouter,
@@ -28,6 +29,7 @@ export const executeConnectorRoute = ( router.post( { path: `${BASE_ACTION_API_PATH}/connector/{id}/_execute`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 options: { access: 'public', summary: `Run a connector`,
diff --git a/x-pack/plugins/actions/server/routes/connector/get/get.ts b/x-pack/plugins/actions/server/routes/connector/get/get.ts
index eaab31594ba1b..e5777d6ab08ff 100644
--- a/x-pack/plugins/actions/server/routes/connector/get/get.ts
+++ b/x-pack/plugins/actions/server/routes/connector/get/get.ts
@@ -16,6 +16,7 @@ import { ILicenseState } from '../../../lib';
 import { BASE_ACTION_API_PATH } from '../../../../common';
 import { ActionsRequestHandlerContext } from '../../../types';
 import { verifyAccessAndContext } from '../../verify_access_and_context';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const getConnectorRoute = ( router: IRouter,
@@ -24,6 +25,7 @@ export const getConnectorRoute = ( router.get( { path: `${BASE_ACTION_API_PATH}/connector/{id}`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 options: { access: 'public', summary: `Get connector information`,
diff --git a/x-pack/plugins/actions/server/routes/connector/get_all/get_all.ts b/x-pack/plugins/actions/server/routes/connector/get_all/get_all.ts
index 27f43a75eb151..945e878d445bd 100644
--- a/x-pack/plugins/actions/server/routes/connector/get_all/get_all.ts
+++ b/x-pack/plugins/actions/server/routes/connector/get_all/get_all.ts
@@ -12,6 +12,7 @@ import { ActionsRequestHandlerContext } from '../../../types';
 import { BASE_ACTION_API_PATH } from '../../../../common';
 import { ILicenseState } from '../../../lib';
 import { verifyAccessAndContext } from '../../verify_access_and_context';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const getAllConnectorsRoute = ( router: IRouter,
@@ -20,6 +21,7 @@ export const getAllConnectorsRoute = ( router.get( { path: `${BASE_ACTION_API_PATH}/connectors`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 options: { access: 'public', summary: `Get all connectors`,
diff --git a/x-pack/plugins/actions/server/routes/connector/get_all_system/get_all_system.ts b/x-pack/plugins/actions/server/routes/connector/get_all_system/get_all_system.ts
index 747d97e5ba8a3..4259f113a4456 100644
--- a/x-pack/plugins/actions/server/routes/connector/get_all_system/get_all_system.ts
+++ b/x-pack/plugins/actions/server/routes/connector/get_all_system/get_all_system.ts
@@ -12,6 +12,7 @@ import { INTERNAL_BASE_ACTION_API_PATH } from '../../../../common';
 import { ILicenseState } from '../../../lib';
 import { verifyAccessAndContext } from '../../verify_access_and_context';
 import { transformGetAllConnectorsResponseV1 } from '../get_all/transforms';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const getAllConnectorsIncludingSystemRoute = ( router: IRouter,
@@ -20,6 +21,7 @@ export const getAllConnectorsIncludingSystemRoute = ( router.get( { path: `${INTERNAL_BASE_ACTION_API_PATH}/connectors`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 validate: {}, options: { access: 'internal',
diff --git a/x-pack/plugins/actions/server/routes/connector/list_types/list_types.ts b/x-pack/plugins/actions/server/routes/connector/list_types/list_types.ts
index 20ca0d9343608..a19782c1a17de 100644
--- a/x-pack/plugins/actions/server/routes/connector/list_types/list_types.ts
+++ b/x-pack/plugins/actions/server/routes/connector/list_types/list_types.ts
@@ -16,6 +16,7 @@ import { ActionsRequestHandlerContext } from '../../../types';
 import { BASE_ACTION_API_PATH } from '../../../../common';
 import { ILicenseState } from '../../../lib';
 import { verifyAccessAndContext } from '../../verify_access_and_context';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const listTypesRoute = ( router: IRouter,
@@ -24,6 +25,7 @@ export const listTypesRoute = ( router.get( { path: `${BASE_ACTION_API_PATH}/connector_types`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 options: { access: 'public', summary: `Get connector types`,
diff --git a/x-pack/plugins/actions/server/routes/connector/list_types_system/list_types_system.ts b/x-pack/plugins/actions/server/routes/connector/list_types_system/list_types_system.ts
index c43912ecbc7e4..4e9dd230ebfa3 100644
--- a/x-pack/plugins/actions/server/routes/connector/list_types_system/list_types_system.ts
+++ b/x-pack/plugins/actions/server/routes/connector/list_types_system/list_types_system.ts
@@ -16,6 +16,7 @@ import { INTERNAL_BASE_ACTION_API_PATH } from '../../../../common';
 import { ILicenseState } from '../../../lib';
 import { verifyAccessAndContext } from '../../verify_access_and_context';
 import { transformListTypesResponseV1 } from '../list_types/transforms';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const listTypesWithSystemRoute = ( router: IRouter,
@@ -24,6 +25,7 @@ export const listTypesWithSystemRoute = ( router.get( { path: `${INTERNAL_BASE_ACTION_API_PATH}/connector_types`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 validate: { query: connectorTypesQuerySchemaV1, },
diff --git a/x-pack/plugins/actions/server/routes/connector/update/update.ts b/x-pack/plugins/actions/server/routes/connector/update/update.ts
index 888cdee9b0e3a..8686ff2d7efd0 100644
--- a/x-pack/plugins/actions/server/routes/connector/update/update.ts
+++ b/x-pack/plugins/actions/server/routes/connector/update/update.ts
@@ -18,6 +18,7 @@ import { updateConnectorParamsSchemaV1, } from '../../../../common/routes/connector/apis/update';
 import { transformUpdateConnectorResponseV1 } from './transforms';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const updateConnectorRoute = ( router: IRouter,
@@ -26,6 +27,7 @@ export const updateConnectorRoute = ( router.put( { path: `${BASE_ACTION_API_PATH}/connector/{id}`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 options: { access: 'public', summary: `Update a connector`,
diff --git a/x-pack/plugins/actions/server/routes/constants.ts b/x-pack/plugins/actions/server/routes/constants.ts
new file mode 100644
index 0000000000000..2c71110b92833
--- /dev/null
+++ b/x-pack/plugins/actions/server/routes/constants.ts
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { RouteSecurity } from '@kbn/core-http-server';
+
+/**
+ * This constant is used as the default value for the security object in routes
+ * where a reason for opting out needs to be provided.
+ */
+export const DEFAULT_ACTION_ROUTE_SECURITY: RouteSecurity = {
+ authz: {
+ enabled: false,
+ reason:
+ 'This route is opted out from authorization because actions use their own authorization model inside the actions client.',
+ },
+};
diff --git a/x-pack/plugins/actions/server/routes/get_global_execution_kpi.ts b/x-pack/plugins/actions/server/routes/get_global_execution_kpi.ts
index 93034745584a7..a82cee84082bf 100644
--- a/x-pack/plugins/actions/server/routes/get_global_execution_kpi.ts
+++ b/x-pack/plugins/actions/server/routes/get_global_execution_kpi.ts
@@ -15,6 +15,7 @@ import { verifyAccessAndContext } from './verify_access_and_context';
 import { ActionsRequestHandlerContext } from '../types';
 import { ILicenseState } from '../lib';
 import { rewriteNamespaces } from './rewrite_namespaces';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from './constants';
 const bodySchema = schema.object({ date_start: schema.string(),
@@ -42,6 +43,7 @@ export const getGlobalExecutionKPIRoute = ( router.post( { path: `${INTERNAL_BASE_ACTION_API_PATH}/_global_connector_execution_kpi`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 validate: { body: bodySchema, },
diff --git a/x-pack/plugins/actions/server/routes/get_global_execution_logs.ts b/x-pack/plugins/actions/server/routes/get_global_execution_logs.ts
index d42ce07a814cf..2dc6bffa8f6f0 100644
--- a/x-pack/plugins/actions/server/routes/get_global_execution_logs.ts
+++ b/x-pack/plugins/actions/server/routes/get_global_execution_logs.ts
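Review bot: The name and doc comment of `DEFAULT_ACTION_ROUTE_SECURITY` in the new constants.ts hide that the constant turns route authorization off: at the use sites `security: DEFAULT_ACTION_ROUTE_SECURITY` reads as if protection were being added, and the comment does not state the precondition a route must meet before using it. I would rename it along the lines of `ACTIONS_CLIENT_AUTHZ_OPT_OUT` (a suggested name, not an existing one) and replace the comment with `Route-level authz opt-out. Use only on routes whose handler performs every privileged operation through the actions client, which enforces authorization itself.` The object is also exported mutable and shared by every route that references it, so freezing it, including the nested `authz` object, would keep a single write from changing all of them at once.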
@@ -16,6 +16,7 @@ import { } from '../../common';
 import { verifyAccessAndContext } from './verify_access_and_context';
 import { rewriteNamespaces } from './rewrite_namespaces';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from './constants';
 const sortOrderSchema = schema.oneOf([schema.literal('asc'), schema.literal('desc')]);
@@ -54,6 +55,7 @@ export const getGlobalExecutionLogRoute = ( router.post( { path: `${INTERNAL_BASE_ACTION_API_PATH}/_global_connector_execution_logs`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 validate: { body: bodySchema, },
diff --git a/x-pack/plugins/actions/server/routes/get_oauth_access_token.ts b/x-pack/plugins/actions/server/routes/get_oauth_access_token.ts
index b703c0de220f1..0d296fe55070b 100644
--- a/x-pack/plugins/actions/server/routes/get_oauth_access_token.ts
+++ b/x-pack/plugins/actions/server/routes/get_oauth_access_token.ts
@@ -12,6 +12,7 @@ import { INTERNAL_BASE_ACTION_API_PATH } from '../../common';
 import { ActionsRequestHandlerContext } from '../types';
 import { verifyAccessAndContext } from './verify_access_and_context';
 import { ActionsConfigurationUtilities } from '../actions_config';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from './constants';
 const oauthJwtBodySchema = schema.object({ tokenUrl: schema.string(),
@@ -63,6 +64,7 @@ export const getOAuthAccessToken = ( router.post( { path: `${INTERNAL_BASE_ACTION_API_PATH}/connector/_oauth_access_token`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 validate: { body: bodySchema, },
From c71f24c9c6a1e6b87f9e8ad351f4f7c0256a312b Mon Sep 17 00:00:00 2001
From: adcoelho
Date: Fri, 13 Dec 2024 12:31:24 +0100
Subject: [PATCH 2/2] update list types routes
---
 .../server/routes/connector/list_types/list_types.ts | 8 ++++++--
 .../connector/list_types_system/list_types_system.ts | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)
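Review bot: The opt-out on `/connector/_oauth_access_token` in get_oauth_access_token.ts needs its own justification rather than the shared reason text: the first hunk shows `oauthJwtBodySchema` accepting a caller-supplied `tokenUrl` as a bare `schema.string()`, so the server presumably issues an outbound request to an endpoint the caller chooses. The handler is outside the hunk, so please confirm that it authorizes through the actions client before any request is made and that `tokenUrl` is checked against the allowed-hosts configuration (`ActionsConfigurationUtilities` is imported in this file, which suggests it is). Once confirmed, a comment above `security:` such as `// authz: enforced in the handler via the actions client; tokenUrl is validated against allowed hosts` would make the opt-out auditable at the route.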
diff --git a/x-pack/plugins/actions/server/routes/connector/list_types/list_types.ts b/x-pack/plugins/actions/server/routes/connector/list_types/list_types.ts
index a19782c1a17de..3078b9438d875 100644
--- a/x-pack/plugins/actions/server/routes/connector/list_types/list_types.ts
+++ b/x-pack/plugins/actions/server/routes/connector/list_types/list_types.ts
@@ -16,7 +16,6 @@ import { ActionsRequestHandlerContext } from '../../../types';
 import { BASE_ACTION_API_PATH } from '../../../../common';
 import { ILicenseState } from '../../../lib';
 import { verifyAccessAndContext } from '../../verify_access_and_context';
-import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const listTypesRoute = ( router: IRouter,
@@ -25,7 +24,12 @@ export const listTypesRoute = ( router.get( { path: `${BASE_ACTION_API_PATH}/connector_types`,
- security: DEFAULT_ACTION_ROUTE_SECURITY,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'This API does not require any Kibana feature privileges.',
+ },
+ },
 options: { access: 'public', summary: `Get connector types`,
diff --git a/x-pack/plugins/actions/server/routes/connector/list_types_system/list_types_system.ts b/x-pack/plugins/actions/server/routes/connector/list_types_system/list_types_system.ts
index 4e9dd230ebfa3..892ded96bbded 100644
--- a/x-pack/plugins/actions/server/routes/connector/list_types_system/list_types_system.ts
+++ b/x-pack/plugins/actions/server/routes/connector/list_types_system/list_types_system.ts
@@ -16,7 +16,6 @@ import { INTERNAL_BASE_ACTION_API_PATH } from '../../../../common';
 import { ILicenseState } from '../../../lib';
 import { verifyAccessAndContext } from '../../verify_access_and_context';
 import { transformListTypesResponseV1 } from '../list_types/transforms';
-import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const listTypesWithSystemRoute = ( router: IRouter,
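Review bot: The two inline `security` literals added in this patch (the second hunk of list_types.ts and the second hunk of list_types_system.ts) differ by one word and state only what the route does not need; neither says what still protects it. Since `verifyAccessAndContext` remains imported in both files, a reason such as `'Listing connector types requires only an authenticated user and a valid license; no Kibana feature privileges apply.'` would serve an auditor better, provided that is what the handler enforces (its body is outside the hunk). In list_types_system.ts the word "internal" should not carry the argument, because marking a route internal restricts how it is exposed and is not an authorization check; the reason should say why returning system connector types to any authenticated user is acceptable. A second named constant in routes/constants.ts would keep the two routes from drifting apart.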
@@ -25,7 +24,12 @@ export const listTypesWithSystemRoute = ( router.get( { path: `${INTERNAL_BASE_ACTION_API_PATH}/connector_types`,
- security: DEFAULT_ACTION_ROUTE_SECURITY,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'This internal API does not require any Kibana feature privileges.',
+ },
+ },
 validate: { query: connectorTypesQuerySchemaV1, },