From b328fe89c9ac610fc324781a3574c6d6bdc1b0bb Mon Sep 17 00:00:00 2001
From: Irene Blanco <irene.blanco@elastic.co>
Date: Mon, 13 Jan 2025 10:25:27 +0100
Subject: [PATCH] [APM] Update non auth endpoints with authz info (#206289)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

Closes https://github.com/elastic/kibana/issues/206252


As part of the Authz migration, we updated the endpoints that didn’t
have any authorization restrictions to match the
[documentation](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization#opting-out-of-authorization-for-specific-routes)
requirements.
---
 .../plugins/apm/server/routes/fleet/route.ts  | 24 ++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/x-pack/solutions/observability/plugins/apm/server/routes/fleet/route.ts b/x-pack/solutions/observability/plugins/apm/server/routes/fleet/route.ts
index c4b8789543649..8b8a6b3bef55b 100644
--- a/x-pack/solutions/observability/plugins/apm/server/routes/fleet/route.ts
+++ b/x-pack/solutions/observability/plugins/apm/server/routes/fleet/route.ts
@@ -36,7 +36,13 @@ function throwNotFoundIfFleetMigrationNotAvailable(featureFlags: ApmFeatureFlags
 
 const hasFleetDataRoute = createApmServerRoute({
   endpoint: 'GET /internal/apm/fleet/has_apm_policies',
-  options: { tags: [] },
+  security: {
+    authz: {
+      enabled: false,
+      reason:
+        "It's being used in the tutorial page, so it needs to be available for users even if they don't have APM permissions.",
+    },
+  },
   handler: async ({ core, plugins }): Promise<{ hasApmPolicies: boolean }> => {
     const fleetPluginStart = await plugins.fleet?.start();
     if (!fleetPluginStart) {
@@ -53,7 +59,13 @@ const hasFleetDataRoute = createApmServerRoute({
 
 const fleetAgentsRoute = createApmServerRoute({
   endpoint: 'GET /internal/apm/fleet/agents',
-  options: { tags: [] },
+  security: {
+    authz: {
+      enabled: false,
+      reason:
+        "It's being used in the tutorial page, so it needs to be available for users even if they don't have APM permissions.",
+    },
+  },
   handler: async ({ core, plugins }): Promise<FleetAgentResponse> => {
     return getFleetAgents({
       coreStart: await core.start(),
@@ -182,7 +194,13 @@ const createCloudApmPackagePolicyRoute = createApmServerRoute({
 
 const javaAgentVersions = createApmServerRoute({
   endpoint: 'GET /internal/apm/fleet/java_agent_versions',
-  options: { tags: [] },
+  security: {
+    authz: {
+      enabled: false,
+      reason:
+        'It returns static information stored in a public file in https://repo1.maven.org/maven2/co/elastic/apm/elastic-apm-agent/maven-metadata.xml',
+    },
+  },
   handler: async (): Promise<{ versions: string[] | undefined }> => {
     const versions = await getJavaAgentVersionsFromRegistry();
     return {