From 3ff80a2aba10a367405cc31a0a047b08670094be Mon Sep 17 00:00:00 2001 From: Antonio Date: Fri, 13 Dec 2024 14:57:13 +0100 Subject: [PATCH] [ResponseOps][Actions] Manual migration of action routes without access tags (#204030) Connected with https://github.com/elastic/kibana-team/issues/1322 ## Summary Since most action routes do not use access tags they need to be migrated to include a reason in the security params. [Documentation.](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization#opting-out-of-authorization-for-specific-routes) The following routes were migrated: - `createConnectorRoute` - `deleteConnectorRoute` - `getConnectorRoute` - `getAllConnectorsRoute` - `updateConnectorRoute` - `listTypesRoute` - `executeConnectorRoute` - `getGlobalExecutionLogRoute` - `getGlobalExecutionKPIRoute` - `getAllConnectorsIncludingSystemRoute` - `listTypesWithSystemRoute` - `getOAuthAccessToken` (cherry picked from commit 2dc790bbc024fd805aaafc9b2f6a5cc79dd2c6e2)
---
 .../server/routes/connector/create/create.ts | 2 ++
 .../server/routes/connector/delete/delete.ts | 2 ++
 .../routes/connector/execute/execute.ts | 2 ++
 .../server/routes/connector/get/get.ts | 2 ++
 .../routes/connector/get_all/get_all.ts | 2 ++
 .../get_all_system/get_all_system.ts | 2 ++
 .../routes/connector/list_types/list_types.ts | 6 ++++++
 .../list_types_system/list_types_system.ts | 6 ++++++
 .../server/routes/connector/update/update.ts | 2 ++
 .../actions/server/routes/constants.ts | 20 +++++++++++++++++++
 .../server/routes/get_global_execution_kpi.ts | 2 ++
 .../routes/get_global_execution_logs.ts | 2 ++
 .../server/routes/get_oauth_access_token.ts | 2 ++
 13 files changed, 52 insertions(+)
 create mode 100644 x-pack/plugins/actions/server/routes/constants.ts
diff --git a/x-pack/plugins/actions/server/routes/connector/create/create.ts b/x-pack/plugins/actions/server/routes/connector/create/create.ts
index cd5073506c03f..d828c7339dc26 100644
--- a/x-pack/plugins/actions/server/routes/connector/create/create.ts
+++ b/x-pack/plugins/actions/server/routes/connector/create/create.ts
@@ -17,6 +17,7 @@ import {
 createConnectorRequestBodySchemaV1,
 } from '../../../../common/routes/connector/apis/create';
 import { transformCreateConnectorBodyV1 } from './transforms';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const createConnectorRoute = (
 router: IRouter,
@@ -25,6 +26,7 @@ export const createConnectorRoute = (
 router.post(
 {
 path: `${BASE_ACTION_API_PATH}/connector/{id?}`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 options: {
 access: 'public',
 summary: 'Create a connector',
diff --git a/x-pack/plugins/actions/server/routes/connector/delete/delete.ts b/x-pack/plugins/actions/server/routes/connector/delete/delete.ts
index 38f7c41d6037b..acb9b64b754c8 100644
--- a/x-pack/plugins/actions/server/routes/connector/delete/delete.ts
+++ b/x-pack/plugins/actions/server/routes/connector/delete/delete.ts
@@ -14,6 +14,7 @@ import {
 deleteConnectorRequestParamsSchemaV1,
 DeleteConnectorRequestParamsV1,
 } from '../../../../common/routes/connector/apis/delete';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const deleteConnectorRoute = (
 router: IRouter,
@@ -22,6 +23,7 @@ export const deleteConnectorRoute = (
 router.delete(
 {
 path: `${BASE_ACTION_API_PATH}/connector/{id}`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 options: {
 access: 'public',
 summary: `Delete a connector`,
diff --git a/x-pack/plugins/actions/server/routes/connector/execute/execute.ts b/x-pack/plugins/actions/server/routes/connector/execute/execute.ts
index ab5ed25ff5f78..bbcb4f6a5a39c 100644
--- a/x-pack/plugins/actions/server/routes/connector/execute/execute.ts
+++ b/x-pack/plugins/actions/server/routes/connector/execute/execute.ts
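Review bot: The `security: DEFAULT_ACTION_ROUTE_SECURITY` line added in `createConnectorRoute` switches off the route-level authorization check, so the handler becomes the only place where access is enforced, and that handler lies outside the hunk. The same line is added in delete, execute, get, get_all, get_all_system, update, get_global_execution_kpi, get_global_execution_logs and get_oauth_access_token, while the diffstat lists no test files. I would add, for each of these routes, an API test in which a user without connector privileges is rejected, and a comment above the line such as `// authz is enforced by the actions client call in the handler; every code path must reach it`. Whether each handler does reach an authorizing actions-client method cannot be confirmed from this diff; `getOAuthAccessToken` and the two global execution routes are the ones I would verify first.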
@@ -20,6 +20,7 @@ import {
 ExecuteConnectorRequestParamsV1,
 } from '../../../../common/routes/connector/apis/execute';
 import { transformExecuteConnectorResponseV1 } from './transforms';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const executeConnectorRoute = (
 router: IRouter,
@@ -28,6 +29,7 @@ export const executeConnectorRoute = (
 router.post(
 {
 path: `${BASE_ACTION_API_PATH}/connector/{id}/_execute`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 options: {
 access: 'public',
 summary: `Run a connector`,
diff --git a/x-pack/plugins/actions/server/routes/connector/get/get.ts b/x-pack/plugins/actions/server/routes/connector/get/get.ts
index eaab31594ba1b..e5777d6ab08ff 100644
--- a/x-pack/plugins/actions/server/routes/connector/get/get.ts
+++ b/x-pack/plugins/actions/server/routes/connector/get/get.ts
@@ -16,6 +16,7 @@ import { ILicenseState } from '../../../lib';
 import { BASE_ACTION_API_PATH } from '../../../../common';
 import { ActionsRequestHandlerContext } from '../../../types';
 import { verifyAccessAndContext } from '../../verify_access_and_context';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const getConnectorRoute = (
 router: IRouter,
@@ -24,6 +25,7 @@ export const getConnectorRoute = (
 router.get(
 {
 path: `${BASE_ACTION_API_PATH}/connector/{id}`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 options: {
 access: 'public',
 summary: `Get connector information`,
diff --git a/x-pack/plugins/actions/server/routes/connector/get_all/get_all.ts b/x-pack/plugins/actions/server/routes/connector/get_all/get_all.ts
index 27f43a75eb151..945e878d445bd 100644
--- a/x-pack/plugins/actions/server/routes/connector/get_all/get_all.ts
+++ b/x-pack/plugins/actions/server/routes/connector/get_all/get_all.ts
@@ -12,6 +12,7 @@ import { ActionsRequestHandlerContext } from '../../../types';
 import { BASE_ACTION_API_PATH } from '../../../../common';
 import { ILicenseState } from '../../../lib';
 import { verifyAccessAndContext } from '../../verify_access_and_context';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const getAllConnectorsRoute = (
 router: IRouter,
@@ -20,6 +21,7 @@ export const getAllConnectorsRoute = (
 router.get(
 {
 path: `${BASE_ACTION_API_PATH}/connectors`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 options: {
 access: 'public',
 summary: `Get all connectors`,
diff --git a/x-pack/plugins/actions/server/routes/connector/get_all_system/get_all_system.ts b/x-pack/plugins/actions/server/routes/connector/get_all_system/get_all_system.ts
index 747d97e5ba8a3..4259f113a4456 100644
--- a/x-pack/plugins/actions/server/routes/connector/get_all_system/get_all_system.ts
+++ b/x-pack/plugins/actions/server/routes/connector/get_all_system/get_all_system.ts
@@ -12,6 +12,7 @@ import { INTERNAL_BASE_ACTION_API_PATH } from '../../../../common';
 import { ILicenseState } from '../../../lib';
 import { verifyAccessAndContext } from '../../verify_access_and_context';
 import { transformGetAllConnectorsResponseV1 } from '../get_all/transforms';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const getAllConnectorsIncludingSystemRoute = (
 router: IRouter,
@@ -20,6 +21,7 @@ export const getAllConnectorsIncludingSystemRoute = (
 router.get(
 {
 path: `${INTERNAL_BASE_ACTION_API_PATH}/connectors`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 validate: {},
 options: {
 access: 'internal',
diff --git a/x-pack/plugins/actions/server/routes/connector/list_types/list_types.ts b/x-pack/plugins/actions/server/routes/connector/list_types/list_types.ts
index 20ca0d9343608..3078b9438d875 100644
--- a/x-pack/plugins/actions/server/routes/connector/list_types/list_types.ts
+++ b/x-pack/plugins/actions/server/routes/connector/list_types/list_types.ts
@@ -24,6 +24,12 @@ export const listTypesRoute = (
 router.get(
 {
 path: `${BASE_ACTION_API_PATH}/connector_types`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'This API does not require any Kibana feature privileges.',
+ },
+ },
 options: {
 access: 'public',
 summary: `Get connector types`,
diff --git a/x-pack/plugins/actions/server/routes/connector/list_types_system/list_types_system.ts b/x-pack/plugins/actions/server/routes/connector/list_types_system/list_types_system.ts
index c43912ecbc7e4..892ded96bbded 100644
--- a/x-pack/plugins/actions/server/routes/connector/list_types_system/list_types_system.ts
+++ b/x-pack/plugins/actions/server/routes/connector/list_types_system/list_types_system.ts
@@ -24,6 +24,12 @@ export const listTypesWithSystemRoute = (
 router.get(
 {
 path: `${INTERNAL_BASE_ACTION_API_PATH}/connector_types`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'This internal API does not require any Kibana feature privileges.',
+ },
+ },
 validate: {
 query: connectorTypesQuerySchemaV1,
 },
diff --git a/x-pack/plugins/actions/server/routes/connector/update/update.ts b/x-pack/plugins/actions/server/routes/connector/update/update.ts
index 888cdee9b0e3a..8686ff2d7efd0 100644
--- a/x-pack/plugins/actions/server/routes/connector/update/update.ts
+++ b/x-pack/plugins/actions/server/routes/connector/update/update.ts
@@ -18,6 +18,7 @@ import {
 updateConnectorParamsSchemaV1,
 } from '../../../../common/routes/connector/apis/update';
 import { transformUpdateConnectorResponseV1 } from './transforms';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 export const updateConnectorRoute = (
 router: IRouter,
@@ -26,6 +27,7 @@ export const updateConnectorRoute = (
 router.put(
 {
 path: `${BASE_ACTION_API_PATH}/connector/{id}`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 options: {
 access: 'public',
 summary: `Update a connector`,
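Review bot: The `reason` added in `listTypesRoute`, 'This API does not require any Kibana feature privileges.', states that no check is needed without saying why, and the why is what a later audit of authorization opt-outs has to rely on. The same inline object is repeated in `listTypesWithSystemRoute` with the word 'internal' added. I would name what makes the response safe to return without a privilege check, for example `reason: 'Returns connector type metadata only; no connector configuration or secrets are exposed.'`, once that has been confirmed for the system-type listing too. Moving the object into `constants.ts` as a second named constant would keep the two routes from drifting apart.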
diff --git a/x-pack/plugins/actions/server/routes/constants.ts b/x-pack/plugins/actions/server/routes/constants.ts
new file mode 100644
index 0000000000000..2c71110b92833
--- /dev/null
+++ b/x-pack/plugins/actions/server/routes/constants.ts
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { RouteSecurity } from '@kbn/core-http-server';
+
+/**
+ * This constant is used as the default value for the security object in routes
+ * where a reason for opting out needs to be provided.
+ */
+export const DEFAULT_ACTION_ROUTE_SECURITY: RouteSecurity = {
+ authz: {
+ enabled: false,
+ reason:
+ 'This route is opted out from authorization because actions use their own authorization model inside the actions client.',
+ },
+};
diff --git a/x-pack/plugins/actions/server/routes/get_global_execution_kpi.ts b/x-pack/plugins/actions/server/routes/get_global_execution_kpi.ts
index 93034745584a7..a82cee84082bf 100644
--- a/x-pack/plugins/actions/server/routes/get_global_execution_kpi.ts
+++ b/x-pack/plugins/actions/server/routes/get_global_execution_kpi.ts
@@ -15,6 +15,7 @@ import { verifyAccessAndContext } from './verify_access_and_context';
 import { ActionsRequestHandlerContext } from '../types';
 import { ILicenseState } from '../lib';
 import { rewriteNamespaces } from './rewrite_namespaces';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from './constants';
 const bodySchema = schema.object({
 date_start: schema.string(),
@@ -42,6 +43,7 @@ export const getGlobalExecutionKPIRoute = (
 router.post(
 {
 path: `${INTERNAL_BASE_ACTION_API_PATH}/_global_connector_execution_kpi`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 validate: {
 body: bodySchema,
 },
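Review bot: `DEFAULT_ACTION_ROUTE_SECURITY` in the new `constants.ts` is a single mutable object handed to every route that imports it, so a write to its `authz` field anywhere would change the security configuration of all those routes at once. Wrapping the literal and its nested `authz` object in `Object.freeze(...)` removes that coupling without changing the exported name or type. The doc comment also leaves out the condition for using the constant; I would add `* Use only on routes whose handler authorizes through the actions client; a route that skips the client must declare its own security config.` The word DEFAULT in the name otherwise invites copying it onto routes where the stated reason is not true.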
diff --git a/x-pack/plugins/actions/server/routes/get_global_execution_logs.ts b/x-pack/plugins/actions/server/routes/get_global_execution_logs.ts
index d42ce07a814cf..2dc6bffa8f6f0 100644
--- a/x-pack/plugins/actions/server/routes/get_global_execution_logs.ts
+++ b/x-pack/plugins/actions/server/routes/get_global_execution_logs.ts
@@ -16,6 +16,7 @@ import {
 } from '../../common';
 import { verifyAccessAndContext } from './verify_access_and_context';
 import { rewriteNamespaces } from './rewrite_namespaces';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from './constants';
 const sortOrderSchema = schema.oneOf([schema.literal('asc'), schema.literal('desc')]);
@@ -54,6 +55,7 @@ export const getGlobalExecutionLogRoute = (
 router.post(
 {
 path: `${INTERNAL_BASE_ACTION_API_PATH}/_global_connector_execution_logs`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 validate: {
 body: bodySchema,
 },
diff --git a/x-pack/plugins/actions/server/routes/get_oauth_access_token.ts b/x-pack/plugins/actions/server/routes/get_oauth_access_token.ts
index b703c0de220f1..0d296fe55070b 100644
--- a/x-pack/plugins/actions/server/routes/get_oauth_access_token.ts
+++ b/x-pack/plugins/actions/server/routes/get_oauth_access_token.ts
@@ -12,6 +12,7 @@ import { INTERNAL_BASE_ACTION_API_PATH } from '../../common';
 import { ActionsRequestHandlerContext } from '../types';
 import { verifyAccessAndContext } from './verify_access_and_context';
 import { ActionsConfigurationUtilities } from '../actions_config';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from './constants';
 const oauthJwtBodySchema = schema.object({
 tokenUrl: schema.string(),
@@ -63,6 +64,7 @@ export const getOAuthAccessToken = (
 router.post(
 {
 path: `${INTERNAL_BASE_ACTION_API_PATH}/connector/_oauth_access_token`,
+ security: DEFAULT_ACTION_ROUTE_SECURITY,
 validate: {
 body: bodySchema,
 },