[ResponseOps][Actions] Manual migration of action routes without acce…

…ss tags (elastic#204030)

Connected with elastic/kibana-team#1322

## Summary

Since most action routes do not use access tags they need to be migrated
to include a reason in the security params.


[Documentation.](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization#opting-out-of-authorization-for-specific-routes)

The following routes were migrated:
- `createConnectorRoute`
- `deleteConnectorRoute`
- `getConnectorRoute`
- `getAllConnectorsRoute`
- `updateConnectorRoute`
- `listTypesRoute`
- `executeConnectorRoute`
- `getGlobalExecutionLogRoute`
- `getGlobalExecutionKPIRoute`
- `getAllConnectorsIncludingSystemRoute`
- `listTypesWithSystemRoute`
- `getOAuthAccessToken`

x-pack/plugins/actions/server/routes/connector/create/create.ts

@@ -17,6 +17,7 @@ import {
   createConnectorRequestBodySchemaV1,
 } from '../../../../common/routes/connector/apis/create';
 import { transformCreateConnectorBodyV1 } from './transforms';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 
 export const createConnectorRoute = (
   router: IRouter<ActionsRequestHandlerContext>,
@@ -25,6 +26,7 @@ export const createConnectorRoute = (
   router.post(
     {
       path: `${BASE_ACTION_API_PATH}/connector/{id?}`,
+      security: DEFAULT_ACTION_ROUTE_SECURITY,
       options: {
         access: 'public',
         summary: 'Create a connector',

x-pack/plugins/actions/server/routes/connector/delete/delete.ts

@@ -14,6 +14,7 @@ import {
   deleteConnectorRequestParamsSchemaV1,
   DeleteConnectorRequestParamsV1,
 } from '../../../../common/routes/connector/apis/delete';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 
 export const deleteConnectorRoute = (
   router: IRouter<ActionsRequestHandlerContext>,
@@ -22,6 +23,7 @@ export const deleteConnectorRoute = (
   router.delete(
     {
       path: `${BASE_ACTION_API_PATH}/connector/{id}`,
+      security: DEFAULT_ACTION_ROUTE_SECURITY,
       options: {
         access: 'public',
         summary: `Delete a connector`,

x-pack/plugins/actions/server/routes/connector/execute/execute.ts

@@ -20,6 +20,7 @@ import {
   ExecuteConnectorRequestParamsV1,
 } from '../../../../common/routes/connector/apis/execute';
 import { transformExecuteConnectorResponseV1 } from './transforms';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 
 export const executeConnectorRoute = (
   router: IRouter<ActionsRequestHandlerContext>,
@@ -28,6 +29,7 @@ export const executeConnectorRoute = (
   router.post(
     {
       path: `${BASE_ACTION_API_PATH}/connector/{id}/_execute`,
+      security: DEFAULT_ACTION_ROUTE_SECURITY,
       options: {
         access: 'public',
         summary: `Run a connector`,

x-pack/plugins/actions/server/routes/connector/get/get.ts

@@ -16,6 +16,7 @@ import { ILicenseState } from '../../../lib';
 import { BASE_ACTION_API_PATH } from '../../../../common';
 import { ActionsRequestHandlerContext } from '../../../types';
 import { verifyAccessAndContext } from '../../verify_access_and_context';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 
 export const getConnectorRoute = (
   router: IRouter<ActionsRequestHandlerContext>,
@@ -24,6 +25,7 @@ export const getConnectorRoute = (
   router.get(
     {
       path: `${BASE_ACTION_API_PATH}/connector/{id}`,
+      security: DEFAULT_ACTION_ROUTE_SECURITY,
       options: {
         access: 'public',
         summary: `Get connector information`,

x-pack/plugins/actions/server/routes/connector/get_all/get_all.ts

@@ -12,6 +12,7 @@ import { ActionsRequestHandlerContext } from '../../../types';
 import { BASE_ACTION_API_PATH } from '../../../../common';
 import { ILicenseState } from '../../../lib';
 import { verifyAccessAndContext } from '../../verify_access_and_context';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 
 export const getAllConnectorsRoute = (
   router: IRouter<ActionsRequestHandlerContext>,
@@ -20,6 +21,7 @@ export const getAllConnectorsRoute = (
   router.get(
     {
       path: `${BASE_ACTION_API_PATH}/connectors`,
+      security: DEFAULT_ACTION_ROUTE_SECURITY,
       options: {
         access: 'public',
         summary: `Get all connectors`,

x-pack/plugins/actions/server/routes/connector/get_all_system/get_all_system.ts

@@ -12,6 +12,7 @@ import { INTERNAL_BASE_ACTION_API_PATH } from '../../../../common';
 import { ILicenseState } from '../../../lib';
 import { verifyAccessAndContext } from '../../verify_access_and_context';
 import { transformGetAllConnectorsResponseV1 } from '../get_all/transforms';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 
 export const getAllConnectorsIncludingSystemRoute = (
   router: IRouter<ActionsRequestHandlerContext>,
@@ -20,6 +21,7 @@ export const getAllConnectorsIncludingSystemRoute = (
   router.get(
     {
       path: `${INTERNAL_BASE_ACTION_API_PATH}/connectors`,
+      security: DEFAULT_ACTION_ROUTE_SECURITY,
       validate: {},
       options: {
         access: 'internal',

x-pack/plugins/actions/server/routes/connector/list_types/list_types.ts

@@ -24,6 +24,12 @@ export const listTypesRoute = (
   router.get(
     {
       path: `${BASE_ACTION_API_PATH}/connector_types`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This API does not require any Kibana feature privileges.',
+        },
+      },
       options: {
         access: 'public',
         summary: `Get connector types`,

x-pack/plugins/actions/server/routes/connector/list_types_system/list_types_system.ts

@@ -24,6 +24,12 @@ export const listTypesWithSystemRoute = (
   router.get(
     {
       path: `${INTERNAL_BASE_ACTION_API_PATH}/connector_types`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This internal API does not require any Kibana feature privileges.',
+        },
+      },
       validate: {
         query: connectorTypesQuerySchemaV1,
       },

x-pack/plugins/actions/server/routes/connector/update/update.ts

@@ -18,6 +18,7 @@ import {
   updateConnectorParamsSchemaV1,
 } from '../../../../common/routes/connector/apis/update';
 import { transformUpdateConnectorResponseV1 } from './transforms';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from '../../constants';
 
 export const updateConnectorRoute = (
   router: IRouter<ActionsRequestHandlerContext>,
@@ -26,6 +27,7 @@ export const updateConnectorRoute = (
   router.put(
     {
       path: `${BASE_ACTION_API_PATH}/connector/{id}`,
+      security: DEFAULT_ACTION_ROUTE_SECURITY,
       options: {
         access: 'public',
         summary: `Update a connector`,

x-pack/plugins/actions/server/routes/constants.ts

@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { RouteSecurity } from '@kbn/core-http-server';
+
+/**
+ * This constant is used as the default value for the security object in routes
+ * where a reason for opting out needs to be provided.
+ */
+export const DEFAULT_ACTION_ROUTE_SECURITY: RouteSecurity = {
+  authz: {
+    enabled: false,
+    reason:
+      'This route is opted out from authorization because actions use their own authorization model inside the actions client.',
+  },
+};

x-pack/plugins/actions/server/routes/get_global_execution_kpi.ts

@@ -15,6 +15,7 @@ import { verifyAccessAndContext } from './verify_access_and_context';
 import { ActionsRequestHandlerContext } from '../types';
 import { ILicenseState } from '../lib';
 import { rewriteNamespaces } from './rewrite_namespaces';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from './constants';
 
 const bodySchema = schema.object({
   date_start: schema.string(),
@@ -42,6 +43,7 @@ export const getGlobalExecutionKPIRoute = (
   router.post(
     {
       path: `${INTERNAL_BASE_ACTION_API_PATH}/_global_connector_execution_kpi`,
+      security: DEFAULT_ACTION_ROUTE_SECURITY,
       validate: {
         body: bodySchema,
       },

x-pack/plugins/actions/server/routes/get_global_execution_logs.ts

@@ -16,6 +16,7 @@ import {
 } from '../../common';
 import { verifyAccessAndContext } from './verify_access_and_context';
 import { rewriteNamespaces } from './rewrite_namespaces';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from './constants';
 
 const sortOrderSchema = schema.oneOf([schema.literal('asc'), schema.literal('desc')]);
 
@@ -54,6 +55,7 @@ export const getGlobalExecutionLogRoute = (
   router.post(
     {
       path: `${INTERNAL_BASE_ACTION_API_PATH}/_global_connector_execution_logs`,
+      security: DEFAULT_ACTION_ROUTE_SECURITY,
       validate: {
         body: bodySchema,
       },

x-pack/plugins/actions/server/routes/get_oauth_access_token.ts

@@ -12,6 +12,7 @@ import { INTERNAL_BASE_ACTION_API_PATH } from '../../common';
 import { ActionsRequestHandlerContext } from '../types';
 import { verifyAccessAndContext } from './verify_access_and_context';
 import { ActionsConfigurationUtilities } from '../actions_config';
+import { DEFAULT_ACTION_ROUTE_SECURITY } from './constants';
 
 const oauthJwtBodySchema = schema.object({
   tokenUrl: schema.string(),
@@ -63,6 +64,7 @@ export const getOAuthAccessToken = (
   router.post(
     {
       path: `${INTERNAL_BASE_ACTION_API_PATH}/connector/_oauth_access_token`,
+      security: DEFAULT_ACTION_ROUTE_SECURITY,
       validate: {
         body: bodySchema,
       },