Authorized route migration for routes owned by security-detection-rul…

…e-management (elastic#198383) ### Authz API migration for authorized routes This PR migrates `access:<privilege>` tags used in route definitions to new security configuration. Please refer to the documentation for more information: [Authorization API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization) ### **Before migration:** Access control tags were defined in the `options` object of the route: ```ts router.get({ path: '/api/path', options: { tags: ['access:<privilege_1>', 'access:<privilege_2>'], }, ... }, handler); ``` ### **After migration:** Tags have been replaced with the more robust `security.authz.requiredPrivileges` field under `security`: ```ts router.get({ path: '/api/path', security: { authz: { requiredPrivileges: ['<privilege_1>', '<privilege_2>'], }, }, ... }, handler); ``` ### What to do next? 1. Review the changes in this PR. 2. You might need to update your tests to reflect the new security configuration: - If you have tests that rely on checking `access` tags. - If you have snapshot tests that include the route definition. - If you have FTR tests that rely on checking unauthorized error message. The error message changed to also include missing privileges. ## Any questions? If you have any questions or need help with API authorization, please reach out to the `@elastic/kibana-security` team. Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Larry Gregory <larry.gregory@elastic.co>
CAWilson94 · Dec 12, 2024 · 63a0c03 · 63a0c03
1 parent 1e0a4ce
commit 63a0c03
Show file tree

Hide file tree

Showing 31 changed files with 144 additions and 55 deletions.
diff --git a/...solution/server/lib/detection_engine/fleet_integrations/api/get_all_integrations/route.ts b/...solution/server/lib/detection_engine/fleet_integrations/api/get_all_integrations/route.ts
@@ -23,8 +23,10 @@ export const getAllIntegrationsRoute = (router: SecuritySolutionPluginRouter) =>
     .get({
       access: 'internal',
       path: GET_ALL_INTEGRATIONS_URL,
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...on/server/lib/detection_engine/fleet_integrations/api/get_installed_integrations/route.ts b/...on/server/lib/detection_engine/fleet_integrations/api/get_installed_integrations/route.ts
@@ -21,8 +21,10 @@ export const getInstalledIntegrationsRoute = (router: SecuritySolutionPluginRout
     .get({
       access: 'internal',
       path: GET_INSTALLED_INTEGRATIONS_URL,
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/.../detection_engine/prebuilt_rules/api/bootstrap_prebuilt_rules/bootstrap_prebuilt_rules.ts b/.../detection_engine/prebuilt_rules/api/bootstrap_prebuilt_rules/bootstrap_prebuilt_rules.ts
@@ -21,8 +21,10 @@ export const bootstrapPrebuiltRulesRoute = (router: SecuritySolutionPluginRouter
     .post({
       access: 'internal',
       path: BOOTSTRAP_PREBUILT_RULES_URL,
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/.../get_prebuilt_rules_and_timelines_status/get_prebuilt_rules_and_timelines_status_route.ts b/.../get_prebuilt_rules_and_timelines_status/get_prebuilt_rules_and_timelines_status_route.ts
@@ -30,8 +30,10 @@ export const getPrebuiltRulesAndTimelinesStatusRoute = (router: SecuritySolution
     .get({
       access: 'public',
       path: PREBUILT_RULES_STATUS_URL,
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...on_engine/prebuilt_rules/api/get_prebuilt_rules_status/get_prebuilt_rules_status_route.ts b/...on_engine/prebuilt_rules/api/get_prebuilt_rules_status/get_prebuilt_rules_status_route.ts
@@ -20,8 +20,10 @@ export const getPrebuiltRulesStatusRoute = (router: SecuritySolutionPluginRouter
     .get({
       access: 'internal',
       path: GET_PREBUILT_RULES_STATUS_URL,
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...es/api/install_prebuilt_rules_and_timelines/install_prebuilt_rules_and_timelines_route.ts b/...es/api/install_prebuilt_rules_and_timelines/install_prebuilt_rules_and_timelines_route.ts
@@ -33,8 +33,12 @@ export const installPrebuiltRulesAndTimelinesRoute = (router: SecuritySolutionPl
     .put({
       access: 'public',
       path: PREBUILT_RULES_URL,
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
       options: {
-        tags: ['access:securitySolution'],
         timeout: {
           idleSocket: PREBUILT_RULES_OPERATION_SOCKET_TIMEOUT_MS,
         },

diff --git a/...on_engine/prebuilt_rules/api/perform_rule_installation/perform_rule_installation_route.ts b/...on_engine/prebuilt_rules/api/perform_rule_installation/perform_rule_installation_route.ts
@@ -34,8 +34,12 @@ export const performRuleInstallationRoute = (router: SecuritySolutionPluginRoute
     .post({
       access: 'internal',
       path: PERFORM_RULE_INSTALLATION_URL,
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
       options: {
-        tags: ['access:securitySolution'],
         timeout: {
           idleSocket: PREBUILT_RULES_OPERATION_SOCKET_TIMEOUT_MS,
         },

diff --git a/...ib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/perform_rule_upgrade_route.ts b/...ib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/perform_rule_upgrade_route.ts
@@ -35,8 +35,12 @@ export const performRuleUpgradeRoute = (
     .post({
       access: 'internal',
       path: PERFORM_RULE_UPGRADE_URL,
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
       options: {
-        tags: ['access:securitySolution'],
         timeout: {
           idleSocket: PREBUILT_RULES_OPERATION_SOCKET_TIMEOUT_MS,
         },

diff --git a/...tion_engine/prebuilt_rules/api/review_rule_installation/review_rule_installation_route.ts b/...tion_engine/prebuilt_rules/api/review_rule_installation/review_rule_installation_route.ts
@@ -26,8 +26,12 @@ export const reviewRuleInstallationRoute = (router: SecuritySolutionPluginRouter
     .post({
       access: 'internal',
       path: REVIEW_RULE_INSTALLATION_URL,
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
       options: {
-        tags: ['access:securitySolution'],
         timeout: {
           idleSocket: PREBUILT_RULES_OPERATION_SOCKET_TIMEOUT_MS,
         },

diff --git a/.../lib/detection_engine/prebuilt_rules/api/review_rule_upgrade/review_rule_upgrade_route.ts b/.../lib/detection_engine/prebuilt_rules/api/review_rule_upgrade/review_rule_upgrade_route.ts
@@ -35,8 +35,12 @@ export const reviewRuleUpgradeRoute = (router: SecuritySolutionPluginRouter) =>
     .post({
       access: 'internal',
       path: REVIEW_RULE_UPGRADE_URL,
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
       options: {
-        tags: ['access:securitySolution'],
         timeout: {
           idleSocket: PREBUILT_RULES_OPERATION_SOCKET_TIMEOUT_MS,
         },

diff --git a/...rity_solution/server/lib/detection_engine/rule_management/api/rules/bulk_actions/route.ts b/...rity_solution/server/lib/detection_engine/rule_management/api/rules/bulk_actions/route.ts
@@ -61,8 +61,13 @@ export const performBulkActionRoute = (
     .post({
       access: 'public',
       path: DETECTION_ENGINE_RULES_BULK_ACTION,
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
       options: {
-        tags: ['access:securitySolution', routeLimitedConcurrencyTag(MAX_ROUTE_CONCURRENCY)],
+        tags: [routeLimitedConcurrencyTag(MAX_ROUTE_CONCURRENCY)],
         timeout: {
           idleSocket: RULE_MANAGEMENT_BULK_ACTION_SOCKET_TIMEOUT_MS,
         },

diff --git a/...solution/server/lib/detection_engine/rule_management/api/rules/bulk_create_rules/route.ts b/...solution/server/lib/detection_engine/rule_management/api/rules/bulk_create_rules/route.ts
@@ -39,8 +39,12 @@ export const bulkCreateRulesRoute = (router: SecuritySolutionPluginRouter, logge
     .post({
       access: 'public',
       path: DETECTION_ENGINE_RULES_BULK_CREATE,
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
       options: {
-        tags: ['access:securitySolution'],
         timeout: {
           idleSocket: RULE_MANAGEMENT_BULK_ACTION_SOCKET_TIMEOUT_MS,
         },

diff --git a/..._solution/server/lib/detection_engine/rule_management/api/rules/bulk_patch_rules/route.ts b/..._solution/server/lib/detection_engine/rule_management/api/rules/bulk_patch_rules/route.ts
@@ -33,8 +33,12 @@ export const bulkPatchRulesRoute = (router: SecuritySolutionPluginRouter, logger
     .patch({
       access: 'public',
       path: DETECTION_ENGINE_RULES_BULK_UPDATE,
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
       options: {
-        tags: ['access:securitySolution'],
         timeout: {
           idleSocket: RULE_MANAGEMENT_BULK_ACTION_SOCKET_TIMEOUT_MS,
         },

diff --git a/...solution/server/lib/detection_engine/rule_management/api/rules/bulk_update_rules/route.ts b/...solution/server/lib/detection_engine/rule_management/api/rules/bulk_update_rules/route.ts
@@ -37,8 +37,12 @@ export const bulkUpdateRulesRoute = (router: SecuritySolutionPluginRouter, logge
     .put({
       access: 'public',
       path: DETECTION_ENGINE_RULES_BULK_UPDATE,
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
       options: {
-        tags: ['access:securitySolution'],
         timeout: {
           idleSocket: RULE_MANAGEMENT_BULK_ACTION_SOCKET_TIMEOUT_MS,
         },

diff --git a/...solution/server/lib/detection_engine/rule_management/api/rules/coverage_overview/route.ts b/...solution/server/lib/detection_engine/rule_management/api/rules/coverage_overview/route.ts
@@ -22,8 +22,10 @@ export const getCoverageOverviewRoute = (router: SecuritySolutionPluginRouter) =
     .post({
       access: 'internal',
       path: RULE_MANAGEMENT_COVERAGE_OVERVIEW_URL,
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...urity_solution/server/lib/detection_engine/rule_management/api/rules/create_rule/route.ts b/...urity_solution/server/lib/detection_engine/rule_management/api/rules/create_rule/route.ts
@@ -27,8 +27,10 @@ export const createRuleRoute = (router: SecuritySolutionPluginRouter): void => {
       access: 'public',
       path: DETECTION_ENGINE_RULES_URL,
 
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...urity_solution/server/lib/detection_engine/rule_management/api/rules/delete_rule/route.ts b/...urity_solution/server/lib/detection_engine/rule_management/api/rules/delete_rule/route.ts
@@ -24,8 +24,10 @@ export const deleteRuleRoute = (router: SecuritySolutionPluginRouter) => {
     .delete({
       access: 'public',
       path: DETECTION_ENGINE_RULES_URL,
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...rity_solution/server/lib/detection_engine/rule_management/api/rules/export_rules/route.ts b/...rity_solution/server/lib/detection_engine/rule_management/api/rules/export_rules/route.ts
@@ -33,8 +33,12 @@ export const exportRulesRoute = (
     .post({
       access: 'public',
       path: `${DETECTION_ENGINE_RULES_URL}/_export`,
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
       options: {
-        tags: ['access:securitySolution'],
         timeout: {
           idleSocket: RULE_MANAGEMENT_IMPORT_EXPORT_SOCKET_TIMEOUT_MS,
         },

diff --git a/.../security_solution/server/lib/detection_engine/rule_management/api/rules/filters/route.ts b/.../security_solution/server/lib/detection_engine/rule_management/api/rules/filters/route.ts
@@ -56,8 +56,10 @@ export const getRuleManagementFilters = (router: SecuritySolutionPluginRouter) =
     .get({
       access: 'internal',
       path: RULE_MANAGEMENT_FILTERS_URL,
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...curity_solution/server/lib/detection_engine/rule_management/api/rules/find_rules/route.ts b/...curity_solution/server/lib/detection_engine/rule_management/api/rules/find_rules/route.ts
@@ -25,8 +25,10 @@ export const findRulesRoute = (router: SecuritySolutionPluginRouter, logger: Log
     .get({
       access: 'public',
       path: DETECTION_ENGINE_RULES_URL_FIND,
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...rity_solution/server/lib/detection_engine/rule_management/api/rules/import_rules/route.ts b/...rity_solution/server/lib/detection_engine/rule_management/api/rules/import_rules/route.ts
@@ -47,8 +47,12 @@ export const importRulesRoute = (router: SecuritySolutionPluginRouter, config: C
     .post({
       access: 'public',
       path: `${DETECTION_ENGINE_RULES_URL}/_import`,
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
       options: {
-        tags: ['access:securitySolution'],
         body: {
           maxBytes: config.maxRuleImportPayloadBytes,
           output: 'stream',

diff --git a/...curity_solution/server/lib/detection_engine/rule_management/api/rules/patch_rule/route.ts b/...curity_solution/server/lib/detection_engine/rule_management/api/rules/patch_rule/route.ts
@@ -26,8 +26,10 @@ export const patchRuleRoute = (router: SecuritySolutionPluginRouter) => {
     .patch({
       access: 'public',
       path: DETECTION_ENGINE_RULES_URL,
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...ecurity_solution/server/lib/detection_engine/rule_management/api/rules/read_rule/route.ts b/...ecurity_solution/server/lib/detection_engine/rule_management/api/rules/read_rule/route.ts
@@ -24,8 +24,10 @@ export const readRuleRoute = (router: SecuritySolutionPluginRouter, logger: Logg
     .get({
       access: 'public',
       path: DETECTION_ENGINE_RULES_URL,
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...urity_solution/server/lib/detection_engine/rule_management/api/rules/update_rule/route.ts b/...urity_solution/server/lib/detection_engine/rule_management/api/rules/update_rule/route.ts
@@ -27,8 +27,10 @@ export const updateRuleRoute = (router: SecuritySolutionPluginRouter) => {
     .put({
       access: 'public',
       path: DETECTION_ENGINE_RULES_URL,
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...security_solution/server/lib/detection_engine/rule_management/api/tags/read_tags/route.ts b/...security_solution/server/lib/detection_engine/rule_management/api/tags/read_tags/route.ts
@@ -18,8 +18,10 @@ export const readTagsRoute = (router: SecuritySolutionPluginRouter) => {
     .get({
       access: 'public',
       path: DETECTION_ENGINE_TAGS_URL,
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...ule_monitoring/api/detection_engine_health/get_cluster_health/get_cluster_health_route.ts b/...ule_monitoring/api/detection_engine_health/get_cluster_health/get_cluster_health_route.ts
@@ -36,8 +36,10 @@ export const getClusterHealthRoute = (router: SecuritySolutionPluginRouter) => {
     .get({
       access: 'internal',
       path: GET_CLUSTER_HEALTH_URL,
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(
@@ -62,8 +64,10 @@ export const getClusterHealthRoute = (router: SecuritySolutionPluginRouter) => {
     .post({
       access: 'internal',
       path: GET_CLUSTER_HEALTH_URL,
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(

diff --git a/...gine/rule_monitoring/api/detection_engine_health/get_rule_health/get_rule_health_route.ts b/...gine/rule_monitoring/api/detection_engine_health/get_rule_health/get_rule_health_route.ts
@@ -33,8 +33,10 @@ export const getRuleHealthRoute = (router: SecuritySolutionPluginRouter) => {
     .post({
       access: 'internal',
       path: GET_RULE_HEALTH_URL,
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(