Authorized route migration for routes owned by security-entity-analytics (elastic#198385)

### Authz API migration for authorized routes

This PR migrates `access:<privilege>` tags used in route definitions to
new security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
Access control tags were defined in the `options` object of the route:

```ts
router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);
```

### **After migration:**
Tags have been replaced with the more robust
`security.authz.requiredPrivileges` field under `security`:

```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have tests that rely on checking `access` tags.
  - If you have snapshot tests that include the route definition.
  - If you have FTR tests that rely on checking the unauthorized error message. The error message has changed to also include the missing privileges.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

Co-authored-by: Pablo Machado <pablo.nevesmachado@elastic.co>
(cherry picked from commit 0e99a77)
kibanamachine committed Nov 6, 2024
1 parent 197256b commit 8d016ba
Showing 36 changed files with 149 additions and 73 deletions.
Expand Up @@ -33,8 +33,10 @@ export const assetCriticalityPublicBulkUploadRoute = (
.post({
access: 'public',
path: ASSET_CRITICALITY_PUBLIC_BULK_UPLOAD_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
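Review bot: The new `requiredPrivileges` list in the `security.authz` block keeps the all-of semantics of the old `access:` tags only because its entries are plain strings; the same field also accepts object entries such as `{ anyRequired: [...] }`, so nothing in the code records that `securitySolution` and `${APP_ID}-entity-analytics` are meant to be required together. A one-line comment above the array, e.g. `// both privileges are required (all-of); use anyRequired only if one should suffice`, would keep a later edit from silently loosening the check. The same applies to every other route hunk in this commit (the remaining asset criticality, entity store, risk engine and risk score routes). `assetCriticalityPublicBulkUploadRoute` starts and ends outside the hunk.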
Expand Up @@ -28,8 +28,10 @@ export const assetCriticalityPublicDeleteRoute = (
.delete({
access: 'public',
path: ASSET_CRITICALITY_PUBLIC_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -30,8 +30,10 @@ export const assetCriticalityPublicGetRoute = (
.get({
access: 'public',
path: ASSET_CRITICALITY_PUBLIC_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -28,8 +28,10 @@ export const assetCriticalityPublicListRoute = (
.get({
access: 'public',
path: ASSET_CRITICALITY_PUBLIC_LIST_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -28,8 +28,10 @@ export const assetCriticalityInternalPrivilegesRoute = (
.get({
access: 'internal',
path: ASSET_CRITICALITY_INTERNAL_PRIVILEGES_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -26,8 +26,10 @@ export const assetCriticalityInternalStatusRoute = (
.get({
access: 'internal',
path: ASSET_CRITICALITY_INTERNAL_STATUS_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -35,8 +35,12 @@ export const assetCriticalityPublicCSVUploadRoute = (
.post({
access: 'public',
path: ASSET_CRITICALITY_PUBLIC_CSV_UPLOAD_URL,
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
body: {
output: 'stream',
accepts: 'multipart/form-data',
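Review bot: In `assetCriticalityPublicCSVUploadRoute` the new `security` block is inserted above the retained `options` object, while every other hunk in this commit places it where `options` used to sit; the order has no effect on behaviour, but putting `security` directly after `options` here would keep the route definitions uniform across the migrated files. `options` is kept only for its `body` settings (`output: 'stream'`, `accepts: 'multipart/form-data'`), which is why this file differs from the others. The route definition continues past the end of the hunk.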
Expand Up @@ -31,8 +31,10 @@ export const assetCriticalityPublicUpsertRoute = (
.post({
access: 'public',
path: ASSET_CRITICALITY_PUBLIC_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -20,8 +20,10 @@ export const applyDataViewIndicesEntityEngineRoute = (
.post({
access: 'public',
path: '/api/entity_store/engines/apply_dataview_indices',
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -28,8 +28,10 @@ export const deleteEntityEngineRoute = (
.delete({
access: 'public',
path: '/api/entity_store/engines/{entityType}',
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -32,8 +32,10 @@ export const listEntitiesRoute = (router: EntityAnalyticsRoutesDeps['router'], l
.get({
access: 'public',
path: LIST_ENTITIES_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -23,8 +23,10 @@ export const getEntityEngineRoute = (
.get({
access: 'public',
path: '/api/entity_store/engines/{entityType}',
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -28,8 +28,10 @@ export const initEntityEngineRoute = (
.post({
access: 'public',
path: '/api/entity_store/engines/{entityType}/init',
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -22,8 +22,10 @@ export const listEntityEnginesRoute = (
.get({
access: 'public',
path: '/api/entity_store/engines',
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -24,8 +24,10 @@ export const startEntityEngineRoute = (
.post({
access: 'public',
path: '/api/entity_store/engines/{entityType}/start',
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -23,8 +23,10 @@ export const getEntityEngineStatsRoute = (
.post({
access: 'public',
path: '/api/entity_store/engines/{entityType}/stats',
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -24,8 +24,10 @@ export const stopEntityEngineRoute = (
.post({
access: 'public',
path: '/api/entity_store/engines/{entityType}/stop',
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -23,8 +23,10 @@ export const riskEngineCleanupRoute = (
.delete({
access: 'public',
path: RISK_ENGINE_CLEANUP_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -24,8 +24,10 @@ export const riskEngineDisableRoute = (
.post({
access: 'internal',
path: RISK_ENGINE_DISABLE_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -24,8 +24,10 @@ export const riskEngineEnableRoute = (
.post({
access: 'internal',
path: RISK_ENGINE_ENABLE_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -26,8 +26,10 @@ export const riskEngineInitRoute = (
.post({
access: 'internal',
path: RISK_ENGINE_INIT_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -24,8 +24,10 @@ export const riskEnginePrivilegesRoute = (
.get({
access: 'internal',
path: RISK_ENGINE_PRIVILEGES_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -27,8 +27,10 @@ export const riskEngineScheduleNowRoute = (
.post({
access: 'public',
path: RISK_ENGINE_SCHEDULE_NOW_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -19,8 +19,10 @@ export const riskEngineSettingsRoute = (router: EntityAnalyticsRoutesDeps['route
.get({
access: 'internal',
path: RISK_ENGINE_SETTINGS_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -20,8 +20,10 @@ export const riskEngineStatusRoute = (
.get({
access: 'internal',
path: RISK_ENGINE_STATUS_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -166,8 +166,10 @@ export const deprecatedRiskScoreEntityCalculationRoute = (
.post({
path: '/api/risk_scores/calculation/entity',
access: 'internal',
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand All @@ -192,8 +194,10 @@ export const riskScoreEntityCalculationRoute = (
.post({
path: RISK_SCORE_ENTITY_CALCULATION_URL,
access: 'internal',
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -30,8 +30,10 @@ export const riskScorePreviewRoute = (
.post({
access: 'internal',
path: RISK_SCORE_PREVIEW_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -18,8 +18,10 @@ export const getRiskScoreIndexStatusRoute = (router: SecuritySolutionPluginRoute
.get({
access: 'internal',
path: RISK_SCORE_INDEX_STATUS_API_URL,
options: {
tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
security: {
authz: {
requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
},
},
})
.addVersion(
Expand Up @@ -19,8 +19,10 @@ export const createEsIndexRoute = (router: SecuritySolutionPluginRouter, logger:
.put({
access: 'internal',
path: RISK_SCORE_CREATE_INDEX,
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
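Review bot: `createEsIndexRoute` ends up with `requiredPrivileges: ['securitySolution']` only, whereas every other route migrated in this commit also requires `${APP_ID}-entity-analytics`. The narrower requirement is carried over from the old `access:securitySolution` tag, so it is not introduced here, but this is an internal PUT route that, judging by `RISK_SCORE_CREATE_INDEX`, appears to create an index, and a reader cannot tell from the hunk whether the omission is deliberate. If it is, a short comment such as `// intentionally requires only securitySolution (no entity-analytics privilege)` would document that; if not, the list should be aligned with the sibling routes. The rest of `createEsIndexRoute` lies outside the hunk.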
