Authorized route migration for routes owned by security-entity-analyt…

…ics (elastic#198385) ### Authz API migration for authorized routes This PR migrates `access:<privilege>` tags used in route definitions to new security configuration. Please refer to the documentation for more information: [Authorization API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization) ### **Before migration:** Access control tags were defined in the `options` object of the route: ```ts router.get({ path: '/api/path', options: { tags: ['access:<privilege_1>', 'access:<privilege_2>'], }, ... }, handler); ``` ### **After migration:** Tags have been replaced with the more robust `security.authz.requiredPrivileges` field under `security`: ```ts router.get({ path: '/api/path', security: { authz: { requiredPrivileges: ['<privilege_1>', '<privilege_2>'], }, }, ... }, handler); ``` ### What to do next? 1. Review the changes in this PR. 2. You might need to update your tests to reflect the new security configuration: - If you have tests that rely on checking `access` tags. - If you have snapshot tests that include the route definition. - If you have FTR tests that rely on checking unauthorized error message. The error message changed to also include missing privileges. ## Any questions? If you have any questions or need help with API authorization, please reach out to the `@elastic/kibana-security` team. Co-authored-by: Pablo Machado <[email protected]>
pheyos · Nov 6, 2024 · 0e99a77 · 0e99a77
1 parent 7608d76
commit 0e99a77
Show file tree

Hide file tree

Showing 36 changed files with 149 additions and 73 deletions.
diff --git a/...ins/security_solution/server/lib/entity_analytics/asset_criticality/routes/bulk_upload.ts b/...ins/security_solution/server/lib/entity_analytics/asset_criticality/routes/bulk_upload.ts
@@ -33,8 +33,10 @@ export const assetCriticalityPublicBulkUploadRoute = (
     .post({
       access: 'public',
       path: ASSET_CRITICALITY_PUBLIC_BULK_UPLOAD_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/.../plugins/security_solution/server/lib/entity_analytics/asset_criticality/routes/delete.ts b/.../plugins/security_solution/server/lib/entity_analytics/asset_criticality/routes/delete.ts
@@ -28,8 +28,10 @@ export const assetCriticalityPublicDeleteRoute = (
     .delete({
       access: 'public',
       path: ASSET_CRITICALITY_PUBLIC_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/asset_criticality/routes/get.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/asset_criticality/routes/get.ts
@@ -30,8 +30,10 @@ export const assetCriticalityPublicGetRoute = (
     .get({
       access: 'public',
       path: ASSET_CRITICALITY_PUBLIC_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/...ck/plugins/security_solution/server/lib/entity_analytics/asset_criticality/routes/list.ts b/...ck/plugins/security_solution/server/lib/entity_analytics/asset_criticality/routes/list.ts
@@ -28,8 +28,10 @@ export const assetCriticalityPublicListRoute = (
     .get({
       access: 'public',
       path: ASSET_CRITICALITY_PUBLIC_LIST_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/...gins/security_solution/server/lib/entity_analytics/asset_criticality/routes/privileges.ts b/...gins/security_solution/server/lib/entity_analytics/asset_criticality/routes/privileges.ts
@@ -28,8 +28,10 @@ export const assetCriticalityInternalPrivilegesRoute = (
     .get({
       access: 'internal',
       path: ASSET_CRITICALITY_INTERNAL_PRIVILEGES_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/.../plugins/security_solution/server/lib/entity_analytics/asset_criticality/routes/status.ts b/.../plugins/security_solution/server/lib/entity_analytics/asset_criticality/routes/status.ts
@@ -26,8 +26,10 @@ export const assetCriticalityInternalStatusRoute = (
     .get({
       access: 'internal',
       path: ASSET_CRITICALITY_INTERNAL_STATUS_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/...gins/security_solution/server/lib/entity_analytics/asset_criticality/routes/upload_csv.ts b/...gins/security_solution/server/lib/entity_analytics/asset_criticality/routes/upload_csv.ts
@@ -35,8 +35,12 @@ export const assetCriticalityPublicCSVUploadRoute = (
     .post({
       access: 'public',
       path: ASSET_CRITICALITY_PUBLIC_CSV_UPLOAD_URL,
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
+      },
       options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
         body: {
           output: 'stream',
           accepts: 'multipart/form-data',

diff --git a/.../plugins/security_solution/server/lib/entity_analytics/asset_criticality/routes/upsert.ts b/.../plugins/security_solution/server/lib/entity_analytics/asset_criticality/routes/upsert.ts
@@ -31,8 +31,10 @@ export const assetCriticalityPublicUpsertRoute = (
     .post({
       access: 'public',
       path: ASSET_CRITICALITY_PUBLIC_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/...curity_solution/server/lib/entity_analytics/entity_store/routes/apply_dataview_indices.ts b/...curity_solution/server/lib/entity_analytics/entity_store/routes/apply_dataview_indices.ts
@@ -20,8 +20,10 @@ export const applyDataViewIndicesEntityEngineRoute = (
     .post({
       access: 'public',
       path: '/api/entity_store/engines/apply_dataview_indices',
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/delete.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/delete.ts
@@ -28,8 +28,10 @@ export const deleteEntityEngineRoute = (
     .delete({
       access: 'public',
       path: '/api/entity_store/engines/{entityType}',
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/...lugins/security_solution/server/lib/entity_analytics/entity_store/routes/entities/list.ts b/...lugins/security_solution/server/lib/entity_analytics/entity_store/routes/entities/list.ts
@@ -32,8 +32,10 @@ export const listEntitiesRoute = (router: EntityAnalyticsRoutesDeps['router'], l
     .get({
       access: 'public',
       path: LIST_ENTITIES_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/get.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/get.ts
@@ -23,8 +23,10 @@ export const getEntityEngineRoute = (
     .get({
       access: 'public',
       path: '/api/entity_store/engines/{entityType}',
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/init.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/init.ts
@@ -28,8 +28,10 @@ export const initEntityEngineRoute = (
     .post({
       access: 'public',
       path: '/api/entity_store/engines/{entityType}/init',
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/list.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/list.ts
@@ -22,8 +22,10 @@ export const listEntityEnginesRoute = (
     .get({
       access: 'public',
       path: '/api/entity_store/engines',
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/start.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/start.ts
@@ -24,8 +24,10 @@ export const startEntityEngineRoute = (
     .post({
       access: 'public',
       path: '/api/entity_store/engines/{entityType}/start',
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/stats.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/stats.ts
@@ -23,8 +23,10 @@ export const getEntityEngineStatsRoute = (
     .post({
       access: 'public',
       path: '/api/entity_store/engines/{entityType}/stats',
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/stop.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/routes/stop.ts
@@ -24,8 +24,10 @@ export const stopEntityEngineRoute = (
     .post({
       access: 'public',
       path: '/api/entity_store/engines/{entityType}/stop',
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_engine/routes/delete.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_engine/routes/delete.ts
@@ -23,8 +23,10 @@ export const riskEngineCleanupRoute = (
     .delete({
       access: 'public',
       path: RISK_ENGINE_CLEANUP_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_engine/routes/disable.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_engine/routes/disable.ts
@@ -24,8 +24,10 @@ export const riskEngineDisableRoute = (
     .post({
       access: 'internal',
       path: RISK_ENGINE_DISABLE_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_engine/routes/enable.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_engine/routes/enable.ts
@@ -24,8 +24,10 @@ export const riskEngineEnableRoute = (
     .post({
       access: 'internal',
       path: RISK_ENGINE_ENABLE_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_engine/routes/init.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_engine/routes/init.ts
@@ -26,8 +26,10 @@ export const riskEngineInitRoute = (
     .post({
       access: 'internal',
       path: RISK_ENGINE_INIT_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/...ck/plugins/security_solution/server/lib/entity_analytics/risk_engine/routes/privileges.ts b/...ck/plugins/security_solution/server/lib/entity_analytics/risk_engine/routes/privileges.ts
@@ -24,8 +24,10 @@ export const riskEnginePrivilegesRoute = (
     .get({
       access: 'internal',
       path: RISK_ENGINE_PRIVILEGES_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/.../plugins/security_solution/server/lib/entity_analytics/risk_engine/routes/schedule_now.ts b/.../plugins/security_solution/server/lib/entity_analytics/risk_engine/routes/schedule_now.ts
@@ -27,8 +27,10 @@ export const riskEngineScheduleNowRoute = (
     .post({
       access: 'public',
       path: RISK_ENGINE_SCHEDULE_NOW_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_engine/routes/settings.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_engine/routes/settings.ts
@@ -19,8 +19,10 @@ export const riskEngineSettingsRoute = (router: EntityAnalyticsRoutesDeps['route
     .get({
       access: 'internal',
       path: RISK_ENGINE_SETTINGS_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_engine/routes/status.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_engine/routes/status.ts
@@ -20,8 +20,10 @@ export const riskEngineStatusRoute = (
     .get({
       access: 'internal',
       path: RISK_ENGINE_STATUS_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/...ins/security_solution/server/lib/entity_analytics/risk_score/routes/entity_calculation.ts b/...ins/security_solution/server/lib/entity_analytics/risk_score/routes/entity_calculation.ts
@@ -166,8 +166,10 @@ export const deprecatedRiskScoreEntityCalculationRoute = (
     .post({
       path: '/api/risk_scores/calculation/entity',
       access: 'internal',
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(
@@ -192,8 +194,10 @@ export const riskScoreEntityCalculationRoute = (
     .post({
       path: RISK_SCORE_ENTITY_CALCULATION_URL,
       access: 'internal',
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_score/routes/preview.ts b/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_score/routes/preview.ts
@@ -30,8 +30,10 @@ export const riskScorePreviewRoute = (
     .post({
       access: 'internal',
       path: RISK_SCORE_PREVIEW_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/security_solution/server/lib/risk_score/index_status/index.ts b/x-pack/plugins/security_solution/server/lib/risk_score/index_status/index.ts
@@ -18,8 +18,10 @@ export const getRiskScoreIndexStatusRoute = (router: SecuritySolutionPluginRoute
     .get({
       access: 'internal',
       path: RISK_SCORE_INDEX_STATUS_API_URL,
-      options: {
-        tags: ['access:securitySolution', `access:${APP_ID}-entity-analytics`],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution', `${APP_ID}-entity-analytics`],
+        },
       },
     })
     .addVersion(

diff --git a/x-pack/plugins/security_solution/server/lib/risk_score/indices/create_index_route.ts b/x-pack/plugins/security_solution/server/lib/risk_score/indices/create_index_route.ts
@@ -19,8 +19,10 @@ export const createEsIndexRoute = (router: SecuritySolutionPluginRouter, logger:
     .put({
       access: 'internal',
       path: RISK_SCORE_CREATE_INDEX,
-      options: {
-        tags: ['access:securitySolution'],
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
       },
     })
     .addVersion(