From 373902d5f2763e8c236e122db80e71d89dc3e0ec Mon Sep 17 00:00:00 2001 From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Date: Fri, 15 Nov 2024 10:50:01 +1100 Subject: [PATCH] Unauthorized route migration for routes owned by kibana-cloud-security-posture (#198353) ### Authz API migration for unauthorized routes This PR migrates unauthorized routes owned by your team to a new security configuration. Please refer to the documentation for more information: [Authorization API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization) ### **Before migration:** ```ts router.get({ path: '/api/path', ... }, handler); ``` ### **After migration:** ```ts router.get({ path: '/api/path', security: { authz: { enabled: false, reason: 'This route is opted out from authorization because ...', }, }, ... }, handler); ``` ### What to do next? 1. Review the changes in this PR. 2. Elaborate on the reasoning to opt-out of authorization. 3. Routes without a compelling reason to opt-out of authorization should plan to introduce them as soon as possible. 2. You might need to update your tests to reflect the new security configuration: - If you have snapshot tests that include the route definition. ## Any questions? If you have any questions or need help with API authorization, please reach out to the `@elastic/kibana-security` team. --------- Co-authored-by: Paulo Silva --- .../plugins/kubernetes_security/server/routes/aggregate.ts | 5 +++++ x-pack/plugins/kubernetes_security/server/routes/count.ts | 5 +++++ .../server/routes/multi_terms_aggregate.ts | 5 +++++ .../session_view/server/routes/alert_status_route.ts | 5 +++++ x-pack/plugins/session_view/server/routes/alerts_route.ts | 5 +++++ .../session_view/server/routes/get_total_io_bytes_route.ts | 6 ++++++ .../plugins/session_view/server/routes/io_events_route.ts | 6 ++++++ .../session_view/server/routes/process_events_route.ts | 6 ++++++ 8 files changed, 43 insertions(+) 
diff --git a/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts b/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts
index f83ddc818cbb4..4ddb828b68976 100644
--- a/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts
+++ b/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts
@@ -38,6 +38,11 @@ export const registerAggregateRoute = (router: IRouter, logger: Logger) => {
 .addVersion(
 {
 version: '1',
+ security: {
+ authz: {
+ requiredPrivileges: ['securitySolution'],
+ },
+ },
 validate: {
 request: {
 query: schema.object({
diff --git a/x-pack/plugins/kubernetes_security/server/routes/count.ts b/x-pack/plugins/kubernetes_security/server/routes/count.ts
index 0922adeb0cf45..b73452e8e45fc 100644
--- a/x-pack/plugins/kubernetes_security/server/routes/count.ts
+++ b/x-pack/plugins/kubernetes_security/server/routes/count.ts
@@ -28,6 +28,11 @@ export const registerCountRoute = (router: IRouter, logger: Logger) => {
 .addVersion(
 {
 version: '1',
+ security: {
+ authz: {
+ requiredPrivileges: ['securitySolution'],
+ },
+ },
 validate: {
 request: {
 query: schema.object({
diff --git a/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts b/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts
index 83f5b70efe051..b4a0271b63edc 100644
--- a/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts
+++ b/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts
@@ -35,6 +35,11 @@ export const registerMultiTermsAggregateRoute = (router: IRouter, logger: Logger
 .addVersion(
 {
 version: '1',
+ security: {
+ authz: {
+ requiredPrivileges: ['securitySolution'],
+ },
+ },
 validate: {
 request: {
 query: schema.object({
diff --git a/x-pack/plugins/session_view/server/routes/alert_status_route.ts b/x-pack/plugins/session_view/server/routes/alert_status_route.ts
index e0b95f9705e9d..64192198b5e46 100644
--- a/x-pack/plugins/session_view/server/routes/alert_status_route.ts
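Review bot: The `security.authz` block added to the `.addVersion(` options in aggregate.ts sets `requiredPrivileges: ['securitySolution']`, which turns a privilege check on, while the commit description only shows the `enabled: false` opt-out form; the hunks in count.ts, multi_terms_aggregate.ts, alert_status_route.ts and alerts_route.ts do the same. Callers that used these routes without that privilege will presumably be refused after this change, so the description should say that and each route needs a test for a user who lacks the privilege. Nothing in the hunk shows where `securitySolution` is registered, so I would add `// Kibana privilege check; 'securitySolution' must match a privilege registered by the owning feature` above `security:`. The register function begins and ends outside the hunk.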
+++ b/x-pack/plugins/session_view/server/routes/alert_status_route.ts
@@ -31,6 +31,11 @@ export const registerAlertStatusRoute = (
 .addVersion(
 {
 version: '1',
+ security: {
+ authz: {
+ requiredPrivileges: ['securitySolution'],
+ },
+ },
 validate: {
 request: {
 query: schema.object({
diff --git a/x-pack/plugins/session_view/server/routes/alerts_route.ts b/x-pack/plugins/session_view/server/routes/alerts_route.ts
index c6b7fd8db7896..c875236989efe 100644
--- a/x-pack/plugins/session_view/server/routes/alerts_route.ts
+++ b/x-pack/plugins/session_view/server/routes/alerts_route.ts
@@ -36,6 +36,11 @@ export const registerAlertsRoute = (
 .addVersion(
 {
 version: '1',
+ security: {
+ authz: {
+ requiredPrivileges: ['securitySolution'],
+ },
+ },
 validate: {
 request: {
 query: schema.object({
diff --git a/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts b/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts
index 50f36ac47f5a4..7d54654c89cdc 100644
--- a/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts
+++ b/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts
@@ -22,6 +22,12 @@ export const registerGetTotalIOBytesRoute = (router: IRouter, logger: Logger) =>
 .addVersion(
 {
 version: '1',
+ security: {
+ authz: {
+ enabled: false,
+ reason: `This route delegates authorization to Elasticsearch and it's not tied to a Kibana privilege.`,
+ },
+ },
 validate: {
 request: {
 query: schema.object({
diff --git a/x-pack/plugins/session_view/server/routes/io_events_route.ts b/x-pack/plugins/session_view/server/routes/io_events_route.ts
index 9810f9da5aa77..3e73517a978c3 100644
--- a/x-pack/plugins/session_view/server/routes/io_events_route.ts
+++ b/x-pack/plugins/session_view/server/routes/io_events_route.ts
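Review bot: The `reason` text added in get_total_io_bytes_route.ts is one generic sentence repeated verbatim in io_events_route.ts and process_events_route.ts, and it does not name the Elasticsearch privilege or index that actually gates the data, which step 2 of the description asks for. With `enabled: false` no Kibana privilege check runs before the handler, so the opt-out is only safe if the handler queries with the requesting user's credentials; the handler is outside the hunk, so that needs confirming. I would record the condition next to the block, `// authz opt-out: the handler must query as the current user so Elasticsearch index privileges apply`, and make `reason` specific to each route. alert_status_route.ts and alerts_route.ts in the same plugin now require `securitySolution`, so it is worth stating why these three do not.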
@@ -29,6 +29,12 @@ export const registerIOEventsRoute = (router: IRouter, logger: Logger) => {
 .addVersion(
 {
 version: '1',
+ security: {
+ authz: {
+ enabled: false,
+ reason: `This route delegates authorization to Elasticsearch and it's not tied to a Kibana privilege.`,
+ },
+ },
 validate: {
 request: {
 query: schema.object({
diff --git a/x-pack/plugins/session_view/server/routes/process_events_route.ts b/x-pack/plugins/session_view/server/routes/process_events_route.ts
index bc6b24fc36bc5..b30b3b6ddcc51 100644
--- a/x-pack/plugins/session_view/server/routes/process_events_route.ts
+++ b/x-pack/plugins/session_view/server/routes/process_events_route.ts
@@ -43,6 +43,12 @@ export const registerProcessEventsRoute = (
 .addVersion(
 {
 version: '1',
+ security: {
+ authz: {
+ enabled: false,
+ reason: `This route delegates authorization to Elasticsearch and it's not tied to a Kibana privilege.`,
+ },
+ },
 validate: {
 request: {
 query: schema.object({