From dec83ab5d1ca06113b97903aa92d66d0b6e0dc89 Mon Sep 17 00:00:00 2001 From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Date: Fri, 20 Dec 2024 09:13:58 +1100 Subject: [PATCH] [8.x] Unauthorized route migration for routes owned by kibana-presentation (#198329) (#205006) # Backport This will backport the following commits from `main` to `8.x`: - [Unauthorized route migration for routes owned by kibana-presentation (#198329)](https://github.com/elastic/kibana/pull/198329) ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) --- .../options_list_cluster_settings_route.ts | 7 ++++ .../options_list_suggestions_route.ts | 7 ++++ .../server/routes/custom_elements/create.ts | 7 ++++ .../server/routes/custom_elements/delete.ts | 7 ++++ .../server/routes/custom_elements/find.ts | 7 ++++ .../server/routes/custom_elements/get.ts | 7 ++++ .../server/routes/custom_elements/update.ts | 7 ++++ .../server/routes/functions/functions.ts | 34 +++++++++++++---- .../server/routes/shareables/download.ts | 37 +++++++++++++------ .../canvas/server/routes/shareables/zip.ts | 12 +++++- .../canvas/server/routes/templates/list.ts | 7 ++++ .../canvas/server/routes/workpad/create.ts | 7 ++++ .../canvas/server/routes/workpad/delete.ts | 7 ++++ .../canvas/server/routes/workpad/find.ts | 7 ++++ .../canvas/server/routes/workpad/get.ts | 7 ++++ .../canvas/server/routes/workpad/import.ts | 7 ++++ .../canvas/server/routes/workpad/resolve.ts | 7 ++++ .../canvas/server/routes/workpad/update.ts | 21 +++++++++++ .../server/data_indexing/indexing_routes.ts | 35 ++++++++++++++++++ x-pack/plugins/maps/server/mvt/mvt_routes.ts | 14 +++++++ x-pack/plugins/maps/server/routes.ts | 14 +++++++ 21 files changed, 245 insertions(+), 20 deletions(-) diff --git a/src/plugins/controls/server/options_list/options_list_cluster_settings_route.ts b/src/plugins/controls/server/options_list/options_list_cluster_settings_route.ts index 04b0aaa3e6f78..c04a8e9244785 100644 --- a/src/plugins/controls/server/options_list/options_list_cluster_settings_route.ts +++ b/src/plugins/controls/server/options_list/options_list_cluster_settings_route.ts @@ -20,6 +20,13 @@ export const setupOptionsListClusterSettingsRoute = ({ http }: CoreSetup) => { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because it does not take a query, params, or a body, so there is no chance of leaking info.', + }, + }, validate: false, }, async (context, _, response) => { diff --git a/src/plugins/controls/server/options_list/options_list_suggestions_route.ts b/src/plugins/controls/server/options_list/options_list_suggestions_route.ts index 15dd66c5586dc..63176c31b3b7f 100644 --- a/src/plugins/controls/server/options_list/options_list_suggestions_route.ts +++ b/src/plugins/controls/server/options_list/options_list_suggestions_route.ts @@ -33,6 +33,13 @@ export const setupOptionsListSuggestionsRoute = ( .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because permissions will be checked by elasticsearch.', + }, + }, validate: { request: { params: schema.object( diff --git a/x-pack/plugins/canvas/server/routes/custom_elements/create.ts b/x-pack/plugins/canvas/server/routes/custom_elements/create.ts index e0ea4be8d35f1..d4ea0557048bb 100644 --- a/x-pack/plugins/canvas/server/routes/custom_elements/create.ts +++ b/x-pack/plugins/canvas/server/routes/custom_elements/create.ts @@ -29,6 +29,13 @@ export function initializeCreateCustomElementRoute(deps: RouteInitializerDeps) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because authorization is provided by saved objects client.', + }, + }, validate: { request: { body: CustomElementSchema }, }, diff --git a/x-pack/plugins/canvas/server/routes/custom_elements/delete.ts b/x-pack/plugins/canvas/server/routes/custom_elements/delete.ts index 94ea9cda5e367..328812ec32a5d 100644 --- a/x-pack/plugins/canvas/server/routes/custom_elements/delete.ts +++ b/x-pack/plugins/canvas/server/routes/custom_elements/delete.ts @@ -22,6 +22,13 @@ export function initializeDeleteCustomElementRoute(deps: RouteInitializerDeps) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because authorization is provided by saved objects client.', + }, + }, validate: { request: { params: schema.object({ diff --git a/x-pack/plugins/canvas/server/routes/custom_elements/find.ts b/x-pack/plugins/canvas/server/routes/custom_elements/find.ts index a45eb217cd9cb..5d2b0ba1be12d 100644 --- a/x-pack/plugins/canvas/server/routes/custom_elements/find.ts +++ b/x-pack/plugins/canvas/server/routes/custom_elements/find.ts @@ -20,6 +20,13 @@ export function initializeFindCustomElementsRoute(deps: RouteInitializerDeps) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because authorization is provided by saved objects client.', + }, + }, validate: { request: { query: schema.object({ diff --git a/x-pack/plugins/canvas/server/routes/custom_elements/get.ts b/x-pack/plugins/canvas/server/routes/custom_elements/get.ts index 4775d4cb497fb..a6f6a0ffe64bb 100644 --- a/x-pack/plugins/canvas/server/routes/custom_elements/get.ts +++ b/x-pack/plugins/canvas/server/routes/custom_elements/get.ts @@ -21,6 +21,13 @@ export function initializeGetCustomElementRoute(deps: RouteInitializerDeps) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because authorization is provided by saved objects client.', + }, + }, validate: { request: { params: schema.object({ diff --git a/x-pack/plugins/canvas/server/routes/custom_elements/update.ts b/x-pack/plugins/canvas/server/routes/custom_elements/update.ts index eee18fb1e9a07..905e6aa3efed5 100644 --- a/x-pack/plugins/canvas/server/routes/custom_elements/update.ts +++ b/x-pack/plugins/canvas/server/routes/custom_elements/update.ts @@ -30,6 +30,13 @@ export function initializeUpdateCustomElementRoute(deps: RouteInitializerDeps) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because authorization is provided by saved objects client.', + }, + }, validate: { request: { params: schema.object({ diff --git a/x-pack/plugins/canvas/server/routes/functions/functions.ts b/x-pack/plugins/canvas/server/routes/functions/functions.ts index 3a8ff207fa000..70017862ea50f 100644 --- a/x-pack/plugins/canvas/server/routes/functions/functions.ts +++ b/x-pack/plugins/canvas/server/routes/functions/functions.ts @@ -23,13 +23,26 @@ export function initializeGetFunctionsRoute(deps: RouteInitializerDeps) { path: API_ROUTE_FUNCTIONS, access: 'internal', }) - .addVersion({ version: '1', validate: false }, async (context, request, response) => { - const functions = expressions.getFunctions('canvas'); - const body = JSON.stringify(functions); - return response.ok({ - body, - }); - }); + .addVersion( + { + version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because it only provides non-sensitive information about functions available to Canvas.', + }, + }, + validate: false, + }, + async (context, request, response) => { + const functions = expressions.getFunctions('canvas'); + const body = JSON.stringify(functions); + return response.ok({ + body, + }); + } + ); } export function initializeBatchFunctionsRoute(deps: RouteInitializerDeps) { @@ -42,6 +55,13 @@ export function initializeBatchFunctionsRoute(deps: RouteInitializerDeps) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because data source expressions that perform search operations use the Kibana search client which handles permission checking.', + }, + }, validate: { request: { body: schema.object({ diff --git a/x-pack/plugins/canvas/server/routes/shareables/download.ts b/x-pack/plugins/canvas/server/routes/shareables/download.ts index 2d3b4af74855b..6ed41701d9602 100644 --- a/x-pack/plugins/canvas/server/routes/shareables/download.ts +++ b/x-pack/plugins/canvas/server/routes/shareables/download.ts @@ -18,16 +18,29 @@ export function initializeDownloadShareableWorkpadRoute(deps: RouteInitializerDe path: API_ROUTE_SHAREABLE_RUNTIME_DOWNLOAD, access: 'internal', }) - .addVersion({ version: '1', validate: false }, async (_context, _request, response) => { - // TODO: check if this is still an issue on cloud after migrating to NP - // - // The option setting is not for typical use. We're using it here to avoid - // problems in Cloud environments. See elastic/kibana#47405. - // const file = handler.file(SHAREABLE_RUNTIME_FILE, { confine: false }); - const file = readFileSync(SHAREABLE_RUNTIME_FILE); - return response.ok({ - headers: { 'content-type': 'application/octet-stream' }, - body: file, - }); - }); + .addVersion( + { + version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because it is only serving static files.', + }, + }, + validate: false, + }, + async (_context, _request, response) => { + // TODO: check if this is still an issue on cloud after migrating to NP + // + // The option setting is not for typical use. We're using it here to avoid + // problems in Cloud environments. See elastic/kibana#47405. + // const file = handler.file(SHAREABLE_RUNTIME_FILE, { confine: false }); + const file = readFileSync(SHAREABLE_RUNTIME_FILE); + return response.ok({ + headers: { 'content-type': 'application/octet-stream' }, + body: file, + }); + } + ); } diff --git a/x-pack/plugins/canvas/server/routes/shareables/zip.ts b/x-pack/plugins/canvas/server/routes/shareables/zip.ts index d476edb8ca4ac..34e1a9a01789f 100644 --- a/x-pack/plugins/canvas/server/routes/shareables/zip.ts +++ b/x-pack/plugins/canvas/server/routes/shareables/zip.ts @@ -24,7 +24,17 @@ export function initializeZipShareableWorkpadRoute(deps: RouteInitializerDeps) { access: 'internal', }) .addVersion( - { version: '1', validate: { request: { body: RenderedWorkpadSchema } } }, + { + version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because it is only serving static files.', + }, + }, + validate: { request: { body: RenderedWorkpadSchema } }, + }, async (_context, request, response) => { const workpad = request.body; const archive = archiver('zip'); diff --git a/x-pack/plugins/canvas/server/routes/templates/list.ts b/x-pack/plugins/canvas/server/routes/templates/list.ts index e311ef3c8c24b..a6ec0d54f6425 100644 --- a/x-pack/plugins/canvas/server/routes/templates/list.ts +++ b/x-pack/plugins/canvas/server/routes/templates/list.ts @@ -21,6 +21,13 @@ export function initializeListTemplates(deps: RouteInitializerDeps) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because authorization is provided by saved objects client.', + }, + }, validate: { request: { params: schema.object({}) }, }, diff --git a/x-pack/plugins/canvas/server/routes/workpad/create.ts b/x-pack/plugins/canvas/server/routes/workpad/create.ts index c1e4f7e2f8353..79492c94e5882 100644 --- a/x-pack/plugins/canvas/server/routes/workpad/create.ts +++ b/x-pack/plugins/canvas/server/routes/workpad/create.ts @@ -47,6 +47,13 @@ export function initializeCreateWorkpadRoute(deps: RouteInitializerDeps) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because authorization is provided by saved objects client.', + }, + }, validate: { request: { body: createRequestBodySchema }, }, diff --git a/x-pack/plugins/canvas/server/routes/workpad/delete.ts b/x-pack/plugins/canvas/server/routes/workpad/delete.ts index d5abbbfed7a78..292e8e4b73080 100644 --- a/x-pack/plugins/canvas/server/routes/workpad/delete.ts +++ b/x-pack/plugins/canvas/server/routes/workpad/delete.ts @@ -21,6 +21,13 @@ export function initializeDeleteWorkpadRoute(deps: RouteInitializerDeps) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because authorization is provided by saved objects client.', + }, + }, validate: { request: { params: schema.object({ diff --git a/x-pack/plugins/canvas/server/routes/workpad/find.ts b/x-pack/plugins/canvas/server/routes/workpad/find.ts index 1e993a347d89f..39258afadfabf 100644 --- a/x-pack/plugins/canvas/server/routes/workpad/find.ts +++ b/x-pack/plugins/canvas/server/routes/workpad/find.ts @@ -20,6 +20,13 @@ export function initializeFindWorkpadsRoute(deps: RouteInitializerDeps) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because authorization is provided by saved objects client.', + }, + }, validate: { request: { query: schema.object({ diff --git a/x-pack/plugins/canvas/server/routes/workpad/get.ts b/x-pack/plugins/canvas/server/routes/workpad/get.ts index 8ce7687627611..57d1bf3517ca5 100644 --- a/x-pack/plugins/canvas/server/routes/workpad/get.ts +++ b/x-pack/plugins/canvas/server/routes/workpad/get.ts @@ -21,6 +21,13 @@ export function initializeGetWorkpadRoute(deps: RouteInitializerDeps) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because authorization is provided by saved objects client.', + }, + }, validate: { request: { params: schema.object({ diff --git a/x-pack/plugins/canvas/server/routes/workpad/import.ts b/x-pack/plugins/canvas/server/routes/workpad/import.ts index 5490d460f8834..5c3d82521ec4d 100644 --- a/x-pack/plugins/canvas/server/routes/workpad/import.ts +++ b/x-pack/plugins/canvas/server/routes/workpad/import.ts @@ -30,6 +30,13 @@ export function initializeImportWorkpadRoute(deps: RouteInitializerDeps) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because authorization is provided by saved objects client.', + }, + }, validate: { request: { body: createRequestBodySchema }, }, diff --git a/x-pack/plugins/canvas/server/routes/workpad/resolve.ts b/x-pack/plugins/canvas/server/routes/workpad/resolve.ts index b6260e9e47694..9d0ea3139e043 100644 --- a/x-pack/plugins/canvas/server/routes/workpad/resolve.ts +++ b/x-pack/plugins/canvas/server/routes/workpad/resolve.ts @@ -21,6 +21,13 @@ export function initializeResolveWorkpadRoute(deps: RouteInitializerDeps) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because authorization is provided by saved objects client.', + }, + }, validate: { request: { params: schema.object({ diff --git a/x-pack/plugins/canvas/server/routes/workpad/update.ts b/x-pack/plugins/canvas/server/routes/workpad/update.ts index ead5a097a6945..55be02a888bb1 100644 --- a/x-pack/plugins/canvas/server/routes/workpad/update.ts +++ b/x-pack/plugins/canvas/server/routes/workpad/update.ts @@ -38,6 +38,13 @@ export function initializeUpdateWorkpadRoute(deps: RouteInitializerDeps) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because authorization is provided by saved objects client.', + }, + }, validate: { request: { params: schema.object({ @@ -71,6 +78,13 @@ export function initializeUpdateWorkpadRoute(deps: RouteInitializerDeps) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because authorization is provided by saved objects client.', + }, + }, validate: { request: { params: schema.object({ @@ -109,6 +123,13 @@ export function initializeUpdateWorkpadAssetsRoute(deps: RouteInitializerDeps) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because authorization is provided by saved objects client.', + }, + }, validate: { request: { params: schema.object({ diff --git a/x-pack/plugins/maps/server/data_indexing/indexing_routes.ts b/x-pack/plugins/maps/server/data_indexing/indexing_routes.ts index e7cb10427a297..987fd23a13d4f 100644 --- a/x-pack/plugins/maps/server/data_indexing/indexing_routes.ts +++ b/x-pack/plugins/maps/server/data_indexing/indexing_routes.ts @@ -46,6 +46,13 @@ export function initIndexingRoutes({ .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because permissions will be checked by elasticsearch.', + }, + }, validate: { request: { body: schema.object({ @@ -98,6 +105,13 @@ export function initIndexingRoutes({ .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because permissions will be checked by elasticsearch.', + }, + }, validate: { request: { body: schema.object({ @@ -134,6 +148,13 @@ export function initIndexingRoutes({ .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because permissions will be checked by elasticsearch.', + }, + }, validate: { request: { params: schema.object({ @@ -196,6 +217,13 @@ export function initIndexingRoutes({ .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because permissions will be checked by elasticsearch.', + }, + }, validate: { request: { query: schema.object({ @@ -223,6 +251,13 @@ export function initIndexingRoutes({ .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because permissions will be checked by elasticsearch.', + }, + }, validate: { request: { query: schema.object({ diff --git a/x-pack/plugins/maps/server/mvt/mvt_routes.ts b/x-pack/plugins/maps/server/mvt/mvt_routes.ts index f768eb93dd9a3..aa3f0c51f69ea 100644 --- a/x-pack/plugins/maps/server/mvt/mvt_routes.ts +++ b/x-pack/plugins/maps/server/mvt/mvt_routes.ts @@ -41,6 +41,13 @@ export function initMVTRoutes({ .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because permissions will be checked by elasticsearch.', + }, + }, validate: { request: { params: schema.object({ @@ -117,6 +124,13 @@ export function initMVTRoutes({ .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because permissions will be checked by elasticsearch.', + }, + }, validate: { request: { params: schema.object({ diff --git a/x-pack/plugins/maps/server/routes.ts b/x-pack/plugins/maps/server/routes.ts index 32f7a9e6c18ea..7bfa80dfe5bd4 100644 --- a/x-pack/plugins/maps/server/routes.ts +++ b/x-pack/plugins/maps/server/routes.ts @@ -27,6 +27,13 @@ export function initRoutes(coreSetup: CoreSetup, logger: Logger) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because it is only serving static files.', + }, + }, validate: { request: { params: schema.object({ @@ -66,6 +73,13 @@ export function initRoutes(coreSetup: CoreSetup, logger: Logger) { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: + 'This route is opted out from authorization because permissions will be checked by elasticsearch.', + }, + }, validate: { request: { query: schema.object({