[8.x] [Authz] Superuser privileges (#196586) (#197369)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Authz] Superuser privileges
(#196586)](#196586)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Elena
Shostak","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-23T07:39:49Z","message":"[Authz]
Superuser privileges (#196586)\n\n## Summary\r\n\r\nThis PR adds support
for explicit indication whether endpoint is\r\nrestricted to superusers
only.\r\nMoved `api/encrypted_saved_objects/_rotate_key` endpoint to the
new\r\nconfiguration.\r\n\r\n__Relates:
https://github.com/elastic/kibana/issues/196271__\r\n\r\n\r\n###
Checklist\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n\r\n## Release
note\r\n\r\nIntroduced explicit configuration for routes that require
superuser\r\naccess. Moved `api/encrypted_saved_objects/_rotate_key`
endpoint to the\r\nnew
configuration.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine
<[email protected]>","sha":"598706c7d1d171bf7012e91d1389ade9734e8b35","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","Team:Security","Feature:Security/Authorization","v9.0.0","backport:prev-minor"],"title":"[Authz]
Superuser
privileges","number":196586,"url":"https://github.com/elastic/kibana/pull/196586","mergeCommit":{"message":"[Authz]
Superuser privileges (#196586)\n\n## Summary\r\n\r\nThis PR adds support
for explicit indication whether endpoint is\r\nrestricted to superusers
only.\r\nMoved `api/encrypted_saved_objects/_rotate_key` endpoint to the
new\r\nconfiguration.\r\n\r\n__Relates:
https://github.com/elastic/kibana/issues/196271__\r\n\r\n\r\n###
Checklist\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n\r\n## Release
note\r\n\r\nIntroduced explicit configuration for routes that require
superuser\r\naccess. Moved `api/encrypted_saved_objects/_rotate_key`
endpoint to the\r\nnew
configuration.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine
<[email protected]>","sha":"598706c7d1d171bf7012e91d1389ade9734e8b35"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/196586","number":196586,"mergeCommit":{"message":"[Authz]
Superuser privileges (#196586)\n\n## Summary\r\n\r\nThis PR adds support
for explicit indication whether endpoint is\r\nrestricted to superusers
only.\r\nMoved `api/encrypted_saved_objects/_rotate_key` endpoint to the
new\r\nconfiguration.\r\n\r\n__Relates:
https://github.com/elastic/kibana/issues/196271__\r\n\r\n\r\n###
Checklist\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n\r\n## Release
note\r\n\r\nIntroduced explicit configuration for routes that require
superuser\r\naccess. Moved `api/encrypted_saved_objects/_rotate_key`
endpoint to the\r\nnew
configuration.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine
<[email protected]>","sha":"598706c7d1d171bf7012e91d1389ade9734e8b35"}}]}]
BACKPORT-->

Co-authored-by: Elena Shostak <[email protected]>

packages/core/http/core-http-router-server-internal/src/security_route_config_validator.test.ts

@@ -8,6 +8,7 @@
  */
 
 import { validRouteSecurity } from './security_route_config_validator';
+import { ReservedPrivilegesSet } from '@kbn/core-http-server';
 
 describe('RouteSecurity validation', () => {
   it('should pass validation for valid route security with authz enabled and valid required privileges', () => {
@@ -276,4 +277,31 @@ describe('RouteSecurity validation', () => {
       `"[authz.requiredPrivileges]: anyRequired privileges must contain unique values"`
     );
   });
+
+  it('should fail validation when anyRequired has superuser privileges set', () => {
+    const invalidRouteSecurity = {
+      authz: {
+        requiredPrivileges: [
+          { anyRequired: ['privilege1', 'privilege1'], allRequired: ['privilege4'] },
+          { anyRequired: ['privilege5', ReservedPrivilegesSet.superuser] },
+        ],
+      },
+    };
+
+    expect(() => validRouteSecurity(invalidRouteSecurity)).toThrowErrorMatchingInlineSnapshot(
+      `"[authz.requiredPrivileges]: Combining superuser with other privileges is redundant, superuser privileges set can be only used as a standalone privilege."`
+    );
+  });
+
+  it('should fail validation when allRequired combines superuser privileges set with other privileges', () => {
+    const invalidRouteSecurity = {
+      authz: {
+        requiredPrivileges: [ReservedPrivilegesSet.superuser, 'privilege1'],
+      },
+    };
+
+    expect(() => validRouteSecurity(invalidRouteSecurity)).toThrowErrorMatchingInlineSnapshot(
+      `"[authz.requiredPrivileges]: Combining superuser with other privileges is redundant, superuser privileges set can be only used as a standalone privilege."`
+    );
+  });
 });

packages/core/http/core-http-router-server-internal/src/security_route_config_validator.ts

@@ -9,6 +9,7 @@
 
 import { schema } from '@kbn/config-schema';
 import type { RouteSecurity, RouteConfigOptions } from '@kbn/core-http-server';
+import { ReservedPrivilegesSet } from '@kbn/core-http-server';
 import type { DeepPartial } from '@kbn/utility-types';
 
 const privilegeSetSchema = schema.object(
@@ -49,6 +50,15 @@ const requiredPrivilegesSchema = schema.arrayOf(
         }
       });
 
+      // Combining superuser with other privileges is redundant.
+      // If user is a superuser, they inherently have access to all the privileges that may come with other roles.
+      if (
+        anyRequired.includes(ReservedPrivilegesSet.superuser) ||
+        (allRequired.includes(ReservedPrivilegesSet.superuser) && allRequired.length > 1)
+      ) {
+        return 'Combining superuser with other privileges is redundant, superuser privileges set can be only used as a standalone privilege.';
+      }
+
       if (anyRequired.length && allRequired.length) {
         for (const privilege of anyRequired) {
           if (allRequired.includes(privilege)) {

packages/core/http/core-http-server/index.ts

@@ -127,6 +127,7 @@ export {
   getResponseValidation,
   isFullValidatorContainer,
   isKibanaResponse,
+  ReservedPrivilegesSet,
 } from './src/router';
 
 export type { ICspConfig } from './src/csp';

packages/core/http/core-http-server/src/router/index.ts

@@ -66,7 +66,7 @@ export type {
   PrivilegeSet,
 } from './route';
 
-export { validBodyOutput } from './route';
+export { validBodyOutput, ReservedPrivilegesSet } from './route';
 export type {
   RouteValidationFunction,
   RouteValidationResultFactory,

packages/core/http/core-http-server/src/router/route.ts

@@ -187,6 +187,14 @@ export interface RouteSecurity {
   authc?: RouteAuthc;
 }
 
+/**
+ * A set of reserved privileges that can be used to check access to the route.
+ */
+export enum ReservedPrivilegesSet {
+  operator = 'operator',
+  superuser = 'superuser',
+}
+
 /**
  * Additional route options.
  * @public

src/core/server/index.ts

@@ -242,7 +242,11 @@ export type {
 } from '@kbn/core-http-server';
 export type { IExternalUrlPolicy } from '@kbn/core-http-common';
 
-export { validBodyOutput, OnPostAuthResultType } from '@kbn/core-http-server';
+export {
+  validBodyOutput,
+  OnPostAuthResultType,
+  ReservedPrivilegesSet,
+} from '@kbn/core-http-server';
 
 export type {
   HttpResourcesRenderOptions,

x-pack/plugins/encrypted_saved_objects/server/routes/key_rotation.test.ts

@@ -7,7 +7,7 @@
 
 import { Type } from '@kbn/config-schema';
 import type { IRouter, RequestHandler, RequestHandlerContext, RouteConfig } from '@kbn/core/server';
-import { kibanaResponseFactory } from '@kbn/core/server';
+import { kibanaResponseFactory, ReservedPrivilegesSet } from '@kbn/core/server';
 import { httpServerMock } from '@kbn/core/server/mocks';
 
 import { routeDefinitionParamsMock } from './index.mock';
@@ -43,9 +43,14 @@ describe('Key rotation routes', () => {
     });
 
     it('correctly defines route.', () => {
+      expect(routeConfig.security).toEqual({
+        authz: {
+          requiredPrivileges: [ReservedPrivilegesSet.superuser],
+        },
+      });
       expect(routeConfig.options).toEqual({
         access: 'public',
-        tags: ['access:rotateEncryptionKey', 'oas-tag:saved objects'],
+        tags: ['oas-tag:saved objects'],
         summary: `Rotate a key for encrypted saved objects`,
         description: `If a saved object cannot be decrypted using the primary encryption key, Kibana attempts to decrypt it using the specified decryption-only keys. In most of the cases this overhead is negligible, but if you're dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key.
         NOTE: Bulk key rotation can consume a considerable amount of resources and hence only user with a superuser role can trigger it.`,
@@ -96,7 +101,7 @@ describe('Key rotation routes', () => {
 
       expect(config.options).toEqual({
         access: 'internal',
-        tags: ['access:rotateEncryptionKey', 'oas-tag:saved objects'],
+        tags: ['oas-tag:saved objects'],
         summary: `Rotate a key for encrypted saved objects`,
         description: `If a saved object cannot be decrypted using the primary encryption key, Kibana attempts to decrypt it using the specified decryption-only keys. In most of the cases this overhead is negligible, but if you're dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key.
         NOTE: Bulk key rotation can consume a considerable amount of resources and hence only user with a superuser role can trigger it.`,

x-pack/plugins/encrypted_saved_objects/server/routes/key_rotation.ts

@@ -6,6 +6,7 @@
  */
 
 import { schema } from '@kbn/config-schema';
+import { ReservedPrivilegesSet } from '@kbn/core/server';
 
 import type { RouteDefinitionParams } from '.';
 
@@ -39,9 +40,14 @@ export function defineKeyRotationRoutes({
           type: schema.maybe(schema.string()),
         }),
       },
+      security: {
+        authz: {
+          requiredPrivileges: [ReservedPrivilegesSet.superuser],
+        },
+      },
       options: {
-        tags: ['access:rotateEncryptionKey', 'oas-tag:saved objects'],
         access: buildFlavor === 'serverless' ? 'internal' : 'public',
+        tags: ['oas-tag:saved objects'],
         summary: `Rotate a key for encrypted saved objects`,
         description: `If a saved object cannot be decrypted using the primary encryption key, Kibana attempts to decrypt it using the specified decryption-only keys. In most of the cases this overhead is negligible, but if you're dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key.
         NOTE: Bulk key rotation can consume a considerable amount of resources and hence only user with a superuser role can trigger it.`,

x-pack/plugins/security/common/constants.ts

@@ -127,3 +127,14 @@ export const API_VERSIONS = {
     },
   },
 };
+
+/**
+ * Privileges that define the superuser role or the role equivalent to the superuser role.
+ */
+export const SUPERUSER_PRIVILEGES = {
+  kibana: ['*'],
+  elasticsearch: {
+    cluster: ['all'],
+    index: { '*': ['all'] },
+  },
+};