Unauthorized route migration for routes owned by kibana-presentation #198329

Expand Up @@ -20,6 +20,13 @@ export const setupOptionsListClusterSettingsRoute = ({ http }: CoreSetup) => {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because it does not take a query, params, or a body, so there is no chance of leaking info.',
},
},
validate: false,
},
async (context, _, response) => {
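Review bot: The `reason` string added after `version: '1'` justifies the opt-out by the absence of query, params and body, but authorization guards what a route returns, not only what it accepts, and a parameterless GET can still disclose data. The handler (outside this hunk) presumably reads cluster settings, so the justification should name what is returned and why any authenticated user may see it, or state that Elasticsearch enforces the caller's cluster privilege because the request-scoped client is used. For example: `reason: 'This route is opted out from authorization because it only reads cluster settings through the request-scoped Elasticsearch client, which enforces the caller's cluster privileges.'` — adjust if the handler actually uses the internal client, in which case the "no chance of leaking info" claim needs a real argument.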
Expand Up @@ -33,6 +33,13 @@ export const setupOptionsListSuggestionsRoute = (
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because permissions will be checked by elasticsearch.',
},
},
validate: {
request: {
params: schema.object(
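Review bot: The opt-out reason after `version: '1'` delegates authorization to Elasticsearch, which only holds if the handler (outside this hunk) issues its query through the request-scoped client so the caller's own index privileges are evaluated; a call through the internal user would make this route reachable by any authenticated user regardless of index access. Worth confirming that and making the dependency explicit in the string, e.g. `reason: 'This route is opted out from authorization because the request-scoped Elasticsearch client enforces index privileges for the suggestions query.'`. "will be checked" also reads as future intent; "are enforced" states the invariant.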
Expand Up @@ -29,6 +29,13 @@ export function initializeCreateCustomElementRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: { body: CustomElementSchema },
},
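Review bot: The `reason` after `version: '1'` delegates authorization to the saved objects client, which is only true when the handler (outside this hunk) goes through the request-scoped saved objects client that applies Kibana's security checks, not an internal repository; the same caveat applies to every other Canvas route in this PR that uses the identical string. With `enabled: false` Core performs no privilege check at all, so any authenticated user reaches the handler and the saved-object-level check is the only gate. Consider spelling out the invariant so a later refactor to an internal client is recognised as a security change: `reason: 'This route is opted out from authorization because the request-scoped saved objects client enforces privileges on the custom element saved object type.'`.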
Expand Up @@ -22,6 +22,13 @@ export function initializeDeleteCustomElementRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
Expand Up @@ -20,6 +20,13 @@ export function initializeFindCustomElementsRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
query: schema.object({
Expand Up @@ -21,6 +21,13 @@ export function initializeGetCustomElementRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
Expand Up @@ -30,6 +30,13 @@ export function initializeUpdateCustomElementRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
Expand Up @@ -23,13 +23,26 @@ export function initializeGetFunctionsRoute(deps: RouteInitializerDeps) {
path: API_ROUTE_FUNCTIONS,
access: 'internal',
})
.addVersion({ version: '1', validate: false }, async (context, request, response) => {
const functions = expressions.getFunctions('canvas');
const body = JSON.stringify(functions);
return response.ok({
body,
});
});
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because it only provides non-sensitive information about functions available to Canvas.',
},
},
validate: false,
},
async (context, request, response) => {
const functions = expressions.getFunctions('canvas');
const body = JSON.stringify(functions);
return response.ok({
body,
});
}
);
}

export function initializeBatchFunctionsRoute(deps: RouteInitializerDeps) {
Expand All @@ -42,6 +55,12 @@ export function initializeBatchFunctionsRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason: 'This route is opted out from authorization',
},
},
validate: {
request: {
body: schema.object({
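Review bot: The second hunk's `reason: 'This route is opted out from authorization'` for `initializeBatchFunctionsRoute` states no justification, unlike the first hunk, and this appears to be the route that executes caller-supplied functions from a validated request body, so it is the harder case to defend. If the intent is that each executed function performs its own access checks through the request-scoped clients it is handed, the string should say so; a bare opt-out is indistinguishable from an oversight when the next person audits these flags. Something like `reason: 'This route is opted out from authorization because each executed function runs with the caller's request-scoped clients, which enforce the relevant privileges.'` — assuming that is how the handler, whose body continues past the hunk, is wired; if a resolved review thread already settled this wording, disregard.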
Expand Up @@ -18,16 +18,28 @@ export function initializeDownloadShareableWorkpadRoute(deps: RouteInitializerDe
path: API_ROUTE_SHAREABLE_RUNTIME_DOWNLOAD,
access: 'internal',
})
.addVersion({ version: '1', validate: false }, async (_context, _request, response) => {
// TODO: check if this is still an issue on cloud after migrating to NP
//
// The option setting is not for typical use. We're using it here to avoid
// problems in Cloud environments. See elastic/kibana#47405.
// const file = handler.file(SHAREABLE_RUNTIME_FILE, { confine: false });
const file = readFileSync(SHAREABLE_RUNTIME_FILE);
return response.ok({
headers: { 'content-type': 'application/octet-stream' },
body: file,
});
});
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason: 'This route is opted out from authorization',
},
},
validate: false,
},
async (_context, _request, response) => {
// TODO: check if this is still an issue on cloud after migrating to NP
//
// The option setting is not for typical use. We're using it here to avoid
// problems in Cloud environments. See elastic/kibana#47405.
// const file = handler.file(SHAREABLE_RUNTIME_FILE, { confine: false });
const file = readFileSync(SHAREABLE_RUNTIME_FILE);
return response.ok({
headers: { 'content-type': 'application/octet-stream' },
body: file,
});
}
);
}
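Review bot: The `reason: 'This route is opted out from authorization'` added above `validate: false` gives no justification, while the handler in the same hunk shows exactly what is served — the fixed file at `SHAREABLE_RUNTIME_FILE` read with `readFileSync`, with no request input. If that file is the static shareable runtime bundle, say so: `reason: 'This route is opted out from authorization because it serves the static shareable runtime bundle, which contains no user or workpad data.'`. The synchronous `readFileSync` on every request and the stale TODO about elastic/kibana#47405 are pre-existing and untouched here, but are worth a follow-up since a blocking read of a large bundle stalls the event loop for all requests.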
11 changes: 10 additions & 1 deletion x-pack/plugins/canvas/server/routes/shareables/zip.ts
Expand Up @@ -24,7 +24,16 @@ export function initializeZipShareableWorkpadRoute(deps: RouteInitializerDeps) {
access: 'internal',
})
.addVersion(
{ version: '1', validate: { request: { body: RenderedWorkpadSchema } } },
{
version: '1',
security: {
authz: {
enabled: false,
reason: 'This route is opted out from authorization',
},
},
validate: { request: { body: RenderedWorkpadSchema } },
},
async (_context, request, response) => {
const workpad = request.body;
const archive = archiver('zip');
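Review bot: The `reason: 'This route is opted out from authorization'` inserted before `validate: { request: { body: RenderedWorkpadSchema } }` gives no justification; the handler zips the caller's own request body (the archive logic continues past the hunk), so the defensible argument is that no stored data is read on the caller's behalf. State it: `reason: 'This route is opted out from authorization because it only packages the workpad supplied in the request body and reads no stored data.'` — if the handler also pulls the shareable runtime from disk into the archive, add that it is a static asset.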
Expand Up @@ -21,6 +21,13 @@ export function initializeListTemplates(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: { params: schema.object({}) },
},
Expand Up @@ -47,6 +47,13 @@ export function initializeCreateWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: { body: createRequestBodySchema },
},
Expand Up @@ -21,6 +21,13 @@ export function initializeDeleteWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
Expand Up @@ -20,6 +20,13 @@ export function initializeFindWorkpadsRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
query: schema.object({
Expand Up @@ -21,6 +21,13 @@ export function initializeGetWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
Expand Up @@ -30,6 +30,13 @@ export function initializeImportWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: { body: createRequestBodySchema },
},
Expand Up @@ -21,6 +21,13 @@ export function initializeResolveWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
Expand Up @@ -38,6 +38,13 @@ export function initializeUpdateWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
Expand Down Expand Up @@ -71,6 +78,13 @@ export function initializeUpdateWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
Expand Down Expand Up @@ -109,6 +123,13 @@ export function initializeUpdateWorkpadAssetsRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({