[8.x] Unauthorized route migration for routes owned by kibana-presentation (#198329) #205006

Merged
merged 1 commit into from
Dec 19, 2024
Expand Up @@ -20,6 +20,13 @@ export const setupOptionsListClusterSettingsRoute = ({ http }: CoreSetup) => {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because it does not take a query, params, or a body, so there is no chance of leaking info.',
},
},
validate: false,
},
async (context, _, response) => {
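Review bot: The text on the `reason:` line justifies skipping authorization by the absence of request input, but an authorization check guards what the response discloses, not what the request carries; a route named setupOptionsListClusterSettingsRoute presumably returns cluster configuration, and with this opt-out any caller that reaches the route receives it. The handler body is outside the hunk, so I cannot see what it reads or returns; if the settings are fetched through the request-scoped Elasticsearch client, the reason should say so, e.g. `'This route is opted out from authorization because the cluster settings it returns are read through the request-scoped Elasticsearch client, which enforces the caller's privileges.'`, and if they are read with an unscoped client the opt-out deserves a second look. The enclosing function starts before the hunk.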
Expand Up @@ -33,6 +33,13 @@ export const setupOptionsListSuggestionsRoute = (
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because permissions will be checked by elasticsearch.',
},
},
validate: {
request: {
params: schema.object(
Expand Up @@ -29,6 +29,13 @@ export function initializeCreateCustomElementRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: { body: CustomElementSchema },
},
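Review bot: The literal on the `reason:` line, 'This route is opted out from authorization because authorization is provided by saved objects client.', is repeated verbatim in the delete, find, get and update custom element routes, the templates list route and every workpad route in this PR (create, delete, find, get, import, resolve and the three hunks of update.ts); one exported constant in the shared routes code, for example `const SAVED_OBJECTS_AUTHZ_REASON = '…';` alongside the existing route constants, would keep the wording in one place and make a later audit of authorization opt-outs a single grep. While touching it, the sentence reads better as 'provided by the saved objects client'. The enclosing function starts before the hunk.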
Expand Up @@ -22,6 +22,13 @@ export function initializeDeleteCustomElementRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/custom_elements/find.ts
Expand Up @@ -20,6 +20,13 @@ export function initializeFindCustomElementsRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
query: schema.object({
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/custom_elements/get.ts
Expand Up @@ -21,6 +21,13 @@ export function initializeGetCustomElementRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
Expand Up @@ -30,6 +30,13 @@ export function initializeUpdateCustomElementRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
34 changes: 27 additions & 7 deletions x-pack/plugins/canvas/server/routes/functions/functions.ts
Expand Up @@ -23,13 +23,26 @@ export function initializeGetFunctionsRoute(deps: RouteInitializerDeps) {
path: API_ROUTE_FUNCTIONS,
access: 'internal',
})
.addVersion({ version: '1', validate: false }, async (context, request, response) => {
const functions = expressions.getFunctions('canvas');
const body = JSON.stringify(functions);
return response.ok({
body,
});
});
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because it only provides non-sensitive information about functions available to Canvas.',
},
},
validate: false,
},
async (context, request, response) => {
const functions = expressions.getFunctions('canvas');
const body = JSON.stringify(functions);
return response.ok({
body,
});
}
);
}

export function initializeBatchFunctionsRoute(deps: RouteInitializerDeps) {
Expand All @@ -42,6 +55,13 @@ export function initializeBatchFunctionsRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because data source expressions that perform search operations use the Kibana search client which handles permission checking.',
},
},
validate: {
request: {
body: schema.object({
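Review bot: The `reason:` line on the batch functions route explains the opt-out only for expressions that perform search operations through the Kibana search client; if a batch can also run server-side functions that never touch that client, the text does not say why those are safe without an authorization check. The handler body is outside the hunk, so this is inferred from the reason text alone. If the non-search functions only operate on data supplied in the request, state that explicitly, e.g. `'… which handles permission checking; the remaining functions operate only on request-provided data.'`, and if some of them read server-side state the opt-out should be revisited. The enclosing function initializeBatchFunctionsRoute continues past the hunk.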
37 changes: 25 additions & 12 deletions x-pack/plugins/canvas/server/routes/shareables/download.ts
Expand Up @@ -18,16 +18,29 @@ export function initializeDownloadShareableWorkpadRoute(deps: RouteInitializerDe
path: API_ROUTE_SHAREABLE_RUNTIME_DOWNLOAD,
access: 'internal',
})
.addVersion({ version: '1', validate: false }, async (_context, _request, response) => {
// TODO: check if this is still an issue on cloud after migrating to NP
//
// The option setting is not for typical use. We're using it here to avoid
// problems in Cloud environments. See elastic/kibana#47405.
// const file = handler.file(SHAREABLE_RUNTIME_FILE, { confine: false });
const file = readFileSync(SHAREABLE_RUNTIME_FILE);
return response.ok({
headers: { 'content-type': 'application/octet-stream' },
body: file,
});
});
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because it is only serving static files.',
},
},
validate: false,
},
async (_context, _request, response) => {
// TODO: check if this is still an issue on cloud after migrating to NP
//
// The option setting is not for typical use. We're using it here to avoid
// problems in Cloud environments. See elastic/kibana#47405.
// const file = handler.file(SHAREABLE_RUNTIME_FILE, { confine: false });
const file = readFileSync(SHAREABLE_RUNTIME_FILE);
return response.ok({
headers: { 'content-type': 'application/octet-stream' },
body: file,
});
}
);
}
12 changes: 11 additions & 1 deletion x-pack/plugins/canvas/server/routes/shareables/zip.ts
Expand Up @@ -24,7 +24,17 @@ export function initializeZipShareableWorkpadRoute(deps: RouteInitializerDeps) {
access: 'internal',
})
.addVersion(
{ version: '1', validate: { request: { body: RenderedWorkpadSchema } } },
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because it is only serving static files.',
},
},
validate: { request: { body: RenderedWorkpadSchema } },
},
async (_context, request, response) => {
const workpad = request.body;
const archive = archiver('zip');
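Review bot: The `reason:` line says this route is only serving static files, but the lines directly below it (`const workpad = request.body;` and `const archive = archiver('zip');`) show it accepts a RenderedWorkpadSchema body and builds an archive from caller-supplied content, so the wording, apparently copied from download.ts, does not describe this handler. The remainder of the handler is outside the hunk, so I cannot confirm that nothing beyond the request body and the static runtime goes into the archive; if that is the case, a reason such as `'This route is opted out from authorization because it only packages the workpad supplied in the request body with the static shareable runtime and does not read saved objects.'` states the actual basis for the opt-out. The enclosing function starts before the hunk.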
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/templates/list.ts
Expand Up @@ -21,6 +21,13 @@ export function initializeListTemplates(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: { params: schema.object({}) },
},
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/workpad/create.ts
Expand Up @@ -47,6 +47,13 @@ export function initializeCreateWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: { body: createRequestBodySchema },
},
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/workpad/delete.ts
Expand Up @@ -21,6 +21,13 @@ export function initializeDeleteWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/workpad/find.ts
Expand Up @@ -20,6 +20,13 @@ export function initializeFindWorkpadsRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
query: schema.object({
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/workpad/get.ts
Expand Up @@ -21,6 +21,13 @@ export function initializeGetWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/workpad/import.ts
Expand Up @@ -30,6 +30,13 @@ export function initializeImportWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: { body: createRequestBodySchema },
},
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/workpad/resolve.ts
Expand Up @@ -21,6 +21,13 @@ export function initializeResolveWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
21 changes: 21 additions & 0 deletions x-pack/plugins/canvas/server/routes/workpad/update.ts
Expand Up @@ -38,6 +38,13 @@ export function initializeUpdateWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
Expand Down Expand Up @@ -71,6 +78,13 @@ export function initializeUpdateWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
Expand Down Expand Up @@ -109,6 +123,13 @@ export function initializeUpdateWorkpadAssetsRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({