From 5c0fbd0edec7e4dbd70c280fd351522b724a8845 Mon Sep 17 00:00:00 2001
From: Matthew Kime
Date: Thu, 26 Dec 2024 19:43:25 -0600
Subject: [PATCH 1/4] add some authz info
---
 .../console/autocomplete_entities/index.ts | 6 ++++
 .../routes/api/console/es_config/index.ts | 36 ++++++++++++-------
 .../api/console/spec_definitions/index.ts | 14 +++++++-
 3 files changed, 43 insertions(+), 13 deletions(-)
diff --git a/src/platform/plugins/shared/console/server/routes/api/console/autocomplete_entities/index.ts b/src/platform/plugins/shared/console/server/routes/api/console/autocomplete_entities/index.ts
index 0dacd8e93cc9b..50eb9e42cda44 100644
--- a/src/platform/plugins/shared/console/server/routes/api/console/autocomplete_entities/index.ts
+++ b/src/platform/plugins/shared/console/server/routes/api/console/autocomplete_entities/index.ts
@@ -90,6 +90,12 @@ export const registerAutocompleteEntitiesRoute = (deps: RouteDependencies) => {
 options: {
 tags: ['access:console'],
 },
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es client for authorization',
+ },
+ },
 validate: autoCompleteEntitiesValidationConfig,
 },
 async (context, request, response) => {
diff --git a/src/platform/plugins/shared/console/server/routes/api/console/es_config/index.ts b/src/platform/plugins/shared/console/server/routes/api/console/es_config/index.ts
index a1d1a6cdb7950..817d8d7cc7e3a 100644
--- a/src/platform/plugins/shared/console/server/routes/api/console/es_config/index.ts
+++ b/src/platform/plugins/shared/console/server/routes/api/console/es_config/index.ts
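Review bot: The autocomplete_entities route now sets `authz.enabled: false` while `options.tags: ['access:console']` stays on the context lines directly above it, so the config both names the Console privilege and opts out of authorization. The stated reason covers Elasticsearch-side permissions only; it does not say what replaces the Kibana feature-privilege check the tag expressed, and whether the tag is still enforced once authz is disabled is not visible in this hunk. Patches 3/4 and 4/4 move `/api/console/proxy` to `authz: { requiredPrivileges: ['console'] }` and drop the tag; this route should get the same treatment, `security: { authz: { requiredPrivileges: ['console'] } },`, with the `tags` line removed. The body of registerAutocompleteEntitiesRoute lies outside the hunk.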
@@ -11,19 +11,31 @@ import { EsConfigApiResponse } from '../../../../../common/types/api_responses';
 import { RouteDependencies } from '../../..';
 export const registerEsConfigRoute = ({ router, services }: RouteDependencies): void => {
- router.get({ path: '/api/console/es_config', validate: false }, async (ctx, req, res) => {
- const cloudUrl = services.esLegacyConfigService.getCloudUrl();
- if (cloudUrl) {
- const body: EsConfigApiResponse = { host: cloudUrl };
+ router.get(
+ {
+ path: '/api/console/es_config',
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Low effort request for config content',
+ },
+ },
+ validate: false,
+ },
+ async (ctx, req, res) => {
+ const cloudUrl = services.esLegacyConfigService.getCloudUrl();
+ if (cloudUrl) {
+ const body: EsConfigApiResponse = { host: cloudUrl };

- return res.ok({ body });
- }
- const {
- hosts: [host],
- } = await services.esLegacyConfigService.readConfig();
+ return res.ok({ body });
+ }
+ const {
+ hosts: [host],
+ } = await services.esLegacyConfigService.readConfig();

- const body: EsConfigApiResponse = { host };
+ const body: EsConfigApiResponse = { host };

- return res.ok({ body });
- });
+ return res.ok({ body });
+ }
+ );
 };
diff --git a/src/platform/plugins/shared/console/server/routes/api/console/spec_definitions/index.ts b/src/platform/plugins/shared/console/server/routes/api/console/spec_definitions/index.ts
index 2b2e003e7eb39..e4f500fb14e7b 100644
--- a/src/platform/plugins/shared/console/server/routes/api/console/spec_definitions/index.ts
+++ b/src/platform/plugins/shared/console/server/routes/api/console/spec_definitions/index.ts
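Review bot: The opt-out reason `'Low effort request for config content'` describes request cost rather than why no privilege check is needed, and the handler returns the Elasticsearch host or cloud URL (`{ host: cloudUrl }` / `hosts: [host]`), which is deployment information. With authz disabled and `validate: false`, presumably any caller that gets past authentication can read it, including users without Console access. Either gate it the way the proxy route ends up in patch 4/4, `authz: { requiredPrivileges: ['console'] },`, or keep the opt-out with a reason that states why the host value may be returned without a privilege check. The `/api/console/api_server` route in spec_definitions/index.ts carries the same kind of reason (`'Low effort request for config info'`) and needs the same decision. The remaining changed lines in this hunk are re-indentation.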
@@ -32,5 +32,17 @@ export const registerSpecDefinitionsRoute = ({ router, services }: RouteDependen
 });
 };
- router.get({ path: '/api/console/api_server', validate: false }, handler);
+ router.get(
+ {
+ path: '/api/console/api_server',
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Low effort request for config info',
+ },
+ },
+ validate: false,
+ },
+ handler
+ );
 };
From fb4e8eca5c52d3d7f7d4d281d6ab63b438cce472 Mon Sep 17 00:00:00 2001
From: Matthew Kime
Date: Fri, 27 Dec 2024 15:51:02 -0600
Subject: [PATCH 2/4] add proxy endpoint authz
---
 .../shared/console/server/routes/api/console/proxy/index.ts | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/platform/plugins/shared/console/server/routes/api/console/proxy/index.ts b/src/platform/plugins/shared/console/server/routes/api/console/proxy/index.ts
index d30aa32060b73..4ab2cac16a7ea 100644
--- a/src/platform/plugins/shared/console/server/routes/api/console/proxy/index.ts
+++ b/src/platform/plugins/shared/console/server/routes/api/console/proxy/index.ts
@@ -23,6 +23,12 @@ export const registerProxyRoute = (deps: RouteDependencies) => {
 parse: false,
 },
 },
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es client for authorization',
+ },
+ },
 validate: routeValidationConfig,
 },
 createHandler(deps)
From 904b4e964cba0743d59968c5010123e96a54c57d Mon Sep 17 00:00:00 2001
From: Matthew Kime
Date: Sun, 5 Jan 2025 20:50:31 -0600
Subject: [PATCH 3/4] why doesn't authz work like tags?
---
 .../shared/console/server/routes/api/console/proxy/index.ts | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/platform/plugins/shared/console/server/routes/api/console/proxy/index.ts b/src/platform/plugins/shared/console/server/routes/api/console/proxy/index.ts
index 4ab2cac16a7ea..3de320157b094 100644
--- a/src/platform/plugins/shared/console/server/routes/api/console/proxy/index.ts
+++ b/src/platform/plugins/shared/console/server/routes/api/console/proxy/index.ts
@@ -17,7 +17,7 @@ export const registerProxyRoute = (deps: RouteDependencies) => {
 {
 path: '/api/console/proxy',
 options: {
- tags: ['access:console'],
+ // tags: ['access:console'],
 body: {
 output: 'stream',
 parse: false,
@@ -25,8 +25,7 @@ export const registerProxyRoute = (deps: RouteDependencies) => {
 },
 security: {
 authz: {
- enabled: false,
- reason: 'Relies on es client for authorization',
+ requiredPrivileges: ['access:console'],
 },
 },
 validate: routeValidationConfig,
From 8d0aa27a46dab47fbefe18bf096c86e16bb3b4fc Mon Sep 17 00:00:00 2001
From: Matthew Kime
Date: Mon, 6 Jan 2025 07:11:54 -0600
Subject: [PATCH 4/4] fix auth tag
---
 .../shared/console/server/routes/api/console/proxy/index.ts | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/platform/plugins/shared/console/server/routes/api/console/proxy/index.ts b/src/platform/plugins/shared/console/server/routes/api/console/proxy/index.ts
index 3de320157b094..5b0e3c6103762 100644
--- a/src/platform/plugins/shared/console/server/routes/api/console/proxy/index.ts
+++ b/src/platform/plugins/shared/console/server/routes/api/console/proxy/index.ts
@@ -17,7 +17,6 @@ export const registerProxyRoute = (deps: RouteDependencies) => {
 {
 path: '/api/console/proxy',
 options: {
- // tags: ['access:console'],
 body: {
 output: 'stream',
 parse: false,
@@ -25,8 +24,7 @@ export const registerProxyRoute = (deps: RouteDependencies) => {
 },
 security: {
 authz: {
- requiredPrivileges: ['access:console'],
+ requiredPrivileges: ['console'],
 },
 },
 validate: routeValidationConfig,