[9.0] Unauthorized route migration for routes owned by response-ops (#214785) (#214830)

# Backport

This will backport the following commits from `main` to `9.0`:
- [Unauthorized route migration for routes owned by response-ops
(#214785)](https://github.com/elastic/kibana/pull/214785)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Elena
Shostak","email":"165678770+elena-shostak@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-03-17T16:08:59Z","message":"Unauthorized
route migration for routes owned by response-ops (#214785)\n\n### Authz
API migration for unauthorized routes\n\nThis PR migrates last
unauthorized routes owned by your team to a new\nsecurity
configuration.\nPlease refer to the documentation for more information:
[Authorization\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\n\n###
**Before migration:**\n```ts\nrouter.get({\n path: '/api/path',\n
...\n}, handler);\n```\n\n### **After
migration:**\n```ts\nrouter.get({\n path: '/api/path',\n security: {\n
authz: {\n enabled: false,\n reason: 'This route is opted out from
authorization because ...',\n },\n },\n ...\n},
handler);\n```","sha":"229dca52a613fbe88988f8afef154cd2fcc6d54e","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["enhancement","release_note:skip","Feature:Security/Authorization","Team:ResponseOps","backport:prev-minor","backport:version","Authz:
API migration","v9.1.0","v8.19.0"],"title":"Unauthorized route migration
for routes owned by
response-ops","number":214785,"url":"https://github.com/elastic/kibana/pull/214785","mergeCommit":{"message":"Unauthorized
route migration for routes owned by response-ops (#214785)\n\n### Authz
API migration for unauthorized routes\n\nThis PR migrates last
unauthorized routes owned by your team to a new\nsecurity
configuration.\nPlease refer to the documentation for more information:
[Authorization\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\n\n###
**Before migration:**\n```ts\nrouter.get({\n path: '/api/path',\n
...\n}, handler);\n```\n\n### **After
migration:**\n```ts\nrouter.get({\n path: '/api/path',\n security: {\n
authz: {\n enabled: false,\n reason: 'This route is opted out from
authorization because ...',\n },\n },\n ...\n},
handler);\n```","sha":"229dca52a613fbe88988f8afef154cd2fcc6d54e"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/214785","number":214785,"mergeCommit":{"message":"Unauthorized
route migration for routes owned by response-ops (#214785)\n\n### Authz
API migration for unauthorized routes\n\nThis PR migrates last
unauthorized routes owned by your team to a new\nsecurity
configuration.\nPlease refer to the documentation for more information:
[Authorization\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\n\n###
**Before migration:**\n```ts\nrouter.get({\n path: '/api/path',\n
...\n}, handler);\n```\n\n### **After
migration:**\n```ts\nrouter.get({\n path: '/api/path',\n security: {\n
authz: {\n enabled: false,\n reason: 'This route is opted out from
authorization because ...',\n },\n },\n ...\n},
handler);\n```","sha":"229dca52a613fbe88988f8afef154cd2fcc6d54e"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Elena Shostak <165678770+elena-shostak@users.noreply.github.com>

x-pack/platform/plugins/shared/alerting/server/routes/gaps/apis/fill/fill_gap_by_id_route.ts

@@ -26,6 +26,12 @@ export const fillGapByIdRoute = (
   router.post(
     {
       path: `${INTERNAL_ALERTING_GAPS_FILL_BY_ID_API_PATH}`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route delegates authorization to the scoped ES client',
+        },
+      },
       validate: {
         query: fillGapByIdQuerySchemaV1,
       },

x-pack/platform/plugins/shared/alerting/server/routes/gaps/apis/find/find_gaps_route.ts

@@ -25,6 +25,12 @@ export const findGapsRoute = (
   router.post(
     {
       path: INTERNAL_ALERTING_GAPS_FIND_API_PATH,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route delegates authorization to the scoped ES client',
+        },
+      },
       validate: {
         body: findGapsBodySchemaV1,
       },

x-pack/platform/plugins/shared/alerting/server/routes/gaps/apis/get_gaps_summary_by_rule_ids/get_gaps_summary_by_rule_ids_route.ts

@@ -25,6 +25,12 @@ export const getGapsSummaryByRuleIdsRoute = (
   router.post(
     {
       path: `${INTERNAL_ALERTING_GAPS_GET_SUMMARY_BY_RULE_IDS_API_PATH}`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route delegates authorization to the scoped ES client',
+        },
+      },
       validate: {
         body: getGapsSummaryByRuleIdsBodySchemaV1,
       },

x-pack/platform/plugins/shared/alerting/server/routes/gaps/apis/get_rule_ids_with_gaps/get_rule_ids_with_gaps_route.ts

@@ -25,6 +25,12 @@ export const getRuleIdsWithGapsRoute = (
   router.post(
     {
       path: `${INTERNAL_ALERTING_GAPS_GET_RULES_API_PATH}`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route delegates authorization to the scoped ES client',
+        },
+      },
       validate: {
         body: getRuleIdsWithGapBodySchemaV1,
       },

x-pack/platform/plugins/shared/cases/server/routes/api/cases/get_case.ts

@@ -59,6 +59,7 @@ export const getCaseRoute = () =>
 export const resolveCaseRoute = createCasesRoute({
   method: 'get',
   path: `${CASE_DETAILS_URL}/resolve`,
+  security: DEFAULT_CASES_ROUTE_SECURITY,
   routerOptions: {
     access: 'internal',
   },

x-pack/platform/plugins/shared/cases/server/routes/api/cases/similar.ts

@@ -10,10 +10,12 @@ import { INTERNAL_CASE_SIMILAR_CASES_URL } from '../../../../common/constants';
 import { createCaseError } from '../../../common/error';
 import { createCasesRoute } from '../create_cases_route';
 import type { caseApiV1 } from '../../../../common/types/api';
+import { DEFAULT_CASES_ROUTE_SECURITY } from '../constants';
 
 export const similarCaseRoute = createCasesRoute({
   method: 'post',
   path: INTERNAL_CASE_SIMILAR_CASES_URL,
+  security: DEFAULT_CASES_ROUTE_SECURITY,
   params: {
     params: schema.object({
       case_id: schema.string(),

x-pack/platform/plugins/shared/cases/server/routes/api/internal/find_user_actions.ts

@@ -12,6 +12,7 @@ import type { attachmentApiV1, userActionApiV1 } from '../../../../common/types/
 import { INTERNAL_CASE_FIND_USER_ACTIONS_URL } from '../../../../common/constants';
 import { createCaseError } from '../../../common/error';
 import { createCasesRoute } from '../create_cases_route';
+import { DEFAULT_CASES_ROUTE_SECURITY } from '../constants';
 
 const params = {
   params: schema.object({
@@ -22,6 +23,7 @@ const params = {
 export const findUserActionsRoute = createCasesRoute({
   method: 'get',
   path: INTERNAL_CASE_FIND_USER_ACTIONS_URL,
+  security: DEFAULT_CASES_ROUTE_SECURITY,
   params,
   routerOptions: {
     access: 'public',

x-pack/platform/plugins/shared/cases/server/routes/api/observables/delete_observable.ts

@@ -9,10 +9,12 @@ import { schema } from '@kbn/config-schema';
 import { INTERNAL_CASE_OBSERVABLES_DELETE_URL } from '../../../../common/constants';
 import { createCaseError } from '../../../common/error';
 import { createCasesRoute } from '../create_cases_route';
+import { DEFAULT_CASES_ROUTE_SECURITY } from '../constants';
 
 export const deleteObservableRoute = createCasesRoute({
   method: 'delete',
   path: INTERNAL_CASE_OBSERVABLES_DELETE_URL,
+  security: DEFAULT_CASES_ROUTE_SECURITY,
   params: {
     params: schema.object({
       case_id: schema.string(),

x-pack/platform/plugins/shared/cases/server/routes/api/observables/patch_observable.ts

@@ -10,10 +10,12 @@ import { INTERNAL_CASE_OBSERVABLES_PATCH_URL } from '../../../../common/constant
 import { createCaseError } from '../../../common/error';
 import { createCasesRoute } from '../create_cases_route';
 import type { observableApiV1 } from '../../../../common/types/api';
+import { DEFAULT_CASES_ROUTE_SECURITY } from '../constants';
 
 export const patchObservableRoute = createCasesRoute({
   method: 'patch',
   path: INTERNAL_CASE_OBSERVABLES_PATCH_URL,
+  security: DEFAULT_CASES_ROUTE_SECURITY,
   params: {
     params: schema.object({
       case_id: schema.string(),

x-pack/platform/plugins/shared/cases/server/routes/api/observables/post_observable.ts

@@ -10,10 +10,12 @@ import { INTERNAL_CASE_OBSERVABLES_URL } from '../../../../common/constants';
 import { createCaseError } from '../../../common/error';
 import { createCasesRoute } from '../create_cases_route';
 import type { observableApiV1 } from '../../../../common/types/api';
+import { DEFAULT_CASES_ROUTE_SECURITY } from '../constants';
 
 export const postObservableRoute = createCasesRoute({
   method: 'post',
   path: INTERNAL_CASE_OBSERVABLES_URL,
+  security: DEFAULT_CASES_ROUTE_SECURITY,
   params: {
     params: schema.object({
       case_id: schema.string(),