Unauthorized route migration for routes owned by kibana-presentation (#198329)
Migrates unauthorized routes owned by the Presentation team to a new security configuration.
parent
d7ef161d8d
commit
65a75ffcb7
21 changed files with 245 additions and 20 deletions
|
@ -20,6 +20,13 @@ export const setupOptionsListClusterSettingsRoute = ({ http }: CoreSetup) => {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because it does not take a query, params, or a body, so there is no chance of leaking info.',
|
||||
},
|
||||
},
|
||||
validate: false,
|
||||
},
|
||||
async (context, _, response) => {
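Review bot: The `reason` in the added `security.authz` block justifies the opt-out by the route taking no query, params or body, but what a route can disclose depends on what its handler returns, not on what it accepts. The handler `async (context, _, response) => {` continues outside this hunk, so the response cannot be checked from here; going by the name `setupOptionsListClusterSettingsRoute`, it presumably returns cluster settings. If that output is safe for every user who can reach the route, the reason should say so, for example `reason: 'This route is opted out from authorization because it only returns <what the handler returns>, which is not sensitive.'`.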
|
||||
|
|
|
@ -33,6 +33,13 @@ export const setupOptionsListSuggestionsRoute = (
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because permissions will be checked by elasticsearch.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
params: schema.object(
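Review bot: The reason 'permissions will be checked by elasticsearch' holds only if the handler sends every Elasticsearch request with the caller's credentials, and the handler is not visible in this hunk. A request made through an internal-user client would run with Kibana's own privileges, and with `authz.enabled: false` there is no route-level check behind it. The same string is added in the five `initIndexingRoutes` hunks, both `initMVTRoutes` hunks and the second `initRoutes` hunk, so each of those handlers is worth checking for `asCurrentUser` usage. Naming the client in the reason makes that assumption reviewable, e.g. `'This route is opted out from authorization because all Elasticsearch requests are made as the current user, so Elasticsearch enforces the index privileges.'`.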
|
||||
|
|
|
@ -29,6 +29,13 @@ export function initializeCreateCustomElementRoute(deps: RouteInitializerDeps) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because authorization is provided by saved objects client.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: { body: CustomElementSchema },
|
||||
},
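Review bot: 'authorization is provided by saved objects client' is true only when the handler uses the request-scoped saved objects client, and the handler lies outside this hunk, so that cannot be confirmed here. An internal repository, or a client created without the security extension, would skip the privilege check that this opt-out relies on. The same string is added to the other custom element hunks (delete, find, get, update), to `initializeListTemplates`, and to the workpad hunks (create, delete, find, get, import, resolve, both update hunks and update assets). I would tighten the wording to `'This route is opted out from authorization because the handler uses the request-scoped saved objects client, which enforces saved object privileges.'` and add a one-line comment to the same effect where each handler obtains its client.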
|
||||
|
|
|
@ -22,6 +22,13 @@ export function initializeDeleteCustomElementRoute(deps: RouteInitializerDeps) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because authorization is provided by saved objects client.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
params: schema.object({
|
||||
|
|
|
@ -20,6 +20,13 @@ export function initializeFindCustomElementsRoute(deps: RouteInitializerDeps) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because authorization is provided by saved objects client.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
query: schema.object({
|
||||
|
|
|
@ -21,6 +21,13 @@ export function initializeGetCustomElementRoute(deps: RouteInitializerDeps) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because authorization is provided by saved objects client.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
params: schema.object({
|
||||
|
|
|
@ -30,6 +30,13 @@ export function initializeUpdateCustomElementRoute(deps: RouteInitializerDeps) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because authorization is provided by saved objects client.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
params: schema.object({
|
||||
|
|
|
@ -23,13 +23,26 @@ export function initializeGetFunctionsRoute(deps: RouteInitializerDeps) {
|
|||
path: API_ROUTE_FUNCTIONS,
|
||||
access: 'internal',
|
||||
})
|
||||
.addVersion({ version: '1', validate: false }, async (context, request, response) => {
|
||||
const functions = expressions.getFunctions('canvas');
|
||||
const body = JSON.stringify(functions);
|
||||
return response.ok({
|
||||
body,
|
||||
});
|
||||
});
|
||||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because it only provides non-sensitive information about functions available to Canvas.',
|
||||
},
|
||||
},
|
||||
validate: false,
|
||||
},
|
||||
async (context, request, response) => {
|
||||
const functions = expressions.getFunctions('canvas');
|
||||
const body = JSON.stringify(functions);
|
||||
return response.ok({
|
||||
body,
|
||||
});
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
export function initializeBatchFunctionsRoute(deps: RouteInitializerDeps) {
|
||||
|
@ -42,6 +55,13 @@ export function initializeBatchFunctionsRoute(deps: RouteInitializerDeps) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because data source expressions that perform search operations use the Kibana search client which handles permission checking.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
body: schema.object({
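Review bot: The reason added in the `initializeBatchFunctionsRoute` hunk covers only 'data source expressions that perform search operations', yet the route accepts a validated request `body` and, judging by its name, executes a batch of server-side functions. Functions that do anything other than search through the Kibana search client are not covered by that argument, and with `authz.enabled: false` the route layer does not back them up. The handler is outside the hunk, so this needs confirming there. The reason should either state that every function reachable through this route goes through a permission-checked client, or name the ones that do not and why that is acceptable.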
|
||||
|
|
|
@ -18,16 +18,29 @@ export function initializeDownloadShareableWorkpadRoute(deps: RouteInitializerDe
|
|||
path: API_ROUTE_SHAREABLE_RUNTIME_DOWNLOAD,
|
||||
access: 'internal',
|
||||
})
|
||||
.addVersion({ version: '1', validate: false }, async (_context, _request, response) => {
|
||||
// TODO: check if this is still an issue on cloud after migrating to NP
|
||||
//
|
||||
// The option setting is not for typical use. We're using it here to avoid
|
||||
// problems in Cloud environments. See elastic/kibana#47405.
|
||||
// const file = handler.file(SHAREABLE_RUNTIME_FILE, { confine: false });
|
||||
const file = readFileSync(SHAREABLE_RUNTIME_FILE);
|
||||
return response.ok({
|
||||
headers: { 'content-type': 'application/octet-stream' },
|
||||
body: file,
|
||||
});
|
||||
});
|
||||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because it is only serving static files.',
|
||||
},
|
||||
},
|
||||
validate: false,
|
||||
},
|
||||
async (_context, _request, response) => {
|
||||
// TODO: check if this is still an issue on cloud after migrating to NP
|
||||
//
|
||||
// The option setting is not for typical use. We're using it here to avoid
|
||||
// problems in Cloud environments. See elastic/kibana#47405.
|
||||
// const file = handler.file(SHAREABLE_RUNTIME_FILE, { confine: false });
|
||||
const file = readFileSync(SHAREABLE_RUNTIME_FILE);
|
||||
return response.ok({
|
||||
headers: { 'content-type': 'application/octet-stream' },
|
||||
body: file,
|
||||
});
|
||||
}
|
||||
);
|
||||
}
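Review bot: `readFileSync(SHAREABLE_RUNTIME_FILE)` runs inside an `async` handler, so every request to this authorization-exempt route blocks the event loop for the length of the read. Prefer `const file = await readFile(SHAREABLE_RUNTIME_FILE);` with `readFile` taken from `fs/promises`; the import block is outside this hunk and would need the matching change. The comment carried over above it still describes an "option setting" that exists only in the commented-out `handler.file(...)` line. Either drop that comment or reword it to explain why the file is read directly.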
|
||||
|
|
|
@ -24,7 +24,17 @@ export function initializeZipShareableWorkpadRoute(deps: RouteInitializerDeps) {
|
|||
access: 'internal',
|
||||
})
|
||||
.addVersion(
|
||||
{ version: '1', validate: { request: { body: RenderedWorkpadSchema } } },
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because it is only serving static files.',
|
||||
},
|
||||
},
|
||||
validate: { request: { body: RenderedWorkpadSchema } },
|
||||
},
|
||||
async (_context, request, response) => {
|
||||
const workpad = request.body;
|
||||
const archive = archiver('zip');
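Review bot: The reason 'it is only serving static files' does not match the visible handler, which reads `request.body` as a workpad and starts an `archiver('zip')`, so the response is built from caller-supplied content rather than from a fixed file. The string looks copied from the download route. The rest of the handler is outside the hunk. If it only bundles the submitted workpad with runtime files and reads no stored data, the reason should say that, e.g. `'This route is opted out from authorization because it only packages the workpad sent in the request body together with static runtime files.'`.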
|
||||
|
|
|
@ -21,6 +21,13 @@ export function initializeListTemplates(deps: RouteInitializerDeps) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because authorization is provided by saved objects client.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: { params: schema.object({}) },
|
||||
},
|
||||
|
|
|
@ -47,6 +47,13 @@ export function initializeCreateWorkpadRoute(deps: RouteInitializerDeps) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because authorization is provided by saved objects client.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: { body: createRequestBodySchema },
|
||||
},
|
||||
|
|
|
@ -21,6 +21,13 @@ export function initializeDeleteWorkpadRoute(deps: RouteInitializerDeps) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because authorization is provided by saved objects client.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
params: schema.object({
|
||||
|
|
|
@ -20,6 +20,13 @@ export function initializeFindWorkpadsRoute(deps: RouteInitializerDeps) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because authorization is provided by saved objects client.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
query: schema.object({
|
||||
|
|
|
@ -21,6 +21,13 @@ export function initializeGetWorkpadRoute(deps: RouteInitializerDeps) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because authorization is provided by saved objects client.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
params: schema.object({
|
||||
|
|
|
@ -30,6 +30,13 @@ export function initializeImportWorkpadRoute(deps: RouteInitializerDeps) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because authorization is provided by saved objects client.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: { body: createRequestBodySchema },
|
||||
},
|
||||
|
|
|
@ -21,6 +21,13 @@ export function initializeResolveWorkpadRoute(deps: RouteInitializerDeps) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because authorization is provided by saved objects client.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
params: schema.object({
|
||||
|
|
|
@ -38,6 +38,13 @@ export function initializeUpdateWorkpadRoute(deps: RouteInitializerDeps) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because authorization is provided by saved objects client.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
params: schema.object({
|
||||
|
@ -71,6 +78,13 @@ export function initializeUpdateWorkpadRoute(deps: RouteInitializerDeps) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because authorization is provided by saved objects client.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
params: schema.object({
|
||||
|
@ -109,6 +123,13 @@ export function initializeUpdateWorkpadAssetsRoute(deps: RouteInitializerDeps) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because authorization is provided by saved objects client.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
params: schema.object({
|
||||
|
|
|
@ -46,6 +46,13 @@ export function initIndexingRoutes({
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because permissions will be checked by elasticsearch.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
body: schema.object({
|
||||
|
@ -98,6 +105,13 @@ export function initIndexingRoutes({
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because permissions will be checked by elasticsearch.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
body: schema.object({
|
||||
|
@ -134,6 +148,13 @@ export function initIndexingRoutes({
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because permissions will be checked by elasticsearch.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
params: schema.object({
|
||||
|
@ -196,6 +217,13 @@ export function initIndexingRoutes({
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because permissions will be checked by elasticsearch.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
query: schema.object({
|
||||
|
@ -223,6 +251,13 @@ export function initIndexingRoutes({
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because permissions will be checked by elasticsearch.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
query: schema.object({
|
||||
|
|
|
@ -41,6 +41,13 @@ export function initMVTRoutes({
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because permissions will be checked by elasticsearch.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
params: schema.object({
|
||||
|
@ -117,6 +124,13 @@ export function initMVTRoutes({
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because permissions will be checked by elasticsearch.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
params: schema.object({
|
||||
|
|
|
@ -27,6 +27,13 @@ export function initRoutes(coreSetup: CoreSetup<StartDeps>, logger: Logger) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because it is only serving static files.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
params: schema.object({
|
||||
|
@ -66,6 +73,13 @@ export function initRoutes(coreSetup: CoreSetup<StartDeps>, logger: Logger) {
|
|||
.addVersion(
|
||||
{
|
||||
version: '1',
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This route is opted out from authorization because permissions will be checked by elasticsearch.',
|
||||
},
|
||||
},
|
||||
validate: {
|
||||
request: {
|
||||
query: schema.object({
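Review bot: The first `initRoutes` hunk opts the route out because 'it is only serving static files', but that route validates request `params` (the schema is cut off by the hunk), so the file served appears to depend on caller input. For an authorization-exempt file route, the useful guarantee is that those params cannot resolve to anything outside the intended directory. Please confirm the schema restricts them to an allow-list or a strict pattern, and state that in the reason, e.g. `'... because it only serves static files selected by validated params.'`.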
|
||||
|
|