[8.x] Authorized route migration for routes owned by security-detection-engine (#198384) (#199093)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Authorized route migration for routes owned by
security-detection-engine
(#198384)](https://github.com/elastic/kibana/pull/198384)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Kibana
Machine","email":"42973632+kibanamachine@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-11-06T09:34:13Z","message":"Authorized
route migration for routes owned by security-detection-engine
(#198384)\n\n### Authz API migration for authorized routes\r\n\r\nThis
PR migrates `access:<privilege>` tags used in route definitions
to\r\nnew security configuration.\r\nPlease refer to the documentation
for more information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\nAccess control tags were defined in the
`options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>',
'access:<privilege_2>'],\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### **After migration:**\r\nTags have been
replaced with the more robust\r\n`security.authz.requiredPrivileges`
field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges:
['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have tests that rely on checking
`access` tags.\r\n - If you have snapshot tests that include the route
definition.\r\n- If you have FTR tests that rely on checking
unauthorized error\r\nmessage. The error message changed to also include
missing privileges.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security` team.\r\n\r\nCo-authored-by: Elastic
Machine <elasticmachine@users.noreply.github.com>\r\nCo-authored-by:
Yara Tercero
<yctercero@users.noreply.github.com>","sha":"bf51662b7b42ac296a768ef4344138ec3f6c9ca1","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["enhancement","release_note:skip","Feature:Security/Authorization","v9.0.0","backport:prev-minor","Team:Detection
Engine","Authz: API migration"],"title":"Authorized route migration for
routes owned by
security-detection-engine","number":198384,"url":"https://github.com/elastic/kibana/pull/198384","mergeCommit":{"message":"Authorized
route migration for routes owned by security-detection-engine
(#198384)\n\n### Authz API migration for authorized routes\r\n\r\nThis
PR migrates `access:<privilege>` tags used in route definitions
to\r\nnew security configuration.\r\nPlease refer to the documentation
for more information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\nAccess control tags were defined in the
`options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>',
'access:<privilege_2>'],\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### **After migration:**\r\nTags have been
replaced with the more robust\r\n`security.authz.requiredPrivileges`
field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges:
['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have tests that rely on checking
`access` tags.\r\n - If you have snapshot tests that include the route
definition.\r\n- If you have FTR tests that rely on checking
unauthorized error\r\nmessage. The error message changed to also include
missing privileges.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security` team.\r\n\r\nCo-authored-by: Elastic
Machine <elasticmachine@users.noreply.github.com>\r\nCo-authored-by:
Yara Tercero
<yctercero@users.noreply.github.com>","sha":"bf51662b7b42ac296a768ef4344138ec3f6c9ca1"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/198384","number":198384,"mergeCommit":{"message":"Authorized
route migration for routes owned by security-detection-engine
(#198384)\n\n### Authz API migration for authorized routes\r\n\r\nThis
PR migrates `access:<privilege>` tags used in route definitions
to\r\nnew security configuration.\r\nPlease refer to the documentation
for more information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\nAccess control tags were defined in the
`options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>',
'access:<privilege_2>'],\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### **After migration:**\r\nTags have been
replaced with the more robust\r\n`security.authz.requiredPrivileges`
field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges:
['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have tests that rely on checking
`access` tags.\r\n - If you have snapshot tests that include the route
definition.\r\n- If you have FTR tests that rely on checking
unauthorized error\r\nmessage. The error message changed to also include
missing privileges.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security` team.\r\n\r\nCo-authored-by: Elastic
Machine <elasticmachine@users.noreply.github.com>\r\nCo-authored-by:
Yara Tercero
<yctercero@users.noreply.github.com>","sha":"bf51662b7b42ac296a768ef4344138ec3f6c9ca1"}}]}]
BACKPORT-->
Kibana Machine 2024-11-06 22:18:11 +11:00 committed by GitHub
parent e14d35b0d6
commit 939283745c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
16 changed files with 66 additions and 31 deletions


@ -40,8 +40,10 @@ export const createIndexRoute = (router: SecuritySolutionPluginRouter) => {
.post({
path: DETECTION_ENGINE_INDEX_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
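Review bot: No test in this commit pins the new `security.authz.requiredPrivileges: ['securitySolution']` block on `createIndexRoute`, and the same holds for the other 15 sections on this page: the diffstat lists 16 changed files and all 16 shown are route definitions. The description itself says the unauthorized error message now also includes the missing privileges, so existing checks on the old 403 text may need updating. An API integration test per route that calls it as a user without `securitySolution` and expects a 403 would catch a route whose check is dropped in a later refactor. The route definition continues past `.addVersion(`, outside the hunk.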


@ -35,8 +35,10 @@ export const deleteIndexRoute = (router: SecuritySolutionPluginRouter) => {
.delete({
path: DETECTION_ENGINE_INDEX_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
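Review bot: The `.delete` route on `DETECTION_ENGINE_INDEX_URL` is `access: 'public'` and, as far as the hunk shows, requires the same single `securitySolution` privilege as the read-only `.get` routes further down the page (for example `readIndexRoute` and `getSignalsMigrationStatusRoute`). The migration keeps the earlier behaviour, so this is not a regression, but the new `security` block is the natural place to record where write access is actually decided. If the handler or Elasticsearch index privileges enforce it (the handler is outside the hunk), I would add a comment above `security:` such as `// Route-level check only; delete permission is enforced by <where> (confirm)`. The same question applies to the other write routes here, e.g. `createIndexRoute`, the signals-migration create/delete/finalize routes, `setSignalsStatusRoute`, `setAlertAssigneesRoute`, `setAlertTagsRoute` and `createRuleExceptionsRoute`.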


@ -18,8 +18,10 @@ export const readAlertsIndexExistsRoute = (router: SecuritySolutionPluginRouter)
.get({
path: DETECTION_ENGINE_ALERTS_INDEX_URL,
access: 'internal',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(


@ -26,8 +26,10 @@ export const readIndexRoute = (
.get({
path: DETECTION_ENGINE_INDEX_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(


@ -24,8 +24,10 @@ export const createSignalsMigrationRoute = (router: SecuritySolutionPluginRouter
.post({
path: DETECTION_ENGINE_SIGNALS_MIGRATION_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(


@ -20,8 +20,10 @@ export const deleteSignalsMigrationRoute = (router: SecuritySolutionPluginRouter
.delete({
path: DETECTION_ENGINE_SIGNALS_MIGRATION_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(


@ -25,8 +25,10 @@ export const finalizeSignalsMigrationRoute = (
.post({
path: DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(


@ -23,8 +23,10 @@ export const getSignalsMigrationStatusRoute = (router: SecuritySolutionPluginRou
.get({
path: DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(


@ -37,8 +37,10 @@ export const setSignalsStatusRoute = (
.post({
path: DETECTION_ENGINE_SIGNALS_STATUS_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(


@ -23,8 +23,10 @@ export const querySignalsRoute = (
.post({
path: DETECTION_ENGINE_QUERY_SIGNALS_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(


@ -22,8 +22,10 @@ export const setAlertAssigneesRoute = (router: SecuritySolutionPluginRouter) =>
.post({
path: DETECTION_ENGINE_ALERT_ASSIGNEES_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(


@ -22,8 +22,10 @@ export const setAlertTagsRoute = (router: SecuritySolutionPluginRouter) => {
.post({
path: DETECTION_ENGINE_ALERT_TAGS_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(


@ -34,8 +34,10 @@ export const legacyCreateLegacyNotificationRoute = (
.post({
path: UPDATE_OR_CREATE_LEGACY_ACTIONS,
access: 'internal',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(


@ -36,8 +36,10 @@ export const createRuleExceptionsRoute = (router: SecuritySolutionPluginRouter)
.post({
path: CREATE_RULE_EXCEPTIONS_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(


@ -29,8 +29,10 @@ export const findRuleExceptionReferencesRoute = (router: SecuritySolutionPluginR
.get({
path: DETECTION_ENGINE_RULES_EXCEPTIONS_REFERENCE_URL,
access: 'internal',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(


@ -89,8 +89,13 @@ export const previewRulesRoute = (
.post({
path: DETECTION_ENGINE_RULES_PREVIEW,
access: 'public',
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: {
tags: ['access:securitySolution', routeLimitedConcurrencyTag(MAX_ROUTE_CONCURRENCY)],
tags: [routeLimitedConcurrencyTag(MAX_ROUTE_CONCURRENCY)],
},
})
.addVersion(
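Review bot: In `previewRulesRoute` the `options.tags` array now holds only `routeLimitedConcurrencyTag(MAX_ROUTE_CONCURRENCY)`, so authorization and concurrency limiting for this route sit in two different parts of the same config object. A short comment on the `tags:` line, e.g. `// concurrency limit only; authz lives in security.authz above`, would keep a later edit from re-adding an `access:` tag here or from deleting `options` as a leftover of the migration. The rest of the route definition is outside the hunk.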