[8.x] [Fleet] Adjust privileges for GET output and GET download_source endpoints (#194951) (#195536)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Fleet] Adjust privileges for GET output and GET download_source
endpoints (#194951)](https://github.com/elastic/kibana/pull/194951)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Cristina
Amico","email":"criamico@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-10-08T14:36:19Z","message":"[Fleet]
Adjust privileges for GET output and GET download_source endpoints
(#194951)\n\nFixes
https://github.com/elastic/kibana/issues/191266\r\n\r\n##
Summary\r\nUpdating the authz for following endpoints:\r\n- `GET
/agent_download_sources`\r\n- `GET /agent_download_sources/{id}`\r\n-
`GET /outputs`\r\n- `GET /outputs/{id}`\r\nThey need to have
`authz.fleet.readSettings ||\r\nauthz.fleet.readAgentPolicies` as they
should be visible in the agent\r\npolicy settings page as
well.\r\n\r\n\r\n### Testing\r\n- Enable feature flag
`subfeaturePrivileges`\r\n- Create a role with following
privileges:\r\n![Screenshot 2024-10-04 at 15
49\r\n54](https://github.com/user-attachments/assets/4bbc95e4-01d0-43e0-a539-b03b8f4c219e)\r\n-
Create a user that has the previous role\r\n- Log in and go to any agent
policy > settings\r\n- The download source and output fields should be
filled and editable.\r\nThey were previously empty, as the GET endpoints
were failing with 403\r\nForbidden\r\n\r\n### Checklist\r\n- [ ] [Unit
or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"14d5677d073838845074f76f0d9c0edce50533f0","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","v9.0.0","v8.16.0","backport:version"],"number":194951,"url":"https://github.com/elastic/kibana/pull/194951","mergeCommit":{"message":"[Fleet]
Adjust privileges for GET output and GET download_source endpoints
(#194951)\n\nFixes
https://github.com/elastic/kibana/issues/191266\r\n\r\n##
Summary\r\nUpdating the authz for following endpoints:\r\n- `GET
/agent_download_sources`\r\n- `GET /agent_download_sources/{id}`\r\n-
`GET /outputs`\r\n- `GET /outputs/{id}`\r\nThey need to have
`authz.fleet.readSettings ||\r\nauthz.fleet.readAgentPolicies` as they
should be visible in the agent\r\npolicy settings page as
well.\r\n\r\n\r\n### Testing\r\n- Enable feature flag
`subfeaturePrivileges`\r\n- Create a role with following
privileges:\r\n![Screenshot 2024-10-04 at 15
49\r\n54](https://github.com/user-attachments/assets/4bbc95e4-01d0-43e0-a539-b03b8f4c219e)\r\n-
Create a user that has the previous role\r\n- Log in and go to any agent
policy > settings\r\n- The download source and output fields should be
filled and editable.\r\nThey were previously empty, as the GET endpoints
were failing with 403\r\nForbidden\r\n\r\n### Checklist\r\n- [ ] [Unit
or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"14d5677d073838845074f76f0d9c0edce50533f0"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/194951","number":194951,"mergeCommit":{"message":"[Fleet]
Adjust privileges for GET output and GET download_source endpoints
(#194951)\n\nFixes
https://github.com/elastic/kibana/issues/191266\r\n\r\n##
Summary\r\nUpdating the authz for following endpoints:\r\n- `GET
/agent_download_sources`\r\n- `GET /agent_download_sources/{id}`\r\n-
`GET /outputs`\r\n- `GET /outputs/{id}`\r\nThey need to have
`authz.fleet.readSettings ||\r\nauthz.fleet.readAgentPolicies` as they
should be visible in the agent\r\npolicy settings page as
well.\r\n\r\n\r\n### Testing\r\n- Enable feature flag
`subfeaturePrivileges`\r\n- Create a role with following
privileges:\r\n![Screenshot 2024-10-04 at 15
49\r\n54](https://github.com/user-attachments/assets/4bbc95e4-01d0-43e0-a539-b03b8f4c219e)\r\n-
Create a user that has the previous role\r\n- Log in and go to any agent
policy > settings\r\n- The download source and output fields should be
filled and editable.\r\nThey were previously empty, as the GET endpoints
were failing with 403\r\nForbidden\r\n\r\n### Checklist\r\n- [ ] [Unit
or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"14d5677d073838845074f76f0d9c0edce50533f0"}},{"branch":"8.x","label":"v8.16.0","labelRegex":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

x-pack/plugins/fleet/server/routes/download_source/index.tsx

@@ -30,8 +30,8 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
   router.versioned
     .get({
       path: DOWNLOAD_SOURCE_API_ROUTES.LIST_PATTERN,
-      fleetAuthz: {
-        fleet: { readSettings: true },
+      fleetAuthz: (authz) => {
+        return authz.fleet.readSettings || authz.fleet.readAgentPolicies;
       },
     })
     .addVersion(
@@ -45,8 +45,8 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
   router.versioned
     .get({
       path: DOWNLOAD_SOURCE_API_ROUTES.INFO_PATTERN,
-      fleetAuthz: {
-        fleet: { readSettings: true },
+      fleetAuthz: (authz) => {
+        return authz.fleet.readSettings || authz.fleet.readAgentPolicies;
       },
     })
     .addVersion(

x-pack/plugins/fleet/server/routes/output/index.ts

@@ -33,8 +33,8 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
   router.versioned
     .get({
       path: OUTPUT_API_ROUTES.LIST_PATTERN,
-      fleetAuthz: {
-        fleet: { readSettings: true },
+      fleetAuthz: (authz) => {
+        return authz.fleet.readSettings || authz.fleet.readAgentPolicies;
       },
     })
     .addVersion(
@@ -47,8 +47,8 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
   router.versioned
     .get({
       path: OUTPUT_API_ROUTES.INFO_PATTERN,
-      fleetAuthz: {
-        fleet: { readSettings: true },
+      fleetAuthz: (authz) => {
+        return authz.fleet.readSettings || authz.fleet.readAgentPolicies;
       },
     })
     .addVersion(
@@ -61,8 +61,8 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
   router.versioned
     .put({
       path: OUTPUT_API_ROUTES.UPDATE_PATTERN,
-      fleetAuthz: {
-        fleet: { allSettings: true },
+      fleetAuthz: (authz) => {
+        return authz.fleet.allSettings || authz.fleet.allAgentPolicies;
       },
     })
     .addVersion(

x-pack/test/fleet_api_integration/apis/fleet_settings_privileges.ts

@@ -51,6 +51,49 @@ const READ_SCENARIOS = [
     statusCode: 403,
   },
 ];
+// Scenarios updated for download_source and outputs routes that are slightly different
+const READ_SCENARIOS_2 = [
+  {
+    user: testUsers.fleet_all_only,
+    statusCode: 200,
+  },
+  {
+    user: testUsers.fleet_read_only,
+    statusCode: 200,
+  },
+  {
+    user: testUsers.fleet_settings_all_only,
+    statusCode: 200,
+  },
+  {
+    user: testUsers.fleet_settings_read_only,
+    statusCode: 200,
+  },
+  {
+    user: testUsers.fleet_agent_policies_read_only,
+    statusCode: 200,
+  },
+  {
+    user: testUsers.fleet_agent_policies_all_only,
+    statusCode: 200,
+  },
+  {
+    user: testUsers.fleet_agents_read_only,
+    statusCode: 403,
+  },
+  {
+    user: testUsers.fleet_no_access,
+    statusCode: 403,
+  },
+  {
+    user: testUsers.fleet_minimal_all_only,
+    statusCode: 403,
+  },
+  {
+    user: testUsers.fleet_minimal_read_only,
+    statusCode: 403,
+  },
+];
 
 const ALL_SCENARIOS = [
   {
@@ -106,12 +149,12 @@ export default function (providerContext: FtrProviderContext) {
     {
       method: 'GET',
       path: '/api/fleet/outputs',
-      scenarios: READ_SCENARIOS,
+      scenarios: READ_SCENARIOS_2,
     },
     {
       method: 'GET',
       path: '/api/fleet/outputs/test-privileges-output-1',
-      scenarios: READ_SCENARIOS,
+      scenarios: READ_SCENARIOS_2,
     },
     {
       method: 'POST',
@@ -226,12 +269,12 @@ export default function (providerContext: FtrProviderContext) {
     {
       method: 'GET',
       path: '/api/fleet/agent_download_sources',
-      scenarios: READ_SCENARIOS,
+      scenarios: READ_SCENARIOS_2,
     },
     {
       method: 'GET',
       path: '/api/fleet/agent_download_sources/test-privileges-download-source-1',
-      scenarios: READ_SCENARIOS,
+      scenarios: READ_SCENARIOS_2,
     },
     {
       method: 'POST',