[8.x] Authorized route migration for routes owned by @elastic/kibana-core (#198187) (#199489)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Authorized route migration for routes owned by @elastic/kibana-core
(#198187)](https://github.com/elastic/kibana/pull/198187)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Kibana
Machine","email":"42973632+kibanamachine@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-11-08T00:48:30Z","message":"Authorized
route migration for routes owned by @elastic/kibana-core
(#198187)\n\nCo-authored-by: Alejandro Fernández Haro
<alejandro.haro@elastic.co>","sha":"543cc2f494e11d50685ff07afeca49f45008ecdd","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Core","enhancement","release_note:skip","Feature:Security/Authorization","v9.0.0","Team:Cloud
Security","backport:prev-minor","Authz: API
migration"],"title":"Authorized route migration for routes owned by
@elastic/kibana-core","number":198187,"url":"https://github.com/elastic/kibana/pull/198187","mergeCommit":{"message":"Authorized
route migration for routes owned by @elastic/kibana-core
(#198187)\n\nCo-authored-by: Alejandro Fernández Haro
<alejandro.haro@elastic.co>","sha":"543cc2f494e11d50685ff07afeca49f45008ecdd"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/198187","number":198187,"mergeCommit":{"message":"Authorized
route migration for routes owned by @elastic/kibana-core
(#198187)\n\nCo-authored-by: Alejandro Fernández Haro
<alejandro.haro@elastic.co>","sha":"543cc2f494e11d50685ff07afeca49f45008ecdd"}}]}]
BACKPORT-->

src/plugins/ftr_apis/server/routes/kbn_client_so/bulk_delete.ts

@@ -15,8 +15,10 @@ export const registerBulkDeleteRoute = (router: IRouter) => {
   router.post(
     {
       path: `${KBN_CLIENT_API_PREFIX}/_bulk_delete`,
-      options: {
-        tags: ['access:ftrApis'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ftrApis'],
+        },
       },
       validate: {
         body: schema.arrayOf(

src/plugins/ftr_apis/server/routes/kbn_client_so/clean.ts

@@ -15,8 +15,10 @@ export const registerCleanRoute = (router: IRouter) => {
   router.post(
     {
       path: `${KBN_CLIENT_API_PREFIX}/_clean`,
-      options: {
-        tags: ['access:ftrApis'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ftrApis'],
+        },
       },
       validate: {
         body: schema.object({

src/plugins/ftr_apis/server/routes/kbn_client_so/create.ts

@@ -15,8 +15,10 @@ export const registerCreateRoute = (router: IRouter) => {
   router.post(
     {
       path: `${KBN_CLIENT_API_PREFIX}/{type}/{id?}`,
-      options: {
-        tags: ['access:ftrApis'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ftrApis'],
+        },
       },
       validate: {
         params: schema.object({

src/plugins/ftr_apis/server/routes/kbn_client_so/delete.ts

@@ -15,8 +15,10 @@ export const registerDeleteRoute = (router: IRouter) => {
   router.delete(
     {
       path: `${KBN_CLIENT_API_PREFIX}/{type}/{id}`,
-      options: {
-        tags: ['access:ftrApis'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ftrApis'],
+        },
       },
       validate: {
         params: schema.object({

src/plugins/ftr_apis/server/routes/kbn_client_so/find.ts

@@ -15,8 +15,10 @@ export const registerFindRoute = (router: IRouter) => {
   router.get(
     {
       path: `${KBN_CLIENT_API_PREFIX}/_find`,
-      options: {
-        tags: ['access:ftrApis'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ftrApis'],
+        },
       },
       validate: {
         query: schema.object({

src/plugins/ftr_apis/server/routes/kbn_client_so/get.ts

@@ -15,8 +15,10 @@ export const registerGetRoute = (router: IRouter) => {
   router.get(
     {
       path: `${KBN_CLIENT_API_PREFIX}/{type}/{id}`,
-      options: {
-        tags: ['access:ftrApis'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ftrApis'],
+        },
       },
       validate: {
         params: schema.object({

src/plugins/ftr_apis/server/routes/kbn_client_so/update.ts

@@ -15,8 +15,10 @@ export const registerUpdateRoute = (router: IRouter) => {
   router.put(
     {
       path: `${KBN_CLIENT_API_PREFIX}/{type}/{id}`,
-      options: {
-        tags: ['access:ftrApis'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ftrApis'],
+        },
       },
       validate: {
         params: schema.object({

x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/bulk_action.ts

@@ -44,8 +44,10 @@ export const defineBulkActionCspBenchmarkRulesRoute = (router: CspRouter) =>
     .post({
       access: 'internal',
       path: CSP_BENCHMARK_RULES_BULK_ACTION_ROUTE_PATH,
-      options: {
-        tags: ['access:cloud-security-posture-all'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-all'],
+        },
       },
     })
     .addVersion(

x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/find/find.ts

@@ -25,8 +25,10 @@ export const defineFindCspBenchmarkRuleRoute = (router: CspRouter) =>
     .get({
       access: 'internal',
       path: FIND_CSP_BENCHMARK_RULE_ROUTE_PATH,
-      options: {
-        tags: ['access:cloud-security-posture-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-read'],
+        },
       },
     })
     .addVersion(

x-pack/plugins/cloud_security_posture/server/routes/benchmark_rules/get_states/get_states.ts

@@ -16,8 +16,10 @@ export const defineGetCspBenchmarkRulesStatesRoute = (router: CspRouter) =>
     .get({
       access: 'internal',
       path: CSP_GET_BENCHMARK_RULES_STATE_ROUTE_PATH,
-      options: {
-        tags: ['access:cloud-security-posture-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-read'],
+        },
       },
     })
     .addVersion(

x-pack/plugins/cloud_security_posture/server/routes/benchmarks/benchmarks.ts

@@ -20,8 +20,10 @@ export const defineGetBenchmarksRoute = (router: CspRouter) =>
     .get({
       access: 'internal',
       path: BENCHMARKS_ROUTE_PATH,
-      options: {
-        tags: ['access:cloud-security-posture-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-read'],
+        },
       },
     })
     .addVersion(

x-pack/plugins/cloud_security_posture/server/routes/compliance_dashboard/compliance_dashboard.ts

@@ -65,8 +65,10 @@ export const defineGetComplianceDashboardRoute = (router: CspRouter) =>
     .get({
       access: 'internal',
       path: STATS_ROUTE_PATH,
-      options: {
-        tags: ['access:cloud-security-posture-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-read'],
+        },
       },
     })
     .addVersion(

x-pack/plugins/cloud_security_posture/server/routes/detection_engine/get_detection_engine_alerts_count_by_rule_tags.ts

@@ -53,8 +53,10 @@ export const defineGetDetectionEngineAlertsStatus = (router: CspRouter) =>
     .get({
       access: 'internal',
       path: GET_DETECTION_RULE_ALERTS_STATUS_PATH,
-      options: {
-        tags: ['access:cloud-security-posture-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-read'],
+        },
       },
     })
     .addVersion(

x-pack/plugins/cloud_security_posture/server/routes/graph/route.ts

@@ -20,8 +20,10 @@ export const defineGraphRoute = (router: CspRouter) =>
       access: 'internal',
       enableQueryVersion: true,
       path: GRAPH_ROUTE_PATH,
-      options: {
-        tags: ['access:cloud-security-posture-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-read'],
+        },
       },
     })
     .addVersion(

x-pack/plugins/cloud_security_posture/server/routes/status/status.ts

@@ -437,8 +437,10 @@ export const defineGetCspStatusRoute = (
     .get({
       access: 'internal',
       path: STATUS_ROUTE_PATH,
-      options: {
-        tags: ['access:cloud-security-posture-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-read'],
+        },
       },
     })
     .addVersion(

x-pack/plugins/cloud_security_posture/server/routes/vulnerabilities_dashboard/vulnerabilities_dashboard.ts

@@ -20,8 +20,10 @@ export const defineGetVulnerabilitiesDashboardRoute = (router: CspRouter): void
     {
       path: VULNERABILITIES_DASHBOARD_ROUTE_PATH,
       validate: false,
-      options: {
-        tags: ['access:cloud-security-posture-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-security-posture-read'],
+        },
       },
     },
     async (context, request, response) => {

x-pack/plugins/features/server/routes/index.ts

@@ -21,8 +21,12 @@ export function defineRoutes({ router, featureRegistry }: RouteDefinitionParams)
   router.get(
     {
       path: '/api/features',
+      security: {
+        authz: {
+          requiredPrivileges: ['read_features'],
+        },
+      },
       options: {
-        tags: ['access:read_features'],
         access: 'public',
         summary: `Get features`,
       },

x-pack/test/ftr_apis/security_and_spaces/apis/bulk_delete.ts

@@ -44,7 +44,8 @@ export default function (ftrContext: FtrProviderContext) {
           expect(body).to.eql({
             statusCode: 403,
             error: 'Forbidden',
-            message: 'Forbidden',
+            message:
+              'API [POST /internal/ftr/kbn_client_so/_bulk_delete] is unauthorized for user, this action is granted by the Kibana privileges [ftrApis]',
           });
         },
       },

x-pack/test/ftr_apis/security_and_spaces/apis/clean.ts

@@ -43,7 +43,8 @@ export default function (ftrContext: FtrProviderContext) {
         expectResponse: ({ body }) => {
           expect(body).to.eql({
             error: 'Forbidden',
-            message: 'Forbidden',
+            message:
+              'API [POST /internal/ftr/kbn_client_so/_clean] is unauthorized for user, this action is granted by the Kibana privileges [ftrApis]',
             statusCode: 403,
           });
         },

x-pack/test/ftr_apis/security_and_spaces/apis/create.ts

@@ -48,7 +48,8 @@ export default function (ftrContext: FtrProviderContext) {
           expect(body).to.eql({
             statusCode: 403,
             error: 'Forbidden',
-            message: 'Forbidden',
+            message:
+              'API [POST /internal/ftr/kbn_client_so/tag] is unauthorized for user, this action is granted by the Kibana privileges [ftrApis]',
           });
         },
       },

x-pack/test/ftr_apis/security_and_spaces/apis/delete.ts

@@ -44,7 +44,8 @@ export default function (ftrContext: FtrProviderContext) {
           expect(body).to.eql({
             statusCode: 403,
             error: 'Forbidden',
-            message: 'Forbidden',
+            message:
+              'API [DELETE /internal/ftr/kbn_client_so/visualization/vis-area-1] is unauthorized for user, this action is granted by the Kibana privileges [ftrApis]',
           });
         },
       },

x-pack/test/ftr_apis/security_and_spaces/apis/find.ts

@@ -43,7 +43,8 @@ export default function (ftrContext: FtrProviderContext) {
         expectResponse: ({ body }) => {
           expect(body).to.eql({
             error: 'Forbidden',
-            message: 'Forbidden',
+            message:
+              'API [GET /internal/ftr/kbn_client_so/_find?type=tag] is unauthorized for user, this action is granted by the Kibana privileges [ftrApis]',
             statusCode: 403,
           });
         },

x-pack/test/ftr_apis/security_and_spaces/apis/get.ts

@@ -44,7 +44,8 @@ export default function (ftrContext: FtrProviderContext) {
           expect(body).to.eql({
             statusCode: 403,
             error: 'Forbidden',
-            message: 'Forbidden',
+            message:
+              'API [GET /internal/ftr/kbn_client_so/visualization/vis-area-4] is unauthorized for user, this action is granted by the Kibana privileges [ftrApis]',
           });
         },
       },

x-pack/test/ftr_apis/security_and_spaces/apis/update.ts

@@ -44,7 +44,8 @@ export default function (ftrContext: FtrProviderContext) {
           expect(body).to.eql({
             statusCode: 403,
             error: 'Forbidden',
-            message: 'Forbidden',
+            message:
+              'API [PUT /internal/ftr/kbn_client_so/tag/tag-1] is unauthorized for user, this action is granted by the Kibana privileges [ftrApis]',
           });
         },
       },