github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-23 09:19:04 -04:00
Code Issues Projects Releases Packages Wiki Activity

Unauthorized route migration for routes owned by kibana-core (#214780)

Browse source 
### Authz API migration for unauthorized routes

This PR migrates last unauthorized routes owned by your team to a new
security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
```ts
router.get({
  path: '/api/path',
  ...
}, handler);
```

### **After migration:**
```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);
```
This commit is contained in:
Elena Shostak 2025-03-18 17:04:01 +01:00 committed by GitHub
parent caaea10fb9
commit b9d240b38b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 84 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/core/packages/apps/server-internal/src/core_app.ts
View file

@ -143,7 +143,17 @@ export class CoreAppsService {
const resources = coreSetup.httpResources.createRegistrar(router);
router.get(
{ path: '/', validate: false, options: { access: 'public' } },
{
path: '/',
validate: false,
options: { access: 'public' },
security: {
authz: {
enabled: false,
reason: 'This route is only used for serving the default route.',
},
},
},
async (context, req, res) => {
const { uiSettings } = await context.core;
let defaultRoute = await uiSettings.client.get<string>('defaultRoute', { request: req });

12
src/core/packages/deprecations/server-internal/src/deprecations_service.test.ts
View file

@ -58,7 +58,17 @@ describe('DeprecationsService', () => {
// registers get route '/'
expect(router.get).toHaveBeenCalledTimes(1);
expect(router.get).toHaveBeenCalledWith(
{ options: { access: 'public' }, path: '/', validate: false },
{
options: { access: 'public' },
path: '/',
validate: false,
security: {
authz: {
enabled: false,
reason: expect.any(String),
},
},
},
expect.any(Function)
);
});

6
src/core/packages/deprecations/server-internal/src/routes/get.ts
View file

@ -14,6 +14,12 @@ export const registerGetRoute = (router: InternalDeprecationRouter) => {
router.get(
{
path: '/',
security: {
authz: {
enabled: false,
reason: 'This route delegates authorization to the Core Deprecations Client',
},
},
options: {
access: 'public',
},

6
src/core/packages/i18n/server-internal/src/routes/translations.ts
View file

@ -38,6 +38,12 @@ export const registerTranslationsRoute = ({
router.get(
{
path: routePath,
security: {
authz: {
enabled: false,
reason: 'This route is only used for serving i18n translations.',
},
},
validate: {
params: schema.object({
locale: schema.string(),

12
src/core/packages/rendering/server-internal/src/bootstrap/register_bootstrap_route.ts
View file

@ -20,6 +20,12 @@ export const registerBootstrapRoute = ({
router.get(
{
path: '/bootstrap.js',
security: {
authz: {
enabled: false,
reason: 'This route is only used for serving the bootstrap script.',
},
},
options: {
tags: ['api'],
access: 'public',
@ -43,6 +49,12 @@ export const registerBootstrapRoute = ({
router.get(
{
path: '/bootstrap-anonymous.js',
security: {
authz: {
enabled: false,
reason: 'This route is only used for serving the bootstrap script.',
},
},
options: {
authRequired: 'optional',
tags: ['api'],

6
src/core/packages/saved-objects/server-internal/src/routes/deprecations/delete_unknown_types.ts
View file

@ -24,6 +24,12 @@ export const registerDeleteUnknownTypesRoute = (
{
path: '/deprecations/_delete_unknown_types',
validate: false,
security: {
authz: {
enabled: false,
reason: 'This route delegates authorization to the Saved Objects Client',
},
},
},
catchAndReturnBoomErrors(async (context, req, res) => {
const { elasticsearch, savedObjects } = await context.core;

6
src/core/packages/status/server-internal/src/routes/status.ts
View file

@ -82,6 +82,12 @@ export const registerStatusRoute = ({
router.get(
{
path: '/api/status',
security: {
authz: {
enabled: false,
reason: 'Status route should be accessible without authorization.',
},
},
options: {
authRequired: 'optional',
// The `api` tag ensures that unauthenticated calls receive a 401 rather than a 302 redirect to login page.

11
src/core/packages/status/server-internal/src/routes/status_preboot.ts
View file

@ -15,8 +15,17 @@ export const registerPrebootStatusRoute = ({ router }: { router: IRouter }) => {
router.get(
{
path: '/api/status',
security: {
authz: {
enabled: false,
reason: 'Preboot status route should be accessible without authorization.',
},
authc: {
enabled: false,
reason: 'Preboot status route should be accessible without authentication.',
},
},
options: {
authRequired: false,
tags: ['api'],
access: 'public', // needs to be public to allow access from "system" users like k8s readiness probes.
excludeFromRateLimiter: true,

11
src/core/packages/status/server-internal/src/status_service.test.ts
View file

@ -101,12 +101,21 @@ describe('StatusService', () => {
{
path: '/api/status',
options: {
authRequired: false,
tags: ['api'],
access: 'public',
excludeFromRateLimiter: true,
},
validate: false,
security: {
authz: {
enabled: false,
reason: expect.any(String),
},
authc: {
enabled: false,
reason: expect.any(String),
},
},
},
expect.any(Function)
);

6
x-pack/platform/plugins/shared/cloud/server/routes/get_cloud_data_route.ts
View file

@ -14,6 +14,12 @@ export const setGetCloudSolutionDataRoute = ({ router }: RouteOptions) => {
router.versioned
.get({
path: `/internal/cloud/solution`,
security: {
authz: {
enabled: false,
reason: 'This route delegates authorization to the saved objects client',
},
},
access: 'internal',
summary: 'Get cloud data for solutions',
})