Authorized route migration for routes owned by security-detection-engine (#198384)

### Authz API migration for authorized routes

This PR migrates `access:<privilege>` tags used in route definitions to
new security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
Access control tags were defined in the `options` object of the route:

```ts
router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);
```

### **After migration:**
Tags have been replaced with the more robust
`security.authz.requiredPrivileges` field under `security`:

```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have tests that rely on checking `access` tags.
  - If you have snapshot tests that include the route definition.
- If you have FTR tests that rely on checking the unauthorized error
message. The error message has changed to also include the missing privileges.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com>
Kibana Machine 2024-11-06 20:34:13 +11:00 committed by GitHub
parent bde5e11526
commit bf51662b7b
16 changed files with 66 additions and 31 deletions


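--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -40,8 +40,10 @@ export const createIndexRoute = (router: SecuritySolutionPluginRouter) => {
 .post({
 path: DETECTION_ENGINE_INDEX_URL,
 access: 'public',
-options: {
-tags: ['access:securitySolution'],
+security: {
+authz: {
+requiredPrivileges: ['securitySolution'],
+},
 },
 })
 .addVersion(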
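Review bot: The single coarse privilege `securitySolution` is carried over unchanged onto read-only GET routes and onto the DELETE and alert-mutating POST routes alike (deleteIndexRoute, deleteSignalsMigrationRoute, setSignalsStatusRoute, setAlertAssigneesRoute, setAlertTagsRoute); if the plugin registers a narrower write-side privilege, the migrated `requiredPrivileges` field is the natural place to require it, but whether such a privilege exists cannot be told from this diff and is beyond a mechanical migration. Functionally, `requiredPrivileges: ['securitySolution']` re-expresses the old `access:securitySolution` tag one-to-one, so the effective authorization of this route does not change. The same observation applies to the deleteIndexRoute, readAlertsIndexExistsRoute, readIndexRoute, createSignalsMigrationRoute, deleteSignalsMigrationRoute, finalizeSignalsMigrationRoute, getSignalsMigrationStatusRoute, setSignalsStatusRoute, querySignalsRoute, setAlertAssigneesRoute, setAlertTagsRoute, legacyCreateLegacyNotificationRoute, createRuleExceptionsRoute and findRuleExceptionReferencesRoute hunks. Each route body, including the handler passed to `.addVersion(`, continues outside its hunk.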


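--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -35,8 +35,10 @@ export const deleteIndexRoute = (router: SecuritySolutionPluginRouter) => {
 .delete({
 path: DETECTION_ENGINE_INDEX_URL,
 access: 'public',
-options: {
-tags: ['access:securitySolution'],
+security: {
+authz: {
+requiredPrivileges: ['securitySolution'],
+},
 },
 })
 .addVersion(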


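--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -18,8 +18,10 @@ export const readAlertsIndexExistsRoute = (router: SecuritySolutionPluginRouter)
 .get({
 path: DETECTION_ENGINE_ALERTS_INDEX_URL,
 access: 'internal',
-options: {
-tags: ['access:securitySolution'],
+security: {
+authz: {
+requiredPrivileges: ['securitySolution'],
+},
 },
 })
 .addVersion(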


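--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -26,8 +26,10 @@ export const readIndexRoute = (
 .get({
 path: DETECTION_ENGINE_INDEX_URL,
 access: 'public',
-options: {
-tags: ['access:securitySolution'],
+security: {
+authz: {
+requiredPrivileges: ['securitySolution'],
+},
 },
 })
 .addVersion(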


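--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -24,8 +24,10 @@ export const createSignalsMigrationRoute = (router: SecuritySolutionPluginRouter
 .post({
 path: DETECTION_ENGINE_SIGNALS_MIGRATION_URL,
 access: 'public',
-options: {
-tags: ['access:securitySolution'],
+security: {
+authz: {
+requiredPrivileges: ['securitySolution'],
+},
 },
 })
 .addVersion(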


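--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -20,8 +20,10 @@ export const deleteSignalsMigrationRoute = (router: SecuritySolutionPluginRouter
 .delete({
 path: DETECTION_ENGINE_SIGNALS_MIGRATION_URL,
 access: 'public',
-options: {
-tags: ['access:securitySolution'],
+security: {
+authz: {
+requiredPrivileges: ['securitySolution'],
+},
 },
 })
 .addVersion(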


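--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -25,8 +25,10 @@ export const finalizeSignalsMigrationRoute = (
 .post({
 path: DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL,
 access: 'public',
-options: {
-tags: ['access:securitySolution'],
+security: {
+authz: {
+requiredPrivileges: ['securitySolution'],
+},
 },
 })
 .addVersion(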


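--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -23,8 +23,10 @@ export const getSignalsMigrationStatusRoute = (router: SecuritySolutionPluginRou
 .get({
 path: DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL,
 access: 'public',
-options: {
-tags: ['access:securitySolution'],
+security: {
+authz: {
+requiredPrivileges: ['securitySolution'],
+},
 },
 })
 .addVersion(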


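--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -37,8 +37,10 @@ export const setSignalsStatusRoute = (
 .post({
 path: DETECTION_ENGINE_SIGNALS_STATUS_URL,
 access: 'public',
-options: {
-tags: ['access:securitySolution'],
+security: {
+authz: {
+requiredPrivileges: ['securitySolution'],
+},
 },
 })
 .addVersion(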


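--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -23,8 +23,10 @@ export const querySignalsRoute = (
 .post({
 path: DETECTION_ENGINE_QUERY_SIGNALS_URL,
 access: 'public',
-options: {
-tags: ['access:securitySolution'],
+security: {
+authz: {
+requiredPrivileges: ['securitySolution'],
+},
 },
 })
 .addVersion(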


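--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -22,8 +22,10 @@ export const setAlertAssigneesRoute = (router: SecuritySolutionPluginRouter) =>
 .post({
 path: DETECTION_ENGINE_ALERT_ASSIGNEES_URL,
 access: 'public',
-options: {
-tags: ['access:securitySolution'],
+security: {
+authz: {
+requiredPrivileges: ['securitySolution'],
+},
 },
 })
 .addVersion(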


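--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -22,8 +22,10 @@ export const setAlertTagsRoute = (router: SecuritySolutionPluginRouter) => {
 .post({
 path: DETECTION_ENGINE_ALERT_TAGS_URL,
 access: 'public',
-options: {
-tags: ['access:securitySolution'],
+security: {
+authz: {
+requiredPrivileges: ['securitySolution'],
+},
 },
 })
 .addVersion(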


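--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -34,8 +34,10 @@ export const legacyCreateLegacyNotificationRoute = (
 .post({
 path: UPDATE_OR_CREATE_LEGACY_ACTIONS,
 access: 'internal',
-options: {
-tags: ['access:securitySolution'],
+security: {
+authz: {
+requiredPrivileges: ['securitySolution'],
+},
 },
 })
 .addVersion(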


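--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -36,8 +36,10 @@ export const createRuleExceptionsRoute = (router: SecuritySolutionPluginRouter)
 .post({
 path: CREATE_RULE_EXCEPTIONS_URL,
 access: 'public',
-options: {
-tags: ['access:securitySolution'],
+security: {
+authz: {
+requiredPrivileges: ['securitySolution'],
+},
 },
 })
 .addVersion(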


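--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -29,8 +29,10 @@ export const findRuleExceptionReferencesRoute = (router: SecuritySolutionPluginR
 .get({
 path: DETECTION_ENGINE_RULES_EXCEPTIONS_REFERENCE_URL,
 access: 'internal',
-options: {
-tags: ['access:securitySolution'],
+security: {
+authz: {
+requiredPrivileges: ['securitySolution'],
+},
 },
 })
 .addVersion(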


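--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -89,8 +89,13 @@ export const previewRulesRoute = (
 .post({
 path: DETECTION_ENGINE_RULES_PREVIEW,
 access: 'public',
+security: {
+authz: {
+requiredPrivileges: ['securitySolution'],
+},
+},
 options: {
-tags: ['access:securitySolution', routeLimitedConcurrencyTag(MAX_ROUTE_CONCURRENCY)],
+tags: [routeLimitedConcurrencyTag(MAX_ROUTE_CONCURRENCY)],
 },
 })
 .addVersion(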
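Review bot: After the move, `options.tags` keeps only the concurrency-limit tag while authorization now lives in the `security.authz` block a few lines above, and nothing marks that split for a later reader; a one-line comment on the remaining tags line, `// authz is declared in security.authz above; only non-authz tags belong here`, would keep someone from reintroducing an `access:` tag beside the concurrency tag. This is the only hunk in the commit where an `options` block survives the migration, so the comment is only needed here. previewRulesRoute's body continues outside the hunk.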