[Authz] Added justification for authz opt out for security routes (#209527)

## Summary Added justification for authz opt out for security routes. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2025-04-23 09:19:04 -04:00 · 2025-02-06 15:29:24 +01:00 · 2025-02-06 15:29:24 +01:00 · f058b50f93
commit f058b50f93
parent 3394b691b1
12 changed files with 153 additions and 12 deletions
--- a/x-pack/platform/plugins/shared/security/server/routes/authorization/reset_session_page.ts
+++ b/x-pack/platform/plugins/shared/security/server/routes/authorization/reset_session_page.ts
@ -12,7 +12,19 @@ export function resetSessionPageRoutes({ httpResources }: RouteDefinitionParams)
    {
      path: '/internal/security/reset_session_page.js',
      validate: false,
-      options: { authRequired: false, excludeFromOAS: true },
+      options: { excludeFromOAS: true },
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out from authentication because it is a host for reset session page.',
+        },
+        authc: {
+          enabled: false,
+          reason:
+            'This route is opted out from authorization because it is a host for reset session page.',
+        },
+      },
    },
    (context, request, response) => {
      return response.renderJs({
--- a/x-pack/platform/plugins/shared/security/server/routes/views/access_agreement.ts
+++ b/x-pack/platform/plugins/shared/security/server/routes/views/access_agreement.ts
@ -24,7 +24,18 @@ export function defineAccessAgreementRoutes({
  const canHandleRequest = () => license.getFeatures().allowAccessAgreement;

  httpResources.register(
-    { path: '/security/access_agreement', validate: false, options: { excludeFromOAS: true } },
+    {
+      path: '/security/access_agreement',
+      validate: false,
+      options: { excludeFromOAS: true },
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out from authorization because it requires only proper license in order to function',
+        },
+      },
+    },
    createLicensedRouteHandler(async (context, request, response) =>
      canHandleRequest()
        ? response.renderCoreApp()
--- a/x-pack/platform/plugins/shared/security/server/routes/views/account_management.ts
+++ b/x-pack/platform/plugins/shared/security/server/routes/views/account_management.ts
@ -12,7 +12,18 @@ import type { RouteDefinitionParams } from '..';
 */
 export function defineAccountManagementRoutes({ httpResources }: RouteDefinitionParams) {
  httpResources.register(
-    { path: '/security/account', validate: false, options: { excludeFromOAS: true } },
+    {
+      path: '/security/account',
+      validate: false,
+      options: { excludeFromOAS: true },
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out from authorization because it a host for the account management view.',
+        },
+      },
+    },
    (context, req, res) => res.renderCoreApp()
  );
 }
--- a/x-pack/platform/plugins/shared/security/server/routes/views/capture_url.test.ts
+++ b/x-pack/platform/plugins/shared/security/server/routes/views/capture_url.test.ts
@ -34,7 +34,17 @@ describe('Capture URL view routes', () => {
  });

  it('correctly defines route.', () => {
-    expect(routeConfig.options).toEqual({ authRequired: false, excludeFromOAS: true });
+    expect(routeConfig.options).toEqual({ excludeFromOAS: true });
+
+    expect(routeConfig.security).toEqual(
+      expect.objectContaining({
+        authc: { enabled: false, reason: expect.any(String) },
+        authz: {
+          enabled: false,
+          reason: expect.any(String),
+        },
+      })
+    );

    expect(routeConfig.validate).toEqual({
      body: undefined,
--- a/x-pack/platform/plugins/shared/security/server/routes/views/capture_url.ts
+++ b/x-pack/platform/plugins/shared/security/server/routes/views/capture_url.ts
@ -19,7 +19,19 @@ export function defineCaptureURLRoutes({ httpResources }: RouteDefinitionParams)
      validate: {
        query: schema.object({ next: schema.maybe(schema.string()) }, { unknowns: 'ignore' }),
      },
-      options: { authRequired: false, excludeFromOAS: true },
+      options: { excludeFromOAS: true },
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out from authorization because it is used for anonymous access.',
+        },
+        authc: {
+          enabled: false,
+          reason:
+            'This route is opted out from authentication because it is used for anonymous access.',
+        },
+      },
    },
    (context, request, response) => response.renderAnonymousCoreApp()
  );
--- a/x-pack/platform/plugins/shared/security/server/routes/views/logged_out.test.ts
+++ b/x-pack/platform/plugins/shared/security/server/routes/views/logged_out.test.ts
@ -35,7 +35,16 @@ describe('LoggedOut view routes', () => {
  });

  it('correctly defines route.', () => {
-    expect(routeConfig.options).toEqual({ authRequired: false, excludeFromOAS: true });
+    expect(routeConfig.options).toEqual({ excludeFromOAS: true });
+    expect(routeConfig.security).toEqual(
+      expect.objectContaining({
+        authc: { enabled: false, reason: expect.any(String) },
+        authz: {
+          enabled: false,
+          reason: expect.any(String),
+        },
+      })
+    );
    expect(routeConfig.validate).toBe(false);
  });

--- a/x-pack/platform/plugins/shared/security/server/routes/views/logged_out.ts
+++ b/x-pack/platform/plugins/shared/security/server/routes/views/logged_out.ts
@ -20,7 +20,19 @@ export function defineLoggedOutRoutes({
    {
      path: '/security/logged_out',
      validate: false,
-      options: { authRequired: false, excludeFromOAS: true },
+      options: { excludeFromOAS: true },
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out from authorization because it is a host for the logged out view.',
+        },
+        authc: {
+          enabled: false,
+          reason:
+            'This route is opted out from authentication because it is a host for the logged out view.',
+        },
+      },
    },
    async (context, request, response) => {
      // Authentication flow isn't triggered automatically for this route, so we should explicitly
--- a/x-pack/platform/plugins/shared/security/server/routes/views/login.test.ts
+++ b/x-pack/platform/plugins/shared/security/server/routes/views/login.test.ts
@ -52,7 +52,17 @@ describe('Login view routes', () => {
    });

    it('correctly defines route.', () => {
-      expect(routeConfig.options).toEqual({ authRequired: 'optional', excludeFromOAS: true });
+      expect(routeConfig.options).toEqual({ excludeFromOAS: true });
+
+      expect(routeConfig.security).toEqual(
+        expect.objectContaining({
+          authc: { enabled: 'optional' },
+          authz: {
+            enabled: false,
+            reason: expect.any(String),
+          },
+        })
+      );

      expect(routeConfig.validate).toEqual({
        body: undefined,
--- a/x-pack/platform/plugins/shared/security/server/routes/views/login.ts
+++ b/x-pack/platform/plugins/shared/security/server/routes/views/login.ts
@ -39,7 +39,16 @@ export function defineLoginRoutes({
          { unknowns: 'allow' }
        ),
      },
-      options: { authRequired: 'optional', excludeFromOAS: true },
+      options: { excludeFromOAS: true },
+      security: {
+        authc: {
+          enabled: 'optional',
+        },
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization because it is a host for login view.',
+        },
+      },
    },
    async (context, request, response) => {
      // Default to true if license isn't available or it can't be resolved for some reason.
--- a/x-pack/platform/plugins/shared/security/server/routes/views/logout.ts
+++ b/x-pack/platform/plugins/shared/security/server/routes/views/logout.ts
@ -12,7 +12,23 @@ import type { RouteDefinitionParams } from '..';
 */
 export function defineLogoutRoutes({ httpResources }: RouteDefinitionParams) {
  httpResources.register(
-    { path: '/logout', validate: false, options: { authRequired: false, excludeFromOAS: true } },
+    {
+      path: '/logout',
+      validate: false,
+      options: { excludeFromOAS: true },
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out from authorization because it is a host for the logout view.',
+        },
+        authc: {
+          enabled: false,
+          reason:
+            'This route is opted out from authentication because it is a host for the logout view.',
+        },
+      },
+    },
    (context, request, response) => response.renderAnonymousCoreApp()
  );
 }
--- a/x-pack/platform/plugins/shared/security/server/routes/views/overwritten_session.ts
+++ b/x-pack/platform/plugins/shared/security/server/routes/views/overwritten_session.ts
@ -12,7 +12,18 @@ import type { RouteDefinitionParams } from '..';
 */
 export function defineOverwrittenSessionRoutes({ httpResources }: RouteDefinitionParams) {
  httpResources.register(
-    { path: '/security/overwritten_session', validate: false, options: { excludeFromOAS: true } },
+    {
+      path: '/security/overwritten_session',
+      validate: false,
+      options: { excludeFromOAS: true },
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out from authorization because it is a host for the overwritten session view.',
+        },
+      },
+    },
    (context, req, res) => res.renderCoreApp()
  );
 }
--- a/x-pack/platform/plugins/shared/spaces/server/routes/views/index.ts
+++ b/x-pack/platform/plugins/shared/spaces/server/routes/views/index.ts
@ -20,7 +20,18 @@ export interface ViewRouteDeps {

 export function initSpacesViewsRoutes(deps: ViewRouteDeps) {
  deps.httpResources.register(
-    { path: '/spaces/space_selector', validate: false, options: { excludeFromOAS: true } },
+    {
+      path: '/spaces/space_selector',
+      validate: false,
+      options: { excludeFromOAS: true },
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out from authorization because it a host for the spaces selector view.',
+        },
+      },
+    },
    (context, request, response) => response.renderCoreApp()
  );

@ -33,6 +44,13 @@ export function initSpacesViewsRoutes(deps: ViewRouteDeps) {
        ),
      },
      options: { excludeFromOAS: true },
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'The route is opted out from authorization because it handles redirects to internal routes.',
+        },
+      },
    },
    async (context, request, response) => {
      try {