Unauthorized route migration for routes owned by kibana-presentation (#198329)

Migrates unauthorized routes owned by the Presentation team to a new security configuration.

(cherry picked from commit 65a75ff)
kibanamachine committed Dec 19, 2024
1 parent b79e3ac commit 221facc
Showing 21 changed files with 245 additions and 20 deletions.
Expand Up @@ -20,6 +20,13 @@ export const setupOptionsListClusterSettingsRoute = ({ http }: CoreSetup) => {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because it does not take a query, params, or a body, so there is no chance of leaking info.',
},
},
validate: false,
},
async (context, _, response) => {
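Review bot: The new `reason` string argues from the request shape (no query, params or body), but an authz opt-out governs who may read the response, so the justification should describe what the handler returns and why that is safe for every authenticated user; judging by the function name the handler returns cluster settings, and its body, which starts at the `async (context, _, response)` line, continues outside the hunk. Consider rewording along the lines of `'This route is opted out from authorization because it takes no input and only returns non-sensitive cluster settings used by the options list control.'`, after confirming against the handler that nothing beyond those settings is returned. If the settings read is itself privilege-checked on the Elasticsearch side, naming that check here would be a stronger reason than the absence of input.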
Expand Up @@ -33,6 +33,13 @@ export const setupOptionsListSuggestionsRoute = (
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because permissions will be checked by elasticsearch.',
},
},
validate: {
request: {
params: schema.object(
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/custom_elements/create.ts
Expand Up @@ -29,6 +29,13 @@ export function initializeCreateCustomElementRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: { body: CustomElementSchema },
},
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/custom_elements/delete.ts
Expand Up @@ -22,6 +22,13 @@ export function initializeDeleteCustomElementRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/custom_elements/find.ts
Expand Up @@ -20,6 +20,13 @@ export function initializeFindCustomElementsRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
query: schema.object({
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/custom_elements/get.ts
Expand Up @@ -21,6 +21,13 @@ export function initializeGetCustomElementRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/custom_elements/update.ts
Expand Up @@ -30,6 +30,13 @@ export function initializeUpdateCustomElementRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
34 changes: 27 additions & 7 deletions x-pack/plugins/canvas/server/routes/functions/functions.ts
Expand Up @@ -23,13 +23,26 @@ export function initializeGetFunctionsRoute(deps: RouteInitializerDeps) {
path: API_ROUTE_FUNCTIONS,
access: 'internal',
})
.addVersion({ version: '1', validate: false }, async (context, request, response) => {
const functions = expressions.getFunctions('canvas');
const body = JSON.stringify(functions);
return response.ok({
body,
});
});
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because it only provides non-sensitive information about functions available to Canvas.',
},
},
validate: false,
},
async (context, request, response) => {
const functions = expressions.getFunctions('canvas');
const body = JSON.stringify(functions);
return response.ok({
body,
});
}
);
}

export function initializeBatchFunctionsRoute(deps: RouteInitializerDeps) {
Expand All @@ -42,6 +55,13 @@ export function initializeBatchFunctionsRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because data source expressions that perform search operations use the Kibana search client which handles permission checking.',
},
},
validate: {
request: {
body: schema.object({
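Review bot: The `reason` added to initializeBatchFunctionsRoute covers only the search path — it says the Kibana search client performs permission checks for data-source expressions — while the route executes whichever functions the request body names (the `body: schema.object({` schema continues outside the hunk), so functions that never touch the search client are not covered by that argument. Consider stating the full boundary, e.g. `'This route is opted out from authorization because the Kibana search client performs permission checks for data-source expressions, and the remaining Canvas functions do not access privileged resources.'`, and confirm that the second clause holds for the registered function set before adopting it. The same wording question does not arise for the first hunk in this file, whose reason already describes the response contents.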
37 changes: 25 additions & 12 deletions x-pack/plugins/canvas/server/routes/shareables/download.ts
Expand Up @@ -18,16 +18,29 @@ export function initializeDownloadShareableWorkpadRoute(deps: RouteInitializerDe
path: API_ROUTE_SHAREABLE_RUNTIME_DOWNLOAD,
access: 'internal',
})
.addVersion({ version: '1', validate: false }, async (_context, _request, response) => {
// TODO: check if this is still an issue on cloud after migrating to NP
//
// The option setting is not for typical use. We're using it here to avoid
// problems in Cloud environments. See elastic/kibana#47405.
// const file = handler.file(SHAREABLE_RUNTIME_FILE, { confine: false });
const file = readFileSync(SHAREABLE_RUNTIME_FILE);
return response.ok({
headers: { 'content-type': 'application/octet-stream' },
body: file,
});
});
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because it is only serving static files.',
},
},
validate: false,
},
async (_context, _request, response) => {
// TODO: check if this is still an issue on cloud after migrating to NP
//
// The option setting is not for typical use. We're using it here to avoid
// problems in Cloud environments. See elastic/kibana#47405.
// const file = handler.file(SHAREABLE_RUNTIME_FILE, { confine: false });
const file = readFileSync(SHAREABLE_RUNTIME_FILE);
return response.ok({
headers: { 'content-type': 'application/octet-stream' },
body: file,
});
}
);
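Review bot: The `const file = readFileSync(SHAREABLE_RUNTIME_FILE);` line, now inside an `async` handler, still reads the runtime bundle synchronously on every request, which blocks the event loop for the duration of the read; `const file = await readFile(SHAREABLE_RUNTIME_FILE);` from `fs/promises` would keep the same response while letting other requests proceed. The import this needs is outside the hunk. The opt-out reason itself ("only serving static files") matches the handler, which reads a fixed path and takes no request input.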
}
12 changes: 11 additions & 1 deletion x-pack/plugins/canvas/server/routes/shareables/zip.ts
Expand Up @@ -24,7 +24,17 @@ export function initializeZipShareableWorkpadRoute(deps: RouteInitializerDeps) {
access: 'internal',
})
.addVersion(
{ version: '1', validate: { request: { body: RenderedWorkpadSchema } } },
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because it is only serving static files.',
},
},
validate: { request: { body: RenderedWorkpadSchema } },
},
async (_context, request, response) => {
const workpad = request.body;
const archive = archiver('zip');
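Review bot: The `reason` added in zip.ts ("it is only serving static files") does not describe this handler: the `validate` line accepts a `RenderedWorkpadSchema` body and the following lines build an `archiver('zip')` from `request.body`, so the route processes caller-supplied content rather than serving a static file. The opt-out may still be sound if the handler only packages the request body together with the shareable runtime, but the reason string should say that, for example `'This route is opted out from authorization because it only packages the caller-supplied rendered workpad with the static shareable runtime and does not read saved objects.'`; the rest of the handler is outside the hunk, so confirm the second clause before adopting it. A reason that mismatches the code is worse than none, because the next reader will take it as the audited justification.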
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/templates/list.ts
Expand Up @@ -21,6 +21,13 @@ export function initializeListTemplates(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: { params: schema.object({}) },
},
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/workpad/create.ts
Expand Up @@ -47,6 +47,13 @@ export function initializeCreateWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: { body: createRequestBodySchema },
},
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/workpad/delete.ts
Expand Up @@ -21,6 +21,13 @@ export function initializeDeleteWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/workpad/find.ts
Expand Up @@ -20,6 +20,13 @@ export function initializeFindWorkpadsRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
query: schema.object({
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/workpad/get.ts
Expand Up @@ -21,6 +21,13 @@ export function initializeGetWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/workpad/import.ts
Expand Up @@ -30,6 +30,13 @@ export function initializeImportWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: { body: createRequestBodySchema },
},
7 changes: 7 additions & 0 deletions x-pack/plugins/canvas/server/routes/workpad/resolve.ts
Expand Up @@ -21,6 +21,13 @@ export function initializeResolveWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
21 changes: 21 additions & 0 deletions x-pack/plugins/canvas/server/routes/workpad/update.ts
Expand Up @@ -38,6 +38,13 @@ export function initializeUpdateWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
Expand Down Expand Up @@ -71,6 +78,13 @@ export function initializeUpdateWorkpadRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({
Expand Down Expand Up @@ -109,6 +123,13 @@ export function initializeUpdateWorkpadAssetsRoute(deps: RouteInitializerDeps) {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because authorization is provided by saved objects client.',
},
},
validate: {
request: {
params: schema.object({