[RsponseOps][Alerting] Explicitly set access to all API routes of act…

…ions, connectors, rules, alerts, and cases plugins (#193520) ## Summary Resolves #192956 This PR adds - `access: internal` option to internal routes - `access: public` option to public routes It which will help restrict access of internal routes and allow users to access all public routes. This PR updates api routes of following `x-pack/plugins` - actions - alerting - cases - rule_registry - stack_connectors - triggers_actions_ui (cherry picked from commit 9c78643)
elastic · Sep 26, 2024 · 0fc2bc2 · 0fc2bc2
1 parent e0fca2a
commit 0fc2bc2
Show file tree

Hide file tree

Showing 128 changed files with 524 additions and 41 deletions.
diff --git a/x-pack/plugins/actions/server/routes/connector/get_all_system/get_all_system.ts b/x-pack/plugins/actions/server/routes/connector/get_all_system/get_all_system.ts
@@ -21,6 +21,9 @@ export const getAllConnectorsIncludingSystemRoute = (
     {
       path: `${INTERNAL_BASE_ACTION_API_PATH}/connectors`,
       validate: {},
+      options: {
+        access: 'internal',
+      },
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {

diff --git a/x-pack/plugins/actions/server/routes/connector/list_types_system/list_types_system.ts b/x-pack/plugins/actions/server/routes/connector/list_types_system/list_types_system.ts
@@ -27,6 +27,9 @@ export const listTypesWithSystemRoute = (
       validate: {
         query: connectorTypesQuerySchemaV1,
       },
+      options: {
+        access: 'internal',
+      },
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {

diff --git a/x-pack/plugins/actions/server/routes/get_global_execution_kpi.ts b/x-pack/plugins/actions/server/routes/get_global_execution_kpi.ts
@@ -45,6 +45,9 @@ export const getGlobalExecutionKPIRoute = (
       validate: {
         body: bodySchema,
       },
+      options: {
+        access: 'internal',
+      },
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {

diff --git a/x-pack/plugins/actions/server/routes/get_global_execution_logs.ts b/x-pack/plugins/actions/server/routes/get_global_execution_logs.ts
@@ -57,6 +57,9 @@ export const getGlobalExecutionLogRoute = (
       validate: {
         body: bodySchema,
       },
+      options: {
+        access: 'internal',
+      },
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {

diff --git a/x-pack/plugins/actions/server/routes/get_oauth_access_token.ts b/x-pack/plugins/actions/server/routes/get_oauth_access_token.ts
@@ -66,6 +66,9 @@ export const getOAuthAccessToken = (
       validate: {
         body: bodySchema,
       },
+      options: {
+        access: 'internal',
+      },
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {

diff --git a/x-pack/plugins/alerting/server/plugin.ts b/x-pack/plugins/alerting/server/plugin.ts
@@ -409,6 +409,7 @@ export class AlertingPlugin {
       getAlertIndicesAlias: createGetAlertIndicesAliasFn(this.ruleTypeRegistry!),
       encryptedSavedObjects: plugins.encryptedSavedObjects,
       config$: plugins.unifiedSearch.autocomplete.getInitializerContextConfig().create(),
+      isServerless: !!plugins.serverless,
     });
 
     return {

diff --git a/x-pack/plugins/alerting/server/routes/backfill/apis/delete/delete_backfill_route.ts b/x-pack/plugins/alerting/server/routes/backfill/apis/delete/delete_backfill_route.ts
@@ -20,6 +20,9 @@ export const deleteBackfillRoute = (
   router.delete(
     {
       path: `${INTERNAL_BASE_ALERTING_API_PATH}/rules/backfill/{id}`,
+      options: {
+        access: 'internal',
+      },
       validate: {
         params: deleteParamsSchemaV1,
       },

diff --git a/x-pack/plugins/alerting/server/routes/backfill/apis/find/find_backfill_route.ts b/x-pack/plugins/alerting/server/routes/backfill/apis/find/find_backfill_route.ts
@@ -28,6 +28,9 @@ export const findBackfillRoute = (
       validate: {
         query: findQuerySchemaV1,
       },
+      options: {
+        access: 'internal',
+      },
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {

diff --git a/x-pack/plugins/alerting/server/routes/backfill/apis/get/get_backfill_route.ts b/x-pack/plugins/alerting/server/routes/backfill/apis/get/get_backfill_route.ts
@@ -22,6 +22,9 @@ export const getBackfillRoute = (
   router.get(
     {
       path: `${INTERNAL_BASE_ALERTING_API_PATH}/rules/backfill/{id}`,
+      options: {
+        access: 'internal',
+      },
       validate: {
         params: getParamsSchemaV1,
       },

diff --git a/x-pack/plugins/alerting/server/routes/backfill/apis/schedule/schedule_backfill_route.ts b/x-pack/plugins/alerting/server/routes/backfill/apis/schedule/schedule_backfill_route.ts
@@ -22,6 +22,7 @@ export const scheduleBackfillRoute = (
   router.post(
     {
       path: `${INTERNAL_BASE_ALERTING_API_PATH}/rules/backfill/_schedule`,
+      options: { access: 'internal' },
       validate: {
         body: scheduleBodySchemaV1,
       },

diff --git a/x-pack/plugins/alerting/server/routes/get_action_error_log.ts b/x-pack/plugins/alerting/server/routes/get_action_error_log.ts
@@ -63,6 +63,9 @@ export const getActionErrorLogRoute = (
         params: paramSchema,
         query: querySchema,
       },
+      options: {
+        access: 'internal',
+      },
     },
     router.handleLegacyErrors(
       verifyAccessAndContext(licenseState, async function (context, req, res) {

diff --git a/x-pack/plugins/alerting/server/routes/get_flapping_settings.test.ts b/x-pack/plugins/alerting/server/routes/get_flapping_settings.test.ts
@@ -37,6 +37,7 @@ describe('getFlappingSettingsRoute', () => {
     expect(config).toMatchInlineSnapshot(`
       Object {
         "options": Object {
+          "access": "internal",
           "tags": Array [
             "access:read-flapping-settings",
           ],

diff --git a/x-pack/plugins/alerting/server/routes/get_flapping_settings.ts b/x-pack/plugins/alerting/server/routes/get_flapping_settings.ts
@@ -38,6 +38,7 @@ export const getFlappingSettingsRoute = (
       path: `${INTERNAL_BASE_ALERTING_API_PATH}/rules/settings/_flapping`,
       validate: false,
       options: {
+        access: 'internal',
         tags: [`access:${API_PRIVILEGES.READ_FLAPPING_SETTINGS}`],
       },
     },

diff --git a/x-pack/plugins/alerting/server/routes/get_global_execution_kpi.ts b/x-pack/plugins/alerting/server/routes/get_global_execution_kpi.ts
@@ -37,6 +37,9 @@ export const getGlobalExecutionKPIRoute = (
   router.get(
     {
       path: `${INTERNAL_BASE_ALERTING_API_PATH}/_global_execution_kpi`,
+      options: {
+        access: 'internal',
+      },
       validate: {
         query: querySchema,
       },

diff --git a/x-pack/plugins/alerting/server/routes/get_global_execution_logs.ts b/x-pack/plugins/alerting/server/routes/get_global_execution_logs.ts
@@ -62,6 +62,9 @@ export const getGlobalExecutionLogRoute = (
   router.get(
     {
       path: `${INTERNAL_BASE_ALERTING_API_PATH}/_global_execution_logs`,
+      options: {
+        access: 'internal',
+      },
       validate: {
         query: querySchema,
       },

diff --git a/x-pack/plugins/alerting/server/routes/get_rule_alert_summary.ts b/x-pack/plugins/alerting/server/routes/get_rule_alert_summary.ts
@@ -65,6 +65,9 @@ export const getRuleAlertSummaryRoute = (
   router.get(
     {
       path: `${INTERNAL_BASE_ALERTING_API_PATH}/rule/{id}/_alert_summary`,
+      options: {
+        access: 'internal',
+      },
       validate: {
         params: paramSchema,
         query: querySchema,

diff --git a/x-pack/plugins/alerting/server/routes/get_rule_execution_kpi.ts b/x-pack/plugins/alerting/server/routes/get_rule_execution_kpi.ts
@@ -38,6 +38,9 @@ export const getRuleExecutionKPIRoute = (
   router.get(
     {
       path: `${INTERNAL_BASE_ALERTING_API_PATH}/rule/{id}/_execution_kpi`,
+      options: {
+        access: 'internal',
+      },
       validate: {
         params: paramSchema,
         query: querySchema,

diff --git a/x-pack/plugins/alerting/server/routes/get_rule_execution_log.ts b/x-pack/plugins/alerting/server/routes/get_rule_execution_log.ts
@@ -63,6 +63,9 @@ export const getRuleExecutionLogRoute = (
   router.get(
     {
       path: `${INTERNAL_BASE_ALERTING_API_PATH}/rule/{id}/_execution_log`,
+      options: {
+        access: 'internal',
+      },
       validate: {
         params: paramSchema,
         query: querySchema,

diff --git a/x-pack/plugins/alerting/server/routes/get_rule_state.ts b/x-pack/plugins/alerting/server/routes/get_rule_state.ts
@@ -38,6 +38,9 @@ export const getRuleStateRoute = (
   router.get(
     {
       path: `${INTERNAL_BASE_ALERTING_API_PATH}/rule/{id}/state`,
+      options: {
+        access: 'internal',
+      },
       validate: {
         params: paramSchema,
       },

diff --git a/x-pack/plugins/alerting/server/routes/index.ts b/x-pack/plugins/alerting/server/routes/index.ts
@@ -79,6 +79,7 @@ export interface RouteOptions {
   getAlertIndicesAlias?: GetAlertIndicesAlias;
   usageCounter?: UsageCounter;
   config$?: Observable<ConfigSchema>;
+  isServerless?: boolean;
 }
 
 export function defineRoutes(opts: RouteOptions) {

diff --git a/x-pack/plugins/alerting/server/routes/legacy/create.test.ts b/x-pack/plugins/alerting/server/routes/legacy/create.test.ts
@@ -110,6 +110,8 @@ describe('createAlertRoute', () => {
 
     expect(config.path).toMatchInlineSnapshot(`"/api/alerts/alert/{id?}"`);
 
+    expect(config.options?.access).toBe('public');
+
     rulesClient.create.mockResolvedValueOnce(createResult);
 
     const [context, req, res] = mockHandlerArguments(
@@ -164,6 +166,28 @@ describe('createAlertRoute', () => {
     });
   });
 
+  it('should have internal access for serverless', async () => {
+    const licenseState = licenseStateMock.create();
+    const router = httpServiceMock.createRouter();
+    const encryptedSavedObjects = encryptedSavedObjectsMock.createSetup({ canEncrypt: true });
+    const mockUsageCountersSetup = usageCountersServiceMock.createSetupContract();
+    const mockUsageCounter = mockUsageCountersSetup.createUsageCounter('test');
+
+    createAlertRoute({
+      router,
+      licenseState,
+      encryptedSavedObjects,
+      usageCounter: mockUsageCounter,
+      isServerless: true,
+    });
+
+    const [config] = router.post.mock.calls[0];
+
+    expect(config.path).toMatchInlineSnapshot(`"/api/alerts/alert/{id?}"`);
+
+    expect(config.options?.access).toBe('internal');
+  });
+
   it('allows providing a custom id when space is undefined', async () => {
     const expectedResult = {
       ...createResult,

diff --git a/x-pack/plugins/alerting/server/routes/legacy/create.ts b/x-pack/plugins/alerting/server/routes/legacy/create.ts
@@ -44,7 +44,12 @@ export const bodySchema = schema.object({
   notifyWhen: schema.nullable(schema.string({ validate: validateNotifyWhenType })),
 });
 
-export const createAlertRoute = ({ router, licenseState, usageCounter }: RouteOptions) => {
+export const createAlertRoute = ({
+  router,
+  licenseState,
+  usageCounter,
+  isServerless,
+}: RouteOptions) => {
   router.post(
     {
       path: `${LEGACY_BASE_ALERT_API_PATH}/alert/{id?}`,
@@ -57,6 +62,7 @@ export const createAlertRoute = ({ router, licenseState, usageCounter }: RouteOp
         body: bodySchema,
       },
       options: {
+        access: isServerless ? 'internal' : 'public',
         summary: 'Create an alert',
         tags: ['oas-tag:alerting'],
         deprecated: true,

diff --git a/x-pack/plugins/alerting/server/routes/legacy/delete.test.ts b/x-pack/plugins/alerting/server/routes/legacy/delete.test.ts
@@ -38,6 +38,7 @@ describe('deleteAlertRoute', () => {
     const [config, handler] = router.delete.mock.calls[0];
 
     expect(config.path).toMatchInlineSnapshot(`"/api/alerts/alert/{id}"`);
+    expect(config.options?.access).toBe('public');
 
     rulesClient.delete.mockResolvedValueOnce({});
 
@@ -65,6 +66,18 @@ describe('deleteAlertRoute', () => {
     expect(res.noContent).toHaveBeenCalled();
   });
 
+  it('should have internal access for serverless', async () => {
+    const licenseState = licenseStateMock.create();
+    const router = httpServiceMock.createRouter();
+
+    deleteAlertRoute(router, licenseState, undefined, true);
+
+    const [config] = router.delete.mock.calls[0];
+
+    expect(config.path).toMatchInlineSnapshot(`"/api/alerts/alert/{id}"`);
+    expect(config.options?.access).toBe('internal');
+  });
+
   it('ensures the license allows deleting alerts', async () => {
     const licenseState = licenseStateMock.create();
     const router = httpServiceMock.createRouter();

diff --git a/x-pack/plugins/alerting/server/routes/legacy/delete.ts b/x-pack/plugins/alerting/server/routes/legacy/delete.ts
@@ -20,7 +20,8 @@ const paramSchema = schema.object({
 export const deleteAlertRoute = (
   router: AlertingRouter,
   licenseState: ILicenseState,
-  usageCounter?: UsageCounter
+  usageCounter?: UsageCounter,
+  isServerless?: boolean
 ) => {
   router.delete(
     {
@@ -29,6 +30,7 @@ export const deleteAlertRoute = (
         params: paramSchema,
       },
       options: {
+        access: isServerless ? 'internal' : 'public',
         summary: 'Delete an alert',
         tags: ['oas-tag:alerting'],
         deprecated: true,

diff --git a/x-pack/plugins/alerting/server/routes/legacy/disable.test.ts b/x-pack/plugins/alerting/server/routes/legacy/disable.test.ts
@@ -37,6 +37,7 @@ describe('disableAlertRoute', () => {
     const [config, handler] = router.post.mock.calls[0];
 
     expect(config.path).toMatchInlineSnapshot(`"/api/alerts/alert/{id}/_disable"`);
+    expect(config.options?.access).toBe('public');
 
     rulesClient.disableRule.mockResolvedValueOnce();
 
@@ -64,6 +65,18 @@ describe('disableAlertRoute', () => {
     expect(res.noContent).toHaveBeenCalled();
   });
 
+  it('should have internal access for serverless', async () => {
+    const licenseState = licenseStateMock.create();
+    const router = httpServiceMock.createRouter();
+
+    disableAlertRoute(router, licenseState, undefined, true);
+
+    const [config] = router.post.mock.calls[0];
+
+    expect(config.path).toMatchInlineSnapshot(`"/api/alerts/alert/{id}/_disable"`);
+    expect(config.options?.access).toBe('internal');
+  });
+
   it('ensures the alert type gets validated for the license', async () => {
     const licenseState = licenseStateMock.create();
     const router = httpServiceMock.createRouter();

diff --git a/x-pack/plugins/alerting/server/routes/legacy/disable.ts b/x-pack/plugins/alerting/server/routes/legacy/disable.ts
@@ -21,7 +21,8 @@ const paramSchema = schema.object({
 export const disableAlertRoute = (
   router: AlertingRouter,
   licenseState: ILicenseState,
-  usageCounter?: UsageCounter
+  usageCounter?: UsageCounter,
+  isServerless?: boolean
 ) => {
   router.post(
     {
@@ -30,6 +31,7 @@ export const disableAlertRoute = (
         params: paramSchema,
       },
       options: {
+        access: isServerless ? 'internal' : 'public',
         summary: 'Disable an alert',
         tags: ['oas-tag:alerting'],
         deprecated: true,

diff --git a/x-pack/plugins/alerting/server/routes/legacy/enable.test.ts b/x-pack/plugins/alerting/server/routes/legacy/enable.test.ts
@@ -37,6 +37,7 @@ describe('enableAlertRoute', () => {
     const [config, handler] = router.post.mock.calls[0];
 
     expect(config.path).toMatchInlineSnapshot(`"/api/alerts/alert/{id}/_enable"`);
+    expect(config.options?.access).toBe('public');
 
     rulesClient.enableRule.mockResolvedValueOnce();
 
@@ -64,6 +65,18 @@ describe('enableAlertRoute', () => {
     expect(res.noContent).toHaveBeenCalled();
   });
 
+  it('should have internal access for serverless', async () => {
+    const licenseState = licenseStateMock.create();
+    const router = httpServiceMock.createRouter();
+
+    enableAlertRoute(router, licenseState, undefined, true);
+
+    const [config] = router.post.mock.calls[0];
+
+    expect(config.path).toMatchInlineSnapshot(`"/api/alerts/alert/{id}/_enable"`);
+    expect(config.options?.access).toBe('internal');
+  });
+
   it('ensures the alert type gets validated for the license', async () => {
     const licenseState = licenseStateMock.create();
     const router = httpServiceMock.createRouter();

diff --git a/x-pack/plugins/alerting/server/routes/legacy/enable.ts b/x-pack/plugins/alerting/server/routes/legacy/enable.ts
@@ -22,7 +22,8 @@ const paramSchema = schema.object({
 export const enableAlertRoute = (
   router: AlertingRouter,
   licenseState: ILicenseState,
-  usageCounter?: UsageCounter
+  usageCounter?: UsageCounter,
+  isServerless?: boolean
 ) => {
   router.post(
     {
@@ -31,6 +32,7 @@ export const enableAlertRoute = (
         params: paramSchema,
       },
       options: {
+        access: isServerless ? 'internal' : 'public',
         summary: 'Enable an alert',
         tags: ['oas-tag:alerting'],
         deprecated: true,