[8.x] [RsponseOps][Alerting] Explicitly set access to all API routes …

…of actions, connectors, rules, alerts, and cases plugins (#193520) (#194111)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[RsponseOps][Alerting] Explicitly set access to all API routes of
actions, connectors, rules, alerts, and cases plugins
(#193520)](#193520)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Janki
Salvi","email":"117571355+js-jankisalvi@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-09-26T10:00:08Z","message":"[RsponseOps][Alerting]
Explicitly set access to all API routes of actions, connectors, rules,
alerts, and cases plugins (#193520)\n\n## Summary\r\nResolves
#192956 PR adds \r\n-
`access: internal` option to internal routes \r\n- `access: public`
option to public routes \r\n\r\nIt which will help restrict access of
internal routes and allow users to\r\naccess all public
routes.\r\n\r\nThis PR updates api routes of following
`x-pack/plugins`\r\n- actions\r\n- alerting\r\n- cases\r\n-
rule_registry\r\n- stack_connectors\r\n-
triggers_actions_ui","sha":"9c7864309ce1c5a3d085151e3b67d1635bc558c8","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:ResponseOps","v9.0.0","backport:prev-minor","v8.16.0"],"title":"[RsponseOps][Alerting]
Explicitly set access to all API routes of actions, connectors, rules,
alerts, and cases
plugins","number":193520,"url":"#193520
Explicitly set access to all API routes of actions, connectors, rules,
alerts, and cases plugins (#193520)\n\n## Summary\r\nResolves
#192956 PR adds \r\n-
`access: internal` option to internal routes \r\n- `access: public`
option to public routes \r\n\r\nIt which will help restrict access of
internal routes and allow users to\r\naccess all public
routes.\r\n\r\nThis PR updates api routes of following
`x-pack/plugins`\r\n- actions\r\n- alerting\r\n- cases\r\n-
rule_registry\r\n- stack_connectors\r\n-
triggers_actions_ui","sha":"9c7864309ce1c5a3d085151e3b67d1635bc558c8"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"#193520
Explicitly set access to all API routes of actions, connectors, rules,
alerts, and cases plugins (#193520)\n\n## Summary\r\nResolves
#192956 PR adds \r\n-
`access: internal` option to internal routes \r\n- `access: public`
option to public routes \r\n\r\nIt which will help restrict access of
internal routes and allow users to\r\naccess all public
routes.\r\n\r\nThis PR updates api routes of following
`x-pack/plugins`\r\n- actions\r\n- alerting\r\n- cases\r\n-
rule_registry\r\n- stack_connectors\r\n-
triggers_actions_ui","sha":"9c7864309ce1c5a3d085151e3b67d1635bc558c8"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Janki Salvi <117571355+js-jankisalvi@users.noreply.github.com>

x-pack/plugins/actions/server/routes/connector/get_all_system/get_all_system.ts

@@ -21,6 +21,9 @@ export const getAllConnectorsIncludingSystemRoute = (
  {
  path: `${INTERNAL_BASE_ACTION_API_PATH}/connectors`,
  validate: {},
+ options: {
+ access: 'internal',
+ },
  },
  router.handleLegacyErrors(
  verifyAccessAndContext(licenseState, async function (context, req, res) {

x-pack/plugins/actions/server/routes/connector/list_types_system/list_types_system.ts

@@ -27,6 +27,9 @@ export const listTypesWithSystemRoute = (
  validate: {
  query: connectorTypesQuerySchemaV1,
  },
+ options: {
+ access: 'internal',
+ },
  },
  router.handleLegacyErrors(
  verifyAccessAndContext(licenseState, async function (context, req, res) {

x-pack/plugins/actions/server/routes/get_global_execution_kpi.ts

@@ -45,6 +45,9 @@ export const getGlobalExecutionKPIRoute = (
  validate: {
  body: bodySchema,
  },
+ options: {
+ access: 'internal',
+ },
  },
  router.handleLegacyErrors(
  verifyAccessAndContext(licenseState, async function (context, req, res) {

x-pack/plugins/actions/server/routes/get_global_execution_logs.ts

@@ -57,6 +57,9 @@ export const getGlobalExecutionLogRoute = (
  validate: {
  body: bodySchema,
  },
+ options: {
+ access: 'internal',
+ },
  },
  router.handleLegacyErrors(
  verifyAccessAndContext(licenseState, async function (context, req, res) {

x-pack/plugins/actions/server/routes/get_oauth_access_token.ts

@@ -66,6 +66,9 @@ export const getOAuthAccessToken = (
  validate: {
  body: bodySchema,
  },
+ options: {
+ access: 'internal',
+ },
  },
  router.handleLegacyErrors(
  verifyAccessAndContext(licenseState, async function (context, req, res) {

x-pack/plugins/alerting/server/plugin.ts

@@ -409,6 +409,7 @@ export class AlertingPlugin {
  getAlertIndicesAlias: createGetAlertIndicesAliasFn(this.ruleTypeRegistry!),
  encryptedSavedObjects: plugins.encryptedSavedObjects,
  config$: plugins.unifiedSearch.autocomplete.getInitializerContextConfig().create(),
+ isServerless: !!plugins.serverless,
  });
 
  return {

x-pack/plugins/alerting/server/routes/backfill/apis/delete/delete_backfill_route.ts

@@ -20,6 +20,9 @@ export const deleteBackfillRoute = (
  router.delete(
  {
  path: `${INTERNAL_BASE_ALERTING_API_PATH}/rules/backfill/{id}`,
+ options: {
+ access: 'internal',
+ },
  validate: {
  params: deleteParamsSchemaV1,
  },

x-pack/plugins/alerting/server/routes/backfill/apis/find/find_backfill_route.ts

@@ -28,6 +28,9 @@ export const findBackfillRoute = (
  validate: {
  query: findQuerySchemaV1,
  },
+ options: {
+ access: 'internal',
+ },
  },
  router.handleLegacyErrors(
  verifyAccessAndContext(licenseState, async function (context, req, res) {

x-pack/plugins/alerting/server/routes/backfill/apis/get/get_backfill_route.ts

@@ -22,6 +22,9 @@ export const getBackfillRoute = (
  router.get(
  {
  path: `${INTERNAL_BASE_ALERTING_API_PATH}/rules/backfill/{id}`,
+ options: {
+ access: 'internal',
+ },
  validate: {
  params: getParamsSchemaV1,
  },

x-pack/plugins/alerting/server/routes/backfill/apis/schedule/schedule_backfill_route.ts

@@ -22,6 +22,7 @@ export const scheduleBackfillRoute = (
  router.post(
  {
  path: `${INTERNAL_BASE_ALERTING_API_PATH}/rules/backfill/_schedule`,
+ options: { access: 'internal' },
  validate: {
  body: scheduleBodySchemaV1,
  },

x-pack/plugins/alerting/server/routes/get_action_error_log.ts

@@ -63,6 +63,9 @@ export const getActionErrorLogRoute = (
  params: paramSchema,
  query: querySchema,
  },
+ options: {
+ access: 'internal',
+ },
  },
  router.handleLegacyErrors(
  verifyAccessAndContext(licenseState, async function (context, req, res) {

x-pack/plugins/alerting/server/routes/get_flapping_settings.test.ts

@@ -37,6 +37,7 @@ describe('getFlappingSettingsRoute', () => {
  expect(config).toMatchInlineSnapshot(`
  Object {
  "options": Object {
+ "access": "internal",
  "tags": Array [
  "access:read-flapping-settings",
  ],

x-pack/plugins/alerting/server/routes/get_flapping_settings.ts

@@ -38,6 +38,7 @@ export const getFlappingSettingsRoute = (
  path: `${INTERNAL_BASE_ALERTING_API_PATH}/rules/settings/_flapping`,
  validate: false,
  options: {
+ access: 'internal',
  tags: [`access:${API_PRIVILEGES.READ_FLAPPING_SETTINGS}`],
  },
  },

x-pack/plugins/alerting/server/routes/get_global_execution_kpi.ts

@@ -37,6 +37,9 @@ export const getGlobalExecutionKPIRoute = (
  router.get(
  {
  path: `${INTERNAL_BASE_ALERTING_API_PATH}/_global_execution_kpi`,
+ options: {
+ access: 'internal',
+ },
  validate: {
  query: querySchema,
  },

x-pack/plugins/alerting/server/routes/get_global_execution_logs.ts

@@ -62,6 +62,9 @@ export const getGlobalExecutionLogRoute = (
  router.get(
  {
  path: `${INTERNAL_BASE_ALERTING_API_PATH}/_global_execution_logs`,
+ options: {
+ access: 'internal',
+ },
  validate: {
  query: querySchema,
  },

x-pack/plugins/alerting/server/routes/get_rule_alert_summary.ts

@@ -65,6 +65,9 @@ export const getRuleAlertSummaryRoute = (
  router.get(
  {
  path: `${INTERNAL_BASE_ALERTING_API_PATH}/rule/{id}/_alert_summary`,
+ options: {
+ access: 'internal',
+ },
  validate: {
  params: paramSchema,
  query: querySchema,

x-pack/plugins/alerting/server/routes/get_rule_execution_kpi.ts

@@ -38,6 +38,9 @@ export const getRuleExecutionKPIRoute = (
  router.get(
  {
  path: `${INTERNAL_BASE_ALERTING_API_PATH}/rule/{id}/_execution_kpi`,
+ options: {
+ access: 'internal',
+ },
  validate: {
  params: paramSchema,
  query: querySchema,

x-pack/plugins/alerting/server/routes/get_rule_execution_log.ts

@@ -63,6 +63,9 @@ export const getRuleExecutionLogRoute = (
  router.get(
  {
  path: `${INTERNAL_BASE_ALERTING_API_PATH}/rule/{id}/_execution_log`,
+ options: {
+ access: 'internal',
+ },
  validate: {
  params: paramSchema,
  query: querySchema,

x-pack/plugins/alerting/server/routes/get_rule_state.ts

@@ -38,6 +38,9 @@ export const getRuleStateRoute = (
  router.get(
  {
  path: `${INTERNAL_BASE_ALERTING_API_PATH}/rule/{id}/state`,
+ options: {
+ access: 'internal',
+ },
  validate: {
  params: paramSchema,
  },

x-pack/plugins/alerting/server/routes/index.ts

@@ -79,6 +79,7 @@ export interface RouteOptions {
  getAlertIndicesAlias?: GetAlertIndicesAlias;
  usageCounter?: UsageCounter;
  config$?: Observable<ConfigSchema>;
+ isServerless?: boolean;
 }
 
 export function defineRoutes(opts: RouteOptions) {

x-pack/plugins/alerting/server/routes/legacy/create.test.ts

@@ -110,6 +110,8 @@ describe('createAlertRoute', () => {
 
  expect(config.path).toMatchInlineSnapshot(`"/api/alerts/alert/{id?}"`);
 
+ expect(config.options?.access).toBe('public');
+
  rulesClient.create.mockResolvedValueOnce(createResult);
 
  const [context, req, res] = mockHandlerArguments(
@@ -164,6 +166,28 @@ describe('createAlertRoute', () => {
  });
  });
 
+ it('should have internal access for serverless', async () => {
+ const licenseState = licenseStateMock.create();
+ const router = httpServiceMock.createRouter();
+ const encryptedSavedObjects = encryptedSavedObjectsMock.createSetup({ canEncrypt: true });
+ const mockUsageCountersSetup = usageCountersServiceMock.createSetupContract();
+ const mockUsageCounter = mockUsageCountersSetup.createUsageCounter('test');
+
+ createAlertRoute({
+ router,
+ licenseState,
+ encryptedSavedObjects,
+ usageCounter: mockUsageCounter,
+ isServerless: true,
+ });
+
+ const [config] = router.post.mock.calls[0];
+
+ expect(config.path).toMatchInlineSnapshot(`"/api/alerts/alert/{id?}"`);
+
+ expect(config.options?.access).toBe('internal');
+ });
+
  it('allows providing a custom id when space is undefined', async () => {
  const expectedResult = {
  ...createResult,

x-pack/plugins/alerting/server/routes/legacy/create.ts

@@ -44,7 +44,12 @@ export const bodySchema = schema.object({
  notifyWhen: schema.nullable(schema.string({ validate: validateNotifyWhenType })),
 });
 
-export const createAlertRoute = ({ router, licenseState, usageCounter }: RouteOptions) => {
+export const createAlertRoute = ({
+ router,
+ licenseState,
+ usageCounter,
+ isServerless,
+}: RouteOptions) => {
  router.post(
  {
  path: `${LEGACY_BASE_ALERT_API_PATH}/alert/{id?}`,
@@ -57,6 +62,7 @@ export const createAlertRoute = ({ router, licenseState, usageCounter }: RouteOp
  body: bodySchema,
  },
  options: {
+ access: isServerless ? 'internal' : 'public',
  summary: 'Create an alert',
  tags: ['oas-tag:alerting'],
  deprecated: true,

x-pack/plugins/alerting/server/routes/legacy/delete.test.ts

@@ -38,6 +38,7 @@ describe('deleteAlertRoute', () => {
  const [config, handler] = router.delete.mock.calls[0];
 
  expect(config.path).toMatchInlineSnapshot(`"/api/alerts/alert/{id}"`);
+ expect(config.options?.access).toBe('public');
 
  rulesClient.delete.mockResolvedValueOnce({});
 
@@ -65,6 +66,18 @@ describe('deleteAlertRoute', () => {
  expect(res.noContent).toHaveBeenCalled();
  });
 
+ it('should have internal access for serverless', async () => {
+ const licenseState = licenseStateMock.create();
+ const router = httpServiceMock.createRouter();
+
+ deleteAlertRoute(router, licenseState, undefined, true);
+
+ const [config] = router.delete.mock.calls[0];
+
+ expect(config.path).toMatchInlineSnapshot(`"/api/alerts/alert/{id}"`);
+ expect(config.options?.access).toBe('internal');
+ });
+
  it('ensures the license allows deleting alerts', async () => {
  const licenseState = licenseStateMock.create();
  const router = httpServiceMock.createRouter();

x-pack/plugins/alerting/server/routes/legacy/delete.ts

@@ -20,7 +20,8 @@ const paramSchema = schema.object({
 export const deleteAlertRoute = (
  router: AlertingRouter,
  licenseState: ILicenseState,
- usageCounter?: UsageCounter
+ usageCounter?: UsageCounter,
+ isServerless?: boolean
 ) => {
  router.delete(
  {
@@ -29,6 +30,7 @@ export const deleteAlertRoute = (
  params: paramSchema,
  },
  options: {
+ access: isServerless ? 'internal' : 'public',
  summary: 'Delete an alert',
  tags: ['oas-tag:alerting'],
  deprecated: true,

x-pack/plugins/alerting/server/routes/legacy/disable.test.ts

@@ -37,6 +37,7 @@ describe('disableAlertRoute', () => {
  const [config, handler] = router.post.mock.calls[0];
 
  expect(config.path).toMatchInlineSnapshot(`"/api/alerts/alert/{id}/_disable"`);
+ expect(config.options?.access).toBe('public');
 
  rulesClient.disableRule.mockResolvedValueOnce();
 
@@ -64,6 +65,18 @@ describe('disableAlertRoute', () => {
  expect(res.noContent).toHaveBeenCalled();
  });
 
+ it('should have internal access for serverless', async () => {
+ const licenseState = licenseStateMock.create();
+ const router = httpServiceMock.createRouter();
+
+ disableAlertRoute(router, licenseState, undefined, true);
+
+ const [config] = router.post.mock.calls[0];
+
+ expect(config.path).toMatchInlineSnapshot(`"/api/alerts/alert/{id}/_disable"`);
+ expect(config.options?.access).toBe('internal');
+ });
+
  it('ensures the alert type gets validated for the license', async () => {
  const licenseState = licenseStateMock.create();
  const router = httpServiceMock.createRouter();

x-pack/plugins/alerting/server/routes/legacy/disable.ts

@@ -21,7 +21,8 @@ const paramSchema = schema.object({
 export const disableAlertRoute = (
  router: AlertingRouter,
  licenseState: ILicenseState,
- usageCounter?: UsageCounter
+ usageCounter?: UsageCounter,
+ isServerless?: boolean
 ) => {
  router.post(
  {
@@ -30,6 +31,7 @@ export const disableAlertRoute = (
  params: paramSchema,
  },
  options: {
+ access: isServerless ? 'internal' : 'public',
  summary: 'Disable an alert',
  tags: ['oas-tag:alerting'],
  deprecated: true,

x-pack/plugins/alerting/server/routes/legacy/enable.test.ts

@@ -37,6 +37,7 @@ describe('enableAlertRoute', () => {
  const [config, handler] = router.post.mock.calls[0];
 
  expect(config.path).toMatchInlineSnapshot(`"/api/alerts/alert/{id}/_enable"`);
+ expect(config.options?.access).toBe('public');
 
  rulesClient.enableRule.mockResolvedValueOnce();
 
@@ -64,6 +65,18 @@ describe('enableAlertRoute', () => {
  expect(res.noContent).toHaveBeenCalled();
  });
 
+ it('should have internal access for serverless', async () => {
+ const licenseState = licenseStateMock.create();
+ const router = httpServiceMock.createRouter();
+
+ enableAlertRoute(router, licenseState, undefined, true);
+
+ const [config] = router.post.mock.calls[0];
+
+ expect(config.path).toMatchInlineSnapshot(`"/api/alerts/alert/{id}/_enable"`);
+ expect(config.options?.access).toBe('internal');
+ });
+
  it('ensures the alert type gets validated for the license', async () => {
  const licenseState = licenseStateMock.create();
  const router = httpServiceMock.createRouter();

x-pack/plugins/alerting/server/routes/legacy/enable.ts

@@ -22,7 +22,8 @@ const paramSchema = schema.object({
 export const enableAlertRoute = (
  router: AlertingRouter,
  licenseState: ILicenseState,
- usageCounter?: UsageCounter
+ usageCounter?: UsageCounter,
+ isServerless?: boolean
 ) => {
  router.post(
  {
@@ -31,6 +32,7 @@ export const enableAlertRoute = (
  params: paramSchema,
  },
  options: {
+ access: isServerless ? 'internal' : 'public',
  summary: 'Enable an alert',
  tags: ['oas-tag:alerting'],
  deprecated: true,