Unauthorized route migration for routes owned by kibana-presentation (#198329)

Migrates unauthorized routes owned by the Presentation team to a new security configuration.

Author: kibanamachine

src/plugins/controls/server/options_list/options_list_cluster_settings_route.ts

@@ -20,6 +20,13 @@ export const setupOptionsListClusterSettingsRoute = ({ http }: CoreSetup) => {
     .addVersion(
       {
         version: '1',
+        security: {
+          authz: {
+            enabled: false,
+            reason:
+              'This route is opted out from authorization because it does not take a query, params, or a body, so there is no chance of leaking info.',
+          },
+        },
         validate: false,
       },
       async (context, _, response) => {

src/plugins/controls/server/options_list/options_list_suggestions_route.ts

@@ -33,6 +33,13 @@ export const setupOptionsListSuggestionsRoute = (
     .addVersion(
       {
         version: '1',
+        security: {
+          authz: {
+            enabled: false,
+            reason:
+              'This route is opted out from authorization because permissions will be checked by elasticsearch.',
+          },
+        },
         validate: {
           request: {
             params: schema.object(

x-pack/plugins/canvas/server/routes/custom_elements/create.ts

@@ -29,6 +29,13 @@ export function initializeCreateCustomElementRoute(deps: RouteInitializerDeps) {
     .addVersion(
       {
         version: '1',
+        security: {
+          authz: {
+            enabled: false,
+            reason:
+              'This route is opted out from authorization because authorization is provided by saved objects client.',
+          },
+        },
         validate: {
           request: { body: CustomElementSchema },
         },

x-pack/plugins/canvas/server/routes/custom_elements/delete.ts

@@ -22,6 +22,13 @@ export function initializeDeleteCustomElementRoute(deps: RouteInitializerDeps) {
     .addVersion(
       {
         version: '1',
+        security: {
+          authz: {
+            enabled: false,
+            reason:
+              'This route is opted out from authorization because authorization is provided by saved objects client.',
+          },
+        },
         validate: {
           request: {
             params: schema.object({

x-pack/plugins/canvas/server/routes/custom_elements/find.ts

@@ -20,6 +20,13 @@ export function initializeFindCustomElementsRoute(deps: RouteInitializerDeps) {
     .addVersion(
       {
         version: '1',
+        security: {
+          authz: {
+            enabled: false,
+            reason:
+              'This route is opted out from authorization because authorization is provided by saved objects client.',
+          },
+        },
         validate: {
           request: {
             query: schema.object({

x-pack/plugins/canvas/server/routes/custom_elements/get.ts

@@ -21,6 +21,13 @@ export function initializeGetCustomElementRoute(deps: RouteInitializerDeps) {
     .addVersion(
       {
         version: '1',
+        security: {
+          authz: {
+            enabled: false,
+            reason:
+              'This route is opted out from authorization because authorization is provided by saved objects client.',
+          },
+        },
         validate: {
           request: {
             params: schema.object({

x-pack/plugins/canvas/server/routes/custom_elements/update.ts

@@ -30,6 +30,13 @@ export function initializeUpdateCustomElementRoute(deps: RouteInitializerDeps) {
     .addVersion(
       {
         version: '1',
+        security: {
+          authz: {
+            enabled: false,
+            reason:
+              'This route is opted out from authorization because authorization is provided by saved objects client.',
+          },
+        },
         validate: {
           request: {
             params: schema.object({

x-pack/plugins/canvas/server/routes/functions/functions.ts

@@ -23,13 +23,26 @@ export function initializeGetFunctionsRoute(deps: RouteInitializerDeps) {
       path: API_ROUTE_FUNCTIONS,
       access: 'internal',
     })
-    .addVersion({ version: '1', validate: false }, async (context, request, response) => {
-      const functions = expressions.getFunctions('canvas');
-      const body = JSON.stringify(functions);
-      return response.ok({
-        body,
-      });
-    });
+    .addVersion(
+      {
+        version: '1',
+        security: {
+          authz: {
+            enabled: false,
+            reason:
+              'This route is opted out from authorization because it only provides non-sensitive information about functions available to Canvas.',
+          },
+        },
+        validate: false,
+      },
+      async (context, request, response) => {
+        const functions = expressions.getFunctions('canvas');
+        const body = JSON.stringify(functions);
+        return response.ok({
+          body,
+        });
+      }
+    );
 }
 
 export function initializeBatchFunctionsRoute(deps: RouteInitializerDeps) {
@@ -42,6 +55,13 @@ export function initializeBatchFunctionsRoute(deps: RouteInitializerDeps) {
     .addVersion(
       {
         version: '1',
+        security: {
+          authz: {
+            enabled: false,
+            reason:
+              'This route is opted out from authorization because data source expressions that perform search operations use the Kibana search client which handles permission checking.',
+          },
+        },
         validate: {
           request: {
             body: schema.object({

x-pack/plugins/canvas/server/routes/shareables/download.ts

@@ -18,16 +18,29 @@ export function initializeDownloadShareableWorkpadRoute(deps: RouteInitializerDe
       path: API_ROUTE_SHAREABLE_RUNTIME_DOWNLOAD,
       access: 'internal',
     })
-    .addVersion({ version: '1', validate: false }, async (_context, _request, response) => {
-      // TODO: check if this is still an issue on cloud after migrating to NP
-      //
-      // The option setting is not for typical use.  We're using it here to avoid
-      // problems in Cloud environments.  See elastic/kibana#47405.
-      // const file = handler.file(SHAREABLE_RUNTIME_FILE, { confine: false });
-      const file = readFileSync(SHAREABLE_RUNTIME_FILE);
-      return response.ok({
-        headers: { 'content-type': 'application/octet-stream' },
-        body: file,
-      });
-    });
+    .addVersion(
+      {
+        version: '1',
+        security: {
+          authz: {
+            enabled: false,
+            reason:
+              'This route is opted out from authorization because it is only serving static files.',
+          },
+        },
+        validate: false,
+      },
+      async (_context, _request, response) => {
+        // TODO: check if this is still an issue on cloud after migrating to NP
+        //
+        // The option setting is not for typical use.  We're using it here to avoid
+        // problems in Cloud environments.  See elastic/kibana#47405.
+        // const file = handler.file(SHAREABLE_RUNTIME_FILE, { confine: false });
+        const file = readFileSync(SHAREABLE_RUNTIME_FILE);
+        return response.ok({
+          headers: { 'content-type': 'application/octet-stream' },
+          body: file,
+        });
+      }
+    );
 }

x-pack/plugins/canvas/server/routes/shareables/zip.ts

@@ -24,7 +24,17 @@ export function initializeZipShareableWorkpadRoute(deps: RouteInitializerDeps) {
       access: 'internal',
     })
     .addVersion(
-      { version: '1', validate: { request: { body: RenderedWorkpadSchema } } },
+      {
+        version: '1',
+        security: {
+          authz: {
+            enabled: false,
+            reason:
+              'This route is opted out from authorization because it is only serving static files.',
+          },
+        },
+        validate: { request: { body: RenderedWorkpadSchema } },
+      },
       async (_context, request, response) => {
         const workpad = request.body;
         const archive = archiver('zip');