Unauthorized route migration for routes owned by kibana-core (#214780)

elena-shostak · web-flow · commit b9d240b38b3a · 2025-03-18T17:04:01.000+01:00
### Authz API migration for unauthorized routes This PR migrates last unauthorized routes owned by your team to a new security configuration. Please refer to the documentation for more information: [Authorization API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization) ### **Before migration:** ```ts router.get({ path: '/api/path', ... }, handler); ``` ### **After migration:** ```ts router.get({ path: '/api/path', security: { authz: { enabled: false, reason: 'This route is opted out from authorization because ...', }, }, ... }, handler); ```
diff --git a/src/core/packages/apps/server-internal/src/core_app.ts b/src/core/packages/apps/server-internal/src/core_app.ts
@@ -143,7 +143,17 @@ export class CoreAppsService {
     const resources = coreSetup.httpResources.createRegistrar(router);
 
     router.get(
-      { path: '/', validate: false, options: { access: 'public' } },
+      {
+        path: '/',
+        validate: false,
+        options: { access: 'public' },
+        security: {
+          authz: {
+            enabled: false,
+            reason: 'This route is only used for serving the default route.',
+          },
+        },
+      },
       async (context, req, res) => {
         const { uiSettings } = await context.core;
         let defaultRoute = await uiSettings.client.get<string>('defaultRoute', { request: req });
diff --git a/src/core/packages/deprecations/server-internal/src/deprecations_service.test.ts b/src/core/packages/deprecations/server-internal/src/deprecations_service.test.ts
@@ -58,7 +58,17 @@ describe('DeprecationsService', () => {
       // registers get route '/'
       expect(router.get).toHaveBeenCalledTimes(1);
       expect(router.get).toHaveBeenCalledWith(
-        { options: { access: 'public' }, path: '/', validate: false },
+        {
+          options: { access: 'public' },
+          path: '/',
+          validate: false,
+          security: {
+            authz: {
+              enabled: false,
+              reason: expect.any(String),
+            },
+          },
+        },
         expect.any(Function)
       );
     });
diff --git a/src/core/packages/deprecations/server-internal/src/routes/get.ts b/src/core/packages/deprecations/server-internal/src/routes/get.ts
@@ -14,6 +14,12 @@ export const registerGetRoute = (router: InternalDeprecationRouter) => {
   router.get(
     {
       path: '/',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route delegates authorization to the Core Deprecations Client',
+        },
+      },
       options: {
         access: 'public',
       },
diff --git a/src/core/packages/i18n/server-internal/src/routes/translations.ts b/src/core/packages/i18n/server-internal/src/routes/translations.ts
@@ -38,6 +38,12 @@ export const registerTranslationsRoute = ({
       router.get(
         {
           path: routePath,
+          security: {
+            authz: {
+              enabled: false,
+              reason: 'This route is only used for serving i18n translations.',
+            },
+          },
           validate: {
             params: schema.object({
               locale: schema.string(),
diff --git a/src/core/packages/rendering/server-internal/src/bootstrap/register_bootstrap_route.ts b/src/core/packages/rendering/server-internal/src/bootstrap/register_bootstrap_route.ts
@@ -20,6 +20,12 @@ export const registerBootstrapRoute = ({
   router.get(
     {
       path: '/bootstrap.js',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is only used for serving the bootstrap script.',
+        },
+      },
       options: {
         tags: ['api'],
         access: 'public',
@@ -43,6 +49,12 @@ export const registerBootstrapRoute = ({
   router.get(
     {
       path: '/bootstrap-anonymous.js',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is only used for serving the bootstrap script.',
+        },
+      },
       options: {
         authRequired: 'optional',
         tags: ['api'],
diff --git a/src/core/packages/saved-objects/server-internal/src/routes/deprecations/delete_unknown_types.ts b/src/core/packages/saved-objects/server-internal/src/routes/deprecations/delete_unknown_types.ts
@@ -24,6 +24,12 @@ export const registerDeleteUnknownTypesRoute = (
     {
       path: '/deprecations/_delete_unknown_types',
       validate: false,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route delegates authorization to the Saved Objects Client',
+        },
+      },
     },
     catchAndReturnBoomErrors(async (context, req, res) => {
       const { elasticsearch, savedObjects } = await context.core;
diff --git a/src/core/packages/status/server-internal/src/routes/status.ts b/src/core/packages/status/server-internal/src/routes/status.ts
@@ -82,6 +82,12 @@ export const registerStatusRoute = ({
   router.get(
     {
       path: '/api/status',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Status route should be accessible without authorization.',
+        },
+      },
       options: {
         authRequired: 'optional',
         // The `api` tag ensures that unauthenticated calls receive a 401 rather than a 302 redirect to login page.
diff --git a/src/core/packages/status/server-internal/src/routes/status_preboot.ts b/src/core/packages/status/server-internal/src/routes/status_preboot.ts
@@ -15,8 +15,17 @@ export const registerPrebootStatusRoute = ({ router }: { router: IRouter }) => {
   router.get(
     {
       path: '/api/status',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Preboot status route should be accessible without authorization.',
+        },
+        authc: {
+          enabled: false,
+          reason: 'Preboot status route should be accessible without authentication.',
+        },
+      },
       options: {
-        authRequired: false,
         tags: ['api'],
         access: 'public', // needs to be public to allow access from "system" users like k8s readiness probes.
         excludeFromRateLimiter: true,
diff --git a/src/core/packages/status/server-internal/src/status_service.test.ts b/src/core/packages/status/server-internal/src/status_service.test.ts
@@ -101,12 +101,21 @@ describe('StatusService', () => {
         {
           path: '/api/status',
           options: {
-            authRequired: false,
             tags: ['api'],
             access: 'public',
             excludeFromRateLimiter: true,
           },
           validate: false,
+          security: {
+            authz: {
+              enabled: false,
+              reason: expect.any(String),
+            },
+            authc: {
+              enabled: false,
+              reason: expect.any(String),
+            },
+          },
         },
         expect.any(Function)
       );
diff --git a/x-pack/platform/plugins/shared/cloud/server/routes/get_cloud_data_route.ts b/x-pack/platform/plugins/shared/cloud/server/routes/get_cloud_data_route.ts
@@ -14,6 +14,12 @@ export const setGetCloudSolutionDataRoute = ({ router }: RouteOptions) => {
   router.versioned
     .get({
       path: `/internal/cloud/solution`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route delegates authorization to the saved objects client',
+        },
+      },
       access: 'internal',
       summary: 'Get cloud data for solutions',
     })
