[Fleet][RBAC v2] Update agent_status route to use calculateRouteAuthz

x-pack/plugins/fleet/server/routes/agent/index.ts

@@ -5,7 +5,9 @@
  * 2.0.
  */
 
-import type { FleetAuthzRouter } from '../../services/security';
+import type { FleetAuthz } from '../../../common';
+
+import { getRouteRequiredAuthz, type FleetAuthzRouter } from '../../services/security';
 
 import { AGENT_API_ROUTES } from '../../constants';
 import {
@@ -35,6 +37,8 @@ import type { FleetConfigType } from '../..';
 
 import { PostBulkUpdateAgentTagsRequestSchema } from '../../types/rest_spec/agent';
 
+import { calculateRouteAuthz } from '../../services/security/security';
+
 import {
   getAgentsHandler,
   getAgentTagsHandler,
@@ -234,9 +238,11 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
     {
       path: AGENT_API_ROUTES.STATUS_PATTERN,
       validate: GetAgentStatusRequestSchema,
-      fleetAuthz: {
-        fleet: { all: true },
-      },
+      fleetAuthz: (fleetAuthz: FleetAuthz): boolean =>
+        calculateRouteAuthz(
+          fleetAuthz,
+          getRouteRequiredAuthz('get', AGENT_API_ROUTES.STATUS_PATTERN)
+        ).granted,
     },
     getAgentStatusForAgentPolicyHandler
   );

x-pack/plugins/fleet/server/services/security/route_required_authz.ts

@@ -9,7 +9,7 @@ import { deepFreeze } from '@kbn/std';
 
 import type { RouteMethod } from '@kbn/core-http-server';
 
-import { PACKAGE_POLICY_API_ROUTES } from '../../../common';
+import { PACKAGE_POLICY_API_ROUTES, AGENT_API_ROUTES } from '../../../common';
 
 import type { FleetRouteRequiredAuthz } from './types';
 
@@ -126,6 +126,24 @@ const ROUTE_AUTHZ_REQUIREMENTS = deepFreeze<Record<string, FleetRouteRequiredAut
       },
     },
   },
+
+  // agent status fo policy API
+  [`get:${AGENT_API_ROUTES.STATUS_PATTERN}`]: {
+    any: {
+      fleet: {
+        all: true,
+      },
+      packagePrivileges: {
+        endpoint: {
+          actions: {
+            readPolicyManagement: {
+              executePackageAction: true,
+            },
+          },
+        },
+      },
+    },
+  },
 });
 
 /**

x-pack/test/fleet_api_integration/apis/agents/status.ts

@@ -9,11 +9,13 @@ import expect from '@kbn/expect';
 
 import { AGENTS_INDEX } from '@kbn/fleet-plugin/common';
 import { FtrProviderContext } from '../../../api_integration/ftr_provider_context';
+import { testUsers } from '../test_users';
 
 export default function ({ getService }: FtrProviderContext) {
   const es = getService('es');
   const esArchiver = getService('esArchiver');
   const supertest = getService('supertest');
+  const superTestWithoutAuth = getService('supertestWithoutAuth');
 
   describe('fleet_agents_status', () => {
     before(async () => {
@@ -197,5 +199,31 @@ export default function ({ getService }: FtrProviderContext) {
     it('should work with deprecated api', async () => {
       await supertest.get(`/api/fleet/agent-status`).expect(200);
     });
+
+    it('should work with adequate package privileges', async () => {
+      await superTestWithoutAuth
+        .get(`/api/fleet/agent_status`)
+        .set('kbn-xsrf', 'xxxx')
+        .auth(
+          testUsers.endpoint_fleet_all_integr_read_policy.username,
+          testUsers.endpoint_fleet_all_integr_read_policy.password
+        )
+        .expect(200);
+    });
+
+    it('should not work without adequate package privileges', async () => {
+      await superTestWithoutAuth
+        .get(`/api/fleet/agent_status`)
+        .set('kbn-xsrf', 'xxxx')
+        .auth(
+          testUsers.endpoint_fleet_read_integr_none.username,
+          testUsers.endpoint_fleet_read_integr_none.password
+        )
+        .expect(403, {
+          error: 'Forbidden',
+          message: 'Forbidden',
+          statusCode: 403,
+        });
+    });
   });
 }

x-pack/test/fleet_api_integration/apis/test_users.ts

@@ -104,6 +104,30 @@ export const testUsers: {
     username: 'endpoint_integr_write_policy',
     password: 'changeme',
   },
+  // agent status API
+  endpoint_fleet_all_integr_read_policy: {
+    permissions: {
+      feature: {
+        fleet: ['all'],
+        siem: ['minimal_all', 'policy_management_read'],
+      },
+      spaces: ['*'],
+    },
+    username: 'endpoint_fleet_all_integr_read_policy',
+    password: 'changeme',
+  },
+  // no access to integrations or policies
+  endpoint_fleet_read_integr_none: {
+    permissions: {
+      feature: {
+        fleet: ['read'],
+        siem: ['minimal_all'],
+      },
+      spaces: ['*'],
+    },
+    username: 'endpoint_fleet_read_integr_none',
+    password: 'changeme',
+  },
 };
 
 export const setupTestUsers = async (security: SecurityService) => {