diff --git a/x-pack/plugins/fleet/server/routes/preconfiguration/index.ts b/x-pack/plugins/fleet/server/routes/preconfiguration/index.ts
index 5d427b49bed69..2d46599988f1a 100644
--- a/x-pack/plugins/fleet/server/routes/preconfiguration/index.ts
+++ b/x-pack/plugins/fleet/server/routes/preconfiguration/index.ts
@@ -17,6 +17,9 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
 {
 path: PRECONFIGURATION_API_ROUTES.RESET_PATTERN,
 validate: false,
+ options: {
+ access: 'internal',
+ },
 fleetAuthz: {
 fleet: { all: true },
 },
@@ -27,6 +30,9 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
 {
 path: PRECONFIGURATION_API_ROUTES.RESET_ONE_PATTERN,
 validate: PostResetOnePreconfiguredAgentPoliciesSchema,
+ options: {
+ access: 'internal',
+ },
 fleetAuthz: {
 fleet: { all: true },
 },
diff --git a/x-pack/plugins/fleet/server/services/security/fleet_router.test.ts b/x-pack/plugins/fleet/server/services/security/fleet_router.test.ts
index 6af9c891b31fc..bb6ea59eeec82 100644
--- a/x-pack/plugins/fleet/server/services/security/fleet_router.test.ts
+++ b/x-pack/plugins/fleet/server/services/security/fleet_router.test.ts
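Review bot: Both hunks (RESET_PATTERN and RESET_ONE_PATTERN) opt these reset routes out of the public default with `access: 'internal'`, but nothing in the route definitions says why, and a reader of index.ts alone cannot see that the Fleet router now treats every route as public unless told otherwise. A one-line comment above each added `options` block would carry that intent, e.g. `// Destructive reset of preconfigured policies: keep it off the public API surface`. It is also worth confirming that the callers of these two endpoints still work once they are internal, since deployments that restrict internal APIs expect internal-route requests to carry the `x-elastic-internal-origin` header and that is not visible from this diff.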
@@ -201,4 +201,64 @@ describe('FleetAuthzRouter', () => {
 ).toEqual('forbidden');
 });
 });
+
+ describe('default access', () => {
+ let fakeRouter: jest.Mocked>;
+ beforeEach(() => {
+ fakeRouter = {
+ get: jest.fn(),
+ post: jest.fn(),
+ delete: jest.fn(),
+ put: jest.fn(),
+ patch: jest.fn(),
+ } as unknown as jest.Mocked>;
+ });
+
+ const METHODS: Array<'get' | 'post' | 'delete' | 'put' | 'patch'> = [
+ 'get',
+ 'post',
+ 'delete',
+ 'put',
+ 'patch',
+ ];
+
+ for (const method of METHODS) {
+ describe(`${method}`, () => {
+ it('should set default access to public', () => {
+ const fleetAuthzRouter = makeRouterWithFleetAuthz(fakeRouter, mockLogger);
+ fleetAuthzRouter[method](
+ {
+ path: '/test',
+ validate: false,
+ },
+ (() => {}) as any
+ );
+ expect(fakeRouter[method]).toBeCalledWith(
+ expect.objectContaining({
+ options: { access: 'public' },
+ }),
+ expect.anything()
+ );
+ });
+
+ it('should not allow to define internal routes', () => {
+ const fleetAuthzRouter = makeRouterWithFleetAuthz(fakeRouter, mockLogger);
+ fleetAuthzRouter[method](
+ {
+ path: '/test',
+ validate: false,
+ options: { access: 'internal' },
+ },
+ (() => {}) as any
+ );
+ expect(fakeRouter[method]).toBeCalledWith(
+ expect.objectContaining({
+ options: { access: 'internal' },
+ }),
+ expect.anything()
+ );
+ });
+ });
+ }
+ });
 });
diff --git a/x-pack/plugins/fleet/server/services/security/fleet_router.ts b/x-pack/plugins/fleet/server/services/security/fleet_router.ts
index 32fd25a38a948..a956f1522161c 100644
--- a/x-pack/plugins/fleet/server/services/security/fleet_router.ts
+++ b/x-pack/plugins/fleet/server/services/security/fleet_router.ts
@@ -13,6 +13,8 @@ import type {
 Logger,
 RequestHandler,
 RouteMethod,
+ RouteConfig,
+ RouteConfigOptions,
 } from '@kbn/core/server';
 
 import type { FleetRequestHandlerContext } from '../..';
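Review bot: The second test in each per-method `describe` is named 'should not allow to define internal routes' but asserts the opposite: an explicit `options: { access: 'internal' }` is passed through unchanged to the underlying router. The title should state the contract the assertion pins, e.g. `it('should keep an explicitly set internal access', () => {`, otherwise a future reader may "fix" the code to match the name. As a matter of style, the handler cast `(() => {}) as any` could use the router's handler type instead of `any`, and `toBeCalledWith` is the alias form of `toHaveBeenCalledWith`, which is the canonical matcher and the one that survives alias removal in newer Jest releases. The enclosing `describe('FleetAuthzRouter', …)` block starts outside the hunk.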
@@ -26,6 +28,25 @@ import {
 doesNotHaveRequiredFleetAuthz,
 } from './security';
 
+function withDefaultPublicAccess(
+ routeConfig: RouteConfig
+): RouteConfig {
+ let newOptions: RouteConfigOptions;
+ if (routeConfig?.options) {
+ newOptions = { ...routeConfig?.options };
+ } else {
+ newOptions = {};
+ }
+
+ if (!newOptions.access) {
+ newOptions.access = 'public';
+ }
+ return {
+ ...routeConfig,
+ options: newOptions,
+ };
+}
+
 export function makeRouterWithFleetAuthz(
 router: IRouter,
 logger: Logger
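Review bot: `routeConfig` is a required parameter, so the optional chaining in `routeConfig?.options` is misleading, and the second `?.` sits inside the branch that has just proved `options` non-null; the if/else copy also does nothing that a plain spread would not, since spreading `undefined` yields an empty object. The body can shrink to `const access = routeConfig.options?.access ?? 'public';` followed by `return { ...routeConfig, options: { ...routeConfig.options, access } };`, which keeps the pass-through of an explicitly set `'internal'` that the tests pin. Because this helper makes every route registered through the Fleet router part of the public API unless the route opts out, that decision deserves a TSDoc comment on the function, e.g. `/** Fleet routes are public by default; a route opts out by setting options.access to 'internal'. */`.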
@@ -106,27 +127,27 @@ export function makeRouterWithFleetAuthz
 = {
 get: ({ fleetAuthz: hasRequiredAuthz, ...options }, handler) => {
- router.get(options, (context, request, response) =>
+ router.get(withDefaultPublicAccess(options), (context, request, response) =>
 fleetHandlerWrapper({ context, request, response, handler, hasRequiredAuthz })
 );
 },
 delete: ({ fleetAuthz: hasRequiredAuthz, ...options }, handler) => {
- router.delete(options, (context, request, response) =>
+ router.delete(withDefaultPublicAccess(options), (context, request, response) =>
 fleetHandlerWrapper({ context, request, response, handler, hasRequiredAuthz })
 );
 },
 post: ({ fleetAuthz: hasRequiredAuthz, ...options }, handler) => {
- router.post(options, (context, request, response) =>
+ router.post(withDefaultPublicAccess(options), (context, request, response) =>
 fleetHandlerWrapper({ context, request, response, handler, hasRequiredAuthz })
 );
 },
 put: ({ fleetAuthz: hasRequiredAuthz, ...options }, handler) => {
- router.put(options, (context, request, response) =>
+ router.put(withDefaultPublicAccess(options), (context, request, response) =>
 fleetHandlerWrapper({ context, request, response, handler, hasRequiredAuthz })
 );
 },
 patch: ({ fleetAuthz: hasRequiredAuthz, ...options }, handler) => {
- router.patch(options, (context, request, response) =>
+ router.patch(withDefaultPublicAccess(options), (context, request, response) =>
 fleetHandlerWrapper({ context, request, response, handler, hasRequiredAuthz })
 );
 },
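Review bot: The public default is applied separately inside five near-identical wrappers, so any other registration path exposed by `makeRouterWithFleetAuthz` that lies outside this hunk (the function starts before it; a versioned router, if one is exposed, would be the obvious case) would silently keep the core router's behaviour instead of the Fleet default — worth confirming in the rest of the function. The wrappers differ only in the HTTP method name; a single factory keyed on that name would make it impossible to forget `withDefaultPublicAccess` on one of them when the next method is added. That is a style point rather than a defect in the lines shown, which are consistent across all five methods.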