From 6e0a772e05f09efcd79b2cee00a5b0457d7f95ad Mon Sep 17 00:00:00 2001
From: Gerard Soldevila
Date: Mon, 23 Feb 2026 17:08:07 +0100
Subject: [PATCH] [CPS] Update kibana-security asScoped call sites
---
 packages/kbn-mock-idp-plugin/server/plugin.ts | 8 +++++---
 .../anonymous_access/anonymous_access_service.ts | 3 ++-
 .../server/authentication/api_keys/api_keys.ts | 12 ++++++++----
 .../server/authorization/check_privileges.ts | 3 ++-
 .../server/user_profile/user_profile_service.ts | 3 ++-
 .../plugins/test_endpoints/server/init_routes.ts | 6 ++++--
 6 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/packages/kbn-mock-idp-plugin/server/plugin.ts b/packages/kbn-mock-idp-plugin/server/plugin.ts
index 879e1acfccb53..1e56c450f35d2 100644
--- a/packages/kbn-mock-idp-plugin/server/plugin.ts
+++ b/packages/kbn-mock-idp-plugin/server/plugin.ts
@@ -271,9 +271,11 @@ export const plugin: PluginInitializer = as
 const [{ elasticsearch }] = await core.getStartServices();
 // Get scoped client with UIAM headers
- const scopedClient = elasticsearch.client.asScoped({
- headers: { authorization: `ApiKey ${request.body.apiKey}` },
- });
+ // TODO REVIEW
+ const scopedClient = elasticsearch.client.asScoped(
+ { headers: { authorization: `ApiKey ${request.body.apiKey}` } },
+ { projectRouting: 'origin-only' }
+ );
 if (!scopedClient) {
 return response.badRequest({
diff --git a/x-pack/platform/plugins/shared/security/server/anonymous_access/anonymous_access_service.ts b/x-pack/platform/plugins/shared/security/server/anonymous_access/anonymous_access_service.ts
index e308fc420c5f2..14c3ed7cea107 100644
--- a/x-pack/platform/plugins/shared/security/server/anonymous_access/anonymous_access_service.ts
+++ b/x-pack/platform/plugins/shared/security/server/anonymous_access/anonymous_access_service.ts
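Review bot: The `// TODO REVIEW` marker above the new `asScoped(...)` call in plugin.ts records that the routing choice is unverified but not why `'origin-only'` was picked, and the same bare marker is added at every other call site in this patch (anonymous_access_service.ts, api_keys.ts, check_privileges.ts, user_profile_service.ts, init_routes.ts). Because this client is built from the caller-supplied `request.body.apiKey`, I would replace the marker with the reason, for example `// UIAM key check: must be answered by the origin project only` if that is the intent. Someone auditing the authentication paths later needs the rationale at the call site rather than a placeholder. The enclosing route handler starts and ends outside the hunk.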
@@ -138,8 +138,9 @@ export class AnonymousAccessService {
 */
 private async canAuthenticateAnonymousServiceAccount(clusterClient: IClusterClient) {
 try {
+ // TODO REVIEW
 await clusterClient
- .asScoped(this.createFakeAnonymousRequest({ authenticateRequest: true }))
+ .asScoped(this.createFakeAnonymousRequest({ authenticateRequest: true }), { projectRouting: 'origin-only' })
 .asCurrentUser.security.authenticate();
 } catch (err) {
 this.logger.warn(
diff --git a/x-pack/platform/plugins/shared/security/server/authentication/api_keys/api_keys.ts b/x-pack/platform/plugins/shared/security/server/authentication/api_keys/api_keys.ts
index 249a6d8996f92..aee6a7beb1eb7 100644
--- a/x-pack/platform/plugins/shared/security/server/authentication/api_keys/api_keys.ts
+++ b/x-pack/platform/plugins/shared/security/server/authentication/api_keys/api_keys.ts
@@ -160,7 +160,8 @@ export class APIKeys implements NativeAPIKeysType {
 return null;
 }
 const { type, expiration, name, metadata } = createParams;
- const scopedClusterClient = this.clusterClient.asScoped(request);
+ // TODO REVIEW
+ const scopedClusterClient = this.clusterClient.asScoped(request, { projectRouting: 'space' });
 this.logger.debug('Trying to create an API key');
@@ -215,7 +216,8 @@ export class APIKeys implements NativeAPIKeysType {
 }
 const { type, id, metadata } = updateParams;
- const scopedClusterClient = this.clusterClient.asScoped(request);
+ // TODO REVIEW
+ const scopedClusterClient = this.clusterClient.asScoped(request, { projectRouting: 'space' });
 this.logger.debug('Trying to edit an API key');
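Review bot: The added `.asScoped(this.createFakeAnonymousRequest({ authenticateRequest: true }), { projectRouting: 'origin-only' })` line in canAuthenticateAnonymousServiceAccount is far longer than the lines around it and leaves the new second argument at the very end, where it is easy to miss. Putting each argument on its own line, as the plugin.ts hunk already does, keeps the routing value visible in review. The same applies to the one-line `invalidateApiKey`, `authenticate` and `getApiKey` calls in api_keys.ts and user_profile_service.ts and to the `'start-contract'` branch in init_routes.ts. The try/catch continues past the end of the hunk.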
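Review bot: API key creation here is scoped with `{ projectRouting: 'space' }`, and so are the update hunk at -215 and the invalidate hunk at -338, while the validate path at -398 and the anonymous-access probe use `'origin-only'`; nothing visible explains why credential management follows space routing when credential validation does not. If `'space'` can direct a request anywhere other than the originating project (I can't tell from this patch), keys could be created or invalidated somewhere the caller did not intend, so these look like they should be `this.clusterClient.asScoped(request, { projectRouting: 'origin-only' })` unless there is a stated reason. The same question applies to `hasPrivileges` in check_privileges.ts and `getApiKey` in user_profile_service.ts. Either way, the three identical option literals in this class would read better as one named constant carrying the rationale in its comment. The create method starts and ends outside the hunk.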
@@ -338,7 +340,8 @@ export class APIKeys implements NativeAPIKeysType {
 let result: InvalidateAPIKeyResult;
 try {
 // User needs `manage_api_key` privilege to use this API
- result = await this.clusterClient.asScoped(request).asCurrentUser.security.invalidateApiKey({
+ // TODO REVIEW
+ result = await this.clusterClient.asScoped(request, { projectRouting: 'space' }).asCurrentUser.security.invalidateApiKey({
 ids: params.ids,
 });
 this.logger.debug(
@@ -398,7 +401,8 @@ export class APIKeys implements NativeAPIKeysType {
 this.logger.debug(`Trying to validate an API key`);
 try {
- await this.clusterClient.asScoped(fakeRequest).asCurrentUser.security.authenticate();
+ // TODO REVIEW
+ await this.clusterClient.asScoped(fakeRequest, { projectRouting: 'origin-only' }).asCurrentUser.security.authenticate();
 this.logger.debug(`API key was validated successfully`);
 return true;
 } catch (e) {
diff --git a/x-pack/platform/plugins/shared/security/server/authorization/check_privileges.ts b/x-pack/platform/plugins/shared/security/server/authorization/check_privileges.ts
index 57052a40449dc..a297bc2b02bc3 100644
--- a/x-pack/platform/plugins/shared/security/server/authorization/check_privileges.ts
+++ b/x-pack/platform/plugins/shared/security/server/authorization/check_privileges.ts
@@ -106,7 +106,8 @@ export function checkPrivilegesFactory(
 { requireLoginAction }
 );
- const clusterClient = (await getClusterClient()).asScoped(request);
+ // TODO REVIEW
+ const clusterClient = (await getClusterClient()).asScoped(request, { projectRouting: 'space' });
 const hasPrivilegesResponse = await clusterClient.asCurrentUser.security.hasPrivileges({
 cluster: privileges.elasticsearch?.cluster as estypes.SecurityClusterPrivilege[],
 index: Object.entries(privileges.elasticsearch?.index ?? {}).map(
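Review bot: The routing value passed to `asScoped(request, { projectRouting: 'space' })` in checkPrivilegesFactory feeds the `hasPrivileges` authorization check, yet nothing in this patch pins it with a test: the diffstat lists six source files and no unit-test files. A later change to that option would go unnoticed, so I would add an expectation to the existing check_privileges tests along the lines of `expect(clusterClient.asScoped).toHaveBeenCalledWith(request, { projectRouting: 'space' });` (the mock name is a guess). If those tests currently assert the single-argument call, they presumably need updating in this commit as well. The enclosing function starts and ends outside the hunk.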
diff --git a/x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.ts b/x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.ts
index ccaed723b5404..517c5b47cb589 100644
--- a/x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.ts
+++ b/x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.ts
@@ -288,7 +288,8 @@ export class UserProfileService {
 request: UserProfileGetCurrentParams['request']
 ): Promise {
 try {
- const response = await clusterClient.asScoped(request).asCurrentUser.security.getApiKey({
+ // TODO REVIEW
+ const response = await clusterClient.asScoped(request, { projectRouting: 'space' }).asCurrentUser.security.getApiKey({
 with_profile_uid: true,
 });
diff --git a/x-pack/platform/test/security_functional/plugins/test_endpoints/server/init_routes.ts b/x-pack/platform/test/security_functional/plugins/test_endpoints/server/init_routes.ts
index 96fd539f4aea9..aa93725d26308 100644
--- a/x-pack/platform/test/security_functional/plugins/test_endpoints/server/init_routes.ts
+++ b/x-pack/platform/test/security_functional/plugins/test_endpoints/server/init_routes.ts
@@ -122,13 +122,15 @@ export function initRoutes(
 let scopedClient;
 if (request.body.client === 'start-contract') {
- scopedClient = (await core.getStartServices())[0].elasticsearch.client.asScoped(request);
+ // TODO REVIEW
+ scopedClient = (await core.getStartServices())[0].elasticsearch.client.asScoped(request, { projectRouting: 'space' });
 } else if (request.body.client === 'request-context') {
 scopedClient = (await context.core).elasticsearch.client;
 } else {
 scopedClient = (await core.getStartServices())[0].elasticsearch
 .createClient('custom')
- .asScoped(request);
+ // TODO REVIEW
+ .asScoped(request, { projectRouting: 'space' });
 }
 await scopedClient.asCurrentUser.security.authenticate();
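Review bot: In the final `else` branch of init_routes.ts the `// TODO REVIEW` comment is inserted between `.createClient('custom')` and `.asScoped(...)`, in the middle of the call chain; move it above the `scopedClient =` assignment so the chain reads as one expression. Separately, the `'request-context'` branch takes `(await context.core).elasticsearch.client` with no explicit routing while the other two branches pass `{ projectRouting: 'space' }`, so the three clients this test endpoint exercises may no longer be equivalent. A comment stating which routing the request-context client uses would settle that. The route handler starts and ends outside the hunk.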