[Fleet][Endpoint][RBAC V2] Update fleet router and config to allow API access via RBAC controls

x-pack/plugins/fleet/common/services/routes.ts

@@ -257,7 +257,7 @@ export const settingsRoutesService = {
 };
 
 export const appRoutesService = {
-  getCheckPermissionsPath: (fleetServerSetup?: boolean) => APP_API_ROUTES.CHECK_PERMISSIONS_PATTERN,
+  getCheckPermissionsPath: () => APP_API_ROUTES.CHECK_PERMISSIONS_PATTERN,
   getRegenerateServiceTokenPath: () => APP_API_ROUTES.GENERATE_SERVICE_TOKEN_PATTERN,
   postHealthCheckPath: () => APP_API_ROUTES.HEALTH_CHECK_PATTERN,
 };

x-pack/plugins/fleet/server/mocks/index.ts

@@ -90,10 +90,9 @@ export const createFleetRequestHandlerContextMock = (): jest.Mocked<
       asCurrentUser: createPackagePolicyServiceMock(),
       asInternalUser: createPackagePolicyServiceMock(),
     },
-    epm: {
-      internalSoClient: savedObjectsClientMock.create(),
-    },
+    internalSoClient: savedObjectsClientMock.create(),
     spaceId: 'default',
+    limitedToPackages: undefined,
   };
 };
 

x-pack/plugins/fleet/server/plugin.ts

@@ -57,6 +57,13 @@ import type { ExperimentalFeatures } from '../common/experimental_features';
 import { INTEGRATIONS_PLUGIN_ID } from '../common';
 import { parseExperimentalConfigValue } from '../common/experimental_features';
 
+import {
+  getRouteRequiredAuthz,
+  makeRouterWithFleetAuthz,
+  calculateRouteAuthz,
+  getAuthzFromRequest,
+} from './services/security';
+
 import {
   PLUGIN_ID,
   OUTPUT_SAVED_OBJECT_TYPE,
@@ -93,7 +100,6 @@ import {
   fetchAgentsUsage,
   fetchFleetUsage,
 } from './collectors/register';
-import { getAuthzFromRequest, makeRouterWithFleetAuthz } from './routes/security';
 import { FleetArtifactsClient } from './services/artifacts';
 import type { FleetRouter } from './types/request_context';
 import { TelemetryEventsSender } from './telemetry/sender';
@@ -337,7 +343,19 @@ export class FleetPlugin
       PLUGIN_ID,
       async (context, request) => {
         const plugin = this;
-        const esClient = (await context.core).elasticsearch.client;
+        const coreContext = await context.core;
+        const authz = await getAuthzFromRequest(request);
+        const esClient = coreContext.elasticsearch.client;
+
+        const routeRequiredAuthz = getRouteRequiredAuthz(request.route.method, request.route.path);
+        const routeAuthz = routeRequiredAuthz
+          ? calculateRouteAuthz(authz, routeRequiredAuthz)
+          : undefined;
+
+        const getInternalSoClient = (): SavedObjectsClientContract =>
+          appContextService
+            .getSavedObjects()
+            .getScopedClient(request, { excludedExtensions: [SECURITY_EXTENSION_ID] });
 
         return {
           get agentClient() {
@@ -356,18 +374,21 @@ export class FleetPlugin
               asInternalUser: service.asInternalUser,
             };
           },
-          authz: await getAuthzFromRequest(request),
-          epm: {
+          authz,
+
+          get internalSoClient() {
             // Use a lazy getter to avoid constructing this client when not used by a request handler
-            get internalSoClient() {
-              return appContextService
-                .getSavedObjects()
-                .getScopedClient(request, { excludedExtensions: [SECURITY_EXTENSION_ID] });
-            },
+            return getInternalSoClient();
           },
           get spaceId() {
             return deps.spaces.spacesService.getSpaceId(request);
           },
+
+          get limitedToPackages() {
+            if (routeAuthz && routeAuthz.granted) {
+              return routeAuthz.scopeDataToPackages;
+            }
+          },
         };
       }
     );
@@ -384,10 +405,11 @@ export class FleetPlugin
     // Only some endpoints require superuser so we pass a raw IRouter here
 
     // For all the routes we enforce the user to have role superuser
-    const { router: fleetAuthzRouter, onPostAuthHandler: fleetAuthzOnPostAuthHandler } =
-      makeRouterWithFleetAuthz(router);
+    const fleetAuthzRouter = makeRouterWithFleetAuthz(
+      router,
+      this.initializerContext.logger.get('fleet_authz_router')
+    );
 
-    core.http.registerOnPostAuth(fleetAuthzOnPostAuthHandler);
     registerRoutes(fleetAuthzRouter, config);
 
     this.telemetryEventsSender.setup(deps.telemetry);

x-pack/plugins/fleet/server/routes/agent/index.ts

@@ -5,6 +5,8 @@
  * 2.0.
  */
 
+import type { FleetAuthzRouter } from '../../services/security';
+
 import { AGENT_API_ROUTES } from '../../constants';
 import {
   GetAgentsRequestSchema,
@@ -30,7 +32,6 @@ import {
 } from '../../types';
 import * as AgentService from '../../services/agents';
 import type { FleetConfigType } from '../..';
-import type { FleetAuthzRouter } from '../security';
 
 import { PostBulkUpdateAgentTagsRequestSchema } from '../../types/rest_spec/agent';
 

x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts

@@ -67,7 +67,7 @@ export const getAgentPoliciesHandler: FleetRequestHandler<
 > = async (context, request, response) => {
   const coreContext = await context.core;
   const fleetContext = await context.fleet;
-  const soClient = fleetContext.epm.internalSoClient;
+  const soClient = fleetContext.internalSoClient;
   const esClient = coreContext.elasticsearch.client.asInternalUser;
   const { full: withPackagePolicies = false, ...restOfQuery } = request.query;
   try {
@@ -98,7 +98,7 @@ export const bulkGetAgentPoliciesHandler: FleetRequestHandler<
 > = async (context, request, response) => {
   const coreContext = await context.core;
   const fleetContext = await context.fleet;
-  const soClient = fleetContext.epm.internalSoClient;
+  const soClient = fleetContext.internalSoClient;
   const esClient = coreContext.elasticsearch.client.asInternalUser;
   const { full: withPackagePolicies = false, ignoreMissing = false, ids } = request.body;
   try {
@@ -158,7 +158,7 @@ export const createAgentPolicyHandler: FleetRequestHandler<
 > = async (context, request, response) => {
   const coreContext = await context.core;
   const fleetContext = await context.fleet;
-  const soClient = fleetContext.epm.internalSoClient;
+  const soClient = fleetContext.internalSoClient;
   const esClient = coreContext.elasticsearch.client.asInternalUser;
   const user = (await appContextService.getSecurity()?.authc.getCurrentUser(request)) || undefined;
   const withSysMonitoring = request.query.sys_monitoring ?? false;
@@ -276,7 +276,7 @@ export const getFullAgentPolicy: FleetRequestHandler<
   TypeOf<typeof GetFullAgentPolicyRequestSchema.query>
 > = async (context, request, response) => {
   const fleetContext = await context.fleet;
-  const soClient = fleetContext.epm.internalSoClient;
+  const soClient = fleetContext.internalSoClient;
 
   if (request.query.kubernetes === true) {
     try {
@@ -332,7 +332,7 @@ export const downloadFullAgentPolicy: FleetRequestHandler<
   TypeOf<typeof GetFullAgentPolicyRequestSchema.query>
 > = async (context, request, response) => {
   const fleetContext = await context.fleet;
-  const soClient = fleetContext.epm.internalSoClient;
+  const soClient = fleetContext.internalSoClient;
   const {
     params: { agentPolicyId },
   } = request;

x-pack/plugins/fleet/server/routes/agent_policy/index.ts

@@ -5,6 +5,8 @@
  * 2.0.
  */
 
+import type { FleetAuthzRouter } from '../../services/security';
+
 import { AGENT_POLICY_API_ROUTES } from '../../constants';
 import {
   GetAgentPoliciesRequestSchema,
@@ -17,7 +19,6 @@ import {
   GetK8sManifestRequestSchema,
   BulkGetAgentPoliciesRequestSchema,
 } from '../../types';
-import type { FleetAuthzRouter } from '../security';
 
 import { K8S_API_ROUTES } from '../../../common/constants';
 

x-pack/plugins/fleet/server/routes/app/index.ts

@@ -8,11 +8,12 @@
 import type { RequestHandler } from '@kbn/core/server';
 import type { TypeOf } from '@kbn/config-schema';
 
+import type { FleetAuthzRouter } from '../../services/security';
+
 import { APP_API_ROUTES } from '../../constants';
 import { appContextService } from '../../services';
 import type { CheckPermissionsResponse, GenerateServiceTokenResponse } from '../../../common/types';
 import { defaultFleetErrorHandler, GenerateServiceTokenError } from '../../errors';
-import type { FleetAuthzRouter } from '../security';
 import type { FleetRequestHandler } from '../../types';
 import { CheckPermissionsRequestSchema } from '../../types';
 
@@ -90,7 +91,6 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
     {
       path: APP_API_ROUTES.CHECK_PERMISSIONS_PATTERN,
       validate: CheckPermissionsRequestSchema,
-      options: { tags: [] },
     },
     getCheckPermissionsHandler
   );

x-pack/plugins/fleet/server/routes/data_streams/index.ts

@@ -5,8 +5,9 @@
  * 2.0.
  */
 
+import type { FleetAuthzRouter } from '../../services/security';
+
 import { DATA_STREAM_API_ROUTES } from '../../constants';
-import type { FleetAuthzRouter } from '../security';
 
 import { getListHandler } from './handlers';
 

x-pack/plugins/fleet/server/routes/download_source/index.tsx

@@ -5,6 +5,8 @@
  * 2.0.
  */
 
+import type { FleetAuthzRouter } from '../../services/security';
+
 import { DOWNLOAD_SOURCE_API_ROUTES } from '../../constants';
 import {
   getDownloadSourcesRequestSchema,
@@ -13,7 +15,6 @@ import {
   PostDownloadSourcesRequestSchema,
   DeleteDownloadSourcesRequestSchema,
 } from '../../types';
-import type { FleetAuthzRouter } from '../security';
 
 import {
   getDownloadSourcesHandler,

x-pack/plugins/fleet/server/routes/enrollment_api_key/index.ts

@@ -5,14 +5,15 @@
  * 2.0.
  */
 
+import type { FleetAuthzRouter } from '../../services/security';
+
 import { ENROLLMENT_API_KEY_ROUTES } from '../../constants';
 import {
   GetEnrollmentAPIKeysRequestSchema,
   GetOneEnrollmentAPIKeyRequestSchema,
   DeleteEnrollmentAPIKeyRequestSchema,
   PostEnrollmentAPIKeyRequestSchema,
 } from '../../types';
-import type { FleetAuthzRouter } from '../security';
 
 import {
   getEnrollmentApiKeysHandler,

x-pack/plugins/fleet/server/routes/epm/handlers.ts

@@ -86,7 +86,7 @@ export const getListHandler: FleetRequestHandler<
   TypeOf<typeof GetPackagesRequestSchema.query>
 > = async (context, request, response) => {
   try {
-    const savedObjectsClient = (await context.fleet).epm.internalSoClient;
+    const savedObjectsClient = (await context.fleet).internalSoClient;
     const res = await getPackages({
       savedObjectsClient,
       ...request.query,
@@ -112,7 +112,7 @@ export const getLimitedListHandler: FleetRequestHandler<
   undefined
 > = async (context, request, response) => {
   try {
-    const savedObjectsClient = (await context.fleet).epm.internalSoClient;
+    const savedObjectsClient = (await context.fleet).internalSoClient;
     const res = await getLimitedPackages({
       savedObjectsClient,
       prerelease: request.query.prerelease,
@@ -134,7 +134,7 @@ export const getFileHandler: FleetRequestHandler<
 > = async (context, request, response) => {
   try {
     const { pkgName, pkgVersion, filePath } = request.params;
-    const savedObjectsClient = (await context.fleet).epm.internalSoClient;
+    const savedObjectsClient = (await context.fleet).internalSoClient;
     const installation = await getInstallation({ savedObjectsClient, pkgName });
     const useLocalFile = pkgVersion === installation?.version;
 
@@ -208,7 +208,7 @@ export const getInfoHandler: FleetRequestHandler<
   TypeOf<typeof GetInfoRequestSchema.query>
 > = async (context, request, response) => {
   try {
-    const savedObjectsClient = (await context.fleet).epm.internalSoClient;
+    const savedObjectsClient = (await context.fleet).internalSoClient;
     const { pkgName, pkgVersion } = request.params;
     const { ignoreUnverified = false, full = false, prerelease } = request.query;
     if (pkgVersion && !semverValid(pkgVersion)) {
@@ -237,7 +237,7 @@ export const updatePackageHandler: FleetRequestHandler<
   TypeOf<typeof UpdatePackageRequestSchema.body>
 > = async (context, request, response) => {
   try {
-    const savedObjectsClient = (await context.fleet).epm.internalSoClient;
+    const savedObjectsClient = (await context.fleet).internalSoClient;
     const { pkgName } = request.params;
 
     const res = await updatePackage({ savedObjectsClient, pkgName, ...request.body });
@@ -256,7 +256,7 @@ export const getStatsHandler: FleetRequestHandler<
 > = async (context, request, response) => {
   try {
     const { pkgName } = request.params;
-    const savedObjectsClient = (await context.fleet).epm.internalSoClient;
+    const savedObjectsClient = (await context.fleet).internalSoClient;
     const body: GetStatsResponse = {
       response: await getPackageUsageStats({ savedObjectsClient, pkgName }),
     };
@@ -273,7 +273,7 @@ export const installPackageFromRegistryHandler: FleetRequestHandler<
 > = async (context, request, response) => {
   const coreContext = await context.core;
   const fleetContext = await context.fleet;
-  const savedObjectsClient = fleetContext.epm.internalSoClient;
+  const savedObjectsClient = fleetContext.internalSoClient;
   const esClient = coreContext.elasticsearch.client.asInternalUser;
   const { pkgName, pkgVersion } = request.params;
 
@@ -323,7 +323,7 @@ export const bulkInstallPackagesFromRegistryHandler: FleetRequestHandler<
 > = async (context, request, response) => {
   const coreContext = await context.core;
   const fleetContext = await context.fleet;
-  const savedObjectsClient = fleetContext.epm.internalSoClient;
+  const savedObjectsClient = fleetContext.internalSoClient;
   const esClient = coreContext.elasticsearch.client.asInternalUser;
   const spaceId = fleetContext.spaceId;
   const bulkInstalledResponses = await bulkInstallPackages({
@@ -354,7 +354,7 @@ export const installPackageByUploadHandler: FleetRequestHandler<
   }
   const coreContext = await context.core;
   const fleetContext = await context.fleet;
-  const savedObjectsClient = fleetContext.epm.internalSoClient;
+  const savedObjectsClient = fleetContext.internalSoClient;
   const esClient = coreContext.elasticsearch.client.asInternalUser;
   const contentType = request.headers['content-type'] as string; // from types it could also be string[] or undefined but this is checked later
   const archiveBuffer = Buffer.from(request.body);
@@ -390,7 +390,7 @@ export const deletePackageHandler: FleetRequestHandler<
     const { pkgName, pkgVersion } = request.params;
     const coreContext = await context.core;
     const fleetContext = await context.fleet;
-    const savedObjectsClient = fleetContext.epm.internalSoClient;
+    const savedObjectsClient = fleetContext.internalSoClient;
     const esClient = coreContext.elasticsearch.client.asInternalUser;
     const res = await removeInstallation({
       savedObjectsClient,

x-pack/plugins/fleet/server/routes/epm/index.ts

@@ -7,6 +7,8 @@
 
 import type { IKibanaResponse } from '@kbn/core/server';
 
+import type { FleetAuthzRouter } from '../../services/security';
+
 import type {
   DeletePackageResponse,
   GetInfoResponse,
@@ -32,7 +34,6 @@ import {
   UpdatePackageRequestSchema,
   UpdatePackageRequestSchemaDeprecated,
 } from '../../types';
-import type { FleetAuthzRouter } from '../security';
 
 import {
   getCategoriesHandler,

x-pack/plugins/fleet/server/routes/fleet_proxies/index.ts

@@ -4,15 +4,15 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
+import type { FleetAuthzRouter } from '../../services/security';
+
 import { FLEET_PROXY_API_ROUTES } from '../../../common/constants';
 import {
   GetOneFleetProxyRequestSchema,
   PostFleetProxyRequestSchema,
   PutFleetProxyRequestSchema,
 } from '../../types';
 
-import type { FleetAuthzRouter } from '../security';
-
 import {
   getAllFleetProxyHandler,
   postFleetProxyHandler,

x-pack/plugins/fleet/server/routes/fleet_server_policy_config/index.ts

@@ -5,6 +5,8 @@
  * 2.0.
  */
 
+import type { FleetAuthzRouter } from '../../services/security';
+
 import { FLEET_SERVER_HOST_API_ROUTES } from '../../../common/constants';
 import {
   GetAllFleetServerHostRequestSchema,
@@ -13,8 +15,6 @@ import {
   PutFleetServerHostRequestSchema,
 } from '../../types';
 
-import type { FleetAuthzRouter } from '../security';
-
 import {
   deleteFleetServerPolicyHandler,
   getAllFleetServerPolicyHandler,