[Defend Workflows] Fix endpoint list API to mirror exception list API #246019
szwarckonrad merged 13 commits into elastic:main
Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
paul-tavares
left a comment
Reviewed code only and looks good
nkhristinin
left a comment
Code review only, changes look fine, only have 1 question about return type
| return response.ok({ body: ReadEndpointListItemResponse.parse(exceptionListItem) }); | ||
| // API schema expects an array of items | ||
| return response.ok({ | ||
| body: ReadEndpointListItemResponse.parse([exceptionListItem]), |
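Review bot: In the replacement return, `ReadEndpointListItemResponse.parse([exceptionListItem])` turns the body of a single-item read into a one-element array, so any caller that reads fields straight off the response body would stop working. The added comment justifies this by the schema alone; if the route is meant to return one object, fix the schema to describe a single item and keep `parse(exceptionListItem)` rather than changing the wire format to fit it.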
Do we change response type here to array?
Is this route consumed by anybody and would it be a breaking change?
Great catch, the schema was incorrectly defined as an array when it should return a single item (matching the exception list API pattern), so I've updated the OpenAPI schema and regenerated the types instead of wrapping the response in an array.
gergoabraham
left a comment
looks great, and works mostly great! 🚀
one use case is missing, which shouldn't be a problem for 9.1/9.2/9.3 without the endpointExceptionsMovedUnderManagement feature flag enabled, so it can be done in a follow-up PR as well.
the use case is _find with space awareness: a per-policy (or non-global) artifact should be only seen in a space where it was either created, or where a package policy to which it's assigned exists. the easiest use case: an unassigned per-policy artifact should be visible only in the space it was created.
and this space aware filtering is provided by the exception_lists API, it's working out of the box for all artifacts, even for endpoint exceptions: you won't see endpoint exceptions on the UI from other spaces. but, endpoint_list API for some reason does not apply the space filtering.
i understood earlier that it should be provided by the validators (here by setFindRequestFilterScopeToActiveSpace), so i don't see why it's not applied based on your changes.
if you choose the follow-up PR, please make sure not to close the issue for now, as this use case is tracked there 🙌
here are the tests i performed
```
// -- when endpointExceptionsMovedUnderManagement feature flag is enabled ---

// test 1: fetching should not show item from space B (only when FF enabled) ❌
// for this, you need per-policy endpoint exceptions created in another space, therefore they shouldn't be visible in the current space
// result: exception_list API filters based on space, endpoint_list API does not
GET kbn://api/exception_lists/items/_find?list_id=endpoint_list&namespace_type=agnostic
GET kbn://api/endpoint_list/items/_find

// test 1.5: deleting in another space only with global_artifact_management_all, but in current space without it (only when FF enabled) ✅
DELETE kbn://api/endpoint_list/items?id=24187dc1-c65e-42a6-94a4-d58640161ce5
DELETE kbn://api/exception_lists/items?id=77e62c4a-3e23-40bd-9223-c3a6fd82ec5d&list_id=endpoint_list&namespace_type=agnostic

// -- when feature flag is disabled ---

// test 2: should add space owner + policy:all tags on create ✅
// test 3: should create only with both global_artifact_management AND endpoint_exceptions_all ✅
POST kbn://api/exception_lists/items
{
  "comments": [],
  "description": "Exception list item",
  "entries": [
    {
      "field": "client.port",
      "operator": "included",
      "type": "match",
      "value": "2"
    }
  ],
  "list_id": "endpoint_list",
  "name": "through exceptions API",
  "namespace_type": "agnostic",
  "tags": [],
  "type": "simple",
  "os_types": [
    "linux"
  ]
}

POST kbn://api/endpoint_list/items
{
  "comments": [],
  "description": "Exception list item",
  "entries": [
    {
      "field": "client.port",
      "operator": "included",
      "type": "match",
      "value": "3"
    }
  ],
  "name": "through endpoint_list_API",
  "namespace_type": "agnostic",
  "tags": [
  ],
  "type": "simple",
  "os_types": [
    "linux"
  ]
}

// test 4: should DELETE only with both global_artifact_management AND endpoint_exceptions_all ✅
DELETE kbn://api/endpoint_list/items?id=9f5d8514-13e1-4262-9dc7-0b52b161f418
DELETE kbn://api/exception_lists/items?id=9f5d8514-13e1-4262-9dc7-0b52b161f418

// test 5: should update only with both global_artifact_management AND endpoint_exceptions_all ✅
PUT kbn://api/exception_lists/items
{
  "id": "24187dc1-c65e-42a6-94a4-d58640161ce5",
  "item_id": "cb8d988c-ec08-41d3-afc3-15f695aa3d0b",
  "type": "simple",
  "name": "from UI space default",
  "description": "Exception list item",
  "entries": [
    {
      "field": "client.port",
      "operator": "included",
      "type": "match",
      "value": "66"
    }
  ],
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [
    "ownerSpaceId:default"
  ],
  "comments": []
}

PUT kbn://api/endpoint_list/items
{
  "id": "24187dc1-c65e-42a6-94a4-d58640161ce5",
  "item_id": "cb8d988c-ec08-41d3-afc3-15f695aa3d0b",
  "type": "simple",
  "name": "from UI space default",
  "description": "Exception list item",
  "entries": [
    {
      "field": "client.port",
      "operator": "included",
      "type": "match",
      "value": "666"
    }
  ],
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [
  ],
  "comments": []
}

// test 6: should add tags on update ✅
PUT kbn://api/exception_lists/items
{
  "id": "44ade8b0-af69-46a0-84a1-2b11102645cf",
  "item_id": "3fce5cc9-c8e3-40dc-a7d3-5a3104173de4",
  "type": "simple",
  "name": "from UI space default",
  "description": "Exception list item",
  "entries": [
    {
      "field": "client.port",
      "operator": "included",
      "type": "match",
      "value": "66"
    }
  ],
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [],
  "comments": []
}

PUT kbn://api/endpoint_list/items
{
  "id": "44ade8b0-af69-46a0-84a1-2b11102645cf",
  "item_id": "3fce5cc9-c8e3-40dc-a7d3-5a3104173de4",
  "type": "simple",
  "name": "from UI space default",
  "description": "Exception list item",
  "entries": [
    {
      "field": "client.port",
      "operator": "included",
      "type": "match",
      "value": "666"
    }
  ],
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [],
  "comments": []
}
```
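The space-visibility rule stated in the review comment above (test 1), written out as an added TypeScript example; it is not code from this PR or from Kibana. The `policy:all` and `ownerSpaceId:` tags appear in the thread, while the `policy:<id>` tag form, the `policySpaces` lookup and all function names are assumptions made for illustration.

```typescript
// Added illustration, not Kibana source. Tag prefixes follow the thread
// ("policy:all", "ownerSpaceId:default"); "policy:<id>" is an assumed form.
const GLOBAL_TAG = 'policy:all';
const POLICY_PREFIX = 'policy:';
const OWNER_PREFIX = 'ownerSpaceId:';

interface ArtifactItem {
  id: string;
  tags: string[];
}

// Hypothetical lookup: package policy id -> ids of the spaces where it exists.
type PolicySpaces = { [policyId: string]: string[] };

// Values of all tags with the given prefix, ignoring the global marker.
function tagValues(item: ArtifactItem, prefix: string): string[] {
  return item.tags
    .filter((t) => t.indexOf(prefix) === 0 && t !== GLOBAL_TAG)
    .map((t) => t.slice(prefix.length));
}

// Visible when global, created in the active space, or assigned to a
// package policy that exists in the active space.
function isVisibleInSpace(
  item: ArtifactItem,
  space: string,
  policySpaces: PolicySpaces
): boolean {
  if (item.tags.indexOf(GLOBAL_TAG) !== -1) return true;
  if (tagValues(item, OWNER_PREFIX).indexOf(space) !== -1) return true;
  return tagValues(item, POLICY_PREFIX).some(
    (policyId) => (policySpaces[policyId] || []).indexOf(space) !== -1
  );
}

// What a space-aware _find should return: the same list, scoped to one space.
function findInSpace(
  items: ArtifactItem[],
  space: string,
  policySpaces: PolicySpaces
): string[] {
  return items
    .filter((item) => isVisibleInSpace(item, space, policySpaces))
    .map((item) => item.id);
}

// Constructed sample data: policy "pol-1" exists only in the "default" space.
const SAMPLE_POLICY_SPACES: PolicySpaces = { 'pol-1': ['default'] };
const SAMPLE_ITEMS: ArtifactItem[] = [
  { id: 'global', tags: ['policy:all', 'ownerSpaceId:space-b'] },
  { id: 'unassigned-b', tags: ['ownerSpaceId:space-b'] },
  { id: 'assigned-b', tags: ['ownerSpaceId:space-b', 'policy:pol-1'] },
  { id: 'local-default', tags: ['ownerSpaceId:default'] },
];
```

A `_find` handler that skips this scoping returns all four sample items in every space, which is the difference the reviewer observed between the two APIs.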
…elastic#246019)

This PR fixes the deprecated `api/endpoint_list` APIs to properly enforce RBAC, space awareness, and security tag assignment through the extension point system.

Changes:
- Modified 5 ExceptionListClient methods to invoke extension points: `createEndpointListItem`, `updateEndpointListItem`, `deleteEndpointListItem`, `getEndpointListItem`, `findEndpointListItem`
- Added entry validation and disallowed field checks to create route
- Fixed return type in read route to match API schema
- Added comprehensive unit tests for all 5 methods
- Added API integration tests covering all RBAC scenarios

All changes mirror the existing exception list API behavior.

Closes elastic/security-team#14818

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

(cherry picked from commit 70c5025)
…elastic#246019)

This PR fixes the deprecated `api/endpoint_list` APIs to properly enforce RBAC, space awareness, and security tag assignment through the extension point system.

Changes:
- Modified 5 ExceptionListClient methods to invoke extension points: `createEndpointListItem`, `updateEndpointListItem`, `deleteEndpointListItem`, `getEndpointListItem`, `findEndpointListItem`
- Added entry validation and disallowed field checks to create route
- Fixed return type in read route to match API schema
- Added comprehensive unit tests for all 5 methods
- Added API integration tests covering all RBAC scenarios

All changes mirror the existing exception list API behavior.

Closes elastic/security-team#14818

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

(cherry picked from commit 70c5025)

# Conflicts:
# x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/endpoint_exceptions.ff_enabled.ts
…st API (#246019) (#247041)

# Backport

This will backport the following commits from `main` to `9.3`:
- [[Defend Workflows] Fix endpoint list API to mirror exception list API (#246019)](#246019)

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync.
…st API (#246019) (#247050)

# Backport

This will backport the following commits from `main` to `9.2`:
- [[Defend Workflows] Fix endpoint list API to mirror exception list API (#246019)](#246019)

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
…st API (#246019) (#247047)

# Backport

This will backport the following commits from `main` to `9.1`:
- [[Defend Workflows] Fix endpoint list API to mirror exception list API (#246019)](#246019)

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
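This PR fixes the deprecated `api/endpoint_list` APIs to properly enforce RBAC, space awareness, and security tag assignment through the extension point system.

Changes:
- Modified 5 ExceptionListClient methods to invoke extension points: `createEndpointListItem`, `updateEndpointListItem`, `deleteEndpointListItem`, `getEndpointListItem`, `findEndpointListItem`
- Added entry validation and disallowed field checks to create route
- Fixed return type in read route to match API schema
- Added comprehensive unit tests for all 5 methods
- Added API integration tests covering all RBAC scenarios

All changes mirror the existing exception list API behavior.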
Closes https://github.com/elastic/security-team/issues/14818