[Fleet] Update final pipeline based on ECS event.agent_id_status (ela…

…stic#102805) (elastic#102832) This updates the Fleet final pipeline added in elastic#100973 to match the specification of `event.agent_id_status` field as defined in ECS. The field was added to ECS in elastic/ecs#1454. Basically the values of the field were simplified from what was originally proposed and implemented. Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
cee-chen · Jun 22, 2021 · 7f7ba0b · 7f7ba0b
1 parent 7f15592
commit 7f7ba0b
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 16 deletions.
diff --git a/x-pack/plugins/fleet/server/services/epm/elasticsearch/ingest_pipeline/final_pipeline.ts b/x-pack/plugins/fleet/server/services/epm/elasticsearch/ingest_pipeline/final_pipeline.ts
@@ -59,25 +59,26 @@ processors:
         }
 
         String verified(def ctx, def params) {
-          // Agents only use API keys.
-          if (ctx?._security?.authentication_type == null || ctx._security.authentication_type != 'API_KEY') {
-            return "no_api_key";
+          // No agent.id field to validate.
+          if (ctx?.agent?.id == null) {
+            return "missing";
           }
 
-          // Verify the API key owner before trusting any metadata it contains.
-          if (!is_user_trusted(ctx, params.trusted_users)) {
-            return "untrusted_user";
-          }
-
-          // API keys created by Fleet include metadata about the agent they were issued to.
-          if (ctx?._security?.api_key?.metadata?.agent_id == null || ctx?.agent?.id == null) {
-            return "missing_metadata";
+          // Check auth metadata from API key.
+          if (ctx?._security?.authentication_type == null
+              // Agents only use API keys.
+              || ctx._security.authentication_type != 'API_KEY'
+              // Verify the API key owner before trusting any metadata it contains.
+              || !is_user_trusted(ctx, params.trusted_users)
+              // Verify the API key has metadata indicating the assigned agent ID.
+              || ctx?._security?.api_key?.metadata?.agent_id == null) {
+            return "auth_metadata_missing";
           }
 
           // The API key can only be used represent the agent.id it was issued to.
           if (ctx._security.api_key.metadata.agent_id != ctx.agent.id) {
             // Potential masquerade attempt.
-            return "agent_id_mismatch";
+            return "mismatch";
           }
 
           return "verified";

diff --git a/x-pack/test/fleet_api_integration/apis/epm/final_pipeline.ts b/x-pack/test/fleet_api_integration/apis/epm/final_pipeline.ts
@@ -112,14 +112,14 @@ export default function (providerContext: FtrProviderContext) {
       // @ts-expect-error
       const event = doc._source.event;
 
-      expect(event.agent_id_status).to.be('no_api_key');
+      expect(event.agent_id_status).to.be('auth_metadata_missing');
       expect(event).to.have.property('ingested');
     });
 
     const scenarios = [
       {
         name: 'API key without metadata',
-        expectedStatus: 'missing_metadata',
+        expectedStatus: 'auth_metadata_missing',
         event: { agent: { id: 'agent1' } },
       },
       {
@@ -134,7 +134,7 @@ export default function (providerContext: FtrProviderContext) {
       },
       {
         name: 'API key with agent id metadata and no agent id in event',
-        expectedStatus: 'missing_metadata',
+        expectedStatus: 'missing',
         apiKey: {
           metadata: {
             agent_id: 'agent1',
@@ -143,7 +143,7 @@ export default function (providerContext: FtrProviderContext) {
       },
       {
         name: 'API key with agent id metadata and tampered agent id in event',
-        expectedStatus: 'agent_id_mismatch',
+        expectedStatus: 'mismatch',
         apiKey: {
           metadata: {
             agent_id: 'agent2',