Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Fleet] Restrict integration changes for managed policies #90675

Merged
merged 8 commits into from
Feb 10, 2021
Merged

[Fleet] Restrict integration changes for managed policies #90675

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
30225be
service layer changes to limit add integrations
Feb 8, 2021
6d9f231
More restrictions on updating integrations on managed policies
Feb 8, 2021
90d93ac
Merge branch 'master' into 90445-no-integration-changes-for-managed-p…
Feb 9, 2021
66ba36a
Tests for 'cannot add integrations to managed policies'
Feb 9, 2021
45f420c
Cannot update integrations on a managed policy
Feb 9, 2021
a810ce6
Merge branch 'master' into 90445-no-integration-changes-for-managed-p…
kibanamachine Feb 9, 2021
3399029
"can't remove managed policy integrations" tests
Feb 10, 2021
28526e0
Merge branch '90445-no-integration-changes-for-managed-policies' of g…
Feb 10, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 2 additions & 3 deletions x-pack/plugins/fleet/server/routes/package_policy/handlers.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,11 +79,10 @@ export const createPackagePolicyHandler: RequestHandler<
const esClient = context.core.elasticsearch.client.asCurrentUser;
const callCluster = context.core.elasticsearch.legacy.client.callAsCurrentUser;
const user = (await appContextService.getSecurity()?.authc.getCurrentUser(request)) || undefined;
let newData = { ...request.body };
try {
newData = await packagePolicyService.runExternalCallbacks(
const newData = await packagePolicyService.runExternalCallbacks(
'packagePolicyCreate',
newData,
{ ...request.body },
context,
request
);
Expand Down
14 changes: 13 additions & 1 deletion x-pack/plugins/fleet/server/services/agent_policy.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,11 @@ import {
FleetServerPolicy,
AGENT_POLICY_INDEX,
} from '../../common';
import { AgentPolicyNameExistsError, AgentPolicyDeletionError } from '../errors';
import {
AgentPolicyNameExistsError,
AgentPolicyDeletionError,
IngestManagerError,
} from '../errors';
import { createAgentPolicyAction, listAgents } from './agents';
import { packagePolicyService } from './package_policy';
import { outputService } from './output';
Expand Down Expand Up @@ -382,6 +386,10 @@ class AgentPolicyService {
throw new Error('Agent policy not found');
}

if (oldAgentPolicy.is_managed) {
throw new IngestManagerError(`Cannot update integrations of managed policy ${id}`);
}

return await this._update(
soClient,
esClient,
Expand Down Expand Up @@ -409,6 +417,10 @@ class AgentPolicyService {
throw new Error('Agent policy not found');
}

if (oldAgentPolicy.is_managed) {
throw new IngestManagerError(`Cannot remove integrations of managed policy ${id}`);
}

return await this._update(
soClient,
esClient,
Expand Down
30 changes: 20 additions & 10 deletions x-pack/plugins/fleet/server/services/package_policy.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ import {
doesAgentPolicyAlreadyIncludePackage,
} from '../../common';
import { PACKAGE_POLICY_SAVED_OBJECT_TYPE } from '../constants';
import { IngestManagerError, ingestErrorToResponseOptions } from '../errors';
import {
NewPackagePolicy,
UpdatePackagePolicy,
Expand Down Expand Up @@ -63,15 +64,20 @@ class PackagePolicyService {
const parentAgentPolicy = await agentPolicyService.get(soClient, packagePolicy.policy_id);
if (!parentAgentPolicy) {
throw new Error('Agent policy not found');
} else {
if (
(parentAgentPolicy.package_policies as PackagePolicy[]).find(
(siblingPackagePolicy) => siblingPackagePolicy.name === packagePolicy.name
)
) {
throw new Error('There is already a package with the same name on this agent policy');
}
}
if (parentAgentPolicy.is_managed) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(not blocking) I have the feeling that is time to refactor L64-L80 to a new function something like _validateParentAgentPolicy

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I wanted to consolidate the two sources of the "There is already a package named..." errors

kibana/x-pack/plugins/fleet/server/services/package_policy.ts

Lines 297 to 304 in 45f420c

if (
(parentAgentPolicy.package_policies as PackagePolicy[]).find(
(siblingPackagePolicy) =>
siblingPackagePolicy.id !== id && siblingPackagePolicy.name === packagePolicy.name
)
) {
throw new Error('There is already a package with the same name on this agent policy');
}

And perhaps give it a specific error name/type. I plan on circling back to that after I get the other features in.

I'll open a ticket

throw new IngestManagerError(
`Cannot add integrations to managed policy ${parentAgentPolicy.id}`
);
}
if (
(parentAgentPolicy.package_policies as PackagePolicy[]).find(
(siblingPackagePolicy) => siblingPackagePolicy.name === packagePolicy.name
)
) {
throw new Error('There is already a package with the same name on this agent policy');
}

// Add ids to stream
const packagePolicyId = options?.id || uuid.v4();
let inputs: PackagePolicyInput[] = packagePolicy.inputs.map((input) =>
Expand Down Expand Up @@ -285,6 +291,9 @@ class PackagePolicyService {
if (!parentAgentPolicy) {
throw new Error('Agent policy not found');
} else {
if (parentAgentPolicy.is_managed) {
throw new IngestManagerError(`Cannot update integrations of managed policy ${id}`);
}
if (
(parentAgentPolicy.package_policies as PackagePolicy[]).find(
(siblingPackagePolicy) =>
Expand All @@ -295,7 +304,7 @@ class PackagePolicyService {
}
}

let inputs = await restOfPackagePolicy.inputs.map((input) =>
let inputs = restOfPackagePolicy.inputs.map((input) =>
assignStreamIdToInput(oldPackagePolicy.id, input)
);

Expand Down Expand Up @@ -363,10 +372,11 @@ class PackagePolicyService {
name: packagePolicy.name,
success: true,
});
} catch (e) {
} catch (error) {
result.push({
id,
success: false,
...ingestErrorToResponseOptions(error),
});
}
}
Expand Down
1 change: 1 addition & 0 deletions x-pack/test/fleet_api_integration/apis/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ export default function ({ loadTestFile }) {
loadTestFile(require.resolve('./package_policy/create'));
loadTestFile(require.resolve('./package_policy/update'));
loadTestFile(require.resolve('./package_policy/get'));
loadTestFile(require.resolve('./package_policy/delete'));

// Agent policies
loadTestFile(require.resolve('./agent_policy/index'));
Expand Down
48 changes: 47 additions & 1 deletion x-pack/test/fleet_api_integration/apis/package_policy/create.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import expect from '@kbn/expect';
import { FtrProviderContext } from '../../../api_integration/ftr_provider_context';
import { warnAndSkipTest } from '../../helpers';

Expand Down Expand Up @@ -39,6 +39,52 @@ export default function ({ getService }: FtrProviderContext) {
.send({ agentPolicyId });
});

it('should fail for managed agent policies', async function () {
if (server.enabled) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick we have a helper that does the same thing but I found it less verbose https://github.com/elastic/kibana/blob/master/x-pack/test/fleet_api_integration/apis/epm/data_stream.ts/#L37

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the reminder. I was just copy/pasting from the rest of the file. I'll update

// get a managed policy
const {
body: { item: managedPolicy },
} = await supertest
.post(`/api/fleet/agent_policies`)
.set('kbn-xsrf', 'xxxx')
.send({
name: `Managed policy from ${Date.now()}`,
namespace: 'default',
is_managed: true,
});

// try to add an integration to the managed policy
const { body } = await supertest
.post(`/api/fleet/package_policies`)
.set('kbn-xsrf', 'xxxx')
.send({
name: 'filetest-1',
description: '',
namespace: 'default',
policy_id: managedPolicy.id,
enabled: true,
output_id: '',
inputs: [],
package: {
name: 'filetest',
title: 'For File Tests',
version: '0.1.0',
},
})
.expect(400);

expect(body.statusCode).to.be(400);
expect(body.message).to.contain('Cannot add integrations to managed policy');

// delete policy we just made
await supertest.post(`/api/fleet/agent_policies/delete`).set('kbn-xsrf', 'xxxx').send({
agentPolicyId: managedPolicy.id,
});
} else {
warnAndSkipTest(this, log);
}
});

it('should work with valid values', async function () {
if (server.enabled) {
await supertest
Expand Down
127 changes: 127 additions & 0 deletions x-pack/test/fleet_api_integration/apis/package_policy/delete.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,127 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import expect from '@kbn/expect';
import { FtrProviderContext } from '../../../api_integration/ftr_provider_context';
import { skipIfNoDockerRegistry } from '../../helpers';

export default function (providerContext: FtrProviderContext) {
const { getService } = providerContext;
const supertest = getService('supertest');

// use function () {} and not () => {} here
// because `this` has to point to the Mocha context
// see https://mochajs.org/#arrow-functions

describe('Package Policy - delete', async function () {
skipIfNoDockerRegistry(providerContext);
let agentPolicy: any;
let packagePolicy: any;

before(async function () {
let agentPolicyResponse = await supertest
.post(`/api/fleet/agent_policies`)
.set('kbn-xsrf', 'xxxx')
.send({
name: 'Test policy',
namespace: 'default',
is_managed: false,
});

// if one already exists, re-use that
if (agentPolicyResponse.body.statusCode === 409) {
const errorRegex = /^agent policy \'(?<id>[\w,\-]+)\' already exists/i;
const result = errorRegex.exec(agentPolicyResponse.body.message);
if (result?.groups?.id) {
agentPolicyResponse = await supertest
.put(`/api/fleet/agent_policies/${result.groups.id}`)
.set('kbn-xsrf', 'xxxx')
.send({
name: 'Test policy',
namespace: 'default',
is_managed: false,
});
}
}
agentPolicy = agentPolicyResponse.body.item;

const { body: packagePolicyResponse } = await supertest
.post(`/api/fleet/package_policies`)
.set('kbn-xsrf', 'xxxx')
.send({
name: 'filetest-1',
description: '',
namespace: 'default',
policy_id: agentPolicy.id,
enabled: true,
output_id: '',
inputs: [],
package: {
name: 'filetest',
title: 'For File Tests',
version: '0.1.0',
},
});
packagePolicy = packagePolicyResponse.item;
});

after(async function () {
await supertest
.post(`/api/fleet/agent_policies/delete`)
.set('kbn-xsrf', 'xxxx')
.send({ agentPolicyId: agentPolicy.id });

await supertest
.post(`/api/fleet/package_policies/delete`)
.set('kbn-xsrf', 'xxxx')
.send({ packagePolicyIds: [packagePolicy.id] });
});

it('should fail on managed agent policies', async function () {
// update existing policy to managed
await supertest
.put(`/api/fleet/agent_policies/${agentPolicy.id}`)
.set('kbn-xsrf', 'xxxx')
.send({
name: agentPolicy.name,
namespace: agentPolicy.namespace,
is_managed: true,
})
.expect(200);

// try to delete
const { body: results } = await supertest
.post(`/api/fleet/package_policies/delete`)
.set('kbn-xsrf', 'xxxx')
.send({ packagePolicyIds: [packagePolicy.id] })
.expect(200);

// delete always succeeds (returns 200) with Array<{success: boolean}>
expect(Array.isArray(results));
expect(results.length).to.be(1);
expect(results[0].success).to.be(false);
expect(results[0].body.message).to.contain('Cannot remove integrations of managed policy');

// revert existing policy to unmanaged
await supertest
.put(`/api/fleet/agent_policies/${agentPolicy.id}`)
.set('kbn-xsrf', 'xxxx')
.send({
name: agentPolicy.name,
namespace: agentPolicy.namespace,
is_managed: false,
})
.expect(200);
});

it('should work for unmanaged policies', async function () {
await supertest
.post(`/api/fleet/package_policies/delete`)
.set('kbn-xsrf', 'xxxx')
.send({ packagePolicyIds: [packagePolicy.id] });
});
});
}
48 changes: 47 additions & 1 deletion x-pack/test/fleet_api_integration/apis/package_policy/update.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import expect from '@kbn/expect';
import { FtrProviderContext } from '../../../api_integration/ftr_provider_context';
import { skipIfNoDockerRegistry } from '../../helpers';

Expand All @@ -21,6 +21,7 @@ export default function (providerContext: FtrProviderContext) {
describe('Package Policy - update', async function () {
skipIfNoDockerRegistry(providerContext);
let agentPolicyId: string;
let managedAgentPolicyId: string;
let packagePolicyId: string;
let packagePolicyId2: string;

Expand All @@ -35,8 +36,30 @@ export default function (providerContext: FtrProviderContext) {
name: 'Test policy',
namespace: 'default',
});

agentPolicyId = agentPolicyResponse.item.id;

const { body: managedAgentPolicyResponse } = await supertest
.post(`/api/fleet/agent_policies`)
.set('kbn-xsrf', 'xxxx')
.send({
name: 'Test managed policy',
namespace: 'default',
is_managed: true,
});

// if one already exists, re-use that
const managedExists = managedAgentPolicyResponse.statusCode === 409;
if (managedExists) {
const errorRegex = /^agent policy \'(?<id>[\w,\-]+)\' already exists/i;
const result = errorRegex.exec(managedAgentPolicyResponse.message);
if (result?.groups?.id) {
managedAgentPolicyId = result.groups.id;
}
} else {
managedAgentPolicyId = managedAgentPolicyResponse.item.id;
}

const { body: packagePolicyResponse } = await supertest
.post(`/api/fleet/package_policies`)
.set('kbn-xsrf', 'xxxx')
Expand Down Expand Up @@ -83,6 +106,29 @@ export default function (providerContext: FtrProviderContext) {
.send({ agentPolicyId });
});

it('should fail on managed agent policies', async function () {
const { body } = await supertest
.put(`/api/fleet/package_policies/${packagePolicyId}`)
.set('kbn-xsrf', 'xxxx')
.send({
name: 'filetest-1',
description: '',
namespace: 'updated_namespace',
policy_id: managedAgentPolicyId,
enabled: true,
output_id: '',
inputs: [],
package: {
name: 'filetest',
title: 'For File Tests',
version: '0.1.0',
},
})
.expect(400);

expect(body.message).to.contain('Cannot update integrations of managed policy');
});

it('should work with valid values', async function () {
await supertest
.put(`/api/fleet/package_policies/${packagePolicyId}`)
Expand Down