[EDR Workflows][API] Gate Agent Tamper Protection setting on Agent Po…

…licy Settings (elastic#174400) This PR is part of an effort to limit EDR Workflow features to the Endpoint Complete tier on serverless and focuses on server skde part of gating Agent Tamper Protection. Related PRs: elastic#174278 elastic#175129 **We decided to stick with the existing Fleet privileges for this component, and no extra changes are needed RBAC wise (confirmed with @roxana-gheorghe).** **Plugin/Policy Watcher Changes**: To monitor agent policies for a downgrade in tier (from complete to essentials) and disable agent protections if enabled, the following steps have been taken: 1. A new app feature, `endpoint_agent_tamper_protection`, has been introduced and linked to the `endpoint:complete` tier. 2. An additional method, `bumpRevision`, has been exposed in the fleet's agent policy service. This method utilizes the service's internal update function and includes a `disable_protection` flag, allowing it to be used without further modifications. 3. The security solution side calls this method upon successful fleet plugin setup. If the `endpoint_agent_tamper_protection` app feature is not enabled, it retrieves all agent policies with `is_protected: true` and updates these policies with `is_protected: false`. **API Changes**: To respond to attempts to activate agent protection via the API by users on the Essentials tier, the following steps have been taken: 1. External callback functionality has been added to the agentPolicy service, following the implementation in packagePolicy. 2. Update and create agent policy callbacks have been registered in the security solution. These callbacks check for the enabled status of the `endpoint_agent_tamper_protection` app feature. If disabled, the callback throws an error. 3. External callback execution has been added to the update and create methods in agent policy route handlers. --------- Co-authored-by: kibanamachine <[email protected]>
CoenWarmer · Feb 15, 2024 · 4b7ac57 · 4b7ac57
1 parent eb279ad
commit 4b7ac57
Show file tree

Hide file tree

Showing 18 changed files with 742 additions and 36 deletions.
diff --git a/x-pack/plugins/cloud_security_posture/server/plugin.test.ts b/x-pack/plugins/cloud_security_posture/server/plugin.test.ts
@@ -32,10 +32,10 @@ import {
   UpdatePackagePolicy,
 } from '@kbn/fleet-plugin/common';
 import {
-  ExternalCallback,
   FleetStartContract,
   PostPackagePolicyPostDeleteCallback,
   PostPackagePolicyPostCreateCallback,
+  ExternalCallback,
 } from '@kbn/fleet-plugin/server';
 import { CLOUD_SECURITY_POSTURE_PACKAGE_NAME } from '../common/constants';
 import Chance from 'chance';

diff --git a/x-pack/plugins/fleet/server/mocks/index.ts b/x-pack/plugins/fleet/server/mocks/index.ts
@@ -157,6 +157,7 @@ export const createMockAgentPolicyService = (): jest.Mocked<AgentPolicyServiceIn
     list: jest.fn(),
     getFullAgentPolicy: jest.fn(),
     getByIds: jest.fn(),
+    bumpRevision: jest.fn(),
   };
 };
 

diff --git a/x-pack/plugins/fleet/server/plugin.ts b/x-pack/plugins/fleet/server/plugin.ts
@@ -8,33 +8,32 @@
 import { backOff } from 'exponential-backoff';
 import type { Observable } from 'rxjs';
 import { BehaviorSubject } from 'rxjs';
-import { take, filter } from 'rxjs/operators';
+import { filter, take } from 'rxjs/operators';
 import { DEFAULT_SPACE_ID } from '@kbn/spaces-plugin/common';
 import { i18n } from '@kbn/i18n';
 import type {
   CoreSetup,
   CoreStart,
+  ElasticsearchClient,
   ElasticsearchServiceStart,
+  HttpServiceSetup,
+  KibanaRequest,
   Logger,
   Plugin,
   PluginInitializerContext,
+  SavedObjectsClientContract,
   SavedObjectsServiceStart,
-  HttpServiceSetup,
-  KibanaRequest,
   ServiceStatus,
-  ElasticsearchClient,
-  SavedObjectsClientContract,
 } from '@kbn/core/server';
+import { DEFAULT_APP_CATEGORIES, SavedObjectsClient, ServiceStatusLevels } from '@kbn/core/server';
 import type { UsageCollectionSetup } from '@kbn/usage-collection-plugin/server';
 
 import type { TelemetryPluginSetup, TelemetryPluginStart } from '@kbn/telemetry-plugin/server';
-
-import { DEFAULT_APP_CATEGORIES, SavedObjectsClient, ServiceStatusLevels } from '@kbn/core/server';
 import type { PluginStart as DataPluginStart } from '@kbn/data-plugin/server';
 import type { LicensingPluginStart } from '@kbn/licensing-plugin/server';
 import type {
-  EncryptedSavedObjectsPluginStart,
   EncryptedSavedObjectsPluginSetup,
+  EncryptedSavedObjectsPluginStart,
 } from '@kbn/encrypted-saved-objects-plugin/server';
 import type {
   AuditLogger,
@@ -57,61 +56,60 @@ import { SECURITY_EXTENSION_ID } from '@kbn/core-saved-objects-server';
 
 import type { FleetConfigType } from '../common/types';
 import type { FleetAuthz } from '../common';
-import type { ExperimentalFeatures } from '../common/experimental_features';
-
 import {
-  MESSAGE_SIGNING_KEYS_SAVED_OBJECT_TYPE,
   INTEGRATIONS_PLUGIN_ID,
+  MESSAGE_SIGNING_KEYS_SAVED_OBJECT_TYPE,
   UNINSTALL_TOKENS_SAVED_OBJECT_TYPE,
 } from '../common';
+import type { ExperimentalFeatures } from '../common/experimental_features';
 import { parseExperimentalConfigValue } from '../common/experimental_features';
 
 import { getFilesClientFactory } from './services/files/get_files_client_factory';
 
 import type { MessageSigningServiceInterface } from './services/security';
 import {
-  getRouteRequiredAuthz,
-  makeRouterWithFleetAuthz,
   calculateRouteAuthz,
   getAuthzFromRequest,
+  getRouteRequiredAuthz,
+  makeRouterWithFleetAuthz,
   MessageSigningService,
 } from './services/security';
 
 import {
-  PLUGIN_ID,
-  OUTPUT_SAVED_OBJECT_TYPE,
   AGENT_POLICY_SAVED_OBJECT_TYPE,
-  PACKAGE_POLICY_SAVED_OBJECT_TYPE,
-  PACKAGES_SAVED_OBJECT_TYPE,
   ASSETS_SAVED_OBJECT_TYPE,
-  PRECONFIGURATION_DELETION_RECORD_SAVED_OBJECT_TYPE,
   DOWNLOAD_SOURCE_SAVED_OBJECT_TYPE,
   FLEET_SERVER_HOST_SAVED_OBJECT_TYPE,
+  OUTPUT_SAVED_OBJECT_TYPE,
+  PACKAGE_POLICY_SAVED_OBJECT_TYPE,
+  PACKAGES_SAVED_OBJECT_TYPE,
+  PLUGIN_ID,
+  PRECONFIGURATION_DELETION_RECORD_SAVED_OBJECT_TYPE,
 } from './constants';
-import { registerSavedObjects, registerEncryptedSavedObjects } from './saved_objects';
+import { registerEncryptedSavedObjects, registerSavedObjects } from './saved_objects';
 import { registerRoutes } from './routes';
 
 import type { ExternalCallback, FleetRequestHandlerContext } from './types';
 import type {
-  ESIndexPatternService,
-  AgentService,
   AgentPolicyServiceInterface,
+  AgentService,
+  ESIndexPatternService,
   PackageService,
 } from './services';
-import { FleetUsageSender } from './services';
 import {
+  agentPolicyService,
+  AgentServiceImpl,
   appContextService,
-  licenseService,
   ESIndexPatternSavedObjectService,
-  agentPolicyService,
+  FleetUsageSender,
+  licenseService,
   packagePolicyService,
-  AgentServiceImpl,
   PackageServiceImpl,
 } from './services';
 import {
-  registerFleetUsageCollector,
   fetchAgentsUsage,
   fetchFleetUsage,
+  registerFleetUsageCollector,
 } from './collectors/register';
 import { FleetArtifactsClient } from './services/artifacts';
 import type { FleetRouter } from './types/request_context';
@@ -627,6 +625,7 @@ export class FleetPlugin
         list: agentPolicyService.list,
         getFullAgentPolicy: agentPolicyService.getFullAgentPolicy,
         getByIds: agentPolicyService.getByIDs,
+        bumpRevision: agentPolicyService.bumpRevision.bind(agentPolicyService),
       },
       packagePolicyService,
       registerExternalCallback: (type: ExternalCallback[0], callback: ExternalCallback[1]) => {

diff --git a/x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts b/x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts
@@ -195,6 +195,12 @@ export const createAgentPolicyHandler: FleetRequestHandler<
       body,
     });
   } catch (error) {
+    if (error.statusCode) {
+      return response.customError({
+        statusCode: error.statusCode,
+        body: { message: error.message },
+      });
+    }
     return defaultFleetErrorHandler({ error, response });
   }
 };
@@ -229,6 +235,12 @@ export const updateAgentPolicyHandler: FleetRequestHandler<
       body,
     });
   } catch (error) {
+    if (error.statusCode) {
+      return response.customError({
+        statusCode: error.statusCode,
+        body: { message: error.message },
+      });
+    }
     return defaultFleetErrorHandler({ error, response });
   }
 };

diff --git a/x-pack/plugins/fleet/server/services/agent_policy.ts b/x-pack/plugins/fleet/server/services/agent_policy.ts
@@ -44,6 +44,9 @@ import type {
   FullAgentPolicy,
   ListWithKuery,
   NewPackagePolicy,
+  PostAgentPolicyCreateCallback,
+  PostAgentPolicyUpdateCallback,
+  ExternalCallback,
 } from '../types';
 import {
   getAllowedOutputTypeForPolicy,
@@ -234,6 +237,43 @@ class AgentPolicyService {
     return policyHasSyntheticsIntegration(agentPolicy);
   }
 
+  public async runExternalCallbacks(
+    externalCallbackType: ExternalCallback[0],
+    agentPolicy: NewAgentPolicy | Partial<AgentPolicy>
+  ): Promise<NewAgentPolicy | Partial<AgentPolicy>> {
+    const logger = appContextService.getLogger();
+    logger.debug(`Running external callbacks for ${externalCallbackType}`);
+    try {
+      const externalCallbacks = appContextService.getExternalCallbacks(externalCallbackType);
+      let newAgentPolicy = agentPolicy;
+
+      if (externalCallbacks && externalCallbacks.size > 0) {
+        let updatedNewAgentPolicy = newAgentPolicy;
+        for (const callback of externalCallbacks) {
+          let result;
+          if (externalCallbackType === 'agentPolicyCreate') {
+            result = await (callback as PostAgentPolicyCreateCallback)(
+              newAgentPolicy as NewAgentPolicy
+            );
+            updatedNewAgentPolicy = result;
+          }
+          if (externalCallbackType === 'agentPolicyUpdate') {
+            result = await (callback as PostAgentPolicyUpdateCallback)(
+              newAgentPolicy as Partial<AgentPolicy>
+            );
+            updatedNewAgentPolicy = result;
+          }
+        }
+        newAgentPolicy = updatedNewAgentPolicy;
+      }
+      return newAgentPolicy;
+    } catch (error) {
+      logger.error(`Error running external callbacks for ${externalCallbackType}`);
+      logger.error(error);
+      throw error;
+    }
+  }
+
   public async create(
     soClient: SavedObjectsClientContract,
     esClient: ElasticsearchClient,
@@ -254,7 +294,7 @@ class AgentPolicyService {
       id: options.id,
       savedObjectType: AGENT_POLICY_SAVED_OBJECT_TYPE,
     });
-
+    await this.runExternalCallbacks('agentPolicyCreate', agentPolicy);
     this.checkTamperProtectionLicense(agentPolicy);
 
     const logger = appContextService.getLogger();
@@ -519,7 +559,14 @@ class AgentPolicyService {
     if (!existingAgentPolicy) {
       throw new AgentPolicyNotFoundError('Agent policy not found');
     }
-
+    try {
+      await this.runExternalCallbacks('agentPolicyUpdate', agentPolicy);
+    } catch (error) {
+      logger.error(`Error running external callbacks for agentPolicyUpdate`);
+      if (error.apiPassThrough) {
+        throw error;
+      }
+    }
     this.checkTamperProtectionLicense(agentPolicy);
     await this.checkForValidUninstallToken(agentPolicy, id);
 

diff --git a/x-pack/plugins/fleet/server/services/app_context.ts b/x-pack/plugins/fleet/server/services/app_context.ts
@@ -42,6 +42,8 @@ import type {
   PostPackagePolicyPostDeleteCallback,
   PostPackagePolicyPostCreateCallback,
   PutPackagePolicyUpdateCallback,
+  PostAgentPolicyCreateCallback,
+  PostAgentPolicyUpdateCallback,
 } from '../types';
 import type { FleetAppContext } from '../plugin';
 import type { TelemetryEventsSender } from '../telemetry/sender';
@@ -245,7 +247,11 @@ class AppContextService {
     type: T
   ):
     | Set<
-        T extends 'packagePolicyCreate'
+        T extends 'agentPolicyCreate'
+          ? PostAgentPolicyCreateCallback
+          : T extends 'agentPolicyUpdate'
+          ? PostAgentPolicyUpdateCallback
+          : T extends 'packagePolicyCreate'
           ? PostPackagePolicyCreateCallback
           : T extends 'packagePolicyDelete'
           ? PostPackagePolicyDeleteCallback
@@ -258,7 +264,11 @@ class AppContextService {
     | undefined {
     if (this.externalCallbacks) {
       return this.externalCallbacks.get(type) as Set<
-        T extends 'packagePolicyCreate'
+        T extends 'agentPolicyCreate'
+          ? PostAgentPolicyCreateCallback
+          : T extends 'agentPolicyUpdate'
+          ? PostAgentPolicyUpdateCallback
+          : T extends 'packagePolicyCreate'
           ? PostPackagePolicyCreateCallback
           : T extends 'packagePolicyDelete'
           ? PostPackagePolicyDeleteCallback

diff --git a/x-pack/plugins/fleet/server/services/index.ts b/x-pack/plugins/fleet/server/services/index.ts
@@ -33,6 +33,7 @@ export interface AgentPolicyServiceInterface {
   list: typeof agentPolicyService['list'];
   getFullAgentPolicy: typeof agentPolicyService['getFullAgentPolicy'];
   getByIds: typeof agentPolicyService['getByIDs'];
+  bumpRevision: typeof agentPolicyService['bumpRevision'];
 }
 
 // Agent services

diff --git a/x-pack/plugins/fleet/server/services/preconfiguration.test.ts b/x-pack/plugins/fleet/server/services/preconfiguration.test.ts
@@ -283,6 +283,7 @@ jest.mock('./app_context', () => ({
     getUninstallTokenService: () => ({
       generateTokenForPolicyId: jest.fn(),
     }),
+    getExternalCallbacks: jest.fn(),
   },
 }));
 

diff --git a/x-pack/plugins/fleet/server/types/extensions.ts b/x-pack/plugins/fleet/server/types/extensions.ts
@@ -16,6 +16,8 @@ import type {
   UpdatePackagePolicy,
   PackagePolicy,
   DeletePackagePoliciesResponse,
+  NewAgentPolicy,
+  AgentPolicy,
 } from '../../common/types';
 
 export type PostPackagePolicyDeleteCallback = (
@@ -58,6 +60,14 @@ export type PutPackagePolicyUpdateCallback = (
   request?: KibanaRequest
 ) => Promise<UpdatePackagePolicy>;
 
+export type PostAgentPolicyCreateCallback = (
+  agentPolicy: NewAgentPolicy
+) => Promise<NewAgentPolicy>;
+
+export type PostAgentPolicyUpdateCallback = (
+  agentPolicy: Partial<AgentPolicy>
+) => Promise<Partial<AgentPolicy>>;
+
 export type ExternalCallbackCreate = ['packagePolicyCreate', PostPackagePolicyCreateCallback];
 export type ExternalCallbackPostCreate = [
   'packagePolicyPostCreate',
@@ -71,6 +81,15 @@ export type ExternalCallbackPostDelete = [
 ];
 export type ExternalCallbackUpdate = ['packagePolicyUpdate', PutPackagePolicyUpdateCallback];
 
+export type ExternalCallbackAgentPolicyCreate = [
+  'agentPolicyCreate',
+  PostAgentPolicyCreateCallback
+];
+export type ExternalCallbackAgentPolicyUpdate = [
+  'agentPolicyUpdate',
+  PostAgentPolicyUpdateCallback
+];
+
 /**
  * Callbacks supported by the Fleet plugin
  */
@@ -79,6 +98,8 @@ export type ExternalCallback =
   | ExternalCallbackPostCreate
   | ExternalCallbackDelete
   | ExternalCallbackPostDelete
-  | ExternalCallbackUpdate;
+  | ExternalCallbackUpdate
+  | ExternalCallbackAgentPolicyCreate
+  | ExternalCallbackAgentPolicyUpdate;
 
 export type ExternalCallbacksStorage = Map<ExternalCallback[0], Set<ExternalCallback[1]>>;
-Original file line number
+Diff line change
@@ Expand Up / @@ -283,6 +283,7 @@ jest.mock('./app_context', () => ({ @@
         getUninstallTokenService: () => ({
           generateTokenForPolicyId: jest.fn(),
         }),
+        getExternalCallbacks: jest.fn(),
       },
     }));
@@ Expand Down @@