From 028b99332aae2a12f09975236bb19a25322a17be Mon Sep 17 00:00:00 2001 From: Nicolas Chaulet Date: Mon, 12 Feb 2024 17:21:41 -0500 Subject: [PATCH] [Fleet] Allow to skip package verification with force flag when creating a policy (#176738) --- .../plugins/fleet/common/openapi/bundled.json | 22 +- .../plugins/fleet/common/openapi/bundled.yaml | 203 +++++++++--------- .../schemas/agent_policy_create_request.yaml | 3 + .../schemas/agent_policy_update_request.yaml | 3 + .../server/routes/agent_policy/handlers.ts | 2 + .../fleet/server/services/agent_policy.ts | 1 + .../server/services/agent_policy_create.ts | 3 + .../fleet/server/types/models/agent_policy.ts | 1 + .../apis/agent_policy/agent_policy.ts | 5 +- 9 files changed, 134 insertions(+), 109 deletions(-) diff --git a/x-pack/plugins/fleet/common/openapi/bundled.json b/x-pack/plugins/fleet/common/openapi/bundled.json index 127ed8a877354..9418cca89888f 100644 --- a/x-pack/plugins/fleet/common/openapi/bundled.json +++ b/x-pack/plugins/fleet/common/openapi/bundled.json @@ -1,6 +1,5 @@ { "openapi": "3.0.0", - "tags": [], "info": { "title": "Fleet", "description": "OpenAPI schema for Fleet API endpoints", @@ -19,6 +18,12 @@ "description": "local" } ], + "security": [ + { + "basicAuth": [] + } + ], + "tags": [], "paths": { "/health_check": { "post": { @@ -7385,6 +7390,10 @@ }, "is_protected": { "type": "boolean" + }, + "force": { + "type": "boolean", + "description": "Force agent policy creation even if packages are not verified." } }, "required": [ @@ -7457,6 +7466,10 @@ }, "is_protected": { "type": "boolean" + }, + "force": { + "type": "boolean", + "description": "Force agent policy creation even if packages are not verified." } }, "required": [ @@ -9066,10 +9079,5 @@ ] } } - }, - "security": [ - { - "basicAuth": [] - } - ] + } } \ No newline at end of file diff --git a/x-pack/plugins/fleet/common/openapi/bundled.yaml b/x-pack/plugins/fleet/common/openapi/bundled.yaml index 849c22b47069a..04f7dc77e184f 100644 
--- a/x-pack/plugins/fleet/common/openapi/bundled.yaml +++ b/x-pack/plugins/fleet/common/openapi/bundled.yaml @@ -1,5 +1,4 @@ openapi: 3.0.0 -tags: [] info: title: Fleet description: OpenAPI schema for Fleet API endpoints @@ -12,6 +11,9 @@ info: servers: - url: http://localhost:5601/api/fleet description: local +security: + - basicAuth: [] +tags: [] paths: /health_check: post: @@ -180,9 +182,7 @@ paths: id: type: string nullable: true - description: >- - the key ID of the GPG key used to verify package - signatures + description: the key ID of the GPG key used to verify package signatures statusCode: type: number headers: @@ -245,9 +245,7 @@ paths: schema: type: boolean default: false - description: >- - Whether to include prerelease packages in categories count (e.g. beta, - rc, preview) + description: Whether to include prerelease packages in categories count (e.g. beta, rc, preview) - in: query name: experimental deprecated: true @@ -301,20 +299,13 @@ paths: schema: type: boolean default: false - description: >- - Whether to exclude the install status of each package. Enabling this - option will opt in to caching for the response via `cache-control` - headers. If you don't need up-to-date installation info for a - package, and are querying for a list of available packages, - providing this flag can improve performance substantially. + description: Whether to exclude the install status of each package. Enabling this option will opt in to caching for the response via `cache-control` headers. If you don't need up-to-date installation info for a package, and are querying for a list of available packages, providing this flag can improve performance substantially. - in: query name: prerelease schema: type: boolean default: false - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) + description: Whether to return prerelease versions of packages (e.g. beta, rc, preview) - in: query name: experimental deprecated: true 
@@ -379,9 +370,7 @@ paths: schema: type: boolean default: false - description: >- - skip data stream rollover during index template mapping or settings - update + description: skip data stream rollover during index template mapping or settings update requestBody: content: application/zip: @@ -413,9 +402,7 @@ paths: schema: type: boolean default: false - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) + description: Whether to return prerelease versions of packages (e.g. beta, rc, preview) requestBody: content: application/json: @@ -487,9 +474,7 @@ paths: schema: type: boolean default: false - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) + description: Whether to return prerelease versions of packages (e.g. beta, rc, preview) deprecated: true post: summary: Install package @@ -541,9 +526,7 @@ paths: schema: type: boolean default: false - description: >- - skip data stream rollover during index template mapping or settings - update + description: skip data stream rollover during index template mapping or settings update requestBody: content: application/json: @@ -662,18 +645,14 @@ paths: - schema: type: boolean name: full - description: >- - Return all fields from the package manifest, not just those supported - by the Elastic Package Registry + description: Return all fields from the package manifest, not just those supported by the Elastic Package Registry in: query - in: query name: prerelease schema: type: boolean default: false - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) + description: Whether to return prerelease versions of packages (e.g. beta, rc, preview) post: summary: Install package tags: 
@@ -728,9 +707,7 @@ paths: schema: type: boolean default: false - description: >- - skip data stream rollover during index template mapping or settings - update + description: skip data stream rollover during index template mapping or settings update requestBody: content: application/json: @@ -828,6 +805,70 @@ paths: properties: force: type: boolean + /epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: + post: + summary: Authorize transforms + tags: + - Elastic Package Manager (EPM) + responses: + '200': + description: OK + content: + application/json: + schema: + type: object + properties: + items: + type: array + items: + type: object + properties: + transformId: + type: string + success: + type: boolean + error: + type: string + required: + - transformId + - error + required: + - items + '400': + $ref: '#/components/responses/error' + operationId: reauthorize-transforms + description: '' + parameters: + - $ref: '#/components/parameters/kbn_xsrf' + - schema: + type: string + name: pkgName + in: path + required: true + - schema: + type: string + name: pkgVersion + in: path + required: true + - in: query + name: prerelease + schema: + type: boolean + default: false + description: Whether to include prerelease packages in categories count (e.g. beta, rc, preview) + requestBody: + content: + application/json: + schema: + type: object + properties: + transforms: + type: array + items: + type: object + properties: + transformId: + type: string /epm/packages/{pkgName}/{pkgVersion}/{filePath}: get: summary: Get package file @@ -1301,9 +1342,7 @@ paths: description: creation time of action latestErrors: type: array - description: >- - latest errors that happened when the agents executed - the action + description: latest errors that happened when the agents executed the action items: type: object properties: 
@@ -1771,9 +1810,7 @@ paths: description: Unenrolls hosted agents too includeInactive: type: boolean - description: >- - When passing agents by KQL query, unenrolls inactive agents - too + description: When passing agents by KQL query, unenrolls inactive agents too required: - agents example: @@ -1956,18 +1993,12 @@ paths: type: boolean in: query name: full - description: >- - When set to true, retrieve the related package policies for each - agent policy. + description: When set to true, retrieve the related package policies for each agent policy. - schema: type: boolean in: query name: noAgentCount - description: >- - When set to true, do not count how many agents are in the agent - policy, this can improve performance if you are searching over a - large number of agent policies. The "agents" property will always be - 0 if set to true. + description: When set to true, do not count how many agents are in the agent policy, this can improve performance if you are searching over a large number of agent policies. The "agents" property will always be 0 if set to true. description: '' post: summary: Create agent policy @@ -2547,9 +2578,7 @@ paths: '409': $ref: '#/components/responses/error' requestBody: - description: >- - You should use inputs as an object and not use the deprecated inputs - array. + description: You should use inputs as an object and not use the deprecated inputs array. content: application/json: schema: @@ -4013,9 +4042,7 @@ components: release: type: string deprecated: true - description: >- - release label is deprecated, derive from the version instead - (packages follow semver) + description: release label is deprecated, derive from the version instead (packages follow semver) enum: - experimental - beta 
@@ -4294,9 +4321,7 @@ components: properties: cpu_avg: type: number - description: >- - Average agent CPU usage during the last 5 minutes, number - between 0-1 + description: Average agent CPU usage during the last 5 minutes, number between 0-1 memory_size_byte_avg: type: number description: Average agent memory consumption during the last 5 minutes @@ -4557,9 +4582,7 @@ components: - metrics - logs keep_monitoring_alive: - description: >- - When set to true, monitoring will be enabled but logs/metrics - collection will be disabled + description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled type: boolean nullable: true data_output_id: @@ -4579,10 +4602,7 @@ components: inactivity_timeout: type: integer package_policies: - description: >- - This field is present only when retrieving a single agent policy, or - when retrieving a list of agent policies with the ?full=true - parameter + description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter type: array items: $ref: '#/components/schemas/package_policy' @@ -4608,16 +4628,11 @@ components: - name - enabled is_protected: - description: >- - Indicates whether the agent policy has tamper protection enabled. - Default false. + description: Indicates whether the agent policy has tamper protection enabled. Default false. type: boolean overrides: type: object - description: >- - Override settings that are defined in the agent policy. Input - settings cannot be overridden. The override option should be used - only in unusual circumstances and not as a routine procedure. + description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true required: - id 
@@ -4673,6 +4688,9 @@ components: - enabled is_protected: type: boolean + force: + type: boolean + description: Force agent policy creation even if packages are not verified. required: - name - namespace @@ -4723,6 +4741,9 @@ components: - enabled is_protected: type: boolean + force: + type: boolean + description: Force agent policy creation even if packages are not verified. required: - name - namespace @@ -4936,9 +4957,7 @@ components: example: my description namespace: type: string - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. + description: The package policy namespace. Leave blank to inherit the agent policy's namespace. example: customnamespace policy_id: type: string @@ -4960,14 +4979,10 @@ components: - version vars: type: object - description: >- - Package root level variable (see integration documentation for more - information) + description: Package root level variable (see integration documentation for more information) inputs: type: object - description: >- - Package policy inputs (see integration documentation to know what - inputs are available) + description: Package policy inputs (see integration documentation to know what inputs are available) example: nginx-logfile: enabled: true @@ -4989,14 +5004,10 @@ components: description: enable or disable that input, (default to true) vars: type: object - description: >- - Input level variable (see integration documentation for more - information) + description: Input level variable (see integration documentation for more information) streams: type: object - description: >- - Input streams (see integration documentation to know what - streams are available) + description: Input streams (see integration documentation to know what streams are available) additionalProperties: type: object properties: 
@@ -5005,14 +5016,10 @@ components: description: enable or disable that stream, (default to true) vars: type: object - description: >- - Stream level variable (see integration documentation for - more information) + description: Stream level variable (see integration documentation for more information) force: type: boolean - description: >- - Force package policy creation even if package is not verified, or if - the agent policy is managed. + description: Force package policy creation even if package is not verified, or if the agent policy is managed. required: - name - policy_id @@ -5747,9 +5754,7 @@ components: host: type: string proxy_id: - description: >- - The ID of the proxy to use for this download source. See the proxies - API for more information. + description: The ID of the proxy to use for this download source. See the proxies API for more information. type: string nullable: true required: @@ -5801,5 +5806,3 @@ components: required: - name - url -security: - - basicAuth: [] diff --git a/x-pack/plugins/fleet/common/openapi/components/schemas/agent_policy_create_request.yaml b/x-pack/plugins/fleet/common/openapi/components/schemas/agent_policy_create_request.yaml index e1d94c69a0d24..d2b69e37672e8 100644 --- a/x-pack/plugins/fleet/common/openapi/components/schemas/agent_policy_create_request.yaml +++ b/x-pack/plugins/fleet/common/openapi/components/schemas/agent_policy_create_request.yaml @@ -46,6 +46,9 @@ properties: - enabled is_protected: type: boolean + force: + type: boolean + description: Force agent policy creation even if packages are not verified. required: - name - namespace diff --git a/x-pack/plugins/fleet/common/openapi/components/schemas/agent_policy_update_request.yaml b/x-pack/plugins/fleet/common/openapi/components/schemas/agent_policy_update_request.yaml index 0500c94871192..7fb5581aa79e4 100644 --- a/x-pack/plugins/fleet/common/openapi/components/schemas/agent_policy_update_request.yaml 
+++ b/x-pack/plugins/fleet/common/openapi/components/schemas/agent_policy_update_request.yaml @@ -44,6 +44,9 @@ properties: - enabled is_protected: type: boolean + force: + type: boolean + description: Force agent policy creation even if packages are not verified. required: - name - namespace diff --git a/x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts b/x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts index 68237bb4e0ac9..259314c0a8c9e 100644 --- a/x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts +++ b/x-pack/plugins/fleet/server/routes/agent_policy/handlers.ts @@ -172,6 +172,7 @@ export const createAgentPolicyHandler: FleetRequestHandler< const user = (await appContextService.getSecurity()?.authc.getCurrentUser(request)) || undefined; const withSysMonitoring = request.query.sys_monitoring ?? false; const monitoringEnabled = request.body.monitoring_enabled; + const force = request.body.force; const { has_fleet_server: hasFleetServer, ...newPolicy } = request.body; const spaceId = fleetContext.spaceId; const authorizationHeader = HTTPAuthorizationHeader.parseFromRequest(request, user?.username); @@ -188,6 +189,7 @@ export const createAgentPolicyHandler: FleetRequestHandler< spaceId, user, authorizationHeader, + force, }), }; diff --git a/x-pack/plugins/fleet/server/services/agent_policy.ts b/x-pack/plugins/fleet/server/services/agent_policy.ts index a532aab68b228..5907d07b4da38 100644 --- a/x-pack/plugins/fleet/server/services/agent_policy.ts +++ b/x-pack/plugins/fleet/server/services/agent_policy.ts @@ -603,6 +603,7 @@ class AgentPolicyService { packagesToInstall, spaceId: options?.spaceId || DEFAULT_SPACE_ID, authorizationHeader: options?.authorizationHeader, + force: options?.force, }); } diff --git a/x-pack/plugins/fleet/server/services/agent_policy_create.ts b/x-pack/plugins/fleet/server/services/agent_policy_create.ts index 9d1b3a9f01a5f..a55541c621f83 100644 --- a/x-pack/plugins/fleet/server/services/agent_policy_create.ts 
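Review bot: In createAgentPolicyHandler the override flag is still part of `newPolicy`, because `const force = request.body.force;` only reads it and the rest-spread on the next line copies every remaining body field, `force` included. Unless code outside this hunk strips it, a request-only switch that skips package verification travels with the policy attributes and could be stored or forwarded with them. Take it out in the same destructuring, `const { has_fleet_server: hasFleetServer, force, ...newPolicy } = request.body;`, and drop the separate `const force` line. The same mixing shows up in the models hunk, where `force` is added to `NewAgentPolicySchema` beside `...AgentPolicyBaseSchema`; a short comment there marking it as request-only would help. The handler body continues outside the hunk, so how `newPolicy` is consumed is not visible here.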
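Review bot: One caller-supplied boolean may now cover two different overrides at the `force: options?.force` line in AgentPolicyService. The package policy schema text in this patch describes `force` as applying both when a package is not verified and when the agent policy is managed; if this method also consults `options.force` for a managed-policy check (the method starts outside the hunk, so this is an inference), a caller who only wants to edit a managed policy would also switch off verification for everything in `packagesToInstall`. Either pass a separately named option for the verification bypass, or state the wider effect at the call with a comment such as `// force also skips package verification for packagesToInstall`.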
+++ b/x-pack/plugins/fleet/server/services/agent_policy_create.ts @@ -91,6 +91,7 @@ interface CreateAgentPolicyParams { spaceId: string; user?: AuthenticatedUser; authorizationHeader?: HTTPAuthorizationHeader | null; + force?: boolean; } export async function createAgentPolicyWithPackages({ @@ -103,6 +104,7 @@ export async function createAgentPolicyWithPackages({ spaceId, user, authorizationHeader, + force, }: CreateAgentPolicyParams) { let agentPolicyId = newPolicy.id; const packagesToInstall = []; @@ -128,6 +130,7 @@ export async function createAgentPolicyWithPackages({ packagesToInstall, spaceId, authorizationHeader, + force, }); } diff --git a/x-pack/plugins/fleet/server/types/models/agent_policy.ts b/x-pack/plugins/fleet/server/types/models/agent_policy.ts index 8fbad6d90fdaa..518510f0b8454 100644 --- a/x-pack/plugins/fleet/server/types/models/agent_policy.ts +++ b/x-pack/plugins/fleet/server/types/models/agent_policy.ts @@ -85,6 +85,7 @@ export const AgentPolicyBaseSchema = { export const NewAgentPolicySchema = schema.object({ ...AgentPolicyBaseSchema, + force: schema.maybe(schema.boolean()), }); export const AgentPolicySchema = schema.object({ diff --git a/x-pack/test/fleet_api_integration/apis/agent_policy/agent_policy.ts b/x-pack/test/fleet_api_integration/apis/agent_policy/agent_policy.ts index e27dff4e9d081..a8a22bd66ed0c 100644 --- a/x-pack/test/fleet_api_integration/apis/agent_policy/agent_policy.ts +++ b/x-pack/test/fleet_api_integration/apis/agent_policy/agent_policy.ts 
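Review bot: The new `force?: boolean;` member of CreateAgentPolicyParams has no doc comment although it relaxes a security default; the later two hunks destructure it in createAgentPolicyWithPackages and hand it on together with `packagesToInstall`. Add a TSDoc line above the field, for example `/** When true, packages are installed even if they are not verified; leave unset to keep verification on. */`. It would also be worth recording, at the point where the flag is forwarded, that a policy was created with verification skipped, so an unverified install can be traced back to the request; whether a logger or audit service is in scope there is not visible in these hunks.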
@@ -972,8 +972,7 @@ export default function (providerContext: FtrProviderContext) { ); }); - // Skipped as cannot force install the system and agent integrations as part of policy creation https://github.com/elastic/kibana/issues/137450 - it.skip('should return a 200 if updating monitoring_enabled on a policy', async () => { + it('should return a 200 if updating monitoring_enabled on a policy', async () => { const fetchPackageList = async () => { const response = await supertest .get('/api/fleet/epm/packages') @@ -1017,6 +1016,7 @@ export default function (providerContext: FtrProviderContext) { description: 'Updated description', namespace: 'default', monitoring_enabled: ['logs', 'metrics'], + force: true, }) .expect(200); // eslint-disable-next-line @typescript-eslint/naming-convention @@ -1029,6 +1029,7 @@ export default function (providerContext: FtrProviderContext) { description: 'Updated description', namespace: 'default', is_managed: false, + is_protected: false, revision: 2, schema_version: FLEET_AGENT_POLICIES_SCHEMA_VERSION, updated_by: 'elastic',
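Review bot: Nothing in the re-enabled test pins the default behaviour: the only request touched here is the one in the second hunk that now sends `force: true` and expects 200. A companion case that sends the same body without `force` and asserts the non-200 outcome would show that package verification stays on unless the caller opts out; the exact status to expect is not visible in this diff. The title `should return a 200 if updating monitoring_enabled on a policy` could also mention the flag, e.g. `... on a policy with force`, so a reader knows the test depends on the bypass.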