Skip to content

Commit

Permalink
[8.x] [Security Solution][Endpoint] Ensure that DS indices for respon…
Browse files Browse the repository at this point in the history 
…se actions are created prior to sending action to Endpoint (#196953) (#197901)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution][Endpoint] Ensure that DS indices for response
actions are created prior to sending action to Endpoint
(#196953)](#196953)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Paul
Tavares","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-25T19:18:12Z","message":"[Security
Solution][Endpoint] Ensure that DS indices for response actions are
created prior to sending action to Endpoint (#196953)\n\n##
Summary\r\n\r\nPR adds changes to Security Solution so that DOT indices
(restricted in\r\nServerless) are created in Kibana prior to Elastic
Defend (Endpoint)\r\nattempting to stream documents to these indices.
The indices that are\r\nnow created in kibana are:\r\n\r\n-
`.logs-endpoint.diagnostic.collection-<namespace_from_policy>`\r\n-
`.logs-endpoint.action.responses-<namespace_from_policy>`\r\n-
`.logs-endpoint.heartbeat-<namespace_from_policy>` _(⚠️ created
only\r\nin serverless only)_\r\n\r\n\r\n### Fleet changes:\r\n\r\n-
Added support for the following two server-side extension points:\r\n-
`packagePolicyPostUpdate` : callbacks invoked after an
integration\r\npolicy has been updated successfully\r\n-
`agentPolicyPostUpdate` : callbacks invoked after an agent policy
has\r\nbeen updated successfully\r\n\r\n\r\n### Security
Solution:\r\n\r\n- Logic was added to the following Fleet server-side
extension points\r\nthat checks if the necessary indices exist and if
not, it creates them:\r\n - After creating an Elastic Defend integration
policy\r\n - After updating an Elastic Defend integration policy\r\n-
After updating a Fleet Agent Policy that includes Elastic
Defend\r\nintegration
policy","sha":"ae9c0d385015f3068a04af46678e18e2f00b519a","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","v9.0.0","Team:Defend
Workflows","backport:prev-minor"],"number":196953,"url":"https://github.com/elastic/kibana/pull/196953","mergeCommit":{"message":"[Security
Solution][Endpoint] Ensure that DS indices for response actions are
created prior to sending action to Endpoint (#196953)\n\n##
Summary\r\n\r\nPR adds changes to Security Solution so that DOT indices
(restricted in\r\nServerless) are created in Kibana prior to Elastic
Defend (Endpoint)\r\nattempting to stream documents to these indices.
The indices that are\r\nnow created in kibana are:\r\n\r\n-
`.logs-endpoint.diagnostic.collection-<namespace_from_policy>`\r\n-
`.logs-endpoint.action.responses-<namespace_from_policy>`\r\n-
`.logs-endpoint.heartbeat-<namespace_from_policy>` _(⚠️ created
only\r\nin serverless only)_\r\n\r\n\r\n### Fleet changes:\r\n\r\n-
Added support for the following two server-side extension points:\r\n-
`packagePolicyPostUpdate` : callbacks invoked after an
integration\r\npolicy has been updated successfully\r\n-
`agentPolicyPostUpdate` : callbacks invoked after an agent policy
has\r\nbeen updated successfully\r\n\r\n\r\n### Security
Solution:\r\n\r\n- Logic was added to the following Fleet server-side
extension points\r\nthat checks if the necessary indices exist and if
not, it creates them:\r\n - After creating an Elastic Defend integration
policy\r\n - After updating an Elastic Defend integration policy\r\n-
After updating a Fleet Agent Policy that includes Elastic
Defend\r\nintegration
policy","sha":"ae9c0d385015f3068a04af46678e18e2f00b519a"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/196953","number":196953,"mergeCommit":{"message":"[Security
Solution][Endpoint] Ensure that DS indices for response actions are
created prior to sending action to Endpoint (#196953)\n\n##
Summary\r\n\r\nPR adds changes to Security Solution so that DOT indices
(restricted in\r\nServerless) are created in Kibana prior to Elastic
Defend (Endpoint)\r\nattempting to stream documents to these indices.
The indices that are\r\nnow created in kibana are:\r\n\r\n-
`.logs-endpoint.diagnostic.collection-<namespace_from_policy>`\r\n-
`.logs-endpoint.action.responses-<namespace_from_policy>`\r\n-
`.logs-endpoint.heartbeat-<namespace_from_policy>` _(⚠️ created
only\r\nin serverless only)_\r\n\r\n\r\n### Fleet changes:\r\n\r\n-
Added support for the following two server-side extension points:\r\n-
`packagePolicyPostUpdate` : callbacks invoked after an
integration\r\npolicy has been updated successfully\r\n-
`agentPolicyPostUpdate` : callbacks invoked after an agent policy
has\r\nbeen updated successfully\r\n\r\n\r\n### Security
Solution:\r\n\r\n- Logic was added to the following Fleet server-side
extension points\r\nthat checks if the necessary indices exist and if
not, it creates them:\r\n - After creating an Elastic Defend integration
policy\r\n - After updating an Elastic Defend integration policy\r\n-
After updating a Fleet Agent Policy that includes Elastic
Defend\r\nintegration
policy","sha":"ae9c0d385015f3068a04af46678e18e2f00b519a"}}]}]
BACKPORT-->
  • Loading branch information
@paul-tavares
paul-tavares authored Oct 28, 2024
1 parent 9a7dafc commit 61e17b1
Show file tree
Hide file tree
Showing 19 changed files with 1,028 additions and 136 deletions.
16 changes: 8 additions & 8 deletions x-pack/plugins/fleet/server/mocks/index.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -186,7 +186,7 @@ export const createPackagePolicyServiceMock = (): jest.Mocked<PackagePolicyClien
inspect: jest.fn(),
delete: jest.fn(),
get: jest.fn(),
getByIDs: jest.fn(),
getByIDs: jest.fn().mockResolvedValue(Promise.resolve([])),
list: jest.fn(),
listIds: jest.fn(),
update: jest.fn(),
Expand Down Expand Up @@ -224,13 +224,13 @@ export const createPackagePolicyServiceMock = (): jest.Mocked<PackagePolicyClien
*/
export const createMockAgentPolicyService = (): jest.Mocked<AgentPolicyServiceInterface> => {
return {
get: jest.fn(),
list: jest.fn(),
getFullAgentPolicy: jest.fn(),
getByIds: jest.fn(),
turnOffAgentTamperProtections: jest.fn(),
fetchAllAgentPolicies: jest.fn(),
fetchAllAgentPolicyIds: jest.fn(),
get: jest.fn().mockReturnValue(Promise.resolve()),
list: jest.fn().mockReturnValue(Promise.resolve()),
getFullAgentPolicy: jest.fn().mockReturnValue(Promise.resolve()),
getByIds: jest.fn().mockReturnValue(Promise.resolve()),
turnOffAgentTamperProtections: jest.fn().mockReturnValue(Promise.resolve()),
fetchAllAgentPolicies: jest.fn().mockReturnValue(Promise.resolve()),
fetchAllAgentPolicyIds: jest.fn().mockReturnValue(Promise.resolve()),
};
};

Expand Down
32 changes: 32 additions & 0 deletions x-pack/plugins/fleet/server/services/agent_policy.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1285,6 +1285,38 @@ describe('Agent policy', () => {
})
).resolves.not.toThrow();
});

it('should run external "agentPolicyPostUpdate" callbacks when update is successful', async () => {
const soClient = getAgentPolicyCreateMock();
const esClient = elasticsearchServiceMock.createClusterClient().asInternalUser;

const postUpdateCallback = jest.fn(async (policy) => policy);
mockedAppContextService.getExternalCallbacks.mockImplementation((type) => {
if (type === 'agentPolicyPostUpdate') {
return new Set([postUpdateCallback]);
}
});

soClient.get.mockResolvedValue({
attributes: {},
id: 'test-id',
type: 'mocked',
references: [],
});

await expect(
agentPolicyService.update(soClient, esClient, 'test-id', {
name: 'test',
namespace: 'default',
})
).resolves.not.toThrow();

expect(mockedAppContextService.getExternalCallbacks).toHaveBeenCalledWith(
'agentPolicyPostUpdate'
);

expect(postUpdateCallback).toHaveBeenCalled();
});
});

describe('deployPolicy', () => {
Expand Down
16 changes: 14 additions & 2 deletions x-pack/plugins/fleet/server/services/agent_policy.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ import type {
PostAgentPolicyCreateCallback,
PostAgentPolicyUpdateCallback,
PreconfiguredAgentPolicy,
PostAgentPolicyPostUpdateCallback,
} from '../types';
import {
AGENT_POLICY_INDEX,
Expand Down Expand Up @@ -306,8 +307,8 @@ class AgentPolicyService {

public async runExternalCallbacks(
externalCallbackType: ExternalCallback[0],
agentPolicy: NewAgentPolicy | Partial<AgentPolicy>
): Promise<NewAgentPolicy | Partial<AgentPolicy>> {
agentPolicy: NewAgentPolicy | Partial<AgentPolicy> | AgentPolicy
): Promise<NewAgentPolicy | Partial<AgentPolicy> | AgentPolicy> {
const logger = appContextService.getLogger();
logger.debug(`Running external callbacks for ${externalCallbackType}`);
try {
Expand All @@ -330,6 +331,12 @@ class AgentPolicyService {
);
updatedNewAgentPolicy = result;
}
if (externalCallbackType === 'agentPolicyPostUpdate') {
result = await (callback as PostAgentPolicyPostUpdateCallback)(
newAgentPolicy as AgentPolicy
);
updatedNewAgentPolicy = result;
}
}
newAgentPolicy = updatedNewAgentPolicy;
}
Expand Down Expand Up @@ -738,6 +745,11 @@ class AgentPolicyService {
bumpRevision: true,
removeProtection: false,
skipValidation: options?.skipValidation ?? false,
}).then((updatedAgentPolicy) => {
return this.runExternalCallbacks(
'agentPolicyPostUpdate',
updatedAgentPolicy
) as unknown as AgentPolicy;
});
}

Expand Down
35 changes: 35 additions & 0 deletions x-pack/plugins/fleet/server/services/package_policy.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1718,6 +1718,41 @@ describe('Package policy service', () => {
});
});

it('should run "packagePolicyPostUpdate" external callbacks', async () => {
const soClient = savedObjectsClientMock.create();
const esClient = elasticsearchServiceMock.createClusterClient().asInternalUser;
const mockPackagePolicy = createPackagePolicyMock();
const attributes = {
...mockPackagePolicy,
inputs: [],
};

jest.spyOn(appContextService, 'getExternalCallbacks');

soClient.get.mockResolvedValue({
id: 'test-package-policy',
type: LEGACY_PACKAGE_POLICY_SAVED_OBJECT_TYPE,
references: [],
attributes,
});

soClient.update.mockResolvedValue({
id: 'test-package-policy',
type: LEGACY_PACKAGE_POLICY_SAVED_OBJECT_TYPE,
references: [],
attributes,
});

await packagePolicyService.update(soClient, esClient, 'test-package-policy', {
...mockPackagePolicy,
inputs: [],
});

expect(appContextService.getExternalCallbacks).toHaveBeenCalledWith(
'packagePolicyPostUpdate'
);
});

describe('remove protections', () => {
beforeEach(() => {
mockAgentPolicyService.bumpRevision.mockReset();
Expand Down
90 changes: 45 additions & 45 deletions x-pack/plugins/fleet/server/services/package_policy.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,7 @@ import type {
DryRunPackagePolicy,
PostPackagePolicyCreateCallback,
PostPackagePolicyPostCreateCallback,
PutPackagePolicyPostUpdateCallback,
} from '../types';
import type { ExternalCallback } from '..';

Expand Down Expand Up @@ -127,6 +128,8 @@ import type {
PackagePolicyClient,
PackagePolicyClientFetchAllItemsOptions,
PackagePolicyService,
RunExternalCallbacksPackagePolicyArgument,
RunExternalCallbacksPackagePolicyResponse,
} from './package_policy_service';
import { installAssetsForInputPackagePolicy } from './epm/packages/install';
import { auditLoggingService } from './audit_logging';
Expand Down Expand Up @@ -1091,9 +1094,16 @@ class PackagePolicyClientImpl implements PackagePolicyClient {
await Promise.all([...bumpPromises, assetRemovePromise, deleteSecretsPromise]);

sendUpdatePackagePolicyTelemetryEvent(soClient, [packagePolicyUpdate], [oldPackagePolicy]);

logger.debug(`Package policy ${id} update completed`);

return newPolicy;
// Run external post-update callbacks and return
return packagePolicyService.runExternalCallbacks(
'packagePolicyPostUpdate',
newPolicy,
soClient,
esClient
);
}

public async bulkUpdate(
Expand Down Expand Up @@ -1930,56 +1940,29 @@ class PackagePolicyClientImpl implements PackagePolicyClient {

public async runExternalCallbacks<A extends ExternalCallback[0]>(
externalCallbackType: A,
packagePolicy: A extends 'packagePolicyDelete'
? DeletePackagePoliciesResponse
: A extends 'packagePolicyPostDelete'
? PostDeletePackagePoliciesResponse
: A extends 'packagePolicyPostCreate'
? PackagePolicy
: A extends 'packagePolicyCreate'
? NewPackagePolicy
: never,
packagePolicy: RunExternalCallbacksPackagePolicyArgument<A>,
soClient: SavedObjectsClientContract,
esClient: ElasticsearchClient,
context?: RequestHandlerContext,
request?: KibanaRequest
): Promise<
A extends 'packagePolicyDelete'
? void
: A extends 'packagePolicyPostDelete'
? void
: A extends 'packagePolicyPostCreate'
? PackagePolicy
: A extends 'packagePolicyCreate'
? NewPackagePolicy
: never
>;
public async runExternalCallbacks(
externalCallbackType: ExternalCallback[0],
packagePolicy:
| PackagePolicy
| NewPackagePolicy
| PostDeletePackagePoliciesResponse
| DeletePackagePoliciesResponse,
soClient: SavedObjectsClientContract,
esClient: ElasticsearchClient,
context?: RequestHandlerContext,
request?: KibanaRequest
): Promise<PackagePolicy | NewPackagePolicy | void> {
): Promise<RunExternalCallbacksPackagePolicyResponse<A>> {
const logger = appContextService.getLogger();
const numberOfCallbacks = appContextService.getExternalCallbacks(externalCallbackType)?.size;
let runResult: any;

logger.debug(`Running ${numberOfCallbacks} external callbacks for ${externalCallbackType}`);

try {
if (externalCallbackType === 'packagePolicyPostDelete') {
return await this.runPostDeleteExternalCallbacks(
runResult = await this.runPostDeleteExternalCallbacks(
packagePolicy as PostDeletePackagePoliciesResponse,
soClient,
esClient,
context,
request
);
} else if (externalCallbackType === 'packagePolicyDelete') {
return await this.runDeleteExternalCallbacks(
runResult = await this.runDeleteExternalCallbacks(
packagePolicy as DeletePackagePoliciesResponse,
soClient,
esClient
Expand All @@ -1988,21 +1971,33 @@ class PackagePolicyClientImpl implements PackagePolicyClient {
if (!Array.isArray(packagePolicy)) {
let newData = packagePolicy;
const externalCallbacks = appContextService.getExternalCallbacks(externalCallbackType);

if (externalCallbacks && externalCallbacks.size > 0) {
let updatedNewData = newData;
let updatedNewData: any = newData;

for (const callback of externalCallbacks) {
let result;
let thisCallbackResponse;

if (externalCallbackType === 'packagePolicyPostCreate') {
result = await (callback as PostPackagePolicyPostCreateCallback)(
thisCallbackResponse = await (callback as PostPackagePolicyPostCreateCallback)(
updatedNewData as PackagePolicy,
soClient,
esClient,
context,
request
);
updatedNewData = PackagePolicySchema.validate(result) as NewPackagePolicy;
updatedNewData = PackagePolicySchema.validate(thisCallbackResponse);
} else if (externalCallbackType === 'packagePolicyPostUpdate') {
thisCallbackResponse = await (callback as PutPackagePolicyPostUpdateCallback)(
updatedNewData as PackagePolicy,
soClient,
esClient,
context,
request
);
updatedNewData = PackagePolicySchema.validate(thisCallbackResponse);
} else {
result = await (callback as PostPackagePolicyCreateCallback)(
thisCallbackResponse = await (callback as PostPackagePolicyCreateCallback)(
updatedNewData as NewPackagePolicy,
soClient,
esClient,
Expand All @@ -2012,10 +2007,10 @@ class PackagePolicyClientImpl implements PackagePolicyClient {
}

if (externalCallbackType === 'packagePolicyCreate') {
updatedNewData = NewPackagePolicySchema.validate(result) as NewPackagePolicy;
updatedNewData = NewPackagePolicySchema.validate(thisCallbackResponse);
} else if (externalCallbackType === 'packagePolicyUpdate') {
const omitted = {
...omit(result, [
...omit(thisCallbackResponse, [
'id',
'spaceIds',
'version',
Expand All @@ -2026,23 +2021,28 @@ class PackagePolicyClientImpl implements PackagePolicyClient {
'created_by',
'elasticsearch',
]),
inputs: result.inputs.map((input) => omit(input, ['compiled_input'])),
inputs: thisCallbackResponse.inputs.map((input) =>
omit(input, ['compiled_input'])
),
};

updatedNewData = UpdatePackagePolicySchema.validate(omitted) as PackagePolicy;
updatedNewData = UpdatePackagePolicySchema.validate(omitted);
}
}

newData = updatedNewData;
}
return newData;

runResult = newData;
}
}
} catch (error) {
logger.error(`Error running external callbacks for ${externalCallbackType}:`);
logger.error(error);
throw error;
}

return runResult as unknown as RunExternalCallbacksPackagePolicyResponse<A>;
}

public async runPostDeleteExternalCallbacks(
Expand Down
Loading

0 comments on commit 61e17b1

Please sign in to comment.