[Cloud Security] limit setup options for Agentless CSPM (#172562)

## Summary Follow up after - #171671 Closes - elastic/security-team#7969 Includes: - limiting setup options for agentless to only Direct Access Keys and Temporary Keys - covering Agentless for edit flow ### How to test Make sure to have the FF in your `serverless.security.dev.yml` (it's similar to the `kibana.dev.yml` but specifically for Serverless Security Projects) enabled. Also specify some serverless project id, to enable the logic of `isServerlessEnabled` ``` xpack.fleet.enableExperimental: ['agentless'] xpack.cloud.serverless.project_id: 'some_fake_project_id' ``` The follow the steps from this comment elastic/security-team#7972 (comment) to have the Agentless artifacts (agent, policy, output, and fleet server host) locally After that, you should be able to test the flow. ### Screencast [screencast-mail.google.com-2023.12.08-16_37_35.webm](https://github.com/elastic/kibana/assets/478762/b94b685f-ed37-4e45-9907-bbd95cb8975a) ### Checklist Delete any items that are not applicable to this PR. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/)) - [ ] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US)) - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) - [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers) --------- Co-authored-by: kibanamachine <[email protected]>
elastic · Dec 14, 2023 · 73d0a46 · 73d0a46
1 parent 5067645
commit 73d0a46
Show file tree

Hide file tree

Showing 17 changed files with 649 additions and 228 deletions.
diff --git a/..._posture/public/components/fleet_extensions/aws_credentials_form/aws_credentials_form.tsx b/..._posture/public/components/fleet_extensions/aws_credentials_form/aws_credentials_form.tsx
@@ -4,44 +4,41 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
-import React from 'react';
+import React, { ReactNode } from 'react';
 import {
-  EuiFieldText,
-  EuiFieldPassword,
+  EuiCallOut,
   EuiFormRow,
+  EuiHorizontalRule,
   EuiLink,
+  EuiSelect,
   EuiSpacer,
   EuiText,
   EuiTitle,
-  EuiSelect,
-  EuiCallOut,
-  EuiHorizontalRule,
 } from '@elastic/eui';
 import type { NewPackagePolicy } from '@kbn/fleet-plugin/public';
 import { NewPackagePolicyInput, PackageInfo } from '@kbn/fleet-plugin/common';
 import { FormattedMessage } from '@kbn/i18n-react';
 import { css } from '@emotion/react';
 import { i18n } from '@kbn/i18n';
 import {
+  AwsCredentialsTypeOptions,
   getAwsCredentialsFormManualOptions,
-  AwsOptions,
-  DEFAULT_MANUAL_AWS_CREDENTIALS_TYPE,
 } from './get_aws_credentials_form_options';
-import { RadioGroup } from '../csp_boxed_radio_group';
-import {
-  getCspmCloudFormationDefaultValue,
-  getPosturePolicy,
-  NewPackagePolicyPostureInput,
-} from '../utils';
+import { CspRadioOption, RadioGroup } from '../csp_boxed_radio_group';
+import { getPosturePolicy, NewPackagePolicyPostureInput } from '../utils';
 import { SetupFormat, useAwsCredentialsForm } from './hooks';
 import { AWS_ORGANIZATION_ACCOUNT } from '../policy_template_form';
 import { AwsCredentialsType } from '../../../../common/types_old';
+import { AwsInputVarFields } from './aws_input_var_fields';
+import {
+  AWS_CREDENTIALS_TYPE_OPTIONS_TEST_SUBJ,
+  AWS_CREDENTIALS_TYPE_SELECTOR_TEST_SUBJ,
+} from '../../test_subjects';
 
 interface AWSSetupInfoContentProps {
-  integrationLink: string;
+  info: ReactNode;
 }
-
-const AWSSetupInfoContent = ({ integrationLink }: AWSSetupInfoContentProps) => {
+export const AWSSetupInfoContent = ({ info }: AWSSetupInfoContentProps) => {
   return (
     <>
       <EuiHorizontalRule margin="xl" />
@@ -55,48 +52,28 @@ const AWSSetupInfoContent = ({ integrationLink }: AWSSetupInfoContentProps) => {
       </EuiTitle>
       <EuiSpacer size="l" />
       <EuiText color="subdued" size="s">
-        <FormattedMessage
-          id="xpack.csp.awsIntegration.gettingStarted.setupInfoContent"
-          defaultMessage="Utilize AWS CloudFormation (a built-in AWS tool) or a series of manual steps to set up and deploy CSPM for assessing your AWS environment's security posture. Refer to our {gettingStartedLink} guide for details."
-          values={{
-            gettingStartedLink: (
-              <EuiLink href={integrationLink} target="_blank">
-                <FormattedMessage
-                  id="xpack.csp.awsIntegration.gettingStarted.setupInfoContentLink"
-                  defaultMessage="Getting Started"
-                />
-              </EuiLink>
-            ),
-          }}
-        />
+        {info}
       </EuiText>
     </>
   );
 };
 
-const getSetupFormatOptions = (): Array<{ id: SetupFormat; label: string }> => [
+const getSetupFormatOptions = (): CspRadioOption[] => [
   {
     id: 'cloud_formation',
     label: 'CloudFormation',
+    testId: AWS_CREDENTIALS_TYPE_OPTIONS_TEST_SUBJ.CLOUDFORMATION,
   },
   {
     id: 'manual',
     label: i18n.translate('xpack.csp.awsIntegration.setupFormatOptions.manual', {
       defaultMessage: 'Manual',
     }),
+    testId: AWS_CREDENTIALS_TYPE_OPTIONS_TEST_SUBJ.MANUAL,
   },
 ];
 
-export const getDefaultAwsVarsGroup = (packageInfo: PackageInfo): AwsCredentialsType => {
-  const hasCloudFormationTemplate = !!getCspmCloudFormationDefaultValue(packageInfo);
-  if (hasCloudFormationTemplate) {
-    return 'cloud_formation';
-  }
-
-  return DEFAULT_MANUAL_AWS_CREDENTIALS_TYPE;
-};
-
-interface Props {
+export interface AwsFormProps {
   newPolicy: NewPackagePolicy;
   input: Extract<NewPackagePolicyPostureInput, { type: 'cloudbeat/cis_aws' }>;
   updatePolicy(updatedPolicy: NewPackagePolicy): void;
@@ -217,7 +194,7 @@ export const AwsCredentialsForm = ({
   onChange,
   setIsValid,
   disabled,
-}: Props) => {
+}: AwsFormProps) => {
   const {
     awsCredentialsType,
     setupFormat,
@@ -237,7 +214,24 @@ export const AwsCredentialsForm = ({
 
   return (
     <>
-      <AWSSetupInfoContent integrationLink={integrationLink} />
+      <AWSSetupInfoContent
+        info={
+          <FormattedMessage
+            id="xpack.csp.awsIntegration.gettingStarted.setupInfoContent"
+            defaultMessage="Utilize AWS CloudFormation (a built-in AWS tool) or a series of manual steps to set up and deploy CSPM for assessing your AWS environment's security posture. Refer to our {gettingStartedLink} guide for details."
+            values={{
+              gettingStartedLink: (
+                <EuiLink href={integrationLink} target="_blank">
+                  <FormattedMessage
+                    id="xpack.csp.awsIntegration.gettingStarted.setupInfoContentLink"
+                    defaultMessage="Getting Started"
+                  />
+                </EuiLink>
+              ),
+            }}
+          />
+        }
+      />
       <EuiSpacer size="l" />
       <RadioGroup
         disabled={disabled}
@@ -255,6 +249,10 @@ export const AwsCredentialsForm = ({
       {setupFormat === 'manual' && (
         <>
           <AwsCredentialTypeSelector
+            label={i18n.translate('xpack.csp.awsIntegration.awsCredentialTypeSelectorLabel', {
+              defaultMessage: 'Preferred manual method',
+            })}
+            options={getAwsCredentialsFormManualOptions()}
             type={awsCredentialsType}
             onChange={(optionId) => {
               updatePolicy(
@@ -281,60 +279,26 @@ export const AwsCredentialsForm = ({
     </>
   );
 };
-const AwsCredentialTypeSelector = ({
+export const AwsCredentialTypeSelector = ({
   type,
   onChange,
+  label,
+  options,
 }: {
   onChange(type: AwsCredentialsType): void;
   type: AwsCredentialsType;
+  label: string;
+  options: AwsCredentialsTypeOptions;
 }) => (
-  <EuiFormRow
-    fullWidth
-    label={i18n.translate('xpack.csp.awsIntegration.awsCredentialTypeSelectorLabel', {
-      defaultMessage: 'Preferred manual method',
-    })}
-  >
+  <EuiFormRow fullWidth label={label}>
     <EuiSelect
       fullWidth
-      options={getAwsCredentialsFormManualOptions()}
+      options={options}
       value={type}
       onChange={(optionElem) => {
         onChange(optionElem.target.value as AwsCredentialsType);
       }}
+      data-test-subj={AWS_CREDENTIALS_TYPE_SELECTOR_TEST_SUBJ}
     />
   </EuiFormRow>
 );
-
-const AwsInputVarFields = ({
-  fields,
-  onChange,
-}: {
-  fields: Array<AwsOptions[keyof AwsOptions]['fields'][number] & { value: string; id: string }>;
-  onChange: (key: string, value: string) => void;
-}) => (
-  <div>
-    {fields.map((field) => (
-      <EuiFormRow key={field.id} label={field.label} fullWidth hasChildLabel={true} id={field.id}>
-        <>
-          {field.type === 'password' && (
-            <EuiFieldPassword
-              id={field.id}
-              type="dual"
-              fullWidth
-              value={field.value || ''}
-              onChange={(event) => onChange(field.id, event.target.value)}
-            />
-          )}
-          {field.type === 'text' && (
-            <EuiFieldText
-              id={field.id}
-              fullWidth
-              value={field.value || ''}
-              onChange={(event) => onChange(field.id, event.target.value)}
-            />
-          )}
-        </>
-      </EuiFormRow>
-    ))}
-  </div>
-);
diff --git a/...ublic/components/fleet_extensions/aws_credentials_form/aws_credentials_form_agentless.tsx b/...ublic/components/fleet_extensions/aws_credentials_form/aws_credentials_form_agentless.tsx
@@ -0,0 +1,83 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { EuiLink, EuiSpacer } from '@elastic/eui';
+import { FormattedMessage } from '@kbn/i18n-react';
+import { i18n } from '@kbn/i18n';
+import { cspIntegrationDocsNavigation } from '../../../common/navigation/constants';
+import {
+  DEFAULT_AGENTLESS_AWS_CREDENTIALS_TYPE,
+  getAwsCredentialsFormAgentlessOptions,
+  getAwsCredentialsFormOptions,
+  getInputVarsFields,
+} from './get_aws_credentials_form_options';
+import { getAwsCredentialsType, getPosturePolicy } from '../utils';
+import { AwsInputVarFields } from './aws_input_var_fields';
+import {
+  AwsFormProps,
+  ReadDocumentation,
+  AWSSetupInfoContent,
+  AwsCredentialTypeSelector,
+} from './aws_credentials_form';
+
+export const AwsCredentialsFormAgentless = ({ input, newPolicy, updatePolicy }: AwsFormProps) => {
+  const awsCredentialsType = getAwsCredentialsType(input) || DEFAULT_AGENTLESS_AWS_CREDENTIALS_TYPE;
+  const options = getAwsCredentialsFormOptions();
+  const group = options[awsCredentialsType];
+  const fields = getInputVarsFields(input, group.fields);
+  const integrationLink = cspIntegrationDocsNavigation.cspm.getStartedPath;
+
+  return (
+    <>
+      <AWSSetupInfoContent
+        info={
+          <FormattedMessage
+            id="xpack.csp.awsIntegration.gettingStarted.setupInfoContentAgentless"
+            defaultMessage="Utilize AWS Access Keys to set up and deploy CSPM for assessing your AWS environment's security posture. Refer to our {gettingStartedLink} guide for details."
+            values={{
+              gettingStartedLink: (
+                <EuiLink href={integrationLink} target="_blank">
+                  <FormattedMessage
+                    id="xpack.csp.awsIntegration.gettingStarted.setupInfoContentLink"
+                    defaultMessage="Getting Started"
+                  />
+                </EuiLink>
+              ),
+            }}
+          />
+        }
+      />
+      <EuiSpacer size="l" />
+      <AwsCredentialTypeSelector
+        label={i18n.translate('xpack.csp.awsIntegration.awsCredentialTypeSelectorLabelAgentless', {
+          defaultMessage: 'Preferred method',
+        })}
+        type={awsCredentialsType}
+        options={getAwsCredentialsFormAgentlessOptions()}
+        onChange={(optionId) => {
+          updatePolicy(
+            getPosturePolicy(newPolicy, input.type, {
+              'aws.credentials.type': { value: optionId },
+            })
+          );
+        }}
+      />
+      <EuiSpacer size="m" />
+      {group.info}
+      <EuiSpacer size="m" />
+      <ReadDocumentation url={integrationLink} />
+      <EuiSpacer size="l" />
+      <AwsInputVarFields
+        fields={fields}
+        onChange={(key, value) => {
+          updatePolicy(getPosturePolicy(newPolicy, input.type, { [key]: { value } }));
+        }}
+      />
+    </>
+  );
+};
diff --git a/..._posture/public/components/fleet_extensions/aws_credentials_form/aws_input_var_fields.tsx b/..._posture/public/components/fleet_extensions/aws_credentials_form/aws_input_var_fields.tsx
@@ -0,0 +1,44 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { EuiFieldPassword, EuiFieldText, EuiFormRow } from '@elastic/eui';
+import { AwsOptions } from './get_aws_credentials_form_options';
+
+export const AwsInputVarFields = ({
+  fields,
+  onChange,
+}: {
+  fields: Array<AwsOptions[keyof AwsOptions]['fields'][number] & { value: string; id: string }>;
+  onChange: (key: string, value: string) => void;
+}) => (
+  <div>
+    {fields.map((field) => (
+      <EuiFormRow key={field.id} label={field.label} fullWidth hasChildLabel={true} id={field.id}>
+        <>
+          {field.type === 'password' && (
+            <EuiFieldPassword
+              id={field.id}
+              type="dual"
+              fullWidth
+              value={field.value || ''}
+              onChange={(event) => onChange(field.id, event.target.value)}
+            />
+          )}
+          {field.type === 'text' && (
+            <EuiFieldText
+              id={field.id}
+              fullWidth
+              value={field.value || ''}
+              onChange={(event) => onChange(field.id, event.target.value)}
+            />
+          )}
+        </>
+      </EuiFormRow>
+    ))}
+  </div>
+);
diff --git a/...lic/components/fleet_extensions/aws_credentials_form/get_aws_credentials_form_options.tsx b/...lic/components/fleet_extensions/aws_credentials_form/get_aws_credentials_form_options.tsx
@@ -92,20 +92,33 @@ export const getInputVarsFields = (input: NewPackagePolicyInput, fields: AwsCred
     });
 
 export type AwsOptions = Record<AwsCredentialsType, AwsOptionValue>;
-
-export const getAwsCredentialsFormManualOptions = (): Array<{
+export type AwsCredentialsTypeOptions = Array<{
   value: AwsCredentialsType;
   text: string;
-}> => {
+}>;
+
+const getAwsCredentialsTypeSelectorOptions = (
+  filterFn: ({ value }: { value: AwsCredentialsType }) => boolean
+): AwsCredentialsTypeOptions => {
   return Object.entries(getAwsCredentialsFormOptions())
     .map(([key, value]) => ({
       value: key as AwsCredentialsType,
       text: value.label,
     }))
-    .filter(({ value }) => value !== 'cloud_formation');
+    .filter(filterFn);
 };
 
+export const getAwsCredentialsFormManualOptions = (): AwsCredentialsTypeOptions =>
+  getAwsCredentialsTypeSelectorOptions(({ value }) => value !== 'cloud_formation');
+
+export const getAwsCredentialsFormAgentlessOptions = (): AwsCredentialsTypeOptions =>
+  getAwsCredentialsTypeSelectorOptions(
+    ({ value }) => value === 'direct_access_keys' || value === 'temporary_keys'
+  );
+
+export const DEFAULT_AWS_CREDENTIALS_TYPE = 'cloud_formation';
 export const DEFAULT_MANUAL_AWS_CREDENTIALS_TYPE = 'assume_role';
+export const DEFAULT_AGENTLESS_AWS_CREDENTIALS_TYPE = 'direct_access_keys';
 
 export const getAwsCredentialsFormOptions = (): AwsOptions => ({
   assume_role: {