[8.x][Fleet] flag package policy SO to trigger agent policy bump (#20…

…0536) (#201542) Backport #200536 to 8.x branch --------- Co-authored-by: kibanamachine <[email protected]>
elastic · Nov 26, 2024 · c5b964e · c5b964e
1 parent 85778e9
commit c5b964e
Show file tree

Hide file tree

Showing 18 changed files with 381 additions and 88 deletions.
diff --git a/packages/kbn-check-mappings-update-cli/current_fields.json b/packages/kbn-check-mappings-update-cli/current_fields.json
@@ -511,6 +511,7 @@
   ],
   "fleet-message-signing-keys": [],
   "fleet-package-policies": [
+    "bump_agent_policy_revision",
     "created_at",
     "created_by",
     "description",
@@ -692,6 +693,7 @@
     "version"
   ],
   "ingest-package-policies": [
+    "bump_agent_policy_revision",
     "created_at",
     "created_by",
     "description",

diff --git a/packages/kbn-check-mappings-update-cli/current_mappings.json b/packages/kbn-check-mappings-update-cli/current_mappings.json
@@ -1715,6 +1715,9 @@
   },
   "fleet-package-policies": {
     "properties": {
+      "bump_agent_policy_revision": {
+        "type": "boolean"
+      },
       "created_at": {
         "type": "date"
       },
@@ -2300,6 +2303,9 @@
   },
   "ingest-package-policies": {
     "properties": {
+      "bump_agent_policy_revision": {
+        "type": "boolean"
+      },
       "created_at": {
         "type": "date"
       },

diff --git a/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts b/src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts
@@ -108,7 +108,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "fleet-agent-policies": "f57d3b70e4175a19a18f18ee72a379ceec82e1fc",
         "fleet-fleet-server-host": "69be15f6b6f2a2875ad3c7050ddea7a87f505417",
         "fleet-message-signing-keys": "93421f43fed2526b59092a4e3c65d64bc2266c0f",
-        "fleet-package-policies": "2f4d524adb49a5281d3af0b66bb3003ba0ff2e44",
+        "fleet-package-policies": "8be2cabfed89e103e0d413f2900e9cf6cd31bc68",
         "fleet-preconfiguration-deletion-record": "c52ea1e13c919afe8a5e8e3adbb7080980ecc08e",
         "fleet-proxy": "6cb688f0d2dd856400c1dbc998b28704ff70363d",
         "fleet-setup-lock": "0dc784792c79b5af5a6e6b5dcac06b0dbaa90bde",
@@ -124,7 +124,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "ingest-agent-policies": "5e95e539826a40ad08fd0c1d161da0a4d86ffc6d",
         "ingest-download-sources": "279a68147e62e4d8858c09ad1cf03bd5551ce58d",
         "ingest-outputs": "daafff49255ab700e07491376fe89f04fc998b91",
-        "ingest-package-policies": "53a94064674835fdb35e5186233bcd7052eabd22",
+        "ingest-package-policies": "dfa7b1045a2667a822181f40f012786724492439",
         "ingest_manager_settings": "111a616eb72627c002029c19feb9e6c439a10505",
         "inventory-view": "b8683c8e352a286b4aca1ab21003115a4800af83",
         "kql-telemetry": "93c1d16c1a0dfca9c8842062cf5ef8f62ae401ad",

diff --git a/x-pack/plugins/fleet/dev_docs/space_awareness.md b/x-pack/plugins/fleet/dev_docs/space_awareness.md
@@ -15,7 +15,7 @@ xpack.fleet.enableExperimental: ['useSpaceAwareness', 'subfeaturePrivileges']
 After the feature flag is enabled you will have to do another step to opt-in for the feature, that call will migrate the current space agnostic saved objects to new space aware saved objects.
 
 ```shell
-curl -u elastic:changeme -XPOST "http://localhost:5601/internal/fleet/enable_space_awareness" -H "kbn-xsrf: reporting" -H 'elastic-api-version: 1'
+curl -u elastic:changeme -XPOST "http://localhost:5601/internal/fleet/enable_space_awareness" -H "kbn-xsrf: reporting" -H 'elastic-api-version: 1' -H 'x-elastic-internal-origin: 1'
 ```
 
 ## Space aware entities in Fleet

diff --git a/x-pack/plugins/fleet/scripts/create_agent_policies/create_agent_policies.ts b/x-pack/plugins/fleet/scripts/create_agent_policies/create_agent_policies.ts
@@ -9,8 +9,7 @@ import { ToolingLog } from '@kbn/tooling-log';
 import yargs from 'yargs';
 import { chunk } from 'lodash';
 
-import { LEGACY_PACKAGE_POLICY_SAVED_OBJECT_TYPE } from '../../common/constants';
-import { LEGACY_AGENT_POLICY_SAVED_OBJECT_TYPE } from '../../common';
+import { AGENT_POLICY_SAVED_OBJECT_TYPE } from '../../common/constants';
 
 import { packagePolicyFixture } from './fixtures';
 
@@ -30,20 +29,18 @@ const printUsage = () =>
 
 const INDEX_BULK_OP = '{ "index":{ "_id": "{{id}}" } }\n';
 
+const space = 'default';
 function getPolicyId(idx: number | string) {
-  return `test-policy-${idx}`;
+  return `test-policy-${space}-${idx}`;
 }
 
 async function createAgentPoliciesDocsBulk(range: number[]) {
   const auth = 'Basic ' + Buffer.from(ES_SUPERUSER + ':' + ES_PASSWORD).toString('base64');
   const body = range
     .flatMap((idx) => [
-      INDEX_BULK_OP.replace(
-        /{{id}}/,
-        `${LEGACY_AGENT_POLICY_SAVED_OBJECT_TYPE}:${getPolicyId(idx)}`
-      ),
+      INDEX_BULK_OP.replace(/{{id}}/, `${AGENT_POLICY_SAVED_OBJECT_TYPE}:${getPolicyId(idx)}`),
       JSON.stringify({
-        [LEGACY_AGENT_POLICY_SAVED_OBJECT_TYPE]: {
+        [AGENT_POLICY_SAVED_OBJECT_TYPE]: {
           namespace: 'default',
           monitoring_enabled: ['logs', 'metrics', 'traces'],
           name: `Test Policy ${idx}`,
@@ -60,11 +57,11 @@ async function createAgentPoliciesDocsBulk(range: number[]) {
           schema_version: '1.1.1',
           is_protected: false,
         },
-        type: LEGACY_AGENT_POLICY_SAVED_OBJECT_TYPE,
+        namespaces: [space],
+        type: AGENT_POLICY_SAVED_OBJECT_TYPE,
         references: [],
         managed: false,
         coreMigrationVersion: '8.8.0',
-        typeMigrationVersion: '10.3.0',
         created_at: new Date().toISOString(),
         updated_at: new Date().toISOString(),
       }) + '\n',
@@ -81,7 +78,7 @@ async function createAgentPoliciesDocsBulk(range: number[]) {
   const data = await res.json();
 
   if (!data.items) {
-    logger.error('Error creating agent policies docs: ' + JSON.stringify(data));
+    logger.error('Error creating agent policy docs: ' + JSON.stringify(data));
     process.exit(1);
   }
   return data;
@@ -91,14 +88,14 @@ async function createEnrollmentToken(range: number[]) {
   const auth = 'Basic ' + Buffer.from(ES_SUPERUSER + ':' + ES_PASSWORD).toString('base64');
   const body = range
     .flatMap((idx) => [
-      INDEX_BULK_OP.replace(/{{id}}/, `test-enrollment-token-${idx}`),
+      INDEX_BULK_OP.replace(/{{id}}/, `test-enrollment-token-${space}-${idx}`),
       JSON.stringify({
         active: true,
         api_key_id: 'faketest123',
         api_key: 'test==',
         name: `Test Policy ${idx}`,
         policy_id: `${getPolicyId(idx)}`,
-        namespaces: [],
+        namespaces: [space],
         created_at: new Date().toISOString(),
       }) + '\n',
     ])
@@ -115,7 +112,7 @@ async function createEnrollmentToken(range: number[]) {
   const data = await res.json();
 
   if (!data.items) {
-    logger.error('Error creating agent policies docs: ' + JSON.stringify(data));
+    logger.error('Error creating enrollment key docs: ' + JSON.stringify(data));
     process.exit(1);
   }
   return data;
@@ -125,14 +122,12 @@ async function createPackagePolicies(range: number[]) {
   const auth = 'Basic ' + Buffer.from(ES_SUPERUSER + ':' + ES_PASSWORD).toString('base64');
   const body = range
     .flatMap((idx) => [
-      INDEX_BULK_OP.replace(
-        /{{id}}/,
-        `${LEGACY_PACKAGE_POLICY_SAVED_OBJECT_TYPE}:test-policy-${idx}`
-      ),
+      INDEX_BULK_OP.replace(/{{id}}/, `fleet-package-policies:test-policy-${space}-${idx}`),
       JSON.stringify(
         packagePolicyFixture({
           idx,
           agentPolicyId: getPolicyId(idx),
+          space,
         })
       ) + '\n',
     ])
@@ -150,7 +145,7 @@ async function createPackagePolicies(range: number[]) {
   const data = await res.json();
 
   if (!data.items) {
-    logger.error('Error creating agent policies docs: ' + JSON.stringify(data));
+    logger.error('Error creating package policy docs: ' + JSON.stringify(data));
     process.exit(1);
   }
   return data;

diff --git a/x-pack/plugins/fleet/scripts/create_agent_policies/fixtures.ts b/x-pack/plugins/fleet/scripts/create_agent_policies/fixtures.ts
@@ -8,11 +8,13 @@
 export const packagePolicyFixture = ({
   agentPolicyId,
   idx,
+  space,
 }: {
   idx: number;
   agentPolicyId: string;
+  space: string;
 }) => ({
-  'ingest-package-policies': {
+  'fleet-package-policies': {
     name: `system-test-${idx}`,
     namespace: '',
     description: '',
@@ -790,11 +792,12 @@ export const packagePolicyFixture = ({
     updated_at: '2024-08-30T13:45:51.197Z',
     updated_by: 'system',
   },
-  type: 'ingest-package-policies',
+  namespaces: [space],
+  type: 'fleet-package-policies',
   references: [],
   managed: false,
   coreMigrationVersion: '8.8.0',
-  typeMigrationVersion: '10.14.0',
+  typeMigrationVersion: '10.1.0',
   updated_at: '2024-08-30T13:45:51.197Z',
   created_at: '2024-08-30T13:45:51.197Z',
 });
diff --git a/x-pack/plugins/fleet/scripts/create_agent_policies/index.js b/x-pack/plugins/fleet/scripts/create_agent_policies/index.js
@@ -12,6 +12,6 @@ require('./create_agent_policies').run();
 Usage:
 
 cd x-pack/plugins/fleet
-node scripts/create_agents/index.js
+node scripts/create_agent_policies/index.js
 
 */
diff --git a/x-pack/plugins/fleet/server/plugin.ts b/x-pack/plugins/fleet/server/plugin.ts
@@ -143,6 +143,7 @@ import { registerFieldsMetadataExtractors } from './services/register_fields_met
 import { registerUpgradeManagedPackagePoliciesTask } from './services/setup/managed_package_policies';
 import { registerDeployAgentPoliciesTask } from './services/agent_policies/deploy_agent_policies_task';
 import { DeleteUnenrolledAgentsTask } from './tasks/delete_unenrolled_agents_task';
+import { registerBumpAgentPoliciesTask } from './services/agent_policies/bump_agent_policies_task';
 
 export interface FleetSetupDeps {
   security: SecurityPluginSetup;
@@ -619,6 +620,7 @@ export class FleetPlugin
     // Register task
     registerUpgradeManagedPackagePoliciesTask(deps.taskManager);
     registerDeployAgentPoliciesTask(deps.taskManager);
+    registerBumpAgentPoliciesTask(deps.taskManager);
 
     this.bulkActionsResolver = new BulkActionsResolver(deps.taskManager, core);
     this.checkDeletedFilesTask = new CheckDeletedFilesTask({

diff --git a/x-pack/plugins/fleet/server/saved_objects/index.ts b/x-pack/plugins/fleet/server/saved_objects/index.ts
@@ -606,6 +606,7 @@ export const getSavedObjectTypes = (
           updated_by: { type: 'keyword' },
           created_at: { type: 'date' },
           created_by: { type: 'keyword' },
+          bump_agent_policy_revision: { type: 'boolean' },
         },
       },
       modelVersions: {
@@ -750,6 +751,16 @@ export const getSavedObjectTypes = (
             },
           ],
         },
+        '15': {
+          changes: [
+            {
+              type: 'mappings_addition',
+              addedMappings: {
+                bump_agent_policy_revision: { type: 'boolean' },
+              },
+            },
+          ],
+        },
       },
       migrations: {
         '7.10.0': migratePackagePolicyToV7100,
@@ -810,6 +821,19 @@ export const getSavedObjectTypes = (
           updated_by: { type: 'keyword' },
           created_at: { type: 'date' },
           created_by: { type: 'keyword' },
+          bump_agent_policy_revision: { type: 'boolean' },
+        },
+      },
+      modelVersions: {
+        '1': {
+          changes: [
+            {
+              type: 'mappings_addition',
+              addedMappings: {
+                bump_agent_policy_revision: { type: 'boolean' },
+              },
+            },
+          ],
         },
       },
     },

diff --git a/x-pack/plugins/fleet/server/services/agent_policies/bump_agent_policies_task.test.ts b/x-pack/plugins/fleet/server/services/agent_policies/bump_agent_policies_task.test.ts
@@ -0,0 +1,115 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { loggingSystemMock } from '@kbn/core/server/mocks';
+
+import { agentPolicyService } from '../agent_policy';
+
+import { appContextService } from '..';
+import { getPackagePolicySavedObjectType } from '../package_policy';
+
+import { _updatePackagePoliciesThatNeedBump } from './bump_agent_policies_task';
+
+jest.mock('../app_context');
+jest.mock('../agent_policy');
+jest.mock('../package_policy');
+
+const mockedAgentPolicyService = jest.mocked(agentPolicyService);
+const mockedAppContextService = jest.mocked(appContextService);
+const mockSoClient = {
+  find: jest.fn(),
+  bulkUpdate: jest.fn(),
+} as any;
+const mockGetPackagePolicySavedObjectType = jest.mocked(getPackagePolicySavedObjectType);
+
+describe('_updatePackagePoliciesThatNeedBump', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+    mockSoClient.find.mockResolvedValue({
+      total: 3,
+      saved_objects: [
+        {
+          id: 'packagePolicy1',
+          namespaces: ['default'],
+          attributes: {
+            policy_ids: ['policy1'],
+          },
+        },
+        {
+          id: 'packagePolicy12',
+          namespaces: ['default'],
+          attributes: {
+            policy_ids: ['policy1'],
+          },
+        },
+        {
+          id: 'packagePolicy2',
+          namespaces: ['space'],
+          attributes: {
+            policy_ids: ['policy2'],
+          },
+        },
+        {
+          id: 'packagePolicy3',
+          namespaces: ['space'],
+          attributes: {
+            policy_ids: ['policy3'],
+          },
+        },
+      ],
+      page: 1,
+      perPage: 100,
+    });
+    mockedAppContextService.getInternalUserSOClientWithoutSpaceExtension.mockReturnValue(
+      mockSoClient
+    );
+    mockedAppContextService.getInternalUserSOClientForSpaceId.mockReturnValue(mockSoClient);
+    mockGetPackagePolicySavedObjectType.mockResolvedValue('fleet-package-policies');
+  });
+
+  it('should update package policy if bump agent policy revision needed', async () => {
+    const logger = loggingSystemMock.createLogger();
+
+    await _updatePackagePoliciesThatNeedBump(logger, () => false);
+
+    expect(mockSoClient.bulkUpdate).toHaveBeenCalledWith([
+      {
+        attributes: { bump_agent_policy_revision: false },
+        id: 'packagePolicy1',
+        type: 'fleet-package-policies',
+      },
+      {
+        attributes: { bump_agent_policy_revision: false },
+        id: 'packagePolicy12',
+        type: 'fleet-package-policies',
+      },
+    ]);
+    expect(mockSoClient.bulkUpdate).toHaveBeenCalledWith([
+      {
+        attributes: { bump_agent_policy_revision: false },
+        id: 'packagePolicy2',
+        type: 'fleet-package-policies',
+      },
+      {
+        attributes: { bump_agent_policy_revision: false },
+        id: 'packagePolicy3',
+        type: 'fleet-package-policies',
+      },
+    ]);
+
+    expect(mockedAgentPolicyService.bumpAgentPoliciesByIds).toHaveBeenCalledWith(
+      expect.anything(),
+      undefined,
+      ['policy1']
+    );
+    expect(mockedAgentPolicyService.bumpAgentPoliciesByIds).toHaveBeenCalledWith(
+      expect.anything(),
+      undefined,
+      ['policy2', 'policy3']
+    );
+  });
+});