[Cloud Security][CIS GCP]Migration for new fields (elastic#167545)
## Summary

This PR is for migrating the account.type fields for GCP when it doesn't have
them

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Kfir Peled <[email protected]>
Co-authored-by: Kfir Peled <[email protected]>
4 people authored Oct 3, 2023
1 parent 60f66ea commit 959f623
Showing 5 changed files with 184 additions and 6 deletions.
Expand Up @@ -107,7 +107,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
"ingest-agent-policies": "f11cc19275f4c3e4ee7c5cd6423b6706b21b989d",
"ingest-download-sources": "279a68147e62e4d8858c09ad1cf03bd5551ce58d",
"ingest-outputs": "b4e636b13a5d0f89f0400fb67811d4cca4736eb0",
"ingest-package-policies": "8ec637429836f80f1fcc798bcee7c5916eceaed5",
"ingest-package-policies": "a0c9fb48e04dcd638e593db55f1c6451523f90ea",
"ingest_manager_settings": "64955ef1b7a9ffa894d4bb9cf863b5602bfa6885",
"inventory-view": "b8683c8e352a286b4aca1ab21003115a4800af83",
"kql-telemetry": "93c1d16c1a0dfca9c8842062cf5ef8f62ae401ad",
19 changes: 14 additions & 5 deletions x-pack/plugins/fleet/server/saved_objects/index.ts
Expand Up @@ -30,17 +30,14 @@ import {
migratePackagePolicyToV8110,
} from './migrations/security_solution/to_v8_11_0';

import { migrateCspPackagePolicyToV8110 } from './migrations/cloud_security_posture';

import { migrateOutputEvictionsFromV8100, migrateOutputToV8100 } from './migrations/to_v8_10_0';

import { migrateSyntheticsPackagePolicyToV8100 } from './migrations/synthetics/to_v8_10_0';

import { migratePackagePolicyEvictionsFromV8100 } from './migrations/security_solution/to_v8_10_0';

import {
migratePackagePolicyEvictionsFromV81102,
migratePackagePolicyToV81102,
} from './migrations/security_solution/to_v8_11_0_2';

import {
migrateAgentPolicyToV7100,
migratePackagePolicyToV7100,
Expand Down Expand Up @@ -78,6 +75,10 @@ import {
} from './migrations/security_solution';
import { migratePackagePolicyToV880 } from './migrations/to_v8_8_0';
import { migrateAgentPolicyToV890 } from './migrations/to_v8_9_0';
import {
migratePackagePolicyToV81102,
migratePackagePolicyEvictionsFromV81102,
} from './migrations/security_solution/to_v8_11_0_2';

/*
* Saved object types and mappings
Expand Down Expand Up @@ -351,6 +352,14 @@ const getSavedObjectTypes = (): { [key: string]: SavedObjectsType } => ({
forwardCompatibility: migratePackagePolicyEvictionsFromV81102,
},
},
'4': {
changes: [
{
type: 'data_backfill',
backfillFn: migrateCspPackagePolicyToV8110,
},
],
},
},
migrations: {
'7.10.0': migratePackagePolicyToV7100,
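Review bot: The entry `'4'` registers `migrateCspPackagePolicyToV8110`, whose name points at 8.11.0, after entry `'3'`, which carries the `V81102` helpers from `to_v8_11_0_2`, so the helper's name no longer reflects the order in which the transforms run. A one-line comment on the entry would spare the next reader the lookup, e.g. `// backfills gcp.account_type on cloud_security_posture GCP policies; ordered after the to_v8_11_0_2 changes`. The enclosing object starts and ends outside this hunk, so whether entry `'4'` is also expected to carry a `forwardCompatibility` schema like the one visible on the preceding entry cannot be judged from here.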
@@ -0,0 +1,8 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

export { migrateCspPackagePolicyToV8110 } from './to_v8_11_0';
@@ -0,0 +1,125 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import type { SavedObjectModelTransformationContext } from '@kbn/core-saved-objects-server';

import { migrateCspPackagePolicyToV8110 as migration } from './to_v8_11_0';

describe('8.11.0 Cloud Security Posture Package Policy migration', () => {
const policyDoc = (
accountType: string,
isAccountTypeCorrect: boolean,
packageName: string
): any => {
return {
id: 'mock-saved-csp-object-id',
attributes: {
name: 'cloud_security_posture_test',
package: {
name: packageName,
title: '',
version: '',
},
id: 'ID_123',
policy_id: '',
enabled: true,
namespace: '',
revision: 0,
updated_at: '',
updated_by: '',
created_at: '',
created_by: '',
inputs: [
{
type: accountType,
enabled: true,
streams: [
{
vars: {
...(isAccountTypeCorrect && {
'gcp.account_type': { value: 'single-account', type: 'text' },
}),
},
},
],
config: {},
},
],
},
type: ' nested',
};
};

it('adds gcp.account_type to policy, set to single', () => {
const initialDoc = policyDoc('cloudbeat/cis_gcp', false, 'cloud_security_posture');
const migratedDoc = policyDoc('cloudbeat/cis_gcp', true, 'cloud_security_posture');
expect(migration(initialDoc, {} as SavedObjectModelTransformationContext)).toEqual({
attributes: migratedDoc.attributes,
});
});

it('if there are no type cloudbeat/cis_gcp, do not add gcp.account_type', () => {
const initialDoc = policyDoc('cloudbeat/cis_aws', false, 'cloud_security_posture');
const migratedDoc = policyDoc('cloudbeat/cis_aws', false, 'cloud_security_posture');
expect(migration(initialDoc, {} as SavedObjectModelTransformationContext)).toEqual({
attributes: migratedDoc.attributes,
});
});

it('if there are no cloud_security_posture package, do not change the doc', () => {
const initialDoc = policyDoc('cloudbeat/cis_gcp', false, 'NOT_cloud_security_posture');
const migratedDoc = policyDoc('cloudbeat/cis_gcp', false, 'NOT_cloud_security_posture');
expect(migration(initialDoc, {} as SavedObjectModelTransformationContext)).toEqual({
attributes: migratedDoc.attributes,
});
});

it('if gcp.account_type exist and already has a value, do not set it to single-account', () => {
const policyDocWithAccountType = (): any => {
return {
id: 'mock-saved-csp-object-id',
attributes: {
name: 'cloud_security_posture_test',
package: {
name: 'cloud_security_posture',
title: '',
version: '',
},
id: 'ID_1234',
policy_id: '',
enabled: true,
namespace: '',
revision: 0,
updated_at: '',
updated_by: '',
created_at: '',
created_by: '',
inputs: [
{
type: 'cloudbeat/cis_gcp',
enabled: true,
streams: [
{
vars: {
'gcp.account_type': { value: 'single-account-MAYBE', type: 'text' },
},
},
],
config: {},
},
],
},
type: ' nested',
};
};
const initialDoc = policyDocWithAccountType();
const migratedDoc = policyDocWithAccountType();
expect(migration(initialDoc, {} as SavedObjectModelTransformationContext)).toEqual({
attributes: migratedDoc.attributes,
});
});
});
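Review bot: Every fixture in this spec has exactly one input with exactly one stream whose `vars` is an object, so two paths of the migration are never exercised: a `cloudbeat/cis_gcp` stream with no `vars` key (the `|| {}` fallback) and an input whose `streams` array is empty. A case for each would pin the behaviour on incomplete stored documents, which a backfill over existing data may well meet. The fourth test's title says "already has a value", but the migration only checks that the key exists, so a title such as `'if gcp.account_type is already present, do not overwrite it'` would describe it more exactly. The fixture's `type: ' nested'` has a leading space that looks accidental; it does not affect the assertions, since only `attributes` is compared.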
@@ -0,0 +1,36 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import type { SavedObjectModelDataBackfillFn } from '@kbn/core-saved-objects-server';

import type { PackagePolicy } from '../../../../common';

export const migrateCspPackagePolicyToV8110: SavedObjectModelDataBackfillFn<
PackagePolicy,
PackagePolicy
> = (packagePolicyDoc) => {
if (packagePolicyDoc.attributes.package?.name !== 'cloud_security_posture') {
return { attributes: packagePolicyDoc.attributes };
}

const updatedAttributes = packagePolicyDoc.attributes;

const gcpPackage = updatedAttributes.inputs.find((input) => input.type === 'cloudbeat/cis_gcp');

if (gcpPackage) {
const isGcpAccountTypeExists = gcpPackage.streams[0]?.vars?.hasOwnProperty('gcp.account_type');

if (!isGcpAccountTypeExists) {
const migratedPolicy = { 'gcp.account_type': { value: 'single-account', type: 'text' } };
gcpPackage.streams[0].vars = { ...(gcpPackage.streams[0].vars || {}), ...migratedPolicy };
}
}

return {
attributes: updatedAttributes,
};
};
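Review bot: The assignment `gcpPackage.streams[0].vars = …` dereferences `streams[0]` without the guard that the existence check above it uses (`streams[0]?.vars?.`), so a `cloudbeat/cis_gcp` input with an empty `streams` array is treated as "missing" and the write then throws a TypeError. How the saved-objects migrator handles a throwing backfill is not visible on this page, but presumably that policy document fails to migrate. Two smaller points: `updatedAttributes` is an alias of `packagePolicyDoc.attributes`, so the input document is mutated in place despite the name, and `hasOwnProperty` is called directly on the vars object rather than through `Object.prototype.hasOwnProperty.call`. The sketch below guards the stream and leaves the rest of the function as it is.

```typescript
// … unchanged: package-name guard and updatedAttributes …
const gcpInput = updatedAttributes.inputs.find((input) => input.type === 'cloudbeat/cis_gcp');
const firstStream = gcpInput?.streams[0];

// Skip inputs that have no stream; only backfill when the var is absent.
if (
  firstStream &&
  !Object.prototype.hasOwnProperty.call(firstStream.vars ?? {}, 'gcp.account_type')
) {
  firstStream.vars = {
    ...firstStream.vars,
    'gcp.account_type': { value: 'single-account', type: 'text' },
  };
}
// … unchanged: return { attributes: updatedAttributes } …
```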
