[Fleet] Update final pipeline based on ECS event.agent_id_status (#102805)

This updates the Fleet final pipeline added in #100973 to match the specification of `event.agent_id_status` field as defined in ECS. The field was added to ECS in https://github.com/elastic/ecs/pull/1454. Basically the values of the field were simplified from what was originally proposed and implemented.
2021-06-21 18:48:19 -04:00 · 2021-06-21 18:48:19 -04:00 · 2e3d527696
parent 3084de6782
commit 2e3d527696
2 changed files with 17 additions and 16 deletions
--- a/x-pack/plugins/fleet/server/services/epm/elasticsearch/ingest_pipeline/final_pipeline.ts
+++ b/x-pack/plugins/fleet/server/services/epm/elasticsearch/ingest_pipeline/final_pipeline.ts
@ -59,25 +59,26 @@ processors:
        }

        String verified(def ctx, def params) {
-          // Agents only use API keys.
-          if (ctx?._security?.authentication_type == null || ctx._security.authentication_type != 'API_KEY') {
-            return "no_api_key";
+          // No agent.id field to validate.
+          if (ctx?.agent?.id == null) {
+            return "missing";
          }

-          // Verify the API key owner before trusting any metadata it contains.
-          if (!is_user_trusted(ctx, params.trusted_users)) {
-            return "untrusted_user";
-          }
-
-          // API keys created by Fleet include metadata about the agent they were issued to.
-          if (ctx?._security?.api_key?.metadata?.agent_id == null || ctx?.agent?.id == null) {
-            return "missing_metadata";
+          // Check auth metadata from API key.
+          if (ctx?._security?.authentication_type == null
+              // Agents only use API keys.
+              || ctx._security.authentication_type != 'API_KEY'
+              // Verify the API key owner before trusting any metadata it contains.
+              || !is_user_trusted(ctx, params.trusted_users)
+              // Verify the API key has metadata indicating the assigned agent ID.
+              || ctx?._security?.api_key?.metadata?.agent_id == null) {
+            return "auth_metadata_missing";
          }

          // The API key can only be used represent the agent.id it was issued to.
          if (ctx._security.api_key.metadata.agent_id != ctx.agent.id) {
            // Potential masquerade attempt.
-            return "agent_id_mismatch";
+            return "mismatch";
          }

          return "verified";
--- a/x-pack/test/fleet_api_integration/apis/epm/final_pipeline.ts
+++ b/x-pack/test/fleet_api_integration/apis/epm/final_pipeline.ts
@ -112,14 +112,14 @@ export default function (providerContext: FtrProviderContext) {
      // @ts-expect-error
      const event = doc._source.event;

-      expect(event.agent_id_status).to.be('no_api_key');
+      expect(event.agent_id_status).to.be('auth_metadata_missing');
      expect(event).to.have.property('ingested');
    });

    const scenarios = [
      {
        name: 'API key without metadata',
-        expectedStatus: 'missing_metadata',
+        expectedStatus: 'auth_metadata_missing',
        event: { agent: { id: 'agent1' } },
      },
      {
@ -134,7 +134,7 @@ export default function (providerContext: FtrProviderContext) {
      },
      {
        name: 'API key with agent id metadata and no agent id in event',
-        expectedStatus: 'missing_metadata',
+        expectedStatus: 'missing',
        apiKey: {
          metadata: {
            agent_id: 'agent1',
@ -143,7 +143,7 @@ export default function (providerContext: FtrProviderContext) {
      },
      {
        name: 'API key with agent id metadata and tampered agent id in event',
-        expectedStatus: 'agent_id_mismatch',
+        expectedStatus: 'mismatch',
        apiKey: {
          metadata: {
            agent_id: 'agent2',