[Fleet] Update final pipeline based on ECS event.agent_id_status (#102805)
This updates the Fleet final pipeline added in #100973 to match the specification of the `event.agent_id_status` field as defined in ECS. The field was added to ECS in https://github.com/elastic/ecs/pull/1454. In short, the field's values were simplified from what was originally proposed and implemented.
parent
3084de6782
commit
2e3d527696
|
@ -59,25 +59,26 @@ processors:
|
|||
}
|
||||
|
||||
String verified(def ctx, def params) {
|
||||
// Agents only use API keys.
|
||||
if (ctx?._security?.authentication_type == null || ctx._security.authentication_type != 'API_KEY') {
|
||||
return "no_api_key";
|
||||
// No agent.id field to validate.
|
||||
if (ctx?.agent?.id == null) {
|
||||
return "missing";
|
||||
}
|
||||
|
||||
// Verify the API key owner before trusting any metadata it contains.
|
||||
if (!is_user_trusted(ctx, params.trusted_users)) {
|
||||
return "untrusted_user";
|
||||
}
|
||||
|
||||
// API keys created by Fleet include metadata about the agent they were issued to.
|
||||
if (ctx?._security?.api_key?.metadata?.agent_id == null || ctx?.agent?.id == null) {
|
||||
return "missing_metadata";
|
||||
// Check auth metadata from API key.
|
||||
if (ctx?._security?.authentication_type == null
|
||||
// Agents only use API keys.
|
||||
|| ctx._security.authentication_type != 'API_KEY'
|
||||
// Verify the API key owner before trusting any metadata it contains.
|
||||
|| !is_user_trusted(ctx, params.trusted_users)
|
||||
// Verify the API key has metadata indicating the assigned agent ID.
|
||||
|| ctx?._security?.api_key?.metadata?.agent_id == null) {
|
||||
return "auth_metadata_missing";
|
||||
}
|
||||
|
||||
// The API key can only be used represent the agent.id it was issued to.
|
||||
if (ctx._security.api_key.metadata.agent_id != ctx.agent.id) {
|
||||
// Potential masquerade attempt.
|
||||
return "agent_id_mismatch";
|
||||
return "mismatch";
|
||||
}
|
||||
|
||||
return "verified";
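Review bot: The combined condition that returns `auth_metadata_missing` now covers three different situations (authentication that is not an API key, a key whose owner fails `is_user_trusted`, and a key without `metadata.agent_id`), so an untrusted key owner can no longer be told apart from an unannotated key in the indexed event. That matches the ECS value set the description cites, but it deserves a comment above the condition, e.g. `// ECS folds non-API-key auth, untrusted key owner and absent agent_id metadata into one status; only "verified" means agent.id was checked against the key.` As far as the new side can be read from this rendering, the `agent.id == null` check now runs first, so an event without `agent.id` gets `missing` whatever its authentication looks like; the comment on that check should say so, so that `missing` is not read as a statement about the sender. The body of `verified` closes outside the hunk.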
|
||||
|
|
|
@ -112,14 +112,14 @@ export default function (providerContext: FtrProviderContext) {
|
|||
// @ts-expect-error
|
||||
const event = doc._source.event;
|
||||
|
||||
expect(event.agent_id_status).to.be('no_api_key');
|
||||
expect(event.agent_id_status).to.be('auth_metadata_missing');
|
||||
expect(event).to.have.property('ingested');
|
||||
});
|
||||
|
||||
const scenarios = [
|
||||
{
|
||||
name: 'API key without metadata',
|
||||
expectedStatus: 'missing_metadata',
|
||||
expectedStatus: 'auth_metadata_missing',
|
||||
event: { agent: { id: 'agent1' } },
|
||||
},
|
||||
{
|
||||
|
@ -134,7 +134,7 @@ export default function (providerContext: FtrProviderContext) {
|
|||
},
|
||||
{
|
||||
name: 'API key with agent id metadata and no agent id in event',
|
||||
expectedStatus: 'missing_metadata',
|
||||
expectedStatus: 'missing',
|
||||
apiKey: {
|
||||
metadata: {
|
||||
agent_id: 'agent1',
|
||||
|
@ -143,7 +143,7 @@ export default function (providerContext: FtrProviderContext) {
|
|||
},
|
||||
{
|
||||
name: 'API key with agent id metadata and tampered agent id in event',
|
||||
expectedStatus: 'agent_id_mismatch',
|
||||
expectedStatus: 'mismatch',
|
||||
apiKey: {
|
||||
metadata: {
|
||||
agent_id: 'agent2',
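Review bot: None of the scenarios visible in these hunks pins the precedence between `missing` and `auth_metadata_missing`: the 'no agent id in event' case still carries API key metadata, so it would pass even if the pipeline checked authentication first. A scenario with neither an agent id nor key metadata would fix the order, e.g. `{ name: 'no API key metadata and no agent id in event', expectedStatus: 'missing', event: {} }`, with the event shape matched to the existing no-agent-id case. A case for an API key owned by a user outside `trusted_users`, expecting `auth_metadata_missing`, is worth adding on the same grounds. The `scenarios` array continues outside the hunks, so either case may already exist there.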
|
||||
|
|