From 2e3d527696910b58a36ca94506833782110297cc Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Mon, 21 Jun 2021 18:48:19 -0400
Subject: [PATCH] [Fleet] Update final pipeline based on ECS event.agent_id_status (#102805)
This updates the Fleet final pipeline added in #100973 to match the specification of `event.agent_id_status` field as defined in ECS. The field was added to ECS in https://github.com/elastic/ecs/pull/1454. Basically the values of the field were simplified from what was originally proposed and implemented.
---
 .../ingest_pipeline/final_pipeline.ts | 25 ++++++++++---------
 .../apis/epm/final_pipeline.ts | 8 +++---
 2 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/x-pack/plugins/fleet/server/services/epm/elasticsearch/ingest_pipeline/final_pipeline.ts b/x-pack/plugins/fleet/server/services/epm/elasticsearch/ingest_pipeline/final_pipeline.ts
index 4c0484c058ab..f929a4f13998 100644
--- a/x-pack/plugins/fleet/server/services/epm/elasticsearch/ingest_pipeline/final_pipeline.ts
+++ b/x-pack/plugins/fleet/server/services/epm/elasticsearch/ingest_pipeline/final_pipeline.ts
@@ -59,25 +59,26 @@ processors:
 }
 
 String verified(def ctx, def params) {
- // Agents only use API keys.
- if (ctx?._security?.authentication_type == null || ctx._security.authentication_type != 'API_KEY') {
- return "no_api_key";
+ // No agent.id field to validate.
+ if (ctx?.agent?.id == null) {
+ return "missing";
 }
 
- // Verify the API key owner before trusting any metadata it contains.
- if (!is_user_trusted(ctx, params.trusted_users)) {
- return "untrusted_user";
- }
-
- // API keys created by Fleet include metadata about the agent they were issued to.
- if (ctx?._security?.api_key?.metadata?.agent_id == null || ctx?.agent?.id == null) {
- return "missing_metadata";
+ // Check auth metadata from API key.
+ if (ctx?._security?.authentication_type == null
+ // Agents only use API keys.
+ || ctx._security.authentication_type != 'API_KEY'
+ // Verify the API key owner before trusting any metadata it contains.
+ || !is_user_trusted(ctx, params.trusted_users)
+ // Verify the API key has metadata indicating the assigned agent ID.
+ || ctx?._security?.api_key?.metadata?.agent_id == null) {
+ return "auth_metadata_missing";
 }
 
 // The API key can only be used represent the agent.id it was issued to.
 if (ctx._security.api_key.metadata.agent_id != ctx.agent.id) {
 // Potential masquerade attempt.
- return "agent_id_mismatch";
+ return "mismatch";
 }
 
 return "verified";
diff --git a/x-pack/test/fleet_api_integration/apis/epm/final_pipeline.ts b/x-pack/test/fleet_api_integration/apis/epm/final_pipeline.ts
index a800546a27a3..81f712e095c7 100644
--- a/x-pack/test/fleet_api_integration/apis/epm/final_pipeline.ts
+++ b/x-pack/test/fleet_api_integration/apis/epm/final_pipeline.ts
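Review bot: `verified` now returns four bare status strings whose meaning is fixed by the ECS `event.agent_id_status` definition rather than by the code, and nothing in the function says so; `missing` in particular reads as "missing metadata" to anyone who knew the previous version, when it now means the document carries no `agent.id` at all. A header comment above `String verified(def ctx, def params)` should state that the result is what the pipeline writes to `event.agent_id_status`, list the four values (`verified`, `mismatch`, `missing`, `auth_metadata_missing`) with one line each, and point at the ECS change referenced in the commit message. It is also worth stating there that, because the `agent.id` check now comes first, `missing` is returned regardless of whether the request was authenticated with a trusted API key, so that value alone says nothing about the sender — detection rules keyed on these values need to know that. The closing brace of `verified` and the `is_user_trusted` helper it calls are outside the hunk.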
@@ -112,14 +112,14 @@ export default function (providerContext: FtrProviderContext) {
 
 // @ts-expect-error
 const event = doc._source.event;
- expect(event.agent_id_status).to.be('no_api_key');
+ expect(event.agent_id_status).to.be('auth_metadata_missing');
 expect(event).to.have.property('ingested');
 });
 
 const scenarios = [
 {
 name: 'API key without metadata',
- expectedStatus: 'missing_metadata',
+ expectedStatus: 'auth_metadata_missing',
 event: { agent: { id: 'agent1' } },
 },
 {
@@ -134,7 +134,7 @@ export default function (providerContext: FtrProviderContext) {
 },
 {
 name: 'API key with agent id metadata and no agent id in event',
- expectedStatus: 'missing_metadata',
+ expectedStatus: 'missing',
 apiKey: {
 metadata: {
 agent_id: 'agent1',
@@ -143,7 +143,7 @@ export default function (providerContext: FtrProviderContext) {
 },
 {
 name: 'API key with agent id metadata and tampered agent id in event',
- expectedStatus: 'agent_id_mismatch',
+ expectedStatus: 'mismatch',
 apiKey: {
 metadata: {
 agent_id: 'agent2',
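Review bot: The first assertion now expects `auth_metadata_missing` for the no-API-key case, but with the reordered checks in the pipeline hunk above that value is only reached when the indexed document carries an `agent.id`; the document for this test is built before the hunk, so whether it has one is not visible here, and if it does not the pipeline returns `missing` and the assertion fails — the fixture should be confirmed. Separately, the former `untrusted_user` outcome is now folded into `auth_metadata_missing`, and none of the scenarios visible in this hunk exercise an API key owned by a non-trusted user; unless such a case exists further down the array, a scenario like `name: 'API key owned by untrusted user', expectedStatus: 'auth_metadata_missing'` would keep the `is_user_trusted` branch covered. The `scenarios` array continues past the end of this hunk.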