
[Fleet] Allow to restrict namespace prefix (#188003)
nchaulet authored Jul 15, 2024
1 parent d4ba879 commit 25916ff
Showing 34 changed files with 899 additions and 53 deletions.
1 change: 1 addition & 0 deletions packages/kbn-check-mappings-update-cli/current_fields.json
Expand Up @@ -480,6 +480,7 @@
"status",
"uuid"
],
"fleet-space-settings": [],
"fleet-uninstall-tokens": [
"policy_id",
"token_plain"
4 changes: 4 additions & 0 deletions packages/kbn-check-mappings-update-cli/current_mappings.json
Expand Up @@ -1612,6 +1612,10 @@
}
}
},
"fleet-space-settings": {
"dynamic": false,
"properties": {}
},
"fleet-uninstall-tokens": {
"dynamic": false,
"properties": {
Expand Up @@ -128,6 +128,7 @@ const STANDARD_LIST_TYPES = [
'fleet-fleet-server-host',
'fleet-proxy',
'fleet-uninstall-tokens',
'fleet-space-settings',
];

/**
Expand Up @@ -104,6 +104,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
"fleet-preconfiguration-deletion-record": "c52ea1e13c919afe8a5e8e3adbb7080980ecc08e",
"fleet-proxy": "6cb688f0d2dd856400c1dbc998b28704ff70363d",
"fleet-setup-lock": "0dc784792c79b5af5a6e6b5dcac06b0dbaa90bde",
"fleet-space-settings": "b278e82a33978900e53a1253884b5bdbd929c9bb",
"fleet-uninstall-tokens": "ed8aa37e3cdd69e4360709e64944bb81cae0c025",
"graph-workspace": "5cc6bb1455b078fd848c37324672163f09b5e376",
"guided-onboarding-guide-state": "d338972ed887ac480c09a1a7fbf582d6a3827c91",
Expand Up @@ -72,6 +72,7 @@ const previouslyRegisteredTypes = [
'fleet-proxy',
'fleet-uninstall-tokens',
'fleet-setup-lock',
'fleet-space-settings',
'graph-workspace',
'guided-setup-state',
'guided-onboarding-guide-state',
2 changes: 2 additions & 0 deletions x-pack/plugins/fleet/common/constants/routes.ts
Expand Up @@ -123,6 +123,8 @@ export const SETTINGS_API_ROUTES = {
INFO_PATTERN: `${API_ROOT}/settings`,
UPDATE_PATTERN: `${API_ROOT}/settings`,
ENROLLMENT_INFO_PATTERN: `${INTERNAL_ROOT}/settings/enrollment`,
SPACE_INFO_PATTERN: `${API_ROOT}/space_settings`,
SPACE_UPDATE_PATTERN: `${API_ROOT}/space_settings`,
};

// App API routes
4 changes: 4 additions & 0 deletions x-pack/plugins/fleet/common/constants/settings.ts
Expand Up @@ -7,4 +7,8 @@

export const GLOBAL_SETTINGS_SAVED_OBJECT_TYPE = 'ingest_manager_settings';

export const SPACE_SETTINGS_SAVED_OBJECT_TYPE = 'fleet-space-settings';

export const SPACE_SETTINGS_ID_SUFFIX = '-default-settings';

export const GLOBAL_SETTINGS_ID = 'fleet-default-settings';
1 change: 1 addition & 0 deletions x-pack/plugins/fleet/common/errors.ts
Expand Up @@ -16,6 +16,7 @@ export class FleetError extends Error {
}
}

export class PolicyNamespaceValidationError extends FleetError {}
export class PackagePolicyValidationError extends FleetError {}

export class MessageSigningError extends FleetError {}
4 changes: 4 additions & 0 deletions x-pack/plugins/fleet/common/types/index.ts
Expand Up @@ -35,6 +35,10 @@ export interface FleetConfigType {
url: string;
};
};
spaceSettings?: Array<{
space_id: string;
allowed_namespace_prefixes: string[] | null;
}>;
agentPolicies?: PreconfiguredAgentPolicy[];
packages?: PreconfiguredPackage[];
outputs?: PreconfiguredOutput[];
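Review bot: The preconfiguration type on the new `spaceSettings` entry declares `allowed_namespace_prefixes: string[] | null`, while the REST types added in rest_spec/settings.ts in this same commit (`PutSpaceSettingsRequest` and `GetSpaceSettingsResponse`) declare it as `allowed_namespace_prefixes?: string[]`, so a reader cannot tell whether `null`, an absent key and `[]` are meant to be equivalent (no restriction) or distinct. Whichever is intended should be stated on the field, e.g. `/** Namespace prefixes policies in this space may use; null (or absent) presumably means unrestricted — confirm against the validation that consumes it */`. If `null` and absent really are the same, aligning both declarations on one form would keep the preconfiguration and API paths from diverging. The enclosing `FleetConfigType` interface starts and ends outside the hunk.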
11 changes: 11 additions & 0 deletions x-pack/plugins/fleet/common/types/rest_spec/settings.ts
Expand Up @@ -46,3 +46,14 @@ export interface GetEnrollmentSettingsResponse {
};
download_source?: DownloadSource;
}
export interface PutSpaceSettingsRequest {
body: {
allowed_namespace_prefixes?: string[];
};
}

export interface GetSpaceSettingsResponse {
item: {
allowed_namespace_prefixes?: string[];
};
}
2 changes: 2 additions & 0 deletions x-pack/plugins/fleet/server/config.ts
Expand Up @@ -19,6 +19,7 @@ import {
PreconfiguredOutputsSchema,
PreconfiguredFleetServerHostsSchema,
PreconfiguredFleetProxiesSchema,
PreconfiguredSpaceSettingsSchema,
} from './types';
import { BULK_CREATE_MAX_ARTIFACTS_BYTES } from './services/artifacts/artifacts';

Expand Down Expand Up @@ -154,6 +155,7 @@ export const config: PluginConfigDescriptor = {
outputs: PreconfiguredOutputsSchema,
fleetServerHosts: PreconfiguredFleetServerHostsSchema,
proxies: PreconfiguredFleetProxiesSchema,
spaceSettings: PreconfiguredSpaceSettingsSchema,
agentIdVerificationEnabled: schema.boolean({ defaultValue: true }),
setup: schema.maybe(
schema.object({
1 change: 1 addition & 0 deletions x-pack/plugins/fleet/server/constants/index.ts
Expand Up @@ -50,6 +50,7 @@ export {
OUTPUT_SAVED_OBJECT_TYPE,
PACKAGES_SAVED_OBJECT_TYPE,
ASSETS_SAVED_OBJECT_TYPE,
SPACE_SETTINGS_SAVED_OBJECT_TYPE,
GLOBAL_SETTINGS_SAVED_OBJECT_TYPE,
MESSAGE_SIGNING_KEYS_SAVED_OBJECT_TYPE,
UNINSTALL_TOKENS_SAVED_OBJECT_TYPE,
2 changes: 2 additions & 0 deletions x-pack/plugins/fleet/server/plugin.ts
Expand Up @@ -88,6 +88,7 @@ import {
PLUGIN_ID,
PRECONFIGURATION_DELETION_RECORD_SAVED_OBJECT_TYPE,
FLEET_PROXY_SAVED_OBJECT_TYPE,
SPACE_SETTINGS_SAVED_OBJECT_TYPE,
} from './constants';
import { registerEncryptedSavedObjects, registerSavedObjects } from './saved_objects';
import { registerRoutes } from './routes';
Expand Down Expand Up @@ -190,6 +191,7 @@ const allSavedObjectTypes = [
DOWNLOAD_SOURCE_SAVED_OBJECT_TYPE,
FLEET_SERVER_HOST_SAVED_OBJECT_TYPE,
FLEET_PROXY_SAVED_OBJECT_TYPE,
SPACE_SETTINGS_SAVED_OBJECT_TYPE,
];

/**
2 changes: 1 addition & 1 deletion x-pack/plugins/fleet/server/routes/index.ts
Expand Up @@ -40,7 +40,7 @@ export function registerRoutes(fleetAuthzRouter: FleetAuthzRouter, config: Fleet
registerAgentPolicyRoutes(fleetAuthzRouter);
registerPackagePolicyRoutes(fleetAuthzRouter);
registerOutputRoutes(fleetAuthzRouter);
registerSettingsRoutes(fleetAuthzRouter);
registerSettingsRoutes(fleetAuthzRouter, config);
registerDataStreamRoutes(fleetAuthzRouter);
registerPreconfigurationRoutes(fleetAuthzRouter);
registerFleetServerHostRoutes(fleetAuthzRouter);
97 changes: 47 additions & 50 deletions x-pack/plugins/fleet/server/routes/settings/index.ts
Expand Up @@ -5,71 +5,68 @@
* 2.0.
*/

import type { TypeOf } from '@kbn/config-schema';

import { parseExperimentalConfigValue } from '../../../common/experimental_features';
import { API_VERSIONS } from '../../../common/constants';
import type { FleetAuthzRouter } from '../../services/security';

import { SETTINGS_API_ROUTES } from '../../constants';
import type { FleetRequestHandler } from '../../types';
import {
PutSettingsRequestSchema,
GetSettingsRequestSchema,
GetEnrollmentSettingsRequestSchema,
GetSpaceSettingsRequestSchema,
PutSpaceSettingsRequestSchema,
} from '../../types';
import { defaultFleetErrorHandler } from '../../errors';
import { settingsService, agentPolicyService, appContextService } from '../../services';
import type { FleetConfigType } from '../../config';

import { getEnrollmentSettingsHandler } from './enrollment_settings_handler';

export const getSettingsHandler: FleetRequestHandler = async (context, request, response) => {
const soClient = (await context.fleet).internalSoClient;

try {
const settings = await settingsService.getSettings(soClient);
const body = {
item: settings,
};
return response.ok({ body });
} catch (error) {
if (error.isBoom && error.output.statusCode === 404) {
return response.notFound({
body: { message: `Settings not found` },
});
}

return defaultFleetErrorHandler({ error, response });
}
};

export const putSettingsHandler: FleetRequestHandler<
undefined,
undefined,
TypeOf<typeof PutSettingsRequestSchema.body>
> = async (context, request, response) => {
const soClient = (await context.fleet).internalSoClient;
const esClient = (await context.core).elasticsearch.client.asInternalUser;
const user = appContextService.getSecurityCore().authc.getCurrentUser(request) || undefined;
import {
getSettingsHandler,
getSpaceSettingsHandler,
putSettingsHandler,
putSpaceSettingsHandler,
} from './settings_handler';

try {
const settings = await settingsService.saveSettings(soClient, request.body);
await agentPolicyService.bumpAllAgentPolicies(esClient, { user });
const body = {
item: settings,
};
return response.ok({ body });
} catch (error) {
if (error.isBoom && error.output.statusCode === 404) {
return response.notFound({
body: { message: `Settings not found` },
});
}
export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType) => {
const experimentalFeatures = parseExperimentalConfigValue(config.enableExperimental);
if (experimentalFeatures.useSpaceAwareness) {
router.versioned
.get({
path: SETTINGS_API_ROUTES.SPACE_INFO_PATTERN,
fleetAuthz: (authz) => {
return (
authz.fleet.readSettings ||
authz.integrations.writeIntegrationPolicies ||
authz.fleet.allAgentPolicies
);
},
description: `Get space settings`,
})
.addVersion(
{
version: API_VERSIONS.public.v1,
validate: { request: GetSpaceSettingsRequestSchema },
},
getSpaceSettingsHandler
);

return defaultFleetErrorHandler({ error, response });
router.versioned
.put({
path: SETTINGS_API_ROUTES.SPACE_UPDATE_PATTERN,
fleetAuthz: {
fleet: { allSettings: true },
},
description: `Put space settings`,
})
.addVersion(
{
version: API_VERSIONS.public.v1,
validate: { request: PutSpaceSettingsRequestSchema },
},
putSpaceSettingsHandler
);
}
};

export const registerRoutes = (router: FleetAuthzRouter) => {
router.versioned
.get({
path: SETTINGS_API_ROUTES.INFO_PATTERN,
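Review bot: The new GET route for `SETTINGS_API_ROUTES.SPACE_INFO_PATTERN` grants access on any of three privileges (`authz.fleet.readSettings`, `authz.integrations.writeIntegrationPolicies`, `authz.fleet.allAgentPolicies`) without explanation, while the PUT route next to it requires `fleet: { allSettings: true }`, so it is not obvious that the wider read set is deliberate rather than copied from another route. Presumably users who author integration or agent policies need to read the allowed prefixes to choose a valid namespace; a one-line comment above the `fleetAuthz` callback such as `// Policy authors need the allowed prefixes to pick a valid namespace; only settings admins may change them` would record that intent (confirm against the policy validation that consumes these settings). The `description` values are template literals with no interpolation and read more naturally as plain string literals. The new `registerRoutes` body continues past the end of the hunk.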
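--- a/x-pack/plugins/fleet/server/routes/settings/settings_handler.ts
+++ b/x-pack/plugins/fleet/server/routes/settings/settings_handler.ts
@@ -0,0 +1,100 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0; you may not use this file except in compliance with the Elastic License
+* 2.0.
+*/
+
+import type { TypeOf } from '@kbn/config-schema';
+
+import type {
+FleetRequestHandler,
+PutSettingsRequestSchema,
+PutSpaceSettingsRequestSchema,
+} from '../../types';
+import { defaultFleetErrorHandler } from '../../errors';
+import { settingsService, agentPolicyService, appContextService } from '../../services';
+import { getSpaceSettings, saveSpaceSettings } from '../../services/spaces/space_settings';
+
+export const getSpaceSettingsHandler: FleetRequestHandler = async (context, request, response) => {
+try {
+const soClient = (await context.fleet).internalSoClient;
+const settings = await getSpaceSettings(soClient.getCurrentNamespace());
+const body = {
+item: settings,
+};
+return response.ok({ body });
+} catch (error) {
+return defaultFleetErrorHandler({ error, response });
+}
+};
+
+export const putSpaceSettingsHandler: FleetRequestHandler<
+undefined,
+undefined,
+TypeOf<typeof PutSpaceSettingsRequestSchema.body>
+> = async (context, request, response) => {
+try {
+const soClient = (await context.fleet).internalSoClient;
+await saveSpaceSettings({
+settings: {
+allowed_namespace_prefixes: request.body.allowed_namespace_prefixes,
+},
+spaceId: soClient.getCurrentNamespace(),
+});
+const settings = await settingsService.getSettings(soClient);
+const body = {
+item: settings,
+};
+return response.ok({ body });
+} catch (error) {
+return defaultFleetErrorHandler({ error, response });
+}
+};
+
+export const getSettingsHandler: FleetRequestHandler = async (context, request, response) => {
+const soClient = (await context.fleet).internalSoClient;
+
+try {
+const settings = await settingsService.getSettings(soClient);
+const body = {
+item: settings,
+};
+return response.ok({ body });
+} catch (error) {
+if (error.isBoom && error.output.statusCode === 404) {
+return response.notFound({
+body: { message: `Settings not found` },
+});
+}
+
+return defaultFleetErrorHandler({ error, response });
+}
+};
+
+export const putSettingsHandler: FleetRequestHandler<
+undefined,
+undefined,
+TypeOf<typeof PutSettingsRequestSchema.body>
+> = async (context, request, response) => {
+const soClient = (await context.fleet).internalSoClient;
+const esClient = (await context.core).elasticsearch.client.asInternalUser;
+const user = appContextService.getSecurityCore().authc.getCurrentUser(request) || undefined;
+
+try {
+const settings = await settingsService.saveSettings(soClient, request.body);
+await agentPolicyService.bumpAllAgentPolicies(esClient, { user });
+const body = {
+item: settings,
+};
+return response.ok({ body });
+} catch (error) {
+if (error.isBoom && error.output.statusCode === 404) {
+return response.notFound({
+body: { message: `Settings not found` },
+});
+}
+
+return defaultFleetErrorHandler({ error, response });
+}
+};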
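Review bot: `putSpaceSettingsHandler` builds its response from `settingsService.getSettings(soClient)` after the save, which is the global Fleet settings object rather than the per-space entry that was just written; `getSpaceSettingsHandler` in the same file reads that entry with `getSpaceSettings(soClient.getCurrentNamespace())`, and the `GetSpaceSettingsResponse` type added in this commit declares only `item.allowed_namespace_prefixes`. The line should read `const settings = await getSpaceSettings(soClient.getCurrentNamespace());` so the PUT response matches its declared shape instead of echoing unrelated global settings; `settingsService` stays imported because `getSettingsHandler` still uses it. Whether `saveSpaceSettings` rejects empty strings or otherwise unusable prefixes is not visible here, so if it does not, `PutSpaceSettingsRequestSchema` is the place to constrain the array elements. A short header comment on each new handler stating that it operates on the current space, as resolved from `soClient.getCurrentNamespace()`, would also help the next reader.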
17 changes: 17 additions & 0 deletions x-pack/plugins/fleet/server/saved_objects/index.ts
Expand Up @@ -24,6 +24,7 @@ import {
INGEST_SAVED_OBJECT_INDEX,
UNINSTALL_TOKENS_SAVED_OBJECT_TYPE,
FLEET_SETUP_LOCK_TYPE,
SPACE_SETTINGS_SAVED_OBJECT_TYPE,
} from '../constants';

import { migrateSyntheticsPackagePolicyToV8120 } from './migrations/synthetics/to_v8_12_0';
Expand Down Expand Up @@ -123,6 +124,22 @@ export const getSavedObjectTypes = (
},
},
},
[SPACE_SETTINGS_SAVED_OBJECT_TYPE]: {
name: SPACE_SETTINGS_SAVED_OBJECT_TYPE,
indexPattern: INGEST_SAVED_OBJECT_INDEX,
hidden: false,
namespaceType: 'single',
management: {
importableAndExportable: false,
},
mappings: {
dynamic: false,
properties: {
// allowed_namespace_prefixes: { enabled: false },
// managed_by: { type: 'keyword', index: false },
},
},
},
// Deprecated
[GLOBAL_SETTINGS_SAVED_OBJECT_TYPE]: {
name: GLOBAL_SETTINGS_SAVED_OBJECT_TYPE,
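Review bot: The new `fleet-space-settings` saved-object type registers `mappings.properties` as an empty object with two commented-out field definitions (`allowed_namespace_prefixes`, `managed_by`), which leaves the reader guessing whether indexing was forgotten or deliberately skipped. Since `dynamic: false` already stores unmapped attributes without indexing them, replace the two commented lines with a statement of intent such as `// Attributes are intentionally unmapped: the object is only read back by id, never searched (dynamic: false keeps them in _source).` — confirm that nothing queries these fields before committing to that wording. `managed_by` appears in neither the config type nor the REST types added in this commit, so that line may be a leftover. `getSavedObjectTypes` starts before this hunk and continues past it.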
