[Fleet] Missing policy filter in Fleet Server check to enable secrets (
…#187935)

## Summary

Closes #187933
Closes #186845

Fixed missing policy filter when checking if Fleet Servers met minimum
version to enable secrets storage.
The integration tests now cover a case where there are no Fleet Servers
but there are agents with the minimum version, to verify that the query
filters them out.

Manual verification is hard because you can't enroll an agent without
enrolling FS with at least the same version.
It could be done by manually creating docs in `.fleet-agents`.

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
juliaElastic authored Jul 11, 2024
1 parent 12bd8fe commit 5761a38
Showing 3 changed files with 20 additions and 0 deletions.
Expand Up @@ -115,6 +115,13 @@ describe('checkFleetServerVersionsForSecretsStorage', () => {
version
);
expect(result).toBe(true);
expect(mockedGetAgentsByKuery).toHaveBeenCalledWith(
esClientMock,
soClientMock,
expect.objectContaining({
kuery: 'policy_id:("1" or "2")',
})
);
});
});

8 changes: 8 additions & 0 deletions x-pack/plugins/fleet/server/services/fleet_server/index.ts
Expand Up @@ -128,11 +128,19 @@ export async function checkFleetServerVersionsForSecretsStorage(
hasMore = false;
}
}
if (policyIds.size === 0) {
return false;
}

const kuery = `policy_id:(${Array.from(policyIds)
.map((id) => `"${id}"`)
.join(' or ')})`;

const managedAgentPolicies = await agentPolicyService.getAllManagedAgentPolicies(soClient);
const fleetServerAgents = await getAgentsByKuery(esClient, soClient, {
showInactive: true,
perPage: SO_SEARCH_LIMIT,
kuery,
});

if (fleetServerAgents.agents.length === 0) {
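Review bot: The policy ids are interpolated into quoted KQL terms in the `.map((id) => ...)` step without escaping, so an id containing a double quote or backslash would yield a malformed or differently scoped filter in a check that decides whether secrets storage is enabled. Whether agent policy ids can be caller-supplied is not visible here; if they can, escape each id before quoting, for example `.map((id) => '"' + escapeQuotes(id) + '"')` with `escapeQuotes` from `@kbn/es-query`. As far as the hunk shows, the query also reads a single page of `SO_SEARCH_LIMIT` agents, so a comment should state that Fleet Server agents beyond that limit are not inspected. The function starts before this hunk and continues after it.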
5 changes: 5 additions & 0 deletions x-pack/test/fleet_api_integration/apis/policy_secrets.ts
Expand Up @@ -847,6 +847,8 @@ export default function (providerContext: FtrProviderContext) {
it('should not store secrets if fleet server does not meet minimum version', async () => {
const { fleetServerAgentPolicy } = await createFleetServerAgentPolicy();
await createFleetServerAgent(fleetServerAgentPolicy.id, 'server_1', '7.0.0');
const { fleetServerAgentPolicy: fleetServerPolicy2 } = await createFleetServerAgentPolicy(); // extra policy to verify `or` condition
await createFleetServerAgent(fleetServerPolicy2.id, 'server_1', '8.12.0');

await callFleetSetup();

Expand All @@ -865,7 +867,10 @@ export default function (providerContext: FtrProviderContext) {
});

it('should not store secrets if there are no fleet servers', async () => {
await createFleetServerAgentPolicy();
const agentPolicy = await createAgentPolicy();
// agent with new version shouldn't make storage secrets enabled
await createFleetServerAgent(agentPolicy.id, 'server_2', '8.12.0');
const packagePolicyWithSecrets = await createPackagePolicyWithSecrets(agentPolicy.id);

// secret should be in plain text i.e not a secret refrerence
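Review bot: The Fleet Server agent added in 'should not store secrets if fleet server does not meet minimum version' reuses `'server_1'`, the same second argument as the 7.0.0 agent created two lines earlier. If `createFleetServerAgent` (defined outside this section) uses that value as a document id or unique key, the second call would replace the first and the mixed-version case would no longer be exercised. A distinct value such as `await createFleetServerAgent(fleetServerPolicy2.id, 'server_1b', '8.12.0');` removes the doubt. Both test bodies continue outside the hunks shown.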
