From 0e5b3d800731c0e96702292b7bdbe6bae5aeda00 Mon Sep 17 00:00:00 2001
From: Julia Bardi <90178898+juliaElastic@users.noreply.github.com>
Date: Thu, 11 Jul 2024 12:57:01 +0200
Subject: [PATCH] [Fleet] Missing policy filter in Fleet Server check to enable secrets (#187935)

## Summary
Closes https://github.com/elastic/kibana/issues/187933 Closes https://github.com/elastic/kibana/issues/186845 Fixed missing policy filter when checking if Fleet Servers met minimum version to enable secrets storage. The integration tests cover now a case where there are no fleet servers but there are agents with minimum version, to verify that the query filters them out. Manual verification is hard because you can't enroll an agent without enrolling FS with at least the same version. It could be done by manually creating docs in `.fleet-agents`.
### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
(cherry picked from commit 5761a382e144799b09e45fe5cd59e0c1a012c81e)
---
 .../fleet/server/services/fleet_server/index.test.ts | 7 +++++++
 .../plugins/fleet/server/services/fleet_server/index.ts | 8 ++++++++
 x-pack/test/fleet_api_integration/apis/policy_secrets.ts | 5 +++++
 3 files changed, 20 insertions(+)
diff --git a/x-pack/plugins/fleet/server/services/fleet_server/index.test.ts b/x-pack/plugins/fleet/server/services/fleet_server/index.test.ts
index f00d78cd59ad9..7faea8c526819 100644
--- a/x-pack/plugins/fleet/server/services/fleet_server/index.test.ts
+++ b/x-pack/plugins/fleet/server/services/fleet_server/index.test.ts
@@ -115,6 +115,13 @@ describe('checkFleetServerVersionsForSecretsStorage', () => {
 version
 );
 expect(result).toBe(true);
+ expect(mockedGetAgentsByKuery).toHaveBeenCalledWith(
+ esClientMock,
+ soClientMock,
+ expect.objectContaining({
+ kuery: 'policy_id:("1" or "2")',
+ })
+ );
 });
 });
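Review bot: The added `toHaveBeenCalledWith` assertion in index.test.ts pins the filter only for the two-policy happy path; nothing in this hunk covers the early return that the same commit adds for an empty policy set. If the file does not already have one (the rest of it is not visible here), a companion case with no Fleet Server package policies that asserts `expect(result).toBe(false)` and `expect(mockedGetAgentsByKuery).not.toHaveBeenCalled()` would pin that branch. The enclosing `it` block starts above the hunk.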
diff --git a/x-pack/plugins/fleet/server/services/fleet_server/index.ts b/x-pack/plugins/fleet/server/services/fleet_server/index.ts
index 004a0deeea7b7..a0d508f0929e9 100644
--- a/x-pack/plugins/fleet/server/services/fleet_server/index.ts
+++ b/x-pack/plugins/fleet/server/services/fleet_server/index.ts
@@ -128,11 +128,19 @@ export async function checkFleetServerVersionsForSecretsStorage(
 hasMore = false;
 }
 }
+ if (policyIds.size === 0) {
+ return false;
+ }
+
+ const kuery = `policy_id:(${Array.from(policyIds)
+ .map((id) => `"${id}"`)
+ .join(' or ')})`;
 const managedAgentPolicies = await agentPolicyService.getAllManagedAgentPolicies(soClient);
 const fleetServerAgents = await getAgentsByKuery(esClient, soClient, {
 showInactive: true,
 perPage: SO_SEARCH_LIMIT,
+ kuery,
 });
 if (fleetServerAgents.agents.length === 0) {
diff --git a/x-pack/test/fleet_api_integration/apis/policy_secrets.ts b/x-pack/test/fleet_api_integration/apis/policy_secrets.ts
index 226c22d6ca924..d8e641b7af0a5 100644
--- a/x-pack/test/fleet_api_integration/apis/policy_secrets.ts
+++ b/x-pack/test/fleet_api_integration/apis/policy_secrets.ts
@@ -847,6 +847,8 @@ export default function (providerContext: FtrProviderContext) {
 it('should not store secrets if fleet server does not meet minimum version', async () => {
 const { fleetServerAgentPolicy } = await createFleetServerAgentPolicy();
 await createFleetServerAgent(fleetServerAgentPolicy.id, 'server_1', '7.0.0');
+ const { fleetServerAgentPolicy: fleetServerPolicy2 } = await createFleetServerAgentPolicy(); // extra policy to verify `or` condition
+ await createFleetServerAgent(fleetServerPolicy2.id, 'server_1', '8.12.0');
 await callFleetSetup();
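Review bot: In the index.ts hunk, `kuery` is built by wrapping each policy id in double quotes with no escaping, so an id containing `"` would end its quoted term early and produce a malformed or differently scoped filter. This query decides whether secrets storage is enabled, so it should hold up for whatever ids the policy store contains; where `policyIds` is populated is outside the hunk, so any constraint on the ids is not visible here. Escaping at the point of interpolation, for example ``.map((id) => `"${escapeQuotes(id)}"`)`` with `escapeQuotes` from `@kbn/es-query`, keeps each value inside its own term. The body of `checkFleetServerVersionsForSecretsStorage` starts and ends outside the hunk.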
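Review bot: In the first policy_secrets.ts hunk, the added `createFleetServerAgent` call reuses the name `'server_1'` that the 7.0.0 agent two lines above already has. What the helper does with that argument is not visible here; if it identifies the agent document, the two agents would collide and the test would no longer mix a below-minimum and an at-minimum server. A distinct value, `await createFleetServerAgent(fleetServerPolicy2.id, 'server_2', '8.12.0');`, removes the ambiguity and makes the two agents easier to tell apart in failures. The test body continues past the hunk.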
@@ -865,7 +867,10 @@ export default function (providerContext: FtrProviderContext) {
 });
 it('should not store secrets if there are no fleet servers', async () => {
+ await createFleetServerAgentPolicy();
 const agentPolicy = await createAgentPolicy();
+ // agent with new version shouldn't make storage secrets enabled
+ await createFleetServerAgent(agentPolicy.id, 'server_2', '8.12.0');
 const packagePolicyWithSecrets = await createPackagePolicyWithSecrets(agentPolicy.id);
 // secret should be in plain text i.e not a secret refrerence
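Review bot: The bare `await createFleetServerAgentPolicy();` at the top of the 'no fleet servers' test has no comment saying why a policy is created and its result discarded. Going by the commit description, it is there so that a Fleet Server policy exists with no agents on it, which makes the `policy_id` filter, rather than the empty-policy early return, the thing that excludes the 8.12.0 agent. A line such as `// Fleet Server policy with no agents enrolled, so the policy_id filter is exercised` would record that. The existing comment could also note that the agent sits on a regular agent policy even though it is created through `createFleetServerAgent`. The test body continues past the hunk.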