[Fleet] Missing policy filter in Fleet Server check to enable secrets (
…elastic#187935)

## Summary

Closes elastic#187933
Closes elastic#186845

Fixed missing policy filter when checking if Fleet Servers met minimum
version to enable secrets storage.
The integration tests now cover a case where there are no Fleet Servers
but there are agents that meet the minimum version, to verify that the
query filters them out.

Manual verification is hard because you can't enroll an agent without
enrolling FS with at least the same version.
It could be done by manually creating docs in `.fleet-agents`.

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

(cherry picked from commit 5761a38)
juliaElastic committed Jul 11, 2024
1 parent 8bba594 commit 0e5b3d8
Showing 3 changed files with 20 additions and 0 deletions.
Expand Up @@ -115,6 +115,13 @@ describe('checkFleetServerVersionsForSecretsStorage', () => {
version
);
expect(result).toBe(true);
expect(mockedGetAgentsByKuery).toHaveBeenCalledWith(
esClientMock,
soClientMock,
expect.objectContaining({
kuery: 'policy_id:("1" or "2")',
})
);
});
});

8 changes: 8 additions & 0 deletions x-pack/plugins/fleet/server/services/fleet_server/index.ts
Expand Up @@ -128,11 +128,19 @@ export async function checkFleetServerVersionsForSecretsStorage(
hasMore = false;
}
}
if (policyIds.size === 0) {
return false;
}

const kuery = `policy_id:(${Array.from(policyIds)
.map((id) => `"${id}"`)
.join(' or ')})`;

const managedAgentPolicies = await agentPolicyService.getAllManagedAgentPolicies(soClient);
const fleetServerAgents = await getAgentsByKuery(esClient, soClient, {
showInactive: true,
perPage: SO_SEARCH_LIMIT,
kuery,
});

if (fleetServerAgents.agents.length === 0) {
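Review bot: Each policy id is wrapped in double quotes and spliced into the KQL string in the `.map(...)` step without escaping, so an id containing `"` would produce a malformed or differently scoped filter in a check that decides whether secrets storage is enabled. `policyIds` is populated outside this hunk, so whether ids can carry such characters is not visible here; if agent policy ids can be caller-supplied, escape them before quoting, for example ``.map((id) => `"${escapeQuotes(id)}"`)`` with `escapeQuotes` from `@kbn/es-query`. The `policyIds.size === 0` early return fails closed, which is the right default, and would benefit from a one-line comment saying so, e.g. `// no policies to filter on: treat as "no Fleet Server meets the minimum version"`. The function body starts and ends outside the hunk.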
5 changes: 5 additions & 0 deletions x-pack/test/fleet_api_integration/apis/policy_secrets.ts
Expand Up @@ -847,6 +847,8 @@ export default function (providerContext: FtrProviderContext) {
it('should not store secrets if fleet server does not meet minimum version', async () => {
const { fleetServerAgentPolicy } = await createFleetServerAgentPolicy();
await createFleetServerAgent(fleetServerAgentPolicy.id, 'server_1', '7.0.0');
const { fleetServerAgentPolicy: fleetServerPolicy2 } = await createFleetServerAgentPolicy(); // extra policy to verify `or` condition
await createFleetServerAgent(fleetServerPolicy2.id, 'server_1', '8.12.0');

await callFleetSetup();

Expand All @@ -865,7 +867,10 @@ export default function (providerContext: FtrProviderContext) {
});

it('should not store secrets if there are no fleet servers', async () => {
await createFleetServerAgentPolicy();
const agentPolicy = await createAgentPolicy();
// agent with new version shouldn't make storage secrets enabled
await createFleetServerAgent(agentPolicy.id, 'server_2', '8.12.0');
const packagePolicyWithSecrets = await createPackagePolicyWithSecrets(agentPolicy.id);

// secret should be in plain text i.e not a secret refrerence
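Review bot: In 'should not store secrets if there are no fleet servers', the regression case depends on `createFleetServerAgent(agentPolicy.id, 'server_2', '8.12.0')` enrolling an agent on a regular policy, but the helper's name suggests the opposite, so the comment above it should say this outright, e.g. `// non-Fleet-Server agent on 8.12.0 under a regular policy: the policy_id filter must exclude it, so secrets stay disabled`. In the earlier test both agents are created with `'server_1'`; the helper is defined outside these hunks, so if that argument serves as an identifier rather than a label, the second call could replace the 7.0.0 agent, and a distinct value such as `'server_2'` would remove the doubt. Both test bodies continue outside the hunks.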
