-
Notifications
You must be signed in to change notification settings - Fork 8.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FLEET][SECURITY_SOLUTION] Fix .fleet-artifacs index property names and add endpoint package policy migrations #94977
Merged
paul-tavares
merged 10 commits into
elastic:master
from
paul-tavares:task/olm-90513-7_13-policy-migration
Mar 22, 2021
Merged
Changes from all commits
Commits
Show all changes
10 commits
Select commit
Hold shift + click to select a range
2079376
migration code + empty test file for now
paul-tavares 3f9dd4c
Fix ``.fleet-artifacts` property name to be snake_cased
paul-tavares bf2678b
endpoint v7.13 migration tests
paul-tavares 7ae8f77
Add 7.13 migrations to SO type definition
paul-tavares 15edc62
Adjust client and endpoint sub-class to use proper kql
paul-tavares c2367d1
Merge remote-tracking branch 'upstream/master' into task/olm-90513-7_…
paul-tavares 3bb3d6e
merge import statements + rework `esSearchHitToArtifact`
paul-tavares bf8fe42
Fix tests
paul-tavares 2498b3e
fix esArchives for `.fleet-artifacts`
paul-tavares 382ebf9
Merge remote-tracking branch 'upstream/master' into task/olm-90513-7_…
paul-tavares File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
145 changes: 145 additions & 0 deletions
145
x-pack/plugins/fleet/server/saved_objects/migrations/security_solution/to_v7_13_0.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,145 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import type { SavedObjectUnsanitizedDoc } from 'kibana/server'; | ||
import { cloneDeepWith, cloneDeep } from 'lodash'; | ||
|
||
import type { PackagePolicy } from '../../../../common'; | ||
|
||
import { migrationMocks } from '../../../../../../../src/core/server/mocks'; | ||
|
||
import { migrateEndpointPackagePolicyToV7130 } from './to_v7_13_0'; | ||
|
||
describe('7.13.0 Endpoint Package Policy migration', () => { | ||
const createOldPackagePolicySO = (): SavedObjectUnsanitizedDoc<PackagePolicy> => { | ||
return { | ||
id: 'mock-saved-object-id', | ||
attributes: { | ||
name: 'Some Policy Name', | ||
package: { | ||
name: 'endpoint', | ||
title: '', | ||
version: '', | ||
}, | ||
id: 'mock-saved-object-id', | ||
policy_id: '', | ||
enabled: true, | ||
namespace: '', | ||
output_id: '', | ||
revision: 0, | ||
updated_at: '', | ||
updated_by: '', | ||
created_at: '', | ||
created_by: '', | ||
inputs: [ | ||
{ | ||
type: 'endpoint', | ||
enabled: true, | ||
streams: [], | ||
config: { | ||
artifact_manifest: { | ||
value: { | ||
manifest_version: '1.0.0', | ||
schema_version: 'v1', | ||
artifacts: { | ||
'endpoint-exceptionlist-macos-v1': { | ||
encryption_algorithm: 'none', | ||
decoded_sha256: | ||
'd801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', | ||
decoded_size: 14, | ||
encoded_sha256: | ||
'f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda', | ||
encoded_size: 22, | ||
relative_url: | ||
'/api/endpoint/artifacts/download/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', | ||
compression_algorithm: 'zlib', | ||
}, | ||
'endpoint-exceptionlist-windows-v1': { | ||
encryption_algorithm: 'none', | ||
decoded_sha256: | ||
'd801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', | ||
decoded_size: 14, | ||
encoded_sha256: | ||
'f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda', | ||
encoded_size: 22, | ||
relative_url: | ||
'/api/endpoint/artifacts/download/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', | ||
compression_algorithm: 'zlib', | ||
}, | ||
'endpoint-trustlist-macos-v1': { | ||
encryption_algorithm: 'none', | ||
decoded_sha256: | ||
'd801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', | ||
decoded_size: 14, | ||
encoded_sha256: | ||
'f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda', | ||
encoded_size: 22, | ||
relative_url: | ||
'/api/endpoint/artifacts/download/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', | ||
compression_algorithm: 'zlib', | ||
}, | ||
'endpoint-trustlist-windows-v1': { | ||
encryption_algorithm: 'none', | ||
decoded_sha256: | ||
'd801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', | ||
decoded_size: 14, | ||
encoded_sha256: | ||
'f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda', | ||
encoded_size: 22, | ||
relative_url: | ||
'/api/endpoint/artifacts/download/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', | ||
compression_algorithm: 'zlib', | ||
}, | ||
'endpoint-trustlist-linux-v1': { | ||
encryption_algorithm: 'none', | ||
decoded_sha256: | ||
'd801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', | ||
decoded_size: 14, | ||
encoded_sha256: | ||
'f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda', | ||
encoded_size: 22, | ||
relative_url: | ||
'/api/endpoint/artifacts/download/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', | ||
compression_algorithm: 'zlib', | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
], | ||
}, | ||
type: ' nested', | ||
}; | ||
}; | ||
const createNewPackagePolicySO = (): SavedObjectUnsanitizedDoc<PackagePolicy> => { | ||
return cloneDeepWith(createOldPackagePolicySO(), (value, key) => { | ||
if (key === 'relative_url') { | ||
return value.replace('/api/endpoint/artifacts/download/', '/api/fleet/artifacts/'); | ||
} | ||
}); | ||
}; | ||
|
||
const migrationContext = migrationMocks.createContext(); | ||
|
||
it('should adjust the relative url for all artifact manifests', () => { | ||
expect( | ||
migrateEndpointPackagePolicyToV7130(createOldPackagePolicySO(), migrationContext) | ||
).toEqual(createNewPackagePolicySO()); | ||
}); | ||
|
||
it('should NOT touch non-endpoint package policies', () => { | ||
const packagePolicySo = createOldPackagePolicySO(); | ||
packagePolicySo.attributes.package!.name = 'not endpoint'; | ||
|
||
const unchangedPackagePolicySo = cloneDeep(packagePolicySo); | ||
|
||
expect(migrateEndpointPackagePolicyToV7130(packagePolicySo, migrationContext)).toEqual( | ||
unchangedPackagePolicySo | ||
); | ||
}); | ||
}); |
39 changes: 39 additions & 0 deletions
39
x-pack/plugins/fleet/server/saved_objects/migrations/security_solution/to_v7_13_0.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import type { SavedObjectMigrationFn } from 'kibana/server'; | ||
|
||
import type { PackagePolicy } from '../../../../common'; | ||
import { relativeDownloadUrlFromArtifact } from '../../../services/artifacts/mappings'; | ||
import type { ArtifactElasticsearchProperties } from '../../../services'; | ||
|
||
type ArtifactManifestList = Record< | ||
string, | ||
Pick<ArtifactElasticsearchProperties, 'identifier' | 'decoded_sha256' | 'relative_url'> | ||
>; | ||
|
||
export const migrateEndpointPackagePolicyToV7130: SavedObjectMigrationFn< | ||
PackagePolicy, | ||
PackagePolicy | ||
> = (packagePolicyDoc) => { | ||
if (packagePolicyDoc.attributes.package?.name === 'endpoint') { | ||
// Adjust all artifact URLs so that they point at fleet-server | ||
const artifactList: ArtifactManifestList = | ||
packagePolicyDoc.attributes?.inputs[0]?.config?.artifact_manifest.value.artifacts; | ||
|
||
if (artifactList) { | ||
for (const [identifier, artifactManifest] of Object.entries(artifactList)) { | ||
artifactManifest.relative_url = relativeDownloadUrlFromArtifact({ | ||
identifier, | ||
decodedSha256: artifactManifest.decoded_sha256, | ||
}); | ||
} | ||
} | ||
} | ||
|
||
return packagePolicyDoc; | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jfsiii , @nchaulet for now, I just turned this off below. This needs to run only when fleet-server is in the picture. Should I bring back the
xpack.fleet.agents.fleetServerEnabled
flag?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the only place in which needs to fork based on that? Are there other options for detecting/inferring Fleet Server?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am okay to bring back the flag dependings on the timing of Fleet server for 7.13 we may have to hide some UI too, so as a temporary workaround it's probably our best solution
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jfsiii I don't know the answers there.
For endpoint, I think this is the only branching we need in fleet - we already have security_solution specific flag in our code to handle one other branch.
@nchaulet thanks. I will add back in with another PR. I want this one to merge since it corrects the index property definition.