Expose tight permissions in the agent policy

elastic · Apr 1, 2021 · a57160f · a57160f
1 parent 8b90529
commit a57160f
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 19 deletions.
diff --git a/x-pack/plugins/fleet/common/types/models/agent_policy.ts b/x-pack/plugins/fleet/common/types/models/agent_policy.ts
@@ -10,6 +10,7 @@ import type { DataType, ValueOf } from '../../types';
 
 import type { PackagePolicy, PackagePolicyPackage } from './package_policy';
 import type { Output } from './output';
+import type { PackagePermissions } from './epm';
 
 export type AgentPolicyStatus = typeof agentPolicyStatuses;
 
@@ -61,13 +62,7 @@ export interface FullAgentPolicyInput {
 }
 
 export interface FullAgentPolicyOutputPermissions {
-  [role: string]: {
-    cluster: string[];
-    indices: Array<{
-      names: string[];
-      privileges: string[];
-    }>;
-  };
+  [role: string]: PackagePermissions;
 }
 
 export interface FullAgentPolicy {

diff --git a/x-pack/plugins/fleet/server/services/agent_policy.ts b/x-pack/plugins/fleet/server/services/agent_policy.ts
@@ -38,6 +38,7 @@ import {
   AGENT_POLICY_INDEX,
   DEFAULT_FLEET_SERVER_AGENT_POLICY,
 } from '../../common';
+import type { PackagePermissions } from '../../common';
 import type {
   DeleteAgentPolicyResponse,
   Settings,
@@ -61,9 +62,20 @@ import { getSettings } from './settings';
 import { normalizeKuery, escapeSearchQueryPhrase } from './saved_object';
 import { isAgentsSetup } from './agents/setup';
 import { appContextService } from './app_context';
+import { getPackagePermissions } from './epm/packages/get';
 
 const SAVED_OBJECT_TYPE = AGENT_POLICY_SAVED_OBJECT_TYPE;
 
+const DEFAULT_PERMISSIONS: PackagePermissions = {
+  cluster: ['monitor'],
+  indices: [
+    {
+      names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'],
+      privileges: ['auto_configure', 'create_doc'],
+    },
+  ],
+};
+
 class AgentPolicyService {
   private triggerAgentPolicyUpdatedEvent = async (
     soClient: SavedObjectsClientContract,
@@ -737,24 +749,41 @@ class AgentPolicyService {
           }),
     };
 
+    const permissions = Object.fromEntries(
+      await Promise.all(
+        // Original type is `string[] | PackagePolicy[]`, but TS doesn't allow to `map()` over that.
+        (agentPolicy.package_policies as Array<string | PackagePolicy>).map(
+          async (packagePolicy): Promise<[string, PackagePermissions]> => {
+            if (typeof packagePolicy === 'string' || !packagePolicy.package) {
+              return ['_fallback', DEFAULT_PERMISSIONS];
+            }
+
+            const { name, version } = packagePolicy.package;
+
+            const packagePermissions = await getPackagePermissions(
+              soClient,
+              name,
+              version,
+              packagePolicy.namespace
+            );
+
+            return packagePermissions
+              ? [packagePolicy.name, packagePermissions]
+              : ['_fallback', DEFAULT_PERMISSIONS];
+          }
+        )
+      )
+    );
+
     // Only add permissions if output.type is "elasticsearch"
     fullAgentPolicy.output_permissions = Object.keys(fullAgentPolicy.outputs).reduce<
       NonNullable<FullAgentPolicy['output_permissions']>
-    >((permissions, outputName) => {
+    >((p, outputName) => {
       const output = fullAgentPolicy.outputs[outputName];
       if (output && output.type === 'elasticsearch') {
-        permissions[outputName] = {};
-        permissions[outputName]._fallback = {
-          cluster: ['monitor'],
-          indices: [
-            {
-              names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'],
-              privileges: ['auto_configure', 'create_doc'],
-            },
-          ],
-        };
+        p[outputName] = permissions;
       }
-      return permissions;
+      return p;
     }, {});
 
     // only add settings if not in standalone