From a57160f640e76a53bc39aeccd2ddc77fa51c62ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20Fern=C3=A1ndez=20G=C3=B3mez?=
Date: Thu, 1 Apr 2021 17:32:27 +0200
Subject: [PATCH] Expose tight permissions in the agent policy

---
 .../fleet/common/types/models/agent_policy.ts | 9 +---
 .../fleet/server/services/agent_policy.ts | 53 ++++++++++++++-----
 2 files changed, 43 insertions(+), 19 deletions(-)

diff --git a/x-pack/plugins/fleet/common/types/models/agent_policy.ts b/x-pack/plugins/fleet/common/types/models/agent_policy.ts
index 439d00695a7376..d6516014ef3665 100644
--- a/x-pack/plugins/fleet/common/types/models/agent_policy.ts
+++ b/x-pack/plugins/fleet/common/types/models/agent_policy.ts
@@ -10,6 +10,7 @@ import type { DataType, ValueOf } from '../../types';
 
 import type { PackagePolicy, PackagePolicyPackage } from './package_policy';
 import type { Output } from './output';
+import type { PackagePermissions } from './epm';
 
 export type AgentPolicyStatus = typeof agentPolicyStatuses;
 
@@ -61,13 +62,7 @@ export interface FullAgentPolicyInput {
 }
 
 export interface FullAgentPolicyOutputPermissions {
-  [role: string]: {
-    cluster: string[];
-    indices: Array<{
-      names: string[];
-      privileges: string[];
-    }>;
-  };
+  [role: string]: PackagePermissions;
 }
 
 export interface FullAgentPolicy {
diff --git a/x-pack/plugins/fleet/server/services/agent_policy.ts b/x-pack/plugins/fleet/server/services/agent_policy.ts
index fa71a67025e3ee..7daf10382d126d 100644
--- a/x-pack/plugins/fleet/server/services/agent_policy.ts
+++ b/x-pack/plugins/fleet/server/services/agent_policy.ts
@@ -38,6 +38,7 @@ import {
   AGENT_POLICY_INDEX,
   DEFAULT_FLEET_SERVER_AGENT_POLICY,
 } from '../../common';
+import type { PackagePermissions } from '../../common';
 import type {
   DeleteAgentPolicyResponse,
   Settings,
@@ -61,9 +62,20 @@ import { getSettings } from './settings';
 import { normalizeKuery, escapeSearchQueryPhrase } from './saved_object';
 import { isAgentsSetup } from './agents/setup';
 import { appContextService } from './app_context';
+import { getPackagePermissions } from './epm/packages/get';
 
 const SAVED_OBJECT_TYPE = AGENT_POLICY_SAVED_OBJECT_TYPE;
 
+const DEFAULT_PERMISSIONS: PackagePermissions = {
+  cluster: ['monitor'],
+  indices: [
+    {
+      names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'],
+      privileges: ['auto_configure', 'create_doc'],
+    },
+  ],
+};
+
 class AgentPolicyService {
   private triggerAgentPolicyUpdatedEvent = async (
     soClient: SavedObjectsClientContract,
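Review bot: `DEFAULT_PERMISSIONS` is a plain mutable module-level object that the later hunk hands out by reference as the `_fallback` role of every agent policy, so any consumer that edits a policy's `output_permissions` in place would change the default seen by every subsequent policy. Freezing it (shallowly) at the declaration, `const DEFAULT_PERMISSIONS: PackagePermissions = Object.freeze({ ... })` — assuming `PackagePermissions` is an ordinary object type, which is not visible here — or cloning it at the point of use would remove that hazard. The constant also deserves a comment saying what it is, since it is the broad grant the rest of this commit is trying to move away from: `// Legacy broad grant (create_doc on logs-*, metrics-*, traces-*); used only when a package's own permissions cannot be resolved.`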
@@ -737,24 +749,41 @@ class AgentPolicyService {
       }),
     };
 
+    const permissions = Object.fromEntries(
+      await Promise.all(
+        // Original type is `string[] | PackagePolicy[]`, but TS doesn't allow to `map()` over that.
+        (agentPolicy.package_policies as Array).map(
+          async (packagePolicy): Promise<[string, PackagePermissions]> => {
+            if (typeof packagePolicy === 'string' || !packagePolicy.package) {
+              return ['_fallback', DEFAULT_PERMISSIONS];
+            }
+
+            const { name, version } = packagePolicy.package;
+
+            const packagePermissions = await getPackagePermissions(
+              soClient,
+              name,
+              version,
+              packagePolicy.namespace
+            );
+
+            return packagePermissions
+              ? [packagePolicy.name, packagePermissions]
+              : ['_fallback', DEFAULT_PERMISSIONS];
+          }
+        )
+      )
+    );
+
     // Only add permissions if output.type is "elasticsearch"
     fullAgentPolicy.output_permissions = Object.keys(fullAgentPolicy.outputs).reduce<
       NonNullable
-    >((permissions, outputName) => {
+    >((p, outputName) => {
       const output = fullAgentPolicy.outputs[outputName];
       if (output && output.type === 'elasticsearch') {
-        permissions[outputName] = {};
-        permissions[outputName]._fallback = {
-          cluster: ['monitor'],
-          indices: [
-            {
-              names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'],
-              privileges: ['auto_configure', 'create_doc'],
-            },
-          ],
-        };
+        p[outputName] = permissions;
       }
-      return permissions;
+      return p;
     }, {});
 
     // only add settings if not in standalone
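Review bot: A package whose permissions cannot be resolved is silently widened: when `getPackagePermissions` returns nothing, or the package policy is an unpopulated string or has no `package`, the map callback emits `['_fallback', DEFAULT_PERMISSIONS]`, granting `create_doc` on `logs-*`, `metrics-*` and `traces-*` with no log line, which undercuts the tightening this commit is after. I would at least emit a warning through the service logger naming the package policy before returning the fallback, and state the decision inline: `// No manifest-derived permissions for this package: fall back to the legacy broad grant (logged so the downgrade is visible).` Two further things to confirm: `Object.fromEntries` keeps only the last entry for a repeated key, so two package policies sharing a `name` would drop one set of permissions if names are not guaranteed unique within an agent policy; and `p[outputName] = permissions` now assigns the same object to every elasticsearch output, whereas the removed code built a fresh object per output. The enclosing method starts and ends outside the hunk.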