[7.11] [Fleet] Add updateFleetRoleIfExists() in order to update `fl…

…eet_enroll` permissions if role already exists (elastic#88000) (elastic#89063) * [Fleet] Add `updateFleetRoleIfExists()` in order to update `fleet_enroll` permissions if role already exists (elastic#88000) Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> # Conflicts: # x-pack/plugins/fleet/server/services/setup.ts * correct license Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
brokensound77 · Feb 17, 2021 · b8908af · b8908af
1 parent 6a3bef6
commit b8908af
Show file tree

Hide file tree

Showing 3 changed files with 158 additions and 8 deletions.
diff --git a/x-pack/plugins/fleet/server/services/setup.ts b/x-pack/plugins/fleet/server/services/setup.ts
@@ -58,6 +58,7 @@ async function createSetupSideEffects(
     ensureInstalledDefaultPackages(soClient, callCluster),
     outputService.ensureDefaultOutput(soClient),
     agentPolicyService.ensureDefaultAgentPolicy(soClient),
+    updateFleetRoleIfExists(callCluster),
     settingsService.getSettings(soClient).catch((e: any) => {
       if (e.isBoom && e.output.statusCode === 404) {
         const defaultSettings = createDefaultSettings();
@@ -124,14 +125,25 @@ async function createSetupSideEffects(
   return { isIntialized: true };
 }
 
-export async function setupFleet(
-  soClient: SavedObjectsClientContract,
-  callCluster: CallESAsCurrentUser,
-  options?: { forceRecreate?: boolean }
-) {
-  // Create fleet_enroll role
-  // This should be done directly in ES at some point
-  const res = await callCluster('transport.request', {
+async function updateFleetRoleIfExists(callCluster: CallESAsCurrentUser) {
+  try {
+    await callCluster('transport.request', {
+      method: 'GET',
+      path: `/_security/role/${FLEET_ENROLL_ROLE}`,
+    });
+  } catch (e) {
+    if (e.status === 404) {
+      return;
+    }
+
+    throw e;
+  }
+
+  return putFleetRole(callCluster);
+}
+
+async function putFleetRole(callCluster: CallESAsCurrentUser) {
+  return callCluster('transport.request', {
     method: 'PUT',
     path: `/_security/role/${FLEET_ENROLL_ROLE}`,
     body: {
@@ -153,6 +165,17 @@ export async function setupFleet(
       ],
     },
   });
+}
+
+export async function setupFleet(
+  soClient: SavedObjectsClientContract,
+  callCluster: CallESAsCurrentUser,
+  options?: { forceRecreate?: boolean }
+) {
+  // Create fleet_enroll role
+  // This should be done directly in ES at some point
+  const res = await putFleetRole(callCluster);
+
   // If the role is already created skip the rest unless you have forceRecreate set to true
   if (options?.forceRecreate !== true && res.role.created === false) {
     return;

diff --git a/x-pack/test/fleet_api_integration/apis/fleet_setup.ts b/x-pack/test/fleet_api_integration/apis/fleet_setup.ts
@@ -0,0 +1,125 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { FtrProviderContext } from '../../api_integration/ftr_provider_context';
+import { skipIfNoDockerRegistry } from '../helpers';
+
+export default function (providerContext: FtrProviderContext) {
+  const { getService } = providerContext;
+  const supertest = getService('supertest');
+  const es = getService('es');
+
+  describe('fleet_setup', () => {
+    skipIfNoDockerRegistry(providerContext);
+    beforeEach(async () => {
+      try {
+        await es.security.deleteUser({
+          username: 'fleet_enroll',
+        });
+      } catch (e) {
+        if (e.meta?.statusCode !== 404) {
+          throw e;
+        }
+      }
+      try {
+        await es.security.deleteRole({
+          name: 'fleet_enroll',
+        });
+      } catch (e) {
+        if (e.meta?.statusCode !== 404) {
+          throw e;
+        }
+      }
+    });
+
+    it('should not create a fleet_enroll role if one does not already exist', async () => {
+      const { body: apiResponse } = await supertest
+        .post(`/api/fleet/setup`)
+        .set('kbn-xsrf', 'xxxx')
+        .expect(200);
+
+      expect(apiResponse.isInitialized).to.be(true);
+
+      try {
+        await es.security.getUser({
+          username: 'fleet_enroll',
+        });
+      } catch (e) {
+        expect(e.meta?.statusCode).to.eql(404);
+      }
+    });
+
+    it('should update the fleet_enroll role with new index permissions if one does already exist', async () => {
+      try {
+        await es.security.putRole({
+          name: 'fleet_enroll',
+          body: {
+            cluster: ['monitor', 'manage_api_key'],
+            indices: [
+              {
+                names: [
+                  'logs-*',
+                  'metrics-*',
+                  'traces-*',
+                  '.ds-logs-*',
+                  '.ds-metrics-*',
+                  '.ds-traces-*',
+                ],
+                privileges: ['write', 'create_index', 'indices:admin/auto_create'],
+                allow_restricted_indices: false,
+              },
+            ],
+            applications: [],
+            run_as: [],
+            metadata: {},
+            transient_metadata: { enabled: true },
+          },
+        });
+      } catch (e) {
+        if (e.meta?.statusCode !== 404) {
+          throw e;
+        }
+      }
+
+      const { body: apiResponse } = await supertest
+        .post(`/api/fleet/setup`)
+        .set('kbn-xsrf', 'xxxx')
+        .expect(200);
+
+      expect(apiResponse.isInitialized).to.be(true);
+
+      const { body: roleResponse } = await es.security.getRole({
+        name: 'fleet_enroll',
+      });
+      expect(roleResponse).to.have.key('fleet_enroll');
+      expect(roleResponse.fleet_enroll).to.eql({
+        cluster: ['monitor', 'manage_api_key'],
+        indices: [
+          {
+            names: [
+              'logs-*',
+              'metrics-*',
+              'traces-*',
+              '.ds-logs-*',
+              '.ds-metrics-*',
+              '.ds-traces-*',
+              '.logs-endpoint.diagnostic.collection-*',
+              '.ds-.logs-endpoint.diagnostic.collection-*',
+            ],
+            privileges: ['write', 'create_index', 'indices:admin/auto_create'],
+            allow_restricted_indices: false,
+          },
+        ],
+        applications: [],
+        run_as: [],
+        metadata: {},
+        transient_metadata: { enabled: true },
+      });
+    });
+  });
+}
diff --git a/x-pack/test/fleet_api_integration/apis/index.js b/x-pack/test/fleet_api_integration/apis/index.js
@@ -8,6 +8,8 @@
 export default function ({ loadTestFile }) {
   describe('Fleet Endpoints', function () {
     this.tags('ciGroup10');
+    // Fleet setup
+    loadTestFile(require.resolve('./fleet_setup'));
     // Agent setup
     loadTestFile(require.resolve('./agents_setup'));