Skip to content

Commit

Permalink
[windows][cws] remove conditional inclusion of cws (#24998)
Browse files Browse the repository at this point in the history
* [windows][cws] remove conditional inclusion of cws

CWS is now always included in the installer, so we can remove the conditional.

* Remove more unneeded checks

* missed a spot
  • Loading branch information
derekwbrown authored Apr 24, 2024
1 parent fac6122 commit 1497b89
Show file tree
Hide file tree
Showing 8 changed files with 78 additions and 140 deletions.
1 change: 0 additions & 1 deletion test/kitchen/test-definitions/upgrade6-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,5 @@ suites:
dd-agent-upgrade-rspec:
# Used by the rspec test to know the version to which the agent should be upgraded
agent_expected_version: &agent_expected_version <%= ENV['DD_AGENT_EXPECTED_VERSION'] || "5.99.0" %>
cws_included: &cws_included <%= ENV['WINDOWS_DDPROCMON_DRIVER'] || false %>
dd-agent-rspec:
skip_windows_signing_test: &skip_windows_signing_test <%= ENV['SKIP_SIGNATURE_TEST'] || false %>
1 change: 0 additions & 1 deletion test/kitchen/test-definitions/upgrade7-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,5 @@ suites:
dd-agent-upgrade-rspec:
# Used by the rspec test to know the version to which the agent should be upgraded
agent_expected_version: &agent_expected_version <%= ENV['DD_AGENT_EXPECTED_VERSION'] || "5.99.0" %>
cws_included: &cws_included <%= ENV['WINDOWS_DDPROCMON_DRIVER'] || false %>
dd-agent-rspec:
skip_windows_signing_test: &skip_windows_signing_test <%= ENV['SKIP_SIGNATURE_TEST'] || false %>
1 change: 0 additions & 1 deletion test/kitchen/test-definitions/windows-cwsinstall.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,4 +28,3 @@ suites:
dd-agent-rspec:
agent_flavor: <%= ENV['AGENT_FLAVOR'] || "datadog-agent" %>
skip_windows_signing_test: &skip_windows_signing_test <%= ENV['SKIP_SIGNATURE_TEST'] || false %>
cws_included: &cws_included <%= ENV['WINDOWS_DDPROCMON_DRIVER'] || false %>
11 changes: 0 additions & 11 deletions test/kitchen/test/integration/common/rspec_datadog/spec_helper.rb
Original file line number Diff line number Diff line change
Expand Up @@ -370,17 +370,6 @@ def dogstatsd_processes_running?
false
end

def expect_windows_cws?
if os == :windows && get_agent_flavor == 'datadog-agent'
cws = parse_dna().fetch('dd-agent-rspec').fetch('cws_included')
if cws == "testsigned" || cws == "release-signed" || cws == "attestation-signed"
return true
end
end
return false

end

def deploy_cws?
os != :windows &&
get_agent_flavor == 'datadog-agent' &&
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,8 @@


shared_examples_for 'a Windows Agent with CWS driver disabled' do
if expect_windows_cws?
it 'has the service disabled' do
expect(is_windows_service_disabled("ddprocmon")).to be_truthy
end
it 'has the service disabled' do
expect(is_windows_service_disabled("ddprocmon")).to be_truthy
end
end

Expand All @@ -15,80 +13,61 @@
expect(is_windows_service_installed("datadog-system-probe")).to be_truthy
end

if expect_windows_cws?
it 'has required services installed' do
expect(is_windows_service_installed("datadog-security-agent")).to be_truthy
expect(is_windows_service_installed("ddprocmon")).to be_truthy
end
it 'has driver files' do
program_files = safe_program_files
expect(File).to exist("#{program_files}\\DataDog\\Datadog Agent\\bin\\agent\\driver\\ddprocmon.cat")
expect(File).to exist("#{program_files}\\DataDog\\Datadog Agent\\bin\\agent\\driver\\ddprocmon.sys")
expect(File).to exist("#{program_files}\\DataDog\\Datadog Agent\\bin\\agent\\driver\\ddprocmon.inf")
end
it 'has required services installed' do
expect(is_windows_service_installed("datadog-security-agent")).to be_truthy
expect(is_windows_service_installed("ddprocmon")).to be_truthy
end
it 'has driver files' do
program_files = safe_program_files
expect(File).to exist("#{program_files}\\DataDog\\Datadog Agent\\bin\\agent\\driver\\ddprocmon.cat")
expect(File).to exist("#{program_files}\\DataDog\\Datadog Agent\\bin\\agent\\driver\\ddprocmon.sys")
expect(File).to exist("#{program_files}\\DataDog\\Datadog Agent\\bin\\agent\\driver\\ddprocmon.inf")
end

it 'does not have the driver running on install' do
## verify that the driver is not started yet
expect(is_service_running?("ddprocmon")).to be_falsey
end
else
## if windows CWS is not expected, do the reverse check (that services aren't installed, files
## not present, etc.) Once CWS is released, remove this part of the test.
it 'does not have cws services installed' do
expect(is_windows_service_installed("datadog-security-agent")).to be_falsey
expect(is_windows_service_installed("ddprocmon")).to be_falsey
end
it 'does not have driver files' do
program_files = safe_program_files
expect(File).not_to exist("#{program_files}\\DataDog\\Datadog Agent\\bin\\agent\\driver\\ddprocmon.cat")
expect(File).not_to exist("#{program_files}\\DataDog\\Datadog Agent\\bin\\agent\\driver\\ddprocmon.sys")
expect(File).not_to exist("#{program_files}\\DataDog\\Datadog Agent\\bin\\agent\\driver\\ddprocmon.inf")
end
it 'does not have the driver running on install' do
## verify that the driver is not started yet
expect(is_service_running?("ddprocmon")).to be_falsey
end



end

shared_examples_for 'a Windows Agent with CWS running' do
if expect_windows_cws?
it 'has cws services not started by default' do
expect(is_service_running?("datadog-system-probe")).to be_falsey
expect(is_service_running?("datadog-security-agent")).to be_falsey
end
it 'has cws services not started by default' do
expect(is_service_running?("datadog-system-probe")).to be_falsey
expect(is_service_running?("datadog-security-agent")).to be_falsey
end

it 'has default config files' do
expect(File).to exist(get_conf_file("system-probe.yaml"))
expect(File).to exist(get_conf_file("security-agent.yaml"))
end
it 'can start security agent' do
it 'has default config files' do
expect(File).to exist(get_conf_file("system-probe.yaml"))
expect(File).to exist(get_conf_file("security-agent.yaml"))
end
it 'can start security agent' do

enable_cws(get_conf_file("system-probe.yaml"), true)
enable_cws(get_conf_file("security-agent.yaml"), true)
enable_cws(get_conf_file("system-probe.yaml"), true)
enable_cws(get_conf_file("security-agent.yaml"), true)

stop "datadog-agent"
start "datadog-agent"
sleep 30
expect(is_service_running?("datadogagent")).to be_truthy
expect(is_service_running?("datadog-system-probe")).to be_truthy
expect(is_service_running?("datadog-security-agent")).to be_truthy
end
it 'can gracefully shut down security agent' do
stop "datadog-agent"
## these tests return false for any state other than running. So "shutting down"
## will erroneously pass here
expect(is_service_running?("datadogagent")).to be_falsey
expect(is_service_running?("datadog-system-probe")).to be_falsey
expect(is_service_running?("datadog-security-agent")).to be_falsey
stop "datadog-agent"

start "datadog-agent"
sleep 30
expect(is_service_running?("datadogagent")).to be_truthy
expect(is_service_running?("datadog-system-probe")).to be_truthy
expect(is_service_running?("datadog-security-agent")).to be_truthy
end
it 'can gracefully shut down security agent' do
stop "datadog-agent"

## these tests return false for any state other than running. So "shutting down"
## will erroneously pass here
expect(is_service_running?("datadogagent")).to be_falsey
expect(is_service_running?("datadog-system-probe")).to be_falsey
expect(is_service_running?("datadog-security-agent")).to be_falsey

## so also check that the process is actually gone
expect(security_agent_running?).to be_falsey
expect(system_probe_running?).to be_falsey
## so also check that the process is actually gone
expect(security_agent_running?).to be_falsey
expect(system_probe_running?).to be_falsey

end
end ## endif expect CWS, no tests at all if not expected.
end
end


Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -193,11 +193,7 @@ private void ConfigureServiceUsers(string ddAgentUserName, SecurityIdentifier dd
_serviceController.SetCredentials(Constants.SystemProbeServiceName, "LocalSystem", "");
_serviceController.SetCredentials(Constants.ProcessAgentServiceName, "LocalSystem", "");

var installCWS = _session.Property("INSTALL_CWS");
if (!string.IsNullOrEmpty(installCWS))
{
_serviceController.SetCredentials(Constants.SecurityAgentServiceName, ddAgentUserName, ddAgentUserPassword);
}
_serviceController.SetCredentials(Constants.SecurityAgentServiceName, ddAgentUserName, ddAgentUserPassword);
}

private void UpdateAndLogAccessControl(string serviceName, CommonSecurityDescriptor securityDescriptor)
Expand Down Expand Up @@ -229,10 +225,7 @@ private void ConfigureServicePermissions(SecurityIdentifier ddAgentUserSID)
Constants.AgentServiceName,
};

if (!string.IsNullOrEmpty(_session.Property("INSTALL_CWS")))
{
services.Add(Constants.SecurityAgentServiceName);
}
services.Add(Constants.SecurityAgentServiceName);

foreach (var serviceName in services)
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -429,8 +429,7 @@ public AgentCustomActions()
Impersonate = false
}
.SetProperties("DDAGENTUSER_PROCESSED_PASSWORD=[DDAGENTUSER_PROCESSED_PASSWORD], " +
"DDAGENTUSER_PROCESSED_FQ_NAME=[DDAGENTUSER_PROCESSED_FQ_NAME], " +
"INSTALL_CWS=[INSTALL_CWS]")
"DDAGENTUSER_PROCESSED_FQ_NAME=[DDAGENTUSER_PROCESSED_FQ_NAME], ")
.HideTarget(true);

ConfigureServicesRollback = new CustomAction<ServiceCustomAction>(
Expand All @@ -445,8 +444,7 @@ public AgentCustomActions()
Execute = Execute.rollback,
Impersonate = false
}
.SetProperties("DDAGENTUSER_PROCESSED_FQ_NAME=[DDAGENTUSER_PROCESSED_FQ_NAME], " +
"INSTALL_CWS=[INSTALL_CWS]")
.SetProperties("DDAGENTUSER_PROCESSED_FQ_NAME=[DDAGENTUSER_PROCESSED_FQ_NAME], ")
.HideTarget(true);

// WiX built-in StopServices only stops services if the component is changing.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -129,13 +129,6 @@ public Project ConfigureProject()
}
);

// Conditionally include the PROCMON MSM while it is in active development to make it easier
// to build/ship without it.
if (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("WINDOWS_DDPROCMON_DRIVER")))
{
project.AddProperty(new Property("INSTALL_CWS", "1"));
}

// Always generate a new GUID otherwise WixSharp will generate one based on
// the version
project.ProductId = Guid.NewGuid();
Expand Down Expand Up @@ -296,20 +289,15 @@ public Project ConfigureProject()
.First(x => x.HasAttribute("Id", value => value == "MainApplication"))
.AddElement("MergeRef", "Id=ddapminstall");
}
// Conditionally include the PROCMON MSM while it is in active development to make it easier
// to build/ship without it.
if (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("WINDOWS_DDPROCMON_DRIVER")))
{
document
.FindAll("Directory")
.First(x => x.HasAttribute("Id", value => value == "AGENT"))
.AddElement("Merge",
$"Id=ddprocmoninstall; SourceFile={BinSource}\\agent\\ddprocmon.msm; DiskId=1; Language=1033");
document
.FindAll("Feature")
.First(x => x.HasAttribute("Id", value => value == "MainApplication"))
.AddElement("MergeRef", "Id=ddprocmoninstall");
}
document
.FindAll("Directory")
.First(x => x.HasAttribute("Id", value => value == "AGENT"))
.AddElement("Merge",
$"Id=ddprocmoninstall; SourceFile={BinSource}\\agent\\ddprocmon.msm; DiskId=1; Language=1033");
document
.FindAll("Feature")
.First(x => x.HasAttribute("Id", value => value == "MainApplication"))
.AddElement("MergeRef", "Id=ddprocmoninstall");
};
project.WixSourceFormated += (ref string content) => WixSourceFormated?.Invoke(content);
project.WixSourceSaved += name => WixSourceSaved?.Invoke(name);
Expand Down Expand Up @@ -502,26 +490,23 @@ private Dir CreateBinFolder()
}

);
if (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("WINDOWS_DDPROCMON_DRIVER")))
var securityAgentService = GenerateDependentServiceInstaller(
new Id("ddagentsecurityservice"),
Constants.SecurityAgentServiceName,
"Datadog Security Service",
"Send Security events to Datadog",
"[DDAGENTUSER_PROCESSED_FQ_NAME]",
"[DDAGENTUSER_PROCESSED_PASSWORD]");
agentBinDir.AddFile(new WixSharp.File(_agentBinaries.SecurityAgent, securityAgentService));

agentBinDir.Add(new EventSource
{
var securityAgentService = GenerateDependentServiceInstaller(
new Id("ddagentsecurityservice"),
Constants.SecurityAgentServiceName,
"Datadog Security Service",
"Send Security events to Datadog",
"[DDAGENTUSER_PROCESSED_FQ_NAME]",
"[DDAGENTUSER_PROCESSED_PASSWORD]");
agentBinDir.AddFile(new WixSharp.File(_agentBinaries.SecurityAgent, securityAgentService));

agentBinDir.Add(new EventSource
{
Name = Constants.SecurityAgentServiceName,
Log = "Application",
EventMessageFile = $"[AGENT]{Path.GetFileName(_agentBinaries.SecurityAgent)}",
AttributesDefinition = "SupportsErrors=yes; SupportsInformationals=yes; SupportsWarnings=yes; KeyPath=yes"
}
);
Name = Constants.SecurityAgentServiceName,
Log = "Application",
EventMessageFile = $"[AGENT]{Path.GetFileName(_agentBinaries.SecurityAgent)}",
AttributesDefinition = "SupportsErrors=yes; SupportsInformationals=yes; SupportsWarnings=yes; KeyPath=yes"
}
);
var targetBinFolder = new Dir(new Id("BIN"), "bin",
new WixSharp.File(_agentBinaries.Agent, agentService),
// Each EventSource must have KeyPath=yes to avoid having the parent directory placed in the CreateFolder table.
Expand Down Expand Up @@ -559,13 +544,10 @@ private Dir CreateAppDataFolder()
new Files($@"{EtcSource}\extra_package_files\EXAMPLECONFSLOCATION\*")
));

if (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("WINDOWS_DDPROCMON_DRIVER")))
{
appData.AddDir(new Dir(new Id("security.d"),
"runtime-security.d",
new WixSharp.File($@"{EtcSource}\runtime-security.d\default.policy.example")
));
}
appData.AddDir(new Dir(new Id("security.d"),
"runtime-security.d",
new WixSharp.File($@"{EtcSource}\runtime-security.d\default.policy.example")
));
return new Dir(new Id("%CommonAppData%"), appData)
{
Attributes = { { "Name", "CommonAppData" } }
Expand Down

0 comments on commit 1497b89

Please sign in to comment.