Default fleet policy removal

CHANGELOG.next.asciidoc

@@ -1,3 +1,7 @@
 ==== Bugfixes
 
 - Return a better error on enrolling and the Elasticsearch version is incompatible. {pull}1211[1211]
+
+==== Breaking changes
+
+- Removed the reliance on the default fleet policy flag; added the `fleet.default_policy_id` configuration option, used to define the ID of the default policy fleet server will subscribe to. {pull}1157[1157]

Makefile

@@ -54,7 +54,7 @@ clean: ## - Clean up build artifacts
 .PHONY: generate
 generate: ## - Generate schema models
 	@printf "${CMD_COLOR_ON} Installing module for go generate\n${CMD_COLOR_OFF}"
-	env GOBIN=${GOBIN} go install github.com/elastic/go-json-schema-generate/cmd/schema-generate@c47877ac4d0624482caa0f6201b61bd6dc6f5899
+	env GOBIN=${GOBIN} go install github.com/elastic/go-json-schema-generate/cmd/schema-generate@ec19b88f6b5ef7825a928df8274a99337b855d1f
 	@printf "${CMD_COLOR_ON} Running go generate\n${CMD_COLOR_OFF}"
 	env PATH="${GOBIN}:${PATH}" go generate ./...
 

cmd/fleet/auth.go

@@ -128,10 +128,10 @@ func authAgent(r *http.Request, id *string, bulker bulk.Bulk, c cache.Cache) (*m
 
 	// validate that the Access ApiKey identifier stored in the agent's record
 	// is in alignment when the authenticated key provided on this transaction
-	if agent.AccessApiKeyId != key.Id {
+	if agent.AccessAPIKeyID != key.Id {
 		zlog.Warn().
 			Err(ErrAgentCorrupted).
-			Str("agent.AccessApiKeyId", agent.AccessApiKeyId).
+			Str("agent.AccessApiKeyId", agent.AccessAPIKeyID).
 			Msg("agent access ApiKey id mismatch agent record")
 		return nil, ErrAgentCorrupted
 	}

cmd/fleet/handleAck.go

@@ -103,7 +103,7 @@ func (ack *AckT) handleAcks(zlog *zerolog.Logger, w http.ResponseWriter, r *http
 
 	// Pointer is passed in to allow UpdateContext by child function
 	zlog.UpdateContext(func(ctx zerolog.Context) zerolog.Context {
-		return ctx.Str(LogAccessApiKeyId, agent.AccessApiKeyId)
+		return ctx.Str(LogAccessApiKeyId, agent.AccessAPIKeyID)
 	})
 
 	// Metrics; serenity now.
@@ -167,8 +167,8 @@ func (ack *AckT) processRequest(zlog zerolog.Logger, w http.ResponseWriter, r *h
 
 func eventToActionResult(agentId string, ev Event) (acr model.ActionResult) {
 	return model.ActionResult{
-		ActionId:        ev.ActionId,
-		AgentId:         agentId,
+		ActionID:        ev.ActionId,
+		AgentID:         agentId,
 		ActionInputType: ev.ActionInputType,
 		StartedAt:       ev.StartedAt,
 		CompletedAt:     ev.CompletedAt,
@@ -329,15 +329,15 @@ func (ack *AckT) handlePolicyChange(ctx context.Context, zlog zerolog.Logger, ag
 		rev, ok := policy.RevisionFromString(a)
 
 		zlog.Debug().
-			Str("agent.policyId", agent.PolicyId).
+			Str("agent.policyId", agent.PolicyID).
 			Int64("agent.revisionIdx", currRev).
 			Int64("agent.coordinatorIdx", currCoord).
 			Str("rev.policyId", rev.PolicyId).
 			Int64("rev.revisionIdx", rev.RevisionIdx).
 			Int64("rev.coordinatorIdx", rev.CoordinatorIdx).
 			Msg("ack policy revision")
 
-		if ok && rev.PolicyId == agent.PolicyId && (rev.RevisionIdx > currRev ||
+		if ok && rev.PolicyId == agent.PolicyID && (rev.RevisionIdx > currRev ||
 			(rev.RevisionIdx == currRev && rev.CoordinatorIdx > currCoord)) {
 			found = true
 			currRev = rev.RevisionIdx
@@ -349,11 +349,11 @@ func (ack *AckT) handlePolicyChange(ctx context.Context, zlog zerolog.Logger, ag
 		return nil
 	}
 
-	sz := len(agent.DefaultApiKeyHistory)
+	sz := len(agent.DefaultAPIKeyHistory)
 	if sz > 0 {
 		ids := make([]string, sz)
 		for i := 0; i < sz; i++ {
-			ids[i] = agent.DefaultApiKeyHistory[i].Id
+			ids[i] = agent.DefaultAPIKeyHistory[i].ID
 		}
 		log.Info().Strs("ids", ids).Msg("Invalidate old API keys")
 		if err := ack.bulk.ApiKeyInvalidate(ctx, ids...); err != nil {
@@ -362,7 +362,7 @@ func (ack *AckT) handlePolicyChange(ctx context.Context, zlog zerolog.Logger, ag
 	}
 
 	body := makeUpdatePolicyBody(
-		agent.PolicyId,
+		agent.PolicyID,
 		currRev,
 		currCoord,
 	)
@@ -377,7 +377,7 @@ func (ack *AckT) handlePolicyChange(ctx context.Context, zlog zerolog.Logger, ag
 	)
 
 	zlog.Info().Err(err).
-		Str(LogPolicyId, agent.PolicyId).
+		Str(LogPolicyId, agent.PolicyID).
 		Int64("policyRevision", currRev).
 		Int64("policyCoordinator", currCoord).
 		Msg("ack policy")
@@ -442,11 +442,11 @@ func (ack *AckT) handleUpgrade(ctx context.Context, zlog zerolog.Logger, agent *
 
 func _getAPIKeyIDs(agent *model.Agent) []string {
 	keys := make([]string, 0, 1)
-	if agent.AccessApiKeyId != "" {
-		keys = append(keys, agent.AccessApiKeyId)
+	if agent.AccessAPIKeyID != "" {
+		keys = append(keys, agent.AccessAPIKeyID)
 	}
-	if agent.DefaultApiKeyId != "" {
-		keys = append(keys, agent.DefaultApiKeyId)
+	if agent.DefaultAPIKeyID != "" {
+		keys = append(keys, agent.DefaultAPIKeyID)
 	}
 	return keys
 }

cmd/fleet/handleAck_test.go

@@ -89,8 +89,8 @@ func TestEventToActionResult(t *testing.T) {
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			acr := eventToActionResult(agentId, tc.ev)
-			assert.Equal(t, agentId, acr.AgentId)
-			assert.Equal(t, tc.ev.ActionId, acr.ActionId)
+			assert.Equal(t, agentId, acr.AgentID)
+			assert.Equal(t, tc.ev.ActionId, acr.ActionID)
 			assert.Equal(t, tc.ev.ActionInputType, acr.ActionInputType)
 			assert.Equal(t, tc.ev.StartedAt, acr.StartedAt)
 			assert.Equal(t, tc.ev.CompletedAt, acr.CompletedAt)
@@ -141,7 +141,7 @@ func (m mockBulk) Search(ctx context.Context, index string, body []byte, opts ..
 			ok     bool
 		)
 		for _, a := range m.actions {
-			if a.ActionId == req.Query.Bool.Filter[0].Term.ActionID {
+			if a.ActionID == req.Query.Bool.Filter[0].Term.ActionID {
 				action = a
 				ok = true
 			}
@@ -151,7 +151,7 @@ func (m mockBulk) Search(ctx context.Context, index string, body []byte, opts ..
 				HitsT: es.HitsT{
 					Hits: []es.HitT{
 						{
-							Source: []byte(`{"action_id":"` + action.ActionId + `","type":"` + action.Type + `"}`),
+							Source: []byte(`{"action_id":"` + action.ActionID + `","type":"` + action.Type + `"}`),
 						},
 					},
 				},
@@ -283,7 +283,7 @@ func TestHandleAckEvents(t *testing.T) {
 				Message: http.StatusText(http.StatusOK),
 			}}),
 			bulker: mockBulk{actions: []model.Action{
-				{ActionId: "2b12dcd8-bde0-4045-92dc-c4b27668d733"},
+				{ActionID: "2b12dcd8-bde0-4045-92dc-c4b27668d733"},
 			}},
 		},
 		{
@@ -296,7 +296,7 @@ func TestHandleAckEvents(t *testing.T) {
 			res: newAckResponse(true, []AckResponseItem{newAckResponseItem(http.StatusInternalServerError)}),
 			bulker: mockBulk{
 				actions: []model.Action{
-					{ActionId: "2b12dcd8-bde0-4045-92dc-c4b27668d733"},
+					{ActionID: "2b12dcd8-bde0-4045-92dc-c4b27668d733"},
 				},
 				createErr: errors.New("network error"),
 			},
@@ -312,7 +312,7 @@ func TestHandleAckEvents(t *testing.T) {
 			res: newAckResponse(true, []AckResponseItem{newAckResponseItem(http.StatusServiceUnavailable)}),
 			bulker: mockBulk{
 				actions: []model.Action{
-					{ActionId: "2b12dcd8-bde0-4045-92dc-c4b27668d733"},
+					{ActionID: "2b12dcd8-bde0-4045-92dc-c4b27668d733"},
 				},
 				createErr: &es.ErrElastic{Status: http.StatusServiceUnavailable, Reason: http.StatusText(http.StatusServiceUnavailable)},
 			},
@@ -332,7 +332,7 @@ func TestHandleAckEvents(t *testing.T) {
 			}}),
 			bulker: mockBulk{
 				actions: []model.Action{
-					{ActionId: "2b12dcd8-bde0-4045-92dc-c4b27668d733", Type: "UPGRADE"},
+					{ActionID: "2b12dcd8-bde0-4045-92dc-c4b27668d733", Type: "UPGRADE"},
 				},
 				updateErr: &es.ErrElastic{Status: http.StatusServiceUnavailable, Reason: http.StatusText(http.StatusServiceUnavailable)},
 			},
@@ -391,10 +391,10 @@ func TestHandleAckEvents(t *testing.T) {
 				},
 			}),
 			bulker: mockBulk{actions: []model.Action{
-				{ActionId: "policy:2b12dcd8-bde0-4045-92dc-c4b27668d733:1:1"},
-				{ActionId: "1b12dcd8-bde0-4045-92dc-c4b27668d731", Type: "UNENROLL"},
-				{ActionId: "ab12dcd8-bde0-4045-92dc-c4b27668d73a", Type: "UPGRADE"},
-				{ActionId: "2b12dcd8-bde0-4045-92dc-c4b27668d733"},
+				{ActionID: "policy:2b12dcd8-bde0-4045-92dc-c4b27668d733:1:1"},
+				{ActionID: "1b12dcd8-bde0-4045-92dc-c4b27668d731", Type: "UNENROLL"},
+				{ActionID: "ab12dcd8-bde0-4045-92dc-c4b27668d73a", Type: "UPGRADE"},
+				{ActionID: "2b12dcd8-bde0-4045-92dc-c4b27668d733"},
 			}},
 			err: &HTTPError{Status: http.StatusNotFound},
 		},

cmd/fleet/handleArtifacts.go

@@ -128,7 +128,7 @@ func (at ArtifactT) handleArtifacts(zlog *zerolog.Logger, r *http.Request, id, s
 
 	// Pointer is passed in to allow UpdateContext by child function
 	zlog.UpdateContext(func(ctx zerolog.Context) zerolog.Context {
-		return ctx.Str(LogAccessApiKeyId, agent.AccessApiKeyId)
+		return ctx.Str(LogAccessApiKeyId, agent.AccessAPIKeyID)
 	})
 
 	// Metrics; serenity now.

cmd/fleet/handleCheckin.go

@@ -152,7 +152,7 @@ func (ct *CheckinT) handleCheckin(zlog *zerolog.Logger, w http.ResponseWriter, r
 
 	// Pointer is passed in to allow UpdateContext by child function
 	zlog.UpdateContext(func(ctx zerolog.Context) zerolog.Context {
-		return ctx.Str(LogAccessApiKeyId, agent.AccessApiKeyId)
+		return ctx.Str(LogAccessApiKeyId, agent.AccessAPIKeyID)
 	})
 
 	ver, err := validateUserAgent(*zlog, r, ct.verCon)
@@ -209,7 +209,7 @@ func (ct *CheckinT) processRequest(zlog zerolog.Logger, w http.ResponseWriter, r
 	actCh := aSub.Ch()
 
 	// Subscribe to policy manager for changes on PolicyId > policyRev
-	sub, err := ct.pm.Subscribe(agent.Id, agent.PolicyId, agent.PolicyRevisionIdx, agent.PolicyCoordinatorIdx)
+	sub, err := ct.pm.Subscribe(agent.Id, agent.PolicyID, agent.PolicyRevisionIdx, agent.PolicyCoordinatorIdx)
 	if err != nil {
 		return errors.Wrap(err, "subscribe policy monitor")
 	}
@@ -401,7 +401,7 @@ func convertActions(agentId string, actions []model.Action) ([]ActionResp, strin
 			AgentId:   agentId,
 			CreatedAt: action.Timestamp,
 			Data:      action.Data,
-			Id:        action.ActionId,
+			Id:        action.ActionID,
 			Type:      action.Type,
 			InputType: action.InputType,
 			Timeout:   action.Timeout,
@@ -425,7 +425,7 @@ func processPolicy(ctx context.Context, zlog zerolog.Logger, bulker bulk.Bulk, a
 		Str("ctx", "processPolicy").
 		Int64("policyRevision", pp.Policy.RevisionIdx).
 		Int64("policyCoordinator", pp.Policy.CoordinatorIdx).
-		Str(LogPolicyId, pp.Policy.PolicyId).
+		Str(LogPolicyId, pp.Policy.PolicyID).
 		Logger()
 
 	// The parsed policy object contains a map of name->role with a precalculated sha2.
@@ -446,7 +446,7 @@ func processPolicy(ctx context.Context, zlog zerolog.Logger, bulker bulk.Bulk, a
 	// record with the precalculated sha2 hash of the role.
 	needKey := true
 	switch {
-	case agent.DefaultApiKey == "":
+	case agent.DefaultAPIKey == "":
 		zlog.Debug().Msg("must generate api key as default API key is not present")
 	case pp.Default.Role.Sha2 != agent.PolicyOutputPermissionsHash:
 		zlog.Debug().Msg("must generate api key as policy output permissions changed")
@@ -478,9 +478,9 @@ func processPolicy(ctx context.Context, zlog zerolog.Logger, bulker bulk.Bulk, a
 			dl.FieldDefaultApiKeyId:             defaultOutputApiKey.Id,
 			dl.FieldPolicyOutputPermissionsHash: pp.Default.Role.Sha2,
 		}
-		if agent.DefaultApiKeyId != "" {
-			fields[dl.FieldDefaultApiKeyHistory] = model.DefaultApiKeyHistoryItems{
-				Id:        agent.DefaultApiKeyId,
+		if agent.DefaultAPIKeyID != "" {
+			fields[dl.FieldDefaultApiKeyHistory] = model.DefaultAPIKeyHistoryItems{
+				ID:        agent.DefaultAPIKeyID,
 				RetiredAt: time.Now().UTC().Format(time.RFC3339),
 			}
 		}
@@ -496,10 +496,10 @@ func processPolicy(ctx context.Context, zlog zerolog.Logger, bulker bulk.Bulk, a
 			zlog.Error().Err(err).Msg("fail update agent record")
 			return nil, err
 		}
-		agent.DefaultApiKey = defaultOutputApiKey.Agent()
+		agent.DefaultAPIKey = defaultOutputApiKey.Agent()
 	}
 
-	rewrittenPolicy, err := rewritePolicy(pp, agent.DefaultApiKey)
+	rewrittenPolicy, err := rewritePolicy(pp, agent.DefaultAPIKey)
 	if err != nil {
 		zlog.Error().Err(err).Msg("fail rewrite policy")
 		return nil, err

cmd/fleet/handleChecking_test.go

@@ -24,7 +24,7 @@ func TestConvertActionsEmpty(t *testing.T) {
 func TestConvertActions(t *testing.T) {
 	actions := []model.Action{
 		{
-			ActionId: "1234",
+			ActionID: "1234",
 		},
 	}
 	resp, token := convertActions("agent-id", actions)

cmd/fleet/handleEnroll.go

@@ -185,7 +185,7 @@ func (et *EnrollerT) processRequest(rb *rollback.Rollback, zlog zerolog.Logger,
 
 	cntEnroll.bodyIn.Add(readCounter.Count())
 
-	return et._enroll(r.Context(), rb, zlog, req, erec.PolicyId, ver)
+	return et._enroll(r.Context(), rb, zlog, req, erec.PolicyID, ver)
 }
 
 func (et *EnrollerT) _enroll(ctx context.Context, rb *rollback.Rollback, zlog zerolog.Logger, req *EnrollRequest, policyId, ver string) (*EnrollResponse, error) {
@@ -224,14 +224,14 @@ func (et *EnrollerT) _enroll(ctx context.Context, rb *rollback.Rollback, zlog ze
 
 	agentData := model.Agent{
 		Active:         true,
-		PolicyId:       policyId,
+		PolicyID:       policyId,
 		Type:           req.Type,
 		EnrolledAt:     now.UTC().Format(time.RFC3339),
 		LocalMetadata:  localMeta,
-		AccessApiKeyId: accessApiKey.Id,
+		AccessAPIKeyID: accessApiKey.Id,
 		ActionSeqNo:    []int64{sqn.UndefinedSeqNo},
 		Agent: &model.AgentMetadata{
-			Id:      agentId,
+			ID:      agentId,
 			Version: ver,
 		},
 	}
@@ -251,12 +251,12 @@ func (et *EnrollerT) _enroll(ctx context.Context, rb *rollback.Rollback, zlog ze
 		Item: EnrollResponseItem{
 			ID:             agentId,
 			Active:         agentData.Active,
-			PolicyId:       agentData.PolicyId,
+			PolicyId:       agentData.PolicyID,
 			Type:           agentData.Type,
 			EnrolledAt:     agentData.EnrolledAt,
 			UserMeta:       agentData.UserProvidedMetadata,
 			LocalMeta:      agentData.LocalMetadata,
-			AccessApiKeyId: agentData.AccessApiKeyId,
+			AccessApiKeyId: agentData.AccessAPIKeyID,
 			AccessAPIKey:   accessApiKey.Token(),
 			Status:         "online",
 		},
@@ -441,9 +441,9 @@ func generateOutputApiKey(ctx context.Context, bulk bulk.Bulk, agentId, outputNa
 	)
 }
 
-func (et *EnrollerT) fetchEnrollmentKeyRecord(ctx context.Context, id string) (*model.EnrollmentApiKey, error) {
+func (et *EnrollerT) fetchEnrollmentKeyRecord(ctx context.Context, id string) (*model.EnrollmentAPIKey, error) {
 
-	if key, ok := et.cache.GetEnrollmentApiKey(id); ok {
+	if key, ok := et.cache.GetEnrollmentAPIKey(id); ok {
 		return &key, nil
 	}
 
@@ -457,8 +457,8 @@ func (et *EnrollerT) fetchEnrollmentKeyRecord(ctx context.Context, id string) (*
 		return nil, ErrInactiveEnrollmentKey
 	}
 
-	cost := int64(len(rec.ApiKey))
-	et.cache.SetEnrollmentApiKey(id, rec, cost)
+	cost := int64(len(rec.APIKey))
+	et.cache.SetEnrollmentAPIKey(id, rec, cost)
 
 	return &rec, nil
 }

cmd/fleet/main_integration_test.go

@@ -86,19 +86,18 @@ func (s *agentSuite) TestAgentMode(t *testing.T) {
 	// add a real default fleet server policy
 	policyId := uuid.Must(uuid.NewV4()).String()
 	_, err := dl.CreatePolicy(ctx, bulker, model.Policy{
-		PolicyId:           policyId,
-		RevisionIdx:        1,
-		DefaultFleetServer: true,
-		Data:               policyData,
+		PolicyID:    policyId,
+		RevisionIdx: 1,
+		Data:        policyData,
 	})
 	require.NoError(t, err)
 
 	// add entry for enrollment key (doesn't have to be a real key)
-	_, err = dl.CreateEnrollmentAPIKey(ctx, bulker, model.EnrollmentApiKey{
+	_, err = dl.CreateEnrollmentAPIKey(ctx, bulker, model.EnrollmentAPIKey{
 		Name:     "Default",
-		ApiKey:   "keyvalue",
-		ApiKeyId: "keyid",
-		PolicyId: policyId,
+		APIKey:   "keyvalue",
+		APIKeyID: "keyid",
+		PolicyID: policyId,
 		Active:   true,
 	})
 	require.NoError(t, err)