[Fleet] Add secrets package API integration test (#164583)

## Summary Closes #162045 This PR adds an API integration test for the following scenario: - Given an integration with some non secret (plain text) vars that become secret in a newer version; - When Fleet has an agent policy with this integration and upgrades from the old to the newer version; - Then the vars that have become secrets should correctly be stored as secret values. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Julia Bardi <[email protected]> (cherry picked from commit 766ff8f)
elastic · Aug 24, 2023 · 23d25bb · 23d25bb
1 parent 1e077b1
commit 23d25bb
Show file tree

Hide file tree

Showing 12 changed files with 237 additions and 12 deletions.
diff --git a/...ation/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/agent/input/input.yml.hbs b/...ation/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/agent/input/input.yml.hbs
@@ -1,2 +1,4 @@
 package_var_secret: {{package_var_secret}}
+package_var_non_secret: {{package_var_non_secret}}
 input_var_secret: {{input_var_secret}}
+input_var_non_secret: {{input_var_non_secret}}
diff --git a/...ion/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/agent/stream/stream.yml.hbs b/...ion/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/agent/stream/stream.yml.hbs
@@ -1,4 +1,7 @@
 config.version: "2"
 package_var_secret: {{package_var_secret}}
+package_var_non_secret: {{package_var_non_secret}}
 input_var_secret: {{input_var_secret}}
+input_var_non_secret: {{input_var_non_secret}}
 stream_var_secret: {{stream_var_secret}}
+stream_var_non_secret: {{stream_var_non_secret}}
diff --git a/...et_api_integration/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/manifest.yml b/...et_api_integration/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/manifest.yml
@@ -10,3 +10,8 @@ streams:
         multi: false
         show_user: true
         secret: true
+      - name: stream_var_non_secret
+        type: text
+        title: Stream Var Non Secret
+        multi: false
+        show_user: true
diff --git a/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/manifest.yml b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: secrets
 title: Package with secrets
-description: This integration package has 3 secrets.
+description: This integration package has 3 secret and 3 non secret vars.
 version: 1.0.0
 categories: []
 # Options are experimental, beta, ga
@@ -32,6 +32,12 @@ vars:
     required: true
     show_user: true
     secret: true
+  - name: package_var_non_secret
+    type: text
+    title: Package Var Non Secret
+    multi: false
+    required: true
+    show_user: true
 policy_templates:
   - name: secrets
     title: This 
@@ -48,4 +54,9 @@ policy_templates:
             title: Input Var Secret
             multi: false
             show_user: true
-            secret: true
+            secret: true
+          - name: input_var_non_secret
+            type: text
+            title: Input Var Non Secret
+            multi: false
+            show_user: true
diff --git a/...ation/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/agent/input/input.yml.hbs b/...ation/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/agent/input/input.yml.hbs
@@ -0,0 +1,4 @@
+package_var_secret: {{package_var_secret}}
+package_var_non_secret: {{package_var_non_secret}}
+input_var_secret: {{input_var_secret}}
+input_var_non_secret: {{input_var_non_secret}}
diff --git a/...ion/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/agent/stream/stream.yml.hbs b/...ion/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/agent/stream/stream.yml.hbs
@@ -0,0 +1,7 @@
+config.version: "2"
+package_var_secret: {{package_var_secret}}
+package_var_non_secret: {{package_var_non_secret}}
+input_var_secret: {{input_var_secret}}
+input_var_non_secret: {{input_var_non_secret}}
+stream_var_secret: {{stream_var_secret}}
+stream_var_non_secret: {{stream_var_non_secret}}
diff --git a/...i_integration/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/fields/fields.yml b/...i_integration/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/fields/fields.yml
@@ -0,0 +1,16 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: >
+    Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: >
+    Data stream dataset.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: >
+    Data stream namespace.
+- name: '@timestamp'
+  type: date
+  description: >
+    Event timestamp.
diff --git a/...et_api_integration/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/manifest.yml b/...et_api_integration/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/manifest.yml
@@ -0,0 +1,18 @@
+title: Test stream
+type: logs
+streams:
+  - input: test_input
+    title: test input
+    vars:
+      - name: stream_var_secret
+        type: text
+        title: Stream Var Secret
+        multi: false
+        show_user: true
+        secret: true
+      - name: stream_var_non_secret
+        type: text
+        title: Stream Var Non Secret
+        multi: false
+        show_user: true
+        secret: true
diff --git a/.../fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/docs/README.md b/.../fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/docs/README.md
@@ -0,0 +1,3 @@
+# secrets
+
+This package has secrets
diff --git a/...st/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/img/logo.svg b/...st/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/img/logo.svg
diff --git a/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/manifest.yml b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/manifest.yml
@@ -0,0 +1,64 @@
+format_version: 1.0.0
+name: secrets
+title: Package with secrets
+description: This integration package has 3 secret and 3 non secret vars.
+version: 1.1.0
+categories: []
+# Options are experimental, beta, ga
+release: beta
+# The package type. The options for now are [integration, solution], more type might be added in the future.
+# The default type is integration and will be set if empty.
+type: integration
+license: basic
+owner:
+  github: elastic/fleet
+
+requirement:
+  elasticsearch:
+    versions: ">7.7.0"
+  kibana:
+    versions: ">7.7.0"
+
+icons:
+  - src: "/img/logo.svg"
+    size: "16x16"
+    type: "image/svg+xml"
+
+vars:
+  - name: package_var_secret
+    type: password
+    title: Package Var Secret
+    multi: false
+    required: true
+    show_user: true
+    secret: true
+  - name: package_var_non_secret
+    type: text
+    title: Package Var Non Secret
+    multi: false
+    required: true
+    show_user: true
+    secret: true
+policy_templates:
+  - name: secrets
+    title: This 
+    description: Test Package for Upgrading Package Policies
+    inputs:
+      - type: test_input
+        title: Test Input
+        description: Test Input
+        enabled: true
+        template_path: input.yml.hbs
+        vars:
+          - name: input_var_secret
+            type: text
+            title: Input Var Secret
+            multi: false
+            show_user: true
+            secret: true
+          - name: input_var_non_secret
+            type: text
+            title: Input Var Non Secret
+            multi: false
+            show_user: true
+            secret: true
diff --git a/x-pack/test/fleet_api_integration/apis/policy_secrets.ts b/x-pack/test/fleet_api_integration/apis/policy_secrets.ts
@@ -106,19 +106,22 @@ export default function (providerContext: FtrProviderContext) {
               enabled: true,
               vars: {
                 input_var_secret: 'input_secret_val',
+                input_var_non_secret: 'input_non_secret_val',
               },
               streams: {
                 'secrets.log': {
                   enabled: true,
                   vars: {
                     stream_var_secret: 'stream_secret_val',
+                    stream_var_non_secret: 'stream_non_secret_val',
                   },
                 },
               },
             },
           },
           vars: {
             package_var_secret: 'package_secret_val',
+            package_var_non_secret: 'package_non_secret_val',
           },
           package: {
             name: 'secrets',
@@ -128,6 +131,12 @@ export default function (providerContext: FtrProviderContext) {
         .expect(200);
     };
 
+    async function createPolicyWSecretVar() {
+      const { body: createResBody } = await createPolicyWithSecrets();
+      const createdPolicy = createResBody.item;
+      return createdPolicy;
+    }
+
     const createFleetServerAgent = async (
       agentPolicyId: string,
       hostname: string,
@@ -338,19 +347,22 @@ export default function (providerContext: FtrProviderContext) {
               enabled: true,
               vars: {
                 input_var_secret: 'input_secret_val',
+                input_var_non_secret: 'input_non_secret_val',
               },
               streams: {
                 'secrets.log': {
                   enabled: true,
                   vars: {
                     stream_var_secret: 'stream_secret_val',
+                    stream_var_non_secret: 'stream_non_secret_val',
                   },
                 },
               },
             },
           },
           vars: {
             package_var_secret: 'package_secret_val',
+            package_var_non_secret: 'package_non_secret_val',
           },
           package: {
             name: 'secrets',
@@ -376,18 +388,23 @@ export default function (providerContext: FtrProviderContext) {
         ])
       ).to.eql(true);
       expectedCompiledStream = {
-        'config.version': 2,
+        'config.version': '2',
         package_var_secret: secretVar(packageVarId),
+        package_var_non_secret: 'package_non_secret_val',
         input_var_secret: secretVar(inputVarId),
+        input_var_non_secret: 'input_non_secret_val',
         stream_var_secret: secretVar(streamVarId),
+        stream_var_non_secret: 'stream_non_secret_val',
       };
       expect(createdPackagePolicy.inputs[0].streams[0].compiled_stream).to.eql(
         expectedCompiledStream
       );
 
       expectedCompiledInput = {
         package_var_secret: secretVar(packageVarId),
+        package_var_non_secret: 'package_non_secret_val',
         input_var_secret: secretVar(inputVarId),
+        input_var_non_secret: 'input_non_secret_val',
       };
 
       expect(createdPackagePolicy.inputs[0].compiled_input).to.eql(expectedCompiledInput);
@@ -468,12 +485,17 @@ export default function (providerContext: FtrProviderContext) {
       expect(updatedPackagePolicy.inputs[0].streams[0].compiled_stream).to.eql({
         'config.version': 2,
         package_var_secret: secretVar(updatedPackageVarId),
+        package_var_non_secret: 'package_non_secret_val',
         input_var_secret: secretVar(inputVarId),
+        input_var_non_secret: 'input_non_secret_val',
         stream_var_secret: secretVar(streamVarId),
+        stream_var_non_secret: 'stream_non_secret_val',
       });
       expect(updatedPackagePolicy.inputs[0].compiled_input).to.eql({
         package_var_secret: secretVar(updatedPackageVarId),
+        package_var_non_secret: 'package_non_secret_val',
         input_var_secret: secretVar(inputVarId),
+        input_var_non_secret: 'input_non_secret_val',
       });
       expect(updatedPackagePolicy.vars.package_var_secret.value.isSecretRef).to.eql(true);
       expect(updatedPackagePolicy.vars.package_var_secret.value.id).eql(updatedPackageVarId);
@@ -594,18 +616,10 @@ export default function (providerContext: FtrProviderContext) {
       expect(createdPolicy.vars.package_var_secret.value).eql('package_secret_val');
     });
 
-    async function createPolicyWSecretVar() {
-      const { body: createResBody } = await createPolicyWithSecrets();
-      const createdPolicy = createResBody.item;
-      return createdPolicy;
-    }
-
     it('should not store secrets if there are no fleet servers', async () => {
       await clearAgents();
 
-      const { body: createResBody } = await createPolicyWithSecrets();
-
-      const createdPolicy = createResBody.item;
+      const createdPolicy = await createPolicyWSecretVar();
 
       // secret should be in plain text i.e not a secret refrerence
       expect(createdPolicy.vars.package_var_secret.value).eql('package_secret_val');
@@ -645,5 +659,76 @@ export default function (providerContext: FtrProviderContext) {
 
       expect(createdPolicy.vars.package_var_secret.value.isSecretRef).eql(true);
     });
+
+    it('should store new secrets after package upgrade', async () => {
+      const createdPolicy = await createPolicyWSecretVar();
+
+      // Install newer version of secrets package
+      await supertest
+        .post('/api/fleet/epm/packages/secrets/1.1.0')
+        .set('kbn-xsrf', 'xxxx')
+        .send({ force: true })
+        .expect(200);
+
+      // Upgrade package policy
+      await supertest
+        .post(`/api/fleet/package_policies/upgrade`)
+        .set('kbn-xsrf', 'xxxx')
+        .send({
+          packagePolicyIds: [createdPolicy.id],
+        })
+        .expect(200);
+
+      // Fetch policy again
+      const res = await supertest.get(`/api/fleet/package_policies/${createdPolicy.id}`);
+      const upgradedPolicy = res.body.item;
+
+      const packageSecretVarId = upgradedPolicy.vars.package_var_secret.value.id;
+      const packageNonSecretVarId = upgradedPolicy.vars.package_var_non_secret.value.id;
+      const inputSecretVarId = upgradedPolicy.inputs[0].vars.input_var_secret.value.id;
+      const inputNonSecretVarId = upgradedPolicy.inputs[0].vars.input_var_non_secret.value.id;
+      const streamSecretVarId = upgradedPolicy.inputs[0].streams[0].vars.stream_var_secret.value.id;
+      const streamNonSecretVarId =
+        upgradedPolicy.inputs[0].streams[0].vars.stream_var_non_secret.value.id;
+
+      expect(
+        arrayIdsEqual(upgradedPolicy.secret_references, [
+          { id: packageSecretVarId },
+          { id: packageNonSecretVarId },
+          { id: inputSecretVarId },
+          { id: inputNonSecretVarId },
+          { id: streamSecretVarId },
+          { id: streamNonSecretVarId },
+        ])
+      ).to.eql(true);
+
+      expect(upgradedPolicy.inputs[0].compiled_input).to.eql({
+        package_var_secret: secretVar(packageSecretVarId),
+        package_var_non_secret: secretVar(packageNonSecretVarId),
+        input_var_secret: secretVar(inputSecretVarId),
+        input_var_non_secret: secretVar(inputNonSecretVarId),
+      });
+
+      expect(upgradedPolicy.inputs[0].streams[0].compiled_stream).to.eql({
+        'config.version': '2',
+        package_var_secret: secretVar(packageSecretVarId),
+        package_var_non_secret: secretVar(packageNonSecretVarId),
+        input_var_secret: secretVar(inputSecretVarId),
+        input_var_non_secret: secretVar(inputNonSecretVarId),
+        stream_var_secret: secretVar(streamSecretVarId),
+        stream_var_non_secret: secretVar(streamNonSecretVarId),
+      });
+
+      expect(upgradedPolicy.vars.package_var_secret.value.isSecretRef).to.eql(true);
+      expect(upgradedPolicy.vars.package_var_non_secret.value.isSecretRef).to.eql(true);
+      expect(upgradedPolicy.inputs[0].vars.input_var_secret.value.isSecretRef).to.eql(true);
+      expect(upgradedPolicy.inputs[0].vars.input_var_non_secret.value.isSecretRef).to.eql(true);
+      expect(upgradedPolicy.inputs[0].streams[0].vars.stream_var_secret.value.isSecretRef).to.eql(
+        true
+      );
+      expect(
+        upgradedPolicy.inputs[0].streams[0].vars.stream_var_non_secret.value.isSecretRef
+      ).to.eql(true);
+    });
   });
 }