diff --git a/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/agent/input/input.yml.hbs b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/agent/input/input.yml.hbs index 3c3b8b5df23c2..a562a8dacdae8 100644 --- a/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/agent/input/input.yml.hbs +++ b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/agent/input/input.yml.hbs @@ -1,2 +1,4 @@ package_var_secret: {{package_var_secret}} +package_var_non_secret: {{package_var_non_secret}} input_var_secret: {{input_var_secret}} +input_var_non_secret: {{input_var_non_secret}} diff --git a/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/agent/stream/stream.yml.hbs b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/agent/stream/stream.yml.hbs index 81cce3223c9f4..c8a3b08abd942 100644 --- a/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/agent/stream/stream.yml.hbs +++ b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/agent/stream/stream.yml.hbs @@ -1,4 +1,7 @@ config.version: "2" package_var_secret: {{package_var_secret}} +package_var_non_secret: {{package_var_non_secret}} input_var_secret: {{input_var_secret}} +input_var_non_secret: {{input_var_non_secret}} stream_var_secret: {{stream_var_secret}} +stream_var_non_secret: {{stream_var_non_secret}} diff --git a/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/manifest.yml b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/manifest.yml index 8ecffc0e4e7d4..46504ff58a894 100644 --- a/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/manifest.yml 
+++ b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/data_stream/log/manifest.yml @@ -10,3 +10,8 @@ streams: multi: false show_user: true secret: true + - name: stream_var_non_secret + type: text + title: Stream Var Non Secret + multi: false + show_user: true diff --git a/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/manifest.yml b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/manifest.yml index 9efcf03ea13ca..d577e1b930713 100644 --- a/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/manifest.yml +++ b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.0.0/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: secrets title: Package with secrets -description: This integration package has 3 secrets. +description: This integration package has 3 secret and 3 non secret vars. version: 1.0.0 categories: [] # Options are experimental, beta, ga @@ -32,6 +32,12 @@ vars: required: true show_user: true secret: true + - name: package_var_non_secret + type: text + title: Package Var Non Secret + multi: false + required: true + show_user: true policy_templates: - name: secrets title: This @@ -48,4 +54,9 @@ policy_templates: title: Input Var Secret multi: false show_user: true - secret: true \ No newline at end of file + secret: true + - name: input_var_non_secret + type: text + title: Input Var Non Secret + multi: false + show_user: true diff --git a/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/agent/input/input.yml.hbs b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/agent/input/input.yml.hbs new file mode 100644 index 0000000000000..a562a8dacdae8 --- /dev/null +++ b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/agent/input/input.yml.hbs 
@@ -0,0 +1,4 @@
+package_var_secret: {{package_var_secret}}
+package_var_non_secret: {{package_var_non_secret}}
+input_var_secret: {{input_var_secret}}
+input_var_non_secret: {{input_var_non_secret}}
diff --git a/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/agent/stream/stream.yml.hbs b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/agent/stream/stream.yml.hbs
new file mode 100644
index 0000000000000..c8a3b08abd942
--- /dev/null
+++ b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/agent/stream/stream.yml.hbs
@@ -0,0 +1,7 @@
+config.version: "2"
+package_var_secret: {{package_var_secret}}
+package_var_non_secret: {{package_var_non_secret}}
+input_var_secret: {{input_var_secret}}
+input_var_non_secret: {{input_var_non_secret}}
+stream_var_secret: {{stream_var_secret}}
+stream_var_non_secret: {{stream_var_non_secret}}
diff --git a/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/fields/fields.yml b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/fields/fields.yml
new file mode 100644
index 0000000000000..6e003ed0ad147
--- /dev/null
+++ b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/fields/fields.yml
@@ -0,0 +1,16 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: >
+ Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: >
+ Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: >
+ Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: >
+ Event timestamp.
diff --git a/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/manifest.yml b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/manifest.yml
new file mode 100644
index 0000000000000..ffe3c3ad44fe2
--- /dev/null
+++ b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/data_stream/log/manifest.yml
@@ -0,0 +1,18 @@
+title: Test stream
+type: logs
+streams:
+ - input: test_input
+ title: test input
+ vars:
+ - name: stream_var_secret
+ type: text
+ title: Stream Var Secret
+ multi: false
+ show_user: true
+ secret: true
+ - name: stream_var_non_secret
+ type: text
+ title: Stream Var Non Secret
+ multi: false
+ show_user: true
+ secret: true
diff --git a/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/docs/README.md b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/docs/README.md
new file mode 100644
index 0000000000000..d4265d37b5b63
--- /dev/null
+++ b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/docs/README.md
@@ -0,0 +1,3 @@
+# secrets
+
+This package has secrets
\ No newline at end of file
diff --git a/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/img/logo.svg b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/img/logo.svg
new file mode 100644
index 0000000000000..15b49bcf28aec
--- /dev/null
+++ b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/img/logo.svg
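Review bot: In `1.1.0/data_stream/log/manifest.yml`, `stream_var_non_secret` is declared with `secret: true`, so the name contradicts the declaration and nothing in the fixture says this is deliberate. The same holds for `package_var_non_secret` and `input_var_non_secret` in `1.1.0/manifest.yml`, whose description still reads "3 secret and 3 non secret vars" although all six vars carry `secret: true` in that version. Judging by the new upgrade test in `policy_secrets.ts`, the flip is the purpose of the fixture, so I would state it next to the vars, e.g. `# secret since 1.1.0: exercises conversion of an existing plain-text value into a secret reference on upgrade`, and update the description to match.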
@@ -0,0 +1,7 @@ +<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64" viewBox="0 0 64 64"> + <g fill="none" fill-rule="evenodd"> + <path fill="#F04E98" d="M29,32.0001 L15.935,9.4321 C13.48,5.1941 7,6.9351 7,11.8321 L7,52.1681 C7,57.0651 13.48,58.8061 15.935,54.5671 L29,32.0001 Z"/> + <path fill="#FA744E" d="M34.7773,32.0001 L33.3273,34.5051 L20.2613,57.0731 C19.8473,57.7871 19.3533,58.4271 18.8023,59.0001 L34.9273,59.0001 C38.7073,59.0001 42.2213,57.0601 44.2363,53.8611 L58.0003,32.0001 L34.7773,32.0001 Z"/> + <path fill="#343741" d="M44.2363,10.1392 C42.2213,6.9402 38.7073,5.0002 34.9273,5.0002 L18.8023,5.0002 C19.3533,5.5732 19.8473,6.2122 20.2613,6.9272 L33.3273,29.4942 L34.7773,32.0002 L58.0003,32.0002 L44.2363,10.1392 Z"/> + </g> +</svg> \ No newline at end of file diff --git a/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/manifest.yml b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/manifest.yml new file mode 100644 index 0000000000000..1f616128e2d0b --- /dev/null +++ b/x-pack/test/fleet_api_integration/apis/fixtures/test_packages/secrets/1.1.0/manifest.yml 
@@ -0,0 +1,64 @@
+format_version: 1.0.0
+name: secrets
+title: Package with secrets
+description: This integration package has 3 secret and 3 non secret vars.
+version: 1.1.0
+categories: []
+# Options are experimental, beta, ga
+release: beta
+# The package type. The options for now are [integration, solution], more type might be added in the future.
+# The default type is integration and will be set if empty.
+type: integration
+license: basic
+owner:
+ github: elastic/fleet
+
+requirement:
+ elasticsearch:
+ versions: ">7.7.0"
+ kibana:
+ versions: ">7.7.0"
+
+icons:
+ - src: "/img/logo.svg"
+ size: "16x16"
+ type: "image/svg+xml"
+
+vars:
+ - name: package_var_secret
+ type: password
+ title: Package Var Secret
+ multi: false
+ required: true
+ show_user: true
+ secret: true
+ - name: package_var_non_secret
+ type: text
+ title: Package Var Non Secret
+ multi: false
+ required: true
+ show_user: true
+ secret: true
+policy_templates:
+ - name: secrets
+ title: This
+ description: Test Package for Upgrading Package Policies
+ inputs:
+ - type: test_input
+ title: Test Input
+ description: Test Input
+ enabled: true
+ template_path: input.yml.hbs
+ vars:
+ - name: input_var_secret
+ type: text
+ title: Input Var Secret
+ multi: false
+ show_user: true
+ secret: true
+ - name: input_var_non_secret
+ type: text
+ title: Input Var Non Secret
+ multi: false
+ show_user: true
+ secret: true
diff --git a/x-pack/test/fleet_api_integration/apis/policy_secrets.ts b/x-pack/test/fleet_api_integration/apis/policy_secrets.ts
index 63878420084a2..3ebbe28d2dd47 100644
--- a/x-pack/test/fleet_api_integration/apis/policy_secrets.ts
+++ b/x-pack/test/fleet_api_integration/apis/policy_secrets.ts
@@ -106,12 +106,14 @@ export default function (providerContext: FtrProviderContext) { enabled: true, vars: { input_var_secret: 'input_secret_val', + input_var_non_secret: 'input_non_secret_val', }, streams: { 'secrets.log': { enabled: true, vars: { stream_var_secret: 'stream_secret_val', + stream_var_non_secret: 'stream_non_secret_val', }, }, }, @@ -119,6 +121,7 @@ export default function (providerContext: FtrProviderContext) { }, vars: { package_var_secret: 'package_secret_val', + package_var_non_secret: 'package_non_secret_val', }, package: { name: 'secrets', @@ -128,6 +131,12 @@ export default function (providerContext: FtrProviderContext) { .expect(200); }; + async function createPolicyWSecretVar() { + const { body: createResBody } = await createPolicyWithSecrets(); + const createdPolicy = createResBody.item; + return createdPolicy; + } + const createFleetServerAgent = async ( agentPolicyId: string, hostname: string, @@ -338,12 +347,14 @@ export default function (providerContext: FtrProviderContext) { enabled: true, vars: { input_var_secret: 'input_secret_val', + input_var_non_secret: 'input_non_secret_val', }, streams: { 'secrets.log': { enabled: true, vars: { stream_var_secret: 'stream_secret_val', + stream_var_non_secret: 'stream_non_secret_val', }, }, }, @@ -351,6 +362,7 @@ export default function (providerContext: FtrProviderContext) { }, vars: { package_var_secret: 'package_secret_val', + package_var_non_secret: 'package_non_secret_val', }, package: { name: 'secrets', 
@@ -376,10 +388,13 @@ export default function (providerContext: FtrProviderContext) { ]) ).to.eql(true); expectedCompiledStream = { - 'config.version': 2, + 'config.version': '2', package_var_secret: secretVar(packageVarId), + package_var_non_secret: 'package_non_secret_val', input_var_secret: secretVar(inputVarId), + input_var_non_secret: 'input_non_secret_val', stream_var_secret: secretVar(streamVarId), + stream_var_non_secret: 'stream_non_secret_val', }; expect(createdPackagePolicy.inputs[0].streams[0].compiled_stream).to.eql( expectedCompiledStream @@ -387,7 +402,9 @@ export default function (providerContext: FtrProviderContext) { expectedCompiledInput = { package_var_secret: secretVar(packageVarId), + package_var_non_secret: 'package_non_secret_val', input_var_secret: secretVar(inputVarId), + input_var_non_secret: 'input_non_secret_val', }; expect(createdPackagePolicy.inputs[0].compiled_input).to.eql(expectedCompiledInput); @@ -468,12 +485,17 @@ export default function (providerContext: FtrProviderContext) { expect(updatedPackagePolicy.inputs[0].streams[0].compiled_stream).to.eql({ 'config.version': 2, package_var_secret: secretVar(updatedPackageVarId), + package_var_non_secret: 'package_non_secret_val', input_var_secret: secretVar(inputVarId), + input_var_non_secret: 'input_non_secret_val', stream_var_secret: secretVar(streamVarId), + stream_var_non_secret: 'stream_non_secret_val', }); expect(updatedPackagePolicy.inputs[0].compiled_input).to.eql({ package_var_secret: secretVar(updatedPackageVarId), + package_var_non_secret: 'package_non_secret_val', input_var_secret: secretVar(inputVarId), + input_var_non_secret: 'input_non_secret_val', }); expect(updatedPackagePolicy.vars.package_var_secret.value.isSecretRef).to.eql(true); expect(updatedPackagePolicy.vars.package_var_secret.value.id).eql(updatedPackageVarId); 
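Review bot: The expected `compiled_stream` for the created policy now uses `'config.version': '2'`, while the expectation for the updated policy in the `@@ -468` hunk still has `'config.version': 2` for the same `stream.yml.hbs` template. If `eql` here is a loose deep comparison, both forms pass, which means neither assertion pins the type the compiled output actually carries. Pick the form the compiler produces and use it in both places, e.g. `'config.version': '2',` in the update expectation as well. The enclosing `it` blocks start and end outside these hunks.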
@@ -594,18 +616,10 @@ export default function (providerContext: FtrProviderContext) { expect(createdPolicy.vars.package_var_secret.value).eql('package_secret_val'); }); - async function createPolicyWSecretVar() { - const { body: createResBody } = await createPolicyWithSecrets(); - const createdPolicy = createResBody.item; - return createdPolicy; - } - it('should not store secrets if there are no fleet servers', async () => { await clearAgents(); - const { body: createResBody } = await createPolicyWithSecrets(); - - const createdPolicy = createResBody.item; + const createdPolicy = await createPolicyWSecretVar(); // secret should be in plain text i.e not a secret refrerence expect(createdPolicy.vars.package_var_secret.value).eql('package_secret_val'); 
@@ -645,5 +659,76 @@ export default function (providerContext: FtrProviderContext) { expect(createdPolicy.vars.package_var_secret.value.isSecretRef).eql(true); }); + + it('should store new secrets after package upgrade', async () => { + const createdPolicy = await createPolicyWSecretVar(); + + // Install newer version of secrets package + await supertest + .post('/api/fleet/epm/packages/secrets/1.1.0') + .set('kbn-xsrf', 'xxxx') + .send({ force: true }) + .expect(200); + + // Upgrade package policy + await supertest + .post(`/api/fleet/package_policies/upgrade`) + .set('kbn-xsrf', 'xxxx') + .send({ + packagePolicyIds: [createdPolicy.id], + }) + .expect(200); + + // Fetch policy again + const res = await supertest.get(`/api/fleet/package_policies/${createdPolicy.id}`); + const upgradedPolicy = res.body.item; + + const packageSecretVarId = upgradedPolicy.vars.package_var_secret.value.id; + const packageNonSecretVarId = upgradedPolicy.vars.package_var_non_secret.value.id; + const inputSecretVarId = upgradedPolicy.inputs[0].vars.input_var_secret.value.id; + const inputNonSecretVarId = upgradedPolicy.inputs[0].vars.input_var_non_secret.value.id; + const streamSecretVarId = upgradedPolicy.inputs[0].streams[0].vars.stream_var_secret.value.id; + const streamNonSecretVarId = + upgradedPolicy.inputs[0].streams[0].vars.stream_var_non_secret.value.id; + + expect( + arrayIdsEqual(upgradedPolicy.secret_references, [ + { id: packageSecretVarId }, + { id: packageNonSecretVarId }, + { id: inputSecretVarId }, + { id: inputNonSecretVarId }, + { id: streamSecretVarId }, + { id: streamNonSecretVarId }, + ]) + ).to.eql(true); + + expect(upgradedPolicy.inputs[0].compiled_input).to.eql({ + package_var_secret: secretVar(packageSecretVarId), + package_var_non_secret: secretVar(packageNonSecretVarId), + input_var_secret: secretVar(inputSecretVarId), + input_var_non_secret: secretVar(inputNonSecretVarId), + }); + + expect(upgradedPolicy.inputs[0].streams[0].compiled_stream).to.eql({ + 
'config.version': '2', + package_var_secret: secretVar(packageSecretVarId), + package_var_non_secret: secretVar(packageNonSecretVarId), + input_var_secret: secretVar(inputSecretVarId), + input_var_non_secret: secretVar(inputNonSecretVarId), + stream_var_secret: secretVar(streamSecretVarId), + stream_var_non_secret: secretVar(streamNonSecretVarId), + }); + + expect(upgradedPolicy.vars.package_var_secret.value.isSecretRef).to.eql(true); + expect(upgradedPolicy.vars.package_var_non_secret.value.isSecretRef).to.eql(true); + expect(upgradedPolicy.inputs[0].vars.input_var_secret.value.isSecretRef).to.eql(true); + expect(upgradedPolicy.inputs[0].vars.input_var_non_secret.value.isSecretRef).to.eql(true); + expect(upgradedPolicy.inputs[0].streams[0].vars.stream_var_secret.value.isSecretRef).to.eql( + true + ); + expect( + upgradedPolicy.inputs[0].streams[0].vars.stream_var_non_secret.value.isSecretRef + ).to.eql(true); + }); }); }
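Review bot: The new upgrade test reads every secret id from the upgraded policy and then asserts against those same ids, so it would still pass if the upgrade issued fresh ids for the three vars that were already secrets in 1.0.0. Whether ids are meant to survive an upgrade is not visible here, but if they are, and the policy was created with secret storage enabled, compare against the pre-upgrade values, e.g. `expect(packageSecretVarId).to.eql(createdPolicy.vars.package_var_secret.value.id);`, and likewise for the input and stream secrets. The fetch ``supertest.get(`/api/fleet/package_policies/${createdPolicy.id}`)`` also has no `.expect(200)`, so a failed request would surface as a TypeError on `res.body.item` rather than as a status mismatch.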