[Security Solution] Add Endpoint policy feature checks (#83972)
Showing
5 changed files
with
198 additions
and
23 deletions.
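--- a/x-pack/plugins/security_solution/common/license/policy_config.test.ts
+++ b/x-pack/plugins/security_solution/common/license/policy_config.test.ts
@@ -0,0 +1,110 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License;
+* you may not use this file except in compliance with the Elastic License.
+*/
+
+import {
+isEndpointPolicyValidForLicense,
+unsetPolicyFeaturesAboveLicenseLevel,
+} from './policy_config';
+import { DefaultMalwareMessage, factory } from '../endpoint/models/policy_config';
+import { licenseMock } from '../../../licensing/common/licensing.mock';
+
+describe('policy_config and licenses', () => {
+const Platinum = licenseMock.createLicense({ license: { type: 'platinum', mode: 'platinum' } });
+const Gold = licenseMock.createLicense({ license: { type: 'gold', mode: 'gold' } });
+const Basic = licenseMock.createLicense({ license: { type: 'basic', mode: 'basic' } });
+
+describe('isEndpointPolicyValidForLicense', () => {
+it('allows malware notification to be disabled with a Platinum license', () => {
+const policy = factory();
+policy.windows.popup.malware.enabled = false; // make policy change
+const valid = isEndpointPolicyValidForLicense(policy, Platinum);
+expect(valid).toBeTruthy();
+});
+it('blocks windows malware notification changes below Platinum licenses', () => {
+const policy = factory();
+policy.windows.popup.malware.enabled = false; // make policy change
+let valid = isEndpointPolicyValidForLicense(policy, Gold);
+expect(valid).toBeFalsy();
+
+valid = isEndpointPolicyValidForLicense(policy, Basic);
+expect(valid).toBeFalsy();
+});
+
+it('blocks mac malware notification changes below Platinum licenses', () => {
+const policy = factory();
+policy.mac.popup.malware.enabled = false; // make policy change
+let valid = isEndpointPolicyValidForLicense(policy, Gold);
+expect(valid).toBeFalsy();
+
+valid = isEndpointPolicyValidForLicense(policy, Basic);
+expect(valid).toBeFalsy();
+});
+
+it('allows malware notification message changes with a Platinum license', () => {
+const policy = factory();
+policy.windows.popup.malware.message = 'BOOM'; // make policy change
+const valid = isEndpointPolicyValidForLicense(policy, Platinum);
+expect(valid).toBeTruthy();
+});
+it('blocks windows malware notification message changes below Platinum licenses', () => {
+const policy = factory();
+policy.windows.popup.malware.message = 'BOOM'; // make policy change
+let valid = isEndpointPolicyValidForLicense(policy, Gold);
+expect(valid).toBeFalsy();
+
+valid = isEndpointPolicyValidForLicense(policy, Basic);
+expect(valid).toBeFalsy();
+});
+it('blocks mac malware notification message changes below Platinum licenses', () => {
+const policy = factory();
+policy.mac.popup.malware.message = 'BOOM'; // make policy change
+let valid = isEndpointPolicyValidForLicense(policy, Gold);
+expect(valid).toBeFalsy();
+
+valid = isEndpointPolicyValidForLicense(policy, Basic);
+expect(valid).toBeFalsy();
+});
+
+it('allows default policyConfig with Basic', () => {
+const policy = factory();
+const valid = isEndpointPolicyValidForLicense(policy, Basic);
+expect(valid).toBeTruthy();
+});
+});
+
+describe('unsetPolicyFeaturesAboveLicenseLevel', () => {
+it('does not change any fields with a Platinum license', () => {
+const policy = factory();
+const popupMessage = 'WOOP WOOP';
+policy.windows.popup.malware.message = popupMessage;
+policy.mac.popup.malware.message = popupMessage;
+policy.windows.popup.malware.enabled = false;
+
+const retPolicy = unsetPolicyFeaturesAboveLicenseLevel(policy, Platinum);
+expect(retPolicy.windows.popup.malware.enabled).toBeFalsy();
+expect(retPolicy.windows.popup.malware.message).toEqual(popupMessage);
+expect(retPolicy.mac.popup.malware.message).toEqual(popupMessage);
+});
+it('resets Platinum-paid fields for lower license tiers', () => {
+const defaults = factory(); // reference
+const policy = factory(); // what we will modify, and should be reset
+const popupMessage = 'WOOP WOOP';
+policy.windows.popup.malware.message = popupMessage;
+policy.mac.popup.malware.message = popupMessage;
+policy.windows.popup.malware.enabled = false;
+
+const retPolicy = unsetPolicyFeaturesAboveLicenseLevel(policy, Gold);
+expect(retPolicy.windows.popup.malware.enabled).toEqual(
+defaults.windows.popup.malware.enabled
+);
+expect(retPolicy.windows.popup.malware.message).not.toEqual(popupMessage);
+expect(retPolicy.mac.popup.malware.message).not.toEqual(popupMessage);
+
+// need to invert the test, since it could be either value
+expect(['', DefaultMalwareMessage]).toContain(retPolicy.windows.popup.malware.message);
+});
+});
+});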
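Review bot: Neither describe block exercises the `license: null` case that both functions accept in their signatures, so the behaviour for a missing license is not pinned by any test. I would add a case such as `expect(isEndpointPolicyValidForLicense(policy, null)).toBeFalsy();` after a gated change, plus the matching reset assertion for `unsetPolicyFeaturesAboveLicenseLevel(policy, null)`; this assumes `isAtLeast` treats null as below Platinum, which is not visible here. The 'resets Platinum-paid fields' test also runs only with Gold and never changes `policy.mac.popup.malware.enabled`, so the Basic tier and the mac `enabled` reset go unchecked.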
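--- a/x-pack/plugins/security_solution/common/license/policy_config.ts
+++ b/x-pack/plugins/security_solution/common/license/policy_config.ts
@@ -0,0 +1,66 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License;
+* you may not use this file except in compliance with the Elastic License.
+*/
+
+import { ILicense } from '../../../licensing/common/types';
+import { isAtLeast } from './license';
+import { PolicyConfig } from '../endpoint/types';
+import { DefaultMalwareMessage, factory } from '../endpoint/models/policy_config';
+
+/**
+* Given an endpoint package policy, verifies that all enabled features that
+* require a certain license level have a valid license for them.
+*/
+export const isEndpointPolicyValidForLicense = (
+policy: PolicyConfig,
+license: ILicense | null
+): boolean => {
+if (isAtLeast(license, 'platinum')) {
+return true; // currently, platinum allows all features
+}
+
+const defaults = factory();
+
+// only platinum or higher may disable malware notification
+if (
+policy.windows.popup.malware.enabled !== defaults.windows.popup.malware.enabled ||
+policy.mac.popup.malware.enabled !== defaults.mac.popup.malware.enabled
+) {
+return false;
+}
+
+// Only Platinum or higher may change the malware message (which can be blank or what Endpoint defaults)
+if (
+[policy.windows, policy.mac].some(
+(p) => p.popup.malware.message !== '' && p.popup.malware.message !== DefaultMalwareMessage
+)
+) {
+return false;
+}
+
+return true;
+};
+
+/**
+* Resets paid features in a PolicyConfig back to default values
+* when unsupported by the given license level.
+*/
+export const unsetPolicyFeaturesAboveLicenseLevel = (
+policy: PolicyConfig,
+license: ILicense | null
+): PolicyConfig => {
+if (isAtLeast(license, 'platinum')) {
+return policy;
+}
+
+const defaults = factory();
+// set any license-gated features back to the defaults
+policy.windows.popup.malware.enabled = defaults.windows.popup.malware.enabled;
+policy.mac.popup.malware.enabled = defaults.mac.popup.malware.enabled;
+policy.windows.popup.malware.message = defaults.windows.popup.malware.message;
+policy.mac.popup.malware.message = defaults.mac.popup.malware.message;
+
+return policy;
+};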
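Review bot: `unsetPolicyFeaturesAboveLicenseLevel` writes the defaults into the `policy` argument and returns that same object, which its doc comment does not say; a caller that keeps the submitted policy for comparison or logging will see it changed. Either state it in the comment, e.g. `* Note: mutates and returns the passed-in policy.`, or copy the policy before writing. Separately, `isEndpointPolicyValidForLicense` ends in `return true` and the gated fields are listed independently in each function, so a paid field added to PolicyConfig later passes for lower tiers unless both lists are updated; a comment such as `// keep in sync with unsetPolicyFeaturesAboveLicenseLevel` on the checks would flag that. Both functions also dereference `policy.windows.popup.malware` and `policy.mac.popup.malware` unguarded, which would throw rather than return false if a stored policy lacks `popup`, so it is worth confirming callers validate the shape first.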