[Ingest Manager] Fleet requires encrypted saved object encryption key … (
nchaulet authored Jun 18, 2020
1 parent 03a24fb commit acdae15
Showing 6 changed files with 55 additions and 14 deletions.
Expand Up @@ -10,5 +10,10 @@ export interface CreateFleetSetupResponse {

export interface GetFleetStatusResponse {
isReady: boolean;
missing_requirements: Array<'tls_required' | 'api_keys' | 'fleet_admin_user'>;
missing_requirements: Array<
| 'tls_required'
| 'api_keys'
| 'fleet_admin_user'
| 'encrypted_saved_object_encryption_key_required'
>;
}
Expand Up @@ -39,7 +39,9 @@ export const SetupPage: React.FunctionComponent<{
};

const content =
missingRequirements.includes('tls_required') || missingRequirements.includes('api_keys') ? (
missingRequirements.includes('tls_required') ||
missingRequirements.includes('api_keys') ||
missingRequirements.includes('encrypted_saved_object_encryption_key_required') ? (
<>
<EuiSpacer size="m" />
<EuiIcon type="lock" color="subdued" size="xl" />
Expand All @@ -53,12 +55,13 @@ export const SetupPage: React.FunctionComponent<{
</h2>
</EuiTitle>
<EuiSpacer size="xl" />
<EuiText color="subdued">
<EuiText color="subdued" textAlign={'left'}>
<FormattedMessage
id="xpack.ingestManager.setupPage.missingRequirementsDescription"
defaultMessage="To use Fleet, you must enable the following features:
{space}- Enable Elasticsearch API keys.
{space}- Enable TLS to secure the communication between Agents and Kibana.
{space}- Set the encryption key for encrypted saved objects.
"
values={{
space: <EuiSpacer size="m" />,
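Review bot: The new bullet `{space}- Set the encryption key for encrypted saved objects.` in the `missingRequirementsDescription` message does not tell the operator which setting to change, whereas the server-side warning added in plugin.ts in this same commit names `xpack.encryptedSavedObjects.encryptionKey` in kibana.yml. Since this page is the only thing a user sees when Fleet refuses to start, name the setting here too, e.g. `{space}- Set xpack.encryptedSavedObjects.encryptionKey in kibana.yml to persist the encrypted saved objects key.`. The `content` expression and the enclosing `SetupPage` component start and end outside these hunks.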
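--- a/x-pack/plugins/ingest_manager/server/plugin.ts
+++ b/x-pack/plugins/ingest_manager/server/plugin.ts
@@ -67,7 +67,8 @@ export interface IngestManagerSetupDeps {
 export type IngestManagerStartDeps = object;
 
 export interface IngestManagerAppContext {
-encryptedSavedObjects: EncryptedSavedObjectsPluginStart;
+encryptedSavedObjectsStart: EncryptedSavedObjectsPluginStart;
+encryptedSavedObjectsSetup?: EncryptedSavedObjectsPluginSetup;
 security?: SecurityPluginSetup;
 config$?: Observable<IngestManagerConfigType>;
 savedObjects: SavedObjectsServiceStart;
@@ -115,6 +116,7 @@ export class IngestManagerPlugin
 private isProductionMode: boolean;
 private kibanaVersion: string;
 private httpSetup: HttpServiceSetup | undefined;
+private encryptedSavedObjectsSetup: EncryptedSavedObjectsPluginSetup | undefined;
 
 constructor(private readonly initializerContext: PluginInitializerContext) {
 this.config$ = this.initializerContext.config.create<IngestManagerConfigType>();
@@ -129,6 +131,7 @@ export class IngestManagerPlugin
 if (deps.security) {
 this.security = deps.security;
 }
+this.encryptedSavedObjectsSetup = deps.encryptedSavedObjects;
 this.cloud = deps.cloud;
 
 registerSavedObjects(core.savedObjects);
@@ -187,12 +190,22 @@ export class IngestManagerPlugin
 }
 
 if (config.fleet.enabled) {
-registerAgentRoutes(router);
-registerEnrollmentApiKeyRoutes(router);
-registerInstallScriptRoutes({
-router,
-basePath: core.http.basePath,
-});
+const isESOUsingEphemeralEncryptionKey =
+deps.encryptedSavedObjects.usingEphemeralEncryptionKey;
+if (isESOUsingEphemeralEncryptionKey) {
+if (this.logger) {
+this.logger.warn(
+'Fleet APIs are disabled due to the Encrypted Saved Objects plugin using an ephemeral encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in kibana.yml.'
+);
+}
+} else {
+registerAgentRoutes(router);
+registerEnrollmentApiKeyRoutes(router);
+registerInstallScriptRoutes({
+router,
+basePath: core.http.basePath,
+});
+}
 }
 }
 }
@@ -204,7 +217,8 @@ export class IngestManagerPlugin
 }
 ) {
 appContextService.start({
-encryptedSavedObjects: plugins.encryptedSavedObjects,
+encryptedSavedObjectsStart: plugins.encryptedSavedObjects,
+encryptedSavedObjectsSetup: this.encryptedSavedObjectsSetup,
 security: this.security,
 config$: this.config$,
 savedObjects: core.savedObjects,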
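Review bot: The ephemeral-key gate in the `config.fleet.enabled` hunk leaves the Fleet routes unregistered but says nothing when `this.logger` is unset, so an operator would see only 404s with no hint why; `this.logger` is presumably assigned in the constructor, which is outside the hunk, so the guard looks unnecessary and should not be the thing that decides whether the warning appears. The gate also reads `deps.encryptedSavedObjects.usingEphemeralEncryptionKey` unconditionally, while the app context declares `encryptedSavedObjectsSetup?` as optional; if the setup dependency can be absent, prefer failing closed with `deps.encryptedSavedObjects?.usingEphemeralEncryptionKey ?? true` rather than registering the routes. The reason for refusing to run is undocumented; I would put it above the check as `// Fleet enrollment/access API keys are stored in encrypted saved objects; an ephemeral (per-process) key presumably cannot decrypt them after a restart, so fail closed and keep the Fleet APIs off until a persistent key is configured.` The `setup` method this hunk belongs to starts and ends outside the hunk.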
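--- a/x-pack/plugins/ingest_manager/server/routes/setup/handlers.ts
+++ b/x-pack/plugins/ingest_manager/server/routes/setup/handlers.ts
@@ -20,6 +20,8 @@ export const getFleetStatusHandler: RequestHandler = async (context, request, re
 const isProductionMode = appContextService.getIsProductionMode();
 const isCloud = appContextService.getCloud()?.isCloudEnabled ?? false;
 const isTLSCheckDisabled = appContextService.getConfig()?.fleet?.tlsCheckDisabled ?? false;
+const isUsingEphemeralEncryptionKey = appContextService.getEncryptedSavedObjectsSetup()
+.usingEphemeralEncryptionKey;
 
 const missingRequirements: GetFleetStatusResponse['missing_requirements'] = [];
 if (!isAdminUserSetup) {
@@ -32,6 +34,10 @@ export const getFleetStatusHandler: RequestHandler = async (context, request, re
 missingRequirements.push('tls_required');
 }
 
+if (isUsingEphemeralEncryptionKey) {
+missingRequirements.push('encrypted_saved_object_encryption_key_required');
+}
+
 const body: GetFleetStatusResponse = {
 isReady: missingRequirements.length === 0,
 missing_requirements: missingRequirements,
</body>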
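Review bot: `appContextService.getEncryptedSavedObjectsSetup()` throws when the setup contract was never provided (its getter in app_context.ts raises `encryptedSavedObjectsSetup is not set`), so on that path the status endpoint returns an unhandled error instead of a status report, unlike the neighbouring `getCloud()?.` and `getConfig()?.` reads which tolerate absence. Because the route gate in plugin.ts already fails closed, this handler should too: wrap the read so a missing contract counts as the requirement being unmet, e.g. `let isUsingEphemeralEncryptionKey = true; try { isUsingEphemeralEncryptionKey = appContextService.getEncryptedSavedObjectsSetup().usingEphemeralEncryptionKey; } catch { /* no ESO setup contract: treat as no persistent key */ }`. Also worth a comment on the new `if`: `// Fleet secrets are kept in encrypted saved objects; an ephemeral key is presumably regenerated per process, so report it as a blocking requirement.` The `getFleetStatusHandler` function starts and ends outside these hunks.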
Expand Up @@ -24,7 +24,7 @@ describe('test agent acks services', () => {
const mockSavedObjectsClient = savedObjectsClientMock.create();
const mockStartEncryptedSOPlugin = encryptedSavedObjectsMock.createStart();
appContextService.start(({
encryptedSavedObjects: mockStartEncryptedSOPlugin,
encryptedSavedObjectsStart: mockStartEncryptedSOPlugin,
} as unknown) as IngestManagerAppContext);

const [
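--- a/x-pack/plugins/ingest_manager/server/services/app_context.ts
+++ b/x-pack/plugins/ingest_manager/server/services/app_context.ts
@@ -6,14 +6,18 @@
 import { BehaviorSubject, Observable } from 'rxjs';
 import { first } from 'rxjs/operators';
 import { SavedObjectsServiceStart, HttpServiceSetup, Logger } from 'src/core/server';
-import { EncryptedSavedObjectsClient } from '../../../encrypted_saved_objects/server';
+import {
+EncryptedSavedObjectsClient,
+EncryptedSavedObjectsPluginSetup,
+} from '../../../encrypted_saved_objects/server';
 import { SecurityPluginSetup } from '../../../security/server';
 import { IngestManagerConfigType } from '../../common';
 import { IngestManagerAppContext } from '../plugin';
 import { CloudSetup } from '../../../cloud/server';
 
 class AppContextService {
 private encryptedSavedObjects: EncryptedSavedObjectsClient | undefined;
+private encryptedSavedObjectsSetup: EncryptedSavedObjectsPluginSetup | undefined;
 private security: SecurityPluginSetup | undefined;
 private config$?: Observable<IngestManagerConfigType>;
 private configSubject$?: BehaviorSubject<IngestManagerConfigType>;
@@ -25,7 +29,8 @@ class AppContextService {
 private httpSetup?: HttpServiceSetup;
 
 public async start(appContext: IngestManagerAppContext) {
-this.encryptedSavedObjects = appContext.encryptedSavedObjects?.getClient();
+this.encryptedSavedObjects = appContext.encryptedSavedObjectsStart?.getClient();
+this.encryptedSavedObjectsSetup = appContext.encryptedSavedObjectsSetup;
 this.security = appContext.security;
 this.savedObjects = appContext.savedObjects;
 this.isProductionMode = appContext.isProductionMode;
@@ -95,6 +100,14 @@ class AppContextService {
 return this.httpSetup;
 }
 
+public getEncryptedSavedObjectsSetup() {
+if (!this.encryptedSavedObjectsSetup) {
+throw new Error('encryptedSavedObjectsSetup is not set');
+}
+
+return this.encryptedSavedObjectsSetup;
+}
+
 public getKibanaVersion() {
 if (!this.kibanaVersion) {
 throw new Error('Kibana version is not set.');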
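Review bot: The new `getEncryptedSavedObjectsSetup()` has no doc comment saying that it throws whenever `start()` was called without the optional `encryptedSavedObjectsSetup` — which is exactly what the acks test in this commit does, since it passes only `encryptedSavedObjectsStart` — so any handler that calls it becomes a hard failure in that configuration, while the ESO client one line above in `start()` is deliberately tolerant via `?.getClient()`. I would add TSDoc above it: `/** Setup contract of the Encrypted Saved Objects plugin; used to detect an ephemeral encryption key. @throws Error if the plugin was started without the contract (e.g. tests that only provide encryptedSavedObjectsStart), so callers must either guarantee it or catch. */`. As a matter of style the message `'encryptedSavedObjectsSetup is not set'` should match the sibling getter's `'Kibana version is not set.'` punctuation. The `AppContextService` class continues outside these hunks.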
