From acdae1595d1836c6cffe2de393a705a4a3d8bc1b Mon Sep 17 00:00:00 2001 From: Nicolas Chaulet Date: Thu, 18 Jun 2020 12:15:13 -0400 Subject: [PATCH] =?UTF-8?q?[Ingest=20Manager]=20Fleet=20require=20encrypte?= =?UTF-8?q?d=20saved=20object=20encryption=20key=20=E2=80=A6=20(#69408)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../common/types/rest_spec/fleet_setup.ts | 7 ++++- .../sections/fleet/setup_page/index.tsx | 7 +++-- .../plugins/ingest_manager/server/plugin.ts | 30 ++++++++++++++----- .../server/routes/setup/handlers.ts | 6 ++++ .../server/services/agents/acks.test.ts | 2 +- .../server/services/app_context.ts | 17 +++++++++-- 6 files changed, 55 insertions(+), 14 deletions(-) diff --git a/x-pack/plugins/ingest_manager/common/types/rest_spec/fleet_setup.ts b/x-pack/plugins/ingest_manager/common/types/rest_spec/fleet_setup.ts index ae4cb4e3fce4..50f275bd5913 100644 --- a/x-pack/plugins/ingest_manager/common/types/rest_spec/fleet_setup.ts +++ b/x-pack/plugins/ingest_manager/common/types/rest_spec/fleet_setup.ts @@ -10,5 +10,10 @@ export interface CreateFleetSetupResponse { export interface GetFleetStatusResponse { isReady: boolean; - missing_requirements: Array<'tls_required' | 'api_keys' | 'fleet_admin_user'>; + missing_requirements: Array< + | 'tls_required' + | 'api_keys' + | 'fleet_admin_user' + | 'encrypted_saved_object_encryption_key_required' + >; } diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/fleet/setup_page/index.tsx b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/fleet/setup_page/index.tsx index ffab5866f3b6..e9c9ce0c513d 100644 --- a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/fleet/setup_page/index.tsx +++ b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/fleet/setup_page/index.tsx 
@@ -39,7 +39,9 @@ export const SetupPage: React.FunctionComponent<{ }; const content = - missingRequirements.includes('tls_required') || missingRequirements.includes('api_keys') ? ( + missingRequirements.includes('tls_required') || + missingRequirements.includes('api_keys') || + missingRequirements.includes('encrypted_saved_object_encryption_key_required') ? ( <> @@ -53,12 +55,13 @@ export const SetupPage: React.FunctionComponent<{ - + , diff --git a/x-pack/plugins/ingest_manager/server/plugin.ts b/x-pack/plugins/ingest_manager/server/plugin.ts index cd44b61974b0..0d53092a0a8f 100644 --- a/x-pack/plugins/ingest_manager/server/plugin.ts +++ b/x-pack/plugins/ingest_manager/server/plugin.ts @@ -67,7 +67,8 @@ export interface IngestManagerSetupDeps { export type IngestManagerStartDeps = object; export interface IngestManagerAppContext { - encryptedSavedObjects: EncryptedSavedObjectsPluginStart; + encryptedSavedObjectsStart: EncryptedSavedObjectsPluginStart; + encryptedSavedObjectsSetup?: EncryptedSavedObjectsPluginSetup; security?: SecurityPluginSetup; config$?: Observable; savedObjects: SavedObjectsServiceStart; @@ -115,6 +116,7 @@ export class IngestManagerPlugin private isProductionMode: boolean; private kibanaVersion: string; private httpSetup: HttpServiceSetup | undefined; + private encryptedSavedObjectsSetup: EncryptedSavedObjectsPluginSetup | undefined; constructor(private readonly initializerContext: PluginInitializerContext) { this.config$ = this.initializerContext.config.create(); @@ -129,6 +131,7 @@ export class IngestManagerPlugin if (deps.security) { this.security = deps.security; } + this.encryptedSavedObjectsSetup = deps.encryptedSavedObjects; this.cloud = deps.cloud; registerSavedObjects(core.savedObjects); 
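Review bot: In the `IngestManagerAppContext` hunk of plugin.ts (`@@ -67,7 +67,8 @@`), `encryptedSavedObjectsSetup?: EncryptedSavedObjectsPluginSetup;` is declared optional, but the status check added in routes/setup/handlers.ts reads it through `appContextService.getEncryptedSavedObjectsSetup()`, which throws when the value is unset. A context started without the setup contract would therefore make the status handler throw instead of reporting `encrypted_saved_object_encryption_key_required`, unless handler code outside the hunk catches it. Since the plugin always passes `this.encryptedSavedObjectsSetup` in `start`, consider making the field required, `encryptedSavedObjectsSetup: EncryptedSavedObjectsPluginSetup;`, so a call site that omits it fails type-checking. The same concern applies to the getter added in services/app_context.ts.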
@@ -187,12 +190,22 @@ export class IngestManagerPlugin } if (config.fleet.enabled) { - registerAgentRoutes(router); - registerEnrollmentApiKeyRoutes(router); - registerInstallScriptRoutes({ - router, - basePath: core.http.basePath, - }); + const isESOUsingEphemeralEncryptionKey = + deps.encryptedSavedObjects.usingEphemeralEncryptionKey; + if (isESOUsingEphemeralEncryptionKey) { + if (this.logger) { + this.logger.warn( + 'Fleet APIs are disabled due to the Encrypted Saved Objects plugin using an ephemeral encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in kibana.yml.' + ); + } + } else { + registerAgentRoutes(router); + registerEnrollmentApiKeyRoutes(router); + registerInstallScriptRoutes({ + router, + basePath: core.http.basePath, + }); + } } } } @@ -204,7 +217,8 @@ export class IngestManagerPlugin } ) { appContextService.start({ - encryptedSavedObjects: plugins.encryptedSavedObjects, + encryptedSavedObjectsStart: plugins.encryptedSavedObjects, + encryptedSavedObjectsSetup: this.encryptedSavedObjectsSetup, security: this.security, config$: this.config$, savedObjects: core.savedObjects, diff --git a/x-pack/plugins/ingest_manager/server/routes/setup/handlers.ts b/x-pack/plugins/ingest_manager/server/routes/setup/handlers.ts index 30eb6c0ae8ca..980834341739 100644 --- a/x-pack/plugins/ingest_manager/server/routes/setup/handlers.ts +++ b/x-pack/plugins/ingest_manager/server/routes/setup/handlers.ts @@ -20,6 +20,8 @@ export const getFleetStatusHandler: RequestHandler = async (context, request, re const isProductionMode = appContextService.getIsProductionMode(); const isCloud = appContextService.getCloud()?.isCloudEnabled ?? false; const isTLSCheckDisabled = appContextService.getConfig()?.fleet?.tlsCheckDisabled ?? false; + const isUsingEphemeralEncryptionKey = appContextService.getEncryptedSavedObjectsSetup() + .usingEphemeralEncryptionKey; const missingRequirements: GetFleetStatusResponse['missing_requirements'] = []; if (!isAdminUserSetup) { 
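Review bot: In the `@@ -187,12 +190,22 @@` hunk of plugin.ts, the new `if (isESOUsingEphemeralEncryptionKey)` branch skips route registration without a comment saying why an ephemeral key is disqualifying, and the warning is emitted only inside `if (this.logger)`. If the logger is ever unset, the Fleet routes are left unregistered with nothing in the log to explain it. I would add a comment such as `// An ephemeral key does not persist across Kibana restarts, so Fleet secrets stored as encrypted saved objects would become undecryptable.` (wording to be confirmed against the Encrypted Saved Objects plugin). Also confirm that `this.logger` is always assigned before this point; the enclosing setup method starts outside the hunk, so that cannot be checked here.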
@@ -32,6 +34,10 @@ export const getFleetStatusHandler: RequestHandler = async (context, request, re missingRequirements.push('tls_required'); } + if (isUsingEphemeralEncryptionKey) { + missingRequirements.push('encrypted_saved_object_encryption_key_required'); + } + const body: GetFleetStatusResponse = { isReady: missingRequirements.length === 0, missing_requirements: missingRequirements, diff --git a/x-pack/plugins/ingest_manager/server/services/agents/acks.test.ts b/x-pack/plugins/ingest_manager/server/services/agents/acks.test.ts index 0d22529fdb03..efdcbdb5c36b 100644 --- a/x-pack/plugins/ingest_manager/server/services/agents/acks.test.ts +++ b/x-pack/plugins/ingest_manager/server/services/agents/acks.test.ts @@ -24,7 +24,7 @@ describe('test agent acks services', () => { const mockSavedObjectsClient = savedObjectsClientMock.create(); const mockStartEncryptedSOPlugin = encryptedSavedObjectsMock.createStart(); appContextService.start(({ - encryptedSavedObjects: mockStartEncryptedSOPlugin, + encryptedSavedObjectsStart: mockStartEncryptedSOPlugin, } as unknown) as IngestManagerAppContext); const [ diff --git a/x-pack/plugins/ingest_manager/server/services/app_context.ts b/x-pack/plugins/ingest_manager/server/services/app_context.ts index 9e6220b6958f..81a16caa8ce9 100644 --- a/x-pack/plugins/ingest_manager/server/services/app_context.ts +++ b/x-pack/plugins/ingest_manager/server/services/app_context.ts 
@@ -6,7 +6,10 @@ import { BehaviorSubject, Observable } from 'rxjs'; import { first } from 'rxjs/operators'; import { SavedObjectsServiceStart, HttpServiceSetup, Logger } from 'src/core/server'; -import { EncryptedSavedObjectsClient } from '../../../encrypted_saved_objects/server'; +import { + EncryptedSavedObjectsClient, + EncryptedSavedObjectsPluginSetup, +} from '../../../encrypted_saved_objects/server'; import { SecurityPluginSetup } from '../../../security/server'; import { IngestManagerConfigType } from '../../common'; import { IngestManagerAppContext } from '../plugin'; @@ -14,6 +17,7 @@ import { CloudSetup } from '../../../cloud/server'; class AppContextService { private encryptedSavedObjects: EncryptedSavedObjectsClient | undefined; + private encryptedSavedObjectsSetup: EncryptedSavedObjectsPluginSetup | undefined; private security: SecurityPluginSetup | undefined; private config$?: Observable; private configSubject$?: BehaviorSubject; @@ -25,7 +29,8 @@ class AppContextService { private httpSetup?: HttpServiceSetup; public async start(appContext: IngestManagerAppContext) { - this.encryptedSavedObjects = appContext.encryptedSavedObjects?.getClient(); + this.encryptedSavedObjects = appContext.encryptedSavedObjectsStart?.getClient(); + this.encryptedSavedObjectsSetup = appContext.encryptedSavedObjectsSetup; this.security = appContext.security; this.savedObjects = appContext.savedObjects; this.isProductionMode = appContext.isProductionMode; @@ -95,6 +100,14 @@ class AppContextService { return this.httpSetup; } + public getEncryptedSavedObjectsSetup() { + if (!this.encryptedSavedObjectsSetup) { + throw new Error('encryptedSavedObjectsSetup is not set'); + } + + return this.encryptedSavedObjectsSetup; + } + public getKibanaVersion() { if (!this.kibanaVersion) { throw new Error('Kibana version is not set.');
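Review bot: In the `@@ -95,6 +100,14 @@` hunk of app_context.ts, `getEncryptedSavedObjectsSetup()` has no doc comment, although it is the accessor that the ephemeral-key check in the status handler depends on, and it throws rather than returning `undefined`. A short TSDoc would make that contract visible to callers, for example `/** Returns the Encrypted Saved Objects setup contract; throws if start() was called without it. */`. The error text `'encryptedSavedObjectsSetup is not set'` also drops the trailing period that the neighbouring `'Kibana version is not set.'` uses. `'encryptedSavedObjectsSetup is not set.'` would keep the messages consistent.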