[Fleet] Exception when trying to save CSPM integration with a Secret #173718
Comments
Pinging @elastic/fleet (Team:Fleet)
@criamico, could you take a look at fixing this bug for 8.12?
Summarizing some of my findings here. Following the steps to reproduce, the arguments received by
{
"secretPaths": [
{
"path": [
"inputs",
"1",
"streams",
"0",
"vars",
"secret_access_key"
],
"value": {
"type": "text"
}
},
{
"path": [
"inputs",
"2",
"streams",
"0",
"vars",
"secret_access_key"
],
"value": {
"value": "changeme"
}
},
{
"path": [
"inputs",
"4",
"streams",
"0",
"vars",
"azure.credentials.client_secret"
],
"value": {
"type": "text"
}
},
{
"path": [
"inputs",
"4",
"streams",
"0",
"vars",
"azure.credentials.client_password"
],
"value": {
"type": "text"
}
},
{
"path": [
"inputs",
"4",
"streams",
"0",
"vars",
"azure.credentials.client_certificate_password"
],
"value": {
"type": "text"
}
}
],
"secrets": [
{
"id": "iGGa1YwBli8js5OpznzB"
}
],
"packagePolicy": {
"name": "cspm-2",
"namespace": "default",
"description": "",
"package": {
"name": "cloud_security_posture",
"title": "Security Posture Management",
"version": "1.8.0-preview02"
},
"enabled": true,
"policy_id": "4bfb3e36-b027-4751-bf9b-5346d46a24c0",
"inputs": [
{
"type": "cloudbeat/cis_k8s",
"policy_template": "kspm",
"enabled": false,
"streams": [
{
"enabled": false,
"data_stream": {
"type": "logs",
"dataset": "cloud_security_posture.findings"
},
"id": "cloudbeat/cis_k8s-cloud_security_posture.findings-1123651f-2e59-4fc7-a6d1-a0ed649b1e4b"
}
]
},
{
"type": "cloudbeat/cis_eks",
"policy_template": "kspm",
"enabled": false,
"streams": [
{
"enabled": false,
"data_stream": {
"type": "logs",
"dataset": "cloud_security_posture.findings"
},
"vars": {
"access_key_id": {
"type": "text"
},
"secret_access_key": {
"type": "text"
},
"session_token": {
"type": "text"
},
"shared_credential_file": {
"type": "text"
},
"credential_profile_name": {
"type": "text"
},
"role_arn": {
"type": "text"
},
"aws.credentials.type": {
"type": "text"
}
},
"id": "cloudbeat/cis_eks-cloud_security_posture.findings-1123651f-2e59-4fc7-a6d1-a0ed649b1e4b"
}
]
},
{
"type": "cloudbeat/cis_aws",
"policy_template": "cspm",
"enabled": true,
"streams": [
{
"enabled": true,
"data_stream": {
"type": "logs",
"dataset": "cloud_security_posture.findings"
},
"vars": {
"access_key_id": {
"value": "elastic"
},
"secret_access_key": {
"value": "changeme"
},
"session_token": {
"type": "text"
},
"shared_credential_file": {
"type": "text"
},
"credential_profile_name": {
"type": "text"
},
"role_arn": {
"type": "text"
},
"aws.credentials.type": {
"value": "direct_access_keys"
},
"aws.account_type": {
"value": "organization-account",
"type": "text"
}
},
"id": "cloudbeat/cis_aws-cloud_security_posture.findings-1123651f-2e59-4fc7-a6d1-a0ed649b1e4b"
}
],
"config": {
"cloud_formation_template_url": {}
}
},
{
"type": "cloudbeat/cis_gcp",
"policy_template": "cspm",
"enabled": false,
"streams": [
{
"enabled": false,
"data_stream": {
"type": "logs",
"dataset": "cloud_security_posture.findings"
},
"vars": {
"gcp.account_type": {
"type": "text"
},
"gcp.organization_id": {
"type": "text"
},
"gcp.project_id": {
"type": "text"
},
"gcp.credentials.type": {
"type": "text"
},
"gcp.credentials.file": {
"type": "text"
},
"gcp.credentials.json": {
"type": "text"
}
},
"id": "cloudbeat/cis_gcp-cloud_security_posture.findings-1123651f-2e59-4fc7-a6d1-a0ed649b1e4b"
}
]
},
{
"type": "cloudbeat/cis_azure",
"policy_template": "cspm",
"enabled": false,
"streams": [
{
"enabled": false,
"data_stream": {
"type": "logs",
"dataset": "cloud_security_posture.findings"
},
"vars": {
"azure.account_type": {
"type": "text"
},
"azure.credentials.type": {
"type": "text"
},
"azure.credentials.client_id": {
"type": "text"
},
"azure.credentials.tenant_id": {
"type": "text"
},
"azure.credentials.client_secret": {
"type": "text"
},
"azure.credentials.client_username": {
"type": "text"
},
"azure.credentials.client_password": {
"type": "text"
},
"azure.credentials.client_certificate_path": {
"type": "text"
},
"azure.credentials.client_certificate_password": {
"type": "text"
}
},
"id": "cloudbeat/cis_azure-cloud_security_posture.findings-1123651f-2e59-4fc7-a6d1-a0ed649b1e4b"
}
]
},
{
"type": "cloudbeat/vuln_mgmt_aws",
"policy_template": "vuln_mgmt",
"enabled": false,
"streams": [
{
"enabled": false,
"data_stream": {
"type": "logs",
"dataset": "cloud_security_posture.vulnerabilities"
},
"id": "cloudbeat/vuln_mgmt_aws-cloud_security_posture.vulnerabilities-1123651f-2e59-4fc7-a6d1-a0ed649b1e4b"
}
],
"config": {
"cloud_formation_template_url": {
"value": "https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cnvm-8.12.0.yml&stackName=Elastic-Vulnerability-Management¶m_EnrollmentToken=FLEET_ENROLLMENT_TOKEN¶m_FleetUrl=FLEET_URL¶m_ElasticAgentVersion=KIBANA_VERSION¶m_ElasticArtifactServer=https://artifacts.elastic.co/downloads/beats/elastic-agent"
}
}
}
],
"vars": {
"posture": {
"value": "cspm",
"type": "text"
},
"deployment": {
"value": "aws",
"type": "text"
}
}
}
}
Here's the raw API request value that's sent when making a
{
"name": "cspm-2",
"description": "",
"namespace": "default",
"policy_id": "9755128b-f9e6-403f-9c00-ca9c9b213f64",
"enabled": true,
"inputs": [
{
"type": "cloudbeat/cis_k8s",
"policy_template": "kspm",
"enabled": false,
"streams": [
{
"enabled": false,
"data_stream": {
"type": "logs",
"dataset": "cloud_security_posture.findings"
}
}
]
},
{
"type": "cloudbeat/cis_eks",
"policy_template": "kspm",
"enabled": false,
"streams": [
{
"enabled": false,
"data_stream": {
"type": "logs",
"dataset": "cloud_security_posture.findings"
},
"vars": {
"access_key_id": {
"type": "text"
},
"secret_access_key": {
"type": "text"
},
"session_token": {
"type": "text"
},
"shared_credential_file": {
"type": "text"
},
"credential_profile_name": {
"type": "text"
},
"role_arn": {
"type": "text"
},
"aws.credentials.type": {
"type": "text"
}
}
}
]
},
{
"type": "cloudbeat/cis_aws",
"policy_template": "cspm",
"enabled": true,
"streams": [
{
"enabled": true,
"data_stream": {
"type": "logs",
"dataset": "cloud_security_posture.findings"
},
"vars": {
"access_key_id": {
"value": "elastic"
},
"secret_access_key": {
"value": "changeme"
},
"session_token": {
"type": "text"
},
"shared_credential_file": {
"type": "text"
},
"credential_profile_name": {
"type": "text"
},
"role_arn": {
"type": "text"
},
"aws.credentials.type": {
"value": "direct_access_keys"
},
"aws.account_type": {
"value": "organization-account",
"type": "text"
}
}
}
],
"config": {
"cloud_formation_template_url": {}
}
},
{
"type": "cloudbeat/cis_gcp",
"policy_template": "cspm",
"enabled": false,
"streams": [
{
"enabled": false,
"data_stream": {
"type": "logs",
"dataset": "cloud_security_posture.findings"
},
"vars": {
"gcp.account_type": {
"type": "text"
},
"gcp.organization_id": {
"type": "text"
},
"gcp.project_id": {
"type": "text"
},
"gcp.credentials.type": {
"type": "text"
},
"gcp.credentials.file": {
"type": "text"
},
"gcp.credentials.json": {
"type": "text"
}
}
}
]
},
{
"type": "cloudbeat/cis_azure",
"policy_template": "cspm",
"enabled": false,
"streams": [
{
"enabled": false,
"data_stream": {
"type": "logs",
"dataset": "cloud_security_posture.findings"
},
"vars": {
"azure.account_type": {
"type": "text"
},
"azure.credentials.type": {
"type": "text"
},
"azure.credentials.client_id": {
"type": "text"
},
"azure.credentials.tenant_id": {
"type": "text"
},
"azure.credentials.client_secret": {
"type": "text"
},
"azure.credentials.client_username": {
"type": "text"
},
"azure.credentials.client_password": {
"type": "text"
},
"azure.credentials.client_certificate_path": {
"type": "text"
},
"azure.credentials.client_certificate_password": {
"type": "text"
}
}
}
]
},
{
"type": "cloudbeat/vuln_mgmt_aws",
"policy_template": "vuln_mgmt",
"enabled": false,
"streams": [
{
"enabled": false,
"data_stream": {
"type": "logs",
"dataset": "cloud_security_posture.vulnerabilities"
}
}
],
"config": {
"cloud_formation_template_url": {
"value": "https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cnvm-8.12.0.yml&stackName=Elastic-Vulnerability-Management¶m_EnrollmentToken=FLEET_ENROLLMENT_TOKEN¶m_FleetUrl=FLEET_URL¶m_ElasticAgentVersion=KIBANA_VERSION¶m_ElasticArtifactServer=https://artifacts.elastic.co/downloads/beats/elastic-agent"
}
}
}
],
"package": {
"name": "cloud_security_posture",
"title": "Security Posture Management",
"version": "1.8.0-preview02"
},
"vars": {
"posture": {
"value": "cspm",
"type": "text"
},
"deployment": {
"value": "aws",
"type": "text"
}
},
"force": false
}
Comparing the above to a known successful test case: kibana/x-pack/plugins/fleet/server/services/secrets.test.ts Lines 1017 to 1037 in 33f8368
{
"secretPaths": [
{
"value": {
"value": "pkg-secret-2-val"
},
"path": [
"vars",
"pkg-secret-2"
]
}
],
"secrets": [
{
"id": "e4bc6689-d1b5-433a-9ffa-fdccb72f4f25"
}
],
"packagePolicy": {
"vars": {
"pkg-secret-2": {
"value": "pkg-secret-2-val"
}
},
"inputs": []
}
}
This test case should be a similar case to what's happening in CSPM, as we have multiple defined secrets in the package manifest, but only a single secret is provided in the request. The key difference I see here is that with the CSPM request, we're receiving
I was able to come up with a better test case by updating a known passing test to pass all secret paths instead of just those with values. I'll use that test case to figure out next steps here and post another followup.
Update: this wound up being a one-line fix. We were passing the unfiltered I've updated the test cases related to this change to as mentioned above.
…ons (#174264)

Closes #173718

## Summary

Fix secrets exception when installing CSPM or other integrations

### Steps to reproduce:

- Install `cloud_security_posture-1.8.0-preview02` (note that a licence is needed to install CSPM)
- Select Setup access: manual and Preferred manual method: Direct access keys
- Add some test values as secrets and try to install
- The integration should install correctly with no exceptions.

### Checklist

- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed

---------

Co-authored-by: Kyle Pollich <[email protected]>
Co-authored-by: Kibana Machine <[email protected]>
…ons (elastic#174264)

Closes elastic#173718

## Summary

Fix secrets exception when installing CSPM or other integrations

### Steps to reproduce:

- Install `cloud_security_posture-1.8.0-preview02` (note that a licence is needed to install CSPM)
- Select Setup access: manual and Preferred manual method: Direct access keys
- Add some test values as secrets and try to install
- The integration should install correctly with no exceptions.

### Checklist

- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed

---------

Co-authored-by: Kyle Pollich <[email protected]>
Co-authored-by: Kibana Machine <[email protected]>
(cherry picked from commit 6a7166c)
…tegrations (#174264) (#174432)

# Backport

This will backport the following commits from `main` to `8.12`:
- [[Fleet] Fix secrets exception when installing CSPM or other integrations (#174264)](#174264)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Cristina Amico <[email protected]>
Kibana version: Found in 8.12
Describe the bug:
Steps to reproduce:
- Install `cloud_security_posture-1.8.0-preview02` (note that a licence is needed to install CSPM)
- Select Setup access: manual and Preferred manual method: Direct access keys
- Add some test values as secrets and try to install
Expected behavior:
The policy should install as expected and show encrypted secrets
**Additional context**
The line that is breaking is this one:
kibana/x-pack/plugins/fleet/server/services/secrets.ts
Line 790 in fbf9fe4
In the reduce function we are trying to access an index in the `secrets` variable that doesn't exist. There is no check for the length of that variable; it's simply assumed to have the same length as `secretPaths`, which in this case is not true. This function isn't tested at all, so we should make sure to add regression tests to avoid breaking existing functionality.
I had a PR where I was simply checking for existence of that index, but while testing I found that it wasn't correctly encrypting the policy in the editor, so I closed it. When fixing this bug, make sure that the final policy correctly hides the secrets both in the editor and in the "view policy" panel.
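As an added example (not Kibana's own code, and not taken from the PR), the TypeScript below models the index-aligned walk the issue and the earlier analysis comment describe: `secretPaths` lists every var the package manifest marks as a secret, including ones the user left empty (only `"type": "text"`), while `secrets` holds one entry per value that was actually stored, so `secrets[i]` runs off the end. The inputs are constructed to mirror the shapes in the JSON dump above; the function names, the `setAtPath` helper and the `{ id }` reference object written into the policy are assumptions, not Fleet's real API.

```typescript
// Added example, not Kibana's own code: a model of the secret-path walk the
// issue describes. `secretPaths` lists every var the package manifest marks
// as a secret, but `secrets` only has an entry for vars the user actually
// filled in, so walking both arrays by the same index runs off the end.

type SecretPath = { path: string[]; value: { value?: string; type?: string } };
type StoredSecret = { id: string };

// Constructed inputs mirroring the shapes in the issue's JSON dump.
const policy: any = {
  name: 'cspm-2',
  inputs: [
    { type: 'cloudbeat/cis_k8s', streams: [{}] },
    { type: 'cloudbeat/cis_eks', streams: [{ vars: { secret_access_key: { type: 'text' } } }] },
    { type: 'cloudbeat/cis_aws', streams: [{ vars: { secret_access_key: { value: 'changeme' } } }] },
    { type: 'cloudbeat/cis_gcp', streams: [{ vars: {} }] },
    { type: 'cloudbeat/cis_azure', streams: [{ vars: { 'azure.credentials.client_secret': { type: 'text' } } }] },
  ],
};

const secretPaths: SecretPath[] = [
  { path: ['inputs', '1', 'streams', '0', 'vars', 'secret_access_key'], value: { type: 'text' } },
  { path: ['inputs', '2', 'streams', '0', 'vars', 'secret_access_key'], value: { value: 'changeme' } },
  { path: ['inputs', '4', 'streams', '0', 'vars', 'azure.credentials.client_secret'], value: { type: 'text' } },
];

// Only one var carried a value, so only one secret document was written.
const secrets: StoredSecret[] = [{ id: 'iGGa1YwBli8js5OpznzB' }];

// Writes `val` at a nested path, creating intermediate objects as needed (assumed helper).
function setAtPath(obj: any, path: string[], val: unknown): any {
  let cur: any = obj;
  for (const key of path.slice(0, -1)) {
    if (cur[key] === undefined) cur[key] = {};
    cur = cur[key];
  }
  cur[path[path.length - 1]] = val;
  return obj;
}

// "Before": the unfiltered path list is walked in lockstep with `secrets`.
// The `{ id }` reference object written into the policy is an assumed shape.
function replaceSecretsUnfiltered(pkgPolicy: any, paths: SecretPath[], stored: StoredSecret[]): any {
  const copy = JSON.parse(JSON.stringify(pkgPolicy));
  return paths.reduce((acc, sp, i) => {
    const secret = stored[i]; // undefined once i >= stored.length
    return setAtPath(acc, sp.path, { id: secret.id }); // TypeError on the second path
  }, copy);
}

// "After": keep only paths whose var actually has a value, and refuse to
// proceed if that count still disagrees with the number of stored secrets.
function replaceSecretsFiltered(pkgPolicy: any, paths: SecretPath[], stored: StoredSecret[]): any {
  const withValues = paths.filter((sp) => sp.value.value !== undefined);
  if (withValues.length !== stored.length) {
    throw new Error(`expected ${withValues.length} secrets, got ${stored.length}`);
  }
  const copy = JSON.parse(JSON.stringify(pkgPolicy));
  return withValues.reduce((acc, sp, i) => setAtPath(acc, sp.path, { id: stored[i].id }), copy);
}

// Runs the buggy version and reports how it failed.
function runUnfiltered(): string {
  try {
    replaceSecretsUnfiltered(policy, secretPaths, secrets);
    return 'ok';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other';
  }
}

// What ended up at the AWS secret_access_key var after the fixed walk.
function fixedAwsSecretRef(): { id: string } {
  const out = replaceSecretsFiltered(policy, secretPaths, secrets);
  return out.inputs[2].streams[0].vars.secret_access_key;
}

// The fixed walk leaves vars without a value untouched.
function fixedEksVarType(): string {
  const out = replaceSecretsFiltered(policy, secretPaths, secrets);
  return out.inputs[1].streams[0].vars.secret_access_key.type;
}

console.log(runUnfiltered(), fixedAwsSecretRef(), fixedEksVarType());
```

The length check in the fixed version is the regression guard the issue asks for: if the filter and the secret-writing step ever disagree again, the save fails with a clear message instead of a `TypeError` deep inside a reduce, and a unit test over a policy like the one above pins that behaviour down.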