Add wildcard only for osquery

elastic · Jun 28, 2021 · 95c7406 · 95c7406
1 parent de7699e
commit 95c7406
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 10 deletions.
diff --git a/x-pack/plugins/fleet/server/services/package_policies_to_agent_permissions.test.ts b/x-pack/plugins/fleet/server/services/package_policies_to_agent_permissions.test.ts
@@ -177,7 +177,7 @@ describe('storedPackagePoliciesToAgentPermissions()', () => {
       'test-policy': {
         indices: [
           {
-            names: ['logs-some-logs-test*'],
+            names: ['logs-some-logs-test'],
             privileges: ['auto_configure', 'create_doc'],
           },
         ],
@@ -267,7 +267,7 @@ describe('storedPackagePoliciesToAgentPermissions()', () => {
       'test-policy': {
         indices: [
           {
-            names: ['logs-compiled-test*'],
+            names: ['logs-compiled-test'],
             privileges: ['auto_configure', 'create_doc'],
           },
         ],
@@ -371,7 +371,7 @@ describe('storedPackagePoliciesToAgentPermissions()', () => {
       'test-policy': {
         indices: [
           {
-            names: ['logs-osquery_manager.result-test'],
+            names: ['logs-osquery_manager.result-test*'],
             privileges: ['auto_configure', 'create_doc'],
           },
         ],
@@ -396,7 +396,7 @@ describe('getDataStreamPermissions()', () => {
     const permissions = getDataStreamPermissions(dataStream, 'namespace');
 
     expect(permissions).toMatchObject({
-      names: ['logs-test-namespace*'],
+      names: ['logs-test-namespace'],
       privileges: ['auto_configure', 'create_doc'],
     });
   });
@@ -410,7 +410,7 @@ describe('getDataStreamPermissions()', () => {
     const permissions = getDataStreamPermissions(dataStream, 'namespace');
 
     expect(permissions).toMatchObject({
-      names: ['logs-test.*-namespace*'],
+      names: ['logs-test.*-namespace'],
       privileges: ['auto_configure', 'create_doc'],
     });
   });
@@ -423,6 +423,20 @@ describe('getDataStreamPermissions()', () => {
     } as RegistryDataStream;
     const permissions = getDataStreamPermissions(dataStream, 'namespace');
 
+    expect(permissions).toMatchObject({
+      names: ['.logs-test-namespace'],
+      privileges: ['auto_configure', 'create_doc'],
+    });
+  });
+
+  it('Appends a wildcard suffix when specified', () => {
+    const dataStream = {
+      type: 'logs',
+      dataset: 'test',
+      hidden: true,
+    } as RegistryDataStream;
+    const permissions = getDataStreamPermissions(dataStream, 'namespace', true);
+
     expect(permissions).toMatchObject({
       names: ['.logs-test-namespace*'],
       privileges: ['auto_configure', 'create_doc'],
@@ -438,7 +452,7 @@ describe('getDataStreamPermissions()', () => {
     const permissions = getDataStreamPermissions(dataStream, 'namespace');
 
     expect(permissions).toMatchObject({
-      names: ['logs-test-namespace*'],
+      names: ['logs-test-namespace'],
       privileges: ['read', 'write'],
     });
   });

diff --git a/x-pack/plugins/fleet/server/services/package_policies_to_agent_permissions.ts b/x-pack/plugins/fleet/server/services/package_policies_to_agent_permissions.ts
@@ -57,6 +57,7 @@ export async function storedPackagePoliciesToAgentPermissions(
       }
 
       let dataStreamsForPermissions: DataStreamMeta[];
+      let wildcardSuffix = false;
 
       switch (pkg.name) {
         case 'endpoint':
@@ -78,6 +79,7 @@ export async function storedPackagePoliciesToAgentPermissions(
           //   `packagePolicy.inputs`, so we will use _all_ data_streams from
           //   the package.
           dataStreamsForPermissions = pkg.data_streams;
+          wildcardSuffix = true;
           break;
 
         default:
@@ -121,7 +123,7 @@ export async function storedPackagePoliciesToAgentPermissions(
         packagePolicy.name,
         {
           indices: dataStreamsForPermissions.map((ds) =>
-            getDataStreamPermissions(ds, packagePolicy.namespace)
+            getDataStreamPermissions(ds, packagePolicy.namespace, wildcardSuffix)
           ),
         },
       ];
@@ -139,7 +141,11 @@ interface DataStreamMeta {
   permissions?: RegistryDataStreamPermissions;
 }
 
-export function getDataStreamPermissions(dataStream: DataStreamMeta, namespace: string = '*') {
+export function getDataStreamPermissions(
+  dataStream: DataStreamMeta,
+  namespace: string = '*',
+  wildcardSuffix: boolean = false
+) {
   let index = `${dataStream.type}-${dataStream.dataset}`;
 
   if (dataStream.dataset_is_prefix) {
@@ -152,8 +158,8 @@ export function getDataStreamPermissions(dataStream: DataStreamMeta, namespace:
 
   index += `-${namespace}`;
 
-  // Integrations may append a date to the end of the index.
-  if (namespace !== '*') {
+  // Some integrations append a date to the end of the index.
+  if (wildcardSuffix) {
     index += '*';
   }