[Defend Workflows][8.11] Unblock fleet setup when cannot decrypt uninstall tokens #171998
Conversation
There was a problem hiding this comment.
We should still try to add logic here that checks for the .error property set on saved objects returned from createPointInTimeFinderDecryptedAsInternalUser.
The above method will "strip" encrypted attributes (which is how we get into a state with token = undefined in the first place, generally) here:
kibana/x-pack/plugins/encrypted_saved_objects/server/saved_objects/index.ts
Lines 163 to 171 in a9c41e5
We need to surface this error property that's appended to the ESO object somewhere in Fleet setup.
| it('rejects if any of the tokens is missing', async () => { | ||
| await expect( | ||
| uninstallTokenService.checkTokenValidityForAllPolicies() | ||
| ).rejects.toThrowError('Uninstall Token is missing the token.'); |
There was a problem hiding this comment.
Could we try to improve this error message? It's not particularly helpful to users in its current state. We could provide something like:
Invalid uninstall token for policy ID ${policyId}. Saved object is missing the "token" attribute.
|
Pinging @elastic/fleet (Team:Fleet) |
We should be able to get into this state by encrypting values once -> changing the encryption key in
|
I'm not sure we can disable agent tamper protection at this point, if encryption key and therefore message signing key is changed, so maybe all we can do is inform the user about the issue, and unblock accessing Fleet pages. I think we should continue investigation, but I'd propose to add this quick fix to tomorrow's 8.11.2 FF. @kpollich, what do you think about this approach? |
SGTM in interest of getting this in for feature freeze 👍 |
Agree with this one. Right now we're ignoring the fact that ESO is returning an error (in the body) so we'll need to add a check for this in |
|
Unblocking Fleet setup with explicit errors messages available in logs is the way to go here. Even if we don't have any real logic, if we can detect the error from the ESO plugin and surface it in Fleet's setup logs that will be good enough here. |
|
@joeypoon @kpollich 👉 please approve the PR if it looks good, approval is needed for the merge 👉 @joeypoon I'd appreciate if you could merge the PR if it looks good, so it can make it before FF - I'm signing off for today |
| ({ id: _id, attributes, created_at: createdAt }) => { | ||
| ({ id: _id, attributes, created_at: createdAt, error }) => { | ||
| if (error) { | ||
| throw new UninstallTokenError(`Error when reading Uninstall Token: ${error.message}`); |
There was a problem hiding this comment.
I think it may be safer to not have error.message within the error here since we don't own what's in the error and it may potentially contain sensitive data. I don't think it's blocking since from what I can tell looking at ESO code, they never expose the sensitive data in the error messages. But given that this is something that can change at anytime and ESO already logs these errors on their end, I think we should update this in a follow up to not contain error.message.
💔 Build FailedFailed CI StepsMetrics [docs]
History
To update your PR or re-run it, just comment with: |
… uninstall tokens (elastic#172058) ## Summary This PR is the `8.12` port of: - elastic#171998 The original PR was opened to `8.11` to make it faster to include it in `8.12.2`. Now this PR is meant to port the changes to `main`, so: - we can build upon it, - and can easily backport any further changes to `8.11.x` > [!Important] > The changes cannot be tested on `main` because they are hidden by other behaviours (namely the retry logic for reading Message SIgning key) that weren't part of `8.11`. Those behaviours will be also adapted in follow up PRs.
…eet setup (#172072) ## Summary When encryption key is rotated improperly, Message Signing key retrieval is retried infinitely, and because this is done in Fleet setup, none of the Fleet pages are loaded when the user tries to visit any of them. This PR re-configures the retry logic so it now attempts significantly less times than infinite. Also, it changes the errors to non-fatal from the Fleet setup point of view, similarly to these PRs: - #171998 - #172058 ## Reproducing the encryption key issue - setup a Kibana, add at least one policy (probably Fleet policy is enough) - modify (or add a new) encryption key in your `kibana.dev.yml`: ```yml xpack.encryptedSavedObjects.encryptionKey: "some-random-encryption-key-min-32-bytes" ``` ## Screenshots After ~15 sec of loading spinner, this is what the user sees:  ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Summary
This PR should help in case of an improper encryption key rotation. Prior to this PR, the user was blocked on Fleet setup:
This PR does the following:
prohibits user to enable tamper protection when the given policy's uninstall token cannot be decrypted
no change: still throws error when trying to decrypt
Reproducing the encryption key issue
kibana.dev.yml:Checklist
Delete any items that are not applicable to this PR.