[EDR Workflows][Fleet] Improve uninstall token validation in Fleet setup #175679
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fd983c2 to
472cf04
Compare
|
/ci |
f6c1354 to
5a18b3c
Compare
5a18b3c to
a846f8d
Compare
|
Pinging @elastic/security-defend-workflows (Team:Defend Workflows) |
| @@ -583,6 +583,9 @@ export class FleetPlugin | |||
| } | |||
| ); | |||
|
|
|||
| // initialize (generate/encrypt/validate) Uninstall Tokens asynchronously | |||
| this.initializeUninstallTokens(); | |||
There was a problem hiding this comment.
The change looks good to me, my only concern is what happens if there is an unexpected error coming from this function, it would stop the Fleet plugin from starting. We should probably make sure to catch any possible errors.
There was a problem hiding this comment.
that makes sense, thanks for the suggestion!
added it here, and unified the error handling of the two functions for generation and validation: a170752
joeypoon
approved these changes
Jan 31, 2024
|
|
||
| if (appContextService.getEncryptedSavedObjectsSetup()?.canEncrypt) { | ||
| logger.debug('Checking for and encrypting plain text uninstall tokens'); | ||
| await appContextService.getUninstallTokenService()?.encryptTokens(); |
There was a problem hiding this comment.
not a big speed gain but we can probably leave this async since nothing depends on it being encrypted.
There was a problem hiding this comment.
I left the await here, so every task that possibly modify tokens (generation and encryption) finishes first, before validation starts on the same dataset, so we validate the final results
the Fleet plugin start does not wait for any of these sequential steps, though
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]
History
To update your PR or re-run it, just comment with: |
fkanout
pushed a commit
to fkanout/kibana
that referenced
this pull request
Feb 7, 2024
…tup (elastic#175679) ## Summary This PR is a proposal for improving Uninstall Token validation inside Fleet. Any feedback from @elastic/fleet team is very welcome 🙌 What it does: - moves Uninstall Token generation and validation from Fleet Setup to Fleet plugin start in order to not perform these steps every time `POST api/fleet/setup` is called - adds a summary to issues with uninstall tokens to Kibana logs e.g. ``` [2024-01-30T12:53:31.803+01:00][ERROR][plugins.encryptedSavedObjects] Failed to decrypt attribute "token" of saved object "fleet-uninstall-tokens,fb652173-7e07-47c1-8f42-e469d789d7ca": Unsupported state or unable to authenticate data [2024-01-30T12:53:31.885+01:00][ERROR][plugins.encryptedSavedObjects] Failed to decrypt attribute "token" of saved object "fleet-uninstall-tokens,2c34c587-f81c-4534-80e3-f45fb0d0c3f9": Unsupported state or unable to authenticate data [2024-01-30T12:53:31.886+01:00][ERROR][plugins.encryptedSavedObjects] Failed to decrypt attribute "token" of saved object "fleet-uninstall-tokens,e4d8cf22-0d8d-43c6-b21a-e11e7aea9932": Unsupported state or unable to authenticate data [2024-01-30T12:53:32.522+01:00][WARN ][plugins.fleet] Failed to decrypt 3 of 1130 Uninstall Token(s) ``` ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
CoenWarmer
pushed a commit
to CoenWarmer/kibana
that referenced
this pull request
Feb 15, 2024
…tup (elastic#175679) ## Summary This PR is a proposal for improving Uninstall Token validation inside Fleet. Any feedback from @elastic/fleet team is very welcome 🙌 What it does: - moves Uninstall Token generation and validation from Fleet Setup to Fleet plugin start in order to not perform these steps every time `POST api/fleet/setup` is called - adds a summary to issues with uninstall tokens to Kibana logs e.g. ``` [2024-01-30T12:53:31.803+01:00][ERROR][plugins.encryptedSavedObjects] Failed to decrypt attribute "token" of saved object "fleet-uninstall-tokens,fb652173-7e07-47c1-8f42-e469d789d7ca": Unsupported state or unable to authenticate data [2024-01-30T12:53:31.885+01:00][ERROR][plugins.encryptedSavedObjects] Failed to decrypt attribute "token" of saved object "fleet-uninstall-tokens,2c34c587-f81c-4534-80e3-f45fb0d0c3f9": Unsupported state or unable to authenticate data [2024-01-30T12:53:31.886+01:00][ERROR][plugins.encryptedSavedObjects] Failed to decrypt attribute "token" of saved object "fleet-uninstall-tokens,e4d8cf22-0d8d-43c6-b21a-e11e7aea9932": Unsupported state or unable to authenticate data [2024-01-30T12:53:32.522+01:00][WARN ][plugins.fleet] Failed to decrypt 3 of 1130 Uninstall Token(s) ``` ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
fkanout
pushed a commit
to fkanout/kibana
that referenced
this pull request
Mar 4, 2024
…tup (elastic#175679) ## Summary This PR is a proposal for improving Uninstall Token validation inside Fleet. Any feedback from @elastic/fleet team is very welcome 🙌 What it does: - moves Uninstall Token generation and validation from Fleet Setup to Fleet plugin start in order to not perform these steps every time `POST api/fleet/setup` is called - adds a summary to issues with uninstall tokens to Kibana logs e.g. ``` [2024-01-30T12:53:31.803+01:00][ERROR][plugins.encryptedSavedObjects] Failed to decrypt attribute "token" of saved object "fleet-uninstall-tokens,fb652173-7e07-47c1-8f42-e469d789d7ca": Unsupported state or unable to authenticate data [2024-01-30T12:53:31.885+01:00][ERROR][plugins.encryptedSavedObjects] Failed to decrypt attribute "token" of saved object "fleet-uninstall-tokens,2c34c587-f81c-4534-80e3-f45fb0d0c3f9": Unsupported state or unable to authenticate data [2024-01-30T12:53:31.886+01:00][ERROR][plugins.encryptedSavedObjects] Failed to decrypt attribute "token" of saved object "fleet-uninstall-tokens,e4d8cf22-0d8d-43c6-b21a-e11e7aea9932": Unsupported state or unable to authenticate data [2024-01-30T12:53:32.522+01:00][WARN ][plugins.fleet] Failed to decrypt 3 of 1130 Uninstall Token(s) ``` ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
|
tested on 8.13 BC4:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR is a proposal for improving Uninstall Token validation inside Fleet. Any feedback from @elastic/fleet team is very welcome 🙌
What it does:
POST api/fleet/setupis callede.g.
Checklist
Delete any items that are not applicable to this PR.