diff --git a/x-pack/plugins/ingest_manager/server/plugin.ts b/x-pack/plugins/ingest_manager/server/plugin.ts index e060eb5e8068ba..fcdb6387fed3ae 100644 --- a/x-pack/plugins/ingest_manager/server/plugin.ts +++ b/x-pack/plugins/ingest_manager/server/plugin.ts @@ -54,7 +54,7 @@ import { AgentService, datasourceService, } from './services'; -import { getAgentStatusById } from './services/agents'; +import { getAgentStatusById, authenticateAgentWithAccessToken } from './services/agents'; import { CloudSetup } from '../../cloud/server'; import { agentCheckinState } from './services/agents/checkin/state'; @@ -256,6 +256,7 @@ export class IngestManagerPlugin esIndexPatternService: new ESIndexPatternSavedObjectService(), agentService: { getAgentStatusById, + authenticateAgentWithAccessToken, }, datasourceService, registerExternalCallback: (...args: ExternalCallback) => { diff --git a/x-pack/plugins/ingest_manager/server/routes/agent/acks_handlers.test.ts b/x-pack/plugins/ingest_manager/server/routes/agent/acks_handlers.test.ts index 84923d5c336642..aaed189ae3dddf 100644 --- a/x-pack/plugins/ingest_manager/server/routes/agent/acks_handlers.test.ts +++ b/x-pack/plugins/ingest_manager/server/routes/agent/acks_handlers.test.ts @@ -77,7 +77,7 @@ describe('test acks handlers', () => { id: 'action1', }, ]), - getAgentByAccessAPIKeyId: jest.fn().mockReturnValueOnce({ + authenticateAgentWithAccessToken: jest.fn().mockReturnValueOnce({ id: 'agent', }), getSavedObjectsClientContract: jest.fn().mockReturnValueOnce(mockSavedObjectsClient), diff --git a/x-pack/plugins/ingest_manager/server/routes/agent/acks_handlers.ts b/x-pack/plugins/ingest_manager/server/routes/agent/acks_handlers.ts index 83d894295c3126..0b719d8a67df74 100644 --- a/x-pack/plugins/ingest_manager/server/routes/agent/acks_handlers.ts +++ b/x-pack/plugins/ingest_manager/server/routes/agent/acks_handlers.ts @@ -9,7 +9,6 @@ import { RequestHandler } from 'kibana/server'; import { TypeOf } from '@kbn/config-schema'; import { PostAgentAcksRequestSchema } from '../../types/rest_spec'; -import * as APIKeyService from '../../services/api_keys'; import { AcksService } from '../../services/agents'; import { AgentEvent } from '../../../common/types/models'; import { PostAgentAcksResponse } from '../../../common/types/rest_spec'; @@ -24,8 +23,7 @@ export const postAgentAcksHandlerBuilder = function ( return async (context, request, response) => { try { const soClient = ackService.getSavedObjectsClientContract(request); - const res = APIKeyService.parseApiKeyFromHeaders(request.headers); - const agent = await ackService.getAgentByAccessAPIKeyId(soClient, res.apiKeyId as string); + const agent = await ackService.authenticateAgentWithAccessToken(soClient, request); const agentEvents = request.body.events as AgentEvent[]; // validate that all events are for the authorized agent obtained from the api key diff --git a/x-pack/plugins/ingest_manager/server/routes/agent/handlers.ts b/x-pack/plugins/ingest_manager/server/routes/agent/handlers.ts index 0d1c77b8d697fd..d31498599a2b65 100644 --- a/x-pack/plugins/ingest_manager/server/routes/agent/handlers.ts +++ b/x-pack/plugins/ingest_manager/server/routes/agent/handlers.ts @@ -171,8 +171,7 @@ export const postAgentCheckinHandler: RequestHandler< > = async (context, request, response) => { try { const soClient = appContextService.getInternalUserSOClient(request); - const res = APIKeyService.parseApiKeyFromHeaders(request.headers); - const agent = await AgentService.getAgentByAccessAPIKeyId(soClient, res.apiKeyId); + const agent = await AgentService.authenticateAgentWithAccessToken(soClient, request); const abortController = new AbortController(); request.events.aborted$.subscribe(() => { abortController.abort(); diff --git a/x-pack/plugins/ingest_manager/server/routes/agent/index.ts b/x-pack/plugins/ingest_manager/server/routes/agent/index.ts index 87eee4622c80b6..eaab46c7b455c3 100644 --- a/x-pack/plugins/ingest_manager/server/routes/agent/index.ts +++ b/x-pack/plugins/ingest_manager/server/routes/agent/index.ts @@ -109,7 +109,7 @@ export const registerRoutes = (router: IRouter) => { }, postAgentAcksHandlerBuilder({ acknowledgeAgentActions: AgentService.acknowledgeAgentActions, - getAgentByAccessAPIKeyId: AgentService.getAgentByAccessAPIKeyId, + authenticateAgentWithAccessToken: AgentService.authenticateAgentWithAccessToken, getSavedObjectsClientContract: appContextService.getInternalUserSOClient.bind( appContextService ), diff --git a/x-pack/plugins/ingest_manager/server/services/agents/acks.ts b/x-pack/plugins/ingest_manager/server/services/agents/acks.ts index 81ba9754e8aa48..a1b48a879bb890 100644 --- a/x-pack/plugins/ingest_manager/server/services/agents/acks.ts +++ b/x-pack/plugins/ingest_manager/server/services/agents/acks.ts @@ -140,9 +140,9 @@ export interface AcksService { actionIds: AgentEvent[] ) => Promise; - getAgentByAccessAPIKeyId: ( + authenticateAgentWithAccessToken: ( soClient: SavedObjectsClientContract, - accessAPIKeyId: string + request: KibanaRequest ) => Promise; getSavedObjectsClientContract: (kibanaRequest: KibanaRequest) => SavedObjectsClientContract; diff --git a/x-pack/plugins/ingest_manager/server/services/agents/authenticate.test.ts b/x-pack/plugins/ingest_manager/server/services/agents/authenticate.test.ts new file mode 100644 index 00000000000000..b56ca4ca8cc177 --- /dev/null +++ b/x-pack/plugins/ingest_manager/server/services/agents/authenticate.test.ts @@ -0,0 +1,154 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { KibanaRequest } from 'kibana/server'; +import { savedObjectsClientMock } from 'src/core/server/mocks'; + +import { authenticateAgentWithAccessToken } from './authenticate'; + +describe('test agent autenticate services', () => { + it('should succeed with a valid API key and an active agent', async () => { + const mockSavedObjectsClient = savedObjectsClientMock.create(); + mockSavedObjectsClient.find.mockReturnValue( + Promise.resolve({ + page: 1, + per_page: 100, + total: 1, + saved_objects: [ + { + id: 'agent1', + type: 'agent', + references: [], + score: 0, + attributes: { + active: true, + access_api_key_id: 'pedTuHIBTEDt93wW0Fhr', + }, + }, + ], + }) + ); + await authenticateAgentWithAccessToken(mockSavedObjectsClient, { + auth: { isAuthenticated: true }, + headers: { + authorization: 'ApiKey cGVkVHVISUJURUR0OTN3VzBGaHI6TnU1U0JtbHJSeC12Rm9qQWpoSHlUZw==', + }, + } as KibanaRequest); + }); + + it('should throw if the request is not authenticated', async () => { + const mockSavedObjectsClient = savedObjectsClientMock.create(); + mockSavedObjectsClient.find.mockReturnValue( + Promise.resolve({ + page: 1, + per_page: 100, + total: 1, + saved_objects: [ + { + id: 'agent1', + type: 'agent', + references: [], + score: 0, + attributes: { + active: true, + access_api_key_id: 'pedTuHIBTEDt93wW0Fhr', + }, + }, + ], + }) + ); + expect( + authenticateAgentWithAccessToken(mockSavedObjectsClient, { + auth: { isAuthenticated: false }, + headers: { + authorization: 'ApiKey cGVkVHVISUJURUR0OTN3VzBGaHI6TnU1U0JtbHJSeC12Rm9qQWpoSHlUZw==', + }, + } as KibanaRequest) + ).rejects.toThrow(/Request not authenticated/); + }); + + it('should throw if the ApiKey headers is malformed', async () => { + const mockSavedObjectsClient = savedObjectsClientMock.create(); + mockSavedObjectsClient.find.mockReturnValue( + Promise.resolve({ + page: 1, + per_page: 100, + total: 1, + saved_objects: [ + { + id: 'agent1', + type: 'agent', + references: [], + score: 0, + attributes: { + active: false, + access_api_key_id: 'pedTuHIBTEDt93wW0Fhr', + }, + }, + ], + }) + ); + expect( + authenticateAgentWithAccessToken(mockSavedObjectsClient, { + auth: { isAuthenticated: true }, + headers: { + authorization: 'aaaa', + }, + } as KibanaRequest) + ).rejects.toThrow(/Authorization header is malformed/); + }); + + it('should throw if the agent is not active', async () => { + const mockSavedObjectsClient = savedObjectsClientMock.create(); + mockSavedObjectsClient.find.mockReturnValue( + Promise.resolve({ + page: 1, + per_page: 100, + total: 1, + saved_objects: [ + { + id: 'agent1', + type: 'agent', + references: [], + score: 0, + attributes: { + active: false, + access_api_key_id: 'pedTuHIBTEDt93wW0Fhr', + }, + }, + ], + }) + ); + expect( + authenticateAgentWithAccessToken(mockSavedObjectsClient, { + auth: { isAuthenticated: true }, + headers: { + authorization: 'ApiKey cGVkVHVISUJURUR0OTN3VzBGaHI6TnU1U0JtbHJSeC12Rm9qQWpoSHlUZw==', + }, + } as KibanaRequest) + ).rejects.toThrow(/Agent inactive/); + }); + + it('should throw if there is no agent matching the API key', async () => { + const mockSavedObjectsClient = savedObjectsClientMock.create(); + mockSavedObjectsClient.find.mockReturnValue( + Promise.resolve({ + page: 1, + per_page: 100, + total: 1, + saved_objects: [], + }) + ); + expect( + authenticateAgentWithAccessToken(mockSavedObjectsClient, { + auth: { isAuthenticated: true }, + headers: { + authorization: 'ApiKey cGVkVHVISUJURUR0OTN3VzBGaHI6TnU1U0JtbHJSeC12Rm9qQWpoSHlUZw==', + }, + } as KibanaRequest) + ).rejects.toThrow(/Agent not found/); + }); +}); diff --git a/x-pack/plugins/ingest_manager/server/services/agents/authenticate.ts b/x-pack/plugins/ingest_manager/server/services/agents/authenticate.ts new file mode 100644 index 00000000000000..2515a02da4e781 --- /dev/null +++ b/x-pack/plugins/ingest_manager/server/services/agents/authenticate.ts @@ -0,0 +1,30 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import Boom from 'boom'; +import { KibanaRequest, SavedObjectsClientContract } from 'src/core/server'; +import { Agent } from '../../types'; +import * as APIKeyService from '../api_keys'; +import { getAgentByAccessAPIKeyId } from './crud'; + +export async function authenticateAgentWithAccessToken( + soClient: SavedObjectsClientContract, + request: KibanaRequest +): Promise { + if (!request.auth.isAuthenticated) { + throw Boom.unauthorized('Request not authenticated'); + } + let res: { apiKey: string; apiKeyId: string }; + try { + res = APIKeyService.parseApiKeyFromHeaders(request.headers); + } catch (err) { + throw Boom.unauthorized(err.message); + } + + const agent = await getAgentByAccessAPIKeyId(soClient, res.apiKeyId); + + return agent; +} diff --git a/x-pack/plugins/ingest_manager/server/services/agents/index.ts b/x-pack/plugins/ingest_manager/server/services/agents/index.ts index 257091af0ebd0a..400c099af4e936 100644 --- a/x-pack/plugins/ingest_manager/server/services/agents/index.ts +++ b/x-pack/plugins/ingest_manager/server/services/agents/index.ts @@ -14,3 +14,4 @@ export * from './crud'; export * from './update'; export * from './actions'; export * from './reassign'; +export * from './authenticate';