From e7053c4550237e239b9abb86a0a8de052f25d4db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20Fern=C3=A1ndez=20G=C3=B3mez?=
Date: Tue, 13 Apr 2021 12:01:42 +0200
Subject: [PATCH] Use config flag to send tight permissions with the agent

---
 .../fleet/server/services/agent_policy.ts | 57 +++++++++++--------
 1 file changed, 33 insertions(+), 24 deletions(-)

diff --git a/x-pack/plugins/fleet/server/services/agent_policy.ts b/x-pack/plugins/fleet/server/services/agent_policy.ts
index 50abe11cdbb4d..054fa3d6baff0 100644
--- a/x-pack/plugins/fleet/server/services/agent_policy.ts
+++ b/x-pack/plugins/fleet/server/services/agent_policy.ts
@@ -38,7 +38,7 @@ import {
 AGENT_POLICY_INDEX,
 DEFAULT_FLEET_SERVER_AGENT_POLICY,
 } from '../../common';
-import type { PackagePermissions } from '../../common';
+import type { FullAgentPolicyOutputPermissions, PackagePermissions } from '../../common';
 import type {
 DeleteAgentPolicyResponse,
 Settings,
@@ -749,31 +749,40 @@ class AgentPolicyService {
 }),
 };
 
- const permissions = Object.fromEntries(
- await Promise.all(
- // Original type is `string[] | PackagePolicy[]`, but TS doesn't allow to `map()` over that.
- (agentPolicy.package_policies as Array).map(
- async (packagePolicy): Promise<[string, PackagePermissions]> => {
- if (typeof packagePolicy === 'string' || !packagePolicy.package) {
- return ['_fallback', DEFAULT_PERMISSIONS];
+ const hasTightPermissions = appContextService.getConfig()?.agents.agentPolicyTightPermissions;
+ let permissions: FullAgentPolicyOutputPermissions;
+
+ if (hasTightPermissions) {
+ permissions = Object.fromEntries(
+ await Promise.all(
+ // Original type is `string[] | PackagePolicy[]`, but TS doesn't allow to `map()` over that.
+ (agentPolicy.package_policies as Array).map(
+ async (packagePolicy): Promise<[string, PackagePermissions]> => {
+ if (typeof packagePolicy === 'string' || !packagePolicy.package) {
+ return ['_fallback', DEFAULT_PERMISSIONS];
+ }
+
+ const { name, version } = packagePolicy.package;
+
+ const packagePermissions = await getPackagePermissions(
+ soClient,
+ name,
+ version,
+ packagePolicy.namespace
+ );
+
+ return packagePermissions
+ ? [packagePolicy.name, packagePermissions]
+ : ['_fallback', DEFAULT_PERMISSIONS];
 }
-
- const { name, version } = packagePolicy.package;
-
- const packagePermissions = await getPackagePermissions(
- soClient,
- name,
- version,
- packagePolicy.namespace
- );
-
- return packagePermissions
- ? [packagePolicy.name, packagePermissions]
- : ['_fallback', DEFAULT_PERMISSIONS];
- }
+ )
 )
- )
- );
+ );
+ } else {
+ permissions = {
+ _fallback: DEFAULT_PERMISSIONS,
+ };
+ }
 
 // Only add permissions if output.type is "elasticsearch"
 fullAgentPolicy.output_permissions = Object.keys(fullAgentPolicy.outputs).reduce<
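Review bot: Least-privilege output permissions are opt-in here: when `agentPolicyTightPermissions` is unset, or `getConfig()` returns nothing, `hasTightPermissions` is falsy and the `else` branch gives the policy only `_fallback: DEFAULT_PERMISSIONS`, with no log line. `DEFAULT_PERMISSIONS` is defined outside this hunk, but it is presumably the broader set, so a missing setting quietly fails open. Inside the tight branch the same fallback applies per entry: a string entry, or a package for which `getPackagePermissions` returns nothing, puts `_fallback` back into an otherwise narrowed policy. I would add `// Opt-in: without agents.agentPolicyTightPermissions every agent gets DEFAULT_PERMISSIONS` above the flag read, and log a warning whenever a `_fallback` entry is emitted while the flag is on. The enclosing method starts and ends outside the hunk.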