Igor api key validation

e2e/_suites/fleet/features/fleet_mode_agent.feature

@@ -73,12 +73,13 @@ Examples: Debian
 | os     |
 | debian |
 
-@unenroll
+@un-enroll-with-revoke
 @skip:windows
-Scenario Outline: Un-enrolling the <os> agent deactivates the agent
+Scenario Outline: Un-enrolling with revoke the <os> agent deactivates the agent
   Given a "<os>" agent is deployed to Fleet with "tar" installer
   When the agent is un-enrolled
   Then the agent is listed in Fleet as "inactive"
+     And the agent Api key invalidated "true"
 
 @centos
 Examples: Centos
@@ -90,6 +91,24 @@ Examples: Debian
 | os     |
 | debian |
 
+@un-enroll-without-revoke
+@skip:windows
+Scenario Outline: Un-enrolling without revoke the <os> deactivates the agent
+  Given a "<os>" agent is deployed to Fleet with "tar" installer
+  When the agent is un-enrolled without revoke
+  Then the agent is listed in Fleet as "inactive"
+     And the agent Api key invalidated "true"
+
+@centos
+Examples: Centos
+| os     |
+| centos |
+
+@debian
+Examples: Debian
+  | os     |
+  | debian |
+
 @reenroll
 @skip:windows
 Scenario Outline: Re-enrolling the <os> agent activates the agent in Fleet

e2e/_suites/fleet/fleet.go

@@ -11,6 +11,8 @@ import (
 	"os"
 	"path/filepath"
 	"runtime"
+	"strconv"
+
 	"strings"
 	"time"
 
@@ -62,6 +64,7 @@ type FleetTestSuite struct {
 	// instrumentation
 	currentContext context.Context
 	DefaultAPIKey  string
+	AgentId        string
 }
 
 // afterScenario destroys the state created by a scenario
@@ -104,7 +107,7 @@ func (fts *FleetTestSuite) afterScenario() {
 			_ = fts.deployer.Logs(fts.currentContext, agentService)
 		}
 
-		err := fts.unenrollHostname()
+		err := fts.unenrollHostname(true)
 		if err != nil {
 			manifest, _ := fts.deployer.Inspect(fts.currentContext, agentService)
 			log.WithFields(log.Fields{
@@ -167,8 +170,10 @@ func (fts *FleetTestSuite) contributeSteps(s *godog.ScenarioContext) {
 	s.Step(`^the host is restarted$`, fts.theHostIsRestarted)
 	s.Step(`^system package dashboards are listed in Fleet$`, fts.systemPackageDashboardsAreListedInFleet)
 	s.Step(`^the agent is un-enrolled$`, fts.theAgentIsUnenrolled)
+	s.Step(`^the agent is un-enrolled without revoke$`, fts.theAgentIsUnenrolledWithoutRevoke)
 	s.Step(`^the agent is re-enrolled on the host$`, fts.theAgentIsReenrolledOnTheHost)
 	s.Step(`^the enrollment token is revoked$`, fts.theEnrollmentTokenIsRevoked)
+	s.Step(`^the agent Api key invalidated "(([^"]*))"$`, fts.theAgentApiKeyIsInvalidated)
 	s.Step(`^an attempt to enroll a new agent fails$`, fts.anAttemptToEnrollANewAgentFails)
 	s.Step(`^the "([^"]*)" process is "([^"]*)" on the host$`, fts.processStateChangedOnTheHost)
 	s.Step(`^the file system Agent folder is empty$`, fts.theFileSystemAgentFolderIsEmpty)
@@ -713,7 +718,6 @@ func theAgentIsListedInFleetWithStatus(ctx context.Context, desiredStatus string
 			retryCount++
 			return err
 		}
-
 		if agentID == "" {
 			// the agent is not listed in Fleet
 			if desiredStatus == "offline" || desiredStatus == "inactive" {
@@ -873,7 +877,11 @@ func (fts *FleetTestSuite) systemPackageDashboardsAreListedInFleet() error {
 }
 
 func (fts *FleetTestSuite) theAgentIsUnenrolled() error {
-	return fts.unenrollHostname()
+	return fts.unenrollHostname(true)
+}
+
+func (fts *FleetTestSuite) theAgentIsUnenrolledWithoutRevoke() error {
+	return fts.unenrollHostname(false)
 }
 
 func (fts *FleetTestSuite) theAgentIsReenrolledOnTheHost() error {
@@ -1253,7 +1261,7 @@ func (fts *FleetTestSuite) anAttemptToEnrollANewAgentFails() error {
 }
 
 // unenrollHostname deletes the statuses for an existing agent, filtering by hostname
-func (fts *FleetTestSuite) unenrollHostname() error {
+func (fts *FleetTestSuite) unenrollHostname(revoke bool) error {
 	span, _ := apm.StartSpanOptions(fts.currentContext, "Unenrolling hostname", "elastic-agent.hostname.unenroll", apm.SpanOptions{
 		Parent: apm.SpanFromContext(fts.currentContext).TraceContext(),
 	})
@@ -1274,7 +1282,8 @@ func (fts *FleetTestSuite) unenrollHostname() error {
 				"hostname": manifest.Hostname,
 			}).Debug("Un-enrolling agent in Fleet")
 
-			err := fts.kibanaClient.UnEnrollAgent(fts.currentContext, agent.LocalMetadata.Host.HostName)
+			fts.AgentId = agent.ID
+			err := fts.kibanaClient.UnEnrollAgent(fts.currentContext, agent.LocalMetadata.Host.HostName, revoke)
 			if err != nil {
 				return err
 			}
@@ -1600,3 +1609,38 @@ func (fts *FleetTestSuite) theMetricsInTheDataStream(name string, set string) er
 
 	return nil
 }
+
+func (fts *FleetTestSuite) theAgentApiKeyIsInvalidated(invalidated string) error {
+	invalidatedBool, _ := strconv.ParseBool(invalidated)
+	body, err := elasticsearch.GetSecurityApiKey()
+	if err != nil {
+		log.WithFields(log.Fields{
+			"Error": err,
+		}).Error("Could not return Security Api Keys")
+		return err
+	}
+	if err != nil {
+		log.WithFields(log.Fields{
+			"error":        err,
+			"responseBody": body,
+		}).Error("Could not parse response into JSON")
+		return err
+	}
+
+	for _, item := range body.Children() {
+		if item.Path("name").Data().(string) == fts.AgentId {
+			if item.Path("invalidated").Data().(bool) == invalidatedBool {
+				log.WithFields(log.Fields{
+					"agentId": fts.AgentId,
+				}).Info("The agent Api key invalidated: ", item.Path("invalidated").Data().(bool))
+			} else {
+				log.WithFields(log.Fields{
+					"agentId": fts.AgentId,
+				}).Error("The agent Api key invalidated: ", item.Path("invalidated").Data().(bool))
+				return errors.New("The agent Api key invalidated is should be: " + invalidated)
+			}
+		}
+	}
+
+	return nil
+}

internal/elasticsearch/client.go

@@ -9,6 +9,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"github.com/Jeffail/gabs/v2"
 	"net"
 	"net/http"
 	"net/url"
@@ -369,3 +370,39 @@ func WaitForNumberOfHits(ctx context.Context, indexName string, query map[string
 	err := backoff.Retry(numberOfHits, exp)
 	return result, err
 }
+
+// GetSecurityApiKey waits for the elasticsearch SecurityApiKey to return the list of Api Keys.
+func GetSecurityApiKey() (*gabs.Container, error) {
+
+	r := curl.HTTPRequest{
+		URL:               "http://localhost:9200/_security/api_key?",
+		BasicAuthPassword: "changeme",
+		BasicAuthUser:     "elastic",
+	}
+
+	response, err := curl.Get(r)
+	if err != nil {
+		log.WithFields(log.Fields{
+			"error":          err,
+			"statusEndpoint": r.URL,
+		}).Warn("The Elasticsearch Cat Indices API is not available yet")
+
+		return nil, err
+	}
+
+	log.WithFields(log.Fields{
+		"statusEndpoint": r.URL,
+	}).Trace("The Elasticsearch Console SecurityApiKey API is available")
+
+	jsonParsed, err := gabs.ParseJSON([]byte(response))
+	if err != nil {
+		log.WithFields(log.Fields{
+			"error":        err,
+			"responseBody": jsonParsed,
+		}).Error("Could not parse response into JSON")
+		return jsonParsed, err
+	}
+	data := jsonParsed.Path("api_keys")
+
+	return data, err
+}

internal/kibana/agents.go

@@ -78,6 +78,7 @@ func (c *Client) GetAgentIDByHostname(ctx context.Context, hostname string) (str
 		"agentId":  agent.ID,
 		"hostname": hostname,
 	}).Trace("Agent Id found")
+
 	return agent.ID, nil
 }
 
@@ -245,7 +246,8 @@ func (c *Client) ListAgents(ctx context.Context) ([]Agent, error) {
 }
 
 // UnEnrollAgent unenrolls agent from fleet
-func (c *Client) UnEnrollAgent(ctx context.Context, hostname string) error {
+func (c *Client) UnEnrollAgent(ctx context.Context, hostname string, revoke bool) error {
+	var reqBody = `{}`
 	span, _ := apm.StartSpanOptions(ctx, "UnEnrolling Elastic Agent by hostname", "fleet.agent.un-enroll", apm.SpanOptions{
 		Parent: apm.SpanFromContext(ctx).TraceContext(),
 	})
@@ -256,7 +258,12 @@ func (c *Client) UnEnrollAgent(ctx context.Context, hostname string) error {
 		return err
 	}
 
-	reqBody := `{"revoke": true}`
+	if revoke == true {
+		reqBody = `{"revoke": true}`
+	}
+	log.WithFields(log.Fields{
+		"body": reqBody,
+	}).Info("This is the body")
 	statusCode, respBody, _ := c.post(ctx, fmt.Sprintf("%s/agents/%s/unenroll", FleetAPI, agentID), []byte(reqBody))
 	if statusCode != 200 {
 		return fmt.Errorf("could not unenroll agent; API status code = %d, response body = %s", statusCode, respBody)

internal/kibana/url_prefixes.go

@@ -22,6 +22,9 @@ const (
 
 	// EndpointAPI is the endpoint API
 	EndpointAPI = "/api/endpoint"
+
+	// ConsoleAPI is the console API
+	ConsoleAPI = "/api/console"
 )
 
 // getBaseURL will pull in the baseurl or an alternative host based on settings