Add explicit check for token and tamper protection in Uninstall func

elastic · Jun 19, 2024 · 2332b43 · 2332b43
1 parent 4ccdd09
commit 2332b43
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/changelog/fragments/1718833116-Check-for-tamper-protection-when-uninstalling.yaml b/changelog/fragments/1718833116-Check-for-tamper-protection-when-uninstalling.yaml
@@ -0,0 +1,34 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: bug
+
+# Change summary; a 80ish characters long description of the change.
+summary: Check for tamper protection when uninstalling
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+description: |
+  The uninstall function will now explictily check if tamper protection is enabled
+  and if a token has been passed before proceeding.
+
+# Affected component; a word indicating the component this changeset affects.
+component:
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+#pr: https://github.com/owner/repo/1234
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/elastic-agent/issues/4506
diff --git a/internal/pkg/agent/install/uninstall.go b/internal/pkg/agent/install/uninstall.go
@@ -37,6 +37,14 @@ import (
 
 // Uninstall uninstalls persistently Elastic Agent on the system.
 func Uninstall(cfgFile, topPath, uninstallToken string, log *logp.Logger, pt *progressbar.ProgressBar) error {
+	// Immediatly fail it tamper protection is enabled but no uninstallToken is specified
+	if features.TamperProtection() && uninstallToken == "" {
+		return aerrors.New(
+			fmt.Errorf("missing uninstall token"),
+			"tamper protection detected, elastic-agent uninstall command must be ran with a valid --uninstall-token arg",
+		)
+	}
+
 	cwd, err := os.Getwd()
 	if err != nil {
 		return fmt.Errorf("unable to get current working directory")