Revert "[Feature] Secondary fallback for package signature verificati…

…on (#3453)" (#3509) This reverts commit cdca211.
elastic · Oct 4, 2023 · e8dca50 · e8dca50
1 parent 619c90b
commit e8dca50
Show file tree

Hide file tree

Showing 11 changed files with 45 additions and 278 deletions.
diff --git a/changelog/fragments/1695289867-Secondary-fallback-for-package-signature-verification.yaml b/changelog/fragments/1695289867-Secondary-fallback-for-package-signature-verification.yaml
diff --git a/internal/pkg/agent/application/application.go b/internal/pkg/agent/application/application.go
@@ -161,7 +161,7 @@ func New(
 				EndpointSignedComponentModifier(),
 			)
 
-			managed, err = newManagedConfigManager(ctx, log, agentInfo, cfg, store, runtime, fleetInitTimeout, upgrader)
+			managed, err = newManagedConfigManager(ctx, log, agentInfo, cfg, store, runtime, fleetInitTimeout)
 			if err != nil {
 				return nil, nil, nil, err
 			}

diff --git a/internal/pkg/agent/application/managed_mode.go b/internal/pkg/agent/application/managed_mode.go
@@ -10,7 +10,6 @@ import (
 	"time"
 
 	"github.com/elastic/elastic-agent-client/v7/pkg/client"
-	"github.com/elastic/elastic-agent/internal/pkg/agent/application/actions"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/actions/handlers"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/coordinator"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/dispatcher"
@@ -39,18 +38,17 @@ import (
 const dispatchFlushInterval = time.Minute * 5
 
 type managedConfigManager struct {
-	log                  *logger.Logger
-	agentInfo            *info.AgentInfo
-	cfg                  *configuration.Configuration
-	client               *remote.Client
-	store                storage.Store
-	stateStore           *store.StateStore
-	actionQueue          *queue.ActionQueue
-	dispatcher           *dispatcher.ActionDispatcher
-	runtime              *runtime.Manager
-	coord                *coordinator.Coordinator
-	fleetInitTimeout     time.Duration
-	initialClientSetters []actions.ClientSetter
+	log              *logger.Logger
+	agentInfo        *info.AgentInfo
+	cfg              *configuration.Configuration
+	client           *remote.Client
+	store            storage.Store
+	stateStore       *store.StateStore
+	actionQueue      *queue.ActionQueue
+	dispatcher       *dispatcher.ActionDispatcher
+	runtime          *runtime.Manager
+	coord            *coordinator.Coordinator
+	fleetInitTimeout time.Duration
 
 	ch    chan coordinator.ConfigChange
 	errCh chan error
@@ -64,7 +62,6 @@ func newManagedConfigManager(
 	storeSaver storage.Store,
 	runtime *runtime.Manager,
 	fleetInitTimeout time.Duration,
-	clientSetters ...actions.ClientSetter,
 ) (*managedConfigManager, error) {
 	client, err := fleetclient.NewAuthWithConfig(log, cfg.Fleet.AccessAPIKey, cfg.Fleet.Client)
 	if err != nil {
@@ -91,19 +88,18 @@ func newManagedConfigManager(
 	}
 
 	return &managedConfigManager{
-		log:                  log,
-		agentInfo:            agentInfo,
-		cfg:                  cfg,
-		client:               client,
-		store:                storeSaver,
-		stateStore:           stateStore,
-		actionQueue:          actionQueue,
-		dispatcher:           actionDispatcher,
-		runtime:              runtime,
-		fleetInitTimeout:     fleetInitTimeout,
-		ch:                   make(chan coordinator.ConfigChange),
-		errCh:                make(chan error),
-		initialClientSetters: clientSetters,
+		log:              log,
+		agentInfo:        agentInfo,
+		cfg:              cfg,
+		client:           client,
+		store:            storeSaver,
+		stateStore:       stateStore,
+		actionQueue:      actionQueue,
+		dispatcher:       actionDispatcher,
+		runtime:          runtime,
+		fleetInitTimeout: fleetInitTimeout,
+		ch:               make(chan coordinator.ConfigChange),
+		errCh:            make(chan error),
 	}, nil
 }
 
@@ -200,9 +196,6 @@ func (m *managedConfigManager) Run(ctx context.Context) error {
 		policyChanger.AddSetter(gateway)
 		policyChanger.AddSetter(ack)
 	}
-	for _, cs := range m.initialClientSetters {
-		policyChanger.AddSetter(cs)
-	}
 
 	// Proxy errors from the gateway to our own channel.
 	gatewayErrorsRunner := runner.Start(context.Background(), func(ctx context.Context) error {

diff --git a/internal/pkg/agent/application/upgrade/artifact/download/fs/verifier.go b/internal/pkg/agent/application/upgrade/artifact/download/fs/verifier.go
@@ -124,7 +124,7 @@ func (v *Verifier) verifyAsc(fullPath string, skipDefaultPgp bool, pgpSources ..
 		if len(check) == 0 {
 			continue
 		}
-		raw, err := download.PgpBytesFromSource(v.log, check, &v.client)
+		raw, err := download.PgpBytesFromSource(v.log, check, v.client)
 		if err != nil {
 			return err
 		}

diff --git a/internal/pkg/agent/application/upgrade/artifact/download/http/verifier.go b/internal/pkg/agent/application/upgrade/artifact/download/http/verifier.go
@@ -125,7 +125,7 @@ func (v *Verifier) verifyAsc(a artifact.Artifact, version string, skipDefaultPgp
 		if len(check) == 0 {
 			continue
 		}
-		raw, err := download.PgpBytesFromSource(v.log, check, &v.client)
+		raw, err := download.PgpBytesFromSource(v.log, check, v.client)
 		if err != nil {
 			return err
 		}

diff --git a/internal/pkg/agent/application/upgrade/artifact/download/verifier.go b/internal/pkg/agent/application/upgrade/artifact/download/verifier.go
@@ -36,7 +36,6 @@ const (
 var (
 	ErrRemotePGPDownloadFailed = errors.New("Remote PGP download failed")
 	ErrInvalidLocation         = errors.New("Remote PGP location is invalid")
-	ErrUnknownPGPSource        = errors.New("unknown pgp source")
 )
 
 // warnLogger is a logger that only needs to implement Warnf, as that is the only functions
@@ -181,7 +180,7 @@ func VerifyGPGSignature(file string, asciiArmorSignature, publicKey []byte) erro
 	return nil
 }
 
-func PgpBytesFromSource(log warnLogger, source string, client HTTPClient) ([]byte, error) {
+func PgpBytesFromSource(log warnLogger, source string, client http.Client) ([]byte, error) {
 	if strings.HasPrefix(source, PgpSourceRawPrefix) {
 		return []byte(strings.TrimPrefix(source, PgpSourceRawPrefix)), nil
 	}
@@ -190,14 +189,11 @@ func PgpBytesFromSource(log warnLogger, source string, client HTTPClient) ([]byt
 		pgpBytes, err := fetchPgpFromURI(strings.TrimPrefix(source, PgpSourceURIPrefix), client)
 		if errors.Is(err, ErrRemotePGPDownloadFailed) || errors.Is(err, ErrInvalidLocation) {
 			log.Warnf("Skipped remote PGP located at %q because it's unavailable: %v", strings.TrimPrefix(source, PgpSourceURIPrefix), err)
-		} else if err != nil {
-			log.Warnf("Failed to fetch remote PGP")
 		}
-
 		return pgpBytes, nil
 	}
 
-	return nil, ErrUnknownPGPSource
+	return nil, errors.New("unknown pgp source")
 }
 
 func CheckValidDownloadUri(rawURI string) error {
@@ -213,7 +209,7 @@ func CheckValidDownloadUri(rawURI string) error {
 	return nil
 }
 
-func fetchPgpFromURI(uri string, client HTTPClient) ([]byte, error) {
+func fetchPgpFromURI(uri string, client http.Client) ([]byte, error) {
 	if err := CheckValidDownloadUri(uri); err != nil {
 		return nil, err
 	}
@@ -225,7 +221,7 @@ func fetchPgpFromURI(uri string, client HTTPClient) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	resp, err := client.Do(req)
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return nil, multierror.Append(err, ErrRemotePGPDownloadFailed)
 	}
@@ -237,7 +233,3 @@ func fetchPgpFromURI(uri string, client HTTPClient) ([]byte, error) {
 
 	return ioutil.ReadAll(resp.Body)
 }
-
-type HTTPClient interface {
-	Do(*http.Request) (*http.Response, error)
-}
diff --git a/internal/pkg/agent/application/upgrade/artifact/download/verifier_test.go b/internal/pkg/agent/application/upgrade/artifact/download/verifier_test.go
diff --git a/internal/pkg/agent/application/upgrade/step_download.go b/internal/pkg/agent/application/upgrade/step_download.go
@@ -7,7 +7,6 @@ package upgrade
 import (
 	"context"
 	"fmt"
-	"net/url"
 	"os"
 	"strings"
 	"time"
@@ -31,8 +30,7 @@ import (
 )
 
 const (
-	defaultUpgradeFallbackPGP     = "https://artifacts.elastic.co/GPG-KEY-elastic-agent"
-	fleetUpgradeFallbackPGPFormat = "/api/agents/upgrades/%d.%d.%d/pgp-public-key"
+	defaultUpgradeFallbackPGP = "https://artifacts.elastic.co/GPG-KEY-elastic-agent"
 )
 
 func (u *Upgrader) downloadArtifact(ctx context.Context, version, sourceURI string, skipVerifyOverride bool, skipDefaultPgp bool, pgpBytes ...string) (_ string, err error) {
@@ -42,7 +40,7 @@ func (u *Upgrader) downloadArtifact(ctx context.Context, version, sourceURI stri
 		span.End()
 	}()
 
-	pgpBytes = u.appendFallbackPGP(version, pgpBytes)
+	pgpBytes = appendFallbackPGP(pgpBytes)
 
 	// do not update source config
 	settings := *u.settings
@@ -89,35 +87,13 @@ func (u *Upgrader) downloadArtifact(ctx context.Context, version, sourceURI stri
 	return path, nil
 }
 
-func (u *Upgrader) appendFallbackPGP(targetVersion string, pgpBytes []string) []string {
+func appendFallbackPGP(pgpBytes []string) []string {
 	if pgpBytes == nil {
 		pgpBytes = make([]string, 0, 1)
 	}
 
 	fallbackPGP := download.PgpSourceURIPrefix + defaultUpgradeFallbackPGP
 	pgpBytes = append(pgpBytes, fallbackPGP)
-
-	// add a secondary fallback if fleet server is configured
-	u.log.Debugf("Considering fleet server uri for pgp check fallback %q", u.fleetServerURI)
-	if u.fleetServerURI != "" {
-		tpv, err := agtversion.ParseVersion(targetVersion)
-		if err != nil {
-			// best effort, log failure
-			u.log.Warnf("failed to parse agent version (%q) for secondary GPG fallback: %v", targetVersion, err)
-		} else {
-			secondaryPath, err := url.JoinPath(
-				u.fleetServerURI,
-				fmt.Sprintf(fleetUpgradeFallbackPGPFormat, tpv.Major(), tpv.Minor(), tpv.Patch()),
-			)
-			if err != nil {
-				u.log.Warnf("failed to compose Fleet Server URI: %v", err)
-			} else {
-				secondaryFallback := download.PgpSourceURIPrefix + secondaryPath
-				pgpBytes = append(pgpBytes, secondaryFallback)
-			}
-		}
-	}
-
 	return pgpBytes
 }