[8.17](backport #6144) Return actionable error message when enrolling #6421

Merged
merged 1 commit into from
Dec 20, 2024


mergify[bot]

@mergify mergify bot commented Dec 20, 2024

  • Enhancement

What does this PR do?

This PR adds checks to the enroll command to respond with an error message in case the user executing the command and the user that's the owner of the elastic program files don't match. Replaces #6038 based on the following comment.

Why is it important?

Currently there are no checks in place to prevent or correct the situation where a user who is not the owner of the program files executes enroll. This leads to a broken state.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool
  • I have added an integration test or an E2E test

How to test this PR locally

The testing steps are only for Linux and Mac

  • Deploy ess, install agent in unprivileged mode and enroll into fleet
  • Unenroll the agent from the fleet ui
  • Run the enroll command as root user and validate the error message

Related issues

* enhancement(4889): updated enroll command to reexec the command if the executing user and binary owner don't match, added tests

* enhancement(4889): added savepassword function

* enhancement(4889): removed user impersonation, implemented noop for windows, updated integration tests

* enhancement(4889): added changelog

* enhancement(4889): added windows implementation

* enhancement(4889): added license headers

* enhancement(4889): update test case to execute different commands based on os

* enhancement(4889): ran mage clean

* enhancement(4889): updated function name, updated integration tests

* enhancement(4889): updated function name

* enhancement(4889): updated function name, fixed test assertions

* enhancement(4889): update error messages

* enhancement(4889): ran mage update

* enhancements(4889): fix integration test

* enhancement(4889): remove commented code

* enhancement(4889): committing now, don't push though

* enhancement(4889): added windows unit test

* enhancement(4889): close test file

* enhancement(4889): updated isOwnerExec function, added tests

* enhancement(4889): added log in test

* enhancement(4889): remove unused types

* enhancement(4889): added test for isOwnerExec for windows

* enhancement(4889): added unix tests, ran mage addLicenseHeaders

* enhancement(4889): added testisfileownerunix test

* enhancement(4889): added TestIsOwnerExecUnix test

* enhancement(4889): updated test function name

* enhancement(4889): set file ownership of the test file

* enhancement(4889): remove unnecessary change

* enhancement(4889): updated iOwnerExec windows test

* enhancement(4889): fix file creation in tests

* Update internal/pkg/agent/cmd/enroll.go

Co-authored-by: Paolo Chilà <[email protected]>

* Update internal/pkg/agent/cmd/enroll_match_fileowner_windows.go

Co-authored-by: Paolo Chilà <[email protected]>

* Update internal/pkg/agent/cmd/enroll_match_fileowner_unix.go

Co-authored-by: Paolo Chilà <[email protected]>

* enhancement(4889): updated summary and issue in changelog

* enhancement(4889): updated variable name, wrap error when returning error

* enhancement(4889): added comments describing isOwnerExec. fixed type problems with stat.Uid

* enhancement(4889): refactored isOwnerExec return

* enhancement(4889): differentiating between sid errors

* enhancement(4889): removed redundant unit tests

* enhancement(4889): update command execution in integration tests

---------

Co-authored-by: Paolo Chilà <[email protected]>
(cherry picked from commit c4835ca)
@mergify mergify bot added the backport label Dec 20, 2024
@mergify mergify bot requested a review from a team as a code owner December 20, 2024 00:41
@mergify mergify bot requested review from kaanyalti and andrzej-stencel and removed request for a team December 20, 2024 00:41
@jlind23 jlind23 merged commit 53230b9 into 8.17 Dec 20, 2024
15 checks passed
@jlind23 jlind23 deleted the mergify/bp/8.17/pr-6144 branch December 20, 2024 05:14
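
The kind of ownership check the PR description refers to, as an added example for Linux and macOS; this is not the project's code. The names `checkOwner`, `fileOwnerUID` and `ErrOwnerMismatch` are hypothetical, and it assumes (following the test steps above) that root is rejected like any other user who does not own the files.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// ErrOwnerMismatch is a hypothetical sentinel so callers can test for this case.
var ErrOwnerMismatch = errors.New("executing user does not own the program files")

// fileOwnerUID returns the numeric owner of path (Unix-like systems only).
func fileOwnerUID(path string) (uint32, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, fmt.Errorf("stat %q: %w", path, err)
	}
	st, ok := info.Sys().(*syscall.Stat_t)
	if !ok {
		return 0, fmt.Errorf("no Unix ownership data for %q", path)
	}
	return st.Uid, nil
}

// checkOwner fails with an actionable message when euid is not the owner of
// path. Root is treated like any other non-owner (assumption, see lead-in).
func checkOwner(path string, euid int) error {
	owner, err := fileOwnerUID(path)
	if err != nil {
		return err
	}
	if euid < 0 || uint32(euid) != owner {
		return fmt.Errorf("%w: %s is owned by uid %d but the command runs as uid %d; re-run it as the owning user",
			ErrOwnerMismatch, path, owner, euid)
	}
	return nil
}

func main() {
	exe, err := os.Executable()
	if err == nil {
		err = checkOwner(exe, os.Geteuid())
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to continue:", err)
		os.Exit(1)
	}
	fmt.Println("owner matches, continuing")
}
```

Wrapping the sentinel with `%w` lets callers distinguish an ownership mismatch from a failed `stat` with `errors.Is`, so only the former produces the "re-run as the owning user" guidance.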