[Fleet] Handler api key creation errors when Fleet Admin is invalid

elastic · Nov 30, 2020 · 56170a6 · 56170a6
1 parent 7ba6c73
commit 56170a6
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 10 deletions.
diff --git a/...fleet/sections/agents/enrollment_token_list_page/components/new_enrollment_key_flyout.tsx b/...fleet/sections/agents/enrollment_token_list_page/components/new_enrollment_key_flyout.tsx
@@ -46,6 +46,9 @@ function useCreateApiKeyForm(
           policy_id: policyIdInput.value,
         }),
       });
+      if (res.error) {
+        throw res.error;
+      }
       policyIdInput.clear();
       apiKeyNameInput.clear();
       setIsLoading(false);

diff --git a/x-pack/plugins/fleet/server/errors/index.ts b/x-pack/plugins/fleet/server/errors/index.ts
@@ -5,7 +5,11 @@
  */
 
 /* eslint-disable max-classes-per-file */
-export { defaultIngestErrorHandler, ingestErrorToResponseOptions } from './handlers';
+export {
+  defaultIngestErrorHandler,
+  ingestErrorToResponseOptions,
+  isLegacyESClientError,
+} from './handlers';
 
 export class IngestManagerError extends Error {
   constructor(message?: string) {
@@ -24,3 +28,4 @@ export class PackageUnsupportedMediaTypeError extends IngestManagerError {}
 export class PackageInvalidArchiveError extends IngestManagerError {}
 export class PackageCacheError extends IngestManagerError {}
 export class PackageOperationNotSupportedError extends IngestManagerError {}
+export class FleetAdminUserInvalidError extends IngestManagerError {}
diff --git a/x-pack/plugins/fleet/server/services/api_keys/security.ts b/x-pack/plugins/fleet/server/services/api_keys/security.ts
@@ -5,6 +5,7 @@
  */
 
 import { KibanaRequest, FakeRequest, SavedObjectsClientContract } from 'src/core/server';
+import { FleetAdminUserInvalidError, isLegacyESClientError } from '../../errors';
 import { CallESAsCurrentUser } from '../../types';
 import { appContextService } from '../app_context';
 import { outputService } from '../output';
@@ -30,10 +31,22 @@ export async function createAPIKey(
     throw new Error('Missing security plugin');
   }
 
-  return security.authc.createAPIKey(request as KibanaRequest, {
-    name,
-    role_descriptors: roleDescriptors,
-  });
+  try {
+    const key = await security.authc.createAPIKey(request as KibanaRequest, {
+      name,
+      role_descriptors: roleDescriptors,
+    });
+
+    return key;
+  } catch (err) {
+    if (isLegacyESClientError(err) && err.statusCode === 401) {
+      // Clear Fleet admin user cache as the user is probably not valid anymore
+      outputService.invalidateCache();
+      throw new FleetAdminUserInvalidError(`Fleet Admin user is invalid: ${err.message}`);
+    }
+
+    throw err;
+  }
 }
 export async function authenticate(callCluster: CallESAsCurrentUser) {
   try {
@@ -64,7 +77,19 @@ export async function invalidateAPIKey(soClient: SavedObjectsClientContract, id:
     throw new Error('Missing security plugin');
   }
 
-  return security.authc.invalidateAPIKey(request as KibanaRequest, {
-    id,
-  });
+  try {
+    const res = await security.authc.invalidateAPIKey(request as KibanaRequest, {
+      id,
+    });
+
+    return res;
+  } catch (err) {
+    if (isLegacyESClientError(err) && err.statusCode === 401) {
+      // Clear Fleet admin user cache as the user is probably not valid anymore
+      outputService.invalidateCache();
+      throw new FleetAdminUserInvalidError(`Fleet Admin user is invalid: ${err.message}`);
+    }
+
+    throw err;
+  }
 }
diff --git a/x-pack/test/fleet_api_integration/apis/enrollment_api_keys/crud.ts b/x-pack/test/fleet_api_integration/apis/enrollment_api_keys/crud.ts
@@ -92,12 +92,12 @@ export default function (providerContext: FtrProviderContext) {
           .expect(400);
       });
 
-      it('should not allow to create an enrollment api key for a non existing agent policy', async () => {
+      it('should return a 400 if the fleet admin user is modifed outside of Fleet', async () => {
         await supertest
           .post(`/api/fleet/enrollment-api-keys`)
           .set('kbn-xsrf', 'xxx')
           .send({
-            policy_id: 'idonotexistspolicy',
+            raoul: 'raoul',
           })
           .expect(400);
       });
@@ -161,6 +161,34 @@ export default function (providerContext: FtrProviderContext) {
           },
         });
       });
+
+      describe('It should handle error when the Fleet user is invalid', () => {
+        before(async () => {});
+        after(async () => {
+          await getService('supertest')
+            .post(`/api/fleet/agents/setup`)
+            .set('kbn-xsrf', 'xxx')
+            .send({ forceRecreate: true });
+        });
+
+        it('should not allow to create an enrollment api key if the Fleet admin user is invalid', async () => {
+          await es.security.changePassword({
+            username: 'fleet_enroll',
+            body: {
+              password: Buffer.from((Math.random() * 10000000).toString()).toString('base64'),
+            },
+          });
+          const res = await supertest
+            .post(`/api/fleet/enrollment-api-keys`)
+            .set('kbn-xsrf', 'xxx')
+            .send({
+              policy_id: 'policy1',
+            })
+            .expect(400);
+
+          expect(res.body.message).match(/Fleet Admin user is Invalid/);
+        });
+      });
     });
   });
 }