[SECURITY_SOLUTION][ENDPOINT] Create artifact manifests with new rela…

…tive URL (if fleet-server is enabled) (#94499) * When xpack.securitySolution.fleetServerEnabled is true, then Endpoint artifact manifest will use a fleet-server relative url for the artifacts generated (note: this flag is temporary until we ship v7.13) * Refactors the security solution fleet integration extension point callbacks so that some action handlers can be executed in parallel (the creation of detection engine prepackaged rules can sometime take some time to complete
elastic · Mar 15, 2021 · 8390629 · 8390629
1 parent 3e1a3da
commit 8390629
Show file tree

Hide file tree

Showing 17 changed files with 457 additions and 247 deletions.
diff --git a/x-pack/plugins/fleet/server/index.ts b/x-pack/plugins/fleet/server/index.ts
@@ -79,6 +79,8 @@ export type FleetConfigType = TypeOf<typeof config.schema>;
 
 export { PackagePolicyServiceInterface } from './services/package_policy';
 
+export { relativeDownloadUrlFromArtifact } from './services/artifacts/mappings';
+
 export const plugin = (initializerContext: PluginInitializerContext) => {
   return new FleetPlugin(initializerContext);
 };
diff --git a/x-pack/plugins/security_solution/server/endpoint/endpoint_app_context_services.ts b/x-pack/plugins/security_solution/server/endpoint/endpoint_app_context_services.ts
@@ -24,7 +24,7 @@ import { PluginStartContract as AlertsPluginStartContract } from '../../../alert
 import {
   getPackagePolicyCreateCallback,
   getPackagePolicyUpdateCallback,
-} from './ingest_integration';
+} from '../fleet_integration/fleet_integration';
 import { ManifestManager } from './services/artifacts';
 import { MetadataQueryStrategy } from './types';
 import { MetadataQueryStrategyVersions } from '../../common/endpoint/types';

diff --git a/x-pack/plugins/security_solution/server/endpoint/ingest_integration.ts b/x-pack/plugins/security_solution/server/endpoint/ingest_integration.ts
diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest.test.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest.test.ts
@@ -10,6 +10,7 @@ import { InternalArtifactCompleteSchema } from '../../schemas';
 import { getArtifactId } from './common';
 import { isEmptyManifestDiff, Manifest } from './manifest';
 import { getMockArtifacts, toArtifactRecords } from './mocks';
+import { cloneDeepWith, CloneDeepWithCustomizer } from 'lodash';
 
 describe('manifest', () => {
   const TEST_POLICY_ID_1 = 'c6d16e42-c32d-4dce-8a88-113cfe276ad1';
@@ -694,4 +695,50 @@ describe('manifest', () => {
       expect(isEmptyManifestDiff(diff)).toBe(false);
     });
   });
+
+  describe('and Fleet Server is enabled', () => {
+    const convertToFleetServerRelativeUrl: CloneDeepWithCustomizer<unknown> = (value, key) => {
+      if (key === 'relative_url') {
+        return value.replace('/api/endpoint/artifacts/download/', '/api/fleet/artifacts/');
+      }
+    };
+    let manifest: Manifest;
+
+    beforeEach(() => {
+      manifest = new Manifest({ schemaVersion: 'v1', semanticVersion: '1.0.0' }, true);
+
+      manifest.addEntry(ARTIFACT_EXCEPTIONS_MACOS);
+      manifest.addEntry(ARTIFACT_EXCEPTIONS_WINDOWS);
+      manifest.addEntry(ARTIFACT_EXCEPTIONS_WINDOWS, TEST_POLICY_ID_1);
+      manifest.addEntry(ARTIFACT_TRUSTED_APPS_MACOS, TEST_POLICY_ID_1);
+    });
+
+    test('should write manifest for global artifacts with fleet-server relative url', () => {
+      expect(manifest.toPackagePolicyManifest()).toStrictEqual({
+        schema_version: 'v1',
+        manifest_version: '1.0.0',
+        artifacts: cloneDeepWith(
+          toArtifactRecords({
+            'endpoint-exceptionlist-windows-v1': ARTIFACT_EXCEPTIONS_WINDOWS,
+            'endpoint-exceptionlist-macos-v1': ARTIFACT_EXCEPTIONS_MACOS,
+          }),
+          convertToFleetServerRelativeUrl
+        ),
+      });
+    });
+
+    test('should write policy specific manifest with fleet-server relative url', () => {
+      expect(manifest.toPackagePolicyManifest(TEST_POLICY_ID_1)).toStrictEqual({
+        schema_version: 'v1',
+        manifest_version: '1.0.0',
+        artifacts: cloneDeepWith(
+          toArtifactRecords({
+            'endpoint-exceptionlist-windows-v1': ARTIFACT_EXCEPTIONS_WINDOWS,
+            'endpoint-trustlist-macos-v1': ARTIFACT_TRUSTED_APPS_MACOS,
+          }),
+          convertToFleetServerRelativeUrl
+        ),
+      });
+    });
+  });
 });
diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest.ts
@@ -56,7 +56,10 @@ export class Manifest {
   private readonly policySpecificEntries: Map<string, Map<string, ManifestEntry>>;
   private version: ManifestVersion;
 
-  constructor(version?: Partial<ManifestVersion>) {
+  constructor(
+    version?: Partial<ManifestVersion>,
+    private readonly isFleetServerEnabled: boolean = false
+  ) {
     this.allEntries = new Map();
     this.defaultEntries = new Map();
     this.policySpecificEntries = new Map();
@@ -75,8 +78,8 @@ export class Manifest {
     this.version = validated;
   }
 
-  public static getDefault(schemaVersion?: ManifestSchemaVersion) {
-    return new Manifest({ schemaVersion, semanticVersion: '1.0.0' });
+  public static getDefault(schemaVersion?: ManifestSchemaVersion, isFleetServerEnabled?: boolean) {
+    return new Manifest({ schemaVersion, semanticVersion: '1.0.0' }, isFleetServerEnabled);
   }
 
   public bumpSemanticVersion() {
@@ -104,7 +107,7 @@ export class Manifest {
     const descriptor = {
       isDefaultEntry: existingDescriptor?.isDefaultEntry || policyId === undefined,
       specificTargetPolicies: addValueToSet(existingDescriptor?.specificTargetPolicies, policyId),
-      entry: existingDescriptor?.entry || new ManifestEntry(artifact),
+      entry: existingDescriptor?.entry || new ManifestEntry(artifact, this.isFleetServerEnabled),
     };
 
     this.allEntries.set(descriptor.entry.getDocId(), descriptor);

diff --git a/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.ts b/x-pack/plugins/security_solution/server/endpoint/lib/artifacts/manifest_entry.ts
@@ -9,11 +9,12 @@ import { InternalArtifactSchema } from '../../schemas/artifacts';
 import { CompressionAlgorithm } from '../../../../common/endpoint/schema/common';
 import { ManifestEntrySchema } from '../../../../common/endpoint/schema/manifest';
 import { getArtifactId } from './common';
+import { relativeDownloadUrlFromArtifact } from '../../../../../fleet/server';
 
 export class ManifestEntry {
   private artifact: InternalArtifactSchema;
 
-  constructor(artifact: InternalArtifactSchema) {
+  constructor(artifact: InternalArtifactSchema, private isFleetServerEnabled: boolean = false) {
     this.artifact = artifact;
   }
 
@@ -46,6 +47,13 @@ export class ManifestEntry {
   }
 
   public getUrl(): string {
+    if (this.isFleetServerEnabled) {
+      return relativeDownloadUrlFromArtifact({
+        identifier: this.getIdentifier(),
+        decodedSha256: this.getDecodedSha256(),
+      });
+    }
+
     return `/api/endpoint/artifacts/download/${this.getIdentifier()}/${this.getDecodedSha256()}`;
   }