Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add secret_paths attributes to policies sent to agents #3908

Merged

Conversation

michel-laterman
Copy link
Contributor

What is the problem this PR solves?

Agent cannot determine where secrets have been injected into a policy.

How does this PR solve the problem?

Add a new attribute secret_paths to the policy data sent to agents. This attribute is a list of keys where the fleet-server has repalced a reference with a secret value. The agent is expected to redact the values of these keys when outputting policy data.

Design Checklist

  • I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
  • I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
  • I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.

Checklist

  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool

Add a new attribute "secret_paths" to the policy data sent to agents.
This attribute is a list of keys where the fleet-server has repalced a
reference with a secret value. The agent is expected to redact the
values of these keys when outputting policy data.
@michel-laterman michel-laterman added enhancement New feature or request Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team labels Sep 16, 2024
Copy link
Contributor

mergify bot commented Sep 16, 2024

This pull request does not have a backport label. Could you fix it @michel-laterman? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit

Copy link
Contributor

mergify bot commented Sep 16, 2024

backport-8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

@mergify mergify bot added the backport-8.x Automated backport to the 8.x branch with mergify label Sep 16, 2024
@michel-laterman michel-laterman marked this pull request as ready for review September 20, 2024 20:05
@michel-laterman michel-laterman requested a review from a team as a code owner September 20, 2024 20:05
@@ -522,6 +522,11 @@ components:
id:
description: The policy's ID.
type: string
secret_paths:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this is outside of the signed section of the policy, in theory it could be modified to cause agent to not redact secrets locally couldn't it?

To put it in the signed section of the policy, we'd have to determine which fields contain secrets in Kibana instead, because that is where the signing key resides.

Is there a reason why we can't put these in Kibana?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, thinking more deeply, I was thinking through a scenario where someone had intercepted the checkin response, and wanted to to force the agent to disclose secrets by removing the redaction hints.

However, if they have the checkin response after Fleet Server has touched it and added these keys, they already have the replaced secret values that Fleet Server inserted.

So I don't think there is a point in doing this because it doesn't protect us from anything.

@cmacknz
Copy link
Member

cmacknz commented Sep 26, 2024

In addition to my bigger picture question about being able to sign the secret_paths, SonarQube says there are some non-error paths in replaceSliceRefs that have no test coverage.

case string:
ref, replaced := replaceStringRef(value, secrets)
if replaced {
keys = append(keys, fmt.Sprintf("[%d]", i))
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm going to delay merging this as I think go-ucfg uses . when accessing array values.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

elastic/elastic-agent#5621
go-ucfg does use . when accessing arrays

@michel-laterman michel-laterman merged commit 4864cf4 into elastic:main Oct 1, 2024
8 checks passed
@michel-laterman michel-laterman deleted the policy-change-list-secert-keys branch October 1, 2024 16:00
mergify bot pushed a commit that referenced this pull request Oct 1, 2024
Add a new attribute "secret_paths" to the policy data sent to agents.
This attribute is a list of keys where the fleet-server has repalced a
reference with a secret value. The agent is expected to redact the
values of these keys when outputting policy data.

(cherry picked from commit 4864cf4)
michel-laterman added a commit that referenced this pull request Oct 1, 2024
Add a new attribute "secret_paths" to the policy data sent to agents.
This attribute is a list of keys where the fleet-server has repalced a
reference with a secret value. The agent is expected to redact the
values of these keys when outputting policy data.

(cherry picked from commit 4864cf4)

Co-authored-by: Michel Laterman <82832767+michel-laterman@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport-8.x Automated backport to the 8.x branch with mergify enhancement New feature or request Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants