Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Return actionable error message when enrolling #6144

Merged

Conversation

kaanyalti
Copy link
Contributor

@kaanyalti kaanyalti commented Nov 25, 2024

  • Enhancement

What does this PR do?

This PR adds checks to the enroll command to respond with an error message in case the user executing the command and the user that's the owner of the elastic program files don't match. Replaces #6038 based on the following comment

Why is it important?

Currently there are no checks in place to prevent or correct the situation where a user who is not the owner of the program files executes enroll. This leads to a broken state.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool
  • I have added an integration test or an E2E test

How to test this PR locally

The testing steps are only for linux and mac

  • Deploy ess, install agent in unprivileged mode and enroll into fleet
  • Unenroll the agent from the fleet ui
  • Run the enroll command as root user and validate the error message

Related issues

Copy link
Contributor

mergify bot commented Nov 25, 2024

This pull request does not have a backport label. Could you fix it @kaanyalti? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit

Copy link
Contributor

mergify bot commented Nov 25, 2024

backport-v8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

@mergify mergify bot added the backport-8.x Automated backport to the 8.x branch with mergify label Nov 25, 2024
@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team label Nov 26, 2024
@kaanyalti kaanyalti changed the title Reexec enroll command if the user and file owner don't match Add error message to linux and mac for the enroll command Nov 26, 2024
@kaanyalti kaanyalti force-pushed the enhancement/4889_enroll_match_file_owner branch from 6834e0b to 38be49e Compare November 26, 2024 21:35
@kaanyalti kaanyalti marked this pull request as ready for review November 26, 2024 21:35
@kaanyalti kaanyalti requested a review from a team as a code owner November 26, 2024 21:35
@elasticmachine
Copy link
Contributor

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

@kaanyalti kaanyalti changed the title Add error message to linux and mac for the enroll command Return actionable error message when enrolling Nov 26, 2024
@kaanyalti kaanyalti force-pushed the enhancement/4889_enroll_match_file_owner branch from 5718b15 to 1d02094 Compare November 27, 2024 10:25
return fmt.Errorf("ran into an error while figuring out if user is allowed to execute the enroll command")
}
if !isEnroll {
return UserOwnerMismatchError
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On Windows you cannot actually open a shell as the elastic-agent-user so how would they be able to run enroll command on Windows as the elastic-agent-user.

Copy link
Contributor Author

@kaanyalti kaanyalti Dec 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can return an error message stating the fact that user cannot execute the command as admin for windows. Linux/mac error message can still mention running the command as the elastic-agent-user

internal/pkg/agent/cmd/enroll_match_fileowner_unix.go Outdated Show resolved Hide resolved
Copy link
Contributor

mergify bot commented Dec 5, 2024

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b enhancement/4889_enroll_match_file_owner upstream/enhancement/4889_enroll_match_file_owner
git merge upstream/main
git push upstream enhancement/4889_enroll_match_file_owner

@kaanyalti kaanyalti force-pushed the enhancement/4889_enroll_match_file_owner branch 3 times, most recently from 4da5297 to 7e8b714 Compare December 7, 2024 03:33
Copy link
Member

@pchila pchila left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good overall, some refactoring may be needed on the tests to make sure we keep relevant behavior tests rather than unit tests that are too small and too fine-grained

A couple of comments about error handling to avoid swallowing inner errors that should be addressed before merging though

internal/pkg/agent/cmd/enroll.go Outdated Show resolved Hide resolved
internal/pkg/agent/cmd/enroll.go Outdated Show resolved Hide resolved
internal/pkg/agent/cmd/enroll_match_fileowner_unix.go Outdated Show resolved Hide resolved
internal/pkg/agent/cmd/enroll_match_fileowner_windows.go Outdated Show resolved Hide resolved
Comment on lines 55 to 69
func TestIsFileOwnerWindows(t *testing.T) {
var token windows.Token
err := windows.OpenProcessToken(windows.CurrentProcess(), windows.TOKEN_QUERY, &token)
require.NoError(t, err)
defer token.Close()

tokenUser, err := token.GetTokenUser()
require.NoError(t, err)

tStr := tokenUser.User.Sid.String()

eq, err := isFileOwner(tStr, tStr)
require.NoError(t, err)
require.True(t, eq, fmt.Sprintf("expected \"true\" received \"%v\"", eq))
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if this and the corresponding unix unit test really add value.. If I am reading this correctly in both cases we are testing equality of a user id (UID or Sid) to itself and the equality boils down to a string comparison (with some extra steps in windows case, granted)
I feel this is kinda implied in TestGetFileOwner* and (as a bonus) we can write a single test for both unix and windows implementations without the need of tags in the test files (I am assuming that the ownership of the files and dirs in windows is correctly set when creating the directories and files, if that is not the case we may still need some OS-specific setup sadly

Copy link
Contributor Author

@kaanyalti kaanyalti Dec 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mainly added the unit tests to satisfy sonarqube requirements. I think the integration test covers the behaviour well enough. That being said, the TestGetFileOwner and TestIsFileOwner tests are redundant when TestIsOwnerExec already covers what the other two tests cover. I will remove the unnecessary tests right away. When it comes to having a single test file, unfortunately as you suspected, windows does not set the file ownership correctly. I have to explicitly set it. So I don't think I can combine them both, unless I go with runtime.GOOS check.

testing/integration/enroll_unprivileged_test.go Outdated Show resolved Hide resolved
@kaanyalti kaanyalti force-pushed the enhancement/4889_enroll_match_file_owner branch 2 times, most recently from 346eed7 to 49d887b Compare December 13, 2024 15:47
Copy link
Contributor

@michalpristas michalpristas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tested on darwin and windows. works ok

thanks for addressing all the comments

@kaanyalti kaanyalti force-pushed the enhancement/4889_enroll_match_file_owner branch from 340cd78 to ce809c1 Compare December 18, 2024 16:08
@kaanyalti kaanyalti merged commit c4835ca into elastic:main Dec 19, 2024
13 checks passed
@kaanyalti kaanyalti deleted the enhancement/4889_enroll_match_file_owner branch December 19, 2024 02:58
mergify bot pushed a commit that referenced this pull request Dec 19, 2024
* enhancement(4889): updated enroll command to reexec the command if the executing user and binary owner don't match, added tests

* enhancement(4889): added savepassword function

* enhancement(4889): removed user impersonation, implemented noop for windows, updated integration tests

* enhancement(4889): added changelog

* enhancement(4889): added windows implementation

* enhancement(4889): added license headers

* enhancement(4889): update test case to execute different commands based on os

* enhancement(4889): ran mage clean

* enhancement(4889): updated function name, updated integration tests

* enhancmenet(4889): updated function name

* enhancement(4889): updated function name, fixed test assertions

* enhancement(4889): update error messages

* enhancement(4889): ran mage update

* enhancements(4889): fix integration test

* enhancement(4889): remove commented code

* enhancement(4889): commiting now, don't push though

* enhancement(4889): added windows unit test

* enhancement(4889): close test file

* enhancement(4889): updated isOwnerExec function, added tests

* enchancement(4889): added log in test

* enhancement(4889): remove unused types

* enhancement(4889): added test for isOwnerExec for windows

* enhancement(4889): added unix tests, ran mage addLicenseHeaders

* enhancement(4889): added testisfileownerunix test

* enhancement(4889): added TestIsOwnerExecUnix test

* enhancement(4889): updated test function name

* enhancement(4889): set file ownership of the test file

* enhancement(4889): remove unnecessary change

* enhancment(4889): updated iOwnerExec windows test

* enhancement(4889): fix file creation in tests

* Update internal/pkg/agent/cmd/enroll.go

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* Update internal/pkg/agent/cmd/enroll_match_fileowner_windows.go

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* Update internal/pkg/agent/cmd/enroll_match_fileowner_unix.go

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* enhancement(4889): updated summary and issue in changelog

* enhancement(4889): updated variable name, wrap error when returning error

* enhancement(4889): added comments describing isOwnerExec. fixed type problems with stat.Uid

* enhancement(4889): refactored isOwnerExec return

* enhancement(4889): differentiating between sid errors

* enhancment(4889): removed redundant unit tests

* enhancement(4889): update command execution in integration tests

---------

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>
(cherry picked from commit c4835ca)
jlind23 pushed a commit that referenced this pull request Dec 19, 2024
* enhancement(4889): updated enroll command to reexec the command if the executing user and binary owner don't match, added tests

* enhancement(4889): added savepassword function

* enhancement(4889): removed user impersonation, implemented noop for windows, updated integration tests

* enhancement(4889): added changelog

* enhancement(4889): added windows implementation

* enhancement(4889): added license headers

* enhancement(4889): update test case to execute different commands based on os

* enhancement(4889): ran mage clean

* enhancement(4889): updated function name, updated integration tests

* enhancmenet(4889): updated function name

* enhancement(4889): updated function name, fixed test assertions

* enhancement(4889): update error messages

* enhancement(4889): ran mage update

* enhancements(4889): fix integration test

* enhancement(4889): remove commented code

* enhancement(4889): commiting now, don't push though

* enhancement(4889): added windows unit test

* enhancement(4889): close test file

* enhancement(4889): updated isOwnerExec function, added tests

* enchancement(4889): added log in test

* enhancement(4889): remove unused types

* enhancement(4889): added test for isOwnerExec for windows

* enhancement(4889): added unix tests, ran mage addLicenseHeaders

* enhancement(4889): added testisfileownerunix test

* enhancement(4889): added TestIsOwnerExecUnix test

* enhancement(4889): updated test function name

* enhancement(4889): set file ownership of the test file

* enhancement(4889): remove unnecessary change

* enhancment(4889): updated iOwnerExec windows test

* enhancement(4889): fix file creation in tests

* Update internal/pkg/agent/cmd/enroll.go

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* Update internal/pkg/agent/cmd/enroll_match_fileowner_windows.go

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* Update internal/pkg/agent/cmd/enroll_match_fileowner_unix.go

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* enhancement(4889): updated summary and issue in changelog

* enhancement(4889): updated variable name, wrap error when returning error

* enhancement(4889): added comments describing isOwnerExec. fixed type problems with stat.Uid

* enhancement(4889): refactored isOwnerExec return

* enhancement(4889): differentiating between sid errors

* enhancment(4889): removed redundant unit tests

* enhancement(4889): update command execution in integration tests

---------

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>
(cherry picked from commit c4835ca)

Co-authored-by: Kaan Yalti <kaan.yalti@elastic.co>
@jlind23
Copy link
Contributor

jlind23 commented Dec 19, 2024

@kaanyalti shall we backport this to 8.17 too? For now by backporting to 8.x it will only be included in 8.18

@kaanyalti
Copy link
Contributor Author

@jlind23 I think we can, I don't see any reason not to backport it to 8.17.

@ycombinator ycombinator added the backport-8.17 Automated backport with mergify label Dec 20, 2024
mergify bot pushed a commit that referenced this pull request Dec 20, 2024
* enhancement(4889): updated enroll command to reexec the command if the executing user and binary owner don't match, added tests

* enhancement(4889): added savepassword function

* enhancement(4889): removed user impersonation, implemented noop for windows, updated integration tests

* enhancement(4889): added changelog

* enhancement(4889): added windows implementation

* enhancement(4889): added license headers

* enhancement(4889): update test case to execute different commands based on os

* enhancement(4889): ran mage clean

* enhancement(4889): updated function name, updated integration tests

* enhancmenet(4889): updated function name

* enhancement(4889): updated function name, fixed test assertions

* enhancement(4889): update error messages

* enhancement(4889): ran mage update

* enhancements(4889): fix integration test

* enhancement(4889): remove commented code

* enhancement(4889): commiting now, don't push though

* enhancement(4889): added windows unit test

* enhancement(4889): close test file

* enhancement(4889): updated isOwnerExec function, added tests

* enchancement(4889): added log in test

* enhancement(4889): remove unused types

* enhancement(4889): added test for isOwnerExec for windows

* enhancement(4889): added unix tests, ran mage addLicenseHeaders

* enhancement(4889): added testisfileownerunix test

* enhancement(4889): added TestIsOwnerExecUnix test

* enhancement(4889): updated test function name

* enhancement(4889): set file ownership of the test file

* enhancement(4889): remove unnecessary change

* enhancment(4889): updated iOwnerExec windows test

* enhancement(4889): fix file creation in tests

* Update internal/pkg/agent/cmd/enroll.go

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* Update internal/pkg/agent/cmd/enroll_match_fileowner_windows.go

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* Update internal/pkg/agent/cmd/enroll_match_fileowner_unix.go

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* enhancement(4889): updated summary and issue in changelog

* enhancement(4889): updated variable name, wrap error when returning error

* enhancement(4889): added comments describing isOwnerExec. fixed type problems with stat.Uid

* enhancement(4889): refactored isOwnerExec return

* enhancement(4889): differentiating between sid errors

* enhancment(4889): removed redundant unit tests

* enhancement(4889): update command execution in integration tests

---------

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>
(cherry picked from commit c4835ca)
jlind23 pushed a commit that referenced this pull request Dec 20, 2024
* enhancement(4889): updated enroll command to reexec the command if the executing user and binary owner don't match, added tests

* enhancement(4889): added savepassword function

* enhancement(4889): removed user impersonation, implemented noop for windows, updated integration tests

* enhancement(4889): added changelog

* enhancement(4889): added windows implementation

* enhancement(4889): added license headers

* enhancement(4889): update test case to execute different commands based on os

* enhancement(4889): ran mage clean

* enhancement(4889): updated function name, updated integration tests

* enhancmenet(4889): updated function name

* enhancement(4889): updated function name, fixed test assertions

* enhancement(4889): update error messages

* enhancement(4889): ran mage update

* enhancements(4889): fix integration test

* enhancement(4889): remove commented code

* enhancement(4889): commiting now, don't push though

* enhancement(4889): added windows unit test

* enhancement(4889): close test file

* enhancement(4889): updated isOwnerExec function, added tests

* enchancement(4889): added log in test

* enhancement(4889): remove unused types

* enhancement(4889): added test for isOwnerExec for windows

* enhancement(4889): added unix tests, ran mage addLicenseHeaders

* enhancement(4889): added testisfileownerunix test

* enhancement(4889): added TestIsOwnerExecUnix test

* enhancement(4889): updated test function name

* enhancement(4889): set file ownership of the test file

* enhancement(4889): remove unnecessary change

* enhancment(4889): updated iOwnerExec windows test

* enhancement(4889): fix file creation in tests

* Update internal/pkg/agent/cmd/enroll.go

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* Update internal/pkg/agent/cmd/enroll_match_fileowner_windows.go

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* Update internal/pkg/agent/cmd/enroll_match_fileowner_unix.go

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* enhancement(4889): updated summary and issue in changelog

* enhancement(4889): updated variable name, wrap error when returning error

* enhancement(4889): added comments describing isOwnerExec. fixed type problems with stat.Uid

* enhancement(4889): refactored isOwnerExec return

* enhancement(4889): differentiating between sid errors

* enhancment(4889): removed redundant unit tests

* enhancement(4889): update command execution in integration tests

---------

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>
(cherry picked from commit c4835ca)

Co-authored-by: Kaan Yalti <kaan.yalti@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport-8.x Automated backport to the 8.x branch with mergify backport-8.17 Automated backport with mergify Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Actionable error message when attempting to enroll an unprivileged Agent as a privileged user
8 participants