-
Notifications
You must be signed in to change notification settings - Fork 148
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Return actionable error message when enrolling #6144
Return actionable error message when enrolling #6144
Conversation
This pull request does not have a backport label. Could you fix it @kaanyalti? 🙏
|
|
6834e0b
to
38be49e
Compare
Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane) |
5718b15
to
1d02094
Compare
return fmt.Errorf("ran into an error while figuring out if user is allowed to execute the enroll command") | ||
} | ||
if !isEnroll { | ||
return UserOwnerMismatchError |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On Windows you cannot actually open a shell as the elastic-agent-user
so how would they be able to run enroll command on Windows as the elastic-agent-user
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can return an error message stating the fact that user cannot execute the command as admin for windows. Linux/mac error message can still mention running the command as the elastic-agent-user
This pull request is now in conflicts. Could you fix it? 🙏
|
4da5297
to
7e8b714
Compare
changelog/fragments/1732656422-add-actionable-error-message-for-enroll-command.yaml
Outdated
Show resolved
Hide resolved
changelog/fragments/1732656422-add-actionable-error-message-for-enroll-command.yaml
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good overall, some refactoring may be needed on the tests to make sure we keep relevant behavior tests rather than unit tests that are too small and too fine-grained
A couple of comments about error handling to avoid swallowing inner errors that should be addressed before merging though
func TestIsFileOwnerWindows(t *testing.T) { | ||
var token windows.Token | ||
err := windows.OpenProcessToken(windows.CurrentProcess(), windows.TOKEN_QUERY, &token) | ||
require.NoError(t, err) | ||
defer token.Close() | ||
|
||
tokenUser, err := token.GetTokenUser() | ||
require.NoError(t, err) | ||
|
||
tStr := tokenUser.User.Sid.String() | ||
|
||
eq, err := isFileOwner(tStr, tStr) | ||
require.NoError(t, err) | ||
require.True(t, eq, fmt.Sprintf("expected \"true\" received \"%v\"", eq)) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure if this and the corresponding unix unit test really add value.. If I am reading this correctly in both cases we are testing equality of a user id (UID or Sid) to itself and the equality boils down to a string comparison (with some extra steps in windows case, granted)
I feel this is kinda implied in TestGetFileOwner*
and (as a bonus) we can write a single test for both unix and windows implementations without the need of tags in the test files (I am assuming that the ownership of the files and dirs in windows is correctly set when creating the directories and files, if that is not the case we may still need some OS-specific setup sadly
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mainly added the unit tests to satisfy sonarqube requirements. I think the integration test covers the behaviour well enough. That being said, the TestGetFileOwner
and TestIsFileOwner
tests are redundant when TestIsOwnerExec
already covers what the other two tests cover. I will remove the unnecessary tests right away. When it comes to having a single test file, unfortunately as you suspected, windows does not set the file ownership correctly. I have to explicitly set it. So I don't think I can combine them both, unless I go with runtime.GOOS
check.
346eed7
to
49d887b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tested on darwin and windows. works ok
thanks for addressing all the comments
Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>
Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>
Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>
…problems with stat.Uid
340cd78
to
ce809c1
Compare
Quality Gate passedIssues Measures |
* enhancement(4889): updated enroll command to reexec the command if the executing user and binary owner don't match, added tests * enhancement(4889): added savepassword function * enhancement(4889): removed user impersonation, implemented noop for windows, updated integration tests * enhancement(4889): added changelog * enhancement(4889): added windows implementation * enhancement(4889): added license headers * enhancement(4889): update test case to execute different commands based on os * enhancement(4889): ran mage clean * enhancement(4889): updated function name, updated integration tests * enhancmenet(4889): updated function name * enhancement(4889): updated function name, fixed test assertions * enhancement(4889): update error messages * enhancement(4889): ran mage update * enhancements(4889): fix integration test * enhancement(4889): remove commented code * enhancement(4889): commiting now, don't push though * enhancement(4889): added windows unit test * enhancement(4889): close test file * enhancement(4889): updated isOwnerExec function, added tests * enchancement(4889): added log in test * enhancement(4889): remove unused types * enhancement(4889): added test for isOwnerExec for windows * enhancement(4889): added unix tests, ran mage addLicenseHeaders * enhancement(4889): added testisfileownerunix test * enhancement(4889): added TestIsOwnerExecUnix test * enhancement(4889): updated test function name * enhancement(4889): set file ownership of the test file * enhancement(4889): remove unnecessary change * enhancment(4889): updated iOwnerExec windows test * enhancement(4889): fix file creation in tests * Update internal/pkg/agent/cmd/enroll.go Co-authored-by: Paolo Chilà <paolo.chila@elastic.co> * Update internal/pkg/agent/cmd/enroll_match_fileowner_windows.go Co-authored-by: Paolo Chilà <paolo.chila@elastic.co> * Update internal/pkg/agent/cmd/enroll_match_fileowner_unix.go Co-authored-by: Paolo Chilà <paolo.chila@elastic.co> * enhancement(4889): updated summary and issue in changelog * enhancement(4889): updated variable name, wrap error when returning error * enhancement(4889): added comments describing isOwnerExec. fixed type problems with stat.Uid * enhancement(4889): refactored isOwnerExec return * enhancement(4889): differentiating between sid errors * enhancment(4889): removed redundant unit tests * enhancement(4889): update command execution in integration tests --------- Co-authored-by: Paolo Chilà <paolo.chila@elastic.co> (cherry picked from commit c4835ca)
* enhancement(4889): updated enroll command to reexec the command if the executing user and binary owner don't match, added tests * enhancement(4889): added savepassword function * enhancement(4889): removed user impersonation, implemented noop for windows, updated integration tests * enhancement(4889): added changelog * enhancement(4889): added windows implementation * enhancement(4889): added license headers * enhancement(4889): update test case to execute different commands based on os * enhancement(4889): ran mage clean * enhancement(4889): updated function name, updated integration tests * enhancmenet(4889): updated function name * enhancement(4889): updated function name, fixed test assertions * enhancement(4889): update error messages * enhancement(4889): ran mage update * enhancements(4889): fix integration test * enhancement(4889): remove commented code * enhancement(4889): commiting now, don't push though * enhancement(4889): added windows unit test * enhancement(4889): close test file * enhancement(4889): updated isOwnerExec function, added tests * enchancement(4889): added log in test * enhancement(4889): remove unused types * enhancement(4889): added test for isOwnerExec for windows * enhancement(4889): added unix tests, ran mage addLicenseHeaders * enhancement(4889): added testisfileownerunix test * enhancement(4889): added TestIsOwnerExecUnix test * enhancement(4889): updated test function name * enhancement(4889): set file ownership of the test file * enhancement(4889): remove unnecessary change * enhancment(4889): updated iOwnerExec windows test * enhancement(4889): fix file creation in tests * Update internal/pkg/agent/cmd/enroll.go Co-authored-by: Paolo Chilà <paolo.chila@elastic.co> * Update internal/pkg/agent/cmd/enroll_match_fileowner_windows.go Co-authored-by: Paolo Chilà <paolo.chila@elastic.co> * Update internal/pkg/agent/cmd/enroll_match_fileowner_unix.go Co-authored-by: Paolo Chilà <paolo.chila@elastic.co> * enhancement(4889): updated summary and issue in changelog * enhancement(4889): updated variable name, wrap error when returning error * enhancement(4889): added comments describing isOwnerExec. fixed type problems with stat.Uid * enhancement(4889): refactored isOwnerExec return * enhancement(4889): differentiating between sid errors * enhancment(4889): removed redundant unit tests * enhancement(4889): update command execution in integration tests --------- Co-authored-by: Paolo Chilà <paolo.chila@elastic.co> (cherry picked from commit c4835ca) Co-authored-by: Kaan Yalti <kaan.yalti@elastic.co>
@kaanyalti shall we backport this to 8.17 too? For now by backporting to 8.x it will only be included in 8.18 |
@jlind23 I think we can, I don't see any reason not to backport it to 8.17. |
* enhancement(4889): updated enroll command to reexec the command if the executing user and binary owner don't match, added tests * enhancement(4889): added savepassword function * enhancement(4889): removed user impersonation, implemented noop for windows, updated integration tests * enhancement(4889): added changelog * enhancement(4889): added windows implementation * enhancement(4889): added license headers * enhancement(4889): update test case to execute different commands based on os * enhancement(4889): ran mage clean * enhancement(4889): updated function name, updated integration tests * enhancmenet(4889): updated function name * enhancement(4889): updated function name, fixed test assertions * enhancement(4889): update error messages * enhancement(4889): ran mage update * enhancements(4889): fix integration test * enhancement(4889): remove commented code * enhancement(4889): commiting now, don't push though * enhancement(4889): added windows unit test * enhancement(4889): close test file * enhancement(4889): updated isOwnerExec function, added tests * enchancement(4889): added log in test * enhancement(4889): remove unused types * enhancement(4889): added test for isOwnerExec for windows * enhancement(4889): added unix tests, ran mage addLicenseHeaders * enhancement(4889): added testisfileownerunix test * enhancement(4889): added TestIsOwnerExecUnix test * enhancement(4889): updated test function name * enhancement(4889): set file ownership of the test file * enhancement(4889): remove unnecessary change * enhancment(4889): updated iOwnerExec windows test * enhancement(4889): fix file creation in tests * Update internal/pkg/agent/cmd/enroll.go Co-authored-by: Paolo Chilà <paolo.chila@elastic.co> * Update internal/pkg/agent/cmd/enroll_match_fileowner_windows.go Co-authored-by: Paolo Chilà <paolo.chila@elastic.co> * Update internal/pkg/agent/cmd/enroll_match_fileowner_unix.go Co-authored-by: Paolo Chilà <paolo.chila@elastic.co> * enhancement(4889): updated summary and issue in changelog * enhancement(4889): updated variable name, wrap error when returning error * enhancement(4889): added comments describing isOwnerExec. fixed type problems with stat.Uid * enhancement(4889): refactored isOwnerExec return * enhancement(4889): differentiating between sid errors * enhancment(4889): removed redundant unit tests * enhancement(4889): update command execution in integration tests --------- Co-authored-by: Paolo Chilà <paolo.chila@elastic.co> (cherry picked from commit c4835ca)
* enhancement(4889): updated enroll command to reexec the command if the executing user and binary owner don't match, added tests * enhancement(4889): added savepassword function * enhancement(4889): removed user impersonation, implemented noop for windows, updated integration tests * enhancement(4889): added changelog * enhancement(4889): added windows implementation * enhancement(4889): added license headers * enhancement(4889): update test case to execute different commands based on os * enhancement(4889): ran mage clean * enhancement(4889): updated function name, updated integration tests * enhancmenet(4889): updated function name * enhancement(4889): updated function name, fixed test assertions * enhancement(4889): update error messages * enhancement(4889): ran mage update * enhancements(4889): fix integration test * enhancement(4889): remove commented code * enhancement(4889): commiting now, don't push though * enhancement(4889): added windows unit test * enhancement(4889): close test file * enhancement(4889): updated isOwnerExec function, added tests * enchancement(4889): added log in test * enhancement(4889): remove unused types * enhancement(4889): added test for isOwnerExec for windows * enhancement(4889): added unix tests, ran mage addLicenseHeaders * enhancement(4889): added testisfileownerunix test * enhancement(4889): added TestIsOwnerExecUnix test * enhancement(4889): updated test function name * enhancement(4889): set file ownership of the test file * enhancement(4889): remove unnecessary change * enhancment(4889): updated iOwnerExec windows test * enhancement(4889): fix file creation in tests * Update internal/pkg/agent/cmd/enroll.go Co-authored-by: Paolo Chilà <paolo.chila@elastic.co> * Update internal/pkg/agent/cmd/enroll_match_fileowner_windows.go Co-authored-by: Paolo Chilà <paolo.chila@elastic.co> * Update internal/pkg/agent/cmd/enroll_match_fileowner_unix.go Co-authored-by: Paolo Chilà <paolo.chila@elastic.co> * enhancement(4889): updated summary and issue in changelog * enhancement(4889): updated variable name, wrap error when returning error * enhancement(4889): added comments describing isOwnerExec. fixed type problems with stat.Uid * enhancement(4889): refactored isOwnerExec return * enhancement(4889): differentiating between sid errors * enhancment(4889): removed redundant unit tests * enhancement(4889): update command execution in integration tests --------- Co-authored-by: Paolo Chilà <paolo.chila@elastic.co> (cherry picked from commit c4835ca) Co-authored-by: Kaan Yalti <kaan.yalti@elastic.co>
What does this PR do?
This PR adds checks to the enroll command to respond with an error message in case the user executing the command and the user that's the owner of the elastic program files don't match. Replaces #6038 based on the following comment
Why is it important?
Currently there are no checks in place to prevent or correct the situation where a user who is not the owner of the program files executes enroll. This leads to a broken state.
Checklist
[ ] I have made corresponding changes to the documentation[ ] I have made corresponding change to the default configuration files[ ] I have added tests that prove my fix is effective or that my feature works./changelog/fragments
using the changelog toolHow to test this PR locally
The testing steps are only for linux and mac
Related issues
enroll
an unprivileged Agent as a privileged user #4889