Allow Fleet post secret and get secret to accept array of strings

jen-huang · jen-huang · commit 4fe3ef97da89 · 2025-03-11T17:41:07.000-07:00
Add tests

Fix tests

[CI] Auto commit changes from spotless
diff --git a/x-pack/plugin/fleet/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/fleet/30_secrets_post.yml b/x-pack/plugin/fleet/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/fleet/30_secrets_post.yml
@@ -7,6 +7,16 @@
       fleet.delete_secret:
         id: $id
 
+---
+"Create Fleet Secret with multiple values":
+  - do:
+      fleet.post_secret:
+        body: '{"value": ["test secret 1", "test secret 2"]}'
+  - set:  { id: id }
+  - do:
+      fleet.delete_secret:
+        id: $id
+
 ---
 "Create secret fails for unprivileged user":
   - skip:
diff --git a/x-pack/plugin/fleet/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/fleet/40_secrets_get.yml b/x-pack/plugin/fleet/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/fleet/40_secrets_get.yml
@@ -18,6 +18,27 @@
       fleet.delete_secret:
         id: $id
 
+---
+"Get Fleet Secret with multiple values":
+  - do:
+      fleet.post_secret:
+        body: '{"value": ["test secret 1", "test secret 2"]}'
+  - set:  { id: id }
+  # search node needs to be available for fleet.get_secret to work in stateless.
+  # The `.fleet-secrets` index is created on demand, and its search replica starts out unassigned,
+  # so wait_for_no_uninitialized_shards can miss it.
+  - do:
+      cluster.health:
+        wait_for_active_shards: all
+  - do:
+      fleet.get_secret:
+        id: $id
+  - match: { id: $id }
+  - match: { value: ["test secret 1", "test secret 2"] }
+  - do:
+      fleet.delete_secret:
+        id: $id
+
 ---
 "Get non existent Fleet Secret":
   - do:
diff --git a/x-pack/plugin/fleet/src/main/java/org/elasticsearch/xpack/fleet/action/GetSecretResponse.java b/x-pack/plugin/fleet/src/main/java/org/elasticsearch/xpack/fleet/action/GetSecretResponse.java
@@ -20,15 +20,19 @@
 public class GetSecretResponse extends ActionResponse implements ToXContentObject {
 
     private final String id;
-    private final String value;
+    private final Object value;
 
     public GetSecretResponse(StreamInput in) throws IOException {
         super(in);
         id = in.readString();
-        value = in.readString();
+        if (in.readByte() == 0) {
+            value = in.readString();
+        } else {
+            value = in.readStringArray();
+        }
     }
 
-    public GetSecretResponse(String id, String value) {
+    public GetSecretResponse(String id, Object value) {
         this.id = id;
         this.value = value;
     }
@@ -40,15 +44,24 @@ public String id() {
     @Override
     public void writeTo(StreamOutput out) throws IOException {
         out.writeString(id);
-        out.writeString(value);
+        if (value instanceof String) {
+            out.writeString((String) value);
+        } else if (value instanceof String[]) {
+            out.writeStringArray((String[]) value);
+        }
     }
 
     @Override
     public XContentBuilder toXContent(XContentBuilder builder, ToXContent.Params params) throws IOException {
         builder.startObject();
         builder.field("id", id);
-        builder.field("value", value);
-        return builder.endObject();
+        if (value instanceof String) {
+            builder.field("value", (String) value);
+        } else if (value instanceof String[]) {
+            builder.field("value", (String[]) value);
+        }
+        builder.endObject();
+        return builder;
     }
 
     @Override
diff --git a/x-pack/plugin/fleet/src/main/java/org/elasticsearch/xpack/fleet/action/PostSecretRequest.java b/x-pack/plugin/fleet/src/main/java/org/elasticsearch/xpack/fleet/action/PostSecretRequest.java
@@ -27,49 +27,69 @@ public class PostSecretRequest extends ActionRequest {
     public static final ConstructingObjectParser<PostSecretRequest, Void> PARSER = new ConstructingObjectParser<>(
         "post_secret_request",
         args -> {
-            return new PostSecretRequest((String) args[0]);
+            return new PostSecretRequest(args[0]);
         }
     );
 
     static {
-        PARSER.declareField(
-            ConstructingObjectParser.optionalConstructorArg(),
-            (p, c) -> p.text(),
-            VALUE_FIELD,
-            ObjectParser.ValueType.STRING
-        );
+        PARSER.declareField(ConstructingObjectParser.optionalConstructorArg(), (p, c) -> {
+            if (p.currentToken() == XContentParser.Token.VALUE_STRING) {
+                return p.text();
+            } else if (p.currentToken() == XContentParser.Token.START_ARRAY) {
+                return p.list().stream().map(s -> (String) s).toArray(String[]::new);
+            } else {
+                throw new IllegalArgumentException("Unexpected token: " + p.currentToken());
+            }
+        }, VALUE_FIELD, ObjectParser.ValueType.STRING_ARRAY);
     }
 
     public static PostSecretRequest fromXContent(XContentParser parser) throws IOException {
         return PARSER.parse(parser, null);
     }
 
-    private final String value;
+    private final Object value;
 
-    public PostSecretRequest(String value) {
+    public PostSecretRequest(Object value) {
+        if (!(value instanceof String) && !(value instanceof String[])) {
+            throw new IllegalArgumentException("value must be a string or an array of strings");
+        }
         this.value = value;
     }
 
     public PostSecretRequest(StreamInput in) throws IOException {
         super(in);
-        this.value = in.readString();
+        if (in.readByte() == 0) {
+            this.value = in.readString();
+        } else {
+            this.value = in.readStringArray();
+        }
     }
 
-    public String value() {
+    public Object value() {
         return value;
     }
 
     public XContentBuilder toXContent(XContentBuilder builder) throws IOException {
         builder.startObject();
-        builder.field(VALUE_FIELD.getPreferredName(), this.value);
+        if (value instanceof String) {
+            builder.field(VALUE_FIELD.getPreferredName(), (String) value);
+        } else if (value instanceof String[]) {
+            builder.field(VALUE_FIELD.getPreferredName(), (String[]) value);
+        }
         builder.endObject();
         return builder;
     }
 
     @Override
     public void writeTo(StreamOutput out) throws IOException {
         super.writeTo(out);
-        out.writeString(value);
+        if (value instanceof String) {
+            out.writeBoolean(true);
+            out.writeString((String) value);
+        } else if (value instanceof String[]) {
+            out.writeBoolean(false);
+            out.writeStringArray((String[]) value);
+        }
     }
 
     @Override
diff --git a/x-pack/plugin/fleet/src/main/java/org/elasticsearch/xpack/fleet/action/TransportGetSecretAction.java b/x-pack/plugin/fleet/src/main/java/org/elasticsearch/xpack/fleet/action/TransportGetSecretAction.java
@@ -18,6 +18,8 @@
 import org.elasticsearch.tasks.Task;
 import org.elasticsearch.transport.TransportService;
 
+import java.util.List;
+
 import static org.elasticsearch.xpack.core.ClientHelper.FLEET_ORIGIN;
 import static org.elasticsearch.xpack.fleet.Fleet.FLEET_SECRETS_INDEX_NAME;
 
@@ -36,7 +38,19 @@ protected void doExecute(Task task, GetSecretRequest request, ActionListener<Get
                 delegate.onFailure(new ResourceNotFoundException("No secret with id [" + request.id() + "]"));
                 return;
             }
-            delegate.onResponse(new GetSecretResponse(getResponse.getId(), getResponse.getSource().get("value").toString()));
+            Object value = getResponse.getSource().get("value");
+            if (value instanceof String) {
+                delegate.onResponse(new GetSecretResponse(getResponse.getId(), value.toString()));
+            } else if (value instanceof List) {
+                List<?> valueList = (List<?>) value;
+                if (valueList.stream().allMatch(item -> item instanceof String)) {
+                    delegate.onResponse(new GetSecretResponse(getResponse.getId(), valueList.toArray(new String[0])));
+                } else {
+                    delegate.onFailure(new IllegalArgumentException("Unexpected value type in list for id [" + request.id() + "]"));
+                }
+            } else {
+                delegate.onFailure(new IllegalArgumentException("Unexpected value type for id [" + request.id() + "]"));
+            }
         }));
     }
 }
diff --git a/x-pack/plugin/fleet/src/test/java/org/elasticsearch/xpack/fleet/action/GetSecretResponseTests.java b/x-pack/plugin/fleet/src/test/java/org/elasticsearch/xpack/fleet/action/GetSecretResponseTests.java
@@ -7,9 +7,12 @@
 
 package org.elasticsearch.xpack.fleet.action;
 
+import org.elasticsearch.action.ActionResponseValidationException;
 import org.elasticsearch.common.io.stream.Writeable;
 import org.elasticsearch.test.AbstractWireSerializingTestCase;
 
+import static org.junit.Assert.assertArrayEquals;
+
 public class GetSecretResponseTests extends AbstractWireSerializingTestCase<GetSecretResponse> {
 
     @Override
@@ -26,4 +29,12 @@ protected GetSecretResponse createTestInstance() {
     protected GetSecretResponse mutateInstance(GetSecretResponse instance) {
         return new GetSecretResponse(instance.id(), randomAlphaOfLength(10));
     }
+
+    public void testValidateResponseWithMultiValue() {
+        String[] secrets = { "secret1", "secret2" };
+        GetSecretResponse res = new GetSecretResponse(randomAlphaOfLength(10), secrets);
+        ActionResponseValidationException e = res.validate();
+        assertNull(e);
+        assertArrayEquals(secrets, (String[]) res.value());
+    }
 }
diff --git a/x-pack/plugin/fleet/src/test/java/org/elasticsearch/xpack/fleet/action/PostSecretRequestTests.java b/x-pack/plugin/fleet/src/test/java/org/elasticsearch/xpack/fleet/action/PostSecretRequestTests.java
@@ -37,6 +37,13 @@ public void testValidateRequest() {
         assertNull(e);
     }
 
+    public void testValidateRequestWithMultiValue() {
+        String[] secrets = { "secret1", "secret2" };
+        PostSecretRequest req = new PostSecretRequest(secrets);
+        ActionRequestValidationException e = req.validate();
+        assertNull(e);
+    }
+
     public void testValidateRequestWithoutValue() {
         PostSecretRequest req = new PostSecretRequest((String) null);
         ActionRequestValidationException e = req.validate();
