Handle new PrivilegeLevelChangeAction (#5154)

Author: michalpristas

changelog/fragments/1752481082-Privileged-level-change-action-added.yaml

@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: feature
+
+# Change summary; a 80ish characters long description of the change.
+summary: Privileged level change action added
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+description: Added new PRIVILEGE_LEVEL_CHANGE action type for changing agent privileges.
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: fleet-server
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+#pr: https://github.com/owner/repo/1234
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/fleet-server/issues/4989

internal/pkg/api/handleAck_test.go

@@ -130,6 +130,19 @@ func TestEventToActionResult(t *testing.T) {
 		assert.Equal(t, "2022-02-23T18:26:08.506128Z", r.Timestamp)
 		assert.Equal(t, "error message", r.Error)
 	})
+	t.Run("privilege level change action", func(t *testing.T) {
+		r := eventToActionResult(agentID, "PRIVILEGE_LEVEL_CHANGE", []string{}, AckRequest_Events_Item{json.RawMessage(`{
+		"action_id": "test-action-id",
+		"message": "action message",
+		"timestamp": "2022-02-23T18:26:08.506128Z",
+		"data": {"unprivileged":"true","user_info":{"username": "demo", "password": "1q2w3e"}},
+		"error": "error message"
+		}`)})
+		assert.Equal(t, agentID, r.AgentID)
+		assert.Equal(t, "test-action-id", r.ActionID)
+		assert.Equal(t, "2022-02-23T18:26:08.506128Z", r.Timestamp)
+		assert.Equal(t, "error message", r.Error)
+	})
 }
 
 type searchRequestFilter struct {

internal/pkg/api/handleCheckin.go

@@ -57,14 +57,15 @@ const (
 // unlisted or invalid types are removed with filterActions().
 // action types should have a corresponding case in convertActionData.
 var validActionTypes = map[string]bool{
-	string(CANCEL):             true,
-	string(INPUTACTION):        true,
-	string(POLICYREASSIGN):     true,
-	string(REQUESTDIAGNOSTICS): true,
-	string(SETTINGS):           true,
-	string(UNENROLL):           true,
-	string(UPGRADE):            true,
-	string(MIGRATE):            true,
+	string(CANCEL):               true,
+	string(INPUTACTION):          true,
+	string(POLICYREASSIGN):       true,
+	string(REQUESTDIAGNOSTICS):   true,
+	string(SETTINGS):             true,
+	string(UNENROLL):             true,
+	string(UPGRADE):              true,
+	string(MIGRATE):              true,
+	string(PRIVILEGELEVELCHANGE): true,
 }
 
 type CheckinT struct {
@@ -768,6 +769,14 @@ func convertActionData(aType ActionType, raw json.RawMessage) (ad Action_Data, e
 		}
 		err = ad.FromActionMigrate(d)
 		return
+	case PRIVILEGELEVELCHANGE:
+		d := ActionPrivilegeLevelChange{}
+		err = json.Unmarshal(raw, &d)
+		if err != nil {
+			return
+		}
+		err = ad.FromActionPrivilegeLevelChange(d)
+		return
 	default:
 		return ad, fmt.Errorf("data conversion unsupported action type: %s", aType)
 	}

internal/pkg/api/handleCheckin_test.go

@@ -134,6 +134,18 @@ func TestConvertActionData(t *testing.T) {
 		raw:    json.RawMessage(`{"enrollment_token":"et","target_uri":"turi"}`),
 		expect: Action_Data{json.RawMessage(`{"enrollment_token":"et","target_uri":"turi"}`)},
 		hasErr: false,
+	}, {
+		name:   "privilege level change action - with data",
+		aType:  PRIVILEGELEVELCHANGE,
+		raw:    json.RawMessage(`{"unprivileged":true,"user_info":{"password":"1q2w3e","username":"demo"}}`),
+		expect: Action_Data{json.RawMessage(`{"unprivileged":true,"user_info":{"password":"1q2w3e","username":"demo"}}`)},
+		hasErr: false,
+	}, {
+		name:   "privilege level change action",
+		aType:  PRIVILEGELEVELCHANGE,
+		raw:    json.RawMessage(`{}`),
+		expect: Action_Data{json.RawMessage(`{"unprivileged":false}`)},
+		hasErr: false,
 	}, {
 		name:   "unknown action type",
 		aType:  ActionType("UNKNOWN"),

internal/pkg/api/openapi.gen.go

@@ -437,6 +437,19 @@ components:
           x-oapi-codegen-extra-tags: # oapi-codegen tags
             yaml: "signature"
             json: "signature,omitempty"
+    userInfo:
+      description: Optional user info data.
+      type: object
+      properties:
+        username:
+          type: string
+          description: Username of custom user used to run Elastic Agent.
+        password:
+          type: string
+          description: Password for user specified by username.
+        groupname:
+          type: string
+          description: Custom group used to access Elastic Agent files.
     action:
       description: |
         An action for an elastic-agent.
@@ -488,6 +501,7 @@ components:
             - $ref: "#/components/schemas/actionRequestDiagnostics"
             - $ref: "#/components/schemas/actionInputAction"
             - $ref: "#/components/schemas/actionMigrate"
+            - $ref: "#/components/schemas/actionPrivilegeLevelChange"
         id:
           description: The action ID.
           type: string
@@ -513,6 +527,7 @@ components:
             - "CANCEL"
             - "REQUEST_DIAGNOSTICS"
             - "MIGRATE"
+            - "PRIVILEGE_LEVEL_CHANGE"
           x-go-custom-tag: yaml:"type" # openapi-generator
           x-oapi-codegen-extra-tags: # oapi-codegen tags
             yaml: "type"
@@ -655,6 +670,17 @@ components:
       required:
        - enrollment_token
        - target_uri
+    actionPrivilegeLevelChange:
+      description: The PRIVILEGE_LEVEL_CHANGE action.
+      type: object
+      properties:
+        unprivileged:
+          type: boolean
+          description: Flag indicating whether target level is unprivileged. If not provided unprivileged is assumed.
+        user_info:
+          $ref: "#/components/schemas/userInfo"
+      required: 
+        - unprivileged
     checkinResponse:
       type: object
       required:
@@ -1901,4 +1927,4 @@ paths:
         "500":
           $ref: "#/components/responses/internalServerError"
         "503":
-          $ref: "#/components/responses/unavailable"
+          $ref: "#/components/responses/unavailable"