[EDR Workflows][Device Control] Artifact creation license check (#233334)

Extends trusted devices artifacts to require enterprise licensing in
addition to existing feature flag and PLI controls. When users downgrade
from enterprise licenses, trusted devices will serve empty arrays
instead of actual configurations.

Changes:
- Added dual licensing check: PLI (serverless) AND enterprise license
(ESS)
- Maintains existing feature flag requirement
(experimentalFeatures.trustedDevices)
  - Follows same pattern as host isolation exceptions

Author: szwarckonrad

x-pack/solutions/security/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.mock.ts

@@ -28,6 +28,7 @@ import { parseExperimentalConfigValue } from '../../../../../common/experimental
 import { createProductFeaturesServiceMock } from '../../../../lib/product_features_service/mocks';
 import type { ProductFeaturesService } from '../../../../lib/product_features_service/product_features_service';
 import { createSavedObjectsClientFactoryMock } from '../../saved_objects/saved_objects_client_factory.mocks';
+import { createLicenseServiceMock } from '../../../../../common/license/mocks';
 
 export const createExceptionListResponse = (data: ExceptionListItemSchema[], total?: number) => ({
   data,
@@ -109,6 +110,7 @@ export const buildManifestManagerContextMock = (
       .features,
     packagerTaskPackagePolicyUpdateBatchSize: 10,
     esClient: elasticsearchServiceMock.createElasticsearchClient(),
+    licenseService: createLicenseServiceMock(),
   };
 };
 

x-pack/solutions/security/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.test.ts

@@ -38,7 +38,7 @@ import { ManifestManager } from './manifest_manager';
 import type { EndpointArtifactClientInterface } from '../artifact_client';
 import { EndpointError } from '../../../../../common/endpoint/errors';
 import type { Artifact } from '@kbn/fleet-plugin/server';
-import { ProductFeatureSecurityKey } from '@kbn/security-solution-features/keys';
+import { ProductFeatureKey } from '@kbn/security-solution-features/keys';
 import type { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types/src/response/exception_list_item_schema';
 import {
   createFetchAllArtifactsIterableMock,
@@ -47,6 +47,7 @@ import {
 import type { ExperimentalFeatures } from '../../../../../common';
 import { allowedExperimentalValues } from '../../../../../common';
 import { SavedObjectsErrorHelpers } from '@kbn/core-saved-objects-server';
+import { createLicenseServiceMock } from '../../../../../common/license/mocks';
 
 const getArtifactObject = (artifact: InternalArtifactSchema) =>
   JSON.parse(Buffer.from(artifact.body!, 'base64').toString());
@@ -863,7 +864,7 @@ describe('ManifestManager', () => {
         tags: ['policy:all'],
       });
       const context = buildManifestManagerContextMock({}, [
-        ProductFeatureSecurityKey.endpointArtifactManagement,
+        ProductFeatureKey.endpointArtifactManagement,
       ]);
       const manifestManager = new ManifestManager(context);
 
@@ -943,8 +944,8 @@ describe('ManifestManager', () => {
         tags: ['policy:all'],
       });
       const context = buildManifestManagerContextMock({}, [
-        ProductFeatureSecurityKey.endpointArtifactManagement,
-        ProductFeatureSecurityKey.endpointHostIsolationExceptions,
+        ProductFeatureKey.endpointArtifactManagement,
+        ProductFeatureKey.endpointHostIsolationExceptions,
       ]);
       const manifestManager = new ManifestManager(context);
 
@@ -1129,6 +1130,15 @@ describe('ManifestManager', () => {
       const context = buildManifestManagerContextMock({
         experimentalFeatures: ['trustedDevices'],
       });
+      // Set up licensing to allow trusted devices (both PLI and enterprise)
+      context.productFeaturesService.isEnabled = jest.fn().mockImplementation((key) => {
+        return (
+          key === ProductFeatureKey.endpointTrustedDevices ||
+          key === ProductFeatureKey.endpointArtifactManagement
+        );
+      });
+      context.licenseService = createLicenseServiceMock();
+      context.licenseService.isEnterprise = jest.fn().mockReturnValue(true);
       const manifestManager = new ManifestManager(context);
 
       context.exceptionListClient.findExceptionListItem = mockFindExceptionListItemResponses({});
@@ -1224,6 +1234,14 @@ describe('ManifestManager', () => {
       const context = buildManifestManagerContextMock({
         experimentalFeatures: ['trustedDevices'],
       });
+      context.productFeaturesService.isEnabled = jest.fn().mockImplementation((key) => {
+        return (
+          key === ProductFeatureKey.endpointTrustedDevices ||
+          key === ProductFeatureKey.endpointArtifactManagement
+        );
+      });
+      context.licenseService = createLicenseServiceMock();
+      context.licenseService.isEnterprise = jest.fn().mockReturnValue(true);
       const manifestManager = new ManifestManager(context);
 
       context.exceptionListClient.findExceptionListItem = mockFindExceptionListItemResponses({
@@ -2428,4 +2446,176 @@ describe('ManifestManager', () => {
       });
     });
   });
+
+  describe('shouldRetrieveExceptions for trusted devices licensing logic', () => {
+    let manifestManager: ManifestManager;
+    let context: ManifestManagerContext;
+
+    beforeEach(() => {
+      context = buildManifestManagerContextMock({});
+    });
+
+    interface ManifestManagerWithPrivateMethods {
+      shouldRetrieveExceptions: (listId: string) => boolean;
+    }
+
+    describe('when trustedDevices feature flag is disabled', () => {
+      beforeEach(() => {
+        context = buildManifestManagerContextMock({
+          experimentalFeatures: [], // No trustedDevices feature
+        });
+        context.licenseService = createLicenseServiceMock();
+        manifestManager = new ManifestManager(context);
+      });
+
+      test('should return false for trusted devices artifacts when feature flag is disabled', () => {
+        const shouldRetrieve = (
+          manifestManager as unknown as ManifestManagerWithPrivateMethods
+        ).shouldRetrieveExceptions(ENDPOINT_ARTIFACT_LISTS.trustedDevices.id);
+        expect(shouldRetrieve).toBe(false);
+      });
+
+      test('should return true for other artifact types regardless of feature flag', () => {
+        const shouldRetrieveExceptions = (
+          manifestManager as unknown as ManifestManagerWithPrivateMethods
+        ).shouldRetrieveExceptions(ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id);
+        const shouldRetrieveTrustedApps = (
+          manifestManager as unknown as ManifestManagerWithPrivateMethods
+        ).shouldRetrieveExceptions(ENDPOINT_ARTIFACT_LISTS.trustedApps.id);
+
+        expect(shouldRetrieveExceptions).toBe(true);
+        expect(shouldRetrieveTrustedApps).toBe(true);
+      });
+    });
+
+    describe('when trustedDevices feature flag is enabled', () => {
+      beforeEach(() => {
+        context = buildManifestManagerContextMock({
+          experimentalFeatures: ['trustedDevices'],
+        });
+        context.licenseService = createLicenseServiceMock();
+      });
+
+      test('should return false when only PLI is enabled (enterprise required)', () => {
+        context.productFeaturesService.isEnabled = jest.fn().mockImplementation((key) => {
+          return key === ProductFeatureKey.endpointTrustedDevices;
+        });
+        context.licenseService.isEnterprise = jest.fn().mockReturnValue(false);
+        manifestManager = new ManifestManager(context);
+
+        const shouldRetrieve = (
+          manifestManager as unknown as ManifestManagerWithPrivateMethods
+        ).shouldRetrieveExceptions(ENDPOINT_ARTIFACT_LISTS.trustedDevices.id);
+
+        expect(shouldRetrieve).toBe(false);
+        expect(context.productFeaturesService.isEnabled).toHaveBeenCalledWith(
+          ProductFeatureKey.endpointTrustedDevices
+        );
+      });
+
+      test('should return false when only enterprise license is present (PLI required)', () => {
+        context.productFeaturesService.isEnabled = jest.fn().mockReturnValue(false);
+        context.licenseService.isEnterprise = jest.fn().mockReturnValue(true);
+        manifestManager = new ManifestManager(context);
+
+        const shouldRetrieve = (
+          manifestManager as unknown as ManifestManagerWithPrivateMethods
+        ).shouldRetrieveExceptions(ENDPOINT_ARTIFACT_LISTS.trustedDevices.id);
+
+        expect(shouldRetrieve).toBe(false);
+      });
+
+      test('should return true when both PLI and enterprise license are enabled', () => {
+        context.productFeaturesService.isEnabled = jest.fn().mockImplementation((key) => {
+          return key === ProductFeatureKey.endpointTrustedDevices;
+        });
+        context.licenseService.isEnterprise = jest.fn().mockReturnValue(true);
+        manifestManager = new ManifestManager(context);
+
+        const shouldRetrieve = (
+          manifestManager as unknown as ManifestManagerWithPrivateMethods
+        ).shouldRetrieveExceptions(ENDPOINT_ARTIFACT_LISTS.trustedDevices.id);
+
+        expect(shouldRetrieve).toBe(true);
+        expect(context.productFeaturesService.isEnabled).toHaveBeenCalledWith(
+          ProductFeatureKey.endpointTrustedDevices
+        );
+        expect(context.licenseService.isEnterprise).toHaveBeenCalled();
+      });
+
+      test('should return false when neither PLI nor enterprise license are enabled', () => {
+        context.productFeaturesService.isEnabled = jest.fn().mockReturnValue(false);
+        context.licenseService.isEnterprise = jest.fn().mockReturnValue(false);
+        manifestManager = new ManifestManager(context);
+
+        const shouldRetrieve = (
+          manifestManager as unknown as ManifestManagerWithPrivateMethods
+        ).shouldRetrieveExceptions(ENDPOINT_ARTIFACT_LISTS.trustedDevices.id);
+
+        expect(shouldRetrieve).toBe(false);
+        expect(context.productFeaturesService.isEnabled).toHaveBeenCalledWith(
+          ProductFeatureKey.endpointTrustedDevices
+        );
+      });
+    });
+
+    describe('host isolation exceptions licensing logic', () => {
+      beforeEach(() => {
+        context = buildManifestManagerContextMock({});
+        context.licenseService = createLicenseServiceMock();
+      });
+
+      test('should return true for host isolation exceptions when product feature is enabled', () => {
+        context.productFeaturesService.isEnabled = jest.fn().mockImplementation((key) => {
+          return key === ProductFeatureKey.endpointHostIsolationExceptions;
+        });
+        manifestManager = new ManifestManager(context);
+
+        const shouldRetrieve = (
+          manifestManager as unknown as ManifestManagerWithPrivateMethods
+        ).shouldRetrieveExceptions(ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id);
+
+        expect(shouldRetrieve).toBe(true);
+        expect(context.productFeaturesService.isEnabled).toHaveBeenCalledWith(
+          ProductFeatureKey.endpointHostIsolationExceptions
+        );
+      });
+
+      test('should return false for host isolation exceptions when product feature is disabled', () => {
+        context.productFeaturesService.isEnabled = jest.fn().mockReturnValue(false);
+        manifestManager = new ManifestManager(context);
+
+        const shouldRetrieve = (
+          manifestManager as unknown as ManifestManagerWithPrivateMethods
+        ).shouldRetrieveExceptions(ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id);
+
+        expect(shouldRetrieve).toBe(false);
+        expect(context.productFeaturesService.isEnabled).toHaveBeenCalledWith(
+          ProductFeatureKey.endpointHostIsolationExceptions
+        );
+      });
+    });
+
+    describe('default behavior for non-licensed artifacts', () => {
+      beforeEach(() => {
+        context = buildManifestManagerContextMock({});
+        context.licenseService = createLicenseServiceMock();
+        manifestManager = new ManifestManager(context);
+      });
+
+      const nonLicensedArtifacts = [
+        { name: 'exceptions', id: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id },
+        { name: 'trusted apps', id: ENDPOINT_ARTIFACT_LISTS.trustedApps.id },
+        { name: 'event filters', id: ENDPOINT_ARTIFACT_LISTS.eventFilters.id },
+        { name: 'blocklists', id: ENDPOINT_ARTIFACT_LISTS.blocklists.id },
+      ];
+
+      test.each(nonLicensedArtifacts)('should return true for $name artifacts', ({ id }) => {
+        const shouldRetrieve = (
+          manifestManager as unknown as ManifestManagerWithPrivateMethods
+        ).shouldRetrieveExceptions(id);
+        expect(shouldRetrieve).toBe(true);
+      });
+    });
+  });
 });

x-pack/solutions/security/plugins/security_solution/server/endpoint/services/artifacts/manifest_manager/manifest_manager.ts

@@ -28,6 +28,7 @@ import { stringify } from '../../../utils/stringify';
 import { QueueProcessor } from '../../../utils/queue_processor';
 import type { ProductFeaturesService } from '../../../../lib/product_features_service/product_features_service';
 import type { ExperimentalFeatures } from '../../../../../common';
+import type { LicenseService } from '../../../../../common/license';
 import type { ManifestSchemaVersion } from '../../../../../common/endpoint/schema/common';
 import {
   manifestDispatchSchema,
@@ -97,6 +98,7 @@ export interface ManifestManagerContext {
   packagerTaskPackagePolicyUpdateBatchSize: number;
   esClient: ElasticsearchClient;
   productFeaturesService: ProductFeaturesService;
+  licenseService: LicenseService;
 }
 
 const getArtifactIds = (manifest: ManifestSchema) =>
@@ -119,6 +121,7 @@ export class ManifestManager {
   protected packagerTaskPackagePolicyUpdateBatchSize: number;
   protected esClient: ElasticsearchClient;
   protected productFeaturesService: ProductFeaturesService;
+  protected licenseService: LicenseService;
   protected savedObjectsClientFactory: SavedObjectsClientFactory;
 
   constructor(context: ManifestManagerContext) {
@@ -136,6 +139,7 @@ export class ManifestManager {
       context.packagerTaskPackagePolicyUpdateBatchSize;
     this.esClient = context.esClient;
     this.productFeaturesService = context.productFeaturesService;
+    this.licenseService = context.licenseService;
   }
 
   /**
@@ -147,6 +151,39 @@ export class ManifestManager {
     return new ManifestClient(this.savedObjectsClient, this.schemaVersion);
   }
 
+  /**
+   * Determines if exceptions should be retrieved based on licensing conditions
+   * @private
+   */
+  private shouldRetrieveExceptions(listId: ArtifactListId): boolean {
+    // endpointHostIsolationExceptions includes full CRUD support for Host Isolation Exceptions
+    // Host Isolation Exceptions require feature enablement (serverless).
+    const isHostIsolationWithFeatureEnabled =
+      listId === ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id &&
+      this.productFeaturesService.isEnabled(ProductFeatureKey.endpointHostIsolationExceptions);
+
+    // Trusted Devices requires enterprise license (ess) or feature enablement (serverless).
+    // In serverless .isEnterprise() will always yield true, in ESS feature check .isEnabled() will also always yield true.
+    // Therefore both conditions must be met in both environments.
+    const isTrustedDevicesWithFeatureAndEnterpriseLicense =
+      listId === ENDPOINT_ARTIFACT_LISTS.trustedDevices.id &&
+      this.experimentalFeatures.trustedDevices &&
+      this.productFeaturesService.isEnabled(ProductFeatureKey.endpointTrustedDevices) &&
+      this.licenseService.isEnterprise();
+
+    // endpointArtifactManagement includes full CRUD support for all other exception lists + RD support for Host Isolation Exceptions
+    const isOtherArtifactWithFeatureEnabled =
+      listId !== ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id &&
+      listId !== ENDPOINT_ARTIFACT_LISTS.trustedDevices.id &&
+      this.productFeaturesService.isEnabled(ProductFeatureKey.endpointArtifactManagement);
+
+    return (
+      isHostIsolationWithFeatureEnabled ||
+      isTrustedDevicesWithFeatureAndEnterpriseLicense ||
+      isOtherArtifactWithFeatureEnabled
+    );
+  }
+
   /**
    * Search or get exceptions from the cached map by listId and OS and filter those by policyId/global
    */
@@ -167,17 +204,9 @@ export class ManifestManager {
   }): Promise<WrappedTranslatedExceptionList> {
     if (!this.cachedExceptionsListsByOs.has(`${listId}-${os}`)) {
       let itemsByListId: ExceptionListItemSchema[] = [];
-      // endpointHostIsolationExceptions includes full CRUD support for Host Isolation Exceptions
-      // endpointArtifactManagement includes full CRUD support for all other exception lists + RD support for Host Isolation Exceptions
-      // If there are host isolation exceptions in place but there is a downgrade scenario, those shouldn't be taken into account when generating artifacts.
-      if (
-        (listId === ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id &&
-          this.productFeaturesService.isEnabled(
-            ProductFeatureKey.endpointHostIsolationExceptions
-          )) ||
-        (listId !== ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id &&
-          this.productFeaturesService.isEnabled(ProductFeatureKey.endpointArtifactManagement))
-      ) {
+      // If there are host isolation exceptions in place but there is a downgrade scenario (serverless), those shouldn't be taken into account when generating artifacts.
+      // If there are trusted devices in place but there is a downgrade scenario (ess/serverless), those shouldn't be taken into account when generating artifacts.
+      if (this.shouldRetrieveExceptions(listId)) {
         itemsByListId = await getAllItemsFromEndpointExceptionList({
           elClient,
           os,

x-pack/solutions/security/plugins/security_solution/server/plugin.ts

@@ -657,6 +657,7 @@ export class Plugin implements ISecuritySolutionPlugin {
       packagerTaskPackagePolicyUpdateBatchSize: config.packagerTaskPackagePolicyUpdateBatchSize,
       esClient: core.elasticsearch.client.asInternalUser,
       productFeaturesService,
+      licenseService,
     });
 
     this.endpointAppContextService.start({