
Commit 64dd80b

authored
Clean up credentials for disabled inputs (#241185)
## Summary For disabled input we don't need to store any credentials Fixes: - #171922 ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [x] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.
1 parent 21e34ea commit 64dd80b


2 files changed

+147
-17
lines changed


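--- a/x-pack/solutions/security/plugins/cloud_security_posture/common/utils/helpers.test.ts
+++ b/x-pack/solutions/security/plugins/cloud_security_posture/common/utils/helpers.test.ts
@@ -337,5 +337,131 @@ describe('test helper methods', () => {
 'gcp.credentials.json': { value: 'unused' },
 });
 });
+
+it('cleans all aws credential fields from disabled inputs to prevent storing unnecessary secrets', () => {
+const mockPackagePolicy = createPackagePolicyMock();
+mockPackagePolicy.inputs = [
+{
+type: 'cloudbeat/cis_aws',
+enabled: true,
+streams: [
+{
+id: 'findings',
+enabled: true,
+data_stream: {
+dataset: 'cloud_security_posture.findings',
+type: 'logs',
+},
+vars: {
+'aws.credentials.type': { value: 'direct_access_keys' },
+access_key_id: { value: 'used_key', type: 'text' },
+secret_access_key: { value: 'used_secret', type: 'text' },
+role_arn: { value: 'unused' },
+},
+},
+],
+},
+{
+type: 'cloudbeat/cis_eks',
+enabled: false,
+streams: [
+{
+id: 'findings',
+enabled: false,
+data_stream: {
+dataset: 'cloud_security_posture.findings',
+type: 'logs',
+},
+vars: {
+'aws.credentials.type': { value: 'assume_role' },
+access_key_id: { value: 'should_be_removed', type: 'text' },
+secret_access_key: { value: 'should_be_removed', type: 'text' },
+role_arn: { value: 'should_be_removed' },
+session_token: { value: 'should_be_removed', type: 'text' },
+},
+},
+],
+},
+];
+
+const cleanedPackage = cleanupCredentials(mockPackagePolicy);
+
+// Enabled input should keep credentials based on credential type
+expect(cleanedPackage.inputs[0].streams[0].vars).toEqual({
+'aws.credentials.type': { value: 'direct_access_keys' },
+access_key_id: { value: 'used_key', type: 'text' },
+secret_access_key: { value: 'used_secret', type: 'text' },
+role_arn: { value: undefined },
+});
+
+// Disabled input should have all credential fields removed
+expect(cleanedPackage.inputs[1].streams[0].vars).toEqual({
+'aws.credentials.type': { value: 'assume_role' },
+access_key_id: { value: undefined, type: 'text' },
+secret_access_key: { value: undefined, type: 'text' },
+role_arn: { value: undefined },
+session_token: { value: undefined, type: 'text' },
+});
+});
+
+it('cleans all gcp credential fields from disabled inputs', () => {
+const mockPackagePolicy = createPackagePolicyMock();
+mockPackagePolicy.inputs = [
+{
+type: 'cloudbeat/cis_gcp',
+enabled: true,
+streams: [
+{
+id: 'findings',
+enabled: true,
+data_stream: {
+dataset: 'cloud_security_posture.findings',
+type: 'logs',
+},
+vars: {
+'gcp.credentials.type': { value: 'credentials-file' },
+'gcp.credentials.file': { value: 'used' },
+'gcp.credentials.json': { value: 'unused' },
+},
+},
+],
+},
+{
+type: 'cloudbeat/cis_gcp',
+enabled: false,
+streams: [
+{
+id: 'findings',
+enabled: false,
+data_stream: {
+dataset: 'cloud_security_posture.findings',
+type: 'logs',
+},
+vars: {
+'gcp.credentials.type': { value: 'credentials-json' },
+'gcp.credentials.file': { value: 'should_be_removed' },
+'gcp.credentials.json': { value: 'should_be_removed' },
+},
+},
+],
+},
+];
+
+const cleanedPackage = cleanupCredentials(mockPackagePolicy);
+
+// Enabled input should keep credentials based on credential type
+expect(cleanedPackage.inputs[0].streams[0].vars).toEqual({
+'gcp.credentials.type': { value: 'credentials-file' },
+'gcp.credentials.file': { value: 'used' },
+'gcp.credentials.json': { value: undefined },
+});
+
+// Disabled input should have all credential fields removed
+expect(cleanedPackage.inputs[1].streams[0].vars).toEqual({
+'gcp.credentials.type': { value: 'credentials-json' },
+'gcp.credentials.file': { value: undefined },
+'gcp.credentials.json': { value: undefined },
+});
+});
 });
 });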
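Review bot: The comments on new lines 397 and 459 say the credential fields are "removed", but the assertions right below them (398–404 and 460–464) show the keys survive with `value: undefined` and `type: 'text'` intact, so what the test actually verifies is that the values are cleared; `// Disabled input should have every credential value cleared (keys are kept)` would match both the assertion and what a consumer of the saved policy receives. Consider also asserting that `mockPackagePolicy.inputs[1].streams[0].vars` is unchanged after the call: `cleanupCredentials` returns spread copies, but nothing in this hunk checks whether the source policy object is left intact, and the `should_be_removed` values in the fixture are exactly where such a regression would show.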

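--- a/x-pack/solutions/security/plugins/cloud_security_posture/common/utils/helpers.ts
+++ b/x-pack/solutions/security/plugins/cloud_security_posture/common/utils/helpers.ts
@@ -138,26 +138,30 @@ export const cleanupCredentials = (packagePolicy: NewPackagePolicy | UpdatePacka
 return {
 ...packagePolicy,
 inputs: packagePolicy.inputs.map((input) => {
-if (input.enabled) {
-return {
-...input,
-streams: input.streams.map((stream) => {
-const vars = stream.vars;
-for (const field in vars) {
-if (!credsToKeep.includes(field) && credFields.includes(field)) {
+return {
+...input,
+streams: input.streams.map((stream) => {
+const vars = stream.vars;
+for (const field in vars) {
+if (input.enabled) {
+// for enabled inputs, clean up unused credentials based on the selected credential type
+if (credFields.includes(field) && !credsToKeep.includes(field)) {
+vars[field].value = undefined;
+}
+} else {
+// for disabled inputs, remove all credential fields to prevent storing unnecessary secrets
+if (credFields.includes(field)) {
 vars[field].value = undefined;
 }
 }
-
-return {
-...stream,
-vars,
-};
-}),
-};
-}
-
-return input;
+}
+
+return {
+...stream,
+vars,
+};
+}),
+};
 }),
 };
 }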
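Review bot: `vars[field].value = undefined` on the new side (lines 149 and 154) still writes through the reference taken by `const vars = stream.vars;`, so the caller's `packagePolicy` is mutated in place even though the function returns spread copies of the policy, input and stream; a caller that keeps the original object around sees its credential values cleared as a side effect, which the copy-and-return shape of the function does not suggest. The enabled and disabled branches also differ only in whether `credsToKeep` is consulted, so the loop can be a single predicate that copies the var object instead of assigning into it, as below. `credFields`, `credsToKeep` and the head of `cleanupCredentials` are outside the hunk, and whether `stream.vars` may be undefined is not visible here; `{ ...undefined }` yields `{}`, so keep the original reference for a nullish `vars` if callers depend on that.
```typescript
streams: input.streams.map((stream) => {
  const vars = { ...stream.vars };
  for (const field in vars) {
    // enabled inputs keep only the fields of the selected credential type;
    // disabled inputs must not retain any credential value at all
    const clear =
      credFields.includes(field) && (!input.enabled || !credsToKeep.includes(field));
    if (clear) {
      vars[field] = { ...vars[field], value: undefined };
    }
  }
  return { ...stream, vars };
}),
```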
