Set user depending on agent.privileges.root field from manifest (elastic#1789)

mrodm · web-flow · commit c2ff98b32e5c · 2024-04-22T12:43:01.000+02:00
Set user root if specified in agent.privileges.root (package manifest). If user is
also specified in the configuration file (system tests), that value from the
configuration file has preference.
diff --git a/internal/packages/packages.go b/internal/packages/packages.go
@@ -115,6 +115,12 @@ type Owner struct {
 	Type   string `config:"type" json:"type" yaml:"type"`
 }
 
+type Agent struct {
+	Privileges struct {
+		Root bool `config:"root" json:"root" yaml:"root"`
+	} `config:"privileges" json:"privileges" yaml:"privileges"`
+}
+
 // PackageManifest represents the basic structure of a package's manifest
 type PackageManifest struct {
 	SpecVersion     string           `config:"format_version" json:"format_version" yaml:"format_version"`
@@ -130,6 +136,7 @@ type PackageManifest struct {
 	Description     string           `config:"description" json:"description" yaml:"description"`
 	License         string           `config:"license" json:"license" yaml:"license"`
 	Categories      []string         `config:"categories" json:"categories" yaml:"categories"`
+	Agent           Agent            `config:"agent" json:"agent" yaml:"agent"`
 }
 
 type Elasticsearch struct {
diff --git a/internal/testrunner/runners/system/runner.go b/internal/testrunner/runners/system/runner.go
@@ -313,7 +313,7 @@ func (r *runner) createServiceOptions(variantName string) servicedeployer.Factor
 	}
 }
 
-func (r *runner) createAgentInfo(policy *kibana.Policy, config *testConfig) (agentdeployer.AgentInfo, error) {
+func (r *runner) createAgentInfo(policy *kibana.Policy, config *testConfig, agentManifest packages.Agent) (agentdeployer.AgentInfo, error) {
 	var info agentdeployer.AgentInfo
 
 	info.Name = r.options.TestFolder.Package
@@ -339,6 +339,12 @@ func (r *runner) createAgentInfo(policy *kibana.Policy, config *testConfig) (age
 	info.Agent.Runtime = config.Agent.Runtime
 	info.Agent.PidMode = config.Agent.PidMode
 
+	// If user is defined in the configuration file, it has preference
+	// and it should not be overwritten by the value in the manifest
+	if info.Agent.User == "" && agentManifest.Privileges.Root {
+		info.Agent.User = "root"
+	}
+
 	return info, nil
 }
 
@@ -819,7 +825,7 @@ func (r *runner) prepareScenario(ctx context.Context, config *testConfig, svcInf
 		return nil
 	}
 
-	agentDeployed, agentInfo, err := r.setupAgent(ctx, config, serviceStateData, policy)
+	agentDeployed, agentInfo, err := r.setupAgent(ctx, config, serviceStateData, policy, scenario.pkgManifest.Agent)
 	if err != nil {
 		return nil, err
 	}
@@ -1127,12 +1133,12 @@ func (r *runner) setupService(ctx context.Context, config *testConfig, serviceOp
 	return service, service.Info(), nil
 }
 
-func (r *runner) setupAgent(ctx context.Context, config *testConfig, state ServiceState, policy *kibana.Policy) (agentdeployer.DeployedAgent, agentdeployer.AgentInfo, error) {
+func (r *runner) setupAgent(ctx context.Context, config *testConfig, state ServiceState, policy *kibana.Policy, agentManifest packages.Agent) (agentdeployer.DeployedAgent, agentdeployer.AgentInfo, error) {
 	if !r.options.RunIndependentElasticAgent {
 		return nil, agentdeployer.AgentInfo{}, nil
 	}
 	logger.Warn("setting up agent (technical preview)...")
-	agentInfo, err := r.createAgentInfo(policy, config)
+	agentInfo, err := r.createAgentInfo(policy, config, agentManifest)
 	if err != nil {
 		return nil, agentdeployer.AgentInfo{}, err
 	}
diff --git a/test/packages/with-custom-agent/auditd_manager_independent_agent/data_stream/auditd/_dev/test/system/test-default-config.yml b/test/packages/with-custom-agent/auditd_manager_independent_agent/data_stream/auditd/_dev/test/system/test-default-config.yml
@@ -5,7 +5,6 @@ data_stream:
     preserve_original_event: true
 agent:
   runtime: docker
-  user: "root"
   pid_mode: "host"
   linux_capabilities:
     - AUDIT_CONTROL
diff --git a/test/packages/with-custom-agent/auditd_manager_independent_agent/manifest.yml b/test/packages/with-custom-agent/auditd_manager_independent_agent/manifest.yml
@@ -1,15 +1,17 @@
-format_version: 1.0.0
+format_version: 2.12.0
 name: auditd_manager_independent_agent
 title: "Auditd Manager"
 version: 999.999.999
-license: basic
 description: "The Auditd Manager Integration receives audit events from the Linux Audit Framework that is a part of the Linux kernel."
 type: integration
 categories:
   - os_system
   - security
 conditions:
-  kibana.version: "^8.2.0"
+  elastic:
+    subscription: basic
+  kibana:
+    version: "^8.2.0"
 screenshots:
   - src: /img/sample-screenshot.png
     title: Sample screenshot
@@ -30,3 +32,6 @@ policy_templates:
         description: Collecting auditd events
 owner:
   github: elastic/security-external-integrations
+agent:
+  privileges:
+    root: true

Original file line number	Diff line number	Diff line change
`@@ -313,7 +313,7 @@ func (r *runner) createServiceOptions(variantName string) servicedeployer.Factor`
`313`	`313`	`}`
`314`	`314`	`}`
`315`	`315`
`316`		`-func (r runner) createAgentInfo(policy kibana.Policy, config *testConfig) (agentdeployer.AgentInfo, error) {`
	`316`	`+func (r runner) createAgentInfo(policy kibana.Policy, config *testConfig, agentManifest packages.Agent) (agentdeployer.AgentInfo, error) {`
`317`	`317`	`var info agentdeployer.AgentInfo`
`318`	`318`
`319`	`319`	`info.Name = r.options.TestFolder.Package`
`@@ -339,6 +339,12 @@ func (r runner) createAgentInfo(policy kibana.Policy, config *testConfig) (age`
`339`	`339`	`info.Agent.Runtime = config.Agent.Runtime`
`340`	`340`	`info.Agent.PidMode = config.Agent.PidMode`
`341`	`341`
	`342`	`+ // If user is defined in the configuration file, it has preference`
	`343`	`+ // and it should not be overwritten by the value in the manifest`
	`344`	`+ if info.Agent.User == "" && agentManifest.Privileges.Root {`
	`345`	`+ info.Agent.User = "root"`
	`346`	`+ }`
	`347`	`+`
`342`	`348`	`return info, nil`
`343`	`349`	`}`
`344`	`350`
`@@ -819,7 +825,7 @@ func (r runner) prepareScenario(ctx context.Context, config testConfig, svcInf`
`819`	`825`	`return nil`
`820`	`826`	`}`
`821`	`827`
`822`		`- agentDeployed, agentInfo, err := r.setupAgent(ctx, config, serviceStateData, policy)`
	`828`	`+ agentDeployed, agentInfo, err := r.setupAgent(ctx, config, serviceStateData, policy, scenario.pkgManifest.Agent)`
`823`	`829`	`if err != nil {`
`824`	`830`	`return nil, err`
`825`	`831`	`}`
`@@ -1127,12 +1133,12 @@ func (r runner) setupService(ctx context.Context, config testConfig, serviceOp`
`1127`	`1133`	`return service, service.Info(), nil`
`1128`	`1134`	`}`
`1129`	`1135`
`1130`		`-func (r runner) setupAgent(ctx context.Context, config testConfig, state ServiceState, policy *kibana.Policy) (agentdeployer.DeployedAgent, agentdeployer.AgentInfo, error) {`
	`1136`	`+func (r runner) setupAgent(ctx context.Context, config testConfig, state ServiceState, policy *kibana.Policy, agentManifest packages.Agent) (agentdeployer.DeployedAgent, agentdeployer.AgentInfo, error) {`
`1131`	`1137`	`if !r.options.RunIndependentElasticAgent {`
`1132`	`1138`	`return nil, agentdeployer.AgentInfo{}, nil`
`1133`	`1139`	`}`
`1134`	`1140`	`logger.Warn("setting up agent (technical preview)...")`
`1135`		`- agentInfo, err := r.createAgentInfo(policy, config)`
	`1141`	`+ agentInfo, err := r.createAgentInfo(policy, config, agentManifest)`
`1136`	`1142`	`if err != nil {`
`1137`	`1143`	`return nil, agentdeployer.AgentInfo{}, err`
`1138`	`1144`	`}`