[Fleet] Invalidate api keys in agents default_api_key_history on force unenroll (#135910)

2025-04-24 17:59:23 -04:00 · 2022-07-08 08:37:05 -04:00 · 2022-07-08 08:37:05 -04:00 · 71dab14ea5
commit 71dab14ea5
parent 943c3665cf
3 changed files with 50 additions and 4 deletions
--- a/x-pack/plugins/fleet/common/types/models/agent.ts
+++ b/x-pack/plugins/fleet/common/types/models/agent.ts
@ -85,6 +85,7 @@ interface AgentBase {
 export interface Agent extends AgentBase {
  id: string;
  access_api_key?: string;
+  default_api_key_history?: FleetServerAgent['default_api_key_history'];
  status?: AgentStatus;
  packages: string[];
  sort?: Array<number | string | null>;
@ -206,6 +207,13 @@ export interface FleetServerAgent {
   * A list of tags used for organizing/filtering agents
   */
  tags?: string[];
+  /**
+   * Default API Key History
+   */
+  default_api_key_history?: Array<{
+    id: string;
+    retired_at: string;
+  }>;
 }
 /**
 * An Elastic Agent metadata
--- a/x-pack/plugins/fleet/server/services/agents/unenroll.test.ts
+++ b/x-pack/plugins/fleet/server/services/agents/unenroll.test.ts
@ -10,8 +10,13 @@ import type { SavedObject } from '@kbn/core/server';

 import type { AgentPolicy } from '../../types';
 import { HostedAgentPolicyRestrictionRelatedError } from '../../errors';
+import { invalidateAPIKeys } from '../api_keys';

-import { unenrollAgent, unenrollAgents } from './unenroll';
+import { invalidateAPIKeysForAgents, unenrollAgent, unenrollAgents } from './unenroll';
+
+jest.mock('../api_keys');
+
+const mockedInvalidateAPIKeys = invalidateAPIKeys as jest.MockedFunction<typeof invalidateAPIKeys>;

 const agentInHostedDoc = {
  _id: 'agent-in-hosted-policy',
@ -229,6 +234,37 @@ describe('unenrollAgents (plural)', () => {
  });
 });

+describe('invalidateAPIKeysForAgents', () => {
+  beforeEach(() => {
+    mockedInvalidateAPIKeys.mockReset();
+  });
+  it('revoke all the agents API keys', async () => {
+    await invalidateAPIKeysForAgents([
+      {
+        id: 'agent1',
+        default_api_key_id: 'defaultApiKey1',
+        access_api_key_id: 'accessApiKey1',
+        default_api_key_history: [
+          {
+            id: 'defaultApiKeyHistory1',
+          },
+          {
+            id: 'defaultApiKeyHistory2',
+          },
+        ],
+      } as any,
+    ]);
+
+    expect(mockedInvalidateAPIKeys).toBeCalledTimes(1);
+    expect(mockedInvalidateAPIKeys).toBeCalledWith([
+      'accessApiKey1',
+      'defaultApiKey1',
+      'defaultApiKeyHistory1',
+      'defaultApiKeyHistory2',
+    ]);
+  });
+});
+
 function createClientMock() {
  const soClientMock = savedObjectsClientMock.create();

--- a/x-pack/plugins/fleet/server/services/agents/unenroll.ts
+++ b/x-pack/plugins/fleet/server/services/agents/unenroll.ts
@ -8,7 +8,7 @@
 import type { ElasticsearchClient, SavedObjectsClientContract } from '@kbn/core/server';

 import type { Agent, BulkActionResult } from '../../types';
-import * as APIKeyService from '../api_keys';
+import { invalidateAPIKeys } from '../api_keys';
 import { HostedAgentPolicyRestrictionRelatedError } from '../../errors';

 import { createAgentAction } from './actions';
@ -163,12 +163,14 @@ export async function invalidateAPIKeysForAgents(agents: Agent[]) {
    if (agent.default_api_key_id) {
      keys.push(agent.default_api_key_id);
    }
-
+    if (agent.default_api_key_history) {
+      agent.default_api_key_history.forEach((apiKey) => keys.push(apiKey.id));
+    }
    return keys;
  }, []);

  if (apiKeys.length) {
-    await APIKeyService.invalidateAPIKeys(apiKeys);
+    await invalidateAPIKeys(apiKeys);
  }
 }