[Fleet] Support secretRef as value for simplified package policies (#189070)

x-pack/plugins/fleet/common/services/simplified_package_policy_helper.ts

@@ -50,8 +50,9 @@ export interface SimplifiedPackagePolicy {
   inputs?: SimplifiedInputs;
 }
 
-export interface FormattedPackagePolicy extends Omit<PackagePolicy, 'inputs'> {
+export interface FormattedPackagePolicy extends Omit<PackagePolicy, 'inputs' | 'vars'> {
   inputs?: SimplifiedInputs;
+  vars?: SimplifiedVars;
 }
 
 export interface FormattedCreatePackagePolicyResponse {
@@ -61,6 +62,10 @@ export interface FormattedCreatePackagePolicyResponse {
 export function packagePolicyToSimplifiedPackagePolicy(packagePolicy: PackagePolicy) {
   const formattedPackagePolicy = packagePolicy as unknown as FormattedPackagePolicy;
   formattedPackagePolicy.inputs = formatInputs(packagePolicy.inputs);
+  if (packagePolicy.vars) {
+    formattedPackagePolicy.vars = formatVars(packagePolicy.vars);
+  }
+
   return formattedPackagePolicy;
 }
 

x-pack/plugins/fleet/server/types/models/package_policy.ts

@@ -177,6 +177,11 @@ const SimplifiedVarsSchema = schema.recordOf(
       schema.number(),
       schema.arrayOf(schema.string()),
       schema.arrayOf(schema.number()),
+      // Secrets
+      schema.object({
+        id: schema.string(),
+        isSecretRef: schema.boolean(),
+      }),
     ])
   )
 );

x-pack/test/fleet_api_integration/apis/outputs/crud.ts

@@ -13,7 +13,7 @@ import {
 } from '@kbn/fleet-plugin/common/constants';
 import { v4 as uuidV4 } from 'uuid';
 import { FtrProviderContext } from '../../../api_integration/ftr_provider_context';
-import { skipIfNoDockerRegistry } from '../../helpers';
+import { enableSecrets, skipIfNoDockerRegistry } from '../../helpers';
 import { setupFleetAndAgents } from '../agents/services';
 
 export default function (providerContext: FtrProviderContext) {
@@ -47,21 +47,6 @@ export default function (providerContext: FtrProviderContext) {
     }
   };
 
-  const enableSecrets = async () => {
-    try {
-      await kibanaServer.savedObjects.update({
-        type: GLOBAL_SETTINGS_SAVED_OBJECT_TYPE,
-        id: 'fleet-default-settings',
-        attributes: {
-          secret_storage_requirements_met: true,
-        },
-        overwrite: false,
-      });
-    } catch (e) {
-      throw e;
-    }
-  };
-
   const enableOutputSecrets = async () => {
     try {
       await kibanaServer.savedObjects.update({
@@ -194,7 +179,7 @@ export default function (providerContext: FtrProviderContext) {
     let fleetServerPolicyWithCustomOutputId: string;
 
     before(async function () {
-      await enableSecrets();
+      await enableSecrets(providerContext);
       await enableOutputSecrets();
       await kibanaServer.spaces
         .create({

x-pack/test/fleet_api_integration/apis/package_policy/update.ts

@@ -6,11 +6,16 @@
  */
 import expect from '@kbn/expect';
 import { policyFactory } from '@kbn/security-solution-plugin/common/endpoint/models/policy_config';
-import type { NewPackagePolicy } from '@kbn/fleet-plugin/common';
+import { NewPackagePolicy } from '@kbn/fleet-plugin/common';
 import { sortBy } from 'lodash';
 import { FtrProviderContext } from '../../../api_integration/ftr_provider_context';
-import { skipIfNoDockerRegistry, isDockerRegistryEnabledOrSkipped } from '../../helpers';
+import {
+  skipIfNoDockerRegistry,
+  isDockerRegistryEnabledOrSkipped,
+  enableSecrets,
+} from '../../helpers';
 import { testUsers } from '../test_users';
+
 export default function (providerContext: FtrProviderContext) {
   const { getService } = providerContext;
   const supertest = getService('supertest');
@@ -58,20 +63,26 @@ export default function (providerContext: FtrProviderContext) {
     let packagePolicyId: string;
     let packagePolicyId2: string;
     let packagePolicyId3: string;
+    let packagePolicySecretsId: string;
+    let packagePolicySecrets: any;
     let endpointPackagePolicyId: string;
     let inputOnlyPackagePolicyId: string;
 
     let inputOnlyBasePackagePolicy: NewPackagePolicy;
 
     before(async () => {
-      await kibanaServer.savedObjects.cleanStandardList();
       await esArchiver.load('x-pack/test/functional/es_archives/fleet/empty_fleet_server');
+      await kibanaServer.savedObjects.cleanStandardList();
     });
 
     before(async function () {
       if (!isDockerRegistryEnabledOrSkipped(providerContext)) {
         return;
       }
+
+      await enableSecrets(providerContext);
+
+      await supertest.delete(`/api/fleet/epm/packages/endpoint/8.6.1`).set('kbn-xsrf', 'xxxx');
       const [{ body: agentPolicyResponse }, { body: managedAgentPolicyResponse }] =
         await Promise.all([
           supertest.post(`/api/fleet/agent_policies`).set('kbn-xsrf', 'xxxx').send({
@@ -213,6 +224,34 @@ export default function (providerContext: FtrProviderContext) {
         });
       endpointPackagePolicyId = endpointPackagePolicyResponse.item.id;
 
+      const { body: secretsPackagePolicyResponse } = await supertest
+        .post(`/api/fleet/package_policies?format=simplified`)
+        .set('kbn-xsrf', 'xxxx')
+        .send({
+          name: 'secrets-1',
+          description: '',
+          namespace: 'default',
+          policy_id: agentPolicyId,
+          inputs: {
+            'secrets-test_input': {
+              vars: {
+                input_var_secret: 'input_var_secret_value',
+              },
+            },
+          },
+          vars: {
+            package_var_non_secret: 'package_var_non_secret_value',
+            package_var_secret: 'package_var_secret_value',
+          },
+          force: true,
+          package: {
+            name: 'secrets',
+            version: '1.1.0',
+          },
+        });
+      packagePolicySecrets = secretsPackagePolicyResponse.item;
+      packagePolicySecretsId = secretsPackagePolicyResponse.item.id;
+
       const { body: inputOnlyPolicyResponse } = await supertest
         .post(`/api/fleet/package_policies`)
         .set('kbn-xsrf', 'xxxx')
@@ -623,6 +662,25 @@ export default function (providerContext: FtrProviderContext) {
           .expect(200);
       });
 
+      it('should work with secret values', async function () {
+        await supertest
+          .put(`/api/fleet/package_policies/${packagePolicySecretsId}`)
+          .set('kbn-xsrf', 'xxxx')
+          .send({
+            name: `update-simplified-package-policy-with_required_variables-${Date.now()}`,
+            description: '',
+            namespace: 'default',
+            policy_id: agentPolicyId,
+            inputs: packagePolicySecrets.inputs,
+            vars: packagePolicySecrets.vars,
+            package: {
+              name: 'secrets',
+              version: '1.1.0',
+            },
+          })
+          .expect(200);
+      });
+
       it('should return a 400 with invalid inputs', async function () {
         const { body } = await supertest
           .put(`/api/fleet/package_policies/${packagePolicyId3}`)

x-pack/test/fleet_api_integration/helpers.ts

@@ -8,6 +8,7 @@
 import * as uuid from 'uuid';
 import { ToolingLog } from '@kbn/tooling-log';
 import { agentPolicyRouteService } from '@kbn/fleet-plugin/common/services';
+import { GLOBAL_SETTINGS_SAVED_OBJECT_TYPE } from '@kbn/fleet-plugin/common/constants';
 import {
   AgentPolicy,
   CreateAgentPolicyRequest,
@@ -141,6 +142,17 @@ export function setPrereleaseSetting(supertest: SuperTestAgent) {
   });
 }
 
+export async function enableSecrets(providerContext: FtrProviderContext) {
+  await providerContext.getService('kibanaServer').savedObjects.update({
+    type: GLOBAL_SETTINGS_SAVED_OBJECT_TYPE,
+    id: 'fleet-default-settings',
+    attributes: {
+      secret_storage_requirements_met: true,
+    },
+    overwrite: false,
+  });
+}
+
 export const generateNAgentPolicies = async (
   supertest: SuperTestAgent,
   number: number,