[Ingest Manager] Agent includes pgp file

[michalpristas]

What does this PR do?

This PR introduces baked in PGP file with a flag.
If DEV=true is specified during mage build PGP is not included and checks are omitted .
Otherwise PGP is provided and passing check is required.

The solution works well with connected agent to internet, but locally baked in packages are a bit tricky as we need to find a way of including asc files into agent package so they can be checked.

Why is it important?

More security running external binaries

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

[elasticmachine]

💔 Tests Failed

Expand to view the summary

Build stats

• Build Cause: [Pull request #19480 updated]

• Start Time: 2020-09-22T12:33:12.261+0000

• Duration: 79 min 42 sec

Test stats 🧪

Test	Results
Failed	9
Passed	20148
Skipped	1833
Total	21990

Test errors

Expand to view the tests failures

• Name: Build and Test / Filebeat oss / test_default_settings – filebeat.tests.system.test_autodiscover.TestAutodiscover

  • Age: 1
  • Duration: 90.003
  • Error Details: Failed: Timeout >90.0s

• Name: Build and Test / Filebeat x-pack Mac OS X / test_http_endpoint_correct_auth_header – x-pack.filebeat.tests.system.test_http_endpoint.Test

  • Age: 1
  • Duration: 10.193
  • Error Details: beat.beat.TimeoutError: Timeout waiting for 'cond' to be true. Waited 10 seconds.

• Name: Build and Test / Filebeat x-pack Mac OS X / test_http_endpoint_empty_body – x-pack.filebeat.tests.system.test_http_endpoint.Test

  • Age: 1
  • Duration: 2.596
  • Error Details: AssertionError: assert 401 == 406 + where 401 = <Response [401]>.status_code

• Name: Build and Test / Filebeat x-pack Mac OS X / test_http_endpoint_get_request – x-pack.filebeat.tests.system.test_http_endpoint.Test

  • Age: 1
  • Duration: 1.86
  • Error Details: AssertionError: assert 401 == 405 + where 401 = <Response [401]>.status_code

• Name: Build and Test / Filebeat x-pack Mac OS X / test_http_endpoint_malformed_json – x-pack.filebeat.tests.system.test_http_endpoint.Test

  • Age: 1
  • Duration: 1.759
  • Error Details: AssertionError: assert 401 == 400 + where 401 = <Response [401]>.status_code

• Name: Build and Test / Filebeat x-pack Mac OS X / test_http_endpoint_request – x-pack.filebeat.tests.system.test_http_endpoint.Test

  • Age: 1
  • Duration: 10.457
  • Error Details: beat.beat.TimeoutError: Timeout waiting for 'cond' to be true. Waited 10 seconds.

• Name: Build and Test / Filebeat x-pack Mac OS X / test_http_endpoint_wrong_auth_value – x-pack.filebeat.tests.system.test_http_endpoint.Test

  • Age: 1
  • Duration: 1.825
  • Error Details: AssertionError: assert '{"message": ...ader secret"}' == '{"message": ...or password"}' - {"message": "Incorrect username or password"} + {"message": "Incorrect header or header secret"}

• Name: Build and Test / Filebeat x-pack Mac OS X / test_http_endpoint_wrong_content_header – x-pack.filebeat.tests.system.test_http_endpoint.Test

  • Age: 1
  • Duration: 1.806
  • Error Details: AssertionError: assert 401 == 415 + where 401 = <Response [401]>.status_code

• Name: Build and Test / Libbeat / Libbeat oss / TestClientPublishEventKerberosAware – elasticsearch

  • Age: 3
  • Duration: 2.82
  • Error Details: Failed

Steps errors

Expand to view the steps failures

• Name: Mage build test

  • Description: mage build test

  • Duration: 27 min 15 sec

  • Start Time: 2020-09-22T12:58:27.660+0000

  • log

• Name: Mage build unitTest

  • Description: mage build unitTest

  • Duration: 5 min 46 sec

  • Start Time: 2020-09-22T12:57:56.221+0000

  • log

• Name: Recursively delete the current directory from the workspace

  • Description: script returned exit code 1

  • Duration: 0 min 15 sec

  • Start Time: 2020-09-22T13:02:52.622+0000

  • log

• Name: Mage build test

  • Description: mage build test

  • Duration: 20 min 14 sec

  • Start Time: 2020-09-22T12:58:32.389+0000

  • log

Log output

Expand to view the last 100 lines of log output

[2020-09-22T13:51:14.556Z] + tar --version
[2020-09-22T13:51:14.859Z] + tar -xpf source.tgz
[2020-09-22T13:51:25.316Z] + rm source.tgz
[2020-09-22T13:51:25.332Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats
[2020-09-22T13:51:25.356Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Lint
[2020-09-22T13:51:25.509Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Elastic-Agent-Mac-OS-X
[2020-09-22T13:51:25.612Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Auditbeat-oss-Mac-OS-X
[2020-09-22T13:51:25.706Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Heartbeat-Mac-OS-X
[2020-09-22T13:51:25.803Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Winlogbeat-oss
[2020-09-22T13:51:25.897Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Elastic-Agent-x-pack
[2020-09-22T13:51:25.999Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Auditbeat-crosscompile
[2020-09-22T13:51:26.094Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/dockerlogbeat
[2020-09-22T13:51:26.196Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Journalbeat
[2020-09-22T13:51:26.316Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Generators-Metricbeat-Linux
[2020-09-22T13:51:26.413Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Functionbeat-x-pack
[2020-09-22T13:51:26.513Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Filebeat-x-pack-Mac-OS-X
[2020-09-22T13:51:26.643Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Filebeat-Mac-OS-X
[2020-09-22T13:51:26.738Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Functionbeat-Mac-OS-X-x-pack
[2020-09-22T13:51:26.833Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Packetbeat-Linux
[2020-09-22T13:51:26.966Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Metricbeat-x-pack-Mac-OS-X
[2020-09-22T13:51:27.070Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Metricbeat-OSS-Unit-tests
[2020-09-22T13:51:27.182Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Elastic-Agent-x-pack-Windows
[2020-09-22T13:51:27.281Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Packetbeat-Mac-OS-X
[2020-09-22T13:51:27.396Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Auditbeat-x-pack-Mac-OS-X
[2020-09-22T13:51:27.483Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Auditbeat-oss-Windows
[2020-09-22T13:51:27.573Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Auditbeat-x-pack-Windows
[2020-09-22T13:51:27.665Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Heartbeat-oss
[2020-09-22T13:51:27.769Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Auditbeat-x-pack
[2020-09-22T13:51:27.903Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Winlogbeat-Windows-x-pack
[2020-09-22T13:51:27.997Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Generators-Beat-Mac-OS-X
[2020-09-22T13:51:28.103Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Heartbeat-Windows
[2020-09-22T13:51:28.205Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Winlogbeat-Windows
[2020-09-22T13:51:28.324Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Generators-Metricbeat-Mac-OS-X
[2020-09-22T13:51:28.417Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Auditbeat-oss-Linux
[2020-09-22T13:51:28.516Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Metricbeat-crosscompile
[2020-09-22T13:51:28.609Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Filebeat-Windows
[2020-09-22T13:51:28.704Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Filebeat-x-pack-Windows
[2020-09-22T13:51:28.797Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Libbeat-x-pack
[2020-09-22T13:51:28.894Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Packetbeat-Windows
[2020-09-22T13:51:28.989Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Functionbeat-Windows
[2020-09-22T13:51:29.093Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Metricbeat-x-pack-Windows
[2020-09-22T13:51:29.193Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Metricbeat-Windows
[2020-09-22T13:51:29.286Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Generators-Beat-Linux
[2020-09-22T13:51:29.381Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Libbeat-oss
[2020-09-22T13:51:29.503Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Filebeat-oss
[2020-09-22T13:51:29.611Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Filebeat-x-pack
[2020-09-22T13:51:29.715Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Metricbeat-Mac-OS-X
[2020-09-22T13:51:29.822Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Metricbeat-OSS-Go-Integration-tests
[2020-09-22T13:51:29.912Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Metricbeat-OSS-Python-Integration-tests
[2020-09-22T13:51:30.008Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Metricbeat-x-pack
[2020-09-22T13:51:30.434Z] + cat
[2020-09-22T13:51:30.435Z] + /usr/local/bin/runbld ./runbld-script --job-name elastic+beats+pull-request
[2020-09-22T13:51:30.435Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-09-22T13:51:37.035Z] runbld>>> runbld started
[2020-09-22T13:51:37.035Z] runbld>>> 1.6.12/f45d832f2ba0aa2722ab4ec1fda8ad140f027f8b
[2020-09-22T13:51:37.985Z] runbld>>> The following profiles matched the job 'elastic+beats+pull-request' in order of occurrence in the config (last value wins).
[2020-09-22T13:51:37.985Z] runbld>>> Matches in the system config:
[2020-09-22T13:51:37.985Z] runbld>>> - Matched ^elastic\+beats
[2020-09-22T13:51:37.985Z] runbld>>> - Matched ^elastic\+beats\+pull-request
[2020-09-22T13:51:39.371Z] runbld>>> Debug logging enabled.
[2020-09-22T13:51:39.371Z] runbld>>> Storing result
[2020-09-22T13:51:39.633Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-09-22T13:51:39.633Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1597739501209/t/20200922135139-7E249A11
[2020-09-22T13:51:39.633Z] runbld>>> Adding system facts.
[2020-09-22T13:51:40.577Z] runbld>>> Adding vcs info for the latest commit:  8958d1efddad8256311fd1af7c618bb7e6d30c39
[2020-09-22T13:51:40.577Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-09-22T13:51:40.577Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-09-22T13:51:40.577Z] Processing JUnit reports with runbld...
[2020-09-22T13:51:40.577Z] + echo 'Processing JUnit reports with runbld...'
[2020-09-22T13:51:40.839Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-09-22T13:51:40.839Z] runbld>>> DURATION: 34ms
[2020-09-22T13:51:40.839Z] runbld>>> STDOUT: 40 bytes
[2020-09-22T13:51:40.839Z] runbld>>> STDERR: 49 bytes
[2020-09-22T13:51:40.839Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-09-22T13:51:40.839Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats_PR-19480
[2020-09-22T13:51:41.785Z] runbld>>> Storing build metadata: 
[2020-09-22T13:51:41.785Z] runbld>>> Adding test report.
[2020-09-22T13:51:41.785Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats
[2020-09-22T13:51:42.732Z] runbld>>> Found 139 test output files
[2020-09-22T13:51:42.995Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-activemq.xml
[2020-09-22T13:51:42.995Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-openmetrics.xml
[2020-09-22T13:51:42.995Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-istio.xml
[2020-09-22T13:51:42.995Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-iis.xml
[2020-09-22T13:51:42.995Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-tomcat.xml
[2020-09-22T13:51:44.390Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Metricbeat-OSS-Go-Integration-tests/metricbeat/build/TEST-go-integration-graphite.xml
[2020-09-22T13:51:44.390Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-19480/src/github.com/elastic/beats/Metricbeat-OSS-Go-Integration-tests/metricbeat/build/TEST-go-integration-windows.xml
[2020-09-22T13:51:46.310Z] runbld>>> Test output logs contained: Errors: 0 Failures: 9 Tests: 21833 Skipped: 1560
[2020-09-22T13:51:46.310Z] runbld>>> Storing result
[2020-09-22T13:51:46.310Z] runbld>>> FAILURES: 9
[2020-09-22T13:51:48.226Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-09-22T13:51:48.226Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1597739501209/t/20200922135139-7E249A11
[2020-09-22T13:51:48.226Z] runbld>>> Email notification disabled by environment variable.
[2020-09-22T13:51:48.226Z] runbld>>> Slack notification disabled by environment variable.
[2020-09-22T13:51:53.754Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats_PR-19480
[2020-09-22T13:51:53.897Z] [INFO] getVaultSecret: Getting secrets
[2020-09-22T13:51:53.995Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-09-22T13:51:54.981Z] + chmod 755 generate-build-data.sh
[2020-09-22T13:51:54.981Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-19480/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-19480/runs/7 FAILURE 4722453
[2020-09-22T13:51:54.981Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-19480/runs/7/steps/?limit=10000 -o steps-info.json
[2020-09-22T13:51:59.105Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-19480/runs/7/tests/?status=FAILED -o tests-errors.json

[michalpristas]

related to this is including ASC files for beats into our package.
these are generated during release process so we need to figure out how. therefore this is still a draft with commented out ASC checks. HTTP downloader/verifyier works ok. problem is only with prepared packages

I contacted Chris to figure this out and come up with feasible strategy which would also help us with including endpoint probably

[blakerouse]

I think this looks good. By default PGP is used and required, only DEV=true at build time allows that to be removed.

[michalpristas]

not activating FS verifier just yet as for: https://github.com/elastic/infra/issues/21487
i think we can keep HTTP one turned on

[elasticmachine]

Pinging @elastic/ingest-management (Team:Ingest Management)

[michalpristas]

talking to infra about including asc files not merging before then

[ph]

@michalpristas I think everything is in place in infra to move this forward?

[ph]

@michalpristas This should work with nightly snapshot too correct? When this get in, we need to communicate it with the other teams.

[michalpristas]

should work with snapshots yeah

[scunningham]

It appears this code pulls the PGP Key down from the CDN on the fly. It would be far safer to embed the key in the binary at build time. Unless I'm reading it wrong, this implementation fetches the PGP key dynamically via https and validates against it with no additional validation that we we received the proper key. A determined attacker may be able to man in the middle the HTTPS transaction and deliver an invalid key.

[ruflin]

leftover

[michalpristas]

this whole section will get removed

[blakerouse]

Looks good.

Really like the DEV env for development. Will actually be able to use that for the install/uninstall for self-upgrading, so in dev mode self-upgrading can be tested without it being installed in the correct paths. +1

[ph]

@michalpristas @blakerouse @ruflin we will need to document the DEV usage in the developper docs.

[scunningham]

Thanks. Question; does the PGP Key pull down during each release build; or we do we used a checked-in PGP Key unless somebody explicitly runs the code that pulls down the key and embeds it?

Pulling down the key on the fly during a build slightly concerns me as it allows an admittedly narrow window for attack. Subsequent unit tests should catch an injection, but we should validate that.

[michalpristas]

@scunningham nono key is prepacked in this PR and once we will need it updated we will update the file and run mage update for it to take effect

[scunningham]

@michalpristas Fantastic, thank you!

[michalpristas]

Faliures not related