[8.5](backport #2044) Add active filter for enrollment key queries. (#…

…2047)

* Add active filter for enrollment key queries. (#2044)

* Add active filter for enrollment key queries.

Add an active: true filter to enrollment key queries. This allows
fleet-server to handle cases where there may be 10+ inactive keys
associated with a policy.

* review feedback

* fix linter

* fix tests

* Fix test cases

(cherry picked from commit 3d15e24)

# Conflicts:
#	CHANGELOG.next.asciidoc

* Update CHANGELOG.next.asciidoc

Co-authored-by: Michel Laterman <82832767+michel-laterman@users.noreply.github.com>

CHANGELOG.next.asciidoc

@@ -16,6 +16,7 @@
 - Update apikey.cache_hit log field name to match convention. {pull}1900[1900]
 - Fix fleet.migration.total log key overlap {pull}1951[1951]
 - Remove POLICY_CHANGE actions from list retrieved from actions index before sending actions to agent on Checkin. {issue}1773[1773] {pull}1963[1963]
+- Add "active: true" filter to enrollemnent key queries. {issue}2029[2029] {pull}2044[2044]
 
 ==== New Features
 

internal/pkg/dl/enrollment_api_key.go

@@ -19,25 +19,29 @@ const (
 )
 
 var (
-	QueryEnrollmentAPIKeyByID       = prepareFindEnrollmentAPIKeyByID()
-	QueryEnrollmentAPIKeyByPolicyID = prepareFindEnrollmentAPIKeyByPolicyID()
+	QueryEnrollmentAPIKeyByID       = prepareFindActiveEnrollmentAPIKeyByID()
+	QueryEnrollmentAPIKeyByPolicyID = prepareFindActiveEnrollmentAPIKeyByPolicyID()
 )
 
-func prepareFindEnrollmentAPIKeyByID() *dsl.Tmpl {
+func prepareFindActiveEnrollmentAPIKeyByID() *dsl.Tmpl {
 	tmpl := dsl.NewTmpl()
 
 	root := dsl.NewRoot()
-	root.Query().Bool().Filter().Term(FieldAPIKeyID, tmpl.Bind(FieldAPIKeyID), nil)
+	filter := root.Query().Bool().Filter()
+	filter.Term(FieldAPIKeyID, tmpl.Bind(FieldAPIKeyID), nil)
+	filter.Term(FieldActive, true, nil)
 
 	tmpl.MustResolve(root)
 	return tmpl
 }
 
-func prepareFindEnrollmentAPIKeyByPolicyID() *dsl.Tmpl {
+func prepareFindActiveEnrollmentAPIKeyByPolicyID() *dsl.Tmpl {
 	tmpl := dsl.NewTmpl()
 
 	root := dsl.NewRoot()
-	root.Query().Bool().Filter().Term(FieldPolicyID, tmpl.Bind(FieldPolicyID), nil)
+	filter := root.Query().Bool().Filter()
+	filter.Term(FieldPolicyID, tmpl.Bind(FieldPolicyID), nil)
+	filter.Term(FieldActive, true, nil)
 
 	tmpl.MustResolve(root)
 	return tmpl

internal/pkg/dl/enrollment_api_key_integration_test.go

@@ -22,13 +22,13 @@ import (
 	ftesting "github.com/elastic/fleet-server/v7/internal/pkg/testing"
 )
 
-func createRandomEnrollmentAPIKey(policyID string) model.EnrollmentAPIKey {
+func createRandomEnrollmentAPIKey(policyID string, active bool) model.EnrollmentAPIKey {
 	now := time.Now().UTC()
 	return model.EnrollmentAPIKey{
 		ESDocument: model.ESDocument{
 			Id: xid.New().String(),
 		},
-		Active:    true,
+		Active:    active,
 		APIKey:    "d2JndlFIWUJJUVVxWDVia2NJTV86X0d6ZmljZGNTc1d4R1otbklrZFFRZw==",
 		APIKeyID:  xid.New().String(),
 		CreatedAt: now.Format(time.RFC3339),
@@ -38,8 +38,8 @@ func createRandomEnrollmentAPIKey(policyID string) model.EnrollmentAPIKey {
 
 }
 
-func storeRandomEnrollmentAPIKey(ctx context.Context, bulker bulk.Bulk, index string, policyID string) (rec model.EnrollmentAPIKey, err error) {
-	rec = createRandomEnrollmentAPIKey(policyID)
+func storeRandomEnrollmentAPIKey(ctx context.Context, bulker bulk.Bulk, index string, policyID string, active bool) (rec model.EnrollmentAPIKey, err error) {
+	rec = createRandomEnrollmentAPIKey(policyID, active)
 
 	body, err := json.Marshal(rec)
 	if err != nil {
@@ -58,7 +58,7 @@ func TestSearchEnrollmentAPIKeyByID(t *testing.T) {
 
 	index, bulker := ftesting.SetupCleanIndex(ctx, t, FleetEnrollmentAPIKeys)
 
-	rec, err := storeRandomEnrollmentAPIKey(ctx, bulker, index, uuid.Must(uuid.NewV4()).String())
+	rec, err := storeRandomEnrollmentAPIKey(ctx, bulker, index, uuid.Must(uuid.NewV4()).String(), true)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -91,15 +91,15 @@ func TestSearchEnrollmentAPIKeyByPolicyID(t *testing.T) {
 	index, bulker := ftesting.SetupCleanIndex(ctx, t, FleetEnrollmentAPIKeys)
 
 	policyID := uuid.Must(uuid.NewV4()).String()
-	rec1, err := storeRandomEnrollmentAPIKey(ctx, bulker, index, policyID)
+	rec1, err := storeRandomEnrollmentAPIKey(ctx, bulker, index, policyID, true)
 	if err != nil {
 		t.Fatal(err)
 	}
-	rec2, err := storeRandomEnrollmentAPIKey(ctx, bulker, index, policyID)
+	rec2, err := storeRandomEnrollmentAPIKey(ctx, bulker, index, policyID, true)
 	if err != nil {
 		t.Fatal(err)
 	}
-	_, err = storeRandomEnrollmentAPIKey(ctx, bulker, index, uuid.Must(uuid.NewV4()).String())
+	_, err = storeRandomEnrollmentAPIKey(ctx, bulker, index, uuid.Must(uuid.NewV4()).String(), true)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -114,3 +114,32 @@ func TestSearchEnrollmentAPIKeyByPolicyID(t *testing.T) {
 		t.Fatal(diff)
 	}
 }
+
+func TestSearchEnrollmentAPIKeyByPolicyIDWithInactiveIDs(t *testing.T) {
+	ctx, cn := context.WithCancel(context.Background())
+	defer cn()
+
+	index, bulker := ftesting.SetupCleanIndex(ctx, t, FleetEnrollmentAPIKeys)
+
+	policyID := uuid.Must(uuid.NewV4()).String()
+	rec, err := storeRandomEnrollmentAPIKey(ctx, bulker, index, policyID, true)
+	if err != nil {
+		t.Fatalf("unable to store enrollment key: %v", err)
+	}
+	for i := 0; i < 10; i++ {
+		_, err = storeRandomEnrollmentAPIKey(ctx, bulker, index, uuid.Must(uuid.NewV4()).String(), false)
+		if err != nil {
+			t.Fatalf("unable to store enrollment key: %v", err)
+		}
+	}
+
+	foundRecs, err := findEnrollmentAPIKeys(ctx, bulker, index, QueryEnrollmentAPIKeyByPolicyID, FieldPolicyID, policyID)
+	if err != nil {
+		t.Fatalf("unable to find enrollment key: %v", err)
+	}
+
+	diff := cmp.Diff([]model.EnrollmentAPIKey{rec}, foundRecs)
+	if diff != "" {
+		t.Fatalf("expected content does not match: %v", diff)
+	}
+}

internal/pkg/policy/self.go

@@ -228,7 +228,6 @@ func (m *selfMonitorT) updateStatus(ctx context.Context) (proto.StateObserved_St
 		if err != nil {
 			return proto.StateObserved_FAILED, err
 		}
-		tokens = filterActiveTokens(tokens)
 		if len(tokens) == 0 {
 			// no tokens created for the policy, still starting
 			if m.policyID == "" {
@@ -271,13 +270,3 @@ func (d *policyData) HasType(val string) bool {
 func findEnrollmentAPIKeys(ctx context.Context, bulker bulk.Bulk, policyID string) ([]model.EnrollmentAPIKey, error) {
 	return dl.FindEnrollmentAPIKeys(ctx, bulker, dl.QueryEnrollmentAPIKeyByPolicyID, dl.FieldPolicyID, policyID)
 }
-
-func filterActiveTokens(tokens []model.EnrollmentAPIKey) []model.EnrollmentAPIKey {
-	active := make([]model.EnrollmentAPIKey, 0, len(tokens))
-	for _, t := range tokens {
-		if t.Active {
-			active = append(active, t)
-		}
-	}
-	return active
-}

internal/pkg/policy/self_test.go

@@ -262,21 +262,6 @@ func TestSelfMonitor_DefaultPolicy_Degraded(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	// add inactive token that should be filtered out
-	inactiveToken := model.EnrollmentAPIKey{
-		ESDocument: model.ESDocument{
-			Id: xid.New().String(),
-		},
-		Active:   false,
-		APIKey:   "d2JndlFIWUJJUVVxWDVia2NJTV86X0d6ZmljZGNTc1d4R1otbklrZFFRZw==",
-		APIKeyID: xid.New().String(),
-		Name:     "Inactive",
-		PolicyID: policyID,
-	}
-	tokenLock.Lock()
-	tokenResult = append(tokenResult, inactiveToken)
-	tokenLock.Unlock()
-
 	go func() {
 		chHitT <- []es.HitT{{
 			ID:      rId,
@@ -578,21 +563,6 @@ func TestSelfMonitor_SpecificPolicy_Degraded(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	// add inactive token that should be filtered out
-	inactiveToken := model.EnrollmentAPIKey{
-		ESDocument: model.ESDocument{
-			Id: xid.New().String(),
-		},
-		Active:   false,
-		APIKey:   "d2JndlFIWUJJUVVxWDVia2NJTV86X0d6ZmljZGNTc1d4R1otbklrZFFRZw==",
-		APIKeyID: xid.New().String(),
-		Name:     "Inactive",
-		PolicyID: policyID,
-	}
-	tokenLock.Lock()
-	tokenResult = append(tokenResult, inactiveToken)
-	tokenLock.Unlock()
-
 	go func() {
 		chHitT <- []es.HitT{{
 			ID:      rId,