From e336deb2166b9845f0315c9cad1881507929546b Mon Sep 17 00:00:00 2001 From: Nicolas Chaulet Date: Wed, 7 Apr 2021 13:26:15 -0400 Subject: [PATCH 1/3] [Fleet] Create enrollment API keys as current user --- .../routes/enrollment_api_key/handler.ts | 3 +- .../server/services/agent_policy_update.ts | 2 +- .../services/api_keys/enrollment_api_key.ts | 47 ++++++++++--------- 3 files changed, 28 insertions(+), 24 deletions(-) diff --git a/x-pack/plugins/fleet/server/routes/enrollment_api_key/handler.ts b/x-pack/plugins/fleet/server/routes/enrollment_api_key/handler.ts index c85dc06c382864..0959a9a88704af 100644 --- a/x-pack/plugins/fleet/server/routes/enrollment_api_key/handler.ts +++ b/x-pack/plugins/fleet/server/routes/enrollment_api_key/handler.ts @@ -67,10 +67,9 @@ export const postEnrollmentApiKeyHandler: RequestHandler< export const deleteEnrollmentApiKeyHandler: RequestHandler< TypeOf > = async (context, request, response) => { - const soClient = context.core.savedObjects.client; const esClient = context.core.elasticsearch.client.asCurrentUser; try { - await APIKeyService.deleteEnrollmentApiKey(soClient, esClient, request.params.keyId); + await APIKeyService.deleteEnrollmentApiKey(esClient, request.params.keyId); const body: DeleteEnrollmentAPIKeyResponse = { action: 'deleted' }; diff --git a/x-pack/plugins/fleet/server/services/agent_policy_update.ts b/x-pack/plugins/fleet/server/services/agent_policy_update.ts index dc566b2c435a68..3f5f717c94597e 100644 --- a/x-pack/plugins/fleet/server/services/agent_policy_update.ts +++ b/x-pack/plugins/fleet/server/services/agent_policy_update.ts @@ -56,6 +56,6 @@ export async function agentPolicyUpdateEventHandler( if (action === 'deleted') { await unenrollForAgentPolicyId(soClient, esClient, agentPolicyId); - await deleteEnrollmentApiKeyForAgentPolicyId(soClient, esClient, agentPolicyId); + await deleteEnrollmentApiKeyForAgentPolicyId(esClient, agentPolicyId); } } 
diff --git a/x-pack/plugins/fleet/server/services/api_keys/enrollment_api_key.ts b/x-pack/plugins/fleet/server/services/api_keys/enrollment_api_key.ts index 643caa8d3bb6f8..61bf050dc7d91a 100644 --- a/x-pack/plugins/fleet/server/services/api_keys/enrollment_api_key.ts +++ b/x-pack/plugins/fleet/server/services/api_keys/enrollment_api_key.ts @@ -17,7 +17,7 @@ import { ENROLLMENT_API_KEYS_INDEX } from '../../constants'; import { agentPolicyService } from '../agent_policy'; import { escapeSearchQueryPhrase } from '../saved_object'; -import { createAPIKey, invalidateAPIKeys } from './security'; +import { invalidateAPIKeys } from './security'; const uuidRegex = /^\([0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}\)$/; @@ -76,14 +76,9 @@ export async function getEnrollmentAPIKey( /** * Invalidate an api key and mark it as inactive - * @param soClient * @param id */ -export async function deleteEnrollmentApiKey( - soClient: SavedObjectsClientContract, - esClient: ElasticsearchClient, - id: string -) { +export async function deleteEnrollmentApiKey(esClient: ElasticsearchClient, id: string) { const enrollmentApiKey = await getEnrollmentAPIKey(esClient, id); await invalidateAPIKeys([enrollmentApiKey.api_key_id]); @@ -101,7 +96,6 @@ export async function deleteEnrollmentApiKey( } export async function deleteEnrollmentApiKeyForAgentPolicyId( - soClient: SavedObjectsClientContract, esClient: ElasticsearchClient, agentPolicyId: string ) { @@ -119,7 +113,7 @@ export async function deleteEnrollmentApiKeyForAgentPolicyId( } for (const apiKey of items) { - await deleteEnrollmentApiKey(soClient, esClient, apiKey.id); + await deleteEnrollmentApiKey(esClient, apiKey.id); } } } 
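Review bot: The TSDoc above `deleteEnrollmentApiKey` now lists only `@param id` after the `@param soClient` line was dropped, so the remaining `esClient` parameter is undocumented; add `@param esClient Elasticsearch client used to look up the enrollment key` next to it. The invalidation itself still goes through `invalidateAPIKeys([enrollmentApiKey.api_key_id])` imported from `./security` rather than through the `esClient` passed in, so the "as current user" change in this series appears to cover the lookup but not the invalidate call; if that split is intentional, a one-line comment naming which identity performs the invalidation would stop the next reader from assuming it is the requesting user. The same parameter removal is repeated in the `deleteEnrollmentApiKeyForAgentPolicyId` hunk and its loop-body hunk below. The body of `deleteEnrollmentApiKey` continues past the end of this hunk.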
@@ -181,19 +175,30 @@ export async function generateEnrollmentAPIKey( } const name = providedKeyName ? `${providedKeyName} (${id})` : id; - const key = await createAPIKey(soClient, name, { - // Useless role to avoid to have the privilege of the user that created the key - 'fleet-apikey-enroll': { - cluster: [], - applications: [ - { - application: '.fleet', - privileges: ['no-privileges'], - resources: ['*'], + + const { body: key } = await esClient.security + .createApiKey({ + body: { + name, + role_descriptors: { + // Useless role to avoid to have the privilege of the user that created the key + 'fleet-apikey-enroll': { + cluster: [], + index: [], + applications: [ + { + application: '.fleet', + privileges: ['no-privileges'], + resources: ['*'], + }, + ], + }, }, - ], - }, - }); + }, + }) + .catch((err) => { + throw new Error(`Impossible to create an api key: ${err.message}`); + }); if (!key) { throw new Error( From b4e388260ea22d7a590521766d5b0e16c97bbd88 Mon Sep 17 00:00:00 2001 From: Nicolas Chaulet Date: Wed, 7 Apr 2021 21:13:00 -0400 Subject: [PATCH 2/3] Fix tests --- .../apis/enrollment_api_keys/crud.ts | 27 ------------------- 1 file changed, 27 deletions(-) diff --git a/x-pack/test/fleet_api_integration/apis/enrollment_api_keys/crud.ts b/x-pack/test/fleet_api_integration/apis/enrollment_api_keys/crud.ts index 2569d9aef4b5b3..071f06a3c495bc 100644 --- a/x-pack/test/fleet_api_integration/apis/enrollment_api_keys/crud.ts +++ b/x-pack/test/fleet_api_integration/apis/enrollment_api_keys/crud.ts 
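Review bot: In the new `.catch((err) => …)` on the `createApiKey` call, `err` is implicitly `any`, so `err.message` compiles without a check and produces `undefined` in the message if a non-Error rejection arrives; narrow it first: `.catch((err: unknown) => {` / `const message = err instanceof Error ? err.message : String(err);` / `throw new Error(\`Impossible to create an api key: ${message}\`);`. The rethrow also discards the original error object, so callers no longer see the Elasticsearch status or reason; consider keeping it reachable where the handler reports the failure. Since the commit creates the key through `esClient` as the current user, the key is owned by the requesting Kibana user and Elasticsearch bounds it to the intersection of that user's privileges and the `fleet-apikey-enroll` descriptor; the existing "Useless role" comment could say this directly, e.g. `// ES grants the key the intersection of the owner's privileges and this descriptor, so the descriptor alone caps it.`. `generateEnrollmentAPIKey` begins before and ends after this hunk.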
@@ -162,33 +162,6 @@ export default function (providerContext: FtrProviderContext) { }, }); }); - - describe('It should handle error when the Fleet user is invalid', () => { - before(async () => {}); - after(async () => { - await getService('supertest') - .post(`/api/fleet/agents/setup`) - .set('kbn-xsrf', 'xxx') - .send({ forceRecreate: true }); - }); - - it('should not allow to create an enrollment api key if the Fleet admin user is invalid', async () => { - await es.security.changePassword({ - username: 'fleet_enroll', - body: { - password: Buffer.from((Math.random() * 10000000).toString()).toString('base64'), - }, - }); - const res = await supertest - .post(`/api/fleet/enrollment-api-keys`) - .set('kbn-xsrf', 'xxx') - .send({ - policy_id: 'policy1', - }) - .expect(400); - expect(res.body.message).match(/Fleet Admin user is invalid/); - }); - }); }); }); } From 9833563d2ea3d907f4908e71bfdec0a298a4e9f9 Mon Sep 17 00:00:00 2001 From: Nicolas Chaulet Date: Thu, 8 Apr 2021 08:40:27 -0400 Subject: [PATCH 3/3] Add metatada to the enrollment api key --- .../services/api_keys/enrollment_api_key.ts | 7 ++++++ .../apis/enrollment_api_keys/crud.ts | 22 +++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/x-pack/plugins/fleet/server/services/api_keys/enrollment_api_key.ts b/x-pack/plugins/fleet/server/services/api_keys/enrollment_api_key.ts index b432399553dfbf..b8a24a006a6749 100644 --- a/x-pack/plugins/fleet/server/services/api_keys/enrollment_api_key.ts +++ b/x-pack/plugins/fleet/server/services/api_keys/enrollment_api_key.ts @@ -181,6 +181,13 @@ export async function generateEnrollmentAPIKey( .createApiKey({ body: { name, + // @ts-expect-error Metadata in api keys + metadata: { + managed_by: 'fleet', + managed: true, + type: 'enroll', + policy_id: data.agentPolicyId, + }, role_descriptors: { // Useless role to avoid to have the privilege of the user that created the key 'fleet-apikey-enroll': { 
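Review bot: The new `metadata` block in `generateEnrollmentAPIKey` records `managed_by`, `managed`, `type` and `policy_id` on the key, but nothing states its purpose, and API key metadata is supplied by whoever creates the key and is not verified by Elasticsearch, so it must not later be read as proof that a key was issued by Fleet or used as an authorization input. Add a comment above it such as `// Informational only: metadata is set by the creator and not verified by ES; never use it for authorization decisions.`. The `@ts-expect-error` directive is the right choice because the build will fail once the client types gain `metadata`, but its text should say so: `// @ts-expect-error metadata not yet in the client type; remove once it is`. `generateEnrollmentAPIKey` begins and ends outside this hunk.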
diff --git a/x-pack/test/fleet_api_integration/apis/enrollment_api_keys/crud.ts b/x-pack/test/fleet_api_integration/apis/enrollment_api_keys/crud.ts index 071f06a3c495bc..d9946bb174f5da 100644 --- a/x-pack/test/fleet_api_integration/apis/enrollment_api_keys/crud.ts +++ b/x-pack/test/fleet_api_integration/apis/enrollment_api_keys/crud.ts @@ -115,6 +115,28 @@ export default function (providerContext: FtrProviderContext) { expect(apiResponse.item).to.have.keys('id', 'api_key', 'api_key_id', 'name', 'policy_id'); }); + it('should create an ES ApiKey with metadata', async () => { + const { body: apiResponse } = await supertest + .post(`/api/fleet/enrollment-api-keys`) + .set('kbn-xsrf', 'xxx') + .send({ + policy_id: 'policy1', + }) + .expect(200); + + const { body: apiKeyRes } = await es.security.getApiKey({ + id: apiResponse.item.api_key_id, + }); + + // @ts-expect-error Metadata not yet in the client type + expect(apiKeyRes.api_keys[0].metadata).eql({ + policy_id: 'policy1', + managed_by: 'fleet', + managed: true, + type: 'enroll', + }); + }); + it('should create an ES ApiKey with limited privileges', async () => { const { body: apiResponse } = await supertest .post(`/api/fleet/enrollment-api-keys`)
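Review bot: The new test pins the metadata but not the ownership change patch 1 of this series introduced, and patch 2 removed the only test that exercised the old `fleet_enroll` path, so nothing now asserts who the created key belongs to. The `es.security.getApiKey` response already in hand carries the owner, so add `expect(apiKeyRes.api_keys[0].username).to.be(TEST_USER_PLACEHOLDER);` (placeholder — substitute the user the supertest client authenticates as) beside the metadata check, so a regression back to a shared service account is caught. The `eql` deep-equality on `metadata` is order-insensitive, so the differing key order between the request and this assertion is fine.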