test integrations with basic installation

elastic · Mar 7, 2025 · 887363d · 887363d
1 parent d7225b2
commit 887363d
Show file tree

Hide file tree

Showing 7 changed files with 1,926 additions and 25 deletions.
diff --git a/testing/integration/auditd_monitoring_test.go b/testing/integration/auditd_monitoring_test.go
@@ -0,0 +1,120 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+//go:build integration
+
+package integration
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+	"time"
+
+	"github.com/gofrs/uuid/v5"
+	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/suite"
+
+	"github.com/elastic/elastic-agent-libs/kibana"
+	"github.com/elastic/elastic-agent-libs/testing/estools"
+	atesting "github.com/elastic/elastic-agent/pkg/testing"
+	"github.com/elastic/elastic-agent/pkg/testing/define"
+	"github.com/elastic/elastic-agent/pkg/testing/tools"
+)
+
+type AuditDRunner struct {
+	suite.Suite
+	info         *define.Info
+	agentFixture *atesting.Fixture
+
+	ESHost string
+}
+
+func TestAuditdCorrectBinaries(t *testing.T) {
+	info := define.Require(t, define.Requirements{
+		Group: Fleet,
+		Stack: &define.Stack{},
+		Local: false, // requires Agent installation
+		Sudo:  true,  // requires Agent installation
+		OS: []define.OS{
+			{Type: define.Linux},
+		},
+	})
+
+	suite.Run(t, &AuditDRunner{info: info})
+}
+
+func (runner *AuditDRunner) SetupSuite() {
+	fixture, err := define.NewFixtureFromLocalBuild(runner.T(), define.Version())
+	require.NoError(runner.T(), err)
+	runner.agentFixture = fixture
+
+	policyUUID := uuid.Must(uuid.NewV4()).String()
+	basePolicy := kibana.AgentPolicy{
+		Name:        "test-policy-" + policyUUID,
+		Namespace:   "default",
+		Description: "Test policy " + policyUUID,
+		MonitoringEnabled: []kibana.MonitoringEnabledOption{
+			kibana.MonitoringEnabledLogs,
+			kibana.MonitoringEnabledMetrics,
+		},
+	}
+
+	installOpts := atesting.InstallOpts{
+		NonInteractive: true,
+		Force:          true,
+		Privileged:     true,
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Minute)
+	defer cancel()
+
+	policyResp, err := tools.InstallAgentWithPolicy(ctx, runner.T(), installOpts, runner.agentFixture, runner.info.KibanaClient, basePolicy)
+	require.NoError(runner.T(), err)
+
+	_, err = tools.InstallPackageFromDefaultFile(ctx, runner.info.KibanaClient, "auditd_manager", "1.18.3", "auditd_package.json", uuid.Must(uuid.NewV4()).String(), policyResp.ID)
+	require.NoError(runner.T(), err)
+
+}
+
+func (runner *AuditDRunner) TestBeatsMetrics() {
+	t := runner.T()
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute*20)
+	defer cancel()
+
+	agentStatus, err := runner.agentFixture.ExecStatus(ctx)
+	require.NoError(t, err, "could not to get agent status")
+
+	now := time.Now()
+	var query map[string]any
+	defer func() {
+		if t.Failed() {
+			bs, err := json.Marshal(query)
+			if err != nil {
+				// nothing we can do, just log the map
+				t.Errorf("executed at %s: %v",
+					now.Format(time.RFC3339Nano), query)
+				return
+			}
+			t.Errorf("executed at %s: query: %s",
+				now.Format(time.RFC3339Nano), string(bs))
+		}
+	}()
+
+	t.Logf("starting to ES for metrics at %s", now.Format(time.RFC3339Nano))
+	require.Eventually(t, func() bool {
+		query = genESQuery(agentStatus.Info.ID,
+			[][]string{
+				{"exists", "field", "auditd.summary.actor.primary"},
+			})
+		now = time.Now()
+		res, err := estools.PerformQueryForRawQuery(ctx, query, "logs-auditd_manager.auditd*", runner.info.ESClient)
+		require.NoError(t, err)
+		if res.Hits.Total.Value < 1 {
+			return false
+		}
+		return true
+	}, time.Minute*10, time.Second*10, "could not fetch events for auditd_manager")
+}
diff --git a/testing/integration/auditd_package.json b/testing/integration/auditd_package.json
@@ -0,0 +1,107 @@
+{
+    "id": "9bf446fc-58d4-4767-b42d-3450815d5d3d",
+    "version": "WzYzMSwxXQ==",
+    "name": "auditd_manager-2",
+    "namespace": "default",
+    "package": {
+        "name": "auditd_manager",
+        "version": "1.18.3"
+    },
+    "enabled": true,
+    "policy_id": "0a4f6c12-446a-401a-b0eb-96afea6ca92d",
+    "inputs": [
+        {
+          "type": "audit/auditd",
+          "policy_template": "auditd",
+          "enabled": true,
+          "streams": [
+            {
+              "enabled": true,
+              "data_stream": {
+                "type": "logs",
+                "dataset": "auditd_manager.auditd"
+              },
+              "vars": {
+                "socket_type": {
+                  "value": "",
+                  "type": "select"
+                },
+                "session_data": {
+                  "value": false,
+                  "type": "bool"
+                },
+                "immutable": {
+                  "value": false,
+                  "type": "bool"
+                },
+                "resolve_ids": {
+                  "value": true,
+                  "type": "bool"
+                },
+                "failure_mode": {
+                  "value": "silent",
+                  "type": "text"
+                },
+                "audit_rules": {
+                  "type": "textarea"
+                },
+                "audit_rule_files": {
+                  "value": [],
+                  "type": "text"
+                },
+                "preserve_original_event": {
+                  "value": false,
+                  "type": "bool"
+                },
+                "backlog_limit": {
+                  "value": 8192,
+                  "type": "text"
+                },
+                "rate_limit": {
+                  "value": 0,
+                  "type": "text"
+                },
+                "include_warnings": {
+                  "value": false,
+                  "type": "bool"
+                },
+                "backpressure_strategy": {
+                  "value": "auto",
+                  "type": "text"
+                },
+                "tags": {
+                  "value": [
+                    "auditd_manager-auditd"
+                  ],
+                  "type": "text"
+                },
+                "processors": {
+                  "type": "yaml"
+                },
+                "session_data_processors": {
+                  "value": "  - add_session_metadata:\n     backend: \"auto\"",
+                  "type": "yaml"
+                }
+              },
+              "id": "audit/auditd-auditd_manager.auditd-346b3488-8f0b-4557-84f4-638e3d968af9",
+              "compiled_stream": {
+                "condition": "${host.platform} == 'linux'",
+                "type": "audit/auditd",
+                "include_raw_message": true,
+                "socket_type": "",
+                "immutable": false,
+                "resolve_ids": true,
+                "failure_mode": "silent",
+                "backlog_limit": 8192,
+                "rate_limit": 0,
+                "include_warnings": false,
+                "backpressure_strategy": "auto",
+                "tags": [
+                  "auditd_manager-auditd"
+                ]
+              }
+            }
+          ]
+        }
+      ]
+}
diff --git a/testing/integration/metrics_monitoring_test.go b/testing/integration/metrics_monitoring_test.go
@@ -118,7 +118,12 @@ func (runner *MetricsRunner) TestBeatsMetrics() {
 	t.Logf("starting to ES for metrics at %s", now.Format(time.RFC3339Nano))
 	require.Eventually(t, func() bool {
 		for _, cid := range componentIds {
-			query = genESQuery(agentStatus.Info.ID, cid)
+			query = genESQuery(agentStatus.Info.ID,
+				[][]string{
+					{"match", "component.id", cid},
+					{"exists", "field", "system.process.cpu.total.value"},
+					{"exists", "field", "system.process.memory.size"},
+				})
 			now = time.Now()
 			res, err := estools.PerformQueryForRawQuery(ctx, query, "metrics-elastic_agent*", runner.info.ESClient)
 			require.NoError(t, err)
@@ -131,34 +136,30 @@ func (runner *MetricsRunner) TestBeatsMetrics() {
 	}, time.Minute*10, time.Second*10, "could not fetch metrics for all known components in default install: %v", componentIds)
 }
 
-func genESQuery(agentID string, componentID string) map[string]interface{} {
+func genESQuery(agentID string, requiredFields [][]string) map[string]interface{} {
+	fieldsQ := make([]map[string]interface{}, 0, 2+len(requiredFields))
+	fieldsQ = append(fieldsQ, map[string]interface{}{
+		"match": map[string]interface{}{
+			"agent.id": agentID,
+		},
+	})
+	for _, f := range requiredFields {
+		if len(f) != 3 {
+			continue
+		}
+		fieldsQ = append(fieldsQ,
+			map[string]interface{}{
+				f[0]: map[string]interface{}{
+					f[1]: f[2],
+				},
+			})
+	}
+
 	// see https://github.com/elastic/kibana/blob/main/x-pack/plugins/fleet/server/services/agents/agent_metrics.ts
 	queryRaw := map[string]interface{}{
 		"query": map[string]interface{}{
 			"bool": map[string]interface{}{
-				"must": []map[string]interface{}{
-					{
-						"match": map[string]interface{}{
-							"agent.id": agentID,
-						},
-					},
-					{
-						"match": map[string]interface{}{
-							"component.id": componentID,
-						},
-					},
-					// make sure we fetch documents that have the metric field used by fleet monitoring
-					{
-						"exists": map[string]interface{}{
-							"field": "system.process.cpu.total.value",
-						},
-					},
-					{
-						"exists": map[string]interface{}{
-							"field": "system.process.memory.size",
-						},
-					},
-				},
+				"must": fieldsQ,
 			},
 		},
 	}