elastic · blakerouse · Jan 23, 2024 · Nov 30, 2023 · Nov 30, 2023 · Nov 30, 2023
@@ -445,7 +445,7 @@ func TestToComponents(t *testing.T) {
 					OutputType: "elasticsearch",
 					ID:         "endpoint-default",
 					InputSpec:  &InputRuntimeSpec{},
-					Err:        NewErrInputRuntimeCheckFail("No support for RHEL7 on arm64"),
+					Err:        NewErrInputRuntimeCheckFail("Elastic Defend doesn't support RHEL7 on arm64"),
 					Units: []Unit{
 						{
 							ID:       "endpoint-default",

@@ -57,13 +57,25 @@ type InstallOpts struct {
 	Insecure       bool   // --insecure
 	NonInteractive bool   // --non-interactive
 	ProxyURL       string // --proxy-url
-	Unprivileged   bool   // --unprivileged
 	DelayEnroll    bool   // --delay-enroll
 
+	// Unprivileged by default installs the Elastic Agent as `--unprivileged` unless
+	// the platform being tested doesn't currently support it, or it's explicitly set
+	// to false.
+	Unprivileged *bool // --unprivileged
+
 	EnrollOpts
 }
 
-func (i InstallOpts) toCmdArgs() []string {
+func (i InstallOpts) IsUnprivileged(operatingSystem string) bool {
+	if i.Unprivileged == nil {
+		// not explicitly set, default to true on Linux only (until other platforms support it)
+		return operatingSystem == "linux"
+	}
+	return *i.Unprivileged
+}
+
+func (i InstallOpts) toCmdArgs(operatingSystem string) ([]string, error) {
 	var args []string
 	if i.BasePath != "" {
 		args = append(args, "--base-path", i.BasePath)
@@ -80,16 +92,26 @@ func (i InstallOpts) toCmdArgs() []string {
 	if i.ProxyURL != "" {
 		args = append(args, "--proxy-url="+i.ProxyURL)
 	}
-	if i.Unprivileged {
-		args = append(args, "--unprivileged")
-	}
 	if i.DelayEnroll {
 		args = append(args, "--delay-enroll")
 	}
 
+	unprivileged := i.IsUnprivileged(operatingSystem)
+	if unprivileged {
+		if operatingSystem != "linux" {
+			return nil, fmt.Errorf("--unprivileged cannot be set to true unless testing is being done on Linux")
+		}
+		args = append(args, "--unprivileged")
+	}
+
 	args = append(args, i.EnrollOpts.toCmdArgs()...)
 
-	return args
+	return args, nil
+}
+
+// NewBool returns a boolean pointer.
+func NewBool(value bool) *bool {
+	return &value
 }
 
 // Install installs the prepared Elastic Agent binary and registers a t.Cleanup
@@ -102,9 +124,15 @@ func (i InstallOpts) toCmdArgs() []string {
 func (f *Fixture) Install(ctx context.Context, installOpts *InstallOpts, opts ...process.CmdOption) ([]byte, error) {
 	f.t.Logf("[test %s] Inside fixture install function", f.t.Name())
 	installArgs := []string{"install"}
-	if installOpts != nil {
-		installArgs = append(installArgs, installOpts.toCmdArgs()...)
+	if installOpts == nil {
+		// default options when not provided
+		installOpts = &InstallOpts{}
+	}
+	installOptsArgs, err := installOpts.toCmdArgs(f.operatingSystem)
+	if err != nil {
+		return nil, err
 	}
+	installArgs = append(installArgs, installOptsArgs...)
 	out, err := f.Exec(ctx, installArgs, opts...)
 	if err != nil {
 		return out, fmt.Errorf("error running agent install command: %w", err)
@@ -125,7 +153,7 @@ func (f *Fixture) Install(ctx context.Context, installOpts *InstallOpts, opts ..
 		// Windows uses a fixed named pipe, that is always the same.
 		// It is the same even running in unprivileged mode.
 		socketPath = paths.WindowsControlSocketInstalledPath
-	} else if installOpts.Unprivileged {
+	} else if installOpts.IsUnprivileged(f.operatingSystem) {
 		// Unprivileged versions move the socket to inside the installed directory
 		// of the Elastic Agent.
 		socketPath = paths.ControlSocketFromPath(runtime.GOOS, f.workDir)

@@ -139,12 +139,3 @@ func InstallAgentForPolicy(ctx context.Context, t *testing.T,
 
 	return nil
 }
-
-// InstallStandaloneAgent force install the Elastic Agent through agentFixture.
-func InstallStandaloneAgent(ctx context.Context, agentFixture *atesting.Fixture) ([]byte, error) {
-	installOpts := atesting.InstallOpts{
-		NonInteractive: true,
-		Force:          true,
-	}
-	return agentFixture.Install(ctx, &installOpts)
-}
@@ -15,9 +15,9 @@ inputs:
     runtime:
       preventions:
         - condition: ${runtime.arch} == 'arm64' and ${runtime.family} == 'redhat' and ${runtime.major} == '7'
-          message: "No support for RHEL7 on arm64"
+          message: "Elastic Defend doesn't support RHEL7 on arm64"
         - condition: ${user.root} == false
-          message: "Elastic Agent must be running as root"
+          message: "Elastic Defend requires Elastic Agent be running as root"
         - condition: ${install.in_default} == false
           message: "Elastic Defend requires Elastic Agent be installed at the default installation path"
     service: &service
@@ -56,6 +56,8 @@ inputs:
     proxied_actions: *proxied_actions
     runtime:
       preventions:
+        - condition: ${user.root} == false
+          message: "Elastic Defend requires Elastic Agent be running as root"
         - condition: ${install.in_default} == false
           message: "Elastic Defend requires Elastic Agent be installed at the default installation path"
     service:
@@ -72,7 +74,7 @@ inputs:
     runtime:
       preventions:
         - condition: ${user.root} == false
-          message: "Elastic Agent must be running as Administrator or SYSTEM"
+          message: "Elastic Defend requires Elastic Agent be running as Administrator or SYSTEM"
         - condition: ${install.in_default} == false
           message: "Elastic Defend requires Elastic Agent be installed at the default installation path"
     service:

@@ -14,6 +14,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"testing"
 	"text/template"
@@ -184,6 +185,7 @@ func testInstallAndCLIUninstallWithEndpointSecurity(t *testing.T, info *define.I
 	installOpts := atesting.InstallOpts{
 		NonInteractive: true,
 		Force:          true,
+		Unprivileged:   atesting.NewBool(false),
 	}
 
 	policy, err := tools.InstallAgentWithPolicy(ctx, t,
@@ -242,6 +244,7 @@ func testInstallAndUnenrollWithEndpointSecurity(t *testing.T, info *define.Info,
 	installOpts := atesting.InstallOpts{
 		NonInteractive: true,
 		Force:          true,
+		Unprivileged:   atesting.NewBool(false),
 	}
 
 	ctx, cn := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
@@ -354,6 +357,7 @@ func testInstallWithEndpointSecurityAndRemoveEndpointIntegration(t *testing.T, i
 	installOpts := atesting.InstallOpts{
 		NonInteractive: true,
 		Force:          true,
+		Unprivileged:   atesting.NewBool(false),
 	}
 
 	ctx, cn := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
@@ -521,6 +525,7 @@ func TestEndpointSecurityNonDefaultBasePath(t *testing.T) {
 	installOpts := atesting.InstallOpts{
 		NonInteractive: true,
 		Force:          true,
+		Unprivileged:   atesting.NewBool(false),
 		BasePath:       filepath.Join(paths.DefaultBasePath, "not_default"),
 	}
 	policyResp, err := tools.InstallAgentWithPolicy(ctx, t, installOpts, fixture, info.KibanaClient, createPolicyReq)
@@ -561,6 +566,86 @@ func TestEndpointSecurityNonDefaultBasePath(t *testing.T) {
 	}, 2*time.Minute, 10*time.Second, "Agent never became DEGRADED with default install message")
 }
 
+// Tests that install of Elastic Defend fails if Agent is installed unprivileged.
+func TestEndpointSecurityUnprivileged(t *testing.T) {
+	info := define.Require(t, define.Requirements{
+		Group: Fleet,
+		Stack: &define.Stack{},
+		Local: false, // requires Agent installation
+		Sudo:  true,  // requires Agent installation
+
+		// Only supports Linux at the moment.
+		OS: []define.OS{
+			{
+				Type: define.Linux,
+			},
+		},
+	})
+
+	ctx, cn := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
+	defer cn()
+
+	// Get path to agent executable.
+	fixture, err := define.NewFixture(t, define.Version())
+	require.NoError(t, err)
+
+	t.Log("Enrolling the agent in Fleet")
+	policyUUID := uuid.New().String()
+	createPolicyReq := kibana.AgentPolicy{
+		Name:        "test-policy-" + policyUUID,
+		Namespace:   "default",
+		Description: "Test policy " + policyUUID,
+		MonitoringEnabled: []kibana.MonitoringEnabledOption{
+			kibana.MonitoringEnabledLogs,
+			kibana.MonitoringEnabledMetrics,
+		},
+	}
+	installOpts := atesting.InstallOpts{
+		NonInteractive: true,
+		Force:          true,
+		Unprivileged:   atesting.NewBool(true), // ensure always unprivileged
+	}
+	policyResp, err := tools.InstallAgentWithPolicy(ctx, t, installOpts, fixture, info.KibanaClient, createPolicyReq)
+	require.NoErrorf(t, err, "Policy Response was: %v", policyResp)
+
+	t.Log("Installing Elastic Defend")
+	pkgPolicyResp, err := installElasticDefendPackage(t, info, policyResp.ID)
+	require.NoErrorf(t, err, "Policy Response was: %v", pkgPolicyResp)
+
+	ctx, cancel := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
+	defer cancel()
+
+	c := fixture.Client()
+
+	errMsg := "Elastic Defend requires Elastic Agent be running as root"
+	if runtime.GOOS == define.Windows {
+		errMsg = "Elastic Defend requires Elastic Agent be running as Administrator or SYSTEM"
+	}
+	require.Eventually(t, func() bool {
+		err := c.Connect(ctx)
+		if err != nil {
+			t.Logf("connecting client to agent: %v", err)
+			return false
+		}
+		defer c.Disconnect()
+		state, err := c.State(ctx)
+		if err != nil {
+			t.Logf("error getting the agent state: %v", err)
+			return false
+		}
+		t.Logf("agent state: %+v", state)
+		if state.State != cproto.State_DEGRADED {
+			return false
+		}
+		for _, c := range state.Components {
+			if strings.Contains(c.Message, errMsg) {
+				return true
+			}
+		}
+		return false
+	}, 2*time.Minute, 10*time.Second, "Agent never became DEGRADED with root/Administrator install message")
+}
+
 func agentAndEndpointAreHealthy(t *testing.T, ctx context.Context, agentClient client.Client) bool {
 	t.Helper()
 

@@ -15,9 +15,16 @@ const (
 	// Fleet group of tests. Used for testing Elastic Agent with Fleet.
 	Fleet = "fleet"
 
+	// FleetPrivileged group of tests. Used for testing Elastic Agent with Fleet installed privileged.
+	FleetPrivileged = "fleet-privileged"
+
 	// FleetAirgapped group of tests. Used for testing Elastic Agent with Fleet and airgapped.
 	FleetAirgapped = "fleet-airgapped"
 
+	// FleetAirgappedPrivileged group of tests. Used for testing Elastic Agent with Fleet installed
+	// privileged and airgapped.
+	FleetAirgappedPrivileged = "fleet-airgapped-privileged"
+
 	// FQDN group of tests. Used for testing Elastic Agent with FQDN enabled.
 	FQDN = "fqdn"