elastic · criamico · Aug 19, 2024 · Aug 1, 2024 · Aug 5, 2024 · Aug 5, 2024
diff --git a/...pplications/fleet/sections/agent_policy/components/agent_policy_advanced_fields/index.tsx b/...pplications/fleet/sections/agent_policy/components/agent_policy_advanced_fields/index.tsx
@@ -22,7 +22,6 @@ import {
   EuiText,
   EuiFlexGroup,
   EuiFlexItem,
-  EuiBetaBadge,
   EuiBadge,
   EuiSwitch,
 } from '@elastic/eui';
@@ -732,29 +731,14 @@ export const AgentPolicyAdvancedOptionsContent: React.FunctionComponent<Props> =
           <h3>
             <FormattedMessage
               id="xpack.fleet.agentPolicyForm.unenrollmentTimeoutLabel"
-              defaultMessage="Unenrollment timeout"
+              defaultMessage="Inactive agent unenrollment timeout"
             />
-            &nbsp;
-            <EuiToolTip
-              content={i18n.translate('xpack.fleet.agentPolicyForm.unenrollmentTimeoutTooltip', {
-                defaultMessage:
-                  'This setting is deprecated and will be removed in a future release. Consider using inactivity timeout instead',
-              })}
-            >
-              <EuiBetaBadge
-                label={i18n.translate(
-                  'xpack.fleet.agentPolicyForm.unenrollmentTimeoutDeprecatedLabel',
-                  { defaultMessage: 'Deprecated' }
-                )}
-                size="s"
-              />
-            </EuiToolTip>
           </h3>
         }
         description={
           <FormattedMessage
             id="xpack.fleet.agentPolicyForm.unenrollmentTimeoutDescription"
-            defaultMessage="An optional timeout in seconds. If provided, and fleet server is below version 8.7.0, an agent will automatically unenroll after being gone for this period of time."
+            defaultMessage="An optional timeout in seconds. If configured, inactive agents will be automatically unenrolled and their API keys will be invalidated after they've been inactive for this value in seconds. This can be useful for policies containing ephemeral agents, such as those in a Docker or Kubernetes environment."
           />
         }
       >

diff --git a/x-pack/plugins/fleet/server/mocks/index.ts b/x-pack/plugins/fleet/server/mocks/index.ts
@@ -108,6 +108,7 @@ export const createAppContextStartContractMock = (
           },
         }
       : {}),
+    unenrollInactiveAgentsTask: {} as any,
   };
 };
 

diff --git a/x-pack/plugins/fleet/server/plugin.ts b/x-pack/plugins/fleet/server/plugin.ts
@@ -118,6 +118,7 @@ import type { PackagePolicyService } from './services/package_policy_service';
 import { PackagePolicyServiceImpl } from './services/package_policy';
 import { registerFleetUsageLogger, startFleetUsageLogger } from './services/fleet_usage_logger';
 import { CheckDeletedFilesTask } from './tasks/check_deleted_files_task';
+import { UnenrollInactiveAgentsTask } from './tasks/unenroll_inactive_agents_task';
 import {
   UninstallTokenService,
   type UninstallTokenServiceInterface,
@@ -177,6 +178,7 @@ export interface FleetAppContext {
   messageSigningService: MessageSigningServiceInterface;
   auditLogger?: AuditLogger;
   uninstallTokenService: UninstallTokenServiceInterface;
+  unenrollInactiveAgentsTask: UnenrollInactiveAgentsTask;
 }
 
 export type FleetSetupContract = void;
@@ -264,6 +266,7 @@ export class FleetPlugin
   private fleetUsageSender?: FleetUsageSender;
   private checkDeletedFilesTask?: CheckDeletedFilesTask;
   private fleetMetricsTask?: FleetMetricsTask;
+  private unenrollInactiveAgentsTask?: UnenrollInactiveAgentsTask;
 
   private agentService?: AgentService;
   private packageService?: PackageService;
@@ -594,6 +597,11 @@ export class FleetPlugin
       taskManager: deps.taskManager,
       logFactory: this.initializerContext.logger,
     });
+    this.unenrollInactiveAgentsTask = new UnenrollInactiveAgentsTask({
+      core,
+      taskManager: deps.taskManager,
+      logFactory: this.initializerContext.logger,
+    });
 
     // Register fields metadata extractor
     registerIntegrationFieldsExtractor({ core, fieldsMetadata: deps.fieldsMetadata });
@@ -638,12 +646,14 @@ export class FleetPlugin
       bulkActionsResolver: this.bulkActionsResolver!,
       messageSigningService,
       uninstallTokenService,
+      unenrollInactiveAgentsTask: this.unenrollInactiveAgentsTask!,
     });
     licenseService.start(plugins.licensing.license$);
     this.telemetryEventsSender.start(plugins.telemetry, core).catch(() => {});
     this.bulkActionsResolver?.start(plugins.taskManager).catch(() => {});
     this.fleetUsageSender?.start(plugins.taskManager).catch(() => {});
     this.checkDeletedFilesTask?.start({ taskManager: plugins.taskManager }).catch(() => {});
+    this.unenrollInactiveAgentsTask?.start({ taskManager: plugins.taskManager }).catch(() => {});
     startFleetUsageLogger(plugins.taskManager).catch(() => {});
     this.fleetMetricsTask
       ?.start(plugins.taskManager, core.elasticsearch.client.asInternalUser)

diff --git a/x-pack/plugins/fleet/server/services/agent_policy.ts b/x-pack/plugins/fleet/server/services/agent_policy.ts
@@ -1143,10 +1143,6 @@ class AgentPolicyService {
         default_fleet_server: policy.is_default_fleet_server === true,
       };
 
-      if (policy.unenroll_timeout) {
-        fleetServerPolicy.unenroll_timeout = policy.unenroll_timeout;
-      }
-
       acc.push(fleetServerPolicy);
       return acc;
     }, [] as FleetServerPolicy[]);

diff --git a/x-pack/plugins/fleet/server/tasks/unenroll_inactive_agents_task.test.ts b/x-pack/plugins/fleet/server/tasks/unenroll_inactive_agents_task.test.ts
@@ -0,0 +1,175 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { coreMock } from '@kbn/core/server/mocks';
+import { taskManagerMock } from '@kbn/task-manager-plugin/server/mocks';
+import type { TaskManagerSetupContract } from '@kbn/task-manager-plugin/server';
+import { TaskStatus } from '@kbn/task-manager-plugin/server';
+import { getDeleteTaskRunResult } from '@kbn/task-manager-plugin/server/task';
+import type { CoreSetup, SavedObjectsClientContract } from '@kbn/core/server';
+import { loggingSystemMock } from '@kbn/core/server/mocks';
+
+import { agentPolicyService } from '../services';
+import { createAgentPolicyMock } from '../../common/mocks';
+import { createAppContextStartContractMock } from '../mocks';
+import { getAgentsByKuery } from '../services/agents';
+
+import { appContextService } from '../services';
+
+import { unenrollBatch } from '../services/agents/unenroll_action_runner';
+
+import type { AgentPolicy } from '../types';
+
+import { UnenrollInactiveAgentsTask, TYPE, VERSION } from './unenroll_inactive_agents_task';
+
+jest.mock('../services');
+jest.mock('../services/agents');
+jest.mock('../services/agents/unenroll_action_runner');
+
+const MOCK_TASK_INSTANCE = {
+  id: `${TYPE}:${VERSION}`,
+  runAt: new Date(),
+  attempts: 0,
+  ownerId: '',
+  status: TaskStatus.Running,
+  startedAt: new Date(),
+  scheduledAt: new Date(),
+  retryAt: new Date(),
+  params: {},
+  state: {},
+  taskType: TYPE,
+};
+
+const mockAgentPolicyService = agentPolicyService as jest.Mocked<typeof agentPolicyService>;
+const mockedGetAgentsByKuery = getAgentsByKuery as jest.MockedFunction<typeof getAgentsByKuery>;
+
+describe('UnenrollInactiveAgentsTask', () => {
+  const { createSetup: coreSetupMock } = coreMock;
+  const { createSetup: tmSetupMock, createStart: tmStartMock } = taskManagerMock;
+
+  let mockContract: ReturnType<typeof createAppContextStartContractMock>;
+  let mockTask: UnenrollInactiveAgentsTask;
+  let mockCore: CoreSetup;
+  let mockTaskManagerSetup: jest.Mocked<TaskManagerSetupContract>;
+  const mockedUnenrollBatch = jest.mocked(unenrollBatch);
+
+  const agents = [
+    {
+      id: 'agent-1',
+      policy_id: 'agent-policy-2',
+      status: 'inactive',
+    },
+    {
+      id: 'agent-2',
+      policy_id: 'agent-policy-1',
+      status: 'inactive',
+    },
+    {
+      id: 'agent-3',
+      policy_id: 'agent-policy-1',
+      status: 'active',
+    },
+  ];
+
+  const getMockAgentPolicyFetchAllAgentPolicies = (items: AgentPolicy[]) =>
+    jest.fn(async function* (soClient: SavedObjectsClientContract) {
+      yield items;
+    });
+
+  beforeEach(() => {
+    mockContract = createAppContextStartContractMock();
+    appContextService.start(mockContract);
+    mockCore = coreSetupMock();
+    mockTaskManagerSetup = tmSetupMock();
+    mockTask = new UnenrollInactiveAgentsTask({
+      core: mockCore,
+      taskManager: mockTaskManagerSetup,
+      logFactory: loggingSystemMock.create(),
+    });
+  });
+
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  describe('Task lifecycle', () => {
+    it('Should create task', () => {
+      expect(mockTask).toBeInstanceOf(UnenrollInactiveAgentsTask);
+    });
+
+    it('Should register task', () => {
+      expect(mockTaskManagerSetup.registerTaskDefinitions).toHaveBeenCalled();
+    });
+
+    it('Should schedule task', async () => {
+      const mockTaskManagerStart = tmStartMock();
+      await mockTask.start({ taskManager: mockTaskManagerStart });
+      expect(mockTaskManagerStart.ensureScheduled).toHaveBeenCalled();
+    });
+  });
+
+  describe('Task logic', () => {
+    const runTask = async (taskInstance = MOCK_TASK_INSTANCE) => {
+      const mockTaskManagerStart = tmStartMock();
+      await mockTask.start({ taskManager: mockTaskManagerStart });
+      const createTaskRunner =
+        mockTaskManagerSetup.registerTaskDefinitions.mock.calls[0][0][TYPE].createTaskRunner;
+      const taskRunner = createTaskRunner({ taskInstance });
+      return taskRunner.run();
+    };
+
+    beforeEach(() => {
+      mockAgentPolicyService.fetchAllAgentPolicies = getMockAgentPolicyFetchAllAgentPolicies([
+        createAgentPolicyMock({ unenroll_timeout: 3000 }),
+        createAgentPolicyMock({ id: 'agent-policy-2', unenroll_timeout: 1000 }),
+      ]);
+
+      mockedGetAgentsByKuery.mockResolvedValue({
+        agents,
+      } as any);
+    });
+
+    afterEach(() => {
+      jest.clearAllMocks();
+    });
+
+    it('Should unenroll eligible agents', async () => {
+      mockedUnenrollBatch.mockResolvedValueOnce({ actionId: 'actionid-01' });
+      await runTask();
+      expect(mockedUnenrollBatch).toHaveBeenCalledWith(
+        expect.anything(),
+        expect.anything(),
+        agents,
+        { force: true, revoke: true }
+      );
+    });
+
+    it('Should not run if task is outdated', async () => {
+      const result = await runTask({ ...MOCK_TASK_INSTANCE, id: 'old-id' });
+
+      expect(mockedUnenrollBatch).not.toHaveBeenCalled();
+      expect(result).toEqual(getDeleteTaskRunResult());
+    });
+
+    it('Should exit if there are no agents policies with unenroll_timeout set', async () => {
+      mockAgentPolicyService.list.mockResolvedValue({
+        items: [],
+        total: 0,
+        page: 1,
+        perPage: 1,
+      });
+      expect(mockedUnenrollBatch).not.toHaveBeenCalled();
+    });
+
+    it('Should exit if there are no eligible agents to unenroll', async () => {
+      mockedGetAgentsByKuery.mockResolvedValue({
+        agents: [],
+      } as any);
+      expect(mockedUnenrollBatch).not.toHaveBeenCalled();
+    });
+  });
+});
-Original file line number
+Diff line change
@@ Expand Up / @@ -108,6 +108,7 @@ export const createAppContextStartContractMock = ( @@
               },
             }
           : {}),
+        unenrollInactiveAgentsTask: {} as any,
       };
     };
@@ Expand Down @@