Skip to content

[Cloud Security] [Fleet] Add var_group components and validation #249449

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
seanrathier merged 15 commits into from
Jan 28, 2026
Merged

[Cloud Security] [Fleet] Add var_group components and validation #249449

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
499551e
var-group: initial working draft
seanrathier Jan 16, 2026
54c1788
var-group: validation
seanrathier Jan 16, 2026
1ee6121
var-group: validation
seanrathier Jan 19, 2026
1744017
var-group: manual code review
seanrathier Jan 19, 2026
1399c3c
Changes from yarn openapi:bundle
kibanamachine Jan 19, 2026
4bfe31d
Changes from make api-docs
kibanamachine Jan 20, 2026
031b6da
var-groups: code review
seanrathier Jan 20, 2026
73cae65
fix tests
seanrathier Jan 20, 2026
8053f17
removed console log
seanrathier Jan 20, 2026
38566af
var-group: update flakey tests
seanrathier Jan 22, 2026
99a4ebd
var_group: clean up
seanrathier Jan 23, 2026
c537143
fix types
seanrathier Jan 26, 2026
08ca7f5
var-group: revert test changes
seanrathier Jan 27, 2026
cea37cb
Merge branch 'main' of github.com:elastic/kibana into var_groups
seanrathier Jan 27, 2026
ec524b7
Merge branch 'main' into var_groups
seanrathier Jan 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
104,994 changes: 0 additions & 104,994 deletions oas_docs/bundle.json
View file
Open in desktop

This file was deleted.

104,065 changes: 0 additions & 104,065 deletions oas_docs/bundle.serverless.json
View file
Open in desktop

This file was deleted.

405 changes: 405 additions & 0 deletions oas_docs/output/kibana.serverless.yaml
View file
Open in desktop

Large diffs are not rendered by default.

405 changes: 405 additions & 0 deletions oas_docs/output/kibana.yaml
View file
Open in desktop

Large diffs are not rendered by default.

2 changes: 2 additions & 0 deletions x-pack/platform/plugins/shared/fleet/common/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -197,6 +197,8 @@ export type {
PackageSpecConditions,
PackageSpecIcon,
PackageSpecScreenshot,
RegistryVarGroup,
RegistryVarGroupOption,
RegistryPolicyTemplate,
RegistrySearchResult,
RegistryInput,
Expand Down
1 change: 1 addition & 0 deletions .../shared/fleet/common/services/__snapshots__/simplified_package_policy_helper.test.ts.snap
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

37 changes: 37 additions & 0 deletions ...ck/platform/plugins/shared/fleet/common/services/simplified_package_policy_helper.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import nginxPackageInfo from '../../server/services/package_policies/fixtures/pa

import {
simplifiedPackagePolicytoNewPackagePolicy,
packagePolicyToSimplifiedPackagePolicy,
generateInputId,
} from './simplified_package_policy_helper';

Expand Down Expand Up @@ -176,5 +177,41 @@ describe('toPackagePolicy', () => {

expect(res.additional_datastreams_permissions).toEqual(['logs-test-123']);
});

it('should preserve var_group_selections when creating package policy', () => {
const varGroupSelections = { auth_method: 'api_key' };
const res = simplifiedPackagePolicytoNewPackagePolicy(
{
name: 'nginx-1',
namespace: 'default',
policy_id: 'policy123',
policy_ids: ['policy123'],
description: 'Test description',
var_group_selections: varGroupSelections,
},
nginxPackageInfo as unknown as PackageInfo
);

expect(res.var_group_selections).toEqual(varGroupSelections);
});

it('should include var_group_selections when converting back to simplified policy', () => {
const varGroupSelections = { auth_method: 'api_key' };
const packagePolicy = simplifiedPackagePolicytoNewPackagePolicy(
{
name: 'nginx-1',
namespace: 'default',
policy_id: 'policy123',
policy_ids: ['policy123'],
description: 'Test description',
var_group_selections: varGroupSelections,
},
nginxPackageInfo as unknown as PackageInfo
);

const simplified = packagePolicyToSimplifiedPackagePolicy(packagePolicy as any);

expect((simplified as any).var_group_selections).toEqual(varGroupSelections);
});
});
});
6 changes: 6 additions & 0 deletions x-pack/platform/plugins/shared/fleet/common/services/simplified_package_policy_helper.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,7 @@ export interface SimplifiedPackagePolicy {
name: string;
description?: string;
vars?: SimplifiedVars;
var_group_selections?: Record<string, string>;
inputs?: SimplifiedInputs;
supports_agentless?: boolean | null;
supports_cloud_connector?: boolean | null;
Expand All @@ -84,6 +85,9 @@ export function packagePolicyToSimplifiedPackagePolicy(packagePolicy: PackagePol
if (packagePolicy.vars) {
formattedPackagePolicy.vars = formatVars(packagePolicy.vars);
}
if (packagePolicy.var_group_selections) {
(formattedPackagePolicy as any).var_group_selections = packagePolicy.var_group_selections;
}

return formattedPackagePolicy;
}
Expand Down Expand Up @@ -184,6 +188,7 @@ export function simplifiedPackagePolicytoNewPackagePolicy(
description,
inputs = {},
vars: packageLevelVars,
var_group_selections: varGroupSelections,
supports_agentless: supportsAgentless,
supports_cloud_connector: supportsCloudConnector,
cloud_connector_id: cloudConnectorId,
Expand All @@ -202,6 +207,7 @@ export function simplifiedPackagePolicytoNewPackagePolicy(
supports_cloud_connector: supportsCloudConnector,
cloud_connector_id: cloudConnectorId,
output_id: outputId,
var_group_selections: varGroupSelections,
};

if (additionalDatastreamsPermissions) {
Expand Down
224 changes: 224 additions & 0 deletions x-pack/platform/plugins/shared/fleet/common/services/validate_package_policy.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2213,3 +2213,227 @@ describe('Fleet - parseDuration()', () => {
expect(result.errors[0]).toContain('Invalid duration format');
});
});

describe('Fleet - validatePackagePolicy with var_groups', () => {
const packageInfoWithVarGroups: PackageInfo = {
name: 'test_package',
version: '1.0.0',
title: 'Test Package',
description: 'Test package with var_groups',
type: 'integration',
format_version: '3.0.0',
owner: { github: 'elastic/integrations', type: 'elastic' },
categories: ['custom'],
status: installationStatuses.NotInstalled,
assets: { kibana: {} },
data_streams: [],
policy_templates: [],
vars: [
{ name: 'api_key', type: 'password', title: 'API Key' },
{ name: 'api_url', type: 'text', title: 'API URL' },
{ name: 'client_id', type: 'text', title: 'Client ID' },
{ name: 'client_secret', type: 'password', title: 'Client Secret' },
{ name: 'proxy_url', type: 'text', title: 'Proxy URL' },
],
var_groups: [
{
name: 'auth_method',
title: 'Authentication',
selector_title: 'Select method',
required: true,
options: [
{
name: 'api_key',
title: 'API Key',
vars: ['api_key', 'api_url'],
},
{
name: 'oauth',
title: 'OAuth',
vars: ['client_id', 'client_secret'],
},
],
},
],
} as unknown as PackageInfo;

const basePackagePolicy: NewPackagePolicy = {
name: 'test-policy',
namespace: 'default',
description: '',
policy_ids: ['policy-1'],
enabled: true,
inputs: [],
vars: {
api_key: { type: 'password', value: '' },
api_url: { type: 'text', value: '' },
client_id: { type: 'text', value: '' },
client_secret: { type: 'password', value: '' },
proxy_url: { type: 'text', value: '' },
},
var_group_selections: { auth_method: 'api_key' },
};

it('should validate vars in selected var_group option as required when var_group.required is true', () => {
const policyWithUndefinedApiKey = {
...basePackagePolicy,
vars: {
...basePackagePolicy.vars,
api_key: { type: 'password', value: undefined }, // Undefined - should be invalid
api_url: { type: 'text', value: undefined }, // Undefined - should be invalid
},
var_group_selections: { auth_method: 'api_key' },
};

const result = validatePackagePolicy(policyWithUndefinedApiKey, packageInfoWithVarGroups, load);

// api_key and api_url should have validation errors because they're required by var_group
expect(result.vars?.api_key).toEqual([expect.stringContaining('is required')]);
expect(result.vars?.api_url).toEqual([expect.stringContaining('is required')]);
});

it('should allow empty strings for var_group required vars (same as regular required vars)', () => {
const policyWithEmptyApiKey = {
...basePackagePolicy,
vars: {
...basePackagePolicy.vars,
api_key: { type: 'password', value: '' }, // Empty string is allowed
api_url: { type: 'text', value: '' }, // Empty string is allowed
},
var_group_selections: { auth_method: 'api_key' },
};

const result = validatePackagePolicy(policyWithEmptyApiKey, packageInfoWithVarGroups, load);

// Empty strings are allowed for var_group required vars (same as regular required vars)
expect(result.vars?.api_key).toBeNull();
expect(result.vars?.api_url).toBeNull();
});

it('should not validate vars outside selected var_group option', () => {
const policyWithApiKeySelected = {
...basePackagePolicy,
vars: {
...basePackagePolicy.vars,
api_key: { type: 'password', value: 'my-api-key' },
api_url: { type: 'text', value: 'https://api.example.com' },
client_id: { type: 'text', value: '' }, // Empty but not in selected option
client_secret: { type: 'password', value: '' }, // Empty but not in selected option
},
var_group_selections: { auth_method: 'api_key' },
};

const result = validatePackagePolicy(policyWithApiKeySelected, packageInfoWithVarGroups, load);

// api_key and api_url have values, should be valid (null)
expect(result.vars?.api_key).toBeNull();
expect(result.vars?.api_url).toBeNull();
// client_id and client_secret are not in selected option, should be skipped (null)
expect(result.vars?.client_id).toBeNull();
expect(result.vars?.client_secret).toBeNull();
});

it('should validate oauth vars when oauth option is selected', () => {
const policyWithOAuthSelected = {
...basePackagePolicy,
vars: {
...basePackagePolicy.vars,
api_key: { type: 'password', value: '' }, // Not in selected option
api_url: { type: 'text', value: '' }, // Not in selected option
client_id: { type: 'text', value: undefined }, // In selected option - should be required
client_secret: { type: 'password', value: undefined }, // In selected option - should be required
},
var_group_selections: { auth_method: 'oauth' },
};

const result = validatePackagePolicy(policyWithOAuthSelected, packageInfoWithVarGroups, load);

// api_key and api_url are not in selected option, should be skipped
expect(result.vars?.api_key).toBeNull();
expect(result.vars?.api_url).toBeNull();
// client_id and client_secret are in selected option and undefined, should be invalid
expect(result.vars?.client_id).toEqual([expect.stringContaining('is required')]);
expect(result.vars?.client_secret).toEqual([expect.stringContaining('is required')]);
});

it('should always validate vars not controlled by any var_group', () => {
const packageInfoWithRequiredNonGroupVar: PackageInfo = {
...packageInfoWithVarGroups,
vars: [
...packageInfoWithVarGroups.vars!,
{ name: 'required_var', type: 'text', title: 'Required Var', required: true },
],
} as unknown as PackageInfo;

// Test with undefined value - should fail required validation
const policyWithMissingRequiredVar = {
...basePackagePolicy,
vars: {
...basePackagePolicy.vars,
api_key: { type: 'password', value: 'my-key' },
api_url: { type: 'text', value: 'https://api.example.com' },
required_var: { type: 'text', value: undefined }, // Required by varDef, value is undefined
},
var_group_selections: { auth_method: 'api_key' },
};

const result = validatePackagePolicy(
policyWithMissingRequiredVar,
packageInfoWithRequiredNonGroupVar,
load
);

// required_var is not controlled by var_group but has required: true and undefined value
expect(result.vars?.required_var).toEqual([expect.stringContaining('is required')]);
});

it('should allow empty strings for regular required vars (not required by var_group)', () => {
const packageInfoWithRequiredNonGroupVar: PackageInfo = {
...packageInfoWithVarGroups,
vars: [
...packageInfoWithVarGroups.vars!,
{ name: 'required_var', type: 'text', title: 'Required Var', required: true },
],
} as unknown as PackageInfo;

// Note: Empty strings are allowed for regular required vars in Fleet
// Only undefined values trigger required validation error
const policyWithEmptyRequiredVar = {
...basePackagePolicy,
vars: {
...basePackagePolicy.vars,
api_key: { type: 'password', value: 'my-key' },
api_url: { type: 'text', value: 'https://api.example.com' },
required_var: { type: 'text', value: '' }, // Required by varDef but empty string is OK
},
var_group_selections: { auth_method: 'api_key' },
};

const result = validatePackagePolicy(
policyWithEmptyRequiredVar,
packageInfoWithRequiredNonGroupVar,
load
);

// Empty strings are allowed for regular required vars
expect(result.vars?.required_var).toBeNull();
});

it('should pass validation when all required var_group vars have values', () => {
const validPolicy = {
...basePackagePolicy,
vars: {
...basePackagePolicy.vars,
api_key: { type: 'password', value: 'my-api-key' },
api_url: { type: 'text', value: 'https://api.example.com' },
},
var_group_selections: { auth_method: 'api_key' },
};

const result = validatePackagePolicy(validPolicy, packageInfoWithVarGroups, load);

expect(result.vars?.api_key).toBeNull();
expect(result.vars?.api_url).toBeNull();
expect(validationHasErrors(result)).toBe(false);
});
});
Loading
Loading