diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc
index 6d52b5ad55d..367c8059a37 100644
--- a/x-pack/elastic-agent/CHANGELOG.next.asciidoc
+++ b/x-pack/elastic-agent/CHANGELOG.next.asciidoc
@@ -82,6 +82,7 @@
 - Fix issue with install directory in state path in K8s {pull}27396[27396]
 - Disable monitoring during fleet-server bootstrapping. {pull}27222[27222]
 - Change output.elasticsearch.proxy_disabled flag to output.elasticsearch.proxy_disable so fleet uses it. {issue}27670[27670] {pull}27671[27671]
+- Add validation for certificate flags to ensure they are absolute paths. {pull}27779[27779]
 ==== New features
diff --git a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go
index f5c5acdbe84..20407ac1af1 100644
--- a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go
+++ b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go
@@ -9,6 +9,7 @@ import (
 "fmt"
 "os"
 "os/signal"
+ "path/filepath"
 "strconv"
 "strings"
 "syscall"
@@ -71,6 +72,26 @@ func addEnrollFlags(cmd *cobra.Command) {
 cmd.Flags().BoolP("delay-enroll", "", false, "Delays enrollment to occur on first start of the Elastic Agent service")
 }
+func validateEnrollFlags(cmd *cobra.Command) error {
+ ca, _ := cmd.Flags().GetString("certificate-authorities")
+ if ca != "" && !filepath.IsAbs(ca) {
+ return errors.New("--certificate-authorities must be provided as an absolute path", errors.M("path", ca), errors.TypeConfig)
+ }
+ esCa, _ := cmd.Flags().GetString("fleet-server-es-ca")
+ if esCa != "" && !filepath.IsAbs(esCa) {
+ return errors.New("--fleet-server-es-ca must be provided as an absolute path", errors.M("path", esCa), errors.TypeConfig)
+ }
+ fCert, _ := cmd.Flags().GetString("fleet-server-cert")
+ if fCert != "" && !filepath.IsAbs(fCert) {
+ return errors.New("--fleet-server-cert must be provided as an absolute path", errors.M("path", fCert), errors.TypeConfig)
+ }
+ fCertKey, _ := cmd.Flags().GetString("fleet-server-cert-key")
+ if fCertKey != "" && !filepath.IsAbs(fCertKey) {
+ return errors.New("--fleet-server-cert-key must be provided as an absolute path", errors.M("path", fCertKey), errors.TypeConfig)
+ }
+ return nil
+}
+
 func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string {
 if url == "" {
 url, _ = cmd.Flags().GetString("url")
@@ -184,6 +205,11 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string
 }
 func enroll(streams *cli.IOStreams, cmd *cobra.Command, args []string) error {
+ err := validateEnrollFlags(cmd)
+ if err != nil {
+ return err
+ }
+
 fromInstall, _ := cmd.Flags().GetBool("from-install")
 pathConfigFile := paths.ConfigFile()
diff --git a/x-pack/elastic-agent/pkg/agent/cmd/install.go b/x-pack/elastic-agent/pkg/agent/cmd/install.go
index 42a1540a3c9..3796b64915e 100644
--- a/x-pack/elastic-agent/pkg/agent/cmd/install.go
+++ b/x-pack/elastic-agent/pkg/agent/cmd/install.go
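Review bot: In `validateEnrollFlags`, `filepath.IsAbs` is applied to the whole value of `--certificate-authorities`, so if that flag accepts a comma-separated list (the plural name suggests it; the flag definition is outside this hunk) a constructed value such as `/etc/ca.pem,certs/extra.pem` passes and the second entry is still resolved against whatever working directory the agent later runs in. The four `GetString` errors are also discarded, so a flag that is not registered on the calling command yields an empty string and the check is skipped silently. Iterating over the flag names, returning the lookup error and checking each list entry closes both gaps and replaces the four copies of the same block; confirm which of these flags really take lists before splitting.

```go
func validateEnrollFlags(cmd *cobra.Command) error {
	for _, name := range []string{
		"certificate-authorities",
		"fleet-server-es-ca",
		"fleet-server-cert",
		"fleet-server-cert-key",
	} {
		val, err := cmd.Flags().GetString(name)
		if err != nil {
			// Surface an unregistered or mistyped flag instead of skipping the check.
			return err
		}
		entries := []string{val}
		if name == "certificate-authorities" {
			// Assumed to be a comma-separated list; confirm against the flag definition.
			entries = strings.Split(val, ",")
		}
		for _, p := range entries {
			p = strings.TrimSpace(p)
			if p != "" && !filepath.IsAbs(p) {
				return errors.New(fmt.Sprintf("--%s must be provided as an absolute path", name), errors.M("path", p), errors.TypeConfig)
			}
		}
	}
	return nil
}
```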
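Review bot: The new `err` at the top of `enroll` is declared at function scope only to carry the validation result; `if err := validateEnrollFlags(cmd); err != nil { return err }` keeps it scoped to the check instead of leaving a reusable `err` visible to the rest of the function, whose body continues outside the hunk. The same applies to the identical block added to `installCmd` in install.go, where the following `isAdmin, err := install.HasRoot()` would then declare `err` itself rather than quietly reuse the earlier one.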
@@ -42,6 +42,11 @@ would like the Agent to operate.
 }
 func installCmd(streams *cli.IOStreams, cmd *cobra.Command, args []string) error {
+ err := validateEnrollFlags(cmd)
+ if err != nil {
+ return err
+ }
+
 isAdmin, err := install.HasRoot()
 if err != nil {
 return fmt.Errorf("unable to perform install command while checking for administrator rights, %v", err)