From 978ed29568644310db8f91fec7e1d69ec1d9f381 Mon Sep 17 00:00:00 2001 
From: Evgeniy Belyi Date: Wed, 3 Jun 2026 16:13:36 -0500 Subject: [PATCH 1/6] Support roles and permissions mapping --- code/go/pkg/validator/validator_test.go | 25 +++ spec/changelog.yml | 3 + .../integration/data_stream/manifest.spec.yml | 7 + spec/integration/manifest.spec.yml | 85 ++++++++ .../bad_provider_permissions/LICENSE.txt | 202 ++++++++++++++++++ .../bad_provider_permissions/changelog.yml | 6 + .../bad_provider_permissions/docs/README.md | 3 + .../bad_provider_permissions/manifest.yml | 31 +++ .../LICENSE.txt | 202 ++++++++++++++++++ .../changelog.yml | 6 + .../docs/README.md | 1 + .../manifest.yml | 32 +++ .../LICENSE.txt | 202 ++++++++++++++++++ .../changelog.yml | 6 + .../docs/README.md | 1 + .../manifest.yml | 30 +++ .../LICENSE.txt | 202 ++++++++++++++++++ .../changelog.yml | 6 + .../docs/README.md | 1 + .../manifest.yml | 31 +++ .../good_provider_permissions/LICENSE.txt | 202 ++++++++++++++++++ .../good_provider_permissions/changelog.yml | 6 + .../ec2_metrics/agent/stream/stream.yml.hbs | 1 + .../data_stream/ec2_metrics/fields/fields.yml | 12 ++ .../data_stream/ec2_metrics/manifest.yml | 13 ++ .../good_provider_permissions/docs/README.md | 3 + .../good_provider_permissions/manifest.yml | 80 +++++++ 27 files changed, 1399 insertions(+) create mode 100644 test/packages/bad_provider_permissions/LICENSE.txt create mode 100644 test/packages/bad_provider_permissions/changelog.yml create mode 100644 test/packages/bad_provider_permissions/docs/README.md create mode 100644 test/packages/bad_provider_permissions/manifest.yml create mode 100644 test/packages/bad_provider_permissions_extra_field/LICENSE.txt create mode 100644 test/packages/bad_provider_permissions_extra_field/changelog.yml create mode 100644 test/packages/bad_provider_permissions_extra_field/docs/README.md create mode 100644 test/packages/bad_provider_permissions_extra_field/manifest.yml create mode 100644 test/packages/bad_provider_permissions_missing_name/LICENSE.txt create mode 100644 
test/packages/bad_provider_permissions_missing_name/changelog.yml create mode 100644 test/packages/bad_provider_permissions_missing_name/docs/README.md create mode 100644 test/packages/bad_provider_permissions_missing_name/manifest.yml create mode 100644 test/packages/bad_provider_permissions_old_version/LICENSE.txt create mode 100644 test/packages/bad_provider_permissions_old_version/changelog.yml create mode 100644 test/packages/bad_provider_permissions_old_version/docs/README.md create mode 100644 test/packages/bad_provider_permissions_old_version/manifest.yml create mode 100644 test/packages/good_provider_permissions/LICENSE.txt create mode 100644 test/packages/good_provider_permissions/changelog.yml create mode 100644 test/packages/good_provider_permissions/data_stream/ec2_metrics/agent/stream/stream.yml.hbs create mode 100644 test/packages/good_provider_permissions/data_stream/ec2_metrics/fields/fields.yml create mode 100644 test/packages/good_provider_permissions/data_stream/ec2_metrics/manifest.yml create mode 100644 test/packages/good_provider_permissions/docs/README.md create mode 100644 test/packages/good_provider_permissions/manifest.yml
diff --git a/code/go/pkg/validator/validator_test.go b/code/go/pkg/validator/validator_test.go
index d8d1af80f..e5446c27c 100644
--- a/code/go/pkg/validator/validator_test.go
+++ b/code/go/pkg/validator/validator_test.go
@@ -66,6 +66,7 @@ func TestValidateFile(t *testing.T) {
 "logs_synthetic_mode": {},
 "kibana_configuration_links": {},
 "with_links": {},
+ "good_provider_permissions": {},
 "bad_duration_vars": {
 "manifest.yml",
 []string{
@@ -246,6 +247,30 @@ func TestValidateFile(t *testing.T) {
 "\"Dashboard with mixed by-value visualizations\" contains legacy visualization: \"Timelion time series\" (timelion, Timelion)",
 },
 },
+ "bad_provider_permissions": {
+ "manifest.yml",
+ []string{
+ `field provider_permissions.0: provider is required`,
+ },
+ },
+ "bad_provider_permissions_old_version": {
+ "manifest.yml",
+ []string{
+ `field (root): Additional property provider_permissions is not allowed`,
+ },
+ },
+ "bad_provider_permissions_missing_name": {
+ "manifest.yml",
+ []string{
+ `field provider_permissions.0.permissions.0: name is required`,
+ },
+ },
+ "bad_provider_permissions_extra_field": {
+ "manifest.yml",
+ []string{
+ `field provider_permissions.0.permissions.0: Additional property resources is not allowed`,
+ },
+ },
 "bad_deployment_mode": {
 "manifest.yml",
 []string{
diff --git a/spec/changelog.yml b/spec/changelog.yml
index 0f846785f..1b38f1726 100644
--- a/spec/changelog.yml
+++ b/spec/changelog.yml
@@ -8,6 +8,9 @@
 - description: Add support for semantic_text field definition.
 type: enhancement
 link: https://github.com/elastic/package-spec/pull/807
+ - description: Add provider_permissions field to package, policy_template, input, and data_stream levels for declaring provider-specific permissions.
+ type: enhancement
+ link: https://github.com/elastic/package-spec/pull/0000
 - version: 3.6.3
 changes:
 - description: Add optional `release` field to agentless deployment mode to explicitly declare its release stage.
diff --git a/spec/integration/data_stream/manifest.spec.yml b/spec/integration/data_stream/manifest.spec.yml
index 640ca5cf6..9e0e03825 100644
--- a/spec/integration/data_stream/manifest.spec.yml
+++ b/spec/integration/data_stream/manifest.spec.yml
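Review bot: The negative cases added to the `TestValidateFile` table cover only the package-level `provider_permissions` and its `permissions` items; no fixture shows a malformed `roles` entry being rejected, and the pre-3.7.0 rejection is asserted at `(root)` only, although the spec patches in this commit also remove the field from policy templates, inputs and data streams. These declarations describe cloud access that a user is asked to grant, so each `required` / `additionalProperties: false` boundary in the schema is worth pinning with a test. I would add a fixture with a role that lacks `name` (expected error presumably of the form `field provider_permissions.0.roles.0: name is required`, mirroring the permissions case) and one old-version fixture that sets the field under a policy template or data stream. The table's enclosing function begins and ends outside this hunk.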
@@ -706,10 +706,17 @@ spec:
 $ref: "../../integration/manifest.spec.yml#/definitions/categories"
 deprecated:
 $ref: "../../integration/manifest.spec.yml#/definitions/deprecated"
+ provider_permissions:
+ $ref: "../../integration/manifest.spec.yml#/definitions/provider_permissions"
 required:
 - title
 # JSON patches for newer versions should be placed on top
 versions:
+ - before: 3.7.0
+ patch:
+ # provider_permissions field for provider-specific permission declarations.
+ - op: remove
+ path: "/properties/provider_permissions"
 - before: 3.6.0
 patch:
 - op: add
diff --git a/spec/integration/manifest.spec.yml b/spec/integration/manifest.spec.yml
index 9578e3655..17858bc59 100644
--- a/spec/integration/manifest.spec.yml
+++ b/spec/integration/manifest.spec.yml
@@ -736,6 +736,74 @@ spec:
 type: string
 examples:
 - httpjson
+ provider_permissions:
+ description: >
+ Provider-specific permissions and managed-policy roles required by this unit.
+ type: array
+ items:
+ type: object
+ additionalProperties: false
+ required:
+ - provider
+ properties:
+ provider:
+ description: Provider name (e.g. "aws" for AWS, "gcp" for Google Cloud Platform, "azure" for Microsoft Azure, "okta" for Okta).
+ type: string
+ examples:
+ - aws
+ - gcp
+ - azure
+ - okta
+ description:
+ description: Human-readable description of why these permissions are needed.
+ type: string
+ roles:
+ description: >
+ Managed-policy roles to attach alongside inline permissions.
+ Rendered as ManagedPolicyArns on the IAM identity; Kibana deduplicates
+ roles that appear at multiple levels.
+ type: array
+ items:
+ type: object
+ additionalProperties: false
+ required:
+ - name
+ properties:
+ name:
+ description: Short name of the managed policy (e.g. SecurityAudit).
+ type: string
+ examples:
+ - SecurityAudit
+ id:
+ description: ARN of the managed policy.
+ type: string
+ examples:
+ - arn:aws:iam::aws:policy/SecurityAudit
+ description:
+ description: Human-readable description of this role.
+ type: string
+ permissions:
+ description: >
+ Individual IAM actions. Rendered as the Action list in a single
+ Effect: Allow, Resource: "*" statement. Kibana deduplicates actions
+ that appear at multiple levels.
+ type: array
+ items:
+ type: object
+ additionalProperties: false
+ required:
+ - name
+ properties:
+ name:
+ description: IAM action name (e.g. s3:GetObject, ec2:Describe*).
+ type: string
+ examples:
+ - s3:GetObject
+ - ec2:Describe*
+ - cloudwatch:GetMetricData
+ description:
+ description: Human-readable description of why this action is needed.
+ type: string
 properties:
 format_version:
 description: The version of the package specification format used by this package.
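Review bot: `permissions[].name` and `roles[].id` accept any string, so a manifest can declare `*` or `iam:*` and, per the description in this hunk, have it rendered into a single `Effect: Allow, Resource: "*"` statement; nothing in the schema keeps a package from asking for far more access than it needs. Add at least `minLength: 1` to both fields and consider a semantic validation rule that rejects a bare `*` action, since a `pattern` alone is hard to write while `provider` remains a free string. The `roles` and `permissions` descriptions are AWS-specific (`ManagedPolicyArns`, IAM actions) although `provider` lists gcp, azure and okta as examples, so either document how they apply to other providers or constrain `provider` with an `enum` for now. `id` is optional on a role, and the description should say what a consumer does with a role that carries only a short `name`.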
@@ -766,6 +834,8 @@ spec: $ref: "#/definitions/categories" conditions: $ref: "#/definitions/conditions" + provider_permissions: + $ref: "#/definitions/provider_permissions" # requires a conditional JSON schema to update the value depending # on the policy_templates length policy_templates_behavior: @@ -903,6 +973,8 @@ spec: type: string examples: - credential_type: [cloud_connectors] + provider_permissions: + $ref: "#/definitions/provider_permissions" required: - title - description @@ -923,6 +995,8 @@ spec: $ref: "#/definitions/sections" deprecated: $ref: "#/definitions/deprecated" + provider_permissions: + $ref: "#/definitions/provider_permissions" required: - name - title @@ -991,6 +1065,17 @@ spec: # JSON patches for newer versions should be placed on top versions: + - before: 3.7.0 + patch: + # provider_permissions field for provider-specific permission declarations. + - op: remove + path: "/definitions/provider_permissions" + - op: remove + path: "/properties/provider_permissions" + - op: remove + path: "/properties/policy_templates/items/properties/provider_permissions" + - op: remove + path: "/properties/policy_templates/items/properties/inputs/items/properties/provider_permissions" - before: 3.6.0 patch: # Input qualifier (named inputs). diff --git a/test/packages/bad_provider_permissions/LICENSE.txt b/test/packages/bad_provider_permissions/LICENSE.txt new file mode 100644 index 000000000..d64569567 --- /dev/null +++ b/test/packages/bad_provider_permissions/LICENSE.txt 
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/test/packages/bad_provider_permissions/changelog.yml b/test/packages/bad_provider_permissions/changelog.yml new file mode 100644 index 000000000..e00f88133 --- /dev/null +++ b/test/packages/bad_provider_permissions/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: "0.0.1" + changes: + - description: Initial draft of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/1 diff --git a/test/packages/bad_provider_permissions/docs/README.md b/test/packages/bad_provider_permissions/docs/README.md new file mode 100644 index 000000000..125b30aae --- /dev/null +++ b/test/packages/bad_provider_permissions/docs/README.md @@ -0,0 +1,3 @@ +# Bad Provider Permissions + +Test package for rejecting `provider_permissions` with missing required `provider` field. 
diff --git a/test/packages/bad_provider_permissions/manifest.yml b/test/packages/bad_provider_permissions/manifest.yml new file mode 100644 index 000000000..124fd456e --- /dev/null +++ b/test/packages/bad_provider_permissions/manifest.yml @@ -0,0 +1,31 @@ +format_version: 3.7.0 +name: bad_provider_permissions +title: Bad package with invalid provider permissions +description: Tests that provider_permissions with missing required fields is rejected. +version: 0.0.1 +type: integration +categories: + - aws +source: + license: "Apache-2.0" +conditions: + kibana: + version: '^8.0.0' + elastic: + subscription: basic +# Invalid: provider_permissions item is missing the required `provider` field. +provider_permissions: + - description: Missing the required provider field. + permissions: + - name: s3:GetObject +policy_templates: + - name: sample + title: Sample logs + description: Collect sample logs + inputs: + - type: logfile + title: Collect sample logs from instances + description: Collecting sample logs +owner: + github: elastic/foobar + type: elastic diff --git a/test/packages/bad_provider_permissions_extra_field/LICENSE.txt b/test/packages/bad_provider_permissions_extra_field/LICENSE.txt new file mode 100644 index 000000000..d64569567 --- /dev/null +++ b/test/packages/bad_provider_permissions_extra_field/LICENSE.txt 
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/test/packages/bad_provider_permissions_extra_field/changelog.yml b/test/packages/bad_provider_permissions_extra_field/changelog.yml new file mode 100644 index 000000000..bb0320a52 --- /dev/null +++ b/test/packages/bad_provider_permissions_extra_field/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: "0.0.1" + changes: + - description: Initial draft of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link diff --git a/test/packages/bad_provider_permissions_extra_field/docs/README.md b/test/packages/bad_provider_permissions_extra_field/docs/README.md new file mode 100644 index 000000000..76dfcf54f --- /dev/null +++ b/test/packages/bad_provider_permissions_extra_field/docs/README.md 
@@ -0,0 +1 @@
+# bad_provider_permissions_extra_field
diff --git a/test/packages/bad_provider_permissions_extra_field/manifest.yml b/test/packages/bad_provider_permissions_extra_field/manifest.yml
new file mode 100644
index 000000000..2824251dd
--- /dev/null
+++ b/test/packages/bad_provider_permissions_extra_field/manifest.yml
@@ -0,0 +1,32 @@
+format_version: 3.7.0
+name: bad_provider_permissions_extra_field
+title: Bad package with extra field in permissions item
+description: A permissions item contains resources which is a V2+ field not allowed in V1.
+version: 0.0.1
+type: integration
+categories:
+ - aws
+source:
+ license: "Apache-2.0"
+conditions:
+ kibana:
+ version: '^8.0.0'
+ elastic:
+ subscription: basic
+provider_permissions:
+ - provider: aws
+ permissions:
+ - name: s3:GetObject
+ resources:
+ - arn:aws:s3:::my-bucket/*
+policy_templates:
+ - name: sample
+ title: Sample logs
+ description: Collect sample logs
+ inputs:
+ - type: logfile
+ title: Collect sample logs from instances
+ description: Collecting sample logs
+owner:
+ github: elastic/foobar
+ type: elastic
diff --git a/test/packages/bad_provider_permissions_missing_name/LICENSE.txt b/test/packages/bad_provider_permissions_missing_name/LICENSE.txt
new file mode 100644
index 000000000..d64569567
--- /dev/null
+++ b/test/packages/bad_provider_permissions_missing_name/LICENSE.txt
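Review bot: In bad_provider_permissions_extra_field/manifest.yml nothing marks `resources` as the deliberately invalid key, whereas the old_version fixture carries an inline comment saying what should be rejected; the same is missing above the `description`-only item in bad_provider_permissions_missing_name/manifest.yml. I would add `# resources is not part of the v1 permissions item; the schema must reject it, not ignore it.` above `resources:`, and the equivalent comment in missing_name. The distinction matters for a permissions declaration: an unknown key that is silently dropped would leave a package author believing a grant is scoped to a resource when it is not. The spec and validator_test.go hunks that enforce this are outside this view, so whether the test asserts the specific schema error rather than any failure is to be confirmed.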
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/test/packages/bad_provider_permissions_missing_name/changelog.yml b/test/packages/bad_provider_permissions_missing_name/changelog.yml new file mode 100644 index 000000000..bb0320a52 --- /dev/null +++ b/test/packages/bad_provider_permissions_missing_name/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: "0.0.1" + changes: + - description: Initial draft of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link diff --git a/test/packages/bad_provider_permissions_missing_name/docs/README.md b/test/packages/bad_provider_permissions_missing_name/docs/README.md new file mode 100644 index 000000000..670bf44a8 --- /dev/null +++ b/test/packages/bad_provider_permissions_missing_name/docs/README.md 
@@ -0,0 +1 @@
+# bad_provider_permissions_missing_name
diff --git a/test/packages/bad_provider_permissions_missing_name/manifest.yml b/test/packages/bad_provider_permissions_missing_name/manifest.yml
new file mode 100644
index 000000000..9db537d01
--- /dev/null
+++ b/test/packages/bad_provider_permissions_missing_name/manifest.yml
@@ -0,0 +1,30 @@
+format_version: 3.7.0
+name: bad_provider_permissions_missing_name
+title: Bad package with permissions item missing name
+description: A permissions item is missing the required name field.
+version: 0.0.1
+type: integration
+categories:
+ - aws
+source:
+ license: "Apache-2.0"
+conditions:
+ kibana:
+ version: '^8.0.0'
+ elastic:
+ subscription: basic
+provider_permissions:
+ - provider: aws
+ permissions:
+ - description: Missing the required name field.
+policy_templates:
+ - name: sample
+ title: Sample logs
+ description: Collect sample logs
+ inputs:
+ - type: logfile
+ title: Collect sample logs from instances
+ description: Collecting sample logs
+owner:
+ github: elastic/foobar
+ type: elastic
diff --git a/test/packages/bad_provider_permissions_old_version/LICENSE.txt b/test/packages/bad_provider_permissions_old_version/LICENSE.txt
new file mode 100644
index 000000000..d64569567
--- /dev/null
+++ b/test/packages/bad_provider_permissions_old_version/LICENSE.txt
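Review bot: The bad_provider_permissions_missing_name fixture covers only an absent `name` key, so an empty value is left untested. An item written as `- name: ""` would still satisfy a plain `required` constraint unless the spec also sets a minimum length or a pattern on the field; the manifest.spec.yml hunk is not in this view, so that is to be confirmed. A sibling negative fixture with an empty name would pin the behaviour down, so that a permission entry carrying no action name cannot pass validation.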
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/test/packages/bad_provider_permissions_old_version/changelog.yml b/test/packages/bad_provider_permissions_old_version/changelog.yml new file mode 100644 index 000000000..bb0320a52 --- /dev/null +++ b/test/packages/bad_provider_permissions_old_version/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: "0.0.1" + changes: + - description: Initial draft of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link diff --git a/test/packages/bad_provider_permissions_old_version/docs/README.md b/test/packages/bad_provider_permissions_old_version/docs/README.md new file mode 100644 index 000000000..f1d5d4d6a --- /dev/null +++ b/test/packages/bad_provider_permissions_old_version/docs/README.md 
@@ -0,0 +1 @@
+# bad_provider_permissions_old_version
diff --git a/test/packages/bad_provider_permissions_old_version/manifest.yml b/test/packages/bad_provider_permissions_old_version/manifest.yml
new file mode 100644
index 000000000..230b47470
--- /dev/null
+++ b/test/packages/bad_provider_permissions_old_version/manifest.yml
@@ -0,0 +1,31 @@
+format_version: 3.6.0
+name: bad_provider_permissions_old_version
+title: Bad package using provider_permissions below spec 3.7.0
+description: provider_permissions is not available before format_version 3.7.0.
+version: 0.0.1
+type: integration
+categories:
+ - aws
+source:
+ license: "Apache-2.0"
+conditions:
+ kibana:
+ version: '^8.0.0'
+ elastic:
+ subscription: basic
+# provider_permissions was introduced in 3.7.0 — should be rejected here.
+provider_permissions:
+ - provider: aws
+ permissions:
+ - name: s3:GetObject
+policy_templates:
+ - name: sample
+ title: Sample logs
+ description: Collect sample logs
+ inputs:
+ - type: logfile
+ title: Collect sample logs from instances
+ description: Collecting sample logs
+owner:
+ github: elastic/foobar
+ type: elastic
diff --git a/test/packages/good_provider_permissions/LICENSE.txt b/test/packages/good_provider_permissions/LICENSE.txt
new file mode 100644
index 000000000..d64569567
--- /dev/null
+++ b/test/packages/good_provider_permissions/LICENSE.txt
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/test/packages/good_provider_permissions/changelog.yml b/test/packages/good_provider_permissions/changelog.yml new file mode 100644 index 000000000..e00f88133 --- /dev/null +++ b/test/packages/good_provider_permissions/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: "0.0.1" + changes: + - description: Initial draft of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/1 diff --git a/test/packages/good_provider_permissions/data_stream/ec2_metrics/agent/stream/stream.yml.hbs b/test/packages/good_provider_permissions/data_stream/ec2_metrics/agent/stream/stream.yml.hbs new file mode 100644 index 000000000..ad7430eeb --- /dev/null +++ b/test/packages/good_provider_permissions/data_stream/ec2_metrics/agent/stream/stream.yml.hbs 
@@ -0,0 +1 @@
+{{fields "stream"}}
diff --git a/test/packages/good_provider_permissions/data_stream/ec2_metrics/fields/fields.yml b/test/packages/good_provider_permissions/data_stream/ec2_metrics/fields/fields.yml
new file mode 100644
index 000000000..7c798f453
--- /dev/null
+++ b/test/packages/good_provider_permissions/data_stream/ec2_metrics/fields/fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/test/packages/good_provider_permissions/data_stream/ec2_metrics/manifest.yml b/test/packages/good_provider_permissions/data_stream/ec2_metrics/manifest.yml
new file mode 100644
index 000000000..eb684dab5
--- /dev/null
+++ b/test/packages/good_provider_permissions/data_stream/ec2_metrics/manifest.yml
@@ -0,0 +1,13 @@
+title: EC2 Metrics
+type: metrics
+# Data-stream-level permissions: EC2-specific API calls layered on top of input/template/package permissions.
+provider_permissions:
+ - provider: aws
+ description: EC2 describe calls for instance metrics.
+ permissions:
+ - name: ec2:DescribeInstances
+ - name: ec2:DescribeInstanceStatus
+streams:
+ - input: aws/metrics
+ title: EC2 metrics
+ description: Collect EC2 metrics from CloudWatch.
diff --git a/test/packages/good_provider_permissions/docs/README.md b/test/packages/good_provider_permissions/docs/README.md
new file mode 100644
index 000000000..4ab6117f9
--- /dev/null
+++ b/test/packages/good_provider_permissions/docs/README.md
@@ -0,0 +1,3 @@
+# Good Provider Permissions
+
+Test package for `provider_permissions` at package, policy_template, input, and data_stream levels.
diff --git a/test/packages/good_provider_permissions/manifest.yml b/test/packages/good_provider_permissions/manifest.yml
new file mode 100644
index 000000000..18c5a8da1
--- /dev/null
+++ b/test/packages/good_provider_permissions/manifest.yml
@@ -0,0 +1,80 @@
+format_version: 3.7.0
+name: good_provider_permissions
+title: Good package with provider permissions
+description: Tests provider_permissions at package, policy_template, input, and data_stream levels, including multiple providers per entry.
+version: 0.0.1
+type: integration
+categories:
+ - aws
+source:
+ license: "Apache-2.0"
+conditions:
+ kibana:
+ version: '^8.0.0'
+ elastic:
+ subscription: basic
+# Package-level permissions: always included regardless of which inputs are enabled.
+# Two providers in the same array — each provider gets its own entry.
+provider_permissions:
+ - provider: aws
+ description: Bootstrap checks needed by every AWS integration.
+ permissions:
+ - name: sts:GetCallerIdentity
+ description: Verify the IAM identity on startup.
+ - name: iam:ListAccountAliases
+ - name: ec2:DescribeRegions
+ - provider: azure
+ description: Bootstrap check for Azure integrations.
+ permissions:
+ - name: Microsoft.Resources/subscriptions/read
+policy_templates:
+ - name: aws_observability
+ title: AWS Observability
+ description: Collect metrics and logs from AWS services.
+ # Policy-template-level permissions: included for any enabled input/stream under this template.
+ provider_permissions:
+ - provider: aws
+ description: Tag enrichment shared across all EC2 streams.
+ permissions:
+ - name: tag:GetResources
+ inputs:
+ - type: aws/metrics
+ title: Collect AWS CloudWatch metrics
+ description: Collect CloudWatch metrics from AWS services.
+ # Input-level permissions: multiple providers in one array.
+ provider_permissions:
+ - provider: aws
+ description: CloudWatch access required for all metrics data streams.
+ permissions:
+ - name: cloudwatch:GetMetricData
+ - name: cloudwatch:ListMetrics
+ - provider: kubernetes
+ description: Pod metrics access for EKS-based collection.
+ permissions: + - name: get,list pods,nodes + - type: logfile + title: Collect generic logs + description: Collect logs without additional cloud permissions. + data_streams: + - ec2_metrics + - name: aws_security + title: AWS Security Findings + description: Collect Security Hub findings. + inputs: + - type: httpjson + title: Collect Security Hub findings + description: Pull findings via the Security Hub API. + provider_permissions: + - provider: aws + description: Security Hub read access plus SecurityAudit managed policy. + roles: + - name: SecurityAudit + id: arn:aws:iam::aws:policy/SecurityAudit + description: Read-only access to AWS services for security auditing. + permissions: + - name: securityhub:GetFindings + - name: securityhub:GetEnabledStandards + - name: securityhub:GetInsights +owner: + github: elastic/foobar + type: elastic From ad1750501195446e2c534b5eb1ac6d0ca2000fbf Mon Sep 17 00:00:00 2001 From: Evgeniy Belyi Date: Wed, 3 Jun 2026 16:28:21 -0500 Subject: [PATCH 2/6] Update manifest.spec.yml --- spec/integration/manifest.spec.yml | 43 +++++++++++++++++++----------- 1 file changed, 27 insertions(+), 16 deletions(-) diff --git a/spec/integration/manifest.spec.yml b/spec/integration/manifest.spec.yml index 17858bc59..727ed17a4 100644 --- a/spec/integration/manifest.spec.yml +++ b/spec/integration/manifest.spec.yml @@ -738,7 +738,8 @@ spec: - httpjson provider_permissions: description: > - Provider-specific permissions and managed-policy roles required by this unit. + Permissions and roles this integration unit requires from the named provider. + May be declared at package, policy_template, input, and data_stream levels. type: array items: type: object 
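Review bot: The Kubernetes entry under the `aws/metrics` input in test/packages/good_provider_permissions/manifest.yml declares `name: get,list pods,nodes`, which packs two verbs and two resources into one free-form string. Every other entry in this fixture names a single action, and the spec examples added in the following patch use `pods:list` and `namespaces:get`. Because this is the reference "good" package, anything that turns these names into access rules has to guess how to split the string, and a wrong guess can drop or widen a grant without any validation error. I would declare one grant per entry in the `resource:verb` form, starting with `- name: pods:list`, and keep the fixture and the spec examples in the same format.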
@@ -747,21 +748,22 @@ spec: - provider properties: provider: - description: Provider name (e.g. "aws" for AWS, "gcp" for Google Cloud Platform, "azure" for Microsoft Azure, "okta" for Okta). + description: > + Identifier of the provider these permissions apply to + (e.g. "aws", "gcp", "azure", "kubernetes", "okta"). type: string examples: - aws - gcp - azure + - kubernetes - okta + - github description: description: Human-readable description of why these permissions are needed. type: string roles: - description: > - Managed-policy roles to attach alongside inline permissions. - Rendered as ManagedPolicyArns on the IAM identity; Kibana deduplicates - roles that appear at multiple levels. + description: Pre-defined roles or managed policies to attach alongside inline permissions. type: array items: type: object @@ -770,23 +772,25 @@ spec: - name properties: name: - description: Short name of the managed policy (e.g. SecurityAudit). + description: Display name of the role or managed policy. type: string examples: - SecurityAudit + - Storage Blob Data Reader + - roles/logging.viewer + - cluster-reader id: - description: ARN of the managed policy. + description: Provider-specific identifier for this role or managed policy. type: string examples: - arn:aws:iam::aws:policy/SecurityAudit + - roles/storage.objectViewer + - 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 description: description: Human-readable description of this role. type: string permissions: - description: > - Individual IAM actions. Rendered as the Action list in a single - Effect: Allow, Resource: "*" statement. Kibana deduplicates actions - that appear at multiple levels. + description: Individual permission grants required by this integration unit. type: array items: type: object 
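Review bot: In the `roles` items of the `@@ -770,23 +772,25 @@` hunk, `name` is redefined as a display name while `id` appears to stay optional, so a role can be declared with nothing but a label such as `SecurityAudit`. A display name does not identify a role or managed policy unambiguously, and the removed text mentioned that roles appearing at several levels are deduplicated, which needs a stable key. Unless a consumer outside this diff resolves names itself, I would add `id` to the item's `required` list, or state in its description `Provider-specific identifier for this role or managed policy; set it whenever the provider does not identify roles by display name.` The `required:` key of this item sits above the hunk, so only its `- name` entry is visible here.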
@@ -795,14 +799,21 @@ spec: - name properties: name: - description: IAM action name (e.g. s3:GetObject, ec2:Describe*). + description: Provider-specific permission or action name. type: string examples: - s3:GetObject - - ec2:Describe* - - cloudwatch:GetMetricData + - ec2:DescribeInstances + - storage.objects.get + - monitoring.timeSeries.list + - Microsoft.Compute/virtualMachines/read + - Microsoft.Insights/metrics/read + - pods:list + - namespaces:get + - okta.users.read + - contents:read description: - description: Human-readable description of why this action is needed. + description: Human-readable description of why this permission is needed. type: string properties: format_version: From ec060d5d2a4b645f0710fc53dc85bc2dfa06a8c8 Mon Sep 17 00:00:00 2001 From: Evgeniy Belyi Date: Wed, 3 Jun 2026 17:06:30 -0500 Subject: [PATCH 3/6] input spec --- code/go/pkg/validator/validator_test.go | 1 + spec/input/manifest.spec.yml | 10 +++++ .../LICENSE.txt | 1 + .../agent/input/input.yml.hbs | 9 +++++ .../changelog.yml | 6 +++ .../docs/README.md | 3 ++ .../fields/base-fields.yml | 12 ++++++ .../manifest.yml | 40 +++++++++++++++++++ 8 files changed, 82 insertions(+) create mode 100644 test/packages/good_provider_permissions_input/LICENSE.txt create mode 100644 test/packages/good_provider_permissions_input/agent/input/input.yml.hbs create mode 100644 test/packages/good_provider_permissions_input/changelog.yml create mode 100644 test/packages/good_provider_permissions_input/docs/README.md create mode 100644 test/packages/good_provider_permissions_input/fields/base-fields.yml create mode 100644 test/packages/good_provider_permissions_input/manifest.yml diff --git a/code/go/pkg/validator/validator_test.go b/code/go/pkg/validator/validator_test.go index e5446c27c..d186d881b 100644 --- a/code/go/pkg/validator/validator_test.go +++ b/code/go/pkg/validator/validator_test.go 
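Review bot: The permission `name` in the `@@ -795,14 +799,21 @@` hunk remains an unconstrained `type: string`, so an empty value, a bare `*` or a service-wide wildcard all pass validation. The wildcard example `ec2:Describe*` is dropped from the examples, but nothing in the visible schema keeps such names out, and the new examples mix several shapes (`s3:GetObject`, `storage.objects.get`, `Microsoft.Compute/virtualMachines/read`, `pods:list`). I would add `minLength: 1` under `type: string` and widen the description to `Provider-specific permission or action name, one action per entry; prefer exact names over wildcards.` If wildcard names are meant to be rejected rather than discouraged, that needs a validation rule and a failing test package, neither of which is part of this hunk.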
@@ -67,6 +67,7 @@ func TestValidateFile(t *testing.T) { "kibana_configuration_links": {}, "with_links": {}, "good_provider_permissions": {}, + "good_provider_permissions_input": {}, "bad_duration_vars": { "manifest.yml", []string{ diff --git a/spec/input/manifest.spec.yml b/spec/input/manifest.spec.yml index 8cc68dd65..711d36dad 100644 --- a/spec/input/manifest.spec.yml +++ b/spec/input/manifest.spec.yml @@ -84,6 +84,8 @@ spec: $ref: "../integration/manifest.spec.yml#/definitions/var_groups" sections: $ref: "../integration/manifest.spec.yml#/definitions/sections" + provider_permissions: + $ref: "../integration/manifest.spec.yml#/definitions/provider_permissions" input: type: string examples: @@ -146,6 +148,8 @@ spec: $ref: "../integration/manifest.spec.yml#/definitions/var_groups" sections: $ref: "../integration/manifest.spec.yml#/definitions/sections" + provider_permissions: + $ref: "../integration/manifest.spec.yml#/definitions/provider_permissions" owner: $ref: "../integration/manifest.spec.yml#/definitions/owner" agent: @@ -172,6 +176,12 @@ spec: # JSON patches for newer versions should be placed on top versions: + - before: 3.7.0 + patch: + - op: remove + path: "/properties/provider_permissions" + - op: remove + path: "/properties/policy_templates/items/properties/provider_permissions" - before: 3.6.0 patch: - op: remove diff --git a/test/packages/good_provider_permissions_input/LICENSE.txt b/test/packages/good_provider_permissions_input/LICENSE.txt new file mode 100644 index 000000000..3d74f227e --- /dev/null +++ b/test/packages/good_provider_permissions_input/LICENSE.txt @@ -0,0 +1 @@ +Apache License 2.0 diff --git a/test/packages/good_provider_permissions_input/agent/input/input.yml.hbs b/test/packages/good_provider_permissions_input/agent/input/input.yml.hbs new file mode 100644 index 000000000..b3ac63a0b --- /dev/null +++ b/test/packages/good_provider_permissions_input/agent/input/input.yml.hbs 
@@ -0,0 +1,9 @@
+data_stream:
+ dataset: {{data_stream.dataset}}
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+processors:
+ - add_locale: ~
diff --git a/test/packages/good_provider_permissions_input/changelog.yml b/test/packages/good_provider_permissions_input/changelog.yml
new file mode 100644
index 000000000..e00f88133
--- /dev/null
+++ b/test/packages/good_provider_permissions_input/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.0.1"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1
diff --git a/test/packages/good_provider_permissions_input/docs/README.md b/test/packages/good_provider_permissions_input/docs/README.md
new file mode 100644
index 000000000..695d18d97
--- /dev/null
+++ b/test/packages/good_provider_permissions_input/docs/README.md
@@ -0,0 +1,3 @@
+# Good Provider Permissions Input Package
+
+Tests `provider_permissions` at package and policy_template levels in an input package.
diff --git a/test/packages/good_provider_permissions_input/fields/base-fields.yml b/test/packages/good_provider_permissions_input/fields/base-fields.yml
new file mode 100644
index 000000000..7c798f453
--- /dev/null
+++ b/test/packages/good_provider_permissions_input/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/test/packages/good_provider_permissions_input/manifest.yml b/test/packages/good_provider_permissions_input/manifest.yml
new file mode 100644
index 000000000..049092fc3
--- /dev/null
+++ b/test/packages/good_provider_permissions_input/manifest.yml
@@ -0,0 +1,40 @@ +format_version: 3.7.0 +name: good_provider_permissions_input +title: Good Provider Permissions Input Package +description: Tests provider_permissions at package and policy_template levels in an input package. +version: 0.0.1 +type: input +source: + license: "Apache-2.0" +conditions: + kibana: + version: "^8.0.0" + elastic: + subscription: "basic" +# Package-level permissions apply regardless of which policy template is used. +provider_permissions: + - provider: aws + description: Credentials check on startup. + permissions: + - name: sts:GetCallerIdentity + - provider: gcp + description: Identity check on startup. + permissions: + - name: iam.serviceAccounts.get +policy_templates: + - name: s3_logs + type: logs + title: S3 Logs + description: Collect logs from S3 buckets. + input: aws-s3 + template_path: input.yml.hbs + # Policy-template-level permissions for this specific input type. + provider_permissions: + - provider: aws + description: Read log objects from S3. + permissions: + - name: s3:GetObject + - name: s3:ListBucket +owner: + github: elastic/foobar + type: elastic From e3607a03d5f18f89f3d2492c122d9b21ca70473d Mon Sep 17 00:00:00 2001 From: Evgeniy Belyi Date: Wed, 3 Jun 2026 21:53:45 -0500 Subject: [PATCH 4/6] CR changes --- spec/changelog.yml | 2 +- spec/integration/manifest.spec.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/spec/changelog.yml b/spec/changelog.yml index 1b38f1726..775e096a5 100644 --- a/spec/changelog.yml +++ b/spec/changelog.yml 
@@ -10,7 +10,7 @@ link: https://github.com/elastic/package-spec/pull/807 - description: Add provider_permissions field to package, policy_template, input, and data_stream levels for declaring provider-specific permissions. type: enhancement - link: https://github.com/elastic/package-spec/pull/0000 + link: https://github.com/elastic/package-spec/pull/1180 - version: 3.6.3 changes: - description: Add optional `release` field to agentless deployment mode to explicitly declare its release stage. diff --git a/spec/integration/manifest.spec.yml b/spec/integration/manifest.spec.yml index 727ed17a4..5d9ad16ff 100644 --- a/spec/integration/manifest.spec.yml +++ b/spec/integration/manifest.spec.yml @@ -1079,14 +1079,14 @@ versions: - before: 3.7.0 patch: # provider_permissions field for provider-specific permission declarations. - - op: remove - path: "/definitions/provider_permissions" - op: remove path: "/properties/provider_permissions" - op: remove path: "/properties/policy_templates/items/properties/provider_permissions" - op: remove path: "/properties/policy_templates/items/properties/inputs/items/properties/provider_permissions" + - op: remove + path: "/definitions/provider_permissions" - before: 3.6.0 patch: # Input qualifier (named inputs). From dc5e401ee63c8577e17181846d66b1fcbf2f1697 Mon Sep 17 00:00:00 2001 
From: Evgeniy Belyi Date: Thu, 4 Jun 2026 17:02:16 -0500 Subject: [PATCH 5/6] CR --- code/go/pkg/validator/validator_test.go | 6 - spec/changelog.yml | 2 + spec/input/manifest.spec.yml | 6 - .../integration/data_stream/manifest.spec.yml | 5 - spec/integration/manifest.spec.yml | 18 +- .../bad_provider_permissions/manifest.yml | 2 +- .../manifest.yml | 2 +- .../manifest.yml | 2 +- .../LICENSE.txt | 202 ------------------ .../changelog.yml | 6 - .../docs/README.md | 1 - .../manifest.yml | 31 --- .../good_provider_permissions/manifest.yml | 2 +- .../manifest.yml | 2 +- 14 files changed, 10 insertions(+), 277 deletions(-) delete mode 100644 test/packages/bad_provider_permissions_old_version/LICENSE.txt delete mode 100644 test/packages/bad_provider_permissions_old_version/changelog.yml delete mode 100644 test/packages/bad_provider_permissions_old_version/docs/README.md delete mode 100644 test/packages/bad_provider_permissions_old_version/manifest.yml diff --git a/code/go/pkg/validator/validator_test.go b/code/go/pkg/validator/validator_test.go index d186d881b..283641df4 100644 --- a/code/go/pkg/validator/validator_test.go +++ b/code/go/pkg/validator/validator_test.go @@ -254,12 +254,6 @@ func TestValidateFile(t *testing.T) { `field provider_permissions.0: provider is required`, }, }, - "bad_provider_permissions_old_version": { - "manifest.yml", - []string{ - `field (root): Additional property provider_permissions is not allowed`, - }, - }, "bad_provider_permissions_missing_name": { "manifest.yml", []string{ diff --git a/spec/changelog.yml b/spec/changelog.yml index 775e096a5..de3182c38 100644 --- a/spec/changelog.yml +++ b/spec/changelog.yml 
@@ -8,6 +8,8 @@ - description: Add support for semantic_text field definition. type: enhancement link: https://github.com/elastic/package-spec/pull/807 +- version: 3.6.4 + changes: - description: Add provider_permissions field to package, policy_template, input, and data_stream levels for declaring provider-specific permissions. type: enhancement link: https://github.com/elastic/package-spec/pull/1180 diff --git a/spec/input/manifest.spec.yml b/spec/input/manifest.spec.yml index 711d36dad..8f4591bb7 100644 --- a/spec/input/manifest.spec.yml +++ b/spec/input/manifest.spec.yml @@ -176,12 +176,6 @@ spec: # JSON patches for newer versions should be placed on top versions: - - before: 3.7.0 - patch: - - op: remove - path: "/properties/provider_permissions" - - op: remove - path: "/properties/policy_templates/items/properties/provider_permissions" - before: 3.6.0 patch: - op: remove diff --git a/spec/integration/data_stream/manifest.spec.yml b/spec/integration/data_stream/manifest.spec.yml index 9e0e03825..9e3ff54ac 100644 --- a/spec/integration/data_stream/manifest.spec.yml +++ b/spec/integration/data_stream/manifest.spec.yml @@ -712,11 +712,6 @@ spec: - title # JSON patches for newer versions should be placed on top versions: - - before: 3.7.0 - patch: - # provider_permissions field for provider-specific permission declarations. - - op: remove - path: "/properties/provider_permissions" - before: 3.6.0 patch: - op: add diff --git a/spec/integration/manifest.spec.yml b/spec/integration/manifest.spec.yml index 5d9ad16ff..6389bb589 100644 --- a/spec/integration/manifest.spec.yml +++ b/spec/integration/manifest.spec.yml 
@@ -739,7 +739,8 @@ spec: provider_permissions: description: > Permissions and roles this integration unit requires from the named provider. - May be declared at package, policy_template, input, and data_stream levels. + May be declared at package, policy_template, input, and data_stream levels; + entries across all applicable levels are accumulated into a single set and deduplicated. type: array items: type: object @@ -748,9 +749,7 @@ spec: - provider properties: provider: - description: > - Identifier of the provider these permissions apply to - (e.g. "aws", "gcp", "azure", "kubernetes", "okta"). + description: Identifier of the provider these permissions apply to. type: string examples: - aws @@ -1076,17 +1075,6 @@ spec: # JSON patches for newer versions should be placed on top versions: - - before: 3.7.0 - patch: - # provider_permissions field for provider-specific permission declarations. - - op: remove - path: "/properties/provider_permissions" - - op: remove - path: "/properties/policy_templates/items/properties/provider_permissions" - - op: remove - path: "/properties/policy_templates/items/properties/inputs/items/properties/provider_permissions" - - op: remove - path: "/definitions/provider_permissions" - before: 3.6.0 patch: # Input qualifier (named inputs). diff --git a/test/packages/bad_provider_permissions/manifest.yml b/test/packages/bad_provider_permissions/manifest.yml index 124fd456e..b672429b0 100644 --- a/test/packages/bad_provider_permissions/manifest.yml +++ b/test/packages/bad_provider_permissions/manifest.yml @@ -1,4 +1,4 @@ -format_version: 3.7.0 +format_version: 3.6.4 name: bad_provider_permissions title: Bad package with invalid provider permissions description: Tests that provider_permissions with missing required fields is rejected. diff --git a/test/packages/bad_provider_permissions_extra_field/manifest.yml b/test/packages/bad_provider_permissions_extra_field/manifest.yml index 2824251dd..bcfe26dc5 100644 
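Review bot: The sentence added to the `provider_permissions` description says entries from all applicable levels are accumulated and deduplicated, but it defines neither which levels count as applicable nor what makes two entries equal. Since the result is a set of permissions to be granted at a provider, I would state that only levels the user has enabled contribute, so a disabled data stream does not widen the grant, and name the comparison key, e.g. `entries are merged per provider and compared by name`. In the following hunk `provider` remains a free-form `type: string`; unless a constraint follows outside the hunk, `aws` and `AWS` would validate as two providers and escape that deduplication, so a lowercase-only constraint such as `pattern: '^[a-z0-9_]+$'` is worth considering. How the consumer actually merges the entries is not visible in this patch.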
--- a/test/packages/bad_provider_permissions_extra_field/manifest.yml +++ b/test/packages/bad_provider_permissions_extra_field/manifest.yml @@ -1,4 +1,4 @@ -format_version: 3.7.0 +format_version: 3.6.4 name: bad_provider_permissions_extra_field title: Bad package with extra field in permissions item description: A permissions item contains resources which is a V2+ field not allowed in V1. diff --git a/test/packages/bad_provider_permissions_missing_name/manifest.yml b/test/packages/bad_provider_permissions_missing_name/manifest.yml index 9db537d01..d29714e08 100644 --- a/test/packages/bad_provider_permissions_missing_name/manifest.yml +++ b/test/packages/bad_provider_permissions_missing_name/manifest.yml @@ -1,4 +1,4 @@ -format_version: 3.7.0 +format_version: 3.6.4 name: bad_provider_permissions_missing_name title: Bad package with permissions item missing name description: A permissions item is missing the required name field. diff --git a/test/packages/bad_provider_permissions_old_version/LICENSE.txt b/test/packages/bad_provider_permissions_old_version/LICENSE.txt deleted file mode 100644 index d64569567..000000000 --- a/test/packages/bad_provider_permissions_old_version/LICENSE.txt +++ /dev/null 
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/test/packages/bad_provider_permissions_old_version/changelog.yml b/test/packages/bad_provider_permissions_old_version/changelog.yml deleted file mode 100644 index bb0320a52..000000000 --- a/test/packages/bad_provider_permissions_old_version/changelog.yml +++ /dev/null @@ -1,6 +0,0 @@ -# newer versions go on top -- version: "0.0.1" - changes: - - description: Initial draft of the package - type: enhancement - link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link diff --git a/test/packages/bad_provider_permissions_old_version/docs/README.md b/test/packages/bad_provider_permissions_old_version/docs/README.md deleted file mode 100644 index f1d5d4d6a..000000000 --- a/test/packages/bad_provider_permissions_old_version/docs/README.md +++ /dev/null 
@@ -1 +0,0 @@ -# bad_provider_permissions_old_version diff --git a/test/packages/bad_provider_permissions_old_version/manifest.yml b/test/packages/bad_provider_permissions_old_version/manifest.yml deleted file mode 100644 index 230b47470..000000000 --- a/test/packages/bad_provider_permissions_old_version/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -format_version: 3.6.0 -name: bad_provider_permissions_old_version -title: Bad package using provider_permissions below spec 3.7.0 -description: provider_permissions is not available before format_version 3.7.0. -version: 0.0.1 -type: integration -categories: - - aws -source: - license: "Apache-2.0" -conditions: - kibana: - version: '^8.0.0' - elastic: - subscription: basic -# provider_permissions was introduced in 3.7.0 — should be rejected here. -provider_permissions: - - provider: aws - permissions: - - name: s3:GetObject -policy_templates: - - name: sample - title: Sample logs - description: Collect sample logs - inputs: - - type: logfile - title: Collect sample logs from instances - description: Collecting sample logs -owner: - github: elastic/foobar - type: elastic diff --git a/test/packages/good_provider_permissions/manifest.yml b/test/packages/good_provider_permissions/manifest.yml index 18c5a8da1..286ccaa26 100644 --- a/test/packages/good_provider_permissions/manifest.yml +++ b/test/packages/good_provider_permissions/manifest.yml @@ -1,4 +1,4 @@ -format_version: 3.7.0 +format_version: 3.6.4 name: good_provider_permissions title: Good package with provider permissions description: Tests provider_permissions at package, policy_template, input, and data_stream levels, including multiple providers per entry. diff --git a/test/packages/good_provider_permissions_input/manifest.yml b/test/packages/good_provider_permissions_input/manifest.yml index 049092fc3..7885237f0 100644 --- a/test/packages/good_provider_permissions_input/manifest.yml +++ b/test/packages/good_provider_permissions_input/manifest.yml 
@@ -1,4 +1,4 @@ -format_version: 3.7.0 +format_version: 3.6.4 name: good_provider_permissions_input title: Good Provider Permissions Input Package description: Tests provider_permissions at package and policy_template levels in an input package. From 16453397f8e378d9411cdb4451a7637ae05bdbc1 Mon Sep 17 00:00:00 2001 From: Evgeniy Belyi Date: Fri, 5 Jun 2026 09:33:23 -0500 Subject: [PATCH 6/6] Update spec/changelog.yml Co-authored-by: Tere --- spec/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/changelog.yml b/spec/changelog.yml index de3182c38..6f5f615f2 100644 --- a/spec/changelog.yml +++ b/spec/changelog.yml @@ -8,7 +8,7 @@ - description: Add support for semantic_text field definition. type: enhancement link: https://github.com/elastic/package-spec/pull/807 -- version: 3.6.4 +- version: 3.6.4-next changes: - description: Add provider_permissions field to package, policy_template, input, and data_stream levels for declaring provider-specific permissions. type: enhancement