Fix issue with --delay-enroll and --unprivileged on Windows (#4779)

* Perform fix permissions after delay enrollment. Add integration tests for privileged/unprivileged and Windows.

* Add changelog entry.

* Fix import.

* Update testing/integration/delay_enroll_test.go

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

---------

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

Author: blakerouse

changelog/fragments/1716227441-Fix-delay-enrollment-to-work-in-unprivileged-mode-on-Windows.yaml

@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: bug-fix
+
+# Change summary; a 80ish characters long description of the change.
+summary: Fix delay enrollment to work in unprivileged mode on Windows
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component:
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/4779
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/elastic-agent/issues/4678

internal/pkg/agent/cmd/enroll_cmd.go

@@ -255,7 +255,18 @@ func (c *enrollCmd) Execute(ctx context.Context, streams *cli.IOStreams) error {
 		if c.options.FleetServer.Host != "" {
 			return errors.New("--delay-enroll cannot be used with --fleet-server-es", errors.TypeConfig)
 		}
-		return c.writeDelayEnroll(streams)
+		err = c.writeDelayEnroll(streams)
+		if err != nil {
+			// context for error already provided in writeDelayEnroll
+			return err
+		}
+		if c.options.FixPermissions != nil {
+			err = perms.FixPermissions(paths.Top(), perms.WithOwnership(*c.options.FixPermissions))
+			if err != nil {
+				return errors.New(err, "failed to fix permissions")
+			}
+		}
+		return nil
 	}
 
 	err = c.enrollWithBackoff(ctx, persistentConfig)

testing/integration/delay_enroll_test.go

@@ -9,14 +9,14 @@ package integration
 import (
 	"context"
 	"fmt"
-	"os/exec"
 	"testing"
 	"time"
 
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 
 	"github.com/elastic/elastic-agent-libs/kibana"
+	"github.com/elastic/elastic-agent/internal/pkg/agent/install"
 	atesting "github.com/elastic/elastic-agent/pkg/testing"
 	"github.com/elastic/elastic-agent/pkg/testing/define"
 	"github.com/elastic/elastic-agent/pkg/testing/tools"
@@ -30,7 +30,6 @@ func TestDelayEnroll(t *testing.T) {
 		Stack: &define.Stack{},
 		Local: false,
 		Sudo:  true,
-		OS:    []define.OS{{Type: define.Linux}},
 	})
 
 	ctx, cancel := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
@@ -64,6 +63,7 @@ func TestDelayEnroll(t *testing.T) {
 		NonInteractive: true,
 		Force:          true,
 		DelayEnroll:    true,
+		Privileged:     false,
 	}
 	// Install the Elastic-Agent with the policy that was just
 	// created.
@@ -77,11 +77,69 @@ func TestDelayEnroll(t *testing.T) {
 	require.NoError(t, err)
 
 	// Start elastic-agent via service, this should do the enrollment
-	cmd := exec.Command("/usr/bin/systemctl", "start", "elastic-agent")
-	stdErrStdout, err := cmd.CombinedOutput()
-	require.NoErrorf(t, err, "systemctl start elastic-agent output was %s", stdErrStdout)
+	err = install.StartService("") // topPath can be blank as this is only starting the service
+	require.NoErrorf(t, err, "failed to start service")
 
 	// check to make sure enroll worked
 	check.ConnectedToFleet(ctx, t, agentFixture, 5*time.Minute)
+}
+
+func TestDelayEnrollUnprivileged(t *testing.T) {
+	info := define.Require(t, define.Requirements{
+		Group: Fleet,
+		Stack: &define.Stack{},
+		Local: false,
+		Sudo:  true,
+	})
+
+	ctx, cancel := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
+	defer cancel()
+
+	agentFixture, err := define.NewFixtureFromLocalBuild(t, define.Version())
+	require.NoError(t, err)
+
+	// 1. Create a policy in Fleet with monitoring enabled.
+	// To ensure there are no conflicts with previous test runs against
+	// the same ESS stack, we add a UUID at the end of the policy
+	// name. This policy does not contain any integration.
+	t.Log("Enrolling agent in Fleet with a test policy")
+	createPolicyReq := kibana.AgentPolicy{
+		Name:        fmt.Sprintf("test-policy-enroll-%s", uuid.New().String()),
+		Namespace:   info.Namespace,
+		Description: "test policy for agent enrollment",
+		MonitoringEnabled: []kibana.MonitoringEnabledOption{
+			kibana.MonitoringEnabledLogs,
+			kibana.MonitoringEnabledMetrics,
+		},
+		AgentFeatures: []map[string]interface{}{
+			{
+				"name":    "test_enroll",
+				"enabled": true,
+			},
+		},
+	}
 
+	installOpts := atesting.InstallOpts{
+		NonInteractive: true,
+		Force:          true,
+		DelayEnroll:    true,
+		Privileged:     false,
+	}
+	// Install the Elastic-Agent with the policy that was just
+	// created.
+	_, err = tools.InstallAgentWithPolicy(
+		ctx,
+		t,
+		installOpts,
+		agentFixture,
+		info.KibanaClient,
+		createPolicyReq)
+	require.NoError(t, err)
+
+	// Start elastic-agent via service, this should do the enrollment
+	err = install.StartService("") // topPath can be blank as this is only starting the service
+	require.NoErrorf(t, err, "failed to start service")
+
+	// check to make sure enroll worked
+	check.ConnectedToFleet(ctx, t, agentFixture, 5*time.Minute)
 }