fix: enforce policy-based access control on artifact downloads

[ycombinator]

What is the problem this PR solves?

The artifact download endpoint (/api/fleet/artifacts/{id}/{sha256}) only validates the agent's API key but never checks whether the requested artifact belongs to the agent's assigned policy. This means an agent enrolled under one policy can download artifacts belonging to a different policy if it knows the artifact ID and SHA256 hash. For example, an agent enrolled under a policy with no integrations can retrieve Elastic Defend trust lists, exception lists, and other security artifacts from another policy.

How does this PR solve the problem?

Implements the authorizeArtifact() function (previously a no-op that returned nil) to enforce policy-based access control:

1. Adds a GetPolicy(ctx, policyID) method to the policy.Monitor interface that returns the cached policy for a given ID (reloads from ES on cache miss).
2. In authorizeArtifact, fetches the agent's policy via the monitor using agent.AgentPolicyID and verifies that the requested artifact (identifier + decoded_sha256) appears in the policy's inputs[].artifact_manifest.artifacts.
3. Returns 403 Forbidden (ErrUnauthorizedArtifact) if the artifact is not listed in the agent's assigned policy.

How to test this PR locally

1. Set up Fleet Server with Elasticsearch and Kibana
2. Create two agent policies: Victim-Policy with Elastic Defend integration (add a trusted application), and Attacker-Policy with no integrations
3. Create an enrollment token for Attacker-Policy and enroll an agent
4. Attempt to download an artifact belonging to Victim-Policy using the attacker agent's API key — should now receive 403 Forbidden instead of the artifact contents
5. Verify that an agent enrolled under Victim-Policy can still download its own artifacts normally (200 OK)

Design Checklist

• I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
• I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
• I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.

Checklist

• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool

[mergify]

This pull request does not have a backport label. Could you fix it @ycombinator? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[michel-laterman]

lgtm

[cmacknz]

Marshalling to then unmarshal feels a bit weird, there's no way to just unmarshal this? Maybe an intermediate type that has artifact_manifest as json.RawMessage instead of an any?

[ycombinator]

Removed the marshal-then-unmarshal; agree, it was awkward. Just went with directly accessing map fields, with type assertions for safety: 535b14f

[michel-laterman]

lgtm, just have nitpicks

[michel-laterman]

(nitpick) we should use tester.T().Context() instead of background

[michel-laterman]

(nitpick) we should use tester.T().Context() instead of background

[github-actions]

TL;DR

The Buildkite E2E step failed due to the entire testing/e2e package timing out, not from a direct assertion failure in the captured log. Immediate next action is to re-run E2E once; if it reproduces, isolate the hanging test with TEST_RUN and capture full go test output.

Remediation

• Re-run the failing E2E job once (this looks like a timeout/flaky-style failure rather than a deterministic compile/type error).
• If it reproduces, bisect with TEST_RUN to identify the exact hanging test case in testing/e2e.
• Ensure the detailed test output file (build/test-e2e-<os>.out, written by Mage) is uploaded in CI for future failures so we can pinpoint the exact test name quickly.

Investigation details

Root Cause

The failure is a test timeout at the suite/package level:

• E2E is launched via .buildkite/scripts/e2e_test.sh at mage test:e2e (.buildkite/scripts/e2e_test.sh#L16).
• Mage runs E2E with go test -timeout 30m (magefile.go#L2162).
• Build log shows the package failed after 1980.095s (~33m), which is consistent with timeout + teardown overhead.

Because the captured log is truncated to goroutine dump tail + package FAIL, it does not include the specific test name that hung.

Evidence

• Build: https://buildkite.com/elastic/fleet-server/builds/14911
• Job/step: E2E Test (.buildkite/scripts/e2e_test.sh)
• Key log excerpt (/tmp/gh-aw/buildkite-logs/fleet-server-e2e-test.txt):
  • FAIL github.com/elastic/fleet-server/testing/e2e 1980.095s (line 125)
  • goroutine dump tail (lines 1-124)
  • Error: exit status 1 (line 133)
• Timeout config in source:
  • magefile.go:2162 → go test ... -timeout 30m ... ./...

Verification

• Not run locally (full E2E is heavyweight and requires dockerized env + build artifacts).

Follow-up

I could not deduplicate against prior detective comments on this PR because PR read endpoints were blocked by integrity policy in this runtime. If this exact timeout diagnosis was already posted, please treat this as confirmation.

Related flaky-test references (not an exact match to this log due missing test name):

• TestAgentContainerSuite/TestDockerAgent #5627
• [Flaky Test] TestStandAloneRunningSuite/TestOpAMP signal: killed #6590

Note

🔒 Integrity filter blocked 3 items

The following items were blocked because they don't meet the GitHub integrity level.

• fix: enforce policy-based access control on artifact downloads #7009 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #7009 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #7009 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

---

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[samuelvl]

Should we return ErrUnauthorizedArtifact here? As it is now, it would return 500 (default in error.go) but I think 403 is more appropriate. Returning 404 would leak whether the policy ID exists.

[samuelvl]

nit: this can be re-used from policyHasArtifact in handleArtifacts.go if we define it as:

func policyHasArtifact(pd *model.PolicyData, id, sha2 string) bool {
    for _, input := range pd.Inputs {
        if inputHasArtifact(input, id, sha2) {
            return true
        }
    }
    return false
}

func inputHasArtifact(input map[string]any, id, sha2 string) bool {
...
}

[samuelvl]

nit: we can read decoded_sha256 from https://github.com/elastic/fleet-server/blob/main/internal/pkg/dl/constants.go#L68

It can be worth to also add artifact_manifest and artifacts to this constants.go file.