collect and dedup output_paths when sending policy change actions

elastic · Sep 20, 2024 · a87d4ca · a87d4ca
1 parent ff8b0c7
commit a87d4ca
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/internal/pkg/api/handleCheckin.go b/internal/pkg/api/handleCheckin.go
@@ -16,6 +16,7 @@ import (
 	"math/rand"
 	"net/http"
 	"reflect"
+	"slices"
 	"sync"
 	"time"
 
@@ -818,11 +819,13 @@ func processPolicy(ctx context.Context, zlog zerolog.Logger, bulker bulk.Bulk, a
 
 	data := model.ClonePolicyData(pp.Policy.Data)
 	for policyName, policyOutput := range data.Outputs {
-		_, err := policy.ProcessOutputSecret(ctx, policyOutput, bulker) // FIXME: Do we need to handle output keys here?
+		// NOTE: Not sure if output secret keys collected here include new entries, but they are collected for completeness
+		ks, err := policy.ProcessOutputSecret(ctx, policyOutput, bulker)
 		if err != nil {
 			return nil, fmt.Errorf("failed to process output secrets %q: %w",
 				policyName, err)
 		}
+		pp.SecretKeys = append(pp.SecretKeys, ks...)
 	}
 	// Iterate through the policy outputs and prepare them
 	for _, policyOutput := range pp.Outputs {
@@ -845,7 +848,10 @@ func processPolicy(ctx context.Context, zlog zerolog.Logger, bulker bulk.Bulk, a
 	if err != nil {
 		return nil, err
 	}
-	d.SecretPaths = &pp.SecretKeys
+	// remove duplicates from secretkeys
+	slices.Sort(pp.SecretKeys)
+	keys := slices.Compact(pp.SecretKeys)
+	d.SecretPaths = &keys
 	ad := Action_Data{}
 	err = ad.FromActionPolicyChange(ActionPolicyChange{d})
 	if err != nil {