fix: enforce policy-based access control on artifact downloads

[ycombinator]

What is the problem this PR solves?

The artifact download endpoint (/api/fleet/artifacts/{id}/{sha256}) only validates the agent's API key but never checks whether the requested artifact belongs to the agent's assigned policy. This means an agent enrolled under one policy can download artifacts belonging to a different policy if it knows the artifact ID and SHA256 hash. For example, an agent enrolled under a policy with no integrations can retrieve Elastic Defend trust lists, exception lists, and other security artifacts from another policy.

How does this PR solve the problem?

Implements the authorizeArtifact() function (previously a no-op that returned nil) to enforce policy-based access control:

1. Adds a GetPolicy(ctx, policyID) method to the policy.Monitor interface that returns the cached policy for a given ID (reloads from ES on cache miss).
2. In authorizeArtifact, fetches the agent's policy via the monitor using agent.AgentPolicyID and verifies that the requested artifact (identifier + decoded_sha256) appears in the policy's inputs[].artifact_manifest.artifacts.
3. Returns 403 Forbidden (ErrUnauthorizedArtifact) if the artifact is not listed in the agent's assigned policy.

How to test this PR locally

1. Set up Fleet Server with Elasticsearch and Kibana
2. Create two agent policies: Victim-Policy with Elastic Defend integration (add a trusted application), and Attacker-Policy with no integrations
3. Create an enrollment token for Attacker-Policy and enroll an agent
4. Attempt to download an artifact belonging to Victim-Policy using the attacker agent's API key — should now receive 403 Forbidden instead of the artifact contents
5. Verify that an agent enrolled under Victim-Policy can still download its own artifacts normally (200 OK)

Design Checklist

• I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
• I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
• I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.

Checklist

• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool

[mergify]

This pull request does not have a backport label. Could you fix it @ycombinator? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[michel-laterman]

go's newer conventions prefers any over interface{}
this is being enforced by the go fix check that can be ran with mage check:fix

[ycombinator]

Updated in b00c5df.

[michel-laterman]

Should we define this artifact_manifest as a struct somewhere?

[ycombinator]

Added model.ArtifactManifest and model.ManifestEntry structs in 3e57a6e.

[michel-laterman]

lgtm

[cmacknz]

Marshalling to then unmarshal feels a bit weird, there's no way to just unmarshal this? Maybe an intermediate type that has artifact_manifest as json.RawMessage instead of an any?

[ycombinator]

Removed the marshal-then-unmarshal; agree, it was awkward. Just went with directly accessing map fields, with type assertions for safety: 535b14f

[github-actions]

TL;DR

Buildkite failed in Run check-ci because mage check:ci modified a tracked file, so the no-changes gate failed. The immediate fix is to commit the header update in internal/pkg/api/handleArtifacts_test.go (license text changed to Elastic License 2.0).

Remediation

• Update and commit the file header in internal/pkg/api/handleArtifacts_test.go to the expected Elastic License 2.0 form (or run mage check:ci locally and commit all resulting changes).
• Re-run mage check:ci (or CI) to confirm the tree stays clean after Generate, Imports, Fix, Headers, and Notice.

Investigation details

Root Cause

check_ci.sh runs mage check:ci, which includes Check.NoChanges.

• magefile.go#L641-L642: Check.Ci() runs Generate, Check.Imports, Check.Fix, Check.Headers, Check.Notice, Check.NoChanges.
• magefile.go#L612-L626: Check.NoChanges() fails if git update-index --refresh or later diff checks see modified files.

The Buildkite log shows a diff for internal/pkg/api/handleArtifacts_test.go where the header changed from:

// ... Licensed under the Elastic License;
// you may not use this file except in compliance with the Elastic License.

to:

// ... Licensed under the Elastic License 2.0;
// you may not use this file except in compliance with the Elastic License 2.0.

That mutation made the repo dirty and triggered:
Error: git update-index failure: running "git update-index --refresh" failed with exit code 1.

Evidence

• Build: https://buildkite.com/elastic/fleet-server/builds/14740
• Job/step: Run check-ci (.buildkite/scripts/check_ci.sh)
• Key log excerpt: /tmp/gh-aw/buildkite-logs/fleet-server-white_check_mark-run-check-ci.txt shows the header diff and internal/pkg/api/handleArtifacts_test.go: needs update immediately before the git update-index failure.

Verification

• Not run in this workflow; diagnosis is from Buildkite logs and repository mage target wiring.

Follow-up

• If this file was newly added in the PR, apply the repository’s current license header template for new Go files to avoid repeated check:ci failures.

Note

🔒 Integrity filter blocked 4 items

The following items were blocked because they don't meet the GitHub integrity level.

• fix: enforce policy-based access control on artifact downloads #7009 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #7009 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #7009 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• fix: enforce policy-based access control on artifact downloads #7009 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

---

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.