refactor!(beyondinsight_password_safe): rewrite managedsystem (elastic#15007)

refactor(beyondinsight_password_safe): rewrite managedsystem

Rewrite of the managedsystem data stream to improve code
maintainability and reliability, applying the same improvements made to
managedaccount. The new implementation requires Elastic Agent 8.18.0 or
greater due to sprintf usage for credential formatting.

Key improvements:
- Enhanced CEL program with proper session management and retry logic
- Automatic re-authentication when sessions expire (401 responses)
- Consistent event.original field containing JSON event data
- Drop event processor to filter out dummy CEL control events
- Enhanced ingest pipeline with terminate processors (requires ES 8.16.0)
- Moved event.dataset and event.module to constant_keyword mappings
- Added system test with session expiration scenarios
- Added pipeline test for nullable fields handling
- Updated to use RFC 5737 documentation IP addresses (198.51.100.0/24)
- Fixed field name inconsistencies compared to docs (DnsName -> DNSName)

Test improvements:
- Added Docker mock server configuration for E2E testing
- Added policy tests (note: does not demonstrate secret rendering)
- Enhanced pipeline tests with null value handling

Relates elastic#14999

Author: andrewkroh

packages/beyondinsight_password_safe/changelog.yml

@@ -1,3 +1,11 @@
+- version: "0.7.0"
+  changes:
+    - description: For the `managedsystem` data stream, fixed session management to automatically re-authenticate when sessions expire.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15007
+    - description: For the `managedsystem` data stream, renamed fields to match proper snake_case naming - `ipaddress` to `ip_address` and `isarelease_duration` to `isa_release_duration`.
+      type: breaking-change
+      link: https://github.com/elastic/integrations/pull/15007
 - version: "0.6.0"
   changes:
     - description: For the `managedaccount` data stream, fixed session management to automatically re-authenticate when sessions expire.

packages/beyondinsight_password_safe/data_stream/managedsystem/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,13 @@
+services:
+  beyondinsight-managedsystem-cel:
+    image: docker.elastic.co/observability/stream:v0.20.0
+    ports:
+      - 8080
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: '8080'
+    command:
+      - http-server
+      - --addr=:8080
+      - --config=/files/config.yml

packages/beyondinsight_password_safe/data_stream/managedsystem/_dev/deploy/docker/files/config.yml

@@ -0,0 +1,204 @@
+# BeyondInsight Password Safe - Managed Systems Test Mock Configuration
+#
+# Test Scenario: Simulates paginated retrieval of managed systems with session expiration and re-authentication:
+# 1. Initial authentication via SignAppin endpoint (returns 200, sets session cookie)
+# 2. First ManagedSystems request with limit=1&offset=0 (returns 200, first session)
+# 3. Second ManagedSystems request with limit=1&offset=1 (returns 401, session expired)
+# 4. Re-authentication via SignAppin endpoint (returns 200, new session cookie)
+# 5. Retry ManagedSystems request with limit=1&offset=1 (returns 200, second session)
+# 6. Final ManagedSystems request with limit=1&offset=2 (returns 200, empty data array - no more data)
+#
+# This tests the integration's ability to handle:
+# - Session-based authentication with BeyondTrust API
+# - Paginated data retrieval with limit/offset parameters
+# - Session expiration (401) and automatic re-authentication
+# - Proper handling of empty result sets indicating end of pagination
+
+rules:
+  # Auth
+  - path: "/BeyondTrust/api/public/v3/Auth/SignAppin"
+    methods: ["POST"]
+    request_headers:
+      Authorization: ['PS-Auth key=test_api_key; runas=testuser; pwd=\[password\];']
+      Content-Type: ['application/json']
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type: ['application/json']
+          Set-Cookie: ['ASP.NET_SessionId={{ if eq .req_num 1 }}cookie_value1{{ else }}cookie_value2{{ end }}']
+        body: |
+          {{ minify_json `
+          {
+            "UserId": 1,
+            "SID": null,
+            "EmailAddress": "[email protected]",
+            "UserName": "testuser",
+            "Name": "Test User"
+          }
+          `}}
+
+  - path: "/BeyondTrust/api/public/v3/ManagedSystems"
+    methods: ["GET"]
+    query_params:
+      offset: '0'
+    request_headers:
+      Content-Type: ['application/json']
+      Cookie: ['ASP.NET_SessionId=cookie_value1']
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type: ['application/json']
+        body: |-
+          {{ minify_json `
+          {
+              "Data": [
+                  {
+                      "ManagedSystemID": 13,
+                      "EntityTypeID": 1,
+                      "AssetID": 13,
+                      "DatabaseID": 5,
+                      "DirectoryID": 3,
+                      "CloudID": 1,
+                      "WorkgroupID": 1,
+                      "HostName": "AardvarkAgreement",
+                      "DNSName": "AardvarkAgreement.example.com",
+                      "IPAddress": "198.51.100.10",
+                      "InstanceName": "InstanceOne",
+                      "IsDefaultInstance": true,
+                      "Template": "ServerTemplate",
+                      "ForestName": "PrimaryForest",
+                      "UseSSL": true,
+                      "OracleInternetDirectoryID": "550e8400-e29b-41d4-a716-446655440000",
+                      "OracleInternetDirectoryServiceName": "OiDService",
+                      "SystemName": "AardvarkAgreement",
+                      "PlatformID": 4,
+                      "NetBiosName": "AardvarkNet",
+                      "Port": 8080,
+                      "Timeout": 30,
+                      "Description": "Primary Managed System for AardvarkAgreement",
+                      "ContactEmail": "[email protected]",
+                      "PasswordRuleID": 0,
+                      "DSSKeyRuleID": 0,
+                      "ReleaseDuration": 120,
+                      "MaxReleaseDuration": 525600,
+                      "ISAReleaseDuration": 120,
+                      "AutoManagementFlag": true,
+                      "FunctionalAccountID": 14,
+                      "LoginAccountID": 20,
+                      "ElevationCommand": "sudo",
+                      "SshKeyEnforcementMode": 1,
+                      "CheckPasswordFlag": false,
+                      "ChangePasswordAfterAnyReleaseFlag": false,
+                      "ResetPasswordOnMismatchFlag": false,
+                      "ChangeFrequencyType": "first",
+                      "ChangeFrequencyDays": 30,
+                      "ChangeTime": "23:30",
+                      "AccountNameFormat": 0,
+                      "RemoteClientType": "None",
+                      "ApplicationHostID": 2,
+                      "IsApplicationHost": false,
+                      "AccessURL": "http://aardvarkagreement.com/manage"
+                  }
+              ],
+              "TotalCount": 2
+          }
+          `}}
+
+  - path: "/BeyondTrust/api/public/v3/ManagedSystems"
+    methods: ["GET"]
+    query_params:
+      offset: '1'
+    request_headers:
+      Content-Type: ['application/json']
+      Cookie: ['ASP.NET_SessionId=cookie_value1']
+    responses:
+      - status_code: 401
+        headers:
+          Content-Type: ['application/json']
+        body: >-
+          "User not authenticated"
+
+  - path: "/BeyondTrust/api/public/v3/ManagedSystems"
+    methods: ["GET"]
+    query_params:
+      offset: '1'
+      limit: '1'
+    request_headers:
+      Content-Type: ['application/json']
+      Cookie: ['ASP.NET_SessionId=cookie_value2']
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type: ['application/json']
+        body: |-
+          {{ minify_json `
+          {
+              "Data": [
+                  {
+                      "ManagedSystemID": 14,
+                      "EntityTypeID": 1,
+                      "AssetID": 14,
+                      "DatabaseID": 6,
+                      "DirectoryID": 4,
+                      "CloudID": 2,
+                      "WorkgroupID": 2,
+                      "HostName": "SecondSystem",
+                      "DNSName": "secondsystem.example.com",
+                      "IPAddress": "198.51.100.20",
+                      "InstanceName": "Primary",
+                      "IsDefaultInstance": true,
+                      "Template": "ServerTemplate",
+                      "ForestName": "SecondaryForest",
+                      "UseSSL": true,
+                      "OracleInternetDirectoryID": "550e8400-e29b-41d4-a716-446655440001",
+                      "OracleInternetDirectoryServiceName": "OiDService2",
+                      "SystemName": "SecondSystem",
+                      "PlatformID": 5,
+                      "NetBiosName": "SecondNet",
+                      "Port": 8081,
+                      "Timeout": 60,
+                      "Description": "Secondary Managed System",
+                      "ContactEmail": "[email protected]",
+                      "PasswordRuleID": 1,
+                      "DSSKeyRuleID": 1,
+                      "ReleaseDuration": 240,
+                      "MaxReleaseDuration": 525600,
+                      "ISAReleaseDuration": 240,
+                      "AutoManagementFlag": false,
+                      "FunctionalAccountID": 15,
+                      "LoginAccountID": 21,
+                      "ElevationCommand": "su",
+                      "SshKeyEnforcementMode": 2,
+                      "CheckPasswordFlag": true,
+                      "ChangePasswordAfterAnyReleaseFlag": true,
+                      "ResetPasswordOnMismatchFlag": true,
+                      "ChangeFrequencyType": "daily",
+                      "ChangeFrequencyDays": 1,
+                      "ChangeTime": "02:00",
+                      "AccountNameFormat": 1,
+                      "RemoteClientType": "SSH",
+                      "ApplicationHostID": 3,
+                      "IsApplicationHost": true,
+                      "AccessURL": "https://secondsystem.example.com/manage"
+                  }
+              ],
+              "TotalCount": 2
+          }
+          `}}
+
+  - path: "/BeyondTrust/api/public/v3/ManagedSystems"
+    methods: ["GET"]
+    request_headers:
+      Content-Type: ['application/json']
+      Cookie: ['ASP.NET_SessionId=cookie_value2']
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type: ['application/json']
+        body: |-
+          {{ minify_json `
+          {
+              "Data": [],
+              "TotalCount": 2
+          }
+          `}}

packages/beyondinsight_password_safe/data_stream/managedsystem/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,12 @@
+{
+    "events": [
+        {
+            "labels": {
+              "test_description": "This tests the pipeline using an event that includes every nullable field documented by the API."
+            },
+            "event": {
+              "original" : "{\"ManagedSystemID\":15,\"EntityTypeID\":2,\"AssetID\":null,\"DatabaseID\":null,\"DirectoryID\":null,\"CloudID\":null,\"WorkgroupID\":3,\"HostName\":\"MinimalSystem\",\"DNSName\":\"minimal.example.com\",\"IPAddress\":\"198.51.100.30\",\"InstanceName\":\"Default\",\"IsDefaultInstance\":null,\"Template\":\"BasicTemplate\",\"ForestName\":\"TestForest\",\"UseSSL\":null,\"OracleInternetDirectoryID\":null,\"OracleInternetDirectoryServiceName\":\"DefaultOiD\",\"SystemName\":\"MinimalSystem\",\"PlatformID\":6,\"NetBiosName\":\"MinimalNet\",\"Port\":null,\"Timeout\":15,\"Description\":\"Minimal system with null values\",\"ContactEmail\":\"[email protected]\",\"PasswordRuleID\":1,\"DSSKeyRuleID\":null,\"ReleaseDuration\":60,\"MaxReleaseDuration\":300000,\"ISAReleaseDuration\":90,\"AutoManagementFlag\":false,\"FunctionalAccountID\":null,\"LoginAccountID\":null,\"ElevationCommand\":null,\"SshKeyEnforcementMode\":null,\"CheckPasswordFlag\":true,\"ChangePasswordAfterAnyReleaseFlag\":true,\"ResetPasswordOnMismatchFlag\":false,\"ChangeFrequencyType\":\"weekly\",\"ChangeFrequencyDays\":7,\"ChangeTime\":\"03:00\",\"AccountNameFormat\":1,\"RemoteClientType\":\"RDP\",\"ApplicationHostID\":null,\"IsApplicationHost\":false,\"AccessURL\":\"https://minimal.example.com/access\"}"
+            }
+        }
+    ]
+}

packages/beyondinsight_password_safe/data_stream/managedsystem/_dev/test/pipeline/test-managedsystem-nullable.json

@@ -0,0 +1,92 @@
+{
+    "expected": [
+        {
+            "beyondinsight_password_safe": {
+                "managedsystem": {
+                    "access_url": "https://minimal.example.com/access",
+                    "account_name_format": 1,
+                    "auto_management_flag": false,
+                    "change_frequency_days": 7,
+                    "change_frequency_type": "weekly",
+                    "change_password_after_any_release_flag": true,
+                    "change_time": "03:00",
+                    "check_password_flag": true,
+                    "contact_email": "[email protected]",
+                    "description": "Minimal system with null values",
+                    "dns_name": "minimal.example.com",
+                    "entity_type_id": 2,
+                    "forest_name": "TestForest",
+                    "host_name": "MinimalSystem",
+                    "instance_name": "Default",
+                    "ip_address": "198.51.100.30",
+                    "is_application_host": false,
+                    "isa_release_duration": 90,
+                    "managed_system_id": 15,
+                    "max_release_duration": 300000,
+                    "net_bios_name": "MinimalNet",
+                    "oracle_internet_directory_service_name": "DefaultOiD",
+                    "password_rule_id": 1,
+                    "platform_id": 6,
+                    "release_duration": 60,
+                    "remote_client_type": "RDP",
+                    "reset_password_on_mismatch_flag": false,
+                    "system_name": "MinimalSystem",
+                    "template": "BasicTemplate",
+                    "timeout": 15,
+                    "workgroup_id": 3
+                }
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "iam"
+                ],
+                "kind": "asset",
+                "original": "{\"ManagedSystemID\":15,\"EntityTypeID\":2,\"AssetID\":null,\"DatabaseID\":null,\"DirectoryID\":null,\"CloudID\":null,\"WorkgroupID\":3,\"HostName\":\"MinimalSystem\",\"DNSName\":\"minimal.example.com\",\"IPAddress\":\"198.51.100.30\",\"InstanceName\":\"Default\",\"IsDefaultInstance\":null,\"Template\":\"BasicTemplate\",\"ForestName\":\"TestForest\",\"UseSSL\":null,\"OracleInternetDirectoryID\":null,\"OracleInternetDirectoryServiceName\":\"DefaultOiD\",\"SystemName\":\"MinimalSystem\",\"PlatformID\":6,\"NetBiosName\":\"MinimalNet\",\"Port\":null,\"Timeout\":15,\"Description\":\"Minimal system with null values\",\"ContactEmail\":\"[email protected]\",\"PasswordRuleID\":1,\"DSSKeyRuleID\":null,\"ReleaseDuration\":60,\"MaxReleaseDuration\":300000,\"ISAReleaseDuration\":90,\"AutoManagementFlag\":false,\"FunctionalAccountID\":null,\"LoginAccountID\":null,\"ElevationCommand\":null,\"SshKeyEnforcementMode\":null,\"CheckPasswordFlag\":true,\"ChangePasswordAfterAnyReleaseFlag\":true,\"ResetPasswordOnMismatchFlag\":false,\"ChangeFrequencyType\":\"weekly\",\"ChangeFrequencyDays\":7,\"ChangeTime\":\"03:00\",\"AccountNameFormat\":1,\"RemoteClientType\":\"RDP\",\"ApplicationHostID\":null,\"IsApplicationHost\":false,\"AccessURL\":\"https://minimal.example.com/access\"}",
+                "type": [
+                    "info"
+                ]
+            },
+            "host": {
+                "domain": "minimal.example.com",
+                "geo": {
+                    "city_name": "Amsterdam",
+                    "continent_name": "Europe",
+                    "country_iso_code": "NL",
+                    "country_name": "Netherlands",
+                    "location": {
+                        "lat": 52.37404,
+                        "lon": 4.88969
+                    },
+                    "region_iso_code": "NL-NH",
+                    "region_name": "North Holland"
+                },
+                "ip": [
+                    "198.51.100.30"
+                ],
+                "name": "MinimalSystem"
+            },
+            "labels": {
+                "test_description": "This tests the pipeline using an event that includes every nullable field documented by the API."
+            },
+            "related": {
+                "hosts": [
+                    "MinimalSystem",
+                    "minimal.example.com",
+                    "198.51.100.30"
+                ],
+                "user": [
+                    "[email protected]"
+                ]
+            },
+            "url": {
+                "full": "https://minimal.example.com/access"
+            },
+            "user": {
+                "email": "[email protected]"
+            }
+        }
+    ]
+}

packages/beyondinsight_password_safe/data_stream/managedsystem/_dev/test/pipeline/test-managedsystem-nullable.json-expected.json

@@ -1,52 +1,8 @@
 {
     "events": [
         {
-            "message": {
-                "ManagedSystemID": 13,
-                "EntityTypeID": 1,
-                "AssetID": 13,
-                "DatabaseID": 5,
-                "DirectoryID": 3,
-                "CloudID": 1,
-                "WorkgroupID": 1,
-                "HostName": "AardvarkAgreement",
-                "DnsName": "AardvarkAgreement.example.com",
-                "IPAddress": "175.16.199.0",
-                "InstanceName": "InstanceOne",
-                "IsDefaultInstance": true,
-                "Template": "ServerTemplate",
-                "ForestName": "PrimaryForest",
-                "UseSSL": true,
-                "OracleInternetDirectoryID": "550e8400-e29b-41d4-a716-446655440000",
-                "OracleInternetDirectoryServiceName": "OiDService",
-                "SystemName": "AardvarkAgreement",
-                "PlatformID": 4,
-                "NetBiosName": "AardvarkNet",
-                "Port": 8080,
-                "Timeout": 30,
-                "Description": "Primary Managed System for AardvarkAgreement",
-                "ContactEmail": "[email protected]",
-                "PasswordRuleID": 0,
-                "DSSKeyRuleID": 0,
-                "ReleaseDuration": 120,
-                "MaxReleaseDuration": 525600,
-                "ISAReleaseDuration": 120,
-                "AutoManagementFlag": true,
-                "FunctionalAccountID": 14,
-                "LoginAccountID": 20,
-                "ElevationCommand": "sudo",
-                "SshKeyEnforcementMode": 1,
-                "CheckPasswordFlag": false,
-                "ChangePasswordAfterAnyReleaseFlag": false,
-                "ResetPasswordOnMismatchFlag": false,
-                "ChangeFrequencyType": "first",
-                "ChangeFrequencyDays": 30,
-                "ChangeTime": "23:30",
-                "AccountNameFormat": 0,
-                "RemoteClientType": "None",
-                "ApplicationHostID": 2,
-                "IsApplicationHost": false,
-                "AccessURL": "http://aardvarkagreement.com/manage"
+            "event": {
+              "original" : "{\"ManagedSystemID\":13,\"EntityTypeID\":1,\"AssetID\":13,\"DatabaseID\":5,\"DirectoryID\":3,\"CloudID\":1,\"WorkgroupID\":1,\"HostName\":\"AardvarkAgreement\",\"DNSName\":\"AardvarkAgreement.example.com\",\"IPAddress\":\"198.51.100.10\",\"InstanceName\":\"InstanceOne\",\"IsDefaultInstance\":true,\"Template\":\"ServerTemplate\",\"ForestName\":\"PrimaryForest\",\"UseSSL\":true,\"OracleInternetDirectoryID\":\"550e8400-e29b-41d4-a716-446655440000\",\"OracleInternetDirectoryServiceName\":\"OiDService\",\"SystemName\":\"AardvarkAgreement\",\"PlatformID\":4,\"NetBiosName\":\"AardvarkNet\",\"Port\":8080,\"Timeout\":30,\"Description\":\"Primary Managed System for AardvarkAgreement\",\"ContactEmail\":\"[email protected]\",\"PasswordRuleID\":0,\"DSSKeyRuleID\":0,\"ReleaseDuration\":120,\"MaxReleaseDuration\":525600,\"ISAReleaseDuration\":120,\"AutoManagementFlag\":true,\"FunctionalAccountID\":14,\"LoginAccountID\":20,\"ElevationCommand\":\"sudo\",\"SshKeyEnforcementMode\":1,\"CheckPasswordFlag\":false,\"ChangePasswordAfterAnyReleaseFlag\":false,\"ResetPasswordOnMismatchFlag\":false,\"ChangeFrequencyType\":\"first\",\"ChangeFrequencyDays\":30,\"ChangeTime\":\"23:30\",\"AccountNameFormat\":0,\"RemoteClientType\":\"None\",\"ApplicationHostID\":2,\"IsApplicationHost\":false,\"AccessURL\":\"http://aardvarkagreement.com/manage\"}"
             }
         }
     ]