[Fleet] fixed bug in output secret diff logic (#172081)

## Summary

Related to #104986

Found a bug in `diffOutputSecretPaths` where output secret was deleted
if updating an output without change of service_token. Added unit tests
to cover the logic.

Steps to verify:
- enable feature flags: `xpack.fleet.enableExperimental:
['remoteESOutput', 'outputSecretsStorage']`
- create a remote es output with a service_token
- check that the service_token is stored as secret in `.fleet-secrets`
- update host in remote es output
- verify that the secret is not deleted


### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

x-pack/plugins/fleet/public/applications/fleet/sections/settings/components/edit_output_flyout/use_output_form.tsx

@@ -866,7 +866,7 @@ export function useOutputForm(onSucess: () => void, output?: Output) {
               is_default: false,
               is_default_monitoring: defaultMonitoringOutputInput.value,
               config_yaml: additionalYamlConfigInput.value,
-              service_token: serviceTokenInput.value,
+              service_token: serviceTokenInput.value || undefined,
               ...(!serviceTokenInput.value &&
                 serviceTokenSecretInput.value && {
                   secrets: {

x-pack/plugins/fleet/server/services/secrets.test.ts

@@ -21,8 +21,12 @@ import { createAppContextStartContractMock } from '../mocks';
 import type { NewPackagePolicy, PackageInfo } from '../types';
 
 import { appContextService } from './app_context';
-
-import { getPolicySecretPaths, diffSecretPaths, extractAndWriteSecrets } from './secrets';
+import {
+  getPolicySecretPaths,
+  diffSecretPaths,
+  diffOutputSecretPaths,
+  extractAndWriteSecrets,
+} from './secrets';
 
 describe('secrets', () => {
   let mockContract: ReturnType<typeof createAppContextStartContractMock>;
@@ -916,3 +920,183 @@ describe('secrets', () => {
     });
   });
 });
+
+describe('diffOutputSecretPaths', () => {
+  it('should return empty array if no secrets', () => {
+    expect(diffOutputSecretPaths([], [])).toEqual({
+      toCreate: [],
+      toDelete: [],
+      noChange: [],
+    });
+  });
+  it('should return empty array if single secret not changed', () => {
+    const paths = [
+      {
+        path: 'somepath',
+        value: {
+          id: 'secret-1',
+        },
+      },
+    ];
+    expect(diffOutputSecretPaths(paths, paths)).toEqual({
+      toCreate: [],
+      toDelete: [],
+      noChange: paths,
+    });
+  });
+  it('should return empty array if multiple secrets not changed', () => {
+    const paths = [
+      {
+        path: 'somepath',
+        value: {
+          id: 'secret-1',
+        },
+      },
+      {
+        path: 'somepath2',
+        value: {
+          id: 'secret-2',
+        },
+      },
+      {
+        path: 'somepath3',
+        value: {
+          id: 'secret-3',
+        },
+      },
+    ];
+
+    expect(diffOutputSecretPaths(paths, paths.slice().reverse())).toEqual({
+      toCreate: [],
+      toDelete: [],
+      noChange: paths,
+    });
+  });
+  it('single secret modified', () => {
+    const paths1 = [
+      {
+        path: 'somepath1',
+        value: {
+          id: 'secret-1',
+        },
+      },
+      {
+        path: 'somepath2',
+        value: {
+          id: 'secret-2',
+        },
+      },
+    ];
+
+    const paths2 = [
+      paths1[0],
+      {
+        path: 'somepath2',
+        value: 'newvalue',
+      },
+    ];
+
+    expect(diffOutputSecretPaths(paths1, paths2)).toEqual({
+      toCreate: [
+        {
+          path: 'somepath2',
+          value: 'newvalue',
+        },
+      ],
+      toDelete: [
+        {
+          path: 'somepath2',
+          value: {
+            id: 'secret-2',
+          },
+        },
+      ],
+      noChange: [paths1[0]],
+    });
+  });
+  it('double secret modified', () => {
+    const paths1 = [
+      {
+        path: 'somepath1',
+        value: {
+          id: 'secret-1',
+        },
+      },
+      {
+        path: 'somepath2',
+        value: {
+          id: 'secret-2',
+        },
+      },
+    ];
+
+    const paths2 = [
+      {
+        path: 'somepath1',
+        value: 'newvalue1',
+      },
+      {
+        path: 'somepath2',
+        value: 'newvalue2',
+      },
+    ];
+
+    expect(diffOutputSecretPaths(paths1, paths2)).toEqual({
+      toCreate: [
+        {
+          path: 'somepath1',
+          value: 'newvalue1',
+        },
+        {
+          path: 'somepath2',
+          value: 'newvalue2',
+        },
+      ],
+      toDelete: [
+        {
+          path: 'somepath1',
+          value: {
+            id: 'secret-1',
+          },
+        },
+        {
+          path: 'somepath2',
+          value: {
+            id: 'secret-2',
+          },
+        },
+      ],
+      noChange: [],
+    });
+  });
+
+  it('single secret added', () => {
+    const paths1 = [
+      {
+        path: 'somepath1',
+        value: {
+          id: 'secret-1',
+        },
+      },
+    ];
+
+    const paths2 = [
+      paths1[0],
+      {
+        path: 'somepath2',
+        value: 'newvalue',
+      },
+    ];
+
+    expect(diffOutputSecretPaths(paths1, paths2)).toEqual({
+      toCreate: [
+        {
+          path: 'somepath2',
+          value: 'newvalue',
+        },
+      ],
+      toDelete: [],
+      noChange: [paths1[0]],
+    });
+  });
+});

x-pack/plugins/fleet/server/services/secrets.ts

@@ -545,10 +545,12 @@ export function diffOutputSecretPaths(
     const newPath = newPathsByPath[oldPath.path];
     if (newPath && newPath.value) {
       const newValue = newPath.value;
-      if (typeof newValue === 'string') toCreate.push(newPath);
-      toDelete.push(oldPath);
-    } else {
-      noChange.push(newPath);
+      if (typeof newValue === 'string') {
+        toCreate.push(newPath);
+        toDelete.push(oldPath);
+      } else {
+        noChange.push(newPath);
+      }
     }
     delete newPathsByPath[oldPath.path];
   }