Removing xpack.actions.customHostSettings.ssl.rejectUnauthorized #198435

Draft: wants to merge 2 commits into base: main
11 changes: 0 additions & 11 deletions docs/settings/alert-action-settings.asciidoc
Expand Up @@ -112,11 +112,6 @@ A boolean value indicating that TLS must be used for this connection.
The options `smtp.ignoreTLS` and `smtp.requireTLS` can not both be set to true.
Default: `false`.

`xpack.actions.customHostSettings[n].ssl.rejectUnauthorized`::
deprecated:[8.0.0] Use <<action-config-custom-host-verification-mode,`xpack.actions.customHostSettings.ssl.verificationMode`>> instead. A boolean value indicating whether to bypass server certificate validation.
Overrides the general `xpack.actions.rejectUnauthorized` configuration
for requests made for this hostname/port.

[[action-config-custom-host-verification-mode]] `xpack.actions.customHostSettings[n].ssl.verificationMode` {ess-icon}::
Controls the verification of the server certificate that {kib} receives when making an outbound SSL/TLS connection to the host server. Valid values are `full`, `certificate`, and `none`.
Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>. Overrides the general `xpack.actions.ssl.verificationMode` configuration
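Review bot: deleting the `xpack.actions.customHostSettings[n].ssl.rejectUnauthorized` entry outright leaves the docs with no migration hint, while the only place that carried the mapping (`verificationMode:full` for `rejectUnauthorized:true`, `verificationMode:none` for `rejectUnauthorized:false`) is the deprecation message being removed from index.ts in this same PR. Suggest a one-line migration sentence under the `verificationMode` entry that follows, or a breaking-changes entry, so a reader whose kibana.yml still contains the key knows what to change after upgrading.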
Expand Down Expand Up @@ -205,12 +200,6 @@ deprecated:[8.0.0] Use <<action-config-proxy-verification-mode,`xpack.actions.ss
Controls the verification for the proxy server certificate that Kibana receives when making an outbound SSL/TLS connection to the proxy server. Valid values are `full`, `certificate`, and `none`.
Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>.

`xpack.actions.rejectUnauthorized` {ess-icon}::
deprecated:[8.0.0] Use <<action-config-verification-mode,`xpack.actions.ssl.verificationMode`>> instead. Set to `false` to bypass certificate validation for actions. Default: `true`.
+
As an alternative to setting `xpack.actions.rejectUnauthorized`, you can use the setting
`xpack.actions.customHostSettings` to set SSL options for specific servers.

[[action-config-verification-mode]] `xpack.actions.ssl.verificationMode` {ess-icon}::
Controls the verification for the server certificate that {hosted-ems} receives when making an outbound SSL/TLS connection for actions. Valid values are `full`, `certificate`, and `none`.
Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>.
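Review bot: the deleted block also drops the `+` continuation paragraph that pointed readers from the global setting to `xpack.actions.customHostSettings` for per-server SSL options. That guidance still applies to `xpack.actions.ssl.verificationMode`; suggest moving those two sentences under the `[[action-config-verification-mode]]` entry rather than losing them.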
Expand Up @@ -223,7 +223,6 @@ kibana_vars=(
xpack.actions.proxyOnlyHosts
xpack.actions.proxyRejectUnauthorizedCertificates
xpack.actions.proxyUrl
xpack.actions.rejectUnauthorized
xpack.actions.responseTimeout
xpack.actions.ssl.proxyVerificationMode
xpack.actions.ssl.verificationMode
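Review bot: `xpack.actions.proxyRejectUnauthorizedCertificates` stays in `kibana_vars` two lines above the removed entry although it is deprecated the same way; that matches the rest of the diff, which keeps that setting and its handler. However, the PR title only names `customHostSettings.ssl.rejectUnauthorized`, while this list, config.ts and the docs also remove the top-level `xpack.actions.rejectUnauthorized`. Suggest the title and description state both removals and say explicitly that the proxy flag is out of scope.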
Expand Up @@ -600,7 +600,6 @@ describe('create()', () => {
preconfiguredAlertHistoryEsIndex: false,
preconfigured: {},
proxyRejectUnauthorizedCertificates: true, // legacy
rejectUnauthorized: true, // legacy
proxyBypassHosts: undefined,
proxyOnlyHosts: undefined,
maxResponseContentLength: new ByteSizeValue(1000000),
1 change: 0 additions & 1 deletion x-pack/plugins/actions/server/actions_config.test.ts
Expand Up @@ -31,7 +31,6 @@ const defaultActionsConfig: ActionsConfig = {
preconfiguredAlertHistoryEsIndex: false,
preconfigured: {},
proxyRejectUnauthorizedCertificates: true, // legacy
rejectUnauthorized: true, // legacy
maxResponseContentLength: new ByteSizeValue(1000000),
responseTimeout: moment.duration(60000),
ssl: {
3 changes: 1 addition & 2 deletions x-pack/plugins/actions/server/actions_config.ts
Expand Up @@ -200,8 +200,7 @@ export function getActionsConfigurationUtilities(
isActionTypeEnabled,
getProxySettings: () => getProxySettingsFromConfig(config),
getResponseSettings: () => getResponseSettingsFromConfig(config),
getSSLSettings: () =>
getSSLSettingsFromConfig(config.ssl?.verificationMode, config.rejectUnauthorized),
getSSLSettings: () => getSSLSettingsFromConfig(config.ssl?.verificationMode),
ensureUriAllowed(uri: string) {
if (!isUriAllowed(uri)) {
throw new Error(allowListErrorMessage(AllowListingField.URL, uri));
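Review bot: the call site now passes only `config.ssl?.verificationMode`, but the definition of `getSSLSettingsFromConfig` is not part of this diff; check that its second parameter, and the legacy branch that mapped `rejectUnauthorized` to a verification mode, are removed there as well, otherwise the parameter survives as an optional argument that nothing sets and the dead branch stays. The same applies to the call in `get_custom_agents.ts` further down.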
4 changes: 0 additions & 4 deletions x-pack/plugins/actions/server/config.test.ts
Expand Up @@ -36,7 +36,6 @@ describe('config validation', () => {
"preconfigured": Object {},
"preconfiguredAlertHistoryEsIndex": false,
"proxyRejectUnauthorizedCertificates": true,
"rejectUnauthorized": true,
"responseTimeout": "PT1M",
}
`);
Expand All @@ -54,7 +53,6 @@ describe('config validation', () => {
},
},
proxyRejectUnauthorizedCertificates: false,
rejectUnauthorized: false,
};
expect(configSchema.validate(config)).toMatchInlineSnapshot(`
Object {
Expand Down Expand Up @@ -83,7 +81,6 @@ describe('config validation', () => {
},
"preconfiguredAlertHistoryEsIndex": false,
"proxyRejectUnauthorizedCertificates": false,
"rejectUnauthorized": false,
"responseTimeout": "PT1M",
}
`);
Expand Down Expand Up @@ -219,7 +216,6 @@ describe('config validation', () => {
"preconfigured": Object {},
"preconfiguredAlertHistoryEsIndex": false,
"proxyRejectUnauthorizedCertificates": true,
"rejectUnauthorized": true,
"responseTimeout": "PT1M",
"ssl": Object {
"proxyVerificationMode": "none",
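Review bot: the snapshots drop the key, but none of the cases in this file asserts what `configSchema.validate` now does with a config that still contains `rejectUnauthorized` (top-level or under `customHostSettings[].ssl`). One negative case per removed key would pin the new behaviour, which is a hard validation failure rather than the warning-and-unset the old deprecation handlers provided.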
8 changes: 0 additions & 8 deletions x-pack/plugins/actions/server/config.ts
Expand Up @@ -44,10 +44,6 @@ const customHostSettingsSchema = schema.object({
),
ssl: schema.maybe(
schema.object({
/**
* @deprecated in favor of `verificationMode`
**/
rejectUnauthorized: schema.maybe(schema.boolean()),
verificationMode: schema.maybe(
schema.oneOf(
[schema.literal('none'), schema.literal('certificate'), schema.literal('full')],
Expand Down Expand Up @@ -102,10 +98,6 @@ export const configSchema = schema.object({
proxyRejectUnauthorizedCertificates: schema.boolean({ defaultValue: true }),
proxyBypassHosts: schema.maybe(schema.arrayOf(schema.string({ hostname: true }))),
proxyOnlyHosts: schema.maybe(schema.arrayOf(schema.string({ hostname: true }))),
/**
* @deprecated in favor of `ssl.verificationMode`
**/
rejectUnauthorized: schema.boolean({ defaultValue: true }),
ssl: schema.maybe(
schema.object({
verificationMode: schema.maybe(
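Review bot: removing `rejectUnauthorized` from both `customHostSettingsSchema` (hunk above) and `configSchema` (this hunk) turns a warning into a startup failure: `schema.object` rejects unknown keys by default, so a kibana.yml that still sets either key fails config validation once the `unset` handlers in index.ts are gone. If that is the intended breaking change it needs a breaking-changes entry; if a softer landing is wanted, keep an `unused('rejectUnauthorized', ...)` deprecation for the top-level key (the `unused` factory was destructured in the old `deprecations` signature in index.ts) and keep the custom handler's `unset` for the nested `customHostSettings[n].ssl.rejectUnauthorized` path, which `unused` cannot address by index.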
12 changes: 1 addition & 11 deletions x-pack/plugins/actions/server/index.test.ts
Expand Up @@ -37,23 +37,13 @@ describe('index', () => {
describe('deprecations', () => {
it('should properly unset deprecated configs', () => {
const { messages, changedPaths } = applyStackAlertDeprecations({
customHostSettings: [{ ssl: { rejectUnauthorized: false } }],
rejectUnauthorized: false,
proxyRejectUnauthorizedCertificates: false,
});
expect(changedPaths.unset).toStrictEqual([
'xpack.actions.customHostSettings.ssl.rejectUnauthorized',
'xpack.actions.rejectUnauthorized',
'xpack.actions.proxyRejectUnauthorizedCertificates',
]);
expect(messages.length).toBe(3);
expect(messages.length).toBe(1);
expect(messages[0]).toBe(
'"xpack.actions.customHostSettings[<index>].ssl.rejectUnauthorized" is deprecated.Use "xpack.actions.customHostSettings[<index>].ssl.verificationMode" instead, with the setting "verificationMode:full" eql to "rejectUnauthorized:true", and "verificationMode:none" eql to "rejectUnauthorized:false".'
);
expect(messages[1]).toBe(
'"xpack.actions.rejectUnauthorized" is deprecated. Use "xpack.actions.ssl.verificationMode" instead, with the setting "verificationMode:full" eql to "rejectUnauthorized:true", and "verificationMode:none" eql to "rejectUnauthorized:false".'
);
expect(messages[2]).toBe(
'"xpack.actions.proxyRejectUnauthorizedCertificates" is deprecated. Use "xpack.actions.ssl.proxyVerificationMode" instead, with the setting "proxyVerificationMode:full" eql to "rejectUnauthorized:true",and "proxyVerificationMode:none" eql to "rejectUnauthorized:false".'
);
});
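Review bot: `expect(messages[0]).toBe(...)` still asserts the `customHostSettings[<index>].ssl.rejectUnauthorized` message, but the only handler left in index.ts after this PR is the `proxyRejectUnauthorizedCertificates` one, so `messages[0]` will be the proxy text (the string from the deleted `messages[2]` assertion) and this test fails; update the expectation to that string. While doing so, note that the proxy message says `"rejectUnauthorized:true"` / `"rejectUnauthorized:false"` for a key named `proxyRejectUnauthorizedCertificates` and is missing a space in `",and`; cheap to fix in the same pass.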
71 changes: 2 additions & 69 deletions x-pack/plugins/actions/server/index.ts
Expand Up @@ -7,7 +7,7 @@
import { get } from 'lodash';
import type { PublicMethodsOf } from '@kbn/utility-types';
import { PluginInitializerContext, PluginConfigDescriptor } from '@kbn/core/server';
import { configSchema, ActionsConfig, CustomHostSettings } from './config';
import { configSchema, ActionsConfig } from './config';
import { ActionsClient as ActionsClientClass } from './actions_client';
import { ActionsAuthorization as ActionsAuthorizationClass } from './authorization/actions_authorization';

Expand Down Expand Up @@ -51,74 +51,7 @@ export const config: PluginConfigDescriptor<ActionsConfig> = {
exposeToBrowser: {
email: { domain_allowlist: true },
},
deprecations: ({ renameFromRoot, unused }) => [
renameFromRoot('xpack.actions.whitelistedHosts', 'xpack.actions.allowedHosts', {
level: 'warning',
}),
(settings, fromPath, addDeprecation) => {
const actions = get(settings, fromPath);
const customHostSettings = actions?.customHostSettings ?? [];
if (
customHostSettings.find(
(customHostSchema: CustomHostSettings) =>
Object.hasOwn(customHostSchema, 'ssl') &&
Object.hasOwn(customHostSchema.ssl ?? {}, 'rejectUnauthorized')
)
) {
addDeprecation({
level: 'warning',
configPath: 'xpack.actions.customHostSettings.ssl.rejectUnauthorized',
message:
`"xpack.actions.customHostSettings[<index>].ssl.rejectUnauthorized" is deprecated.` +
`Use "xpack.actions.customHostSettings[<index>].ssl.verificationMode" instead, ` +
`with the setting "verificationMode:full" eql to "rejectUnauthorized:true", ` +
`and "verificationMode:none" eql to "rejectUnauthorized:false".`,
correctiveActions: {
manualSteps: [
`Remove "xpack.actions.customHostSettings[<index>].ssl.rejectUnauthorized" from your kibana configs.`,
`Use "xpack.actions.customHostSettings[<index>].ssl.verificationMode" ` +
`with the setting "verificationMode:full" eql to "rejectUnauthorized:true", ` +
`and "verificationMode:none" eql to "rejectUnauthorized:false".`,
],
},
});
return {
unset: [
{
path: `xpack.actions.customHostSettings.ssl.rejectUnauthorized`,
},
],
};
}
},
(settings, fromPath, addDeprecation) => {
const actions = get(settings, fromPath);
if (Object.hasOwn(actions ?? {}, 'rejectUnauthorized')) {
addDeprecation({
level: 'warning',
configPath: `${fromPath}.rejectUnauthorized`,
message:
`"xpack.actions.rejectUnauthorized" is deprecated. Use "xpack.actions.ssl.verificationMode" instead, ` +
`with the setting "verificationMode:full" eql to "rejectUnauthorized:true", ` +
`and "verificationMode:none" eql to "rejectUnauthorized:false".`,
correctiveActions: {
manualSteps: [
`Remove "xpack.actions.rejectUnauthorized" from your kibana configs.`,
`Use "xpack.actions.ssl.verificationMode" ` +
`with the setting "verificationMode:full" eql to "rejectUnauthorized:true", ` +
`and "verificationMode:none" eql to "rejectUnauthorized:false".`,
],
},
});
return {
unset: [
{
path: `xpack.actions.rejectUnauthorized`,
},
],
};
}
},
deprecations: () => [
(settings, fromPath, addDeprecation) => {
const actions = get(settings, fromPath);
if (Object.hasOwn(actions ?? {}, 'proxyRejectUnauthorizedCertificates')) {
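Review bot: the deleted range begins with `renameFromRoot('xpack.actions.whitelistedHosts', 'xpack.actions.allowedHosts', { level: 'warning' })`, which has nothing to do with `rejectUnauthorized`; dropping it means a kibana.yml still using `whitelistedHosts` loses both the rename and the warning. Keep that entry and the `({ renameFromRoot, unused })` parameter destructuring, and remove only the two `rejectUnauthorized` handlers.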
Expand Up @@ -461,7 +461,6 @@ async function rejectUnauthorizedTargetProxyTest(opts: RunTestOptions) {
await runWithSetup(opts, async (target, proxyInstance, axiosDefaults) => {
const acu = getACUfromConfig({
proxyUrl: proxyInstance.url,
rejectUnauthorized: false,
customHostSettings: [{ url: target.url, ssl: { verificationMode: 'none' } }],
});

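Review bot: with `rejectUnauthorized: false` gone this case no longer combines a global setting with a per-host override; it only sets `verificationMode: 'none'` for `target.url`, so the name `rejectUnauthorizedTargetProxyTest` and whatever override semantics it asserted should be re-checked. If the intent is to keep testing the global-plus-override path, the replacement per the deprecation mapping is a top-level `ssl: { verificationMode: 'none' }` alongside the `customHostSettings` entry. The identical hunk in the second copy of this test further down needs the same decision.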
Expand Down Expand Up @@ -683,7 +682,6 @@ const BaseActionsConfig: ActionsConfig = {
},
proxyBypassHosts: undefined,
proxyOnlyHosts: undefined,
rejectUnauthorized: true,
maxResponseContentLength: ByteSizeValue.parse('1mb'),
responseTimeout: momentDuration(1000 * 30),
customHostSettings: undefined,
Expand Up @@ -366,7 +366,6 @@ async function rejectUnauthorizedTargetProxyTest(opts: RunTestOptions) {
await runWithSetup(opts, async (target, proxyInstance, axiosDefaults) => {
const acu = getACUfromConfig({
proxyUrl: proxyInstance.url,
rejectUnauthorized: false,
customHostSettings: [{ url: target.url, ssl: { verificationMode: 'none' } }],
});

Expand Down Expand Up @@ -589,7 +588,6 @@ const BaseActionsConfig: ActionsConfig = {
},
proxyBypassHosts: undefined,
proxyOnlyHosts: undefined,
rejectUnauthorized: true,
maxResponseContentLength: ByteSizeValue.parse('1mb'),
responseTimeout: momentDuration(1000 * 30),
customHostSettings: undefined,
12 changes: 0 additions & 12 deletions x-pack/plugins/actions/server/lib/custom_host_settings.test.ts
Expand Up @@ -75,7 +75,6 @@ describe('custom_host_settings', () => {
preconfiguredAlertHistoryEsIndex: false,
preconfigured: {},
proxyRejectUnauthorizedCertificates: true,
rejectUnauthorized: true,
maxResponseContentLength: new ByteSizeValue(1000000),
responseTimeout: moment.duration(60000),
enableFooterInEmail: true,
Expand Down Expand Up @@ -116,14 +115,12 @@ describe('custom_host_settings', () => {
url: 'https://elastic.co:443',
ssl: {
certificateAuthoritiesData: 'xyz',
rejectUnauthorized: false,
},
},
{
url: 'smtp://mail.elastic.com:25',
ssl: {
certificateAuthoritiesData: 'abc',
rejectUnauthorized: true,
},
smtp: {
ignoreTLS: true,
Expand Down Expand Up @@ -470,15 +467,9 @@ describe('custom_host_settings', () => {
customHostSettings: [
{
url: 'https://almost.purrfect.com/',
ssl: {
rejectUnauthorized: true,
},
},
{
url: 'https://almost.purrfect.com:443',
ssl: {
rejectUnauthorized: false,
},
},
],
};
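Review bot: after the removal the two `customHostSettings` entries (`https://almost.purrfect.com/` and `https://almost.purrfect.com:443`) differ only in URL form and carry no settings, so the case can no longer show which entry wins when the normalised URLs collide, which is what the differing `rejectUnauthorized: true` / `false` values made observable. Suggest giving them `ssl: { verificationMode: 'full' }` and `ssl: { verificationMode: 'none' }` and updating the expected entry in the following hunk accordingly, instead of deleting the `ssl` blocks.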
Expand All @@ -488,9 +479,6 @@ describe('custom_host_settings', () => {
customHostSettings: [
{
url: 'https://almost.purrfect.com:443',
ssl: {
rejectUnauthorized: true,
},
},
],
};
5 changes: 1 addition & 4 deletions x-pack/plugins/actions/server/lib/get_custom_agents.ts
Expand Up @@ -59,10 +59,7 @@ export function getCustomAgents(
agentOptions.ca = sslSettings.certificateAuthoritiesData;
}

const sslSettingsFromConfig = getSSLSettingsFromConfig(
sslSettings.verificationMode,
sslSettings.rejectUnauthorized
);
const sslSettingsFromConfig = getSSLSettingsFromConfig(sslSettings.verificationMode);
// see: src/core/server/elasticsearch/legacy/elasticsearch_client_config.ts
// This is where the global rejectUnauthorized is overridden by a custom host
const customHostNodeSSLOptions = getNodeSSLOptions(
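Review bot: the comment two lines below the changed call, `This is where the global rejectUnauthorized is overridden by a custom host`, now describes a setting that no longer exists; reword it to `verificationMode`. As with `actions_config.ts`, the definition of `getSSLSettingsFromConfig` is not in this diff, so confirm its legacy parameter is removed rather than left optional.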
3 changes: 0 additions & 3 deletions x-pack/plugins/actions/server/plugin.test.ts
Expand Up @@ -52,7 +52,6 @@ function getConfig(overrides = {}) {
proxyRejectUnauthorizedCertificates: true,
proxyBypassHosts: undefined,
proxyOnlyHosts: undefined,
rejectUnauthorized: true,
maxResponseContentLength: new ByteSizeValue(1000000),
responseTimeout: moment.duration('60s'),
enableFooterInEmail: true,
Expand All @@ -77,7 +76,6 @@ describe('Actions Plugin', () => {
preconfiguredAlertHistoryEsIndex: false,
preconfigured: {},
proxyRejectUnauthorizedCertificates: true,
rejectUnauthorized: true,
maxResponseContentLength: new ByteSizeValue(1000000),
responseTimeout: moment.duration(60000),
enableFooterInEmail: true,
Expand Down Expand Up @@ -578,7 +576,6 @@ describe('Actions Plugin', () => {
},
},
proxyRejectUnauthorizedCertificates: true,
rejectUnauthorized: true,
maxResponseContentLength: new ByteSizeValue(1000000),
responseTimeout: moment.duration(60000),
enableFooterInEmail: true,
2 changes: 0 additions & 2 deletions x-pack/test/alerting_api_integration/common/config.ts
Expand Up @@ -88,7 +88,6 @@ export function createTestConfig(name: string, options: CreateTestConfigOptions)
verificationMode = 'full',
preconfiguredAlertHistoryEsIndex = false,
customizeLocalHostSsl = false,
rejectUnauthorized = true, // legacy
emailDomainsAllowed = undefined,
testFiles = undefined,
reportName = undefined,
Expand Down Expand Up @@ -212,7 +211,6 @@ export function createTestConfig(name: string, options: CreateTestConfigOptions)
`--xpack.alerting.enableFrameworkAlerts=true`,
`--xpack.alerting.rulesSettings.cacheInterval=10000`,
`--xpack.actions.enabledActionTypes=${JSON.stringify(enabledActionTypes)}`,
`--xpack.actions.rejectUnauthorized=${rejectUnauthorized}`,
`--xpack.actions.microsoftGraphApiUrl=${servers.kibana.protocol}://${servers.kibana.hostname}:${servers.kibana.port}/api/_actions-FTS-external-service-simulators/exchange/users/test@/sendMail`,
`--xpack.actions.ssl.verificationMode=${verificationMode}`,
...actionsProxyUrl,
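Review bot: the `rejectUnauthorized = true, // legacy` default is removed from the destructured options in the hunk above and the `--xpack.actions.rejectUnauthorized` flag here, but `CreateTestConfigOptions` on the function signature is not changed in this diff; any config file under alerting_api_integration that still passes `rejectUnauthorized` to `createTestConfig` will type-check while the value is silently ignored. Drop the field from the type as well so stale callers fail to compile.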
Expand Up @@ -100,24 +100,6 @@ export default function webhookTest({ getService }: FtrProviderContext) {
});

describe('ssl customization', () => {
it('should handle the xpack.actions.rejectUnauthorized: false', async () => {
const connectorId = 'custom.ssl.noCustom';
const port = await getPortOfConnector(connectorId);
const server = await createTlsWebhookServer(port);
const { status, body } = await supertest
.post(`/api/actions/connector/${connectorId}/_execute`)
.set('kbn-xsrf', 'test')
.send({
params: {
body: 'foo',
},
});
expect(status).to.eql(200);
server.close();

expect(body.status).to.eql('ok');
});

it('should handle the customized rejectUnauthorized: false', async () => {
const connectorId = 'custom.ssl.rejectUnauthorizedFalse';
const port = await getPortOfConnector(connectorId);
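Review bot: the deleted `it('should handle the xpack.actions.rejectUnauthorized: false', ...)` was the case that exercised a TLS webhook with no per-connector customisation; rather than dropping that coverage, re-add it driven by `xpack.actions.ssl.verificationMode=none`, which `createTestConfig` already builds from its `verificationMode` option. The surviving test keeps the name `customized rejectUnauthorized: false` and the connector id `custom.ssl.rejectUnauthorizedFalse`; if that fixture is still defined through `customHostSettings[n].ssl.rejectUnauthorized` it will now fail schema validation, so migrate it to `verificationMode: 'none'` and rename the test to match.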