[Actions] Converted rejectUnauthorized config usages to `verificati…

…onMode`. (#100179) * [Actions] Converted `rejectUnauthorized` config usages to `verificationMode`. * added new verificationMode config options for tls, proxy tls and custom hosts * added unit tests * added unit tests * added kibana docker * Apply suggestions from code review Co-authored-by: gchaps <[email protected]> * Update alert-action-settings.asciidoc * Apply suggestions from code review Co-authored-by: Joe Portner <[email protected]> * removed legacyRegectUnauthorized logic from getNodeTLSOptions * added deprecations * fixed doc links * fixed docs * Update x-pack/plugins/actions/server/builtin_action_types/lib/send_email.ts Co-authored-by: Joe Portner <[email protected]> * [DOCS] Fixes build error * fixed deprecations to set custom message * fixed doc * changed to not throw exception on non existing verification mode * added tests * fixed tests * fixed tests * added integration tests for legacy rejectUnauthorized fale * fixed tests Co-authored-by: gchaps <[email protected]> Co-authored-by: Joe Portner <[email protected]> Co-authored-by: lcawl <[email protected]> Co-authored-by: Kibana Machine <[email protected]>
elastic · May 27, 2021 · 134a3de · 134a3de
1 parent a6bbf1b
commit 134a3de
Show file tree

Hide file tree

Showing 28 changed files with 800 additions and 107 deletions.
diff --git a/docs/settings/alert-action-settings.asciidoc b/docs/settings/alert-action-settings.asciidoc
@@ -41,7 +41,7 @@ You can configure the following settings in the `kibana.yml` file.
 [cols="2*<"]
 |===
 | `xpack.actions.enabled`
-  | Feature toggle that enables Actions in {kib}. Defaults to `true`.
+  | Feature toggle that enables Actions in {kib}. Default: `true`.
 
 | `xpack.actions.allowedHosts` {ess-icon}
   | A list of hostnames that {kib} is allowed to connect to when built-in actions are triggered. It defaults to `[*]`, allowing any host, but keep in mind the potential for SSRF attacks when hosts are not explicitly added to the allowed hosts. An empty list `[]` can be used to block built-in actions from making any external connections. +
@@ -50,7 +50,7 @@ You can configure the following settings in the `kibana.yml` file.
 
 | `xpack.actions.customHostSettings` {ess-icon} 
   | A list of custom host settings to override existing global settings.
-  Defaults to an empty list. +
+  Default: an empty list. +
   +
   Each entry in the list must have a `url` property, to associate a connection
   type (mail or https), hostname and port with the remaining options in the
@@ -70,6 +70,7 @@ You can configure the following settings in the `kibana.yml` file.
 xpack.actions.customHostSettings:
   - url: smtp://mail.example.com:465
     tls: 
+      verificationMode: 'full'
       certificateAuthoritiesFiles: [ 'one.crt' ]
       certificateAuthoritiesData: |
           -----BEGIN CERTIFICATE-----
@@ -79,7 +80,9 @@ xpack.actions.customHostSettings:
       requireTLS: true
   - url: https://webhook.example.com
     tls: 
+      // legacy
       rejectUnauthorized: false
+      verificationMode: 'none'
 --
 
 [cols="2*<"]
@@ -115,10 +118,16 @@ xpack.actions.customHostSettings:
 
 | `xpack.actions.customHostSettings[n]`
 `.tls.rejectUnauthorized` {ess-icon}
-  | A boolean value indicating whether to bypass server certificate validation.
+  | Deprecated. Use <<action-config-custom-host-verification-mode,`xpack.actions.customHostSettings.tls.verificationMode`>> instead. A boolean value indicating whether to bypass server certificate validation.
   Overrides the general `xpack.actions.rejectUnauthorized` configuration
   for requests made for this hostname/port.
 
+|[[action-config-custom-host-verification-mode]] `xpack.actions.customHostSettings[n]`
+`.tls.verificationMode`
+  | Controls the verification of the server certificate that {hosted-ems} receives when making an outbound SSL/TLS connection to the host server. Valid values are `full`, `certificate`, and `none`. 
+ Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>. Overrides the general `xpack.actions.tls.verificationMode` configuration
+  for requests made for this hostname/port.
+
 | `xpack.actions.customHostSettings[n]`
 `.tls.certificateAuthoritiesFiles`
   | A file name or list of file names of PEM-encoded certificate files to use
@@ -137,10 +146,10 @@ xpack.actions.customHostSettings:
 
 | `xpack.actions`
 `.preconfiguredAlertHistoryEsIndex` {ess-icon}
-  | Enables a preconfigured alert history {es} <<index-action-type, Index>> connector. Defaults to `false`.
+  | Enables a preconfigured alert history {es} <<index-action-type, Index>> connector. Default: `false`.
 
 | `xpack.actions.preconfigured`
-  | Specifies preconfigured connector IDs and configs. Defaults to {}.
+  | Specifies preconfigured connector IDs and configs. Default: {}.
 
 | `xpack.actions.proxyUrl` {ess-icon}
   | Specifies the proxy URL to use, if using a proxy for actions. By default, no proxy is used.
@@ -152,27 +161,44 @@ xpack.actions.customHostSettings:
   | Specifies hostnames which should only use the proxy, if using a proxy for actions. The value is an array of hostnames as strings.  By default, no hosts will use the proxy, but if an action's hostname is in this list, the proxy will be used.  The settings `xpack.actions.proxyBypassHosts` and `xpack.actions.proxyOnlyHosts` cannot be used at the same time.
 
 | `xpack.actions.proxyHeaders` {ess-icon}
-  | Specifies HTTP headers for the proxy, if using a proxy for actions. Defaults to {}.
+  | Specifies HTTP headers for the proxy, if using a proxy for actions. Default: {}.
 
 a|`xpack.actions.`
 `proxyRejectUnauthorizedCertificates` {ess-icon}
-  | Set to `false` to bypass certificate validation for the proxy, if using a proxy for actions. Defaults to `true`.
+  | Deprecated. Use <<action-config-proxy-verification-mode,`xpack.actions.tls.proxyVerificationMode`>> instead. Set to `false` to bypass certificate validation for the proxy, if using a proxy for actions. Default: `true`.
+
+|[[action-config-proxy-verification-mode]]
+`xpack.actions[n]`
+`.tls.proxyVerificationMode` {ess-icon}
+| Controls the verification for the proxy server certificate that {hosted-ems} receives when making an outbound SSL/TLS connection to the proxy server. Valid values are `full`, `certificate`, and `none`. 
+Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>.
 
 | `xpack.actions.rejectUnauthorized` {ess-icon}
-  | Set to `false` to bypass certificate validation for actions. Defaults to `true`. +
+  | Deprecated. Use <<action-config-verification-mode,`xpack.actions.tls.verificationMode`>> instead. Set to `false` to bypass certificate validation for actions. Default: `true`. +
   +
   As an alternative to setting `xpack.actions.rejectUnauthorized`, you can use the setting
   `xpack.actions.customHostSettings` to set TLS options for specific servers.
 
+|[[action-config-verification-mode]]
+`xpack.actions[n]`
+`.tls.verificationMode` {ess-icon}
+| Controls the verification for the server certificate that {hosted-ems} receives when making an outbound SSL/TLS connection for actions. Valid values are `full`, `certificate`, and `none`. 
+  Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>. +
+  +
+  As an alternative to setting `xpack.actions.tls.verificationMode`, you can use the setting
+  `xpack.actions.customHostSettings` to set TLS options for specific servers.
+
+
+
 | `xpack.actions.maxResponseContentLength` {ess-icon}
-  | Specifies the max number of bytes of the http response for requests to external resources. Defaults to 1000000 (1MB).
+  | Specifies the max number of bytes of the http response for requests to external resources. Default: 1000000 (1MB).
 
 | `xpack.actions.responseTimeout` {ess-icon}
   | Specifies the time allowed for requests to external resources. Requests that take longer are aborted. The time is formatted as: +
   +
   `<count>[ms,s,m,h,d,w,M,Y]` +
   +
-  For example, `20m`, `24h`, `7d`, `1w`. Defaults to `60s`.
+  For example, `20m`, `24h`, `7d`, `1w`. Default: `60s`.
 
 
 |===

diff --git a/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker b/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker
@@ -175,6 +175,8 @@ kibana_vars=(
     xpack.actions.rejectUnauthorized
     xpack.actions.maxResponseContentLength
     xpack.actions.responseTimeout
+    xpack.actions.tls.verificationMode
+    xpack.actions.tls.proxyVerificationMode
     xpack.alerts.healthCheck.interval
     xpack.alerts.invalidateApiKeysTask.interval
     xpack.alerts.invalidateApiKeysTask.removalDelay

diff --git a/x-pack/plugins/actions/server/actions_client.test.ts b/x-pack/plugins/actions/server/actions_client.test.ts
@@ -417,8 +417,8 @@ describe('create()', () => {
       allowedHosts: ['*'],
       preconfiguredAlertHistoryEsIndex: false,
       preconfigured: {},
-      proxyRejectUnauthorizedCertificates: true,
-      rejectUnauthorized: true,
+      proxyRejectUnauthorizedCertificates: true, // legacy
+      rejectUnauthorized: true, // legacy
       proxyBypassHosts: undefined,
       proxyOnlyHosts: undefined,
       maxResponseContentLength: new ByteSizeValue(1000000),
@@ -429,6 +429,10 @@ describe('create()', () => {
         idleInterval: schema.duration().validate('1h'),
         pageSize: 100,
       },
+      tls: {
+        verificationMode: 'full',
+        proxyVerificationMode: 'full',
+      },
     });
 
     const localActionTypeRegistryParams = {

diff --git a/x-pack/plugins/actions/server/actions_config.mock.ts b/x-pack/plugins/actions/server/actions_config.mock.ts
@@ -15,7 +15,9 @@ const createActionsConfigMock = () => {
     ensureHostnameAllowed: jest.fn().mockReturnValue({}),
     ensureUriAllowed: jest.fn().mockReturnValue({}),
     ensureActionTypeEnabled: jest.fn().mockReturnValue({}),
-    isRejectUnauthorizedCertificatesEnabled: jest.fn().mockReturnValue(true),
+    getTLSSettings: jest.fn().mockReturnValue({
+      verificationMode: 'full',
+    }),
     getProxySettings: jest.fn().mockReturnValue(undefined),
     getResponseSettings: jest.fn().mockReturnValue({
       maxContentLength: 1000000,

diff --git a/x-pack/plugins/actions/server/actions_config.test.ts b/x-pack/plugins/actions/server/actions_config.test.ts
@@ -27,8 +27,8 @@ const defaultActionsConfig: ActionsConfig = {
   enabledActionTypes: [],
   preconfiguredAlertHistoryEsIndex: false,
   preconfigured: {},
-  proxyRejectUnauthorizedCertificates: true,
-  rejectUnauthorized: true,
+  proxyRejectUnauthorizedCertificates: true, // legacy
+  rejectUnauthorized: true, // legacy
   maxResponseContentLength: new ByteSizeValue(1000000),
   responseTimeout: moment.duration(60000),
   cleanupFailedExecutionsTask: {
@@ -37,6 +37,10 @@ const defaultActionsConfig: ActionsConfig = {
     idleInterval: schema.duration().validate('1h'),
     pageSize: 100,
   },
+  tls: {
+    proxyVerificationMode: 'full',
+    verificationMode: 'full',
+  },
 };
 
 describe('ensureUriAllowed', () => {
@@ -305,22 +309,45 @@ describe('getProxySettings', () => {
     expect(proxySettings?.proxyUrl).toBe(config.proxyUrl);
   });
 
-  test('returns proxyRejectUnauthorizedCertificates', () => {
+  test('returns proper verificationMode values, beased on the legacy config option proxyRejectUnauthorizedCertificates', () => {
     const configTrue: ActionsConfig = {
       ...defaultActionsConfig,
       proxyUrl: 'https://proxy.elastic.co',
       proxyRejectUnauthorizedCertificates: true,
     };
     let proxySettings = getActionsConfigurationUtilities(configTrue).getProxySettings();
-    expect(proxySettings?.proxyRejectUnauthorizedCertificates).toBe(true);
+    expect(proxySettings?.proxyTLSSettings.verificationMode).toBe('full');
 
     const configFalse: ActionsConfig = {
       ...defaultActionsConfig,
       proxyUrl: 'https://proxy.elastic.co',
       proxyRejectUnauthorizedCertificates: false,
+      tls: {},
+    };
+    proxySettings = getActionsConfigurationUtilities(configFalse).getProxySettings();
+    expect(proxySettings?.proxyTLSSettings.verificationMode).toBe('none');
+  });
+
+  test('returns proper verificationMode value, based on the TLS proxy configuration', () => {
+    const configTrue: ActionsConfig = {
+      ...defaultActionsConfig,
+      proxyUrl: 'https://proxy.elastic.co',
+      tls: {
+        proxyVerificationMode: 'full',
+      },
+    };
+    let proxySettings = getActionsConfigurationUtilities(configTrue).getProxySettings();
+    expect(proxySettings?.proxyTLSSettings.verificationMode).toBe('full');
+
+    const configFalse: ActionsConfig = {
+      ...defaultActionsConfig,
+      proxyUrl: 'https://proxy.elastic.co',
+      tls: {
+        proxyVerificationMode: 'none',
+      },
     };
     proxySettings = getActionsConfigurationUtilities(configFalse).getProxySettings();
-    expect(proxySettings?.proxyRejectUnauthorizedCertificates).toBe(false);
+    expect(proxySettings?.proxyTLSSettings.verificationMode).toBe('none');
   });
 
   test('returns proxy headers', () => {
@@ -406,13 +433,13 @@ describe('getProxySettings', () => {
         {
           url: 'https://elastic.co',
           tls: {
-            rejectUnauthorized: true,
+            verificationMode: 'full',
           },
         },
         {
           url: 'smtp://elastic.co:123',
           tls: {
-            rejectUnauthorized: false,
+            verificationMode: 'none',
           },
           smtp: {
             ignoreTLS: true,
@@ -437,3 +464,25 @@ describe('getProxySettings', () => {
     expect(chs).toEqual(undefined);
   });
 });
+
+describe('getTLSSettings', () => {
+  test('returns proper verificationMode value, based on the TLS proxy configuration', () => {
+    const configTrue: ActionsConfig = {
+      ...defaultActionsConfig,
+      tls: {
+        verificationMode: 'full',
+      },
+    };
+    let tlsSettings = getActionsConfigurationUtilities(configTrue).getTLSSettings();
+    expect(tlsSettings.verificationMode).toBe('full');
+
+    const configFalse: ActionsConfig = {
+      ...defaultActionsConfig,
+      tls: {
+        verificationMode: 'none',
+      },
+    };
+    tlsSettings = getActionsConfigurationUtilities(configFalse).getTLSSettings();
+    expect(tlsSettings.verificationMode).toBe('none');
+  });
+});
diff --git a/x-pack/plugins/actions/server/actions_config.ts b/x-pack/plugins/actions/server/actions_config.ts
@@ -14,7 +14,8 @@ import { pipe } from 'fp-ts/lib/pipeable';
 import { ActionsConfig, AllowedHosts, EnabledActionTypes, CustomHostSettings } from './config';
 import { getCanonicalCustomHostUrl } from './lib/custom_host_settings';
 import { ActionTypeDisabledError } from './lib';
-import { ProxySettings, ResponseSettings } from './types';
+import { ProxySettings, ResponseSettings, TLSSettings } from './types';
+import { getTLSSettingsFromConfig } from './builtin_action_types/lib/get_node_tls_options';
 
 export { AllowedHosts, EnabledActionTypes } from './config';
 
@@ -30,7 +31,7 @@ export interface ActionsConfigurationUtilities {
   ensureHostnameAllowed: (hostname: string) => void;
   ensureUriAllowed: (uri: string) => void;
   ensureActionTypeEnabled: (actionType: string) => void;
-  isRejectUnauthorizedCertificatesEnabled: () => boolean;
+  getTLSSettings: () => TLSSettings;
   getProxySettings: () => undefined | ProxySettings;
   getResponseSettings: () => ResponseSettings;
   getCustomHostSettings: (targetUrl: string) => CustomHostSettings | undefined;
@@ -93,7 +94,10 @@ function getProxySettingsFromConfig(config: ActionsConfig): undefined | ProxySet
     proxyBypassHosts: arrayAsSet(config.proxyBypassHosts),
     proxyOnlyHosts: arrayAsSet(config.proxyOnlyHosts),
     proxyHeaders: config.proxyHeaders,
-    proxyRejectUnauthorizedCertificates: config.proxyRejectUnauthorizedCertificates,
+    proxyTLSSettings: getTLSSettingsFromConfig(
+      config.tls?.proxyVerificationMode,
+      config.proxyRejectUnauthorizedCertificates
+    ),
   };
 }
 
@@ -142,8 +146,8 @@ export function getActionsConfigurationUtilities(
     isActionTypeEnabled,
     getProxySettings: () => getProxySettingsFromConfig(config),
     getResponseSettings: () => getResponseSettingsFromConfig(config),
-    // returns the global rejectUnauthorized setting
-    isRejectUnauthorizedCertificatesEnabled: () => config.rejectUnauthorized,
+    getTLSSettings: () =>
+      getTLSSettingsFromConfig(config.tls?.verificationMode, config.rejectUnauthorized),
     ensureUriAllowed(uri: string) {
       if (!isUriAllowed(uri)) {
         throw new Error(allowListErrorMessage(AllowListingField.URL, uri));

diff --git a/x-pack/plugins/actions/server/builtin_action_types/email.test.ts b/x-pack/plugins/actions/server/builtin_action_types/email.test.ts
@@ -285,9 +285,9 @@ describe('execute()', () => {
           "getCustomHostSettings": [MockFunction],
           "getProxySettings": [MockFunction],
           "getResponseSettings": [MockFunction],
+          "getTLSSettings": [MockFunction],
           "isActionTypeEnabled": [MockFunction],
           "isHostnameAllowed": [MockFunction],
-          "isRejectUnauthorizedCertificatesEnabled": [MockFunction],
           "isUriAllowed": [MockFunction],
         },
         "content": Object {
@@ -346,9 +346,9 @@ describe('execute()', () => {
           "getCustomHostSettings": [MockFunction],
           "getProxySettings": [MockFunction],
           "getResponseSettings": [MockFunction],
+          "getTLSSettings": [MockFunction],
           "isActionTypeEnabled": [MockFunction],
           "isHostnameAllowed": [MockFunction],
-          "isRejectUnauthorizedCertificatesEnabled": [MockFunction],
           "isUriAllowed": [MockFunction],
         },
         "content": Object {