[ResponseOps] Remove 7.x deprecated kibana.yml settings (#198435)

Resolves #194622 ## Summary Removes the following deprecated configuration settings: - `xpack.actions.customHostSettings.ssl.rejectUnauthorized` - `xpack.actions.whitelistedHosts` - `xpack.actions.rejectUnauthorized` - `xpack.actions.proxyRejectUnauthorizedCertificates` - `xpack.alerts.healthCheck` - `xpack.alerts.invalidateApiKeysTask.interval` - `xpack.alerts.invalidateApiKeysTask.removalDelay` - `xpack.alerting.defaultRuleTaskTimeout` --------- Co-authored-by: kibanamachine <[email protected]>
elastic · Nov 4, 2024 · 9efe20e · 9efe20e
1 parent cbb211a
commit 9efe20e
Show file tree

Hide file tree

Showing 21 changed files with 6 additions and 320 deletions.
diff --git a/docs/settings/alert-action-settings.asciidoc b/docs/settings/alert-action-settings.asciidoc
@@ -112,11 +112,6 @@ A boolean value indicating that TLS must be used for this connection.
 The options `smtp.ignoreTLS` and `smtp.requireTLS` can not both be set to true.
 Default: `false`.
 
-`xpack.actions.customHostSettings[n].ssl.rejectUnauthorized`::
-deprecated:[8.0.0] Use <<action-config-custom-host-verification-mode,`xpack.actions.customHostSettings.ssl.verificationMode`>> instead. A boolean value indicating whether to bypass server certificate validation.
-Overrides the general `xpack.actions.rejectUnauthorized` configuration
-for requests made for this hostname/port.
-
 [[action-config-custom-host-verification-mode]] `xpack.actions.customHostSettings[n].ssl.verificationMode` {ess-icon}::
 Controls the verification of the server certificate that {kib} receives when making an outbound SSL/TLS connection to the host server. Valid values are `full`, `certificate`, and `none`.
 Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>. Overrides the general `xpack.actions.ssl.verificationMode` configuration
@@ -198,19 +193,10 @@ By default, no hosts will use the proxy, but if an action's hostname is in this
 `xpack.actions.proxyHeaders` {ess-icon}::
 Specifies HTTP headers for the proxy, if using a proxy for actions. Default: {}.
 
-`xpack.actions.proxyRejectUnauthorizedCertificates` {ess-icon}::
-deprecated:[8.0.0] Use <<action-config-proxy-verification-mode,`xpack.actions.ssl.proxyVerificationMode`>> instead. Set to `false` to bypass certificate validation for the proxy, if using a proxy for actions. Default: `true`.
-
 [[action-config-proxy-verification-mode]]`xpack.actions.ssl.proxyVerificationMode` {ess-icon}::
 Controls the verification for the proxy server certificate that Kibana receives when making an outbound SSL/TLS connection to the proxy server. Valid values are `full`, `certificate`, and `none`.
 Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>.
 
-`xpack.actions.rejectUnauthorized` {ess-icon}::
-deprecated:[8.0.0] Use <<action-config-verification-mode,`xpack.actions.ssl.verificationMode`>> instead. Set to `false` to bypass certificate validation for actions. Default: `true`.
-+
-As an alternative to setting `xpack.actions.rejectUnauthorized`, you can use the setting
-`xpack.actions.customHostSettings` to set SSL options for specific servers.
-
 [[action-config-verification-mode]] `xpack.actions.ssl.verificationMode` {ess-icon}::
 Controls the verification for the server certificate that {hosted-ems} receives when making an outbound SSL/TLS connection for actions. Valid values are `full`, `certificate`, and `none`.
 Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>.

diff --git a/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker b/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker
@@ -221,16 +221,13 @@ kibana_vars=(
     xpack.actions.proxyBypassHosts
     xpack.actions.proxyHeaders
     xpack.actions.proxyOnlyHosts
-    xpack.actions.proxyRejectUnauthorizedCertificates
     xpack.actions.proxyUrl
-    xpack.actions.rejectUnauthorized
     xpack.actions.responseTimeout
     xpack.actions.ssl.proxyVerificationMode
     xpack.actions.ssl.verificationMode
     xpack.alerting.healthCheck.interval
     xpack.alerting.invalidateApiKeysTask.interval
     xpack.alerting.invalidateApiKeysTask.removalDelay
-    xpack.alerting.defaultRuleTaskTimeout
     xpack.alerting.rules.run.timeout
     xpack.alerting.rules.run.ruleTypeOverrides
     xpack.alerting.cancelAlertsOnRuleTimeout
@@ -240,9 +237,6 @@ kibana_vars=(
     xpack.alerting.rules.run.alerts.max
     xpack.alerting.rules.run.actions.connectorTypeOverrides
     xpack.alerting.maxScheduledPerMinute
-    xpack.alerts.healthCheck.interval
-    xpack.alerts.invalidateApiKeysTask.interval
-    xpack.alerts.invalidateApiKeysTask.removalDelay
     xpack.apm.indices.error
     xpack.apm.indices.metric
     xpack.apm.indices.onboarding

diff --git a/x-pack/plugins/actions/server/actions_client/actions_client.test.ts b/x-pack/plugins/actions/server/actions_client/actions_client.test.ts
@@ -575,8 +575,6 @@ describe('create()', () => {
       allowedHosts: ['*'],
       preconfiguredAlertHistoryEsIndex: false,
       preconfigured: {},
-      proxyRejectUnauthorizedCertificates: true, // legacy
-      rejectUnauthorized: true, // legacy
       proxyBypassHosts: undefined,
       proxyOnlyHosts: undefined,
       maxResponseContentLength: new ByteSizeValue(1000000),

diff --git a/x-pack/plugins/actions/server/actions_config.test.ts b/x-pack/plugins/actions/server/actions_config.test.ts
@@ -30,8 +30,6 @@ const defaultActionsConfig: ActionsConfig = {
   enabledActionTypes: [],
   preconfiguredAlertHistoryEsIndex: false,
   preconfigured: {},
-  proxyRejectUnauthorizedCertificates: true, // legacy
-  rejectUnauthorized: true, // legacy
   maxResponseContentLength: new ByteSizeValue(1000000),
   responseTimeout: moment.duration(60000),
   ssl: {
@@ -318,25 +316,6 @@ describe('getProxySettings', () => {
     expect(proxySettings?.proxyUrl).toBe(config.proxyUrl);
   });
 
-  test('returns proper verificationMode values, beased on the legacy config option proxyRejectUnauthorizedCertificates', () => {
-    const configTrue: ActionsConfig = {
-      ...defaultActionsConfig,
-      proxyUrl: 'https://proxy.elastic.co',
-      proxyRejectUnauthorizedCertificates: true,
-    };
-    let proxySettings = getActionsConfigurationUtilities(configTrue).getProxySettings();
-    expect(proxySettings?.proxySSLSettings.verificationMode).toBe('full');
-
-    const configFalse: ActionsConfig = {
-      ...defaultActionsConfig,
-      proxyUrl: 'https://proxy.elastic.co',
-      proxyRejectUnauthorizedCertificates: false,
-      ssl: {},
-    };
-    proxySettings = getActionsConfigurationUtilities(configFalse).getProxySettings();
-    expect(proxySettings?.proxySSLSettings.verificationMode).toBe('none');
-  });
-
   test('returns proper verificationMode value, based on the SSL proxy configuration', () => {
     const configTrue: ActionsConfig = {
       ...defaultActionsConfig,

diff --git a/x-pack/plugins/actions/server/actions_config.ts b/x-pack/plugins/actions/server/actions_config.ts
@@ -122,10 +122,7 @@ function getProxySettingsFromConfig(config: ActionsConfig): undefined | ProxySet
     proxyBypassHosts: arrayAsSet(config.proxyBypassHosts),
     proxyOnlyHosts: arrayAsSet(config.proxyOnlyHosts),
     proxyHeaders: config.proxyHeaders,
-    proxySSLSettings: getSSLSettingsFromConfig(
-      config.ssl?.proxyVerificationMode,
-      config.proxyRejectUnauthorizedCertificates
-    ),
+    proxySSLSettings: getSSLSettingsFromConfig(config.ssl?.proxyVerificationMode),
   };
 }
 
@@ -200,8 +197,7 @@ export function getActionsConfigurationUtilities(
     isActionTypeEnabled,
     getProxySettings: () => getProxySettingsFromConfig(config),
     getResponseSettings: () => getResponseSettingsFromConfig(config),
-    getSSLSettings: () =>
-      getSSLSettingsFromConfig(config.ssl?.verificationMode, config.rejectUnauthorized),
+    getSSLSettings: () => getSSLSettingsFromConfig(config.ssl?.verificationMode),
     ensureUriAllowed(uri: string) {
       if (!isUriAllowed(uri)) {
         throw new Error(allowListErrorMessage(AllowListingField.URL, uri));

diff --git a/x-pack/plugins/actions/server/config.test.ts b/x-pack/plugins/actions/server/config.test.ts
@@ -35,8 +35,6 @@ describe('config validation', () => {
         "microsoftGraphApiUrl": "https://graph.microsoft.com/v1.0",
         "preconfigured": Object {},
         "preconfiguredAlertHistoryEsIndex": false,
-        "proxyRejectUnauthorizedCertificates": true,
-        "rejectUnauthorized": true,
         "responseTimeout": "PT1M",
         "usage": Object {
           "url": "https://usage-api.usage-api/api/v1/usage",
@@ -56,8 +54,6 @@ describe('config validation', () => {
           },
         },
       },
-      proxyRejectUnauthorizedCertificates: false,
-      rejectUnauthorized: false,
     };
     expect(configSchema.validate(config)).toMatchInlineSnapshot(`
       Object {
@@ -85,8 +81,6 @@ describe('config validation', () => {
           },
         },
         "preconfiguredAlertHistoryEsIndex": false,
-        "proxyRejectUnauthorizedCertificates": false,
-        "rejectUnauthorized": false,
         "responseTimeout": "PT1M",
         "usage": Object {
           "url": "https://usage-api.usage-api/api/v1/usage",
@@ -224,8 +218,6 @@ describe('config validation', () => {
         "microsoftGraphApiUrl": "https://graph.microsoft.com/v1.0",
         "preconfigured": Object {},
         "preconfiguredAlertHistoryEsIndex": false,
-        "proxyRejectUnauthorizedCertificates": true,
-        "rejectUnauthorized": true,
         "responseTimeout": "PT1M",
         "ssl": Object {
           "proxyVerificationMode": "none",

diff --git a/x-pack/plugins/actions/server/config.ts b/x-pack/plugins/actions/server/config.ts
@@ -44,10 +44,6 @@ const customHostSettingsSchema = schema.object({
   ),
   ssl: schema.maybe(
     schema.object({
-      /**
-       * @deprecated in favor of `verificationMode`
-       **/
-      rejectUnauthorized: schema.maybe(schema.boolean()),
       verificationMode: schema.maybe(
         schema.oneOf(
           [schema.literal('none'), schema.literal('certificate'), schema.literal('full')],
@@ -98,16 +94,8 @@ export const configSchema = schema.object({
   }),
   proxyUrl: schema.maybe(schema.string()),
   proxyHeaders: schema.maybe(schema.recordOf(schema.string(), schema.string())),
-  /**
-   * @deprecated in favor of `ssl.proxyVerificationMode`
-   **/
-  proxyRejectUnauthorizedCertificates: schema.boolean({ defaultValue: true }),
   proxyBypassHosts: schema.maybe(schema.arrayOf(schema.string({ hostname: true }))),
   proxyOnlyHosts: schema.maybe(schema.arrayOf(schema.string({ hostname: true }))),
-  /**
-   * @deprecated in favor of `ssl.verificationMode`
-   **/
-  rejectUnauthorized: schema.boolean({ defaultValue: true }),
   ssl: schema.maybe(
     schema.object({
       verificationMode: schema.maybe(

diff --git a/x-pack/plugins/actions/server/index.test.ts b/x-pack/plugins/actions/server/index.test.ts
diff --git a/x-pack/plugins/actions/server/index.ts b/x-pack/plugins/actions/server/index.ts
@@ -4,10 +4,9 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
-import { get } from 'lodash';
 import type { PublicMethodsOf } from '@kbn/utility-types';
 import { PluginInitializerContext, PluginConfigDescriptor } from '@kbn/core/server';
-import { configSchema, ActionsConfig, CustomHostSettings } from './config';
+import { configSchema, ActionsConfig } from './config';
 import { ActionsClient as ActionsClientClass } from './actions_client';
 import { ActionsAuthorization as ActionsAuthorizationClass } from './authorization/actions_authorization';
 
@@ -51,103 +50,6 @@ export const config: PluginConfigDescriptor<ActionsConfig> = {
   exposeToBrowser: {
     email: { domain_allowlist: true },
   },
-  deprecations: ({ renameFromRoot, unused }) => [
-    renameFromRoot('xpack.actions.whitelistedHosts', 'xpack.actions.allowedHosts', {
-      level: 'warning',
-    }),
-    (settings, fromPath, addDeprecation) => {
-      const actions = get(settings, fromPath);
-      const customHostSettings = actions?.customHostSettings ?? [];
-      if (
-        customHostSettings.find(
-          (customHostSchema: CustomHostSettings) =>
-            Object.hasOwn(customHostSchema, 'ssl') &&
-            Object.hasOwn(customHostSchema.ssl ?? {}, 'rejectUnauthorized')
-        )
-      ) {
-        addDeprecation({
-          level: 'warning',
-          configPath: 'xpack.actions.customHostSettings.ssl.rejectUnauthorized',
-          message:
-            `"xpack.actions.customHostSettings[<index>].ssl.rejectUnauthorized" is deprecated.` +
-            `Use "xpack.actions.customHostSettings[<index>].ssl.verificationMode" instead, ` +
-            `with the setting "verificationMode:full" eql to "rejectUnauthorized:true", ` +
-            `and "verificationMode:none" eql to "rejectUnauthorized:false".`,
-          correctiveActions: {
-            manualSteps: [
-              `Remove "xpack.actions.customHostSettings[<index>].ssl.rejectUnauthorized" from your kibana configs.`,
-              `Use "xpack.actions.customHostSettings[<index>].ssl.verificationMode" ` +
-                `with the setting "verificationMode:full" eql to "rejectUnauthorized:true", ` +
-                `and "verificationMode:none" eql to "rejectUnauthorized:false".`,
-            ],
-          },
-        });
-        return {
-          unset: [
-            {
-              path: `xpack.actions.customHostSettings.ssl.rejectUnauthorized`,
-            },
-          ],
-        };
-      }
-    },
-    (settings, fromPath, addDeprecation) => {
-      const actions = get(settings, fromPath);
-      if (Object.hasOwn(actions ?? {}, 'rejectUnauthorized')) {
-        addDeprecation({
-          level: 'warning',
-          configPath: `${fromPath}.rejectUnauthorized`,
-          message:
-            `"xpack.actions.rejectUnauthorized" is deprecated. Use "xpack.actions.ssl.verificationMode" instead, ` +
-            `with the setting "verificationMode:full" eql to "rejectUnauthorized:true", ` +
-            `and "verificationMode:none" eql to "rejectUnauthorized:false".`,
-          correctiveActions: {
-            manualSteps: [
-              `Remove "xpack.actions.rejectUnauthorized" from your kibana configs.`,
-              `Use "xpack.actions.ssl.verificationMode" ` +
-                `with the setting "verificationMode:full" eql to "rejectUnauthorized:true", ` +
-                `and "verificationMode:none" eql to "rejectUnauthorized:false".`,
-            ],
-          },
-        });
-        return {
-          unset: [
-            {
-              path: `xpack.actions.rejectUnauthorized`,
-            },
-          ],
-        };
-      }
-    },
-    (settings, fromPath, addDeprecation) => {
-      const actions = get(settings, fromPath);
-      if (Object.hasOwn(actions ?? {}, 'proxyRejectUnauthorizedCertificates')) {
-        addDeprecation({
-          level: 'warning',
-          configPath: `${fromPath}.proxyRejectUnauthorizedCertificates`,
-          message:
-            `"xpack.actions.proxyRejectUnauthorizedCertificates" is deprecated. Use "xpack.actions.ssl.proxyVerificationMode" instead, ` +
-            `with the setting "proxyVerificationMode:full" eql to "rejectUnauthorized:true",` +
-            `and "proxyVerificationMode:none" eql to "rejectUnauthorized:false".`,
-          correctiveActions: {
-            manualSteps: [
-              `Remove "xpack.actions.proxyRejectUnauthorizedCertificates" from your kibana configs.`,
-              `Use "xpack.actions.ssl.proxyVerificationMode" ` +
-                `with the setting "proxyVerificationMode:full" eql to "rejectUnauthorized:true",` +
-                `and "proxyVerificationMode:none" eql to "rejectUnauthorized:false".`,
-            ],
-          },
-        });
-        return {
-          unset: [
-            {
-              path: `xpack.actions.proxyRejectUnauthorizedCertificates`,
-            },
-          ],
-        };
-      }
-    },
-  ],
 };
 
 export { urlAllowListValidator } from './sub_action_framework/helpers';
diff --git a/x-pack/plugins/actions/server/integration_tests/axios_utils_connection.test.ts b/x-pack/plugins/actions/server/integration_tests/axios_utils_connection.test.ts
@@ -461,7 +461,6 @@ async function rejectUnauthorizedTargetProxyTest(opts: RunTestOptions) {
   await runWithSetup(opts, async (target, proxyInstance, axiosDefaults) => {
     const acu = getACUfromConfig({
       proxyUrl: proxyInstance.url,
-      rejectUnauthorized: false,
       customHostSettings: [{ url: target.url, ssl: { verificationMode: 'none' } }],
     });
 
@@ -676,14 +675,12 @@ const BaseActionsConfig: ActionsConfig = {
   preconfigured: {},
   proxyUrl: undefined,
   proxyHeaders: undefined,
-  proxyRejectUnauthorizedCertificates: true,
   ssl: {
     proxyVerificationMode: 'full',
     verificationMode: 'full',
   },
   proxyBypassHosts: undefined,
   proxyOnlyHosts: undefined,
-  rejectUnauthorized: true,
   maxResponseContentLength: ByteSizeValue.parse('1mb'),
   responseTimeout: momentDuration(1000 * 30),
   customHostSettings: undefined,