[Actions] Converted rejectUnauthorized config usages to verificationMode.

docs/settings/alert-action-settings.asciidoc

@@ -70,6 +70,7 @@ You can configure the following settings in the `kibana.yml` file.
 xpack.actions.customHostSettings:
   - url: smtp://mail.example.com:465
     tls: 
+      verificationMode: 'full'
       certificateAuthoritiesFiles: [ 'one.crt' ]
       certificateAuthoritiesData: |
           -----BEGIN CERTIFICATE-----
@@ -79,7 +80,9 @@ xpack.actions.customHostSettings:
       requireTLS: true
   - url: https://webhook.example.com
     tls: 
+      // legacy
       rejectUnauthorized: false
+      verificationMode: 'none'
 --
 
 [cols="2*<"]
@@ -114,11 +117,16 @@ xpack.actions.customHostSettings:
   The options `smtp.ignoreTLS` and `smtp.requireTLS` can not both be set to true.
 
 | `xpack.actions.customHostSettings[n]`
-`.tls.rejectUnauthorized` {ess-icon}
+`.tls.rejectUnauthorized` [Deprecated. Use `xpack.actions.customHostSettings.tls.verificationMode`] {ess-icon}
   | A boolean value indicating whether to bypass server certificate validation.
   Overrides the general `xpack.actions.rejectUnauthorized` configuration
   for requests made for this hostname/port.
 
+| `xpack.actions.customHostSettings[n]`
+`.tls.verificationMode`
+  | Controls the verification of the server certificate that {hosted-ems} receives when making an outbound SSL/TLS connection to {es}. Valid values are "`full`", "`certificate`", and "`none`". 
+  Using "`full`" performs hostname verification, using "`certificate`" skips hostname verification, and using "`none`" skips verification entirely. *Default: `full`*. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>.
+
 | `xpack.actions.customHostSettings[n]`
 `.tls.certificateAuthoritiesFiles`
   | A file name or list of file names of PEM-encoded certificate files to use
@@ -155,15 +163,27 @@ xpack.actions.customHostSettings:
   | Specifies HTTP headers for the proxy, if using a proxy for actions. Defaults to {}.
 
 a|`xpack.actions.`
-`proxyRejectUnauthorizedCertificates` {ess-icon}
+`proxyRejectUnauthorizedCertificates` [Deprecated Use `xpack.actions.tls.proxyVerificationMode`.] {ess-icon}
   | Set to `false` to bypass certificate validation for the proxy, if using a proxy for actions. Defaults to `true`.
 
-| `xpack.actions.rejectUnauthorized` {ess-icon}
+a|`xpack.actions[n]`
+`.tls.proxyVerificationMode` {ess-icon}
+| Controls the verification for the proxy server certificate that {hosted-ems} receives when making an outbound SSL/TLS connection to {es}. Valid values are "`full`", "`certificate`", and "`none`". 
+  Using "`full`" performs hostname verification, using "`certificate`" skips hostname verification, and using "`none`" skips verification entirely. *Default: `full`*. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>.
+
+| `xpack.actions.rejectUnauthorized` [Deprecated. Use `xpack.actions.tls.verificationMode`.] {ess-icon}
   | Set to `false` to bypass certificate validation for actions. Defaults to `true`. +
   +
   As an alternative to setting `xpack.actions.rejectUnauthorized`, you can use the setting
   `xpack.actions.customHostSettings` to set TLS options for specific servers.
 
+a|`xpack.actions[n]`
+`.tls.verificationMode` {ess-icon}
+| Controls the verification for the server certificate that {hosted-ems} receives when making an outbound SSL/TLS connection to {es}. Valid values are "`full`", "`certificate`", and "`none`". 
+  Using "`full`" performs hostname verification, using "`certificate`" skips hostname verification, and using "`none`" skips verification entirely. *Default: `full`*. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>.
+
+
+
 | `xpack.actions.maxResponseContentLength` {ess-icon}
   | Specifies the max number of bytes of the http response for requests to external resources. Defaults to 1000000 (1MB).
 

src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker

@@ -175,6 +175,8 @@ kibana_vars=(
     xpack.actions.rejectUnauthorized
     xpack.actions.maxResponseContentLength
     xpack.actions.responseTimeout
+    xpack.actions.tls.verificationMode
+    xpack.actions.tls.proxyVerificationMode
     xpack.alerts.healthCheck.interval
     xpack.alerts.invalidateApiKeysTask.interval
     xpack.alerts.invalidateApiKeysTask.removalDelay

x-pack/plugins/actions/server/actions_client.test.ts

@@ -417,8 +417,8 @@ describe('create()', () => {
       allowedHosts: ['*'],
       preconfiguredAlertHistoryEsIndex: false,
       preconfigured: {},
-      proxyRejectUnauthorizedCertificates: true,
-      rejectUnauthorized: true,
+      proxyRejectUnauthorizedCertificates: true, // legacy
+      rejectUnauthorized: true, // legacy
       proxyBypassHosts: undefined,
       proxyOnlyHosts: undefined,
       maxResponseContentLength: new ByteSizeValue(1000000),
@@ -429,6 +429,10 @@ describe('create()', () => {
         idleInterval: schema.duration().validate('1h'),
         pageSize: 100,
       },
+      tls: {
+        verificationMode: 'full',
+        proxyVerificationMode: 'full',
+      },
     });
 
     const localActionTypeRegistryParams = {

x-pack/plugins/actions/server/actions_config.mock.ts

@@ -15,7 +15,9 @@ const createActionsConfigMock = () => {
     ensureHostnameAllowed: jest.fn().mockReturnValue({}),
     ensureUriAllowed: jest.fn().mockReturnValue({}),
     ensureActionTypeEnabled: jest.fn().mockReturnValue({}),
-    isRejectUnauthorizedCertificatesEnabled: jest.fn().mockReturnValue(true),
+    getTLSSettings: jest.fn().mockReturnValue({
+      verificationMode: 'full',
+    }),
     getProxySettings: jest.fn().mockReturnValue(undefined),
     getResponseSettings: jest.fn().mockReturnValue({
       maxContentLength: 1000000,

x-pack/plugins/actions/server/actions_config.test.ts

@@ -27,8 +27,8 @@ const defaultActionsConfig: ActionsConfig = {
   enabledActionTypes: [],
   preconfiguredAlertHistoryEsIndex: false,
   preconfigured: {},
-  proxyRejectUnauthorizedCertificates: true,
-  rejectUnauthorized: true,
+  proxyRejectUnauthorizedCertificates: true, // legacy
+  rejectUnauthorized: true, // legacy
   maxResponseContentLength: new ByteSizeValue(1000000),
   responseTimeout: moment.duration(60000),
   cleanupFailedExecutionsTask: {
@@ -37,6 +37,10 @@ const defaultActionsConfig: ActionsConfig = {
     idleInterval: schema.duration().validate('1h'),
     pageSize: 100,
   },
+  tls: {
+    proxyVerificationMode: 'full',
+    verificationMode: 'full',
+  },
 };
 
 describe('ensureUriAllowed', () => {
@@ -305,22 +309,44 @@ describe('getProxySettings', () => {
     expect(proxySettings?.proxyUrl).toBe(config.proxyUrl);
   });
 
-  test('returns proxyRejectUnauthorizedCertificates', () => {
+  test('returns proper legacyRejectUnauthorized values, beased on the legacy config option proxyRejectUnauthorizedCertificates', () => {
     const configTrue: ActionsConfig = {
       ...defaultActionsConfig,
       proxyUrl: 'https://proxy.elastic.co',
       proxyRejectUnauthorizedCertificates: true,
     };
     let proxySettings = getActionsConfigurationUtilities(configTrue).getProxySettings();
-    expect(proxySettings?.proxyRejectUnauthorizedCertificates).toBe(true);
+    expect(proxySettings?.proxyTLSSettings.legacyRejectUnauthorized).toBe(true);
 
     const configFalse: ActionsConfig = {
       ...defaultActionsConfig,
       proxyUrl: 'https://proxy.elastic.co',
       proxyRejectUnauthorizedCertificates: false,
     };
     proxySettings = getActionsConfigurationUtilities(configFalse).getProxySettings();
-    expect(proxySettings?.proxyRejectUnauthorizedCertificates).toBe(false);
+    expect(proxySettings?.proxyTLSSettings.legacyRejectUnauthorized).toBe(false);
+  });
+
+  test('returns proper verificationMode value, based on the TLS proxy configuration', () => {
+    const configTrue: ActionsConfig = {
+      ...defaultActionsConfig,
+      proxyUrl: 'https://proxy.elastic.co',
+      tls: {
+        proxyVerificationMode: 'full',
+      },
+    };
+    let proxySettings = getActionsConfigurationUtilities(configTrue).getProxySettings();
+    expect(proxySettings?.proxyTLSSettings.verificationMode).toBe('full');
+
+    const configFalse: ActionsConfig = {
+      ...defaultActionsConfig,
+      proxyUrl: 'https://proxy.elastic.co',
+      tls: {
+        proxyVerificationMode: 'none',
+      },
+    };
+    proxySettings = getActionsConfigurationUtilities(configFalse).getProxySettings();
+    expect(proxySettings?.proxyTLSSettings.verificationMode).toBe('none');
   });
 
   test('returns proxy headers', () => {
@@ -406,13 +432,13 @@ describe('getProxySettings', () => {
         {
           url: 'https://elastic.co',
           tls: {
-            rejectUnauthorized: true,
+            verificationMode: 'full',
           },
         },
         {
           url: 'smtp://elastic.co:123',
           tls: {
-            rejectUnauthorized: false,
+            verificationMode: 'none',
           },
           smtp: {
             ignoreTLS: true,
@@ -437,3 +463,25 @@ describe('getProxySettings', () => {
     expect(chs).toEqual(undefined);
   });
 });
+
+describe('getTLSSettings', () => {
+  test('returns proper verificationMode value, based on the TLS proxy configuration', () => {
+    const configTrue: ActionsConfig = {
+      ...defaultActionsConfig,
+      tls: {
+        verificationMode: 'full',
+      },
+    };
+    let tlsSettings = getActionsConfigurationUtilities(configTrue).getTLSSettings();
+    expect(tlsSettings.verificationMode).toBe('full');
+
+    const configFalse: ActionsConfig = {
+      ...defaultActionsConfig,
+      tls: {
+        verificationMode: 'none',
+      },
+    };
+    tlsSettings = getActionsConfigurationUtilities(configFalse).getTLSSettings();
+    expect(tlsSettings.verificationMode).toBe('none');
+  });
+});

x-pack/plugins/actions/server/actions_config.ts

@@ -14,7 +14,7 @@ import { pipe } from 'fp-ts/lib/pipeable';
 import { ActionsConfig, AllowedHosts, EnabledActionTypes, CustomHostSettings } from './config';
 import { getCanonicalCustomHostUrl } from './lib/custom_host_settings';
 import { ActionTypeDisabledError } from './lib';
-import { ProxySettings, ResponseSettings } from './types';
+import { ProxySettings, ResponseSettings, TLSSettings } from './types';
 
 export { AllowedHosts, EnabledActionTypes } from './config';
 
@@ -30,7 +30,7 @@ export interface ActionsConfigurationUtilities {
   ensureHostnameAllowed: (hostname: string) => void;
   ensureUriAllowed: (uri: string) => void;
   ensureActionTypeEnabled: (actionType: string) => void;
-  isRejectUnauthorizedCertificatesEnabled: () => boolean;
+  getTLSSettings: () => TLSSettings;
   getProxySettings: () => undefined | ProxySettings;
   getResponseSettings: () => ResponseSettings;
   getCustomHostSettings: (targetUrl: string) => CustomHostSettings | undefined;
@@ -93,10 +93,20 @@ function getProxySettingsFromConfig(config: ActionsConfig): undefined | ProxySet
     proxyBypassHosts: arrayAsSet(config.proxyBypassHosts),
     proxyOnlyHosts: arrayAsSet(config.proxyOnlyHosts),
     proxyHeaders: config.proxyHeaders,
-    proxyRejectUnauthorizedCertificates: config.proxyRejectUnauthorizedCertificates,
+    proxyTLSSettings: getTLSSettingsFromConfig(
+      config.tls?.proxyVerificationMode,
+      config.proxyRejectUnauthorizedCertificates
+    ),
   };
 }
 
+function getTLSSettingsFromConfig(
+  verificationMode?: 'none' | 'certificate' | 'full',
+  rejectUnauthorized?: boolean
+): TLSSettings {
+  return { legacyRejectUnauthorized: rejectUnauthorized, verificationMode };
+}
+
 function arrayAsSet<T>(arr: T[] | undefined): Set<T> | undefined {
   if (!arr) return;
   return new Set(arr);
@@ -142,8 +152,8 @@ export function getActionsConfigurationUtilities(
     isActionTypeEnabled,
     getProxySettings: () => getProxySettingsFromConfig(config),
     getResponseSettings: () => getResponseSettingsFromConfig(config),
-    // returns the global rejectUnauthorized setting
-    isRejectUnauthorizedCertificatesEnabled: () => config.rejectUnauthorized,
+    getTLSSettings: () =>
+      getTLSSettingsFromConfig(config.tls?.verificationMode, config.rejectUnauthorized),
     ensureUriAllowed(uri: string) {
       if (!isUriAllowed(uri)) {
         throw new Error(allowListErrorMessage(AllowListingField.URL, uri));

x-pack/plugins/actions/server/builtin_action_types/email.test.ts

@@ -285,9 +285,9 @@ describe('execute()', () => {
           "getCustomHostSettings": [MockFunction],
           "getProxySettings": [MockFunction],
           "getResponseSettings": [MockFunction],
+          "getTLSSettings": [MockFunction],
           "isActionTypeEnabled": [MockFunction],
           "isHostnameAllowed": [MockFunction],
-          "isRejectUnauthorizedCertificatesEnabled": [MockFunction],
           "isUriAllowed": [MockFunction],
         },
         "content": Object {
@@ -346,9 +346,9 @@ describe('execute()', () => {
           "getCustomHostSettings": [MockFunction],
           "getProxySettings": [MockFunction],
           "getResponseSettings": [MockFunction],
+          "getTLSSettings": [MockFunction],
           "isActionTypeEnabled": [MockFunction],
           "isHostnameAllowed": [MockFunction],
-          "isRejectUnauthorizedCertificatesEnabled": [MockFunction],
           "isUriAllowed": [MockFunction],
         },
         "content": Object {

x-pack/plugins/actions/server/builtin_action_types/lib/axios_utils.test.ts

@@ -18,7 +18,7 @@ import { getCustomAgents } from './get_custom_agents';
 const TestUrl = 'https://elastic.co/foo/bar/baz';
 
 const logger = loggingSystemMock.create().get() as jest.Mocked<Logger>;
-const configurationUtilities = actionsConfigMock.create();
+let configurationUtilities = actionsConfigMock.create();
 jest.mock('axios');
 const axiosMock = (axios as unknown) as jest.Mock;
 
@@ -42,6 +42,7 @@ describe('request', () => {
       headers: { 'content-type': 'application/json' },
       data: { incidentId: '123' },
     }));
+    configurationUtilities = actionsConfigMock.create();
     configurationUtilities.getResponseSettings.mockReturnValue({
       maxContentLength: 1000000,
       timeout: 360000,
@@ -74,7 +75,9 @@ describe('request', () => {
 
   test('it have been called with proper proxy agent for a valid url', async () => {
     configurationUtilities.getProxySettings.mockReturnValue({
-      proxyRejectUnauthorizedCertificates: true,
+      proxyTLSSettings: {
+        verificationMode: 'full',
+      },
       proxyUrl: 'https://localhost:1212',
       proxyBypassHosts: undefined,
       proxyOnlyHosts: undefined,
@@ -107,7 +110,9 @@ describe('request', () => {
   test('it have been called with proper proxy agent for an invalid url', async () => {
     configurationUtilities.getProxySettings.mockReturnValue({
       proxyUrl: ':nope:',
-      proxyRejectUnauthorizedCertificates: false,
+      proxyTLSSettings: {
+        verificationMode: 'none',
+      },
       proxyBypassHosts: undefined,
       proxyOnlyHosts: undefined,
     });
@@ -136,7 +141,9 @@ describe('request', () => {
 
   test('it bypasses with proxyBypassHosts when expected', async () => {
     configurationUtilities.getProxySettings.mockReturnValue({
-      proxyRejectUnauthorizedCertificates: true,
+      proxyTLSSettings: {
+        verificationMode: 'full',
+      },
       proxyUrl: 'https://elastic.proxy.co',
       proxyBypassHosts: new Set(['elastic.co']),
       proxyOnlyHosts: undefined,
@@ -157,7 +164,9 @@ describe('request', () => {
 
   test('it does not bypass with proxyBypassHosts when expected', async () => {
     configurationUtilities.getProxySettings.mockReturnValue({
-      proxyRejectUnauthorizedCertificates: true,
+      proxyTLSSettings: {
+        verificationMode: 'full',
+      },
       proxyUrl: 'https://elastic.proxy.co',
       proxyBypassHosts: new Set(['not-elastic.co']),
       proxyOnlyHosts: undefined,
@@ -178,7 +187,9 @@ describe('request', () => {
 
   test('it proxies with proxyOnlyHosts when expected', async () => {
     configurationUtilities.getProxySettings.mockReturnValue({
-      proxyRejectUnauthorizedCertificates: true,
+      proxyTLSSettings: {
+        verificationMode: 'full',
+      },
       proxyUrl: 'https://elastic.proxy.co',
       proxyBypassHosts: undefined,
       proxyOnlyHosts: new Set(['elastic.co']),
@@ -199,7 +210,9 @@ describe('request', () => {
 
   test('it does not proxy with proxyOnlyHosts when expected', async () => {
     configurationUtilities.getProxySettings.mockReturnValue({
-      proxyRejectUnauthorizedCertificates: true,
+      proxyTLSSettings: {
+        verificationMode: 'full',
+      },
       proxyUrl: 'https://elastic.proxy.co',
       proxyBypassHosts: undefined,
       proxyOnlyHosts: new Set(['not-elastic.co']),
@@ -252,6 +265,7 @@ describe('patch', () => {
       status: 200,
       headers: { 'content-type': 'application/json' },
     }));
+    configurationUtilities = actionsConfigMock.create();
     configurationUtilities.getResponseSettings.mockReturnValue({
       maxContentLength: 1000000,
       timeout: 360000,