[7.x] [Actions] Converted rejectUnauthorized config usages to verificationMode. (#100179)

docs/settings/alert-action-settings.asciidoc

@@ -41,7 +41,7 @@ You can configure the following settings in the `kibana.yml` file.
 [cols="2*<"]
 |===
 | `xpack.actions.enabled`
-  | Feature toggle that enables Actions in {kib}. Defaults to `true`.
+  | Feature toggle that enables Actions in {kib}. Default: `true`.
 
 | `xpack.actions.allowedHosts` {ess-icon}
   | A list of hostnames that {kib} is allowed to connect to when built-in actions are triggered. It defaults to `[*]`, allowing any host, but keep in mind the potential for SSRF attacks when hosts are not explicitly added to the allowed hosts. An empty list `[]` can be used to block built-in actions from making any external connections. +
@@ -50,7 +50,7 @@ You can configure the following settings in the `kibana.yml` file.
 
 | `xpack.actions.customHostSettings` {ess-icon} 
   | A list of custom host settings to override existing global settings.
-  Defaults to an empty list. +
+  Default: an empty list. +
   +
   Each entry in the list must have a `url` property, to associate a connection
   type (mail or https), hostname and port with the remaining options in the
@@ -70,6 +70,7 @@ You can configure the following settings in the `kibana.yml` file.
 xpack.actions.customHostSettings:
   - url: smtp://mail.example.com:465
     tls: 
+      verificationMode: 'full'
       certificateAuthoritiesFiles: [ 'one.crt' ]
       certificateAuthoritiesData: |
           -----BEGIN CERTIFICATE-----
@@ -79,7 +80,9 @@ xpack.actions.customHostSettings:
       requireTLS: true
   - url: https://webhook.example.com
     tls: 
+      // legacy
       rejectUnauthorized: false
+      verificationMode: 'none'
 --
 
 [cols="2*<"]
@@ -115,10 +118,16 @@ xpack.actions.customHostSettings:
 
 | `xpack.actions.customHostSettings[n]`
 `.tls.rejectUnauthorized` {ess-icon}
-  | A boolean value indicating whether to bypass server certificate validation.
+  | Deprecated. Use <<action-config-custom-host-verification-mode,`xpack.actions.customHostSettings.tls.verificationMode`>> instead. A boolean value indicating whether to bypass server certificate validation.
   Overrides the general `xpack.actions.rejectUnauthorized` configuration
   for requests made for this hostname/port.
 
+|[[action-config-custom-host-verification-mode]] `xpack.actions.customHostSettings[n]`
+`.tls.verificationMode`
+  | Controls the verification of the server certificate that {hosted-ems} receives when making an outbound SSL/TLS connection to the host server. Valid values are `full`, `certificate`, and `none`. 
+ Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>. Overrides the general `xpack.actions.tls.verificationMode` configuration
+  for requests made for this hostname/port.
+
 | `xpack.actions.customHostSettings[n]`
 `.tls.certificateAuthoritiesFiles`
   | A file name or list of file names of PEM-encoded certificate files to use
@@ -137,10 +146,10 @@ xpack.actions.customHostSettings:
 
 | `xpack.actions`
 `.preconfiguredAlertHistoryEsIndex` {ess-icon}
-  | Enables a preconfigured alert history {es} <<index-action-type, Index>> connector. Defaults to `false`.
+  | Enables a preconfigured alert history {es} <<index-action-type, Index>> connector. Default: `false`.
 
 | `xpack.actions.preconfigured`
-  | Specifies preconfigured connector IDs and configs. Defaults to {}.
+  | Specifies preconfigured connector IDs and configs. Default: {}.
 
 | `xpack.actions.proxyUrl` {ess-icon}
   | Specifies the proxy URL to use, if using a proxy for actions. By default, no proxy is used.
@@ -152,27 +161,44 @@ xpack.actions.customHostSettings:
   | Specifies hostnames which should only use the proxy, if using a proxy for actions. The value is an array of hostnames as strings.  By default, no hosts will use the proxy, but if an action's hostname is in this list, the proxy will be used.  The settings `xpack.actions.proxyBypassHosts` and `xpack.actions.proxyOnlyHosts` cannot be used at the same time.
 
 | `xpack.actions.proxyHeaders` {ess-icon}
-  | Specifies HTTP headers for the proxy, if using a proxy for actions. Defaults to {}.
+  | Specifies HTTP headers for the proxy, if using a proxy for actions. Default: {}.
 
 a|`xpack.actions.`
 `proxyRejectUnauthorizedCertificates` {ess-icon}
-  | Set to `false` to bypass certificate validation for the proxy, if using a proxy for actions. Defaults to `true`.
+  | Deprecated. Use <<action-config-proxy-verification-mode,`xpack.actions.tls.proxyVerificationMode`>> instead. Set to `false` to bypass certificate validation for the proxy, if using a proxy for actions. Default: `true`.
+
+|[[action-config-proxy-verification-mode]]
+`xpack.actions[n]`
+`.tls.proxyVerificationMode` {ess-icon}
+| Controls the verification for the proxy server certificate that {hosted-ems} receives when making an outbound SSL/TLS connection to the proxy server. Valid values are `full`, `certificate`, and `none`. 
+Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>.
 
 | `xpack.actions.rejectUnauthorized` {ess-icon}
-  | Set to `false` to bypass certificate validation for actions. Defaults to `true`. +
+  | Deprecated. Use <<action-config-verification-mode,`xpack.actions.tls.verificationMode`>> instead. Set to `false` to bypass certificate validation for actions. Default: `true`. +
   +
   As an alternative to setting `xpack.actions.rejectUnauthorized`, you can use the setting
   `xpack.actions.customHostSettings` to set TLS options for specific servers.
 
+|[[action-config-verification-mode]]
+`xpack.actions[n]`
+`.tls.verificationMode` {ess-icon}
+| Controls the verification for the server certificate that {hosted-ems} receives when making an outbound SSL/TLS connection for actions. Valid values are `full`, `certificate`, and `none`. 
+  Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>. +
+  +
+  As an alternative to setting `xpack.actions.tls.verificationMode`, you can use the setting
+  `xpack.actions.customHostSettings` to set TLS options for specific servers.
+
+
+
 | `xpack.actions.maxResponseContentLength` {ess-icon}
-  | Specifies the max number of bytes of the http response for requests to external resources. Defaults to 1000000 (1MB).
+  | Specifies the max number of bytes of the http response for requests to external resources. Default: 1000000 (1MB).
 
 | `xpack.actions.responseTimeout` {ess-icon}
   | Specifies the time allowed for requests to external resources. Requests that take longer are aborted. The time is formatted as: +
   +
   `<count>[ms,s,m,h,d,w,M,Y]` +
   +
-  For example, `20m`, `24h`, `7d`, `1w`. Defaults to `60s`.
+  For example, `20m`, `24h`, `7d`, `1w`. Default: `60s`.
 
 
 |===

src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker

@@ -175,6 +175,8 @@ kibana_vars=(
     xpack.actions.rejectUnauthorized
     xpack.actions.maxResponseContentLength
     xpack.actions.responseTimeout
+    xpack.actions.tls.verificationMode
+    xpack.actions.tls.proxyVerificationMode
     xpack.alerts.healthCheck.interval
     xpack.alerts.invalidateApiKeysTask.interval
     xpack.alerts.invalidateApiKeysTask.removalDelay

x-pack/plugins/actions/server/actions_client.test.ts

@@ -417,8 +417,8 @@ describe('create()', () => {
       allowedHosts: ['*'],
       preconfiguredAlertHistoryEsIndex: false,
       preconfigured: {},
-      proxyRejectUnauthorizedCertificates: true,
-      rejectUnauthorized: true,
+      proxyRejectUnauthorizedCertificates: true, // legacy
+      rejectUnauthorized: true, // legacy
       proxyBypassHosts: undefined,
       proxyOnlyHosts: undefined,
       maxResponseContentLength: new ByteSizeValue(1000000),
@@ -429,6 +429,10 @@ describe('create()', () => {
         idleInterval: schema.duration().validate('1h'),
         pageSize: 100,
       },
+      tls: {
+        verificationMode: 'full',
+        proxyVerificationMode: 'full',
+      },
     });
 
     const localActionTypeRegistryParams = {

x-pack/plugins/actions/server/actions_config.mock.ts

@@ -15,7 +15,9 @@ const createActionsConfigMock = () => {
     ensureHostnameAllowed: jest.fn().mockReturnValue({}),
     ensureUriAllowed: jest.fn().mockReturnValue({}),
     ensureActionTypeEnabled: jest.fn().mockReturnValue({}),
-    isRejectUnauthorizedCertificatesEnabled: jest.fn().mockReturnValue(true),
+    getTLSSettings: jest.fn().mockReturnValue({
+      verificationMode: 'full',
+    }),
     getProxySettings: jest.fn().mockReturnValue(undefined),
     getResponseSettings: jest.fn().mockReturnValue({
       maxContentLength: 1000000,

x-pack/plugins/actions/server/actions_config.test.ts

@@ -27,8 +27,8 @@ const defaultActionsConfig: ActionsConfig = {
   enabledActionTypes: [],
   preconfiguredAlertHistoryEsIndex: false,
   preconfigured: {},
-  proxyRejectUnauthorizedCertificates: true,
-  rejectUnauthorized: true,
+  proxyRejectUnauthorizedCertificates: true, // legacy
+  rejectUnauthorized: true, // legacy
   maxResponseContentLength: new ByteSizeValue(1000000),
   responseTimeout: moment.duration(60000),
   cleanupFailedExecutionsTask: {
@@ -37,6 +37,10 @@ const defaultActionsConfig: ActionsConfig = {
     idleInterval: schema.duration().validate('1h'),
     pageSize: 100,
   },
+  tls: {
+    proxyVerificationMode: 'full',
+    verificationMode: 'full',
+  },
 };
 
 describe('ensureUriAllowed', () => {
@@ -305,22 +309,45 @@ describe('getProxySettings', () => {
     expect(proxySettings?.proxyUrl).toBe(config.proxyUrl);
   });
 
-  test('returns proxyRejectUnauthorizedCertificates', () => {
+  test('returns proper verificationMode values, beased on the legacy config option proxyRejectUnauthorizedCertificates', () => {
     const configTrue: ActionsConfig = {
       ...defaultActionsConfig,
       proxyUrl: 'https://proxy.elastic.co',
       proxyRejectUnauthorizedCertificates: true,
     };
     let proxySettings = getActionsConfigurationUtilities(configTrue).getProxySettings();
-    expect(proxySettings?.proxyRejectUnauthorizedCertificates).toBe(true);
+    expect(proxySettings?.proxyTLSSettings.verificationMode).toBe('full');
 
     const configFalse: ActionsConfig = {
       ...defaultActionsConfig,
       proxyUrl: 'https://proxy.elastic.co',
       proxyRejectUnauthorizedCertificates: false,
+      tls: {},
+    };
+    proxySettings = getActionsConfigurationUtilities(configFalse).getProxySettings();
+    expect(proxySettings?.proxyTLSSettings.verificationMode).toBe('none');
+  });
+
+  test('returns proper verificationMode value, based on the TLS proxy configuration', () => {
+    const configTrue: ActionsConfig = {
+      ...defaultActionsConfig,
+      proxyUrl: 'https://proxy.elastic.co',
+      tls: {
+        proxyVerificationMode: 'full',
+      },
+    };
+    let proxySettings = getActionsConfigurationUtilities(configTrue).getProxySettings();
+    expect(proxySettings?.proxyTLSSettings.verificationMode).toBe('full');
+
+    const configFalse: ActionsConfig = {
+      ...defaultActionsConfig,
+      proxyUrl: 'https://proxy.elastic.co',
+      tls: {
+        proxyVerificationMode: 'none',
+      },
     };
     proxySettings = getActionsConfigurationUtilities(configFalse).getProxySettings();
-    expect(proxySettings?.proxyRejectUnauthorizedCertificates).toBe(false);
+    expect(proxySettings?.proxyTLSSettings.verificationMode).toBe('none');
   });
 
   test('returns proxy headers', () => {
@@ -406,13 +433,13 @@ describe('getProxySettings', () => {
         {
           url: 'https://elastic.co',
           tls: {
-            rejectUnauthorized: true,
+            verificationMode: 'full',
           },
         },
         {
           url: 'smtp://elastic.co:123',
           tls: {
-            rejectUnauthorized: false,
+            verificationMode: 'none',
           },
           smtp: {
             ignoreTLS: true,
@@ -437,3 +464,25 @@ describe('getProxySettings', () => {
     expect(chs).toEqual(undefined);
   });
 });
+
+describe('getTLSSettings', () => {
+  test('returns proper verificationMode value, based on the TLS proxy configuration', () => {
+    const configTrue: ActionsConfig = {
+      ...defaultActionsConfig,
+      tls: {
+        verificationMode: 'full',
+      },
+    };
+    let tlsSettings = getActionsConfigurationUtilities(configTrue).getTLSSettings();
+    expect(tlsSettings.verificationMode).toBe('full');
+
+    const configFalse: ActionsConfig = {
+      ...defaultActionsConfig,
+      tls: {
+        verificationMode: 'none',
+      },
+    };
+    tlsSettings = getActionsConfigurationUtilities(configFalse).getTLSSettings();
+    expect(tlsSettings.verificationMode).toBe('none');
+  });
+});

x-pack/plugins/actions/server/actions_config.ts

@@ -14,7 +14,8 @@ import { pipe } from 'fp-ts/lib/pipeable';
 import { ActionsConfig, AllowedHosts, EnabledActionTypes, CustomHostSettings } from './config';
 import { getCanonicalCustomHostUrl } from './lib/custom_host_settings';
 import { ActionTypeDisabledError } from './lib';
-import { ProxySettings, ResponseSettings } from './types';
+import { ProxySettings, ResponseSettings, TLSSettings } from './types';
+import { getTLSSettingsFromConfig } from './builtin_action_types/lib/get_node_tls_options';
 
 export { AllowedHosts, EnabledActionTypes } from './config';
 
@@ -30,7 +31,7 @@ export interface ActionsConfigurationUtilities {
   ensureHostnameAllowed: (hostname: string) => void;
   ensureUriAllowed: (uri: string) => void;
   ensureActionTypeEnabled: (actionType: string) => void;
-  isRejectUnauthorizedCertificatesEnabled: () => boolean;
+  getTLSSettings: () => TLSSettings;
   getProxySettings: () => undefined | ProxySettings;
   getResponseSettings: () => ResponseSettings;
   getCustomHostSettings: (targetUrl: string) => CustomHostSettings | undefined;
@@ -93,7 +94,10 @@ function getProxySettingsFromConfig(config: ActionsConfig): undefined | ProxySet
     proxyBypassHosts: arrayAsSet(config.proxyBypassHosts),
     proxyOnlyHosts: arrayAsSet(config.proxyOnlyHosts),
     proxyHeaders: config.proxyHeaders,
-    proxyRejectUnauthorizedCertificates: config.proxyRejectUnauthorizedCertificates,
+    proxyTLSSettings: getTLSSettingsFromConfig(
+      config.tls?.proxyVerificationMode,
+      config.proxyRejectUnauthorizedCertificates
+    ),
   };
 }
 
@@ -142,8 +146,8 @@ export function getActionsConfigurationUtilities(
     isActionTypeEnabled,
     getProxySettings: () => getProxySettingsFromConfig(config),
     getResponseSettings: () => getResponseSettingsFromConfig(config),
-    // returns the global rejectUnauthorized setting
-    isRejectUnauthorizedCertificatesEnabled: () => config.rejectUnauthorized,
+    getTLSSettings: () =>
+      getTLSSettingsFromConfig(config.tls?.verificationMode, config.rejectUnauthorized),
     ensureUriAllowed(uri: string) {
       if (!isUriAllowed(uri)) {
         throw new Error(allowListErrorMessage(AllowListingField.URL, uri));

x-pack/plugins/actions/server/builtin_action_types/email.test.ts

@@ -285,9 +285,9 @@ describe('execute()', () => {
           "getCustomHostSettings": [MockFunction],
           "getProxySettings": [MockFunction],
           "getResponseSettings": [MockFunction],
+          "getTLSSettings": [MockFunction],
           "isActionTypeEnabled": [MockFunction],
           "isHostnameAllowed": [MockFunction],
-          "isRejectUnauthorizedCertificatesEnabled": [MockFunction],
           "isUriAllowed": [MockFunction],
         },
         "content": Object {
@@ -346,9 +346,9 @@ describe('execute()', () => {
           "getCustomHostSettings": [MockFunction],
           "getProxySettings": [MockFunction],
           "getResponseSettings": [MockFunction],
+          "getTLSSettings": [MockFunction],
           "isActionTypeEnabled": [MockFunction],
           "isHostnameAllowed": [MockFunction],
-          "isRejectUnauthorizedCertificatesEnabled": [MockFunction],
           "isUriAllowed": [MockFunction],
         },
         "content": Object {