Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add certificate TLS verification mode #20293

Merged
merged 12 commits into from
Aug 21, 2020
Merged

Add certificate TLS verification mode #20293

merged 12 commits into from
Aug 21, 2020

Conversation

anyasabo
Copy link
Contributor

What does this PR do?

Adds certificate TLS verification mode similar to Kibana and Elasticsearch, essentially skipping the hostname match.

Why is it important?

This is especially useful in k8s-like environments where users may have a certificate in use for their publicly accessible host name, but use a different host name for intra cluster communication. For environments like this in Beats today our only option is to disable TLS verification entirely, but this allows us to keep the majority of verifications enabled without disabling it entirely.

We had to implement essentially the same functionality in ECK for reference, the main difference is that beats also implements cert pinning so there's a little bit of extra logic to combine the two custom verifications: https://github.com/elastic/cloud-on-k8s/blob/master/pkg/utils/cryptutil/tls_verify.go#L18

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • [ ]

How to test this PR locally

This is something I had difficulty with since it wasn't clear to me how to build a new beat and then use it. I imagine we will want to add additional tests, but I added unit test coverage to start. This is my first libbeat PR and could definitely use guidance here.

Related issues

Closes #8164

Use cases

Screenshots

Logs

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jul 28, 2020
option for testing only.

The default is `full`.
Controls the verification of certificates. Valid values are:
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's also not clear to me where I should update this section of the example config. I see there's multiple tmpl files with identical content, do I edit each one?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@andrewkroh wondering the same here. Do we collect the SSL settings from one common template, or do we need the templates to include SSL settings?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In #20357 I created a template for the SSL options and then included it in each output config. With this change you'll only need to update the one template.

@@ -80,15 +86,12 @@ func (c *TLSConfig) ToConfig() *tls.Config {
minVersion, maxVersion := extractMinMaxVersion(c.Versions)
insecure := c.Verification != VerifyFull
if insecure {
logp.NewLogger("tls").Warn("SSL/TLS verifications disabled.")
logp.NewLogger("tls").Warn("Some SSL/TLS verifications disabled.")
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not clear to me that this is a useful log message, it is very spammy

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe log only if insecure && verifyPeerCertFn == nil

@elasticmachine
Copy link
Collaborator

elasticmachine commented Jul 28, 2020

💔 Tests Failed

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [anyasabo commented: jenkins run the tests please]

  • Start Time: 2020-08-20T23:15:34.423+0000

  • Duration: 72 min 51 sec

Test stats 🧪

Test Results
Failed 11
Passed 14623
Skipped 1307
Total 15941

Test errors

Expand to view the tests failures

  • Name: Build and Test / Auditbeat oss Linux / test_dashboards – auditbeat.tests.system.test_base.Test

    • Age: 1
    • Duration: 0.325
    • Error Details: AssertionError: Expected exit code to be 0, but it was 1
  • Name: Build and Test / Libbeat / Libbeat oss / test_dev_tool_export_dashboard_by_id – libbeat.tests.system.test_dashboard.Test

    • Age: 1
    • Duration: 0.367
    • Error Details: AssertionError: Expected exit code to be 0, but it was 1
  • Name: Build and Test / Libbeat / Libbeat oss / test_dev_tool_export_dashboard_by_id_from_space – libbeat.tests.system.test_dashboard.Test

    • Age: 1
    • Duration: 0.277
    • Error Details: AssertionError: Expected exit code to be 0, but it was 1
  • Name: Build and Test / Libbeat / Libbeat oss / test_dev_tool_export_dashboard_from_yml – libbeat.tests.system.test_dashboard.Test

    • Age: 1
    • Duration: 0.221
    • Error Details: AssertionError: Expected exit code to be 0, but it was 1
  • Name: Build and Test / Libbeat / Libbeat oss / test_export_dashboard_cmd_export_dashboard_by_id – libbeat.tests.system.test_dashboard.Test

    • Age: 1
    • Duration: 0.149
    • Error Details: AssertionError: Expected exit code to be 0, but it was 1
  • Name: Build and Test / Libbeat / Libbeat oss / test_export_dashboard_cmd_export_dashboard_by_id_and_decoding – libbeat.tests.system.test_dashboard.Test

    • Age: 1
    • Duration: 0.193
    • Error Details: AssertionError: Expected exit code to be 0, but it was 1
  • Name: Build and Test / Libbeat / Libbeat oss / test_export_dashboard_cmd_export_dashboard_from_yml – libbeat.tests.system.test_dashboard.Test

    • Age: 1
    • Duration: 0.322
    • Error Details: AssertionError: Expected exit code to be 0, but it was 1
  • Name: Build and Test / Libbeat / Libbeat oss / test_load_dashboard – libbeat.tests.system.test_dashboard.Test

    • Age: 1
    • Duration: 0.195
    • Error Details: AssertionError: Expected exit code to be 0, but it was 1
  • Name: Build and Test / Libbeat / Libbeat oss / test_load_dashboard_into_space – libbeat.tests.system.test_dashboard.Test

    • Age: 1
    • Duration: 1.018
    • Error Details: AssertionError: Expected exit code to be 0, but it was 1
  • Name: Build and Test / Libbeat / Libbeat oss / test_load_only_index_patterns – libbeat.tests.system.test_dashboard.Test

    • Age: 1
    • Duration: 0.191
    • Error Details: AssertionError: Expected exit code to be 0, but it was 1
  • Name: Build and Test / Libbeat / Libbeat oss / test_load_without_dashboard – libbeat.tests.system.test_dashboard.Test

    • Age: 1
    • Duration: 0.218
    • Error Details: AssertionError: Expected exit code to be 0, but it was 1

Steps errors

Expand to view the steps failures

  • Name: Install Go 1.14.7

    • Description: .ci/scripts/install-go.sh

    • Duration: 1 min 57 sec

    • Start Time: 2020-08-20T23:39:17.249+0000

    • log

  • Name: Mage build test

    • Description: mage build test

    • Duration: 10 min 36 sec

    • Start Time: 2020-08-20T23:39:27.415+0000

    • log

  • Name: Install docker-compose 1.21.0

    • Description: .ci/scripts/install-docker-compose.sh

    • Duration: 1 min 57 sec

    • Start Time: 2020-08-20T23:39:25.993+0000

    • log

  • Name: Mage build test

    • Description: mage build test

    • Duration: 25 min 12 sec

    • Start Time: 2020-08-20T23:40:37.006+0000

    • log

  • Name: Install docker-compose 1.21.0

    • Description: .ci/scripts/install-docker-compose.sh

    • Duration: 1 min 33 sec

    • Start Time: 2020-08-20T23:39:27.742+0000

    • log

Log output

Expand to view the last 100 lines of log output

[2020-08-21T00:26:28.436Z] + git config user.email [email protected]
[2020-08-21T00:26:28.436Z] + git config user.name beatsmachine
[2020-08-21T00:26:28.810Z] + .ci/scripts/terraform-cleanup.sh x-pack/metricbeat
[2020-08-21T00:26:28.810Z] + DIRECTORY=x-pack/metricbeat
[2020-08-21T00:26:28.810Z] + FAILED=0
[2020-08-21T00:26:28.810Z] ++ find x-pack/metricbeat -name terraform.tfstate
[2020-08-21T00:26:28.810Z] + exit 0
[2020-08-21T00:26:38.258Z] [INFO] unstashV2: JOB_GCS_BUCKET is set. bucket param got precedency instead.
[2020-08-21T00:26:38.279Z] [INFO] unstashV2: JOB_GCS_CREDENTIALS is set. credentialsId param got precedency instead.
[2020-08-21T00:26:38.366Z] [Google Cloud Storage Plugin] Found 1 files to download from pattern: gs://beats-ci-temp/Beats/beats/PR-20293-12/source/source.tgz
[2020-08-21T00:26:38.386Z] [Google Cloud Storage Plugin] Downloading: Beats/beats/PR-20293-12/source/source.tgz to local path: /var/lib/jenkins/workspace/Beats_beats_PR-20293/source.tgz
[2020-08-21T00:26:47.145Z] + tar --version
[2020-08-21T00:26:47.445Z] + tar -xpf source.tgz
[2020-08-21T00:26:57.767Z] + rm source.tgz
[2020-08-21T00:26:57.779Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats
[2020-08-21T00:26:57.801Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Lint
[2020-08-21T00:26:57.899Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Elastic-Agent-x-pack
[2020-08-21T00:26:57.977Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Winlogbeat-oss
[2020-08-21T00:26:58.056Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Auditbeat-crosscompile
[2020-08-21T00:26:58.136Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Journalbeat
[2020-08-21T00:26:58.212Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/dockerlogbeat
[2020-08-21T00:26:58.290Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Functionbeat-x-pack
[2020-08-21T00:26:58.368Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Generators-Metricbeat-Linux
[2020-08-21T00:26:58.445Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Elastic-Agent-x-pack-Windows
[2020-08-21T00:26:58.522Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Packetbeat-Linux
[2020-08-21T00:26:58.599Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Metricbeat-OSS-Unit-tests
[2020-08-21T00:26:58.676Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Heartbeat-oss
[2020-08-21T00:26:58.762Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Auditbeat-x-pack
[2020-08-21T00:26:58.839Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Auditbeat-oss-Windows
[2020-08-21T00:26:58.919Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Heartbeat-Windows
[2020-08-21T00:26:58.996Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Auditbeat-x-pack-Windows
[2020-08-21T00:26:59.072Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Auditbeat-oss-Linux
[2020-08-21T00:26:59.151Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Libbeat-x-pack
[2020-08-21T00:26:59.230Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Filebeat-x-pack-Windows
[2020-08-21T00:26:59.309Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Metricbeat-crosscompile
[2020-08-21T00:26:59.384Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Filebeat-Windows
[2020-08-21T00:26:59.459Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Winlogbeat-Windows-x-pack
[2020-08-21T00:26:59.537Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Winlogbeat-Windows
[2020-08-21T00:26:59.693Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Metricbeat-Windows
[2020-08-21T00:26:59.767Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Metricbeat-x-pack-Windows
[2020-08-21T00:26:59.844Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Functionbeat-Windows
[2020-08-21T00:26:59.925Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Packetbeat-Windows
[2020-08-21T00:27:00.002Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Generators-Beat-Linux
[2020-08-21T00:27:00.079Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Filebeat-oss
[2020-08-21T00:27:00.157Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Libbeat-oss
[2020-08-21T00:27:00.236Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Filebeat-x-pack
[2020-08-21T00:27:00.314Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Metricbeat-OSS-Go-Integration-tests
[2020-08-21T00:27:00.392Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Metricbeat-OSS-Python-Integration-tests
[2020-08-21T00:27:00.470Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Metricbeat-x-pack
[2020-08-21T00:27:00.881Z] + cat
[2020-08-21T00:27:00.881Z] + /usr/local/bin/runbld ./runbld-script --job-name elastic+beats+pull-request
[2020-08-21T00:27:00.881Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-08-21T00:27:07.483Z] runbld>>> runbld started
[2020-08-21T00:27:07.483Z] runbld>>> 1.6.12/f45d832f2ba0aa2722ab4ec1fda8ad140f027f8b
[2020-08-21T00:27:08.876Z] runbld>>> The following profiles matched the job 'elastic+beats+pull-request' in order of occurrence in the config (last value wins).
[2020-08-21T00:27:08.876Z] runbld>>> Matches in the system config:
[2020-08-21T00:27:08.876Z] runbld>>> - Matched ^elastic\+beats
[2020-08-21T00:27:08.876Z] runbld>>> - Matched ^elastic\+beats\+pull-request
[2020-08-21T00:27:10.263Z] runbld>>> Debug logging enabled.
[2020-08-21T00:27:10.263Z] runbld>>> Storing result
[2020-08-21T00:27:10.526Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-08-21T00:27:10.526Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1597739501209/t/20200821002710-5E992DE7
[2020-08-21T00:27:10.526Z] runbld>>> Adding system facts.
[2020-08-21T00:27:11.484Z] runbld>>> Adding vcs info for the latest commit:  73e3a8e925e3f442ed5d2f9f3a5c9403e45b3f6e
[2020-08-21T00:27:11.484Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-08-21T00:27:11.484Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-08-21T00:27:11.484Z] + echo 'Processing JUnit reports with runbld...'
[2020-08-21T00:27:11.484Z] Processing JUnit reports with runbld...
[2020-08-21T00:27:11.746Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-08-21T00:27:11.746Z] runbld>>> DURATION: 25ms
[2020-08-21T00:27:11.746Z] runbld>>> STDOUT: 40 bytes
[2020-08-21T00:27:11.746Z] runbld>>> STDERR: 49 bytes
[2020-08-21T00:27:11.746Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-08-21T00:27:11.746Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats_PR-20293
[2020-08-21T00:27:12.689Z] runbld>>> Storing build metadata: 
[2020-08-21T00:27:12.689Z] runbld>>> Adding test report.
[2020-08-21T00:27:12.689Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats
[2020-08-21T00:27:13.633Z] runbld>>> Found 119 test output files
[2020-08-21T00:27:15.023Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-openmetrics.xml
[2020-08-21T00:27:15.023Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-activemq.xml
[2020-08-21T00:27:15.023Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-iis.xml
[2020-08-21T00:27:15.023Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-istio.xml
[2020-08-21T00:27:15.023Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-tomcat.xml
[2020-08-21T00:27:15.023Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Metricbeat-OSS-Go-Integration-tests/metricbeat/build/TEST-go-integration-graphite.xml
[2020-08-21T00:27:15.023Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats_PR-20293/src/github.com/elastic/beats/Metricbeat-OSS-Go-Integration-tests/metricbeat/build/TEST-go-integration-windows.xml
[2020-08-21T00:27:15.968Z] runbld>>> Test output logs contained: Errors: 0 Failures: 11 Tests: 15790 Skipped: 1074
[2020-08-21T00:27:16.229Z] runbld>>> Storing result
[2020-08-21T00:27:16.229Z] runbld>>> FAILURES: 11
[2020-08-21T00:27:18.784Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-08-21T00:27:18.784Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1597739501209/t/20200821002710-5E992DE7
[2020-08-21T00:27:18.784Z] runbld>>> Email notification disabled by environment variable.
[2020-08-21T00:27:18.784Z] runbld>>> Slack notification disabled by environment variable.
[2020-08-21T00:27:24.783Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats_PR-20293
[2020-08-21T00:27:25.011Z] [INFO] getVaultSecret: Getting secrets
[2020-08-21T00:27:25.066Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-08-21T00:27:25.931Z] + chmod 755 generate-build-data.sh
[2020-08-21T00:27:25.932Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20293/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20293/runs/12 FAILURE 4311248
[2020-08-21T00:27:25.932Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20293/runs/12/steps/?limit=10000 -o steps-info.json
[2020-08-21T00:27:27.794Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20293/runs/12/tests/?status=FAILED -o tests-errors.json
[2020-08-21T00:27:27.794Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20293/runs/12/log/ -o pipeline-log.txt

@anyasabo
Copy link
Contributor Author

anyasabo commented Jul 28, 2020

The docs build is failing because of

INFO:build_docs:Bad cross-document links:

but I didn't change any links (though added the issue link in the changelog), so it's not clear to me why this is breaking

@andresrc andresrc added the Team:Services (Deprecated) Label for the former Integrations-Services team label Jul 29, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/integrations-services (Team:Services)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jul 29, 2020
@andresrc
Copy link
Contributor

Thanks @anyasabo for the PR!!

@andresrc andresrc requested review from ph, urso and exekias July 29, 2020 08:00
Copy link

@urso urso left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approach looks good. Just some minor nits.


// Time returns the current time as the number of seconds since the epoch.
// If Time is nil, TLS uses time.Now.
Time func() time.Time
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need to export this setting? Looks like it is only needed for internal testing.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's exported in the crypto/tls.Config struct so I also exported it here for symmetry, but you're right it currently is only used for internal testing. I could see it being used by tests at higher levels, but that's something we could revisit in the future if someone ever wants to write tests like that. I'll go ahead and unexport it.

libbeat/common/transport/tlscommon/tls_config.go Outdated Show resolved Hide resolved
continue
}
opts.Intermediates.AddCert(cert)
}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

more idiomatic:

for _, cert := range certs[1:] {
	opts.Intermeduates.AddCert(cert)
}

Copy link
Contributor Author

@anyasabo anyasabo Jul 29, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah good catch, this part was a copy and paste job from our repo I should have caught. And it looks like upstream has it this way too so I don't know why we did it all silly https://github.com/golang/go/blob/master/src/crypto/tls/handshake_client.go#L842

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in case it is copied from the golang/go code base we need to update the file header licence info as well. maybe we can move it to a separate verify.go file?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For this i just copied it from the ECK repo, which should be okay since we can relicense code we wrote without issue. That's a good catch though and I'm not sure of its provenance. It looks like we added it here elastic/cloud-on-k8s#929 but unfortunately the author is out

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at it more closely, the requirements in the golang license are just a copyright notice, which is already included since this package imports crypto/tls, so I think even if we copied the code line by line (which I do not expect is the case) we are good as is? I am not a lawyer though.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The go repo is BSD licensed. I think BSD requires copies to include a copyright notice.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@urso it looks like having the golang header in verify.go causes the license header CI check to fail. It's not clear to me that the header is required. From the golang src:

// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.

which I believe is covered by including it in the NOTICE.txt at the root of the repo.


// defer to the default verification performed
chains, err := headCert.Verify(opts)
return certs, chains, errors.WithStack(err)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need the full stack trace here? The error will be presented to users in log messages. Can we create/ensure a more informative message why validation failed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verify provides useful messages as is -- you can change around the unit test cases' wantErr value so the tests fail and see some examples quickly -- so we may just be able to skip wrapping the error here. Adding stacks when calling out to libraries that don't implement it is habit for me.

@@ -80,15 +86,12 @@ func (c *TLSConfig) ToConfig() *tls.Config {
minVersion, maxVersion := extractMinMaxVersion(c.Versions)
insecure := c.Verification != VerifyFull
if insecure {
logp.NewLogger("tls").Warn("SSL/TLS verifications disabled.")
logp.NewLogger("tls").Warn("Some SSL/TLS verifications disabled.")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe log only if insecure && verifyPeerCertFn == nil

option for testing only.

The default is `full`.
Controls the verification of certificates. Valid values are:
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@andrewkroh wondering the same here. Do we collect the SSL settings from one common template, or do we need the templates to include SSL settings?

@urso
Copy link

urso commented Jul 29, 2020

@dedemorton any idea why the docs build is failing?

for i, asn1Data := range rawCerts {
cert, err := x509.ParseCertificate(asn1Data)
if err != nil {
return nil, nil, errors.Wrap(err, "tls: failed to parse certificate from server")
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the goal is to avoid stack traces here then this will also have them, can change it to use %w wrapping if that's preferable

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, %w is definitely prefferable.

@ph ph removed their request for review July 30, 2020 14:24
@anyasabo
Copy link
Contributor Author

anyasabo commented Aug 3, 2020

I think I addressed all of the current code comments, waiting on #20357 to be merged and then can finish the doc updates.

@urso
Copy link

urso commented Aug 10, 2020

jenkins run the tests please

@urso urso self-assigned this Aug 10, 2020
@urso
Copy link

urso commented Aug 17, 2020

@anyasabo Change Looks good. The Lint on the CI intake is still failing. Looks like a license file header is missing. Calling mage addLicenseHeaders on the libbeat directory should fix this. If in doubt run make check. make check will keep the modified file, allowing you to create a commit for all linting errors right away.

@anyasabo
Copy link
Contributor Author

I updated the license header in verify.go to have Elastic's at the top, then the golang header underneath. This seems weird but I think it's okay? It's still not clear to me that we need the golang header in the actual file rather than in the NOTICE but 🤷‍♀️

Still waiting on #20357 to make docs updates

@andrewkroh
Copy link
Member

#20357 is merged now.

@anyasabo anyasabo requested review from a team as code owners August 19, 2020 14:45
@anyasabo
Copy link
Contributor Author

jenkins run the tests please

@urso urso added the test-plan Add this PR to be manual test plan label Aug 20, 2020
@anyasabo
Copy link
Contributor Author

jenkins run the tests please

@urso
Copy link

urso commented Aug 21, 2020

Did have a look at the failing tests. There are a few flaky ones on travis. It looks like all dashboard loading tests are failing (beats CI users Kibana snapshot). Either something is broken in Beats master, or there was a breaking change in Kibana. All in all, all tls tests and output tests that use TLS are green. Let's stop rerunning CI.

@urso urso added the needs_backport PR is waiting to be backported to other branches. label Aug 21, 2020
@urso urso merged commit 5050283 into elastic:master Aug 21, 2020
@andresrc
Copy link
Contributor

Thanks a lot @anyasabo

@urso urso added v7.10.0 and removed needs_backport PR is waiting to be backported to other branches. labels Sep 8, 2020
urso pushed a commit to urso/beats that referenced this pull request Sep 10, 2020
urso pushed a commit that referenced this pull request Sep 14, 2020
@andresrc andresrc added the test-plan-added This PR has been added to the test plan label Oct 3, 2020
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
@MarcoFlo
Copy link

The option 'certificate' is in the docs, but cannot be used, is it normal ? is there a release date ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement Team:Services (Deprecated) Label for the former Integrations-Services team test-plan Add this PR to be manual test plan test-plan-added This PR has been added to the test plan v7.10.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support 'certificate' in the ssl.verification_mode options for TLS options.
6 participants