[ResponseOps] Remove 7.x deprecated kibana.yml settings (elastic#198435)
Resolves elastic#194622

## Summary

Removes the following deprecated configuration settings:

- `xpack.actions.customHostSettings.ssl.rejectUnauthorized`
- `xpack.actions.whitelistedHosts`
- `xpack.actions.rejectUnauthorized`
- `xpack.actions.proxyRejectUnauthorizedCertificates`
- `xpack.alerts.healthCheck`
- `xpack.alerts.invalidateApiKeysTask.interval`
- `xpack.alerts.invalidateApiKeysTask.removalDelay`
- `xpack.alerting.defaultRuleTaskTimeout`

---------

Co-authored-by: kibanamachine <[email protected]>
doakalexi and kibanamachine authored Nov 4, 2024
1 parent cbb211a commit 9efe20e
Showing 21 changed files with 6 additions and 320 deletions.
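--- a/docs/settings/alert-action-settings.asciidoc
+++ b/docs/settings/alert-action-settings.asciidoc
@@ -112,11 +112,6 @@ A boolean value indicating that TLS must be used for this connection.
 The options `smtp.ignoreTLS` and `smtp.requireTLS` can not both be set to true.
 Default: `false`.
 
-`xpack.actions.customHostSettings[n].ssl.rejectUnauthorized`::
-deprecated:[8.0.0] Use <<action-config-custom-host-verification-mode,`xpack.actions.customHostSettings.ssl.verificationMode`>> instead. A boolean value indicating whether to bypass server certificate validation.
-Overrides the general `xpack.actions.rejectUnauthorized` configuration
-for requests made for this hostname/port.
-
 [[action-config-custom-host-verification-mode]] `xpack.actions.customHostSettings[n].ssl.verificationMode` {ess-icon}::
 Controls the verification of the server certificate that {kib} receives when making an outbound SSL/TLS connection to the host server. Valid values are `full`, `certificate`, and `none`.
 Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>. Overrides the general `xpack.actions.ssl.verificationMode` configuration
@@ -198,19 +193,10 @@ By default, no hosts will use the proxy, but if an action's hostname is in this
 `xpack.actions.proxyHeaders` {ess-icon}::
 Specifies HTTP headers for the proxy, if using a proxy for actions. Default: {}.
 
-`xpack.actions.proxyRejectUnauthorizedCertificates` {ess-icon}::
-deprecated:[8.0.0] Use <<action-config-proxy-verification-mode,`xpack.actions.ssl.proxyVerificationMode`>> instead. Set to `false` to bypass certificate validation for the proxy, if using a proxy for actions. Default: `true`.
-
 [[action-config-proxy-verification-mode]]`xpack.actions.ssl.proxyVerificationMode` {ess-icon}::
 Controls the verification for the proxy server certificate that Kibana receives when making an outbound SSL/TLS connection to the proxy server. Valid values are `full`, `certificate`, and `none`.
 Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>.
 
-`xpack.actions.rejectUnauthorized` {ess-icon}::
-deprecated:[8.0.0] Use <<action-config-verification-mode,`xpack.actions.ssl.verificationMode`>> instead. Set to `false` to bypass certificate validation for actions. Default: `true`.
-+
-As an alternative to setting `xpack.actions.rejectUnauthorized`, you can use the setting
-`xpack.actions.customHostSettings` to set SSL options for specific servers.
-
 [[action-config-verification-mode]] `xpack.actions.ssl.verificationMode` {ess-icon}::
 Controls the verification for the server certificate that {hosted-ems} receives when making an outbound SSL/TLS connection for actions. Valid values are `full`, `certificate`, and `none`.
 Use `full` to perform hostname verification, `certificate` to skip hostname verification, and `none` to skip verification. Default: `full`. <<elasticsearch-ssl-verificationMode,Equivalent {kib} setting>>.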
Expand Up @@ -221,16 +221,13 @@ kibana_vars=(
xpack.actions.proxyBypassHosts
xpack.actions.proxyHeaders
xpack.actions.proxyOnlyHosts
xpack.actions.proxyRejectUnauthorizedCertificates
xpack.actions.proxyUrl
xpack.actions.rejectUnauthorized
xpack.actions.responseTimeout
xpack.actions.ssl.proxyVerificationMode
xpack.actions.ssl.verificationMode
xpack.alerting.healthCheck.interval
xpack.alerting.invalidateApiKeysTask.interval
xpack.alerting.invalidateApiKeysTask.removalDelay
xpack.alerting.defaultRuleTaskTimeout
xpack.alerting.rules.run.timeout
xpack.alerting.rules.run.ruleTypeOverrides
xpack.alerting.cancelAlertsOnRuleTimeout
Expand All @@ -240,9 +237,6 @@ kibana_vars=(
xpack.alerting.rules.run.alerts.max
xpack.alerting.rules.run.actions.connectorTypeOverrides
xpack.alerting.maxScheduledPerMinute
xpack.alerts.healthCheck.interval
xpack.alerts.invalidateApiKeysTask.interval
xpack.alerts.invalidateApiKeysTask.removalDelay
xpack.apm.indices.error
xpack.apm.indices.metric
xpack.apm.indices.onboarding
Expand Up @@ -575,8 +575,6 @@ describe('create()', () => {
allowedHosts: ['*'],
preconfiguredAlertHistoryEsIndex: false,
preconfigured: {},
proxyRejectUnauthorizedCertificates: true, // legacy
rejectUnauthorized: true, // legacy
proxyBypassHosts: undefined,
proxyOnlyHosts: undefined,
maxResponseContentLength: new ByteSizeValue(1000000),
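--- a/x-pack/plugins/actions/server/actions_config.test.ts
+++ b/x-pack/plugins/actions/server/actions_config.test.ts
@@ -30,8 +30,6 @@ const defaultActionsConfig: ActionsConfig = {
 enabledActionTypes: [],
 preconfiguredAlertHistoryEsIndex: false,
 preconfigured: {},
-proxyRejectUnauthorizedCertificates: true, // legacy
-rejectUnauthorized: true, // legacy
 maxResponseContentLength: new ByteSizeValue(1000000),
 responseTimeout: moment.duration(60000),
 ssl: {
@@ -318,25 +316,6 @@ describe('getProxySettings', () => {
 expect(proxySettings?.proxyUrl).toBe(config.proxyUrl);
 });
 
-test('returns proper verificationMode values, beased on the legacy config option proxyRejectUnauthorizedCertificates', () => {
-const configTrue: ActionsConfig = {
-...defaultActionsConfig,
-proxyUrl: 'https://proxy.elastic.co',
-proxyRejectUnauthorizedCertificates: true,
-};
-let proxySettings = getActionsConfigurationUtilities(configTrue).getProxySettings();
-expect(proxySettings?.proxySSLSettings.verificationMode).toBe('full');
-
-const configFalse: ActionsConfig = {
-...defaultActionsConfig,
-proxyUrl: 'https://proxy.elastic.co',
-proxyRejectUnauthorizedCertificates: false,
-ssl: {},
-};
-proxySettings = getActionsConfigurationUtilities(configFalse).getProxySettings();
-expect(proxySettings?.proxySSLSettings.verificationMode).toBe('none');
-});
-
 test('returns proper verificationMode value, based on the SSL proxy configuration', () => {
 const configTrue: ActionsConfig = {
 ...defaultActionsConfig,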
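--- a/x-pack/plugins/actions/server/actions_config.ts
+++ b/x-pack/plugins/actions/server/actions_config.ts
@@ -122,10 +122,7 @@ function getProxySettingsFromConfig(config: ActionsConfig): undefined | ProxySet
 proxyBypassHosts: arrayAsSet(config.proxyBypassHosts),
 proxyOnlyHosts: arrayAsSet(config.proxyOnlyHosts),
 proxyHeaders: config.proxyHeaders,
-proxySSLSettings: getSSLSettingsFromConfig(
-config.ssl?.proxyVerificationMode,
-config.proxyRejectUnauthorizedCertificates
-),
+proxySSLSettings: getSSLSettingsFromConfig(config.ssl?.proxyVerificationMode),
 };
 }
 
@@ -200,8 +197,7 @@ export function getActionsConfigurationUtilities(
 isActionTypeEnabled,
 getProxySettings: () => getProxySettingsFromConfig(config),
 getResponseSettings: () => getResponseSettingsFromConfig(config),
-getSSLSettings: () =>
-getSSLSettingsFromConfig(config.ssl?.verificationMode, config.rejectUnauthorized),
+getSSLSettings: () => getSSLSettingsFromConfig(config.ssl?.verificationMode),
 ensureUriAllowed(uri: string) {
 if (!isUriAllowed(uri)) {
 throw new Error(allowListErrorMessage(AllowListingField.URL, uri));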
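Review bot: Both call sites now pass only the verification mode to `getSSLSettingsFromConfig`, so an unset `ssl.verificationMode` or `ssl.proxyVerificationMode` reaches the helper as `undefined` with no legacy default behind it, and nothing visible here shows what the helper returns in that case. The helper is defined outside both hunks; if it still declares a second `rejectUnauthorized` parameter and a fallback branch, that is dead code after this change and should be removed with it. The test deleted from `actions_config.test.ts` was the only visible case that passed `ssl: {}`, so I would keep one case with `ssl: {}` that pins the resulting `proxySSLSettings` and `getSSLSettings()` values, so that certificate verification staying on for an unset mode is asserted rather than assumed.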
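--- a/x-pack/plugins/actions/server/config.test.ts
+++ b/x-pack/plugins/actions/server/config.test.ts
@@ -35,8 +35,6 @@ describe('config validation', () => {
 "microsoftGraphApiUrl": "https://graph.microsoft.com/v1.0",
 "preconfigured": Object {},
 "preconfiguredAlertHistoryEsIndex": false,
-"proxyRejectUnauthorizedCertificates": true,
-"rejectUnauthorized": true,
 "responseTimeout": "PT1M",
 "usage": Object {
 "url": "https://usage-api.usage-api/api/v1/usage",
@@ -56,8 +54,6 @@ describe('config validation', () => {
 },
 },
 },
-proxyRejectUnauthorizedCertificates: false,
-rejectUnauthorized: false,
 };
 expect(configSchema.validate(config)).toMatchInlineSnapshot(`
 Object {
@@ -85,8 +81,6 @@ describe('config validation', () => {
 },
 },
 "preconfiguredAlertHistoryEsIndex": false,
-"proxyRejectUnauthorizedCertificates": false,
-"rejectUnauthorized": false,
 "responseTimeout": "PT1M",
 "usage": Object {
 "url": "https://usage-api.usage-api/api/v1/usage",
@@ -224,8 +218,6 @@ describe('config validation', () => {
 "microsoftGraphApiUrl": "https://graph.microsoft.com/v1.0",
 "preconfigured": Object {},
 "preconfiguredAlertHistoryEsIndex": false,
-"proxyRejectUnauthorizedCertificates": true,
-"rejectUnauthorized": true,
 "responseTimeout": "PT1M",
 "ssl": Object {
 "proxyVerificationMode": "none",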
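--- a/x-pack/plugins/actions/server/config.ts
+++ b/x-pack/plugins/actions/server/config.ts
@@ -44,10 +44,6 @@ const customHostSettingsSchema = schema.object({
 ),
 ssl: schema.maybe(
 schema.object({
-/**
-* @deprecated in favor of `verificationMode`
-**/
-rejectUnauthorized: schema.maybe(schema.boolean()),
 verificationMode: schema.maybe(
 schema.oneOf(
 [schema.literal('none'), schema.literal('certificate'), schema.literal('full')],
@@ -98,16 +94,8 @@ export const configSchema = schema.object({
 }),
 proxyUrl: schema.maybe(schema.string()),
 proxyHeaders: schema.maybe(schema.recordOf(schema.string(), schema.string())),
-/**
-* @deprecated in favor of `ssl.proxyVerificationMode`
-**/
-proxyRejectUnauthorizedCertificates: schema.boolean({ defaultValue: true }),
 proxyBypassHosts: schema.maybe(schema.arrayOf(schema.string({ hostname: true }))),
 proxyOnlyHosts: schema.maybe(schema.arrayOf(schema.string({ hostname: true }))),
-/**
-* @deprecated in favor of `ssl.verificationMode`
-**/
-rejectUnauthorized: schema.boolean({ defaultValue: true }),
 ssl: schema.maybe(
 schema.object({
 verificationMode: schema.maybe(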
61 changes: 0 additions & 61 deletions x-pack/plugins/actions/server/index.test.ts

This file was deleted.

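--- a/x-pack/plugins/actions/server/index.ts
+++ b/x-pack/plugins/actions/server/index.ts
@@ -4,10 +4,9 @@
 * 2.0; you may not use this file except in compliance with the Elastic License
 * 2.0.
 */
-import { get } from 'lodash';
 import type { PublicMethodsOf } from '@kbn/utility-types';
 import { PluginInitializerContext, PluginConfigDescriptor } from '@kbn/core/server';
-import { configSchema, ActionsConfig, CustomHostSettings } from './config';
+import { configSchema, ActionsConfig } from './config';
 import { ActionsClient as ActionsClientClass } from './actions_client';
 import { ActionsAuthorization as ActionsAuthorizationClass } from './authorization/actions_authorization';
 
@@ -51,103 +50,6 @@ export const config: PluginConfigDescriptor<ActionsConfig> = {
 exposeToBrowser: {
 email: { domain_allowlist: true },
 },
-deprecations: ({ renameFromRoot, unused }) => [
-renameFromRoot('xpack.actions.whitelistedHosts', 'xpack.actions.allowedHosts', {
-level: 'warning',
-}),
-(settings, fromPath, addDeprecation) => {
-const actions = get(settings, fromPath);
-const customHostSettings = actions?.customHostSettings ?? [];
-if (
-customHostSettings.find(
-(customHostSchema: CustomHostSettings) =>
-Object.hasOwn(customHostSchema, 'ssl') &&
-Object.hasOwn(customHostSchema.ssl ?? {}, 'rejectUnauthorized')
-)
-) {
-addDeprecation({
-level: 'warning',
-configPath: 'xpack.actions.customHostSettings.ssl.rejectUnauthorized',
-message:
-`"xpack.actions.customHostSettings[<index>].ssl.rejectUnauthorized" is deprecated.` +
-`Use "xpack.actions.customHostSettings[<index>].ssl.verificationMode" instead, ` +
-`with the setting "verificationMode:full" eql to "rejectUnauthorized:true", ` +
-`and "verificationMode:none" eql to "rejectUnauthorized:false".`,
-correctiveActions: {
-manualSteps: [
-`Remove "xpack.actions.customHostSettings[<index>].ssl.rejectUnauthorized" from your kibana configs.`,
-`Use "xpack.actions.customHostSettings[<index>].ssl.verificationMode" ` +
-`with the setting "verificationMode:full" eql to "rejectUnauthorized:true", ` +
-`and "verificationMode:none" eql to "rejectUnauthorized:false".`,
-],
-},
-});
-return {
-unset: [
-{
-path: `xpack.actions.customHostSettings.ssl.rejectUnauthorized`,
-},
-],
-};
-}
-},
-(settings, fromPath, addDeprecation) => {
-const actions = get(settings, fromPath);
-if (Object.hasOwn(actions ?? {}, 'rejectUnauthorized')) {
-addDeprecation({
-level: 'warning',
-configPath: `${fromPath}.rejectUnauthorized`,
-message:
-`"xpack.actions.rejectUnauthorized" is deprecated. Use "xpack.actions.ssl.verificationMode" instead, ` +
-`with the setting "verificationMode:full" eql to "rejectUnauthorized:true", ` +
-`and "verificationMode:none" eql to "rejectUnauthorized:false".`,
-correctiveActions: {
-manualSteps: [
-`Remove "xpack.actions.rejectUnauthorized" from your kibana configs.`,
-`Use "xpack.actions.ssl.verificationMode" ` +
-`with the setting "verificationMode:full" eql to "rejectUnauthorized:true", ` +
-`and "verificationMode:none" eql to "rejectUnauthorized:false".`,
-],
-},
-});
-return {
-unset: [
-{
-path: `xpack.actions.rejectUnauthorized`,
-},
-],
-};
-}
-},
-(settings, fromPath, addDeprecation) => {
-const actions = get(settings, fromPath);
-if (Object.hasOwn(actions ?? {}, 'proxyRejectUnauthorizedCertificates')) {
-addDeprecation({
-level: 'warning',
-configPath: `${fromPath}.proxyRejectUnauthorizedCertificates`,
-message:
-`"xpack.actions.proxyRejectUnauthorizedCertificates" is deprecated. Use "xpack.actions.ssl.proxyVerificationMode" instead, ` +
-`with the setting "proxyVerificationMode:full" eql to "rejectUnauthorized:true",` +
-`and "proxyVerificationMode:none" eql to "rejectUnauthorized:false".`,
-correctiveActions: {
-manualSteps: [
-`Remove "xpack.actions.proxyRejectUnauthorizedCertificates" from your kibana configs.`,
-`Use "xpack.actions.ssl.proxyVerificationMode" ` +
-`with the setting "proxyVerificationMode:full" eql to "rejectUnauthorized:true",` +
-`and "proxyVerificationMode:none" eql to "rejectUnauthorized:false".`,
-],
-},
-});
-return {
-unset: [
-{
-path: `xpack.actions.proxyRejectUnauthorizedCertificates`,
-},
-],
-};
-}
-},
-],
 };
 
 export { urlAllowListValidator } from './sub_action_framework/helpers';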
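Review bot: Dropping the whole `deprecations` block also removes the `renameFromRoot('xpack.actions.whitelistedHosts', 'xpack.actions.allowedHosts', …)` mapping, and the new descriptor has nothing that says what happens to a kibana.yml that still carries the old keys. The safe outcome is that startup fails on the unknown key; if `configSchema` (outside this hunk) tolerated unknown keys instead, an operator's `whitelistedHosts` allow-list would be ignored and `allowedHosts` would fall back to its default, which may be wider than intended. I would pin this in `config.test.ts` with `expect(() => configSchema.validate({ whitelistedHosts: ['example.com'] })).toThrow();` and the same for `rejectUnauthorized` and `proxyRejectUnauthorizedCertificates`, and add a one-line comment above `config` stating that the removed 7.x keys are rejected at validation. The `config` descriptor begins above the second hunk.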
Expand Up @@ -461,7 +461,6 @@ async function rejectUnauthorizedTargetProxyTest(opts: RunTestOptions) {
await runWithSetup(opts, async (target, proxyInstance, axiosDefaults) => {
const acu = getACUfromConfig({
proxyUrl: proxyInstance.url,
rejectUnauthorized: false,
customHostSettings: [{ url: target.url, ssl: { verificationMode: 'none' } }],
});

Expand Down Expand Up @@ -676,14 +675,12 @@ const BaseActionsConfig: ActionsConfig = {
preconfigured: {},
proxyUrl: undefined,
proxyHeaders: undefined,
proxyRejectUnauthorizedCertificates: true,
ssl: {
proxyVerificationMode: 'full',
verificationMode: 'full',
},
proxyBypassHosts: undefined,
proxyOnlyHosts: undefined,
rejectUnauthorized: true,
maxResponseContentLength: ByteSizeValue.parse('1mb'),
responseTimeout: momentDuration(1000 * 30),
customHostSettings: undefined,