From d43019b69f4aa30af1ab967cfc939fae930b68dd Mon Sep 17 00:00:00 2001 From: Brandon Kobel Date: Thu, 3 May 2018 08:53:13 -0400 Subject: [PATCH] No longer setting certs and keys for proxied calls to Elasticsearch (#17804) --- .../__tests__/elasticsearch_proxy_config.js | 10 ++++----- .../server/elasticsearch_proxy_config.js | 7 ------ .../lib/__tests__/parse_config.js | 22 +++++++++++++++++-- src/core_plugins/elasticsearch/lib/cluster.js | 6 ++--- .../elasticsearch/lib/create_agent.js | 2 +- .../elasticsearch/lib/parse_config.js | 4 ++-- 6 files changed, 31 insertions(+), 20 deletions(-) diff --git a/src/core_plugins/console/server/__tests__/elasticsearch_proxy_config.js b/src/core_plugins/console/server/__tests__/elasticsearch_proxy_config.js index 7bd963dd9f9540..c83bacd4338968 100644 --- a/src/core_plugins/console/server/__tests__/elasticsearch_proxy_config.js +++ b/src/core_plugins/console/server/__tests__/elasticsearch_proxy_config.js @@ -99,22 +99,22 @@ describe('plugins/console', function () { expect(agent.options.ca).to.contain('test ca certificate\n'); }); - it(`sets cert and key when certificate and key paths are specified`, function () { + it(`doesn't set cert and key when certificate and key paths are specified`, function () { setElasticsearchConfig('ssl.certificate', __dirname + '/fixtures/cert.crt'); setElasticsearchConfig('ssl.key', __dirname + '/fixtures/cert.key'); const { agent } = getElasticsearchProxyConfig(server); - expect(agent.options.cert).to.be('test certificate\n'); - expect(agent.options.key).to.be('test key\n'); + expect(agent.options.cert).to.be(undefined); + expect(agent.options.key).to.be(undefined); }); - it(`sets passphrase when certificate, key and keyPassphrase are specified`, function () { + it(`doesn't set passphrase when certificate, key and keyPassphrase are specified`, function () { setElasticsearchConfig('ssl.certificate', __dirname + '/fixtures/cert.crt'); setElasticsearchConfig('ssl.key', __dirname + '/fixtures/cert.key'); setElasticsearchConfig('ssl.keyPassphrase', 'secret'); const { agent } = getElasticsearchProxyConfig(server); - expect(agent.options.passphrase).to.be('secret'); + expect(agent.options.passphrase).to.be(undefined); }); }); }); diff --git a/src/core_plugins/console/server/elasticsearch_proxy_config.js b/src/core_plugins/console/server/elasticsearch_proxy_config.js index 110cde0913a504..2cb161b876afd4 100644 --- a/src/core_plugins/console/server/elasticsearch_proxy_config.js +++ b/src/core_plugins/console/server/elasticsearch_proxy_config.js @@ -36,13 +36,6 @@ const createAgent = (server) => { agentOptions.ca = config.get('elasticsearch.ssl.certificateAuthorities').map(readFile); } - // Add client certificate and key if required by elasticsearch - if (config.get('elasticsearch.ssl.certificate') && config.get('elasticsearch.ssl.key')) { - agentOptions.cert = readFile(config.get('elasticsearch.ssl.certificate')); - agentOptions.key = readFile(config.get('elasticsearch.ssl.key')); - agentOptions.passphrase = config.get('elasticsearch.ssl.keyPassphrase'); - } - return new https.Agent(agentOptions); }; diff --git a/src/core_plugins/elasticsearch/lib/__tests__/parse_config.js b/src/core_plugins/elasticsearch/lib/__tests__/parse_config.js index 3cc30d31fc25de..2dde5a89368506 100644 --- a/src/core_plugins/elasticsearch/lib/__tests__/parse_config.js +++ b/src/core_plugins/elasticsearch/lib/__tests__/parse_config.js @@ -69,7 +69,7 @@ describe('plugins/elasticsearch', function () { expect(config.ssl.ca).to.contain('test ca certificate\n'); }); - it(`sets cert and key when certificate and key paths are specified`, function () { + it(`by default sets cert and key when certificate and key paths are specified`, function () { serverConfig.ssl.certificate = __dirname + '/fixtures/cert.crt'; serverConfig.ssl.key = __dirname + '/fixtures/cert.key'; @@ -78,7 +78,7 @@ describe('plugins/elasticsearch', function () { expect(config.ssl.key).to.be('test key\n'); }); - it(`sets passphrase when certificate, key and keyPassphrase are specified`, function () { + it(`by default sets passphrase when certificate, key and keyPassphrase are specified`, function () { serverConfig.ssl.certificate = __dirname + '/fixtures/cert.crt'; serverConfig.ssl.key = __dirname + '/fixtures/cert.key'; serverConfig.ssl.keyPassphrase = 'secret'; @@ -86,6 +86,24 @@ describe('plugins/elasticsearch', function () { const config = parseConfig(serverConfig); expect(config.ssl.passphrase).to.be('secret'); }); + + it(`doesn't set cert and key when ignoreCertAndKey is true`, function () { + serverConfig.ssl.certificate = __dirname + '/fixtures/cert.crt'; + serverConfig.ssl.key = __dirname + '/fixtures/cert.key'; + + const config = parseConfig(serverConfig, { ignoreCertAndKey: true }); + expect(config.ssl.cert).to.be(undefined); + expect(config.ssl.key).to.be(undefined); + }); + + it(`by default sets passphrase when ignoreCertAndKey is true`, function () { + serverConfig.ssl.certificate = __dirname + '/fixtures/cert.crt'; + serverConfig.ssl.key = __dirname + '/fixtures/cert.key'; + serverConfig.ssl.keyPassphrase = 'secret'; + + const config = parseConfig(serverConfig, { ignoreCertAndKey: true }); + expect(config.ssl.passphrase).to.be(undefined); + }); }); }); }); diff --git a/src/core_plugins/elasticsearch/lib/cluster.js b/src/core_plugins/elasticsearch/lib/cluster.js index 119e3f1ae4d460..f154f5958646dc 100644 --- a/src/core_plugins/elasticsearch/lib/cluster.js +++ b/src/core_plugins/elasticsearch/lib/cluster.js @@ -15,7 +15,7 @@ export class Cluster { this._clients = new Set(); this._client = this.createClient(); - this._noAuthClient = this.createClient({ auth: false }); + this._noAuthClient = this.createClient({ auth: false }, { ignoreCertAndKey: true }); return this; } @@ -53,13 +53,13 @@ export class Cluster { this._clients.clear(); } - createClient = configOverrides => { + createClient = (configOverrides, parseOptions) => { const config = { ...this._getClientConfig(), ...configOverrides }; - const client = new elasticsearch.Client(parseConfig(config)); + const client = new elasticsearch.Client(parseConfig(config, parseOptions)); this._clients.add(client); return client; } diff --git a/src/core_plugins/elasticsearch/lib/create_agent.js b/src/core_plugins/elasticsearch/lib/create_agent.js index 190a51670dd1f7..4b4974f585ee66 100644 --- a/src/core_plugins/elasticsearch/lib/create_agent.js +++ b/src/core_plugins/elasticsearch/lib/create_agent.js @@ -10,5 +10,5 @@ export default function (config) { if (!/^https/.test(target.protocol)) return new http.Agent(); - return new https.Agent(parseConfig(config).ssl); + return new https.Agent(parseConfig(config, { ignoreCertAndKey: true }).ssl); } diff --git a/src/core_plugins/elasticsearch/lib/parse_config.js b/src/core_plugins/elasticsearch/lib/parse_config.js index 50d22bb5825e08..45cd5a9a582433 100644 --- a/src/core_plugins/elasticsearch/lib/parse_config.js +++ b/src/core_plugins/elasticsearch/lib/parse_config.js @@ -6,7 +6,7 @@ import Bluebird from 'bluebird'; const readFile = (file) => readFileSync(file, 'utf8'); -export function parseConfig(serverConfig = {}) { +export function parseConfig(serverConfig = {}, { ignoreCertAndKey = false } = {}) { const config = { keepAlive: true, ...pick(serverConfig, [ @@ -56,7 +56,7 @@ export function parseConfig(serverConfig = {}) { } // Add client certificate and key if required by elasticsearch - if (get(serverConfig, 'ssl.certificate') && get(serverConfig, 'ssl.key')) { + if (!ignoreCertAndKey && get(serverConfig, 'ssl.certificate') && get(serverConfig, 'ssl.key')) { config.ssl.cert = readFile(serverConfig.ssl.certificate); config.ssl.key = readFile(serverConfig.ssl.key); config.ssl.passphrase = serverConfig.ssl.keyPassphrase;