From 3c0cd07dcd6979538e2b92b9997f2535aa13798e Mon Sep 17 00:00:00 2001 From: Ry Biesemeyer Date: Tue, 16 Mar 2021 13:49:40 -0700 Subject: [PATCH] Backport PR #12749 to 6.8: internal-monitoring: use configured ssl verification mode (#12752) * internal-monitoring: use configured ssl verification mode (#12749) Upstream `ElasticsearchOptions#es_options_from_settings` already uses the setting `elasticsearch.ssl.verification_mode` to produce an appropriate boolean-valued `ssl_certificate_verification` in our `es_settings` hash, so we can rely on it instead of re-checking equality with a string. (cherry picked from commit d5becc00824c62c7afabe97dc050d47a0e770cf7) # Conflicts: # x-pack/spec/monitoring/pipeline_register_hook_spec.rb * monitoring: backport auto-detection of ssl from host --- x-pack/lib/helpers/elasticsearch_options.rb | 2 + x-pack/lib/monitoring/monitoring.rb | 7 ++- .../monitoring/pipeline_register_hook_spec.rb | 52 +++++++++++++++++++ 3 files changed, 59 insertions(+), 2 deletions(-) create mode 100644 x-pack/spec/monitoring/pipeline_register_hook_spec.rb diff --git a/x-pack/lib/helpers/elasticsearch_options.rb b/x-pack/lib/helpers/elasticsearch_options.rb index 0d44678bdce..74e7c82bc10 100644 --- a/x-pack/lib/helpers/elasticsearch_options.rb +++ b/x-pack/lib/helpers/elasticsearch_options.rb @@ -25,6 +25,8 @@ def es_options_from_settings(feature, settings) opts['sniffing'] = settings.get("xpack.#{feature}.elasticsearch.sniffing") opts['ssl_certificate_verification'] = settings.get("xpack.#{feature}.elasticsearch.ssl.verification_mode") == 'certificate' + opts['ssl'] = true if Array(opts['hosts']).all? { |h| h.start_with?('https://') } + if cacert = settings.get("xpack.#{feature}.elasticsearch.ssl.certificate_authority") opts['cacert'] = cacert opts['ssl'] = true diff --git a/x-pack/lib/monitoring/monitoring.rb b/x-pack/lib/monitoring/monitoring.rb index e8565060e6b..f4f21e2b18b 100644 --- a/x-pack/lib/monitoring/monitoring.rb +++ b/x-pack/lib/monitoring/monitoring.rb @@ -29,19 +29,22 @@ def initialize(node_uuid, @es_hosts = es_settings['hosts'] @user = es_settings['user'] @password = es_settings['password'] + @ssl = es_settings['ssl'] @ca_path = es_settings['cacert'] @truststore_path = es_settings['truststore'] @truststore_password = es_settings['truststore_password'] @keystore_path = es_settings['keystore'] @keystore_password = es_settings['keystore_password'] @sniffing = es_settings['sniffing'] - @ssl_certificate_verification = (es_settings['verification_mode'] == 'certificate') + @ssl_certificate_verification = es_settings.fetch('ssl_certificate_verification', true) end attr_accessor :system_api_version, :es_hosts, :user, :password, :node_uuid attr_accessor :ca_path, :truststore_path, :truststore_password attr_accessor :keystore_path, :keystore_password, :sniffing, :ssl_certificate_verification + attr_reader :ssl + def collection_interval TimeUnit::SECONDS.convert(@collection_interval, TimeUnit::NANOSECONDS) end @@ -55,7 +58,7 @@ def auth? end def ssl? - ca_path || (truststore_path && truststore_password) || (keystore_path && keystore_password) + ssl || ca_path || (truststore_path && truststore_password) || (keystore_path && keystore_password) end def truststore? diff --git a/x-pack/spec/monitoring/pipeline_register_hook_spec.rb b/x-pack/spec/monitoring/pipeline_register_hook_spec.rb new file mode 100644 index 00000000000..f0af8234ad4 --- /dev/null +++ b/x-pack/spec/monitoring/pipeline_register_hook_spec.rb @@ -0,0 +1,52 @@ +# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +# or more contributor license agreements. Licensed under the Elastic License; +# you may not use this file except in compliance with the Elastic License. + +require 'monitoring/monitoring' + +describe LogStash::MonitoringExtension::PipelineRegisterHook do + + subject { described_class.new } + + before(:all) { + @extension = LogStash::MonitoringExtension.new + # used to register monitoring xpack's settings + @sys_settings = LogStash::Runner::SYSTEM_SETTINGS.clone + @extension.additionals_settings(@sys_settings) + } + + context 'validate monitoring settings' do + it "work with xpack-namespaced settings" do + settings = @sys_settings.clone + settings.set_value("xpack.monitoring.enabled", true) + settings.set_value("xpack.monitoring.elasticsearch.hosts", "http://localhost:9200") + settings.set_value("xpack.monitoring.elasticsearch.username", "elastic") + settings.set_value("xpack.monitoring.elasticsearch.password", "changeme") + expect(subject.generate_pipeline_config(settings)).to be_truthy + end + + context 'ssl certificate verification setting' do + { + 'certificate' => 'true', + 'none' => 'false', + nil => 'true', # unset, uses default + }.each do |setting_value, expected_result| + context "with `xpack.monitoring.elasticsearch.ssl.verification_mode` #{setting_value ? "set to `#{setting_value}`" : 'unset'}" do + it "the generated pipeline includes `ssl_certificate_verification => #{expected_result}`" do + settings = @sys_settings.clone.tap(&:reset) + settings.set_value("xpack.monitoring.enabled", true) + settings.set_value("xpack.monitoring.elasticsearch.hosts", "https://localhost:9200") + settings.set_value("xpack.monitoring.elasticsearch.username", "elastic") + settings.set_value("xpack.monitoring.elasticsearch.password", "changeme") + + settings.set_value("xpack.monitoring.elasticsearch.ssl.verification_mode", setting_value) unless setting_value.nil? + + generated_pipeline_config = subject.generate_pipeline_config(settings) + + expect(generated_pipeline_config).to include("ssl_certificate_verification => #{expected_result}") + end + end + end + end + end +end