From 8d5b16d9458c7a314671cde18c1252dae5b97196 Mon Sep 17 00:00:00 2001 From: Chris Roberson Date: Fri, 17 Jul 2020 12:51:46 -0400 Subject: [PATCH] [Monitoring] Added a case for Alerting if security/ssl is disabled (#71846) (#72297) * Added a case for Alerting if security/ssl is disabled * Code feedback * Fixed types Co-authored-by: igoristic --- x-pack/plugins/monitoring/kibana.json | 3 +- .../public/alerts/lib/security_toasts.tsx | 137 ++++++++++++++++++ .../monitoring/public/services/clusters.js | 4 +- .../elasticsearch/verify_alerting_security.ts | 49 +++++++ x-pack/plugins/monitoring/server/plugin.ts | 1 + .../server/routes/api/v1/alerts/enable.ts | 25 +++- x-pack/plugins/monitoring/server/types.ts | 3 + 7 files changed, 216 insertions(+), 6 deletions(-) create mode 100644 x-pack/plugins/monitoring/public/alerts/lib/security_toasts.tsx create mode 100644 x-pack/plugins/monitoring/server/lib/elasticsearch/verify_alerting_security.ts diff --git a/x-pack/plugins/monitoring/kibana.json b/x-pack/plugins/monitoring/kibana.json index 3b9e60124b034..2b8756ea0cb46 100644 --- a/x-pack/plugins/monitoring/kibana.json +++ b/x-pack/plugins/monitoring/kibana.json @@ -11,7 +11,8 @@ "kibanaLegacy", "triggers_actions_ui", "alerts", - "actions" + "actions", + "encryptedSavedObjects" ], "optionalPlugins": ["infra", "telemetryCollectionManager", "usageCollection", "home", "cloud"], "server": true, diff --git a/x-pack/plugins/monitoring/public/alerts/lib/security_toasts.tsx b/x-pack/plugins/monitoring/public/alerts/lib/security_toasts.tsx new file mode 100644 index 0000000000000..918c0b5c9b609 --- /dev/null +++ b/x-pack/plugins/monitoring/public/alerts/lib/security_toasts.tsx @@ -0,0 +1,137 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import React from 'react'; +import { i18n } from '@kbn/i18n'; +import { FormattedMessage } from '@kbn/i18n/react'; +import { EuiSpacer, EuiLink, EuiCode, EuiText } from '@elastic/eui'; +import { Legacy } from '../../legacy_shims'; +import { toMountPoint } from '../../../../../../src/plugins/kibana_react/public'; + +export interface AlertingFrameworkHealth { + isSufficientlySecure: boolean; + hasPermanentEncryptionKey: boolean; +} + +const showTlsAndEncryptionError = () => { + const { ELASTIC_WEBSITE_URL, DOC_LINK_VERSION } = Legacy.shims.docLinks; + + Legacy.shims.toastNotifications.addWarning({ + title: toMountPoint( + + ), + text: toMountPoint( +
+

+ {i18n.translate('xpack.monitoring.healthCheck.tlsAndEncryptionError', { + defaultMessage: `You must enable Transport Layer Security between Kibana and Elasticsearch + and configure an encryption key in your kibana.yml file to use the Alerting feature.`, + })} +

+ + + {i18n.translate('xpack.monitoring.healthCheck.encryptionErrorAction', { + defaultMessage: 'Learn how.', + })} + +
+ ), + }); +}; + +const showEncryptionError = () => { + const { ELASTIC_WEBSITE_URL, DOC_LINK_VERSION } = Legacy.shims.docLinks; + + Legacy.shims.toastNotifications.addWarning( + { + title: toMountPoint( + + ), + text: toMountPoint( +
+ {i18n.translate('xpack.monitoring.healthCheck.encryptionErrorBeforeKey', { + defaultMessage: 'To create an alert, set a value for ', + })} + + {'xpack.encryptedSavedObjects.encryptionKey'} + + {i18n.translate('xpack.monitoring.healthCheck.encryptionErrorAfterKey', { + defaultMessage: ' in your kibana.yml file. ', + })} + + {i18n.translate('xpack.monitoring.healthCheck.encryptionErrorAction', { + defaultMessage: 'Learn how.', + })} + +
+ ), + }, + {} + ); +}; + +const showTlsError = () => { + const { ELASTIC_WEBSITE_URL, DOC_LINK_VERSION } = Legacy.shims.docLinks; + + Legacy.shims.toastNotifications.addWarning({ + title: toMountPoint( + + ), + text: toMountPoint( +
+ {i18n.translate('xpack.monitoring.healthCheck.tlsError', { + defaultMessage: + 'Alerting relies on API keys, which require TLS between Elasticsearch and Kibana. ', + })} + + {i18n.translate('xpack.monitoring.healthCheck.tlsErrorAction', { + defaultMessage: 'Learn how to enable TLS.', + })} + +
+ ), + }); +}; + +export const showSecurityToast = (alertingHealth: AlertingFrameworkHealth) => { + const { isSufficientlySecure, hasPermanentEncryptionKey } = alertingHealth; + if ( + Array.isArray(alertingHealth) || + (!alertingHealth.hasOwnProperty('isSufficientlySecure') && + !alertingHealth.hasOwnProperty('hasPermanentEncryptionKey')) + ) { + return; + } + + if (!isSufficientlySecure && !hasPermanentEncryptionKey) { + showTlsAndEncryptionError(); + } else if (!isSufficientlySecure) { + showTlsError(); + } else if (!hasPermanentEncryptionKey) { + showEncryptionError(); + } +}; diff --git a/x-pack/plugins/monitoring/public/services/clusters.js b/x-pack/plugins/monitoring/public/services/clusters.js index f3eadcaf9831b..5173984dbe868 100644 --- a/x-pack/plugins/monitoring/public/services/clusters.js +++ b/x-pack/plugins/monitoring/public/services/clusters.js @@ -7,6 +7,7 @@ import { ajaxErrorHandlersProvider } from '../lib/ajax_error_handler'; import { Legacy } from '../legacy_shims'; import { STANDALONE_CLUSTER_CLUSTER_UUID } from '../../common/constants'; +import { showSecurityToast } from '../alerts/lib/security_toasts'; function formatClusters(clusters) { return clusters.map(formatCluster); @@ -66,7 +67,8 @@ export function monitoringClustersProvider($injector) { return getClusters().then((clusters) => { if (clusters.length) { return ensureAlertsEnabled() - .then(() => { + .then(({ data }) => { + showSecurityToast(data); once = true; return clusters; }) diff --git a/x-pack/plugins/monitoring/server/lib/elasticsearch/verify_alerting_security.ts b/x-pack/plugins/monitoring/server/lib/elasticsearch/verify_alerting_security.ts new file mode 100644 index 0000000000000..047b14bd37fbc --- /dev/null +++ b/x-pack/plugins/monitoring/server/lib/elasticsearch/verify_alerting_security.ts @@ -0,0 +1,49 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { RequestHandlerContext } from 'kibana/server'; +import { EncryptedSavedObjectsPluginSetup } from '../../../../encrypted_saved_objects/server'; + +export interface AlertingFrameworkHealth { + isSufficientlySecure: boolean; + hasPermanentEncryptionKey: boolean; +} + +export interface XPackUsageSecurity { + security?: { + enabled?: boolean; + ssl?: { + http?: { + enabled?: boolean; + }; + }; + }; +} + +export class AlertingSecurity { + public static readonly getSecurityHealth = async ( + context: RequestHandlerContext, + encryptedSavedObjects: EncryptedSavedObjectsPluginSetup + ): Promise => { + const { + security: { + enabled: isSecurityEnabled = false, + ssl: { http: { enabled: isTLSEnabled = false } = {} } = {}, + } = {}, + }: XPackUsageSecurity = await context.core.elasticsearch.legacy.client.callAsInternalUser( + 'transport.request', + { + method: 'GET', + path: '/_xpack/usage', + } + ); + + return { + isSufficientlySecure: !isSecurityEnabled || (isSecurityEnabled && isTLSEnabled), + hasPermanentEncryptionKey: !encryptedSavedObjects.usingEphemeralEncryptionKey, + }; + }; +} diff --git a/x-pack/plugins/monitoring/server/plugin.ts b/x-pack/plugins/monitoring/server/plugin.ts index c20de734effc0..cc02ad17d6eec 100644 --- a/x-pack/plugins/monitoring/server/plugin.ts +++ b/x-pack/plugins/monitoring/server/plugin.ts @@ -206,6 +206,7 @@ export class Plugin { requireUIRoutes(this.monitoringCore, { router, licenseService: this.licenseService, + encryptedSavedObjects: plugins.encryptedSavedObjects, }); initInfraSource(config, plugins.infra); } diff --git a/x-pack/plugins/monitoring/server/routes/api/v1/alerts/enable.ts b/x-pack/plugins/monitoring/server/routes/api/v1/alerts/enable.ts index b7cc088d2716c..64beb5c58dc07 100644 --- a/x-pack/plugins/monitoring/server/routes/api/v1/alerts/enable.ts +++ b/x-pack/plugins/monitoring/server/routes/api/v1/alerts/enable.ts @@ -10,18 +10,36 @@ import { AlertsFactory } from '../../../../alerts'; import { RouteDependencies } from '../../../../types'; import { ALERT_ACTION_TYPE_LOG } from '../../../../../common/constants'; import { ActionResult } from '../../../../../../actions/common'; -// import { fetchDefaultEmailAddress } from '../../../../lib/alerts/fetch_default_email_address'; +import { AlertingSecurity } from '../../../../lib/elasticsearch/verify_alerting_security'; const DEFAULT_SERVER_LOG_NAME = 'Monitoring: Write to Kibana log'; -export function enableAlertsRoute(server: any, npRoute: RouteDependencies) { +export function enableAlertsRoute(_server: unknown, npRoute: RouteDependencies) { npRoute.router.post( { path: '/api/monitoring/v1/alerts/enable', validate: false, }, - async (context, request, response) => { + async (context, _request, response) => { try { + const alerts = AlertsFactory.getAll().filter((a) => a.isEnabled(npRoute.licenseService)); + + if (alerts.length) { + const { + isSufficientlySecure, + hasPermanentEncryptionKey, + } = await AlertingSecurity.getSecurityHealth(context, npRoute.encryptedSavedObjects); + + if (!isSufficientlySecure || !hasPermanentEncryptionKey) { + return response.ok({ + body: { + isSufficientlySecure, + hasPermanentEncryptionKey, + }, + }); + } + } + const alertsClient = context.alerting?.getAlertsClient(); const actionsClient = context.actions?.getActionsClient(); const types = context.actions?.listTypes(); @@ -57,7 +75,6 @@ export function enableAlertsRoute(server: any, npRoute: RouteDependencies) { }, ]; - const alerts = AlertsFactory.getAll().filter((a) => a.isEnabled(npRoute.licenseService)); const createdAlerts = await Promise.all( alerts.map( async (alert) => await alert.createIfDoesNotExist(alertsClient, actionsClient, actions) diff --git a/x-pack/plugins/monitoring/server/types.ts b/x-pack/plugins/monitoring/server/types.ts index 0c346c8082475..1e7a5acb33644 100644 --- a/x-pack/plugins/monitoring/server/types.ts +++ b/x-pack/plugins/monitoring/server/types.ts @@ -16,6 +16,7 @@ import { import { InfraPluginSetup } from '../../infra/server'; import { LicensingPluginSetup } from '../../licensing/server'; import { PluginSetupContract as FeaturesPluginSetupContract } from '../../features/server'; +import { EncryptedSavedObjectsPluginSetup } from '../../encrypted_saved_objects/server'; export interface MonitoringLicenseService { refresh: () => Promise; @@ -36,6 +37,7 @@ export interface LegacyAPI { } export interface PluginsSetup { + encryptedSavedObjects: EncryptedSavedObjectsPluginSetup; telemetryCollectionManager?: TelemetryCollectionManagerPluginSetup; usageCollection?: UsageCollectionSetup; licensing: LicensingPluginSetup; @@ -56,6 +58,7 @@ export interface MonitoringCoreConfig { export interface RouteDependencies { router: IRouter; licenseService: MonitoringLicenseService; + encryptedSavedObjects: EncryptedSavedObjectsPluginSetup; } export interface MonitoringCore {