Skip to content

Commit

Permalink
[alerting] Adds Action Type configuration support and whitelisting (#…
Browse files Browse the repository at this point in the history 
…44483)

A wide refactor of Action Types and their configuration:
- Action Types are now initialised with a their associated configuration based on `kibana.yml`
- You may now whitelist certain hostnames to allow built-in actions, such as _Webhooks_, to communicate with the outside world
- The _Webhooks_ Built-in action is now available, if you have `alerting` and `actions` enabled
  • Loading branch information
@gmmorris
gmmorris authored Sep 6, 2019
1 parent 3a158b9 commit 0d1f3cf
Show file tree
Hide file tree
Showing 21 changed files with 496 additions and 89 deletions.
23 changes: 23 additions & 0 deletions x-pack/legacy/plugins/actions/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,29 @@ action types.
2. Create an action by using the RESTful API (see actions -> create action).
3. Use alerts to execute actions or execute manually (see firing actions).

## Kibana Actions Configuration
Implemented under the [Actions Config](./server/actions_config.ts).

### Configuration Options

Built-In-Actions are configured using the _xpack.actions_ namespoace under _kibana.yml_, and have the following configuration options:

| Namespaced Key | Description | Type |
| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
| _xpack.actions._**enabled** | Feature toggle which enabled Actions in Kibana. Currently defaulted to false while Actions are experimental. | boolean |
| _xpack.actions._**WhitelistedHosts** | Which _hostnames_ are whitelisted for the Built-In-Action? This list should contain hostnames of every external service you wish to interact with using Webhooks, Email or any other built in Action. Note that you may use the string "\*" in place of a specific hostname to enable Kibana to target any URL, but keep in mind the potential use of such a feature to execute [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery) attacks from your server. | Array<String> |

### Configuration Utilities

This module provides a Utilities for interacting with the configuration.

| Method | Arguments | Description | Return Type |
| --------------------- | -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| isWhitelistedUri | _uri_: The URI you wish to validate is whitelisted | Validates whether the URI is whitelisted. This checks the configuration and validates that the hostname of the URI is in the list of whitelisted Hosts and returns `true` if it is whitelisted. If the configuration says that all URI's are whitelisted (using an "\*") then it will always return `true`. | Boolean |
| isWhitelistedHostname | _hostname_: The Hostname you wish to validate is whitelisted | Validates whether the Hostname is whitelisted. This checks the configuration and validates that the hostname is in the list of whitelisted Hosts and returns `true` if it is whitelisted. If the configuration says that all Hostnames are whitelisted (using an "\*") then it will always return `true`. | Boolean |
| ensureWhitelistedUri | _uri_: The URI you wish to validate is whitelisted | Validates whether the URI is whitelisted. This checks the configuration and validates that the hostname of the URI is in the list of whitelisted Hosts and throws an error if it is not whitelisted. If the configuration says that all URI's are whitelisted (using an "\*") then it will never throw. | No return value, throws if URI isn't whitelisted |
| ensureWhitelistedHostname | _hostname_: The Hostname you wish to validate is whitelisted | Validates whether the Hostname is whitelisted. This checks the configuration and validates that the hostname is in the list of whitelisted Hosts and throws an error if it is not whitelisted. If the configuration says that all Hostnames are whitelisted (using an "\*") then it will never throw | No return value, throws if Hostname isn't whitelisted |

## Action types

### Methods
Expand Down
7 changes: 7 additions & 0 deletions x-pack/legacy/plugins/actions/index.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,13 @@ export function actions(kibana: any) {
return Joi.object()
.keys({
enabled: Joi.boolean().default(false),
whitelistedHosts: Joi.alternatives()
.try(
Joi.array()
.items(Joi.string().hostname())
.sparse(false)
)
.default([]),
})
.default();
},
Expand Down
141 changes: 141 additions & 0 deletions x-pack/legacy/plugins/actions/server/actions_config.test.ts
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,141 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/

import {
ActionsKibanaConfig,
getActionsConfigurationUtilities,
WhitelistedHosts,
} from './actions_config';

describe('ensureWhitelistedUri', () => {
test('returns true when "any" hostnames are allowed', () => {
const config: ActionsKibanaConfig = {
enabled: false,
whitelistedHosts: [WhitelistedHosts.Any],
};
expect(
getActionsConfigurationUtilities(config).ensureWhitelistedUri(
'https://github.com/elastic/kibana'
)
).toBeUndefined();
});

test('throws when the hostname in the requested uri is not in the whitelist', () => {
const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: [] };
expect(() =>
getActionsConfigurationUtilities(config).ensureWhitelistedUri(
'https://github.com/elastic/kibana'
)
).toThrowErrorMatchingInlineSnapshot(
`"target url \\"https://github.com/elastic/kibana\\" is not in the Kibana whitelist"`
);
});

test('throws when the uri cannot be parsed as a valid URI', () => {
const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: [] };
expect(() =>
getActionsConfigurationUtilities(config).ensureWhitelistedUri('github.com/elastic')
).toThrowErrorMatchingInlineSnapshot(
`"target url \\"github.com/elastic\\" is not in the Kibana whitelist"`
);
});

test('returns true when the hostname in the requested uri is in the whitelist', () => {
const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: ['github.com'] };
expect(
getActionsConfigurationUtilities(config).ensureWhitelistedUri(
'https://github.com/elastic/kibana'
)
).toBeUndefined();
});
});

describe('ensureWhitelistedHostname', () => {
test('returns true when "any" hostnames are allowed', () => {
const config: ActionsKibanaConfig = {
enabled: false,
whitelistedHosts: [WhitelistedHosts.Any],
};
expect(
getActionsConfigurationUtilities(config).ensureWhitelistedHostname('github.com')
).toBeUndefined();
});

test('throws when the hostname in the requested uri is not in the whitelist', () => {
const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: [] };
expect(() =>
getActionsConfigurationUtilities(config).ensureWhitelistedHostname('github.com')
).toThrowErrorMatchingInlineSnapshot(
`"target hostname \\"github.com\\" is not in the Kibana whitelist"`
);
});

test('returns true when the hostname in the requested uri is in the whitelist', () => {
const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: ['github.com'] };
expect(
getActionsConfigurationUtilities(config).ensureWhitelistedHostname('github.com')
).toBeUndefined();
});
});

describe('isWhitelistedUri', () => {
test('returns true when "any" hostnames are allowed', () => {
const config: ActionsKibanaConfig = {
enabled: false,
whitelistedHosts: [WhitelistedHosts.Any],
};
expect(
getActionsConfigurationUtilities(config).isWhitelistedUri('https://github.com/elastic/kibana')
).toEqual(true);
});

test('throws when the hostname in the requested uri is not in the whitelist', () => {
const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: [] };
expect(
getActionsConfigurationUtilities(config).isWhitelistedUri('https://github.com/elastic/kibana')
).toEqual(false);
});

test('throws when the uri cannot be parsed as a valid URI', () => {
const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: [] };
expect(getActionsConfigurationUtilities(config).isWhitelistedUri('github.com/elastic')).toEqual(
false
);
});

test('returns true when the hostname in the requested uri is in the whitelist', () => {
const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: ['github.com'] };
expect(
getActionsConfigurationUtilities(config).isWhitelistedUri('https://github.com/elastic/kibana')
).toEqual(true);
});
});

describe('isWhitelistedHostname', () => {
test('returns true when "any" hostnames are allowed', () => {
const config: ActionsKibanaConfig = {
enabled: false,
whitelistedHosts: [WhitelistedHosts.Any],
};
expect(getActionsConfigurationUtilities(config).isWhitelistedHostname('github.com')).toEqual(
true
);
});

test('throws when the hostname in the requested uri is not in the whitelist', () => {
const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: [] };
expect(getActionsConfigurationUtilities(config).isWhitelistedHostname('github.com')).toEqual(
false
);
});

test('returns true when the hostname in the requested uri is in the whitelist', () => {
const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: ['github.com'] };
expect(getActionsConfigurationUtilities(config).isWhitelistedHostname('github.com')).toEqual(
true
);
});
});
85 changes: 85 additions & 0 deletions x-pack/legacy/plugins/actions/server/actions_config.ts
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/

import { i18n } from '@kbn/i18n';
import { tryCatch, fromNullable } from 'fp-ts/lib/Option';
import { URL } from 'url';
import { curry } from 'lodash';

export enum WhitelistedHosts {
Any = '*',
}

enum WhitelistingField {
url = 'url',
hostname = 'hostname',
}

export interface ActionsKibanaConfig {
enabled: boolean;
whitelistedHosts: string[];
}

export interface ActionsConfigurationUtilities {
isWhitelistedHostname: (hostname: string) => boolean;
isWhitelistedUri: (uri: string) => boolean;
ensureWhitelistedHostname: (hostname: string) => void;
ensureWhitelistedUri: (uri: string) => void;
}

function whitelistingErrorMessage(field: WhitelistingField, value: string) {
return i18n.translate('xpack.actions.urlWhitelistConfigurationError', {
defaultMessage: 'target {field} "{value}" is not in the Kibana whitelist',
values: {
value,
field,
},
});
}

function doesValueWhitelistAnyHostname(whitelistedHostname: string): boolean {
return whitelistedHostname === WhitelistedHosts.Any;
}

function isWhitelisted({ whitelistedHosts }: ActionsKibanaConfig, hostname: string): boolean {
return (
Array.isArray(whitelistedHosts) &&
fromNullable(
whitelistedHosts.find(
whitelistedHostname =>
doesValueWhitelistAnyHostname(whitelistedHostname) || whitelistedHostname === hostname
)
).isSome()
);
}

function isWhitelistedHostnameInUri(config: ActionsKibanaConfig, uri: string): boolean {
return tryCatch(() => new URL(uri))
.map(url => url.hostname)
.mapNullable(hostname => isWhitelisted(config, hostname))
.getOrElse(false);
}

export function getActionsConfigurationUtilities(
config: ActionsKibanaConfig
): ActionsConfigurationUtilities {
const isWhitelistedHostname = curry(isWhitelisted)(config);
const isWhitelistedUri = curry(isWhitelistedHostnameInUri)(config);
return {
isWhitelistedHostname,
isWhitelistedUri,
ensureWhitelistedUri(uri: string) {
if (!isWhitelistedUri(uri)) {
throw new Error(whitelistingErrorMessage(WhitelistingField.url, uri));
}
},
ensureWhitelistedHostname(hostname: string) {
if (!isWhitelistedHostname(hostname)) {
throw new Error(whitelistingErrorMessage(WhitelistingField.hostname, hostname));
}
},
};
}
9 changes: 8 additions & 1 deletion x-pack/legacy/plugins/actions/server/builtin_action_types/email.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ jest.mock('./lib/send_email', () => ({
}));

import { ActionType, ActionTypeExecutorOptions } from '../types';
import { ActionsConfigurationUtilities } from '../actions_config';
import { ActionTypeRegistry } from '../action_type_registry';
import { encryptedSavedObjectsMock } from '../../../encrypted_saved_objects/server/plugin.mock';
import { taskManagerMock } from '../../../task_manager/task_manager.mock';
Expand All @@ -22,6 +23,12 @@ const sendEmailMock = sendEmail as jest.Mock;

const ACTION_TYPE_ID = '.email';
const NO_OP_FN = () => {};
const MOCK_KIBANA_CONFIG_UTILS: ActionsConfigurationUtilities = {
isWhitelistedHostname: _ => true,
isWhitelistedUri: _ => true,
ensureWhitelistedHostname: _ => {},
ensureWhitelistedUri: _ => {},
};

const services = {
log: NO_OP_FN,
Expand All @@ -48,7 +55,7 @@ beforeAll(() => {
getBasePath: jest.fn().mockReturnValue(undefined),
});

registerBuiltInActionTypes(actionTypeRegistry);
registerBuiltInActionTypes(actionTypeRegistry, MOCK_KIBANA_CONFIG_UTILS);

actionType = actionTypeRegistry.get(ACTION_TYPE_ID);
});
Expand Down
23 changes: 12 additions & 11 deletions x-pack/legacy/plugins/actions/server/builtin_action_types/email.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -97,17 +97,18 @@ function validateParams(paramsObject: any): string | void {
}

// action type definition

export const actionType: ActionType = {
id: '.email',
name: 'email',
validate: {
config: ConfigSchema,
secrets: SecretsSchema,
params: ParamsSchema,
},
executor,
};
export function getActionType(): ActionType {
return {
id: '.email',
name: 'email',
validate: {
config: ConfigSchema,
secrets: SecretsSchema,
params: ParamsSchema,
},
executor,
};
}

// action executor

Expand Down
9 changes: 8 additions & 1 deletion x-pack/legacy/plugins/actions/server/builtin_action_types/es_index.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ jest.mock('./lib/send_email', () => ({
}));

import { ActionType, ActionTypeExecutorOptions } from '../types';
import { ActionsConfigurationUtilities } from '../actions_config';
import { ActionTypeRegistry } from '../action_type_registry';
import { encryptedSavedObjectsMock } from '../../../encrypted_saved_objects/server/plugin.mock';
import { taskManagerMock } from '../../../task_manager/task_manager.mock';
Expand All @@ -19,6 +20,12 @@ import { ActionParamsType, ActionTypeConfigType } from './es_index';

const ACTION_TYPE_ID = '.index';
const NO_OP_FN = () => {};
const MOCK_KIBANA_CONFIG_UTILS: ActionsConfigurationUtilities = {
isWhitelistedHostname: _ => true,
isWhitelistedUri: _ => true,
ensureWhitelistedHostname: _ => {},
ensureWhitelistedUri: _ => {},
};

const services = {
log: NO_OP_FN,
Expand All @@ -45,7 +52,7 @@ beforeAll(() => {
getBasePath: jest.fn().mockReturnValue(undefined),
});

registerBuiltInActionTypes(actionTypeRegistry);
registerBuiltInActionTypes(actionTypeRegistry, MOCK_KIBANA_CONFIG_UTILS);

actionType = actionTypeRegistry.get(ACTION_TYPE_ID);
});
Expand Down
21 changes: 11 additions & 10 deletions x-pack/legacy/plugins/actions/server/builtin_action_types/es_index.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,16 +33,17 @@ const ParamsSchema = schema.object({
});

// action type definition

export const actionType: ActionType = {
id: '.index',
name: 'index',
validate: {
config: ConfigSchema,
params: ParamsSchema,
},
executor,
};
export function getActionType(): ActionType {
return {
id: '.index',
name: 'index',
validate: {
config: ConfigSchema,
params: ParamsSchema,
},
executor,
};
}

// action executor

Expand Down
Loading

0 comments on commit 0d1f3cf

Please sign in to comment.