[Synthetics] Omit or include ssl keys when appropriate for project monitors and private locations #149298

@dominiqueclarke dominiqueclarke commented Jan 23, 2023

Summary

Resolves #149083

  1. Prevents tls fields from being saved on the Synthetics Integration policy when is_tls_enabled is false
  2. Ensures is_tls_enabled is set properly for project monitors (http and tcp). This ensures that when a monitor is sent to a public location or a private location, the ssl fields are sent or stripped appropriately.

Testing

  1. Create a private location
  2. Create 2 lightweight project monitors using the following configuration

```
- type: tcp
  id: 'tls-enabled'
  name: 'TLS-Enabled'
  hosts: ["8.8.8.8:80"]
  ssl:
     verification_mode: 'strict'
```

```
- type: tcp
  id: 'tls-disabled'
  name: 'TLS-Disabled'
  hosts: ["8.8.8.8:80"]
```

  3. Set these monitors to execute from both a private and public location via the monitor key in your synthetics.config.ts file.

```
    monitor: {
      schedule: 3,
      privateLocations: ["YOUR PRIVATE LOCATION"],
      locations: ["us_central"], // to test against dev environment
    },
```

  4. Navigate to the agent policy for the private location and inspect the full policy. Ensure the Synthetics policy on the agent package policy does not have ssl fields set for ssl disabled monitor. Ensure the ssl fields are set for the ssl enabled monitor.
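
A TypeScript sketch of the two behaviours listed in the summary above, added here as an example; it is not code from this PR or from Kibana. The function names, the flattened `ssl.*` key layout, the rule that an absent or empty `ssl` block means TLS is disabled, and the sample monitors are all assumptions made for illustration.

```typescript
// Added illustration: hypothetical names, not Kibana's own code.
type Value = string | number | boolean | string[] | undefined;
type FlatConfig = Record<string, Value>;

interface ProjectMonitor {
  id: string;
  type: 'http' | 'tcp';
  hosts: string[];
  ssl?: Record<string, Value>;
}

const TLS_PREFIX = 'ssl.'; // assumed flattened key layout
const isTlsKey = (key: string): boolean => key.indexOf(TLS_PREFIX) === 0;

// Summary item 2: derive is_tls_enabled from the project monitor itself.
// Assumption: an absent or empty `ssl` block means TLS is disabled.
function normalizeProjectMonitor(monitor: ProjectMonitor): FlatConfig {
  const ssl = monitor.ssl ?? {};
  const sslNames = Object.keys(ssl);
  const flat: FlatConfig = {
    id: monitor.id,
    type: monitor.type,
    hosts: monitor.hosts,
    is_tls_enabled: sslNames.length > 0,
  };
  for (const name of sslNames) flat[TLS_PREFIX + name] = ssl[name];
  return flat;
}

// Summary item 1: never write ssl.* keys to the policy unless TLS is enabled,
// even if stale ssl.* values are still attached to the monitor.
function formatForPolicy(config: FlatConfig): FlatConfig {
  const tlsEnabled = config['is_tls_enabled'] === true;
  const out: FlatConfig = {};
  for (const key of Object.keys(config)) {
    if (isTlsKey(key) && !tlsEnabled) continue;
    out[key] = config[key];
  }
  return out;
}

// Testing step 4 as a check: which ssl.* keys reached the policy?
function sslKeysInPolicy(policy: FlatConfig): string[] {
  return Object.keys(policy).filter(isTlsKey);
}

// Constructed samples mirroring the two monitors in the testing steps.
const SAMPLE_MONITORS: ProjectMonitor[] = [
  { id: 'tls-enabled', type: 'tcp', hosts: ['8.8.8.8:80'], ssl: { verification_mode: 'strict' } },
  { id: 'tls-disabled', type: 'tcp', hosts: ['8.8.8.8:80'] },
];
```
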

@dominiqueclarke dominiqueclarke added Team:Uptime - DEPRECATED Synthetics & RUM sub-team of Application Observability 8.6.1 bug Fixes for quality problems that affect the customer experience release_note:fix v8.7.0 v8.6.1 and removed 8.6.1 labels Jan 23, 2023
@dominiqueclarke dominiqueclarke changed the title Fix/synthetics tls private project [Synthetics] Omit or include ssl keys when appropriate for project monitors and private locations Jan 23, 2023
@dominiqueclarke dominiqueclarke marked this pull request as ready for review January 23, 2023 04:22
@dominiqueclarke dominiqueclarke requested a review from a team as a code owner January 23, 2023 04:22
@elasticmachine

Pinging @elastic/uptime (Team:uptime)

@awahab07 awahab07 left a comment

LGTM

@kibana-ci

💛 Build succeeded, but was flaky

Failed CI Steps

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
| --- | --- | --- | --- |
| synthetics | 1.3MB | 1.3MB | +942.0B |

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@dominiqueclarke dominiqueclarke merged commit 0592abd into elastic:main Jan 24, 2023
@dominiqueclarke dominiqueclarke deleted the fix/synthetics-tls-private-project branch January 24, 2023 19:56
@kibanamachine

💔 All backports failed

Status Branch Result
8.6 Backport failed because of merge conflicts

Manual backport

To create the backport manually run:

node scripts/backport --pr 149298

Questions ?

Please refer to the Backport tool documentation

@dominiqueclarke

💚 All backports created successfully

Status Branch Result
8.6

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

dominiqueclarke added a commit to dominiqueclarke/kibana that referenced this pull request Jan 24, 2023
…monitors and private locations (elastic#149298)

## Summary

Resolves elastic#149083

1. [Prevents tls fields from being
saved](https://github.com/elastic/kibana/pull/149298/files#diff-56296f634bf379eb71629f426c670cd030d2a15263a59964847c0d10af09a767R14)
on the Synthetics Integration policy when `is_tls_enabled` is false
2. Ensures `is_tls_enabled` is set properly for project monitors
([http](https://github.com/elastic/kibana/pull/149298/files#diff-0f42bb3b11a6ab864dee3488d5e9f7282adc009a261b3caee743a880b825c766R73)
and
[tcp](https://github.com/elastic/kibana/pull/149298/files#diff-3ad87e629abc6f17c395e8435c94f0f1a6274c9efea7d24ab81b7635ef0e43dfR69)).
This ensures that when a monitor is sent to a public location or a
private location, the `ssl` fields are sent or stripped appropriately.

### Testing

1. Create a private location
2. Create 2 lightweight project monitors using the following
configuration
```
- type: tcp
  id: 'tls-enabled'
  name: 'TLS-Enabled'
  hosts: ["8.8.8.8:80"]
  ssl:
     verification_mode: 'strict'
```
```
- type: tcp
  id: 'tls-disabled'
  name: 'TLS-Disabled'
  hosts: ["8.8.8.8:80"]
```
3. Set these monitors to execute from both a private and public location
via the `monitor` key in your `synthetics.config.ts` file.
```
    monitor: {
      schedule: 3,
      privateLocations: ["YOUR PRIVATE LOCATION"],
      locations: ["us_central"], // to test against dev environment
    },
```
4. Navigate to the agent policy for the private location and inspect the
full policy. Ensure the Synthetics policy on the agent package policy
does not have `ssl` fields set for ssl disabled monitor. Ensure the
`ssl` fields are set for the ssl enabled monitor.

(cherry picked from commit 0592abd)

# Conflicts:
#	x-pack/plugins/synthetics/common/formatters/format_synthetics_policy.test.ts
#	x-pack/plugins/synthetics/server/synthetics_service/project_monitor/normalizers/http_monitor.ts
#	x-pack/test/api_integration/apis/synthetics/sample_data/test_policy.ts
dominiqueclarke added a commit that referenced this pull request Jan 25, 2023
…oject monitors and private locations (#149298) (#149447)

# Backport

This will backport the following commits from `main` to `8.6`:
- [[Synthetics] Omit or include `ssl` keys when appropriate for project
monitors and private locations
(#149298)](#149298)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: kibanamachine <[email protected]>
@mistic

mistic commented Jan 26, 2023

The backport for the 8.6 branch missed the v8.6.1 release. Updating the tag to v8.6.2.

@mistic mistic added v8.6.2 and removed v8.6.1 labels Jan 26, 2023
Labels
bug Fixes for quality problems that affect the customer experience release_note:fix Team:Uptime - DEPRECATED Synthetics & RUM sub-team of Application Observability v8.6.2 v8.7.0

Successfully merging this pull request may close these issues.

[Synthetics] [Uptime] Omit ssl fields when tls is disabled