[Uptime] TLS alert - do not alert when status cannot be determined (#…

…144767) ## Summary Resolves #143981 When the status of a cert cannot be terminated from Kibana server, do not alert for that certificate. ### Testing While we haven't be able to reproduce this error locally, a unit test was added to cover this code path. Co-authored-by: Kibana Machine <[email protected]>
elastic · Nov 8, 2022 · b24bfb4 · b24bfb4
1 parent 9bf262d
commit b24bfb4
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 0 deletions.
diff --git a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.test.ts b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.test.ts
@@ -156,6 +156,68 @@ describe('tls alert', () => {
       expect(alertInstanceMock.scheduleActions).toHaveBeenCalledTimes(4);
     });
 
+    it('does not trigger when cert is not considered aging or expiring', async () => {
+      toISOStringSpy.mockImplementation(() => mockDate);
+      const mockGetter: jest.Mock<CertResult> = jest.fn();
+
+      mockGetter.mockReturnValue({
+        certs: [
+          {
+            not_after: '2021-07-16T03:15:39.000Z',
+            not_before: '2019-07-24T03:15:39.000Z',
+            issuer: 'Sample issuer',
+            common_name: 'Common-One',
+            monitors: [{ name: 'monitor-one', id: 'monitor1' }],
+            sha256: 'abc',
+          },
+          {
+            not_after: '2021-07-18T03:15:39.000Z',
+            not_before: '2019-07-20T03:15:39.000Z',
+            issuer: 'Sample issuer',
+            common_name: 'Common-Two',
+            monitors: [{ name: 'monitor-two', id: 'monitor2' }],
+            sha256: 'bcd',
+          },
+          {
+            not_after: '2021-07-19T03:15:39.000Z',
+            not_before: '2019-07-22T03:15:39.000Z',
+            issuer: 'Sample issuer',
+            common_name: 'Common-Three',
+            monitors: [{ name: 'monitor-three', id: 'monitor3' }],
+            sha256: 'cde',
+          },
+          {
+            not_after: '2021-07-25T03:15:39.000Z',
+            not_before: '2019-07-25T03:15:39.000Z',
+            issuer: 'Sample issuer',
+            common_name: 'Common-Four',
+            monitors: [{ name: 'monitor-four', id: 'monitor4' }],
+            sha256: 'def',
+          },
+        ],
+        total: 4,
+      });
+      const { server, libs, plugins } = bootstrapDependencies({ getCerts: mockGetter });
+      const alert = tlsAlertFactory(server, libs, plugins);
+      const options = mockOptions();
+      const {
+        services: { alertWithLifecycle },
+      } = options;
+      await alert.executor(options);
+      expect(mockGetter).toHaveBeenCalledTimes(1);
+      expect(alertWithLifecycle).toHaveBeenCalledTimes(0);
+      expect(mockGetter).toBeCalledWith(
+        expect.objectContaining({
+          pageIndex: 0,
+          size: 1000,
+          notValidAfter: `now+${DYNAMIC_SETTINGS_DEFAULTS.certExpirationThreshold}d`,
+          notValidBefore: `now-${DYNAMIC_SETTINGS_DEFAULTS.certAgeThreshold}d`,
+          sortBy: 'common_name',
+          direction: 'desc',
+        })
+      );
+    });
+
     it('handles dynamic settings for aging or expiration threshold', async () => {
       toISOStringSpy.mockImplementation(() => mockDate);
       const certSettings = {

diff --git a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.ts b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.ts
@@ -159,6 +159,10 @@ export const tlsAlertFactory: UptimeAlertTypeFactory<ActionGroupIds> = (_server,
           .valueOf();
         const summary = getCertSummary(cert, absoluteExpirationThreshold, absoluteAgeThreshold);
 
+        if (!summary.summary || !summary.status) {
+          return;
+        }
+
         const alertInstance = alertWithLifecycle({
           id: `${cert.common_name}-${cert.issuer?.replace(/\s/g, '_')}-${cert.sha256}`,
           fields: {