From b24bfb4f259ffabf01cef4485165e9af05e18baa Mon Sep 17 00:00:00 2001 From: Dominique Clarke Date: Tue, 8 Nov 2022 12:43:05 -0500 Subject: [PATCH] [Uptime] TLS alert - do not alert when status cannot be determined (#144767) ## Summary Resolves https://github.com/elastic/kibana/issues/143981 When the status of a cert cannot be terminated from Kibana server, do not alert for that certificate. ### Testing While we haven't be able to reproduce this error locally, a unit test was added to cover this code path. Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> --- .../legacy_uptime/lib/alerts/tls.test.ts | 62 +++++++++++++++++++ .../server/legacy_uptime/lib/alerts/tls.ts | 4 ++ 2 files changed, 66 insertions(+) diff --git a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.test.ts b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.test.ts index fefeb3cf4e20f..b1ee98d4bc900 100644 --- a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.test.ts +++ b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.test.ts @@ -156,6 +156,68 @@ describe('tls alert', () => { expect(alertInstanceMock.scheduleActions).toHaveBeenCalledTimes(4); }); + it('does not trigger when cert is not considered aging or expiring', async () => { + toISOStringSpy.mockImplementation(() => mockDate); + const mockGetter: jest.Mock = jest.fn(); + + mockGetter.mockReturnValue({ + certs: [ + { + not_after: '2021-07-16T03:15:39.000Z', + not_before: '2019-07-24T03:15:39.000Z', + issuer: 'Sample issuer', + common_name: 'Common-One', + monitors: [{ name: 'monitor-one', id: 'monitor1' }], + sha256: 'abc', + }, + { + not_after: '2021-07-18T03:15:39.000Z', + not_before: '2019-07-20T03:15:39.000Z', + issuer: 'Sample issuer', + common_name: 'Common-Two', + monitors: [{ name: 'monitor-two', id: 'monitor2' }], + sha256: 'bcd', + }, + { + not_after: '2021-07-19T03:15:39.000Z', + not_before: '2019-07-22T03:15:39.000Z', + issuer: 'Sample issuer', + common_name: 'Common-Three', + monitors: [{ name: 'monitor-three', id: 'monitor3' }], + sha256: 'cde', + }, + { + not_after: '2021-07-25T03:15:39.000Z', + not_before: '2019-07-25T03:15:39.000Z', + issuer: 'Sample issuer', + common_name: 'Common-Four', + monitors: [{ name: 'monitor-four', id: 'monitor4' }], + sha256: 'def', + }, + ], + total: 4, + }); + const { server, libs, plugins } = bootstrapDependencies({ getCerts: mockGetter }); + const alert = tlsAlertFactory(server, libs, plugins); + const options = mockOptions(); + const { + services: { alertWithLifecycle }, + } = options; + await alert.executor(options); + expect(mockGetter).toHaveBeenCalledTimes(1); + expect(alertWithLifecycle).toHaveBeenCalledTimes(0); + expect(mockGetter).toBeCalledWith( + expect.objectContaining({ + pageIndex: 0, + size: 1000, + notValidAfter: `now+${DYNAMIC_SETTINGS_DEFAULTS.certExpirationThreshold}d`, + notValidBefore: `now-${DYNAMIC_SETTINGS_DEFAULTS.certAgeThreshold}d`, + sortBy: 'common_name', + direction: 'desc', + }) + ); + }); + it('handles dynamic settings for aging or expiration threshold', async () => { toISOStringSpy.mockImplementation(() => mockDate); const certSettings = { diff --git a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.ts b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.ts index 50e123aeaacd9..da62602db374b 100644 --- a/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.ts +++ b/x-pack/plugins/synthetics/server/legacy_uptime/lib/alerts/tls.ts @@ -159,6 +159,10 @@ export const tlsAlertFactory: UptimeAlertTypeFactory = (_server, .valueOf(); const summary = getCertSummary(cert, absoluteExpirationThreshold, absoluteAgeThreshold); + if (!summary.summary || !summary.status) { + return; + } + const alertInstance = alertWithLifecycle({ id: `${cert.common_name}-${cert.issuer?.replace(/\s/g, '_')}-${cert.sha256}`, fields: {