Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Actions] Extended ActionTypeRegistry with connector validation to validate config with secrets #116079

Merged

Conversation

YulNaumenko
Copy link
Contributor

@YulNaumenko YulNaumenko commented Oct 25, 2021

Resolves #112459

Currently there was no ability to validate connector config with secrets values together, which causes to the issues in the API validation for .email action type:

  • validate if hasAuth (config) is true the username/password (secrets) should be populated;
  • validate if service (config) is exchange_server then clientSecret (secrets) should be populated;
    Added new validation method for connector, which allows to implement by the action type the ability to validate connector properties secrets with config.

@YulNaumenko YulNaumenko self-assigned this Oct 25, 2021
@YulNaumenko YulNaumenko added Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:Alerting/RuleActions Issues related to the Actions attached to Rules on the Alerting Framework v8.0.0 release_note:skip Skip the PR/issue when compiling release notes labels Oct 25, 2021
@YulNaumenko YulNaumenko marked this pull request as ready for review October 25, 2021 17:41
@YulNaumenko YulNaumenko requested a review from a team as a code owner October 25, 2021 17:41
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@pmuellr
Copy link
Member

pmuellr commented Oct 25, 2021

Even though this is how I was thinking of implementing it, having to duplicate the schema references for config and secrets in the connector validation seems like it may be fragile in the future. What happens if someone has different schema for the config and the config section in the connector schema?

Wondering if to make this a little clearer, we'd want to have the connector validator not be config-schema based, but a function that returns the same results as schema.validate() but takes the typed config and secrets objects.

The existing validation function in the PR would then be unchanged! And the definition of the connector validator in types.ts would be:

    connector?: (config: Config, secrets: Secrets) => string | null;

I could go either way though, not sure it's worth having a "different" shaped validation makes sense, since the way this is currently shaped seems more consistent that what I proposed ^^^. And:

  • I think in practice we won't see too much of a need for this anyway
  • referencing the existing schema for config and secrets is likely how it would be used when defining this new validator, exactly how it's done in this PR for email, so that eliminates / greatly reduces the possibility of them getting out of sync
  • if they were wildly out of sync, you'd expect to find out with jest / functional tests
  • since we have control over all the connectors right now, changing this to a slightly different shape (like I suggested) would be a simple thing we could do in the future - that is UNTIL we allow other plugins to define connectors!

@YulNaumenko
Copy link
Contributor Author

Even though this is how I was thinking of implementing it, having to duplicate the schema references for config and secrets in the connector validation seems like it may be fragile in the future. What happens if someone has different schema for the config and the config section in the connector schema?

Wondering if to make this a little clearer, we'd want to have the connector validator not be config-schema based, but a function that returns the same results as schema.validate() but takes the typed config and secrets objects.

The existing validation function in the PR would then be unchanged! And the definition of the connector validator in types.ts would be:

    connector?: (config: Config, secrets: Secrets) => string | null;

I could go either way though, not sure it's worth having a "different" shaped validation makes sense, since the way this is currently shaped seems more consistent that what I proposed ^^^. And:

  • I think in practice we won't see too much of a need for this anyway
  • referencing the existing schema for config and secrets is likely how it would be used when defining this new validator, exactly how it's done in this PR for email, so that eliminates / greatly reduces the possibility of them getting out of sync
  • if they were wildly out of sync, you'd expect to find out with jest / functional tests
  • since we have control over all the connectors right now, changing this to a slightly different shape (like I suggested) would be a simple thing we could do in the future - that is UNTIL we allow other plugins to define connectors!

Thank you for a great thoughts @pmuellr! Yeah, I think you are right about the changes to the different shape of the connector validator.
My initial idea was to implement something which could replace/deprecate the existing separate validation in the future, but probably better to keep it as it is.

Copy link
Contributor

@chrisronline chrisronline left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Great work!

Copy link
Member

@pmuellr pmuellr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM; made one note about some typing that we should probably fix up, if possible - and could do it later; also there's a test which doesn't seem like it's testing the connector validator, so I'm guessing it's some copy pasta.

x-pack/plugins/actions/server/lib/action_executor.test.ts Outdated Show resolved Hide resolved
x-pack/plugins/actions/server/lib/action_executor.ts Outdated Show resolved Hide resolved
@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @YulNaumenko

@YulNaumenko YulNaumenko merged commit fac6286 into elastic:master Oct 26, 2021
jloleysens added a commit to jloleysens/kibana that referenced this pull request Oct 27, 2021
…-migrate-away-from-injected-css-js

* 'master' of github.com:elastic/kibana: (61 commits)
  [ML] Nodes overview for the Model Management page (elastic#116361)
  [Uptime] Uptime index config using kibana.yml (elastic#115775)
  [Controls] Dashboard Integration (elastic#115991)
  skip flaky suite (elastic#104260)
  Include Files in GitHub UI (elastic#115956)
  skip flaky suite (elastic#116060)
  [Canvas] By-Value Embeddables (elastic#113827)
  Skip failing test (elastic#115366)
  [Osquery] Fix live query search doesn't return relevant results for agents (elastic#116332)
  [Integrations] Added link in old Add Data description and fixed alignment in cards (elastic#116213)
  [Actions] Extended ActionTypeRegistry with connector validation to validate config with secrets (elastic#116079)
  skip flaky suite (elastic#109329)
  Grant access to machine learning features when base privileges are used (elastic#115444)
  Skipping failing test (elastic#84957)
  [RAC][Security Solution] Adds migration to new SecuritySolution rule types (elastic#112113)
  skip flaky suite (elastic#115366)
  [Fleet] Marking API spec as experimental (elastic#116331)
  [Docs] Cleaning up the versions in the upgrade paths. Closes elastic#116223 (elastic#116228)
  [Reporting] Suppress debug logs in the mock logger (elastic#116012)
  [Metrics UI] Clear threshold alert groups state when filterQuery changes (elastic#116205)
  ...

# Conflicts:
#	src/plugins/dashboard/public/application/embeddable/dashboard_container.tsx
#	src/plugins/dashboard/public/types.ts
@kibanamachine
Copy link
Contributor

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create backports run node scripts/backport --pr 116079 or prevent reminders by adding the backport:skip label.

@kibanamachine kibanamachine added the backport missing Added to PRs automatically when the are determined to be missing a backport. label Oct 28, 2021
@kibanamachine
Copy link
Contributor

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create backports run node scripts/backport --pr 116079 or prevent reminders by adding the backport:skip label.

@spalger spalger added the backport:skip This commit does not require backporting label Nov 1, 2021
@kibanamachine kibanamachine removed the backport missing Added to PRs automatically when the are determined to be missing a backport. label Nov 1, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport:skip This commit does not require backporting Feature:Alerting/RuleActions Issues related to the Actions attached to Rules on the Alerting Framework release_note:skip Skip the PR/issue when compiling release notes Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Actions] There is no possibility to validate action connector secrets and config together.
6 participants