Allow requestCert option to be set #38920

Merged
merged 1 commit into from
Jun 13, 2019


toddself
Contributor

Summary

Allow new SslConfig to accept the requestCert boolean option to be
passed into the constructor.

Dev Docs

This allows us to require an HTTP server created by Kibana to force a
client to provide a certificate for authorization to the server
instance. This enables PKI-based mutual TLS for client/server
interactions.

Creating a configuration as such:

```js
const sslConfig = new SslConfig({
  requestCert: true,
  ca: [myCA],
  key: privateKey,
  cert: myCert
})
```

Would require a client to provide the same cert and key (and ca if
it's a self-signed certificate) to the https request in order for the
server to respond:

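```js
// Client agent presenting its certificate and key to the server
const agent = new https.Agent({
  key: privateKey,
  cert: myCert,
  ca: myCA
})
https.request('https://kibana.local:3000/', { agent }).end()
// or
// Wreck.defaults() returns a new client instance; keep a reference to it
const wreck = Wreck.defaults({
  agent: {
    https: agent
  }
})
await wreck.get('https://kibana.local:3000')
```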

Without the same certificate, key and ca, the Kibana server will reject
the request as being unauthorized.

This allows you to pass the option in correctly to the constructor
@toddself toddself requested a review from a team as a code owner June 13, 2019 18:29
@toddself toddself added Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc release_note:plugin_api_changes Contains a Plugin API changes section for the breaking plugin API changes section. v7.3.0 v8.0.0 labels Jun 13, 2019
@elasticmachine
Contributor

Pinging @elastic/kibana-platform

@elasticmachine
Contributor

💚 Build Succeeded

Contributor

@eliperelman eliperelman left a comment

LGTM.

@toddself toddself merged commit ceac552 into elastic:master Jun 13, 2019
@toddself toddself deleted the surface-cert-options branch June 13, 2019 22:09
toddself added a commit to toddself/kibana that referenced this pull request Jun 13, 2019
This allows you to pass the option in correctly to the constructor
toddself added a commit that referenced this pull request Jun 14, 2019
This allows you to pass the option in correctly to the constructor
@@ -49,6 +49,7 @@ export const sslSchema = schema.object(
schema.oneOf([schema.literal('TLSv1'), schema.literal('TLSv1.1'), schema.literal('TLSv1.2')]),
{ defaultValue: ['TLSv1.1', 'TLSv1.2'], minSize: 1 }
),
requestCert: schema.maybe(schema.boolean({ defaultValue: false })),
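
Review bot: on the added `requestCert` line, `schema.maybe(...)` wraps a `schema.boolean` that already carries `defaultValue: false`, so the line states two conflicting intents: optional and possibly undefined, versus always a boolean. Because this flag decides whether the server asks clients for a certificate, a plain `schema.boolean({ defaultValue: false })` would make the off-by-default behaviour unambiguous, and a test covering the omitted, `true` and `false` cases would pin it down.
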
Member

@azasypkin azasypkin Jun 14, 2019

@toddself Hmm, IIRC you either use `schema.maybe(schema.boolean()) // requestCert?: boolean` or just `schema.boolean({ defaultValue: false }) // requestCert: boolean` as having default value implies "optionality". Or I'm missing something?
