add socket.getPeerCertificate to KibanaRequest #42929
Pinging @elastic/kibana-platform
💔 Build Failed
export interface IKibanaSocket { | ||
// (undocumented) | ||
getPeerCertificate(detailed: true): DetailedPeerCertificate | null; | ||
// (undocumented) |
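Review bot: `getPeerCertificate(detailed: true)` and the overload that follows it both appear in the API report as `(undocumented)`, so a reader of the public `IKibanaSocket` contract gets no description of when the result is `null`. Consider putting a TSDoc comment on each overload signature rather than on only one of them.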
I'd expect api-extractor to merge all overloads in the one file.
Yeah that's kinda strange. You might be able to use the @inheritDoc directive?
nope, neither @inheritDoc nor @link.
The @link reference could not be resolved: The reference is ambiguous because "getPeerCertificate" has more than one declaration; you need to add a TSDoc member reference selector
seems the problem is not solved yet microsoft/rushstack#881
💚 Build Succeeded
ACK: looking..
LGTM, thanks for the quick turnaround on this one! Tested with PKI auth provider locally and it seems everything works as expected.
* The returned object has some properties corresponding to the field of the certificate. | ||
* If detailed argument is true the full chain with issuer property will be returned, | ||
* if false only the top certificate without issuer property. | ||
* If the peer does not provide a certificate, it returns null. |
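Review bot: "only the top certificate" in the sentence about `detailed` being false is ambiguous for a security-relevant API, because "top" can be read as either the root or the peer's own certificate; "the peer's own certificate" would remove the doubt. In the first line, "the field of the certificate" should read "the fields of the certificate".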
nit: it can also be null if socket has been destroyed (please ignore if it's the only change needed for merge).
getPeerCertificate(detailed?: boolean): PeerCertificate | DetailedPeerCertificate | null; | ||
|
||
public getPeerCertificate(detailed?: boolean) { | ||
if (this.socket instanceof TLSSocket) { |
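Review bot: the `instanceof TLSSocket` branch of `getPeerCertificate` gives callers the peer certificate, but nothing in these lines tells them whether the TLS layer verified it, so a presented certificate could be mistaken for a trusted one. State in the TSDoc that a non-null result is not proof of verification, and consider giving the implementation the explicit return type `PeerCertificate | DetailedPeerCertificate | null` that the interface declares.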
note: PKI authentication provider will consume certificate chain returned from this method, but it works on the assumption that rejectUnauthorized is set to true in the core server and hence we don't need to verify socket.authorized. rejectUnauthorized in the core server isn't configurable right now and hence relies on Node's default value which is true.
So everything is fine right now, but in case we decide to expose rejectUnauthorized as a configuration option for some reason (hopefully not) we may need to expose socket.authorized from IKibanaSocket. Just wanted to note.
/cc @kobelb
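The assumption described in the comment above, as an added example (not code from this PR or from Kibana): a consumer that returns the certificate chain only when the socket reports `authorized`. The `SocketLike` abstraction that exposes `authorized`, the `CertLike` type, the helper names and the sample certificates are all assumptions constructed for illustration.

```typescript
// Local stand-in for the fields used from Node's detailed peer certificate.
interface CertLike {
  fingerprint256: string;
  issuerCertificate?: CertLike;
}

// Hypothetical socket abstraction (assumption): the PR's getPeerCertificate
// plus an `authorized` flag, which the PR itself does not expose.
interface SocketLike {
  authorized: boolean;
  getPeerCertificate(detailed: true): CertLike | null;
}

// Returns fingerprints from the peer certificate up to the root, or null when
// the chain must not be trusted (unverified peer or no certificate).
function getTrustedChain(socket: SocketLike): string[] | null {
  if (!socket.authorized) return null; // presented is not the same as verified
  const chain: string[] = [];
  let cert: CertLike | undefined = socket.getPeerCertificate(true) || undefined;
  // Node links a self-signed root's issuerCertificate back to itself,
  // so stop as soon as a fingerprint repeats.
  while (cert && cert.fingerprint256 && chain.indexOf(cert.fingerprint256) === -1) {
    chain.push(cert.fingerprint256);
    cert = cert.issuerCertificate;
  }
  return chain.length > 0 ? chain : null;
}

// Constructed sample chain (fingerprints are placeholders, not real hashes).
const root: CertLike = { fingerprint256: 'ROOT-FP' };
root.issuerCertificate = root;
const intermediate: CertLike = { fingerprint256: 'INTERMEDIATE-FP', issuerCertificate: root };
const leaf: CertLike = { fingerprint256: 'LEAF-FP', issuerCertificate: intermediate };

function makeSocket(authorized: boolean, cert: CertLike | null): SocketLike {
  return { authorized, getPeerCertificate: () => cert };
}

console.log(getTrustedChain(makeSocket(true, leaf)));
console.log(getTrustedChain(makeSocket(false, leaf)));
```
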
* add socket.getPeerCertificate to KibanaRequest
* update request mocks
* update docs
Summary
Security plugin needs to access request certificate to implement PKI authentication.
I added a separate abstraction for sockets in case we need to access other properties.
Don't want to expose the whole socket object as it provides too many low-level details.
blocker for #42606
Checklist
Use strikethroughs to remove checklist items you don't feel are applicable to this PR.
[ ] This was checked for cross-browser compatibility, including a check against IE11
[ ] Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
[ ] Documentation was added for features that require explanation or tutorials
[ ] This was checked for keyboard-only and screenreader accessibility
For maintainers
Dev Docs
KibanaRequest object can provide peer certificate