Merge branch 'master' into alerting/decrypt-error-on-migration-eso

docs/development/plugins/data/public/kibana-plugin-plugins-data-public.fieldformatsstart.md

@@ -8,7 +8,7 @@
 <b>Signature:</b>
 
 ```typescript
-export declare type FieldFormatsStart = Omit<FieldFormatsRegistry, 'init' & 'register'> & {
+export declare type FieldFormatsStart = Omit<FieldFormatsRegistry, 'init' | 'register'> & {
     deserialize: FormatFactory;
 };
 ```

docs/redirects.asciidoc

@@ -7,6 +7,22 @@
 The following pages have moved or been deleted.
 
 --
+[role="exclude",id="configuring-tls"]
+== Encrypt TLS communications in {kib}
+See {ref}/security-basic-setup-https.html#encrypt-kibana-http[Encrypt HTTP client communications for {kib}].
+
+[float]
+[role="exclude",id="configuring-tls-browser-kib"]
+=== Encrypt traffic between the browser and {kib}
+
+See {ref}/security-basic-setup-https.html#encrypt-kibana-browser[Encrypt traffic between your browser and {kib}].
+
+[float]
+[role="exclude",id="configuring-tls-kib-es"]
+=== Encrypt traffic between {kib} and {es}
+
+See {ref}/security-basic-setup-https.html#encrypt-kibana-elasticsearch[Encrypt traffic between {kib} and {es}].
+
 [role="exclude",id="monitoring-xpack-kibana"]
 == Configuring monitoring in {kib}
 

docs/user/security/securing-communications/index.asciidoc

@@ -1,4 +1,4 @@
-[[configuring-tls]]
+[[configuring-tls-communication]]
 === Encrypt communications in {kib}
 ++++
 <titleabbrev>Encrypt communications</titleabbrev>
@@ -13,180 +13,4 @@ TLS requires X.509 certificates to authenticate the communicating parties and pe
 contains a public key and has an associated -- but separate -- private key; these keys are used for cryptographic operations. {kib}
 supports certificates and private keys in PEM or PKCS#12 format.
 
-[[configuring-tls-browser-kib]]
-==== Encrypt traffic between the browser and {kib}
-
-NOTE: You do not need to enable the {es} {security-features} for this type of encryption.
-
-. Obtain a server certificate and private key for {kib}.
-+
---
-{kib} will need to use this "server certificate" and corresponding private key when receiving connections from web browsers.
-
-When you obtain a server certificate, you must set its subject alternative name (SAN) correctly to ensure that modern web browsers with
-hostname verification will trust it. You can set one or more SANs to the {kib} server's fully-qualified domain name (FQDN), hostname, or IP
-address. When choosing the SAN, you should pick whichever attribute you will be using to connect to {kib} in your browser, which is likely
-the FQDN in a production environment.
-
-You may choose to generate a signed certificate and private key using the {ref}/certutil.html[`elasticsearch-certutil`] tool.
-For example:
-
-[source,sh]
---------------------------------------------------------------------------------
-bin/elasticsearch-certutil cert -name kibana-server -dns localhost,127.0.0.1
---------------------------------------------------------------------------------
-
-This will produce a PKCS#12 file named `kibana-server.p12`, which contains the server certificate and private key.
-
-NOTE: In this example, the server certificate is signed by a locally-generated certificate authority (CA). This is not suitable for a
-production environment, and it will result in warnings in your web browser until you configure your browser to trust the certificate. Steps
-to configure certificate trust vary depending upon your browser and operating system. If you want to obtain a server certificate for a
-production environment, you can instead generate a certificate signing request (CSR) with `elasticsearch-certutil` using
-{ref}/certutil.html#certutil-csr[CSR mode].
---
-
-. Configure {kib} to access the server certificate and private key.
-
-.. If your server certificate and private key are contained in a PKCS#12 file:
-+
---
-Specify your PKCS#12 file in `kibana.yml`:
-
-[source,yaml]
---------------------------------------------------------------------------------
-server.ssl.keystore.path: "/path/to/kibana-server.p12"
---------------------------------------------------------------------------------
-
-If your PKCS#12 file is encrypted, add the decryption password to your <<secure-settings,{kib} keystore>>:
-
-[source,yaml]
---------------------------------------------------------------------------------
-bin/kibana-keystore add server.ssl.keystore.password
---------------------------------------------------------------------------------
-
-NOTE: If you used `elasticsearch-certutil` to generate a PKCS#12 file and you did not specify a password, the file is encrypted, and you
-need to set `server.ssl.keystore.password` to an empty string.
---
-
-.. Otherwise, if your server certificate and private key are in PEM format:
-+
---
-Specify your server certificate and private key in `kibana.yml`:
-
-[source,yaml]
---------------------------------------------------------------------------------
-server.ssl.certificate: "/path/to/kibana-server.crt"
-server.ssl.key: "/path/to/kibana-server.key"
---------------------------------------------------------------------------------
-
-If your private key is encrypted, add the decryption password to your <<secure-settings,{kib} keystore>>:
-
-[source,yaml]
---------------------------------------------------------------------------------
-bin/kibana-keystore add server.ssl.keyPassphrase
---------------------------------------------------------------------------------
---
-
-+
-For more information about settings for certificates and keys, see <<settings,{kib} configuration settings>>.
-
-. Configure {kib} to enable TLS for inbound connections.
-+
---
-Specify that TLS is used in `kibana.yml`:
-
-[source,yaml]
---------------------------------------------------------------------------------
-server.ssl.enabled: true
---------------------------------------------------------------------------------
---
-
-. Restart {kib}.
-
-After making these changes, you must always access {kib} via HTTPS. For example, `https://localhost:5601`.
-
-[[configuring-tls-kib-es]]
-==== Encrypt traffic between {kib} and {es}
-
-NOTE: To perform this step, you must {ref}/configuring-security.html[enable the {es} {security-features}] or you must have a proxy that
-provides an HTTPS endpoint for {es}.
-
-. {ref}/configuring-tls.html#tls-http[Enable TLS on the HTTP layer in {es}].
-
-. Obtain the certificate authority (CA) certificate chain for {es}.
-+
-{kib} needs the appropriate CA certificate chain to properly establish trust when connecting to {es}.
-
-.. If you followed the {es} documentation for {ref}/configuring-tls.html#node-certificates[generating node certificates] and used the
-`elasticsearch-certutil http` command, check the `kibana` directory in its output. Depending on what options you chose, the output may
-include the CA certificate chain in PEM format.
-
-.. Otherwise, you likely have a PKCS#12 file for each your {es} nodes. You can extract the CA certificate chain from one of these files. For
-example:
-+
---
-[source,sh]
---------------------------------------------------------------------------------
-openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elasticsearch-ca.pem
---------------------------------------------------------------------------------
-
-This will produce a PEM-formatted file named `elasticsearch-ca.pem` that contains all CA certificates from the PKCS#12 file.
---
-
-. Configure {kib} to trust the {es} CA certificate chain for the HTTP layer.
-
-.. If your CA certificate chain is in PEM format:
-+
---
-Specify one or more CA certificates in `kibana.yml`:
-
-[source,yaml]
---------------------------------------------------------------------------------
-elasticsearch.ssl.certificateAuthorities: ["/path/to/elasticsearch-ca.pem"]
---------------------------------------------------------------------------------
---
-
-.. Otherwise, if your CA certificate chain is contained in a PKCS#12 file:
-+
---
-WARNING: You should not use a PKCS#12 file that contains a private key. This is an unnecessary security risk. If you only have a PKCS#12
-file that contains a private key, a safer approach is to extract the CA certificate chain in PEM format.
-
-Specify your PKCS#12 file in `kibana.yml`:
-
-[source,yaml]
---------------------------------------------------------------------------------
-elasticsearch.ssl.truststore.path: "/path/to/elasticsearch-ca.p12"
---------------------------------------------------------------------------------
-
-If your PKCS#12 file is encrypted, add the decryption password to your <<secure-settings,{kib} keystore>>:
-
-[source,yaml]
---------------------------------------------------------------------------------
-bin/kibana-keystore add elasticsearch.ssl.truststore.password
---------------------------------------------------------------------------------
-
-NOTE: If you used `elasticsearch-certutil` to generate a PKCS#12 file and you did not specify a password, the file is encrypted, and you
-need to set `server.ssl.truststore.password` to an empty string.
---
-
-+
-For more information about settings for certificates and keys, see <<settings,{kib} configuration settings>>.
-
-. Configure {kib} to enable TLS for outbound connections to {es}.
-+
---
-Specify the HTTPS URL for {es} in `kibana.yml`:
-
-[source,yaml]
---------------------------------------------------------------------------------
-elasticsearch.hosts: ["https://<your_elasticsearch_host>.com:9200"]
---------------------------------------------------------------------------------
-
-NOTE: Using the HTTPS protocol results in a default `elasticsearch.ssl.verificationMode` option of `full`, which utilizes hostname
-verification. For more information about this setting, see <<settings,{kib} configuration settings>>.
---
-
-If the Elastic {monitor-features} are enabled and you have set up a separate {es} monitoring cluster, you can also configure {kib} to
-connect to the monitoring cluster via HTTPS. The steps are the same, but each setting is prefixed by `monitoring.`. For
-example, `monitoring.ui.elasticsearch.hosts`, `monitoring.ui.elasticsearch.ssl.truststore.path`, etc.
+See {ref}/security-basic-setup-https.html[Set up basic security for the Elastic Stack] to encrypt HTTP communications for {es} and {kib}.

packages/kbn-securitysolution-io-ts-list-types/src/common/index.ts

@@ -6,14 +6,6 @@
  * Side Public License, v 1.
  */
 
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
 export * from './comment';
 export * from './create_comment';
 export * from './created_at';

src/plugins/data/common/field_formats/field_formats_registry.test.ts

@@ -76,6 +76,27 @@ describe('FieldFormatsRegistry', () => {
       expect(registeredFieldFormatters.get(StringFormat.id)).toBe(StringFormat);
       expect(registeredFieldFormatters.get(PercentFormat.id)).toBeUndefined();
     });
+
+    test('should throw if registering a formatter with existing id ', () => {
+      fieldFormatsRegistry.register([BoolFormat]);
+
+      expect(() => fieldFormatsRegistry.register([BoolFormat])).toThrowErrorMatchingInlineSnapshot(
+        `"Failed to register field format with id \\"boolean\\" as it already has been registered"`
+      );
+    });
+  });
+
+  describe('has', () => {
+    test('should provide an public "has" method', () => {
+      expect(fieldFormatsRegistry.has).toBeDefined();
+      expect(typeof fieldFormatsRegistry.has).toBe('function');
+    });
+
+    test('should check if field format registered', () => {
+      fieldFormatsRegistry.register([StringFormat]);
+      expect(fieldFormatsRegistry.has(StringFormat.id)).toBe(true);
+      expect(fieldFormatsRegistry.has(BoolFormat.id)).toBe(false);
+    });
   });
 
   describe('getType', () => {

src/plugins/data/common/field_formats/field_formats_registry.ts

@@ -253,7 +253,21 @@ export class FieldFormatsRegistry {
   }
 
   register(fieldFormats: FieldFormatInstanceType[]) {
-    fieldFormats.forEach((fieldFormat) => this.fieldFormats.set(fieldFormat.id, fieldFormat));
+    fieldFormats.forEach((fieldFormat) => {
+      if (this.fieldFormats.has(fieldFormat.id))
+        throw new Error(
+          `Failed to register field format with id "${fieldFormat.id}" as it already has been registered`
+        );
+      this.fieldFormats.set(fieldFormat.id, fieldFormat);
+    });
+  }
+
+  /**
+   * Checks if field format with id already registered
+   * @param id
+   */
+  has(id: string): boolean {
+    return this.fieldFormats.has(id);
   }
 
   /**

src/plugins/data/common/field_formats/mocks.ts

@@ -25,6 +25,7 @@ export const fieldFormatsMock: IFieldFormatsRegistry = {
   getTypeNameByEsTypes: jest.fn(),
   init: jest.fn(),
   register: jest.fn(),
+  has: jest.fn(),
   parseDefaultTypeMap: jest.fn(),
   deserialize: jest.fn().mockImplementation(() => {
     const DefaultFieldFormat = FieldFormat.from(identity);

src/plugins/data/common/field_formats/types.ts

@@ -94,4 +94,4 @@ export interface IFieldFormatMetaParams {
   };
 }
 
-export type FieldFormatsStartCommon = Omit<FieldFormatsRegistry, 'init' & 'register'>;
+export type FieldFormatsStartCommon = Omit<FieldFormatsRegistry, 'init' | 'register'>;

src/plugins/data/public/field_formats/field_formats_service.ts

@@ -49,9 +49,9 @@ export class FieldFormatsService {
 }
 
 /** @public */
-export type FieldFormatsSetup = Pick<FieldFormatsRegistry, 'register'>;
+export type FieldFormatsSetup = Pick<FieldFormatsRegistry, 'register' | 'has'>;
 
 /** @public */
-export type FieldFormatsStart = Omit<FieldFormatsRegistry, 'init' & 'register'> & {
+export type FieldFormatsStart = Omit<FieldFormatsRegistry, 'init' | 'register'> & {
   deserialize: FormatFactory;
 };

src/plugins/data/public/public.api.md

@@ -1077,7 +1077,7 @@ export type FieldFormatsContentType = 'html' | 'text';
 export type FieldFormatsGetConfigFn = GetConfigFn;
 
 // @public (undocumented)
-export type FieldFormatsStart = Omit<FieldFormatsRegistry, 'init' & 'register'> & {
+export type FieldFormatsStart = Omit<FieldFormatsRegistry, 'init' | 'register'> & {
     deserialize: FormatFactory;
 };