Add ElasticsearchConfig SSL deprecations

elastic · Jan 9, 2020 · a19698a · a19698a
1 parent b8fd76d
commit a19698a
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/src/core/server/elasticsearch/elasticsearch_config.test.ts b/src/core/server/elasticsearch/elasticsearch_config.test.ts
@@ -360,6 +360,24 @@ describe('deprecations', () => {
     const { messages } = applyElasticsearchDeprecations({});
     expect(messages).toHaveLength(0);
   });
+
+  it('logs a warning if ssl.key is set and ssl.certificate is not', () => {
+    const { messages } = applyElasticsearchDeprecations({ ssl: { key: 'foo' } });
+    expect(messages).toMatchInlineSnapshot(`
+      Array [
+        "Setting [${CONFIG_PATH}.ssl.key] without [${CONFIG_PATH}.ssl.certificate] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.",
+      ]
+    `);
+  });
+
+  it('logs a warning if ssl.certificate is set and ssl.key is not', () => {
+    const { messages } = applyElasticsearchDeprecations({ ssl: { certificate: 'foo' } });
+    expect(messages).toMatchInlineSnapshot(`
+      Array [
+        "Setting [${CONFIG_PATH}.ssl.certificate] without [${CONFIG_PATH}.ssl.key] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.",
+      ]
+    `);
+  });
 });
 
 test('#username throws if equal to "elastic", only while running from source', () => {

diff --git a/src/core/server/elasticsearch/elasticsearch_config.ts b/src/core/server/elasticsearch/elasticsearch_config.ts
@@ -118,6 +118,15 @@ const deprecations: ConfigDeprecationProvider = () => [
         `Setting [${fromPath}.username] to "elastic" is deprecated. You should use the "kibana" user instead.`
       );
     }
+    if (es.ssl?.key && !es.ssl?.certificate) {
+      log(
+        `Setting [${fromPath}.ssl.key] without [${fromPath}.ssl.certificate] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.`
+      );
+    } else if (es.ssl?.certificate && !es.ssl?.key) {
+      log(
+        `Setting [${fromPath}.ssl.certificate] without [${fromPath}.ssl.key] is deprecated. This has no effect, you should use both settings to enable TLS client authentication to Elasticsearch.`
+      );
+    }
     return settings;
   },
 ];