Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[alerting] Adds Action Type configuration support and whitelisting #44483

Merged
merged 23 commits into from
Sep 6, 2019
Merged

[alerting] Adds Action Type configuration support and whitelisting #44483

Show file tree
Hide file tree
Changes from 18 commits
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
6c48bc1
feat(action-types-refactor): pass kibana config to builtin action typ…
gmmorris Aug 30, 2019
4113bd2
Merge branch 'master' into refactor-action-types
gmmorris Aug 30, 2019
c03104c
fix(webhook-whitelisting): whitelist support for webhook execution
gmmorris Aug 30, 2019
e46f616
fix(webhook-whitelisting): fixed missing type sig
gmmorris Aug 30, 2019
a12f7b9
Merge branch 'master' into actions/refactor-action-types
gmmorris Sep 2, 2019
ea4580f
refactor(webhook-whitelisting): removed the None option as we can use…
gmmorris Sep 2, 2019
f169c0a
refactor(webhook-whitelisting): unified whitelisting error message
gmmorris Sep 2, 2019
4855bb0
refactor(webhook-whitelisting): curry valdiaiton to make it a little …
gmmorris Sep 2, 2019
cd87387
fix(webhook-whitelisting): removed unused import
gmmorris Sep 2, 2019
057a6ec
fix(webhook-whitelisting): cleaned up messaging around webhook errors
gmmorris Sep 2, 2019
fad46ab
fix(webhook-whitelisting): fixed typing of mocks
gmmorris Sep 2, 2019
7d8ed08
readme(webhook-whitelisting): added documentation of the Built-in-Act…
gmmorris Sep 2, 2019
a93f2f0
Merge branch 'master' into actions/refactor-action-types
gmmorris Sep 2, 2019
7375745
refactor(webhook-whitelisting): extracted unsafeGet out of Result typ…
gmmorris Sep 3, 2019
d5baa69
refactor(webhook-whitelisting): removed usage of result in whitelisting
gmmorris Sep 4, 2019
ac21af9
doc(webhook-whitelisting): Updated documentation for whitelisting
gmmorris Sep 4, 2019
b277445
refactor(webhook-whitelisting): Whitelist Any url by specifying a * i…
gmmorris Sep 4, 2019
2699dd3
doc(webhook-whitelisting): Updated documentation for actions Enabled …
gmmorris Sep 4, 2019
f73fb00
Merge branch 'master' into actions/refactor-action-types
gmmorris Sep 4, 2019
481da21
Merge branch 'master' into actions/refactor-action-types
gmmorris Sep 5, 2019
9a84b8b
refactor(webhook-whitelisting): Provide two ways of checking whitelis…
gmmorris Sep 5, 2019
8a9ddc9
refactor(webhook-whitelisting): Removed whitelisting check in executo…
gmmorris Sep 5, 2019
72f70b4
Merge branch 'master' into actions/refactor-action-types
gmmorris Sep 5, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions x-pack/legacy/plugins/actions/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,27 @@ action types.
2. Create an action by using the RESTful API (see actions -> create action).
3. Use alerts to execute actions or execute manually (see firing actions).

## Kibana Actions Configuration
Implemented under the [Actions Config](./server/actions_config.ts).

### Configuration Options

Built-In-Actions are configured using the _xpack.actions_ namespoace under _kibana.yml_, and have the following configuration options:

| Namespaced Key | Description | Type |
| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
| _xpack.actions._**enabled** | Feature toggle which enabled Actions in Kibana. Currently defaulted to false while Actions are experimental. | boolean |
| _xpack.actions._**WhitelistedHosts** | Which _hostnames_ are whitelisted for the Built-In-Action? This list should contain hostnames of every external service you wish to interact with using Webhooks, Email or any other built in Action. Note that you may use the string "\*" in place of a specific hostname to enable Kibana to target any URL, but keep in mind the potential use of such a feature to execute [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery) attacks from your server. | Array<String> |

### Configuration Utilities

This module provides a Utilities for interacting with the configuration.

| Method | Arguments | Description | Return Type |
| --------------------- | -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| isWhitelistedUri | _uri_: The URI you wish to validate is whitelisted | Validates whether the URI is whitelisted. This checkes the configuration and validates that the hostname of the URI is in the list of whitelisted Hosts and returns the Uri if it is whitelisted. If the configuration says that all URI's are whitelisted (using an "\*") then it will always return the Uri. | String \| NotWhitelistedError: Returns a the whitelisted URI as is (if it is whitelisted) or a NotWhitelistedError Error with an error message if it isn't whitelisted. |
| isWhitelistedHostname | _hostname_: The Hostname you wish to validate is whitelisted | Validates whether the Hostname is whitelisted. This checkes the configuration and validates that the hostname is in the list of whitelisted Hosts and returns the Hostname if it is whitelisted. If the configuration says that all Hostnames are whitelisted (using an "\*") then it will always return the Hostname. | String \| NotWhitelistedError: Returns a the whitelisted URI as is (if it is whitelisted) or a NotWhitelistedError Error with an error message if it isn't whitelisted. |

## Action types

### Methods
Expand Down
7 changes: 7 additions & 0 deletions x-pack/legacy/plugins/actions/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,13 @@ export function actions(kibana: any) {
return Joi.object()
.keys({
enabled: Joi.boolean().default(false),
whitelistedHosts: Joi.alternatives()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think alternatives was here when the property was string | string[]? So, I think we can remove the alternatives() and try() wrappers, just make it a Joi.array()? Or maybe there's some joi sneakiness I don't yet understand :-)

It clearly works now, so fine with shipping this way, create an issue / project card if it should be fixed later.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, that's not needed anymore, I'll fix in a small PR next

.try(
Joi.array()
.items(Joi.string().hostname())
.sparse(false)
)
.default([]),
})
.default();
},
Expand Down
71 changes: 71 additions & 0 deletions x-pack/legacy/plugins/actions/server/actions_config.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/

import {
ActionsKibanaConfig,
getActionsConfigurationUtilities,
WhitelistedHosts,
NotWhitelistedError,
} from './actions_config';

describe('isWhitelistedUri', () => {
test('returns true when "any" hostnames are allowed', () => {
const config: ActionsKibanaConfig = {
enabled: false,
whitelistedHosts: [WhitelistedHosts.Any],
};
expect(
getActionsConfigurationUtilities(config).isWhitelistedUri('https://github.com/elastic/kibana')
).toEqual('https://github.com/elastic/kibana');
});

test('returns a NotWhitelistedError when the hostname in the requested uri is not in the whitelist', () => {
const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: [] };
expect(
getActionsConfigurationUtilities(config).isWhitelistedUri('https://github.com/elastic/kibana')
).toEqual(new NotWhitelistedError('target url not in whitelist'));
});

test('returns a NotWhitelistedError when the uri cannot be parsed as a valid URI', () => {
const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: [] };
expect(getActionsConfigurationUtilities(config).isWhitelistedUri('github.com/elastic')).toEqual(
new NotWhitelistedError('target url not in whitelist')
);
});

test('returns true when the hostname in the requested uri is in the whitelist', () => {
const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: ['github.com'] };
expect(
getActionsConfigurationUtilities(config).isWhitelistedUri('https://github.com/elastic/kibana')
).toEqual('https://github.com/elastic/kibana');
});
});

describe('isWhitelistedHostname', () => {
test('returns true when "any" hostnames are allowed', () => {
const config: ActionsKibanaConfig = {
enabled: false,
whitelistedHosts: [WhitelistedHosts.Any],
};
expect(getActionsConfigurationUtilities(config).isWhitelistedHostname('github.com')).toEqual(
'github.com'
);
});

test('returns false when the hostname in the requested uri is not in the whitelist', () => {
const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: [] };
expect(getActionsConfigurationUtilities(config).isWhitelistedHostname('github.com')).toEqual(
new NotWhitelistedError('target url not in whitelist')
);
});

test('returns true when the hostname in the requested uri is in the whitelist', () => {
const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: ['github.com'] };
expect(getActionsConfigurationUtilities(config).isWhitelistedHostname('github.com')).toEqual(
'github.com'
);
});
});
71 changes: 71 additions & 0 deletions x-pack/legacy/plugins/actions/server/actions_config.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/

import { tryCatch } from 'fp-ts/lib/Option';
import { URL } from 'url';
import { curry } from 'lodash';

export enum WhitelistedHosts {
Any = '*',
}

export interface ActionsKibanaConfig {
enabled: boolean;
whitelistedHosts: string[];
}

export class NotWhitelistedError extends Error {
constructor(message: string) {
super(message); // 'Error' breaks prototype chain here
Object.setPrototypeOf(this, new.target.prototype); // restore prototype chain
}
}

export interface ActionsConfigurationUtilities {
isWhitelistedHostname: (hostname: string) => string | NotWhitelistedError;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I find the name and semantics of this to be strange. I expect is... methods to return booleans.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair, I could rename it to ensureIsWhitelisted... or something like that.

isWhitelistedUri: (uri: string) => string | NotWhitelistedError;
}

const whitelistingErrorMessage = 'target url not in whitelist';
const doesValueWhitelistAnyHostname = (whitelistedHostname: string): boolean =>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this starts to read as a valuable piece of function, but there's no verbs, or something. Would something like isHostnameWildcard() work instead? Or is this some kind of functional pattern I'm not familiar with?

I also noticed you used const <functionName> = <lambda> as is the style for a lot of code these days, but I think we've generally just used functions in this area of Kibana at least; ie, function doesValueWhitelistAnyHostname(...) {...} instead.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding doesValueWhitelistAnyHostname it's not about FP, it's about communicating intent.
Implementation is easier to communicate (they read the code) but intent is much harder (read the code, and the surrounding code, and how they fit together). I find it helpful to communicate intent in the name of functions rather than implementation.

Hope that helps

whitelistedHostname === WhitelistedHosts.Any;

function isWhitelisted(
config: ActionsKibanaConfig,
hostname: string
): string | NotWhitelistedError {
if (
Array.isArray(config.whitelistedHosts) &&
config.whitelistedHosts.find(
whitelistedHostname =>
doesValueWhitelistAnyHostname(whitelistedHostname) || whitelistedHostname === hostname
)
) {
return hostname;
}
return new NotWhitelistedError(whitelistingErrorMessage);
}
export function getActionsConfigurationUtilities(
config: ActionsKibanaConfig
): ActionsConfigurationUtilities {
const isWhitelistedHostname = curry(isWhitelisted)(config);
return {
isWhitelistedUri(uri: string): string | NotWhitelistedError {
return tryCatch(() => new URL(uri))
.map(url => url.hostname)
.map(hostname => {
const result = isWhitelistedHostname(hostname);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why doesn't this just throw instead of returning an error and then throwing based on instanceof? Seems overcomplicated to me.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can't typecheck thrown errors in Typescript, so the general recommendation there seems to be to return errors.
I agree it's over complicated- that's why the Result type is a much more elegant solution, but there were concerns about Result type being used on external APIs.

if (result instanceof NotWhitelistedError) {
return result;
} else {
return uri;
}
})
.getOrElse(new NotWhitelistedError(whitelistingErrorMessage));
},
isWhitelistedHostname,
};
}
7 changes: 6 additions & 1 deletion x-pack/legacy/plugins/actions/server/builtin_action_types/email.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ jest.mock('./lib/send_email', () => ({
}));

import { ActionType, ActionTypeExecutorOptions } from '../types';
import { ActionsConfigurationUtilities } from '../actions_config';
import { ActionTypeRegistry } from '../action_type_registry';
import { encryptedSavedObjectsMock } from '../../../encrypted_saved_objects/server/plugin.mock';
import { taskManagerMock } from '../../../task_manager/task_manager.mock';
Expand All @@ -22,6 +23,10 @@ const sendEmailMock = sendEmail as jest.Mock;

const ACTION_TYPE_ID = '.email';
const NO_OP_FN = () => {};
const MOCK_KIBANA_CONFIG = {
isWhitelistedUri: _ => _,
isWhitelistedHostname: _ => _,
} as ActionsConfigurationUtilities;

const services = {
log: NO_OP_FN,
Expand All @@ -48,7 +53,7 @@ beforeAll(() => {
getBasePath: jest.fn().mockReturnValue(undefined),
});

registerBuiltInActionTypes(actionTypeRegistry);
registerBuiltInActionTypes(actionTypeRegistry, MOCK_KIBANA_CONFIG);

actionType = actionTypeRegistry.get(ACTION_TYPE_ID);
});
Expand Down
23 changes: 12 additions & 11 deletions x-pack/legacy/plugins/actions/server/builtin_action_types/email.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,17 +97,18 @@ function validateParams(paramsObject: any): string | void {
}

// action type definition

export const actionType: ActionType = {
id: '.email',
name: 'email',
validate: {
config: ConfigSchema,
secrets: SecretsSchema,
params: ParamsSchema,
},
executor,
};
export function getActionType(): ActionType {
return {
id: '.email',
name: 'email',
validate: {
config: ConfigSchema,
secrets: SecretsSchema,
params: ParamsSchema,
},
executor,
};
}

// action executor

Expand Down
7 changes: 6 additions & 1 deletion x-pack/legacy/plugins/actions/server/builtin_action_types/es_index.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ jest.mock('./lib/send_email', () => ({
}));

import { ActionType, ActionTypeExecutorOptions } from '../types';
import { ActionsConfigurationUtilities } from '../actions_config';
import { ActionTypeRegistry } from '../action_type_registry';
import { encryptedSavedObjectsMock } from '../../../encrypted_saved_objects/server/plugin.mock';
import { taskManagerMock } from '../../../task_manager/task_manager.mock';
Expand All @@ -19,6 +20,10 @@ import { ActionParamsType, ActionTypeConfigType } from './es_index';

const ACTION_TYPE_ID = '.index';
const NO_OP_FN = () => {};
const MOCK_KIBANA_CONFIG = {
isWhitelistedUri: _ => _,
isWhitelistedHostname: _ => _,
} as ActionsConfigurationUtilities;

const services = {
log: NO_OP_FN,
Expand All @@ -45,7 +50,7 @@ beforeAll(() => {
getBasePath: jest.fn().mockReturnValue(undefined),
});

registerBuiltInActionTypes(actionTypeRegistry);
registerBuiltInActionTypes(actionTypeRegistry, MOCK_KIBANA_CONFIG);

actionType = actionTypeRegistry.get(ACTION_TYPE_ID);
});
Expand Down
21 changes: 11 additions & 10 deletions x-pack/legacy/plugins/actions/server/builtin_action_types/es_index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,16 +33,17 @@ const ParamsSchema = schema.object({
});

// action type definition

export const actionType: ActionType = {
id: '.index',
name: 'index',
validate: {
config: ConfigSchema,
params: ParamsSchema,
},
executor,
};
export function getActionType(): ActionType {
return {
id: '.index',
name: 'index',
validate: {
config: ConfigSchema,
params: ParamsSchema,
},
executor,
};
}

// action executor

Expand Down
28 changes: 17 additions & 11 deletions x-pack/legacy/plugins/actions/server/builtin_action_types/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,17 +5,23 @@
*/

import { ActionTypeRegistry } from '../action_type_registry';
import { ActionsConfigurationUtilities } from '../actions_config';

import { actionType as serverLogActionType } from './server_log';
import { actionType as slackActionType } from './slack';
import { actionType as emailActionType } from './email';
import { actionType as indexActionType } from './es_index';
import { actionType as pagerDutyActionType } from './pagerduty';
import { getActionType as getServerLogActionType } from './server_log';
import { getActionType as getSlackActionType } from './slack';
import { getActionType as getEmailActionType } from './email';
import { getActionType as getIndexActionType } from './es_index';
import { getActionType as getPagerDutyActionType } from './pagerduty';
import { getActionType as getWebhookActionType } from './webhook';

export function registerBuiltInActionTypes(actionTypeRegistry: ActionTypeRegistry) {
actionTypeRegistry.register(serverLogActionType);
actionTypeRegistry.register(slackActionType);
actionTypeRegistry.register(emailActionType);
actionTypeRegistry.register(indexActionType);
actionTypeRegistry.register(pagerDutyActionType);
export function registerBuiltInActionTypes(
actionTypeRegistry: ActionTypeRegistry,
actionsConfigUtils: ActionsConfigurationUtilities
) {
actionTypeRegistry.register(getServerLogActionType());
actionTypeRegistry.register(getSlackActionType());
actionTypeRegistry.register(getEmailActionType());
actionTypeRegistry.register(getIndexActionType());
actionTypeRegistry.register(getPagerDutyActionType());
actionTypeRegistry.register(getWebhookActionType(actionsConfigUtils));
}
7 changes: 6 additions & 1 deletion x-pack/legacy/plugins/actions/server/builtin_action_types/pagerduty.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ jest.mock('./lib/post_pagerduty', () => ({
}));

import { ActionType, Services, ActionTypeExecutorOptions } from '../types';
import { ActionsConfigurationUtilities } from '../actions_config';
import { ActionTypeRegistry } from '../action_type_registry';
import { taskManagerMock } from '../../../task_manager/task_manager.mock';
import { encryptedSavedObjectsMock } from '../../../encrypted_saved_objects/server/plugin.mock';
Expand All @@ -21,6 +22,10 @@ const postPagerdutyMock = postPagerduty as jest.Mock;

const ACTION_TYPE_ID = '.pagerduty';
const NO_OP_FN = () => {};
const MOCK_KIBANA_CONFIG = {
isWhitelistedUri: _ => _,
isWhitelistedHostname: _ => _,
} as ActionsConfigurationUtilities;

const services: Services = {
log: NO_OP_FN,
Expand All @@ -46,7 +51,7 @@ beforeAll(() => {
spaceIdToNamespace: jest.fn().mockReturnValue(undefined),
getBasePath: jest.fn().mockReturnValue(undefined),
});
registerBuiltInActionTypes(actionTypeRegistry);
registerBuiltInActionTypes(actionTypeRegistry, MOCK_KIBANA_CONFIG);
actionType = actionTypeRegistry.get(ACTION_TYPE_ID);
});

Expand Down
23 changes: 12 additions & 11 deletions x-pack/legacy/plugins/actions/server/builtin_action_types/pagerduty.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,17 +84,18 @@ function validateParams(paramsObject: any): string | void {
}

// action type definition

export const actionType: ActionType = {
id: '.pagerduty',
name: 'pagerduty',
validate: {
config: ConfigSchema,
secrets: SecretsSchema,
params: ParamsSchema,
},
executor,
};
export function getActionType(): ActionType {
return {
id: '.pagerduty',
name: 'pagerduty',
validate: {
config: ConfigSchema,
secrets: SecretsSchema,
params: ParamsSchema,
},
executor,
};
}

// action executor

Expand Down
Loading