add socket.getPeerCertificate to KibanaRequest #42929
mshustov merged 3 commits into elastic:master
Pinging @elastic/kibana-platform
💔 Build Failed
| export interface IKibanaSocket { | ||
| // (undocumented) | ||
| getPeerCertificate(detailed: true): DetailedPeerCertificate | null; | ||
| // (undocumented) |
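Review bot: The `getPeerCertificate(detailed: true)` overload on `IKibanaSocket` is reported as `// (undocumented)` here, and so is the member that follows it, so the generated API docs will describe neither. Put a TSDoc comment on each overload signature in the source, stating for the `detailed: true` form that it returns a `DetailedPeerCertificate` or `null`.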
I'd expect api-extractor to merge all overloads in the one file.
Yeah that's kinda strange. You might be able to use the @inheritDoc directive?
nope, neither @inheritDoc nor @link.
The @link reference could not be resolved: The reference is ambiguous because "getPeerCertificate" has more than one declaration; you need to add a TSDoc member reference selector
seems the problem is not solved yet microsoft/rushstack#881
💚 Build Succeeded
ACK: looking..
azasypkin left a comment
LGTM, thanks for the quick turnaround on this one! Tested with PKI auth provider locally and it seems everything works as expected.
| * The returned object has some properties corresponding to the field of the certificate. | ||
| * If detailed argument is true the full chain with issuer property will be returned, | ||
| * if false only the top certificate without issuer property. | ||
| * If the peer does not provide a certificate, it returns null. |
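Review bot: This doc comment never says whether the returned certificate has been validated, and since the summary states that the security plugin will use it for PKI authentication, that is the first thing a caller needs to know. State that the method only reports what the peer presented and that trust in it depends on how the TLS server is configured. In the first line, "the field of the certificate" should read "the fields of the certificate".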
nit: it can also be null if socket has been destroyed (please ignore if it's the only change needed for merge).
| getPeerCertificate(detailed?: boolean): PeerCertificate | DetailedPeerCertificate | null; | ||
|
|
||
| public getPeerCertificate(detailed?: boolean) { | ||
| if (this.socket instanceof TLSSocket) { |
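Review bot: The `if (this.socket instanceof TLSSocket)` guard gives `getPeerCertificate` a second path for plain sockets, and the doc comment on the interface does not cover it: it names only a peer without a certificate as the reason for `null`. The lines shown do not include that path, so make sure it returns `null` explicitly and extend the comment to say the result is also `null` when the connection is not TLS.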
note: PKI authentication provider will consume certificate chain returned from this method, but it works on the assumption that rejectUnauthorized is set to true in the core server and hence we don't need to verify socket.authorized. rejectUnauthorized in the core server isn't configurable right now and hence relies on Node's default value which is true.
So everything is fine right now, but in case we decide to expose rejectUnauthorized as a configuration option for some reason (hopefully not) we may need to expose socket.authorized from IKibanaSocket. Just wanted to note.
/cc @kobelb
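The assumption described in the comment above, as an added sketch that is not code from this PR or from Kibana: a consumer that accepts the chain from `getPeerCertificate(true)` only when `socket.authorized` is true. `getVerifiedPeerChain`, `stubSocket`, the `Cert` and `TlsLikeSocket` shapes and the sample certificates are hypothetical and constructed for the example.

```typescript
// Minimal shapes modelled on Node's tls API; names are assumptions for this example.
interface Cert {
  subject: { CN: string };
  fingerprint256: string;
  issuerCertificate?: Cert;
}
interface TlsLikeSocket {
  authorized: boolean;
  getPeerCertificate(detailed: true): Cert | null;
}

// Hypothetical helper: returns the peer chain (leaf first) only if TLS verified it.
function getVerifiedPeerChain(socket: TlsLikeSocket): Cert[] | null {
  // With rejectUnauthorized disabled an unverified handshake still completes,
  // so `authorized` is the only signal that the chain was validated.
  if (!socket.authorized) return null;

  const leaf = socket.getPeerCertificate(true);
  // null: socket destroyed. Empty object: Node's value when no certificate was sent.
  if (leaf === null || Object.keys(leaf).length === 0) return null;

  const chain: Cert[] = [];
  const seen = new Set<string>();
  let current: Cert | undefined = leaf;
  // A self-signed root references itself as issuer, so stop on a repeat.
  while (current !== undefined && !seen.has(current.fingerprint256)) {
    seen.add(current.fingerprint256);
    chain.push(current);
    current = current.issuerCertificate;
  }
  return chain;
}

// Constructed sample data: leaf -> intermediate -> self-signed root.
const rootCert: Cert = { subject: { CN: 'Example Root' }, fingerprint256: 'AA:01' };
rootCert.issuerCertificate = rootCert;
const caCert: Cert = { subject: { CN: 'Example CA' }, fingerprint256: 'BB:02', issuerCertificate: rootCert };
const leafCert: Cert = { subject: { CN: 'client-1' }, fingerprint256: 'CC:03', issuerCertificate: caCert };

// Constructed stand-in for a TLS socket, so the example runs without a handshake.
function stubSocket(authorized: boolean, cert: Cert | null): TlsLikeSocket {
  return { authorized, getPeerCertificate: () => cert };
}
```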
* add socket.getPeerCertificate to KibanaRequest
* update request mocks
* update docs
Summary
Security plugin needs to access request certificate to implement PKI authentication.
I added a separate abstraction for sockets in case we need to access other properties.
Don't want to expose the whole socket object as it provides too many low-level details.
blocker for #42606
Checklist
Use strikethroughs to remove checklist items you don't feel are applicable to this PR.
[ ] This was checked for cross-browser compatibility, including a check against IE11
[ ] Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
[ ] Documentation was added for features that require explanation or tutorials
[ ] This was checked for keyboard-only and screenreader accessibility
For maintainers
Dev Docs
KibanaRequest object can provide peer certificate