[ConnectorsV2] Adding pfx and crt certificate auth types
#243897
pfx and crt certificate auth types
| export type { CustomHostSettings, ProxySettings, SSLSettings } from './utils/types'; | ||
| export { customHostSettingsSchema } from './utils/types'; | ||
| export { getNodeSSLOptions, getSSLSettingsFromConfig } from './utils/get_node_ssl_options'; | ||
| export { getCustomAgents } from './utils/get_custom_agents'; |
Moved these functions to a package so we could use them from another package.
183f1a2 to
0032321
| url: string; | ||
| } | ||
|
|
||
| export function getCustomAgents(opts: GetCustomAgentsOpts): GetCustomAgentsResponse { |
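Review bot: the exported `getCustomAgents(opts: GetCustomAgentsOpts)` has no doc comment directly above its declaration. Since it is now part of a shared package's surface, add a short JSDoc that says which fields of `GetCustomAgentsOpts` are required and what `GetCustomAgentsResponse` contains when no custom settings apply.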
this is the getCustomAgents function from the actions plugin, but with the settings passed in as parameters instead of using actionConfigurationUtilities to retrieve configuration settings.
| secret: AuthSchemaType | ||
| ): AxiosInstance => { | ||
| const sslOverrides: SSLSettings = { | ||
| cert: Buffer.from(secret.crt, 'base64'), |
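Review bot: `Buffer.from(secret.crt, 'base64')` in `sslOverrides` does not throw on malformed input, so a truncated or corrupted `crt` decodes to unusable bytes and the failure only surfaces later as a TLS error. Validate `secret.crt` as base64 before this point (in the schema, or by checking the decoded buffer here) and return an error that names the field.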
This is based off our current webhook connector, where the cert and key are base 64 encoded before being passed to the create API. Perhaps we can add a meta designation that a field should be base64 encoded so the form builder knows what to do? cc @jcger
We render an <input type="file"... /> for this in the webhook connector. Do you think we could use https://zod.dev/api#files ?
seems like it could be worth a try
I looked at the docs for z.file and it only allows you to set a mime type, from which the other properties of the file are derived. None of the mime types identify a base 64 encoding. I did see that there's a z.base64 type that validates an input is base 64 encoded, so I switched to using that, but we can probably change it as needed when the form builder part is worked on.
@elasticmachine merge upstream
@elasticmachine run docs-build
Pinging @elastic/response-ops (Team:ResponseOps)
| /** | ||
| * Authenticate with PFX certificate | ||
| */ | ||
| export const PFX: AuthTypeSpec<AuthSchemaType> = { |
There is a Kibana config called xpack.actions.webhook.ssl.pfx.enabled, it looks like it should only apply to the webhook connector because of its name, but in FedRAMP's spirit, it should apply to all connectors that have SSL auth type. I'll create an issue to add a more generic option, something like xpack.actions.auth.ssl.pfx.enabled or similar (done: #245079).
Anyways, with this context, now that we will activate SSL auth type as an option to choose from when creating a workflow connector, we should check whether pfx is actually enabled and handle it accordingly.
Thanks for calling that out! Updated in 73f4623
@elasticmachine merge upstream
💛 Build succeeded, but was flaky
cc @ymao1
Resolves #243819
Summary
Adding two auth types to handle pfx and crt certificate authentication. If a connector is configured with custom certificates, we need to regenerate the http and https agents that are used by the axios instance to take into account the custom SSL settings for the connector.
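The base64 handling and PFX gating discussed in this PR, as an added example that is not code from the PR or from Kibana: it strictly decodes base64-encoded certificate secrets into the TLS options a caller would pass to `new https.Agent(options)`. The helper names, the `key`, `pfx` and `passphrase` fields, and the `pfxEnabled` flag are assumptions; only `crt` and the base64 transport come from the page.

```javascript
// Added example. Helper names and the key/pfx/passphrase fields are assumptions;
// `crt` and the base64 transport come from the PR discussion.
const PEM_CERT = /^-----BEGIN CERTIFICATE-----/;
const PEM_KEY = /^-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/;

// Buffer.from(value, 'base64') never throws on malformed input, so accept the
// value only if re-encoding the decoded bytes reproduces it exactly.
function decodeBase64Strict(field, value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error(`${field}: expected a non-empty base64 string`);
  }
  const buf = Buffer.from(value, 'base64');
  if (buf.toString('base64') !== value) {
    throw new Error(`${field}: not canonical base64`);
  }
  return buf;
}

// Returns the TLS options a caller would hand to `new https.Agent(options)`.
// `pfxEnabled` stands in for the Kibana setting that gates PFX authentication.
function buildSslOverrides(secret, { pfxEnabled = true } = {}) {
  const extra = secret.passphrase ? { passphrase: secret.passphrase } : {};
  if (secret.pfx !== undefined) {
    if (!pfxEnabled) throw new Error('pfx: disabled by configuration');
    const pfx = decodeBase64Strict('pfx', secret.pfx);
    // PKCS#12 is ASN.1; the outer element is a SEQUENCE (tag 0x30).
    if (pfx[0] !== 0x30) throw new Error('pfx: not an ASN.1 SEQUENCE');
    return { pfx, ...extra };
  }
  const cert = decodeBase64Strict('crt', secret.crt);
  const key = decodeBase64Strict('key', secret.key);
  // Node's TLS `cert` and `key` options take PEM, so check the armor line.
  if (!PEM_CERT.test(cert.toString('latin1'))) throw new Error('crt: not a PEM certificate');
  if (!PEM_KEY.test(key.toString('latin1'))) throw new Error('key: not a PEM private key');
  return { cert, key, ...extra };
}

// Constructed sample secrets: placeholder bodies, not real key material.
const b64 = (text) => Buffer.from(text, 'latin1').toString('base64');
const SAMPLE_CRT_KEY = {
  crt: b64('-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n'),
  key: b64('-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n'),
};
const SAMPLE_PFX = { pfx: Buffer.from([0x30, 0x82, 0x01, 0x00]).toString('base64') };
```

Rejecting the secret at this point gives the user an error that names the bad field instead of a handshake failure on the first request.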