Revert "Adding option to always present the certificate when connecti…

…ng to ES (elastic#24304)" This reverts commit 9e86a04.
FrankHassanabad · Oct 26, 2018 · c042d37 · c042d37
1 parent e486451
commit c042d37
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 93 deletions.
diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc
@@ -49,11 +49,6 @@ certificate and key files. These files are used to verify the identity of Kibana
 `elasticsearch.ssl.verificationMode:`:: *Default: full* Controls the verification of certificates presented by Elasticsearch. Valid values are `none`, `certificate`, and `full`.
 `full` performs hostname verification, and `certificate` does not.
 
-`elasticsearch.ssl.alwaysPresentCertificate:`:: *Default: false* Controls whether to always present the certificate specified
-by `elasticsearch.ssl.certificate` when requested. This applies to all requests to Elasticsearch, including requests that are
-proxied for end-users. Setting this to `true` when Elasticsearch is using certificates to authenticate users can lead to proxied
-requests for end-users being executed as the identity tied to the configured certificate.
-
 `elasticsearch.startupTimeout:`:: *Default: 5000* Time in milliseconds to wait for Elasticsearch at Kibana startup before
 retrying.
 

diff --git a/src/core_plugins/console/server/__tests__/elasticsearch_proxy_config.js b/src/core_plugins/console/server/__tests__/elasticsearch_proxy_config.js
@@ -18,15 +18,11 @@
  */
 
 import expect from 'expect.js';
-import fs from 'fs';
-import { promisify } from 'bluebird';
 import { getElasticsearchProxyConfig } from '../elasticsearch_proxy_config';
 import https from 'https';
 import http from 'http';
 import sinon from 'sinon';
 
-const readFileAsync = promisify(fs.readFile, fs);
-
 describe('plugins/console', function () {
   describe('#getElasticsearchProxyConfig', function () {
 
@@ -122,73 +118,22 @@ describe('plugins/console', function () {
         expect(agent.options.ca).to.contain('test ca certificate\n');
       });
 
-      describe('when alwaysPresentCertificate is false', () => {
-        it(`doesn't set cert and key when certificate and key paths are specified`, function () {
-          setElasticsearchConfig('ssl.alwaysPresentCertificate', false);
-          setElasticsearchConfig('ssl.certificate', __dirname + '/fixtures/cert.crt');
-          setElasticsearchConfig('ssl.key', __dirname + '/fixtures/cert.key');
-
-          const { agent } = getElasticsearchProxyConfig(server);
-          expect(agent.options.cert).to.be(undefined);
-          expect(agent.options.key).to.be(undefined);
-        });
-
-        it(`doesn't set passphrase when certificate, key and keyPassphrase are specified`, function () {
-          setElasticsearchConfig('ssl.alwaysPresentCertificate', false);
-          setElasticsearchConfig('ssl.certificate', __dirname + '/fixtures/cert.crt');
-          setElasticsearchConfig('ssl.key', __dirname + '/fixtures/cert.key');
-          setElasticsearchConfig('ssl.keyPassphrase', 'secret');
-
-          const { agent } = getElasticsearchProxyConfig(server);
-          expect(agent.options.passphrase).to.be(undefined);
-        });
+      it(`doesn't set cert and key when certificate and key paths are specified`, function () {
+        setElasticsearchConfig('ssl.certificate', __dirname + '/fixtures/cert.crt');
+        setElasticsearchConfig('ssl.key', __dirname + '/fixtures/cert.key');
+
+        const { agent } = getElasticsearchProxyConfig(server);
+        expect(agent.options.cert).to.be(undefined);
+        expect(agent.options.key).to.be(undefined);
       });
 
-      describe('when alwaysPresentCertificate is true', () => {
-        it(`sets cert and key when certificate and key paths are specified`, async function () {
-          const certificatePath = __dirname + '/fixtures/cert.crt';
-          const keyPath = __dirname + '/fixtures/cert.key';
-          setElasticsearchConfig('ssl.alwaysPresentCertificate', true);
-          setElasticsearchConfig('ssl.certificate', certificatePath);
-          setElasticsearchConfig('ssl.key', keyPath);
-
-          const { agent } = getElasticsearchProxyConfig(server);
-          expect(agent.options.cert).to.be(await readFileAsync(certificatePath, 'utf8'));
-          expect(agent.options.key).to.be(await readFileAsync(keyPath, 'utf8'));
-        });
-
-        it(`sets passphrase when certificate, key and keyPassphrase are specified`, function () {
-          setElasticsearchConfig('ssl.alwaysPresentCertificate', true);
-          setElasticsearchConfig('ssl.certificate', __dirname + '/fixtures/cert.crt');
-          setElasticsearchConfig('ssl.key', __dirname + '/fixtures/cert.key');
-          setElasticsearchConfig('ssl.keyPassphrase', 'secret');
-
-          const { agent } = getElasticsearchProxyConfig(server);
-          expect(agent.options.passphrase).to.be('secret');
-        });
-
-        it(`doesn't set cert when only certificate path is specified`, async function () {
-          const certificatePath = __dirname + '/fixtures/cert.crt';
-          setElasticsearchConfig('ssl.alwaysPresentCertificate', true);
-          setElasticsearchConfig('ssl.certificate', certificatePath);
-          setElasticsearchConfig('ssl.key', undefined);
-
-          const { agent } = getElasticsearchProxyConfig(server);
-          expect(agent.options.cert).to.be(undefined);
-          expect(agent.options.key).to.be(undefined);
-        });
-
-        it(`doesn't set key when only key path is specified`, async function () {
-          const keyPath = __dirname + '/fixtures/cert.key';
-          setElasticsearchConfig('ssl.alwaysPresentCertificate', true);
-          setElasticsearchConfig('ssl.certificate', undefined);
-          setElasticsearchConfig('ssl.key', keyPath);
-
-          const { agent } = getElasticsearchProxyConfig(server);
-          expect(agent.options.cert).to.be(undefined);
-          expect(agent.options.key).to.be(undefined);
-        });
+      it(`doesn't set passphrase when certificate, key and keyPassphrase are specified`, function () {
+        setElasticsearchConfig('ssl.certificate', __dirname + '/fixtures/cert.crt');
+        setElasticsearchConfig('ssl.key', __dirname + '/fixtures/cert.key');
+        setElasticsearchConfig('ssl.keyPassphrase', 'secret');
 
+        const { agent } = getElasticsearchProxyConfig(server);
+        expect(agent.options.passphrase).to.be(undefined);
       });
     });
   });

diff --git a/src/core_plugins/console/server/elasticsearch_proxy_config.js b/src/core_plugins/console/server/elasticsearch_proxy_config.js
@@ -55,16 +55,6 @@ const createAgent = (server) => {
     agentOptions.ca = config.get('elasticsearch.ssl.certificateAuthorities').map(readFile);
   }
 
-  if (
-    config.get('elasticsearch.ssl.alwaysPresentCertificate') &&
-    config.get('elasticsearch.ssl.certificate') &&
-    config.get('elasticsearch.ssl.key')
-  ) {
-    agentOptions.cert = readFile(config.get('elasticsearch.ssl.certificate'));
-    agentOptions.key = readFile(config.get('elasticsearch.ssl.key'));
-    agentOptions.passphrase = config.get('elasticsearch.ssl.keyPassphrase');
-  }
-
   return new https.Agent(agentOptions);
 };
 

diff --git a/src/core_plugins/elasticsearch/index.js b/src/core_plugins/elasticsearch/index.js
@@ -42,8 +42,7 @@ export default function (kibana) {
         certificateAuthorities: array().single().items(string()),
         certificate: string(),
         key: string(),
-        keyPassphrase: string(),
-        alwaysPresentCertificate: boolean().default(false),
+        keyPassphrase: string()
       }).default();
 
       return object({

diff --git a/src/core_plugins/elasticsearch/lib/cluster.js b/src/core_plugins/elasticsearch/lib/cluster.js
@@ -34,10 +34,7 @@ export class Cluster {
 
     this._clients = new Set();
     this._client = this.createClient();
-    this._noAuthClient = this.createClient(
-      { auth: false },
-      { ignoreCertAndKey: !this.getSsl().alwaysPresentCertificate }
-    );
+    this._noAuthClient = this.createClient({ auth: false }, { ignoreCertAndKey: true });
 
     return this;
   }

diff --git a/src/core_plugins/elasticsearch/lib/create_agent.js b/src/core_plugins/elasticsearch/lib/create_agent.js
@@ -29,6 +29,5 @@ export default function (config) {
 
   if (!/^https/.test(target.protocol)) return new http.Agent();
 
-  const ignoreCertAndKey = !get(config, 'ssl.alwaysPresentCertificate');
-  return new https.Agent(parseConfig(config, { ignoreCertAndKey }).ssl);
+  return new https.Agent(parseConfig(config, { ignoreCertAndKey: true }).ssl);
 }
diff --git a/x-pack/plugins/monitoring/config.js b/x-pack/plugins/monitoring/config.js
@@ -76,8 +76,7 @@ export const config = (Joi) => {
         certificateAuthorities: array().single().items(string()),
         certificate: string(),
         key: string(),
-        keyPassphrase: string(),
-        alwaysPresentCertificate: boolean().default(false),
+        keyPassphrase: string()
       }).default(),
       apiVersion: string().default('master')
     }).default()