elastic · kobelb · Oct 23, 2018 · Oct 19, 2018 · Oct 19, 2018 · Oct 22, 2018
diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc
@@ -49,6 +49,11 @@ certificate and key files. These files are used to verify the identity of Kibana
 `elasticsearch.ssl.verificationMode:`:: *Default: full* Controls the verification of certificates presented by Elasticsearch. Valid values are `none`, `certificate`, and `full`.
 `full` performs hostname verification, and `certificate` does not.
 
+`elasticsearch.ssl.alwaysPresentCertificate:`:: *Default: false* Controls whether to always present the certificate specified
+by `elasticsearch.ssl.certificate` when requested. This applies to all requests to Elasticsearch, including requests that are
+proxied for end-users. Setting this to `true` when Elasticsearch is using certificates to authenticate users can lead to proxied
+requests for end-users being executed as the identity tied to the configured certificate.
+
 `elasticsearch.startupTimeout:`:: *Default: 5000* Time in milliseconds to wait for Elasticsearch at Kibana startup before
 retrying.
 

diff --git a/src/core_plugins/console/server/__tests__/elasticsearch_proxy_config.js b/src/core_plugins/console/server/__tests__/elasticsearch_proxy_config.js
@@ -18,11 +18,15 @@
  */
 
 import expect from 'expect.js';
+import fs from 'fs';
+import { promisify } from 'bluebird';
 import { getElasticsearchProxyConfig } from '../elasticsearch_proxy_config';
 import https from 'https';
 import http from 'http';
 import sinon from 'sinon';
 
+const readFileAsync = promisify(fs.readFile, fs);
+
 describe('plugins/console', function () {
   describe('#getElasticsearchProxyConfig', function () {
 
@@ -118,22 +122,73 @@ describe('plugins/console', function () {
         expect(agent.options.ca).to.contain('test ca certificate\n');
       });
 
-      it(`doesn't set cert and key when certificate and key paths are specified`, function () {
-        setElasticsearchConfig('ssl.certificate', __dirname + '/fixtures/cert.crt');
-        setElasticsearchConfig('ssl.key', __dirname + '/fixtures/cert.key');
-
-        const { agent } = getElasticsearchProxyConfig(server);
-        expect(agent.options.cert).to.be(undefined);
-        expect(agent.options.key).to.be(undefined);
+      describe('when alwaysPresentCertificate is false', () => {
+        it(`doesn't set cert and key when certificate and key paths are specified`, function () {
+          setElasticsearchConfig('ssl.alwaysPresentCertificate', false);
+          setElasticsearchConfig('ssl.certificate', __dirname + '/fixtures/cert.crt');
+          setElasticsearchConfig('ssl.key', __dirname + '/fixtures/cert.key');
+
+          const { agent } = getElasticsearchProxyConfig(server);
+          expect(agent.options.cert).to.be(undefined);
+          expect(agent.options.key).to.be(undefined);
+        });
+
+        it(`doesn't set passphrase when certificate, key and keyPassphrase are specified`, function () {
+          setElasticsearchConfig('ssl.alwaysPresentCertificate', false);
+          setElasticsearchConfig('ssl.certificate', __dirname + '/fixtures/cert.crt');
+          setElasticsearchConfig('ssl.key', __dirname + '/fixtures/cert.key');
+          setElasticsearchConfig('ssl.keyPassphrase', 'secret');
+
+          const { agent } = getElasticsearchProxyConfig(server);
+          expect(agent.options.passphrase).to.be(undefined);
+        });
       });
 
-      it(`doesn't set passphrase when certificate, key and keyPassphrase are specified`, function () {
-        setElasticsearchConfig('ssl.certificate', __dirname + '/fixtures/cert.crt');
-        setElasticsearchConfig('ssl.key', __dirname + '/fixtures/cert.key');
-        setElasticsearchConfig('ssl.keyPassphrase', 'secret');
+      describe('when alwaysPresentCertificate is true', () => {
+        it(`sets cert and key when certificate and key paths are specified`, async function () {
+          const certificatePath = __dirname + '/fixtures/cert.crt';
+          const keyPath = __dirname + '/fixtures/cert.key';
+          setElasticsearchConfig('ssl.alwaysPresentCertificate', true);
+          setElasticsearchConfig('ssl.certificate', certificatePath);
+          setElasticsearchConfig('ssl.key', keyPath);
+
+          const { agent } = getElasticsearchProxyConfig(server);
+          expect(agent.options.cert).to.be(await readFileAsync(certificatePath, 'utf8'));
+          expect(agent.options.key).to.be(await readFileAsync(keyPath, 'utf8'));
+        });
+
+        it(`sets passphrase when certificate, key and keyPassphrase are specified`, function () {
+          setElasticsearchConfig('ssl.alwaysPresentCertificate', true);
+          setElasticsearchConfig('ssl.certificate', __dirname + '/fixtures/cert.crt');
+          setElasticsearchConfig('ssl.key', __dirname + '/fixtures/cert.key');
+          setElasticsearchConfig('ssl.keyPassphrase', 'secret');
+
+          const { agent } = getElasticsearchProxyConfig(server);
+          expect(agent.options.passphrase).to.be('secret');
+        });
+
+        it(`doesn't set cert when only certificate path is specified`, async function () {
+          const certificatePath = __dirname + '/fixtures/cert.crt';
+          setElasticsearchConfig('ssl.alwaysPresentCertificate', true);
+          setElasticsearchConfig('ssl.certificate', certificatePath);
+          setElasticsearchConfig('ssl.key', undefined);
+
+          const { agent } = getElasticsearchProxyConfig(server);
+          expect(agent.options.cert).to.be(undefined);
+          expect(agent.options.key).to.be(undefined);
+        });
+
+        it(`doesn't set key when only key path is specified`, async function () {
+          const keyPath = __dirname + '/fixtures/cert.key';
+          setElasticsearchConfig('ssl.alwaysPresentCertificate', true);
+          setElasticsearchConfig('ssl.certificate', undefined);
+          setElasticsearchConfig('ssl.key', keyPath);
+
+          const { agent } = getElasticsearchProxyConfig(server);
+          expect(agent.options.cert).to.be(undefined);
+          expect(agent.options.key).to.be(undefined);
+        });
 
-        const { agent } = getElasticsearchProxyConfig(server);
-        expect(agent.options.passphrase).to.be(undefined);
       });
     });
   });

diff --git a/src/core_plugins/console/server/elasticsearch_proxy_config.js b/src/core_plugins/console/server/elasticsearch_proxy_config.js
@@ -55,6 +55,16 @@ const createAgent = (server) => {
     agentOptions.ca = config.get('elasticsearch.ssl.certificateAuthorities').map(readFile);
   }
 
+  if (
+    config.get('elasticsearch.ssl.alwaysPresentCertificate') &&
+    config.get('elasticsearch.ssl.certificate') &&
+    config.get('elasticsearch.ssl.key')
+  ) {
+    agentOptions.cert = readFile(config.get('elasticsearch.ssl.certificate'));
+    agentOptions.key = readFile(config.get('elasticsearch.ssl.key'));
+    agentOptions.passphrase = config.get('elasticsearch.ssl.keyPassphrase');
+  }
+
   return new https.Agent(agentOptions);
 };
 

diff --git a/src/core_plugins/elasticsearch/index.js b/src/core_plugins/elasticsearch/index.js
@@ -42,7 +42,8 @@ export default function (kibana) {
         certificateAuthorities: array().single().items(string()),
         certificate: string(),
         key: string(),
-        keyPassphrase: string()
+        keyPassphrase: string(),
+        alwaysPresentCertificate: boolean().default(false),
       }).default();
 
       return object({

diff --git a/src/core_plugins/elasticsearch/lib/cluster.js b/src/core_plugins/elasticsearch/lib/cluster.js
@@ -34,7 +34,10 @@ export class Cluster {
 
     this._clients = new Set();
     this._client = this.createClient();
-    this._noAuthClient = this.createClient({ auth: false }, { ignoreCertAndKey: true });
+    this._noAuthClient = this.createClient(
+      { auth: false },
+      { ignoreCertAndKey: !this.getSsl().alwaysPresentCertificate }
+    );
 
     return this;
   }

diff --git a/src/core_plugins/elasticsearch/lib/create_agent.js b/src/core_plugins/elasticsearch/lib/create_agent.js
@@ -29,5 +29,6 @@ export default function (config) {
 
   if (!/^https/.test(target.protocol)) return new http.Agent();
 
-  return new https.Agent(parseConfig(config, { ignoreCertAndKey: true }).ssl);
+  const ignoreCertAndKey = !get(config, 'ssl.alwaysPresentCertificate');
+  return new https.Agent(parseConfig(config, { ignoreCertAndKey }).ssl);
 }
diff --git a/x-pack/plugins/monitoring/config.js b/x-pack/plugins/monitoring/config.js
@@ -76,7 +76,8 @@ export const config = (Joi) => {
         certificateAuthorities: array().single().items(string()),
         certificate: string(),
         key: string(),
-        keyPassphrase: string()
+        keyPassphrase: string(),
+        alwaysPresentCertificate: boolean().default(false),
       }).default(),
       apiVersion: string().default('master')
     }).default()