fix MTLS settings for synthetics service in Kibana (#136267)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

x-pack/plugins/synthetics/server/synthetics_service/service_api_client.test.ts

@@ -0,0 +1,61 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { Logger } from '@kbn/core/server';
+import { ServiceAPIClient } from './service_api_client';
+import { UptimeServerSetup } from '../legacy_uptime/lib/adapters';
+import { ServiceConfig } from '../../common/config';
+
+jest.mock('@kbn/server-http-tools', () => ({
+ SslConfig: jest.fn().mockImplementation(({ certificate, key }) => ({ certificate, key })),
+}));
+
+describe('getHttpsAgent', () => {
+ it('does not use certs if basic auth is set', () => {
+ const apiClient = new ServiceAPIClient(
+ jest.fn() as unknown as Logger,
+ { username: 'u', password: 'p' },
+ { isDev: true } as UptimeServerSetup
+ );
+ const { options: result } = apiClient.getHttpsAgent('https://localhost:10001');
+ expect(result).not.toHaveProperty('cert');
+ expect(result).not.toHaveProperty('key');
+ });
+
+ it('rejectUnauthorised is true for requests out of localhost even in dev', () => {
+ const apiClient = new ServiceAPIClient(
+ jest.fn() as unknown as Logger,
+ { tls: { certificate: 'crt', key: 'k' } } as ServiceConfig,
+ { isDev: true } as UptimeServerSetup
+ );
+
+ const { options: result } = apiClient.getHttpsAgent('https://example.com');
+ expect(result).toEqual(expect.objectContaining({ rejectUnauthorized: true }));
+ });
+
+ it('use rejectUnauthorised as true out of dev for localhost', () => {
+ const apiClient = new ServiceAPIClient(
+ jest.fn() as unknown as Logger,
+ { tls: { certificate: 'crt', key: 'k' } } as ServiceConfig,
+ { isDev: false } as UptimeServerSetup
+ );
+
+ const { options: result } = apiClient.getHttpsAgent('https://localhost:10001');
+ expect(result).toEqual(expect.objectContaining({ rejectUnauthorized: true }));
+ });
+
+ it('uses certs when defined', () => {
+ const apiClient = new ServiceAPIClient(
+ jest.fn() as unknown as Logger,
+ { tls: { certificate: 'crt', key: 'k' } } as ServiceConfig,
+ { isDev: false } as UptimeServerSetup
+ );
+
+ const { options: result } = apiClient.getHttpsAgent('https://localhost:10001');
+ expect(result).toEqual(expect.objectContaining({ cert: 'crt', key: 'k' }));
+ });
+});

x-pack/plugins/synthetics/server/synthetics_service/service_api_client.ts

@@ -55,22 +55,28 @@ export class ServiceAPIClient {
  this.server = server;
  }
 
- getHttpsAgent(url: string) {
+ getHttpsAgent(targetUrl: string) {
+ const parsedTargetUrl = new URL(targetUrl);
+
+ const rejectUnauthorized = parsedTargetUrl.hostname !== 'localhost' || !this.server.isDev;
+ const baseHttpsAgent = new https.Agent({ rejectUnauthorized });
+
  const config = this.config;
- if (url !== this.config.devUrl && this.authorization && this.server.isDev) {
- return;
- }
+
+ // If using basic-auth, ignore certificate configs
+ if (this.authorization) return baseHttpsAgent;
+
  if (config.tls && config.tls.certificate && config.tls.key) {
  const tlsConfig = new SslConfig(config.tls);
 
- const rejectUnauthorized = process.env.NODE_ENV === 'production';
-
  return new https.Agent({
  rejectUnauthorized,
  cert: tlsConfig.certificate,
  key: tlsConfig.key,
  });
  }
+
+ return baseHttpsAgent;
  }
 
  async post(data: ServiceData) {

x-pack/plugins/synthetics/server/synthetics_service/synthetics_service.test.ts

@@ -40,7 +40,7 @@ describe('SyntheticsService', () => {
  return {
  id: `loc-${n}`,
  label: `Location ${n}`,
- url: `example.com/${n}`,
+ url: `https://example.com/${n}`,
  geo: {
  lat: 0,
  lon: 0,