elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Fleet UI does not format proxy TLS config correctly #179269

Open AndersonQ opened 7 months ago

AndersonQ commented 7 months ago

Kibana version: 8.13, main

Elasticsearch version: 8.13, main

Server OS version: Elastic Cloud

Browser version: Brave v1.64.109 (Mar 20, 2024)

Browser OS version: Pop!_OS 22.04 LTS

Original install method (e.g. download page, yum, from source, etc.): N/A

Describe the bug: Fleet UI does not format proxy TLS config correctly

Steps to reproduce:

  1. Have fleet-server running
  2. Navigate to Fleet > Settings
  3. Add a proxy with CA or certificates
  4. Add the proxy to an output

Expected behavior: The TLS config should be correctly formatted as it happens for the ES output and others

Screenshots (if relevant):

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

#elastic-agent inspect

outputs:
  default:
    api_key: [REDACTED]
    hosts:
    - https://9a565b4629ba489e92c2d1ce5f829741.us-west2.gcp.elastic-cloud.com:443
    preset: balanced
    proxy_url: http://10.80.40.1:8888
    ssl:
      certificate_authorities:
      - '-----BEGIN CERTIFICATE----- MIIDSTCCAjGgAwIBAgIUcBlefuvb/A+JDybVFWwtNkrZWwwwDQYJKoZIhvcNAQEL
        BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l cmF0ZWQgQ0EwHhcNMjQwMzIwMDYzOTU1WhcNMjcwMzIwMDYzOTU1WjA0MTIwMAYD
        VQQDEylFbGFzdGljIENlcnRpZmljYXRlIFRvb2wgQXV0b2dlbmVyYXRlZCBDQTCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMu5Rkl5gRf3oNN8e0cYQmsK
        j3W2nq/s1QInLLkCZdPWsBd0RyjJqOHDP734xKBndZVcrE1haP7W4SOcfaJ22UVK 8xchFpZ4q0FOWxTVHSmW9ReLwciFQP4HeAu1j36PbHSc5S6J7FlgB8JAHILm7A3t
        DtiyWUcg9Z/LwcW1N4Id4Xcj4p3uFi00IfzXpd8InBWXPjKnwCWzNAJTsLHIfCLk Xj+IfAfWJzuPa36/ro2ANoXAyOKgJHd6IB4xfZqkGXUlADqRxjYJPBi3f1jnsyVL
        yj5NLtdew+KSOFqo2efrCsbggrXr8o+CnvZTb8acqYqzWd6bz0zTXUkANgfZMAsC AwEAAaNTMFEwHQYDVR0OBBYEFBcBatnnOeDw3Ppi5bp6YgmlP0Q8MB8GA1UdIwQY
        MBaAFBcBatnnOeDw3Ppi5bp6YgmlP0Q8MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI hvcNAQELBQADggEBALVGfAP0FAhrelBtTfjhJMoxe0kY9bXIFWKsUJ0ac/alrs+K
        93FXiOAbB4yhHPjhAP0T5KiYSMotCeSV0rK9gBTxrxdtWMNc71PHzC0vZtgq9vje o0EWuroCAOjjt9WT4YrcQxR54bu7T/zk/AzUIzGsn0G2zjt9yeslu6dQpBziGgWH
        55YMAIHRDP7sE3cZcY9aoDJ31PST8zAEvZdBlqusu+WnT6/iLRiTaoVIZN01BrAt taLEJnys+EH2dQKtHuw2BZ5m4qe0svS8hlN2Ep8kGQGjA7G4VJQGBjXwhfmzT5hb
        Ip0Su0PSeApTfSZnsYEkq7fMe9d0o7lfYA4pK08= -----END CERTIFICATE-----'
    type: elasticsearch

Any additional context:

elasticmachine commented 7 months ago

Pinging @elastic/fleet (Team:Fleet)

kpollich commented 7 months ago

> The TLS config should be correctly formatted as it happens for the ES output and others

To be clear, we expect this certificate to be formatted with the >- YML block-chomping operator, as we do in other policy objects. Is that correct @AndersonQ?

AndersonQ commented 7 months ago

> > The TLS config should be correctly formatted as it happens for the ES output and others
>
> To be clear, we expect this certificate to be formatted with the >- YML block-chomping operator, as we do in other policy objects. Is that correct @AndersonQ?

@kpollich, not really. The issue here is that the certificate has 2 of its lines on the same line. It should be formatted like that:

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

Besides, I believe the agent receives it as JSON. I believe the issue comes from the type of input used on the add proxy "page". If you look at the input fields for the TLS config on the add logstash output "page", you'll see it's the big text field.

Screenshot from 2024-03-25 19-01-59

Screenshot from 2024-03-25 19-00-57

So for the proxy, the field forces the whole text to be on a single line and I believe it's losing the correct line breaks.

and it can be seen in the policy stored on .fleet-policies:

      "outputs": {
        "596add4e-78f7-45a4-9e34-50acf71d3773": {
          "type": "logstash",
          "hosts": [
            "127.0.0.1:4242"
          ],
          "ssl": {
            "certificate": """-----BEGIN CERTIFICATE-----
MIIByjCCAVCgAwIBAgICBnowCgYIKoZIzj0EAwMwKDESMBAGA1UEChMJR2FsbGlm
cmV5MRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMjQwMzI1MTc1MTM3WhcNMjQwMzI1
MjA1MTM3WjAoMRIwEAYDVQQKEwlHYWxsaWZyZXkxEjAQBgNVBAMTCWxvY2FsaG9z
dDB2MBAGByqGSM49AgEGBSuBBAAiA2IABK6Hsyp3jLAdvuoExjjyfhd969cyL2s5
KVLp33o/8RD9o/LoZbPrXNTmqrJSFu3s8y8J8TT1Gjv/hGkaBI792/086zqTWG+B
2jbPsA/XUEvic/QFyrJAxPMVZ87P7XEMQ6NNMEswDgYDVR0PAQH/BAQDAgeAMB0G
A1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAaBgNVHREEEzARgglsb2NhbGhv
c3SHBH8AAAEwCgYIKoZIzj0EAwMDaAAwZQIxANSbjKUFlN1VmlNSDolkuywi0vtO
b+eWgFVs2IaP7r1h0yrsaHMKOPJDx14b8jtBgwIwW1l77djOSoElO4Q6kUnWJzmh
oPj1DCHkkqnWIWHIy/PtNqdkMCaaVgvD4fhFEnot
-----END CERTIFICATE-----
""",
            "certificate_authorities": []
          },
          "secrets": {
            "ssl": {
              "key": {
                "id": "JVzKdo4Bp8p83IV2FruP"
              }
            }
          }
        },

[...]

      "fleet": {
        "hosts": [
          "https://d45b956c801e4d8d8ea56ff23661a9ab.fleet.us-central1.gcp.cloud.es.io:443"
        ],
        "proxy_url": "http://127.0.0.1:8888",
        "ssl": {
          "renegotiation": "never",
          "verification_mode": "",
          "certificate": "-----BEGIN CERTIFICATE----- MIIByjCCAVCgAwIBAgICBnowCgYIKoZIzj0EAwMwKDESMBAGA1UEChMJR2FsbGlm cmV5MRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMjQwMzI1MTc1MTM3WhcNMjQwMzI1 MjA1MTM3WjAoMRIwEAYDVQQKEwlHYWxsaWZyZXkxEjAQBgNVBAMTCWxvY2FsaG9z dDB2MBAGByqGSM49AgEGBSuBBAAiA2IABK6Hsyp3jLAdvuoExjjyfhd969cyL2s5 KVLp33o/8RD9o/LoZbPrXNTmqrJSFu3s8y8J8TT1Gjv/hGkaBI792/086zqTWG+B 2jbPsA/XUEvic/QFyrJAxPMVZ87P7XEMQ6NNMEswDgYDVR0PAQH/BAQDAgeAMB0G A1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAaBgNVHREEEzARgglsb2NhbGhv c3SHBH8AAAEwCgYIKoZIzj0EAwMDaAAwZQIxANSbjKUFlN1VmlNSDolkuywi0vtO b+eWgFVs2IaP7r1h0yrsaHMKOPJDx14b8jtBgwIwW1l77djOSoElO4Q6kUnWJzmh oPj1DCHkkqnWIWHIy/PtNqdkMCaaVgvD4fhFEnot -----END CERTIFICATE-----",
          "key": "-----BEGIN EC PRIVATE KEY----- MIGkAgEBBDC3lM5k4aqpSK4tn/nI0almgDDt4ifb6zrKg4/2jJWD1GHQwvVG4yhl AKp/N44rdDKgBwYFK4EEACKhZANiAASuh7Mqd4ywHb7qBMY48n4XfevXMi9rOSlS 6d96P/EQ/aPy6GWz61zU5qqyUhbt7PMvCfE09Ro7/4RpGgSO/dv9POs6k1hvgdo2 z7AP11BL4nP0BcqyQMTzFWfOz+1xDEM= -----END EC PRIVATE KEY-----"
        }
      }
    },

as well as in the yaml from View Policy on fleetUI:

id: bfda4972-84bc-40a9-a290-5aa97a5829a1
revision: 1
outputs:
  596add4e-78f7-45a4-9e34-50acf71d3773:
    type: logstash
    hosts:
      - '127.0.0.1:4242'
    ssl:
      certificate: |
        -----BEGIN CERTIFICATE-----
        MIIByjCCAVCgAwIBAgICBnowCgYIKoZIzj0EAwMwKDESMBAGA1UEChMJR2FsbGlm
        cmV5MRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMjQwMzI1MTc1MTM3WhcNMjQwMzI1
        MjA1MTM3WjAoMRIwEAYDVQQKEwlHYWxsaWZyZXkxEjAQBgNVBAMTCWxvY2FsaG9z
        dDB2MBAGByqGSM49AgEGBSuBBAAiA2IABK6Hsyp3jLAdvuoExjjyfhd969cyL2s5
        KVLp33o/8RD9o/LoZbPrXNTmqrJSFu3s8y8J8TT1Gjv/hGkaBI792/086zqTWG+B
        2jbPsA/XUEvic/QFyrJAxPMVZ87P7XEMQ6NNMEswDgYDVR0PAQH/BAQDAgeAMB0G
        A1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAaBgNVHREEEzARgglsb2NhbGhv
        c3SHBH8AAAEwCgYIKoZIzj0EAwMDaAAwZQIxANSbjKUFlN1VmlNSDolkuywi0vtO
        b+eWgFVs2IaP7r1h0yrsaHMKOPJDx14b8jtBgwIwW1l77djOSoElO4Q6kUnWJzmh
        oPj1DCHkkqnWIWHIy/PtNqdkMCaaVgvD4fhFEnot
        -----END CERTIFICATE-----
      certificate_authorities: []
    secrets:
      ssl:
        key:
          id: JVzKdo4Bp8p83IV2FruP
  default:
    type: elasticsearch
    hosts:
      - 'https://838b90d702eb4f7089f82f90be009619.us-central1.gcp.cloud.es.io:443'
    preset: balanced
fleet:
  hosts:
    - >-
      https://d45b956c801e4d8d8ea56ff23661a9ab.fleet.us-central1.gcp.cloud.es.io:443
  proxy_url: 'http://127.0.0.1:8888'
  ssl:
    renegotiation: never
    verification_mode: ''
    certificate: >-
      -----BEGIN CERTIFICATE-----
      MIIByjCCAVCgAwIBAgICBnowCgYIKoZIzj0EAwMwKDESMBAGA1UEChMJR2FsbGlm
      cmV5MRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMjQwMzI1MTc1MTM3WhcNMjQwMzI1
      MjA1MTM3WjAoMRIwEAYDVQQKEwlHYWxsaWZyZXkxEjAQBgNVBAMTCWxvY2FsaG9z
      dDB2MBAGByqGSM49AgEGBSuBBAAiA2IABK6Hsyp3jLAdvuoExjjyfhd969cyL2s5
      KVLp33o/8RD9o/LoZbPrXNTmqrJSFu3s8y8J8TT1Gjv/hGkaBI792/086zqTWG+B
      2jbPsA/XUEvic/QFyrJAxPMVZ87P7XEMQ6NNMEswDgYDVR0PAQH/BAQDAgeAMB0G
      A1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAaBgNVHREEEzARgglsb2NhbGhv
      c3SHBH8AAAEwCgYIKoZIzj0EAwMDaAAwZQIxANSbjKUFlN1VmlNSDolkuywi0vtO
      b+eWgFVs2IaP7r1h0yrsaHMKOPJDx14b8jtBgwIwW1l77djOSoElO4Q6kUnWJzmh
      oPj1DCHkkqnWIWHIy/PtNqdkMCaaVgvD4fhFEnot -----END CERTIFICATE-----
    key: >-
      -----BEGIN EC PRIVATE KEY-----
      MIGkAgEBBDC3lM5k4aqpSK4tn/nI0almgDDt4ifb6zrKg4/2jJWD1GHQwvVG4yhl
      AKp/N44rdDKgBwYFK4EEACKhZANiAASuh7Mqd4ywHb7qBMY48n4XfevXMi9rOSlS
      6d96P/EQ/aPy6GWz61zU5qqyUhbt7PMvCfE09Ro7/4RpGgSO/dv9POs6k1hvgdo2
      z7AP11BL4nP0BcqyQMTzFWfOz+1xDEM= -----END EC PRIVATE KEY-----
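
A check for the symptom reported above (PEM line breaks replaced by spaces in the stored policy), as an added example that is not part of the issue thread or of Kibana's code. The function names, the `logstash1` output id and the sample data are constructed; re-wrapping the base64 body at 64 characters follows RFC 7468.

```javascript
// Added example: names and sample data are hypothetical/constructed.
// Matches exactly one PEM block; the BEGIN and END labels must agree.
const PEM_RE = /^\s*-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----\s*$/;

// 'ok' | 'collapsed' (line breaks lost) | 'invalid' (not one base64 PEM block)
function classifyPem(value) {
  const m = PEM_RE.exec(value);
  if (!m) return 'invalid';
  const body = m[2];
  if (!/^[A-Za-z0-9+\/=\s]+$/.test(body) || !/\S/.test(body)) return 'invalid';
  // Well formed: header and footer on their own lines, no blanks in the body.
  const ok = /^\r?\n/.test(body) && /\n$/.test(body) && !/[ \t]/.test(body);
  return ok ? 'ok' : 'collapsed';
}

// Rebuild the line structure; RFC 7468 wraps base64 at 64 characters.
function repairPem(value) {
  if (classifyPem(value) === 'invalid') throw new Error('not a single PEM block');
  const [, label, body] = PEM_RE.exec(value);
  const lines = body.replace(/\s/g, '').match(/.{1,64}/g);
  return [`-----BEGIN ${label}-----`, ...lines, `-----END ${label}-----`, ''].join('\n');
}

// Walk a policy object; return the dotted paths of PEM strings that are not 'ok'.
function findBadPem(node, path = '') {
  if (typeof node === 'string') {
    return node.includes('-----BEGIN ') && classifyPem(node) !== 'ok' ? [path] : [];
  }
  if (node === null || typeof node !== 'object') return [];
  return Object.entries(node).flatMap(([k, v]) => findBadPem(v, path ? `${path}.${k}` : k));
}

// Constructed sample: 100 arbitrary bytes, not a real certificate.
const b64 = Buffer.from(Array.from({ length: 100 }, (_, i) => (i * 7) % 256)).toString('base64');
const goodPem = ['-----BEGIN CERTIFICATE-----', ...b64.match(/.{1,64}/g),
  '-----END CERTIFICATE-----', ''].join('\n');
// Assumption: a single-line field turns each newline into a space, as in the issue.
const collapsedPem = goodPem.trim().replace(/\n/g, ' ');
const samplePolicy = {
  outputs: { logstash1: { ssl: { certificate: goodPem, certificate_authorities: [] } } },
  fleet: { proxy_url: 'http://127.0.0.1:8888', ssl: { certificate: collapsedPem } },
};

console.log(findBadPem(samplePolicy));            // paths needing repair
console.log(repairPem(collapsedPem) === goodPem); // repaired text equals the original
```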