elastic / support-diagnostics

Support diagnostics utility for elasticsearch and logstash

Adding APIs for synthetics #684

Closed jguay closed 4 days ago

jguay commented 3 months ago

Adding the following API calls from 8.12.0 (we may be able to set a lower minimum version if no sensitive data is returned):

GET kbn:/internal/uptime/service/locations
GET kbn:/api/synthetics/private_locations
GET kbn:/api/uptime/settings
GET kbn:/internal/synthetics/monitor/filters

Additionally, code for this API was added, and the API is disabled on purpose pending review that the API does not include sensitive information:

GET kbn:/internal/synthetics/service/monitors?perPage=100&page=1


jguay commented 3 months ago

@lucabelluccini Can you ping the synthetics developers to check for sensitive data, in case the monitors list is (the only one) unsafe to collect, and whether they know which version is safe to collect these APIs from? Thanks

lucabelluccini commented 3 months ago

Hello @jguay thank you a lot for the contribution. As discussed with @devcorpio (sorry for the direct ping - if you want to delegate this to other members of the Synthetics team please do), we would like to confirm if the APIs we're planning to add are not dumping secrets or sensitive information. Can we have a confirmation? If there's a specific minimum version to use, please let us know.

devcorpio commented 3 months ago

Hi @jguay @lucabelluccini,

I'm trying to find the proper person(or people) who might give a thorough answer to this.

We will add our review as soon as possible

Thanks, Alberto

devcorpio commented 3 months ago

Hi again!

@awahab07 has been checking this and provided the following information (thanks Abdul!):

So the decrypted query param is on the Get One monitor endpoint /internal/synthetics/service/monitor/{monitorId} and should be set to false. This will omit sensitive/encrypted fields while returning the monitor. List of sensitive fields.

The list of non-decrypted fields are.

So generally no sensitive fields will be returned. However, there might be sensitive information contained in the non-decrypted fields, depending on how the user has configured the monitor. E.g. Playwright Options accepts a JSON but is not encrypted.

--

Hope this helps

Cheers, Alberto

lucabelluccini commented 2 months ago

Hello @jguay - I think this should be safe to merge if we tested it.

lucabelluccini commented 1 week ago

Hello @elastic/field-eng Would it be possible to review this PR and merge it? It would be useful for Synthetics.

According to engineering, those APIs will not disclose sensitive info.

pickypg commented 1 week ago

I think this should be safe to merge if we tested it.

Was it ever tested?