From 55c45343472047d5578ebff7324b9e15f6326351 Mon Sep 17 00:00:00 2001 From: Blake Rouse Date: Tue, 14 Jul 2020 13:08:32 -0400 Subject: [PATCH] [Elastic Agent] Require --insecure on enroll for connection to Kibana (#19900) * Add insecure option to enroll. * Set TLS to not verify on --insecure. * Run mage fmt * Add changelog. * Update enroll for certificate-authorities and ca-sha256. * Update changelog. * Update docstring. --- x-pack/elastic-agent/CHANGELOG.asciidoc | 3 ++ .../docs/elastic-agent-command-line.asciidoc | 30 +++++++++++++++---- .../pkg/agent/application/enroll_cmd.go | 18 ++++++++--- x-pack/elastic-agent/pkg/agent/cmd/enroll.go | 12 +++++--- x-pack/elastic-agent/pkg/kibana/config.go | 11 +++++-- 5 files changed, 58 insertions(+), 16 deletions(-) diff --git a/x-pack/elastic-agent/CHANGELOG.asciidoc b/x-pack/elastic-agent/CHANGELOG.asciidoc index b2a2cd41ee8..a5ec2d514b4 100644 --- a/x-pack/elastic-agent/CHANGELOG.asciidoc +++ b/x-pack/elastic-agent/CHANGELOG.asciidoc @@ -12,6 +12,8 @@ - Rename agent to elastic-agent {pull}17391[17391] - Change fleet.yml structure, causes upgraded agent to register as new agent {pull}19248[19248] - Remove obfuscation of fleet.yml, causes re-enroll of agent to Fleet {pull}19678[19678] +- Rename enroll --ca_sha256 to --ca-sha256 {pull}19900[19900] +- Rename enroll --certificate_authorities to --certificate-authorities {pull}19900[19900] ==== Bugfixes @@ -83,3 +85,4 @@ - Agent now load balances across multiple Kibana instances {pull}19628[19628] - Configuration cleanup {pull}19848[19848] - Agent now sends its own logs to elasticsearch {pull}19811[19811] +- Add --insecure option to enroll command {pull}19900[19900] diff --git a/x-pack/elastic-agent/docs/elastic-agent-command-line.asciidoc b/x-pack/elastic-agent/docs/elastic-agent-command-line.asciidoc index bbbd083e8cc..fab2c470216 100644 --- a/x-pack/elastic-agent/docs/elastic-agent-command-line.asciidoc +++ b/x-pack/elastic-agent/docs/elastic-agent-command-line.asciidoc 
@@ -7,16 +7,34 @@ experimental[] The `elastic-agent run` command provides flags that alter the behavior of an agent: -`-path.home`:: +`--path.home`:: The home directory of the {agent}. `path.home` determines the location of the configuration files and data directory. ++ +If not specified, {agent} uses current working directory. -`-c`:: -The configuration file to load. If not specified, {agent} uses -`{path.home}/elastic-agent.yml`. - -`-path.data`:: +`--path.data`:: The data directory used by {agent} to store downloaded artifacts. Also stores logs for any {beats} started and managed by {agent}. + If not specified, {agent} uses `{path.home}/data`. + +`-c`:: +The configuration file to load. ++ +If not specified, {agent} uses `{path.home}/elastic-agent.yml`. + +The `elastic-agent enroll` command provides flags that alter the behaviour of +the enrollment process. + +`--ca-sha256`:: +Comma separated list of certificate authorities hash pins used for certificate verifications. + +`--certificate-authorities`:: +Comma separated list of root certificate for server verifications. + +`--force`:: +Force overwrite the current and do not prompt for confirmation. + +`--insecure`:: +Allow insecure connection to Kibana. diff --git a/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go b/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go index 65ba03b679e..bdb9e2c5cb9 100644 --- a/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go +++ b/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go @@ -7,6 +7,7 @@ package application import ( "bytes" "context" + "fmt" "io" "net/http" "net/url" @@ -60,6 +61,7 @@ type EnrollCmdOption struct { URL string CAs []string CASha256 []string + Insecure bool UserProvidedMetadata map[string]interface{} EnrollAPIKey string } 
@@ -69,6 +71,9 @@ func (e *EnrollCmdOption) kibanaConfig() (*kibana.Config, error) { if err != nil { return nil, err } + if cfg.Protocol == kibana.ProtocolHTTP && !e.Insecure { + return nil, fmt.Errorf("connection to Kibana is insecure, strongly recommended to use a secure connection (override with --insecure)") + } // Add any SSL options from the CLI. if len(e.CAs) > 0 || len(e.CASha256) > 0 { @@ -77,6 +82,11 @@ func (e *EnrollCmdOption) kibanaConfig() (*kibana.Config, error) { CASha256: e.CASha256, } } + if e.Insecure { + cfg.TLS = &tlscommon.Config{ + VerificationMode: tlscommon.VerifyNone, + } + } return cfg, nil } @@ -113,16 +123,16 @@ func NewEnrollCmdWithStore( cfg, err := options.kibanaConfig() if err != nil { - return nil, errors.New(err, - "invalid Kibana configuration", + return nil, errors.New( + err, "Error", errors.TypeConfig, errors.M(errors.MetaKeyURI, options.URL)) } client, err := fleetapi.NewWithConfig(log, cfg) if err != nil { - return nil, errors.New(err, - "fail to create the API client", + return nil, errors.New( + err, "Error", errors.TypeNetwork, errors.M(errors.MetaKeyURI, options.URL)) } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go index bfa1e73cb6a..99140951497 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go 
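Review bot: In the second kibanaConfig hunk the `if e.Insecure` block assigns a fresh `tlscommon.Config` to `cfg.TLS`, so any `--certificate-authorities` or `--ca-sha256` values that the preceding block just stored are discarded and the connection falls back to `VerifyNone` even though the operator supplied explicit trust material. An operator who combines a CA or pin with `--insecure` (say, to reach a plain-HTTP test instance) should not silently lose certificate verification on HTTPS. Restricting the downgrade to the case where nothing was supplied keeps the explicit configuration effective: `if e.Insecure && len(e.CAs) == 0 && len(e.CASha256) == 0 {`. A one-line comment above that block stating that `--insecure` both bypasses the plain-HTTP check and disables TLS server verification would also help readers, since the flag's help text only says "Allow insecure connection to Kibana". The start of kibanaConfig, where cfg is built from the URL, lies outside these hunks.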
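Review bot: The two errors.New calls in the NewEnrollCmdWithStore hunk replace the messages `"invalid Kibana configuration"` and `"fail to create the API client"` with the literal `"Error"`, so the wrapped error's own text becomes the only description of which step failed. If the intent is to surface the new insecure-connection message more prominently, a message that still names the step preserves diagnosability without hiding the cause, e.g. keep `err, "invalid Kibana configuration",` in the first call and `err, "fail to create the API client",` in the second. This is the same point for both calls in the hunk.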
@@ -38,9 +38,10 @@ func newEnrollCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStr }, } - cmd.Flags().StringP("certificate_authorities", "a", "", "Comma separated list of root certificate for server verifications") - cmd.Flags().StringP("ca_sha256", "p", "", "Comma separated list of certificate authorities hash pins used for certificate verifications") + cmd.Flags().StringP("certificate-authorities", "a", "", "Comma separated list of root certificate for server verifications") + cmd.Flags().StringP("ca-sha256", "p", "", "Comma separated list of certificate authorities hash pins used for certificate verifications") cmd.Flags().BoolP("force", "f", false, "Force overwrite the current and do not prompt for confirmation") + cmd.Flags().BoolP("insecure", "i", false, "Allow insecure connection to Kibana") return cmd } @@ -76,6 +77,8 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args } } + insecure, _ := cmd.Flags().GetBool("insecure") + logger, err := logger.NewFromConfig("", cfg.Settings.LoggingConfig) if err != nil { return err @@ -84,10 +87,10 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args url := args[0] enrollmentToken := args[1] - caStr, _ := cmd.Flags().GetString("certificate_authorities") + caStr, _ := cmd.Flags().GetString("certificate-authorities") CAs := cli.StringToSlice(caStr) - caSHA256str, _ := cmd.Flags().GetString("ca_sha256") + caSHA256str, _ := cmd.Flags().GetString("ca-sha256") caSHA256 := cli.StringToSlice(caSHA256str) delay(defaultDelay) @@ -98,6 +101,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args URL: url, CAs: CAs, CASha256: caSHA256, + Insecure: insecure, UserProvidedMetadata: make(map[string]interface{}), } diff --git a/x-pack/elastic-agent/pkg/kibana/config.go b/x-pack/elastic-agent/pkg/kibana/config.go index 671674bf7b6..806c3c9fb2a 100644 --- a/x-pack/elastic-agent/pkg/kibana/config.go 
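Review bot: The help text for the new flag, `Allow insecure connection to Kibana`, understates its effect: in enroll_cmd.go the option both bypasses the plain-HTTP check and sets the TLS verification mode to VerifyNone, so it also turns off server certificate verification for HTTPS. Operators reading `--help` should see that, e.g. `cmd.Flags().BoolP("insecure", "i", false, "Allow insecure connection to Kibana (plain HTTP, or HTTPS without server certificate verification)")`. The added `insecure, _ := cmd.Flags().GetBool("insecure")` discards the lookup error in the same way as the surrounding GetString calls, which is consistent, though a short comment noting that the only expected failure is a mismatched flag name or type would justify the blank identifier. The enroll function continues outside these hunks.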
+++ b/x-pack/elastic-agent/pkg/kibana/config.go @@ -27,9 +27,16 @@ type Config struct { // Protocol define the protocol to use to make the connection. (Either HTTPS or HTTP) type Protocol string +const ( + // ProtocolHTTP is HTTP protocol connection to Kibana. + ProtocolHTTP Protocol = "http" + // ProtocolHTTPS is HTTPS protocol connection to Kibana. + ProtocolHTTPS Protocol = "https" +) + // Unpack the protocol. func (p *Protocol) Unpack(from string) error { - if from != "https" && from != "http" { + if Protocol(from) != ProtocolHTTPS && Protocol(from) != ProtocolHTTP { return fmt.Errorf("invalid protocol %s, accepted values are 'http' and 'https'", from) } @@ -40,7 +47,7 @@ func (p *Protocol) Unpack(from string) error { // DefaultClientConfig creates default configuration for kibana client. func DefaultClientConfig() *Config { return &Config{ - Protocol: Protocol("http"), + Protocol: ProtocolHTTP, Host: "localhost:5601", Path: "", SpaceID: "",
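Review bot: DefaultClientConfig still defaults to `ProtocolHTTP`, so a Kibana configuration that never sets the protocol is exactly the case the enroll command now rejects unless `--insecure` is given (the check in enroll_cmd.go compares against `kibana.ProtocolHTTP`); how the enroll path derives its config from the URL is outside this diff, so this may only matter for other callers of DefaultClientConfig. A comment on the default would make the choice explicit, e.g. `// Protocol defaults to plain HTTP; callers that need TLS must set ProtocolHTTPS explicitly.` In Unpack, `%s` on the rejected value could be `%q` so an empty or whitespace-only value is visible in the message. The remainder of Unpack's body is outside the hunk.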