[alerting] Adds Action Type configuration support and whitelisting

x-pack/legacy/plugins/actions/README.md

@@ -23,6 +23,29 @@ action types.
 2. Create an action by using the RESTful API (see actions -> create action).
 3. Use alerts to execute actions or execute manually (see firing actions).
 
+## Kibana Actions Configuration
+Implemented under the [Actions Config](./server/actions_config.ts).
+
+### Configuration Options
+
+Built-In-Actions are configured using the _xpack.actions_ namespoace under _kibana.yml_, and have the following configuration options:
+
+| Namespaced Key                       | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Type                  |
+| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
+| _xpack.actions._**enabled**          | Feature toggle which enabled Actions in Kibana. Currently defaulted to false while Actions are experimental.                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | boolean               |
+| _xpack.actions._**WhitelistedHosts** | Which _hostnames_ are whitelisted for the Built-In-Action? This list should contain hostnames of every external service you wish to interact with using Webhooks, Email or any other built in Action. Note that you may use the string "\*" in place of a specific hostname to enable Kibana to target any URL, but keep in mind the potential use of such a feature to execute [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery) attacks from your server. | Array<String> |
+
+### Configuration Utilities
+
+This module provides a Utilities for interacting with the configuration.
+
+| Method                | Arguments                                          | Description                                                                                                                                                                                                                                                            | Return Type                                                                                                                                                                                                                   |
+| --------------------- | -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| isWhitelistedUri | _uri_: The URI you wish to validate is whitelisted | Validates whether the URI is whitelisted. This checks the configuration and validates that the hostname of the URI is in the list of whitelisted Hosts and returns `true` if it is whitelisted. If the configuration says that all URI's are whitelisted (using an "\*") then it will always return `true`. | Boolean |
+| isWhitelistedHostname | _hostname_: The Hostname you wish to validate is whitelisted | Validates whether the Hostname is whitelisted. This checks the configuration and validates that the hostname is in the list of whitelisted Hosts and returns `true` if it is whitelisted. If the configuration says that all Hostnames are whitelisted (using an "\*") then it will always return `true`. | Boolean |
+| ensureWhitelistedUri | _uri_: The URI you wish to validate is whitelisted | Validates whether the URI is whitelisted. This checks the configuration and validates that the hostname of the URI is in the list of whitelisted Hosts and throws an error if it is not whitelisted. If the configuration says that all URI's are whitelisted (using an "\*") then it will never throw. | No return value, throws if URI isn't whitelisted |
+| ensureWhitelistedHostname | _hostname_: The Hostname you wish to validate is whitelisted | Validates whether the Hostname is whitelisted. This checks the configuration and validates that the hostname is in the list of whitelisted Hosts and throws an error if it is not whitelisted. If the configuration says that all Hostnames are whitelisted (using an "\*") then it will never throw | No return value, throws if Hostname isn't whitelisted |
+
 ## Action types
 
 ### Methods

x-pack/legacy/plugins/actions/index.ts

@@ -27,6 +27,13 @@ export function actions(kibana: any) {
       return Joi.object()
         .keys({
           enabled: Joi.boolean().default(false),
+          whitelistedHosts: Joi.alternatives()
+            .try(
+              Joi.array()
+                .items(Joi.string().hostname())
+                .sparse(false)
+            )
+            .default([]),
         })
         .default();
     },

x-pack/legacy/plugins/actions/server/actions_config.test.ts

@@ -0,0 +1,141 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import {
+  ActionsKibanaConfig,
+  getActionsConfigurationUtilities,
+  WhitelistedHosts,
+} from './actions_config';
+
+describe('ensureWhitelistedUri', () => {
+  test('returns true when "any" hostnames are allowed', () => {
+    const config: ActionsKibanaConfig = {
+      enabled: false,
+      whitelistedHosts: [WhitelistedHosts.Any],
+    };
+    expect(
+      getActionsConfigurationUtilities(config).ensureWhitelistedUri(
+        'https://github.com/elastic/kibana'
+      )
+    ).toBeUndefined();
+  });
+
+  test('throws when the hostname in the requested uri is not in the whitelist', () => {
+    const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: [] };
+    expect(() =>
+      getActionsConfigurationUtilities(config).ensureWhitelistedUri(
+        'https://github.com/elastic/kibana'
+      )
+    ).toThrowErrorMatchingInlineSnapshot(
+      `"target url \\"https://github.com/elastic/kibana\\" is not in the Kibana whitelist"`
+    );
+  });
+
+  test('throws when the uri cannot be parsed as a valid URI', () => {
+    const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: [] };
+    expect(() =>
+      getActionsConfigurationUtilities(config).ensureWhitelistedUri('github.com/elastic')
+    ).toThrowErrorMatchingInlineSnapshot(
+      `"target url \\"github.com/elastic\\" is not in the Kibana whitelist"`
+    );
+  });
+
+  test('returns true when the hostname in the requested uri is in the whitelist', () => {
+    const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: ['github.com'] };
+    expect(
+      getActionsConfigurationUtilities(config).ensureWhitelistedUri(
+        'https://github.com/elastic/kibana'
+      )
+    ).toBeUndefined();
+  });
+});
+
+describe('ensureWhitelistedHostname', () => {
+  test('returns true when "any" hostnames are allowed', () => {
+    const config: ActionsKibanaConfig = {
+      enabled: false,
+      whitelistedHosts: [WhitelistedHosts.Any],
+    };
+    expect(
+      getActionsConfigurationUtilities(config).ensureWhitelistedHostname('github.com')
+    ).toBeUndefined();
+  });
+
+  test('throws when the hostname in the requested uri is not in the whitelist', () => {
+    const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: [] };
+    expect(() =>
+      getActionsConfigurationUtilities(config).ensureWhitelistedHostname('github.com')
+    ).toThrowErrorMatchingInlineSnapshot(
+      `"target hostname \\"github.com\\" is not in the Kibana whitelist"`
+    );
+  });
+
+  test('returns true when the hostname in the requested uri is in the whitelist', () => {
+    const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: ['github.com'] };
+    expect(
+      getActionsConfigurationUtilities(config).ensureWhitelistedHostname('github.com')
+    ).toBeUndefined();
+  });
+});
+
+describe('isWhitelistedUri', () => {
+  test('returns true when "any" hostnames are allowed', () => {
+    const config: ActionsKibanaConfig = {
+      enabled: false,
+      whitelistedHosts: [WhitelistedHosts.Any],
+    };
+    expect(
+      getActionsConfigurationUtilities(config).isWhitelistedUri('https://github.com/elastic/kibana')
+    ).toEqual(true);
+  });
+
+  test('throws when the hostname in the requested uri is not in the whitelist', () => {
+    const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: [] };
+    expect(
+      getActionsConfigurationUtilities(config).isWhitelistedUri('https://github.com/elastic/kibana')
+    ).toEqual(false);
+  });
+
+  test('throws when the uri cannot be parsed as a valid URI', () => {
+    const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: [] };
+    expect(getActionsConfigurationUtilities(config).isWhitelistedUri('github.com/elastic')).toEqual(
+      false
+    );
+  });
+
+  test('returns true when the hostname in the requested uri is in the whitelist', () => {
+    const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: ['github.com'] };
+    expect(
+      getActionsConfigurationUtilities(config).isWhitelistedUri('https://github.com/elastic/kibana')
+    ).toEqual(true);
+  });
+});
+
+describe('isWhitelistedHostname', () => {
+  test('returns true when "any" hostnames are allowed', () => {
+    const config: ActionsKibanaConfig = {
+      enabled: false,
+      whitelistedHosts: [WhitelistedHosts.Any],
+    };
+    expect(getActionsConfigurationUtilities(config).isWhitelistedHostname('github.com')).toEqual(
+      true
+    );
+  });
+
+  test('throws when the hostname in the requested uri is not in the whitelist', () => {
+    const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: [] };
+    expect(getActionsConfigurationUtilities(config).isWhitelistedHostname('github.com')).toEqual(
+      false
+    );
+  });
+
+  test('returns true when the hostname in the requested uri is in the whitelist', () => {
+    const config: ActionsKibanaConfig = { enabled: false, whitelistedHosts: ['github.com'] };
+    expect(getActionsConfigurationUtilities(config).isWhitelistedHostname('github.com')).toEqual(
+      true
+    );
+  });
+});

x-pack/legacy/plugins/actions/server/actions_config.ts

@@ -0,0 +1,85 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { i18n } from '@kbn/i18n';
+import { tryCatch, fromNullable } from 'fp-ts/lib/Option';
+import { URL } from 'url';
+import { curry } from 'lodash';
+
+export enum WhitelistedHosts {
+  Any = '*',
+}
+
+enum WhitelistingField {
+  url = 'url',
+  hostname = 'hostname',
+}
+
+export interface ActionsKibanaConfig {
+  enabled: boolean;
+  whitelistedHosts: string[];
+}
+
+export interface ActionsConfigurationUtilities {
+  isWhitelistedHostname: (hostname: string) => boolean;
+  isWhitelistedUri: (uri: string) => boolean;
+  ensureWhitelistedHostname: (hostname: string) => void;
+  ensureWhitelistedUri: (uri: string) => void;
+}
+
+function whitelistingErrorMessage(field: WhitelistingField, value: string) {
+  return i18n.translate('xpack.actions.urlWhitelistConfigurationError', {
+    defaultMessage: 'target {field} "{value}" is not in the Kibana whitelist',
+    values: {
+      value,
+      field,
+    },
+  });
+}
+
+function doesValueWhitelistAnyHostname(whitelistedHostname: string): boolean {
+  return whitelistedHostname === WhitelistedHosts.Any;
+}
+
+function isWhitelisted({ whitelistedHosts }: ActionsKibanaConfig, hostname: string): boolean {
+  return (
+    Array.isArray(whitelistedHosts) &&
+    fromNullable(
+      whitelistedHosts.find(
+        whitelistedHostname =>
+          doesValueWhitelistAnyHostname(whitelistedHostname) || whitelistedHostname === hostname
+      )
+    ).isSome()
+  );
+}
+
+function isWhitelistedHostnameInUri(config: ActionsKibanaConfig, uri: string): boolean {
+  return tryCatch(() => new URL(uri))
+    .map(url => url.hostname)
+    .mapNullable(hostname => isWhitelisted(config, hostname))
+    .getOrElse(false);
+}
+
+export function getActionsConfigurationUtilities(
+  config: ActionsKibanaConfig
+): ActionsConfigurationUtilities {
+  const isWhitelistedHostname = curry(isWhitelisted)(config);
+  const isWhitelistedUri = curry(isWhitelistedHostnameInUri)(config);
+  return {
+    isWhitelistedHostname,
+    isWhitelistedUri,
+    ensureWhitelistedUri(uri: string) {
+      if (!isWhitelistedUri(uri)) {
+        throw new Error(whitelistingErrorMessage(WhitelistingField.url, uri));
+      }
+    },
+    ensureWhitelistedHostname(hostname: string) {
+      if (!isWhitelistedHostname(hostname)) {
+        throw new Error(whitelistingErrorMessage(WhitelistingField.hostname, hostname));
+      }
+    },
+  };
+}

x-pack/legacy/plugins/actions/server/builtin_action_types/email.test.ts

@@ -9,6 +9,7 @@ jest.mock('./lib/send_email', () => ({
 }));
 
 import { ActionType, ActionTypeExecutorOptions } from '../types';
+import { ActionsConfigurationUtilities } from '../actions_config';
 import { ActionTypeRegistry } from '../action_type_registry';
 import { encryptedSavedObjectsMock } from '../../../encrypted_saved_objects/server/plugin.mock';
 import { taskManagerMock } from '../../../task_manager/task_manager.mock';
@@ -22,6 +23,12 @@ const sendEmailMock = sendEmail as jest.Mock;
 
 const ACTION_TYPE_ID = '.email';
 const NO_OP_FN = () => {};
+const MOCK_KIBANA_CONFIG_UTILS: ActionsConfigurationUtilities = {
+  isWhitelistedHostname: _ => true,
+  isWhitelistedUri: _ => true,
+  ensureWhitelistedHostname: _ => {},
+  ensureWhitelistedUri: _ => {},
+};
 
 const services = {
   log: NO_OP_FN,
@@ -48,7 +55,7 @@ beforeAll(() => {
     getBasePath: jest.fn().mockReturnValue(undefined),
   });
 
-  registerBuiltInActionTypes(actionTypeRegistry);
+  registerBuiltInActionTypes(actionTypeRegistry, MOCK_KIBANA_CONFIG_UTILS);
 
   actionType = actionTypeRegistry.get(ACTION_TYPE_ID);
 });

x-pack/legacy/plugins/actions/server/builtin_action_types/email.ts

@@ -97,17 +97,18 @@ function validateParams(paramsObject: any): string | void {
 }
 
 // action type definition
-
-export const actionType: ActionType = {
-  id: '.email',
-  name: 'email',
-  validate: {
-    config: ConfigSchema,
-    secrets: SecretsSchema,
-    params: ParamsSchema,
-  },
-  executor,
-};
+export function getActionType(): ActionType {
+  return {
+    id: '.email',
+    name: 'email',
+    validate: {
+      config: ConfigSchema,
+      secrets: SecretsSchema,
+      params: ParamsSchema,
+    },
+    executor,
+  };
+}
 
 // action executor
 

x-pack/legacy/plugins/actions/server/builtin_action_types/es_index.test.ts

@@ -9,6 +9,7 @@ jest.mock('./lib/send_email', () => ({
 }));
 
 import { ActionType, ActionTypeExecutorOptions } from '../types';
+import { ActionsConfigurationUtilities } from '../actions_config';
 import { ActionTypeRegistry } from '../action_type_registry';
 import { encryptedSavedObjectsMock } from '../../../encrypted_saved_objects/server/plugin.mock';
 import { taskManagerMock } from '../../../task_manager/task_manager.mock';
@@ -19,6 +20,12 @@ import { ActionParamsType, ActionTypeConfigType } from './es_index';
 
 const ACTION_TYPE_ID = '.index';
 const NO_OP_FN = () => {};
+const MOCK_KIBANA_CONFIG_UTILS: ActionsConfigurationUtilities = {
+  isWhitelistedHostname: _ => true,
+  isWhitelistedUri: _ => true,
+  ensureWhitelistedHostname: _ => {},
+  ensureWhitelistedUri: _ => {},
+};
 
 const services = {
   log: NO_OP_FN,
@@ -45,7 +52,7 @@ beforeAll(() => {
     getBasePath: jest.fn().mockReturnValue(undefined),
   });
 
-  registerBuiltInActionTypes(actionTypeRegistry);
+  registerBuiltInActionTypes(actionTypeRegistry, MOCK_KIBANA_CONFIG_UTILS);
 
   actionType = actionTypeRegistry.get(ACTION_TYPE_ID);
 });

x-pack/legacy/plugins/actions/server/builtin_action_types/es_index.ts

@@ -33,16 +33,17 @@ const ParamsSchema = schema.object({
 });
 
 // action type definition
-
-export const actionType: ActionType = {
-  id: '.index',
-  name: 'index',
-  validate: {
-    config: ConfigSchema,
-    params: ParamsSchema,
-  },
-  executor,
-};
+export function getActionType(): ActionType {
+  return {
+    id: '.index',
+    name: 'index',
+    validate: {
+      config: ConfigSchema,
+      params: ParamsSchema,
+    },
+    executor,
+  };
+}
 
 // action executor