[Response Ops][Connectors] New xpack.actions.webhook.ssl.pfx.enabled config

[jcger]

Summary

Closes #220416

Release note

New xpack.actions.webhook.ssl.pfx.enabled Kibana setting to disable Webhook connector PFX file support for SSL client authentication

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)

[kibanamachine]

Flaky Test Runner Stats

🎉 All tests passed! - kibana-flaky-test-suite-runner#8359

[✅] x-pack/test/functional_with_es_ssl/apps/triggers_actions_ui/connectors/webhook_disabled_ssl_pfx/config.ts: 100/100 tests passed.
[✅] x-pack/test/functional_with_es_ssl/apps/triggers_actions_ui/config.ts: 100/100 tests passed.

see run history

[azasypkin]

Changes in src/platform/test/plugin_functional/test_suites/core_plugins/rendering.ts LGTM.

That being said, maybe it's just me, but xpack.actions.webhook.ssl.pfx for a boolean config looks a bit confusing compared to something with an xxxEnabled or xxxSupported postfix, but I'll defer to the code owners 🙂

[adcoelho]

In the UI, the change was done in public/common/auth/ssl_cert_fields.tsx. That component is shared by all connectors that allow SSL authentication, so whenever the configuration option is set, it will not be visible. Not only for the webhook connector.

By chance, for now, the only connectors that allow SSL/PFX are the webhook connectors(cases webhook too).

On the other hand, in the backend, we validate specifically in server/connector_types/webhook/index.ts. If a connector is added or updated to allow SSL authentication, we will have to remember to copy this validation block there.

So, although the config option is webhook.ssl.pfx, in the FE we hide it everywhere, and in the BE we throw only for webhooks.

Even if the original ticket only mentions the webhook connector, wouldn't it make more sense to disallow PFX completely if the option is set?

We could move this validation somewhere else (maybe to action_executor.ts?), rename the configuration option to something like xpack.actions.ssl.pfx, and be done with it.

[jcger]

Thanks! To make it affect just the webhook connector I'm adding a prop isPfxEnabled to the AuthConfig component (this is shared by the cases-webhook and the webhook connectors). By default it's set to true and for the webhook connector it's gonna be set to the value of xpack.actions.webhook.ssl.pfx.

Asking if it also should affect cases-webhook. If it does, it's just activating that new prop

Edit: Got the answer, we won't add it to cases-webhook

[jcger]

Changes in src/platform/test/plugin_functional/test_suites/core_plugins/rendering.ts LGTM.

That being said, maybe it's just me, but xpack.actions.webhook.ssl.pfx for a boolean config looks a bit confusing compared to something with an xxxEnabled or xxxSupported postfix, but I'll defer to the code owners 🙂

Thanks for the suggestion! We'll rename it to xpack.actions.webhook.ssl.pfx.enabled

[adcoelho]

Yup, this is better now 🙌

[nastasha-solomon]

Just a couple minor fixes. Thanks for writing this!

[kibanamachine]

Starting backport for target branches: 8.19

https://github.com/elastic/kibana/actions/runs/15700987277

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: a88508e

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
actions	334	335	+1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
stackConnectors	624.5KB	624.9KB	+359.0B
triggersActionsUi	1.5MB	1.5MB	+58.0B
total			+417.0B

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
actions	16.7KB	16.9KB	+229.0B

Unknown metric groups

API count

id	before	after	diff
actions	340	341	+1

History

• 💚 Build #308292 succeeded aa039cb
• 💔 Build #308208 failed 758fd3e
• 💔 Build #307970 failed 2694031
• 💚 Build #307063 succeeded 30c49aa
• 💔 Build #306934 failed ac2029d
• 💔 Build #306622 failed d981181

[kibanamachine]

💔 All backports failed

Status	Branch	Result
❌	8.19	Backport failed because of merge conflicts You might need to backport the following PRs to 8.19: - Fix that gap can be stuck "in-progress" (#221473) - [Response Ops][Alerting] Cannot read properties of undefined (reading 'getActiveCount') (#221799) - [Unzyme] rewrite a few enzyme tests to rtl (#223410) - [Discover] Fix isLogsDataSourceContext check for logs data source sub profiles (#223988) - [Maps] [A11y] make the Add layer wizard unordered list (#223532) - [Automatic Migration] Adds ability to change settings when re-processing Rule Migration (#222542) - [APM] Unified (APM/OTel) Trace waterfall (#222569) - 🌊 Streams: Prevent concurrent access (#222961) - [Discover] SCSS to Emotions migration part 3/4 (#222947) - chore(NA): bump sass-embedded version to v1.79.6 (#223995)

Manual backport

To create the backport manually run:

node scripts/backport --pr 222507

Questions ?

Please refer to the Backport tool documentation

[jcger]

💚 All backports created successfully

Status	Branch	Result
✅	8.19

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation