

Remove the special pins type for ca_sha256 (#16615)
We have changed the type from a special custom type to a slice of
string. This reduces the number of exposed types and makes it easier in
general to work with in the tests.
ph authored Feb 27, 2020
1 parent dd41381 commit 8dfaebd
Showing 4 changed files with 19 additions and 15 deletions.
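--- a/CHANGELOG-developer.asciidoc
+++ b/CHANGELOG-developer.asciidoc
@@ -12,6 +12,12 @@ other Beats should be migrated.
 
 Note: This changelog was only started after the 6.3 release.
 
+=== Beats version 8.0.0
+https://github.com/elastic/beats/compare/v7.x..master[Check the HEAD diff]
+
+==== Breaking changes
+- Replace custom Pins type for a slice of string for defining the `ca_sha256` values.
+
 === Beats version 7.5.1
 https://github.com/elastic/beats/compare/v7.5.0..v7.5.1[Check the HEAD diff]
 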
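--- a/libbeat/common/transport/tlscommon/ca_pinning.go
+++ b/libbeat/common/transport/tlscommon/ca_pinning.go
@@ -28,17 +28,6 @@ import (
 // ErrCAPinMissmatch is returned when no pin is matched in the verified chain.
 var ErrCAPinMissmatch = errors.New("provided CA certificate pins doesn't match any of the certificate authorities used to validate the certificate")
 
-type pins []string
-
-func (p pins) Matches(candidate string) bool {
-for _, pin := range p {
-if pin == candidate {
-return true
-}
-}
-return false
-}
-
 // verifyPeerCertFunc is a callback defined on the tls.Config struct that will called when a
 // TLS connection is used.
 type verifyPeerCertFunc func([][]byte, [][]*x509.Certificate) error
@@ -48,15 +37,15 @@ type verifyPeerCertFunc func([][]byte, [][]*x509.Certificate) error
 // NOTE: Defining a PIN to check certificates is not a replacement for the normal TLS validations it's
 // an additional validation. In fact if you set `InsecureSkipVerify` to true and a PIN, the
 // verifiedChains variable will be empty and the added validation will fail.
-func MakeCAPinCallback(hashes pins) func([][]byte, [][]*x509.Certificate) error {
+func MakeCAPinCallback(hashes []string) func([][]byte, [][]*x509.Certificate) error {
 return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
 // The chain of trust has been already established before the call to the VerifyPeerCertificate
 // function, after we go through the chain to make sure we have at least a certificate certificate
 // that match the provided pin.
 for _, chain := range verifiedChains {
 for _, certificate := range chain {
 h := Fingerprint(certificate)
-if hashes.Matches(h) {
+if matches(hashes, h) {
 return nil
 }
 }
@@ -71,3 +60,12 @@ func Fingerprint(certificate *x509.Certificate) string {
 hash := sha256.Sum256(certificate.RawSubjectPublicKeyInfo)
 return base64.StdEncoding.EncodeToString(hash[:])
 }
+
+func matches(pins []string, candidate string) bool {
+for _, pin := range pins {
+if pin == candidate {
+return true
+}
+}
+return false
+}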
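Review bot: The new `matches` helper at the end of the file has no doc comment, and its exact string comparison is the entire pin-validation contract, so it should say so: `// matches reports whether candidate, a base64 (StdEncoding) SHA-256 of a certificate's SPKI as produced by Fingerprint, is byte-for-byte equal to one of the configured pins; no trimming, case folding or re-encoding is applied.` Because of that exactness, a pin with stray whitespace, given as hex instead of base64, or with a mangled padding character will never match, so a misconfigured `ca_sha256` entry fails closed on every handshake with the generic ErrCAPinMissmatch rather than being caught at startup; if the config loading path does not already validate entries, it is worth rejecting values that do not decode to 32 bytes when the config is read. The `matches` call site inside the `MakeCAPinCallback` closure is shown, but that closure's outer-loop close and its final error return lie below the second hunk, outside this view.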
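--- a/libbeat/common/transport/tlscommon/config.go
+++ b/libbeat/common/transport/tlscommon/config.go
@@ -33,7 +33,7 @@ type Config struct {
 Certificate CertificateConfig `config:",inline" yaml:",inline"`
 CurveTypes []tlsCurveType `config:"curve_types" yaml:"curve_types,omitempty"`
 Renegotiation tlsRenegotiationSupport `config:"renegotiation" yaml:"renegotiation"`
-CASha256 pins `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
+CASha256 []string `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
 }
 
 // LoadTLSConfig will load a certificate from config with all TLS based keys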
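Review bot: With `CASha256` now a plain `[]string` there is no longer a dedicated type on which a config-time `Validate` or `Unpack` hook could be attached, so a malformed `ca_sha256` entry can only surface later as a pin mismatch during the TLS handshake instead of as a load-time error. Consider checking each entry where this `Config` is loaded, e.g. `if b, err := base64.StdEncoding.DecodeString(pin); err != nil || len(b) != sha256.Size { return fmt.Errorf("invalid ca_sha256 pin %q", pin) }`, unless an equivalent check already exists in the loading path, which this hunk does not show. The `Config` struct begins above this hunk, outside the visible lines.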
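--- a/libbeat/common/transport/tlscommon/tls_config.go
+++ b/libbeat/common/transport/tlscommon/tls_config.go
@@ -67,7 +67,7 @@ type TLSConfig struct {
 
 // CASha256 is the CA certificate pin, this is used to validate the CA that will be used to trust
 // the server certificate.
-CASha256 pins
+CASha256 []string
 }
 
 // ToConfig generates a tls.Config object. Note, you must use BuildModuleConfig to generate a config with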
