Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[cli] Add bin/kibana-encryption-keys #82838

Merged
merged 39 commits into from
Nov 19, 2020
Merged
Show file tree
Hide file tree
Changes from 31 commits
Commits
Show all changes
39 commits
Select commit Hold shift + click to select a range
1bef148
[cli] Add bin/kibana-encryption-key
jbudz Nov 6, 2020
46da571
s/please set/Please set
jbudz Nov 6, 2020
8721aee
fix lint errors
jbudz Nov 6, 2020
d4e5adc
update snapshot text for setting encryption key
jbudz Nov 6, 2020
f8e586d
fix new Command('kibana-keystore') -> new Command('kibana-encryption-…
jbudz Nov 9, 2020
68995fd
fix typo encyption -> encryption
jbudz Nov 9, 2020
6cb82ec
use spyOn instead of jest.fn() to avoid namespace lint errors
jbudz Nov 9, 2020
8e2a5af
use spyOn instead of jest.fn() to avoid namespace lint errors part 2
jbudz Nov 9, 2020
2ce58b4
fix typo encyption -> encryption
jbudz Nov 9, 2020
6ba0a99
cleanup encryption_config constructor, use native private fields
jbudz Nov 9, 2020
6b8e023
capitalize --help description to be consistent with other descriptions
jbudz Nov 9, 2020
569a8c0
replace lodash find when looking up commands
jbudz Nov 9, 2020
b15fdd1
update class variables to use private notation
jbudz Nov 9, 2020
b59b161
update generate tests to close confirm prompt
jbudz Nov 9, 2020
58bdef8
mock fs.readFileSync and crypto.randomBytes
jbudz Nov 10, 2020
77b60eb
only prompt to write if keys are generated
jbudz Nov 10, 2020
84dfc02
Merge branch 'master' into cli/kibana-encryption-key
jbudz Nov 10, 2020
6240c79
wip interactive mode
jbudz Nov 10, 2020
0b56209
wip interactive mode v2
jbudz Nov 12, 2020
434f262
update tests
jbudz Nov 12, 2020
18041d2
add interactive tests
jbudz Nov 15, 2020
71ddf80
remove excluse test
jbudz Nov 16, 2020
3874705
Merge branch 'master' into cli/kibana-encryption-key
jbudz Nov 16, 2020
9251ec6
add documentation links
jbudz Nov 16, 2020
6f9848a
fix reporting link
jbudz Nov 16, 2020
f3e0f4c
Merge branch 'master' into cli/kibana-encryption-key
jbudz Nov 17, 2020
8d7dad6
update log message grammar
jbudz Nov 17, 2020
1a2ceab
Update src/cli_encryption_key/generate.js
jbudz Nov 17, 2020
ab20f05
use \n to help wrapping readability
jbudz Nov 17, 2020
d3b5240
rename kibana-encryption-key to kibana-encryption-keys
jbudz Nov 17, 2020
f6bc8bb
update jest reference
jbudz Nov 17, 2020
bfd70c0
Merge branch 'master' into cli/kibana-encryption-key
jbudz Nov 18, 2020
7b1ed92
chmod +x
jbudz Nov 18, 2020
01e6638
include docs in kibana.sample.yml
jbudz Nov 18, 2020
ab263e0
for let i -> for of
jbudz Nov 18, 2020
f18d96d
fix wording on remaining logs
jbudz Nov 18, 2020
7b26683
match writing kibana.sample.yml output to a snapshot
jbudz Nov 18, 2020
0566134
Merge branch 'cli/kibana-encryption-key' of github.com:jbudz/kibana i…
jbudz Nov 18, 2020
4084722
Merge branch 'master' into cli/kibana-encryption-key
jbudz Nov 18, 2020
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions scripts/kibana_encryption_keys.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
/*
* Licensed to Elasticsearch B.V. under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch B.V. licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

require('../src/cli_encryption_keys/dev');
56 changes: 56 additions & 0 deletions src/cli_encryption_keys/cli_encryption_keys.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
/*
* Licensed to Elasticsearch B.V. under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch B.V. licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

import { pkg } from '../core/server/utils';
import Command from '../cli/command';
import { EncryptionConfig } from './encryption_config';

import { generateCli } from './generate';

const argv = process.env.kbnWorkerArgv
? JSON.parse(process.env.kbnWorkerArgv)
: process.argv.slice();
const program = new Command('bin/kibana-encryption-keys');

program.version(pkg.version).description('A tool for managing encryption keys');

const encryptionConfig = new EncryptionConfig();

generateCli(program, encryptionConfig);

program
.command('help <command>')
.description('Get the help for a specific command')
.action(function (cmdName) {
const cmd = Object.values(program.commands).find((command) => command._name === cmdName);
if (!cmd) return program.error(`unknown command ${cmdName}`);
cmd.help();
});

program.command('*', null, { noHelp: true }).action(function (cmd) {
program.error(`unknown command ${cmd}`);
});

// check for no command name
const subCommand = argv[2] && !String(argv[2][0]).match(/^-|^\.|\//);
if (!subCommand) {
program.defaultHelp();
}

program.parse(process.argv);
21 changes: 21 additions & 0 deletions src/cli_encryption_keys/dev.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
/*
* Licensed to Elasticsearch B.V. under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch B.V. licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

require('../setup_node_env');
require('./cli_encryption_keys');
21 changes: 21 additions & 0 deletions src/cli_encryption_keys/dist.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
/*
* Licensed to Elasticsearch B.V. under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch B.V. licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

require('../setup_node_env/dist');
require('./cli_encryption_keys');
85 changes: 85 additions & 0 deletions src/cli_encryption_keys/encryption_config.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
/*
* Licensed to Elasticsearch B.V. under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch B.V. licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

import crypto from 'crypto';
import { join } from 'path';
import { get } from 'lodash';
import { readFileSync } from 'fs';
import { safeLoad } from 'js-yaml';

import { getConfigDirectory } from '@kbn/utils';

export class EncryptionConfig {
#config = safeLoad(readFileSync(join(getConfigDirectory(), 'kibana.yml')));
#encryptionKeyPaths = [
'xpack.encryptedSavedObjects.encryptionKey',
'xpack.reporting.encryptionKey',
'xpack.security.encryptionKey',
];
#encryptionMeta = {
'xpack.encryptedSavedObjects.encryptionKey': {
docs:
'https://www.elastic.co/guide/en/kibana/current/xpack-security-secure-saved-objects.html#xpack-security-secure-saved-objects',
description: 'Used to encrypt stored objects such as dashboards and visualizations',
},
'xpack.reporting.encryptionKey': {
docs:
'https://www.elastic.co/guide/en/kibana/current/reporting-settings-kb.html#general-reporting-settings',
description: 'Used to encrypt saved reports',
},
'xpack.security.encryptionKey': {
docs:
'https://www.elastic.co/guide/en/kibana/current/security-settings-kb.html#security-session-and-cookie-settings',
description: 'Used to encrypt session information',
},
};

_getEncryptionKey(key) {
return get(this.#config, key);
}

_hasEncryptionKey(key) {
return !!get(this.#config, key);
}

_generateEncryptionKey() {
return crypto.randomBytes(16).toString('hex');
}

docs() {
let docs = '';
this.#encryptionKeyPaths.forEach((key) => {
docs += `${key}
${this.#encryptionMeta[key].description}
${this.#encryptionMeta[key].docs}
\n`;
});
return docs;
}

generate({ force = false }) {
const output = {};
this.#encryptionKeyPaths.forEach((key) => {
if (force || !this._hasEncryptionKey(key)) {
output[key] = this._generateEncryptionKey();
}
});
return output;
}
}
83 changes: 83 additions & 0 deletions src/cli_encryption_keys/encryption_config.test.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
/*
* Licensed to Elasticsearch B.V. under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch B.V. licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
/*
* Licensed to Elasticsearch B.V. under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch B.V. licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

import { EncryptionConfig } from './encryption_config';
import crypto from 'crypto';
import fs from 'fs';

describe('encryption key configuration', () => {
let encryptionConfig = null;

beforeEach(() => {
jest.spyOn(fs, 'readFileSync').mockReturnValue('xpack.security.encryptionKey: foo');
jest.spyOn(crypto, 'randomBytes').mockReturnValue('random-key');
encryptionConfig = new EncryptionConfig();
});
it('should be able to check for encryption keys', () => {
expect(encryptionConfig._hasEncryptionKey('xpack.reporting.encryptionKey')).toEqual(false);
expect(encryptionConfig._hasEncryptionKey('xpack.security.encryptionKey')).toEqual(true);
});

it('should be able to get encryption keys', () => {
expect(encryptionConfig._getEncryptionKey('xpack.reporting.encryptionKey')).toBeUndefined();
expect(encryptionConfig._getEncryptionKey('xpack.security.encryptionKey')).toEqual('foo');
});

it('should generate a key', () => {
expect(encryptionConfig._generateEncryptionKey()).toEqual('random-key');
});

it('should only generate unset keys', () => {
const output = encryptionConfig.generate({ force: false });
expect(output['xpack.security.encryptionKey']).toEqual(undefined);
expect(output['xpack.reporting.encryptionKey']).toEqual('random-key');
});

it('should regenerate all keys if the force flag is set', () => {
const output = encryptionConfig.generate({ force: true });
expect(output['xpack.security.encryptionKey']).toEqual('random-key');
expect(output['xpack.reporting.encryptionKey']).toEqual('random-key');
expect(output['xpack.encryptedSavedObjects.encryptionKey']).toEqual('random-key');
});

it('should set encryptedObjects and reporting with a default configuration', () => {
const output = encryptionConfig.generate({});
expect(output['xpack.security.encryptionKey']).toBeUndefined();
expect(output['xpack.encryptedSavedObjects.encryptionKey']).toEqual('random-key');
expect(output['xpack.reporting.encryptionKey']).toEqual('random-key');
});
});
59 changes: 59 additions & 0 deletions src/cli_encryption_keys/generate.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
/*
* Licensed to Elasticsearch B.V. under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch B.V. licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

import { safeDump } from 'js-yaml';
import { isEmpty } from 'lodash';
import { interactive } from './interactive';
import { Logger } from '../cli_plugin/lib/logger';

export async function generate(encryptionConfig, command) {
const logger = new Logger();
const keys = encryptionConfig.generate({ force: command.force });
if (isEmpty(keys)) {
logger.log('No keys to write. Use the --force flag to generate new keys.');
} else {
if (!command.quiet) {
logger.log('## Kibana Encryption Key Generation Utility\n');
logger.log(
`The 'generate' command guides you through the process of setting encryption keys for:\n`
);
logger.log(encryptionConfig.docs());
logger.log(
'Already defined settings are ignored and can be regenerated using the --force flag. Check the documentation links for instructions on how to rotate encryption keys.'
);
logger.log('Definitions should be set in the kibana.yml used configure Kibana.\n');
}
if (command.interactive) {
await interactive(keys, logger);
} else {
if (!command.quiet) logger.log('Settings:');
logger.log(safeDump(keys));
}
}
}

export function generateCli(program, encryptionConfig) {
program
.command('generate')
.description('Generates encryption keys')
.option('-i, --interactive', 'interactive output')
.option('-q, --quiet', 'do not include instructions')
.option('-f, --force', 'generate new keys for all settings')
.action(generate.bind(null, encryptionConfig));
}
Loading