Removing deprecated SSL settings (#28622)

* Removing deprecated SSL settings

* Updating breaking changes doc

* Fixing documentation typo

* Fixing LegacyObjectToConfigAdapter tests

* Fixing transformDeprecations tests

* Updating docs

Co-Authored-By: kobelb <brandon.kobel@gmail.com>

docs/migration/migrate_7_0.asciidoc

@@ -103,3 +103,16 @@ The port is now protocol dependent: https ports will use 443, and http ports wil
 `server.ssl.supportedProtocols`
 
 *Impact:* Users relying upon TLSv1 will be unable to use Kibana unless `server.ssl.supportedProtocols` is explicitly set.
+
+[float]
+=== kibana.yml setting `server.ssl.cert` is no longer valid
+*Details:* This deprecated setting has been removed and `server.ssl.certificate` should be used instead.
+
+*Impact:* Users with `server.ssl.cert` set should use `server.ssl.certificate` instead
+
+[float]
+=== kibana.yml `server.ssl.enabled` must be set to `true` to enable SSL
+*Details:* Previously, if `server.ssl.certificate` and `server.ssl.key` were set, SSL would automatically be enabled. 
+It's now required that the user sets `server.ssl.enabled` to true for this to occur.
+
+*Impact:* Users with both `server.ssl.certificate` and `server.ssl.key` set must now also set `server.ssl.enabled` to enable SSL.

src/core/server/legacy_compat/config/__snapshots__/legacy_object_to_config_adapter.test.ts.snap

@@ -17,40 +17,6 @@ Object {
 }
 `;
 
-exports[`#get correctly handles server config.: deprecated missing ssl.enabled 1`] = `
-Object {
-  "autoListen": true,
-  "basePath": "/abc",
-  "cors": false,
-  "host": "host",
-  "maxPayload": 1000,
-  "port": 1234,
-  "rewriteBasePath": false,
-  "ssl": Object {
-    "certificate": "cert",
-    "enabled": true,
-    "key": "key",
-  },
-}
-`;
-
-exports[`#get correctly handles server config.: deprecated ssl.cert 1`] = `
-Object {
-  "autoListen": true,
-  "basePath": "/abc",
-  "cors": false,
-  "host": "host",
-  "maxPayload": 1000,
-  "port": 1234,
-  "rewriteBasePath": false,
-  "ssl": Object {
-    "certificate": "deprecated-cert",
-    "enabled": true,
-    "key": "key",
-  },
-}
-`;
-
 exports[`#get correctly handles server config.: disabled ssl 1`] = `
 Object {
   "autoListen": true,

src/core/server/legacy_compat/config/legacy_object_to_config_adapter.test.ts

@@ -90,40 +90,8 @@ describe('#get', () => {
       },
     });
 
-    const configAdapterWithCert = new LegacyObjectToConfigAdapter({
-      server: {
-        autoListen: true,
-        basePath: '/abc',
-        cors: false,
-        host: 'host',
-        maxPayloadBytes: 1000,
-        port: 1234,
-        rewriteBasePath: false,
-        ssl: { enabled: true, cert: 'deprecated-cert', key: 'key' },
-        someNotSupportedValue: 'val',
-      },
-    });
-
-    const configAdapterWithoutSSLEnabled = new LegacyObjectToConfigAdapter({
-      server: {
-        autoListen: true,
-        basePath: '/abc',
-        cors: false,
-        host: 'host',
-        maxPayloadBytes: 1000,
-        port: 1234,
-        rewriteBasePath: false,
-        ssl: { certificate: 'cert', key: 'key' },
-        someNotSupportedValue: 'val',
-      },
-    });
-
     expect(configAdapter.get('server')).toMatchSnapshot('default');
     expect(configAdapterWithDisabledSSL.get('server')).toMatchSnapshot('disabled ssl');
-    expect(configAdapterWithCert.get('server')).toMatchSnapshot('deprecated ssl.cert');
-    expect(configAdapterWithoutSSLEnabled.get('server')).toMatchSnapshot(
-      'deprecated missing ssl.enabled'
-    );
   });
 });
 

src/core/server/legacy_compat/config/legacy_object_to_config_adapter.ts

@@ -67,26 +67,10 @@ export class LegacyObjectToConfigAdapter extends ObjectToConfigAdapter {
       maxPayload: configValue.maxPayloadBytes,
       port: configValue.port,
       rewriteBasePath: configValue.rewriteBasePath,
-      ssl: configValue.ssl && LegacyObjectToConfigAdapter.transformSSL(configValue.ssl),
+      ssl: configValue.ssl,
     };
   }
 
-  private static transformSSL(configValue: Record<string, any>) {
-    // `server.ssl.cert` is deprecated, legacy platform will issue deprecation warning.
-    if (configValue.cert) {
-      configValue.certificate = configValue.cert;
-      delete configValue.cert;
-    }
-
-    // Enabling ssl by only specifying server.ssl.certificate and server.ssl.key is deprecated,
-    // legacy platform will issue deprecation warning.
-    if (typeof configValue.enabled !== 'boolean' && configValue.certificate && configValue.key) {
-      configValue.enabled = true;
-    }
-
-    return configValue;
-  }
-
   private static transformPlugins(configValue: Record<string, any>) {
     // This property is the only one we use from the existing `plugins` config node
     // since `scanDirs` and `paths` aren't respected by new platform plugin discovery.

src/server/config/transform_deprecations.js

@@ -17,22 +17,12 @@
  * under the License.
  */
 
-import _, { partial, set } from 'lodash';
+import _, { set } from 'lodash';
 import { createTransform, Deprecations } from '../../deprecation';
 import { unset } from '../../utils';
 
 const { rename, unused } = Deprecations;
 
-const serverSslEnabled = (settings, log) => {
-  const has = partial(_.has, settings);
-  const set = partial(_.set, settings);
-
-  if (!has('server.ssl.enabled') && has('server.ssl.certificate') && has('server.ssl.key')) {
-    set('server.ssl.enabled', true);
-    log('Enabling ssl by only specifying server.ssl.certificate and server.ssl.key is deprecated. Please set server.ssl.enabled to true');
-  }
-};
-
 const savedObjectsIndexCheckTimeout = (settings, log) => {
   if (_.has(settings, 'savedObjects.indexCheckTimeout')) {
     log('savedObjects.indexCheckTimeout is no longer necessary.');
@@ -67,7 +57,6 @@ const loggingTimezone = (settings, log) => {
 
 const deprecations = [
   //server
-  rename('server.ssl.cert', 'server.ssl.certificate'),
   unused('server.xsrf.token'),
   unused('uiSettings.enabled'),
   rename('optimize.lazy', 'optimize.watch'),
@@ -76,7 +65,6 @@ const deprecations = [
   rename('optimize.lazyPrebuild', 'optimize.watchPrebuild'),
   rename('optimize.lazyProxyTimeout', 'optimize.watchProxyTimeout'),
   rename('i18n.defaultLocale', 'i18n.locale'),
-  serverSslEnabled,
   savedObjectsIndexCheckTimeout,
   rewriteBasePath,
   loggingTimezone,

src/server/config/transform_deprecations.test.js

@@ -22,59 +22,6 @@ import { transformDeprecations } from './transform_deprecations';
 
 describe('server/config', function () {
   describe('transformDeprecations', function () {
-    describe('server.ssl.enabled', function () {
-      it('sets enabled to true when certificate and key are set', function () {
-        const settings = {
-          server: {
-            ssl: {
-              certificate: '/cert.crt',
-              key: '/key.key'
-            }
-          }
-        };
-
-        const result = transformDeprecations(settings);
-        expect(result.server.ssl.enabled).toBe(true);
-      });
-
-      it('logs a message when automatically setting enabled to true', function () {
-        const settings = {
-          server: {
-            ssl: {
-              certificate: '/cert.crt',
-              key: '/key.key'
-            }
-          }
-        };
-
-        const log = sinon.spy();
-        transformDeprecations(settings, log);
-        expect(log.calledOnce).toBe(true);
-      });
-
-      it(`doesn't set enabled when key and cert aren't set`, function () {
-        const settings = {
-          server: {
-            ssl: {}
-          }
-        };
-
-        const result = transformDeprecations(settings);
-        expect(result.server.ssl.enabled).toBe(undefined);
-      });
-
-      it(`doesn't log a message when not automatically setting enabled`, function () {
-        const settings = {
-          server: {
-            ssl: {}
-          }
-        };
-
-        const log = sinon.spy();
-        transformDeprecations(settings, log);
-        expect(log.called).toBe(false);
-      });
-    });
 
     describe('savedObjects.indexCheckTimeout', () => {
       it('removes the indexCheckTimeout and savedObjects properties', () => {