Adding APIs for synthetics

[jguay]

Adding following API calls from 8.12.0 (we may be able to set a lower minimum version if no sensitive data is returned) :

GET kbn:/internal/uptime/service/locations
GET kbn:/api/synthetics/private_locations
GET kbn:/api/uptime/settings
GET kbn:/internal/synthetics/monitor/filters

Additionally code for this API was added and API is disabled on purpose pending review that API does not include sensitive information :

GET kbn:/internal/synthetics/service/monitors?perPage=100&page=1

Checklist

• Review from dev required related to inclusion of sensitive data

[jguay]

@lucabelluccini Can you ping the synthetics developers related to check for sensitive data in case monitors list is (the only one) unsafe to collect and if they know which version is safe to collect these APIs from ? Thanks

[lucabelluccini]

Hello @jguay thank you a lot for the contribution.
As discussed with @devcorpio (sorry for the direct ping - if you want to delegate this to other members of the Synthetics team please do), we would like to confirm if the APIs we're planning to add are not dumping secrets or sensitive information.
Can we have a confirmation? If there's a specific minimum version to use, please let us know.

[devcorpio]

Hi @jguay @lucabelluccini,

I'm trying to find the proper person(or people) who might give a thorough answer to this.

We will add our review as soon as possible

Thanks,
Alberto

[devcorpio]

Hi again!,

@awahab07 has been checking this and provided the following information (thanks Abdul!):

So the decrypted query param is on the Get One monitor endpoint /internal/synthetics/service/monitor/{monitorId} and should be set to false. This will omit sensitive/encrypted fields while returning the monitor. List of sensitive fields.

The list of non-decrypted fields are.

So generally no sensitive fields will be returned. However, there might be sensitive information contained in the non-decrypted fields, depending on how the user has configured the monitor. E.g. Playwright Options accepts a JSON but is not encrypted.

--

Hope this helps

Cheers,
Alberto

[lucabelluccini]

Hello @jguay - I think this should be safe to merge if we tested it.

[lucabelluccini]

Hello @elastic/field-eng
Would it be possible to review this PR and merge it? It would be useful for Synthetics.

According to engineering, those APIs will not disclose sensible info.

[pickypg]

I think this should be safe to merge if we tested it.

Was it ever tested?