elastic
diff --git a/‎CHANGELOG.next.asciidoc‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.next.asciidoc‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎libbeat/common/transport/tlscommon/tls.go‎
Lines changed: 70 additions & 11 deletions b/‎libbeat/common/transport/tlscommon/tls.go‎
Lines changed: 70 additions & 11 deletions
@@ -22,6 +22,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Added `certificate` TLS verification mode to ignore server name mismatch. {issue}12283[12283] {pull}20293[20293]
 - Autodiscover doesn't generate any configuration when a variable is missing. Previously it generated an incomplete configuration. {pull}20898[20898]
 - Remove redundant `cloudfoundry.*.timestamp` fields. This value is set in `@timestamp`. {pull}21175[21175]
+- Allow embedding of CAs, Certificate of private keys for anything that support TLS in ouputs and inputs https://github.com/elastic/beats/pull/21179
 
 *Auditbeat*
 
 
@@ -24,7 +24,10 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"io"
 	"io/ioutil"
+	"os"
+	"strings"
 
 	"github.com/elastic/beats/v7/libbeat/logp"
 )
@@ -67,13 +70,19 @@ func LoadCertificate(config *CertificateConfig) (*tls.Certificate, error) {
 	return &cert, nil
 }
 
-// ReadPEMFile reads a PEM format file on disk and decrypt it with the privided password and
-// return the raw content.
-func ReadPEMFile(log *logp.Logger, path, passphrase string) ([]byte, error) {
+// ReadPEMFile reads a PEM formatted string either from disk or passed as a plain text starting with a "-"
+// and decrypt it with the provided password and  return the raw content.
+func ReadPEMFile(log *logp.Logger, s, passphrase string) ([]byte, error) {
 	pass := []byte(passphrase)
 	var blocks []*pem.Block
 
-	content, err := ioutil.ReadFile(path)
+	r, err := NewPEMReader(s)
+	if err != nil {
+		return nil, err
+	}
+	defer r.Close()
+
+	content, err := ioutil.ReadAll(r)
 	if err != nil {
 		return nil, err
 	}
@@ -102,7 +111,7 @@ func ReadPEMFile(log *logp.Logger, path, passphrase string) ([]byte, error) {
 
 			if err != nil {
 				log.Errorf("Dropping encrypted pem '%v' block read from %v. %+v",
-					block.Type, path, err)
+					block.Type, r, err)
 				continue
 			}
 
@@ -139,20 +148,28 @@ func LoadCertificateAuthorities(CAs []string) (*x509.CertPool, []error) {
 
 	log := logp.NewLogger(logSelector)
 	roots := x509.NewCertPool()
-	for _, path := range CAs {
-		pemData, err := ioutil.ReadFile(path)
+	for _, s := range CAs {
+		r, err := NewPEMReader(s)
 		if err != nil {
 			log.Errorf("Failed reading CA certificate: %+v", err)
-			errors = append(errors, fmt.Errorf("%v reading %v", err, path))
+			errors = append(errors, fmt.Errorf("%v reading %v", err, r))
+			continue
+		}
+		defer r.Close()
+
+		pemData, err := ioutil.ReadAll(r)
+		if err != nil {
+			log.Errorf("Failed reading CA certificate: %+v", err)
+			errors = append(errors, fmt.Errorf("%v reading %v", err, r))
 			continue
 		}
 
 		if ok := roots.AppendCertsFromPEM(pemData); !ok {
-			log.Error("Failed to add CA to the cert pool, CA is not a valid PEM file")
-			errors = append(errors, fmt.Errorf("%v adding %v to the list of known CAs", ErrNotACertificate, path))
+			log.Error("Failed to add CA to the cert pool, CA is not a valid PEM document")
+			errors = append(errors, fmt.Errorf("%v adding %v to the list of known CAs", ErrNotACertificate, r))
 			continue
 		}
-		log.Debugf("tls", "successfully loaded CA certificate: %v", path)
+		log.Debugf("tls", "successfully loaded CA certificate: %v", r)
 	}
 
 	return roots, errors
@@ -187,3 +204,45 @@ func ResolveTLSVersion(v uint16) string {
 func ResolveCipherSuite(cipher uint16) string {
 	return tlsCipherSuite(cipher).String()
 }
+
+// PEMReader allows to read a certificate in PEM format either through the disk or from a string.
+type PEMReader struct {
+	reader   io.ReadCloser
+	debugStr string
+}
+
+// NewPEMReader returns a new PEMReader.
+func NewPEMReader(certificate string) (*PEMReader, error) {
+	if IsPEMString(certificate) {
+		// Take a substring of the certificate so we do not leak the whole certificate or private key in the log.
+		debugStr := certificate[0:256] + "..."
+		return &PEMReader{reader: ioutil.NopCloser(strings.NewReader(certificate)), debugStr: debugStr}, nil
+	}
+
+	r, err := os.Open(certificate)
+	if err != nil {
+		return nil, err
+	}
+	return &PEMReader{reader: r, debugStr: certificate}, nil
+}
+
+// Close closes the target io.ReadCloser.
+func (p *PEMReader) Close() error {
+	return p.reader.Close()
+}
+
+// Read read bytes from the io.ReadCloser.
+func (p *PEMReader) Read(b []byte) (n int, err error) {
+	return p.reader.Read(b)
+}
+
+func (p *PEMReader) String() string {
+	return p.debugStr
+}
+
+// IsPEMString returns true if the provided string match a PEM formatted certificate. try to pem decode to validate.
+func IsPEMString(s string) bool {
+	// Trim the certificates to make sure we tolerate any yaml weirdness, we assume that the string starts
+	// with "-" and let further validation verifies the PEM format.
+	return strings.HasPrefix(strings.TrimSpace(s), "-")
+}