x-pack/filebeat/input/{cel,httpjson}: fix oauth2 config validation (#…

…38962) The logic for validation assumed that client.id and client.secret must be present, but this is not the case for password grant, so relax the requirement. (cherry picked from commit aae9185)
elastic · Apr 16, 2024 · 1c14507 · 1c14507
1 parent ff392ca
commit 1c14507
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 6 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -75,6 +75,19 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Fix Filebeat Cisco module with missing escape character {issue}36325[36325] {pull}36326[36326]
 - Added a fix for Crowdstrike pipeline handling process arrays {pull}36496[36496]
 - Fix indexing failures by re-enabling event normalisation in netflow input. {issue}38703[38703] {pull}38780[38780]
+- Fix handling of truncated files in Filestream {issue}38070[38070] {pull}38416[38416]
+- Fix panic when more than 32767 pipeline clients are active. {issue}38197[38197] {pull}38556[38556]
+- Fix filestream's registry GC: registry entries are now removed from the in-memory and disk store when they're older than the set TTL {issue}36761[36761] {pull}38488[38488]
+- [threatintel] MISP splitting fix for empty responses {issue}38739[38739] {pull}38917[38917]
+- Prevent GCP Pub/Sub input blockage by increasing default value of `max_outstanding_messages` {issue}35029[35029] {pull}38985[38985]
+- Fix config validation for CEL and HTTPJSON inputs when using password grant authentication and `client.id` or `client.secret` are not present. {pull}38962[38962]
+
+*Heartbeat*
+
+- Fix panics when parsing dereferencing invalid parsed url. {pull}34702[34702]
+- Fix setuid root when running under cgroups v2. {pull}37794[37794]
+- Adjust State loader to only retry when response code status is 5xx {pull}37981[37981]
+- Reset prctl dumpable flag after cap drop. {pull}38269[38269]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/input/cel/config_auth.go b/x-pack/filebeat/input/cel/config_auth.go
@@ -263,12 +263,12 @@ func (o *oAuth2Config) Validate() error {
 	case oAuth2ProviderOkta:
 		return o.validateOktaProvider()
 	case oAuth2ProviderDefault:
-		if o.TokenURL == "" || o.ClientID == "" || o.ClientSecret == nil {
-			return errors.New("both token_url and client credentials must be provided")
-		}
 		if (o.User != "" && o.Password == "") || (o.User == "" && o.Password != "") {
 			return errors.New("both user and password credentials must be provided")
 		}
+		if o.TokenURL == "" || ((o.ClientID == "" || o.ClientSecret == nil) && (o.User == "" || o.Password == "")) {
+			return errors.New("both token_url and client credentials must be provided")
+		}
 	default:
 		return fmt.Errorf("unknown provider %q", o.getProvider())
 	}

diff --git a/x-pack/filebeat/input/cel/config_test.go b/x-pack/filebeat/input/cel/config_test.go
@@ -291,6 +291,16 @@ var oAuth2ValidationTests = []struct {
 			},
 		},
 	},
+	{
+		name: "if_password_is_set_credentials_may_be_missing_for_user-password_authentication",
+		input: map[string]interface{}{
+			"auth.oauth2": map[string]interface{}{
+				"user":      "a_client_user",
+				"password":  "a_client_password",
+				"token_url": "localhost",
+			},
+		},
+	},
 	{
 		name:    "must_fail_with_an_unknown_provider",
 		wantErr: errors.New("unknown provider \"unknown\" accessing 'auth.oauth2'"),

diff --git a/x-pack/filebeat/input/httpjson/config_auth.go b/x-pack/filebeat/input/httpjson/config_auth.go
@@ -227,12 +227,12 @@ func (o *oAuth2Config) Validate() error {
 	case oAuth2ProviderOkta:
 		return o.validateOktaProvider()
 	case oAuth2ProviderDefault:
-		if o.TokenURL == "" || o.ClientID == "" || o.ClientSecret == nil {
-			return errors.New("both token_url and client credentials must be provided")
-		}
 		if (o.User != "" && o.Password == "") || (o.User == "" && o.Password != "") {
 			return errors.New("both user and password credentials must be provided")
 		}
+		if o.TokenURL == "" || ((o.ClientID == "" || o.ClientSecret == nil) && (o.User == "" || o.Password == "")) {
+			return errors.New("both token_url and client credentials must be provided")
+		}
 	default:
 		return fmt.Errorf("unknown provider %q", o.getProvider())
 	}

diff --git a/x-pack/filebeat/input/httpjson/config_test.go b/x-pack/filebeat/input/httpjson/config_test.go
@@ -222,6 +222,16 @@ func TestConfigOauth2Validation(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "if password is set credentials may be missing for user-password authentication",
+			input: map[string]interface{}{
+				"auth.oauth2": map[string]interface{}{
+					"user":      "a_client_user",
+					"password":  "a_client_password",
+					"token_url": "localhost",
+				},
+			},
+		},
 		{
 			name:        "must fail with an unknown provider",
 			expectedErr: "unknown provider \"unknown\" accessing 'auth.oauth2'",