From 1c145076de3b9bd6fed63cd53b95cb2ccaf91415 Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Wed, 17 Apr 2024 09:09:51 +0930
Subject: [PATCH] x-pack/filebeat/input/{cel,httpjson}: fix oauth2 config validation (#38962)
The logic for validation assumed that client.id and client.secret must be present, but this is not the case for password grant, so relax the requirement.
(cherry picked from commit aae918507c36e1de05fda238b2ec08579bbf2d6e)
---
 CHANGELOG.next.asciidoc | 13 +++++++++++++
 x-pack/filebeat/input/cel/config_auth.go | 6 +++---
 x-pack/filebeat/input/cel/config_test.go | 10 ++++++++++
 x-pack/filebeat/input/httpjson/config_auth.go | 6 +++---
 x-pack/filebeat/input/httpjson/config_test.go | 10 ++++++++++
 5 files changed, 39 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 7143377158d3..8a22bfe6a6a7 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -75,6 +75,19 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Fix Filebeat Cisco module with missing escape character {issue}36325[36325] {pull}36326[36326]
 - Added a fix for Crowdstrike pipeline handling process arrays {pull}36496[36496]
 - Fix indexing failures by re-enabling event normalisation in netflow input. {issue}38703[38703] {pull}38780[38780]
+- Fix handling of truncated files in Filestream {issue}38070[38070] {pull}38416[38416]
+- Fix panic when more than 32767 pipeline clients are active. {issue}38197[38197] {pull}38556[38556]
+- Fix filestream's registry GC: registry entries are now removed from the in-memory and disk store when they're older than the set TTL {issue}36761[36761] {pull}38488[38488]
+- [threatintel] MISP splitting fix for empty responses {issue}38739[38739] {pull}38917[38917]
+- Prevent GCP Pub/Sub input blockage by increasing default value of `max_outstanding_messages` {issue}35029[35029] {pull}38985[38985]
+- Fix config validation for CEL and HTTPJSON inputs when using password grant authentication and `client.id` or `client.secret` are not present. {pull}38962[38962]
+
+*Heartbeat*
+
+- Fix panics when parsing dereferencing invalid parsed url. {pull}34702[34702]
+- Fix setuid root when running under cgroups v2. {pull}37794[37794]
+- Adjust State loader to only retry when response code status is 5xx {pull}37981[37981]
+- Reset prctl dumpable flag after cap drop. {pull}38269[38269]
 *Heartbeat*
diff --git a/x-pack/filebeat/input/cel/config_auth.go b/x-pack/filebeat/input/cel/config_auth.go
index ac187f4ffa1e..02998fffaba9 100644
--- a/x-pack/filebeat/input/cel/config_auth.go
+++ b/x-pack/filebeat/input/cel/config_auth.go
@@ -263,12 +263,12 @@ func (o *oAuth2Config) Validate() error {
 case oAuth2ProviderOkta:
 return o.validateOktaProvider()
 case oAuth2ProviderDefault:
- if o.TokenURL == "" || o.ClientID == "" || o.ClientSecret == nil {
- return errors.New("both token_url and client credentials must be provided")
- }
 if (o.User != "" && o.Password == "") || (o.User == "" && o.Password != "") {
 return errors.New("both user and password credentials must be provided")
 }
+ if o.TokenURL == "" || ((o.ClientID == "" || o.ClientSecret == nil) && (o.User == "" || o.Password == "")) {
+ return errors.New("both token_url and client credentials must be provided")
+ }
 default:
 return fmt.Errorf("unknown provider %q", o.getProvider())
 }
diff --git a/x-pack/filebeat/input/cel/config_test.go b/x-pack/filebeat/input/cel/config_test.go
index 0a686df099c1..dfc1b82a954a 100644
--- a/x-pack/filebeat/input/cel/config_test.go
+++ b/x-pack/filebeat/input/cel/config_test.go
@@ -291,6 +291,16 @@ var oAuth2ValidationTests = []struct {
 },
 },
 },
+ {
+ name: "if_password_is_set_credentials_may_be_missing_for_user-password_authentication",
+ input: map[string]interface{}{
+ "auth.oauth2": map[string]interface{}{
+ "user": "a_client_user",
+ "password": "a_client_password",
+ "token_url": "localhost",
+ },
+ },
+ },
 {
 name: "must_fail_with_an_unknown_provider",
 wantErr: errors.New("unknown provider \"unknown\" accessing 'auth.oauth2'"),
diff --git a/x-pack/filebeat/input/httpjson/config_auth.go b/x-pack/filebeat/input/httpjson/config_auth.go
index b25bab03dd39..f9d3e16300f2 100644
--- a/x-pack/filebeat/input/httpjson/config_auth.go
+++ b/x-pack/filebeat/input/httpjson/config_auth.go
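Review bot: The message kept on the relocated check, `both token_url and client credentials must be provided`, no longer describes what the new condition rejects: it also fires when `token_url` is empty although `user`/`password` are set, and when neither credential pair is configured, so an operator is told to add client credentials that this very commit made optional. Splitting it into `if o.TokenURL == "" { return errors.New("token_url must be provided") }` followed by `if (o.ClientID == "" || o.ClientSecret == nil) && (o.User == "" || o.Password == "") { return errors.New("either client credentials or user and password must be provided") }` names the field that is actually missing; the cel test table compares error values, so any existing expectation on the old string would have to be updated with it. The combined condition also deserves a why-comment, e.g. `// The default provider accepts either client credentials or user/password (password grant, per the commit); token_url is required in both cases.`, since the nesting of `||` and `&&` is easy to misread. The identical change and message appear in the httpjson config_auth.go hunk (`@@ -227,12 +227,12 @@`) and carry the same problem. Validate's `switch` opens before this hunk.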
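Review bot: The new table entry only pins the relaxed positive path (`user` + `password` + `token_url` with no client credentials); nothing in this hunk pins the boundaries that the rewritten condition introduces. Two negative entries would lock them in: `user` and `password` set but `token_url` omitted, expecting the token_url error, and an `auth.oauth2` block with neither client credentials nor `user`/`password`, expecting the client-credentials error. Earlier entries in `oAuth2ValidationTests` are outside the hunk, so one of these may already exist; if so, only the missing one is needed. The same gap applies to the mirrored entry in the httpjson config_test.go hunk (`@@ -222,6 +222,16 @@`).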
@@ -227,12 +227,12 @@ func (o *oAuth2Config) Validate() error {
 case oAuth2ProviderOkta:
 return o.validateOktaProvider()
 case oAuth2ProviderDefault:
- if o.TokenURL == "" || o.ClientID == "" || o.ClientSecret == nil {
- return errors.New("both token_url and client credentials must be provided")
- }
 if (o.User != "" && o.Password == "") || (o.User == "" && o.Password != "") {
 return errors.New("both user and password credentials must be provided")
 }
+ if o.TokenURL == "" || ((o.ClientID == "" || o.ClientSecret == nil) && (o.User == "" || o.Password == "")) {
+ return errors.New("both token_url and client credentials must be provided")
+ }
 default:
 return fmt.Errorf("unknown provider %q", o.getProvider())
 }
diff --git a/x-pack/filebeat/input/httpjson/config_test.go b/x-pack/filebeat/input/httpjson/config_test.go
index 910510b6e9cc..2be99ba68b95 100644
--- a/x-pack/filebeat/input/httpjson/config_test.go
+++ b/x-pack/filebeat/input/httpjson/config_test.go
@@ -222,6 +222,16 @@ func TestConfigOauth2Validation(t *testing.T) {
 },
 },
 },
+ {
+ name: "if password is set credentials may be missing for user-password authentication",
+ input: map[string]interface{}{
+ "auth.oauth2": map[string]interface{}{
+ "user": "a_client_user",
+ "password": "a_client_password",
+ "token_url": "localhost",
+ },
+ },
+ },
 {
 name: "must fail with an unknown provider",
 expectedErr: "unknown provider \"unknown\" accessing 'auth.oauth2'",