[8.13](backport #38962) x-pack/filebeat/input/{cel,httpjson}: fix oau…

…th2 config validation (#38995)

* x-pack/filebeat/input/{cel,httpjson}: fix oauth2 config validation (#38962)

The logic for validation assumed that client.id and client.secret must
be present, but this is not the case for password grant, so relax the
requirement.

(cherry picked from commit aae9185)

* remove irrelevant changelog entries

---------

Co-authored-by: Dan Kortschak <[email protected]>

CHANGELOG.next.asciidoc

@@ -75,6 +75,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Fix Filebeat Cisco module with missing escape character {issue}36325[36325] {pull}36326[36326]
 - Added a fix for Crowdstrike pipeline handling process arrays {pull}36496[36496]
 - Fix indexing failures by re-enabling event normalisation in netflow input. {issue}38703[38703] {pull}38780[38780]
+- Fix config validation for CEL and HTTPJSON inputs when using password grant authentication and `client.id` or `client.secret` are not present. {pull}38962[38962]
 
 *Heartbeat*
 

x-pack/filebeat/input/cel/config_auth.go

@@ -263,12 +263,12 @@ func (o *oAuth2Config) Validate() error {
 	case oAuth2ProviderOkta:
 		return o.validateOktaProvider()
 	case oAuth2ProviderDefault:
-		if o.TokenURL == "" || o.ClientID == "" || o.ClientSecret == nil {
-			return errors.New("both token_url and client credentials must be provided")
-		}
 		if (o.User != "" && o.Password == "") || (o.User == "" && o.Password != "") {
 			return errors.New("both user and password credentials must be provided")
 		}
+		if o.TokenURL == "" || ((o.ClientID == "" || o.ClientSecret == nil) && (o.User == "" || o.Password == "")) {
+			return errors.New("both token_url and client credentials must be provided")
+		}
 	default:
 		return fmt.Errorf("unknown provider %q", o.getProvider())
 	}

x-pack/filebeat/input/cel/config_test.go

@@ -291,6 +291,16 @@ var oAuth2ValidationTests = []struct {
 			},
 		},
 	},
+	{
+		name: "if_password_is_set_credentials_may_be_missing_for_user-password_authentication",
+		input: map[string]interface{}{
+			"auth.oauth2": map[string]interface{}{
+				"user":      "a_client_user",
+				"password":  "a_client_password",
+				"token_url": "localhost",
+			},
+		},
+	},
 	{
 		name:    "must_fail_with_an_unknown_provider",
 		wantErr: errors.New("unknown provider \"unknown\" accessing 'auth.oauth2'"),

x-pack/filebeat/input/httpjson/config_auth.go

@@ -227,12 +227,12 @@ func (o *oAuth2Config) Validate() error {
 	case oAuth2ProviderOkta:
 		return o.validateOktaProvider()
 	case oAuth2ProviderDefault:
-		if o.TokenURL == "" || o.ClientID == "" || o.ClientSecret == nil {
-			return errors.New("both token_url and client credentials must be provided")
-		}
 		if (o.User != "" && o.Password == "") || (o.User == "" && o.Password != "") {
 			return errors.New("both user and password credentials must be provided")
 		}
+		if o.TokenURL == "" || ((o.ClientID == "" || o.ClientSecret == nil) && (o.User == "" || o.Password == "")) {
+			return errors.New("both token_url and client credentials must be provided")
+		}
 	default:
 		return fmt.Errorf("unknown provider %q", o.getProvider())
 	}

x-pack/filebeat/input/httpjson/config_test.go

@@ -222,6 +222,16 @@ func TestConfigOauth2Validation(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "if password is set credentials may be missing for user-password authentication",
+			input: map[string]interface{}{
+				"auth.oauth2": map[string]interface{}{
+					"user":      "a_client_user",
+					"password":  "a_client_password",
+					"token_url": "localhost",
+				},
+			},
+		},
 		{
 			name:        "must fail with an unknown provider",
 			expectedErr: "unknown provider \"unknown\" accessing 'auth.oauth2'",