[Filebeat] Okta Entity Analytics Input panic

[andrewkroh]

The Okta provider in the Filebeat entityanalytics input can panic. This was observed two times while running the Fleet integration in Elastic Agent.

This is the gist of the panic taken from the log message forwarded by the Elastic Agent. This is from a system that doesn't have direct network access so I had to transcribe.

---

runtime error: invalid memory address of nil pointer dereference

kvstore/input.go:62

x-pack/filebeat/input/entityanalytics/provider/okta/okta.go:630

okta/okta.go:323

okta/okta.go:143

kvstore/input.go:83

input/v2/compat/compt.go:122

---

For confirmed bugs, please report:

• Version: 8.13.3
• Operating System: linux

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[andrewkroh]

A more complete copy of the message (via OCR):

Input 'entity-analytics-okta' failed with: input entity-analytics-entityanalytics_okta.user-6a0dccOd-4479-473e-a06c-7e742da97456 panic with: runtimeerror: invalid memory address or nil pointer dereference 
goroutine 58713 [running]: 
runtime/debug.Stack()
	runtime/debug/stack.go:24+0x64
github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/internal/kvstore.(*input).Run.func1()
	github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/internal/kvstore/input.go:62 +0x48
panic({0xaaaae8f7540?, Oxaaaaebb58540?})
	runtime/panic.go:914+0x218
github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/okta.(*oktaInput).publishUser(0x4000ad2d80, 0x400a5da1c0, 0x4003706210?, {0x4001823950, 0x4f},  {0x0, 0x0}, 0x4001d3a820)
	github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/okta/okta.go:630+0x260
github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/okta.(*oktaInput).runIncrementalUpdate_, {0x4005c70b30, {0x4001823950, ex4f}, 1{@xaaaae81afb30, 0x8}, {0xaaaae81afb30, 0x8}, (0x4000cea258, 0x6}, ...), ...}, ...)
	github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/okta/okta.go:323 +0x3b8
github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/okta.(*oktaInput). Run_, {0x4005c70b30, {0x4001823950, 0x4f}, {{0xaaaae81afb30, 0x8}, {0xaaaae81afb30, 0x8}, {0x4000cea258, 0x6},…｝，•…｝，...) 
	github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/okta/okta.go:143 +0x664
github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/internal/kvstore.(*input).Run(_, {0x4005c70b30, {0x4001823950, 0x4f}, {{0xaaaae81afb30, 0x8}, {0xaaaae81afb30, 0x8},{0х4000сеа258, 0хб},...3, .},...)
	github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/internal/kvstore/input.go:83+0x400
github.com/elastic/beats/v7/filebeat/input/v2/compat. (*runner).Start.funcl()
	github.com/elastic/beats/v7/filebeat/input/v2/compat/compat.go:122+0x184 ncreated by github.com/elastic/beats/v7/filebeat/input/v2/compat. (*runner).Start in goroutine 148
Itgithub.com/elastic/beats/v7/filebeat/input/v2/compat/compat.go:119 +0xd0

[efd6]

The manually corrected line that's relevant is

github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/okta.(*oktaInput).publishUser(0x4000ad2d80, 0x400a5da1c0, 0x4003706210?, {0x4001823950, 0x4f},  {0x0, 0x0}, 0x4001d3a820)
	github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/okta/okta.go:630+0x260

This tells us that the beat.Client being passed in is nil. This is consitent with the panic behaviour.

[efd6]

The only way that we can get a nil value here is if the client constructor here fails. The error from this call is not checked, so we cannot know if this happens. This is fixed in #38556, which is in v8.14.0, but not backported to 8.13.

[andrewkroh]

Thanks for your help @efd6 . I think we can close this given the panic shouldn't occur in 8.14.