x-pack/filebeat/input/{cel,httpjson}: fix oauth2 config validation
The logic for validation assumed that client.id and client.secret must
be present, but this is not the case for password grant, so relax the
requirement.
efd6 committed Apr 16, 2024
1 parent 11bc06c commit 5949d94
Showing 5 changed files with 27 additions and 6 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -129,6 +129,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
- Fix panic when more than 32767 pipeline clients are active. {issue}38197[38197] {pull}38556[38556]
- Fix filestream's registry GC: registry entries are now removed from the in-memory and disk store when they're older than the set TTL {issue}36761[36761] {pull}38488[38488]
- [threatintel] MISP splitting fix for empty responses {issue}38739[38739] {pull}38917[38917]
- Fix config validation for CEL and HTTPJSON inputs when using password grant authentication and `client.id` or `client.secret` are not present. {pull}38962[38962]

*Heartbeat*

6 changes: 3 additions & 3 deletions x-pack/filebeat/input/cel/config_auth.go
Expand Up @@ -263,12 +263,12 @@ func (o *oAuth2Config) Validate() error {
case oAuth2ProviderOkta:
return o.validateOktaProvider()
case oAuth2ProviderDefault:
if o.TokenURL == "" || o.ClientID == "" || o.ClientSecret == nil {
return errors.New("both token_url and client credentials must be provided")
}
if (o.User != "" && o.Password == "") || (o.User == "" && o.Password != "") {
return errors.New("both user and password credentials must be provided")
}
if o.TokenURL == "" || ((o.ClientID == "" || o.ClientSecret == nil) && (o.User == "" || o.Password == "")) {
return errors.New("both token_url and client credentials must be provided")
}
default:
return fmt.Errorf("unknown provider %q", o.getProvider())
}
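Review bot: The error text returned by the relaxed check in `case oAuth2ProviderDefault` no longer matches its condition: it still says "both token_url and client credentials must be provided", yet it now fires only when neither a complete client.id/client.secret pair nor a complete user/password pair is configured, so an operator setting up password grant gets no hint that user and password would satisfy it. Consider `return errors.New("token_url and either client credentials or user and password must be provided")`, updating any test that pins the old string. The condition also accepts a lone `client.id` or `client.secret` whenever user and password are both set; if a half-filled client pair is not intended for the password grant, rejecting it here would surface a mistyped key instead of letting the token request go out without full client authentication. The same check and message are in x-pack/filebeat/input/httpjson/config_auth.go, and Validate starts and ends outside this hunk.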
10 changes: 10 additions & 0 deletions x-pack/filebeat/input/cel/config_test.go
Expand Up @@ -291,6 +291,16 @@ var oAuth2ValidationTests = []struct {
},
},
},
{
name: "if_password_is_set_credentials_may_be_missing_for_user-password_authentication",
input: map[string]interface{}{
"auth.oauth2": map[string]interface{}{
"user": "a_client_user",
"password": "a_client_password",
"token_url": "localhost",
},
},
},
{
name: "must_fail_with_an_unknown_provider",
wantErr: errors.New("unknown provider \"unknown\" accessing 'auth.oauth2'"),
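Review bot: The added case covers only the accepting path of the relaxed check; nothing visible in this hunk pins the rejecting side of the new condition. Unless the table already has them outside the hunk, add a case with `token_url` alone (no client pair, no user/password) expecting "both token_url and client credentials must be provided", and one with user and password plus only `client.id`, so the intended handling of a half-filled client pair is recorded. The httpjson table in x-pack/filebeat/input/httpjson/config_test.go receives the same single case and would benefit from the same additions. The table literal continues outside the hunk.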
6 changes: 3 additions & 3 deletions x-pack/filebeat/input/httpjson/config_auth.go
Expand Up @@ -227,12 +227,12 @@ func (o *oAuth2Config) Validate() error {
case oAuth2ProviderOkta:
return o.validateOktaProvider()
case oAuth2ProviderDefault:
if o.TokenURL == "" || o.ClientID == "" || o.ClientSecret == nil {
return errors.New("both token_url and client credentials must be provided")
}
if (o.User != "" && o.Password == "") || (o.User == "" && o.Password != "") {
return errors.New("both user and password credentials must be provided")
}
if o.TokenURL == "" || ((o.ClientID == "" || o.ClientSecret == nil) && (o.User == "" || o.Password == "")) {
return errors.New("both token_url and client credentials must be provided")
}
default:
return fmt.Errorf("unknown provider %q", o.getProvider())
}
10 changes: 10 additions & 0 deletions x-pack/filebeat/input/httpjson/config_test.go
Expand Up @@ -222,6 +222,16 @@ func TestConfigOauth2Validation(t *testing.T) {
},
},
},
{
name: "if password is set credentials may be missing for user-password authentication",
input: map[string]interface{}{
"auth.oauth2": map[string]interface{}{
"user": "a_client_user",
"password": "a_client_password",
"token_url": "localhost",
},
},
},
{
name: "must fail with an unknown provider",
expectedErr: "unknown provider \"unknown\" accessing 'auth.oauth2'",