Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x-pack/filebeat/input/{cel,httpjson}: fix PEM key validation #38405

Merged
merged 3 commits into from
Mar 19, 2024
Merged

x-pack/filebeat/input/{cel,httpjson}: fix PEM key validation #38405

merged 3 commits into from
Mar 19, 2024

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Mar 19, 2024
edited
Loading

Proposed commit message

Previously the validation was attempting to parse the PEM text as a key and was also attempting to parse the data as the wrong kind of key.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works — also tested manually against the Okta integration as at okta: allow users to provide private key as a PEM block integrations#9291
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

@efd6 efd6 added Filebeat Filebeat bugfix Team:Security-Service Integrations Security Service Integrations Team 8.13-candidate backport-v8.13.0 Automated backport with mergify labels Mar 19, 2024
@efd6 efd6 self-assigned this Mar 19, 2024
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Mar 19, 2024
@efd6 efd6 marked this pull request as ready for review March 19, 2024 02:10
@efd6 efd6 requested a review from a team as a code owner March 19, 2024 02:10
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@efd6
x-pack/filebeat/input/{cel,httpjson}: fix PEM key validation
5e46064 
Previously the validation was attempting to parse the PEM text as a key
and was also attempting to parse the data as the wrong kind of key.
@elasticmachine
Copy link
Collaborator

elasticmachine commented Mar 19, 2024
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2024-03-19T04:27:08.753+0000

  • Duration: 134 min 26 sec

Test stats 🧪

Test Results
Failed 0
Passed 434
Skipped 0
Total 434

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

andrewkroh
andrewkroh reviewed Mar 19, 2024
View reviewed changes
x-pack/filebeat/input/cel/config_auth.go Outdated
_, err := x509.ParsePKCS1PrivateKey([]byte(o.OktaJWKPEM))
blk, rest := pem.Decode([]byte(o.OktaJWKPEM))
if rest := bytes.TrimSpace(rest); len(rest) != 0 {
return fmt.Errorf("PEM text has trailing data: %s", rest)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think a check for blk == nil is warranted if it is going to check for extra data in rest.

And to be safe against logging key material, I would omit rest from the error.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The data in rest is partially orthogonal to the nilness of blk because of the bytes.TrimSpace call, but I have guarded against a nil deref.

@efd6 efd6 requested a review from andrewkroh March 19, 2024 03:22
@efd6 efd6 enabled auto-merge (squash) March 19, 2024 03:34
@efd6 efd6 requested a review from andrewkroh March 19, 2024 03:43
@efd6 efd6 disabled auto-merge March 19, 2024 03:44
@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

History

cc @efd6

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

History

cc @efd6

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

History

cc @efd6

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

History

cc @efd6

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

History

cc @efd6

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

History

cc @efd6

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

History

cc @efd6

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

History

cc @efd6

@elasticmachine
Copy link
Collaborator

elasticmachine commented Mar 19, 2024
edited
Loading

💔 Build Failed

Failed CI Steps

History

cc @efd6

@elasticmachine
Copy link
Collaborator

elasticmachine commented Mar 19, 2024
edited
Loading

💔 Build Failed

Failed CI Steps

History

cc @efd6

@ShourieG
Copy link
Contributor

@efd6 Should the windows build failure be a cause of concern here ?

@efd6
Copy link
Contributor Author

efd6 commented Mar 19, 2024

/test

ShourieG
ShourieG approved these changes Mar 19, 2024
View reviewed changes
Copy link
Contributor

@ShourieG ShourieG left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@efd6 efd6 enabled auto-merge (squash) March 19, 2024 05:04
@efd6 efd6 merged commit c29075e into elastic:main Mar 19, 2024
39 of 43 checks passed
mergify bot pushed a commit that referenced this pull request Mar 19, 2024
@efd6 @mergify
x-pack/filebeat/input/{cel,httpjson}: fix PEM key validation (#38405)
4c0acc0 
Previously the validation was attempting to parse the PEM text as a key
and was also attempting to parse the data as the wrong kind of key.

(cherry picked from commit c29075e)
@mergify mergify bot mentioned this pull request Mar 19, 2024
Merged
6 tasks
efd6 added a commit that referenced this pull request Mar 19, 2024
@efd6
x-pack/filebeat/input/{cel,httpjson}: fix PEM key validation (#38405)
124f31c 
Previously the validation was attempting to parse the PEM text as a key
and was also attempting to parse the data as the wrong kind of key.

(cherry picked from commit c29075e)
efd6 added a commit that referenced this pull request Mar 19, 2024
@mergify @efd6
[8.13](backport #38405) x-pack/filebeat/input/{cel,httpjson}: fix PEM…
4a86c64 
… key validation (#38406)

* x-pack/filebeat/input/{cel,httpjson}: fix PEM key validation (#38405)

Previously the validation was attempting to parse the PEM text as a key
and was also attempting to parse the data as the wrong kind of key.

(cherry picked from commit c29075e)

* remove irrelevant changelog entries

---------

Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ShourieG ShourieG ShourieG approved these changes

@andrewkroh andrewkroh Awaiting requested review from andrewkroh

Assignees

@efd6 efd6

Labels
8.13-candidate backport-v8.13.0 Automated backport with mergify bugfix Filebeat Filebeat Team:Security-Service Integrations Security Service Integrations Team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@efd6 @elasticmachine @ShourieG @andrewkroh