It is not possible to zero OAuth2.0 credentials via the fleet UI #11261

Open
efd6 opened this issue Sep 27, 2024 · 0 comments
Labels
bug Something isn't working, use only for issues

efd6 commented Sep 27, 2024

When the oauth secret has been added, it cannot be removed via the UI. This breaks some uses. The work-around is to edit the POST text to remove those and then force the change.

Steps:

  1. Add a CEL custom integration, changing only the auth: remove the Basic Authentication user and password and add the OAuth2 authentication fields.
    POST kbn:/api/fleet/package_policies
    {
      "policy_id": "<agent_policy_id>",
      "package": {
        "name": "cel",
        "version": "1.12.0"
      },
      "name": "cel-1",
      "description": "",
      "namespace": "",
      "inputs": {
        "cel-cel": {
          "enabled": true,
          "streams": {
            "cel.cel": {
              "enabled": true,
              "vars": {
                "data_stream.dataset": "cel.cel",
                "resource_url": "https://server.example.com:8089/api",
                "resource_interval": "1m",
                "program": "# // Fetch the agent's public IP every minute and note when the last request was made.\n# // It does not use the Resource URL configuration value.\n# bytes(get(\"https://api.ipify.org/?format=json\").Body).as(body, {\n#     \"events\": [body.decode_json().with({\n#         \"last_requested_at\": has(state.cursor) && has(state.cursor.last_requested_at) ?\n#             state.cursor.last_requested_at\n#         :\n#             now\n#     })],\n#     \"cursor\": {\"last_requested_at\": now}\n# })\n",
                "regexp": "#products: '(?i)(Elasticsearch|Beats|Logstash|Kibana)'\n#solutions: '(?i)(Search|Observability|Security)'\n",
                "username": "",
                "password": "",
                "digest_username": "",
                "digest_password": "",
                "oauth_id": "abc",
                "oauth_secret": "abc",
                "oauth_token_url": "http://example.com/",
                "redact_fields": [],
                "delete_redacted_fields": false,
                "resource_redirect_headers_ban_list": [],
                "oauth_scopes": [],
                "tags": [
                  "forwarded"
                ]
              }
            }
          }
        }
      }
    }
    
  2. Save and continue.
  3. Edit the policy to remove the OAuth2 configurations and save.
  4. Examine the resulting policy.
    PUT kbn:/api/fleet/package_policies/fa519c2a-3dc6-4133-8b25-3ec50bfa53b5
    {
      "package": {
        "name": "cel",
        "version": "1.12.0"
      },
      "name": "cel-1",
      "namespace": "",
      "description": "",
      "policy_id": "elastic-agent-managed-ep",
      "vars": {},
      "inputs": {
        "cel-cel": {
          "enabled": true,
          "streams": {
            "cel.cel": {
              "enabled": true,
              "vars": {
                "data_stream.dataset": "cel.cel",
                "resource_url": "https://server.example.com:8089/api",
                "resource_interval": "1m",
                "program": "# // Fetch the agent's public IP every minute and note when the last request was made.\n# // It does not use the Resource URL configuration value.\n# bytes(get(\"https://api.ipify.org/?format=json\").Body).as(body, {\n#     \"events\": [body.decode_json().with({\n#         \"last_requested_at\": has(state.cursor) && has(state.cursor.last_requested_at) ?\n#             state.cursor.last_requested_at\n#         :\n#             now\n#     })],\n#     \"cursor\": {\"last_requested_at\": now}\n# })\n",
                "regexp": "#products: '(?i)(Elasticsearch|Beats|Logstash|Kibana)'\n#solutions: '(?i)(Search|Observability|Security)'\n",
                "username": "",
                "password": "",
                "digest_username": "",
                "digest_password": "",
                "oauth_id": "",
                "oauth_secret": {
                  "id": "Bt7kMJIBg_TidvVzgDb6",
                  "isSecretRef": true
                },
                "oauth_token_url": "",
                "redact_fields": [],
                "delete_redacted_fields": false,
                "resource_redirect_headers_ban_list": [],
                "oauth_scopes": [],
                "tags": [
                  "forwarded"
                ]
              }
            }
          }
        }
      }
    }
    
  5. Note that oauth_secret is still present. This can cause an issue for users who are developing a CEL-based custom integration, accidentally add OAuth2.0 credentials and then need to back them out, as the resulting configuration will not validate as correct.

The work-around is to edit the POST text to remove that field. This is not an immediately obvious approach.

This looks like it may be a limitation of the handlebars template, though I'm not sure whether it could be due to how fleet handles configuration transitions to the zero state (also due to handlebars). I do not think this is limited to the CEL custom integration, but this is where I found it, and there are very few packages where removing OAuth is a valid action to take. HTTPJSON is one, for the same reasons, and is also affected.

@efd6 efd6 added the bug Something isn't working, use only for issues label Sep 27, 2024
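The inconsistent state in step 4 (a secret reference left in oauth_secret while oauth_id and oauth_token_url are empty) can be checked for and cleaned before the policy body is re-submitted. The following is an added example, not code from the issue author or from Kibana/Fleet; the function names are hypothetical and the sample policy is constructed from the PUT body above.

```python
import copy
import json


def is_secret_ref(value):
    """True when a var has been replaced by a Fleet secret reference object."""
    return isinstance(value, dict) and value.get("isSecretRef") is True


def find_dangling_oauth_secrets(policy):
    """Return (input_id, stream_id) pairs whose vars keep a secret ref for
    oauth_secret while oauth_id and oauth_token_url are empty, i.e. the state
    the UI leaves behind when a user backs out OAuth2 credentials."""
    dangling = []
    for input_id, inp in policy.get("inputs", {}).items():
        for stream_id, stream in inp.get("streams", {}).items():
            v = stream.get("vars", {})
            others_blank = not v.get("oauth_id") and not v.get("oauth_token_url")
            if is_secret_ref(v.get("oauth_secret")) and others_blank:
                dangling.append((input_id, stream_id))
    return dangling


def strip_dangling_oauth_secrets(policy):
    """Return a copy of the policy with the stale oauth_secret removed from every
    dangling stream, matching the issue's work-around of deleting the field
    from the request body before re-submitting it. The input is not modified."""
    cleaned = copy.deepcopy(policy)
    for input_id, stream_id in find_dangling_oauth_secrets(cleaned):
        cleaned["inputs"][input_id]["streams"][stream_id]["vars"].pop("oauth_secret")
    return cleaned


# Constructed sample, trimmed from the step 4 PUT body in the issue.
SAMPLE_POLICY = json.loads("""{
  "package": {"name": "cel", "version": "1.12.0"},
  "name": "cel-1",
  "inputs": {"cel-cel": {"enabled": true, "streams": {"cel.cel": {
    "enabled": true,
    "vars": {
      "oauth_id": "",
      "oauth_secret": {"id": "Bt7kMJIBg_TidvVzgDb6", "isSecretRef": true},
      "oauth_token_url": ""
    }}}}}
}""")

if __name__ == "__main__":
    print(find_dangling_oauth_secrets(SAMPLE_POLICY))  # [('cel-cel', 'cel.cel')]
    print(json.dumps(strip_dangling_oauth_secrets(SAMPLE_POLICY), indent=2))
```

A stream that still carries a non-empty oauth_id and oauth_token_url alongside its secret reference is left untouched, since that is a valid configuration.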