-
Notifications
You must be signed in to change notification settings - Fork 458
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[eset_protect] Update grant type to password #9600
Conversation
🚀 Benchmarks reportTo see the full report comment with |
client.id: ' ' | ||
client.secret: ' ' | ||
user: {{username}} | ||
password: {{password}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider using escape_string
1 in case values contain characters that require special handling in YAML.
user: {{escape_string username}}
password: {{escape_string password}}
Footnotes
@@ -15,8 +15,10 @@ resource.timeout: {{http_client_timeout}} | |||
{{/if}} | |||
resource.url: https://{{region}}.incident-management.eset.systems | |||
auth.oauth2: | |||
client.id: {{username}} | |||
client.secret: {{password}} | |||
client.id: ' ' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are these empty strings?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Without empty string it is not working.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you clarify what is not working? Can you share the error message? Is it some kind of validation problem from the Agent side? Or is a something from the API service?
If you view the request tracer logs, is the input POSTing client_id=%20&client_secret=%20
and the API is accepting that?
At a minimum we need a comment explaining why the empty strings exists so that future maintainers understand.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The issue here is over zealous validation in the auth config code for the cel package (the same issue will exist in the httpjson package which is the origin of this code). When password auth was added, the token auth logic in the validation was not updated to allow a fallthrough.
I'm putting together a change to fix this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was facing below error:
both token_url and client credentials must be provided accessing 'auth.oauth2'
Additionally, it does not function with an empty string. It requires one space to work properly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, elastic/beats#38962 will fix that, but for the moment you'll need to do what you have done. A comment explaining it and giving a time frame for removal would be good (I expect the PR for the fix would get in to v8.14.0).
TBH I'm amazed that his has gone unnoticed for so long. The bug was introduced in to HTTPJSON when password grant auth was added. I guess no-one has ever had password-only uses.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A comment explaining it and giving a time frame for removal would be good (I expect the PR for the fix would get in to v8.14.0).
@janvi-elastic Can you please add a comment to the two cel.yml.hbs files.
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
As per https://eu.esetconnect.eset.systems/swagger/ > Grant type client_credentials is deprecated and will be removed on Apr 15th 2024
💚 Build Succeeded
History
|
Quality Gate passedIssues Measures |
Package eset_protect - 0.5.0 containing this change is available at https://epr.elastic.co/search?package=eset_protect |
Type of change
What does this PR do?
Checklist
changelog.yml
file.How to test this PR locally
Automated Test