Skip to content

Commit

Permalink
x-pack/filebeat/input/http_endpoint: add support for base64-encoded H…
Browse files Browse the repository at this point in the history
…MAC headers (#39655)
  • Loading branch information
efd6 authored May 30, 2024
1 parent 98202e4 commit 23f69f7
Show file tree
Hide file tree
Showing 4 changed files with 98 additions and 2 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -284,10 +284,10 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
- Implement Elastic Agent status and health reporting for CEL Filebeat input. {pull}39209[39209]
- Add HTTP metrics to CEL input. {issue}39501[39501] {pull}39503[39503]
- Add default user-agent to CEL HTTP requests. {issue}39502[39502] {pull}39587[39587]
- Improve reindexing support in security module pipelines. {issue}38224[38224] {pull}[]
- Improve reindexing support in security module pipelines. {issue}38224[38224] {pull}39588[39588]
- Make HTTP Endpoint input GA. {issue}38979[38979] {pull}39410[39410]
- Update CEL mito extensions to v1.12.2. {pull}39755[39755]
- Add support for base64-encoded HMAC headers to HTTP Endpoint. {pull}39655[39655]

*Auditbeat*

Expand Down
1 change: 1 addition & 0 deletions x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -262,6 +262,7 @@ The secret stored in the header name specified by `secret.header`. Certain webho
==== `hmac.header`

The name of the header that contains the HMAC signature: `X-Dropbox-Signature`, `X-Hub-Signature-256`, etc.
HMAC signatures may be encoded as hex or base64.

[float]
==== `hmac.key`
Expand Down
75 changes: 75 additions & 0 deletions x-pack/filebeat/input/http_endpoint/handler_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -259,6 +259,81 @@ func Test_apiResponse(t *testing.T) {
wantStatus: http.StatusOK,
wantResponse: `{"message": "success"}`,
},
{
name: "hmac_hex",
conf: func() config {
c := defaultConfig()
c.Prefix = "."
c.HMACHeader = "Test-HMAC"
c.HMACKey = "Test-HMAC-Key"
c.HMACType = "sha1"
c.HMACPrefix = "sha1:"
return c
}(),
request: func() *http.Request {
req := httptest.NewRequest(http.MethodPost, "/", bytes.NewBufferString(`{"id":0}`))
req.Header.Set("Content-Type", "application/json")
req.Header.Set("Test-HMAC", "sha1:f6bf232bf1f0ca3d768f8b6bd5c26a204ba57e89")
return req
}(),
events: []mapstr.M{
{
"id": int64(0),
},
},
wantStatus: http.StatusOK,
wantResponse: `{"message": "success"}`,
},
{
name: "hmac_base64",
conf: func() config {
c := defaultConfig()
c.Prefix = "."
c.HMACHeader = "Test-HMAC"
c.HMACKey = "Test-HMAC-Key"
c.HMACType = "sha1"
c.HMACPrefix = "sha1:"
return c
}(),
request: func() *http.Request {
req := httptest.NewRequest(http.MethodPost, "/", bytes.NewBufferString(`{"id":0}`))
req.Header.Set("Content-Type", "application/json")
req.Header.Set("Test-HMAC", "sha1:9r8jK/Hwyj12j4tr1cJqIEulfok=")
return req
}(),
events: []mapstr.M{
{
"id": int64(0),
},
},
wantStatus: http.StatusOK,
wantResponse: `{"message": "success"}`,
},
{
name: "hmac_raw_base64",
conf: func() config {
c := defaultConfig()
c.Prefix = "."
c.HMACHeader = "Test-HMAC"
c.HMACKey = "Test-HMAC-Key"
c.HMACType = "sha1"
c.HMACPrefix = "sha1:"
return c
}(),
request: func() *http.Request {
req := httptest.NewRequest(http.MethodPost, "/", bytes.NewBufferString(`{"id":0}`))
req.Header.Set("Content-Type", "application/json")
req.Header.Set("Test-HMAC", "sha1:9r8jK/Hwyj12j4tr1cJqIEulfok")
return req
}(),
events: []mapstr.M{
{
"id": int64(0),
},
},
wantStatus: http.StatusOK,
wantResponse: `{"message": "success"}`,
},
{
name: "single_event_gzip",
conf: defaultConfig(),
Expand Down
22 changes: 21 additions & 1 deletion x-pack/filebeat/input/http_endpoint/validate.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (
"crypto/hmac"
"crypto/sha1"
"crypto/sha256"
"encoding/base64"
"encoding/hex"
"errors"
"fmt"
Expand Down Expand Up @@ -69,7 +70,7 @@ func (v *apiValidator) validateRequest(r *http.Request) (status int, err error)
if v.hmacPrefix != "" {
hmacHeaderValue = strings.TrimPrefix(hmacHeaderValue, v.hmacPrefix)
}
signature, err := hex.DecodeString(hmacHeaderValue)
signature, err := decodeHeaderValue(hmacHeaderValue)
if err != nil {
return http.StatusUnauthorized, fmt.Errorf("invalid HMAC signature hex: %w", err)
}
Expand Down Expand Up @@ -104,3 +105,22 @@ func (v *apiValidator) validateRequest(r *http.Request) (status int, err error)

return http.StatusAccepted, nil
}

// decoders is the priority-ordered set of decoders to use for HMAC header values.
var decoders = [...]func(string) ([]byte, error){
hex.DecodeString,
base64.RawStdEncoding.DecodeString,
base64.StdEncoding.DecodeString,
}

func decodeHeaderValue(s string) ([]byte, error) {
var errs []error
for _, d := range &decoders {
b, err := d(s)
if err == nil {
return b, nil
}
errs = append(errs, err)
}
return nil, errors.Join(errs...)
}

0 comments on commit 23f69f7

Please sign in to comment.