-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Filebeat] Adds oauth2 support for httpjson input #18892
Conversation
Pinging @elastic/siem (Team:SIEM) |
💚 Build SucceededExpand to view the summary
Build stats
Test stats 🧪
Steps errorsExpand to view the steps failures
|
dd950a3
to
922f906
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just my 2 cents, rest looks good from our testing
922f906
to
4a321dc
Compare
@P1llus please take a look to see if this looks somehow good. I scoped the provider specific options with |
3f8a188
to
868d3b8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a small question, rest LGTM :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a little early feedback. Looks like it coming along well.
@@ -84,6 +83,14 @@ func (c *config) Validate() error { | |||
} | |||
} | |||
} | |||
if c.OAuth2 != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if c.OAuth2 != nil { | |
if c.OAuth2.IsEnabled() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here I followed the same pattern as Pagination
, which checks for it being enabled at the moment of using it, but still validates its config. To me it kind of made sense since even if disabled a user needs to introduce a valid config for it. Otherwise I would change also how Pagination
is handled just to be consistent here and check for IsEnabled
in both config validation and usage. WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think using IsEnabled()
is correct now that you've refactored it a bit (before you we're correct). For example it would be invalid to use api_key
or authentication
only when oauth is enabled.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point! 👍
0475b64
to
8c68fd0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added one comment, rest LGTM
case "GET": | ||
break | ||
case "POST": | ||
case "GET", "POST": |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you add validation for any raw json strings in your config? Example from my http_endpoint input:
func (c *config) Validate() error {
if !json.Valid([]byte(c.ResponseBody)) {
return errors.New("response_body must be valid JSON")
}
return nil
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added it in the places where it is expected: https://github.com/elastic/beats/pull/18892/files#diff-e3d27d33f878a5fb0a720224c80ad7aaR135 and https://github.com/elastic/beats/pull/18892/files#diff-e3d27d33f878a5fb0a720224c80ad7aaR171
8c68fd0
to
05581e2
Compare
3ded504
to
a130cd9
Compare
if err != nil { | ||
return nil, fmt.Errorf("oauth2 client: error loading credentials: %w", err) | ||
} | ||
return oauth2.NewClient(ctx, creds.TokenSource), nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like having a case OAuth2ProviderDefault, OAuth2ProviderAzure:
and then an explicit default:
case that returns an error. Then we know every case is covered or it results in a error.
---- | ||
{beatname_lc}.inputs: | ||
- type: httpjson | ||
api_key: 12345678901234567890abcdef |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to minimize the use of api_key
and possibly deprecate it soon because you can just use http_headers
. Having two ways to configure something usually leads to confusion and more edge cases to test. So can you leave this example out?
The `provider` setting can be used to configure supported oauth2 providers. | ||
Each supported provider will require specific settings. It is not set by default. | ||
|
||
NOTE: Supported providers are: `azure`, `google`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This and some of the other NOTEs can be incorporated into the paragraph. NOTEs get some special rendering and I'd reserve them for exceptional cases where the behavior might not be what the user expected.
The `token_url` setting specifies the endpoint that will be used to generate the | ||
tokens during the oauth2 flow. It is required if no provider is specified. | ||
|
||
NOTE: For `azure` provider, a default `token_url` will be used if none provided, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe "For Azure either token_url
or azure.tenant_id
is required." From looking at the validation it looks like one or the other is required.
combination with it. It is not required. | ||
|
||
NOTE: For information about where to find it, you can refer to | ||
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal | |
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal. |
@@ -84,6 +83,14 @@ func (c *config) Validate() error { | |||
} | |||
} | |||
} | |||
if c.OAuth2 != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think using IsEnabled()
is correct now that you've refactored it a bit (before you we're correct). For example it would be invalid to use api_key
or authentication
only when oauth is enabled.
} | ||
} | ||
|
||
func TestConfigValidationCase14(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm really happy to have all the new test cases. I'm not keen on the numerical naming pattern that got established here. Maybe break from this pattern for the new tests. I'd prefer something that describes the requirements/assertion being made about the code (e.g. TestConfigValidateRequiresCreds
or use TestConfigValidate
with t.Run("validate requires credentials", func(...)
).
a130cd9
to
246f1d9
Compare
Moved the config tests from |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, I got nothing more to add than what Andrew already mentioned
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
…ngs-archive * upstream/master: (119 commits) Update filebeat input docs (elastic#19110) Add ECS fields from log pipeline of PostgreSQL (elastic#19127) Init package libbeat/statestore (elastic#19117) [Ingest Manager] Retryable downloads of beats (elastic#19102) [DOCS] Add output.console to Functionbeat doc and Functionbeat reference file (elastic#18965) Add compatibility info (elastic#18929) Set ecszap version to v0.2.0 (elastic#19106) [filebeat][httpjson] Fix unit test function call (elastic#19124) [Filebeat][httpjson] Adds oauth2 support for httpjson input (elastic#18892) Allow host.* fields to be disabled in Suricata module (elastic#19107) Make selector string casing configurable (elastic#18854) Switch the GRPC communication where Agent is running the server and the beats are connecting back to Agent (elastic#18973) Disable host.* fields by default for netflow module (elastic#19087) Automatically fill zube teams on backports if available (elastic#18924) Fix crash on vsphere module (elastic#19078) [Ingest Manager] Download snapshot artifacts from snapshots repo (elastic#18685) [Ingest Manager] Basic Elastic Agent documentation (elastic#19030) Make user.id a string in system/users, in line with ECS (elastic#19019) [docs] Add 7.8 release highlights placeholder file (elastic#18493) Fix translate_sid's empty target field handling (elastic#18991) ...
…18892) * Filebeat HTTPJSON input initial changes to support oauth2 client_credentials * [Filebeat][httpjson] Add EndpointParams option to oauth config * Add provider specific settings to oauth httpjson * Change config as suggested and add config tests * Add checks for invalid json in google validation * Add documentation and azure.resource * Add oauth2 test and update changelog * Address docs and change new test case into table tests * Check if oauth2 is enabled in config.Validate and add test Closes elastic#18415 (cherry picked from commit b6cd17c)
…19122) * Filebeat HTTPJSON input initial changes to support oauth2 client_credentials * [Filebeat][httpjson] Add EndpointParams option to oauth config * Add provider specific settings to oauth httpjson * Change config as suggested and add config tests * Add checks for invalid json in google validation * Add documentation and azure.resource * Add oauth2 test and update changelog * Address docs and change new test case into table tests * Check if oauth2 is enabled in config.Validate and add test Closes #18415 (cherry picked from commit b6cd17c)
…18892) * Filebeat HTTPJSON input initial changes to support oauth2 client_credentials * [Filebeat][httpjson] Add EndpointParams option to oauth config * Add provider specific settings to oauth httpjson * Change config as suggested and add config tests * Add checks for invalid json in google validation * Add documentation and azure.resource * Add oauth2 test and update changelog * Address docs and change new test case into table tests * Check if oauth2 is enabled in config.Validate and add test Closes elastic#18415
What does this PR do?
Adds oauth2 support to filebeat HTTPJSON input.
Why is it important?
This will let us pull data from oauth2 authenticated sources, like AzureAD or GSuite.
Checklist
I have made corresponding change to the default configuration filesCHANGELOG.next.asciidoc
orCHANGELOG-developer.next.asciidoc
.Related issues
Closes #18415