[Filebeat] Adds oauth2 support for httpjson input #18892
Conversation
marc-gr
added
enhancement
in progress
|
Pinging @elastic/siem (Team:SIEM) |
botelastic
bot
added
needs_team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Steps errorsExpand to view the steps failures
|
marc-gr
force-pushed
the
feature_httpjson-oauth2
branch
from
dd950a3
to
922f906
Compare
marc-gr
force-pushed
the
feature_httpjson-oauth2
branch
from
922f906
to
4a321dc
Compare
|
@P1llus please take a look to see if this looks somehow good. I scoped the provider specific options with |
marc-gr
force-pushed
the
feature_httpjson-oauth2
branch
2 times, most recently
from
3f8a188
to
868d3b8
Compare
| @@ -84,6 +83,14 @@ func (c *config) Validate() error { | |||
| } | |||
| } | |||
| } | |||
| if c.OAuth2 != nil { | |||
There was a problem hiding this comment.
| if c.OAuth2 != nil { | |
| if c.OAuth2.IsEnabled() { |
There was a problem hiding this comment.
Here I followed the same pattern as Pagination, which checks for it being enabled at the moment of using it, but still validates its config. To me it kind of made sense since even if disabled a user needs to introduce a valid config for it. Otherwise I would change also how Pagination is handled just to be consistent here and check for IsEnabled in both config validation and usage. WDYT?
There was a problem hiding this comment.
I think using IsEnabled() is correct now that you've refactored it a bit (before you we're correct). For example it would be invalid to use api_key or authentication only when oauth is enabled.
marc-gr
force-pushed
the
feature_httpjson-oauth2
branch
4 times, most recently
from
0475b64
to
8c68fd0
Compare
| case "GET": | ||
| break | ||
| case "POST": | ||
| case "GET", "POST": |
There was a problem hiding this comment.
Could you add validation for any raw json strings in your config? Example from my http_endpoint input:
func (c *config) Validate() error {
if !json.Valid([]byte(c.ResponseBody)) {
return errors.New("response_body must be valid JSON")
}
return nil
}
There was a problem hiding this comment.
Added it in the places where it is expected: https://github.com/elastic/beats/pull/18892/files#diff-e3d27d33f878a5fb0a720224c80ad7aaR135 and https://github.com/elastic/beats/pull/18892/files#diff-e3d27d33f878a5fb0a720224c80ad7aaR171
marc-gr
force-pushed
the
feature_httpjson-oauth2
branch
from
8c68fd0
to
05581e2
Compare
marc-gr
force-pushed
the
feature_httpjson-oauth2
branch
from
3ded504
to
a130cd9
Compare
marc-gr
added
review
and removed
in progress
| if err != nil { | ||
| return nil, fmt.Errorf("oauth2 client: error loading credentials: %w", err) | ||
| } | ||
| return oauth2.NewClient(ctx, creds.TokenSource), nil |
There was a problem hiding this comment.
I like having a case OAuth2ProviderDefault, OAuth2ProviderAzure: and then an explicit default: case that returns an error. Then we know every case is covered or it results in a error.
| ---- | ||
| {beatname_lc}.inputs: | ||
| - type: httpjson | ||
| api_key: 12345678901234567890abcdef |
There was a problem hiding this comment.
I'd like to minimize the use of api_key and possibly deprecate it soon because you can just use http_headers. Having two ways to configure something usually leads to confusion and more edge cases to test. So can you leave this example out?
| The `provider` setting can be used to configure supported oauth2 providers. | ||
| Each supported provider will require specific settings. It is not set by default. | ||
|
|
||
| NOTE: Supported providers are: `azure`, `google`. |
There was a problem hiding this comment.
This and some of the other NOTEs can be incorporated into the paragraph. NOTEs get some special rendering and I'd reserve them for exceptional cases where the behavior might not be what the user expected.
| The `token_url` setting specifies the endpoint that will be used to generate the | ||
| tokens during the oauth2 flow. It is required if no provider is specified. | ||
|
|
||
| NOTE: For `azure` provider, a default `token_url` will be used if none provided, |
There was a problem hiding this comment.
Maybe "For Azure either token_url or azure.tenant_id is required." From looking at the validation it looks like one or the other is required.
| combination with it. It is not required. | ||
|
|
||
| NOTE: For information about where to find it, you can refer to | ||
| https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal |
There was a problem hiding this comment.
| https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal | |
| https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal. |
| @@ -84,6 +83,14 @@ func (c *config) Validate() error { | |||
| } | |||
| } | |||
| } | |||
| if c.OAuth2 != nil { | |||
There was a problem hiding this comment.
I think using IsEnabled() is correct now that you've refactored it a bit (before you we're correct). For example it would be invalid to use api_key or authentication only when oauth is enabled.
| } | ||
| } | ||
|
|
||
| func TestConfigValidationCase14(t *testing.T) { |
There was a problem hiding this comment.
I'm really happy to have all the new test cases. I'm not keen on the numerical naming pattern that got established here. Maybe break from this pattern for the new tests. I'd prefer something that describes the requirements/assertion being made about the code (e.g. TestConfigValidateRequiresCreds or use TestConfigValidate with t.Run("validate requires credentials", func(...)).
marc-gr
force-pushed
the
feature_httpjson-oauth2
branch
from
a130cd9
to
246f1d9
Compare
|
Moved the config tests from |
…ngs-archive * upstream/master: (119 commits) Update filebeat input docs (elastic#19110) Add ECS fields from log pipeline of PostgreSQL (elastic#19127) Init package libbeat/statestore (elastic#19117) [Ingest Manager] Retryable downloads of beats (elastic#19102) [DOCS] Add output.console to Functionbeat doc and Functionbeat reference file (elastic#18965) Add compatibility info (elastic#18929) Set ecszap version to v0.2.0 (elastic#19106) [filebeat][httpjson] Fix unit test function call (elastic#19124) [Filebeat][httpjson] Adds oauth2 support for httpjson input (elastic#18892) Allow host.* fields to be disabled in Suricata module (elastic#19107) Make selector string casing configurable (elastic#18854) Switch the GRPC communication where Agent is running the server and the beats are connecting back to Agent (elastic#18973) Disable host.* fields by default for netflow module (elastic#19087) Automatically fill zube teams on backports if available (elastic#18924) Fix crash on vsphere module (elastic#19078) [Ingest Manager] Download snapshot artifacts from snapshots repo (elastic#18685) [Ingest Manager] Basic Elastic Agent documentation (elastic#19030) Make user.id a string in system/users, in line with ECS (elastic#19019) [docs] Add 7.8 release highlights placeholder file (elastic#18493) Fix translate_sid's empty target field handling (elastic#18991) ...
…18892) * Filebeat HTTPJSON input initial changes to support oauth2 client_credentials * [Filebeat][httpjson] Add EndpointParams option to oauth config * Add provider specific settings to oauth httpjson * Change config as suggested and add config tests * Add checks for invalid json in google validation * Add documentation and azure.resource * Add oauth2 test and update changelog * Address docs and change new test case into table tests * Check if oauth2 is enabled in config.Validate and add test Closes elastic#18415 (cherry picked from commit b6cd17c)
…19122) * Filebeat HTTPJSON input initial changes to support oauth2 client_credentials * [Filebeat][httpjson] Add EndpointParams option to oauth config * Add provider specific settings to oauth httpjson * Change config as suggested and add config tests * Add checks for invalid json in google validation * Add documentation and azure.resource * Add oauth2 test and update changelog * Address docs and change new test case into table tests * Check if oauth2 is enabled in config.Validate and add test Closes #18415 (cherry picked from commit b6cd17c)
…18892) * Filebeat HTTPJSON input initial changes to support oauth2 client_credentials * [Filebeat][httpjson] Add EndpointParams option to oauth config * Add provider specific settings to oauth httpjson * Change config as suggested and add config tests * Add checks for invalid json in google validation * Add documentation and azure.resource * Add oauth2 test and update changelog * Address docs and change new test case into table tests * Check if oauth2 is enabled in config.Validate and add test Closes elastic#18415
What does this PR do?
Adds oauth2 support to filebeat HTTPJSON input.
Why is it important?
This will let us pull data from oauth2 authenticated sources, like AzureAD or GSuite.
Checklist
I have made corresponding change to the default configuration filesCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Related issues
Closes #18415