elastic · axw · Feb 5, 2025 · Jan 22, 2025 · Jan 23, 2025 · Jan 23, 2025
@@ -92,6 +92,21 @@ updates:
       - dependency-name: "*"
         update-types: ["version-update:semver-major"]
 
+  - package-ecosystem: "gomod"
+    directory: "/extension/beatsauthextension"
+    schedule:
+      interval: "daily"
+    labels:
+      - automation
+    groups:
+      otel-dependencies:
+        patterns:
+          - "go.opentelemetry.io/*"
+          - "github.com/open-telemetry/opentelemetry-collector-contrib/*"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
+
   - package-ecosystem: "gomod"
     directory: "/internal/tools/"
     schedule:

@@ -10,6 +10,7 @@ extensions:
   - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/extension/pprofextension v0.117.0
   - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/extension/storage/filestorage v0.117.0
   - gomod: go.opentelemetry.io/collector/extension/memorylimiterextension v0.117.0
+  - gomod: github.com/elastic/opentelemetry-collector-components/extension/beatsauthextension v0.0.0
 
 connectors:
   - gomod: github.com/elastic/opentelemetry-collector-components/connector/signaltometricsconnector v0.3.0
@@ -68,3 +69,5 @@ replaces:
   - github.com/elastic/opentelemetry-collector-components/connector/signaltometricsconnector => ../connector/signaltometricsconnector
   - github.com/elastic/opentelemetry-collector-components/receiver/loadgenreceiver => ../receiver/loadgenreceiver
   - github.com/elastic/opentelemetry-collector-components/processor/ratelimitprocessor => ../processor/ratelimitprocessor
+  - github.com/elastic/opentelemetry-collector-components/extension/beatsauthextension => ../extension/beatsauthextension
+
@@ -0,0 +1 @@
+include ../../Makefile.Common
@@ -0,0 +1,92 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package beatsauthextension // import "github.com/elastic/opentelemetry-collector-components/extension/beatsauthextension"
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/elastic/elastic-agent-libs/transport/tlscommon"
+	"go.opentelemetry.io/collector/component"
+	"go.opentelemetry.io/collector/extension"
+	"go.opentelemetry.io/collector/extension/auth"
+	"google.golang.org/grpc/credentials"
+)
+
+var _ auth.Client = (*authenticator)(nil)
+var _ extension.Extension = (*authenticator)(nil)
+
+type authenticator struct {
+	cfg       *Config
+	telemetry component.TelemetrySettings
+	tlsConfig *tlscommon.TLSConfig // set by Start
+}
+
+func newAuthenticator(cfg *Config, telemetry component.TelemetrySettings) (*authenticator, error) {
+	return &authenticator{cfg: cfg, telemetry: telemetry}, nil
+}
+
+func (a *authenticator) Start(ctx context.Context, host component.Host) error {
+	if a.cfg.TLS != nil {
+		tlsConfig, err := tlscommon.LoadTLSConfig(&tlscommon.Config{
+			VerificationMode:     tlsVerificationModes[a.cfg.TLS.VerificationMode],
+			CATrustedFingerprint: a.cfg.TLS.CATrustedFingerprint,
+			CASha256:             a.cfg.TLS.CASha256,
+		})
+		if err != nil {
+			return err
+		}
+		a.tlsConfig = tlsConfig
+	}
+	return nil
+}
+
+func (a *authenticator) Shutdown(ctx context.Context) error {
+	return nil
+}
+
+func (a *authenticator) RoundTripper(base http.RoundTripper) (http.RoundTripper, error) {
+	// At the time of writing, client.Transport is guaranteed to always have type *http.Transport.
+	// If this assumption is ever broken, we would need to create and use our own transport, and
+	// ignore the one passed in.
+	httpTransport, ok := base.(*http.Transport)
+	if !ok {
+		return nil, fmt.Errorf("http.Roundripper is not of type *http.Transport")
+	}
+	if err := a.configureTransport(httpTransport); err != nil {
+		return nil, err
+	}
+	return httpTransport, nil
+}
+
+func (a *authenticator) configureTransport(transport *http.Transport) error {
+	if a.tlsConfig != nil {
+		// injecting verifyConnection here, keeping all other fields on TLSClientConfig intact
+		beatTLSConfig := a.tlsConfig.BuildModuleClientConfig(a.cfg.TLS.ServerName)
+
+		transport.TLSClientConfig.VerifyConnection = beatTLSConfig.VerifyConnection
+		transport.TLSClientConfig.InsecureSkipVerify = beatTLSConfig.InsecureSkipVerify
+	}
+	return nil
+}
+
+func (a *authenticator) PerRPCCredentials() (credentials.PerRPCCredentials, error) {
+	// Elasticsearch doesn't support gRPC, this function won't be called
+	return nil, nil
+}
@@ -0,0 +1,171 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package beatsauthextension
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"github.com/tj/assert"
+	"go.opentelemetry.io/collector/component"
+	"go.opentelemetry.io/collector/component/componenttest"
+	"go.opentelemetry.io/collector/config/configauth"
+	"go.opentelemetry.io/collector/config/confighttp"
+
+	"github.com/elastic/elastic-agent-libs/transport/tlscommon"
+	"github.com/elastic/opentelemetry-collector-components/extension/beatsauthextension/internal/metadata"
+)
+
+// It tests whether VerifyConnection is set on tls.Config
+func TestVerifyConnection(t *testing.T) {
+	testCerts := tlscommon.GenTestCerts(t)
+	fingerprint := tlscommon.GetCertFingerprint(testCerts["ca"])
+
+	settings := componenttest.NewNopTelemetrySettings()
+	httpClientConfig := confighttp.NewDefaultClientConfig()
+	httpClientConfig.Auth = &configauth.Authentication{
+		AuthenticatorID: component.NewID(metadata.Type),
+	}
+
+	testcases := map[string]struct {
+		verificationMode     tlscommon.TLSVerificationMode
+		peerCerts            []*x509.Certificate
+		serverName           string
+		expectedCallback     bool
+		expectingError       bool
+		CATrustedFingerprint string
+		CASHA256             []string
+	}{
+		"CATrustedFingerprint and verification mode:VerifyFull": {
+			verificationMode:     tlscommon.VerifyFull,
+			peerCerts:            []*x509.Certificate{testCerts["correct"], testCerts["ca"]},
+			serverName:           "localhost",
+			expectedCallback:     true,
+			CATrustedFingerprint: fingerprint,
+		},
+		"CATrustedFingerprint and verification mode:VerifyFull and incorrect servername": {
+			verificationMode:     tlscommon.VerifyFull,
+			peerCerts:            []*x509.Certificate{testCerts["correct"], testCerts["ca"]},
+			serverName:           "random",
+			expectedCallback:     true,
+			expectingError:       true,
+			CATrustedFingerprint: fingerprint,
+		},
+		"CATrustedFingerprint and verification mode:VerifyCertificate": {
+			verificationMode:     tlscommon.VerifyCertificate,
+			peerCerts:            []*x509.Certificate{testCerts["correct"], testCerts["ca"]},
+			serverName:           "random", // does not perform hostname verification
+			expectedCallback:     true,
+			CATrustedFingerprint: fingerprint,
+		},
+		"CATrustedFingerprint and verification mode:VerifyStrict": {
+			verificationMode:     tlscommon.VerifyStrict,
+			peerCerts:            []*x509.Certificate{testCerts["correct"], testCerts["ca"]},
+			serverName:           "localhost",
+			expectedCallback:     true,
+			CATrustedFingerprint: fingerprint,
+			CASHA256:             []string{tlscommon.Fingerprint(testCerts["correct"])},
+		},
+		"CATrustedFingerprint and verification mode:VerifyNone": {
+			verificationMode: tlscommon.VerifyNone,
+			peerCerts:        []*x509.Certificate{testCerts["correct"], testCerts["ca"]},
+			serverName:       "random",
+			expectedCallback: false,
+		},
+		"invalid CATrustedFingerprint and verification mode:VerifyFull returns error": {
+			verificationMode:     tlscommon.VerifyFull,
+			peerCerts:            []*x509.Certificate{testCerts["correct"], testCerts["ca"]},
+			serverName:           "localhost",
+			expectedCallback:     true,
+			CATrustedFingerprint: "INVALID HEX ENCODING",
+			expectingError:       true,
+		},
+		"invalid CATrustedFingerprint and verification mode:VerifyCertificate returns error": {
+			verificationMode:     tlscommon.VerifyCertificate,
+			peerCerts:            []*x509.Certificate{testCerts["correct"], testCerts["ca"]},
+			serverName:           "localhost",
+			expectedCallback:     true,
+			CATrustedFingerprint: "INVALID HEX ENCODING",
+			expectingError:       true,
+		},
+		"invalid CATrustedFingerprint and verification mode:VerifyStrict returns error": {
+			verificationMode:     tlscommon.VerifyStrict,
+			peerCerts:            []*x509.Certificate{testCerts["correct"], testCerts["ca"]},
+			serverName:           "localhost",
+			expectedCallback:     true,
+			CATrustedFingerprint: "INVALID HEX ENCODING",
+			expectingError:       true,
+			CASHA256:             []string{tlscommon.Fingerprint(testCerts["correct"])},
+		},
+	}
+
+	for name, test := range testcases {
+		t.Run(name, func(t *testing.T) {
+			cfg := &Config{
+				TLS: &TLSConfig{
+					VerificationMode:     test.verificationMode.String(),
+					CATrustedFingerprint: test.CATrustedFingerprint,
+					CASha256:             test.CASHA256,
+					ServerName:           test.serverName,
+				},
+			}
+
+			auth, err := newAuthenticator(cfg, settings)
+			require.NoError(t, err)
+
+			host := extensionsMap{component.NewID(metadata.Type): auth}
+			// starts the auth extension and sets tlscommon.tlsConfig
+			err = auth.Start(context.Background(), host)
+			require.NoError(t, err)
+
+			// this verifies there was no error in calling the auth.RoundTripper
+			client, err := httpClientConfig.ToClient(context.Background(), host, settings)
+			require.NoError(t, err)
+			require.NotNil(t, client)
+
+			// verifies if a callback was expected
+			verifier := auth.tlsConfig.BuildModuleClientConfig(test.serverName).VerifyConnection
+			if test.expectedCallback {
+				require.NotNil(t, verifier, "VerifyConnection returned a nil verifier")
+			} else {
+				require.Nil(t, verifier)
+				return
+			}
+
+			err = verifier(tls.ConnectionState{
+				PeerCertificates: test.peerCerts,
+				ServerName:       test.serverName,
+				VerifiedChains:   [][]*x509.Certificate{test.peerCerts},
+			})
+			if test.expectingError {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+type extensionsMap map[component.ID]component.Component
+
+func (m extensionsMap) GetExtensions() map[component.ID]component.Component {
+	return m
+}
@@ -0,0 +1,58 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package beatsauthextension // import "github.com/elastic/opentelemetry-collector-components/extension/beatsauthextension"
+
+import (
+	"fmt"
+
+	"github.com/elastic/elastic-agent-libs/transport/tlscommon"
+	"go.opentelemetry.io/collector/component"
+)
+
+type Config struct {
+	TLS *TLSConfig `mapstructure:"tls"`
+}
+
+var tlsVerificationModes = map[string]tlscommon.TLSVerificationMode{
+	"full":        tlscommon.VerifyFull,
+	"strict":      tlscommon.VerifyStrict,
+	"none":        tlscommon.VerifyNone,
+	"certificate": tlscommon.VerifyCertificate,
+}
+
+type TLSConfig struct {
+	VerificationMode     string   `mapstructure:"verification_mode"`
+	CATrustedFingerprint string   `mapstructure:"ca_trusted_fingerprint"`
+	CASha256             []string `mapstructure:"ca_sha256"`
+	ServerName           string   `mapstructure:"server_name"`
+}
+
+func createDefaultConfig() component.Config {
+	return &Config{
+		&TLSConfig{
+			VerificationMode: "full",
+		},
+	}
+}
+
+func (cfg *Config) Validate() error {
+	if _, ok := tlsVerificationModes[cfg.TLS.VerificationMode]; !ok {
+		return fmt.Errorf("unsupported verification mode: %s", cfg.TLS.VerificationMode)
+	}
+	return nil
+}
@@ -0,0 +1,20 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:generate mdatagen metadata.yaml
+
+package beatsauthextension // import "github.com/elastic/opentelemetry-collector-components/extension/beatsauthextension"