From 2ad496026ddb76ce94ddb5ea85d2d8301f87b33c Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Tue, 9 Jun 2020 12:36:55 -0400 Subject: [PATCH] Fix translate_sid's empty target field handling (#18991) The translate_sid processor only requires one of the three target fields to be configured. It should work properly when some of the targets are not set, but it doesn't check if the are empty strings. So it ends up adding target fields that are empty strings to the event (e.g. "": "Group"). Closes #18990 (cherry picked from commit baccaad8b5717a022daf158a0383839cd4cf3ed4) --- CHANGELOG.next.asciidoc | 2 ++ .../processors/translate_sid/translatesid.go | 18 ++++++---- .../translate_sid/translatesid_test.go | 36 +++++++++++++++++++ 3 files changed, 50 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 934f48062aa..d826ceabebb 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -70,6 +70,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Gives monitoring reporter hosts, if configured, total precedence over corresponding output hosts. {issue}17937[17937] {pull}17991[17991] - Fix `keystore add` hanging under Windows. {issue}18649[18649] {pull}18654[18654] - Fix regression in `add_kubernetes_metadata`, so configured `indexers` and `matchers` are used if defaults are not disabled. {issue}18481[18481] {pull}18818[18818] +- Fix potential race condition in fingerprint processor. {pull}18738[18738] +- Fix the `translate_sid` processor's handling of unconfigured target fields. {issue}18990[18990] {pull}18991[18991] - Fixed a service restart failure under Windows. {issue}18914[18914] {pull}18916[18916] *Auditbeat* diff --git a/libbeat/processors/translate_sid/translatesid.go b/libbeat/processors/translate_sid/translatesid.go index 491ed66859f..f794019d78e 100644 --- a/libbeat/processors/translate_sid/translatesid.go +++ b/libbeat/processors/translate_sid/translatesid.go @@ -111,14 +111,20 @@ func (p *processor) translateSID(event *beat.Event) error { // Do all operations even if one fails. var errs []error - if _, err = event.PutValue(p.AccountNameTarget, account); err != nil { - errs = append(errs, err) + if p.AccountNameTarget != "" { + if _, err = event.PutValue(p.AccountNameTarget, account); err != nil { + errs = append(errs, err) + } } - if _, err = event.PutValue(p.AccountTypeTarget, sys.SIDType(accountType).String()); err != nil { - errs = append(errs, err) + if p.AccountTypeTarget != "" { + if _, err = event.PutValue(p.AccountTypeTarget, sys.SIDType(accountType).String()); err != nil { + errs = append(errs, err) + } } - if _, err = event.PutValue(p.DomainTarget, domain); err != nil { - errs = append(errs, err) + if p.DomainTarget != "" { + if _, err = event.PutValue(p.DomainTarget, domain); err != nil { + errs = append(errs, err) + } } return multierr.Combine(errs...) } diff --git a/libbeat/processors/translate_sid/translatesid_test.go b/libbeat/processors/translate_sid/translatesid_test.go index ad1fbc6a4b8..529f90b065f 100644 --- a/libbeat/processors/translate_sid/translatesid_test.go +++ b/libbeat/processors/translate_sid/translatesid_test.go @@ -25,6 +25,7 @@ import ( "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "golang.org/x/sys/windows" "github.com/elastic/beats/v7/libbeat/beat" @@ -83,6 +84,41 @@ func TestTranslateSID(t *testing.T) { } } +func TestTranslateSIDEmptyTarget(t *testing.T) { + c := defaultConfig() + c.Field = "sid" + + evt := &beat.Event{Fields: map[string]interface{}{ + "sid": "S-1-5-32-544", + }} + + tests := []struct { + Name string + Config config + }{ + {"account_name", config{Field: "sid", AccountNameTarget: "account_name"}}, + {"account_type", config{Field: "sid", AccountTypeTarget: "account_type"}}, + {"domain", config{Field: "sid", DomainTarget: "domain"}}, + } + + for _, tc := range tests { + tc := tc + t.Run(tc.Name, func(t *testing.T) { + p, err := newFromConfig(tc.Config) + require.NoError(t, err) + + evt, err := p.Run(&beat.Event{Fields: evt.Fields.Clone()}) + require.NoError(t, err) + + // Verify that only the configured target field is set. + // And ensure that no empty string keys are used. + assert.Len(t, evt.Fields, 2) + assert.Contains(t, evt.Fields, tc.Name) + assert.NotContains(t, evt.Fields, "") + }) + } +} + func BenchmarkProcessor_Run(b *testing.B) { p, err := newFromConfig(config{ Field: "sid",