Skip to content

Commit

Permalink
Merge branch 'master' of github.com:elastic/beats into backoff-reload
Browse files Browse the repository at this point in the history
  • Loading branch information
michalpristas committed May 13, 2021
2 parents 552cfc8 + 144058a commit d3167a5
Show file tree
Hide file tree
Showing 11 changed files with 199 additions and 27 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -852,6 +852,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add parsing for `haproxy.http.request.raw_request_line` field {issue}25480[25480] {pull}25482[25482]
- Mark `filestream` input beta. {pull}25560[25560]
- Update PanOS module to parse Global Protect & User ID logs. {issue}24722[24722] {issue}24724[24724] {pull}24927[24927]
- Add HMAC signature validation support for http_endpoint input. {pull}24918[24918]

*Heartbeat*

Expand Down
3 changes: 0 additions & 3 deletions x-pack/elastic-agent/pkg/agent/operation/operator_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -139,9 +139,6 @@ func TestConfigurableRun(t *testing.T) {
}

func TestConfigurableFailed(t *testing.T) {
if runtime.GOOS == "windows" {
t.Skip("this test is sometimes flaky on the last part, investigating @michal")
}
p := getProgram("configurable", "1.0")

operator := getTestOperator(t, downloadPath, installPath, p)
Expand Down
2 changes: 1 addition & 1 deletion x-pack/elastic-agent/pkg/core/plugin/process/start.go
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ func (a *Application) start(ctx context.Context, t app.Taggable, cfg map[string]
if srvState != nil {
a.setState(state.Starting, "Starting", nil)
srvState.SetStatus(proto.StateObserved_STARTING, a.state.Message, a.state.Payload)
srvState.UpdateConfig(string(cfgStr))
srvState.UpdateConfig(srvState.Config())
} else {
a.srvState, err = a.srv.Register(a, string(cfgStr))
if err != nil {
Expand Down
6 changes: 3 additions & 3 deletions x-pack/elastic-agent/pkg/core/plugin/process/status.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ func (a *Application) startFailedTimer(cfg map[string]interface{}) {
case <-ctx.Done():
return
case <-t.C:
a.restart(a.restartConfig)
a.restart()
}
}()
}
Expand All @@ -91,7 +91,7 @@ func (a *Application) stopFailedTimer() {
}

// restart restarts the application
func (a *Application) restart(cfg map[string]interface{}) {
func (a *Application) restart() {
a.appLock.Lock()
defer a.appLock.Unlock()

Expand All @@ -103,7 +103,7 @@ func (a *Application) restart(cfg map[string]interface{}) {
ctx := a.startContext
tag := a.tag

err := a.start(ctx, tag, cfg)
err := a.start(ctx, tag, a.restartConfig)
if err != nil {
a.setState(state.Crashed, fmt.Sprintf("failed to restart: %s", err), nil)
}
Expand Down
2 changes: 1 addition & 1 deletion x-pack/elastic-agent/pkg/core/plugin/service/app.go
Original file line number Diff line number Diff line change
Expand Up @@ -166,7 +166,7 @@ func (a *Application) Start(ctx context.Context, _ app.Taggable, cfg map[string]
if a.srvState != nil {
a.setState(state.Starting, "Starting", nil)
a.srvState.SetStatus(proto.StateObserved_STARTING, a.state.Message, a.state.Payload)
a.srvState.UpdateConfig(string(cfgStr))
a.srvState.UpdateConfig(a.srvState.Config())
} else {
a.setState(state.Starting, "Starting", nil)
a.srvState, err = a.srv.Register(a, string(cfgStr))
Expand Down
35 changes: 34 additions & 1 deletion x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,19 @@ Authentication or checking that a specific header includes a specific value
secret.value: secretheadertoken
----

Validate a HMAC signature from a specific header
["source","yaml",subs="attributes"]
----
{beatname_lc}.inputs:
- type: http_endpoint
enabled: true
listen_address: 192.168.1.1
listen_port: 8080
hmac.header: "X-Hub-Signature-256"
hmac.key: "password123"
hmac.type: "sha256"
hmac.prefix: "sha256="
----

==== Configuration options

Expand Down Expand Up @@ -113,6 +126,26 @@ The header to check for a specific value specified by `secret.value`. Certain we

The secret stored in the header name specified by `secret.header`. Certain webhooks provide the possibility to include a special header and secret to identify the source.

[float]
==== `hmac.header`

The name of the header that contains the HMAC signature: `X-Dropbox-Signature`, `X-Hub-Signature-256`, etc.

[float]
==== `hmac.key`

The secret key used to calculate the HMAC signature. Typically, the webhook sender provides this value.

[float]
==== `hmac.type`

The hash algorithm to use for the HMAC comparison. At this time the only valid values are `sha256` or `sha1`.

[float]
==== `hmac.prefix`

The prefix for the signature. Certain webhooks prefix the HMAC signature with a value, for example `sha256=`.

[float]
==== `content_type`

Expand All @@ -137,7 +170,7 @@ If multiple interfaces is present the `listen_address` can be set to control whi
[float]
==== `listen_port`

Which port the listener binds to. Defaults to 8000
Which port the listener binds to. Defaults to 8000.

[float]
==== `url`
Expand Down
20 changes: 18 additions & 2 deletions x-pack/filebeat/input/http_endpoint/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,10 @@ type config struct {
ContentType string `config:"content_type"`
SecretHeader string `config:"secret.header"`
SecretValue string `config:"secret.value"`
HMACHeader string `config:"hmac.header"`
HMACKey string `config:"hmac.key"`
HMACType string `config:"hmac.type"`
HMACPrefix string `config:"hmac.prefix"`
}

func defaultConfig() config {
Expand All @@ -42,6 +46,10 @@ func defaultConfig() config {
ContentType: "application/json",
SecretHeader: "",
SecretValue: "",
HMACHeader: "",
HMACKey: "",
HMACType: "",
HMACPrefix: "",
}
}

Expand All @@ -52,12 +60,20 @@ func (c *config) Validate() error {

if c.BasicAuth {
if c.Username == "" || c.Password == "" {
return errors.New("Username and password required when basicauth is enabled")
return errors.New("username and password required when basicauth is enabled")
}
}

if (c.SecretHeader != "" && c.SecretValue == "") || (c.SecretHeader == "" && c.SecretValue != "") {
return errors.New("Both secret.header and secret.value must be set")
return errors.New("both secret.header and secret.value must be set")
}

if (c.HMACHeader != "" && c.HMACKey == "") || (c.HMACHeader == "" && c.HMACKey != "") {
return errors.New("both hmac.header and hmac.key must be set")
}

if c.HMACType != "" && !(c.HMACType == "sha1" || c.HMACType == "sha256") {
return errors.New("hmac.type must be sha1 or sha256")
}

return nil
Expand Down
12 changes: 8 additions & 4 deletions x-pack/filebeat/input/http_endpoint/handler.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,10 @@ type httpHandler struct {
responseBody string
}

var errBodyEmpty = errors.New("Body cannot be empty")
var errUnsupportedType = errors.New("Only JSON objects are accepted")
var (
errBodyEmpty = errors.New("body cannot be empty")
errUnsupportedType = errors.New("only JSON objects are accepted")
)

// Triggers if middleware validation returns successful
func (h *httpHandler) apiResponse(w http.ResponseWriter, r *http.Request) {
Expand Down Expand Up @@ -75,7 +77,9 @@ func withValidator(v validator, handler http.HandlerFunc) http.HandlerFunc {
func sendErrorResponse(w http.ResponseWriter, status int, err error) {
w.Header().Add("Content-Type", "application/json")
w.WriteHeader(status)
fmt.Fprintf(w, `{"message": %q}`, err.Error())
e := json.NewEncoder(w)
e.SetEscapeHTML(false)
e.Encode(common.MapStr{"message": err.Error()})
}

func httpReadJsonObject(body io.Reader) (obj common.MapStr, status int, err error) {
Expand All @@ -94,7 +98,7 @@ func httpReadJsonObject(body io.Reader) (obj common.MapStr, status int, err erro

obj = common.MapStr{}
if err := json.Unmarshal(contents, &obj); err != nil {
return nil, http.StatusBadRequest, fmt.Errorf("Malformed JSON body: %w", err)
return nil, http.StatusBadRequest, fmt.Errorf("malformed JSON body: %w", err)
}

return obj, 0, nil
Expand Down
6 changes: 5 additions & 1 deletion x-pack/filebeat/input/http_endpoint/input.go
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,10 @@ func (e *httpEndpoint) Run(ctx v2.Context, publisher stateless.Publisher) error
contentType: e.config.ContentType,
secretHeader: e.config.SecretHeader,
secretValue: e.config.SecretValue,
hmacHeader: e.config.HMACHeader,
hmacKey: e.config.HMACKey,
hmacType: e.config.HMACType,
hmacPrefix: e.config.HMACPrefix,
}

handler := &httpHandler{
Expand Down Expand Up @@ -117,7 +121,7 @@ func (e *httpEndpoint) Run(ctx v2.Context, publisher stateless.Publisher) error
}

if err != nil && err != http.ErrServerClosed {
return fmt.Errorf("Unable to start server due to error: %w", err)
return fmt.Errorf("unable to start server due to error: %w", err)
}
return nil
}
66 changes: 62 additions & 4 deletions x-pack/filebeat/input/http_endpoint/validate.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,17 @@
package http_endpoint

import (
"bytes"
"crypto/hmac"
"crypto/sha1"
"crypto/sha256"
"encoding/hex"
"errors"
"fmt"
"hash"
"io/ioutil"
"net/http"
"strings"
)

type validator interface {
Expand All @@ -23,10 +31,18 @@ type apiValidator struct {
contentType string
secretHeader string
secretValue string
hmacHeader string
hmacKey string
hmacType string
hmacPrefix string
}

var errIncorrectUserOrPass = errors.New("Incorrect username or password")
var errIncorrectHeaderSecret = errors.New("Incorrect header or header secret")
var (
errIncorrectUserOrPass = errors.New("incorrect username or password")
errIncorrectHeaderSecret = errors.New("incorrect header or header secret")
errMissingHMACHeader = errors.New("missing HMAC header")
errIncorrectHMACSignature = errors.New("invalid HMAC signature")
)

func (v *apiValidator) ValidateHeader(r *http.Request) (int, error) {
if v.basicAuth {
Expand All @@ -43,11 +59,53 @@ func (v *apiValidator) ValidateHeader(r *http.Request) (int, error) {
}

if v.method != "" && v.method != r.Method {
return http.StatusMethodNotAllowed, fmt.Errorf("Only %v requests supported", v.method)
return http.StatusMethodNotAllowed, fmt.Errorf("only %v requests are allowed", v.method)
}

if v.contentType != "" && r.Header.Get("Content-Type") != v.contentType {
return http.StatusUnsupportedMediaType, fmt.Errorf("Wrong Content-Type header, expecting %v", v.contentType)
return http.StatusUnsupportedMediaType, fmt.Errorf("wrong Content-Type header, expecting %v", v.contentType)
}

if v.hmacHeader != "" && v.hmacKey != "" && v.hmacType != "" {
// Read HMAC signature from HTTP header.
hmacHeaderValue := r.Header.Get(v.hmacHeader)
if v.hmacHeader == "" {
return http.StatusUnauthorized, errMissingHMACHeader
}
if v.hmacPrefix != "" {
hmacHeaderValue = strings.TrimPrefix(hmacHeaderValue, v.hmacPrefix)
}
signature, err := hex.DecodeString(hmacHeaderValue)
if err != nil {
return http.StatusUnauthorized, fmt.Errorf("invalid HMAC signature hex: %w", err)
}

// We need access to the request body to validate the signature, but we
// must leave the body intact for future processing.
buf, err := ioutil.ReadAll(r.Body)
if err != nil {
return http.StatusInternalServerError, fmt.Errorf("failed to read request body: %w", err)
}
// Set r.Body back to untouched original value.
r.Body = ioutil.NopCloser(bytes.NewBuffer(buf))

// Compute HMAC of raw body.
var mac hash.Hash
switch v.hmacType {
case "sha256":
mac = hmac.New(sha256.New, []byte(v.hmacKey))
case "sha1":
mac = hmac.New(sha1.New, []byte(v.hmacKey))
default:
// Upstream config validation prevents this from happening.
panic(fmt.Errorf("unhandled hmac.type %q", v.hmacType))
}
mac.Write(buf)
actualMAC := mac.Sum(nil)

if !hmac.Equal(signature, actualMAC) {
return http.StatusUnauthorized, errIncorrectHMACSignature
}
}

return 0, nil
Expand Down
Loading

0 comments on commit d3167a5

Please sign in to comment.