From a6a9cd528bcaee0ff51d09a24f143ff9799edc1d Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Tue, 28 Jul 2020 08:55:48 +0200
Subject: [PATCH] [Packetbeat] HTTP: Improve support for 100-continue #15830 (#19349) (#20234)
* refactor(packet beat): Improve support for 100-continue
* test(packetbeat): 100-continue only generate one event without error
* test(packetbeat): 100-continue only generate one event without error
* Update packetbeat/protos/http/http.go
Co-authored-by: Adrian Serrano
* delete unused string
* Fix format issue
Co-authored-by: Marc Guasch
Co-authored-by: Adrian Serrano
(cherry picked from commit 41bc8c633d1ad20efeb2ab6032a09344e6bca4f2)
Co-authored-by: Bonsai
---
 CHANGELOG.next.asciidoc | 2 ++
 packetbeat/protos/http/http.go | 6 ++++
 .../tests/system/pcaps/http_100_continue.pcap | Bin 0 -> 6075 bytes
 .../system/test_0070_http_100_continue.py | 32 ++++++++++++++++++
 4 files changed, 40 insertions(+)
 create mode 100644 packetbeat/tests/system/pcaps/http_100_continue.pcap
 create mode 100644 packetbeat/tests/system/test_0070_http_100_continue.py
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 5bcdb19cf8d..429bfca560e 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -684,6 +684,8 @@ field. You can revert this change by configuring tags for the module and omittin
 *Packetbeat*
 - Add ECS fields for x509 certs, event categorization, and related IP info. {pull}19167[19167]
+- Add 100-continue support {issue}15830[15830] {pull}19349[19349]
+
 *Functionbeat*
diff --git a/packetbeat/protos/http/http.go b/packetbeat/protos/http/http.go
index efa344ab163..4b2367c0239 100644
--- a/packetbeat/protos/http/http.go
+++ b/packetbeat/protos/http/http.go
@@ -457,6 +457,12 @@ func (http *httpPlugin) flushResponses(conn *httpConnectionData) {
 unmatchedResponses.Add(1)
 resp := conn.responses.pop()
 debugf("Response from unknown transaction: %s. Reporting error.", resp.tcpTuple)
+
+ if resp.statusCode == 100 {
+ debugf("Drop first 100-continue response")
+ return
+ }
+
 event := http.newTransaction(nil, resp)
 http.publishTransaction(event)
 }
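Review bot: The new `return` for `resp.statusCode == 100` leaves flushResponses as soon as one interim response has been popped, so anything still queued in `conn.responses` is not reported by this call. If the surrounding code is a drain loop (its start is outside the hunk), `continue` is the exit that keeps the remaining responses visible. The check also runs after `unmatchedResponses.Add(1)` and the "Reporting error." debug line, so a dropped 100 is still counted and logged as an unmatched response although no event is published; popping first and incrementing the counter only after the check would keep the metric and the log accurate. Because the status code comes from captured traffic, a comment such as `// 100 Continue is interim; the final response carries the transaction` would mark this as a deliberate telemetry drop, and the debug message could lose "first", since every unmatched 100 takes this path.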
diff --git a/packetbeat/tests/system/pcaps/http_100_continue.pcap b/packetbeat/tests/system/pcaps/http_100_continue.pcap new file mode 100644 index 0000000000000000000000000000000000000000..be1438e3080030cc2559e2a2e24c2e35fdcfd679 GIT binary patch literal 6075 zcmb`Ldr(wW9LMkOA{KZ85d}eQyL@0TT1~hv7o?V5*jNZ{xlyoJ#?C0D$SHNnOb4f1BdZ3O*1O$r0HPa-(Bvq_wMQ*HO8N_XV0GR z_jf+$ckVs+o;>`)+h!p~82Sr*_U86KvphRNSb+|T35Zn>PVW=)Vr6^`{WFC&@Y&SO zB=%eiTTb8aH{ZG?6bphmX7&-2#S&{WJrI}GHFX~K#h3+wd^+GGqfHU?NsjI#v2KPT z0=!mKCF8@mfL`pR1fc>=3Rno0sV`Df9s<~R_@vFCOz%mprvNfMjCZrwF4$MAZz=To1?QIHJvNIrZVlSl_%*F!lvp%=9tM@ekk&CNA5 zJ~BsrjvJxL!EqGnL3fqL(T{bFZ#UFq{LfEwaZHxjp1xmqYdMBd}1g z1{cRM5_`wK`x7n4aE`OoI?_1)0v{ParcgPO4M{QJ549Y_Im#C5BaY;A13og^6oGn# z4Nj)L<5-Dp@~z%W<0Es_=lCi#IXI3bJ?QQW<+wM^P>+_S9bEO8 zCb9Ktr&ee=hI1^tOnn;1@8Kh(O`&omA3lz07$U%HWhlprbdGvVmzewJmxpP5WRChA zmqU|-qk6r9?h%dSTCD3It1bHb^|0CBaB&=$anZV@DY$3CIhL!}CE`dvWln?72yr%# zPsYXWak*P;b?|E6pA_kQRo;`;RowF zvRZNYZ8fzXr>(IK|6Au(S6A5zCl|7~c^;qNZgqK_4%Zs`SXxw2z~Ywq6mNc6z2Zin zv&HMOO`ANWcrrT5oKB?)U*_0ySX^amlj209u%IB{>2doT+${==n}bgnm|xx2q}Z*F zrY2W|)8TLMxNXn+Jno_Xg^Ii0zs7DYVsR{v5Ffs8#LbyNd^*zdUEXLB6yT*$5!3RO zMn^ofe9%sXc3BW{FO{AKk{DQN<^cwQ38inkpL%T0L_KaW)C`&S609B2UWCa|1Zzf& zKA~>4)(5qzW^!~B>h0(x^>>Y#-(9tDur6uNHY`Oj^Yuq9!d&b@3T-J&>CrPET#A4; zmco<~%)Fnd1eXF8Y+by7#ZgI8A^Ia0;&iKXjl=6x{4T^3F)rpoLP zYZ~0ON~>rWwVfp9i8UmOuV_zEv!NCZb#GB?t>X2e;6;03L1~`oReUWjKl)pmY8`&1 zmVV)bcdbvfcZhzE-{BJNMR}sH1)Iy~t7}2CFi)&=VBN2yOccr?OC zMw>$AXn_wOM=OR1@LHf96p3Tf!yE_2i4r@pHRS+}k9<(n=U4$v4vrH^54s06j_Z(5 z_EtkZCLC9|IEoT0I(B-SmSZ@_xt~)XaU`EP@R8A`P&twhA4d^G1bA)NIFjBM(2H7+ z8F=~BdEpK(cJw)3fhGq>+??>Dsq;ec#SY~&J=0K+?AxcfI7$+`dj8-Y9$X&ZLw*`Z zAADrADO8T+!^cs=5CLAn2N%k_2YOLCW@68bJN6@uk6e%X9M3?LgJUM?LHD>;kFChZ zWHSp-;Cl))0xv#s4w7{*DX;A6y}IA>+s3ypz5E(ZZs!Newd2D4@~kfL-&y4=t1IU$ zUbd*(URpdA|MH3-ol-gt2LW;@f`>n&k;X?}aeaisl4JlL literal 0 HcmV?d00001 
diff --git a/packetbeat/tests/system/test_0070_http_100_continue.py b/packetbeat/tests/system/test_0070_http_100_continue.py
new file mode 100644
index 00000000000..877bb90a280
--- /dev/null
+++ b/packetbeat/tests/system/test_0070_http_100_continue.py
@@ -0,0 +1,32 @@
+from packetbeat import BaseTest
+
+"""
+Tests for checking expect 100-continue only generate 1 event
+"""
+
+
+class Test(BaseTest):
+
+ def test_http_100_continue(self):
+ """
+ Should only generate one event
+ """
+ self.render_config_template(
+ iface_device="lo0",
+ http_ports=["9200"],
+ http_send_all_headers=True
+ )
+ self.run_packetbeat(pcap="http_100_continue.pcap")
+ objs = self.read_output_json()
+
+ assert len(objs) == 1
+ o = objs[0]
+
+ assert o["type"] == "http"
+ assert "request" in o["http"]
+ assert "headers" in o["http"]["request"]
+ assert o["http"]["request"]["headers"]["expect"] == "100-continue"
+
+ assert "response" in o["http"]
+
+ assert not "error" in o
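Review bot: The test asserts only that `"response"` is present in `o["http"]`, so it would still pass if the single event paired the request with the interim 100 response instead of the final one. Adding `assert o["http"]["response"]["status_code"] != 100`, or the exact final status recorded in the pcap, would pin the behaviour the Go change is meant to give. Two smaller points of style: `assert not "error" in o` reads better as `assert "error" not in o`, and the module string sits below the import, so it is a bare expression rather than the module docstring.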