x-pack/filebeat/input/entityanalytics: fix encoding of client_secret (#…

…41393) (#41415) In the Azure Active Directory provider, only encode the value of `client_secret` once. --------- Co-authored-by: Pierre HILBERT <pierre.hilbert@elastic.co>
elastic · Oct 24, 2024 · f0cc4e3 · f0cc4e3
1 parent 9d23ff5
commit f0cc4e3
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 5 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -171,6 +171,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Improve modification time handling for entities and entity deletion logic in the Active Directory entityanalytics input. {pull}41179[41179]
 - Log bad handshake details when websocket connection fails {pull}41300[41300]
 - Journald input now can read events from all boots {issue}41083[41083] {pull}41244[41244]
+- Fix double encoding of client_secret in the Entity Analytics input's Azure Active Directory provider {pull}41393[41393]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/input/entityanalytics/provider/azuread/authenticator/oauth2/oauth2.go b/x-pack/filebeat/input/entityanalytics/provider/azuread/authenticator/oauth2/oauth2.go
@@ -74,7 +74,7 @@ func (a *oauth2) renewToken(ctx context.Context) error {
 	reqValues := url.Values{
 		"client_id":     []string{a.conf.ClientID},
 		"scope":         a.conf.Scopes,
-		"client_secret": []string{url.QueryEscape(a.conf.Secret)},
+		"client_secret": []string{a.conf.Secret},
 		"grant_type":    []string{"client_credentials"},
 	}
 	reqEncoded := reqValues.Encode()

diff --git a/x-pack/filebeat/input/entityanalytics/provider/azuread/authenticator/oauth2/oauth2_test.go b/x-pack/filebeat/input/entityanalytics/provider/azuread/authenticator/oauth2/oauth2_test.go
@@ -18,7 +18,7 @@ import (
 	"github.com/elastic/elastic-agent-libs/logp"
 )
 
-func testSetupServer(t *testing.T, tokenValue string, expiresIn int) *httptest.Server {
+func testSetupServer(t *testing.T, expectedClientSecret string, tokenValue string, expiresIn int) *httptest.Server {
 	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		payload := authResponse{
 			TokenType:    "Bearer",
@@ -28,6 +28,7 @@ func testSetupServer(t *testing.T, tokenValue string, expiresIn int) *httptest.S
 		}
 		data, err := json.Marshal(payload)
 		require.NoError(t, err)
+		require.Equal(t, expectedClientSecret, r.FormValue("client_secret"))
 
 		_, err = w.Write(data)
 		require.NoError(t, err)
@@ -62,12 +63,13 @@ func TestRenew(t *testing.T) {
 		value := "test-value"
 		expiresIn := 1000
 
-		srv := testSetupServer(t, value, expiresIn)
+		clientSecret := "value&chars=to|escape" // #nosec G101
+		srv := testSetupServer(t, clientSecret, value, expiresIn)
 		defer srv.Close()
 
 		cfg, err := config.NewConfigFrom(&conf{
 			Endpoint: "http://" + srv.Listener.Addr().String(),
-			Secret:   "value",
+			Secret:   clientSecret,
 			ClientID: "client-id",
 			TenantID: "tenant-id",
 		})
@@ -90,7 +92,7 @@ func TestRenew(t *testing.T) {
 		cachedToken := "cached-value"
 		expireTime := time.Now().Add(1000 * time.Second)
 
-		srv := testSetupServer(t, cachedToken, 1000)
+		srv := testSetupServer(t, "no-client-secret-used", cachedToken, 1000)
 		defer srv.Close()
 
 		cfg, err := config.NewConfigFrom(&conf{