-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Filebeat][httpjson] httpjson oauth2 authentication mechanism for salesforce events #29087
[Filebeat][httpjson] httpjson oauth2 authentication mechanism for salesforce events #29087
Conversation
This pull request does not have a backport label. Could you fix it @kush-elastic? 🙏
NOTE: |
dcde2af
to
cc3cc83
Compare
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need a changelog entry for this PR.
@@ -82,6 +82,8 @@ type oAuth2Config struct { | |||
// common oauth fields | |||
ClientID string `config:"client.id"` | |||
ClientSecret string `config:"client.secret"` | |||
User string `config:"user"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you please put these properties in alpha-num order?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure. I will update it.
TokenURL: o.getTokenURL(), | ||
Scopes: o.Scopes, | ||
EndpointParams: o.getEndpointParams(), | ||
if o.User != "" || o.Password != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it also valid for Azure?
Do you think it's worth considering introducing another type: oauth2ProviderSalesforce
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure but they do support username-password authentication here.
If its valid then that means they will also be able to use another authentication mechanism.
I will look into it if its not ok then we can add oauth2ProviderSalesforce
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you think it's worth focusing on the oauth2ProviderSalesforce provider now?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we have another option.
what if we use oAuth2ProviderDefault:
case oAuth2ProviderDefault:
if o.User != "" || o.Password != "" {
conf := &oauth2.Config{
ClientID: o.ClientID,
ClientSecret: o.ClientSecret,
Endpoint: oauth2.Endpoint{
TokenURL: o.TokenURL,
AuthStyle: AuthStyleInParams,
},
}
token, err := conf.PasswordCredentialsToken(ctx, o.User, o.Password)
if err != nil {
return nil, fmt.Errorf("oauth2 client: error loading credentials using user and password: %w", err)
}
return conf.Client(ctx, token), nil
} else {
creds := clientcredentials.Config{
ClientID: o.ClientID,
ClientSecret: o.ClientSecret,
TokenURL: o.getTokenURL(),
Scopes: o.Scopes,
EndpointParams: o.getEndpointParams(),
}
return creds.Client(ctx), nil
}
case oAuth2ProviderAzure:
creds := clientcredentials.Config{
ClientID: o.ClientID,
ClientSecret: o.ClientSecret,
TokenURL: o.getTokenURL(),
Scopes: o.Scopes,
EndpointParams: o.getEndpointParams(),
}
return creds.Client(ctx), nil
What do you think if we do this?
Instead creating new provider we can use default one and user will also able use user-password method for other than salesforce.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RFC defines it (Resource Owner Password Credentials Grant), so I don't see a reason why don't apply it also here. Feel free to modify the source code.
AuthStyle: 1, | ||
}, | ||
} | ||
token, err := conf.PasswordCredentialsToken(ctx, o.User, o.Password) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any ideas for covering this logic with unit tests?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as an idea, if we want to test this bit in isolation, could get extracted to its own function and validate the resulting token
This pull request does not have a backport label. Could you fix it @kush-elastic? 🙏
NOTE: |
This pull request does not have a backport label. Could you fix it @kush-elastic? 🙏
NOTE: |
This pull request doesn't have a |
This pull request does not have a backport label. Could you fix it @kush-elastic? 🙏
NOTE: |
/test |
2e54c4a
to
8e10984
Compare
TokenURL: o.getTokenURL(), | ||
Scopes: o.Scopes, | ||
EndpointParams: o.getEndpointParams(), | ||
if o.User != "" || o.Password != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you think it's worth focusing on the oauth2ProviderSalesforce provider now?
Pinging @elastic/siem (Team:SIEM) |
Pinging @elastic/integrations (Team:Integrations) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this! Is looking good so far aside of a couple nits. Also would be nice to add the related docs in https://github.com/elastic/beats/blob/master/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc for the new options and any consideration needed when using them.
@@ -22,6 +22,8 @@ import ( | |||
"github.com/elastic/beats/v7/libbeat/common" | |||
) | |||
|
|||
const authStyleInParams = 1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would be nice to add a brief comment in here to know what is used for, and maybe declare it local to where it is going to be used if not expected to be reused anymore.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, Got it.
Thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. added one liner describing the context.
AuthStyle: 1, | ||
}, | ||
} | ||
token, err := conf.PasswordCredentialsToken(ctx, o.User, o.Password) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as an idea, if we want to test this bit in isolation, could get extracted to its own function and validate the resulting token
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please update also the docs: https://github.com/elastic/beats/blob/c77bf19b66a95c0bb669c06b4ffb8e7ba773a22d/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc
... and I think this would be in a good shape to merge.
💚 CLA has been signed |
Updated the doc |
@@ -82,6 +82,8 @@ filebeat.inputs: | |||
client.id: 12345678901234567890abcdef | |||
client.secret: abcdef12345678901234567890 | |||
token_url: http://localhost/oauth2/token | |||
user: abc.xyz@mail.com |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mail.com is a product https://www.mail.com/int/ :) Let's not suggest anything. How about user@domain.tld?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure :) its updated.
==== `auth.oauth2.user` | ||
|
||
The user used as part of the authentication flow. It is required for authentication | ||
- grant type password. It is always required except if using `google` as provider. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It doesn't look to be correct. The user
option goes in pair with password
for the default provider only. @kush-elastic would you mind proofreading docs?
This pull request is now in conflicts. Could you fix it? 🙏
|
…user-passowrd method
Wow, 234 files changed. I think you should consider rebasing against the master branch to see only changes relevant to this PR. |
4983333
to
d4d21c1
Compare
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Let's merge this one if CI is happy.
…esforce events (#29087) * Add grant-type: passoword in httpjson oauth2 * refactor code and add new properties tests in config_test.go * Add grant_type: password in oAuth2ProviderDefault * Update CHANGELOG.next.asciidoc * update input-httpjson.asciidoc with new extended httpjson authentication method * add comment for authstyleparam variable * update user dummy value in the doc * Update input-httpjson.asciidoc - provider should be default only for user-passowrd method * refactor code and add new properties tests in config_test.go * Add grant_type: password in oAuth2ProviderDefault Co-authored-by: Sunny Chaudhari <sunny.chaudhari@elastic.co> (cherry picked from commit 008182a)
…esforce events (#29087) (#29246) * Add grant-type: passoword in httpjson oauth2 * refactor code and add new properties tests in config_test.go * Add grant_type: password in oAuth2ProviderDefault * Update CHANGELOG.next.asciidoc * update input-httpjson.asciidoc with new extended httpjson authentication method * add comment for authstyleparam variable * update user dummy value in the doc * Update input-httpjson.asciidoc - provider should be default only for user-passowrd method * refactor code and add new properties tests in config_test.go * Add grant_type: password in oAuth2ProviderDefault Co-authored-by: Sunny Chaudhari <sunny.chaudhari@elastic.co> (cherry picked from commit 008182a) Co-authored-by: Kush Rana <89848966+kush-elastic@users.noreply.github.com> Co-authored-by: Nicolas Ruflin <spam@ruflin.com>
What does this PR do?
Current httpjson doesn’t have grant_type: password.
This PR contains the codebase for the authentication mechanism for httpjson input which is a part of the Salesforce connector.
Authentication Details:
Added grant_type: password in existing method with configurations.
if auth.oauth2.user and auth.oauth2.password parameter are mentioned in oauth2 configuration, code will automatically uses grant_type as password and create client accordingly.
Why is it important?
Checklist
CHANGELOG.next.asciidoc
orCHANGELOG-developer.next.asciidoc
.Related issues
Use cases
Configuration Example:
Screenshots
Logs