[Filebeat][httpjson] httpjson oauth2 authentication mechanism for salesforce events #29087
Conversation
botelastic
bot
added
the
needs_team
|
This pull request does not have a backport label. Could you fix it @kush-elastic? 🙏
NOTE: |
mergify
bot
added
the
backport-skip
kush-elastic
force-pushed
the
salesforce_httpjson_input
branch
from
dcde2af
to
cc3cc83
Compare
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
kush-elastic
changed the title
| @@ -82,6 +82,8 @@ type oAuth2Config struct { | |||
| // common oauth fields | |||
| ClientID string `config:"client.id"` | |||
| ClientSecret string `config:"client.secret"` | |||
| User string `config:"user"` | |||
There was a problem hiding this comment.
Could you please put these properties in alpha-num order?
There was a problem hiding this comment.
Sure. I will update it.
| TokenURL: o.getTokenURL(), | ||
| Scopes: o.Scopes, | ||
| EndpointParams: o.getEndpointParams(), | ||
| if o.User != "" || o.Password != "" { |
There was a problem hiding this comment.
Is it also valid for Azure?
Do you think it's worth considering introducing another type: oauth2ProviderSalesforce?
There was a problem hiding this comment.
I am not sure but they do support username-password authentication here.
If its valid then that means they will also be able to use another authentication mechanism.
I will look into it if its not ok then we can add oauth2ProviderSalesforce
There was a problem hiding this comment.
Do you think it's worth focusing on the oauth2ProviderSalesforce provider now?
There was a problem hiding this comment.
I think we have another option.
what if we use oAuth2ProviderDefault:
case oAuth2ProviderDefault:
if o.User != "" || o.Password != "" {
conf := &oauth2.Config{
ClientID: o.ClientID,
ClientSecret: o.ClientSecret,
Endpoint: oauth2.Endpoint{
TokenURL: o.TokenURL,
AuthStyle: AuthStyleInParams,
},
}
token, err := conf.PasswordCredentialsToken(ctx, o.User, o.Password)
if err != nil {
return nil, fmt.Errorf("oauth2 client: error loading credentials using user and password: %w", err)
}
return conf.Client(ctx, token), nil
} else {
creds := clientcredentials.Config{
ClientID: o.ClientID,
ClientSecret: o.ClientSecret,
TokenURL: o.getTokenURL(),
Scopes: o.Scopes,
EndpointParams: o.getEndpointParams(),
}
return creds.Client(ctx), nil
}
case oAuth2ProviderAzure:
creds := clientcredentials.Config{
ClientID: o.ClientID,
ClientSecret: o.ClientSecret,
TokenURL: o.getTokenURL(),
Scopes: o.Scopes,
EndpointParams: o.getEndpointParams(),
}
return creds.Client(ctx), nil
What do you think if we do this?
Instead creating new provider we can use default one and user will also able use user-password method for other than salesforce.
There was a problem hiding this comment.
RFC defines it (Resource Owner Password Credentials Grant), so I don't see a reason why don't apply it also here. Feel free to modify the source code.
| AuthStyle: 1, | ||
| }, | ||
| } | ||
| token, err := conf.PasswordCredentialsToken(ctx, o.User, o.Password) |
There was a problem hiding this comment.
Any ideas for covering this logic with unit tests?
There was a problem hiding this comment.
as an idea, if we want to test this bit in isolation, could get extracted to its own function and validate the resulting token
mtojek
removed
the
backport-skip
|
This pull request does not have a backport label. Could you fix it @kush-elastic? 🙏
NOTE: |
mergify
bot
added
the
backport-skip
mtojek
added
Team:Integrations
botelastic
bot
removed
the
needs_team
|
This pull request does not have a backport label. Could you fix it @kush-elastic? 🙏
NOTE: |
mergify
bot
added
the
backport-skip
mtojek
added
needs_team
botelastic
bot
removed
the
needs_team
|
This pull request doesn't have a |
|
This pull request does not have a backport label. Could you fix it @kush-elastic? 🙏
NOTE: |
mergify
bot
added
the
backport-skip
mergify
bot
removed
the
backport-skip
|
/test |
kush-elastic
force-pushed
the
salesforce_httpjson_input
branch
from
2e54c4a
to
8e10984
Compare
| TokenURL: o.getTokenURL(), | ||
| Scopes: o.Scopes, | ||
| EndpointParams: o.getEndpointParams(), | ||
| if o.User != "" || o.Password != "" { |
There was a problem hiding this comment.
Do you think it's worth focusing on the oauth2ProviderSalesforce provider now?
|
Pinging @elastic/siem (Team:SIEM) |
|
Pinging @elastic/integrations (Team:Integrations) |
There was a problem hiding this comment.
Thanks for this! Is looking good so far aside of a couple nits. Also would be nice to add the related docs in https://github.com/elastic/beats/blob/master/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc for the new options and any consideration needed when using them.
| @@ -22,6 +22,8 @@ import ( | |||
| "github.com/elastic/beats/v7/libbeat/common" | |||
| ) | |||
|
|
|||
| const authStyleInParams = 1 | |||
There was a problem hiding this comment.
Would be nice to add a brief comment in here to know what is used for, and maybe declare it local to where it is going to be used if not expected to be reused anymore.
There was a problem hiding this comment.
Sure, Got it.
Thanks
There was a problem hiding this comment.
Done. added one liner describing the context.
| AuthStyle: 1, | ||
| }, | ||
| } | ||
| token, err := conf.PasswordCredentialsToken(ctx, o.User, o.Password) |
There was a problem hiding this comment.
as an idea, if we want to test this bit in isolation, could get extracted to its own function and validate the resulting token
There was a problem hiding this comment.
Please update also the docs: https://github.com/elastic/beats/blob/c77bf19b66a95c0bb669c06b4ffb8e7ba773a22d/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc
... and I think this would be in a good shape to merge.
|
💚 CLA has been signed |
Updated the doc |
| @@ -82,6 +82,8 @@ filebeat.inputs: | |||
| client.id: 12345678901234567890abcdef | |||
| client.secret: abcdef12345678901234567890 | |||
| token_url: http://localhost/oauth2/token | |||
| user: abc.xyz@mail.com | |||
There was a problem hiding this comment.
Mail.com is a product https://www.mail.com/int/ :) Let's not suggest anything. How about user@domain.tld?
There was a problem hiding this comment.
sure :) its updated.
| ==== `auth.oauth2.user` | ||
|
|
||
| The user used as part of the authentication flow. It is required for authentication | ||
| - grant type password. It is always required except if using `google` as provider. |
There was a problem hiding this comment.
It doesn't look to be correct. The user option goes in pair with password for the default provider only. @kush-elastic would you mind proofreading docs?
|
This pull request is now in conflicts. Could you fix it? 🙏 |
…user-passowrd method
botelastic
bot
added
the
Team:Automation
|
Wow, 234 files changed. I think you should consider rebasing against the master branch to see only changes relevant to this PR. |
kush-elastic
force-pushed
the
salesforce_httpjson_input
branch
from
4983333
to
d4d21c1
Compare
|
/test |
…esforce events (#29087) * Add grant-type: passoword in httpjson oauth2 * refactor code and add new properties tests in config_test.go * Add grant_type: password in oAuth2ProviderDefault * Update CHANGELOG.next.asciidoc * update input-httpjson.asciidoc with new extended httpjson authentication method * add comment for authstyleparam variable * update user dummy value in the doc * Update input-httpjson.asciidoc - provider should be default only for user-passowrd method * refactor code and add new properties tests in config_test.go * Add grant_type: password in oAuth2ProviderDefault Co-authored-by: Sunny Chaudhari <sunny.chaudhari@elastic.co> (cherry picked from commit 008182a)
…esforce events (#29087) (#29246) * Add grant-type: passoword in httpjson oauth2 * refactor code and add new properties tests in config_test.go * Add grant_type: password in oAuth2ProviderDefault * Update CHANGELOG.next.asciidoc * update input-httpjson.asciidoc with new extended httpjson authentication method * add comment for authstyleparam variable * update user dummy value in the doc * Update input-httpjson.asciidoc - provider should be default only for user-passowrd method * refactor code and add new properties tests in config_test.go * Add grant_type: password in oAuth2ProviderDefault Co-authored-by: Sunny Chaudhari <sunny.chaudhari@elastic.co> (cherry picked from commit 008182a) Co-authored-by: Kush Rana <89848966+kush-elastic@users.noreply.github.com> Co-authored-by: Nicolas Ruflin <spam@ruflin.com>
What does this PR do?
Current httpjson doesn’t have grant_type: password.
This PR contains the codebase for the authentication mechanism for httpjson input which is a part of the Salesforce connector.
Authentication Details:
Added grant_type: password in existing method with configurations.
if auth.oauth2.user and auth.oauth2.password parameter are mentioned in oauth2 configuration, code will automatically uses grant_type as password and create client accordingly.
Why is it important?
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Related issues
Use cases
Configuration Example:
Screenshots
Logs