[Filebeat] Enable HMAC Signature Validation for http_endpoint input #24918
Conversation
SpencerLN
added
enhancement
needs_backport
botelastic
bot
added
the
needs_team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Trends 🧪💚 Flaky test reportTests succeeded. Expand to view the summary
Test stats 🧪
|
|
This pull request is now in conflicts. Could you fix it? 🙏 |
SpencerLN
changed the title
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
removed
the
needs_team
|
@SpencerLN Would you mind fixing the conflict with the changelog? |
There was a problem hiding this comment.
It does LGTM, have you tested this for example with Github @SpencerLN ?
It looks better than my older implementation here: https://github.com/elastic/beats/pull/20744/files
@P1llus I wrote this with GitHub in mind and that was what I did my primary testing with. The conflict for the changelog should be resolved now; is there anything else I should take care of? I wasn't sure if I needed to add different labels for Mergify to work. |
Just need to confirm a few things with @andrewkroh in terms of how the response body is read, and if we can still get this to work if we wanted to read the body further in the future (like body validation logic, middleware etc), (should be okay because of the NopCloser). After that we can add the labels for you. |
|
This pull request is now in conflicts. Could you fix it? 🙏 |
Error strings should not be capitalized. https://github.com/golang/go/wiki/CodeReviewComments#error-strings
Use Go's JSON encoder to ensure proper escaping.
Validate the HMAC header before progressing to the HMAC calculation. Avoid copying body contents twice.
andrewkroh
force-pushed
the
add-hmac-validation
branch
from
0fe36d0 to
d19ebd8
Compare
There was a problem hiding this comment.
I pushed an update to address the comments I made.
I also changed error messages that were capitalized as an unrelated cleanup.
…24918) * Enable HMAC Signature Validation for http_endpoint input * Fix error message for invalid HmacType * Update changelog * Correct variable names to better follow conventions * Don't capitalize error messages Error strings should not be capitalized. https://github.com/golang/go/wiki/CodeReviewComments#error-strings * Avoid manual JSON encoding Use Go's JSON encoder to ensure proper escaping. * Refactor HMAC validation Validate the HMAC header before progressing to the HMAC calculation. Avoid copying body contents twice. * Fix changelog merge * Add punctuation to docs Co-authored-by: Andrew Kroh <[email protected]> (cherry picked from commit 68d8948)
…24918) (#25702) * Enable HMAC Signature Validation for http_endpoint input * Fix error message for invalid HmacType * Update changelog * Correct variable names to better follow conventions * Don't capitalize error messages Error strings should not be capitalized. https://github.com/golang/go/wiki/CodeReviewComments#error-strings * Avoid manual JSON encoding Use Go's JSON encoder to ensure proper escaping. * Refactor HMAC validation Validate the HMAC header before progressing to the HMAC calculation. Avoid copying body contents twice. * Fix changelog merge * Add punctuation to docs Co-authored-by: Andrew Kroh <[email protected]> (cherry picked from commit 68d8948) Co-authored-by: Spencer Niemi <[email protected]>
What does this PR do?
Adds the option of HMAC signature validation for the
http_endpointinput. This PR adds support forsha1andsha256based HMAC validation and allows flexible configuration of the header containing the signature, the key, and an optional prefix.Why is it important?
Many webhook senders offer this as the only method of authenticating that the method was actually sent from them, for example, GitHub and Dropbox. This enables future modules to receive events from these types of senders and allows users the flexibility to configure their own inputs in the meantime.
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Author's Checklist
How to test this PR locally
This PR can be tested locally by configuring a webhook sender to send events to your machine. I personally used ngrok to expose the appropriate port from Filebeat, but there are other options. One simple sender to use for testing is configuring a webhook on any GitHub repo.
https://docs.github.com/en/developers/webhooks-and-events/creating-webhooks#exposing-localhost-to-the-internet
Related issues