From fe6b48e8dc062a0bc6f35436bc412af838c33f26 Mon Sep 17 00:00:00 2001 From: chemamartinez Date: Mon, 29 May 2023 12:28:38 +0200 Subject: [PATCH 1/6] Add CRC options to Zoom module --- x-pack/filebeat/module/zoom/_meta/config.yml | 6 ++++++ x-pack/filebeat/module/zoom/_meta/docs.asciidoc | 4 ++++ x-pack/filebeat/module/zoom/webhook/config/webhook.yml | 5 +++++ x-pack/filebeat/module/zoom/webhook/manifest.yml | 4 ++++ x-pack/filebeat/modules.d/zoom.yml.disabled | 6 ++++++ 5 files changed, 25 insertions(+) diff --git a/x-pack/filebeat/module/zoom/_meta/config.yml b/x-pack/filebeat/module/zoom/_meta/config.yml index a010f43f3a9..7f99fc1d0b7 100644 --- a/x-pack/filebeat/module/zoom/_meta/config.yml +++ b/x-pack/filebeat/module/zoom/_meta/config.yml @@ -17,3 +17,9 @@ # The secret token value created by Zoom #secret.value: ZOOMTOKEN + + # Enable the CRC webhook validation + #crc.enabled: false + + # The secret token value provided by Zoom for CRC validation + #crc.secret: ZOOMTOKEN diff --git a/x-pack/filebeat/module/zoom/_meta/docs.asciidoc b/x-pack/filebeat/module/zoom/_meta/docs.asciidoc index 4b3b0da5134..3d6da1e3b21 100644 --- a/x-pack/filebeat/module/zoom/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/zoom/_meta/docs.asciidoc @@ -25,6 +25,8 @@ include::../include/config-option-intro.asciidoc[] When a webhook integration is created on Zoom, it will show a special token used to ensure that filebeat only handles HTTP requests from the correct source. This is configured with the `secret.header` and `secret.value` settings as shown below. +On the other hand, Zoom also requires webhook validation for created or modified webhooks after October, 2022. This follows a challenge-response check (CRC) algorithm which is configured with the `crc.enabled` and `crc.secret` settings. Learn more about it at https://developers.zoom.us/docs/api/rest/webhook-reference/#validate-your-webhook-endpoint[Validate your webhook endpoint]. + Example config: [source,yaml] 
@@ -37,6 +39,8 @@ Example config: var.listen_port: 8080 var.secret.header: Authorization var.secret.value: ZOOMTOKEN + var.crc.enabled: true + var.crc.secret: ZOOMTOKEN ---- include::../include/var-paths.asciidoc[] diff --git a/x-pack/filebeat/module/zoom/webhook/config/webhook.yml b/x-pack/filebeat/module/zoom/webhook/config/webhook.yml index 312ba2c208a..d56dd9670d8 100644 --- a/x-pack/filebeat/module/zoom/webhook/config/webhook.yml +++ b/x-pack/filebeat/module/zoom/webhook/config/webhook.yml @@ -12,6 +12,11 @@ content_type: "{{ .content_type }}" secret: {{ .secret | tojson }} ssl: {{ .ssl | tojson }} +{{ if .crc.enabled }} +crc.provider: zoom +crc.secret: {{ .crc.secret }} +{{ end }} + {{ else if eq .input "file" }} type: log diff --git a/x-pack/filebeat/module/zoom/webhook/manifest.yml b/x-pack/filebeat/module/zoom/webhook/manifest.yml index 31f78e24e25..05a85691cfd 100644 --- a/x-pack/filebeat/module/zoom/webhook/manifest.yml +++ b/x-pack/filebeat/module/zoom/webhook/manifest.yml @@ -24,6 +24,10 @@ var: default: header: Authorization value: "" + - name: crc + default: + enabled: false + secret: "" - name: tags default: [zoom-webhook, forwarded] diff --git a/x-pack/filebeat/modules.d/zoom.yml.disabled b/x-pack/filebeat/modules.d/zoom.yml.disabled index a04706cf15a..edc7809ae09 100644 --- a/x-pack/filebeat/modules.d/zoom.yml.disabled +++ b/x-pack/filebeat/modules.d/zoom.yml.disabled @@ -20,3 +20,9 @@ # The secret token value created by Zoom #secret.value: ZOOMTOKEN + + # Enable the CRC webhook validation + #crc.enabled: false + + # The secret token value provided by Zoom for CRC validation + #crc.secret: ZOOMTOKEN From 97d0ce9c48565cd87922ce8d3ded4068b2f72b4d Mon Sep 17 00:00:00 2001 
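Review bot: In `webhook/config/webhook.yml`, the added `crc.secret: {{ .crc.secret }}` line renders the secret as a bare YAML scalar, whereas the `secret` and `ssl` values in the same hunk are passed through `tojson`. A token containing ` #` or `: `, or starting with `*`, `&`, `{` or `[`, would likely be truncated or misparsed when the rendered input config is loaded, so the challenge response would be computed from a different value than the operator configured. I would write it as `crc.secret: {{ .crc.secret | tojson }}` so the value is always quoted. The `http_endpoint` branch of the template starts above the hunk.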
From: chemamartinez Date: Wed, 31 May 2023 18:53:37 +0200 Subject: [PATCH 2/6] Update http_endpoint to use crc.secret for the CRC validation --- .../docs/inputs/input-http-endpoint.asciidoc | 6 ++++++ x-pack/filebeat/filebeat.reference.yml | 6 ++++++ x-pack/filebeat/input/http_endpoint/config.go | 8 ++++++-- .../input/http_endpoint/handler_test.go | 18 ++++++------------ x-pack/filebeat/input/http_endpoint/input.go | 2 +- 5 files changed, 25 insertions(+), 15 deletions(-) diff --git a/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc b/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc index 28c5c6dd4ec..eafbb5d4d83 100644 --- a/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc +++ b/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc @@ -142,6 +142,7 @@ Validate webhook endpoint for a specific provider using CRC secret.header: someheadername secret.value: secretheadertoken crc.provider: webhookProvider + crc.secret: secretToken ---- Validate a HMAC signature from a specific header @@ -273,6 +274,11 @@ This option copies the raw unmodified body of the incoming request to the event. This option defines the provider of the webhook that uses CRC (Challenge-Response Check) for validating the endpoint. The HTTP endpoint input is responsible for ensuring the authenticity of incoming webhook requests by generating and verifying a unique token. By specifying the `crc.provider`, you ensure that the system correctly handles the specific CRC validation process required by the chosen provider. +[float] +==== `crc.secret` + +The secret token provided by the webhook owner for the CRC validation. + [id="{beatname_lc}-input-{type}-common-options"] include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 4c6147ce392..de653dc724a 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -2561,6 +2561,12 @@ filebeat.modules: # The secret token value created by Zoom #secret.value: ZOOMTOKEN + # Enable the CRC webhook validation + #crc.enabled: false + + # The secret token value provided by Zoom for CRC validation + #crc.secret: ZOOMTOKEN + #----------------------------- Zscaler NSS Module ----------------------------- - module: zscaler zia: diff --git a/x-pack/filebeat/input/http_endpoint/config.go b/x-pack/filebeat/input/http_endpoint/config.go index 2a8a246460e..d60ffdeb989 100644 --- a/x-pack/filebeat/input/http_endpoint/config.go +++ b/x-pack/filebeat/input/http_endpoint/config.go @@ -40,6 +40,7 @@ type config struct { HMACType string `config:"hmac.type"` HMACPrefix string `config:"hmac.prefix"` CRCProvider string `config:"crc.provider"` + CRCSecret string `config:"crc.secret"` IncludeHeaders []string `config:"include_headers"` PreserveOriginalEvent bool `config:"preserve_original_event"` } @@ -63,6 +64,7 @@ func defaultConfig() config { HMACType: "", HMACPrefix: "", CRCProvider: "", + CRCSecret: "", } } @@ -92,9 +94,11 @@ func (c *config) Validate() error { if c.CRCProvider != "" { if !isValidCRCProvider(c.CRCProvider) { return fmt.Errorf("not a valid CRC provider: %q", c.CRCProvider) - } else if c.SecretValue == "" { - return errors.New("secret.value is required when crc.provider is defined") + } else if c.CRCSecret == "" { + return errors.New("crc.secret is required when crc.provider is defined") } + } else if c.CRCSecret != "" { + return errors.New("crc.provider is required when crc.secret is defined") } return nil diff --git a/x-pack/filebeat/input/http_endpoint/handler_test.go b/x-pack/filebeat/input/http_endpoint/handler_test.go index ec9533ff97c..d5250881ae0 100644 --- a/x-pack/filebeat/input/http_endpoint/handler_test.go +++ b/x-pack/filebeat/input/http_endpoint/handler_test.go 
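Review bot: In `config.go`, `Validate()` (which starts above the hunk) now accepts a configuration that sets only `crc.provider` and `crc.secret`, where the removed branch required `secret.value` whenever a CRC provider was set. The CRC exchange proves to the provider that the endpoint holds the secret; nothing in the visible hunks shows it authenticating ordinary event requests, so a CRC-only input may accept events from any sender unless `secret.*` or `hmac.*` is also configured. If that decoupling is intended, the `crc.secret` paragraph added to `input-http-endpoint.asciidoc` should say so, for example `crc.secret only answers the provider's validation challenge; configure secret.header/secret.value or hmac.* to authenticate events.` The new `crc.provider is required when crc.secret is defined` branch also has no test among the hunks shown here.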
@@ -245,9 +245,8 @@ func Test_apiResponse(t *testing.T) { { name: "validate CRC request", conf: config{ - SecretHeader: "secretHeaderTest", - SecretValue: "secretValueTest", - CRCProvider: "Zoom", + CRCProvider: "Zoom", + CRCSecret: "secretValueTest", }, request: func() *http.Request { buf := bytes.NewBufferString( @@ -261,7 +260,6 @@ func Test_apiResponse(t *testing.T) { ) req := httptest.NewRequest(http.MethodPost, "/", buf) req.Header.Set("Content-Type", "application/json") - req.Header.Set("secretHeaderTest", "secretValueTest") return req }(), events: nil, @@ -271,9 +269,8 @@ func Test_apiResponse(t *testing.T) { { name: "malformed CRC request", conf: config{ - SecretHeader: "secretHeaderTest", - SecretValue: "secretValueTest", - CRCProvider: "Zoom", + CRCProvider: "Zoom", + CRCSecret: "secretValueTest", }, request: func() *http.Request { buf := bytes.NewBufferString( @@ -287,7 +284,6 @@ func Test_apiResponse(t *testing.T) { ) req := httptest.NewRequest(http.MethodPost, "/", buf) req.Header.Set("Content-Type", "application/json") - req.Header.Set("secretHeaderTest", "secretValueTest") return req }(), events: nil, @@ -297,9 +293,8 @@ func Test_apiResponse(t *testing.T) { { name: "empty CRC challenge", conf: config{ - SecretHeader: "secretHeaderTest", - SecretValue: "secretValueTest", - CRCProvider: "Zoom", + CRCProvider: "Zoom", + CRCSecret: "secretValueTest", }, request: func() *http.Request { buf := bytes.NewBufferString( @@ -313,7 +308,6 @@ func Test_apiResponse(t *testing.T) { ) req := httptest.NewRequest(http.MethodPost, "/", buf) req.Header.Set("Content-Type", "application/json") - req.Header.Set("secretHeaderTest", "secretValueTest") return req }(), events: nil, diff --git a/x-pack/filebeat/input/http_endpoint/input.go b/x-pack/filebeat/input/http_endpoint/input.go index e4d99806f5e..4fe312a5726 100644 --- a/x-pack/filebeat/input/http_endpoint/input.go +++ b/x-pack/filebeat/input/http_endpoint/input.go 
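Review bot: In `handler_test.go`, all three CRC cases in `Test_apiResponse` drop `SecretHeader`/`SecretValue` and the matching `req.Header.Set` call, so the visible cases no longer exercise CRC together with header authentication. That combination is what the Zoom module's example config produces (`var.secret.*` plus `var.crc.*`). I would keep one case with `SecretHeader`, `SecretValue`, `CRCProvider` and `CRCSecret` all set, using different values for the two secrets, to pin that the header check and the challenge response each use their own secret. The test table continues outside these hunks, so such a case may already exist there.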
@@ -259,7 +259,7 @@ func newHandler(c config, pub stateless.Publisher, log *logp.Logger) http.Handle responseBody: c.ResponseBody, includeHeaders: canonicalizeHeaders(c.IncludeHeaders), preserveOriginalEvent: c.PreserveOriginalEvent, - crc: newCRC(c.CRCProvider, c.SecretValue), + crc: newCRC(c.CRCProvider, c.CRCSecret), } return newAPIValidationHandler(http.HandlerFunc(handler.apiResponse), validator, log) From 08a8c11ea610dd920afc6b68efcc7e4897d789ae Mon Sep 17 00:00:00 2001 From: chemamartinez Date: Wed, 31 May 2023 18:53:48 +0200 Subject: [PATCH 3/6] Update changelog --- CHANGELOG.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b061eb26315..7b636a1063f 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -287,6 +287,7 @@ automatic splitting at root level, if root level element is an array. {pull}3415 - Add support for collecting IPv6 metrics. {pull}35123[35123] - Add oracle authentication messages parsing {pull}35127[35127] - Add support for CRC validation in Filebeat's HTTP endpoint input. {pull}35204[35204] +- Add support for CRC validation in Zoom module. {pull}35604[35604] - Add execution budget to CEL input. {pull}35409[35409] - Add XML decoding support to HTTPJSON. {issue}34438[34438] {pull}35235[35235] - Add delegated account support when using Google ADC in `httpjson` input. {pull}35507[35507] From cbfb317114d39e7619bc74590f26f3715353636f Mon Sep 17 00:00:00 2001 From: chemamartinez Date: Thu, 1 Jun 2023 11:42:54 +0200 Subject: [PATCH 4/6] Update the Zoom docs about event verification --- x-pack/filebeat/filebeat.reference.yml | 6 +++--- x-pack/filebeat/module/zoom/_meta/config.yml | 6 +++--- x-pack/filebeat/module/zoom/_meta/docs.asciidoc | 8 ++++---- x-pack/filebeat/modules.d/zoom.yml.disabled | 6 +++--- 4 files changed, 13 insertions(+), 13 deletions(-) 
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index de653dc724a..f6326441287 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -2558,14 +2558,14 @@ filebeat.modules: # The header Zoom uses to send its secret token, defaults to "Authorization" #secret.header: Authorization - # The secret token value created by Zoom - #secret.value: ZOOMTOKEN + # The custom secret token value created when configuring the Zoom webhook + #secret.value: my-custom-value # Enable the CRC webhook validation #crc.enabled: false # The secret token value provided by Zoom for CRC validation - #crc.secret: ZOOMTOKEN + #crc.secret: ZOOMSECRETTOKEN #----------------------------- Zscaler NSS Module ----------------------------- - module: zscaler diff --git a/x-pack/filebeat/module/zoom/_meta/config.yml b/x-pack/filebeat/module/zoom/_meta/config.yml index 7f99fc1d0b7..f996405689a 100644 --- a/x-pack/filebeat/module/zoom/_meta/config.yml +++ b/x-pack/filebeat/module/zoom/_meta/config.yml @@ -15,11 +15,11 @@ # The header Zoom uses to send its secret token, defaults to "Authorization" #secret.header: Authorization - # The secret token value created by Zoom - #secret.value: ZOOMTOKEN + # The custom secret token value created when configuring the Zoom webhook + #secret.value: my-custom-value # Enable the CRC webhook validation #crc.enabled: false # The secret token value provided by Zoom for CRC validation - #crc.secret: ZOOMTOKEN + #crc.secret: ZOOMSECRETTOKEN diff --git a/x-pack/filebeat/module/zoom/_meta/docs.asciidoc b/x-pack/filebeat/module/zoom/_meta/docs.asciidoc index 3d6da1e3b21..28236e17140 100644 --- a/x-pack/filebeat/module/zoom/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/zoom/_meta/docs.asciidoc 
@@ -22,7 +22,7 @@ include::../include/config-option-intro.asciidoc[] [float] ==== `webhook` fileset settings -When a webhook integration is created on Zoom, it will show a special token used to ensure that filebeat only handles HTTP requests from the correct source. +When a webhook integration is created on Zoom, you can create a custom header to verify webhook events. See https://developers.zoom.us/docs/api/rest/webhook-reference/#custom-header[Custom Header] for more information about this process. This is configured with the `secret.header` and `secret.value` settings as shown below. On the other hand, Zoom also requires webhook validation for created or modified webhooks after October, 2022. This follows a challenge-response check (CRC) algorithm which is configured with the `crc.enabled` and `crc.secret` settings. Learn more about it at https://developers.zoom.us/docs/api/rest/webhook-reference/#validate-your-webhook-endpoint[Validate your webhook endpoint]. @@ -37,10 +37,10 @@ Example config: var.input: http_endpoint var.listen_address: 0.0.0.0 var.listen_port: 8080 - var.secret.header: Authorization - var.secret.value: ZOOMTOKEN + var.secret.header: x-my-custom-key + var.secret.value: my-custom-value var.crc.enabled: true - var.crc.secret: ZOOMTOKEN + var.crc.secret: ZOOMSECRETTOKEN ---- include::../include/var-paths.asciidoc[] diff --git a/x-pack/filebeat/modules.d/zoom.yml.disabled b/x-pack/filebeat/modules.d/zoom.yml.disabled index edc7809ae09..b7a5bc35a00 100644 --- a/x-pack/filebeat/modules.d/zoom.yml.disabled +++ b/x-pack/filebeat/modules.d/zoom.yml.disabled 
@@ -18,11 +18,11 @@ # The header Zoom uses to send its secret token, defaults to "Authorization" #secret.header: Authorization - # The secret token value created by Zoom - #secret.value: ZOOMTOKEN + # The custom secret token value created when configuring the Zoom webhook + #secret.value: my-custom-value # Enable the CRC webhook validation #crc.enabled: false # The secret token value provided by Zoom for CRC validation - #crc.secret: ZOOMTOKEN + #crc.secret: ZOOMSECRETTOKEN From 0825cf9394a40640415baecb976c6777eea27e1b Mon Sep 17 00:00:00 2001 From: chemamartinez Date: Thu, 1 Jun 2023 11:43:20 +0200 Subject: [PATCH 5/6] Update codeowners for x-pack/filebeat/modules.d/zoom.yml.disabled --- .github/CODEOWNERS | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 8f61f89cfcf..8fa8f044caf 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -141,6 +141,7 @@ CHANGELOG* /x-pack/filebeat/module/zookeeper @elastic/integrations /x-pack/filebeat/module/zoom @elastic/security-external-integrations /x-pack/filebeat/module/zscaler @elastic/security-external-integrations +/x-pack/filebeat/modules.d/zoom.yml.disabled @elastic/security-external-integrations /x-pack/filebeat/processors/decode_cef/ @elastic/security-external-integrations /x-pack/heartbeat/ @elastic/uptime /x-pack/metricbeat/ @elastic/elastic-agent-data-plane From 6d33699b75233c032d74022891eda937dfb70884 Mon Sep 17 00:00:00 2001 From: chemamartinez Date: Thu, 1 Jun 2023 14:16:11 +0200 Subject: [PATCH 6/6] Update legacy zoom module documentation --- filebeat/docs/modules/zoom.asciidoc | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/filebeat/docs/modules/zoom.asciidoc b/filebeat/docs/modules/zoom.asciidoc index e55e5934c2d..7e0685dfe87 100644 --- a/filebeat/docs/modules/zoom.asciidoc +++ b/filebeat/docs/modules/zoom.asciidoc 
@@ -29,9 +29,11 @@ include::../include/config-option-intro.asciidoc[] [float] ==== `webhook` fileset settings -When a webhook integration is created on Zoom, it will show a special token used to ensure that filebeat only handles HTTP requests from the correct source. +When a webhook integration is created on Zoom, you can create a custom header to verify webhook events. See https://developers.zoom.us/docs/api/rest/webhook-reference/#custom-header[Custom Header] for more information about this process. This is configured with the `secret.header` and `secret.value` settings as shown below. +On the other hand, Zoom also requires webhook validation for created or modified webhooks after October, 2022. This follows a challenge-response check (CRC) algorithm which is configured with the `crc.enabled` and `crc.secret` settings. Learn more about it at https://developers.zoom.us/docs/api/rest/webhook-reference/#validate-your-webhook-endpoint[Validate your webhook endpoint]. + Example config: [source,yaml] @@ -42,8 +44,10 @@ Example config: var.input: http_endpoint var.listen_address: 0.0.0.0 var.listen_port: 8080 - var.secret.header: Authorization - var.secret.value: ZOOMTOKEN + var.secret.header: x-my-custom-key + var.secret.value: my-custom-value + var.crc.enabled: true + var.crc.secret: ZOOMSECRETTOKEN ---- include::../include/var-paths.asciidoc[]