Skip to content

Commit

Permalink
x-pack/filebeat/input/entityanalytics/provider/azuread: fix query han…
Browse files Browse the repository at this point in the history
…dling (#39420)
  • Loading branch information
efd6 authored May 8, 2024
1 parent b6b4280 commit f5bb642
Show file tree
Hide file tree
Showing 3 changed files with 15 additions and 11 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -144,6 +144,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
- Restore netflow input on Windows {pull}39024[39024]
- Upgrade azure-event-hubs-go and azure-storage-blob-go dependencies. {pull}38861[38861]
- Fix concurrency/error handling bugs in the AWS S3 input that could drop data and prevent ingestion of large buckets. {pull}39131[39131]
- Fix EntraID query handling. {issue}39419[39419] {pull}39420[39420]

*Heartbeat*

Expand Down
3 changes: 2 additions & 1 deletion x-pack/filebeat/input/awss3/input_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,9 @@ import (
"errors"
"testing"

aws "github.com/elastic/beats/v7/x-pack/libbeat/common/aws"
"github.com/stretchr/testify/assert"

aws "github.com/elastic/beats/v7/x-pack/libbeat/common/aws"
)

func TestGetProviderFromDomain(t *testing.T) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,9 +31,10 @@ import (
const (
defaultAPIEndpoint = "https://graph.microsoft.com/v1.0"

defaultGroupsQuery = "$select=displayName,members"
defaultUsersQuery = "$select=accountEnabled,userPrincipalName,mail,displayName,givenName,surname,jobTitle,officeLocation,mobilePhone,businessPhones"
defaultDevicesQuery = "$select=accountEnabled,deviceId,displayName,operatingSystem,operatingSystemVersion,physicalIds,extensionAttributes,alternativeSecurityIds"
queryName = "$select"
defaultGroupsQuery = "displayName,members"
defaultUsersQuery = "accountEnabled,userPrincipalName,mail,displayName,givenName,surname,jobTitle,officeLocation,mobilePhone,businessPhones"
defaultDevicesQuery = "accountEnabled,deviceId,displayName,operatingSystem,operatingSystemVersion,physicalIds,extensionAttributes,alternativeSecurityIds"

apiGroupType = "#microsoft.graph.group"
apiUserType = "#microsoft.graph.user"
Expand Down Expand Up @@ -353,21 +354,21 @@ func New(cfg *config.C, logger *logp.Logger, auth authenticator.Authenticator) (
if err != nil {
return nil, fmt.Errorf("invalid groups URL endpoint: %w", err)
}
groupsURL.RawQuery = url.QueryEscape(formatQuery(c.Select.GroupQuery, defaultGroupsQuery))
groupsURL.RawQuery = formatQuery(queryName, c.Select.GroupQuery, defaultGroupsQuery)
f.groupsURL = groupsURL.String()

usersURL, err := url.Parse(f.conf.APIEndpoint + "/users/delta")
if err != nil {
return nil, fmt.Errorf("invalid users URL endpoint: %w", err)
}
usersURL.RawQuery = url.QueryEscape(formatQuery(c.Select.UserQuery, defaultUsersQuery))
usersURL.RawQuery = formatQuery(queryName, c.Select.UserQuery, defaultUsersQuery)
f.usersURL = usersURL.String()

devicesURL, err := url.Parse(f.conf.APIEndpoint + "/devices/delta")
if err != nil {
return nil, fmt.Errorf("invalid devices URL endpoint: %w", err)
}
devicesURL.RawQuery = url.QueryEscape(formatQuery(c.Select.DeviceQuery, defaultDevicesQuery))
devicesURL.RawQuery = formatQuery(queryName, c.Select.DeviceQuery, defaultDevicesQuery)
f.devicesURL = devicesURL.String()

// The API takes a departure from the query approach here, so we
Expand All @@ -382,11 +383,12 @@ func New(cfg *config.C, logger *logp.Logger, auth authenticator.Authenticator) (
return &f, nil
}

func formatQuery(query []string, dflt string) string {
if len(query) == 0 {
return dflt
func formatQuery(name string, query []string, dflt string) string {
q := dflt
if len(query) != 0 {
q = strings.Join(query, ",")
}
return "$select=" + strings.Join(query, ",")
return url.Values{name: []string{q}}.Encode()
}

// newUserFromAPI translates an API-representation of a user to a fetcher.User.
Expand Down

0 comments on commit f5bb642

Please sign in to comment.