[Filebeat] Adds oauth2 support for httpjson input

[marc-gr]

What does this PR do?

Adds oauth2 support to filebeat HTTPJSON input.

Why is it important?

This will let us pull data from oauth2 authenticated sources, like AzureAD or GSuite.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
  I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

Closes #18415

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[elasticmachine]

💚 Build Succeeded

Expand to view the summary

Build stats

• Build Cause: [Pull request #18892 updated]

• Start Time: 2020-06-09T09:20:52.521+0000

• Duration: 85 min 1 sec

Test stats 🧪

Test	Results
Failed	0
Passed	9431
Skipped	1574
Total	11005

Steps errors

Expand to view the steps failures

• Name: Report to Codecov

  • Description: curl -sSLo codecov https://codecov.io/bash for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat do FILE="${i}/build/coverage/full.cov" if [ -f "${FILE}" ]; then bash codecov -f "${FILE}" fi done

  • Duration: 2 min 22 sec

  • Start Time: 2020-06-09T10:05:21.006+0000

  • log

[P1llus]

Just my 2 cents, rest looks good from our testing

[marc-gr]

@P1llus please take a look to see if this looks somehow good. I scoped the provider specific options with google_ azure_ etc. to make it easy to grasp while reading the config or setting it, even though I do not have strong feelings towards doing it or not. If it feels good will move on with testing, docs etc.

[P1llus]

Just a small question, rest LGTM :)

[andrewkroh]

Just a little early feedback. Looks like it coming along well.

[andrewkroh]

Suggested change

	if c.OAuth2 != nil {
	if c.OAuth2.IsEnabled() {

[marc-gr]

Here I followed the same pattern as Pagination, which checks for it being enabled at the moment of using it, but still validates its config. To me it kind of made sense since even if disabled a user needs to introduce a valid config for it. Otherwise I would change also how Pagination is handled just to be consistent here and check for IsEnabled in both config validation and usage. WDYT?

[andrewkroh]

I think using IsEnabled() is correct now that you've refactored it a bit (before you we're correct). For example it would be invalid to use api_key or authentication only when oauth is enabled.

[marc-gr]

Good point! 👍

[P1llus]

Added one comment, rest LGTM

[P1llus]

Could you add validation for any raw json strings in your config? Example from my http_endpoint input:

func (c *config) Validate() error {
	if !json.Valid([]byte(c.ResponseBody)) {
		return errors.New("response_body must be valid JSON")
	}

	return nil
}

[marc-gr]

Added it in the places where it is expected: https://github.com/elastic/beats/pull/18892/files#diff-e3d27d33f878a5fb0a720224c80ad7aaR135 and https://github.com/elastic/beats/pull/18892/files#diff-e3d27d33f878a5fb0a720224c80ad7aaR171

[andrewkroh]

I like having a case OAuth2ProviderDefault, OAuth2ProviderAzure: and then an explicit default: case that returns an error. Then we know every case is covered or it results in a error.

[andrewkroh]

I'd like to minimize the use of api_key and possibly deprecate it soon because you can just use http_headers. Having two ways to configure something usually leads to confusion and more edge cases to test. So can you leave this example out?

[andrewkroh]

This and some of the other NOTEs can be incorporated into the paragraph. NOTEs get some special rendering and I'd reserve them for exceptional cases where the behavior might not be what the user expected.

[andrewkroh]

Maybe "For Azure either token_url or azure.tenant_id is required." From looking at the validation it looks like one or the other is required.

[andrewkroh]

Suggested change

	https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
	https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal.

[andrewkroh]

I think using IsEnabled() is correct now that you've refactored it a bit (before you we're correct). For example it would be invalid to use api_key or authentication only when oauth is enabled.

[andrewkroh]

I'm really happy to have all the new test cases. I'm not keen on the numerical naming pattern that got established here. Maybe break from this pattern for the new tests. I'd prefer something that describes the requirements/assertion being made about the code (e.g. TestConfigValidateRequiresCreds or use TestConfigValidate with t.Run("validate requires credentials", func(...)).

[marc-gr]

Moved the config tests from TestConfigValidateNN to a table test. Also changed config.Validate to use IsEnabled and added an extra test for it. Did some changes on the docs, please tell me if you think they need any more 👍

[P1llus]

LGTM, I got nothing more to add than what Andrew already mentioned

[andrewkroh]

LGTM