Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

in_splunk: splunk token validation must be case-insensitive #9518

Merged
merged 1 commit into from
Nov 14, 2024

Conversation

lecaros
Copy link
Contributor

@lecaros lecaros commented Oct 23, 2024

Changes validation of received Splunk token to be case-insensitive, as the Splunk HEC does.

fixes #9517

Backporting


Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

…at's the behavior from Splunk HEC

Signed-off-by: lecaros <[email protected]>
@edsiper
Copy link
Member

edsiper commented Oct 23, 2024

@lecaros where we can confirm in Splunk docs that indeed auth token are not case sensitive ? (it does not sound normal since it's a security mechanism)

@lecaros
Copy link
Contributor Author

lecaros commented Oct 23, 2024

@edsiper I agree on that, it's way easier to break it if it's case-insensitive.
I was looking into the docs, but couldn't find anything explicitly saying that.
https://docs.splunk.com/Documentation/Splunk/9.3.1/Data/UsetheHTTPEventCollector
https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/CreateAuthTokens

However, I confirmed the behavior using latest image of Splunk, as explained in the repro.
If we don't want to do that, then we just need to update the docs instead of mirroring what Splunk is doing.

@cosmo0920
Copy link
Contributor

Or, should we provide case-sensitive or case-insensitive option on in_splunk? This could preserve backward compatibility.

@cosmo0920 cosmo0920 modified the milestone: Fluent Bit v3.2.0 Nov 6, 2024
@lecaros
Copy link
Contributor Author

lecaros commented Nov 7, 2024

As per Splunk docs, the tokens are GUID (UUID).

it generates the token in the form of a globally unique identifier (GUID)

https://docs.splunk.com/Documentation/Splunk/latest/Data/FormateventsforHTTPEventCollector

Based on RFC 9562, these are hexadecimal representations and, therefore, are case-insensitive.

Note that the alphabetic characters may be all uppercase, all lowercase, or mixed case, as per Section 2.3 of [RFC5234]. An example UUID using this textual representation from the above ABNF is shown in Figure 1.

https://datatracker.ietf.org/doc/html/rfc9562

@edsiper @cosmo0920, please let me know if this makes sense.

@cosmo0920
Copy link
Contributor

https://datatracker.ietf.org/doc/html/rfc9562

@edsiper @cosmo0920, please let me know if this makes sense.

From the RFC:

UUIDs MAY be represented as binary data or integers. When in use with URNs or as text in applications, any given UUID should be represented by the "hex-and-dash" string format consisting of multiple groups of uppercase or lowercase alphanumeric hexadecimal characters separated by single dashes/hyphens. When used with databases, please refer to Section 6.13.

Yes, it makes sense to me.

@lecaros
Copy link
Contributor Author

lecaros commented Nov 13, 2024

ping @edsiper. This is the one we discussed today.
Backport is here

@edsiper edsiper merged commit c290f27 into master Nov 14, 2024
49 checks passed
@edsiper edsiper deleted the lecaros-fix-splunk-token-compare branch November 14, 2024 15:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Splunk input plugin token validation is case-sensitive, the Splunk HEC is not. It should be consistent
3 participants