Cherry-pick elastic#18991 to 7.7: Fix translate_sid's empty target fi…

…eld handling (elastic#19085) The translate_sid processor only requires one of the three target fields to be configured. It should work properly when some of the targets are not set, but it doesn't check if the are empty strings. So it ends up adding target fields that are empty strings to the event (e.g. "": "Group"). Closes elastic#18990 (cherry picked from commit 4b19f09)
leweafan · Jun 10, 2020 · 033d688 · 033d688
1 parent ba31e6d
commit 033d688
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 6 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -70,6 +70,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Gives monitoring reporter hosts, if configured, total precedence over corresponding output hosts. {issue}17937[17937] {pull}17991[17991]
 - Fix `keystore add` hanging under Windows. {issue}18649[18649] {pull}18654[18654]
 - Fix regression in `add_kubernetes_metadata`, so configured `indexers` and `matchers` are used if defaults are not disabled. {issue}18481[18481] {pull}18818[18818]
+- Fix the `translate_sid` processor's handling of unconfigured target fields. {issue}18990[18990] {pull}18991[18991]
 - Fixed a service restart failure under Windows. {issue}18914[18914] {pull}18916[18916]
 
 *Auditbeat*

diff --git a/libbeat/processors/translate_sid/translatesid.go b/libbeat/processors/translate_sid/translatesid.go
@@ -111,14 +111,20 @@ func (p *processor) translateSID(event *beat.Event) error {
 
 	// Do all operations even if one fails.
 	var errs []error
-	if _, err = event.PutValue(p.AccountNameTarget, account); err != nil {
-		errs = append(errs, err)
+	if p.AccountNameTarget != "" {
+		if _, err = event.PutValue(p.AccountNameTarget, account); err != nil {
+			errs = append(errs, err)
+		}
 	}
-	if _, err = event.PutValue(p.AccountTypeTarget, sys.SIDType(accountType).String()); err != nil {
-		errs = append(errs, err)
+	if p.AccountTypeTarget != "" {
+		if _, err = event.PutValue(p.AccountTypeTarget, sys.SIDType(accountType).String()); err != nil {
+			errs = append(errs, err)
+		}
 	}
-	if _, err = event.PutValue(p.DomainTarget, domain); err != nil {
-		errs = append(errs, err)
+	if p.DomainTarget != "" {
+		if _, err = event.PutValue(p.DomainTarget, domain); err != nil {
+			errs = append(errs, err)
+		}
 	}
 	return multierr.Combine(errs...)
 }
diff --git a/libbeat/processors/translate_sid/translatesid_test.go b/libbeat/processors/translate_sid/translatesid_test.go
@@ -25,6 +25,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"golang.org/x/sys/windows"
 
 	"github.com/elastic/beats/v7/libbeat/beat"
@@ -83,6 +84,41 @@ func TestTranslateSID(t *testing.T) {
 	}
 }
 
+func TestTranslateSIDEmptyTarget(t *testing.T) {
+	c := defaultConfig()
+	c.Field = "sid"
+
+	evt := &beat.Event{Fields: map[string]interface{}{
+		"sid": "S-1-5-32-544",
+	}}
+
+	tests := []struct {
+		Name   string
+		Config config
+	}{
+		{"account_name", config{Field: "sid", AccountNameTarget: "account_name"}},
+		{"account_type", config{Field: "sid", AccountTypeTarget: "account_type"}},
+		{"domain", config{Field: "sid", DomainTarget: "domain"}},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.Name, func(t *testing.T) {
+			p, err := newFromConfig(tc.Config)
+			require.NoError(t, err)
+
+			evt, err := p.Run(&beat.Event{Fields: evt.Fields.Clone()})
+			require.NoError(t, err)
+
+			// Verify that only the configured target field is set.
+			// And ensure that no empty string keys are used.
+			assert.Len(t, evt.Fields, 2)
+			assert.Contains(t, evt.Fields, tc.Name)
+			assert.NotContains(t, evt.Fields, "")
+		})
+	}
+}
+
 func BenchmarkProcessor_Run(b *testing.B) {
 	p, err := newFromConfig(config{
 		Field:             "sid",