From 3dbd1d802403822fa2f4d2ca96f6359e156ff596 Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Tue, 28 May 2024 13:42:19 +0900 Subject: [PATCH 1/7] in_splunk: Add switch for storing splunk token in metadata or records Signed-off-by: Hiroshi Hatake --- plugins/in_splunk/splunk.c | 12 +++++ plugins/in_splunk/splunk.h | 2 + plugins/in_splunk/splunk_prot.c | 89 +++++++++++++++++++++++++-------- 3 files changed, 82 insertions(+), 21 deletions(-) diff --git a/plugins/in_splunk/splunk.c b/plugins/in_splunk/splunk.c index 1511a8ff31d..a2dfdff8810 100644 --- a/plugins/in_splunk/splunk.c +++ b/plugins/in_splunk/splunk.c @@ -236,6 +236,18 @@ static struct flb_config_map config_map[] = { "Set valid Splunk HEC tokens for the requests" }, + { + FLB_CONFIG_MAP_BOOL, "store_token_to_metadata", "true", + 0, FLB_TRUE, offsetof(struct flb_splunk, store_token_to_metadata), + "Store Splunk HEC tokens to matadata. If set as false, they will be stored into records." + }, + + { + FLB_CONFIG_MAP_STR, "splunk_token_key", "@splunk_token", + 0, FLB_TRUE, offsetof(struct flb_splunk, store_token_key), + "Set a record key for storing Splunk HEC token for the request" + }, + { FLB_CONFIG_MAP_STR, "tag_key", NULL, 0, FLB_TRUE, offsetof(struct flb_splunk, tag_key), diff --git a/plugins/in_splunk/splunk.h b/plugins/in_splunk/splunk.h index ac811e962f8..3b919b87e84 100644 --- a/plugins/in_splunk/splunk.h +++ b/plugins/in_splunk/splunk.h @@ -43,6 +43,8 @@ struct flb_splunk { /* Token Auth */ flb_sds_t auth_header; flb_sds_t ingested_auth_header; + int store_token_to_metadata; + flb_sds_t store_token_key; struct flb_log_event_encoder log_encoder; diff --git a/plugins/in_splunk/splunk_prot.c b/plugins/in_splunk/splunk_prot.c index f59ebddc330..fd9ca012926 100644 --- a/plugins/in_splunk/splunk_prot.c +++ b/plugins/in_splunk/splunk_prot.c @@ -226,19 +226,36 @@ static int process_raw_payload_pack(struct flb_splunk *ctx, flb_sds_t tag, char ret = flb_log_event_encoder_set_current_timestamp(&ctx->log_encoder); } - if (ret == FLB_EVENT_ENCODER_SUCCESS) { - ret = flb_log_event_encoder_append_body_values( - &ctx->log_encoder, - FLB_LOG_EVENT_CSTRING_VALUE("log"), - FLB_LOG_EVENT_STRING_VALUE(buf, size)); + if (ctx->store_token_to_metadata == FLB_TRUE) { + if (ret == FLB_EVENT_ENCODER_SUCCESS) { + ret = flb_log_event_encoder_append_body_values( + &ctx->log_encoder, + FLB_LOG_EVENT_CSTRING_VALUE("log"), + FLB_LOG_EVENT_STRING_VALUE(buf, size)); + } } - if (ctx->ingested_auth_header != NULL) { - if (ret == FLB_EVENT_ENCODER_SUCCESS) { - ret = flb_log_event_encoder_append_metadata_values( - &ctx->log_encoder, - FLB_LOG_EVENT_CSTRING_VALUE("hec_token"), - FLB_LOG_EVENT_CSTRING_VALUE(ctx->ingested_auth_header)); + if (ctx->store_token_to_metadata == FLB_TRUE) { + if (ctx->ingested_auth_header != NULL) { + if (ret == FLB_EVENT_ENCODER_SUCCESS) { + ret = flb_log_event_encoder_append_metadata_values( + &ctx->log_encoder, + FLB_LOG_EVENT_CSTRING_VALUE("hec_token"), + FLB_LOG_EVENT_CSTRING_VALUE(ctx->ingested_auth_header)); + } + } + } + else { + if (ctx->ingested_auth_header != NULL) { + if (ret == FLB_EVENT_ENCODER_SUCCESS) { + ret = flb_log_event_encoder_append_body_values( + &ctx->log_encoder, + FLB_LOG_EVENT_CSTRING_VALUE(ctx->store_token_key), + FLB_LOG_EVENT_CSTRING_VALUE(ctx->ingested_auth_header), + FLB_LOG_EVENT_CSTRING_VALUE("log"), + FLB_LOG_EVENT_STRING_VALUE(buf, size)); + + } } } @@ -275,6 +292,8 @@ static void process_flb_log_append(struct flb_splunk *ctx, msgpack_object *recor flb_sds_t tag, flb_sds_t tag_from_record, struct flb_time tm) { int ret; + int i; + msgpack_object_kv *kv; ret = flb_log_event_encoder_begin_record(&ctx->log_encoder); @@ -284,18 +303,46 @@ static void process_flb_log_append(struct flb_splunk *ctx, msgpack_object *recor &tm); } - if (ret == FLB_EVENT_ENCODER_SUCCESS) { - ret = flb_log_event_encoder_set_body_from_msgpack_object( - &ctx->log_encoder, - record); + if (ctx->store_token_to_metadata == FLB_TRUE) { + if (ret == FLB_EVENT_ENCODER_SUCCESS) { + ret = flb_log_event_encoder_set_body_from_msgpack_object( + &ctx->log_encoder, + record); + } + + if (ctx->ingested_auth_header != NULL) { + if (ret == FLB_EVENT_ENCODER_SUCCESS) { + ret = flb_log_event_encoder_append_metadata_values( + &ctx->log_encoder, + FLB_LOG_EVENT_CSTRING_VALUE("hec_token"), + FLB_LOG_EVENT_CSTRING_VALUE(ctx->ingested_auth_header)); + } + } } + else { + if (ctx->ingested_auth_header != NULL) { + /* iterate through the old record map to create the appendable new buffer */ + kv = record->via.map.ptr; + for(i = 0; i < record->via.map.size && ret == FLB_EVENT_ENCODER_SUCCESS; i++) { + ret = flb_log_event_encoder_append_body_values( + &ctx->log_encoder, + FLB_LOG_EVENT_MSGPACK_OBJECT_VALUE(&kv[i].key), + FLB_LOG_EVENT_MSGPACK_OBJECT_VALUE(&kv[i].val)); + } - if (ctx->ingested_auth_header != NULL) { - if (ret == FLB_EVENT_ENCODER_SUCCESS) { - ret = flb_log_event_encoder_append_metadata_values( - &ctx->log_encoder, - FLB_LOG_EVENT_CSTRING_VALUE("hec_token"), - FLB_LOG_EVENT_CSTRING_VALUE(ctx->ingested_auth_header)); + if (ret == FLB_EVENT_ENCODER_SUCCESS) { + ret = flb_log_event_encoder_append_body_values( + &ctx->log_encoder, + FLB_LOG_EVENT_CSTRING_VALUE(ctx->store_token_key), + FLB_LOG_EVENT_CSTRING_VALUE(ctx->ingested_auth_header)); + } + } + else { + if (ret == FLB_EVENT_ENCODER_SUCCESS) { + ret = flb_log_event_encoder_set_body_from_msgpack_object( + &ctx->log_encoder, + record); + } } } From 5aa9b99ccc573ef7283081aed179c84243d10877 Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Wed, 29 May 2024 19:27:41 +0900 Subject: [PATCH 2/7] in_splunk: test: Add tests for injecting HEC tokens into records case In metadata case, we didn't support for formatting metadata in out_lib. So, we didn't write down the tests for them. Signed-off-by: Hiroshi Hatake --- tests/runtime/in_splunk.c | 102 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 102 insertions(+) diff --git a/tests/runtime/in_splunk.c b/tests/runtime/in_splunk.c index bba4977c4c9..e50d658498a 100644 --- a/tests/runtime/in_splunk.c +++ b/tests/runtime/in_splunk.c @@ -810,6 +810,106 @@ void flb_test_splunk_collector_raw_multilines_gzip() flb_test_splunk_raw_multilines_gzip(8815); } +#define SPLUNK_HEC_TOKEN "Splunk b386261b-d949-411a-b4e8-0103211aa7ae" + +void flb_test_splunk_auth_header(int port, char *endpoint) +{ + struct flb_lib_out_cb cb_data; + struct test_ctx *ctx; + struct flb_http_client *c; + int ret; + int num; + size_t b_sent; + char *buf = "{\"event\": \"Pony 1 has left the barn\"}{\"event\": \"Pony 2 has left the barn\"}{\"event\": \"Pony 3 has left the barn\", \"nested\": {\"key1\": \"value1\"}}"; + char *expected = "\"@splunk_token\":"; + char sport[16]; + flb_sds_t target; + + target = flb_sds_create_size(64); + flb_sds_cat(target, endpoint, strlen(endpoint)); + + snprintf(sport, 16, "%d", port); + + clear_output_num(); + + cb_data.cb = cb_check_result_json; + cb_data.data = expected; + + ctx = test_ctx_create(&cb_data); + if (!TEST_CHECK(ctx != NULL)) { + TEST_MSG("test_ctx_create failed"); + exit(EXIT_FAILURE); + } + + ret = flb_input_set(ctx->flb, ctx->i_ffd, + "port", sport, + NULL); + TEST_CHECK(ret == 0); + ret = flb_input_set(ctx->flb, ctx->i_ffd, + "store_token_to_metadata", "false", + NULL); + TEST_CHECK(ret == 0); + + ret = flb_output_set(ctx->flb, ctx->o_ffd, + "match", "*", + "format", "json", + NULL); + TEST_CHECK(ret == 0); + + /* Start the engine */ + ret = flb_start(ctx->flb); + TEST_CHECK(ret == 0); + + ctx->httpc = splunk_client_ctx_create(port); + TEST_CHECK(ctx->httpc != NULL); + + c = flb_http_client(ctx->httpc->u_conn, FLB_HTTP_POST, target, buf, strlen(buf), + "127.0.0.1", port, NULL, 0); + ret = flb_http_add_header(c, FLB_HTTP_HEADER_CONTENT_TYPE, strlen(FLB_HTTP_HEADER_CONTENT_TYPE), + JSON_CONTENT_TYPE, strlen(JSON_CONTENT_TYPE)); + TEST_CHECK(ret == 0); + ret = flb_http_add_header(c, FLB_HTTP_HEADER_AUTH, strlen(FLB_HTTP_HEADER_AUTH), + SPLUNK_HEC_TOKEN, strlen(SPLUNK_HEC_TOKEN)); + TEST_CHECK(ret == 0); + if (!TEST_CHECK(c != NULL)) { + TEST_MSG("splunk_client failed"); + exit(EXIT_FAILURE); + } + + ret = flb_http_do(c, &b_sent); + if (!TEST_CHECK(ret == 0)) { + TEST_MSG("ret error. ret=%d\n", ret); + } + else if (!TEST_CHECK(b_sent > 0)){ + TEST_MSG("b_sent size error. b_sent = %lu\n", b_sent); + } + else if (!TEST_CHECK(c->resp.status == 200)) { + TEST_MSG("http response code error. expect: 200, got: %d\n", c->resp.status); + } + + /* waiting to flush */ + flb_time_msleep(1500); + + num = get_output_num(); + if (!TEST_CHECK(num > 0)) { + TEST_MSG("no outputs"); + } + flb_sds_destroy(target); + flb_http_client_destroy(c); + flb_upstream_conn_release(ctx->httpc->u_conn); + test_ctx_destroy(ctx); +} + +void flb_test_splunk_collector_event_hec_token_key() +{ + flb_test_splunk_auth_header(8816, "/services/collector/event"); +} + +void flb_test_splunk_collector_raw_hec_token_key() +{ + flb_test_splunk_auth_header(8817, "/services/collector/raw"); +} + TEST_LIST = { {"health", flb_test_splunk_health}, {"collector", flb_test_splunk_collector}, @@ -820,5 +920,7 @@ TEST_LIST = { {"collector_event_gzip", flb_test_splunk_collector_event_gzip}, {"collector_raw_multilines_gzip", flb_test_splunk_collector_raw_multilines_gzip}, {"tag_key", flb_test_splunk_tag_key}, + {"collector_event_with_auth_key", flb_test_splunk_collector_event_hec_token_key}, + {"collector_raw_with_auth_key", flb_test_splunk_collector_raw_hec_token_key}, {NULL, NULL} }; From 8e004d495b33ca047d38eea2899815a438af6f29 Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Thu, 30 May 2024 19:49:10 +0900 Subject: [PATCH 3/7] in_splunk: Handle multiple HEC tokens with comma Signed-off-by: Hiroshi Hatake --- plugins/in_splunk/splunk.h | 7 ++- plugins/in_splunk/splunk_config.c | 87 ++++++++++++++++++++++++------- plugins/in_splunk/splunk_prot.c | 44 ++++++++++------ 3 files changed, 100 insertions(+), 38 deletions(-) diff --git a/plugins/in_splunk/splunk.h b/plugins/in_splunk/splunk.h index 3b919b87e84..3e795cc0484 100644 --- a/plugins/in_splunk/splunk.h +++ b/plugins/in_splunk/splunk.h @@ -32,6 +32,11 @@ #define HTTP_BUFFER_MAX_SIZE "4M" #define HTTP_BUFFER_CHUNK_SIZE "512K" +struct flb_splunk_tokens { + flb_sds_t header; + struct mk_list _head; +}; + struct flb_splunk { flb_sds_t listen; flb_sds_t tcp_port; @@ -41,7 +46,7 @@ struct flb_splunk { struct mk_list *success_headers; /* Token Auth */ - flb_sds_t auth_header; + struct mk_list auth_tokens; flb_sds_t ingested_auth_header; int store_token_to_metadata; flb_sds_t store_token_key; diff --git a/plugins/in_splunk/splunk_config.c b/plugins/in_splunk/splunk_config.c index a6e5562e772..9bcfdff2a00 100644 --- a/plugins/in_splunk/splunk_config.c +++ b/plugins/in_splunk/splunk_config.c @@ -24,6 +24,66 @@ #include "splunk_conn.h" #include "splunk_config.h" +static void delete_hec_tokens(struct flb_splunk *ctx) +{ + struct mk_list *tmp; + struct mk_list *head; + struct flb_splunk_tokens *splunk_token; + + mk_list_foreach_safe(head, tmp, &ctx->auth_tokens) { + splunk_token = mk_list_entry(head, struct flb_splunk_tokens, _head); + flb_sds_destroy(splunk_token->header); + mk_list_del(&splunk_token->_head); + flb_free(&splunk_token); + } +} + +static int setup_hec_tokens(struct flb_splunk *ctx) +{ + int ret; + const char *tmp; + char *tmp_tokens; + char *token; + flb_sds_t auth_header; + struct flb_splunk_tokens *splunk_token; + + tmp = flb_input_get_property("splunk_token", ctx->ins); + if (tmp) { + tmp_tokens = flb_strdup(tmp); + + token = strtok(tmp_tokens, ","); + while (token) { + auth_header = flb_sds_create("Splunk "); + if (auth_header == NULL) { + flb_plg_error(ctx->ins, "error on prefix of auth_header generation"); + return -1; + } + + ret = flb_sds_cat_safe(&auth_header, tmp, strlen(tmp)); + if (ret < 0) { + flb_plg_error(ctx->ins, "error on token generation"); + return -1; + } + + /* Create a new token */ + splunk_token = flb_malloc(sizeof(struct flb_splunk_tokens)); + if (!splunk_token) { + flb_errno(); + return -1; + } + + splunk_token->header = auth_header; + + /* Link to parent list */ + mk_list_add(&splunk_token->_head, &ctx->auth_tokens); + + token = strtok(NULL, ","); + } + } + + return 0; +} + struct flb_splunk *splunk_config_create(struct flb_input_instance *ins) { struct mk_list *header_iterator; @@ -33,7 +93,6 @@ struct flb_splunk *splunk_config_create(struct flb_input_instance *ins) char port[8]; int ret; struct flb_splunk *ctx; - const char *tmp; ctx = flb_calloc(1, sizeof(struct flb_splunk)); if (!ctx) { @@ -42,6 +101,7 @@ struct flb_splunk *splunk_config_create(struct flb_input_instance *ins) } ctx->ins = ins; mk_list_init(&ctx->connections); + mk_list_init(&ctx->auth_tokens); /* Load the config map */ ret = flb_input_config_map_set(ins, (void *) ctx); @@ -50,22 +110,12 @@ struct flb_splunk *splunk_config_create(struct flb_input_instance *ins) return NULL; } - ctx->auth_header = NULL; ctx->ingested_auth_header = NULL; - tmp = flb_input_get_property("splunk_token", ins); - if (tmp) { - ctx->auth_header = flb_sds_create("Splunk "); - if (ctx->auth_header == NULL) { - flb_plg_error(ctx->ins, "error on prefix of auth_header generation"); - splunk_config_destroy(ctx); - return NULL; - } - ret = flb_sds_cat_safe(&ctx->auth_header, tmp, strlen(tmp)); - if (ret < 0) { - flb_plg_error(ctx->ins, "error on token generation"); - splunk_config_destroy(ctx); - return NULL; - } + + ret = setup_hec_tokens(ctx); + if (ret != 0) { + splunk_config_destroy(ctx); + return NULL; } /* Listen interface (if not set, defaults to 0.0.0.0:8088) */ @@ -161,10 +211,6 @@ int splunk_config_destroy(struct flb_splunk *ctx) ctx->collector_id = -1; } - if (ctx->auth_header != NULL) { - flb_sds_destroy(ctx->auth_header); - } - if (ctx->downstream != NULL) { flb_downstream_destroy(ctx->downstream); } @@ -181,6 +227,7 @@ int splunk_config_destroy(struct flb_splunk *ctx) flb_sds_destroy(ctx->success_headers_str); } + delete_hec_tokens(ctx); flb_free(ctx->listen); flb_free(ctx->tcp_port); diff --git a/plugins/in_splunk/splunk_prot.c b/plugins/in_splunk/splunk_prot.c index fd9ca012926..b131bad98d6 100644 --- a/plugins/in_splunk/splunk_prot.c +++ b/plugins/in_splunk/splunk_prot.c @@ -481,9 +481,12 @@ static ssize_t parse_hec_payload_json(struct flb_splunk *ctx, flb_sds_t tag, static int validate_auth_header(struct flb_splunk *ctx, struct mk_http_request *request) { + struct mk_list *tmp; + struct mk_list *head; struct mk_http_header *auth_header = NULL; + struct flb_splunk_tokens *splunk_token; - if (ctx->auth_header == NULL) { + if (mk_list_size(&ctx->auth_tokens) == 0) { return SPLUNK_AUTH_UNAUTH; } @@ -494,14 +497,16 @@ static int validate_auth_header(struct flb_splunk *ctx, struct mk_http_request * } if (auth_header != NULL && auth_header->val.len > 0) { - if (strncmp(ctx->auth_header, - auth_header->val.data, - strlen(ctx->auth_header)) == 0) { - return SPLUNK_AUTH_SUCCESS; - } - else { - return SPLUNK_AUTH_UNAUTHORIZED; + mk_list_foreach_safe(head, tmp, &ctx->auth_tokens) { + splunk_token = mk_list_entry(head, struct flb_splunk_tokens, _head); + if (strncmp(splunk_token->header, + auth_header->val.data, + strlen(splunk_token->header)) == 0) { + return SPLUNK_AUTH_SUCCESS; + } } + + return SPLUNK_AUTH_UNAUTHORIZED; } else { return SPLUNK_AUTH_MISSING_CRED; @@ -935,12 +940,15 @@ static int send_json_message_response_ng(struct flb_http_response *response, static int validate_auth_header_ng(struct flb_splunk *ctx, struct flb_http_request *request) { + struct mk_list *tmp; + struct mk_list *head; char *auth_header; + struct flb_splunk_tokens *splunk_token; - if (ctx->auth_header == NULL) { + if (mk_list_size(&ctx->auth_tokens) == 0) { return SPLUNK_AUTH_UNAUTH; } - + auth_header = flb_http_request_get_header(request, "authorization"); if (auth_header == NULL) { @@ -948,14 +956,16 @@ static int validate_auth_header_ng(struct flb_splunk *ctx, struct flb_http_reque } if (auth_header != NULL && strlen(auth_header) > 0) { - if (strncmp(ctx->auth_header, - auth_header, - strlen(ctx->auth_header)) == 0) { - return SPLUNK_AUTH_SUCCESS; - } - else { - return SPLUNK_AUTH_UNAUTHORIZED; + mk_list_foreach_safe(head, tmp, &ctx->auth_tokens) { + splunk_token = mk_list_entry(head, struct flb_splunk_tokens, _head); + if (strncmp(splunk_token->header, + auth_header, + strlen(splunk_token->header)) == 0) { + return SPLUNK_AUTH_SUCCESS; + } } + + return SPLUNK_AUTH_UNAUTHORIZED; } else { return SPLUNK_AUTH_MISSING_CRED; From 968725cdfebbebda4308006c85e95f12a54ce4ab Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Wed, 5 Jun 2024 12:50:21 +0900 Subject: [PATCH 4/7] in_splunk: test: Address comments Signed-off-by: Hiroshi Hatake --- plugins/in_splunk/splunk.c | 4 +-- plugins/in_splunk/splunk_config.c | 43 +++++++++++++++++++++---------- plugins/in_splunk/splunk_prot.c | 3 +-- tests/runtime/in_splunk.c | 2 +- 4 files changed, 33 insertions(+), 19 deletions(-) diff --git a/plugins/in_splunk/splunk.c b/plugins/in_splunk/splunk.c index a2dfdff8810..6c6555083f6 100644 --- a/plugins/in_splunk/splunk.c +++ b/plugins/in_splunk/splunk.c @@ -237,9 +237,9 @@ static struct flb_config_map config_map[] = { }, { - FLB_CONFIG_MAP_BOOL, "store_token_to_metadata", "true", + FLB_CONFIG_MAP_BOOL, "store_token_in_metadata", "true", 0, FLB_TRUE, offsetof(struct flb_splunk, store_token_to_metadata), - "Store Splunk HEC tokens to matadata. If set as false, they will be stored into records." + "Store Splunk HEC tokens in matadata. If set as false, they will be stored into records." }, { diff --git a/plugins/in_splunk/splunk_config.c b/plugins/in_splunk/splunk_config.c index 9bcfdff2a00..f291cfaf0e2 100644 --- a/plugins/in_splunk/splunk_config.c +++ b/plugins/in_splunk/splunk_config.c @@ -41,47 +41,62 @@ static void delete_hec_tokens(struct flb_splunk *ctx) static int setup_hec_tokens(struct flb_splunk *ctx) { int ret; - const char *tmp; - char *tmp_tokens; - char *token; + const char *raw_token; + struct mk_list *head = NULL; + struct mk_list *kvs = NULL; + struct flb_split_entry *cur = NULL; flb_sds_t auth_header; struct flb_splunk_tokens *splunk_token; - tmp = flb_input_get_property("splunk_token", ctx->ins); - if (tmp) { - tmp_tokens = flb_strdup(tmp); + raw_token = flb_input_get_property("splunk_token", ctx->ins); + if (raw_token) { + kvs = flb_utils_split(raw_token, ',', -1 ); + if (kvs == NULL) { + goto split_error; + } + + mk_list_foreach(head, kvs) { + cur = mk_list_entry(head, struct flb_split_entry, _head); - token = strtok(tmp_tokens, ","); - while (token) { auth_header = flb_sds_create("Splunk "); if (auth_header == NULL) { flb_plg_error(ctx->ins, "error on prefix of auth_header generation"); - return -1; + goto error; } - ret = flb_sds_cat_safe(&auth_header, tmp, strlen(tmp)); + ret = flb_sds_cat_safe(&auth_header, cur->value, strlen(cur->value)); if (ret < 0) { flb_plg_error(ctx->ins, "error on token generation"); - return -1; + goto error; } /* Create a new token */ splunk_token = flb_malloc(sizeof(struct flb_splunk_tokens)); if (!splunk_token) { flb_errno(); - return -1; + goto error; } splunk_token->header = auth_header; /* Link to parent list */ mk_list_add(&splunk_token->_head, &ctx->auth_tokens); - - token = strtok(NULL, ","); } } + if (kvs != NULL) { + flb_utils_split_free(kvs); + } + return 0; + +split_error: + return -1; +error: + if (kvs != NULL) { + flb_utils_split_free(kvs); + } + return -1; } struct flb_splunk *splunk_config_create(struct flb_input_instance *ins) diff --git a/plugins/in_splunk/splunk_prot.c b/plugins/in_splunk/splunk_prot.c index b131bad98d6..401d97e4963 100644 --- a/plugins/in_splunk/splunk_prot.c +++ b/plugins/in_splunk/splunk_prot.c @@ -481,7 +481,6 @@ static ssize_t parse_hec_payload_json(struct flb_splunk *ctx, flb_sds_t tag, static int validate_auth_header(struct flb_splunk *ctx, struct mk_http_request *request) { - struct mk_list *tmp; struct mk_list *head; struct mk_http_header *auth_header = NULL; struct flb_splunk_tokens *splunk_token; @@ -497,7 +496,7 @@ static int validate_auth_header(struct flb_splunk *ctx, struct mk_http_request * } if (auth_header != NULL && auth_header->val.len > 0) { - mk_list_foreach_safe(head, tmp, &ctx->auth_tokens) { + mk_list_foreach(head, &ctx->auth_tokens) { splunk_token = mk_list_entry(head, struct flb_splunk_tokens, _head); if (strncmp(splunk_token->header, auth_header->val.data, diff --git a/tests/runtime/in_splunk.c b/tests/runtime/in_splunk.c index e50d658498a..77eb80b50f3 100644 --- a/tests/runtime/in_splunk.c +++ b/tests/runtime/in_splunk.c @@ -846,7 +846,7 @@ void flb_test_splunk_auth_header(int port, char *endpoint) NULL); TEST_CHECK(ret == 0); ret = flb_input_set(ctx->flb, ctx->i_ffd, - "store_token_to_metadata", "false", + "store_token_in_metadata", "false", NULL); TEST_CHECK(ret == 0); From a77b7a2de07ca1e6bc20bf8291c83b8e942118de Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Wed, 5 Jun 2024 14:22:54 +0900 Subject: [PATCH 5/7] in_splunk: Fix an invalid free Signed-off-by: Hiroshi Hatake --- plugins/in_splunk/splunk_config.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/in_splunk/splunk_config.c b/plugins/in_splunk/splunk_config.c index f291cfaf0e2..5267eba0ae8 100644 --- a/plugins/in_splunk/splunk_config.c +++ b/plugins/in_splunk/splunk_config.c @@ -34,7 +34,7 @@ static void delete_hec_tokens(struct flb_splunk *ctx) splunk_token = mk_list_entry(head, struct flb_splunk_tokens, _head); flb_sds_destroy(splunk_token->header); mk_list_del(&splunk_token->_head); - flb_free(&splunk_token); + flb_free(splunk_token); } } From 1888a1b26b0f08186046a6687a16d648d07f5be0 Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Wed, 5 Jun 2024 15:03:03 +0900 Subject: [PATCH 6/7] in_splunk: Check credential properly for HTTP2 payloads Signed-off-by: Hiroshi Hatake --- plugins/in_splunk/splunk_prot.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/plugins/in_splunk/splunk_prot.c b/plugins/in_splunk/splunk_prot.c index 401d97e4963..fee39e8ea9e 100644 --- a/plugins/in_splunk/splunk_prot.c +++ b/plugins/in_splunk/splunk_prot.c @@ -999,8 +999,10 @@ static int process_hec_payload_ng(struct flb_http_request *request, } ret = flb_hash_table_get(request->headers, "authorization", 13, (void **)&auth_header, &size); - if (ret != 0) { - ctx->ingested_auth_header = auth_header; + if (ret != 0 && size > 0) { + if (strncasecmp(auth_header, "Splunk ", 7) == 0) { + ctx->ingested_auth_header = auth_header; + } } if (request->body == NULL || cfl_sds_len(request->body) <= 0) { @@ -1032,8 +1034,10 @@ static int process_hec_raw_payload_ng(struct flb_http_request *request, } ret = flb_hash_table_get(request->headers, "authorization", 13, (void **)&auth_header, &size); - if (ret != 0) { - ctx->ingested_auth_header = auth_header; + if (ret != 0 && size > 0) { + if (strncasecmp(auth_header, "Splunk ", 7) == 0) { + ctx->ingested_auth_header = auth_header; + } } if (request->body == NULL || cfl_sds_len(request->body) == 0) { From 0157717dda86e00b576231e151662c820f00c927 Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Wed, 5 Jun 2024 15:25:57 +0900 Subject: [PATCH 7/7] in_splunk: Rename a struct member Signed-off-by: Hiroshi Hatake --- plugins/in_splunk/splunk.c | 2 +- plugins/in_splunk/splunk.h | 2 +- plugins/in_splunk/splunk_prot.c | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/plugins/in_splunk/splunk.c b/plugins/in_splunk/splunk.c index 6c6555083f6..b10dfa8f00e 100644 --- a/plugins/in_splunk/splunk.c +++ b/plugins/in_splunk/splunk.c @@ -238,7 +238,7 @@ static struct flb_config_map config_map[] = { { FLB_CONFIG_MAP_BOOL, "store_token_in_metadata", "true", - 0, FLB_TRUE, offsetof(struct flb_splunk, store_token_to_metadata), + 0, FLB_TRUE, offsetof(struct flb_splunk, store_token_in_metadata), "Store Splunk HEC tokens in matadata. If set as false, they will be stored into records." }, diff --git a/plugins/in_splunk/splunk.h b/plugins/in_splunk/splunk.h index 3e795cc0484..e72905b5a80 100644 --- a/plugins/in_splunk/splunk.h +++ b/plugins/in_splunk/splunk.h @@ -48,7 +48,7 @@ struct flb_splunk { /* Token Auth */ struct mk_list auth_tokens; flb_sds_t ingested_auth_header; - int store_token_to_metadata; + int store_token_in_metadata; flb_sds_t store_token_key; struct flb_log_event_encoder log_encoder; diff --git a/plugins/in_splunk/splunk_prot.c b/plugins/in_splunk/splunk_prot.c index fee39e8ea9e..513ea41d340 100644 --- a/plugins/in_splunk/splunk_prot.c +++ b/plugins/in_splunk/splunk_prot.c @@ -226,7 +226,7 @@ static int process_raw_payload_pack(struct flb_splunk *ctx, flb_sds_t tag, char ret = flb_log_event_encoder_set_current_timestamp(&ctx->log_encoder); } - if (ctx->store_token_to_metadata == FLB_TRUE) { + if (ctx->store_token_in_metadata == FLB_TRUE) { if (ret == FLB_EVENT_ENCODER_SUCCESS) { ret = flb_log_event_encoder_append_body_values( &ctx->log_encoder, @@ -235,7 +235,7 @@ static int process_raw_payload_pack(struct flb_splunk *ctx, flb_sds_t tag, char } } - if (ctx->store_token_to_metadata == FLB_TRUE) { + if (ctx->store_token_in_metadata == FLB_TRUE) { if (ctx->ingested_auth_header != NULL) { if (ret == FLB_EVENT_ENCODER_SUCCESS) { ret = flb_log_event_encoder_append_metadata_values( @@ -303,7 +303,7 @@ static void process_flb_log_append(struct flb_splunk *ctx, msgpack_object *recor &tm); } - if (ctx->store_token_to_metadata == FLB_TRUE) { + if (ctx->store_token_in_metadata == FLB_TRUE) { if (ret == FLB_EVENT_ENCODER_SUCCESS) { ret = flb_log_event_encoder_set_body_from_msgpack_object( &ctx->log_encoder,