[beatsauthextension] Fix bug in configureTransport method (#690)

* [beatsauthextension] Fix bug how custom verifyConnection is built

* add tls server name

* put root ca back into TLSconfig

* add additonal unit tests

* fixed test case

* upgrade ea-libs

* add comments

* update elastic-agent-libs

* use logp logger

* fix go mod tidy

* Update extension/beatsauthextension/authenticator.go

Co-authored-by: Tiago Queiroz <[email protected]>

* Update extension/beatsauthextension/authenticator_test.go

Co-authored-by: Tiago Queiroz <[email protected]>

* remove ca cert

* fix data race

* create a copy instead

* update

---------

Co-authored-by: Tiago Queiroz <[email protected]>

Author: khushijain21

extension/beatsauthextension/authenticator.go

@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"net/http"
 
+	"github.com/elastic/elastic-agent-libs/logp"
 	"github.com/elastic/elastic-agent-libs/transport/tlscommon"
 	"go.opentelemetry.io/collector/component"
 	"go.opentelemetry.io/collector/extension"
@@ -37,19 +38,25 @@ type authenticator struct {
 	cfg       *Config
 	telemetry component.TelemetrySettings
 	tlsConfig *tlscommon.TLSConfig // set by Start
+	logger    *logp.Logger
 }
 
 func newAuthenticator(cfg *Config, telemetry component.TelemetrySettings) (*authenticator, error) {
-	return &authenticator{cfg: cfg, telemetry: telemetry}, nil
+	logger, err := logp.NewZapLogger(telemetry.Logger)
+	if err != nil {
+		return nil, err
+	}
+	return &authenticator{cfg: cfg, telemetry: telemetry, logger: logger}, nil
 }
 
 func (a *authenticator) Start(ctx context.Context, host component.Host) error {
 	if a.cfg.TLS != nil {
+
 		tlsConfig, err := tlscommon.LoadTLSConfig(&tlscommon.Config{
 			VerificationMode:     tlsVerificationModes[a.cfg.TLS.VerificationMode],
 			CATrustedFingerprint: a.cfg.TLS.CATrustedFingerprint,
 			CASha256:             a.cfg.TLS.CASha256,
-		})
+		}, a.logger)
 		if err != nil {
 			return err
 		}
@@ -77,13 +84,21 @@ func (a *authenticator) RoundTripper(base http.RoundTripper) (http.RoundTripper,
 }
 
 func (a *authenticator) configureTransport(transport *http.Transport) error {
+
 	if a.tlsConfig != nil {
-		// injecting verifyConnection here, keeping all other fields on TLSClientConfig intact
-		beatTLSConfig := a.tlsConfig.BuildModuleClientConfig(a.cfg.TLS.ServerName)
+
+		// copy incoming CertPool into our tls config
+		// because ca_trusted_fingerprint will be appended to CertPool
+		tlsConfig := *a.tlsConfig // copy before updating, configureTransport may be called concurrently
+		tlsConfig.RootCAs = transport.TLSClientConfig.RootCAs
+
+		beatTLSConfig := tlsConfig.BuildModuleClientConfig(transport.TLSClientConfig.ServerName)
 
 		transport.TLSClientConfig.VerifyConnection = beatTLSConfig.VerifyConnection
 		transport.TLSClientConfig.InsecureSkipVerify = beatTLSConfig.InsecureSkipVerify
+
 	}
+
 	return nil
 }
 

extension/beatsauthextension/authenticator_test.go

@@ -21,6 +21,10 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/pem"
+	"net"
+	"net/http"
+	"net/http/httptest"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -29,16 +33,18 @@ import (
 	"go.opentelemetry.io/collector/component/componenttest"
 	"go.opentelemetry.io/collector/config/configauth"
 	"go.opentelemetry.io/collector/config/confighttp"
+	"go.opentelemetry.io/collector/config/configopaque"
 	"go.opentelemetry.io/collector/config/configoptional"
 
 	"github.com/elastic/elastic-agent-libs/transport/tlscommon"
+	"github.com/elastic/elastic-agent-libs/transport/tlscommontest"
 	"github.com/elastic/opentelemetry-collector-components/extension/beatsauthextension/internal/metadata"
 )
 
 // It tests whether VerifyConnection is set on tls.Config
 func TestVerifyConnection(t *testing.T) {
-	testCerts := tlscommon.GenTestCerts(t)
-	fingerprint := tlscommon.GetCertFingerprint(testCerts["ca"])
+	testCerts := tlscommontest.GenTestCerts(t)
+	fingerprint := tlscommontest.GetCertFingerprint(testCerts["ca"])
 
 	settings := componenttest.NewNopTelemetrySettings()
 	httpClientConfig := confighttp.NewDefaultClientConfig()
@@ -125,7 +131,6 @@ func TestVerifyConnection(t *testing.T) {
 					VerificationMode:     test.verificationMode.String(),
 					CATrustedFingerprint: test.CATrustedFingerprint,
 					CASha256:             test.CASHA256,
-					ServerName:           test.serverName,
 				},
 			}
 
@@ -165,6 +170,246 @@ func TestVerifyConnection(t *testing.T) {
 	}
 }
 
+// This test suite is from `tlscommon` package in elastic-agent-libs
+// https://github.com/elastic/elastic-agent-libs/blob/531c75610fb3fa147cdde354b8ec5433e1b82dc3/transport/tlscommon/tls_config_test.go#L495
+// It is modified to work with beatsauthextension
+func TestVerificationMode(t *testing.T) {
+	settings := componenttest.NewNopTelemetrySettings()
+	httpClientConfig := confighttp.NewDefaultClientConfig()
+	httpClientConfig.Auth = configoptional.Some(configauth.Config{
+		AuthenticatorID: component.NewID(metadata.Type),
+	})
+
+	testcases := map[string]struct {
+		verificationMode tlscommon.TLSVerificationMode
+		expectingError   bool
+
+		// hostname is used to make connection
+		hostname string
+
+		// ignoreCerts do not add the Root CA to the trust chain
+		ignoreCerts bool
+
+		// commonName used in the Certificate
+		commonName string
+
+		// dnsNames is used as the SNA DNSNames
+		dnsNames []string
+
+		// ips is used as the SNA IPAddresses
+		ips []net.IP
+	}{
+		"VerifyFull validates domain": {
+			verificationMode: tlscommon.VerifyFull,
+			hostname:         "localhost",
+			dnsNames:         []string{"localhost"},
+		},
+		"VerifyFull validates IPv4": {
+			verificationMode: tlscommon.VerifyFull,
+			hostname:         "127.0.0.1",
+			ips:              []net.IP{net.IPv4(127, 0, 0, 1)},
+		},
+		"VerifyFull validates IPv6": {
+			verificationMode: tlscommon.VerifyFull,
+			hostname:         "::1",
+			ips:              []net.IP{net.ParseIP("::1")},
+		},
+		"VerifyFull domain mismatch returns error": {
+			verificationMode: tlscommon.VerifyFull,
+			hostname:         "localhost",
+			dnsNames:         []string{"example.com"},
+			expectingError:   true,
+		},
+		"VerifyFull IPv4 mismatch returns error": {
+			verificationMode: tlscommon.VerifyFull,
+			hostname:         "127.0.0.1",
+			ips:              []net.IP{net.IPv4(10, 0, 0, 1)},
+			expectingError:   true,
+		},
+		"VerifyFull IPv6 mismatch returns error": {
+			verificationMode: tlscommon.VerifyFull,
+			hostname:         "::1",
+			ips:              []net.IP{net.ParseIP("faca:b0de:baba::ca")},
+			expectingError:   true,
+		},
+		"VerifyFull does not return error when SNA is empty and legacy Common Name is used": {
+			verificationMode: tlscommon.VerifyFull,
+			hostname:         "localhost",
+			commonName:       "localhost",
+			expectingError:   false,
+		},
+		"VerifyFull does not return error when SNA is empty and legacy Common Name is used with IP address": {
+			verificationMode: tlscommon.VerifyFull,
+			hostname:         "127.0.0.1",
+			commonName:       "127.0.0.1",
+			expectingError:   false,
+		},
+
+		"VerifyStrict validates domain": {
+			verificationMode: tlscommon.VerifyStrict,
+			hostname:         "localhost",
+			dnsNames:         []string{"localhost"},
+		},
+		"VerifyStrict validates IPv4": {
+			verificationMode: tlscommon.VerifyStrict,
+			hostname:         "127.0.0.1",
+			ips:              []net.IP{net.IPv4(127, 0, 0, 1)},
+		},
+		"VerifyStrict validates IPv6": {
+			verificationMode: tlscommon.VerifyStrict,
+			hostname:         "::1",
+			ips:              []net.IP{net.ParseIP("::1")},
+		},
+		"VerifyStrict domain mismatch returns error": {
+			verificationMode: tlscommon.VerifyStrict,
+			hostname:         "127.0.0.1",
+			dnsNames:         []string{"example.com"},
+			expectingError:   true,
+		},
+		"VerifyStrict IPv4 mismatch returns error": {
+			verificationMode: tlscommon.VerifyStrict,
+			hostname:         "127.0.0.1",
+			ips:              []net.IP{net.IPv4(10, 0, 0, 1)},
+			expectingError:   true,
+		},
+		"VerifyStrict IPv6 mismatch returns error": {
+			verificationMode: tlscommon.VerifyStrict,
+			hostname:         "::1",
+			ips:              []net.IP{net.ParseIP("faca:b0de:baba::ca")},
+			expectingError:   true,
+		},
+		"VerifyStrict returns error when SNA is empty and legacy Common Name is used": {
+			verificationMode: tlscommon.VerifyStrict,
+			hostname:         "localhost",
+			commonName:       "localhost",
+			expectingError:   true,
+		},
+		"VerifyStrict returns error when SNA is empty and legacy Common Name is used with IP address": {
+			verificationMode: tlscommon.VerifyStrict,
+			hostname:         "127.0.0.1",
+			commonName:       "127.0.0.1",
+			expectingError:   true,
+		},
+		"VerifyStrict returns error when SNA is empty": {
+			verificationMode: tlscommon.VerifyStrict,
+			hostname:         "localhost",
+			expectingError:   true,
+		},
+
+		"VerifyCertificate does not validate domain": {
+			verificationMode: tlscommon.VerifyCertificate,
+			hostname:         "localhost",
+			dnsNames:         []string{"example.com"},
+		},
+		"VerifyCertificate does not validate IPv4": {
+			verificationMode: tlscommon.VerifyCertificate,
+			hostname:         "127.0.0.1",
+			dnsNames:         []string{"example.com"}, // I believe it cannot be empty
+		},
+		"VerifyCertificate does not validate IPv6": {
+			verificationMode: tlscommon.VerifyCertificate,
+			hostname:         "127.0.0.1",
+			ips:              []net.IP{net.ParseIP("faca:b0de:baba::ca")},
+		},
+
+		"VerifyNone accepts untrusted certificates": {
+			verificationMode: tlscommon.VerifyNone,
+			hostname:         "127.0.0.1",
+			ignoreCerts:      true,
+		},
+	}
+	caCert, err := tlscommontest.GenCA()
+	if err != nil {
+		t.Fatalf("could not generate root CA certificate: %s", err)
+	}
+
+	for name, test := range testcases {
+		t.Run(name, func(t *testing.T) {
+
+			// create certificates for server setup
+			certs, err := tlscommontest.GenSignedCert(caCert, x509.KeyUsageCertSign, false, test.commonName, test.dnsNames, test.ips, false)
+			if err != nil {
+				t.Fatalf("could not generate certificates: %s", err)
+			}
+			// start server with generated cer
+			serverURL := startTestServer(t, []tls.Certificate{certs})
+
+			// config to pass to authenticator
+			cfg := &Config{
+				TLS: &TLSConfig{
+					VerificationMode: test.verificationMode.String(),
+				},
+			}
+
+			// create an instance of authenticator
+			auth, err := newAuthenticator(cfg, settings)
+			require.NoError(t, err)
+
+			host := extensionsMap{component.NewID(metadata.Type): auth}
+			// starts the auth extension
+			err = auth.Start(context.Background(), host)
+			require.NoError(t, err)
+
+			httpClientConfig.TLS.ServerName = test.hostname
+			httpClientConfig.TLS.CAPem = configopaque.String(string(
+				pem.EncodeToMemory(&pem.Block{
+					Type:  "CERTIFICATE",
+					Bytes: caCert.Leaf.Raw,
+				})))
+
+			if test.ignoreCerts {
+				httpClientConfig.TLS.ServerName = ""
+				httpClientConfig.TLS.CAPem = ""
+			}
+
+			client, err := httpClientConfig.ToClient(context.Background(), host, settings)
+			require.NoError(t, err)
+
+			resp, err := client.Get(serverURL) //nolint:noctx // It is a test
+			if err == nil {
+				resp.Body.Close()
+			}
+
+			if test.expectingError {
+				if err != nil {
+					// We got the expected error, no need to check the status code
+					return
+				} else {
+					t.Fatalf("expected error, got: %v", err)
+				}
+			}
+
+			if err != nil {
+				t.Fatalf("did not expect an error: %v", err)
+			}
+
+			if resp.StatusCode != 200 {
+				t.Fatalf("expecting 200 got: %d", resp.StatusCode)
+			}
+		})
+	}
+}
+
+// startTestServer starts a HTTP server for testing using the provided
+// certificates
+//
+// All requests are responded with an HTTP 200 OK and a plain
+// text string
+//
+// The HTTP server will shutdown at the end of the test.
+func startTestServer(t *testing.T, serverCerts []tls.Certificate) string {
+	server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if _, err := w.Write([]byte("SSL test server")); err != nil {
+			t.Errorf("coluld not write to client: %s", err)
+		}
+	}))
+	server.TLS = &tls.Config{}
+	server.TLS.Certificates = serverCerts
+	server.StartTLS()
+	t.Cleanup(func() { server.Close() })
+	return server.URL
+}
+
 type extensionsMap map[component.ID]component.Component
 
 func (m extensionsMap) GetExtensions() map[component.ID]component.Component {

extension/beatsauthextension/config.go

@@ -39,7 +39,6 @@ type TLSConfig struct {
 	VerificationMode     string   `mapstructure:"verification_mode"`
 	CATrustedFingerprint string   `mapstructure:"ca_trusted_fingerprint"`
 	CASha256             []string `mapstructure:"ca_sha256"`
-	ServerName           string   `mapstructure:"server_name"`
 }
 
 func createDefaultConfig() component.Config {

extension/beatsauthextension/go.mod

@@ -3,13 +3,14 @@ module github.com/elastic/opentelemetry-collector-components/extension/beatsauth
 go 1.23.8
 
 require (
-	github.com/elastic/elastic-agent-libs v0.18.3
+	github.com/elastic/elastic-agent-libs v0.21.6
 	github.com/stretchr/testify v1.10.0
 	github.com/tj/assert v0.0.3
 	go.opentelemetry.io/collector/component v1.36.0
 	go.opentelemetry.io/collector/component/componenttest v0.130.0
 	go.opentelemetry.io/collector/config/configauth v0.130.0
 	go.opentelemetry.io/collector/config/confighttp v0.130.0
+	go.opentelemetry.io/collector/config/configopaque v1.36.0
 	go.opentelemetry.io/collector/config/configoptional v0.130.0
 	go.opentelemetry.io/collector/confmap v1.36.0
 	go.opentelemetry.io/collector/extension v1.36.0
@@ -50,7 +51,6 @@ require (
 	go.opentelemetry.io/collector/client v1.36.0 // indirect
 	go.opentelemetry.io/collector/config/configcompression v1.36.0 // indirect
 	go.opentelemetry.io/collector/config/configmiddleware v0.130.0 // indirect
-	go.opentelemetry.io/collector/config/configopaque v1.36.0 // indirect
 	go.opentelemetry.io/collector/config/configtls v1.36.0 // indirect
 	go.opentelemetry.io/collector/extension/extensionmiddleware v0.130.0 // indirect
 	go.opentelemetry.io/collector/featuregate v1.36.0 // indirect

extension/beatsauthextension/go.sum

@@ -2,8 +2,8 @@ github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZx
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/elastic/elastic-agent-libs v0.18.3 h1:bZ0e4Mrw7t6GnquTxzvZclGxZsUEIlsZNJPCPy2qO24=
-github.com/elastic/elastic-agent-libs v0.18.3/go.mod h1:rWdyrrAFzZwgNNi41Tsqhlt2c2GdXWhCEwcsnqISJ2U=
+github.com/elastic/elastic-agent-libs v0.21.6 h1:hvBAi4KHaYf4hn+rTc9m6A35eZjqb1uoE2exklIdWm0=
+github.com/elastic/elastic-agent-libs v0.21.6/go.mod h1:xSeIP3NtOIT4N2pPS4EyURmS1Q8mK0lWZ8Wd1Du6q3w=
 github.com/elastic/go-ucfg v0.8.5 h1:4GB/rMpuh7qTcSFaxJUk97a/JyvFzhi6t+kaskTTLdM=
 github.com/elastic/go-ucfg v0.8.5/go.mod h1:4E8mPOLSUV9hQ7sgLEJ4bvt0KhMuDJa8joDT2QGAEKA=
 github.com/elastic/pkcs8 v1.0.0 h1:HhitlUKxhN288kcNcYkjW6/ouvuwJWd9ioxpjnD9jVA=