Merge branch 'main' into feat/bump-1.23

.github/dependabot.yml

@@ -66,7 +66,8 @@ updates:
 
   # GitHub actions
   - package-ecosystem: "github-actions"
-    directory: "/"
+    directories:
+      - "/"
     schedule:
       interval: "weekly"
       day: "sunday"

CHANGELOG.next.asciidoc

@@ -20,6 +20,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Replace default Ubuntu-based images with UBI-minimal-based ones {pull}42150[42150]
 - Fix templates and docs to use correct `--` version of command line arguments. {issue}42038[42038] {pull}42060[42060]
 - removed support for a single `-` to precede multi-letter command line arguments.  Use `--` instead. {issue}42117[42117] {pull}42209[42209]
+- Removed encryption from diskqueue V2 for fips compliance {issue}4534[4534]{pull}42848[42848]
 
 *Auditbeat*
 
@@ -148,6 +149,7 @@ otherwise no tag is added. {issue}42208[42208] {pull}42403[42403]
 - hasher: Geneneral improvements and fixes. {pull}41863[41863]
 - hasher: Add a cached hasher for upcoming backend. {pull}41952[41952]
 - Split common tty definitions. {pull}42004[42004]
+- Fix potential data loss in add_session_metadata. {pull}42795[42795]
 
 *Filebeat*
 
@@ -424,6 +426,7 @@ otherwise no tag is added. {issue}42208[42208] {pull}42403[42403]
 - The journald input is now generally available. {pull}42107[42107]
 - Add metrics for number of events and pages published by HTTPJSON input. {issue}42340[42340] {pull}42442[42442]
 - Add `etw` input fallback to attach an already existing session. {pull}42847[42847]
+- Update CEL mito extensions to v1.17.0. {pull}42851[42851]
 
 *Auditbeat*
 

NOTICE.txt

@@ -15516,11 +15516,11 @@ limitations under the License.
 
 --------------------------------------------------------------------------------
 Dependency : github.com/elastic/mito
-Version: v1.16.0
+Version: v1.17.0
 Licence type (autodetected): Apache-2.0
 --------------------------------------------------------------------------------
 
-Contents of probable licence file $GOMODCACHE/github.com/elastic/mito@v1.16.0/LICENSE:
+Contents of probable licence file $GOMODCACHE/github.com/elastic/mito@v1.17.0/LICENSE:
 
 
                                  Apache License

filebeat/input/filestream/internal/task/group_test.go

@@ -21,7 +21,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"math/rand"
+	"math/rand/v2"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -95,7 +95,7 @@ func TestGroup_Go(t *testing.T) {
 
 		assert.Eventually(t,
 			func() bool { return want == runningCount.Load() },
-			time.Second, 100*time.Millisecond)
+			1*time.Second, 10*time.Millisecond)
 	})
 
 	t.Run("workloads wait for available worker", func(t *testing.T) {
@@ -158,7 +158,7 @@ func TestGroup_Go(t *testing.T) {
 		// Wait to ensure f1 and f2 are running, thus there is no workers free.
 		assert.Eventually(t,
 			func() bool { return int64(2) == runningCount.Load() },
-			100*time.Millisecond, time.Millisecond)
+			1*time.Second, 10*time.Millisecond)
 
 		err = g.Go(f3)
 		require.NoError(t, err)
@@ -170,7 +170,7 @@ func TestGroup_Go(t *testing.T) {
 			func() bool {
 				return f3Started.Load()
 			},
-			100*time.Millisecond, time.Millisecond)
+			1*time.Second, 10*time.Millisecond)
 
 		// If f3 started, f2 must have finished
 		assert.True(t, f2Finished.Load())
@@ -186,8 +186,8 @@ func TestGroup_Go(t *testing.T) {
 
 		assert.Eventually(t,
 			func() bool { return doneCount.Load() == 3 },
-			50*time.Millisecond,
-			time.Millisecond,
+			1*time.Second,
+			10*time.Millisecond,
 			"not all goroutines finished")
 	})
 
@@ -202,14 +202,13 @@ func TestGroup_Go(t *testing.T) {
 
 	t.Run("without limit, all goroutines run", func(t *testing.T) {
 		// 100 <= limit <= 10000
-		limit := rand.Int63n(10000-100) + 100
+		limit := rand.IntN(10000-100) + 100
 		t.Logf("running %d goroutines", limit)
 		g := NewGroup(uint64(limit), time.Second, noopLogger{}, "")
 
 		done := make(chan struct{})
 		var runningCounter atomic.Int64
-		var i int64
-		for i = 0; i < limit; i++ {
+		for i := 0; i < limit; i++ {
 			err := g.Go(func(context.Context) error {
 				runningCounter.Add(1)
 				defer runningCounter.Add(-1)
@@ -221,9 +220,9 @@ func TestGroup_Go(t *testing.T) {
 		}
 
 		assert.Eventually(t,
-			func() bool { return limit == runningCounter.Load() },
-			100*time.Millisecond,
-			time.Millisecond)
+			func() bool { return int64(limit) == runningCounter.Load() },
+			1*time.Second,
+			10*time.Millisecond)
 
 		close(done)
 		err := g.Stop()
@@ -253,7 +252,7 @@ func TestGroup_Go(t *testing.T) {
 
 		assert.Eventually(t, func() bool {
 			return count.Load() == want && logger.String() != ""
-		}, 100*time.Millisecond, time.Millisecond)
+		}, 1*time.Second, 10*time.Millisecond)
 
 		err = g.Stop()
 		require.NoError(t, err)
@@ -286,7 +285,7 @@ func TestGroup_Go(t *testing.T) {
 
 		assert.Eventually(t, func() bool {
 			return count.Load() == want && logger.String() != ""
-		}, 100*time.Millisecond, time.Millisecond, "not all workloads finished")
+		}, 1*time.Second, 10*time.Millisecond, "not all workloads finished")
 
 		assert.Contains(t, logger.String(), wantErr.Error())
 

go.mod

@@ -181,7 +181,7 @@ require (
 	github.com/elastic/go-elasticsearch/v8 v8.17.0
 	github.com/elastic/go-quark v0.3.0
 	github.com/elastic/go-sfdc v0.0.0-20241010131323-8e176480d727
-	github.com/elastic/mito v1.16.0
+	github.com/elastic/mito v1.17.0
 	github.com/elastic/mock-es v0.0.0-20240712014503-e5b47ece0015
 	github.com/elastic/sarama v1.19.1-0.20241120141909-c7eabfcee7e5
 	github.com/elastic/tk-btf v0.1.0

go.sum

@@ -390,8 +390,8 @@ github.com/elastic/gopacket v1.1.20-0.20241002174017-e8c5fda595e6 h1:VgOx6omXIMK
 github.com/elastic/gopacket v1.1.20-0.20241002174017-e8c5fda595e6/go.mod h1:riddUzxTSBpJXk3qBHtYr4qOhFhT6k/1c0E3qkQjQpA=
 github.com/elastic/gosigar v0.14.3 h1:xwkKwPia+hSfg9GqrCUKYdId102m9qTJIIr7egmK/uo=
 github.com/elastic/gosigar v0.14.3/go.mod h1:iXRIGg2tLnu7LBdpqzyQfGDEidKCfWcCMS0WKyPWoMs=
-github.com/elastic/mito v1.16.0 h1:7UYy1OpJ8rlr4nzy/HDYQHuHjUIDMCofk5ICalYC2LA=
-github.com/elastic/mito v1.16.0/go.mod h1:J+wCf4HccW2YoSFmZMGu+d06gN+WmnIlj5ehBqine74=
+github.com/elastic/mito v1.17.0 h1:UEEFfQy5WhS6vVvMPMwHvdn5rH24eBJMb2ZOlGBkI5s=
+github.com/elastic/mito v1.17.0/go.mod h1:nG5MoOsgJwVlglhlANiBFmHWqoIjrpbR5vy612wE8yE=
 github.com/elastic/mock-es v0.0.0-20240712014503-e5b47ece0015 h1:z8cC8GASpPo8yKlbnXI36HQ/BM9wYjhBPNbDjAWm0VU=
 github.com/elastic/mock-es v0.0.0-20240712014503-e5b47ece0015/go.mod h1:qH9DX/Dmflz6EAtaks/+2SsdQzecVAKE174Zl66hk7E=
 github.com/elastic/pkcs8 v1.0.0 h1:HhitlUKxhN288kcNcYkjW6/ouvuwJWd9ioxpjnD9jVA=

libbeat/common/transport/kerberos/client.go

@@ -18,48 +18,11 @@
 package kerberos
 
 import (
-	"fmt"
 	"net/http"
-
-	krbclient "github.com/jcmturner/gokrb5/v8/client"
-	krbconfig "github.com/jcmturner/gokrb5/v8/config"
-	"github.com/jcmturner/gokrb5/v8/keytab"
-	"github.com/jcmturner/gokrb5/v8/spnego"
 )
 
-type Client struct {
-	spClient *spnego.Client
-}
-
-func NewClient(config *Config, httpClient *http.Client, esurl string) (*Client, error) {
-	var krbClient *krbclient.Client
-	krbConf, err := krbconfig.Load(config.ConfigPath)
-	if err != nil {
-		return nil, fmt.Errorf("error creating Kerberos client: %w", err)
-	}
-
-	switch config.AuthType {
-	case authKeytab:
-		kTab, err := keytab.Load(config.KeyTabPath)
-		if err != nil {
-			return nil, fmt.Errorf("cannot load keytab file %s: %w", config.KeyTabPath, err)
-		}
-		krbClient = krbclient.NewWithKeytab(config.Username, config.Realm, kTab, krbConf)
-	case authPassword:
-		krbClient = krbclient.NewWithPassword(config.Username, config.Realm, config.Password, krbConf)
-	default:
-		return nil, InvalidAuthType
-	}
-
-	return &Client{
-		spClient: spnego.NewClient(krbClient, httpClient, ""),
-	}, nil
-}
-
-func (c *Client) Do(req *http.Request) (*http.Response, error) {
-	return c.spClient.Do(req)
-}
+type Client interface {
+	Do(req *http.Request) (*http.Response, error)
 
-func (c *Client) CloseIdleConnections() {
-	c.spClient.CloseIdleConnections()
+	CloseIdleConnections()
 }

libbeat/common/transport/kerberos/client_fips.go

@@ -0,0 +1,29 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build requirefips
+
+package kerberos
+
+import (
+	"errors"
+	"net/http"
+)
+
+func NewClient(config *Config, httpClient *http.Client, esurl string) (Client, error) {
+	return nil, errors.New("kerberos is not supported in fips mode")
+}

libbeat/common/transport/kerberos/client_fips_test.go

@@ -0,0 +1,39 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build requirefips
+
+package kerberos
+
+import (
+	"net/http"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewClient(t *testing.T) {
+	cfg, err := os.CreateTemp(t.TempDir(), "config")
+	require.NoError(t, err)
+	c, err := NewClient(&Config{
+		AuthType:   authPassword,
+		ConfigPath: cfg.Name(),
+	}, http.DefaultClient, "")
+	require.Nil(t, c)
+	require.EqualError(t, err, "kerberos is not supported in fips mode")
+}

libbeat/common/transport/kerberos/client_nofips.go

@@ -0,0 +1,53 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build !requirefips
+
+package kerberos
+
+import (
+	"fmt"
+	"net/http"
+
+	krbclient "github.com/jcmturner/gokrb5/v8/client"
+	krbconfig "github.com/jcmturner/gokrb5/v8/config"
+	"github.com/jcmturner/gokrb5/v8/keytab"
+	"github.com/jcmturner/gokrb5/v8/spnego"
+)
+
+func NewClient(config *Config, httpClient *http.Client, esurl string) (Client, error) {
+	var krbClient *krbclient.Client
+	krbConf, err := krbconfig.Load(config.ConfigPath)
+	if err != nil {
+		return nil, fmt.Errorf("error creating Kerberos client: %w", err)
+	}
+
+	switch config.AuthType {
+	case authKeytab:
+		kTab, err := keytab.Load(config.KeyTabPath)
+		if err != nil {
+			return nil, fmt.Errorf("cannot load keytab file %s: %w", config.KeyTabPath, err)
+		}
+		krbClient = krbclient.NewWithKeytab(config.Username, config.Realm, kTab, krbConf)
+	case authPassword:
+		krbClient = krbclient.NewWithPassword(config.Username, config.Realm, config.Password, krbConf)
+	default:
+		return nil, InvalidAuthType
+	}
+
+	return spnego.NewClient(krbClient, httpClient, ""), nil
+}

libbeat/common/transport/kerberos/client_nofips_test.go

@@ -0,0 +1,39 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build !requirefips
+
+package kerberos
+
+import (
+	"net/http"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewClient(t *testing.T) {
+	cfg, err := os.CreateTemp(t.TempDir(), "config")
+	require.NoError(t, err)
+	c, err := NewClient(&Config{
+		AuthType:   authPassword,
+		ConfigPath: cfg.Name(),
+	}, http.DefaultClient, "")
+	require.Nil(t, err)
+	require.NotNil(t, c)
+}