Fix translate_sid's empty target field handling

The translate_sid processor only requires one of the three target fields to be configured. It should work properly when some of the targets are not set, but it doesn't check if the are empty strings. So it ends up adding target fields that are empty strings to the event (e.g. "": "Group"). Closes #18990
elastic · Jun 5, 2020 · 3e996df · 3e996df
1 parent 7b9c535
commit 3e996df
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 6 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -117,6 +117,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix an issue where error messages are not accurate in mapstriface. {issue}18662[18662] {pull}18663[18663]
 - Fix regression in `add_kubernetes_metadata`, so configured `indexers` and `matchers` are used if defaults are not disabled. {issue}18481[18481] {pull}18818[18818]
 - Fix potential race condition in fingerprint processor. {pull}18738[18738]
+- Fix the `translate_sid` processor's handling of unconfigured target fields. {issue}18990[18990] {pull}18991[18991]
 
 *Auditbeat*
 

diff --git a/libbeat/processors/translate_sid/translatesid.go b/libbeat/processors/translate_sid/translatesid.go
@@ -111,14 +111,20 @@ func (p *processor) translateSID(event *beat.Event) error {
 
 	// Do all operations even if one fails.
 	var errs []error
-	if _, err = event.PutValue(p.AccountNameTarget, account); err != nil {
-		errs = append(errs, err)
+	if p.AccountNameTarget != "" {
+		if _, err = event.PutValue(p.AccountNameTarget, account); err != nil {
+			errs = append(errs, err)
+		}
 	}
-	if _, err = event.PutValue(p.AccountTypeTarget, sys.SIDType(accountType).String()); err != nil {
-		errs = append(errs, err)
+	if p.AccountTypeTarget != "" {
+		if _, err = event.PutValue(p.AccountTypeTarget, sys.SIDType(accountType).String()); err != nil {
+			errs = append(errs, err)
+		}
 	}
-	if _, err = event.PutValue(p.DomainTarget, domain); err != nil {
-		errs = append(errs, err)
+	if p.DomainTarget != "" {
+		if _, err = event.PutValue(p.DomainTarget, domain); err != nil {
+			errs = append(errs, err)
+		}
 	}
 	return multierr.Combine(errs...)
 }
diff --git a/libbeat/processors/translate_sid/translatesid_test.go b/libbeat/processors/translate_sid/translatesid_test.go
@@ -25,6 +25,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"golang.org/x/sys/windows"
 
 	"github.com/elastic/beats/v7/libbeat/beat"
@@ -83,6 +84,41 @@ func TestTranslateSID(t *testing.T) {
 	}
 }
 
+func TestTranslateSIDEmptyTarget(t *testing.T) {
+	c := defaultConfig()
+	c.Field = "sid"
+
+	evt := &beat.Event{Fields: map[string]interface{}{
+		"sid": "S-1-5-32-544",
+	}}
+
+	tests := []struct {
+		Name   string
+		Config config
+	}{
+		{"account_name", config{Field: "sid", AccountNameTarget: "account_name"}},
+		{"account_type", config{Field: "sid", AccountTypeTarget: "account_type"}},
+		{"domain", config{Field: "sid", DomainTarget: "domain"}},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.Name, func(t *testing.T) {
+			p, err := newFromConfig(tc.Config)
+			require.NoError(t, err)
+
+			evt, err := p.Run(&beat.Event{Fields: evt.Fields.Clone()})
+			require.NoError(t, err)
+
+			// Verify that only the configured target field is set.
+			// And ensure that no empty string keys are used.
+			assert.Len(t, evt.Fields, 2)
+			assert.Contains(t, evt.Fields, tc.Name)
+			assert.NotContains(t, evt.Fields, "")
+		})
+	}
+}
+
 func BenchmarkProcessor_Run(b *testing.B) {
 	p, err := newFromConfig(config{
 		Field:             "sid",