[Libbeat] Fix array matching in contains condition (#11691)

Matching arrays of strings inside a contains condition doesn't work properly
with the output of JSON decoding as it is expecting fields of type []string
when they are in this case []interface{}.

Fixes: #3138

CHANGELOG.next.asciidoc

@@ -55,6 +55,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix a parsing error with the X-Pack license check on 32-bit system. {issue}11650[11650]
 - Fix ILM policy always being overwritten. {pull}11671[11671]
 - Fix template always being overwritten. {pull}11671[11671]
+- Fix matching of string arrays in contains condition. {pull}11691[11691]
 
 *Auditbeat*
 

libbeat/common/match/matcher.go

@@ -119,19 +119,23 @@ func (m *Matcher) Unpack(s string) error {
 	return nil
 }
 
-func (m *Matcher) MatchAnyString(strs []string) bool {
+// MatchAnyString succeeds if any string in the given array contains a match.
+func (m *Matcher) MatchAnyString(strs interface{}) bool {
 	return matchAnyStrings(m.stringMatcher, strs)
 }
 
-func (m *Matcher) MatchAllStrings(strs []string) bool {
+// MatchAllStrings succeeds if all strings in the given array contain a match.
+func (m *Matcher) MatchAllStrings(strs interface{}) bool {
 	return matchAllStrings(m.stringMatcher, strs)
 }
 
-func (m *ExactMatcher) MatchAnyString(strs []string) bool {
+// MatchAnyString succeeds if any string in the given array is an exact match.
+func (m *ExactMatcher) MatchAnyString(strs interface{}) bool {
 	return matchAnyStrings(m.stringMatcher, strs)
 }
 
-func (m *ExactMatcher) MatchAllStrings(strs []string) bool {
+// MatchAllStrings succeeds if all strings in the given array are an exact match.
+func (m *ExactMatcher) MatchAllStrings(strs interface{}) bool {
 	return matchAllStrings(m.stringMatcher, strs)
 }
 
@@ -145,19 +149,37 @@ func (m *ExactMatcher) Unpack(s string) error {
 	return nil
 }
 
-func matchAnyStrings(m stringMatcher, strs []string) bool {
-	for _, s := range strs {
-		if m.MatchString(s) {
-			return true
+func matchAnyStrings(m stringMatcher, strs interface{}) bool {
+	switch v := strs.(type) {
+	case []interface{}:
+		for _, s := range v {
+			if str, ok := s.(string); ok && m.MatchString(str) {
+				return true
+			}
+		}
+	case []string:
+		for _, s := range v {
+			if m.MatchString(s) {
+				return true
+			}
 		}
 	}
 	return false
 }
 
-func matchAllStrings(m stringMatcher, strs []string) bool {
-	for _, s := range strs {
-		if !m.MatchString(s) {
-			return false
+func matchAllStrings(m stringMatcher, strs interface{}) bool {
+	switch v := strs.(type) {
+	case []interface{}:
+		for _, s := range v {
+			if str, ok := s.(string); ok && !m.MatchString(str) {
+				return false
+			}
+		}
+	case []string:
+		for _, s := range v {
+			if !m.MatchString(s) {
+				return false
+			}
 		}
 	}
 	return true

libbeat/conditions/conditions_test.go

@@ -68,8 +68,9 @@ var secdTestEvent = &beat.Event{
 			"ppid":     1,
 			"state":    "running",
 			"username": "monica",
-			"keywords": []string{"foo", "bar"},
+			"keywords": []interface{}{"foo", "bar"},
 		},
+		"tags":  []string{"auditbeat", "prod", "security"},
 		"type":  "process",
 		"final": false,
 	},

libbeat/conditions/matcher.go

@@ -86,11 +86,10 @@ func (c Matcher) Check(event ValuesMap) bool {
 				return false
 			}
 
-		case []string:
+		case []interface{}, []string:
 			if !matcher.MatchAnyString(v) {
 				return false
 			}
-
 		default:
 			str, err := ExtractString(value)
 			if err != nil {

libbeat/conditions/matcher_test.go

@@ -64,6 +64,14 @@ func TestContainsSingleFieldPositiveMatch(t *testing.T) {
 	})
 }
 
+func TestContainsArrayOfStringPositiveMatch(t *testing.T) {
+	testConfig(t, true, secdTestEvent, &Config{
+		Contains: &Fields{fields: map[string]interface{}{
+			"tags": "prod",
+		}},
+	})
+}
+
 func TestRegexpCondition(t *testing.T) {
 	logp.TestingSetup()