
[Slack] Pagination formats 'oldest' query param in scientific notation #6402

Closed
andrewkroh opened this issue May 31, 2023 · 4 comments
Labels
bug Something isn't working, use only for issues Integration:slack Slack Logs

Comments


andrewkroh commented May 31, 2023

The Slack integration sends the oldest query param value formatted in scientific notation format (%e). An example value (after URL decoding) is oldest=1.566215192e+09. The API docs[1] say the value should be an integer. I doubt it is expecting scientific notation (our system tests are not).

Here's an example from our system tests. This is the request tracer output.

{
  "log.level": "debug",
  "@timestamp": "2023-05-31T12:57:28.667Z",
  "message": "HTTP request",
  "transaction.id": "E6NJ4D5U7DI1E-1",
  "url.original": "http://elastic-package-service_slack_1:8080/audit/v1/logs?latest=1685537848&limit=2&oldest=1682945848",
  "url.scheme": "http",
  "url.path": "/audit/v1/logs",
  "url.domain": "elastic-package-service_slack_1",
  "url.port": "8080",
  "url.query": "latest=1685537848&limit=2&oldest=1682945848",
  "http.request.method": "GET",
  "user_agent.original": "Elastic-Filebeat/8.7.1 (linux; amd64; bda40535cf0743b97017512e6af6d661eeef956e; 2023-04-23 04:33:29 +0000 UTC)",
  "http.request.body.content": "",
  "http.request.body.bytes": 0,
  "http.request.mime_type": "",
  "event.original": "GET /audit/v1/logs?latest=1685537848&limit=2&oldest=1682945848 HTTP/1.1\r\nHost: elastic-package-service_slack_1:8080\r\nUser-Agent: Elastic-Filebeat/8.7.1 (linux; amd64; bda40535cf0743b97017512e6af6d661eeef956e; 2023-04-23 04:33:29 +0000 UTC)\r\nAccept: application/json\r\nAuthorization: Bearer xoxp-1234567890\r\nAccept-Encoding: gzip\r\n\r\n",
  "ecs.version": "1.6.0"
}
{
  "log.level": "debug",
  "@timestamp": "2023-05-31T12:57:28.685Z",
  "message": "HTTP response",
  "transaction.id": "E6NJ4D5U7DI1E-1",
  "http.response.status_code": 200,
  "http.response.body.content": "{\n  \"entries\":[\n    {\"id\":\"bdcb13e3-28a3-41f0-9ace-a20952def3a0\",\"date_create\":1566215192,\"action\":\"user_created\",\"actor\":{\"type\":\"user\",\"user\":{\"id\":\"e65b0f5c\",\"name\":\"roy\",\"email\":\"aaron@demo.com\"}},\"entity\":{\"type\":\"user\",\"user\":{\"id\":\"asdfasdf\",\"name\":\"Joe Bob\",\"email\":\"jbob@example.com\",\"team\":\"T234SAH2\"}},\"context\":{\"location\":{\"type\":\"workspace\",\"id\":\"e65b11aa\",\"name\":\"Docker\",\"domain\":\"Docker\"},\"ua\":\"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0\",\"ip_address\":\"181.2.69.143\"}},\n    {\"id\":\"0123a45b-6c7d-8900-e12f-3456789gh0i1\",\"date_create\":1521214343,\"action\":\"user_login\",\"actor\":{\"type\":\"user\",\"user\":{\"id\":\"W123AB456\",\"name\":\"Charlie Parker\",\"email\":\"bird@slack.com\"}},\"entity\":{\"type\":\"user\",\"user\":{\"id\":\"W123AB456\",\"name\":\"Charlie Parker\",\"email\":\"bird@slack.com\"}},\"context\":{\"location\":{\"type\":\"enterprise\",\"id\":\"E1701NCCA\",\"name\":\"Birdland\",\"domain\":\"birdland\"},\"ua\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36\",\"ip_address\":\"81.2.69.143\"}}\n  ],\n  \"response_metadata\": {\n      \"next_cursor\": \"YXNkZmFzZGZhc2Rm\"\n  }\n}",
  "http.response.body.bytes": 1149,
  "http.response.mime_type": "text/plain; charset=utf-8",
  "event.original": "HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Length: 1149\r\nContent-Type: text/plain; charset=utf-8\r\nDate: Wed, 31 May 2023 12:57:28 GMT\r\n\r\n{\n  \"entries\":[\n    {\"id\":\"bdcb13e3-28a3-41f0-9ace-a20952def3a0\",\"date_create\":1566215192,\"action\":\"user_created\",\"actor\":{\"type\":\"user\",\"user\":{\"id\":\"e65b0f5c\",\"name\":\"roy\",\"email\":\"aaron@demo.com\"}},\"entity\":{\"type\":\"user\",\"user\":{\"id\":\"asdfasdf\",\"name\":\"Joe Bob\",\"email\":\"jbob@example.com\",\"team\":\"T234SAH2\"}},\"context\":{\"location\":{\"type\":\"workspace\",\"id\":\"e65b11aa\",\"name\":\"Docker\",\"domain\":\"Docker\"},\"ua\":\"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0\",\"ip_address\":\"181.2.69.143\"}},\n    {\"id\":\"0123a45b-6c7d-8900-e12f-3456789gh0i1\",\"date_create\":1521214343,\"action\":\"user_login\",\"actor\":{\"type\":\"user\",\"user\":{\"id\":\"W123AB456\",\"name\":\"Charlie Parker\",\"email\":\"bird@slack.com\"}},\"entity\":{\"type\":\"user\",\"user\":{\"id\":\"W123AB456\",\"name\":\"Charlie Parker\",\"email\":\"bird@slack.com\"}},\"context\":{\"location\":{\"type\":\"enterprise\",\"id\":\"E1701NCCA\",\"name\":\"Birdland\",\"domain\":\"birdland\"},\"ua\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36\",\"ip_address\":\"81.2.69.143\"}}\n  ],\n  \"response_metadata\": {\n      \"next_cursor\": \"YXNkZmFzZGZhc2Rm\"\n  }\n}",
  "ecs.version": "1.6.0"
}
{
  "log.level": "debug",
  "@timestamp": "2023-05-31T12:57:31.365Z",
  "message": "HTTP request",
  "transaction.id": "E6NJ4D5U7DI1E-2",
  "url.original": "http://elastic-package-service_slack_1:8080/audit/v1/logs?cursor=YXNkZmFzZGZhc2Rm&latest=1685537851&limit=2&oldest=1.566215192e%2B09",
  "url.scheme": "http",
  "url.path": "/audit/v1/logs",
  "url.domain": "elastic-package-service_slack_1",
  "url.port": "8080",
  "url.query": "cursor=YXNkZmFzZGZhc2Rm&latest=1685537851&limit=2&oldest=1.566215192e%2B09",
  "http.request.method": "GET",
  "user_agent.original": "Elastic-Filebeat/8.7.1 (linux; amd64; bda40535cf0743b97017512e6af6d661eeef956e; 2023-04-23 04:33:29 +0000 UTC)",
  "http.request.body.content": "",
  "http.request.body.bytes": 0,
  "http.request.mime_type": "",
  "event.original": "GET /audit/v1/logs?cursor=YXNkZmFzZGZhc2Rm&latest=1685537851&limit=2&oldest=1.566215192e%2B09 HTTP/1.1\r\nHost: elastic-package-service_slack_1:8080\r\nUser-Agent: Elastic-Filebeat/8.7.1 (linux; amd64; bda40535cf0743b97017512e6af6d661eeef956e; 2023-04-23 04:33:29 +0000 UTC)\r\nAccept: application/json\r\nAuthorization: Bearer xoxp-1234567890\r\nAccept-Encoding: gzip\r\n\r\n",
  "ecs.version": "1.6.0"
}
{
  "log.level": "debug",
  "@timestamp": "2023-05-31T12:57:31.376Z",
  "message": "HTTP response",
  "transaction.id": "E6NJ4D5U7DI1E-2",
  "http.response.status_code": 404,
  "http.response.body.content": "",
  "http.response.body.bytes": 0,
  "http.response.mime_type": "",
  "event.original": "HTTP/1.1 404 Not Found\r\nConnection: close\r\nDate: Wed, 31 May 2023 12:57:31 GMT\r\nContent-Length: 0\r\n\r\n",
  "ecs.version": "1.6.0"
}

Footnotes

  1. https://api.slack.com/admins/audit-logs-call#endpoints

@andrewkroh andrewkroh added bug Something isn't working, use only for issues Integration:slack Slack Logs labels May 31, 2023
andrewkroh added a commit to brachera/integrations that referenced this issue May 31, 2023
@andrewkroh (Member, Author) commented:

httpjson does make use of https://pkg.go.dev/encoding/json#Decoder.UseNumber so all numbers parsed from JSON become a float64. So we need to be careful about how those values get used afterwards. In this case we expect date_create to be an integer so we must call toInt to ensure this is always true.
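
To show the float64-to-query-string behaviour described above, here is an added Go example (not httpjson code). It decodes an entry modelled on the date_create value from the trace, formats oldest the naive way, and then applies a hypothetical toInt stand-in and, alternatively, Decoder.UseNumber; sampleEntry, decodeEntry, toInt and OldestParam are all assumed names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample entry modelled on the date_create value in the trace above.
const sampleEntry = `{"id":"bdcb13e3","date_create":1566215192,"action":"user_created"}`

// decodeEntry parses one entry; UseNumber keeps the digits as json.Number instead of float64.
func decodeEntry(raw string, useNumber bool) (map[string]interface{}, error) {
	dec := json.NewDecoder(strings.NewReader(raw))
	if useNumber {
		dec.UseNumber()
	}
	var entry map[string]interface{}
	err := dec.Decode(&entry)
	return entry, err
}

// toInt is a hypothetical stand-in for the helper named in the comment (not httpjson's code).
func toInt(v interface{}) (int64, error) {
	switch n := v.(type) {
	case float64:
		return int64(n), nil // exact for Unix seconds; float64 is exact below 2^53
	case json.Number:
		return n.Int64()
	}
	return 0, fmt.Errorf("toInt: unsupported type %T", v)
}

// OldestParam builds the query; with fix=false, %v formatting yields "oldest=1.566215192e%2B09".
func OldestParam(entry map[string]interface{}, fix bool) (string, error) {
	value := fmt.Sprint(entry["date_create"]) // float64 prints as "1.566215192e+09"
	if fix {
		ts, err := toInt(entry["date_create"])
		if err != nil {
			return "", err
		}
		value = fmt.Sprintf("%d", ts) // "1566215192"
	}
	q := url.Values{}
	q.Set("oldest", value)
	return q.Encode(), nil
}
```

Either route works; the toInt conversion is the one that stays safe when a template later does arithmetic on the value, since a json.Number is a string until converted.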

@andrewkroh (Member, Author) commented:

Fixed by #4999.

@elasticmachine commented:
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine commented:

Package slack - 1.4.0 containing this change is available at https://epr.elastic.co/search?package=slack

agithomas pushed a commit to agithomas/integrations that referenced this issue Jun 5, 2023
Add details from Slack audit anomaly events to published events.
See https://api.slack.com/admins/audit-logs-anomaly.

Updated the system test with assert.hit_count and fixed elastic#6402 which
was discovered as a result.

Add better pipeline error message and set event.kind=pipeline_error.

---------

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>