elastic · andrewkroh · Feb 19, 2025 · Feb 18, 2025
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -131,6 +131,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Fix a bug in Salesforce input to only handle responses with 200 status code {pull}41015[41015]
 - [Journald] Fixes handling of `journalctl` restart. A known symptom was broken multiline messages when there was a restart of journalctl while aggregating the lines. {issue}41331[41331] {pull}42595[42595]
 - Fix entityanalytics activedirectory provider full sync use before initialization bug. {pull}42682[42682]
+- In the `http_endpoint` input, fix the check for a missing HMAC HTTP header. {pull}42756[42756]
 
 *Heartbeat*
 

@@ -359,6 +359,81 @@ func Test_apiResponse(t *testing.T) {
 			wantStatus:   http.StatusOK,
 			wantResponse: `{"message": "success"}`,
 		},
+		{
+			name: "hmac_header_not_present",
+			conf: func() config {
+				c := defaultConfig()
+				c.HMACHeader = "Authorization"
+				c.HMACKey = "mysecretkey"
+				c.HMACType = "sha256"
+				c.HMACPrefix = "HMAC-SHA256 "
+				return c
+			}(),
+			request: func() *http.Request {
+				req := httptest.NewRequest(http.MethodPost, "/", bytes.NewBufferString(`{"id":0}`))
+				req.Header.Set("Content-Type", "application/json")
+				return req
+			}(),
+			wantStatus:   http.StatusUnauthorized,
+			wantResponse: `{"message":"missing HMAC header"}`,
+		},
+		{
+			name: "hmac_header_value_is_empty",
+			conf: func() config {
+				c := defaultConfig()
+				c.HMACHeader = "Authorization"
+				c.HMACKey = "mysecretkey"
+				c.HMACType = "sha256"
+				c.HMACPrefix = "HMAC-SHA256 "
+				return c
+			}(),
+			request: func() *http.Request {
+				req := httptest.NewRequest(http.MethodPost, "/", bytes.NewBufferString(`{"id":0}`))
+				req.Header.Set("Content-Type", "application/json")
+				req.Header.Set("Authorization", "")
+				return req
+			}(),
+			wantStatus:   http.StatusUnauthorized,
+			wantResponse: `{"message":"invalid HMAC signature encoding: unexpected empty header value"}`,
+		},
+		{
+			name: "hmac_header_value_only_contains_prefix",
+			conf: func() config {
+				c := defaultConfig()
+				c.HMACHeader = "Authorization"
+				c.HMACKey = "mysecretkey"
+				c.HMACType = "sha256"
+				c.HMACPrefix = "HMAC-SHA256 "
+				return c
+			}(),
+			request: func() *http.Request {
+				req := httptest.NewRequest(http.MethodPost, "/", bytes.NewBufferString(`{"id":0}`))
+				req.Header.Set("Content-Type", "application/json")
+				req.Header.Set("Authorization", "HMAC-SHA256 ")
+				return req
+			}(),
+			wantStatus:   http.StatusUnauthorized,
+			wantResponse: `{"message":"invalid HMAC signature encoding: unexpected empty header value"}`,
+		},
+		{
+			name: "hmac_header_value_bad_encoding",
+			conf: func() config {
+				c := defaultConfig()
+				c.HMACHeader = "Authorization"
+				c.HMACKey = "mysecretkey"
+				c.HMACType = "sha256"
+				c.HMACPrefix = "HMAC-SHA256 "
+				return c
+			}(),
+			request: func() *http.Request {
+				req := httptest.NewRequest(http.MethodPost, "/", bytes.NewBufferString(`{"id":0}`))
+				req.Header.Set("Content-Type", "application/json")
+				req.Header.Set("Authorization", "HMAC-SHA256 not-hex-or-base64")
+				return req
+			}(),
+			wantStatus:   http.StatusUnauthorized,
+			wantResponse: `{"message":"invalid HMAC signature encoding: encoding/hex: invalid byte: U+006E 'n'\nillegal base64 data at input byte 3\nillegal base64 data at input byte 3"}`,
+		},
 		{
 			name: "single_event_gzip",
 			conf: defaultConfig(),

@@ -62,17 +62,15 @@ func (v *apiValidator) validateRequest(r *http.Request) (status int, err error)
 	}
 
 	if v.hmacHeader != "" && v.hmacKey != "" && v.hmacType != "" {
-		// Read HMAC signature from HTTP header.
-		hmacHeaderValue := r.Header.Get(v.hmacHeader)
-		if v.hmacHeader == "" {
+		// Check whether the HMAC header exists at all.
+		if len(r.Header.Values(v.hmacHeader)) == 0 {
 			return http.StatusUnauthorized, errMissingHMACHeader
 		}
-		if v.hmacPrefix != "" {
-			hmacHeaderValue = strings.TrimPrefix(hmacHeaderValue, v.hmacPrefix)
-		}
-		signature, err := decodeHeaderValue(hmacHeaderValue)
+		// Read HMAC signature from HTTP header.
+		hmacHeaderValue := r.Header.Get(v.hmacHeader)
+		signature, err := decodeHeaderValue(strings.TrimPrefix(hmacHeaderValue, v.hmacPrefix))
 		if err != nil {
-			return http.StatusUnauthorized, fmt.Errorf("invalid HMAC signature hex: %w", err)
+			return http.StatusUnauthorized, fmt.Errorf("invalid HMAC signature encoding: %w", err)
 		}
 
 		// We need access to the request body to validate the signature, but we
@@ -113,7 +111,14 @@ var decoders = [...]func(string) ([]byte, error){
 	base64.StdEncoding.DecodeString,
 }
 
+// decodeHeaderValue attempts to decode s as hex, unpadded base64
+// ([base64.RawStdEncoding]), and padded base64 ([base64.StdEncoding]).
+// The first successful decoding result is returned. If all decodings fail, it
+// collects errors from each attempt and returns them as a single error.
 func decodeHeaderValue(s string) ([]byte, error) {
+	if s == "" {
+		return nil, errors.New("unexpected empty header value")
+	}
 	var errs []error
 	for _, d := range &decoders {
 		b, err := d(s)