Merge pull request #1863 from ashnwade/patch-to-main

Release/v5.8.14: Merge next-patch to main

Author: kris-watts-gravwell

_static/versions.json

@@ -1,10 +1,14 @@
 [
   {
-    "name": "v5.8.13 (latest)",
-    "version": "v5.8.13",
+    "name": "v5.8.14 (latest)",
+    "version": "v5.8.14",
     "url": "/",
     "preferred": true
   },
+  {
+    "version": "v5.8.13",
+    "url": "/v5.8.13/"
+  },
   {
     "version": "v5.8.12",
     "url": "/v5.8.12/"

_tools/dedup-links/default.nix

@@ -1,14 +1,14 @@
 let
   # use a specific (although arbitrarily chosen) version of the Nix package collection
   pkgs = import (fetchTarball {
-    url =
-      "https://github.com/NixOS/nixpkgs/archive/e0464e47880a69896f0fb1810f00e0de469f770a.tar.gz";
+    url = "https://github.com/NixOS/nixpkgs/archive/e0464e47880a69896f0fb1810f00e0de469f770a.tar.gz";
     sha256 = "sha256:1maakx00q48r6q6njxrajyhrq27xsnnayarc8j33p7x9f6pxlbyg";
   }) { };
 
   buildGoModule = pkgs.buildGoModule.override { go = pkgs.go_1_23; };
 
-in buildGoModule {
+in
+buildGoModule {
   name = "dedup-links";
   src = ./.;
 

changelog/5.8.14.md

@@ -0,0 +1,30 @@
+# Changelog for version 5.8.14
+
+## Released 23 April 2026
+
+## Gravwell
+
+```{attention}
+This release contains high priority bug fixes to address security concerns related to secret leaking and token permissions. Gravwell highly recommends users change secrets which have been used for MS SQL database connection strings in SQL Query flow nodes.
+```
+
+### Additions
+
+* Added a new eval function named `indirect()` that allows for passing a string, EV name, or EV name string that will transparently resolve the EV, name, or string.  This function helps with building macros and other automation functions that may need to take a constant, an EV, or an EV name.
+* Added API version checks and library enforcement to ensure client compatibility with currently installed Gravwell version.
+
+### Bug Fixes
+
+* Fixed an issue where secrets were not properly masked in error messages when running a Flow with a SQL Query flow node.
+* Fixed an issue with using backslashes in MS SQL database connection strings in the SQL Query flow node.
+* Fixed an issue with Token ownership caching when a user token is edited by an admin.
+* Fixed an issue with type promotion in the eval module `in()` function.
+* Fixed an issue with using 0x20 (space) as the separator in the kv module.
+* Fixed a hinting issue with eval that occured when using non-fulltext compatible delimiters with the fields or kv modules.
+* Fixed the PagerDuty flow node to comply with required fields and field lengths expected by the API.
+
+## Ingesters
+
+### Bug Fixes
+
+* Fixed an issue where the HEC health check was not respected by the HTTP ingester.

changelog/list.md

@@ -7,7 +7,7 @@
 maxdepth: 1
 caption: Current Release
 ---
-5.8.13 <5.8.13>
+5.8.14 <5.8.14>
 ```
 
 ## Previous Versions
@@ -18,6 +18,7 @@ maxdepth: 1
 caption: Previous Releases
 ---
 
+5.8.13 <5.8.13>
 5.8.12 <5.8.12>
 5.8.11 <5.8.11>
 5.8.10 <5.8.10>

conf.py

@@ -22,7 +22,7 @@
 project = "Gravwell"
 copyright = f"Gravwell, Inc. {date.today().year}"
 author = "Gravwell, Inc."
-release = "v5.8.13"
+release = "v5.8.14"
 
 # Default to localhost:8000, so the version switcher looks OK on livehtml
 version_list_url = os.environ.get(

configuration/sso-okta/okta.md

@@ -1,102 +1,64 @@
-# Configuring OKTA SSO with Gravwell
+# Configuring Okta SSO with Gravwell
 
-OKTA is a managed identity provider that provides cloud hosted identity and authentication services; if your organization uses OKTA for identity management, integrating with Gravwell is an incredibly easy process.
+Okta is a managed identity provider that provides cloud hosted identity and authentication services; if your organization uses Okta for identity management, integrating with Gravwell is an incredibly easy process.
 
 In this document, we assume the following:
 
 * The Gravwell instance has a valid DNS name of gravwell.example.com.
 * The Gravwell instance is publicly available with valid SSL certificates.
 * You are an Okta admin and can establish a new application and assign users to it.
 
-
 ## Creating The Okta Application
 
 The first step is to log into the Okta management console and click on `Applications`, then click `Create App Integration` to begin setting up a Gravwell integration.
 
 ![](create_app.png)
 
-Name your application and upload an image so that users know what they are interacting with; feel free to grab our logo and use it.
+Name your SAML 2.0 application and upload an image so that users know what they are interacting with; feel free to grab our logo and use it. Proceed to step 2 (`Configure SAML`).
 
-![](general_settings.png)
+![](okta_saml_step_one.png)
 
 Make sure to set the appropriate fully qualified URL for your SSO URL and SP Entity ID URL; given the domain of `gravwell.example.com` the appropriate URLs are `https://gravwell.example.com/saml/acs` and `https://gravwell.example.com/saml/metadata`.
 
-![](setup_1.png)
+![](okta_saml_step_two.png)
 
-Next configure Attribute Statements so that user information such as names, emails, and groups can be transmitted from Okta to Gravwell during account creation.  The `uid` and `mail` attributes are mandatory, but we suggest adding `givenName` and `surName` too.  Also add the Group Attribute Statements to describe which groups will be sent from Okta to Gravwell; you can filter which groups are sent using a prefix, postfix, or even a regular expression.  For this example we are sending all groups.
+Finalize this step and use the defaults for step 3 (`Feedback`).
 
-![](setup_2.png)
+## Setting Okta SAML Attributes
 
-If you wish to double check the configuration XML click `Preview the SAML Assertion`, it may look something like this:
+Next configure Attribute Statements so that user information such as names, email addresses, and groups can be forwarded from Okta to Gravwell.
 
-```
-<?xml version="1.0" encoding="UTF-8"?>
-<saml2:Assertion ID="id12345678901234567890" IssueInstant="2023-08-08T22:22:08.424Z" Version="2.0"
-    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
-    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk6ukjm9vpaGcPe8697</saml2:Issuer>
-    <saml2:Subject>
-        <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">kris.watts@gravwell.io</saml2:NameID>
-        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-            <saml2:SubjectConfirmationData NotOnOrAfter="2023-08-08T22:27:08.424Z" Recipient="https://gravwell.example.com/saml/acs"/>
-        </saml2:SubjectConfirmation>
-    </saml2:Subject>
-    <saml2:Conditions NotBefore="2023-08-08T22:17:08.424Z" NotOnOrAfter="2023-08-08T22:27:08.424Z">
-        <saml2:AudienceRestriction>
-            <saml2:Audience>https://gravwell.example.com/saml/metadata</saml2:Audience>
-        </saml2:AudienceRestriction>
-    </saml2:Conditions>
-    <saml2:AuthnStatement AuthnInstant="2023-08-08T21:38:53.551Z" SessionIndex="id12345678.123456789">
-        <saml2:AuthnContext>
-            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
-        </saml2:AuthnContext>
-    </saml2:AuthnStatement>
-    <saml2:AttributeStatement>
-        <saml2:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
-            <saml2:AttributeValue
-                xmlns:xs="http://www.w3.org/2001/XMLSchema"
-                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.dude@example.com
-            </saml2:AttributeValue>
-        </saml2:Attribute>
-        <saml2:Attribute Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
-            <saml2:AttributeValue
-                xmlns:xs="http://www.w3.org/2001/XMLSchema"
-                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">User
-            </saml2:AttributeValue>
-        </saml2:Attribute>
-        <saml2:Attribute Name="surName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
-            <saml2:AttributeValue
-                xmlns:xs="http://www.w3.org/2001/XMLSchema"
-                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Dude
-            </saml2:AttributeValue>
-        </saml2:Attribute>
-        <saml2:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
-            <saml2:AttributeValue
-                xmlns:xs="http://www.w3.org/2001/XMLSchema"
-                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.dude@example.com
-            </saml2:AttributeValue>
-        </saml2:Attribute>
-        <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
-            <saml2:AttributeValue
-                xmlns:xs="http://www.w3.org/2001/XMLSchema"
-                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">group1
-            </saml2:AttributeValue>
-            <saml2:AttributeValue
-                xmlns:xs="http://www.w3.org/2001/XMLSchema"
-                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">group2
-            </saml2:AttributeValue>
-        </saml2:Attribute>
-    </saml2:AttributeStatement>
-</saml2:Assertion>
-```
+Locate the newly created application in your list of Okta applications. Open the application and navigate to the `Sign On` tab. Find the `Attribute statements` block.
+
+
+Configure Okta SAML attributes using either Option A or Option B as described below. The `uid` and `mail` attributes are mandatory, but we suggest adding `givenName` and 
+`surName` too. Set the `groups` attribute to select which Okta groups to forward from Okta to Gravwell. Both options (A and B) show how to send **all** groups.
+
+![](okta_saml_attributes_empty.png)
+
+### (Option A) Attribute Statements
 
-After finalizing your application integration, Okta will show a `Sign On Methods` screen containing a SAML 2.0 Metadata URL. Copy the URL (you will need it for your `gravwell.conf` configuration).
+Okta's attribute statements have migrated to using the [Okta Expression Language (EL)](https://developer.okta.com/docs/reference/okta-expression-language).
+The following example would forward all groups from Okta and grant admin access to members of Okta group `foo-admin-group`.
 
-Next go to your Okta application and assign people and groups to the application; the group assignments can control which groups are passed to Gravwell as well as which users can log into the application.
+![](okta_saml_attributes_oel.png)
 
-![](setup_3.png)
+### (Option B) Legacy Configuration
+
+If you do not want to use EL for SAML attributes, you can still use Okta's legacy configuration as follows.
+
+![](okta_saml_attributes_legacy.png)
+
+## Okta App Assignments
+
+Next go to your Okta application and assign people and groups to the application to allow sign-on access to Gravwell.
+
+![](okta_app_assignments.png)
 
 ## Set up Gravwell configuration block
 
+You will need the metadata URL provided in the Gravwell Okta app -> `Sign On` tab -> `Metadata URL` block.
+
 On the system running the Gravwell webserver, create a file named `/opt/gravwell/etc/gravwell.conf.d/sso.conf` and paste the following into it:
 
 ```