diff --git a/packages/workday/_dev/deploy/docker/files/config.yml b/packages/workday/_dev/deploy/docker/files/config.yml index d2c396f558c..921c762974c 100644 --- a/packages/workday/_dev/deploy/docker/files/config.yml +++ b/packages/workday/_dev/deploy/docker/files/config.yml @@ -15,6 +15,7 @@ rules: { "access_token": "xxxx", "token_type": "Bearer", + "expires_in": 3600, "refresh_token": "refresh_token" } `}} diff --git a/packages/workday/changelog.yml b/packages/workday/changelog.yml index 64f62bfd0f8..fb7250ff2ec 100644 --- a/packages/workday/changelog.yml +++ b/packages/workday/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: '0.2.0' + changes: + - description: Fix token refresh after 401 by adding TTL-based expiry tracking. + type: bugfix + link: https://github.com/elastic/integrations/pull/20072 - version: '0.1.0' changes: - description: Add support for activity data stream. diff --git a/packages/workday/data_stream/activity/agent/stream/cel.yml.hbs b/packages/workday/data_stream/activity/agent/stream/cel.yml.hbs index 7f4e634ee3b..cdb6ef1c7cf 100644 --- a/packages/workday/data_stream/activity/agent/stream/cel.yml.hbs +++ b/packages/workday/data_stream/activity/agent/stream/cel.yml.hbs @@ -42,7 +42,9 @@ program: |- state.url.trim_right("/").as(base_url, state.with( ( - (state.?cursor.access_token.orValue("") == "") ? + (!has(state.?cursor.access_token) || + !has(state.?cursor.token_expiry) || + timestamp(state.cursor.token_expiry) < now - duration("30s")) ? post_request( state.token_url, "application/x-www-form-urlencoded", @@ -58,6 +60,17 @@ program: |- { "ok": true, "access_token": ao.access_token, + // Workday's "Enforce 60 Minute Access Token Expiry" + // is a server-side admin setting. When disabled, the + // token endpoint returns expires_in:-1 and tokens are + // "valid for several hours". Default to 60m in that + // case. This is conservative but well within the actual + // lifetime. + "token_expiry": + (!has(ao.expires_in) || int(ao.expires_in) < 0) ? + (now + duration("3540s")).format(time_layout.RFC3339) + : + (now + duration(string(int(ao.expires_in) - 60) + "s")).format(time_layout.RFC3339), } ) : @@ -72,6 +85,7 @@ program: |- { "ok": true, "access_token": state.cursor.access_token, + "token_expiry": state.cursor.token_expiry, } ).as(tok, !tok.ok ? @@ -116,6 +130,7 @@ program: |- "want_more": has_more, "cursor": { "access_token": tok.access_token, + "token_expiry": tok.token_expiry, ?"max_ingested_time": has_more ? ( has(state.?cursor.max_ingested_time) ? @@ -152,11 +167,11 @@ program: |- "error": { "code": string(resp.StatusCode), "id": resp.Status, - "message": "GET " + base_url + "/activityLogging: token expired, retrying", + "message": "GET " + base_url + "/activityLogging: token expired", }, }, - "want_more": true, - "offset": state.offset, + "want_more": false, + "offset": 0, } : { diff --git a/packages/workday/manifest.yml b/packages/workday/manifest.yml index 8fc8dee9d51..99181294d54 100644 --- a/packages/workday/manifest.yml +++ b/packages/workday/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.3.2 name: workday title: 'Workday' -version: 0.1.0 +version: 0.2.0 description: 'Collect logs from Workday with Elastic Agent.' type: integration categories: