fluent-plugin-secure-forward-addproxy 0.3.3dev2

data/lib/fluent/plugin/secure_forward/cert_util.rb

@@ -0,0 +1,85 @@
+require 'openssl'
+
+module Fluent
+  module SecureForward
+    module CertUtil
+      def self.generate_ca_pair(opts={})
+        key = OpenSSL::PKey::RSA.generate(opts[:private_key_length])
+
+        issuer = subject = OpenSSL::X509::Name.new
+        subject.add_entry('C', opts[:cert_country])
+        subject.add_entry('ST', opts[:cert_state])
+        subject.add_entry('L', opts[:cert_locality])
+        subject.add_entry('CN', opts[:cert_common_name])
+
+        digest = OpenSSL::Digest::SHA1.new
+
+        cert = OpenSSL::X509::Certificate.new
+        cert.not_before = Time.at(0)
+        cert.not_after = Time.now + 5 * 365 * 86400 # 5 years after
+        cert.public_key = key
+        cert.serial = 1
+        cert.issuer = issuer
+        cert.subject = subject
+        cert.add_extension OpenSSL::X509::Extension.new('basicConstraints', OpenSSL::ASN1.Sequence([OpenSSL::ASN1::Boolean(true)]))
+        cert.sign(key, digest)
+
+        return cert, key
+      end
+
+      def self.generate_server_pair(opts={})
+        key = OpenSSL::PKey::RSA.generate(opts[:private_key_length])
+
+        ca_key = OpenSSL::PKey::RSA.new(File.read(opts[:ca_key_path]), opts[:ca_key_passphrase])
+        ca_cert = OpenSSL::X509::Certificate.new(File.read(opts[:ca_cert_path]))
+        issuer = ca_cert.issuer
+
+        subject = OpenSSL::X509::Name.new
+        subject.add_entry('C', opts[:country])
+        subject.add_entry('ST', opts[:state])
+        subject.add_entry('L', opts[:locality])
+        subject.add_entry('CN', opts[:common_name])
+
+        digest = OpenSSL::Digest::SHA1.new
+
+        cert = OpenSSL::X509::Certificate.new
+        cert.not_before = Time.at(0)
+        cert.not_after = Time.now + 5 * 365 * 86400 # 5 years after
+        cert.public_key = key
+        cert.serial = 2
+        cert.issuer = issuer
+        cert.subject = subject
+
+        cert.add_extension OpenSSL::X509::Extension.new('basicConstraints', OpenSSL::ASN1.Sequence([OpenSSL::ASN1::Boolean(false)]))
+        cert.add_extension OpenSSL::X509::Extension.new('nsCertType', 'server')
+
+        cert.sign ca_key, digest
+
+        return cert, key
+      end
+
+      def self.generate_self_signed_server_pair(opts={})
+        key = OpenSSL::PKey::RSA.generate(opts[:private_key_length])
+
+        issuer = subject = OpenSSL::X509::Name.new
+        subject.add_entry('C', opts[:country])
+        subject.add_entry('ST', opts[:state])
+        subject.add_entry('L', opts[:locality])
+        subject.add_entry('CN', opts[:common_name])
+
+        digest = OpenSSL::Digest::SHA1.new
+
+        cert = OpenSSL::X509::Certificate.new
+        cert.not_before = Time.at(0)
+        cert.not_after = Time.now + 5 * 365 * 86400 # 5 years after
+        cert.public_key = key
+        cert.serial = 1
+        cert.issuer = issuer
+        cert.subject  = subject
+        cert.sign(key, digest)
+
+        return cert, key
+      end
+    end
+  end
+end

data/test/helper.rb

@@ -0,0 +1,66 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'fluent/test'
+
+$log = Fluent::Log.new(Fluent::Test::DummyLogDevice.new, Fluent::Log::LEVEL_INFO)
+
+require 'fluent/plugin/in_secure_forward'
+require 'fluent/plugin/out_secure_forward'
+
+class DummySocket
+  attr_accessor :sync
+end
+
+class DummyInputPlugin
+  attr_reader :log, :users, :nodes, :authentication, :allow_anonymous_source, :allow_keepalive
+  attr_reader :shared_key, :self_hostname
+  attr_reader :read_length, :read_interval, :socket_interval
+
+  attr_reader :data
+
+  def initialize(opts={})
+    @log = $log
+    @users = opts.fetch(:users, [])
+    @nodes = opts.fetch(:nodes, [])
+    @authentication = opts.fetch(:authentication, false)
+    @allow_anonymous_source = opts.fetch(:allow_anonymous_source, true)
+    @allow_keepalive = opts.fetch(:allow_keepalive, true)
+    @shared_key = opts.fetch(:shared_key, 'shared key')
+    @self_hostname = opts.fetch(:self_hostname, 'hostname.local')
+    @read_length = opts.fetch(:read_length, 8*1024*1024)
+    @read_interval = opts.fetch(:read_interval, 0.05)
+    @socket_interval = opts.fetch(:socket_interval, 0.2)
+
+    @data = []
+  end
+
+  def select_authenticate_users(node, username)
+    if node.nil? || node[:users].nil?
+      self.users.select{|u| u[:username] == username}
+    else
+      self.users.select{|u| node[:users].include?(u[:username]) && u[:username] == username}
+    end
+  end
+
+  def on_message(data)
+    raise NotImplementedError
+  end
+end
+
+class DummyOutputPlugin
+end
+
+
+class Test::Unit::TestCase
+end

data/test/plugin/test_in_secure_forward.rb

@@ -0,0 +1,237 @@
+require 'helper'
+
+class SecureForwardInputTest < Test::Unit::TestCase
+  CONFIG = %[
+
+]
+
+  def setup
+    Fluent::Test.setup
+  end
+
+  def create_driver(conf=CONFIG,tag='test')
+    Fluent::Test::InputTestDriver.new(Fluent::SecureForwardInput).configure(conf)
+  end
+
+  def test_configure
+    p1 = nil
+    assert_nothing_raised { p1 = create_driver(<<CONFIG).instance }
+  type secure_forward
+  secure false
+  shared_key         secret_string
+  self_hostname      server.fqdn.local  # This fqdn is used as CN (Common Name) of certificates
+CONFIG
+    assert_equal 'secret_string', p1.shared_key
+    assert_equal 'server.fqdn.local', p1.self_hostname
+
+    assert_raise(Fluent::ConfigError){ create_driver(<<CONFIG) }
+  type secure_forward
+  secure no
+  shared_key         secret_string
+  self_hostname      server.fqdn.local
+  authentication     yes # Deny clients without valid username/password
+  <user>
+    username tagomoris
+    password foobar012
+  </user>
+  <user>
+    password yakiniku
+  </user>
+CONFIG
+    assert_raise(Fluent::ConfigError){ create_driver(<<CONFIG) }
+  type secure_forward
+  secure no
+  shared_key         secret_string
+  self_hostname      server.fqdn.local
+  authentication     yes # Deny clients without valid username/password
+  <user>
+    username tagomoris
+    password foobar012
+  </user>
+  <user>
+    username frsyuki
+  </user>
+CONFIG
+
+    p2 = nil
+    assert_nothing_raised { p2 = create_driver(<<CONFIG).instance }
+  type secure_forward
+  secure no
+  shared_key         secret_string
+  self_hostname      server.fqdn.local
+  authentication     yes # Deny clients without valid username/password
+  <user>
+    username tagomoris
+    password foobar012
+  </user>
+  <user>
+    username frsyuki
+    password yakiniku
+  </user>
+CONFIG
+    assert_equal 2, p2.users.size
+    assert_equal 'tagomoris', p2.users[0].username
+    assert_equal 'foobar012', p2.users[0].password
+
+    assert_raise(Fluent::ConfigError){ create_driver(<<CONFIG) }
+  type secure_forward
+  secure no
+  shared_key         secret_string
+  self_hostname      server.fqdn.local
+  allow_anonymous_source no  # Allow to accept from nodes of <client>
+  <client>
+    host 192.168.10.30
+    # network address (ex: 192.168.10.0/24) NOT Supported now
+  </client>
+  <client>
+    host localhost
+    network 192.168.1.1/32
+  </client>
+  <client>
+    network 192.168.16.0/24
+  </client>
+CONFIG
+    assert_raise(Fluent::ConfigError){ create_driver(<<CONFIG) }
+  type secure_forward
+  secure no
+  shared_key         secret_string
+  self_hostname      server.fqdn.local
+  allow_anonymous_source no  # Allow to accept from nodes of <client>
+  <client>
+    host 192.168.10.30
+    # network address (ex: 192.168.10.0/24) NOT Supported now
+  </client>
+  <client>
+  </client>
+  <client>
+    network 192.168.16.0/24
+  </client>
+CONFIG
+
+    p3 = nil
+    assert_nothing_raised { p3 = create_driver(<<CONFIG).instance }
+  type secure_forward
+  secure no
+  shared_key         secret_string
+  self_hostname      server.fqdn.local
+  allow_anonymous_source no  # Allow to accept from nodes of <client>
+  <client>
+    host 192.168.10.30
+    # network address (ex: 192.168.10.0/24) NOT Supported now
+  </client>
+  <client>
+    host localhost
+    # wildcard (ex: *.host.fqdn.local) NOT Supported now
+  </client>
+  <client>
+    network 192.168.16.0/24
+  </client>
+CONFIG
+    assert (not p3.allow_anonymous_source)
+    assert_equal 3, p3.clients.size
+    assert_equal '192.168.16.0/24', p3.clients[2].network
+    assert_equal 3, p3.nodes.size
+    assert_equal IPAddr.new('192.168.10.30'), p3.nodes[0][:address]
+    assert_equal IPAddr.new('192.168.16.0/24'), p3.nodes[2][:address]
+
+    p4 = nil
+    assert_nothing_raised { p4 = create_driver(<<CONFIG).instance }
+  secure no
+  shared_key         secret_string
+  self_hostname      server.fqdn.local
+  cert_auto_generate     yes
+  allow_anonymous_source no  # Allow to accept from nodes of <client>
+  authentication         yes # Deny clients without valid username/password
+  <user>
+    username tagomoris
+    password foobar012
+  </user>
+  <user>
+    username frsyuki
+    password sukiyaki
+  </user>
+  <user>
+    username repeatedly
+    password sushi
+  </user>
+  <client>
+    host 192.168.10.30      # allow all users to connect from 192.168.10.30
+  </client>
+  <client>
+    host  192.168.10.31
+    users tagomoris,frsyuki # deny repeatedly from 192.168.10.31
+  </client>
+  <client>
+    host 192.168.10.32
+    shared_key less_secret_string # limited shared_key for 192.168.10.32
+    users      repeatedly         # and repatedly only
+  </client>
+CONFIG
+    assert_equal ['tagomoris','frsyuki'], p4.nodes[1][:users]
+  end
+
+  def test_configure_secure
+    p = nil
+    assert_raise(Fluent::ConfigError) { p = create_driver(<<CONFIG).instance }
+  type secure_forward
+  shared_key         secret_string
+  self_hostname      server.fqdn.local  # This fqdn is used as CN (Common Name) of certificates
+CONFIG
+
+    assert_raise(Fluent::ConfigError) { p = create_driver(<<CONFIG).instance }
+  type secure_forward
+  secure true
+  shared_key         secret_string
+  self_hostname      server.fqdn.local  # This fqdn is used as CN (Common Name) of certificates
+CONFIG
+
+    assert_raise(Fluent::ConfigError) { p = create_driver(<<CONFIG).instance }
+  type secure_forward
+  secure true
+  shared_key         secret_string
+  self_hostname      server.fqdn.local  # This fqdn is used as CN (Common Name) of certificates
+  ca_cert_path       /anywhere/cert/file/does/not/exist
+CONFIG
+
+    passphrase = "testing secret phrase"
+    ca_dir = File.join(Dir.pwd, "test", "tmp", "cadir")
+    unless File.exist?(File.join(ca_dir, 'ca_cert.pem'))
+      FileUtils.mkdir_p(ca_dir)
+      opt = {
+        private_key_length: 2048,
+        cert_country:  'US',
+        cert_state:    'CA',
+        cert_locality: 'Mountain View',
+        cert_common_name: 'SecureForward CA',
+      }
+      cert, key = Fluent::SecureForward::CertUtil.generate_ca_pair(opt)
+      key_data = key.export(OpenSSL::Cipher::Cipher.new('aes256'), passphrase)
+      File.open(File.join(ca_dir, 'ca_key.pem'), 'w') do |file|
+        file.write key_data
+      end
+      File.open(File.join(ca_dir, 'ca_cert.pem'), 'w') do |file|
+        file.write cert.to_pem
+      end
+    end
+
+    assert_raise(OpenSSL::PKey::RSAError) { p = create_driver(<<CONFIG).instance }
+  type secure_forward
+  secure true
+  shared_key         secret_string
+  self_hostname      server.fqdn.local  # This fqdn is used as CN (Common Name) of certificates
+  ca_cert_path       #{ca_dir}/ca_cert.pem
+  ca_private_key_path #{ca_dir}/ca_key.pem
+  ca_private_key_passphrase wrong phrase
+CONFIG
+
+    assert_nothing_raised { p = create_driver(<<CONFIG).instance }
+  type secure_forward
+  secure true
+  shared_key         secret_string
+  self_hostname      server.fqdn.local  # This fqdn is used as CN (Common Name) of certificates
+  ca_cert_path       #{ca_dir}/ca_cert.pem
+  ca_private_key_path #{ca_dir}/ca_key.pem
+  ca_private_key_passphrase testing secret phrase
+CONFIG
+  end
+end

data/test/plugin/test_input_session.rb

@@ -0,0 +1,43 @@
+require 'helper'
+
+require 'fluent/plugin/input_session'
+
+require 'ipaddr'
+
+class InputSessionTest < Test::Unit::TestCase
+
+  def test_check_node
+    # def check_node(hostname, ipaddress, port, proto)
+    nodes = [
+      { address: IPAddr.new('127.0.0.1'), shared_key: 'shared_key', users: ['tagomoris', 'repeatedly'] },
+      { address: IPAddr.new('2001:DB8::9'), shared_key: 'shared_key2', users: nil },
+      { address: IPAddr.new('127.0.0.0/24'), shared_key: 'shared_key3', users: ['tagomoris', 'repeatedly'] },
+    ]
+    p1 = DummyInputPlugin.new(nodes: nodes)
+    s1 = Fluent::SecureForwardInput::Session.new(p1, DummySocket.new)
+
+    assert s1.check_node('127.0.0.1')
+    assert_equal 'shared_key', s1.check_node('127.0.0.1')[:shared_key]
+
+    assert s1.check_node('127.0.0.127')
+    assert_equal 'shared_key3', s1.check_node('127.0.0.127')[:shared_key]
+
+    assert_nil s1.check_node('192.0.2.8')
+    assert_nil s1.check_node('2001:DB8::8')
+
+    assert s1.check_node('2001:DB8::9')
+    assert_equal 'shared_key2', s1.check_node('2001:DB8::9')[:shared_key]
+  end
+
+  def test_generate_helo
+  end
+
+  def test_check_ping
+  end
+
+  def test_generate_pong
+  end
+
+  def test_on_read
+  end
+end

data/test/plugin/test_out_secure_forward.rb

@@ -0,0 +1,147 @@
+require 'helper'
+
+class SecureForwardOutputTest < Test::Unit::TestCase
+  CONFIG = %[
+]
+
+  def setup
+    Fluent::Test.setup
+  end
+
+  def create_driver(conf=CONFIG,tag='test')
+    Fluent::Test::OutputTestDriver.new(Fluent::SecureForwardOutput, tag).configure(conf)
+  end
+
+  def test_configure_secondary
+    p1 = nil
+    assert_nothing_raised { p1 = create_driver(<<CONFIG).instance }
+  type secure_forward
+  secure no
+  shared_key secret_string
+  self_hostname client.fqdn.local
+  <server>
+    host server.fqdn.local  # or IP
+    # port 24284
+  </server>
+  <secondary>
+    type forward
+    <server>
+      host localhost
+    </server>
+  </secondary>
+CONFIG
+  end
+
+  def test_configure_standby_server
+    p1 = nil
+    assert_nothing_raised { p1 = create_driver(<<CONFIG).instance }
+  type secure_forward
+  secure no
+  shared_key secret_string
+  self_hostname client.fqdn.local
+  keepalive 1m
+  <server>
+    host server1.fqdn.local
+  </server>
+  <server>
+    host server2.fqdn.local
+    hostlabel server2
+  </server>
+  <server>
+    host server1.fqdn.local
+    hostlabel server1
+    port 24285
+    shared_key secret_string_more
+    standby
+  </server>
+CONFIG
+    assert_equal 3, p1.servers.size
+    assert_equal 3, p1.nodes.size
+
+    assert_equal 'server1.fqdn.local', p1.nodes[0].host
+    assert_equal 'server1.fqdn.local', p1.nodes[0].hostlabel
+    assert_equal 24284, p1.nodes[0].port
+    assert_equal false, p1.nodes[0].standby
+    assert_equal 'secret_string', p1.nodes[0].shared_key
+    assert_equal 60, p1.nodes[0].keepalive
+
+    assert_equal 'server2.fqdn.local', p1.nodes[1].host
+    assert_equal 'server2', p1.nodes[1].hostlabel
+    assert_equal 24284, p1.nodes[1].port
+    assert_equal false, p1.nodes[1].standby
+    assert_equal 'secret_string', p1.nodes[1].shared_key
+    assert_equal 60, p1.nodes[1].keepalive
+
+    assert_equal 'server1.fqdn.local', p1.nodes[2].host
+    assert_equal 'server1', p1.nodes[2].hostlabel
+    assert_equal 24285, p1.nodes[2].port
+    assert_equal true, p1.nodes[2].standby
+    assert_equal 'secret_string_more', p1.nodes[2].shared_key
+    assert_equal 60, p1.nodes[2].keepalive
+  end
+
+  def test_configure_standby_server2
+    p1 = nil
+    assert_nothing_raised { p1 = create_driver(<<CONFIG).instance }
+  type secure_forward
+  secure no
+  shared_key secret_string
+  self_hostname client.fqdn.local
+  num_threads 3
+  <server>
+    host server1.fqdn.local
+  </server>
+  <server>
+    host server2.fqdn.local
+  </server>
+  <server>
+    host server3.fqdn.local
+    standby
+  </server>
+CONFIG
+    assert_equal 3, p1.num_threads
+    assert_equal 1, p1.log.logs.select{|line| line =~ /\[warn\]: Too many num_threads for secure-forward:/}.size
+  end
+
+  def test_configure_with_ca_cert
+    ca_dir = File.join(Dir.pwd, "test", "tmp", "cadir")
+    unless File.exist?(File.join(ca_dir, 'ca_cert.pem'))
+      FileUtils.mkdir_p(ca_dir)
+      opt = {
+        private_key_length: 2048,
+        cert_country:  'US',
+        cert_state:    'CA',
+        cert_locality: 'Mountain View',
+        cert_common_name: 'SecureForward CA',
+      }
+      cert, key = Fluent::SecureForward::CertUtil.generate_ca_pair(opt)
+      key_data = key.export(OpenSSL::Cipher::Cipher.new('aes256'), passphrase)
+      File.open(File.join(ca_dir, 'ca_key.pem'), 'w') do |file|
+        file.write key_data
+      end
+      File.open(File.join(ca_dir, 'ca_cert.pem'), 'w') do |file|
+        file.write cert.to_pem
+      end
+    end
+
+    p = nil
+    assert_nothing_raised { p = create_driver(<<CONFIG).instance }
+  type secure_forward
+  secure yes
+  ca_cert_path #{ca_dir}/ca_cert.pem
+  shared_key secret_string
+  self_hostname client.fqdn.local
+  num_threads 3
+  <server>
+    host server1.fqdn.local
+  </server>
+  <server>
+    host server2.fqdn.local
+  </server>
+  <server>
+    host server3.fqdn.local
+    standby
+  </server>
+CONFIG
+  end
+end