fluent-plugin-secure-forward 0.0.1

data/.gitignore

@@ -0,0 +1,24 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+# For TextMate, emacs, vim
+*.tmproj
+tmtags
+*~
+\#*
+.\#*
+*.swp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in fluent-plugin-secure-forward.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,13 @@
+Copyright (c) 2012- TAGOMORI Satoshi
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/README.md

@@ -0,0 +1,238 @@
+# fluent-plugin-secure-forward
+
+Fluentd input/output plugin to forward fluentd messages over SSL with authentication.
+
+**THIS PLUGIN IS PoC, and now version is HIGHLY EXPERIMENTAL.**
+
+This plugin makes you to be able to:
+
+ * protect your data from others in transferring with SSL
+   * with certificate signed and registered correctly
+   * with self-signed certificate (and generate certificate in in\_secure\_forward automatically)
+ * authenticate by shared\_key check from both of client(out\_secure\_forward) and server(in\_secure\_forward)
+ * authenticate with username / password pairs
+
+**DON'T USE THIS PLUGIN OF THIS VERSION (v0.0.x) IN PRODUCTION ENVIRONMENT.**
+
+We need new developer/maintainer of this plugin, who wants to use this plugin in their systems.
+
+## Configuration
+
+### SecureForwardInput
+
+Default settings:
+  * listen 0.0.0.0:24284
+    * `bind 192.168.0.101`
+    * `port 24285`
+  * allow to accept from any sources
+  * allow to connect without authentications
+  * use certificate automatically generated
+    * `generate_private_key_length 2048`
+    * `generate_cert_country  US`
+    * `generate_cert_state    CA`
+    * `generate_cert_locality Mountain View`
+    * `generate_cert_common_name SAME_WITH_SELF_HOSTNAME_PARAMETER`
+  
+Minimal configurations like below:
+
+    <source>
+      type secure_forward
+      shared_key         secret_string
+      self_hostname      server.fqdn.local  # This fqdn is used as CN (Common Name) of certificates
+      cert_auto_generate yes                # This parameter MUST be specified
+    </source>
+
+To check username/password from clients, like this:
+
+    <source>
+      type secure_forward
+      shared_key         secret_string
+      self_hostname      server.fqdn.local
+      cert_auto_generate yes               
+      authentication     yes # Deny clients without valid username/password
+      <user>
+        username tagomoris
+        password foobar012
+      </user>
+      <user>
+        username frsyuki
+        password yakiniku
+      </user>
+    </source>
+
+To deny unknown source IP/hosts:
+
+    <source>
+      type secure_forward
+      shared_key         secret_string
+      self_hostname      server.fqdn.local
+      cert_auto_generate     yes
+      allow_anonymous_source no  # Allow to accept from nodes of <client>
+      <client>
+        host 192.168.10.30
+        # network address (ex: 192.168.10.0/24) NOT Supported now
+      </client>
+      <client>
+        host your.host.fqdn.local
+        # wildcard (ex: *.host.fqdn.local) NOT Supported now
+      </client>
+    </source>
+
+You can use both of username/password check and client check:
+
+    <source>
+      type secure_forward
+      shared_key         secret_string
+      self_hostname      server.fqdn.local
+      cert_auto_generate     yes
+      allow_anonymous_source no  # Allow to accept from nodes of <client>
+      authentication         yes # Deny clients without valid username/password
+      <user>
+        username tagomoris
+        password foobar012
+      </user>
+      <user>
+        username frsyuki
+        password sukiyaki
+      </user>
+      <user>
+        username repeatedly
+        password sushi
+      </user
+      <client>
+        host 192.168.10.30      # allow all users to connect from 192.168.10.30
+      </client>
+      <client>
+        host  192.168.10.31
+        users tagomoris,frsyuki # deny repeatedly from 192.168.10.31
+      </client>
+      <client>
+        host 192.168.10.32
+        shared_key less_secret_string # limited shared_key for 192.168.10.32
+        users      repeatedly         # and repatedly only
+      </client>
+    </source>
+
+### SecureForwardOutput
+
+Default settings:
+  * allow to connect server using self-signed certificates
+
+Minimal configurations like this:
+
+    <match secret.data.**>
+      type secure_forward
+      shared_key secret_string
+      <server>
+        host server.fqdn.local  # or IP
+        # port 24284
+      </server>
+    </match>
+
+At this version (v0.0.x), only one `<server>` section can be specified.
+
+If server requires username/password, set `username` and `password` in `<server>` section:
+
+    <match secret.data.**>
+      type secure_forward
+      shared_key secret_string
+      <server>
+        host server.fqdn.local
+        username repeatedly
+        password sushi
+      </server>
+    </match>
+
+## Senario (developer document)
+
+* server
+  * in\_secure\_forward
+* client
+  * out\_secure\_forward
+
+### Setup Phase (server)
+
+1. SSLContext
+  * with certificate file / private key file
+    1. read cert file
+    2. generate SSLContext object
+  * without certificate file
+    1. generate key pair
+    2. generate cert data
+    3. sign cert data with generated private key
+2. shared key
+  * read shared key from configuration
+3. username / password pairs
+  * read from configuration
+
+### Setup Phase (client)
+
+1. SSLContext
+  1. certificate
+    * with certificate file, read from file
+    * without certificate file, `new SSLContext` without any options
+  2. set SSLContext option which allow self signed key option or not
+2. shared key
+  * read shared key from configuration
+3. read server list with username / password pairs from configuration
+
+### Handshake
+
+1. (client) connect to server
+  * on SSL socket handshake, checks certificate and its significate (in client)
+2. (server)
+  * check network/domain acl (if enabled)
+  * check client dns reverse lookup result (if enabled)
+  * disconnect when failed
+3. (server) send HELO
+  * ['HELO', options(hash)]
+  * options:
+    * auth: string or blank\_string (string: authentication required, and its salt is this value)
+    * keepalive: bool (allowed or not)
+4. (client) send PING
+  * ['PING', selfhostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + selfhostname + sharedkey), username || '', sha512\_hex(auth\_salt + username + password) || '']
+5. (server) check PING
+  * check sharedkey
+  * check username / password (if required)
+  * send PONG FAILURE if failed
+  * ['PONG', false, 'reason of authentication failure', '', '']
+6. (server) send PONG
+  * ['PONG', bool(authentication result), 'reason if authentication failed', selfhostname, sha512\_hex(salt + selfhostname + sharedkey)]
+7. (client) check PONG
+  * check sharedkey
+  * disconnect when failed
+8. connection established
+  * send data from client (until keepalive expiration)
+
+### Data transferring
+
+CONSIDER RETURN ACK OR NOT
+
+ * This version (v0.0.1) has no ACKs
+   * only supports burst transferring (same as ForwardInput/Output)
+ * ack for each message ?
+ * pipeline mode and one-by-one mode ?
+ * data sequence number in keepalive session ?
+
+## TODO
+
+* test for non self-signed certificates
+* ACK mode (protocol)
+* support disabling keepalive (input/output)
+* access control (input plugin)
+  * network acl / domain acl
+  * check connecting source ip and its dns reverse lookup result (for domaian acl)
+  * access deny on accept (against DoS)
+* pluggable authentication database (input plugin)
+  * RDBMS, LDAP, or ...
+* encryption algorithm option (output plugin)
+* balancing/failover (output plugin)
+* TESTS!
+
+* GET NEW MAINTAINER
+
+## Copyright
+
+* Copyright (c) 2013- TAGOMORI Satoshi (tagomoris)
+* License
+  * Apache License, Version 2.0

data/Rakefile

@@ -0,0 +1,2 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"

data/example/auth_client.conf

@@ -0,0 +1,19 @@
+<source>
+  type forward
+</source>
+
+<match test.**>
+  type secure_forward
+  self_hostname client
+  #shared_key hogeposxxx0
+  shared_key wrong_shared_key
+  <server>
+    host localhost
+    shared_key hogeposxxx1
+    username tagomoris
+    password 001122
+    # password XXYYZZ
+    # password wrong_pass
+  </server>
+  flush_interval 1s
+</match>

data/example/auth_server.conf

@@ -0,0 +1,30 @@
+<source>
+  type secure_forward
+  self_hostname server
+  shared_key hogeposxxx0
+  cert_auto_generate yes
+  allow_anonymous_source no
+  authentication yes
+  <user>
+    username tagomoris
+    password 001122
+  </user>
+  <user>
+    username sugomoris
+    password 012345
+  </user>
+  <user>
+    username tagomoris
+    password XXYYZZ
+  </user>
+  <client>
+    host localhost
+    users tagomoris
+    shared_key hogeposxxx1
+    # users sugomoris
+  </client> 
+</source>
+
+<match test.**>
+  type stdout
+</match>

data/example/cert_client.conf

@@ -0,0 +1,22 @@
+<source>
+  type forward
+</source>
+
+<match test.**>
+  type secure_forward
+  self_hostname client
+  #shared_key hogeposxxx0
+  shared_key wrong_shared_key
+  allow_self_signed_certificate yes
+  ca_file_path /Users/tagomoris/Documents/fluent-plugin-secure-forward/example/certs/cert.pem
+  <server>
+    host localhost
+    hostlabel tagomoris
+    shared_key hogeposxxx1
+    username tagomoris
+    password 001122
+    # password XXYYZZ
+    # password wrong_pass
+  </server>
+  flush_interval 1s
+</match>

data/example/cert_server.conf

@@ -0,0 +1,34 @@
+<source>
+  type secure_forward
+  self_hostname server
+  # self_hostname tagomoris
+  shared_key hogeposxxx0
+  ####cert_auto_generate no
+  cert_file_path /Users/tagomoris/Documents/fluent-plugin-secure-forward/example/certs/cert.pem
+  private_key_file /Users/tagomoris/Documents/fluent-plugin-secure-forward/example/certs/key.pem
+  # private_key_passphrase blank
+  allow_anonymous_source no
+  authentication yes
+  <user>
+    username tagomoris
+    password 001122
+  </user>
+  <user>
+    username sugomoris
+    password 012345
+  </user>
+  <user>
+    username tagomoris
+    password XXYYZZ
+  </user>
+  <client>
+    host localhost
+    users tagomoris
+    shared_key hogeposxxx1
+    # users sugomoris
+  </client> 
+</source>
+
+<match test.**>
+  type stdout
+</match>

data/example/certs/cert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9TCCAl6gAwIBAgIJAPZkY4lTv8EcMA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNV
+BAYTAkpQMQ4wDAYDVQQIEwVUb2t5bzEQMA4GA1UEBxMHU2hpYnV5YTEWMBQGA1UE
+ChMNRmx1ZW50ZCBKYXBhbjESMBAGA1UEAxMJdGFnb21vcmlzMB4XDTEzMDIxNDA4
+MzQ0OVoXDTIzMDIxMjA4MzQ0OVowWzELMAkGA1UEBhMCSlAxDjAMBgNVBAgTBVRv
+a3lvMRAwDgYDVQQHEwdTaGlidXlhMRYwFAYDVQQKEw1GbHVlbnRkIEphcGFuMRIw
+EAYDVQQDEwl0YWdvbW9yaXMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPli
+bZUddJEJDaPza0dQElKYefGcWyN5f6FHBrv0MU29PW4+9fape3/u6Kal2knXhz7c
+ujkyoQgK7pqCOuwpTCi0Fyg2peSLVJm4lw2TS5HP/7qRbKXhx2g3FaHrs/Ug/pbQ
+6xPSy894w2QaXgkeuDLb/bhu8MHulglm/iXg9wHrAgMBAAGjgcAwgb0wHQYDVR0O
+BBYEFNWgnetVbxQlGX6euMDea7WGgWO+MIGNBgNVHSMEgYUwgYKAFNWgnetVbxQl
+GX6euMDea7WGgWO+oV+kXTBbMQswCQYDVQQGEwJKUDEOMAwGA1UECBMFVG9reW8x
+EDAOBgNVBAcTB1NoaWJ1eWExFjAUBgNVBAoTDUZsdWVudGQgSmFwYW4xEjAQBgNV
+BAMTCXRhZ29tb3Jpc4IJAPZkY4lTv8EcMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
+AQEFBQADgYEAai2UAUa5WAahfUp/UV/7zX7+r/QdUP0fwrrmLzodk+FS3+yS6oqQ
+tBs0K81cD3XKfoYjAqzJ1Hul6orR63wD+yrPq3FApuWKd+CJDBxJmY8MtIA0xHHn
+nfotL/TzTAEIcFVLYb8yaBA27VMstBHvE4TsbL7mA0avF3FFzxG5GqE=
+-----END CERTIFICATE-----

data/example/certs/key.pem

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQD5Ym2VHXSRCQ2j82tHUBJSmHnxnFsjeX+hRwa79DFNvT1uPvX2
+qXt/7uimpdpJ14c+3Lo5MqEICu6agjrsKUwotBcoNqXki1SZuJcNk0uRz/+6kWyl
+4cdoNxWh67P1IP6W0OsT0svPeMNkGl4JHrgy2/24bvDB7pYJZv4l4PcB6wIDAQAB
+AoGBAIGvxu7Rl4nI3HgTIQm/wReExX144whKqa2UAxOBBJa5v5VyVnSEZH3+Hqxy
++VaHJ4TwQkN2abmF/dkJulyPiVNmsAEXeYKmNOOnOuvGVYlYgRHGJ0P13oszvtKC
+mIFsL4D01FYOHMeblxGhfPQgh4UTcQtIG9gB+yPJ/JJNH7whAkEA/XPV5rxkz/8i
+BMgUHxXxv1o4CJf0exJiMjqNViydgnWyOSEGpoABbbxsN/XV2pwaG0Sythz/4AcF
+phgCJssNUQJBAPvkIALt96XTB/mlcXap1LC+bleEdiwANpgBlwxp0HlxhBrgyDyJ
+iV65FGixi6xIOOjwQbFaLupDC383L8kW3HsCQEjHcX3PTVeY2Kjs1zJR99hNzNdS
+4yZQEhiATcOYDia/K01SWXmIOmDLgXvUQPOEbc60vGilDSjEe2/FZyDCn/ECQQCY
+pfLQU64UjAL1Q1Gze9AtG/p6hwemOqrbC3uiRi3UqvpH35j5NtBM2xSHLbFbQpla
+cN8ev2xXAzJgce0/i98pAkACvTTdRqRIp/7X24tzXJlageBxXX2vBQF8PZcjdx7C
+nVOmUTBuw5JrB34ehYnoWEwMqeyU3CNgUIIgslhcAsVl
+-----END RSA PRIVATE KEY-----

data/example/client.conf

@@ -0,0 +1,13 @@
+<source>
+  type forward
+</source>
+
+<match test.**>
+  type secure_forward
+  self_hostname client
+  shared_key hogeposxxx0
+  <server>
+    host localhost
+  </server>
+  flush_interval 1s
+</match>