fluent-plugin-secure-forward 0.0.1

data/.gitignore ADDED
@@ -0,0 +1,24 @@
1
+ *.gem
2
+ *.rbc
3
+ .bundle
4
+ .config
5
+ .yardoc
6
+ Gemfile.lock
7
+ InstalledFiles
8
+ _yardoc
9
+ coverage
10
+ doc/
11
+ lib/bundler/man
12
+ pkg
13
+ rdoc
14
+ spec/reports
15
+ test/tmp
16
+ test/version_tmp
17
+ tmp
18
+ # For TextMate, emacs, vim
19
+ *.tmproj
20
+ tmtags
21
+ *~
22
+ \#*
23
+ .\#*
24
+ *.swp
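Review bot: nothing in this ignore list covers certificate or key material (for example `*.pem` or an `example/certs/` pattern), so a key pair generated for local testing gets committed and packaged by default, which is exactly what happens with the certificate and RSA private key hunks further down in this diff. Either ignore them here or keep the test fixtures under a path that is clearly marked as test-only.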
data/Gemfile ADDED
@@ -0,0 +1,4 @@
1
+ source 'https://rubygems.org'
2
+
3
+ # Specify your gem's dependencies in fluent-plugin-secure-forward.gemspec
4
+ gemspec
data/LICENSE.txt ADDED
@@ -0,0 +1,13 @@
1
+ Copyright (c) 2012- TAGOMORI Satoshi
2
+
3
+ Licensed under the Apache License, Version 2.0 (the "License");
4
+ you may not use this file except in compliance with the License.
5
+ You may obtain a copy of the License at
6
+
7
+ http://www.apache.org/licenses/LICENSE-2.0
8
+
9
+ Unless required by applicable law or agreed to in writing, software
10
+ distributed under the License is distributed on an "AS IS" BASIS,
11
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
+ See the License for the specific language governing permissions and
13
+ limitations under the License.
data/README.md ADDED
@@ -0,0 +1,238 @@
1
+ # fluent-plugin-secure-forward
2
+
3
+ Fluentd input/output plugin to forward fluentd messages over SSL with authentication.
4
+
5
+ **THIS PLUGIN IS PoC, and now version is HIGHLY EXPERIMENTAL.**
6
+
7
+ This plugin makes you to be able to:
8
+
9
+ * protect your data from others in transferring with SSL
10
+ * with certificate signed and registered correctly
11
+ * with self-signed certificate (and generate certificate in in\_secure\_forward automatically)
12
+ * authenticate by shared\_key check from both of client(out\_secure\_forward) and server(in\_secure\_forward)
13
+ * authenticate with username / password pairs
14
+
15
+ **DON'T USE THIS PLUGIN OF THIS VERSION (v0.0.x) IN PRODUCTION ENVIRONMENT.**
16
+
17
+ We need new developer/maintainer of this plugin, who wants to use this plugin in their systems.
18
+
19
+ ## Configuration
20
+
21
+ ### SecureForwardInput
22
+
23
+ Default settings:
24
+ * listen 0.0.0.0:24284
25
+ * `bind 192.168.0.101`
26
+ * `port 24285`
27
+ * allow to accept from any sources
28
+ * allow to connect without authentications
29
+ * use certificate automatically generated
30
+ * `generate_private_key_length 2048`
31
+ * `generate_cert_country US`
32
+ * `generate_cert_state CA`
33
+ * `generate_cert_locality Mountain View`
34
+ * `generate_cert_common_name SAME_WITH_SELF_HOSTNAME_PARAMETER`
35
+
36
+ Minimal configurations like below:
37
+
38
+ <source>
39
+ type secure_forward
40
+ shared_key secret_string
41
+ self_hostname server.fqdn.local # This fqdn is used as CN (Common Name) of certificates
42
+ cert_auto_generate yes # This parameter MUST be specified
43
+ </source>
44
+
45
+ To check username/password from clients, like this:
46
+
47
+ <source>
48
+ type secure_forward
49
+ shared_key secret_string
50
+ self_hostname server.fqdn.local
51
+ cert_auto_generate yes
52
+ authentication yes # Deny clients without valid username/password
53
+ <user>
54
+ username tagomoris
55
+ password foobar012
56
+ </user>
57
+ <user>
58
+ username frsyuki
59
+ password yakiniku
60
+ </user>
61
+ </source>
62
+
63
+ To deny unknown source IP/hosts:
64
+
65
+ <source>
66
+ type secure_forward
67
+ shared_key secret_string
68
+ self_hostname server.fqdn.local
69
+ cert_auto_generate yes
70
+ allow_anonymous_source no # Allow to accept from nodes of <client>
71
+ <client>
72
+ host 192.168.10.30
73
+ # network address (ex: 192.168.10.0/24) NOT Supported now
74
+ </client>
75
+ <client>
76
+ host your.host.fqdn.local
77
+ # wildcard (ex: *.host.fqdn.local) NOT Supported now
78
+ </client>
79
+ </source>
80
+
81
+ You can use both of username/password check and client check:
82
+
83
+ <source>
84
+ type secure_forward
85
+ shared_key secret_string
86
+ self_hostname server.fqdn.local
87
+ cert_auto_generate yes
88
+ allow_anonymous_source no # Allow to accept from nodes of <client>
89
+ authentication yes # Deny clients without valid username/password
90
+ <user>
91
+ username tagomoris
92
+ password foobar012
93
+ </user>
94
+ <user>
95
+ username frsyuki
96
+ password sukiyaki
97
+ </user>
98
+ <user>
99
+ username repeatedly
100
+ password sushi
101
+ </user
102
+ <client>
103
+ host 192.168.10.30 # allow all users to connect from 192.168.10.30
104
+ </client>
105
+ <client>
106
+ host 192.168.10.31
107
+ users tagomoris,frsyuki # deny repeatedly from 192.168.10.31
108
+ </client>
109
+ <client>
110
+ host 192.168.10.32
111
+ shared_key less_secret_string # limited shared_key for 192.168.10.32
112
+ users repeatedly # and repatedly only
113
+ </client>
114
+ </source>
115
+
116
+ ### SecureForwardOutput
117
+
118
+ Default settings:
119
+ * allow to connect server using self-signed certificates
120
+
121
+ Minimal configurations like this:
122
+
123
+ <match secret.data.**>
124
+ type secure_forward
125
+ shared_key secret_string
126
+ <server>
127
+ host server.fqdn.local # or IP
128
+ # port 24284
129
+ </server>
130
+ </match>
131
+
132
+ At this version (v0.0.x), only one `<server>` section can be specified.
133
+
134
+ If server requires username/password, set `username` and `password` in `<server>` section:
135
+
136
+ <match secret.data.**>
137
+ type secure_forward
138
+ shared_key secret_string
139
+ <server>
140
+ host server.fqdn.local
141
+ username repeatedly
142
+ password sushi
143
+ </server>
144
+ </match>
145
+
146
+ ## Senario (developer document)
147
+
148
+ * server
149
+ * in\_secure\_forward
150
+ * client
151
+ * out\_secure\_forward
152
+
153
+ ### Setup Phase (server)
154
+
155
+ 1. SSLContext
156
+ * with certificate file / private key file
157
+ 1. read cert file
158
+ 2. generate SSLContext object
159
+ * without certificate file
160
+ 1. generate key pair
161
+ 2. generate cert data
162
+ 3. sign cert data with generated private key
163
+ 2. shared key
164
+ * read shared key from configuration
165
+ 3. username / password pairs
166
+ * read from configuration
167
+
168
+ ### Setup Phase (client)
169
+
170
+ 1. SSLContext
171
+ 1. certificate
172
+ * with certificate file, read from file
173
+ * without certificate file, `new SSLContext` without any options
174
+ 2. set SSLContext option which allow self signed key option or not
175
+ 2. shared key
176
+ * read shared key from configuration
177
+ 3. read server list with username / password pairs from configuration
178
+
179
+ ### Handshake
180
+
181
+ 1. (client) connect to server
182
+ * on SSL socket handshake, checks certificate and its significate (in client)
183
+ 2. (server)
184
+ * check network/domain acl (if enabled)
185
+ * check client dns reverse lookup result (if enabled)
186
+ * disconnect when failed
187
+ 3. (server) send HELO
188
+ * ['HELO', options(hash)]
189
+ * options:
190
+ * auth: string or blank\_string (string: authentication required, and its salt is this value)
191
+ * keepalive: bool (allowed or not)
192
+ 4. (client) send PING
193
+ * ['PING', selfhostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + selfhostname + sharedkey), username || '', sha512\_hex(auth\_salt + username + password) || '']
194
+ 5. (server) check PING
195
+ * check sharedkey
196
+ * check username / password (if required)
197
+ * send PONG FAILURE if failed
198
+ * ['PONG', false, 'reason of authentication failure', '', '']
199
+ 6. (server) send PONG
200
+ * ['PONG', bool(authentication result), 'reason if authentication failed', selfhostname, sha512\_hex(salt + selfhostname + sharedkey)]
201
+ 7. (client) check PONG
202
+ * check sharedkey
203
+ * disconnect when failed
204
+ 8. connection established
205
+ * send data from client (until keepalive expiration)
206
+
207
+ ### Data transferring
208
+
209
+ CONSIDER RETURN ACK OR NOT
210
+
211
+ * This version (v0.0.1) has no ACKs
212
+ * only supports burst transferring (same as ForwardInput/Output)
213
+ * ack for each message ?
214
+ * pipeline mode and one-by-one mode ?
215
+ * data sequence number in keepalive session ?
216
+
217
+ ## TODO
218
+
219
+ * test for non self-signed certificates
220
+ * ACK mode (protocol)
221
+ * support disabling keepalive (input/output)
222
+ * access control (input plugin)
223
+ * network acl / domain acl
224
+ * check connecting source ip and its dns reverse lookup result (for domaian acl)
225
+ * access deny on accept (against DoS)
226
+ * pluggable authentication database (input plugin)
227
+ * RDBMS, LDAP, or ...
228
+ * encryption algorithm option (output plugin)
229
+ * balancing/failover (output plugin)
230
+ * TESTS!
231
+
232
+ * GET NEW MAINTAINER
233
+
234
+ ## Copyright
235
+
236
+ * Copyright (c) 2013- TAGOMORI Satoshi (tagomoris)
237
+ * License
238
+ * Apache License, Version 2.0
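Review bot: the SecureForwardOutput default ("allow to connect server using self-signed certificates") together with the minimal `<match>` example means a client never verifies which server it is talking to, and the shared-key handshake in the Handshake section does not compensate for that, because the PING/PONG digests (`sha512_hex(sharedkey_salt + selfhostname + sharedkey)`) are not bound to the SSL session: an active attacker who terminates the client's connection can open its own connection to the real server, relay the PING and PONG unchanged, and then read every forwarded record in clear. Either verify the server certificate by default (with `allow_self_signed_certificate` as an explicit opt-in) or state in the README that, with the defaults, SSL protects against passive observers only. Related: the `sharedkey_salt` in PING is chosen by the client, so the server has no freshness guarantee on that proof, while the password proof `sha512_hex(auth_salt + username + password)` does use a server-chosen salt but forces the server to hold passwords in plaintext, which the "pluggable authentication database (RDBMS, LDAP)" TODO item will run into. Smaller points in the same hunk: one `<user>` block in the combined username/client example closes with `</user` instead of `</user>`, which will break anyone pasting it; the SecureForwardInput defaults list mixes a real default (`listen 0.0.0.0:24284`) with what read as parameter names and sample values (`bind 192.168.0.101`, `port 24285`) without saying so; `cert_auto_generate yes` is annotated "MUST be specified" while the defaults say an auto-generated certificate is used anyway; and `allow_self_signed_certificate`, `ca_file_path`, `hostlabel` and a per-`<server>` `shared_key`, all used by the example configs in this diff, are not documented. Typos: "Senario", "significate", "domaian", "repatedly".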
data/Rakefile ADDED
@@ -0,0 +1,2 @@
1
+ #!/usr/bin/env rake
2
+ require "bundler/gem_tasks"
@@ -0,0 +1,19 @@
1
+ <source>
2
+ type forward
3
+ </source>
4
+
5
+ <match test.**>
6
+ type secure_forward
7
+ self_hostname client
8
+ #shared_key hogeposxxx0
9
+ shared_key wrong_shared_key
10
+ <server>
11
+ host localhost
12
+ shared_key hogeposxxx1
13
+ username tagomoris
14
+ password 001122
15
+ # password XXYYZZ
16
+ # password wrong_pass
17
+ </server>
18
+ flush_interval 1s
19
+ </match>
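Review bot: this hunk has lost its file header in the diff, and the config relies on a per-`<server>` `shared_key hogeposxxx1` overriding the deliberately wrong top-level `shared_key wrong_shared_key`, a precedence the README's SecureForwardOutput section never documents (it only shows a top-level `shared_key`). Document which key the PING digest is computed with when both are present, and consider renaming the fixture so it is obvious that `wrong_shared_key` is there to prove the override works rather than an accident.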
@@ -0,0 +1,30 @@
1
+ <source>
2
+ type secure_forward
3
+ self_hostname server
4
+ shared_key hogeposxxx0
5
+ cert_auto_generate yes
6
+ allow_anonymous_source no
7
+ authentication yes
8
+ <user>
9
+ username tagomoris
10
+ password 001122
11
+ </user>
12
+ <user>
13
+ username sugomoris
14
+ password 012345
15
+ </user>
16
+ <user>
17
+ username tagomoris
18
+ password XXYYZZ
19
+ </user>
20
+ <client>
21
+ host localhost
22
+ users tagomoris
23
+ shared_key hogeposxxx1
24
+ # users sugomoris
25
+ </client>
26
+ </source>
27
+
28
+ <match test.**>
29
+ type stdout
30
+ </match>
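Review bot: `username tagomoris` appears in two `<user>` blocks with different passwords (`001122` and `XXYYZZ`), and neither this config nor the README says whether duplicate usernames are allowed or which entry wins during the PING check. If the intent is to accept several passwords for one user, document it; otherwise this fixture should fail configuration parsing rather than silently pick one. The file header for this hunk is also missing from the diff.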
@@ -0,0 +1,22 @@
1
+ <source>
2
+ type forward
3
+ </source>
4
+
5
+ <match test.**>
6
+ type secure_forward
7
+ self_hostname client
8
+ #shared_key hogeposxxx0
9
+ shared_key wrong_shared_key
10
+ allow_self_signed_certificate yes
11
+ ca_file_path /Users/tagomoris/Documents/fluent-plugin-secure-forward/example/certs/cert.pem
12
+ <server>
13
+ host localhost
14
+ hostlabel tagomoris
15
+ shared_key hogeposxxx1
16
+ username tagomoris
17
+ password 001122
18
+ # password XXYYZZ
19
+ # password wrong_pass
20
+ </server>
21
+ flush_interval 1s
22
+ </match>
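Review bot: `ca_file_path` points at an absolute path under `/Users/tagomoris/Documents/...`, so this example cannot run anywhere except the author's machine; use a path relative to the example directory. The hunk also introduces `hostlabel tagomoris` and `allow_self_signed_certificate yes`, neither of which the README describes; given that the example certificate later in this diff carries `CN=tagomoris` while `host` is `localhost`, `hostlabel` looks like the hostname-verification override, and that behaviour (and its security consequence) needs to be spelled out before anyone copies it. File header missing from the diff as well.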
@@ -0,0 +1,34 @@
1
+ <source>
2
+ type secure_forward
3
+ self_hostname server
4
+ # self_hostname tagomoris
5
+ shared_key hogeposxxx0
6
+ ####cert_auto_generate no
7
+ cert_file_path /Users/tagomoris/Documents/fluent-plugin-secure-forward/example/certs/cert.pem
8
+ private_key_file /Users/tagomoris/Documents/fluent-plugin-secure-forward/example/certs/key.pem
9
+ # private_key_passphrase blank
10
+ allow_anonymous_source no
11
+ authentication yes
12
+ <user>
13
+ username tagomoris
14
+ password 001122
15
+ </user>
16
+ <user>
17
+ username sugomoris
18
+ password 012345
19
+ </user>
20
+ <user>
21
+ username tagomoris
22
+ password XXYYZZ
23
+ </user>
24
+ <client>
25
+ host localhost
26
+ users tagomoris
27
+ shared_key hogeposxxx1
28
+ # users sugomoris
29
+ </client>
30
+ </source>
31
+
32
+ <match test.**>
33
+ type stdout
34
+ </match>
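Review bot: `cert_file_path` and `private_key_file` are again absolute paths under `/Users/tagomoris/...`, and the two option names use different conventions (`_path` suffix on one but not the other), which is worth settling before the option names become public API. `####cert_auto_generate no` and `# private_key_passphrase blank` are left as comments, so it is unclear whether specifying a certificate file disables auto-generation implicitly; the README should say which wins when both `cert_auto_generate` and `cert_file_path` are set. The same duplicate `tagomoris` user entries as in the other server fixture appear here.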
@@ -0,0 +1,18 @@
1
+ -----BEGIN CERTIFICATE-----
2
+ MIIC9TCCAl6gAwIBAgIJAPZkY4lTv8EcMA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNV
3
+ BAYTAkpQMQ4wDAYDVQQIEwVUb2t5bzEQMA4GA1UEBxMHU2hpYnV5YTEWMBQGA1UE
4
+ ChMNRmx1ZW50ZCBKYXBhbjESMBAGA1UEAxMJdGFnb21vcmlzMB4XDTEzMDIxNDA4
5
+ MzQ0OVoXDTIzMDIxMjA4MzQ0OVowWzELMAkGA1UEBhMCSlAxDjAMBgNVBAgTBVRv
6
+ a3lvMRAwDgYDVQQHEwdTaGlidXlhMRYwFAYDVQQKEw1GbHVlbnRkIEphcGFuMRIw
7
+ EAYDVQQDEwl0YWdvbW9yaXMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPli
8
+ bZUddJEJDaPza0dQElKYefGcWyN5f6FHBrv0MU29PW4+9fape3/u6Kal2knXhz7c
9
+ ujkyoQgK7pqCOuwpTCi0Fyg2peSLVJm4lw2TS5HP/7qRbKXhx2g3FaHrs/Ug/pbQ
10
+ 6xPSy894w2QaXgkeuDLb/bhu8MHulglm/iXg9wHrAgMBAAGjgcAwgb0wHQYDVR0O
11
+ BBYEFNWgnetVbxQlGX6euMDea7WGgWO+MIGNBgNVHSMEgYUwgYKAFNWgnetVbxQl
12
+ GX6euMDea7WGgWO+oV+kXTBbMQswCQYDVQQGEwJKUDEOMAwGA1UECBMFVG9reW8x
13
+ EDAOBgNVBAcTB1NoaWJ1eWExFjAUBgNVBAoTDUZsdWVudGQgSmFwYW4xEjAQBgNV
14
+ BAMTCXRhZ29tb3Jpc4IJAPZkY4lTv8EcMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
15
+ AQEFBQADgYEAai2UAUa5WAahfUp/UV/7zX7+r/QdUP0fwrrmLzodk+FS3+yS6oqQ
16
+ tBs0K81cD3XKfoYjAqzJ1Hul6orR63wD+yrPq3FApuWKd+CJDBxJmY8MtIA0xHHn
17
+ nfotL/TzTAEIcFVLYb8yaBA27VMstBHvE4TsbL7mA0avF3FFzxG5GqE=
18
+ -----END CERTIFICATE-----
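Review bot: this PEM (presumably the `example/certs/cert.pem` referenced by the configs above; the file header is missing from the diff) decodes to a self-signed certificate with a 1024-bit RSA key, `sha1WithRSAEncryption` signature, `basicConstraints CA:TRUE`, subject `C=JP, ST=Tokyo, L=Shibuya, O=Fluentd Japan, CN=tagomoris`, valid from 2013-02-14 to 2023-02-12. For a plugin whose own default is `generate_private_key_length 2048`, the example should at least match that (2048-bit, SHA-256), and a CA:TRUE certificate used as `ca_file_path` means any certificate signed by the key below will be accepted by clients using this fixture. Note also that `CN=tagomoris` does not match `host localhost` in the client configs, which is what makes `hostlabel` necessary there.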
@@ -0,0 +1,15 @@
1
+ -----BEGIN RSA PRIVATE KEY-----
2
+ MIICXQIBAAKBgQD5Ym2VHXSRCQ2j82tHUBJSmHnxnFsjeX+hRwa79DFNvT1uPvX2
3
+ qXt/7uimpdpJ14c+3Lo5MqEICu6agjrsKUwotBcoNqXki1SZuJcNk0uRz/+6kWyl
4
+ 4cdoNxWh67P1IP6W0OsT0svPeMNkGl4JHrgy2/24bvDB7pYJZv4l4PcB6wIDAQAB
5
+ AoGBAIGvxu7Rl4nI3HgTIQm/wReExX144whKqa2UAxOBBJa5v5VyVnSEZH3+Hqxy
6
+ +VaHJ4TwQkN2abmF/dkJulyPiVNmsAEXeYKmNOOnOuvGVYlYgRHGJ0P13oszvtKC
7
+ mIFsL4D01FYOHMeblxGhfPQgh4UTcQtIG9gB+yPJ/JJNH7whAkEA/XPV5rxkz/8i
8
+ BMgUHxXxv1o4CJf0exJiMjqNViydgnWyOSEGpoABbbxsN/XV2pwaG0Sythz/4AcF
9
+ phgCJssNUQJBAPvkIALt96XTB/mlcXap1LC+bleEdiwANpgBlwxp0HlxhBrgyDyJ
10
+ iV65FGixi6xIOOjwQbFaLupDC383L8kW3HsCQEjHcX3PTVeY2Kjs1zJR99hNzNdS
11
+ 4yZQEhiATcOYDia/K01SWXmIOmDLgXvUQPOEbc60vGilDSjEe2/FZyDCn/ECQQCY
12
+ pfLQU64UjAL1Q1Gze9AtG/p6hwemOqrbC3uiRi3UqvpH35j5NtBM2xSHLbFbQpla
13
+ cN8ev2xXAzJgce0/i98pAkACvTTdRqRIp/7X24tzXJlageBxXX2vBQF8PZcjdx7C
14
+ nVOmUTBuw5JrB34ehYnoWEwMqeyU3CNgUIIgslhcAsVl
15
+ -----END RSA PRIVATE KEY-----
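Review bot: an unencrypted RSA private key (1024-bit, no `Proc-Type`/`DEK-Info` headers, so no passphrase) is committed and will ship inside the published gem; anyone who installs the package can impersonate any server that was set up by copying these example files, and clients that trust the certificate above via `ca_file_path` will accept such a server. Mark the pair as test-only in the README, or better, generate it at test setup time, and never let this key be reused outside the example directory. Header for this hunk is missing from the diff; the server config references `example/certs/key.pem`.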
@@ -0,0 +1,13 @@
1
+ <source>
2
+ type forward
3
+ </source>
4
+
5
+ <match test.**>
6
+ type secure_forward
7
+ self_hostname client
8
+ shared_key hogeposxxx0
9
+ <server>
10
+ host localhost
11
+ </server>
12
+ flush_interval 1s
13
+ </match>
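Review bot: this minimal client config sets no `ca_file_path` and no `allow_self_signed_certificate`, so it runs on the documented output default of accepting self-signed certificates, meaning it will connect to any server on `localhost:24284` that completes the shared-key handshake, including a relay in front of the real one. If this is meant as the copy-and-paste starting point, add a comment pointing at `ca_file_path` so users know what to change for a real deployment. File header missing from the diff.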