fluent-plugin-secure-forward 0.1.8 → 0.1.9.pre.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9299ae4d7e763b5778a45ce5c98563f3ecc4e86f
-  data.tar.gz: b187ec1e5f56f6ad7cb854241d88b36ecae9a9f3
+  metadata.gz: 2fc54e54fa73f9f47d2edbc7c57727d88909718e
+  data.tar.gz: 17e46a3f3a58d57ab468d05972fa72da68f5d692
 SHA512:
-  metadata.gz: d5666bc81bc5aa40d47996069b1192368080dbad8e17245cefd7929bf3962f34c46623d841a91007929a414cca24566d86da45d2f4a74e62e8a2eb7acd551470
-  data.tar.gz: e7aee097f8536c0dde5adbda7637f02ee19c829feeeff003bed3de19cedd2b9e472d5216c040196f5a94276a13a5bb6faf9d9feb6c03fe88b19ecc8704755462
+  metadata.gz: df677feca1b1252f6b6b22c43c199654728d3e39b2569f20b1207d682075c75d4389b77977955992bb3d5756d620c5119e43d2d6c466986572aae5e09684d78c
+  data.tar.gz: e6bbbe1860763d53c4aea3534bfb5dde66b153d5580d4503c26f947cb278f6bdb64d810c6d4b04170ecd1997a25a63fdae6058e99b526af37ae5d1ecf2ad1280

data/README.md

@@ -75,12 +75,14 @@ To deny unknown source IP/hosts:
       allow_anonymous_source no  # Allow to accept from nodes of <client>
       <client>
         host 192.168.10.30
-        # network address (ex: 192.168.10.0/24) NOT Supported now
       </client>
       <client>
         host your.host.fqdn.local
         # wildcard (ex: *.host.fqdn.local) NOT Supported now
       </client>
+      <client>
+        network 192.168.16.0/24 # network address specification
+      </client>
     </source>
 
 You can use both of username/password check and client check:
@@ -103,7 +105,7 @@ You can use both of username/password check and client check:
       <user>
         username repeatedly
         password sushi
-      </user
+      </user>
       <client>
         host 192.168.10.30      # allow all users to connect from 192.168.10.30
       </client>

data/example/client.conf

@@ -9,14 +9,13 @@
   keepalive 30
   <server>
     host localhost
-    standby
   </server>
   <server>
     host localhost
     standby yes
   </server>
   <server>
-    host localhost2
+    host localhost
   </server>
   flush_interval 1s
 </match>

data/fluent-plugin-secure-forward.gemspec

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "fluent-plugin-secure-forward"
-  gem.version       = "0.1.8"
+  gem.version       = "0.1.9-rc1"
   gem.authors       = ["TAGOMORI Satoshi"]
   gem.email         = ["tagomoris@gmail.com"]
   gem.summary       = %q{Fluentd input/output plugin to forward over SSL with authentications}
@@ -14,7 +14,7 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
-  gem.add_runtime_dependency "fluentd"
+  gem.add_runtime_dependency "fluentd", ">= 0.10.46"
   gem.add_runtime_dependency "fluent-mixin-config-placeholders"
   gem.add_runtime_dependency "resolve-hostname"
   gem.add_development_dependency "rake"

data/lib/fluent/plugin/in_secure_forward.rb

@@ -48,22 +48,24 @@ module Fluent
 
     attr_reader :read_interval, :socket_interval
 
-    attr_reader :users # list of (username, password) by <user> tag
-    # <user>
-    #   username ....
-    #   password ....
-    # </user>
-    attr_reader :nodes # list of hosts, allowed to connect <server> tag (it includes source ip, shared_key(optional))
-    # <client>
-    #   host ipaddr/hostname
-    #   shared_key .... # optional shared key
-    #   users username,list,of,allowed
-    # </client>
+    config_section :user, param_name: :users do
+      config_param :username, :string
+      config_param :password, :string
+    end
+
+    config_section :client, param_name: :clients do
+      config_param :host, :string, default: nil
+      config_param :network, :string, default: nil
+      config_param :shared_key, :string, default: nil
+      config_param :users, :string, default: nil # comma separated username list
+    end
+    attr_reader :nodes
 
     attr_reader :sessions # node/socket/thread list which has sslsocket instance keepaliving to client
 
     def initialize
       super
+      require 'ipaddr'
       require 'socket'
       require 'openssl'
       require 'digest'
@@ -84,30 +86,33 @@ module Fluent
       @read_interval = @read_interval_msec / 1000.0
       @socket_interval = @socket_interval_msec / 1000.0
 
-      @users = []
       @nodes = []
-      conf.elements.each do |element|
-        case element.name
-        when 'user'
-          unless element['username'] && element['password']
-            raise Fluent::ConfigError, "username/password pair missing in <user>"
-          end
-          @users.push({
-              username: element['username'],
-              password: element['password']
-            })
-        when 'client'
-          unless element['host']
-            raise Fluent::ConfigError, "host missing in <client>"
+
+      @clients.each do |client|
+        if client.host && client.network
+          raise Fluent::ConfigError, "both of 'host' and 'network' are specified for client"
+        end
+        if !client.host && !client.network
+          raise Fluent::ConfigError, "Either of 'host' and 'network' must be specified for client"
+        end
+        source = nil
+        if client.host
+          begin
+            source = IPSocket.getaddress(client.host)
+          rescue SocketError => e
+            raise Fluent::ConfigError, "host '#{client.host}' cannot be resolved"
           end
-          @nodes.push({
-              host: element['host'],
-              shared_key: (element['shared_key'] || @shared_key),
-              users: (element['users'] ? element['users'].split(',') : nil),
-            })
-        else
-          raise Fluent::ConfigError, "unknown config tag name"
         end
+        source_addr = begin
+                        IPAddr.new(source || client.network)
+                      rescue ArgumentError => e
+                        raise Fluent::ConfigError, "network '#{client.network}' address format is invalid"
+                      end
+        @nodes.push({
+            address: source_addr,
+            shared_key: (client.shared_key || @shared_key),
+            users: (client.users ? client.users.split(',') : nil)
+          })
       end
 
       @generate_cert_common_name ||= @self_hostname
@@ -132,9 +137,9 @@ module Fluent
 
     def select_authenticate_users(node, username)
       if node.nil? || node[:users].nil?
-        @users.select{|u| u[:username] == username}
+        @users.select{|u| u.username == username}
       else
-        @users.select{|u| node[:users].include?(u[:username]) && u[:username] == username}
+        @users.select{|u| node[:users].include?(u.username) && u.username == username}
       end
     end
 

data/lib/fluent/plugin/input_session.rb

@@ -1,8 +1,8 @@
-# require 'msgpack'
-# require 'socket'
-# require 'openssl'
-# require 'digest'
-### require 'resolv'
+require 'msgpack'
+require 'socket'
+require 'openssl'
+require 'digest'
+# require 'resolv'
 
 class Fluent::SecureForwardInput::Session
   attr_accessor :receiver
@@ -22,6 +22,10 @@ class Fluent::SecureForwardInput::Session
     @thread = Thread.new(&method(:start))
   end
 
+  def log
+    @receiver.log
+  end
+
   def established?
     @state == :established
   end
@@ -30,12 +34,10 @@ class Fluent::SecureForwardInput::Session
     OpenSSL::Random.random_bytes(16)
   end
 
-  def check_node(hostname, ipaddress, port, proto)
+  def check_node(ipaddress)
     node = nil
-    family = Socket.const_get(proto)
     @receiver.nodes.each do |n|
-      proto, port, host, ipaddr, family_num, socktype_num, proto_num = Socket.getaddrinfo(n[:host], port, family).first
-      if ipaddr == ipaddress
+      if n[:address].include?(ipaddress)
         node = n
         break
       end
@@ -54,13 +56,13 @@ class Fluent::SecureForwardInput::Session
   # end
 
   def generate_helo
-    $log.debug "generating helo"
+    log.debug "generating helo"
     # ['HELO', options(hash)]
     [ 'HELO', {'auth' => (@receiver.authentication ? @auth_key_salt : ''), 'keepalive' => @receiver.allow_keepalive } ]
   end
 
   def check_ping(message)
-    $log.debug "checking ping"
+    log.debug "checking ping"
     # ['PING', self_hostname, shared_key\_salt, sha512\_hex(shared_key\_salt + self_hostname + shared_key),
     #  username || '', sha512\_hex(auth\_salt + username + password) || '']
     unless message.size == 6 && message[0] == 'PING'
@@ -75,7 +77,7 @@ class Fluent::SecureForwardInput::Session
                  end
     serverside = Digest::SHA512.new.update(shared_key_salt).update(hostname).update(shared_key).hexdigest
     if shared_key_hexdigest != serverside
-      $log.warn "Shared key mismatch from '#{hostname}'"
+      log.warn "Shared key mismatch from '#{hostname}'"
       return false, 'shared_key mismatch'
     end
 
@@ -87,7 +89,7 @@ class Fluent::SecureForwardInput::Session
         success ||= (passhash == password_digest)
       end
       unless success
-        $log.warn "Authentication failed from client '#{hostname}', username '#{username}'"
+        log.warn "Authentication failed from client '#{hostname}', username '#{username}'"
         return false, 'username/password mismatch'
       end
     end
@@ -96,7 +98,7 @@ class Fluent::SecureForwardInput::Session
   end
 
   def generate_pong(auth_result, reason_or_salt)
-    $log.debug "generating pong"
+    log.debug "generating pong"
     # ['PONG', bool(authentication result), 'reason if authentication failed',
     #  self_hostname, sha512\_hex(salt + self_hostname + sharedkey)]
     if not auth_result
@@ -113,7 +115,7 @@ class Fluent::SecureForwardInput::Session
   end
 
   def on_read(data)
-    $log.debug "on_read"
+    log.debug "on_read"
     if self.established?
       @receiver.on_message(data)
     end
@@ -128,7 +130,7 @@ class Fluent::SecureForwardInput::Session
       end
       send_data generate_pong(true, reason_or_salt)
 
-      $log.debug "connection established"
+      log.debug "connection established"
       @state = :established
     end
   end
@@ -139,21 +141,21 @@ class Fluent::SecureForwardInput::Session
   end
 
   def start
-    $log.debug "starting server"
+    log.debug "starting server"
 
-    $log.trace "accepting ssl session"
+    log.trace "accepting ssl session"
     begin
       @socket.accept
     rescue OpenSSL::SSL::SSLError => e
-      $log.debug "failed to establish ssl session"
+      log.debug "failed to establish ssl session"
       self.shutdown
       return
     end
 
     proto, port, host, ipaddr = @socket.io.peeraddr
-    @node = check_node(host, ipaddr, port, proto)
+    @node = check_node(ipaddr)
     if @node.nil? && (! @receiver.allow_anonymous_source)
-      $log.warn "Connection required from unknown host '#{host}' (#{ipaddr}), disconnecting..."
+      log.warn "Connection required from unknown host '#{host}' (#{ipaddr}), disconnecting..."
       self.shutdown
       return
     end
@@ -182,14 +184,14 @@ class Fluent::SecureForwardInput::Session
         # to wait i/o restart
         sleep socket_interval
       rescue EOFError => e
-        $log.debug "Connection closed from '#{host}'(#{ipaddr})"
+        log.debug "Connection closed from '#{host}'(#{ipaddr})"
         break
       end
     end
   rescue Errno::ECONNRESET => e
     # disconnected from client
   rescue => e
-    $log.warn "unexpected error in in_secure_forward", :error_class => e.class, :error => e
+    log.warn "unexpected error in in_secure_forward", :error_class => e.class, :error => e
   ensure
     self.shutdown
   end
@@ -207,6 +209,6 @@ class Fluent::SecureForwardInput::Session
       @socket.close
     end
   rescue => e
-    $log.debug "#{e.class}:#{e.message}"
+    log.debug "#{e.class}:#{e.message}"
   end
 end

data/lib/fluent/plugin/out_secure_forward.rb

@@ -20,7 +20,7 @@ module Fluent
 
     config_param :shared_key, :string
 
-    config_param :keepalive, :time, :default => nil # nil/0 means disable keepalive
+    config_param :keepalive, :time, :default => nil # nil/0 means disable keepalive expiration
 
     config_param :send_timeout, :time, :default => 60
     # config_param :hard_timeout, :time, :default => 60
@@ -34,6 +34,7 @@ module Fluent
     config_param :socket_interval_msec, :integer, :default => 200 # 200ms
 
     config_param :reconnect_interval, :time, :default => 5
+    config_param :established_timeout, :time, :default => 10
 
     attr_reader :read_interval, :socket_interval
 
@@ -129,6 +130,8 @@ module Fluent
     end
 
     def node_watcher
+      reconnectings = Array.new(@nodes.size)
+
       loop do
         sleep @reconnect_interval
 
@@ -139,17 +142,51 @@ module Fluent
 
           next if @nodes[i].established? && ! @nodes[i].expired?
 
+          next if reconnectings[i]
+
           log.info "dead connection found: #{@nodes[i].host}, reconnecting..." unless @nodes[i].established?
 
           node = @nodes[i]
           log.debug "reconnecting to node", :host => node.host, :port => node.port, :expire => node.expire, :expired => node.expired?
 
-          @nodes[i] = node.dup
-          @nodes[i].start
+          renewed = node.dup
+          begin
+            renewed.start
+            Thread.pass # to connection thread
+            reconnectings[i] = { :conn => renewed, :at => Time.now }
+          rescue => e
+            log.debug "Some error occured on start of renewed connection", :error_class => e2.class, :error => e2, :host => renewed.host, :port => renewed.port
+          end
+        end
+
+        (0...(reconnectings.size)).each do |i|
+          next unless reconnectings[i]
+
+          if reconnectings[i][:conn].established?
+            oldconn = @nodes[i]
+            @nodes[i] = reconnectings[i][:conn]
+            begin
+              oldconn.shutdown
+            rescue => e
+              log.debug "Some error occured on shutdown of expired connection", :error_class => e.class, :error => e, :host => renewed.host, :port => renewed.port
+            end
+
+            reconnectings[i] = nil
+            next
+          end
+
+          # not connected yet
+
+          next if reconnectings[i][:at] < Time.now + @established_timeout
+
+          # not connected yet, and timeout
           begin
-            node.shutdown
+            timeout_conn = reconnectings[i][:conn]
+            log.debug "SSL connection is not established until timemout", :host => timeout_conn.host, :port => timeout_conn.port, :timeout => @established_timeout
+            reconnectings[i] = nil
+            timeout_conn.shutdown
           rescue => e
-            log.warn "error in shutdown of dead connection", :error_class => e.class, :error => e
+            log.debug "Some error occured on shutdown of timeout re-connection", :error_class => e.class, :error => e
           end
         end
       end

data/lib/fluent/plugin/output_node.rb

@@ -43,6 +43,10 @@ class Fluent::SecureForwardOutput::Node
     @thread = nil
   end
 
+  def log
+    @sender.log
+  end
+
   def dup
     renewed = self.class.new(
       @sender,
@@ -58,7 +62,7 @@ class Fluent::SecureForwardOutput::Node
   end
 
   def shutdown
-    $log.debug "shutting down node #{@host}"
+    log.debug "shutting down node #{@host}"
     @state = :closed
 
     if @thread == Thread.current
@@ -74,7 +78,7 @@ class Fluent::SecureForwardOutput::Node
       @socket.close if @socket
     end
   rescue => e
-    $log.debug "error on node shutdown #{e.class}:#{e.message}"
+    log.debug "error on node shutdown #{e.class}:#{e.message}"
   end
 
   def join
@@ -98,7 +102,7 @@ class Fluent::SecureForwardOutput::Node
   end
 
   def check_helo(message)
-    $log.debug "checking helo"
+    log.debug "checking helo"
     # ['HELO', options(hash)]
     unless message.size == 2 && message[0] == 'HELO'
       return false
@@ -110,7 +114,7 @@ class Fluent::SecureForwardOutput::Node
   end
 
   def generate_ping
-    $log.debug "generating ping"
+    log.debug "generating ping"
     # ['PING', self_hostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + self_hostname + shared_key),
     #  username || '', sha512\_hex(auth\_salt + username + password) || '']
     shared_key_hexdigest = Digest::SHA512.new.update(@shared_key_salt).update(@sender.self_hostname).update(@shared_key).hexdigest
@@ -125,7 +129,7 @@ class Fluent::SecureForwardOutput::Node
   end
 
   def check_pong(message)
-    $log.debug "checking pong"
+    log.debug "checking pong"
     # ['PONG', bool(authentication result), 'reason if authentication failed',
     #  self_hostname, sha512\_hex(salt + self_hostname + sharedkey)]
     unless message.size == 5 && message[0] == 'PONG'
@@ -150,17 +154,17 @@ class Fluent::SecureForwardOutput::Node
   end
 
   def on_read(data)
-    $log.debug "on_read"
+    log.debug "on_read"
     if self.established?
       #TODO: ACK
-      $log.warn "unknown packets arrived..."
+      log.warn "unknown packets arrived..."
       return
     end
 
     case @state
     when :helo
       unless check_helo(data)
-        $log.warn "received invalid helo message from #{@host}"
+        log.warn "received invalid helo message from #{@host}"
         self.shutdown
         return
       end
@@ -169,25 +173,25 @@ class Fluent::SecureForwardOutput::Node
     when :pingpong
       success, reason = check_pong(data)
       unless success
-        $log.warn "connection refused to #{@host}:" + reason
+        log.warn "connection refused to #{@host}:" + reason
         self.shutdown
         return
       end
-      $log.info "connection established to #{@host}" if @first_session
+      log.info "connection established to #{@host}" if @first_session
       @state = :established
       @expire = Time.now + @keepalive if @keepalive && @keepalive > 0
-      $log.debug "connection established", :host => @host, :port => @port, :expire => @expire
+      log.debug "connection established", :host => @host, :port => @port, :expire => @expire
     end
   end
 
   def connect
-    $log.debug "starting client"
+    log.debug "starting client"
 
     addr = @sender.hostname_resolver.getaddress(@host)
-    $log.debug "create tcp socket to node", :host => @host, :address => addr, :port => @port
+    log.debug "create tcp socket to node", :host => @host, :address => addr, :port => @port
     sock = TCPSocket.new(addr, @port)
 
-    $log.trace "changing socket options"
+    log.trace "changing socket options"
     opt = [1, @sender.send_timeout.to_i].pack('I!I!')  # { int l_onoff; int l_linger; }
     sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_LINGER, opt)
 
@@ -195,36 +199,36 @@ class Fluent::SecureForwardOutput::Node
     sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_SNDTIMEO, opt)
 
     # TODO: SSLContext constructer parameter (SSL/TLS protocol version)
-    $log.trace "initializing SSL contexts"
+    log.trace "initializing SSL contexts"
     context = OpenSSL::SSL::SSLContext.new
     # TODO: context.ca_file = (ca_file_path)
     # TODO: context.ciphers = (SSL Shared key chiper protocols)
 
-    $log.debug "trying to connect ssl session", :host => @host, :ipaddr => addr, :port => @port
+    log.debug "trying to connect ssl session", :host => @host, :ipaddr => addr, :port => @port
     sslsession = OpenSSL::SSL::SSLSocket.new(sock, context)
     # TODO: check connection failure
     sslsession.connect
-    $log.debug "ssl session connected", :host => @host, :port => @port
+    log.debug "ssl session connected", :host => @host, :port => @port
 
     begin
       unless @sender.allow_self_signed_certificate
-        $log.debug "checking peer's certificate", :subject => sslsession.peer_cert.subject
+        log.debug "checking peer's certificate", :subject => sslsession.peer_cert.subject
         sslsession.post_connection_check(@hostlabel)
         verify = sslsession.verify_result
         if verify != OpenSSL::X509::V_OK
           err_name = Fluent::SecureForwardOutput::OpenSSLUtil.verify_result_name(verify)
-          $log.warn "failed to verify certification while connecting host #{@host} as #{@hostlabel} (but not raised, why?)"
-          $log.warn "verify_result: #{err_name}"
+          log.warn "failed to verify certification while connecting host #{@host} as #{@hostlabel} (but not raised, why?)"
+          log.warn "verify_result: #{err_name}"
           raise RuntimeError, "failed to verify certification while connecting host #{@host} as #{@hostlabel}"
         end
       end
     rescue OpenSSL::SSL::SSLError => e
-      $log.warn "failed to verify certification while connecting ssl session", :host => @host, :hostlabel => @hostlabel
+      log.warn "failed to verify certification while connecting ssl session", :host => @host, :hostlabel => @hostlabel
       self.shutdown
       raise
     end
 
-    $log.debug "ssl sessison connected", :host => @host, :port => @port
+    log.debug "ssl sessison connected", :host => @host, :port => @port
     @socket = sock
     @sslsession = sslsession
 
@@ -249,7 +253,7 @@ class Fluent::SecureForwardOutput::Node
         # to wait i/o restart
         sleep socket_interval
       rescue EOFError
-        $log.warn "disconnected from #{@host}"
+        log.warn "disconnected from #{@host}"
         break
       end
     end

data/test/helper.rb

@@ -12,18 +12,55 @@ require 'test/unit'
 $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
 require 'fluent/test'
-unless ENV.has_key?('VERBOSE')
-  nulllogger = Object.new
-  nulllogger.instance_eval {|obj|
-    def method_missing(method, *args)
-      # pass
-    end
-  }
-  $log = nulllogger
-end
+
+$log = Fluent::Log.new(Fluent::Test::DummyLogDevice.new, Fluent::Log::LEVEL_INFO)
 
 require 'fluent/plugin/in_secure_forward'
 require 'fluent/plugin/out_secure_forward'
 
+class DummySocket
+  attr_accessor :sync
+end
+
+class DummyInputPlugin
+  attr_reader :log, :users, :nodes, :authentication, :allow_anonymous_source, :allow_keepalive
+  attr_reader :shared_key, :self_hostname
+  attr_reader :read_length, :read_interval, :socket_interval
+
+  attr_reader :data
+
+  def initialize(opts={})
+    @log = $log
+    @users = opts.fetch(:users, [])
+    @nodes = opts.fetch(:nodes, [])
+    @authentication = opts.fetch(:authentication, false)
+    @allow_anonymous_source = opts.fetch(:allow_anonymous_source, true)
+    @allow_keepalive = opts.fetch(:allow_keepalive, true)
+    @shared_key = opts.fetch(:shared_key, 'shared key')
+    @self_hostname = opts.fetch(:self_hostname, 'hostname.local')
+    @read_length = opts.fetch(:read_length, 8*1024*1024)
+    @read_interval = opts.fetch(:read_interval, 0.05)
+    @socket_interval = opts.fetch(:socket_interval, 0.2)
+
+    @data = []
+  end
+
+  def select_authenticate_users(node, username)
+    if node.nil? || node[:users].nil?
+      self.users.select{|u| u[:username] == username}
+    else
+      self.users.select{|u| node[:users].include?(u[:username]) && u[:username] == username}
+    end
+  end
+
+  def on_message(data)
+    raise NotImplementedError
+  end
+end
+
+class DummyOutputPlugin
+end
+
+
 class Test::Unit::TestCase
 end

data/test/plugin/test_in_secure_forward.rb

@@ -2,9 +2,167 @@ require 'helper'
 
 class SecureForwardInputTest < Test::Unit::TestCase
   CONFIG = %[
+
 ]
 
   def create_driver(conf=CONFIG,tag='test')
-    Fluent::Test::InputTestDriver.new(Fluent::SecureForwardInput, tag).configure(conf)
+    Fluent::Test::InputTestDriver.new(Fluent::SecureForwardInput).configure(conf)
+  end
+
+  def test_configure
+    p1 = nil
+    assert_nothing_raised { p1 = create_driver(<<CONFIG).instance }
+  type secure_forward
+  shared_key         secret_string
+  self_hostname      server.fqdn.local  # This fqdn is used as CN (Common Name) of certificates
+  cert_auto_generate yes                # This parameter MUST be specified
+CONFIG
+    assert_equal 'secret_string', p1.shared_key
+    assert_equal 'server.fqdn.local', p1.self_hostname
+    assert p1.cert_auto_generate
+
+    assert_raise(Fluent::ConfigError){ create_driver(<<CONFIG) }
+  type secure_forward
+  shared_key         secret_string
+  self_hostname      server.fqdn.local
+  cert_auto_generate yes
+  authentication     yes # Deny clients without valid username/password
+  <user>
+    username tagomoris
+    password foobar012
+  </user>
+  <user>
+    password yakiniku
+  </user>
+CONFIG
+    assert_raise(Fluent::ConfigError){ create_driver(<<CONFIG) }
+  type secure_forward
+  shared_key         secret_string
+  self_hostname      server.fqdn.local
+  cert_auto_generate yes
+  authentication     yes # Deny clients without valid username/password
+  <user>
+    username tagomoris
+    password foobar012
+  </user>
+  <user>
+    username frsyuki
+  </user>
+CONFIG
+
+    p2 = nil
+    assert_nothing_raised { p2 = create_driver(<<CONFIG).instance }
+  type secure_forward
+  shared_key         secret_string
+  self_hostname      server.fqdn.local
+  cert_auto_generate yes
+  authentication     yes # Deny clients without valid username/password
+  <user>
+    username tagomoris
+    password foobar012
+  </user>
+  <user>
+    username frsyuki
+    password yakiniku
+  </user>
+CONFIG
+    assert_equal 2, p2.users.size
+    assert_equal 'tagomoris', p2.users[0].username
+    assert_equal 'foobar012', p2.users[0].password
+
+    assert_raise(Fluent::ConfigError){ create_driver(<<CONFIG) }
+  type secure_forward
+  shared_key         secret_string
+  self_hostname      server.fqdn.local
+  cert_auto_generate     yes
+  allow_anonymous_source no  # Allow to accept from nodes of <client>
+  <client>
+    host 192.168.10.30
+    # network address (ex: 192.168.10.0/24) NOT Supported now
+  </client>
+  <client>
+    host localhost
+    network 192.168.1.1/32
+  </client>
+  <client>
+    network 192.168.16.0/24
+  </client>
+CONFIG
+    assert_raise(Fluent::ConfigError){ create_driver(<<CONFIG) }
+  type secure_forward
+  shared_key         secret_string
+  self_hostname      server.fqdn.local
+  cert_auto_generate     yes
+  allow_anonymous_source no  # Allow to accept from nodes of <client>
+  <client>
+    host 192.168.10.30
+    # network address (ex: 192.168.10.0/24) NOT Supported now
+  </client>
+  <client>
+  </client>
+  <client>
+    network 192.168.16.0/24
+  </client>
+CONFIG
+
+    p3 = nil
+    assert_nothing_raised { p3 = create_driver(<<CONFIG).instance }
+  type secure_forward
+  shared_key         secret_string
+  self_hostname      server.fqdn.local
+  cert_auto_generate     yes
+  allow_anonymous_source no  # Allow to accept from nodes of <client>
+  <client>
+    host 192.168.10.30
+    # network address (ex: 192.168.10.0/24) NOT Supported now
+  </client>
+  <client>
+    host localhost
+    # wildcard (ex: *.host.fqdn.local) NOT Supported now
+  </client>
+  <client>
+    network 192.168.16.0/24
+  </client>
+CONFIG
+    assert (not p3.allow_anonymous_source)
+    assert_equal 3, p3.clients.size
+    assert_equal '192.168.16.0/24', p3.clients[2].network
+    assert_equal 3, p3.nodes.size
+    assert_equal IPAddr.new('192.168.10.30'), p3.nodes[0][:address]
+    assert_equal IPAddr.new('192.168.16.0/24'), p3.nodes[2][:address]
+
+    p4 = nil
+    assert_nothing_raised { p4 = create_driver(<<CONFIG).instance }
+  shared_key         secret_string
+  self_hostname      server.fqdn.local
+  cert_auto_generate     yes
+  allow_anonymous_source no  # Allow to accept from nodes of <client>
+  authentication         yes # Deny clients without valid username/password
+  <user>
+    username tagomoris
+    password foobar012
+  </user>
+  <user>
+    username frsyuki
+    password sukiyaki
+  </user>
+  <user>
+    username repeatedly
+    password sushi
+  </user>
+  <client>
+    host 192.168.10.30      # allow all users to connect from 192.168.10.30
+  </client>
+  <client>
+    host  192.168.10.31
+    users tagomoris,frsyuki # deny repeatedly from 192.168.10.31
+  </client>
+  <client>
+    host 192.168.10.32
+    shared_key less_secret_string # limited shared_key for 192.168.10.32
+    users      repeatedly         # and repatedly only
+  </client>
+CONFIG
+    assert_equal ['tagomoris','frsyuki'], p4.nodes[1][:users]
   end
 end

data/test/plugin/test_input_session.rb

@@ -0,0 +1,43 @@
+require 'helper'
+
+require 'fluent/plugin/input_session'
+
+require 'ipaddr'
+
+class InputSessionTest < Test::Unit::TestCase
+
+  def test_check_node
+    # def check_node(hostname, ipaddress, port, proto)
+    nodes = [
+      { address: IPAddr.new('127.0.0.1'), shared_key: 'shared_key', users: ['tagomoris', 'repeatedly'] },
+      { address: IPAddr.new('2001:DB8::9'), shared_key: 'shared_key2', users: nil },
+      { address: IPAddr.new('127.0.0.0/24'), shared_key: 'shared_key3', users: ['tagomoris', 'repeatedly'] },
+    ]
+    p1 = DummyInputPlugin.new(nodes: nodes)
+    s1 = Fluent::SecureForwardInput::Session.new(p1, DummySocket.new)
+
+    assert s1.check_node('127.0.0.1')
+    assert_equal 'shared_key', s1.check_node('127.0.0.1')[:shared_key]
+
+    assert s1.check_node('127.0.0.127')
+    assert_equal 'shared_key3', s1.check_node('127.0.0.127')[:shared_key]
+
+    assert_nil s1.check_node('192.0.2.8')
+    assert_nil s1.check_node('2001:DB8::8')
+
+    assert s1.check_node('2001:DB8::9')
+    assert_equal 'shared_key2', s1.check_node('2001:DB8::9')[:shared_key]
+  end
+
+  def test_generate_helo
+  end
+
+  def test_check_ping
+  end
+
+  def test_generate_pong
+  end
+
+  def test_on_read
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-secure-forward
 version: !ruby/object:Gem::Version
-  version: 0.1.8
+  version: 0.1.9.pre.rc1
 platform: ruby
 authors:
 - TAGOMORI Satoshi
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-03-31 00:00:00.000000000 Z
+date: 2014-07-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fluentd
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.10.46
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.10.46
 - !ruby/object:Gem::Dependency
   name: fluent-mixin-config-placeholders
   requirement: !ruby/object:Gem::Requirement
@@ -95,6 +95,7 @@ files:
 - lib/fluent/plugin/output_node.rb
 - test/helper.rb
 - test/plugin/test_in_secure_forward.rb
+- test/plugin/test_input_session.rb
 - test/plugin/test_out_secure_forward.rb
 homepage: https://github.com/tagomoris/fluent-plugin-secure-forward
 licenses:
@@ -111,9 +112,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.2.2
@@ -123,4 +124,5 @@ summary: Fluentd input/output plugin to forward over SSL with authentications
 test_files:
 - test/helper.rb
 - test/plugin/test_in_secure_forward.rb
+- test/plugin/test_input_session.rb
 - test/plugin/test_out_secure_forward.rb