fluent-plugin-secure-forward 0.2.6 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +184 -43
- data/bin/secure-forward-ca-generate +34 -0
- data/example/cert_client.conf +1 -2
- data/example/cert_server.conf +5 -4
- data/example/client.conf +10 -7
- data/example/insecure_client.conf +23 -0
- data/example/insecure_server.conf +10 -0
- data/example/server.conf +5 -2
- data/fluent-plugin-secure-forward.gemspec +1 -1
- data/lib/fluent/plugin/in_secure_forward.rb +89 -50
- data/lib/fluent/plugin/input_session.rb +2 -2
- data/lib/fluent/plugin/out_secure_forward.rb +35 -18
- data/lib/fluent/plugin/output_node.rb +46 -23
- data/lib/fluent/plugin/secure_forward/cert_util.rb +85 -0
- data/test/plugin/test_in_secure_forward.rb +73 -8
- data/test/plugin/test_out_secure_forward.rb +45 -0
- metadata +9 -3
|
@@ -17,19 +17,18 @@ class SecureForwardInputTest < Test::Unit::TestCase
|
|
|
17
17
|
p1 = nil
|
|
18
18
|
assert_nothing_raised { p1 = create_driver(<<CONFIG).instance }
|
|
19
19
|
type secure_forward
|
|
20
|
+
secure false
|
|
20
21
|
shared_key secret_string
|
|
21
22
|
self_hostname server.fqdn.local # This fqdn is used as CN (Common Name) of certificates
|
|
22
|
-
cert_auto_generate yes # This parameter MUST be specified
|
|
23
23
|
CONFIG
|
|
24
24
|
assert_equal 'secret_string', p1.shared_key
|
|
25
25
|
assert_equal 'server.fqdn.local', p1.self_hostname
|
|
26
|
-
assert p1.cert_auto_generate
|
|
27
26
|
|
|
28
27
|
assert_raise(Fluent::ConfigError){ create_driver(<<CONFIG) }
|
|
29
28
|
type secure_forward
|
|
29
|
+
secure no
|
|
30
30
|
shared_key secret_string
|
|
31
31
|
self_hostname server.fqdn.local
|
|
32
|
-
cert_auto_generate yes
|
|
33
32
|
authentication yes # Deny clients without valid username/password
|
|
34
33
|
<user>
|
|
35
34
|
username tagomoris
|
|
@@ -41,9 +40,9 @@ CONFIG
|
|
|
41
40
|
CONFIG
|
|
42
41
|
assert_raise(Fluent::ConfigError){ create_driver(<<CONFIG) }
|
|
43
42
|
type secure_forward
|
|
43
|
+
secure no
|
|
44
44
|
shared_key secret_string
|
|
45
45
|
self_hostname server.fqdn.local
|
|
46
|
-
cert_auto_generate yes
|
|
47
46
|
authentication yes # Deny clients without valid username/password
|
|
48
47
|
<user>
|
|
49
48
|
username tagomoris
|
|
@@ -57,9 +56,9 @@ CONFIG
|
|
|
57
56
|
p2 = nil
|
|
58
57
|
assert_nothing_raised { p2 = create_driver(<<CONFIG).instance }
|
|
59
58
|
type secure_forward
|
|
59
|
+
secure no
|
|
60
60
|
shared_key secret_string
|
|
61
61
|
self_hostname server.fqdn.local
|
|
62
|
-
cert_auto_generate yes
|
|
63
62
|
authentication yes # Deny clients without valid username/password
|
|
64
63
|
<user>
|
|
65
64
|
username tagomoris
|
|
@@ -76,9 +75,9 @@ CONFIG
|
|
|
76
75
|
|
|
77
76
|
assert_raise(Fluent::ConfigError){ create_driver(<<CONFIG) }
|
|
78
77
|
type secure_forward
|
|
78
|
+
secure no
|
|
79
79
|
shared_key secret_string
|
|
80
80
|
self_hostname server.fqdn.local
|
|
81
|
-
cert_auto_generate yes
|
|
82
81
|
allow_anonymous_source no # Allow to accept from nodes of <client>
|
|
83
82
|
<client>
|
|
84
83
|
host 192.168.10.30
|
|
@@ -94,9 +93,9 @@ CONFIG
|
|
|
94
93
|
CONFIG
|
|
95
94
|
assert_raise(Fluent::ConfigError){ create_driver(<<CONFIG) }
|
|
96
95
|
type secure_forward
|
|
96
|
+
secure no
|
|
97
97
|
shared_key secret_string
|
|
98
98
|
self_hostname server.fqdn.local
|
|
99
|
-
cert_auto_generate yes
|
|
100
99
|
allow_anonymous_source no # Allow to accept from nodes of <client>
|
|
101
100
|
<client>
|
|
102
101
|
host 192.168.10.30
|
|
@@ -112,9 +111,9 @@ CONFIG
|
|
|
112
111
|
p3 = nil
|
|
113
112
|
assert_nothing_raised { p3 = create_driver(<<CONFIG).instance }
|
|
114
113
|
type secure_forward
|
|
114
|
+
secure no
|
|
115
115
|
shared_key secret_string
|
|
116
116
|
self_hostname server.fqdn.local
|
|
117
|
-
cert_auto_generate yes
|
|
118
117
|
allow_anonymous_source no # Allow to accept from nodes of <client>
|
|
119
118
|
<client>
|
|
120
119
|
host 192.168.10.30
|
|
@@ -137,6 +136,7 @@ CONFIG
|
|
|
137
136
|
|
|
138
137
|
p4 = nil
|
|
139
138
|
assert_nothing_raised { p4 = create_driver(<<CONFIG).instance }
|
|
139
|
+
secure no
|
|
140
140
|
shared_key secret_string
|
|
141
141
|
self_hostname server.fqdn.local
|
|
142
142
|
cert_auto_generate yes
|
|
@@ -169,4 +169,69 @@ CONFIG
|
|
|
169
169
|
CONFIG
|
|
170
170
|
assert_equal ['tagomoris','frsyuki'], p4.nodes[1][:users]
|
|
171
171
|
end
|
|
172
|
+
|
|
173
|
+
def test_configure_secure
|
|
174
|
+
p = nil
|
|
175
|
+
assert_raise(Fluent::ConfigError) { p = create_driver(<<CONFIG).instance }
|
|
176
|
+
type secure_forward
|
|
177
|
+
shared_key secret_string
|
|
178
|
+
self_hostname server.fqdn.local # This fqdn is used as CN (Common Name) of certificates
|
|
179
|
+
CONFIG
|
|
180
|
+
|
|
181
|
+
assert_raise(Fluent::ConfigError) { p = create_driver(<<CONFIG).instance }
|
|
182
|
+
type secure_forward
|
|
183
|
+
secure true
|
|
184
|
+
shared_key secret_string
|
|
185
|
+
self_hostname server.fqdn.local # This fqdn is used as CN (Common Name) of certificates
|
|
186
|
+
CONFIG
|
|
187
|
+
|
|
188
|
+
assert_raise(Fluent::ConfigError) { p = create_driver(<<CONFIG).instance }
|
|
189
|
+
type secure_forward
|
|
190
|
+
secure true
|
|
191
|
+
shared_key secret_string
|
|
192
|
+
self_hostname server.fqdn.local # This fqdn is used as CN (Common Name) of certificates
|
|
193
|
+
ca_cert_path /anywhere/cert/file/does/not/exist
|
|
194
|
+
CONFIG
|
|
195
|
+
|
|
196
|
+
passphrase = "testing secret phrase"
|
|
197
|
+
ca_dir = File.join(Dir.pwd, "test", "tmp", "cadir")
|
|
198
|
+
unless File.exist?(File.join(ca_dir, 'ca_cert.pem'))
|
|
199
|
+
FileUtils.mkdir_p(ca_dir)
|
|
200
|
+
opt = {
|
|
201
|
+
private_key_length: 2048,
|
|
202
|
+
cert_country: 'US',
|
|
203
|
+
cert_state: 'CA',
|
|
204
|
+
cert_locality: 'Mountain View',
|
|
205
|
+
cert_common_name: 'SecureForward CA',
|
|
206
|
+
}
|
|
207
|
+
cert, key = Fluent::SecureForward::CertUtil.generate_ca_pair(opt)
|
|
208
|
+
key_data = key.export(OpenSSL::Cipher::Cipher.new('aes256'), passphrase)
|
|
209
|
+
File.open(File.join(ca_dir, 'ca_key.pem'), 'w') do |file|
|
|
210
|
+
file.write key_data
|
|
211
|
+
end
|
|
212
|
+
File.open(File.join(ca_dir, 'ca_cert.pem'), 'w') do |file|
|
|
213
|
+
file.write cert.to_pem
|
|
214
|
+
end
|
|
215
|
+
end
|
|
216
|
+
|
|
217
|
+
assert_raise(OpenSSL::PKey::RSAError) { p = create_driver(<<CONFIG).instance }
|
|
218
|
+
type secure_forward
|
|
219
|
+
secure true
|
|
220
|
+
shared_key secret_string
|
|
221
|
+
self_hostname server.fqdn.local # This fqdn is used as CN (Common Name) of certificates
|
|
222
|
+
ca_cert_path #{ca_dir}/ca_cert.pem
|
|
223
|
+
ca_private_key_path #{ca_dir}/ca_key.pem
|
|
224
|
+
ca_private_key_passphrase wrong phrase
|
|
225
|
+
CONFIG
|
|
226
|
+
|
|
227
|
+
assert_nothing_raised { p = create_driver(<<CONFIG).instance }
|
|
228
|
+
type secure_forward
|
|
229
|
+
secure true
|
|
230
|
+
shared_key secret_string
|
|
231
|
+
self_hostname server.fqdn.local # This fqdn is used as CN (Common Name) of certificates
|
|
232
|
+
ca_cert_path #{ca_dir}/ca_cert.pem
|
|
233
|
+
ca_private_key_path #{ca_dir}/ca_key.pem
|
|
234
|
+
ca_private_key_passphrase testing secret phrase
|
|
235
|
+
CONFIG
|
|
236
|
+
end
|
|
172
237
|
end
|
|
@@ -16,6 +16,7 @@ class SecureForwardOutputTest < Test::Unit::TestCase
|
|
|
16
16
|
p1 = nil
|
|
17
17
|
assert_nothing_raised { p1 = create_driver(<<CONFIG).instance }
|
|
18
18
|
type secure_forward
|
|
19
|
+
secure no
|
|
19
20
|
shared_key secret_string
|
|
20
21
|
self_hostname client.fqdn.local
|
|
21
22
|
<server>
|
|
@@ -35,6 +36,7 @@ CONFIG
|
|
|
35
36
|
p1 = nil
|
|
36
37
|
assert_nothing_raised { p1 = create_driver(<<CONFIG).instance }
|
|
37
38
|
type secure_forward
|
|
39
|
+
secure no
|
|
38
40
|
shared_key secret_string
|
|
39
41
|
self_hostname client.fqdn.local
|
|
40
42
|
keepalive 1m
|
|
@@ -82,6 +84,7 @@ CONFIG
|
|
|
82
84
|
p1 = nil
|
|
83
85
|
assert_nothing_raised { p1 = create_driver(<<CONFIG).instance }
|
|
84
86
|
type secure_forward
|
|
87
|
+
secure no
|
|
85
88
|
shared_key secret_string
|
|
86
89
|
self_hostname client.fqdn.local
|
|
87
90
|
num_threads 3
|
|
@@ -99,4 +102,46 @@ CONFIG
|
|
|
99
102
|
assert_equal 3, p1.num_threads
|
|
100
103
|
assert_equal 1, p1.log.logs.select{|line| line =~ /\[warn\]: Too many num_threads for secure-forward:/}.size
|
|
101
104
|
end
|
|
105
|
+
|
|
106
|
+
def test_configure_with_ca_cert
|
|
107
|
+
ca_dir = File.join(Dir.pwd, "test", "tmp", "cadir")
|
|
108
|
+
unless File.exist?(File.join(ca_dir, 'ca_cert.pem'))
|
|
109
|
+
FileUtils.mkdir_p(ca_dir)
|
|
110
|
+
opt = {
|
|
111
|
+
private_key_length: 2048,
|
|
112
|
+
cert_country: 'US',
|
|
113
|
+
cert_state: 'CA',
|
|
114
|
+
cert_locality: 'Mountain View',
|
|
115
|
+
cert_common_name: 'SecureForward CA',
|
|
116
|
+
}
|
|
117
|
+
cert, key = Fluent::SecureForward::CertUtil.generate_ca_pair(opt)
|
|
118
|
+
key_data = key.export(OpenSSL::Cipher::Cipher.new('aes256'), passphrase)
|
|
119
|
+
File.open(File.join(ca_dir, 'ca_key.pem'), 'w') do |file|
|
|
120
|
+
file.write key_data
|
|
121
|
+
end
|
|
122
|
+
File.open(File.join(ca_dir, 'ca_cert.pem'), 'w') do |file|
|
|
123
|
+
file.write cert.to_pem
|
|
124
|
+
end
|
|
125
|
+
end
|
|
126
|
+
|
|
127
|
+
p = nil
|
|
128
|
+
assert_nothing_raised { p = create_driver(<<CONFIG).instance }
|
|
129
|
+
type secure_forward
|
|
130
|
+
secure yes
|
|
131
|
+
ca_cert_path #{ca_dir}/ca_cert.pem
|
|
132
|
+
shared_key secret_string
|
|
133
|
+
self_hostname client.fqdn.local
|
|
134
|
+
num_threads 3
|
|
135
|
+
<server>
|
|
136
|
+
host server1.fqdn.local
|
|
137
|
+
</server>
|
|
138
|
+
<server>
|
|
139
|
+
host server2.fqdn.local
|
|
140
|
+
</server>
|
|
141
|
+
<server>
|
|
142
|
+
host server3.fqdn.local
|
|
143
|
+
standby
|
|
144
|
+
</server>
|
|
145
|
+
CONFIG
|
|
146
|
+
end
|
|
102
147
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: fluent-plugin-secure-forward
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- TAGOMORI Satoshi
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-
|
|
11
|
+
date: 2015-05-28 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: fluentd
|
|
@@ -83,7 +83,8 @@ dependencies:
|
|
|
83
83
|
description: Message forwarding over SSL with authentication
|
|
84
84
|
email:
|
|
85
85
|
- tagomoris@gmail.com
|
|
86
|
-
executables:
|
|
86
|
+
executables:
|
|
87
|
+
- secure-forward-ca-generate
|
|
87
88
|
extensions: []
|
|
88
89
|
extra_rdoc_files: []
|
|
89
90
|
files:
|
|
@@ -93,6 +94,7 @@ files:
|
|
|
93
94
|
- LICENSE.txt
|
|
94
95
|
- README.md
|
|
95
96
|
- Rakefile
|
|
97
|
+
- bin/secure-forward-ca-generate
|
|
96
98
|
- example/auth_client.conf
|
|
97
99
|
- example/auth_server.conf
|
|
98
100
|
- example/cert_client.conf
|
|
@@ -100,6 +102,8 @@ files:
|
|
|
100
102
|
- example/certs/cert.pem
|
|
101
103
|
- example/certs/key.pem
|
|
102
104
|
- example/client.conf
|
|
105
|
+
- example/insecure_client.conf
|
|
106
|
+
- example/insecure_server.conf
|
|
103
107
|
- example/server.conf
|
|
104
108
|
- fluent-plugin-secure-forward.gemspec
|
|
105
109
|
- lib/fluent/plugin/in_secure_forward.rb
|
|
@@ -107,6 +111,7 @@ files:
|
|
|
107
111
|
- lib/fluent/plugin/openssl_util.rb
|
|
108
112
|
- lib/fluent/plugin/out_secure_forward.rb
|
|
109
113
|
- lib/fluent/plugin/output_node.rb
|
|
114
|
+
- lib/fluent/plugin/secure_forward/cert_util.rb
|
|
110
115
|
- test/helper.rb
|
|
111
116
|
- test/plugin/test_in_secure_forward.rb
|
|
112
117
|
- test/plugin/test_input_session.rb
|
|
@@ -140,3 +145,4 @@ test_files:
|
|
|
140
145
|
- test/plugin/test_in_secure_forward.rb
|
|
141
146
|
- test/plugin/test_input_session.rb
|
|
142
147
|
- test/plugin/test_out_secure_forward.rb
|
|
148
|
+
has_rdoc:
|