fluent-plugin-secure-forward 0.0.3 → 0.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 616e3ee6ce26495d3cae028b95f875452e65b281
-  data.tar.gz: c2c1e3423af3a2659389b3ed3a534876b56ad9d3
+  metadata.gz: b51f31fdd96e025c02cc760ff62119649c41822b
+  data.tar.gz: 8e6173fe782e3fe9f1cb5f919c8f6eac6f43c455
 SHA512:
-  metadata.gz: d33ca023780967c1d5e543dd30da3beea56c9cddc53ad43b346f19513fa72a00fb35c48797336910b6455de39b14e3e32212f4250073c28ede2d1fddbbfcc077
-  data.tar.gz: 0353931f0f0308dc51719e24628cf96c9c01f53baba40ee087b5dd0f09f42c5bc7492475fe1434e15cc4706fbc0335f3728ca6f614b5a100fe98536bc332fb71
+  metadata.gz: f90bd6309c2b69c62133efe58fd7732c816c1256086ed681198dcc66d949095d3d3bc86fb78fc4e76ad7392ca1fe591d301bab6488a493aa81750eba266d76d1
+  data.tar.gz: ab9cef4259d0071e81fefbe389ffa4840a80bcc5f621f7b1e82bc79781b1278728c124807df925bec0ebfc4fc3e0405d5a6f98cae8331b864247fd6830d9b022

data/README.md

@@ -126,7 +126,7 @@ Minimal configurations like this:
       </server>
     </match>
 
-At this version (v0.0.x), only one `<server>` section can be specified.
+When specified 2 or more `<server>`, this plugin uses these nodes in simple round-robin order.
 
 If server requires username/password, set `username` and `password` in `<server>` section:
 
@@ -135,10 +135,15 @@ If server requires username/password, set `username` and `password` in `<server>
       shared_key secret_string
       self_hostname client.fqdn.local
       <server>
-        host server.fqdn.local
+        host first.fqdn.local
         username repeatedly
         password sushi
       </server>
+      <server>
+        host second.fqdn.local
+        username sasatatsu
+        password karaage
+      </server>
     </match>
 
 ## Senario (developer document)

data/Rakefile

@@ -1,2 +1,11 @@
 #!/usr/bin/env rake
 require "bundler/gem_tasks"
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+task :default => :test

data/example/client.conf

@@ -9,5 +9,11 @@
   <server>
     host localhost
   </server>
+  <server>
+    host localhost
+  </server>
+  <server>
+    host localhost
+  </server>
   flush_interval 1s
 </match>

data/fluent-plugin-secure-forward.gemspec

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |gem|
   gem.name          = "fluent-plugin-secure-forward"
-  gem.version       = "0.0.3"
+  gem.version       = "0.0.4"
   gem.authors       = ["TAGOMORI Satoshi"]
   gem.email         = ["tagomoris@gmail.com"]
   gem.summary       = %q{Fluentd input/output plugin to forward over SSL with authentications}
@@ -16,4 +16,5 @@ Gem::Specification.new do |gem|
   gem.add_runtime_dependency "fluentd"
   gem.add_runtime_dependency "fluent-mixin-config-placeholders"
   gem.add_runtime_dependency "resolve-hostname"
+  gem.add_development_dependency "rake"
 end

data/lib/fluent/plugin/in_secure_forward.rb

@@ -2,6 +2,13 @@
 
 require 'fluent/mixin/config_placeholders'
 
+module Fluent
+  class SecureForwardInput < Input
+  end
+end
+
+require_relative 'input_session'
+
 module Fluent
   class SecureForwardInput < Input
     DEFAULT_SECURE_LISTEN_PORT = 24284
@@ -57,7 +64,6 @@ module Fluent
 
     def initialize
       super
-      require 'resolv'
       require 'socket'
       require 'openssl'
       require 'digest'
@@ -214,210 +220,5 @@ module Fluent
         Fluent::Engine.emit(tag, time, record)
       end
     end
-
-    class Session # Fluent::SecureForwardInput::Session
-      attr_accessor :receiver
-      attr_accessor :state, :thread, :node, :socket, :unpacker, :auth_salt
-
-      def initialize(receiver, socket)
-        @receiver = receiver
-
-        @state = :helo
-
-        @socket = socket
-        @socket.sync = true
-
-        @ipaddress = nil
-        @node = nil
-        @unpacker = MessagePack::Unpacker.new
-        @thread = Thread.new(&method(:start))
-      end
-
-      def established?
-        @state == :established
-      end
-
-      def generate_salt
-        OpenSSL::Random.random_bytes(16)
-      end
-
-      def check_node(hostname, ipaddress, port, proto)
-        node = nil
-        family = Socket.const_get(proto)
-        @receiver.nodes.each do |n|
-          proto, port, host, ipaddr, family_num, socktype_num, proto_num = Socket.getaddrinfo(n[:host], port, family).first
-          if ipaddr == ipaddress
-            node = n
-            break
-          end
-        end
-        node
-      end
-
-      ## not implemented yet
-      # def check_hostname_reverse_lookup(ipaddress)
-      #   rev_name = Resolv.getname(ipaddress)
-      #   proto, port, host, ipaddr, family_num, socktype_num, proto_num = Socket.getaddrinfo(rev_name, DUMMY_PORT)
-      #   unless ipaddr == ipaddress
-      #     return false
-      #   end
-      #   true
-      # end
-
-      def generate_helo
-        $log.debug "generating helo"
-        # ['HELO', options(hash)]
-        [ 'HELO', {'auth' => (@receiver.authentication ? @auth_key_salt : ''), 'keepalive' => @receiver.allow_keepalive } ]
-      end
-
-      def check_ping(message)
-        $log.debug "checking ping"
-        # ['PING', self_hostname, shared_key\_salt, sha512\_hex(shared_key\_salt + self_hostname + shared_key),
-        #  username || '', sha512\_hex(auth\_salt + username + password) || '']
-        unless message.size == 6 && message[0] == 'PING'
-          return false, 'invalid ping message'
-        end
-        ping, hostname, shared_key_salt, shared_key_hexdigest, username, password_digest = message
-
-        shared_key = if @node && @node[:shared_key]
-                       @node[:shared_key]
-                     else
-                       @receiver.shared_key
-                     end
-        serverside = Digest::SHA512.new.update(shared_key_salt).update(hostname).update(shared_key).hexdigest
-        if shared_key_hexdigest != serverside
-          $log.warn "Shared key mismatch from '#{hostname}'"
-          return false, 'shared_key mismatch'
-        end
-
-        if @receiver.authentication
-          users = @receiver.select_authenticate_users(@node, username)
-          success = false
-          users.each do |user|
-            passhash = Digest::SHA512.new.update(@auth_key_salt).update(username).update(user[:password]).hexdigest
-            success ||= (passhash == password_digest)
-          end
-          unless success
-            $log.warn "Authentication failed from client '#{hostname}', username '#{username}'"
-            return false, 'username/password mismatch'
-          end
-        end
-
-        return true, shared_key_salt
-      end
-
-      def generate_pong(auth_result, reason_or_salt)
-        $log.debug "generating pong"
-        # ['PONG', bool(authentication result), 'reason if authentication failed',
-        #  self_hostname, sha512\_hex(salt + self_hostname + sharedkey)]
-        if not auth_result
-          return ['PONG', false, reason_or_salt, '', '']
-        end
-
-        shared_key = if @node && @node[:shared_key]
-                       @node[:shared_key]
-                     else
-                       @receiver.shared_key
-                     end
-        shared_key_hex = Digest::SHA512.new.update(reason_or_salt).update(@receiver.self_hostname).update(shared_key).hexdigest
-        [ 'PONG', true, '', @receiver.self_hostname, shared_key_hex ]
-      end
-
-      def on_read(data)
-        $log.debug "on_read"
-        if self.established?
-          @receiver.on_message(data)
-        end
-
-        case @state
-        when :pingpong
-          success, reason_or_salt = self.check_ping(data)
-          if not success
-            send_data generate_pong(false, reason_or_salt)
-            self.shutdown
-            return
-          end
-          send_data generate_pong(true, reason_or_salt)
-
-          $log.debug "connection established"
-          @state = :established
-        end
-      end
-
-      def send_data(data)
-        # not nonblock because write data (response) needs sequence
-        @socket.write data.to_msgpack
-      end
-
-      def start
-        $log.debug "starting server"
-
-        $log.trace "accepting ssl session"
-        begin
-          @socket.accept
-        rescue OpenSSL::SSL::SSLError => e
-          $log.debug "failed to establish ssl session"
-          self.shutdown
-          return
-        end
-
-        proto, port, host, ipaddr = @socket.io.addr
-        @node = check_node(host, ipaddr, port, proto)
-        if @node.nil? && (! @receiver.allow_anonymous_source)
-          $log.warn "Connection required from unknown host '#{host}' (#{ipaddr}), disconnecting..."
-          self.shutdown
-          return
-        end
-
-        @auth_key_salt = generate_salt
-
-        buf = ''
-        read_length = @receiver.read_length
-        read_interval = @receiver.read_interval
-        socket_interval = @receiver.socket_interval
-
-        send_data generate_helo()
-        @state = :pingpong
-
-        loop do
-          begin
-            while @socket.read_nonblock(read_length, buf)
-              if buf == ''
-                sleep read_interval
-                next
-              end
-              @unpacker.feed_each(buf, &method(:on_read))
-              buf = ''
-            end
-          rescue OpenSSL::SSL::SSLError => e
-            # to wait i/o restart
-            sleep socket_interval
-          rescue EOFError => e
-            $log.debug "Connection closed from '#{host}'(#{ipaddr})"
-            break
-          end
-        end
-      rescue => e
-        $log.warn e
-      ensure
-        self.shutdown
-      end
-
-      def shutdown
-        @state = :closed
-        if @thread == Thread.current
-          @socket.close
-          @thread.kill
-        else
-          if @thread
-            @thread.kill
-            @thread.join
-          end
-          @socket.close
-        end
-      rescue => e
-        $log.debug "#{e.class}:#{e.message}"
-      end
-    end
   end
 end

data/lib/fluent/plugin/input_session.rb

@@ -0,0 +1,210 @@
+# require 'msgpack'
+# require 'socket'
+# require 'openssl'
+# require 'digest'
+### require 'resolv'
+
+class Fluent::SecureForwardInput::Session
+  attr_accessor :receiver
+  attr_accessor :state, :thread, :node, :socket, :unpacker, :auth_salt
+
+  def initialize(receiver, socket)
+    @receiver = receiver
+
+    @state = :helo
+
+    @socket = socket
+    @socket.sync = true
+
+    @ipaddress = nil
+    @node = nil
+    @unpacker = MessagePack::Unpacker.new
+    @thread = Thread.new(&method(:start))
+  end
+
+  def established?
+    @state == :established
+  end
+
+  def generate_salt
+    OpenSSL::Random.random_bytes(16)
+  end
+
+  def check_node(hostname, ipaddress, port, proto)
+    node = nil
+    family = Socket.const_get(proto)
+    @receiver.nodes.each do |n|
+      proto, port, host, ipaddr, family_num, socktype_num, proto_num = Socket.getaddrinfo(n[:host], port, family).first
+      if ipaddr == ipaddress
+        node = n
+        break
+      end
+    end
+    node
+  end
+
+  ## not implemented yet
+  # def check_hostname_reverse_lookup(ipaddress)
+  #   rev_name = Resolv.getname(ipaddress)
+  #   proto, port, host, ipaddr, family_num, socktype_num, proto_num = Socket.getaddrinfo(rev_name, DUMMY_PORT)
+  #   unless ipaddr == ipaddress
+  #     return false
+  #   end
+  #   true
+  # end
+
+  def generate_helo
+    $log.debug "generating helo"
+    # ['HELO', options(hash)]
+    [ 'HELO', {'auth' => (@receiver.authentication ? @auth_key_salt : ''), 'keepalive' => @receiver.allow_keepalive } ]
+  end
+
+  def check_ping(message)
+    $log.debug "checking ping"
+    # ['PING', self_hostname, shared_key\_salt, sha512\_hex(shared_key\_salt + self_hostname + shared_key),
+    #  username || '', sha512\_hex(auth\_salt + username + password) || '']
+    unless message.size == 6 && message[0] == 'PING'
+      return false, 'invalid ping message'
+    end
+    ping, hostname, shared_key_salt, shared_key_hexdigest, username, password_digest = message
+
+    shared_key = if @node && @node[:shared_key]
+                   @node[:shared_key]
+                 else
+                   @receiver.shared_key
+                 end
+    serverside = Digest::SHA512.new.update(shared_key_salt).update(hostname).update(shared_key).hexdigest
+    if shared_key_hexdigest != serverside
+      $log.warn "Shared key mismatch from '#{hostname}'"
+      return false, 'shared_key mismatch'
+    end
+
+    if @receiver.authentication
+      users = @receiver.select_authenticate_users(@node, username)
+      success = false
+      users.each do |user|
+        passhash = Digest::SHA512.new.update(@auth_key_salt).update(username).update(user[:password]).hexdigest
+        success ||= (passhash == password_digest)
+      end
+      unless success
+        $log.warn "Authentication failed from client '#{hostname}', username '#{username}'"
+        return false, 'username/password mismatch'
+      end
+    end
+
+    return true, shared_key_salt
+  end
+
+  def generate_pong(auth_result, reason_or_salt)
+    $log.debug "generating pong"
+    # ['PONG', bool(authentication result), 'reason if authentication failed',
+    #  self_hostname, sha512\_hex(salt + self_hostname + sharedkey)]
+    if not auth_result
+      return ['PONG', false, reason_or_salt, '', '']
+    end
+
+    shared_key = if @node && @node[:shared_key]
+                   @node[:shared_key]
+                 else
+                   @receiver.shared_key
+                 end
+    shared_key_hex = Digest::SHA512.new.update(reason_or_salt).update(@receiver.self_hostname).update(shared_key).hexdigest
+    [ 'PONG', true, '', @receiver.self_hostname, shared_key_hex ]
+  end
+
+  def on_read(data)
+    $log.debug "on_read"
+    if self.established?
+      @receiver.on_message(data)
+    end
+
+    case @state
+    when :pingpong
+      success, reason_or_salt = self.check_ping(data)
+      if not success
+        send_data generate_pong(false, reason_or_salt)
+        self.shutdown
+        return
+      end
+      send_data generate_pong(true, reason_or_salt)
+
+      $log.debug "connection established"
+      @state = :established
+    end
+  end
+
+  def send_data(data)
+    # not nonblock because write data (response) needs sequence
+    @socket.write data.to_msgpack
+  end
+
+  def start
+    $log.debug "starting server"
+
+    $log.trace "accepting ssl session"
+    begin
+      @socket.accept
+    rescue OpenSSL::SSL::SSLError => e
+      $log.debug "failed to establish ssl session"
+      self.shutdown
+      return
+    end
+
+    proto, port, host, ipaddr = @socket.io.addr
+    @node = check_node(host, ipaddr, port, proto)
+    if @node.nil? && (! @receiver.allow_anonymous_source)
+      $log.warn "Connection required from unknown host '#{host}' (#{ipaddr}), disconnecting..."
+      self.shutdown
+      return
+    end
+
+    @auth_key_salt = generate_salt
+
+    buf = ''
+    read_length = @receiver.read_length
+    read_interval = @receiver.read_interval
+    socket_interval = @receiver.socket_interval
+
+    send_data generate_helo()
+    @state = :pingpong
+
+    loop do
+      begin
+        while @socket.read_nonblock(read_length, buf)
+          if buf == ''
+            sleep read_interval
+            next
+          end
+          @unpacker.feed_each(buf, &method(:on_read))
+          buf = ''
+        end
+      rescue OpenSSL::SSL::SSLError => e
+        # to wait i/o restart
+        sleep socket_interval
+      rescue EOFError => e
+        $log.debug "Connection closed from '#{host}'(#{ipaddr})"
+        break
+      end
+    end
+  rescue => e
+    $log.warn "unexpected error in in_secure_forward", :error_class => e.class, :error => e
+  ensure
+    self.shutdown
+  end
+
+  def shutdown
+    @state = :closed
+    if @thread == Thread.current
+      @socket.close
+      @thread.kill
+    else
+      if @thread
+        @thread.kill
+        @thread.join
+      end
+      @socket.close
+    end
+  rescue => e
+    $log.debug "#{e.class}:#{e.message}"
+  end
+end

data/lib/fluent/plugin/openssl_util.rb

@@ -0,0 +1,38 @@
+module Fluent::SecureForwardOutput::OpenSSLUtil
+  def self.verify_result_name(code)
+    case code
+    when OpenSSL::X509::V_OK then 'V_OK'
+    when OpenSSL::X509::V_ERR_AKID_SKID_MISMATCH then 'V_ERR_AKID_SKID_MISMATCH'
+    when OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION then 'V_ERR_APPLICATION_VERIFICATION'
+    when OpenSSL::X509::V_ERR_CERT_CHAIN_TOO_LONG then 'V_ERR_CERT_CHAIN_TOO_LONG'
+    when OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED then 'V_ERR_CERT_HAS_EXPIRED'
+    when OpenSSL::X509::V_ERR_CERT_NOT_YET_VALID then 'V_ERR_CERT_NOT_YET_VALID'
+    when OpenSSL::X509::V_ERR_CERT_REJECTED then 'V_ERR_CERT_REJECTED'
+    when OpenSSL::X509::V_ERR_CERT_REVOKED then 'V_ERR_CERT_REVOKED'
+    when OpenSSL::X509::V_ERR_CERT_SIGNATURE_FAILURE then 'V_ERR_CERT_SIGNATURE_FAILURE'
+    when OpenSSL::X509::V_ERR_CERT_UNTRUSTED then 'V_ERR_CERT_UNTRUSTED'
+    when OpenSSL::X509::V_ERR_CRL_HAS_EXPIRED then 'V_ERR_CRL_HAS_EXPIRED'
+    when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID then 'V_ERR_CRL_NOT_YET_VALID'
+    when OpenSSL::X509::V_ERR_CRL_SIGNATURE_FAILURE then 'V_ERR_CRL_SIGNATURE_FAILURE'
+    when OpenSSL::X509::V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT then 'V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT'
+    when OpenSSL::X509::V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD then 'V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD'
+    when OpenSSL::X509::V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD then 'V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD'
+    when OpenSSL::X509::V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD then 'V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD'
+    when OpenSSL::X509::V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD then 'V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD'
+    when OpenSSL::X509::V_ERR_INVALID_CA then 'V_ERR_INVALID_CA'
+    when OpenSSL::X509::V_ERR_INVALID_PURPOSE then 'V_ERR_INVALID_PURPOSE'
+    when OpenSSL::X509::V_ERR_KEYUSAGE_NO_CERTSIGN then 'V_ERR_KEYUSAGE_NO_CERTSIGN'
+    when OpenSSL::X509::V_ERR_OUT_OF_MEM then 'V_ERR_OUT_OF_MEM'
+    when OpenSSL::X509::V_ERR_PATH_LENGTH_EXCEEDED then 'V_ERR_PATH_LENGTH_EXCEEDED'
+    when OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN then 'V_ERR_SELF_SIGNED_CERT_IN_CHAIN'
+    when OpenSSL::X509::V_ERR_SUBJECT_ISSUER_MISMATCH then 'V_ERR_SUBJECT_ISSUER_MISMATCH'
+    when OpenSSL::X509::V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY then 'V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY'
+    when OpenSSL::X509::V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE then 'V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY'
+    when OpenSSL::X509::V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE then 'V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE'
+    when OpenSSL::X509::V_ERR_UNABLE_TO_GET_CRL then 'V_ERR_UNABLE_TO_GET_CRL'
+    when OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT then 'V_ERR_UNABLE_TO_GET_ISSUER_CERT'
+    when OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY then 'V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
+    when OpenSSL::X509::V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE then 'V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE'
+    end
+  end
+end

data/lib/fluent/plugin/out_secure_forward.rb

@@ -2,6 +2,13 @@
 
 require 'fluent/mixin/config_placeholders'
 
+module Fluent
+  class SecureForwardOutput < ObjectBufferedOutput
+  end
+end
+
+require_relative 'output_node'
+
 module Fluent
   class SecureForwardOutput < ObjectBufferedOutput
     DEFAULT_SECURE_CONNECT_PORT = 24284
@@ -74,9 +81,8 @@ module Fluent
           raise Fluent::ConfigError, "unknown config tag name #{element.name}"
         end
       end
-      if @nodes.size > 1
-        raise Fluent::ConfigError, "Two or more servers are not supported yet."
-      end
+      @next_node = 0
+      @mutex = Mutex.new
 
       @hostname_resolver = Resolve::Hostname.new(:system_resolver => true)
 
@@ -84,8 +90,21 @@ module Fluent
     end
 
     def select_node
-      #TODO: roundrobin? random?
-      @nodes.select(&:established?).first
+      tries = 0
+      nodes = @nodes.size
+      @mutex.synchronize {
+        n = nil
+        while tries <= nodes
+          n = @nodes[@next_node]
+          @next_node += 1
+          @next_node = 0 if @next_node >= nodes
+
+          return n if n && n.established?
+
+          tries += 1
+        end
+        nil
+      }
     end
 
     def start
@@ -168,266 +187,5 @@ module Fluent
       # writeRawBody(packed_es)
       es.write_to(ssl)
     end
-
-    class Node # Fluent::SecureForwardOutput::Node
-      attr_accessor :host, :port, :hostlabel, :shared_key, :username, :password
-      attr_accessor :authentication, :keepalive
-      attr_accessor :socket, :sslsession, :unpacker, :shared_key_salt, :state
-
-      def initialize(sender, shared_key, conf)
-        @sender = sender
-        @shared_key = shared_key
-
-        @host = conf['host']
-        @port = (conf['port'] || DEFAULT_SECURE_CONNECT_PORT).to_i
-        @hostlabel = conf['hostlabel'] || conf['host']
-        @username = conf['username'] || ''
-        @password = conf['password'] || ''
-
-        @authentication = nil
-        @keepalive = nil
-
-        @socket = nil
-        @sslsession = nil
-        @unpacker = MessagePack::Unpacker.new
-
-        @shared_key_salt = generate_salt
-        @state = :helo
-        @thread = nil
-      end
-
-      def dup
-        Node.new(
-          @sender,
-          @shared_key,
-          {'host' => @host, 'port' => @port, 'hostlabel' => @hostlabel, 'username' => @username, 'password' => @password}
-        )
-      end
-
-      def start
-        @thread = Thread.new(&method(:connect))
-      end
-
-      def shutdown
-        $log.debug "shutting down node #{@host}"
-        @state = :closed
-
-        if @thread == Thread.current
-          @sslsession.close if @sslsession
-          @socket.close if @socket
-          @thread.kill
-        else
-          if @thread
-            @thread.kill
-            @thread.join
-          end
-          @sslsession.close if @sslsession
-          @socket.close if @socket
-        end
-      rescue => e
-        $log.debug "error on node shutdown #{e.class}:#{e.message}"
-      end
-
-      def verify_result_name(code)
-        case code
-        when OpenSSL::X509::V_OK then 'V_OK'
-        when OpenSSL::X509::V_ERR_AKID_SKID_MISMATCH then 'V_ERR_AKID_SKID_MISMATCH'
-        when OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION then 'V_ERR_APPLICATION_VERIFICATION'
-        when OpenSSL::X509::V_ERR_CERT_CHAIN_TOO_LONG then 'V_ERR_CERT_CHAIN_TOO_LONG'
-        when OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED then 'V_ERR_CERT_HAS_EXPIRED'
-        when OpenSSL::X509::V_ERR_CERT_NOT_YET_VALID then 'V_ERR_CERT_NOT_YET_VALID'
-        when OpenSSL::X509::V_ERR_CERT_REJECTED then 'V_ERR_CERT_REJECTED'
-        when OpenSSL::X509::V_ERR_CERT_REVOKED then 'V_ERR_CERT_REVOKED'
-        when OpenSSL::X509::V_ERR_CERT_SIGNATURE_FAILURE then 'V_ERR_CERT_SIGNATURE_FAILURE'
-        when OpenSSL::X509::V_ERR_CERT_UNTRUSTED then 'V_ERR_CERT_UNTRUSTED'
-        when OpenSSL::X509::V_ERR_CRL_HAS_EXPIRED then 'V_ERR_CRL_HAS_EXPIRED'
-        when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID then 'V_ERR_CRL_NOT_YET_VALID'
-        when OpenSSL::X509::V_ERR_CRL_SIGNATURE_FAILURE then 'V_ERR_CRL_SIGNATURE_FAILURE'
-        when OpenSSL::X509::V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT then 'V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT'
-        when OpenSSL::X509::V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD then 'V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD'
-        when OpenSSL::X509::V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD then 'V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD'
-        when OpenSSL::X509::V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD then 'V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD'
-        when OpenSSL::X509::V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD then 'V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD'
-        when OpenSSL::X509::V_ERR_INVALID_CA then 'V_ERR_INVALID_CA'
-        when OpenSSL::X509::V_ERR_INVALID_PURPOSE then 'V_ERR_INVALID_PURPOSE'
-        when OpenSSL::X509::V_ERR_KEYUSAGE_NO_CERTSIGN then 'V_ERR_KEYUSAGE_NO_CERTSIGN'
-        when OpenSSL::X509::V_ERR_OUT_OF_MEM then 'V_ERR_OUT_OF_MEM'
-        when OpenSSL::X509::V_ERR_PATH_LENGTH_EXCEEDED then 'V_ERR_PATH_LENGTH_EXCEEDED'
-        when OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN then 'V_ERR_SELF_SIGNED_CERT_IN_CHAIN'
-        when OpenSSL::X509::V_ERR_SUBJECT_ISSUER_MISMATCH then 'V_ERR_SUBJECT_ISSUER_MISMATCH'
-        when OpenSSL::X509::V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY then 'V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY'
-        when OpenSSL::X509::V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE then 'V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY'
-        when OpenSSL::X509::V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE then 'V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE'
-        when OpenSSL::X509::V_ERR_UNABLE_TO_GET_CRL then 'V_ERR_UNABLE_TO_GET_CRL'
-        when OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT then 'V_ERR_UNABLE_TO_GET_ISSUER_CERT'
-        when OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY then 'V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
-        when OpenSSL::X509::V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE then 'V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE'
-        end
-      end
-
-      def established?
-        @state == :established
-      end
-
-      def generate_salt
-        OpenSSL::Random.random_bytes(16)
-      end
-
-      def check_helo(message)
-        $log.debug "checking helo"
-        # ['HELO', options(hash)]
-        unless message.size == 2 && message[0] == 'HELO'
-          return false
-        end
-        opts = message[1]
-        @authentication = opts['auth']
-        @keepalive = opts['keepalive']
-        true
-      end
-
-      def generate_ping
-        $log.debug "generating ping"
-        # ['PING', self_hostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + self_hostname + shared_key),
-        #  username || '', sha512\_hex(auth\_salt + username + password) || '']
-        shared_key_hexdigest = Digest::SHA512.new.update(@shared_key_salt).update(@sender.self_hostname).update(@shared_key).hexdigest
-        ping = ['PING', @sender.self_hostname, @shared_key_salt, shared_key_hexdigest]
-        if @authentication != ''
-          password_hexdigest = Digest::SHA512.new.update(@authentication).update(@username).update(@password).hexdigest
-          ping.push(@username, password_hexdigest)
-        else
-          ping.push('','')
-        end
-        ping
-      end
-
-      def check_pong(message)
-        $log.debug "checking pong"
-        # ['PONG', bool(authentication result), 'reason if authentication failed',
-        #  self_hostname, sha512\_hex(salt + self_hostname + sharedkey)]
-        unless message.size == 5 && message[0] == 'PONG'
-          return false, 'invalid format for PONG message'
-        end
-        pong, auth_result, reason, hostname, shared_key_hexdigest = message
-
-        unless auth_result
-          return false, 'authentication failed: ' + reason
-        end
-
-        clientside = Digest::SHA512.new.update(@shared_key_salt).update(hostname).update(@shared_key).hexdigest
-        unless shared_key_hexdigest == clientside
-          return false, 'shared key mismatch'
-        end
-
-        return true, nil
-      end
-
-      def send_data(data)
-        @sslsession.write data.to_msgpack
-      end
-
-      def on_read(data)
-        $log.debug "on_read"
-        if self.established?
-          #TODO: ACK
-          $log.warn "unknown packets arrived..."
-          return
-        end
-
-        case @state
-        when :helo
-          # TODO: log debug
-          unless check_helo(data)
-            $log.warn "received invalid helo message from #{@host}"
-            self.shutdown
-            return
-          end
-          send_data generate_ping()
-          @state = :pingpong
-        when :pingpong
-          success, reason = check_pong(data)
-          unless success
-            $log.warn "connection refused to #{@host}:" + reason
-            self.shutdown
-            return
-          end
-          $log.info "connection established to #{@host}"
-          @state = :established
-        end
-      end
-
-      def connect
-        $log.debug "starting client"
-
-        addr = @sender.hostname_resolver.getaddress(@host)
-        $log.debug "create tcp socket to node", :host => @host, :address => addr, :port => @port
-        sock = TCPSocket.new(addr, @port)
-
-        $log.trace "changing socket options"
-        opt = [1, @sender.send_timeout.to_i].pack('I!I!')  # { int l_onoff; int l_linger; }
-        sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_LINGER, opt)
-
-        opt = [@sender.send_timeout.to_i, 0].pack('L!L!')  # struct timeval
-        sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_SNDTIMEO, opt)
-
-        # TODO: SSLContext constructer parameter (SSL/TLS protocol version)
-        $log.trace "initializing SSL contexts"
-        context = OpenSSL::SSL::SSLContext.new
-        # TODO: context.ca_file = (ca_file_path)
-        # TODO: context.ciphers = (SSL Shared key chiper protocols)
-
-        $log.debug "trying to connect ssl session", :host => @host, :ipaddr => addr, :port => @port
-        sslsession = OpenSSL::SSL::SSLSocket.new(sock, context)
-        # TODO: check connection failure
-        sslsession.connect
-        $log.debug "ssl session connected", :host => @host, :port => @port
-
-        begin
-          unless @sender.allow_self_signed_certificate
-            $log.debug "checking peer's certificate", :subject => sslsession.peer_cert.subject
-            sslsession.post_connection_check(@hostlabel)
-            verify = sslsession.verify_result
-            if verify != OpenSSL::X509::V_OK
-              err_name = verify_result_name(verify)
-              $log.warn "failed to verify certification while connecting host #{@host} as #{@hostlabel} (but not raised, why?)"
-              $log.warn "verify_result: #{err_name}"
-              raise RuntimeError, "failed to verify certification while connecting host #{@host} as #{@hostlabel}"
-            end
-          end
-        rescue OpenSSL::SSL::SSLError => e
-          $log.warn "failed to verify certification while connecting ssl session", :host => @host, :hostlabel => @hostlabel
-          self.shutdown
-          raise
-        end
-
-        $log.debug "ssl sessison connected", :host => @host, :port => @port
-        @socket = sock
-        @sslsession = sslsession
-
-        buf = ''
-        read_length = @sender.read_length
-        read_interval = @sender.read_interval
-        socket_interval = @sender.socket_interval
-
-        loop do
-          begin
-            while @sslsession.read_nonblock(read_length, buf)
-              if buf == ''
-                sleep read_interval
-                next
-              end
-              @unpacker.feed_each(buf, &method(:on_read))
-              buf = ''
-            end
-          rescue OpenSSL::SSL::SSLError
-            # to wait i/o restart
-            sleep socket_interval
-          rescue EOFError
-            $log.warn "disconnected from #{@host}"
-            break
-          end
-        end
-        self.shutdown
-      end
-    end
   end
 end

data/lib/fluent/plugin/output_node.rb

@@ -0,0 +1,231 @@
+# require 'msgpack'
+# require 'socket'
+# require 'openssl'
+# require 'digest'
+# require 'resolve/hostname'
+
+require_relative 'openssl_util'
+
+class Fluent::SecureForwardOutput::Node
+  attr_accessor :host, :port, :hostlabel, :shared_key, :username, :password
+  attr_accessor :authentication, :keepalive
+  attr_accessor :socket, :sslsession, :unpacker, :shared_key_salt, :state
+
+  def initialize(sender, shared_key, conf)
+    @sender = sender
+    @shared_key = shared_key
+
+    @host = conf['host']
+    @port = (conf['port'] || Fluent::SecureForwardOutput::DEFAULT_SECURE_CONNECT_PORT).to_i
+    @hostlabel = conf['hostlabel'] || conf['host']
+    @username = conf['username'] || ''
+    @password = conf['password'] || ''
+
+    @authentication = nil
+    @keepalive = nil
+
+    @socket = nil
+    @sslsession = nil
+    @unpacker = MessagePack::Unpacker.new
+
+    @shared_key_salt = generate_salt
+    @state = :helo
+    @thread = nil
+  end
+
+  def dup
+    self.class.new(
+      @sender,
+      @shared_key,
+      {'host' => @host, 'port' => @port, 'hostlabel' => @hostlabel, 'username' => @username, 'password' => @password}
+    )
+  end
+
+  def start
+    @thread = Thread.new(&method(:connect))
+  end
+
+  def shutdown
+    $log.debug "shutting down node #{@host}"
+    @state = :closed
+
+    if @thread == Thread.current
+      @sslsession.close if @sslsession
+      @socket.close if @socket
+      @thread.kill
+    else
+      if @thread
+        @thread.kill
+        @thread.join
+      end
+      @sslsession.close if @sslsession
+      @socket.close if @socket
+    end
+  rescue => e
+    $log.debug "error on node shutdown #{e.class}:#{e.message}"
+  end
+
+  def established?
+    @state == :established
+  end
+
+  def generate_salt
+    OpenSSL::Random.random_bytes(16)
+  end
+
+  def check_helo(message)
+    $log.debug "checking helo"
+    # ['HELO', options(hash)]
+    unless message.size == 2 && message[0] == 'HELO'
+      return false
+    end
+    opts = message[1]
+    @authentication = opts['auth']
+    @keepalive = opts['keepalive']
+    true
+  end
+
+  def generate_ping
+    $log.debug "generating ping"
+    # ['PING', self_hostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + self_hostname + shared_key),
+    #  username || '', sha512\_hex(auth\_salt + username + password) || '']
+    shared_key_hexdigest = Digest::SHA512.new.update(@shared_key_salt).update(@sender.self_hostname).update(@shared_key).hexdigest
+    ping = ['PING', @sender.self_hostname, @shared_key_salt, shared_key_hexdigest]
+    if @authentication != ''
+      password_hexdigest = Digest::SHA512.new.update(@authentication).update(@username).update(@password).hexdigest
+      ping.push(@username, password_hexdigest)
+    else
+      ping.push('','')
+    end
+    ping
+  end
+
+  def check_pong(message)
+    $log.debug "checking pong"
+    # ['PONG', bool(authentication result), 'reason if authentication failed',
+    #  self_hostname, sha512\_hex(salt + self_hostname + sharedkey)]
+    unless message.size == 5 && message[0] == 'PONG'
+      return false, 'invalid format for PONG message'
+    end
+    pong, auth_result, reason, hostname, shared_key_hexdigest = message
+
+    unless auth_result
+      return false, 'authentication failed: ' + reason
+    end
+
+    clientside = Digest::SHA512.new.update(@shared_key_salt).update(hostname).update(@shared_key).hexdigest
+    unless shared_key_hexdigest == clientside
+      return false, 'shared key mismatch'
+    end
+
+    return true, nil
+  end
+
+  def send_data(data)
+    @sslsession.write data.to_msgpack
+  end
+
+  def on_read(data)
+    $log.debug "on_read"
+    if self.established?
+      #TODO: ACK
+      $log.warn "unknown packets arrived..."
+      return
+    end
+
+    case @state
+    when :helo
+      # TODO: log debug
+      unless check_helo(data)
+        $log.warn "received invalid helo message from #{@host}"
+        self.shutdown
+        return
+      end
+      send_data generate_ping()
+      @state = :pingpong
+    when :pingpong
+      success, reason = check_pong(data)
+      unless success
+        $log.warn "connection refused to #{@host}:" + reason
+        self.shutdown
+        return
+      end
+      $log.info "connection established to #{@host}"
+      @state = :established
+    end
+  end
+
+  def connect
+    $log.debug "starting client"
+
+    addr = @sender.hostname_resolver.getaddress(@host)
+    $log.debug "create tcp socket to node", :host => @host, :address => addr, :port => @port
+    sock = TCPSocket.new(addr, @port)
+
+    $log.trace "changing socket options"
+    opt = [1, @sender.send_timeout.to_i].pack('I!I!')  # { int l_onoff; int l_linger; }
+    sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_LINGER, opt)
+
+    opt = [@sender.send_timeout.to_i, 0].pack('L!L!')  # struct timeval
+    sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_SNDTIMEO, opt)
+
+    # TODO: SSLContext constructer parameter (SSL/TLS protocol version)
+    $log.trace "initializing SSL contexts"
+    context = OpenSSL::SSL::SSLContext.new
+    # TODO: context.ca_file = (ca_file_path)
+    # TODO: context.ciphers = (SSL Shared key chiper protocols)
+
+    $log.debug "trying to connect ssl session", :host => @host, :ipaddr => addr, :port => @port
+    sslsession = OpenSSL::SSL::SSLSocket.new(sock, context)
+    # TODO: check connection failure
+    sslsession.connect
+    $log.debug "ssl session connected", :host => @host, :port => @port
+
+    begin
+      unless @sender.allow_self_signed_certificate
+        $log.debug "checking peer's certificate", :subject => sslsession.peer_cert.subject
+        sslsession.post_connection_check(@hostlabel)
+        verify = sslsession.verify_result
+        if verify != OpenSSL::X509::V_OK
+          err_name = Fluent::SecureForwardOutput::OpenSSLUtil.verify_result_name(verify)
+          $log.warn "failed to verify certification while connecting host #{@host} as #{@hostlabel} (but not raised, why?)"
+          $log.warn "verify_result: #{err_name}"
+          raise RuntimeError, "failed to verify certification while connecting host #{@host} as #{@hostlabel}"
+        end
+      end
+    rescue OpenSSL::SSL::SSLError => e
+      $log.warn "failed to verify certification while connecting ssl session", :host => @host, :hostlabel => @hostlabel
+      self.shutdown
+      raise
+    end
+
+    $log.debug "ssl sessison connected", :host => @host, :port => @port
+    @socket = sock
+    @sslsession = sslsession
+
+    buf = ''
+    read_length = @sender.read_length
+    read_interval = @sender.read_interval
+    socket_interval = @sender.socket_interval
+
+    loop do
+      begin
+        while @sslsession.read_nonblock(read_length, buf)
+          if buf == ''
+            sleep read_interval
+            next
+          end
+          @unpacker.feed_each(buf, &method(:on_read))
+          buf = ''
+        end
+      rescue OpenSSL::SSL::SSLError
+        # to wait i/o restart
+        sleep socket_interval
+      rescue EOFError
+        $log.warn "disconnected from #{@host}"
+        break
+      end
+    end
+    self.shutdown
+  end
+end

data/test/helper.rb

@@ -0,0 +1,29 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'fluent/test'
+unless ENV.has_key?('VERBOSE')
+  nulllogger = Object.new
+  nulllogger.instance_eval {|obj|
+    def method_missing(method, *args)
+      # pass
+    end
+  }
+  $log = nulllogger
+end
+
+require 'fluent/plugin/in_secure_forward'
+require 'fluent/plugin/out_secure_forward'
+
+class Test::Unit::TestCase
+end

data/test/plugin/test_in_secure_forward.rb

@@ -0,0 +1,10 @@
+require 'helper'
+
+class SecureForwardInputTest < Test::Unit::TestCase
+  CONFIG = %[
+]
+
+  def create_driver(conf=CONFIG,tag='test')
+    Fluent::Test::InputTestDriver.new(Fluent::SecureForwardInput, tag).configure(conf)
+  end
+end

data/test/plugin/test_out_secure_forward.rb

@@ -0,0 +1,10 @@
+require 'helper'
+
+class SecureForwardOutputTest < Test::Unit::TestCase
+  CONFIG = %[
+]
+
+  def create_driver(conf=CONFIG,tag='test')
+    Fluent::Test::OutputTestDriver.new(Fluent::SecureForwardOutput, tag).configure(conf)
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-secure-forward
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.4
 platform: ruby
 authors:
 - TAGOMORI Satoshi
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-07-23 00:00:00.000000000 Z
+date: 2013-07-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fluentd
@@ -52,6 +52,20 @@ dependencies:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: This version is HIGHLY EXPERIMENTAL.
 email:
 - tagomoris@gmail.com
@@ -74,7 +88,11 @@ files:
 - example/server.conf
 - fluent-plugin-secure-forward.gemspec
 - lib/fluent/plugin/in_secure_forward.rb
+- lib/fluent/plugin/input_session.rb
+- lib/fluent/plugin/openssl_util.rb
 - lib/fluent/plugin/out_secure_forward.rb
+- lib/fluent/plugin/output_node.rb
+- test/helper.rb
 - test/plugin/test_in_secure_forward.rb
 - test/plugin/test_out_secure_forward.rb
 homepage: https://github.com/tagomoris/fluent-plugin-secure-forward
@@ -101,6 +119,7 @@ signing_key:
 specification_version: 4
 summary: Fluentd input/output plugin to forward over SSL with authentications
 test_files:
+- test/helper.rb
 - test/plugin/test_in_secure_forward.rb
 - test/plugin/test_out_secure_forward.rb
 has_rdoc: