fluent-plugin-ssl-check 2.0.1 → 2.2.0
- checksums.yaml +4 -4
- data/.rubocop.yml +0 -4
- data/Gemfile.lock +1 -1
- data/README.md +4 -0
- data/fluent-plugin-ssl-check.gemspec +1 -1
- data/lib/fluent/plugin/in_ssl_check.rb +44 -9
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6f57a4e0f824d263cc4cde461a9b4846695309b16e7211486ba6ccd2e41365c0
|
4
|
+
data.tar.gz: c93593774d277d9769bb953f0e7893bbaf7168adf514dadff415a2382b37e37b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 4e4cdfd93bd663bfb08e75fc60b9cd5ec34d58957001207569932cd6696e2e6c51e5ae3392fcbf76caa624af9a1d00684e56646f2690a8d96fbdd778b7fc653c
|
7
|
+
data.tar.gz: 3446b7d2cfb26a28754bafee5074725f8bff7a1381d1020128d61b01bb31ae7785b08762749c17fd83c378a78f8815e98c9809f5c5e5d9ccb874140114954be8
|
data/.rubocop.yml
CHANGED
data/Gemfile.lock
CHANGED
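--- a/data/README.md
+++ b/data/README.md
@@ -30,6 +30,10 @@ Options are:
 * interval: check every X seconds
 * ca_path: directory that contains CA files
 * ca_file: specify a CA file directly
+* sni: want the sni support (true)
+* verify_mode: none or peer
+* cert: client cert for ssl connection
+* key: client key associated to client cert for ssl connection
 * timeout: timeout for ssl check execution (5sec)
 * log_events: emit log format (true)
 * metric_events: emit metric format (false)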
@@ -33,9 +33,10 @@ module Fluent
|
|
33
33
|
Fluent::Plugin.register_input(NAME, self)
|
34
34
|
|
35
35
|
DEFAULT_TAG = NAME
|
36
|
-
DEFAULT_HOST = 'localhost'
|
37
36
|
DEFAULT_PORT = 443
|
38
|
-
|
37
|
+
DEFAULT_INTERVAL = 600
|
38
|
+
DEFAULT_SNI = true
|
39
|
+
DEFAULT_VERIFY_MODE = :peer
|
39
40
|
DEFAULT_TIMEOUT = 5
|
40
41
|
DEFAULT_LOG_EVENTS = true
|
41
42
|
DEFAULT_METRIC_EVENTS = false
|
@@ -47,11 +48,19 @@ module Fluent
|
|
47
48
|
desc 'Host of the service to check'
|
48
49
|
config_param :hosts, :array, default: [], value_type: :string
|
49
50
|
desc 'Interval for the check execution'
|
50
|
-
config_param :interval, :time, default:
|
51
|
+
config_param :interval, :time, default: DEFAULT_INTERVAL
|
51
52
|
desc 'CA path to load'
|
52
53
|
config_param :ca_path, :string, default: nil
|
53
54
|
desc 'CA file to load'
|
54
55
|
config_param :ca_file, :string, default: nil
|
56
|
+
desc 'SNI support'
|
57
|
+
config_param :sni, :bool, default: DEFAULT_SNI
|
58
|
+
desc 'Verify mode'
|
59
|
+
config_param :verify_mode, :enum, list: %i[none peer], default: DEFAULT_VERIFY_MODE
|
60
|
+
desc 'Client Cert'
|
61
|
+
config_param :cert, :string, default: nil
|
62
|
+
desc 'Client Key'
|
63
|
+
config_param :key, :string, default: nil
|
55
64
|
|
56
65
|
desc 'Timeout for check'
|
57
66
|
config_param :timeout, :integer, default: DEFAULT_TIMEOUT
|
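Review bot: `desc 'Verify mode'` tells the operator nothing about the consequence of choosing `none`, which is the one security-relevant decision among the new options. Suggest `desc 'Verify mode: peer validates the server certificate chain against the configured CA store (default); none disables chain validation'`, and for the client credentials `desc 'Client certificate file for mutual TLS'` and `desc 'Client private key file matching cert'` instead of the bare `'Client Cert'` / `'Client Key'`. The README gains the same four options in this release, so keep the two descriptions in step.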
@@ -67,17 +76,22 @@ module Fluent
|
|
67
76
|
|
68
77
|
helpers :timer
|
69
78
|
|
70
|
-
# rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
|
79
|
+
# rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/AbcSize, Style/DoubleNegation
|
71
80
|
def configure(conf)
|
72
81
|
super
|
73
82
|
|
74
83
|
raise Fluent::ConfigError, 'tag can not be empty.' if !tag || tag.empty?
|
75
|
-
raise Fluent::ConfigError, 'hosts can not be empty.'
|
84
|
+
raise Fluent::ConfigError, 'hosts can not be empty.' unless hosts
|
76
85
|
raise Fluent::ConfigError, 'interval can not be < 1.' if !interval || interval < 1
|
77
86
|
raise Fluent::ConfigError, 'ca_path should be a dir.' if ca_path && !File.directory?(ca_path)
|
78
87
|
raise Fluent::ConfigError, 'ca_file should be a file.' if ca_file && !File.file?(ca_file)
|
88
|
+
raise Fluent::ConfigError, 'cert should be a file.' if cert && !File.file?(cert)
|
89
|
+
raise Fluent::ConfigError, 'key should be a file.' if key && !File.file?(key)
|
90
|
+
raise Fluent::ConfigError, 'cert and key should be specified.' if !!cert ^ !!key
|
91
|
+
|
92
|
+
log.warn("#{NAME}: hosts is empty, nothing to process") if hosts.empty?
|
79
93
|
end
|
80
|
-
# rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
|
94
|
+
# rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/AbcSize, Style/DoubleNegation
|
81
95
|
|
82
96
|
def start
|
83
97
|
super
|
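Review bot: `raise Fluent::ConfigError, 'hosts can not be empty.' unless hosts` is dead code with a misleading message: `hosts` is declared `config_param :hosts, :array, default: []` in the previous hunk, so it is never nil, and the empty case now only reaches the `log.warn` a few lines below. If an empty list is meant to be tolerated, drop the raise; if it is still an error as in 2.0.1, restore `raise Fluent::ConfigError, 'hosts can not be empty.' if hosts.empty?` and remove the warn. Since `verify_mode: none` makes every check accept whatever certificate the server presents without chain validation, a one-time `log.warn("#{NAME}: verify_mode is none, server certificates are not validated") if verify_mode == :none` next to the existing warn would make that choice visible in the logs. Whether chain-validation failures are also surfaced as events is decided by code outside this hunk.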
@@ -104,6 +118,8 @@ module Fluent
|
|
104
118
|
ssl_client = SslClient.new(
|
105
119
|
host: host, port: port,
|
106
120
|
ca_path: ca_path, ca_file: ca_file,
|
121
|
+
sni: sni, verify_mode: ssl_verify_mode,
|
122
|
+
cert: cert, key: key,
|
107
123
|
timeout: timeout
|
108
124
|
)
|
109
125
|
ssl_client.ssl_info
|
@@ -157,6 +173,14 @@ module Fluent
|
|
157
173
|
router.emit(tag, Fluent::EventTime.from_time(ssl_info.time), record)
|
158
174
|
end
|
159
175
|
|
176
|
+
private
|
177
|
+
|
178
|
+
def ssl_verify_mode
|
179
|
+
return OpenSSL::SSL::VERIFY_PEER if verify_mode == :peer
|
180
|
+
|
181
|
+
OpenSSL::SSL::VERIFY_NONE
|
182
|
+
end
|
183
|
+
|
160
184
|
# ssl info
|
161
185
|
# to encapsulate extracted ssl information
|
162
186
|
class SslInfo
|
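Review bot: The bare `private` introduced here is followed by the nested `SslInfo` and `SslClient` class definitions, which `private` does not affect (it only changes method visibility), so the marker visually suggests those classes became internal when they did not. Prefer `private :ssl_verify_mode` right after the method, or move the helper below the nested classes, so the visibility marker covers only what it actually hides.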
@@ -211,15 +235,23 @@ module Fluent
|
|
211
235
|
# ssl client
|
212
236
|
# to check ssl status
|
213
237
|
class SslClient
|
214
|
-
attr_reader :host, :port, :ca_path, :ca_file, :timeout
|
238
|
+
attr_reader :host, :port, :ca_path, :ca_file, :sni, :verify_mode, :cert, :key, :timeout
|
215
239
|
|
216
|
-
|
240
|
+
# rubocop:disable Metrics/ParameterLists
|
241
|
+
def initialize(host:, port:, ca_path: nil, ca_file: nil, sni: true, verify_mode: OpenSSL::SSL::VERIFY_PEER,
|
242
|
+
cert: nil, key: nil,
|
243
|
+
timeout: 5)
|
217
244
|
@host = host
|
218
245
|
@port = port
|
219
246
|
@ca_path = ca_path
|
220
247
|
@ca_file = ca_file
|
248
|
+
@sni = sni
|
249
|
+
@verify_mode = verify_mode
|
250
|
+
@cert = cert
|
251
|
+
@key = key
|
221
252
|
@timeout = timeout
|
222
253
|
end
|
254
|
+
# rubocop:enable Metrics/ParameterLists
|
223
255
|
|
224
256
|
def ssl_info
|
225
257
|
info = SslInfo.new(host: host, port: port)
|
@@ -227,6 +259,7 @@ module Fluent
|
|
227
259
|
Timeout.timeout(timeout) do
|
228
260
|
tcp_socket = TCPSocket.open(host, port)
|
229
261
|
ssl_socket = OpenSSL::SSL::SSLSocket.new(tcp_socket, ssl_context)
|
262
|
+
ssl_socket.hostname = host if sni
|
230
263
|
ssl_socket.connect
|
231
264
|
ssl_socket.sysclose
|
232
265
|
tcp_socket.close
|
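Review bot: `ssl_socket.hostname = host if sni` only sends the SNI extension; it does not make the handshake check that the returned certificate is valid for `host`, so with `verify_mode: peer` a trusted certificate issued for a different name still passes the check as healthy. After `ssl_socket.connect`, add `ssl_socket.post_connection_check(host) if verify_mode != OpenSSL::SSL::VERIFY_NONE` so a name mismatch raises `OpenSSL::SSL::SSLError` like any other verification failure (assuming the rescue that follows this hunk records it as one). The `sysclose`/`close` pair is skipped whenever `connect` raises, but that is pre-existing behaviour; `ssl_info` continues past the end of the hunk.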
@@ -252,10 +285,12 @@ module Fluent
|
|
252
285
|
|
253
286
|
def ssl_context
|
254
287
|
OpenSSL::SSL::SSLContext.new.tap do |ssl_context|
|
255
|
-
ssl_context.verify_mode =
|
288
|
+
ssl_context.verify_mode = verify_mode
|
256
289
|
ssl_context.cert_store = store
|
257
290
|
ssl_context.min_version = nil
|
258
291
|
ssl_context.max_version = OpenSSL::SSL::TLS1_2_VERSION
|
292
|
+
ssl_context.cert = OpenSSL::X509::Certificate.new(File.open(cert)) if cert
|
293
|
+
ssl_context.key = OpenSSL::PKey::RSA.new(File.open(key)) if key
|
259
294
|
end
|
260
295
|
end
|
261
296
|
end
|
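Review bot: `OpenSSL::X509::Certificate.new(File.open(cert))` and `OpenSSL::PKey::RSA.new(File.open(key))` open the files without a block, so every check leaves a file descriptor for the garbage collector to reclaim; read the contents instead, `ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(cert)) if cert` and `ssl_context.key = OpenSSL::PKey.read(File.read(key)) if key`. `OpenSSL::PKey.read` also accepts EC and other key types, which `PKey::RSA.new` rejects outright, and an encrypted PEM key cannot be used through either path because no passphrase is ever supplied, so document that `key` must be unencrypted or add a passphrase option. Unrelated to the added lines, the context line `max_version = OpenSSL::SSL::TLS1_2_VERSION` caps the probe at TLS 1.2, so a TLS 1.3-only server is reported as a handshake failure rather than checked.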
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: fluent-plugin-ssl-check
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.0
|
4
|
+
version: 2.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Thomas Tych
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-
|
11
|
+
date: 2023-09-14 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bump
|