fluent-plugin-ssl-check 2.0.1 → 2.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rubocop.yml +0 -4
- data/Gemfile.lock +1 -1
- data/README.md +4 -0
- data/fluent-plugin-ssl-check.gemspec +1 -1
- data/lib/fluent/plugin/in_ssl_check.rb +44 -9
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6f57a4e0f824d263cc4cde461a9b4846695309b16e7211486ba6ccd2e41365c0
|
|
4
|
+
data.tar.gz: c93593774d277d9769bb953f0e7893bbaf7168adf514dadff415a2382b37e37b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4e4cdfd93bd663bfb08e75fc60b9cd5ec34d58957001207569932cd6696e2e6c51e5ae3392fcbf76caa624af9a1d00684e56646f2690a8d96fbdd778b7fc653c
|
|
7
|
+
data.tar.gz: 3446b7d2cfb26a28754bafee5074725f8bff7a1381d1020128d61b01bb31ae7785b08762749c17fd83c378a78f8815e98c9809f5c5e5d9ccb874140114954be8
|
data/.rubocop.yml
CHANGED
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
|
@@ -30,6 +30,10 @@ Options are:
|
|
|
30
30
|
* interval: check every X seconds
|
|
31
31
|
* ca_path: directory that contains CA files
|
|
32
32
|
* ca_file: specify a CA file directly
|
|
33
|
+
* sni: want the sni support (true)
|
|
34
|
+
* verify_mode: none or peer
|
|
35
|
+
* cert: client cert for ssl connection
|
|
36
|
+
* key: client key associated to client cert for ssl connection
|
|
33
37
|
* timeout: timeout for ssl check execution (5sec)
|
|
34
38
|
* log_events: emit log format (true)
|
|
35
39
|
* metric_events: emit metric format (false)
|
|
@@ -33,9 +33,10 @@ module Fluent
|
|
|
33
33
|
Fluent::Plugin.register_input(NAME, self)
|
|
34
34
|
|
|
35
35
|
DEFAULT_TAG = NAME
|
|
36
|
-
DEFAULT_HOST = 'localhost'
|
|
37
36
|
DEFAULT_PORT = 443
|
|
38
|
-
|
|
37
|
+
DEFAULT_INTERVAL = 600
|
|
38
|
+
DEFAULT_SNI = true
|
|
39
|
+
DEFAULT_VERIFY_MODE = :peer
|
|
39
40
|
DEFAULT_TIMEOUT = 5
|
|
40
41
|
DEFAULT_LOG_EVENTS = true
|
|
41
42
|
DEFAULT_METRIC_EVENTS = false
|
|
@@ -47,11 +48,19 @@ module Fluent
|
|
|
47
48
|
desc 'Host of the service to check'
|
|
48
49
|
config_param :hosts, :array, default: [], value_type: :string
|
|
49
50
|
desc 'Interval for the check execution'
|
|
50
|
-
config_param :interval, :time, default:
|
|
51
|
+
config_param :interval, :time, default: DEFAULT_INTERVAL
|
|
51
52
|
desc 'CA path to load'
|
|
52
53
|
config_param :ca_path, :string, default: nil
|
|
53
54
|
desc 'CA file to load'
|
|
54
55
|
config_param :ca_file, :string, default: nil
|
|
56
|
+
desc 'SNI support'
|
|
57
|
+
config_param :sni, :bool, default: DEFAULT_SNI
|
|
58
|
+
desc 'Verify mode'
|
|
59
|
+
config_param :verify_mode, :enum, list: %i[none peer], default: DEFAULT_VERIFY_MODE
|
|
60
|
+
desc 'Client Cert'
|
|
61
|
+
config_param :cert, :string, default: nil
|
|
62
|
+
desc 'Client Key'
|
|
63
|
+
config_param :key, :string, default: nil
|
|
55
64
|
|
|
56
65
|
desc 'Timeout for check'
|
|
57
66
|
config_param :timeout, :integer, default: DEFAULT_TIMEOUT
|
|
@@ -67,17 +76,22 @@ module Fluent
|
|
|
67
76
|
|
|
68
77
|
helpers :timer
|
|
69
78
|
|
|
70
|
-
# rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
|
|
79
|
+
# rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/AbcSize, Style/DoubleNegation
|
|
71
80
|
def configure(conf)
|
|
72
81
|
super
|
|
73
82
|
|
|
74
83
|
raise Fluent::ConfigError, 'tag can not be empty.' if !tag || tag.empty?
|
|
75
|
-
raise Fluent::ConfigError, 'hosts can not be empty.'
|
|
84
|
+
raise Fluent::ConfigError, 'hosts can not be empty.' unless hosts
|
|
76
85
|
raise Fluent::ConfigError, 'interval can not be < 1.' if !interval || interval < 1
|
|
77
86
|
raise Fluent::ConfigError, 'ca_path should be a dir.' if ca_path && !File.directory?(ca_path)
|
|
78
87
|
raise Fluent::ConfigError, 'ca_file should be a file.' if ca_file && !File.file?(ca_file)
|
|
88
|
+
raise Fluent::ConfigError, 'cert should be a file.' if cert && !File.file?(cert)
|
|
89
|
+
raise Fluent::ConfigError, 'key should be a file.' if key && !File.file?(key)
|
|
90
|
+
raise Fluent::ConfigError, 'cert and key should be specified.' if !!cert ^ !!key
|
|
91
|
+
|
|
92
|
+
log.warn("#{NAME}: hosts is empty, nothing to process") if hosts.empty?
|
|
79
93
|
end
|
|
80
|
-
# rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
|
|
94
|
+
# rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/AbcSize, Style/DoubleNegation
|
|
81
95
|
|
|
82
96
|
def start
|
|
83
97
|
super
|
|
@@ -104,6 +118,8 @@ module Fluent
|
|
|
104
118
|
ssl_client = SslClient.new(
|
|
105
119
|
host: host, port: port,
|
|
106
120
|
ca_path: ca_path, ca_file: ca_file,
|
|
121
|
+
sni: sni, verify_mode: ssl_verify_mode,
|
|
122
|
+
cert: cert, key: key,
|
|
107
123
|
timeout: timeout
|
|
108
124
|
)
|
|
109
125
|
ssl_client.ssl_info
|
|
@@ -157,6 +173,14 @@ module Fluent
|
|
|
157
173
|
router.emit(tag, Fluent::EventTime.from_time(ssl_info.time), record)
|
|
158
174
|
end
|
|
159
175
|
|
|
176
|
+
private
|
|
177
|
+
|
|
178
|
+
def ssl_verify_mode
|
|
179
|
+
return OpenSSL::SSL::VERIFY_PEER if verify_mode == :peer
|
|
180
|
+
|
|
181
|
+
OpenSSL::SSL::VERIFY_NONE
|
|
182
|
+
end
|
|
183
|
+
|
|
160
184
|
# ssl info
|
|
161
185
|
# to encapsulate extracted ssl information
|
|
162
186
|
class SslInfo
|
|
@@ -211,15 +235,23 @@ module Fluent
|
|
|
211
235
|
# ssl client
|
|
212
236
|
# to check ssl status
|
|
213
237
|
class SslClient
|
|
214
|
-
attr_reader :host, :port, :ca_path, :ca_file, :timeout
|
|
238
|
+
attr_reader :host, :port, :ca_path, :ca_file, :sni, :verify_mode, :cert, :key, :timeout
|
|
215
239
|
|
|
216
|
-
|
|
240
|
+
# rubocop:disable Metrics/ParameterLists
|
|
241
|
+
def initialize(host:, port:, ca_path: nil, ca_file: nil, sni: true, verify_mode: OpenSSL::SSL::VERIFY_PEER,
|
|
242
|
+
cert: nil, key: nil,
|
|
243
|
+
timeout: 5)
|
|
217
244
|
@host = host
|
|
218
245
|
@port = port
|
|
219
246
|
@ca_path = ca_path
|
|
220
247
|
@ca_file = ca_file
|
|
248
|
+
@sni = sni
|
|
249
|
+
@verify_mode = verify_mode
|
|
250
|
+
@cert = cert
|
|
251
|
+
@key = key
|
|
221
252
|
@timeout = timeout
|
|
222
253
|
end
|
|
254
|
+
# rubocop:enable Metrics/ParameterLists
|
|
223
255
|
|
|
224
256
|
def ssl_info
|
|
225
257
|
info = SslInfo.new(host: host, port: port)
|
|
@@ -227,6 +259,7 @@ module Fluent
|
|
|
227
259
|
Timeout.timeout(timeout) do
|
|
228
260
|
tcp_socket = TCPSocket.open(host, port)
|
|
229
261
|
ssl_socket = OpenSSL::SSL::SSLSocket.new(tcp_socket, ssl_context)
|
|
262
|
+
ssl_socket.hostname = host if sni
|
|
230
263
|
ssl_socket.connect
|
|
231
264
|
ssl_socket.sysclose
|
|
232
265
|
tcp_socket.close
|
|
@@ -252,10 +285,12 @@ module Fluent
|
|
|
252
285
|
|
|
253
286
|
def ssl_context
|
|
254
287
|
OpenSSL::SSL::SSLContext.new.tap do |ssl_context|
|
|
255
|
-
ssl_context.verify_mode =
|
|
288
|
+
ssl_context.verify_mode = verify_mode
|
|
256
289
|
ssl_context.cert_store = store
|
|
257
290
|
ssl_context.min_version = nil
|
|
258
291
|
ssl_context.max_version = OpenSSL::SSL::TLS1_2_VERSION
|
|
292
|
+
ssl_context.cert = OpenSSL::X509::Certificate.new(File.open(cert)) if cert
|
|
293
|
+
ssl_context.key = OpenSSL::PKey::RSA.new(File.open(key)) if key
|
|
259
294
|
end
|
|
260
295
|
end
|
|
261
296
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: fluent-plugin-ssl-check
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.0
|
|
4
|
+
version: 2.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Thomas Tych
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-09-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bump
|