fluent-plugin-ssl-check 2.1.0 → 2.2.0

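--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: bd66e101f055ca5f4cf4d6ab29d548cb73df7783c9429171f03a397aaddd856f
- data.tar.gz: 69fd54b23c4a88fa90565cf6bcb8d73990e96e0f42f869fd3fabf1ca16fa5f72
+ metadata.gz: 6f57a4e0f824d263cc4cde461a9b4846695309b16e7211486ba6ccd2e41365c0
+ data.tar.gz: c93593774d277d9769bb953f0e7893bbaf7168adf514dadff415a2382b37e37b
  SHA512:
- metadata.gz: 04500e488c04750d2f480037aa80feb16baf8d7a23b9b01f1921bbe201510b3b35a5694703da018a43705786af6d95ce67d7ee40fc0e661cd1df42823b640e4f
- data.tar.gz: 13da4ca2dd02dd8c9a983570097cfa30b12b0f7e9dd0f573762d440c366fe0e0afc9b67deebf8c735dc87eaf52d8b1915dc3728b3179aa4d3686c5cc9a64c652
+ metadata.gz: 4e4cdfd93bd663bfb08e75fc60b9cd5ec34d58957001207569932cd6696e2e6c51e5ae3392fcbf76caa624af9a1d00684e56646f2690a8d96fbdd778b7fc653c
+ data.tar.gz: 3446b7d2cfb26a28754bafee5074725f8bff7a1381d1020128d61b01bb31ae7785b08762749c17fd83c378a78f8815e98c9809f5c5e5d9ccb874140114954be8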
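--- a/data/.rubocop.yml
+++ b/data/.rubocop.yml
@@ -26,9 +26,6 @@ Metrics/ClassLength:
  Metrics/MethodLength:
  Max: 20
 
- Metrics/ParameterLists:
- Max: 6
-
  # Naming/MethodParameterName:
  # Exclude:
  # - lib/fluent/plugin/in_ssl_check.rb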
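--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
  PATH
  remote: .
  specs:
- fluent-plugin-ssl-check (2.1.0)
+ fluent-plugin-ssl-check (2.2.0)
  fluentd (>= 0.14.10, < 2)
 
  GEM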
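--- a/data/README.md
+++ b/data/README.md
@@ -30,6 +30,10 @@ Options are:
  * interval: check every X seconds
  * ca_path: directory that contains CA files
  * ca_file: specify a CA file directly
+ * sni: want the sni support (true)
+ * verify_mode: none or peer
+ * cert: client cert for ssl connection
+ * key: client key associated to client cert for ssl connection
  * timeout: timeout for ssl check execution (5sec)
  * log_events: emit log format (true)
  * metric_events: emit metric format (false)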
@@ -5,7 +5,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
5
5
 
6
6
  Gem::Specification.new do |spec|
7
7
  spec.name = 'fluent-plugin-ssl-check'
8
- spec.version = '2.1.0'
8
+ spec.version = '2.2.0'
9
9
  spec.authors = ['Thomas Tych']
10
10
  spec.email = ['thomas.tych@gmail.com']
11
11
 
@@ -33,10 +33,10 @@ module Fluent
33
33
  Fluent::Plugin.register_input(NAME, self)
34
34
 
35
35
  DEFAULT_TAG = NAME
36
- DEFAULT_HOST = 'localhost'
37
36
  DEFAULT_PORT = 443
38
37
  DEFAULT_INTERVAL = 600
39
38
  DEFAULT_SNI = true
39
+ DEFAULT_VERIFY_MODE = :peer
40
40
  DEFAULT_TIMEOUT = 5
41
41
  DEFAULT_LOG_EVENTS = true
42
42
  DEFAULT_METRIC_EVENTS = false
@@ -55,6 +55,12 @@ module Fluent
55
55
  config_param :ca_file, :string, default: nil
56
56
  desc 'SNI support'
57
57
  config_param :sni, :bool, default: DEFAULT_SNI
58
+ desc 'Verify mode'
59
+ config_param :verify_mode, :enum, list: %i[none peer], default: DEFAULT_VERIFY_MODE
60
+ desc 'Client Cert'
61
+ config_param :cert, :string, default: nil
62
+ desc 'Client Key'
63
+ config_param :key, :string, default: nil
58
64
 
59
65
  desc 'Timeout for check'
60
66
  config_param :timeout, :integer, default: DEFAULT_TIMEOUT
@@ -70,17 +76,22 @@ module Fluent
70
76
 
71
77
  helpers :timer
72
78
 
73
- # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
79
+ # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/AbcSize, Style/DoubleNegation
74
80
  def configure(conf)
75
81
  super
76
82
 
77
83
  raise Fluent::ConfigError, 'tag can not be empty.' if !tag || tag.empty?
78
- raise Fluent::ConfigError, 'hosts can not be empty.' if !hosts || hosts.empty?
84
+ raise Fluent::ConfigError, 'hosts can not be empty.' unless hosts
79
85
  raise Fluent::ConfigError, 'interval can not be < 1.' if !interval || interval < 1
80
86
  raise Fluent::ConfigError, 'ca_path should be a dir.' if ca_path && !File.directory?(ca_path)
81
87
  raise Fluent::ConfigError, 'ca_file should be a file.' if ca_file && !File.file?(ca_file)
88
+ raise Fluent::ConfigError, 'cert should be a file.' if cert && !File.file?(cert)
89
+ raise Fluent::ConfigError, 'key should be a file.' if key && !File.file?(key)
90
+ raise Fluent::ConfigError, 'cert and key should be specified.' if !!cert ^ !!key
91
+
92
+ log.warn("#{NAME}: hosts is empty, nothing to process") if hosts.empty?
82
93
  end
83
- # rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
94
+ # rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/AbcSize, Style/DoubleNegation
84
95
 
85
96
  def start
86
97
  super
@@ -107,7 +118,9 @@ module Fluent
107
118
  ssl_client = SslClient.new(
108
119
  host: host, port: port,
109
120
  ca_path: ca_path, ca_file: ca_file,
110
- sni: sni, timeout: timeout
121
+ sni: sni, verify_mode: ssl_verify_mode,
122
+ cert: cert, key: key,
123
+ timeout: timeout
111
124
  )
112
125
  ssl_client.ssl_info
113
126
  end
@@ -160,6 +173,14 @@ module Fluent
160
173
  router.emit(tag, Fluent::EventTime.from_time(ssl_info.time), record)
161
174
  end
162
175
 
176
+ private
177
+
178
+ def ssl_verify_mode
179
+ return OpenSSL::SSL::VERIFY_PEER if verify_mode == :peer
180
+
181
+ OpenSSL::SSL::VERIFY_NONE
182
+ end
183
+
163
184
  # ssl info
164
185
  # to encapsulate extracted ssl information
165
186
  class SslInfo
@@ -214,16 +235,23 @@ module Fluent
214
235
  # ssl client
215
236
  # to check ssl status
216
237
  class SslClient
217
- attr_reader :host, :port, :ca_path, :ca_file, :sni, :timeout
238
+ attr_reader :host, :port, :ca_path, :ca_file, :sni, :verify_mode, :cert, :key, :timeout
218
239
 
219
- def initialize(host:, port:, ca_path: nil, ca_file: nil, sni: true, timeout: 5)
240
+ # rubocop:disable Metrics/ParameterLists
241
+ def initialize(host:, port:, ca_path: nil, ca_file: nil, sni: true, verify_mode: OpenSSL::SSL::VERIFY_PEER,
242
+ cert: nil, key: nil,
243
+ timeout: 5)
220
244
  @host = host
221
245
  @port = port
222
246
  @ca_path = ca_path
223
247
  @ca_file = ca_file
224
248
  @sni = sni
249
+ @verify_mode = verify_mode
250
+ @cert = cert
251
+ @key = key
225
252
  @timeout = timeout
226
253
  end
254
+ # rubocop:enable Metrics/ParameterLists
227
255
 
228
256
  def ssl_info
229
257
  info = SslInfo.new(host: host, port: port)
@@ -257,10 +285,12 @@ module Fluent
257
285
 
258
286
  def ssl_context
259
287
  OpenSSL::SSL::SSLContext.new.tap do |ssl_context|
260
- ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
288
+ ssl_context.verify_mode = verify_mode
261
289
  ssl_context.cert_store = store
262
290
  ssl_context.min_version = nil
263
291
  ssl_context.max_version = OpenSSL::SSL::TLS1_2_VERSION
292
+ ssl_context.cert = OpenSSL::X509::Certificate.new(File.open(cert)) if cert
293
+ ssl_context.key = OpenSSL::PKey::RSA.new(File.open(key)) if key
264
294
  end
265
295
  end
266
296
  end
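Review bot: The two lines added to `ssl_context` hand `File.open(cert)` and `File.open(key)` to the OpenSSL constructors without ever closing the handles, and they parse the key with `OpenSSL::PKey::RSA`, so an EC or other non-RSA client key passes the `File.file?` check in `configure` and then fails only when a check runs. Reading the file contents and using the generic loader covers both: `ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(cert)) if cert` and `ssl_context.key = OpenSSL::PKey.read(File.read(key)) if key`. In the same hunk `verify_mode` now comes from configuration; with `verify_mode none` the peer chain is no longer validated, so I would add `log.warn("#{NAME}: verify_mode is none, peer certificates are not verified") if verify_mode == :none` to `configure` and say the same in the README. `SslClient` and `ssl_info` continue outside the hunks shown, so how a failed verification is reported cannot be checked from here.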
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: fluent-plugin-ssl-check
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.1.0
4
+ version: 2.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Thomas Tych
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-09-12 00:00:00.000000000 Z
11
+ date: 2023-09-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bump