fluent-plugin-ssl-check 2.1.0 → 2.2.0

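--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: bd66e101f055ca5f4cf4d6ab29d548cb73df7783c9429171f03a397aaddd856f
- data.tar.gz: 69fd54b23c4a88fa90565cf6bcb8d73990e96e0f42f869fd3fabf1ca16fa5f72
+ metadata.gz: 6f57a4e0f824d263cc4cde461a9b4846695309b16e7211486ba6ccd2e41365c0
+ data.tar.gz: c93593774d277d9769bb953f0e7893bbaf7168adf514dadff415a2382b37e37b
  SHA512:
- metadata.gz: 04500e488c04750d2f480037aa80feb16baf8d7a23b9b01f1921bbe201510b3b35a5694703da018a43705786af6d95ce67d7ee40fc0e661cd1df42823b640e4f
- data.tar.gz: 13da4ca2dd02dd8c9a983570097cfa30b12b0f7e9dd0f573762d440c366fe0e0afc9b67deebf8c735dc87eaf52d8b1915dc3728b3179aa4d3686c5cc9a64c652
+ metadata.gz: 4e4cdfd93bd663bfb08e75fc60b9cd5ec34d58957001207569932cd6696e2e6c51e5ae3392fcbf76caa624af9a1d00684e56646f2690a8d96fbdd778b7fc653c
+ data.tar.gz: 3446b7d2cfb26a28754bafee5074725f8bff7a1381d1020128d61b01bb31ae7785b08762749c17fd83c378a78f8815e98c9809f5c5e5d9ccb874140114954be8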
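--- a/data/.rubocop.yml
+++ b/data/.rubocop.yml
@@ -26,9 +26,6 @@ Metrics/ClassLength:
  Metrics/MethodLength:
  Max: 20
 
- Metrics/ParameterLists:
- Max: 6
-
  # Naming/MethodParameterName:
  # Exclude:
  # - lib/fluent/plugin/in_ssl_check.rb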
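--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
  PATH
  remote: .
  specs:
- fluent-plugin-ssl-check (2.1.0)
+ fluent-plugin-ssl-check (2.2.0)
  fluentd (>= 0.14.10, < 2)
 
  GEM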
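--- a/data/README.md
+++ b/data/README.md
@@ -30,6 +30,10 @@ Options are:
  * interval: check every X seconds
  * ca_path: directory that contains CA files
  * ca_file: specify a CA file directly
+ * sni: want the sni support (true)
+ * verify_mode: none or peer
+ * cert: client cert for ssl connection
+ * key: client key associated to client cert for ssl connection
  * timeout: timeout for ssl check execution (5sec)
  * log_events: emit log format (true)
  * metric_events: emit metric format (false)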
@@ -5,7 +5,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
5
5
 
6
6
  Gem::Specification.new do |spec|
7
7
  spec.name = 'fluent-plugin-ssl-check'
8
- spec.version = '2.1.0'
8
+ spec.version = '2.2.0'
9
9
  spec.authors = ['Thomas Tych']
10
10
  spec.email = ['thomas.tych@gmail.com']
11
11
 
@@ -33,10 +33,10 @@ module Fluent
33
33
  Fluent::Plugin.register_input(NAME, self)
34
34
 
35
35
  DEFAULT_TAG = NAME
36
- DEFAULT_HOST = 'localhost'
37
36
  DEFAULT_PORT = 443
38
37
  DEFAULT_INTERVAL = 600
39
38
  DEFAULT_SNI = true
39
+ DEFAULT_VERIFY_MODE = :peer
40
40
  DEFAULT_TIMEOUT = 5
41
41
  DEFAULT_LOG_EVENTS = true
42
42
  DEFAULT_METRIC_EVENTS = false
@@ -55,6 +55,12 @@ module Fluent
55
55
  config_param :ca_file, :string, default: nil
56
56
  desc 'SNI support'
57
57
  config_param :sni, :bool, default: DEFAULT_SNI
58
+ desc 'Verify mode'
59
+ config_param :verify_mode, :enum, list: %i[none peer], default: DEFAULT_VERIFY_MODE
60
+ desc 'Client Cert'
61
+ config_param :cert, :string, default: nil
62
+ desc 'Client Key'
63
+ config_param :key, :string, default: nil
58
64
 
59
65
  desc 'Timeout for check'
60
66
  config_param :timeout, :integer, default: DEFAULT_TIMEOUT
@@ -70,17 +76,22 @@ module Fluent
70
76
 
71
77
  helpers :timer
72
78
 
73
- # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
79
+ # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/AbcSize, Style/DoubleNegation
74
80
  def configure(conf)
75
81
  super
76
82
 
77
83
  raise Fluent::ConfigError, 'tag can not be empty.' if !tag || tag.empty?
78
- raise Fluent::ConfigError, 'hosts can not be empty.' if !hosts || hosts.empty?
84
+ raise Fluent::ConfigError, 'hosts can not be empty.' unless hosts
79
85
  raise Fluent::ConfigError, 'interval can not be < 1.' if !interval || interval < 1
80
86
  raise Fluent::ConfigError, 'ca_path should be a dir.' if ca_path && !File.directory?(ca_path)
81
87
  raise Fluent::ConfigError, 'ca_file should be a file.' if ca_file && !File.file?(ca_file)
88
+ raise Fluent::ConfigError, 'cert should be a file.' if cert && !File.file?(cert)
89
+ raise Fluent::ConfigError, 'key should be a file.' if key && !File.file?(key)
90
+ raise Fluent::ConfigError, 'cert and key should be specified.' if !!cert ^ !!key
91
+
92
+ log.warn("#{NAME}: hosts is empty, nothing to process") if hosts.empty?
82
93
  end
83
- # rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
94
+ # rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/AbcSize, Style/DoubleNegation
84
95
 
85
96
  def start
86
97
  super
@@ -107,7 +118,9 @@ module Fluent
107
118
  ssl_client = SslClient.new(
108
119
  host: host, port: port,
109
120
  ca_path: ca_path, ca_file: ca_file,
110
- sni: sni, timeout: timeout
121
+ sni: sni, verify_mode: ssl_verify_mode,
122
+ cert: cert, key: key,
123
+ timeout: timeout
111
124
  )
112
125
  ssl_client.ssl_info
113
126
  end
@@ -160,6 +173,14 @@ module Fluent
160
173
  router.emit(tag, Fluent::EventTime.from_time(ssl_info.time), record)
161
174
  end
162
175
 
176
+ private
177
+
178
+ def ssl_verify_mode
179
+ return OpenSSL::SSL::VERIFY_PEER if verify_mode == :peer
180
+
181
+ OpenSSL::SSL::VERIFY_NONE
182
+ end
183
+
163
184
  # ssl info
164
185
  # to encapsulate extracted ssl information
165
186
  class SslInfo
@@ -214,16 +235,23 @@ module Fluent
214
235
  # ssl client
215
236
  # to check ssl status
216
237
  class SslClient
217
- attr_reader :host, :port, :ca_path, :ca_file, :sni, :timeout
238
+ attr_reader :host, :port, :ca_path, :ca_file, :sni, :verify_mode, :cert, :key, :timeout
218
239
 
219
- def initialize(host:, port:, ca_path: nil, ca_file: nil, sni: true, timeout: 5)
240
+ # rubocop:disable Metrics/ParameterLists
241
+ def initialize(host:, port:, ca_path: nil, ca_file: nil, sni: true, verify_mode: OpenSSL::SSL::VERIFY_PEER,
242
+ cert: nil, key: nil,
243
+ timeout: 5)
220
244
  @host = host
221
245
  @port = port
222
246
  @ca_path = ca_path
223
247
  @ca_file = ca_file
224
248
  @sni = sni
249
+ @verify_mode = verify_mode
250
+ @cert = cert
251
+ @key = key
225
252
  @timeout = timeout
226
253
  end
254
+ # rubocop:enable Metrics/ParameterLists
227
255
 
228
256
  def ssl_info
229
257
  info = SslInfo.new(host: host, port: port)
@@ -257,10 +285,12 @@ module Fluent
257
285
 
258
286
  def ssl_context
259
287
  OpenSSL::SSL::SSLContext.new.tap do |ssl_context|
260
- ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
288
+ ssl_context.verify_mode = verify_mode
261
289
  ssl_context.cert_store = store
262
290
  ssl_context.min_version = nil
263
291
  ssl_context.max_version = OpenSSL::SSL::TLS1_2_VERSION
292
+ ssl_context.cert = OpenSSL::X509::Certificate.new(File.open(cert)) if cert
293
+ ssl_context.key = OpenSSL::PKey::RSA.new(File.open(key)) if key
264
294
  end
265
295
  end
266
296
  end
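Review bot: In `ssl_context`, the two added lines hand `File.open(cert)` and `File.open(key)` directly to the OpenSSL constructors and never close them, so each check leaves two descriptors for the garbage collector to reclaim, apparently once per host per interval. The key is also parsed with `OpenSSL::PKey::RSA.new`, which will presumably reject an EC client key even though `configure` accepts any existing file. I would read the files and let OpenSSL detect the key type: `ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(cert)) if cert` and `ssl_context.key = OpenSSL::PKey.read(File.read(key)) if key`. Because `configure` only tests `File.file?`, an unreadable or malformed key surfaces at check time; parsing both once in `configure` and raising `Fluent::ConfigError` there would fail earlier.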
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: fluent-plugin-ssl-check
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.1.0
4
+ version: 2.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Thomas Tych
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-09-12 00:00:00.000000000 Z
11
+ date: 2023-09-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bump