fluent-plugin-syslog-p 1.0.0

data/lib/syslog_tls/logger.rb

@@ -0,0 +1,82 @@
+# Copyright 2016 Acquia, Inc.
+# Copyright 2016 t.e.morgan.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative 'protocol'
+require_relative 'ssl_transport'
+
+module SyslogTls
+  class Logger
+    attr_reader :token
+    attr_accessor :transport
+
+    # Logger accepts transport which should implement IO methods
+    # close, closed? and write
+    def initialize(transport, token=nil)
+      @transport = transport
+      @default_header = SyslogTls::Header.new
+      @default_structured_data = SyslogTls::StructuredData.new(token)
+    end
+
+    # Sets default facility for each message
+    def facility(val)
+      @default_header.facility = val
+    end
+
+    # Sets default hostname for each message
+    def hostname(val)
+      @default_header.hostname = val
+    end
+
+    # Sets default app_name for each message
+    def app_name(val)
+      @default_header.app_name = val
+    end
+
+    # Sets default procid for message
+    def procid(val)
+      @default_header.procid = val
+    end
+
+    # Check if IO is closed
+    def closed?
+      transport && transport.closed?
+    end
+
+    def close
+      transport.close
+    end
+
+    # Send log message with severity to syslog
+    def log(severity, message, time: nil)
+      time ||= Time.now
+
+      m = SyslogTls::Message.new
+
+      # Include authentication header
+      m.structured_data << @default_structured_data
+
+      # Adjust header with current timestamp and severity
+      m.header = @default_header.dup
+      m.header.severity = severity
+      m.header.timestamp = time
+
+      yield m.header if block_given?
+
+      m.msg = message
+
+      transport.write(m.to_s)
+    end
+  end
+end

data/lib/syslog_tls/lookup_from_const.rb

@@ -0,0 +1,36 @@
+# Copyright 2016 Acquia, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module SyslogTls
+  module LookupFromConst
+    def setup_constants(dst)
+      constants.each do |pri|
+        cval = const_get pri
+
+        dst[pri] = cval
+        dst[pri.downcase] = cval
+
+        dst[:"LOG_#{pri.to_s}"] = cval
+        dst[:"LOG_#{pri.downcase.to_s}"] = cval
+        const_set :"LOG_#{pri.to_s}", cval
+
+        dst[pri.to_s] = cval
+        dst[pri.downcase.to_s] = cval
+
+        dst[cval] = cval
+        dst[cval.to_s] = cval
+      end
+    end
+  end
+end

data/lib/syslog_tls/protocol.rb

@@ -0,0 +1,136 @@
+# Copyright 2016 Acquia, Inc.
+# Copyright 2016 t.e.morgan.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'date'
+
+require_relative 'facility'
+require_relative 'severity'
+
+# Syslog protocol https://tools.ietf.org/html/rfc5424
+module SyslogTls
+  # RFC defined nil value
+  NIL_VALUE = ''
+
+  # All headers by specification wrapped in single object
+  class Header
+    attr_accessor :version, :hostname, :app_name, :procid, :msgid
+    attr_reader :facility, :severity, :timestamp
+
+    FACILITIES = {}
+    SEVERITIES = {}
+
+    Facility.setup_constants FACILITIES
+    Severity.setup_constants SEVERITIES
+
+    def initialize
+      @timestamp = Time.now
+      @severity = 'INFO'
+      @facility = 'LOCAL0'
+      @version = 1
+      @hostname = NIL_VALUE
+      @app_name = NIL_VALUE
+      @procid = NIL_VALUE
+      @msgid = NIL_VALUE
+    end
+
+    def timestamp=(val)
+      raise ArgumentError.new("Must provide Time object value instead: #{val.inspect}") unless val.is_a?(Time)
+      @timestamp = val
+    end
+
+    def facility=(val)
+      raise ArgumentError.new("Invalid facility value: #{val.inspect}") unless FACILITIES.key?(val)
+      @facility = val
+    end
+
+    def severity=(val)
+      raise ArgumentError.new("Invalid severity value: #{val.inspect}") unless SEVERITIES.key?(val)
+      @severity = val
+    end
+
+    # Priority value is calculated by first multiplying the Facility
+    # number by 8 and then adding the numerical value of the Severity.
+    def pri
+      FACILITIES[facility] * 8 + SEVERITIES[severity]
+    end
+
+    def assemble
+      [
+        "<#{pri}>#{timestamp.to_datetime.strftime("%b %d %H:%M:%S")}",
+        hostname,
+        app_name
+      ].join(' ')
+    end
+
+    def to_s
+      assemble
+    end
+  end
+
+  # Structured data field
+  class StructuredData
+    attr_accessor :id, :data
+
+    def initialize(id)
+      @id = id
+      @data = {}
+    end
+
+    # Format data structured data to
+    # [id k="v" ...]
+    def assemble
+      return NIL_VALUE unless id
+      parts = [id]
+      data.each do |k, v|
+        # Characters ", ] and \ must be escaped to prevent any parsing errors
+        v = v.gsub(/(\"|\]|\\)/) { |match| '\\' + match }
+        parts << "#{k}=\"#{v}\""
+      end
+      "[#{parts.join(' ')}]"
+    end
+
+    def to_s
+      assemble
+    end
+  end
+
+  # Message represents full message that can be sent to syslog
+  class Message
+    attr_accessor :structured_data, :msg
+    attr_writer :header
+
+    def initialize
+      @msg = ''
+      @structured_data = []
+    end
+
+    def header
+      @header ||= Header.new
+    end
+
+    def assemble
+      # Start with header
+      out = [header.to_s]
+      # Add message
+      out << msg if msg.length > 0
+      # Message must end with new line delimiter
+      out.join(' ') + "\n"
+    end
+
+    def to_s
+      assemble
+    end
+  end
+end

data/lib/syslog_tls/severity.rb

@@ -0,0 +1,30 @@
+# Copyright 2016 Acquia, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative 'lookup_from_const'
+
+module SyslogTls
+  module Severity
+    extend LookupFromConst
+    EMERG  = PANIC   = 0
+    ALERT            = 1
+    CRIT             = 2
+    ERR    = ERROR   = 3
+    WARN   = WARNING = 4
+    NOTICE           = 5
+    INFO             = 6
+    DEBUG            = 7
+    NONE             = 10
+  end
+end

data/lib/syslog_tls/ssl_transport.rb

@@ -0,0 +1,189 @@
+# Copyright 2016 Acquia, Inc.
+# Copyright 2016-2019 t.e.morgan.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'socket'
+require 'openssl'
+
+module SyslogTls
+  # Supports SSL connection to remote host
+  class SSLTransport
+    CONNECT_TIMEOUT = 10
+    # READ_TIMEOUT    = 5
+    WRITE_TIMEOUT   = 5
+
+    attr_accessor :socket
+
+    attr_reader :host, :port, :idle_timeout, :ca_cert, :client_cert, :client_key, :verify_cert_name, :ssl_version
+
+    attr_writer :retries
+
+    def initialize(host, port, idle_timeout: nil, ca_cert: 'system', client_cert: nil, client_key: nil, verify_cert_name: true, ssl_version: :TLSv1_2, max_retries: 1)
+      @host = host
+      @port = port
+      @idle_timeout = idle_timeout
+      @ca_cert = ca_cert
+      @client_cert = client_cert
+      @client_key = client_key
+      @verify_cert_name = verify_cert_name
+      @ssl_version = ssl_version
+      @retries = max_retries
+      connect
+    end
+
+    def connect
+      @socket = get_ssl_connection
+      begin
+        begin
+          @socket.connect_nonblock
+        rescue Errno::EAGAIN, Errno::EWOULDBLOCK, IO::WaitReadable
+          select_with_timeout(@socket, :connect_read) && retry
+        rescue IO::WaitWritable
+          select_with_timeout(@socket, :connect_write) && retry
+        end
+      rescue Errno::ETIMEDOUT
+        raise 'Socket timeout during connect'
+      end
+      @last_write = Time.now if idle_timeout
+    end
+
+    def get_tcp_connection
+      tcp = nil
+
+      family = Socket::Constants::AF_UNSPEC
+      sock_type = Socket::Constants::SOCK_STREAM
+      addr_info = Socket.getaddrinfo(host, port, family, sock_type, nil, nil, false).first
+      _, port, _, address, family, sock_type = addr_info
+
+      begin
+        sock_addr = Socket.sockaddr_in(port, address)
+        tcp = Socket.new(family, sock_type, 0)
+        tcp.setsockopt(Socket::SOL_SOCKET, Socket::Constants::SO_REUSEADDR, true)
+        tcp.setsockopt(Socket::SOL_SOCKET, Socket::Constants::SO_REUSEPORT, true)
+        tcp.connect_nonblock(sock_addr)
+      rescue Errno::EINPROGRESS
+        select_with_timeout(tcp, :connect_write)
+        begin
+          tcp.connect_nonblock(sock_addr)
+        rescue Errno::EISCONN
+          # all good
+        rescue SystemCallError
+          tcp.close rescue nil
+          raise
+        end
+      rescue SystemCallError
+        tcp.close rescue nil
+        raise
+      end
+
+      tcp.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, true)
+      tcp
+    end
+
+    def get_ssl_connection
+      tcp = get_tcp_connection
+
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      ctx.ssl_version = ssl_version
+
+      ctx.verify_hostname = verify_cert_name != false
+
+      case ca_cert
+      when true, 'true', 'system'
+        # use system certs, same as openssl cli
+        ctx.cert_store = OpenSSL::X509::Store.new
+        ctx.cert_store.set_default_paths
+      when false, 'false'
+        ctx.verify_hostname = false
+        ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      when %r{/$} # ends in /
+        ctx.ca_path = ca_cert
+      when String
+        ctx.ca_file = ca_cert
+      end
+
+      ctx.cert = OpenSSL::X509::Certificate.new(File.read(client_cert)) if client_cert
+      ctx.key = OpenSSL::PKey::read(File.read(client_key)) if client_key
+      socket = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
+      socket.hostname = host
+      socket.sync_close = true
+      socket
+    end
+
+    # Allow to retry on failed writes
+    def write(s)
+      if idle_timeout
+        if (t=Time.now) > @last_write + idle_timeout
+          @socket.close rescue nil
+          connect
+        else
+          @last_write = t
+        end
+      end
+      begin
+        retry_id ||= 0
+        do_write(s)
+      rescue => e
+        if (retry_id += 1) < @retries
+          @socket.close rescue nil
+          connect
+          retry
+        else
+          raise e
+        end
+      end
+    end
+
+    def do_write(data)
+      data.force_encoding('BINARY') # so we can break in the middle of multi-byte characters
+      loop do
+        sent = 0
+        begin
+          sent = @socket.write_nonblock(data)
+        rescue OpenSSL::SSL::SSLError, Errno::EAGAIN, Errno::EWOULDBLOCK, IO::WaitWritable => e
+          if e.is_a?(OpenSSL::SSL::SSLError) && e.message !~ /write would block/
+            raise e
+          else
+            select_with_timeout(@socket, :write) && retry
+          end
+        end
+
+        break if sent >= data.size
+        data = data[sent, data.size]
+      end
+    end
+
+    def select_with_timeout(tcp, type)
+      case type
+      when :connect_read
+        args = [[tcp], nil, nil, CONNECT_TIMEOUT]
+      when :connect_write
+        args = [nil, [tcp], nil, CONNECT_TIMEOUT]
+      # when :read
+      #   args = [[tcp], nil, nil, READ_TIMEOUT]
+      when :write
+        args = [nil, [tcp], nil, WRITE_TIMEOUT]
+      else
+        raise "Unknown select type #{type}"
+      end
+      IO.select(*args) || raise("Socket timeout during #{type}")
+    end
+
+    # Forward any methods directly to SSLSocket
+    def method_missing(method_sym, *arguments, &block)
+      @socket.send(method_sym, *arguments, &block)
+    end
+  end
+end