fluent-plugin-syslog-tls 0.5.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5edc3aa71986c902deb084d88ab9bed3300e60c1
-  data.tar.gz: 6862dea55d337fed6b6738188f877a00b0b64e69
+  metadata.gz: ddf273fb2c9a34084d8a7a1feb129bc1bbb1839b
+  data.tar.gz: dfdc191ec721da7055e0378d1ce56cc0f6764a5c
 SHA512:
-  metadata.gz: e6c585a645fbf5cb43da9b2a7fe2c7ab4f1302a963f116e0e60c480804688ef01f90156baa066fc6c601bc809f1d6b65b0301a251458c91c8c74d557edd8a4e5
-  data.tar.gz: 6db891b9196133b8315f9f1394c41cec4fe9f8e22d7172d070cea805e825de36f1eff5fcc6e56252cbec010bc03a6ede2a978f778960c8d57c107ef0a8fd802f
+  metadata.gz: 4319df63af40e195d1d027103c520a93fba78919094a8d2b4cb6b29e0665eaed8a0342fc8c9c3c48f6daa73d5f31db96e0f3ec17cbd106f72870b0e024e1af3a
+  data.tar.gz: cc5cfffaa6760872316e6952332dfaf2ba79691863fcde49d5ae81ad84672f94a5963d3d2c626f9a7c0b09284d9c2c768bb345558f2a9bf675834a78a3814a5e

data/.gitignore

@@ -2,7 +2,6 @@
 *.rbc
 /.config
 /coverage/
-/Gemfile.lock
 /InstalledFiles
 /pkg/
 /spec/reports/
@@ -30,8 +29,8 @@ build/
 # for a library or gem, you might want to ignore these files since the code is
 # intended to run in multiple environments; otherwise, check them in:
 # Gemfile.lock
-# .ruby-version
-# .ruby-gemset
+.ruby-version
+.ruby-gemset
 
 # unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
 .rvmrc

data/CHANGELOG.md

@@ -0,0 +1,19 @@
+Note: v0.5+ is compatible with Fluent 0.12. Use v1.0+ with Fluent 0.14.
+
+#### 0.6.0
+* Backport `ca_cert` from master to fluent-0.12 branch
+  - Added `ca_cert` to validate the remote certificate. Defaults to 'system' which uses the system certificate store.
+
+
+#### 0.5.0
+
+Comparable to 1.0.0 from [master (Fluent 0.14) branch](https://github.com/zarqman/fluent-plugin-syslog-tls).
+
+* Standard fluent formatting plugins are supported. Json output remains the default.
+* `token` (Structured Data in syslog terms) is now optional, for syslog hosts that don't require it.
+* Message payload in the syslog packet no longer duplicates Time or includes Tag by default.
+
+
+#### < 0.2.0
+
+From [Fluent::Plugin::SumologicCloudSyslog](https://github.com/acquia/fluent-plugin-sumologic-cloud-syslog)

data/Gemfile.lock

@@ -0,0 +1,85 @@
+PATH
+  remote: .
+  specs:
+    fluent-plugin-syslog-tls (0.6.0)
+      fluent-mixin-config-placeholders (~> 0.3)
+      fluentd (~> 0.12.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.5.1)
+      public_suffix (~> 2.0, >= 2.0.2)
+    cool.io (1.5.0)
+    coveralls (0.8.21)
+      json (>= 1.8, < 3)
+      simplecov (~> 0.14.1)
+      term-ansicolor (~> 1.3)
+      thor (~> 0.19.4)
+      tins (~> 1.6)
+    crack (0.4.3)
+      safe_yaml (~> 1.0.0)
+    docile (1.1.5)
+    fluent-mixin-config-placeholders (0.4.0)
+      fluentd
+      uuidtools (>= 2.1.5)
+    fluentd (0.12.39)
+      cool.io (>= 1.2.2, < 2.0.0)
+      http_parser.rb (>= 0.5.1, < 0.7.0)
+      json (>= 1.4.3)
+      msgpack (>= 0.5.11, < 2)
+      sigdump (~> 0.2.2)
+      string-scrub (>= 0.0.3, <= 0.0.5)
+      tzinfo (>= 1.0.0)
+      tzinfo-data (>= 1.0.0)
+      yajl-ruby (~> 1.0)
+    hashdiff (0.3.5)
+    http_parser.rb (0.6.0)
+    json (2.1.0)
+    minitest (5.10.3)
+    minitest-stub_any_instance (1.0.1)
+    msgpack (1.1.0)
+    power_assert (1.0.2)
+    public_suffix (2.0.5)
+    rake (10.5.0)
+    safe_yaml (1.0.4)
+    sigdump (0.2.4)
+    simplecov (0.14.1)
+      docile (~> 1.1.0)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.1)
+    string-scrub (0.0.5)
+    term-ansicolor (1.6.0)
+      tins (~> 1.0)
+    test-unit (3.2.5)
+      power_assert
+    thor (0.19.4)
+    thread_safe (0.3.6)
+    tins (1.15.0)
+    tzinfo (1.2.3)
+      thread_safe (~> 0.1)
+    tzinfo-data (1.2017.2)
+      tzinfo (>= 1.0.0)
+    uuidtools (2.1.5)
+    webmock (2.3.2)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff
+    yajl-ruby (1.3.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  coveralls
+  fluent-plugin-syslog-tls!
+  minitest (~> 5.8)
+  minitest-stub_any_instance (~> 1.0.0)
+  rake (~> 10.5)
+  simplecov (~> 0.11)
+  test-unit (~> 3.1)
+  webmock (~> 2.0)
+
+BUNDLED WITH
+   1.14.6

data/README.md

@@ -8,20 +8,20 @@ Tested with [Papertrail](https://papertrailapp.com) and should also work with [S
 
 
 ## Installation
----
+
 ```sh
-$ gem install fluent-plugin-syslog-tls -v '~> 0.5'
+$ gem install fluent-plugin-syslog-tls -v '~> 0.6'
 ```
 or
 ```sh
-$ td-agent-gem install fluent-plugin-syslog-tls -v '~> 0.5'
+$ td-agent-gem install fluent-plugin-syslog-tls -v '~> 0.6'
 ```
 
 _Hint: Use v0.5+ for Fluentd 0.12 and v1.0+ for Fluentd 0.14. (See Version Compatibility below.)_
 
 
 ## Configuration
----
+
 In your Fluentd configuration, use `@type syslog_tls`. Examples:
 
 Sumologic:
@@ -58,15 +58,11 @@ Note that the v1.x series has more features and is more robust than the v0.x ser
 
 ## Origin/History
 
-This plugin is derived from [Fluent::Plugin::SumologicCloudSyslog](https://github.com/acquia/fluent-plugin-sumologic-cloud-syslog). Changes from the original:
-
-* Standard fluent formatting plugins are supported. Json output remains the default.
-* `token` (Structured Data in syslog terms) is now optional, for syslog hosts that don't require it.
-* Message payload in the syslog packet no longer duplicates Time or includes Tag by default.
+This plugin is derived from [Fluent::Plugin::SumologicCloudSyslog](https://github.com/acquia/fluent-plugin-sumologic-cloud-syslog). Changes for the v0.x+ series are in this branch's [Changelog](CHANGELOG.md).
 
 
 ## License
----
+
 Except as otherwise noted this software is licensed under the [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0.html)
 
 Licensed under the Apache License, Version 2.0 (the "License");

data/docs/configuration.md

@@ -15,6 +15,14 @@ Host represents DNS name of endpoint where should be data sent. Example: `syslog
 
 Example: `6514`
 
+### ca_cert
+
+Whether and how to verify the server's TLS certificate. Examples:
+* ca_cert system - Default; use the system CA certificate store (which must then be configured correctly)
+* ca_cert false - Disable verification; not recommended
+* ca_cert /path/to/file - A path+filename to a single CA file
+* ca_cert /path/to/dir/ - A directory of CA files (in format that OpenSSL can parse); must end with /
+
 ### token
 
 Some services require a token to identify the account. Example: `ABABABABABABA@99999`. Not required for Papertrail.

data/lib/fluent/plugin/out_syslog_tls.rb

@@ -27,6 +27,7 @@ module Fluent
 
     config_param :host, :string
     config_param :port, :integer
+    config_param :ca_cert, :string, default: 'system'
     config_param :token, :string, :default => nil
     config_param :cert, :string, :default => nil
     config_param :key, :string, :default => nil
@@ -89,7 +90,7 @@ module Fluent
     end
 
     def new_logger(tag)
-      transport = ::SyslogTls::SSLTransport.new(host, port, cert: cert, key: key, max_retries: 3)
+      transport = ::SyslogTls::SSLTransport.new(host, port, ca_cert: ca_cert, cert: cert, key: key, max_retries: 3)
       logger = ::SyslogTls::Logger.new(transport, token)
       logger.facility(facility)
       logger.hostname(hostname)

data/lib/syslog_tls/ssl_transport.rb

@@ -20,11 +20,12 @@ module SyslogTls
   class SSLTransport
     attr_accessor :socket
 
-    attr_reader :host, :port, :cert, :key, :ssl_version
+    attr_reader :host, :port, :ca_cert, :cert, :key, :ssl_version
 
     attr_writer :retries
 
-    def initialize(host, port, cert: nil, key: nil, ssl_version: :TLSv1_2, max_retries: 1)
+    def initialize(host, port, ca_cert: 'system', cert: nil, key: nil, ssl_version: :TLSv1_2, max_retries: 1)
+      @ca_cert = ca_cert
       @host = host
       @port = port
       @cert = cert
@@ -46,9 +47,24 @@ module SyslogTls
       ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER)
       ctx.ssl_version = ssl_version
 
-      ctx.cert = OpenSSL::X509::Certificate.new(File.open(cert)) if cert
-      ctx.key = OpenSSL::PKey::RSA.new(File.open(key)) if key
-      OpenSSL::SSL::SSLSocket.new(tcp, ctx)
+      case ca_cert
+      when true, 'true', 'system'
+        # use system certs, same as openssl cli
+        ctx.cert_store = OpenSSL::X509::Store.new
+        ctx.cert_store.set_default_paths
+      when false, 'false'
+        ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      when %r{/$} # ends in /
+        ctx.ca_path = ca_cert
+      when String
+        ctx.ca_file = ca_cert
+      end
+
+      ctx.cert = OpenSSL::X509::Certificate.new(File.read(cert)) if cert
+      ctx.key = OpenSSL::PKey::read(File.read(key)) if key
+      socket = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
+      socket.sync_close = true
+      socket
     end
 
     # Allow to retry on failed writes

data/lib/syslog_tls/version.rb

@@ -14,5 +14,5 @@
 # limitations under the License.
 
 module SyslogTls
-  VERSION = '0.5.0'
+  VERSION = '0.6.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-syslog-tls
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.0
 platform: ruby
 authors:
 - thomas morgan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-01-11 00:00:00.000000000 Z
+date: 2017-08-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fluentd
@@ -132,7 +132,9 @@ files:
 - ".coveralls.yml"
 - ".gitignore"
 - ".travis.yml"
+- CHANGELOG.md
 - Gemfile
+- Gemfile.lock
 - LICENSE
 - README.md
 - Rakefile
@@ -172,7 +174,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: Fluent Syslog TLS output plugin