logstash-core 1.5.3.snapshot1-java → 1.5.3.snapshot2-java
Potentially problematic release.
- checksums.yaml +4 -4
- data/lib/logstash/outputs/base.rb +1 -1
- data/lib/logstash/patches.rb +1 -0
- data/lib/logstash/patches/stronger_openssl_defaults.rb +62 -0
- data/lib/logstash/pipeline.rb +3 -0
- data/lib/logstash/util/reporter.rb +27 -0
- data/lib/logstash/util/unicode_trimmer.rb +1 -1
- data/lib/logstash/version.rb +1 -1
- data/spec/logstash/patches_spec.rb +25 -0
- data/spec/util/unicode_trimmer_spec.rb +9 -7
- metadata +6 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 167268ee29e6f1789d22217c70c8f9860f4c1c45
|
4
|
+
data.tar.gz: 480dd1f7ca4035fe7352d8a4e09eb1e5609de086
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: aebae3223652b1e4c7605a20ad8ca0d9d4c30cc13160511c43e33e701925c269cb95f90c8d3685043e815b824eabaa335ca595e0bd574f0ec9e4d5c97a6f47a4
|
7
|
+
data.tar.gz: c7d4f1d085f6da87187a10d89f8f618aacc4135cc9526096d11297a675bfcf4b5f684ab2cd4e36faafbd9031be6da08dfda895bb7383d087bf072f16b792984f
|
@@ -33,7 +33,7 @@ class LogStash::Outputs::Base < LogStash::Plugin
|
|
33
33
|
# Note that this setting may not be useful for all outputs.
|
34
34
|
config :workers, :validate => :number, :default => 1
|
35
35
|
|
36
|
-
attr_reader :worker_plugins
|
36
|
+
attr_reader :worker_plugins, :worker_queue
|
37
37
|
|
38
38
|
public
|
39
39
|
def workers_not_supported(message=nil)
|
data/lib/logstash/patches.rb
CHANGED
@@ -0,0 +1,62 @@
|
|
1
|
+
|
2
|
+
require "openssl"
|
3
|
+
|
4
|
+
# :nodoc:
|
5
|
+
class OpenSSL::SSL::SSLContext
|
6
|
+
# Wrap SSLContext.new to a stronger default settings.
|
7
|
+
class << self
|
8
|
+
alias_method :orig_new, :new
|
9
|
+
def new(*args)
|
10
|
+
c = orig_new(*args)
|
11
|
+
|
12
|
+
# MRI nor JRuby seem to actually invoke `SSLContext#set_params` by
|
13
|
+
# default, which makes the default ciphers (and other settings) not
|
14
|
+
# actually defaults. Oops!
|
15
|
+
# To force this, and force our (hopefully more secure) defaults on
|
16
|
+
# all things using openssl in Ruby, we will invoke set_params
|
17
|
+
# on all new SSLContext objects.
|
18
|
+
c.set_params
|
19
|
+
c
|
20
|
+
end
|
21
|
+
end
|
22
|
+
|
23
|
+
# This cipher selection comes from https://wiki.mozilla.org/Security/Server_Side_TLS
|
24
|
+
MOZILLA_INTERMEDIATE_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
|
25
|
+
|
26
|
+
# Returns the value that should be used for the default SSLContext options
|
27
|
+
#
|
28
|
+
# This is a method instead of a constant because some constants (like
|
29
|
+
# OpenSSL::SSL::OP_NO_COMPRESSION) may not be available in all Ruby
|
30
|
+
# versions/platforms.
|
31
|
+
def self.__default_options
|
32
|
+
# ruby-core is refusing to patch ruby's default openssl settings to be more
|
33
|
+
# secure, so let's fix that here. The next few lines setting options and
|
34
|
+
# ciphers come from jmhodges' proposed patch
|
35
|
+
ssloptions = OpenSSL::SSL::OP_ALL
|
36
|
+
|
37
|
+
# TODO(sissel): JRuby doesn't have this. Maybe work on a fix?
|
38
|
+
if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
|
39
|
+
ssloptions &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
|
40
|
+
end
|
41
|
+
|
42
|
+
# TODO(sissel): JRuby doesn't have this. Maybe work on a fix?
|
43
|
+
if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
|
44
|
+
ssloptions |= OpenSSL::SSL::OP_NO_COMPRESSION
|
45
|
+
end
|
46
|
+
|
47
|
+
# Disable SSLv2 and SSLv3. They are insecure and highly discouraged.
|
48
|
+
ssloptions |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
|
49
|
+
ssloptions |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
|
50
|
+
ssloptions
|
51
|
+
end
|
52
|
+
|
53
|
+
# Overwriting the DEFAULT_PARAMS const idea from here: https://www.ruby-lang.org/en/news/2014/10/27/changing-default-settings-of-ext-openssl/
|
54
|
+
remove_const(:DEFAULT_PARAMS) if const_defined?(:DEFAULT_PARAMS)
|
55
|
+
DEFAULT_PARAMS = {
|
56
|
+
:ssl_version => "SSLv23",
|
57
|
+
:verify_mode => OpenSSL::SSL::VERIFY_PEER,
|
58
|
+
:ciphers => MOZILLA_INTERMEDIATE_CIPHERS,
|
59
|
+
:options => __default_options # Not a constant because it's computed at start-time.
|
60
|
+
}
|
61
|
+
|
62
|
+
end
|
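Review bot: The `defined?` guards around `OP_NO_SSLv2` and `OP_NO_SSLv3` in `__default_options` fail open: on a runtime that lacks either constant the option is skipped silently, while `DEFAULT_PARAMS` still sets `:ssl_version => "SSLv23"`, so the protocols this patch means to disable could stay negotiable with no signal to the operator. I would emit a warning when a guard is not taken, for example `warn "OpenSSL::SSL::OP_NO_SSLv3 is unavailable; SSLv3 is not disabled" unless defined?(OpenSSL::SSL::OP_NO_SSLv3)`. The cipher string also still ends in the broad `AES:CAMELLIA:DES-CBC3-SHA` entries, so 3DES remains on offer; if that is kept for compatibility, a comment next to `MOZILLA_INTERMEDIATE_CIPHERS` should say so. Because `alias_method :orig_new, :new` runs unconditionally, loading this file a second time would alias `orig_new` to the wrapper and make `new` recurse, which `alias_method :orig_new, :new unless method_defined?(:orig_new)` avoids.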
data/lib/logstash/pipeline.rb
CHANGED
@@ -8,6 +8,7 @@ require "logstash/config/file"
|
|
8
8
|
require "logstash/filters/base"
|
9
9
|
require "logstash/inputs/base"
|
10
10
|
require "logstash/outputs/base"
|
11
|
+
require "logstash/util/reporter"
|
11
12
|
|
12
13
|
class LogStash::Pipeline
|
13
14
|
|
@@ -252,6 +253,8 @@ class LogStash::Pipeline
|
|
252
253
|
#
|
253
254
|
# This method is intended to be called from another thread
|
254
255
|
def shutdown
|
256
|
+
InflightEventsReporter.logger = @logger
|
257
|
+
InflightEventsReporter.start(@input_to_filter, @filter_to_output, @outputs)
|
255
258
|
@input_threads.each do |thread|
|
256
259
|
# Interrupt all inputs
|
257
260
|
@logger.info("Sending shutdown signal to input thread", :thread => thread)
|
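Review bot: The two added lines in `shutdown` discard the thread returned by `InflightEventsReporter.start`, and the reporter hunk further down this page runs an endless `loop` inside that thread, so every call to `shutdown` leaves one more reporter thread that nothing can stop or join. Keeping the handle and starting it once would bound that, for example `@inflight_reporter ||= InflightEventsReporter.start(@input_to_filter, @filter_to_output, @outputs)`, with the thread ended once the queues have drained. The comment above says `shutdown` is meant to be called from another thread, so repeated calls look plausible. The body of `shutdown` continues outside the hunk, so any later cleanup cannot be seen from here.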
@@ -0,0 +1,27 @@
|
|
1
|
+
class InflightEventsReporter
|
2
|
+
def self.logger=(logger)
|
3
|
+
@logger = logger
|
4
|
+
end
|
5
|
+
|
6
|
+
def self.start(input_to_filter, filter_to_output, outputs)
|
7
|
+
Thread.new do
|
8
|
+
loop do
|
9
|
+
sleep 5
|
10
|
+
report(input_to_filter, filter_to_output, outputs)
|
11
|
+
end
|
12
|
+
end
|
13
|
+
end
|
14
|
+
|
15
|
+
def self.report(input_to_filter, filter_to_output, outputs)
|
16
|
+
report = {
|
17
|
+
"input_to_filter" => input_to_filter.size,
|
18
|
+
"filter_to_output" => filter_to_output.size,
|
19
|
+
"outputs" => []
|
20
|
+
}
|
21
|
+
outputs.each do |output|
|
22
|
+
next unless output.worker_queue && output.worker_queue.size > 0
|
23
|
+
report["outputs"] << [output.inspect, output.worker_queue.size]
|
24
|
+
end
|
25
|
+
@logger.warn ["INFLIGHT_EVENTS_REPORT", Time.now.iso8601, report]
|
26
|
+
end
|
27
|
+
end
|
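Review bot: `report` writes `output.inspect` into a warn-level log line, and unless the output plugins override `inspect` that dumps every instance variable, which can put an output's connection settings or credentials into the logs. Logging the class name is enough to identify a backed-up output: `report["outputs"] << [output.class.name, output.worker_queue.size]`. `Time.now.iso8601` also depends on the `time` library, which this file does not require; if nothing else has loaded it the call raises inside the reporter thread, so `require "time"` belongs at the top of the file. `@logger` stays nil until `logger=` is called, so `report` should start with `return unless @logger` rather than raise on the final line.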
data/lib/logstash/version.rb
CHANGED
@@ -0,0 +1,25 @@
|
|
1
|
+
require "logstash/patches"
|
2
|
+
|
3
|
+
describe "OpenSSL defaults" do
|
4
|
+
subject { OpenSSL::SSL::SSLContext.new }
|
5
|
+
|
6
|
+
# OpenSSL::SSL::SSLContext#ciphers returns an array of
|
7
|
+
# [ [ ciphername, version, bits, alg_bits ], [ ... ], ... ]
|
8
|
+
|
9
|
+
# List of cipher names
|
10
|
+
let(:ciphers) { subject.ciphers.map(&:first) }
|
11
|
+
|
12
|
+
# List of cipher encryption bit strength.
|
13
|
+
let(:encryption_bits) { subject.ciphers.map { |_, _, _, a| a } }
|
14
|
+
|
15
|
+
it "should not include any export ciphers" do
|
16
|
+
# SSLContext#ciphers returns an array of [ciphername, tlsversion, key_bits, alg_bits]
|
17
|
+
# Let's just check the cipher names
|
18
|
+
expect(ciphers).not_to be_any { |name| name =~ /EXPORT/ || name =~ /^EXP/ }
|
19
|
+
end
|
20
|
+
|
21
|
+
it "should not include any weak ciphers (w/ less than 128 bits in encryption algorithm)" do
|
22
|
+
# SSLContext#ciphers returns an array of [ciphername, tlsversion, key_bits, alg_bits]
|
23
|
+
expect(encryption_bits).not_to be_any { |bits| bits < 128 }
|
24
|
+
end
|
25
|
+
end
|
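Review bot: These examples cover only cipher names and bit sizes, so the other defaults the patch sets (`:verify_mode => OpenSSL::SSL::VERIFY_PEER` and the SSLv2/SSLv3 option bits) can regress without a failing spec. I would add `expect(subject.verify_mode).to eql(OpenSSL::SSL::VERIFY_PEER)` and, where the constant is defined, `expect(subject.options & OpenSSL::SSL::OP_NO_SSLv3).not_to eql(0)`. The `bits < 128` check presumably also passes for `DES-CBC3-SHA`, so it does not show that 3DES is absent from the defaults. In the name check, `/^EXP/` would read more precisely as `/\AEXP/`, since `^` matches at any line start.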
@@ -9,19 +9,21 @@ RSpec.configure do |config|
|
|
9
9
|
end
|
10
10
|
|
11
11
|
describe "truncating unicode strings correctly" do
|
12
|
+
subject { LogStash::Util::UnicodeTrimmer }
|
13
|
+
|
12
14
|
context "with extra bytes before the snip" do
|
13
15
|
let(:ustr) { "Testing «ταБЬℓσ»: 1<2 & 4+1>3, now 20% off!" }
|
14
16
|
|
15
17
|
it "should truncate to exact byte boundaries when possible" do
|
16
|
-
expect(
|
18
|
+
expect(subject.trim_bytes(ustr, 21).bytesize).to eql(21)
|
17
19
|
end
|
18
20
|
|
19
21
|
it "should truncate below the bytesize when splitting a byte" do
|
20
|
-
expect(
|
22
|
+
expect(subject.trim_bytes(ustr, 20).bytesize).to eql(18)
|
21
23
|
end
|
22
24
|
|
23
25
|
it "should not truncate the string when the bytesize is already OK" do
|
24
|
-
expect(
|
26
|
+
expect(subject.trim_bytes(ustr, ustr.bytesize)).to eql(ustr)
|
25
27
|
end
|
26
28
|
end
|
27
29
|
|
@@ -29,15 +31,15 @@ describe "truncating unicode strings correctly" do
|
|
29
31
|
let(:ustr) { ": 1<2 & 4+1>3, now 20% off! testing «ταБЬℓσ»" }
|
30
32
|
|
31
33
|
it "should truncate to exact byte boundaries when possible" do
|
32
|
-
expect(
|
34
|
+
expect(subject.trim_bytes(ustr, 21).bytesize).to eql(21)
|
33
35
|
end
|
34
36
|
|
35
37
|
it "should truncate below the bytesize when splitting a byte" do
|
36
|
-
expect(
|
38
|
+
expect(subject.trim_bytes(ustr, 52).bytesize).to eql(51)
|
37
39
|
end
|
38
40
|
|
39
41
|
it "should not truncate the string when the bytesize is already OK" do
|
40
|
-
expect(
|
42
|
+
expect(subject.trim_bytes(ustr, ustr.bytesize)).to eql(ustr)
|
41
43
|
end
|
42
44
|
end
|
43
45
|
|
@@ -47,7 +49,7 @@ describe "truncating unicode strings correctly" do
|
|
47
49
|
let(:expected_range) { (size - 4)..size }
|
48
50
|
|
49
51
|
stress_it "should be near the boundary of requested size" do
|
50
|
-
expect(expected_range).to include(
|
52
|
+
expect(expected_range).to include(subject.trim_bytes(text, size).bytesize)
|
51
53
|
end
|
52
54
|
end
|
53
55
|
end
|
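--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: logstash-core
 version: !ruby/object:Gem::Version
-version: 1.5.3.
+version: 1.5.3.snapshot2
 platform: java
 authors:
 - Jordan Sissel
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-07-
+date: 2015-07-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: cabin
@@ -201,6 +201,7 @@ files:
 - lib/logstash/patches/cabin.rb
 - lib/logstash/patches/profile_require_calls.rb
 - lib/logstash/patches/rubygems.rb
+- lib/logstash/patches/stronger_openssl_defaults.rb
 - lib/logstash/pipeline.rb
 - lib/logstash/plugin.rb
 - lib/logstash/program.rb
@@ -219,6 +220,7 @@ files:
 - lib/logstash/util/password.rb
 - lib/logstash/util/plugin_version.rb
 - lib/logstash/util/prctl.rb
+- lib/logstash/util/reporter.rb
 - lib/logstash/util/require-helper.rb
 - lib/logstash/util/retryable.rb
 - lib/logstash/util/socket_peer.rb
@@ -242,6 +244,7 @@ files:
 - spec/lib/logstash/java_integration_spec.rb
 - spec/license_spec.rb
 - spec/logstash/agent_spec.rb
+- spec/logstash/patches_spec.rb
 - spec/outputs/base_spec.rb
 - spec/spec_helper.rb
 - spec/util/accessors_spec.rb
@@ -293,6 +296,7 @@ test_files:
 - spec/lib/logstash/java_integration_spec.rb
 - spec/license_spec.rb
 - spec/logstash/agent_spec.rb
+- spec/logstash/patches_spec.rb
 - spec/outputs/base_spec.rb
 - spec/spec_helper.rb
 - spec/util/accessors_spec.rb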