logstash-core 1.5.3.snapshot1-java → 1.5.3.snapshot2-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ba907769485a75b87b1b1853b43dc2c44823294a
-  data.tar.gz: a9ac488f8a87e5e05cebeb5b9ae12e7eab9ecacc
+  metadata.gz: 167268ee29e6f1789d22217c70c8f9860f4c1c45
+  data.tar.gz: 480dd1f7ca4035fe7352d8a4e09eb1e5609de086
 SHA512:
-  metadata.gz: 9bfa3d672055b2df6f56950618aaabfc65310408781ae50ce626de31a6a111d89717c4f2f7c6a3e07f83f2b81fb8139f84ebd14e68d23e36b607f1046022f5ae
-  data.tar.gz: e21ad51d7681e03d4f532df182d6a7e21740373ba5825d9435f23eb83bf1b2c2187370a3da9acf0bcf6369ac6eb218c0ed95c9b4bde5b8a731c660a6e3e4bdcd
+  metadata.gz: aebae3223652b1e4c7605a20ad8ca0d9d4c30cc13160511c43e33e701925c269cb95f90c8d3685043e815b824eabaa335ca595e0bd574f0ec9e4d5c97a6f47a4
+  data.tar.gz: c7d4f1d085f6da87187a10d89f8f618aacc4135cc9526096d11297a675bfcf4b5f684ab2cd4e36faafbd9031be6da08dfda895bb7383d087bf072f16b792984f

data/lib/logstash/outputs/base.rb

@@ -33,7 +33,7 @@ class LogStash::Outputs::Base < LogStash::Plugin
   # Note that this setting may not be useful for all outputs.
   config :workers, :validate => :number, :default => 1
 
-  attr_reader :worker_plugins
+  attr_reader :worker_plugins, :worker_queue
 
   public
   def workers_not_supported(message=nil)

data/lib/logstash/patches.rb

@@ -1,3 +1,4 @@
 require "logstash/patches/bugfix_jruby_2558"
 require "logstash/patches/cabin"
 require "logstash/patches/profile_require_calls"
+require "logstash/patches/stronger_openssl_defaults"

data/lib/logstash/patches/stronger_openssl_defaults.rb

@@ -0,0 +1,62 @@
+
+require "openssl"
+
+# :nodoc:
+class OpenSSL::SSL::SSLContext
+  # Wrap SSLContext.new to a stronger default settings.
+  class << self
+    alias_method :orig_new, :new
+    def new(*args)
+      c = orig_new(*args)
+
+      # MRI nor JRuby seem to actually invoke `SSLContext#set_params` by
+      # default, which makes the default ciphers (and other settings) not
+      # actually defaults. Oops!
+      # To force this, and force our (hopefully more secure) defaults on
+      # all things using openssl in Ruby, we will invoke set_params
+      # on all new SSLContext objects.
+      c.set_params
+      c
+    end
+  end
+
+  # This cipher selection comes from https://wiki.mozilla.org/Security/Server_Side_TLS
+  MOZILLA_INTERMEDIATE_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+
+  # Returns the value that should be used for the default SSLContext options
+  #
+  # This is a method instead of a constant because some constants (like
+  # OpenSSL::SSL::OP_NO_COMPRESSION) may not be available in all Ruby
+  # versions/platforms.
+  def self.__default_options
+    # ruby-core is refusing to patch ruby's default openssl settings to be more
+    # secure, so let's fix that here. The next few lines setting options and
+    # ciphers come from jmhodges' proposed patch
+    ssloptions = OpenSSL::SSL::OP_ALL
+ 
+    # TODO(sissel): JRuby doesn't have this. Maybe work on a fix?
+    if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
+      ssloptions &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
+    end
+
+    # TODO(sissel): JRuby doesn't have this. Maybe work on a fix?
+    if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
+      ssloptions |= OpenSSL::SSL::OP_NO_COMPRESSION
+    end
+
+    # Disable SSLv2 and SSLv3. They are insecure and highly discouraged.
+    ssloptions |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
+    ssloptions |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
+    ssloptions
+  end
+
+  # Overwriting the DEFAULT_PARAMS const idea from here: https://www.ruby-lang.org/en/news/2014/10/27/changing-default-settings-of-ext-openssl/
+  remove_const(:DEFAULT_PARAMS) if const_defined?(:DEFAULT_PARAMS)
+  DEFAULT_PARAMS = {
+    :ssl_version => "SSLv23",
+    :verify_mode => OpenSSL::SSL::VERIFY_PEER,
+    :ciphers => MOZILLA_INTERMEDIATE_CIPHERS,
+    :options => __default_options # Not a constant because it's computed at start-time.
+  }
+
+end

data/lib/logstash/pipeline.rb

@@ -8,6 +8,7 @@ require "logstash/config/file"
 require "logstash/filters/base"
 require "logstash/inputs/base"
 require "logstash/outputs/base"
+require "logstash/util/reporter"
 
 class LogStash::Pipeline
 
@@ -252,6 +253,8 @@ class LogStash::Pipeline
   #
   # This method is intended to be called from another thread
   def shutdown
+    InflightEventsReporter.logger = @logger
+    InflightEventsReporter.start(@input_to_filter, @filter_to_output, @outputs)
     @input_threads.each do |thread|
       # Interrupt all inputs
       @logger.info("Sending shutdown signal to input thread", :thread => thread)

data/lib/logstash/util/reporter.rb

@@ -0,0 +1,27 @@
+class InflightEventsReporter
+  def self.logger=(logger)
+    @logger = logger
+  end
+
+  def self.start(input_to_filter, filter_to_output, outputs)
+    Thread.new do
+      loop do
+        sleep 5
+        report(input_to_filter, filter_to_output, outputs)
+      end
+    end
+  end
+
+  def self.report(input_to_filter, filter_to_output, outputs)
+    report = {
+      "input_to_filter" => input_to_filter.size,
+      "filter_to_output" => filter_to_output.size,
+      "outputs" => []
+    }
+    outputs.each do |output|
+      next unless output.worker_queue && output.worker_queue.size > 0
+      report["outputs"] << [output.inspect, output.worker_queue.size]
+    end
+    @logger.warn ["INFLIGHT_EVENTS_REPORT", Time.now.iso8601, report]
+  end
+end

data/lib/logstash/util/unicode_trimmer.rb

@@ -1,4 +1,4 @@
-module UnicodeTrimmer
+module LogStash::Util::UnicodeTrimmer
   # The largest possible unicode chars are 4 bytes
   # http://stackoverflow.com/questions/9533258/what-is-the-maximum-number-of-bytes-for-a-utf-8-encoded-character
   # http://tools.ietf.org/html/rfc3629

data/lib/logstash/version.rb

@@ -1,6 +1,6 @@
 # encoding: utf-8
 # The version of logstash.
-LOGSTASH_VERSION = "1.5.3.snapshot1"
+LOGSTASH_VERSION = "1.5.3.snapshot2"
 
 # Note to authors: this should not include dashes because 'gem' barfs if
 # you include a dash in the version string.

data/spec/logstash/patches_spec.rb

@@ -0,0 +1,25 @@
+require "logstash/patches"
+
+describe "OpenSSL defaults" do
+  subject { OpenSSL::SSL::SSLContext.new }
+
+  # OpenSSL::SSL::SSLContext#ciphers returns an array of 
+  # [ [ ciphername, version, bits, alg_bits ], [ ... ], ... ]
+ 
+  # List of cipher names
+  let(:ciphers) { subject.ciphers.map(&:first) }
+
+  # List of cipher encryption bit strength. 
+  let(:encryption_bits) { subject.ciphers.map { |_, _, _, a| a } }
+
+  it "should not include any export ciphers" do
+    # SSLContext#ciphers returns an array of [ciphername, tlsversion, key_bits, alg_bits]
+    # Let's just check the cipher names
+    expect(ciphers).not_to be_any { |name| name =~ /EXPORT/ || name =~ /^EXP/ }
+  end
+
+  it "should not include any weak ciphers (w/ less than 128 bits in encryption algorithm)" do
+    # SSLContext#ciphers returns an array of [ciphername, tlsversion, key_bits, alg_bits]
+    expect(encryption_bits).not_to be_any { |bits| bits < 128 }
+  end
+end

data/spec/util/unicode_trimmer_spec.rb

@@ -9,19 +9,21 @@ RSpec.configure do |config|
 end
 
 describe "truncating unicode strings correctly" do
+  subject { LogStash::Util::UnicodeTrimmer }
+
   context "with extra bytes before the snip" do
     let(:ustr) { "Testing «ταБЬℓσ»: 1<2 & 4+1>3, now 20% off!" }
 
     it "should truncate to exact byte boundaries when possible" do
-      expect(UnicodeTrimmer.trim_bytes(ustr, 21).bytesize).to eql(21)
+      expect(subject.trim_bytes(ustr, 21).bytesize).to eql(21)
     end
 
     it "should truncate below the bytesize when splitting a byte" do
-      expect(UnicodeTrimmer.trim_bytes(ustr, 20).bytesize).to eql(18)
+      expect(subject.trim_bytes(ustr, 20).bytesize).to eql(18)
     end
 
     it "should not truncate the string when the bytesize is already OK" do
-      expect(UnicodeTrimmer.trim_bytes(ustr, ustr.bytesize)).to eql(ustr)
+      expect(subject.trim_bytes(ustr, ustr.bytesize)).to eql(ustr)
     end
   end
 
@@ -29,15 +31,15 @@ describe "truncating unicode strings correctly" do
     let(:ustr) { ": 1<2 & 4+1>3, now 20% off! testing «ταБЬℓσ»" }
 
     it "should truncate to exact byte boundaries when possible" do
-      expect(UnicodeTrimmer.trim_bytes(ustr, 21).bytesize).to eql(21)
+      expect(subject.trim_bytes(ustr, 21).bytesize).to eql(21)
     end
 
     it "should truncate below the bytesize when splitting a byte" do
-      expect(UnicodeTrimmer.trim_bytes(ustr, 52).bytesize).to eql(51)
+      expect(subject.trim_bytes(ustr, 52).bytesize).to eql(51)
     end
 
     it "should not truncate the string when the bytesize is already OK" do
-      expect(UnicodeTrimmer.trim_bytes(ustr, ustr.bytesize)).to eql(ustr)
+      expect(subject.trim_bytes(ustr, ustr.bytesize)).to eql(ustr)
     end
   end
 
@@ -47,7 +49,7 @@ describe "truncating unicode strings correctly" do
     let(:expected_range) { (size - 4)..size }
 
     stress_it "should be near the boundary of requested size" do
-      expect(expected_range).to include(UnicodeTrimmer.trim_bytes(text, size).bytesize)
+      expect(expected_range).to include(subject.trim_bytes(text, size).bytesize)
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: logstash-core
 version: !ruby/object:Gem::Version
-  version: 1.5.3.snapshot1
+  version: 1.5.3.snapshot2
 platform: java
 authors:
 - Jordan Sissel
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-07-10 00:00:00.000000000 Z
+date: 2015-07-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cabin
@@ -201,6 +201,7 @@ files:
 - lib/logstash/patches/cabin.rb
 - lib/logstash/patches/profile_require_calls.rb
 - lib/logstash/patches/rubygems.rb
+- lib/logstash/patches/stronger_openssl_defaults.rb
 - lib/logstash/pipeline.rb
 - lib/logstash/plugin.rb
 - lib/logstash/program.rb
@@ -219,6 +220,7 @@ files:
 - lib/logstash/util/password.rb
 - lib/logstash/util/plugin_version.rb
 - lib/logstash/util/prctl.rb
+- lib/logstash/util/reporter.rb
 - lib/logstash/util/require-helper.rb
 - lib/logstash/util/retryable.rb
 - lib/logstash/util/socket_peer.rb
@@ -242,6 +244,7 @@ files:
 - spec/lib/logstash/java_integration_spec.rb
 - spec/license_spec.rb
 - spec/logstash/agent_spec.rb
+- spec/logstash/patches_spec.rb
 - spec/outputs/base_spec.rb
 - spec/spec_helper.rb
 - spec/util/accessors_spec.rb
@@ -293,6 +296,7 @@ test_files:
 - spec/lib/logstash/java_integration_spec.rb
 - spec/license_spec.rb
 - spec/logstash/agent_spec.rb
+- spec/logstash/patches_spec.rb
 - spec/outputs/base_spec.rb
 - spec/spec_helper.rb
 - spec/util/accessors_spec.rb