logstash-filter-elasticsearch 3.11.1 → 3.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7d5a56362567a5c8949cb77f1615659c709449c5999fe46e5b558212045d3197
-  data.tar.gz: ba77cec6eda6ea51f037541223d257532a5161081cf64609c2ea6590c6d37ed4
+  metadata.gz: 7ecfb3d5b15acecc9b301e27f77f5170ead83708c2722db56324807e3663cc08
+  data.tar.gz: bd8798a9f82792afb79b1be85936bdf51967dd74c91d6b45bb24b7cadec16e1b
 SHA512:
-  metadata.gz: 8b3415eb21cb9e6bbe25b692514037cdae4c5a64827e99412433b4bf184308fca1a6e307e1b724f0ba7b6c311e2b463346189d6176e78c56941e4dc0af0d8b9b
-  data.tar.gz: 24dad4a1105f97e5c55f94c281d62091db76020c27242253e3307946db755e1093a41c751d175fd23ed07fcb01890e8753fd54691d854b0f456792adbd667b18
+  metadata.gz: b76de8e2722b3b1c5cf11efd0a29cc827042e48d584215e14fb9272349bc5cb50aa04b763a52ff26800ad36f64f2c1870cab27a38dbf94776fde5a25f75a7e08
+  data.tar.gz: 9304e6e00443b13fe5888ae62d0f9c0610cb6917cf148b21373afae460602548172a61efa4fed287e085421c7e9ef26bcebaf7a8ec1aee70a12449942b226a3e

data/CHANGELOG.md

@@ -1,3 +1,6 @@
+## 3.12.0
+  - Added support for `ca_trusted_fingerprint` when run on Logstash 8.3+ [#158](https://github.com/logstash-plugins/logstash-filter-elasticsearch/pull/158)
+
 ## 3.11.1
   -  Fix: hosts => "es_host:port" regression [#156](https://github.com/logstash-plugins/logstash-filter-elasticsearch/pull/156)
 

data/docs/index.asciidoc

@@ -128,6 +128,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-aggregation_fields>> |<<hash,hash>>|No
 | <<plugins-{type}s-{plugin}-api_key>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ca_file>> |a valid filesystem path|No
+| <<plugins-{type}s-{plugin}-ca_trusted_fingerprint>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-cloud_auth>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-cloud_id>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-docinfo_fields>> |<<hash,hash>>|No
@@ -189,6 +190,15 @@ Elasticsearch {ref}/security-api-create-api-key.html[Create API key API].
 
 SSL Certificate Authority file
 
+[id="plugins-{type}s-{plugin}-ca_trusted_fingerprint"]
+===== `ca_trusted_fingerprint`
+
+* Value type is <<string,string>>, and must contain exactly 64 hexadecimal characters.
+* There is no default value for this setting.
+* Use of this option _requires_ Logstash 8.3+
+
+The SHA-256 fingerprint of an SSL Certificate Authority to trust, such as the autogenerated self-signed CA for an Elasticsearch cluster.
+
 [id="plugins-{type}s-{plugin}-cloud_auth"]
 ===== `cloud_auth`
 

data/lib/logstash/filters/elasticsearch/client.rb

@@ -27,9 +27,11 @@ module LogStash
         transport_options[:proxy] = proxy.to_s if proxy && !proxy.eql?('')
 
         hosts = setup_hosts(hosts, ssl)
+
+        ssl_options = {}
         # set ca_file even if ssl isn't on, since the host can be an https url
-        ssl_options = { ssl: true, ca_file: options[:ca_file] } if options[:ca_file]
-        ssl_options ||= {}
+        ssl_options.update(ssl: true, ca_file: options[:ca_file]) if options[:ca_file]
+        ssl_options.update(ssl: true, trust_strategy: options[:ssl_trust_strategy]) if options[:ssl_trust_strategy]
 
         logger.info("New ElasticSearch filter client", :hosts => hosts)
         @client = ::Elasticsearch::Client.new(hosts: hosts, transport_options: transport_options, transport_class: ::Elasticsearch::Transport::Transport::HTTP::Manticore, :ssl => ssl_options)

data/lib/logstash/filters/elasticsearch.rb

@@ -2,6 +2,8 @@
 require "logstash/filters/base"
 require "logstash/namespace"
 require "logstash/json"
+require 'logstash/plugin_mixins/ca_trusted_fingerprint_support'
+
 require_relative "elasticsearch/client"
 require_relative "elasticsearch/patches/_elasticsearch_transport_http_manticore"
 
@@ -73,6 +75,9 @@ class LogStash::Filters::Elasticsearch < LogStash::Filters::Base
   # Tags the event on failure to look up geo information. This can be used in later analysis.
   config :tag_on_failure, :validate => :array, :default => ["_elasticsearch_lookup_failure"]
 
+  # config :ca_trusted_fingerprint, :validate => :sha_256_hex
+  include LogStash::PluginMixins::CATrustedFingerprintSupport
+
   attr_reader :clients_pool
 
   ##
@@ -199,6 +204,7 @@ class LogStash::Filters::Elasticsearch < LogStash::Filters::Base
       :proxy => @proxy,
       :ssl => @ssl,
       :ca_file => @ca_file,
+      :ssl_trust_strategy => trust_strategy_for_ca_trusted_fingerprint
     }
   end
 

data/logstash-filter-elasticsearch.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-filter-elasticsearch'
-  s.version         = '3.11.1'
+  s.version         = '3.12.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Copies fields from previous log events in Elasticsearch to current events "
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -23,6 +23,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
   s.add_runtime_dependency 'elasticsearch', ">= 7.14.0" # LS >= 6.7 and < 7.14 all used version 5.0.5
   s.add_runtime_dependency 'manticore', ">= 0.7.1"
+  s.add_runtime_dependency 'logstash-mixin-ca_trusted_fingerprint_support', '~> 1.0'
   s.add_development_dependency 'cabin', ['~> 0.6']
   s.add_development_dependency 'webrick'
 

data/spec/filters/elasticsearch_spec.rb

@@ -561,6 +561,38 @@ describe LogStash::Filters::Elasticsearch do
     end
   end
 
+  describe "ca_trusted_fingerprint" do
+    let(:ca_trusted_fingerprint) { SecureRandom.hex(32) }
+    let(:config) { {"ca_trusted_fingerprint" => ca_trusted_fingerprint}}
+
+    subject(:plugin) { described_class.new(config) }
+
+    if Gem::Version.create(LOGSTASH_VERSION) >= Gem::Version.create("8.3.0")
+      context 'the generated trust_strategy' do
+        before(:each) { allow(plugin).to receive(:test_connection!) }
+
+        it 'is passed to the Manticore client' do
+          expect(Manticore::Client).to receive(:new)
+                                         .with(
+                                           a_hash_including(
+                                             ssl: a_hash_including(
+                                               trust_strategy: plugin.trust_strategy_for_ca_trusted_fingerprint
+                                             )
+                                           )
+                                         ).and_call_original
+          plugin.register
+
+          # the client is built lazily, so we need to get it explicitly
+          plugin.send(:get_client).client
+        end
+      end
+    else
+      it 'raises a configuration error' do
+        expect { plugin }.to raise_exception(LogStash::ConfigurationError, a_string_including("ca_trusted_fingerprint"))
+      end
+    end
+  end
+
   describe "defaults" do
 
     let(:config) { Hash.new }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-elasticsearch
 version: !ruby/object:Gem::Version
-  version: 3.11.1
+  version: 3.12.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-08 00:00:00.000000000 Z
+date: 2022-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -58,6 +58,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.7.1
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  name: logstash-mixin-ca_trusted_fingerprint_support
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements: