logstash-input-beats 6.5.0-java → 6.6.1-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1801dd24702dc3b6d751e679ecdeb78b34b2ffc23ad5ec2e236f2642ba4a0ddd
-  data.tar.gz: '0879bc47974cef2918e5c2725458bca543f2beab38e9c8f523ba848e468eb0cd'
+  metadata.gz: 6de1a5eb934d76788165fab317d164abcdc4f9cf400ee051a57b8f3ca7b40cad
+  data.tar.gz: 682eb9c33c9ae6d19f55e576d56b7078099fcfeb0335d719b197cc1e5c6e7123
 SHA512:
-  metadata.gz: d779990717562cb6db36423821e3471c0e8f582a06738a248c64346c54e1e0f38cea789146941dde2c2c784e2ca1daaac82418c9ba3cbd6029a7fd5b2643f323
-  data.tar.gz: e6c6c0164ff7c827e54ad51d71832c2b79eed3ad44452ec7cc9dad86475faf25c1127756425dbb1a1783eb8d7427b280acfdfcd8088b957b848b024f40e51b47
+  metadata.gz: 64b3a6de77140fcc9e319d14fe12ae272c977e0fe7b9dc012807e11992cf64632acb0f5e5c200b4430f73306f503a7fb4b837bce64dc336c1bb28e055b1378d4
+  data.tar.gz: 2bee16a581bc69bbc40c4945e3eed727d47f64cbce6f2550bae6c79fd669f8b387db19707c3a89c23f75d95edae490f87ea9985d21be3907c2d8067b76478a58

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 6.6.1
+  - update netty to 4.1.93 and jackson to 2.13.5 [#472](https://github.com/logstash-plugins/logstash-input-beats/pull/472)
+
+## 6.6.0
+ - Reviewed and deprecated SSL settings to comply with Logstash's naming convention [#470](https://github.com/logstash-plugins/logstash-input-beats/pull/470)
+   - Deprecated `ssl` in favor of `ssl_enabled`
+   - Deprecated `ssl_verify_mode` in favor of `ssl_client_authentication`
+
 ## 6.5.0
  - An enrichment `enrich` option added to control ECS passthrough. `ssl_peer_metadata` and `include_codec_tag` configurations are deprecated and can be managed through the `enrich`  [#464](https://github.com/logstash-plugins/logstash-input-beats/pull/464)
 

data/VERSION

@@ -1 +1 @@
-6.5.0
+6.6.1

data/docs/index.asciidoc

@@ -221,15 +221,18 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-host>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-include_codec_tag>> |<<boolean,boolean>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
-| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_client_authentication>> |<<string,string>>, one of `["none", "optional", "required"]`|No
+| <<plugins-{type}s-{plugin}-ssl_enabled>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_handshake_timeout>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_peer_metadata>> |<<boolean,boolean>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<array,array>>|No
-| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
+| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|__Deprecated__
 | <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|__Deprecated__
 |=======================================================================
@@ -283,7 +286,7 @@ Refer to <<plugins-{type}s-{plugin}-ecs_metadata,ECS mapping>> for detailed info
 ===== `enrich`
 
 * Value type is <<string,string>>
-** A <<list,list>> can also be provided
+** An <<array,array>> can also be provided
 ** Configures which enrichments are applied to each event
 ** Default value is `[codec_metadata, source_metadata]` that may be extended in future versions of this plugin to include additional enrichments.
 ** Supported values are:
@@ -293,7 +296,7 @@ Refer to <<plugins-{type}s-{plugin}-ecs_metadata,ECS mapping>> for detailed info
 |Enrichment | Description
 
 | codec_metadata    | Information about how the codec transformed a sequence of bytes into
-                      this Event, such as _which_ codec was used. Also, if no <<codec>> is
+                      this Event, such as _which_ codec was used. Also, if no codec is
                       explicitly specified, _excluding_ `codec_metadata` from `enrich` will
                       disable `ecs_compatibility` for this plugin.
 | source_metadata   | Information about the _source_ of the event, such as the IP address
@@ -305,7 +308,7 @@ Refer to <<plugins-{type}s-{plugin}-ecs_metadata,ECS mapping>> for detailed info
 | all               | _alias_ to include _all_ available enrichments (including additional
                       enrichments introduced in future versions of this plugin)
 | none              | _alias_ to _exclude_ all available enrichments. Note that, _explicitly_
-                      defining <<codec>> with this option will not disable the `ecs_compatibility`,
+                      defining codec with this option will not disable the `ecs_compatibility`,
                       instead it relies on pipeline or codec `ecs_compatibility` configuration.
 |=======================================================================
 
@@ -384,6 +387,7 @@ The port to listen on.
 
 [id="plugins-{type}s-{plugin}-ssl"]
 ===== `ssl`
+deprecated[6.6.0, Replaced by <<plugins-{type}s-{plugin}-ssl_enabled>>]
 
   * Value type is <<boolean,boolean>>
   * Default value is `false`
@@ -408,8 +412,8 @@ SSL certificate to use.
 
 Validate client certificates against these authorities.
 You can define multiple files or paths. All the certificates will
-be read and added to the trust store. You need to configure the `ssl_verify_mode`
-to `peer` or `force_peer` to enable the verification.
+be read and added to the trust store. You need to configure the <<plugins-{type}s-{plugin}-ssl_client_authentication>>
+to `optional` or `required` to enable the verification.
 
 [id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
 ===== `ssl_cipher_suites`
@@ -422,6 +426,27 @@ This default list applies for OpenJDK 11.0.14 and higher.
 For older JDK versions, the default list includes only suites supported by that version.
 For example, the ChaCha20 family of ciphers is not supported in older versions.
 
+[id="plugins-{type}s-{plugin}-ssl_client_authentication"]
+===== `ssl_client_authentication`
+
+* Value can be any of: `none`, `optional`, `required`
+* Default value is `"none"`
+
+Controls the server's behavior in regard to requesting a certificate from client connections:
+`required` forces a client to present a certificate, while `optional` requests a client certificate
+but the client is not required to present one. Defaults to `none`, which disables the client authentication.
+
+NOTE: This setting can be used only if <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> is set.
+
+[id="plugins-{type}s-{plugin}-ssl_enabled"]
+===== `ssl_enabled`
+
+  * Value type is <<boolean,boolean>>
+  * Default value is `false`
+
+Events are by default sent in plain text. You can enable encryption by setting `ssl_enabled` to true and configuring
+the <<plugins-{type}s-{plugin}-ssl_certificate>> and <<plugins-{type}s-{plugin}-ssl_key>> options.
+
 [id="plugins-{type}s-{plugin}-ssl_handshake_timeout"]
 ===== `ssl_handshake_timeout`
 
@@ -464,7 +489,7 @@ deprecated[6.5.0, Replaced by <<plugins-{type}s-{plugin}-enrich>>]
 
 Enables storing client certificate information in event's metadata.
 
-This option is only valid when `ssl_verify_mode` is set to `peer` or `force_peer`.
+This option is only valid when <<plugins-{type}s-{plugin}-ssl_client_authentication>> is set to `optional` or `required`.
 
 [id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
 ===== `ssl_supported_protocols`
@@ -485,11 +510,13 @@ the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.
 
 [id="plugins-{type}s-{plugin}-ssl_verify_mode"]
 ===== `ssl_verify_mode`
+deprecated[6.6.0, Replaced by <<plugins-{type}s-{plugin}-ssl_client_authentication>>]
 
   * Value can be any of: `none`, `peer`, `force_peer`
   * Default value is `"none"`
 
-By default the server doesn't do any client verification.
+By default, the server doesn't do any client verification. If the <<plugins-{type}s-{plugin}-ssl_certificate_authorities>>
+is configured, and no value or `none` is provided for this option, it defaults to `force_peer` instead of `none`.
 
 `peer` will make the server ask the client to provide a certificate.
 If the client provides a certificate, it will be validated.
@@ -497,7 +524,7 @@ If the client provides a certificate, it will be validated.
 `force_peer` will make the server ask the client to provide a certificate.
 If the client doesn't provide a certificate, the connection will be closed.
 
-This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
+This option needs to be used with <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> and a defined list of CAs.
 
 [id="plugins-{type}s-{plugin}-tls_max_version"]
 ===== `tls_max_version`

data/lib/logstash/inputs/beats.rb

@@ -7,6 +7,7 @@ require "logstash/util"
 require "logstash-input-beats_jars"
 require "logstash/plugin_mixins/ecs_compatibility_support"
 require 'logstash/plugin_mixins/plugin_factory_support'
+require "logstash/plugin_mixins/normalize_config_support"
 require 'logstash/plugin_mixins/event_support/event_factory_adapter'
 require_relative "beats/patch"
 
@@ -61,6 +62,8 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
 
   include LogStash::PluginMixins::PluginFactorySupport
 
+  include LogStash::PluginMixins::NormalizeConfigSupport
+
   config_name "beats"
 
   default :codec, "plain"
@@ -74,11 +77,16 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
   # Events are by default sent in plain text. You can
   # enable encryption by setting `ssl` to true and configuring
   # the `ssl_certificate` and `ssl_key` options.
-  config :ssl, :validate => :boolean, :default => false
+  config :ssl, :validate => :boolean, :default => false, :deprecated => "Use 'ssl_enabled' instead."
 
   # SSL certificate to use.
   config :ssl_certificate, :validate => :path
 
+  # Events are by default sent in plain text. You can
+  # enable encryption by setting `ssl_enabled` to true and configuring
+  # the `ssl_certificate` and `ssl_key` options.
+  config :ssl_enabled, :validate => :boolean, :default => false
+
   # SSL key to use.
   # NOTE: This key need to be in the PKCS8 format, you can convert it with https://www.openssl.org/docs/man1.1.0/apps/pkcs8.html[OpenSSL]
   # for more information.
@@ -94,6 +102,14 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
   # 
   config :ssl_certificate_authorities, :validate => :array, :default => []
 
+  # Controls the server’s behavior in regard to requesting a certificate from client connections.
+  # `none`: No client authentication
+  # `optional`: Requests a client certificate but the client is not required to present one.
+  # `required`: Forces a client to present a certificate.
+  #
+  # This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
+  config :ssl_client_authentication, :validate => %w[none optional required], :default => 'none'
+
   # By default the server doesn't do any client verification.
   # 
   # `peer` will make the server ask the client to provide a certificate. 
@@ -103,7 +119,7 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
   # If the client doesn't provide a certificate, the connection will be closed.
   #
   # This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
-  config :ssl_verify_mode, :validate => ["none", "peer", "force_peer"], :default => "none"
+  config :ssl_verify_mode, :validate => ["none", "peer", "force_peer"], :default => "none", :deprecated => "Set 'ssl_client_authentication' instead."
 
   # Enables storing client certificate information in event's metadata. You need 
   # to configure the `ssl_verify_mode` to `peer` or `force_peer` to enable this.
@@ -156,6 +172,28 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
   attr_reader :field_tls_protocol_version, :field_tls_peer_subject, :field_tls_cipher
   attr_reader :include_source_metadata
 
+  NON_PREFIXED_SSL_CONFIGS = Set[
+    'tls_min_version',
+    'tls_max_version',
+    'cipher_suites',
+  ].freeze
+
+  SSL_CLIENT_AUTH_NONE = 'none'.freeze
+  SSL_CLIENT_AUTH_OPTIONAL = 'optional'.freeze
+  SSL_CLIENT_AUTH_REQUIRED = 'required'.freeze
+
+  SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP = {
+    'none' => SSL_CLIENT_AUTH_NONE,
+    'peer' => SSL_CLIENT_AUTH_OPTIONAL,
+    'force_peer' => SSL_CLIENT_AUTH_REQUIRED
+  }.freeze
+
+  private_constant :SSL_CLIENT_AUTH_NONE
+  private_constant :SSL_CLIENT_AUTH_OPTIONAL
+  private_constant :SSL_CLIENT_AUTH_REQUIRED
+  private_constant :NON_PREFIXED_SSL_CONFIGS
+  private_constant :SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP
+
   def register
     # For Logstash 2.4 we need to make sure that the logger is correctly set for the
     # java classes before actually loading them.
@@ -166,45 +204,9 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
       LogStash::Logger.setup_log4j(@logger)
     end
 
-    if @ssl
-      if @ssl_key.nil? || @ssl_key.empty?
-        configuration_error "ssl_key => is a required setting when ssl => true is configured"
-      end
-      if @ssl_certificate.nil? || @ssl_certificate.empty?
-        configuration_error "ssl_certificate => is a required setting when ssl => true is configured"
-      end
+    setup_ssl_params!
 
-      if require_certificate_authorities? && !client_authentification?
-        configuration_error "ssl_certificate_authorities => is a required setting when ssl_verify_mode => '#{@ssl_verify_mode}' is configured"
-      end
-
-      if client_authentication_metadata? && !require_certificate_authorities?
-        configuration_error "Configuring ssl_peer_metadata => true requires ssl_verify_mode => to be configured with 'peer' or 'force_peer'"
-      end
-
-      if original_params.key?('cipher_suites') && original_params.key?('ssl_cipher_suites')
-        raise LogStash::ConfigurationError, "Both `ssl_cipher_suites` and (deprecated) `cipher_suites` were set. Use only `ssl_cipher_suites`."
-      elsif original_params.key?('cipher_suites')
-        @ssl_cipher_suites_final = @cipher_suites
-      else
-        @ssl_cipher_suites_final = @ssl_cipher_suites
-      end
-
-      if original_params.key?('tls_min_version') && original_params.key?('ssl_supported_protocols')
-        raise LogStash::ConfigurationError, "Both `ssl_supported_protocols` and (deprecated) `tls_min_ciphers` were set. Use only `ssl_supported_protocols`."
-      elsif original_params.key?('tls_max_version') && original_params.key?('ssl_supported_protocols')
-        raise LogStash::ConfigurationError, "Both `ssl_supported_protocols` and (deprecated) `tls_max_ciphers` were set. Use only `ssl_supported_protocols`."
-      else
-        if original_params.key?('tls_min_version') || original_params.key?('tls_max_version')
-          @ssl_supported_protocols_final = TLS.get_supported(tls_min_version..tls_max_version).map(&:name)
-        else
-          @ssl_supported_protocols_final = @ssl_supported_protocols
-        end
-      end
-    else
-      @logger.warn("configured ssl_certificate => #{@ssl_certificate.inspect} will not be used") if @ssl_certificate
-      @logger.warn("configured ssl_key => #{@ssl_key.inspect} will not be used") if @ssl_key
-    end
+    validate_ssl_config!
 
     active_enrichments = resolve_enriches
 
@@ -242,18 +244,7 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
 
   def create_server
     server = org.logstash.beats.Server.new(@host, @port, @client_inactivity_timeout, @executor_threads)
-    if @ssl
-      ssl_context_builder = new_ssl_context_builder
-      if client_authentification?
-        if @ssl_verify_mode == "force_peer"
-          ssl_context_builder.setVerifyMode(SslContextBuilder::SslClientVerifyMode::FORCE_PEER)
-        elsif @ssl_verify_mode == "peer"
-          ssl_context_builder.setVerifyMode(SslContextBuilder::SslClientVerifyMode::VERIFY_PEER)
-        end
-        ssl_context_builder.setCertificateAuthorities(@ssl_certificate_authorities)
-      end
-      server.setSslHandlerProvider(new_ssl_handshake_provider(ssl_context_builder))
-    end
+    server.setSslHandlerProvider(new_ssl_handshake_provider(new_ssl_context_builder)) if @ssl_enabled
     server
   end
 
@@ -275,20 +266,39 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
     !@target_codec_on_field.empty?
   end
 
-  def client_authentification?
+  def client_authentication_enabled?
+    if original_params.include?('ssl_client_authentication')
+      return client_authentication_optional? || client_authentication_required?
+    end
+
+    # Keep backward compatibility with the deprecated `ssl_verify_mode` until it's not removed.
+    # When it's explicitly set (or both settings are absent), it should use the ssl_certificate_authorities
+    # to enable/disable the client authentication. (even if ssl_verify_mode => none)
+    certificate_authorities_configured?
+  end
+
+  def certificate_authorities_configured?
     @ssl_certificate_authorities && @ssl_certificate_authorities.size > 0
   end
 
   def client_authentication_metadata?
-    @ssl_peer_metadata && ssl_configured? && client_authentification?
+    @ssl_enabled && @ssl_peer_metadata && ssl_configured? && client_authentication_enabled?
   end
 
   def client_authentication_required?
-    @ssl_verify_mode == "force_peer" 
+    @ssl_client_authentication && @ssl_client_authentication.downcase == SSL_CLIENT_AUTH_REQUIRED
+  end
+
+  def client_authentication_optional?
+    @ssl_client_authentication && @ssl_client_authentication.downcase == SSL_CLIENT_AUTH_OPTIONAL
+  end
+
+  def client_authentication_none?
+    @ssl_client_authentication && @ssl_client_authentication.downcase == SSL_CLIENT_AUTH_NONE
   end
 
   def require_certificate_authorities?
-    @ssl_verify_mode == "force_peer" || @ssl_verify_mode == "peer"
+    client_authentication_required? || client_authentication_optional?
   end
 
   def include_source_metadata?
@@ -297,6 +307,75 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
 
   private
 
+  def validate_ssl_config!
+    ssl_config_name = original_params.include?('ssl') ? 'ssl' : 'ssl_enabled'
+
+    unless @ssl_enabled
+      ignored_ssl_settings = original_params.select { |k| k != 'ssl_enabled' && k.start_with?('ssl_') || NON_PREFIXED_SSL_CONFIGS.include?(k) }
+      @logger.warn("Configured SSL settings are not used when `#{ssl_config_name}` is set to `false`: #{ignored_ssl_settings.keys}") if ignored_ssl_settings.any?
+      return
+    end
+
+    if @ssl_key.nil? || @ssl_key.empty?
+      configuration_error "ssl_key => is a required setting when #{ssl_config_name} => true is configured"
+    end
+
+    if @ssl_certificate.nil? || @ssl_certificate.empty?
+      configuration_error "ssl_certificate => is a required setting when #{ssl_config_name} => true is configured"
+    end
+
+    if require_certificate_authorities? && !certificate_authorities_configured?
+      config_name, config_value = provided_client_authentication_config
+      configuration_error "ssl_certificate_authorities => is a required setting when #{config_name} => '#{config_value}' is configured"
+    end
+
+    if client_authentication_metadata? && !require_certificate_authorities?
+      config_name, optional, required = provided_client_authentication_config([SSL_CLIENT_AUTH_OPTIONAL, SSL_CLIENT_AUTH_REQUIRED])
+      configuration_error "Configuring ssl_peer_metadata => true requires #{config_name} => to be configured with '#{optional}' or '#{required}'"
+    end
+
+    if original_params.include?('ssl_client_authentication') && certificate_authorities_configured? && !require_certificate_authorities?
+      configuration_error "Configuring ssl_certificate_authorities requires ssl_client_authentication => to be configured with '#{SSL_CLIENT_AUTH_OPTIONAL}' or '#{SSL_CLIENT_AUTH_REQUIRED}'"
+    end
+  end
+
+  def provided_client_authentication_config(values = [@ssl_client_authentication])
+    if original_params.include?('ssl_verify_mode')
+      ['ssl_verify_mode', *values.map { |v| SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP.key(v) }]
+    else
+      ['ssl_client_authentication', *values]
+    end
+  end
+
+  def setup_ssl_params!
+    @ssl_enabled = normalize_config(:ssl_enabled) do |normalizer|
+      normalizer.with_deprecated_alias(:ssl)
+    end
+
+    @ssl_cipher_suites = normalize_config(:ssl_cipher_suites) do |normalizer|
+      normalizer.with_deprecated_alias(:cipher_suites)
+    end
+
+    @ssl_supported_protocols = normalize_config(:ssl_supported_protocols) do |normalizer|
+      normalizer.with_deprecated_mapping(:tls_min_version, :tls_max_version) do |tls_min_version, tls_max_version|
+        TLS.get_supported(tls_min_version..tls_max_version).map(&:name)
+      end
+    end
+
+    @ssl_client_authentication = normalize_config(:ssl_client_authentication) do |normalizer|
+      normalizer.with_deprecated_mapping(:ssl_verify_mode) do |ssl_verify_mode|
+        normalized_value = SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP[ssl_verify_mode.downcase]
+        fail(LogStash::ConfigurationError, "Unsupported value #{ssl_verify_mode} for deprecated option `ssl_verify_mode`") unless normalized_value
+        normalized_value
+      end
+    end
+
+    params['ssl_enabled'] = @ssl_enabled unless @ssl_enabled.nil?
+    params['ssl_cipher_suites'] = @ssl_cipher_suites unless @ssl_cipher_suites.nil?
+    params['ssl_supported_protocols'] = @ssl_supported_protocols unless @ssl_supported_protocols.nil?
+    params['ssl_client_authentication'] = @ssl_client_authentication unless @ssl_client_authentication.nil?
+  end
+
   def new_ssl_handshake_provider(ssl_context_builder)
     begin
       org.logstash.netty.SslHandlerProvider.new(ssl_context_builder.build_context, @ssl_handshake_timeout)
@@ -312,17 +391,36 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
   def new_ssl_context_builder
     passphrase = @ssl_key_passphrase.nil? ? nil : @ssl_key_passphrase.value
     begin
-      org.logstash.netty.SslContextBuilder.new(@ssl_certificate, @ssl_key, passphrase)
-          .setProtocols(@ssl_supported_protocols_final)
+      ssl_context_builder = org.logstash.netty.SslContextBuilder.new(@ssl_certificate, @ssl_key, passphrase)
+          .setProtocols(@ssl_supported_protocols)
           .setCipherSuites(normalized_cipher_suites)
+
+      if client_authentication_enabled?
+        ssl_context_builder.setClientAuthentication(ssl_context_builder_verify_mode, @ssl_certificate_authorities)
+      end
+
+      ssl_context_builder
     rescue java.lang.IllegalArgumentException => e
       @logger.error("SSL configuration invalid", error_details(e))
       raise LogStash::ConfigurationError, e
     end
   end
 
+  def ssl_context_builder_verify_mode
+    return SslContextBuilder::SslClientVerifyMode::OPTIONAL if client_authentication_optional?
+    return SslContextBuilder::SslClientVerifyMode::REQUIRED if client_authentication_required?
+
+    # Backward compatibility with the deprecated `ssl_verify_mode` and the current `none` overrides
+    if !original_params.include?('ssl_client_authentication') && certificate_authorities_configured?
+      return SslContextBuilder::SslClientVerifyMode::REQUIRED
+    end
+
+    return SslContextBuilder::SslClientVerifyMode::NONE if client_authentication_none?
+    configuration_error "Invalid `ssl_client_authentication` value #{@ssl_client_authentication}"
+  end
+
   def normalized_cipher_suites
-    @ssl_cipher_suites_final.map(&:upcase)
+    @ssl_cipher_suites.map(&:upcase)
   end
 
   def configuration_error(message)

data/lib/logstash-input-beats_jars.rb

@@ -1,11 +1,11 @@
 # AUTOGENERATED BY THE GRADLE SCRIPT. DO NOT EDIT.
 
 require 'jar_dependencies'
-require_jar('io.netty', 'netty-buffer', '4.1.87.Final')
-require_jar('io.netty', 'netty-codec', '4.1.87.Final')
-require_jar('io.netty', 'netty-common', '4.1.87.Final')
-require_jar('io.netty', 'netty-transport', '4.1.87.Final')
-require_jar('io.netty', 'netty-handler', '4.1.87.Final')
-require_jar('io.netty', 'netty-transport-native-unix-common', '4.1.87.Final')
+require_jar('io.netty', 'netty-buffer', '4.1.93.Final')
+require_jar('io.netty', 'netty-codec', '4.1.93.Final')
+require_jar('io.netty', 'netty-common', '4.1.93.Final')
+require_jar('io.netty', 'netty-transport', '4.1.93.Final')
+require_jar('io.netty', 'netty-handler', '4.1.93.Final')
+require_jar('io.netty', 'netty-transport-native-unix-common', '4.1.93.Final')
 require_jar('org.javassist', 'javassist', '3.24.0-GA')
-require_jar('org.logstash.beats', 'logstash-input-beats', '6.5.0')
+require_jar('org.logstash.beats', 'logstash-input-beats', '6.6.1')

data/logstash-input-beats.gemspec

@@ -30,6 +30,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~>1.3'
   s.add_runtime_dependency 'logstash-mixin-event_support', '~>1.0'
   s.add_runtime_dependency 'logstash-mixin-plugin_factory_support', '~>1.0'
+  s.add_runtime_dependency 'logstash-mixin-normalize_config_support', '~>1.0'
 
   s.add_development_dependency "flores", "~>0.0.6"
   s.add_development_dependency "rspec"

data/spec/inputs/beats_spec.rb

@@ -48,10 +48,10 @@ describe LogStash::Inputs::Beats do
 
     context "with ssl enabled" do
 
-      let(:config) { { "ssl" => true, "port" => port, "ssl_key" => certificate.ssl_key, "ssl_certificate" => certificate.ssl_cert } }
+      let(:config) { { "ssl_enabled" => true, "port" => port, "ssl_key" => certificate.ssl_key, "ssl_certificate" => certificate.ssl_cert } }
 
       context "without certificate configuration" do
-        let(:config) { { "port" => 0, "ssl" => true, "ssl_key" => certificate.ssl_key, "type" => "example" } }
+        let(:config) { { "port" => 0, "ssl_enabled" => true, "ssl_key" => certificate.ssl_key, "type" => "example" } }
 
         it "should fail to register the plugin with ConfigurationError" do
           plugin = LogStash::Inputs::Beats.new(config)
@@ -60,7 +60,7 @@ describe LogStash::Inputs::Beats do
       end
 
       context "without key configuration" do
-        let(:config) { { "port" => 0, "ssl" => true, "ssl_certificate" => certificate.ssl_cert, "type" => "example" } }
+        let(:config) { { "port" => 0, "ssl_enabled" => true, "ssl_certificate" => certificate.ssl_cert, "type" => "example" } }
         it "should fail to register the plugin with ConfigurationError" do
           plugin = LogStash::Inputs::Beats.new(config)
           expect { plugin.register }.to raise_error(LogStash::ConfigurationError)
@@ -69,7 +69,7 @@ describe LogStash::Inputs::Beats do
 
       context "with invalid key configuration" do
         let(:p12_key) { certificate.p12_key }
-        let(:config) { { "port" => 0, "ssl" => true, "ssl_certificate" => certificate.ssl_cert, "ssl_key" => p12_key } }
+        let(:config) { { "port" => 0, "ssl_enabled" => true, "ssl_certificate" => certificate.ssl_cert, "ssl_key" => p12_key } }
         it "should fail to register the plugin" do
           plugin = LogStash::Inputs::Beats.new(config)
           expect( plugin.logger ).to receive(:error) do |msg, opts|
@@ -93,34 +93,132 @@ describe LogStash::Inputs::Beats do
         end
       end
 
-      context "verify_mode" do
-        context "verify_mode configured to PEER" do
-          let(:config) { super().merge("ssl_verify_mode" => "peer") }
+      context "deprecated ssl_verify_mode set to 'none'" do
+        let(:config) { super().merge("ssl_verify_mode" => "none") }
 
-          it "raise a ConfigurationError when certificate_authorities is not set" do
+        context "and ssl_certificate_authorities is set" do
+          let(:config) { super().merge("ssl_certificate_authorities" => [certificate.ssl_cert]) }
+          it "should ignore the ssl_verify_mode and use force_peer" do
+            plugin = LogStash::Inputs::Beats.new(config)
+            plugin.register
+            context_builder = plugin.send(:new_ssl_context_builder)
+            expect(context_builder.isClientAuthenticationRequired()).to be_truthy
+          end
+        end
+      end
+
+      context "ssl_client_authentication" do
+        context "normalized from ssl_verify_mode 'none'" do
+          let(:config) { super().merge("ssl_verify_mode" => "none") }
+
+          it "should transform the value to 'none'" do
             plugin = LogStash::Inputs::Beats.new(config)
-            expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "ssl_certificate_authorities => is a required setting when ssl_verify_mode => 'peer' is configured")
+            plugin.register
+
+            expect(plugin.params).to match hash_including("ssl_client_authentication" => "none")
+            expect(plugin.instance_variable_get(:@ssl_client_authentication)).to eql("none")
           end
 
-          it "doesn't raise a configuration error when certificate_authorities is set" do
-            config.merge!({ "ssl_certificate_authorities" => [certificate.ssl_cert]})
+          context "and ssl_certificate_authorities is set" do
+            let(:config) { super().merge("ssl_certificate_authorities" => [certificate.ssl_cert]) }
+            it "should not raise an error" do
+              plugin = LogStash::Inputs::Beats.new(config)
+              expect { plugin.register }.to_not raise_error
+            end
+          end
+        end
+
+        context "normalized from ssl_verify_mode 'peer'" do
+          let(:config) { super().merge("ssl_verify_mode" => "peer", "ssl_certificate_authorities" => [certificate.ssl_cert]) }
+
+          it 'should transform the value to OPTIONAL' do
             plugin = LogStash::Inputs::Beats.new(config)
-            expect {plugin.register}.not_to raise_error
+            plugin.register
+
+            expect(plugin.params).to match hash_including("ssl_client_authentication" => "optional")
+            expect(plugin.instance_variable_get(:@ssl_client_authentication)).to eql("optional")
+          end
+
+          context "with no ssl_certificate_authorities set " do
+            let(:config) { super().reject { |key| "ssl_certificate_authorities".eql?(key) } }
+            it "raise a configuration error" do
+              plugin = LogStash::Inputs::Beats.new(config)
+              expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "ssl_certificate_authorities => is a required setting when ssl_verify_mode => 'peer' is configured")
+            end
+          end
+        end
+
+        context "normalized from ssl_verify_mode 'force_peer'" do
+          let(:config) { super().merge("ssl_verify_mode" => "force_peer", "ssl_certificate_authorities" => [certificate.ssl_cert]) }
+
+          it "should transform the value to 'required'" do
+            plugin = LogStash::Inputs::Beats.new(config)
+            plugin.register
+
+            expect(plugin.params).to match hash_including("ssl_client_authentication" => "required")
+            expect(plugin.instance_variable_get(:@ssl_client_authentication)).to eql("required")
+          end
+
+          context "with no ssl_certificate_authorities set " do
+            let(:config) { super().reject { |key| "ssl_certificate_authorities".eql?(key) } }
+            it "raise a configuration error" do
+              plugin = LogStash::Inputs::Beats.new(config)
+              expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "ssl_certificate_authorities => is a required setting when ssl_verify_mode => 'force_peer' is configured")
+            end
+          end
+        end
+
+        context "configured to 'none'" do
+          let(:config) { super().merge("ssl_client_authentication" => "none") }
+
+          it "doesn't raise an error when certificate_authorities is not set" do
+            plugin = LogStash::Inputs::Beats.new(config)
+            expect {plugin.register}.to_not raise_error
+          end
+
+          context "with certificate_authorities set" do
+            let(:config) { super().merge("ssl_certificate_authorities" => [certificate.ssl_cert]) }
+
+            it "raise a configuration error" do
+              plugin = LogStash::Inputs::Beats.new(config)
+              expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "Configuring ssl_certificate_authorities requires ssl_client_authentication => to be configured with 'optional' or 'required'")
+            end
           end
         end
 
-        context "verify_mode configured to FORCE_PEER" do
-          let(:config) { super().merge("ssl_verify_mode" => "force_peer") }
+        context "configured to 'required'" do
+          let(:config) { super().merge("ssl_client_authentication" => "required") }
 
           it "raise a ConfigurationError when certificate_authorities is not set" do
             plugin = LogStash::Inputs::Beats.new(config)
-            expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "ssl_certificate_authorities => is a required setting when ssl_verify_mode => 'force_peer' is configured")
+            expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "ssl_certificate_authorities => is a required setting when ssl_client_authentication => 'required' is configured")
           end
 
-          it "doesn't raise a configuration error when certificate_authorities is set" do
-            config.merge!({ "ssl_certificate_authorities" => [certificate.ssl_cert]})
+          context "with certificate_authorities set" do
+            let(:config) { super().merge("ssl_certificate_authorities" => [certificate.ssl_cert]) }
+
+            it "doesn't raise a configuration error" do
+              plugin = LogStash::Inputs::Beats.new(config)
+              expect {plugin.register}.not_to raise_error
+            end
+          end
+        end
+
+        context "configured to 'optional'" do
+          let(:config) { super().merge("ssl_client_authentication" => "optional") }
+
+          it "raise a ConfigurationError when certificate_authorities is not set" do
             plugin = LogStash::Inputs::Beats.new(config)
-            expect {plugin.register}.not_to raise_error
+            expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "ssl_certificate_authorities => is a required setting when ssl_client_authentication => 'optional' is configured")
+          end
+
+          context "with certificate_authorities set" do
+            let(:config) { super().merge("ssl_certificate_authorities" => [certificate.ssl_cert]) }
+
+            it "doesn't raise a configuration error" do
+              plugin = LogStash::Inputs::Beats.new(config)
+              expect {plugin.register}.not_to raise_error
+            end
           end
         end
 
@@ -157,12 +255,28 @@ describe LogStash::Inputs::Beats do
             expect { plugin.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_supported_protocols.?/i
           end
         end
+
+        context "with ssl_client_authentication and ssl_verify_mode set" do
+          let(:config) { super().merge("ssl_verify_mode" => "none", "ssl_client_authentication" => "none") }
+          it "raise a configuration error" do
+            plugin = LogStash::Inputs::Beats.new(config)
+            expect { plugin.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_client_authentication.?/i
+          end
+        end
+      end
+
+      context "with ssl and ssl_enabled set" do
+        let(:config) { super().merge("ssl" => true) }
+        it "raise a configuration error" do
+          plugin = LogStash::Inputs::Beats.new(config)
+          expect { plugin.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_enabled.?/i
+        end
       end
     end
 
     context "with ssl disabled" do
       context "and certificate configuration" do
-        let(:config) { { "port" => 0, "ssl" => false, "ssl_certificate" => certificate.ssl_cert, "type" => "example", "tags" => "Beats" } }
+        let(:config) { { "port" => 0, "ssl_enabled" => false, "ssl_certificate" => certificate.ssl_cert, "type" => "example", "tags" => "Beats" } }
 
         it "should not fail" do
           plugin = LogStash::Inputs::Beats.new(config)
@@ -171,7 +285,7 @@ describe LogStash::Inputs::Beats do
       end
 
       context "and certificate key configuration" do
-        let(:config) {{ "port" => 0, "ssl" => false, "ssl_key" => certificate.ssl_key, "type" => "example", "tags" => "beats" }}
+        let(:config) {{ "port" => 0, "ssl_enabled" => false, "ssl_key" => certificate.ssl_key, "type" => "example", "tags" => "beats" }}
 
         it "should not fail" do
           plugin = LogStash::Inputs::Beats.new(config)
@@ -180,13 +294,25 @@ describe LogStash::Inputs::Beats do
       end
 
       context "and no certificate or key configured" do
-        let(:config) {{ "ssl" => false, "port" => 0, "type" => "example", "tags" => "beats" }}
+        let(:config) {{ "ssl_enabled" => false, "port" => 0, "type" => "example", "tags" => "beats" }}
 
         it "should work just fine" do
           plugin = LogStash::Inputs::Beats.new(config)
           expect {plugin.register}.not_to raise_error
         end
       end
+
+      context "and `ssl_` settings provided" do
+        let(:config) { { "port" => 0, "ssl_enabled" => false, "ssl_certificate" => certificate.ssl_cert, "ssl_client_authentication" => "none", "cipher_suites" => ["FOO"] } }
+
+        it "should warn about not using the configs" do
+          plugin = LogStash::Inputs::Beats.new(config)
+          expect( plugin.logger ).to receive(:warn).with('Configured SSL settings are not used when `ssl_enabled` is set to `false`: ["ssl_certificate", "ssl_client_authentication", "cipher_suites"]')
+
+          plugin.register
+
+        end
+      end
     end
 
     context "with multiline codec" do
@@ -387,6 +513,8 @@ describe LogStash::Inputs::Beats do
     let(:config) do
       super().merge(
           "host" => host,
+          "ssl_enabled" => true,
+          "ssl_verify_mode" => 'force_peer',
           "ssl_peer_metadata" => true,
           "ssl_certificate_authorities" => [ certificate.ssl_cert ],
           "ecs_compatibility" => 'disabled'
@@ -447,18 +575,33 @@ describe LogStash::Inputs::Beats do
       org.logstash.beats.Message.new(0, java.util.HashMap.new('foo' => 'bar'))
     end
 
-    it 'sets tls fields' do
-      @message_listener.onNewMessage(ctx, message)
+    context 'with ssl enabled' do
+      it 'sets tls fields' do
+        @message_listener.onNewMessage(ctx, message)
 
-      expect( queue.size ).to be 1
-      expect( event = queue.pop ).to be_a LogStash::Event
+        expect( queue.size ).to be 1
+        expect( event = queue.pop ).to be_a LogStash::Event
 
-      expect( event.get('[@metadata][tls_peer][status]') ).to eql 'verified'
+        expect( event.get('[@metadata][tls_peer][status]') ).to eql 'verified'
 
-      expect( event.get('[@metadata][tls_peer][protocol]') ).to eql 'TLS-Mock'
-      expect( event.get('[@metadata][tls_peer][cipher_suite]') ).to eql 'SSL_NULL_WITH_TEST_SPEC'
-      expect( event.get('[@metadata][tls_peer][subject]') ).to eql 'CN=TEST,OU=RSpec,O=Logstash,C=NL'
+        expect( event.get('[@metadata][tls_peer][protocol]') ).to eql 'TLS-Mock'
+        expect( event.get('[@metadata][tls_peer][cipher_suite]') ).to eql 'SSL_NULL_WITH_TEST_SPEC'
+        expect( event.get('[@metadata][tls_peer][subject]') ).to eql 'CN=TEST,OU=RSpec,O=Logstash,C=NL'
+      end
     end
+
+    context 'with ssl disabled' do
+      let(:config) { super().merge("ssl_enabled" => false) }
+
+      it 'do not set tls fields' do
+        @message_listener.onNewMessage(ctx, message)
+
+        expect( queue.size ).to be 1
+        expect( event = queue.pop ).to be_a LogStash::Event
+        expect( event.get('[@metadata][tls_peer]') ).to be_nil
+      end
+    end
+
   end
 
   context "when interrupting the plugin" do

data/spec/integration/filebeat_spec.rb

@@ -112,7 +112,7 @@ describe "Filebeat", :integration => true do
 
       let(:input_config) do
         super().merge({
-          "ssl" => true,
+          "ssl_enabled" => true,
           "ssl_certificate" => certificate_file,
           "ssl_key" => certificate_key_file
         })
@@ -146,7 +146,7 @@ describe "Filebeat", :integration => true do
 
           let(:input_config) {
             super().merge({
-              "cipher_suites" => [logstash_cipher],
+              "ssl_cipher_suites" => [logstash_cipher],
               "tls_min_version" => "1.2"
             })
           }
@@ -281,11 +281,11 @@ describe "Filebeat", :integration => true do
 
         let(:input_config) do
           super().merge({
-            "ssl" => true,
+            "ssl_enabled" => true,
             "ssl_certificate_authorities" => certificate_authorities,
             "ssl_certificate" => server_certificate_file,
             "ssl_key" => server_certificate_key_file,
-            "ssl_verify_mode" => "force_peer"
+            "ssl_client_authentication" => "required"
           })
         end
 

data/spec/integration/logstash_forwarder_spec.rb

@@ -75,7 +75,7 @@ describe "Logstash-Forwarder", :integration => true do
     context "Server Verification" do
       let(:input_config) do
         super().merge({
-          "ssl" => true,
+          "ssl_enabled" => true,
           "ssl_certificate" => certificate_file,
           "ssl_key" => certificate_key_file,
         })

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-beats
 version: !ruby/object:Gem::Version
-  version: 6.5.0
+  version: 6.6.1
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-31 00:00:00.000000000 Z
+date: 2023-06-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -148,6 +148,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  name: logstash-mixin-normalize_config_support
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -306,14 +320,14 @@ files:
 - spec/support/integration_shared_context.rb
 - spec/support/logstash_test.rb
 - spec/support/shared_examples.rb
-- vendor/jar-dependencies/io/netty/netty-buffer/4.1.87.Final/netty-buffer-4.1.87.Final.jar
-- vendor/jar-dependencies/io/netty/netty-codec/4.1.87.Final/netty-codec-4.1.87.Final.jar
-- vendor/jar-dependencies/io/netty/netty-common/4.1.87.Final/netty-common-4.1.87.Final.jar
-- vendor/jar-dependencies/io/netty/netty-handler/4.1.87.Final/netty-handler-4.1.87.Final.jar
-- vendor/jar-dependencies/io/netty/netty-transport-native-unix-common/4.1.87.Final/netty-transport-native-unix-common-4.1.87.Final.jar
-- vendor/jar-dependencies/io/netty/netty-transport/4.1.87.Final/netty-transport-4.1.87.Final.jar
+- vendor/jar-dependencies/io/netty/netty-buffer/4.1.93.Final/netty-buffer-4.1.93.Final.jar
+- vendor/jar-dependencies/io/netty/netty-codec/4.1.93.Final/netty-codec-4.1.93.Final.jar
+- vendor/jar-dependencies/io/netty/netty-common/4.1.93.Final/netty-common-4.1.93.Final.jar
+- vendor/jar-dependencies/io/netty/netty-handler/4.1.93.Final/netty-handler-4.1.93.Final.jar
+- vendor/jar-dependencies/io/netty/netty-transport-native-unix-common/4.1.93.Final/netty-transport-native-unix-common-4.1.93.Final.jar
+- vendor/jar-dependencies/io/netty/netty-transport/4.1.93.Final/netty-transport-4.1.93.Final.jar
 - vendor/jar-dependencies/org/javassist/javassist/3.24.0-GA/javassist-3.24.0-GA.jar
-- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/6.5.0/logstash-input-beats-6.5.0.jar
+- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/6.6.1/logstash-input-beats-6.6.1.jar
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache License (2.0)
@@ -336,7 +350,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.2.33
 signing_key:
 specification_version: 4
 summary: Receives events from the Elastic Beats framework