logstash-input-beats 3.1.7-java → 3.1.8-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4971aaa1b795f9f4c3b5cd40be9dbc436539fbb8
-  data.tar.gz: 9dd88323afe16f7c5c3289df29bf87856145fde4
+  metadata.gz: 7f61bf44bb58b65cd4824bfe25ce81730c1d99cf
+  data.tar.gz: 77846db87b2f4269f35e1e5cb928b082642829cd
 SHA512:
-  metadata.gz: 812fb47b55172830f48dfe260b5685edd74eb29e9aa87129c20edbe8cf34561f6c25b2a40b863120fb298cc37b903910b5a0fde90a613c9d51bf5f286c6c369b
-  data.tar.gz: a60ca7c6c682aea51640d11e3c40e866513d49df4cc441faca02844e732bd41caa8c13f252448fde0f4355abd864cfc6a0425ff720c272a3347a7f97255d8cc1
+  metadata.gz: 373b8e4f362389c414de7c847b6ea7604abb7b1c147952688940771bd8f1ffe51bd941efe06861c4a97426db99ad3d743eb455abf50c76670a5d089bcf8de8cc
+  data.tar.gz: 56f197051770a9fd49a0146000015d2fa83f894706ccb6e8773e8938d2e37201d3bd2073ad23fb4f27517d2a10d84b1457ca45084e5ca018edbe61e436df8737

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 3.1.8
+  - Fix a typo in the default ciphers suite, added validations for the configured ciphers #156
+  - validate the presence of `ssl_certificate_authorities` when `verify_mode` is set to FORCE_PEER or peer #155
+
 ## 3.1.7
   - Fix an issue when only the first CA found in the certificate authorities was taking into consideration to verify clients #153
 

data/VERSION

@@ -1 +1 @@
-3.1.7
+3.1.8

data/lib/logstash-input-beats_jars.rb

@@ -2,11 +2,11 @@
 
 require 'jar_dependencies'
 require_jar('io.netty', 'netty-all', '4.1.3.Final')
-require_jar('io.netty', 'netty-tcnative-boringssl-static', '1.1.33.Fork17')
+require_jar('io.netty', 'netty-tcnative-boringssl-static', '1.1.33.Fork23')
 require_jar('org.javassist', 'javassist', '3.20.0-GA')
 require_jar('com.fasterxml.jackson.core', 'jackson-core', '2.7.5')
 require_jar('com.fasterxml.jackson.core', 'jackson-annotations', '2.7.5')
 require_jar('com.fasterxml.jackson.core', 'jackson-databind', '2.7.5')
 require_jar('com.fasterxml.jackson.module', 'jackson-module-afterburner', '2.7.5')
 require_jar('log4j', 'log4j', '1.2.17')
-require_jar('org.logstash.beats', 'logstash-input-beats', '3.1.7')
+require_jar('org.logstash.beats', 'logstash-input-beats', '3.1.8')

data/lib/logstash/inputs/beats.rb

@@ -10,6 +10,7 @@ require "logstash-input-beats_jars"
 import "org.logstash.beats.Server"
 import "org.logstash.netty.SslSimpleBuilder"
 import "java.io.FileInputStream"
+java_import "io.netty.handler.ssl.OpenSsl"
 
 # This input plugin enables Logstash to receive events from the
 # https://www.elastic.co/products/beats[Elastic Beats] framework.
@@ -152,6 +153,10 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
       raise LogStash::ConfigurationError, "Certificate or Certificate Key not configured"
     end
 
+    if @ssl && require_certificate_authorities? && !client_authentification?
+      raise LogStash::ConfigurationError, "Using `verify_mode` set to PEER or FORCE_PEER, requires the configuration of `certificate_authorities`"
+    end
+
     @logger.info("Beats inputs: Starting input listener", :address => "#{@host}:#{@port}")
 
     # wrap the configured codec to support identity stream
@@ -169,9 +174,14 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
   def create_server
     server = org.logstash.beats.Server.new(@host, @port)
     if @ssl
+
+      begin
       ssl_builder = org.logstash.netty.SslSimpleBuilder.new(@ssl_certificate, @ssl_key, @ssl_key_passphrase.nil? ? nil : @ssl_key_passphrase.value)
         .setProtocols(convert_protocols)
         .setCipherSuites(normalized_ciphers)
+      rescue java.lang.IllegalArgumentException => e
+        raise LogStash::ConfigurationError, e
+      end
 
       ssl_builder.setHandshakeTimeoutMilliseconds(@ssl_handshake_timeout)
 
@@ -203,7 +213,7 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
   end # def run
 
   def stop
-    @server.stop
+    @server.stop unless @server.nil?
   end
 
   def need_identity_map?
@@ -214,6 +224,10 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
     @ssl_certificate_authorities && @ssl_certificate_authorities.size > 0
   end
 
+  def require_certificate_authorities?
+    @ssl_verify_mode == "force_peer" || @ssl_verify_mode == "peer"
+  end
+
   def normalized_ciphers
     @cipher_suites.map(&:upcase)
   end

data/lib/tasks/test.rake

@@ -3,9 +3,9 @@ OS_PLATFORM = RbConfig::CONFIG["host_os"]
 VENDOR_PATH = File.expand_path(File.join(File.dirname(__FILE__), "..", "..", "vendor"))
 
 if OS_PLATFORM == "linux"
-  FILEBEAT_URL = "https://beats-nightlies.s3.amazonaws.com/filebeat/filebeat-6.0.0-alpha1-SNAPSHOT-linux-x86_64.tar.gz"
+  FILEBEAT_URL = "https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.0.0-linux-x86_64.tar.gz"
 elsif OS_PLATFORM == "darwin"
-  FILEBEAT_URL = "https://beats-nightlies.s3.amazonaws.com/filebeat/filebeat-6.0.0-alpha1-SNAPSHOT-darwin-x86_64.tar.gz"
+  FILEBEAT_URL = "https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.0.0-darwin-x86_64.tar.gz"
 end
 
 LSF_URL = "https://download.elastic.co/logstash-forwarder/binaries/logstash-forwarder_#{OS_PLATFORM}_amd64"

data/spec/inputs/beats_spec.rb

@@ -61,6 +61,47 @@ describe LogStash::Inputs::Beats do
           expect {plugin.register}.to raise_error(LogStash::ConfigurationError)
         end
       end
+
+      context "with invalid ciphers" do
+        let(:config)   { { "port" => 0, "ssl" => true, "ssl_certificate" => certificate.ssl_cert, "type" => "example", "tags" => "Beats", "cipher_suites" => "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38"} }
+
+        it "should raise a configuration error" do
+          plugin = LogStash::Inputs::Beats.new(config)
+          expect { plugin.register }.to raise_error(LogStash::ConfigurationError)
+        end
+      end
+
+      context "verify_mode" do
+        context "verify_mode configured to PEER" do
+          let(:config)   { { "port" => 0, "ssl" => true, "ssl_verify_mode" => "peer", "ssl_certificate" => certificate.ssl_cert, "ssl_key" => certificate.ssl_key, "type" => "example", "tags" => "Beats"} }
+
+          it "raise a ConfigurationError when certificate_authorities is not set" do
+            plugin = LogStash::Inputs::Beats.new(config)
+            expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "Using `verify_mode` set to PEER or FORCE_PEER, requires the configuration of `certificate_authorities`")
+          end
+
+          it "doesn't raise a configuration error when certificate_authorities is set" do
+            config.merge!({ "ssl_certificate_authorities" => [certificate.ssl_cert]})
+            plugin = LogStash::Inputs::Beats.new(config)
+            expect {plugin.register}.not_to raise_error
+          end
+        end
+
+        context "verify_mode configured to FORCE_PEER" do
+          let(:config)   { { "port" => 0, "ssl" => true, "ssl_verify_mode" => "force_peer", "ssl_certificate" => certificate.ssl_cert, "ssl_key" => certificate.ssl_key, "type" => "example", "tags" => "Beats"} }
+
+          it "raise a ConfigurationError when certificate_authorities is not set" do
+            plugin = LogStash::Inputs::Beats.new(config)
+            expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "Using `verify_mode` set to PEER or FORCE_PEER, requires the configuration of `certificate_authorities`")
+          end
+
+          it "doesn't raise a configuration error when certificate_authorities is set" do
+            config.merge!({ "ssl_certificate_authorities" => [certificate.ssl_cert]})
+            plugin = LogStash::Inputs::Beats.new(config)
+            expect {plugin.register}.not_to raise_error
+          end
+        end
+      end
     end
 
     context "with ssl disabled" do

data/spec/integration/filebeat_spec.rb

@@ -111,6 +111,51 @@ describe "Filebeat", :integration => true do
       context "self signed certificate" do
         include_examples "send events"
 
+        context "when specifying a cipher" do
+          let(:filebeat_config) do
+            super.merge({
+              "output" => {
+                "logstash" => {
+                  "hosts" => ["#{host}:#{port}"],
+                  "ssl" => {
+                    "certificate_authorities" => certificate_authorities,
+                    "versions" => ["TLSv1.2"],
+                    "cipher_suites" => [beats_cipher]
+                  }
+                },
+                "logging" => { "level" => "debug" }
+              }})
+          end
+
+          let(:input_config) {
+            super.merge({
+              "cipher_suites" => [logstash_cipher],
+              "tls_min_version" => "1.2"
+            })
+          }
+
+          context "when the cipher is supported" do
+            {
+              #Not Working? "ECDHE-ECDSA-AES-256-GCM-SHA384" => "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+              "ECDHE-RSA-AES-256-GCM-SHA384" => "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+              #Not working? "ECDHE-ECDSA-AES-128-GCM-SHA256" => "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+              "ECDHE-RSA-AES-128-GCM-SHA256" => "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+            }.each do |b_cipher, l_cipher|
+              context "with protocol: `TLSv1.2` and cipher: beats: #{b_cipher}, logstash: #{l_cipher}" do
+                let(:beats_cipher) { b_cipher }
+                let(:logstash_cipher) { l_cipher }
+                include_examples "send events"
+              end
+            end
+
+            context "when the cipher is not supported" do
+              let(:beats_cipher) { "ECDHE-RSA-AES-128-GCM-SHA256" }
+              let(:logstash_cipher) { "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
+
+              include_examples "doesn't send events"
+            end
+          end
+        end
 
         # Refactor this to use Flores's PKI instead of openssl command line
         # see: https://github.com/jordansissel/ruby-flores/issues/7

data/spec/support/integration_shared_context.rb

@@ -48,14 +48,6 @@ shared_context "beats configuration" do
 
     @server = Thread.new do
       begin
-        # use to know what lumberjack is actually doing
-        if ENV["DEBUG"]
-          logger = Logger.new(STDOUT)
-          beats.logger = Cabin::Channel.new
-          beats.logger.subscribe(logger)
-          beats.logger.level = :debug
-        end
-
         beats.run(queue)
       rescue => e
         retry unless beats.stop?

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-beats
 version: !ruby/object:Gem::Version
-  version: 3.1.7
+  version: 3.1.8
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-10-28 00:00:00.000000000 Z
+date: 2016-11-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -265,10 +265,10 @@ files:
 - vendor/jar-dependencies/com/fasterxml/jackson/core/jackson-databind/2.7.5/jackson-databind-2.7.5.jar
 - vendor/jar-dependencies/com/fasterxml/jackson/module/jackson-module-afterburner/2.7.5/jackson-module-afterburner-2.7.5.jar
 - vendor/jar-dependencies/io/netty/netty-all/4.1.3.Final/netty-all-4.1.3.Final.jar
-- vendor/jar-dependencies/io/netty/netty-tcnative-boringssl-static/1.1.33.Fork17/netty-tcnative-boringssl-static-1.1.33.Fork17.jar
+- vendor/jar-dependencies/io/netty/netty-tcnative-boringssl-static/1.1.33.Fork23/netty-tcnative-boringssl-static-1.1.33.Fork23.jar
 - vendor/jar-dependencies/log4j/log4j/1.2.17/log4j-1.2.17.jar
 - vendor/jar-dependencies/org/javassist/javassist/3.20.0-GA/javassist-3.20.0-GA.jar
-- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/3.1.7/logstash-input-beats-3.1.7.jar
+- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/3.1.8/logstash-input-beats-3.1.8.jar
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache License (2.0)