logstash-input-elastic_serverless_forwarder 0.1.1-java → 0.1.3-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0e68d73969ef8dec415c74ce755da13dfa6bad59c99c239e439b5edafd856ea8
-  data.tar.gz: e3d07f9b40953bf1e44b0f26a63beef226aac28bf03b05286e0e90b67ebe60ce
+  metadata.gz: '08bce725c7626a1e3cc794ab1679b2ca61de4f10fb58a4c6efb895af4a4c2a5f'
+  data.tar.gz: b997c8f5c4a7011f219ea2cf338d6813c2cd58350918e9f2fe1d58ece1c43e11
 SHA512:
-  metadata.gz: 8ff5d1b69d172f1293db93a316515779dd68875425b514517ae94edb9f807b5705a40cfeff2b4d613e62b497401a074695ca7abbe65ded013906aad1bbbca459
-  data.tar.gz: abf8b62a5135fc746a38709d43252e9447faae8c10d8c8e434bf70034fe9bdc13e76c346046cd58e6a37dc9728a0126c50dbae07c1ec27b245b4b352367ab5e7
+  metadata.gz: 9f69616a38002781b3f896f67c09cf780f708419bceef0789ef3e7f93f88bafafdea34539468bbb4de793c1231434282912b15dc6dad69da0aabdd63d29d0fd8
+  data.tar.gz: 3b306b08747a7f86611f785ba3b3d477707172b15eb096e2a7854a2bbc6937e2c376a65eb23c8f3e7758a3b6aae81bbb79dc31d73986246ce9264ced232aa698

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 0.1.3
+  - Deprecates the `ssl` option in favor of `ssl_enabled` [#6](https://github.com/logstash-plugins/logstash-input-elastic_serverless_forwarder/pull/6)
+  - Bumps `logstash-input-http` gem version to `>= 3.7.2` (SSL-normalized)
+
+## 0.1.2
+  - [DOC] Adds "Technical Preview" call-out to documentation [#4](https://github.com/logstash-plugins/logstash-input-elastic_serverless_forwarder/pull/4)
+
 ## 0.1.1
   - Fixes an issue that prevents this prototype from being instantiated in an actual Logstash pipeline [#3](https://github.com/logstash-plugins/logstash-input-elastic_serverless_forwarder/pull/3)
 

data/docs/index.asciidoc

@@ -26,7 +26,7 @@ include::{include_path}/plugin_header.asciidoc[]
 Using this input you can receive events from {esf-name} over http(s) connections to the configured <<plugins-{type}s-{plugin}-port>>.
 
 [id="plugins-{type}s-{plugin}-ext-field"]
-====== Minimum Configuration
+===== Minimum Configuration
 [cols="3a,2a"]
 |=======================================================================================================================
 |SSL Enabled              |SSL Disabled
@@ -51,20 +51,33 @@ input {
 input {
   elastic_serverless_forwarder {
     port => 8080
-    ssl => false
+    ssl_enabled => false
   }
 }
 ----
 
 |=======================================================================================================================
 
+.Technical Preview
+****
+This {esf-name} input plugin is part of a _Technical Preview_, which means that both configuration options and implementation details are subject to change in minor releases without being preceded by deprecation warnings.
+
+Before upgrading this plugin or Logstash itself, please pay special attention to this plugin's https://github.com/logstash-plugins/logstash-input-elastic_serverless_forwarder/blob/main/CHANGELOG.md[CHANGELOG.md] to avoid being caught by surprise.
+****
+
+
 [id="plugins-{type}s-{plugin}-enrichment"]
 ==== Enrichment
 
 This input provides _minimal enrichment_ on events, and avoids including information about itself, the client from which it received the data, or about the original event as-decoded from the request.
-If the decoded event has a valid ISO8601-encoded `@timestamp`, it will be used. Otherwise this required field will be populated with the current time.
 
 NOTE: Senders are advised to use care with respect to fields that are {logstash-ref}/processing.html#reserved-fields[reserved in Logstash].
+      ESF sends the Logstash-required `@timestamp` field by default, but if this value is missing it will be populated with the current time.
+
+
+////
+// BEGIN: Elastic-internal implementation details
+//
 
 [id="plugins-{type}s-{plugin}-blocking"]
 ==== Blocking Behavior
@@ -76,6 +89,10 @@ A client that receives an HTTP request timeout is expected to retry the entire r
 When this plugin is blocked, it will reject _new_ requests with HTTP `429 Too Many Requests`.
 Clients that receive `429`-s are expected to wait a moment before retrying the request — exponential back-off is encouraged to ease flood recovery.
 
+//
+// END: Elastic-internal implementation details
+////
+
 [id="plugins-{type}s-{plugin}-security"]
 ==== Security
 
@@ -87,7 +104,7 @@ Additionally, you may wish to authenticate clients using SSL client authenticati
 
 ===== SSL Identity
 
-In order to establish SSL with a client, this input plugin will need to present an SSL certificate that the client trusts and have access to the associated key.
+In order to establish SSL with a client, this input plugin will need to present an SSL certificate that the client trusts, and have access to the associated key.
 These are configurable with <<plugins-{type}s-{plugin}-ssl_certificate>>, <<plugins-{type}s-{plugin}-ssl_key>>, and optionally <<plugins-{type}s-{plugin}-ssl_key_passphrase>>.
 
 ===== SSL Client Authentication
@@ -98,6 +115,8 @@ It can be configured to either request or require client certificates using <<pl
 which often also requires configuring it with a list of <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> to trust.
 When validating a certificate that is presented, <<plugins-{type}s-{plugin}-ssl_verification_mode>> controls how certificates are verified.
 
+NOTE: ESF does not currently support _presenting_ client certificates, so requesting or requiring clients to present identity is only useful when combined with an SSL-terminating proxy.
+
 ===== SSL Advanced Configuration
 
 This plugin exposes several advanced SSL configurations:
@@ -125,11 +144,12 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-auth_basic_password>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-host>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|No
-| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_client_authentication>> |<<string,string>>, one of `["none", "optional", "required"]`|No
 | <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_enabled>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_handshake_timeout>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
@@ -178,6 +198,7 @@ The TCP port to bind to
 
 [id="plugins-{type}s-{plugin}-ssl"]
 ===== `ssl`
+deprecated[0.1.3, Replaced by <<plugins-{type}s-{plugin}-ssl_enabled>>]
 
 * Value type is <<boolean,boolean>>
 * Default value is `true`
@@ -233,9 +254,20 @@ For example, the ChaCha20 family of ciphers is not supported in older versions.
 * Default value is `"none"`
 
 By default the server doesn't do any client authentication.
-This means that connections from clients are private by default, but that this input will allow SSL connections from _any_ client.
+This means that connections from clients are _private_ when SSL is enabled, but that this input will allow SSL connections from _any_ client.
 If you wish to configure this plugin to reject connections from untrusted hosts, you will need to configure this plugin to authenticate clients, and may also need to configure it with a list of `ssl_certificate_authorities`.
 
+
+[id="plugins-{type}s-{plugin}-ssl_enabled"]
+===== `ssl_enabled`
+
+* Value type is <<boolean,boolean>>
+* Default value is `true`
+
+Events are, by default, sent over SSL, which requires configuring this plugin to present an identity certificate using <<plugins-{type}s-{plugin}-ssl_certificate>> and key using <<plugins-{type}s-{plugin}-ssl_key>>.
+
+You can disable SSL with `+ssl_enabled => false+`.
+
 [id="plugins-{type}s-{plugin}-ssl_handshake_timeout"]
 ===== `ssl_handshake_timeout`
 

data/lib/logstash/inputs/elastic_serverless_forwarder.rb

@@ -3,12 +3,14 @@ require "logstash/inputs/base"
 require "logstash/namespace"
 
 require "logstash/plugin_mixins/plugin_factory_support"
+require "logstash/plugin_mixins/normalize_config_support"
 
 require 'logstash/inputs/http'
 require 'logstash/codecs/json_lines'
 
 class LogStash::Inputs::ElasticServerlessForwarder < LogStash::Inputs::Base
   include LogStash::PluginMixins::PluginFactorySupport
+  include LogStash::PluginMixins::NormalizeConfigSupport
 
   config_name "elastic_serverless_forwarder"
 
@@ -21,7 +23,8 @@ class LogStash::Inputs::ElasticServerlessForwarder < LogStash::Inputs::Base
   config :auth_basic_password,         :validate => :password
 
   # ssl-config
-  config :ssl,                         :validate => :boolean, :default => true
+  config :ssl,                         :validate => :boolean, :default => true, :deprecated => "Use 'ssl_enabled' instead."
+  config :ssl_enabled,                 :validate => :boolean, :default => true
 
   # ssl-identity
   config :ssl_certificate,             :validate => :path
@@ -38,20 +41,11 @@ class LogStash::Inputs::ElasticServerlessForwarder < LogStash::Inputs::Base
   config :ssl_supported_protocols,     :validate => :string,  :list => true
   config :ssl_handshake_timeout,       :validate => :number,  :default => 10_000
 
-  # we present the ES-like ssl_certificate_authorities, but our
-  # internal http input plugin uses ssl_verify_mode to describe
-  # the same behaviour.
-  SSL_CLIENT_AUTHENTICATION_TO_VERIFY_MODE_MAP = {
-    'none'     => 'none',
-    'optional' => 'peer',
-    'required' => 'force_peer',
-  }.each_value(&:freeze).freeze # deep freeze
-  private_constant :SSL_CLIENT_AUTHENTICATION_TO_VERIFY_MODE_MAP
-
-
   def initialize(*a)
     super
 
+    normalize_ssl_configs!
+
     if original_params.include?('codec')
       fail LogStash::ConfigurationError, 'The `elastic_serverless_forwarder` input does not have an externally-configurable `codec`'
     end
@@ -109,14 +103,14 @@ class LogStash::Inputs::ElasticServerlessForwarder < LogStash::Inputs::Base
       if @auth_basic_username
         http_options['user'] = @auth_basic_username
         http_options['password'] = @auth_basic_password || fail(LogStash::ConfigurationError, '`auth_basic_password` is REQUIRED when `auth_basic_username` is provided')
-        logger.warn("HTTP Basic Auth over non-secured connection") if @ssl == false
+        logger.warn("HTTP Basic Auth over non-secured connection") if @ssl_enabled == false
       end
 
-      if @ssl == false
+      if @ssl_enabled == false
         ignored_ssl_settings = @original_params.keys.grep('ssl_')
-        logger.warn("Explicit SSL-related settings are ignored because `ssl => false`: #{ignored_ssl_settings.keys}") if ignored_ssl_settings.any?
+        logger.warn("Explicit SSL-related settings are ignored because `ssl_enabled => false`: #{ignored_ssl_settings.keys}") if ignored_ssl_settings.any?
       else
-        http_options['ssl'] = true
+        http_options['ssl_enabled'] = true
 
         http_options['ssl_cipher_suites'] = @ssl_cipher_suites if @original_params.include?('ssl_cipher_suites')
         http_options['ssl_supported_protocols'] = @ssl_supported_protocols if @original_params.include?('ssl_supported_protocols')
@@ -131,9 +125,10 @@ class LogStash::Inputs::ElasticServerlessForwarder < LogStash::Inputs::Base
   end
 
   def ssl_identity_options
+    ssl_enabled_config = @original_params.include?('ssl') ? 'ssl' : 'ssl_enabled'
     identity_options = {
-      'ssl_certificate' => @ssl_certificate || fail(LogStash::ConfigurationError, '`ssl_certificate` is REQUIRED when `ssl => true`'),
-      'ssl_key'         => @ssl_key         || fail(LogStash::ConfigurationError, '`ssl_key` is REQUIRED when `ssl => true`')
+      'ssl_certificate' => @ssl_certificate || fail(LogStash::ConfigurationError, "`ssl_certificate` is REQUIRED when `#{ssl_enabled_config} => true`"),
+      'ssl_key'         => @ssl_key         || fail(LogStash::ConfigurationError, "`ssl_key` is REQUIRED when `#{ssl_enabled_config} => true`")
     }
     identity_options['ssl_key_passphrase'] = @ssl_key_passphrase if @original_params.include?('ssl_key_passphrase')
 
@@ -142,7 +137,7 @@ class LogStash::Inputs::ElasticServerlessForwarder < LogStash::Inputs::Base
 
   def ssl_trust_options
     trust_options = {
-      'ssl_verify_mode' => SSL_CLIENT_AUTHENTICATION_TO_VERIFY_MODE_MAP.fetch(@ssl_client_authentication)
+      'ssl_client_authentication' => @ssl_client_authentication
     }
     if @ssl_client_authentication == 'none'
       logger.warn("Explicit `ssl_certificate_authorities` is ignored because `ssl_client_authentication => #{@ssl_client_authentication}`")
@@ -160,6 +155,12 @@ class LogStash::Inputs::ElasticServerlessForwarder < LogStash::Inputs::Base
     }
   end
 
+  def normalize_ssl_configs!
+    @ssl_enabled = normalize_config(:ssl_enabled) do |normalizer|
+      normalizer.with_deprecated_alias(:ssl)
+    end
+  end
+
   class QueueWrapper
     def initialize(wrapped_queue)
       @wrapped_queue = wrapped_queue

data/logstash-input-elastic_serverless_forwarder.gemspec

@@ -2,7 +2,7 @@
 
 Gem::Specification.new do |s|
   s.name = 'logstash-input-elastic_serverless_forwarder'
-  s.version = '0.1.1'
+  s.version = '0.1.3'
   s.licenses = ['Apache License (2.0)']
   s.summary = "Receives events from Elastic Serverless Forwarder over HTTP or HTTPS"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -23,8 +23,9 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
   s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~>1.2'
   s.add_runtime_dependency 'logstash-mixin-plugin_factory_support'
-  s.add_runtime_dependency 'logstash-input-http'
+  s.add_runtime_dependency 'logstash-input-http', '>= 3.7.2'
   s.add_runtime_dependency 'logstash-codec-json_lines'
+  s.add_runtime_dependency 'logstash-mixin-normalize_config_support', '~>1.0'
 
   s.add_development_dependency 'logstash-devutils'
 

data/spec/inputs/elastic_serverless_forwarder_spec.rb

@@ -28,7 +28,7 @@ describe LogStash::Inputs::ElasticServerlessForwarder do
   let!(:queue) { Queue.new }
 
   context 'baseline' do
-    let(:config) { super().merge('ssl' => false) }
+    let(:config) { super().merge('ssl_enabled' => false) }
     let(:scheme) { 'http' }
 
     it_behaves_like "an interruptible input plugin" do
@@ -45,7 +45,7 @@ describe LogStash::Inputs::ElasticServerlessForwarder do
   end
 
   context 'no user-defined codec' do
-    let(:config) { super().merge('ssl' => false) } # minimal config
+    let(:config) { super().merge('ssl_enabled' => false) } # minimal config
 
     ##
     # @codec ivar is required PENDING https://github.com/elastic/logstash/issues/14828
@@ -185,7 +185,7 @@ describe LogStash::Inputs::ElasticServerlessForwarder do
   end
 
   describe 'unsecured HTTP' do
-    let(:config) { super().merge('ssl' => false) }
+    let(:config) { super().merge('ssl_enabled' => false) }
     let(:scheme) { 'http' }
 
     include_examples 'successful request handling'
@@ -321,4 +321,23 @@ describe LogStash::Inputs::ElasticServerlessForwarder do
       end
     end
   end
+
+  describe 'deprecated SSL options' do
+    let(:config) do
+      super().merge({
+        'ssl_certificate' => generated_certs_directory.join('server_from_root.crt').to_path,
+        'ssl_key'         => generated_certs_directory.join('server_from_root.key.pkcs8').to_path,
+      })
+    end
+
+    [true, false].each do |enabled|
+      context "when `ssl => #{enabled}`" do
+        let(:config) { super().merge('ssl' => enabled) }
+
+        it "sets @ssl_enabled to `#{enabled}`" do
+          expect(esf_input.instance_variable_get(:@ssl_enabled)).to be enabled
+        end
+      end
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-elastic_serverless_forwarder
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.3
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-05 00:00:00.000000000 Z
+date: 2023-09-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -63,7 +63,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 3.7.2
   name: logstash-input-http
   prerelease: false
   type: :runtime
@@ -71,7 +71,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 3.7.2
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -86,6 +86,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  name: logstash-mixin-normalize_config_support
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -160,7 +174,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.2.33
 signing_key:
 specification_version: 4
 summary: Receives events from Elastic Serverless Forwarder over HTTP or HTTPS