logstash-input-http 3.5.1-java → 3.6.0-java
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/VERSION +1 -1
- data/docs/index.asciidoc +41 -11
- data/lib/logstash/inputs/http.rb +50 -28
- data/lib/logstash-input-http_jars.rb +1 -1
- data/spec/inputs/http_spec.rb +93 -32
- data/vendor/jar-dependencies/org/logstash/plugins/input/http/logstash-input-http/3.6.0/logstash-input-http-3.6.0.jar +0 -0
- metadata +3 -3
- data/vendor/jar-dependencies/org/logstash/plugins/input/http/logstash-input-http/3.5.1/logstash-input-http-3.5.1.jar +0 -0
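--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: aa318266e4bda14335b9ff0a9334d984e0a52cecaefa7037a064aef4e8df7015
+data.tar.gz: efe4a565498fda944f2b2e9a91813a2ecc70ed9b4a89bae7ba2730221eef8549
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b52359e3a884877733f41ce7885bba97dc578db0c4fbdf708a498a13cc06a38efc319b2e72f5f788d6287f0c8a33f419a811e01776661e1eea313682948439d7
+data.tar.gz: e953789900e9f5d98593c3d83ad1d100b83433abf109a708c90c2eb04291d18f1339419a6f498a830103ba894bac03a02944094495873260a9cfab9c1c8ae666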
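--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 3.6.0
+- Feat: review and deprecate ssl protocol/cipher related settings [#151](https://github.com/logstash-plugins/logstash-input-http/pull/151)
+
 ## 3.5.1
 - Fix: codecs provided with `additional_codecs` now correctly run in the pipeline's context, which means that they respect the `pipeline.ecs_compatibility` setting [#152](https://github.com/logstash-plugins/logstash-input-http/pull/152)
 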
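--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-3.
+3.6.0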
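--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -104,9 +104,11 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_handshake_timeout>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
 | <<plugins-{type}s-{plugin}-threads>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|No
@@ -134,20 +136,20 @@ and no codec for the request's content-type is found
 ===== `cipher_suites`
 
 * Value type is <<array,array>>
-*
+* This option is deprecated
 
 The list of cipher suites to use, listed by priorities.
-
-
-
+
+NOTE: This option is deprecated and it will be removed in the next major version of Logstash.
+Use `ssl_cipher_suites` instead.
 
 [id="plugins-{type}s-{plugin}-ecs_compatibility"]
 ===== `ecs_compatibility`
 
-* Value type is <<string,string>>
-* Supported values are:
-** `disabled`: unstructured connection metadata added at root level
-** `v1`,`v8`: headers added under `[@metadata][http][header]`. Some are copied to structured ECS fields `http`, `url`, `user_agent` and `host`
+* Value type is <<string,string>>
+* Supported values are:
+** `disabled`: unstructured connection metadata added at root level
+** `v1`,`v8`: headers added under `[@metadata][http][header]`. Some are copied to structured ECS fields `http`, `url`, `user_agent` and `host`
 
 Controls this plugin's compatibility with the
 {ecs-ref}[Elastic Common Schema (ECS)].
@@ -345,6 +347,17 @@ be read and added to the trust store. You need to configure the `ssl_verify_mode
 to `peer` or `force_peer` to enable the verification.
 
 
+[id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
+===== `ssl_cipher_suites`
+
+* Value type is <<array,array>>
+* Default value is `['TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256']`
+
+The list of cipher suites to use, listed by priorities.
+This default list applies for OpenJDK 11.0.14 and higher.
+For older JDK versions, the default list includes only suites supported by that version.
+For example, the ChaCha20 family of ciphers is not supported in older versions.
+
 [id="plugins-{type}s-{plugin}-ssl_handshake_timeout"]
 ===== `ssl_handshake_timeout`
 
@@ -371,6 +384,23 @@ for more information.
 
 SSL key passphrase to use.
 
+[id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
+===== `ssl_supported_protocols`
+
+* Value type is <<array,array>>
+* Allowed values are: `'TLSv1.1'`, `'TLSv1.2'`, `'TLSv1.3'`
+* Default depends on the JDK being used. With up-to-date Logstash, the default is `['TLSv1.2', 'TLSv1.3']`.
+`'TLSv1.1'` is not considered secure and is only provided for legacy applications.
+
+List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.
+
+For Java 8 `'TLSv1.3'` is supported only since **8u262** (AdoptOpenJDK), but requires that you set the
+`LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3"` system property in Logstash.
+
+NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as the one packaged with Logstash,
+the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
+the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
+
 [id="plugins-{type}s-{plugin}-ssl_verify_mode"]
 ===== `ssl_verify_mode`
 
@@ -399,7 +429,7 @@ Number of threads to use for both accepting connections and handling requests
 ===== `tls_max_version`
 
 * Value type is <<number,number>>
-*
+* This option is deprecated
 
 The maximum TLS version allowed for the encrypted connections.
 The value must be the one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3
@@ -408,7 +438,7 @@ The value must be the one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.
 ===== `tls_min_version`
 
 * Value type is <<number,number>>
-*
+* This option is deprecated
 
 The minimum TLS version allowed for the encrypted connections.
 The value must be one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3
@@ -430,7 +460,7 @@ Username for basic authorization
 
 Set the client certificate verification method. Valid methods: none, peer, force_peer
 
-
+NOTE: This option is deprecated and it will be removed in the next major version of Logstash.
 Use `ssl_verify_mode` instead.
 
 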
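--- a/data/lib/logstash/inputs/http.rb
+++ b/data/lib/logstash/inputs/http.rb
@@ -30,6 +30,7 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
 require "logstash/inputs/http/tls"
 
 java_import "io.netty.handler.codec.http.HttpUtil"
+java_import 'org.logstash.plugins.inputs.http.util.SslSimpleBuilder'
 
 config_name "http"
 
@@ -86,16 +87,11 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
 # Time in milliseconds for an incomplete ssl handshake to timeout
 config :ssl_handshake_timeout, :validate => :number, :default => 10000
 
-# The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
-# 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
-config :tls_min_version, :validate => :number, :default => TLS.min.version
-
-# The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
-# 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
-config :tls_max_version, :validate => :number, :default => TLS.max.version
-
 # The list of ciphers suite to use, listed by priorities.
-config :
+config :ssl_cipher_suites, :validate => SslSimpleBuilder::SUPPORTED_CIPHERS.to_a,
+:default => SslSimpleBuilder.getDefaultCiphers, :list => true
+
+config :ssl_supported_protocols, :validate => ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'], :default => ['TLSv1.2', 'TLSv1.3'], :list => true
 
 # Apply specific codecs for specific content types.
 # The default codec will be applied only after this list is checked
@@ -118,14 +114,23 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
 config :max_content_length, :validate => :number, :required => false, :default => 100 * 1024 * 1024
 
 config :response_code, :validate => [200, 201, 202, 204], :default => 200
+
 # Deprecated options
 
 # The JKS keystore to validate the client's certificates
 config :keystore, :validate => :path, :deprecated => "Set 'ssl_certificate' and 'ssl_key' instead."
 config :keystore_password, :validate => :password, :deprecated => "Set 'ssl_key_passphrase' instead."
 
-config :verify_mode, :validate => ['none', 'peer', 'force_peer'], :default => 'none',
-
+config :verify_mode, :validate => ['none', 'peer', 'force_peer'], :default => 'none', :deprecated => "Set 'ssl_verify_mode' instead."
+config :cipher_suites, :validate => :array, :default => [], :deprecated => "Set 'ssl_cipher_suites' instead."
+
+# The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
+# 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
+config :tls_min_version, :validate => :number, :default => TLS.min.version, :deprecated => "Set 'ssl_supported_protocols' instead."
+
+# The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
+# 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
+config :tls_max_version, :validate => :number, :default => TLS.max.version, :deprecated => "Set 'ssl_supported_protocols' instead."
 
 attr_reader :codecs
 
@@ -233,24 +238,45 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
 @logger.warn("SSL Certificate will not be used") if @ssl_certificate
 @logger.warn("SSL Key will not be used") if @ssl_key
 @logger.warn("SSL Java Key Store will not be used") if @keystore
-
+return # code bellow assumes `ssl => true`
+end
+
+if !(ssl_key_configured? || ssl_jks_configured?)
 raise LogStash::ConfigurationError, "Certificate or JKS must be configured"
 end
 
-if
-
+if original_params.key?("verify_mode") && original_params.key?("ssl_verify_mode")
+raise LogStash::ConfigurationError, "Both `ssl_verify_mode` and (deprecated) `verify_mode` were set. Use only `ssl_verify_mode`."
 elsif original_params.key?("verify_mode")
 @ssl_verify_mode_final = @verify_mode
-elsif original_params.key?("ssl_verify_mode")
-@ssl_verify_mode_final = @ssl_verify_mode
 else
 @ssl_verify_mode_final = @ssl_verify_mode
 end
 
-if
-raise LogStash::ConfigurationError, "
-elsif
-
+if original_params.key?('cipher_suites') && original_params.key?('ssl_cipher_suites')
+raise LogStash::ConfigurationError, "Both `ssl_cipher_suites` and (deprecated) `cipher_suites` were set. Use only `ssl_cipher_suites`."
+elsif original_params.key?('cipher_suites')
+@ssl_cipher_suites_final = @cipher_suites
+else
+@ssl_cipher_suites_final = @ssl_cipher_suites
+end
+
+if original_params.key?('tls_min_version') && original_params.key?('ssl_supported_protocols')
+raise LogStash::ConfigurationError, "Both `ssl_supported_protocols` and (deprecated) `tls_min_ciphers` were set. Use only `ssl_supported_protocols`."
+elsif original_params.key?('tls_max_version') && original_params.key?('ssl_supported_protocols')
+raise LogStash::ConfigurationError, "Both `ssl_supported_protocols` and (deprecated) `tls_max_ciphers` were set. Use only `ssl_supported_protocols`."
+else
+if original_params.key?('tls_min_version') || original_params.key?('tls_max_version')
+@ssl_supported_protocols_final = TLS.get_supported(tls_min_version..tls_max_version).map(&:name)
+else
+@ssl_supported_protocols_final = @ssl_supported_protocols
+end
+end
+
+if require_certificate_authorities? && !client_authentication?
+raise LogStash::ConfigurationError, "Using `ssl_verify_mode` (or `verify_mode`) set to PEER or FORCE_PEER, requires the configuration of `ssl_certificate_authorities`"
+elsif !require_certificate_authorities? && client_authentication?
+raise LogStash::ConfigurationError, "The configuration of `ssl_certificate_authorities` requires setting `ssl_verify_mode` (or `verify_mode`) to PEER or FORCE_PEER"
 end
 end
 
@@ -268,7 +294,7 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
 begin
 ssl_builder = org.logstash.plugins.inputs.http.util.SslSimpleBuilder
 .new(@ssl_certificate, @ssl_key, @ssl_key_passphrase.nil? ? nil : @ssl_key_passphrase.value)
-.setCipherSuites(
+.setCipherSuites(normalized_cipher_suites)
 rescue java.lang.IllegalArgumentException => e
 @logger.error("SSL configuration invalid", error_details(e))
 raise LogStash::ConfigurationError, e
@@ -300,19 +326,15 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
 
 private
 
-def
-@
-end
-
-def convert_protocols
-TLS.get_supported(@tls_min_version..@tls_max_version).map(&:name)
+def normalized_cipher_suites
+@ssl_cipher_suites_final.map(&:upcase)
 end
 
 def new_ssl_handshake_provider(ssl_builder)
 begin
 ssl_handler_provider = org.logstash.plugins.inputs.http.util.SslHandlerProvider.new(ssl_builder.build())
 ssl_handler_provider.setVerifyMode(@ssl_verify_mode_final.upcase)
-ssl_handler_provider.setProtocols(
+ssl_handler_provider.setProtocols(@ssl_supported_protocols_final)
 ssl_handler_provider.setHandshakeTimeoutMilliseconds(@ssl_handshake_timeout)
 ssl_handler_provider
 rescue java.lang.IllegalArgumentException => e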
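Review bot: The two conflict errors for the TLS version options (new lines 265 and 267) name `tls_min_ciphers` and `tls_max_ciphers`, which are not options declared in this file, so an operator who hits the error is pointed at a setting that does not exist. The messages should name the options the conditions actually test, `tls_min_version` and `tls_max_version`. Separately, on the deprecated path at new line 270 the range is `tls_min_version..tls_max_version`, so when only one of the two is set the other bound stays at its `TLS.min.version` / `TLS.max.version` default; depending on what those resolve to (not visible here), the effective protocol list may be wider than the new `['TLSv1.2', 'TLSv1.3']` default. A comment at that line stating the fallback, for example `# unset bound falls back to TLS.min/TLS.max, not to ssl_supported_protocols`, would make it visible to whoever maintains the deprecation. The enclosing method starts and ends outside the hunks shown.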
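--- a/data/spec/inputs/http_spec.rb
+++ b/data/spec/inputs/http_spec.rb
@@ -169,10 +169,10 @@ describe LogStash::Inputs::Http do
 
 let(:config) do
 super().merge 'ssl' => true,
-
-
-
-
+'ssl_certificate_authorities' => [ File.join(certs_dir, 'root.crt') ],
+'ssl_certificate' => File.join(certs_dir, 'server_from_root.crt'),
+'ssl_key' => File.join(certs_dir, 'server_from_root.key.pkcs8'),
+'ssl_verify_mode' => 'peer'
 end
 
 let(:client_options) do
@@ -219,7 +219,21 @@ describe LogStash::Inputs::Http do
 
 context 'enforced TLSv1.3 in plugin' do
 
-let(:config) { super().merge '
+let(:config) { super().merge 'ssl_supported_protocols' => ['TLSv1.3'],
+'ssl_cipher_suites' => [ 'TLS_AES_128_GCM_SHA256' ] }
+
+it "should parse the json body" do
+expect(response.code).to eq(200)
+event = logstash_queue.pop
+expect(event.get("message")).to eq("Hello")
+end
+
+end
+
+context 'enforced TLSv1.3 (deprecated options)' do
+
+let(:config) { super().merge 'tls_min_version' => 1.3,
+'cipher_suites' => [ 'TLS_AES_128_GCM_SHA256' ] }
 
 it "should parse the json body" do
 expect(response.code).to eq(200)
@@ -537,6 +551,12 @@ describe LogStash::Inputs::Http do
 expect { subject.register }.to raise_exception(LogStash::ConfigurationError)
 end
 end
+context "with invalid cipher suites" do
+it "should raise a configuration error" do
+invalid_config = config.merge("ssl_cipher_suites" => "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38")
+expect { LogStash::Inputs::Http.new(invalid_config) }.to raise_error(LogStash::ConfigurationError)
+end
+end
 context "with :ssl_certificate" do
 let(:ssc) { SelfSignedCertificate.new }
 let(:ssl_certificate) { ssc.certificate }
@@ -595,18 +615,6 @@ describe LogStash::Inputs::Http do
 end
 end
 
-context "with invalid cipher_suites" do
-let(:config) { super().merge("cipher_suites" => "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38") }
-
-it "should raise a configuration error" do
-expect( subject.logger ).to receive(:error) do |msg, opts|
-expect( msg ).to match /.*?configuration invalid/
-expect( opts[:message] ).to match /TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38.*? not available/
-end
-expect { subject.register }.to raise_error(LogStash::ConfigurationError)
-end
-end
-
 context "with invalid ssl certificate" do
 before do
 cert = File.readlines path = config["ssl_certificate"]
@@ -654,9 +662,50 @@ describe LogStash::Inputs::Http do
 end
 end
 
+context "with both verify_mode options set" do
+let(:config) do
+super().merge('ssl_verify_mode' => 'peer', 'verify_mode' => 'none')
+end
+
+it "should raise a configuration error" do
+expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_verify_mode.?/i
+end
+end
+
+context "with ssl_cipher_suites and cipher_suites set" do
+let(:config) do
+super().merge('ssl_cipher_suites' => ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'],
+'cipher_suites' => ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'])
+end
+
+it "should raise a configuration error" do
+expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_cipher_suites.?/i
+end
+end
+
+context "with ssl_supported_protocols and tls_min_version set" do
+let(:config) do
+super().merge('ssl_supported_protocols' => ['TLSv1.2'], 'tls_min_version' => 1.0)
+end
+
+it "should raise a configuration error" do
+expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_supported_protocols.?/i
+end
+end
+
+context "with ssl_supported_protocols and tls_max_version set" do
+let(:config) do
+super().merge('ssl_supported_protocols' => ['TLSv1.2'], 'tls_max_version' => 1.2)
+end
+
+it "should raise a configuration error" do
+expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_supported_protocols.?/i
+end
+end
+
 end
 end
-end
+end
 
 # If we have a setting called `pipeline.ecs_compatibility`, we need to
 # ensure that our additional_codecs are instantiated with the proper
@@ -664,19 +713,11 @@ end if false
 # respected.
 if LogStash::SETTINGS.registered?('pipeline.ecs_compatibility')
 
-def with_setting(name, value, &block)
-setting = LogStash::SETTINGS.get_setting(name)
-was_set, orignial_value = setting.set?, setting.value
-setting.set(value)
-
-yield(true)
-
-ensure
-was_set ? setting.set(orignial_value) : setting.reset
-end
-
 def setting_value_supported?(name, value)
-
+setting = ::LogStash::SETTINGS.clone.get_setting(name)
+setting.set(value)
+setting.validate_value
+true
 rescue
 false
 end
@@ -688,12 +729,32 @@ if LogStash::SETTINGS.registered?('pipeline.ecs_compatibility')
 %w(disabled v1 v8).each do |spec|
 if setting_value_supported?('pipeline.ecs_compatibility', spec)
 context "with `pipeline.ecs_compatibility: #{spec}`" do
-
+# Override DevUtils's `new_pipeline` default to inject pipeline settings that
+# are different than our global settings, so that we can validate the condition
+# where pipeline settings override global settings.
+def new_pipeline(config_parts, pipeline_id = :main, settings = pipeline_settings)
+super(config_parts, pipeline_id, settings)
+end
+
+let(:pipeline_settings) do
+::LogStash::SETTINGS.clone.tap do |s|
+s.set('pipeline.ecs_compatibility', spec)
+end
+end
 
 it 'propagates the ecs_compatibility pipeline setting to the additional_codecs' do
+# Ensure plugins pick up pipeline-level setting over the global default.
+aggregate_failures('precondition') do
+expect(::LogStash::SETTINGS).to_not be_set('pipeline.ecs_compatibility')
+expect(pipeline_settings).to be_set('pipeline.ecs_compatibility')
+end
+
 input("input { http { port => #{port} additional_codecs => { 'application/json' => 'json' 'text/plain' => 'plain' } } }") do |pipeline, queue|
 http_input = pipeline.inputs.first
-
+aggregate_failures('initialization precondition') do
+expect(http_input).to be_a_kind_of(described_class)
+expect(http_input.execution_context&.pipeline&.settings&.to_hash).to eq(pipeline_settings.to_hash)
+end
 
 http_input.codecs.each do |key, value|
 aggregate_failures("Codec for `#{key}`") do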
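Review bot: The two specs that combine `ssl_supported_protocols` with `tls_min_version` or `tls_max_version` (new lines 686–704) assert only `/Use only .?ssl_supported_protocols.?/i`, so they do not pin which deprecated option the error names and would still pass if the message named the wrong one. Including the deprecated option in each pattern, e.g. `/tls_min_version.*Use only .?ssl_supported_protocols.?/i` and the `tls_max_version` equivalent, would cover that. The two `enforced TLSv1.3` contexts (new lines 220–239) check only that a request succeeds; unless an example outside these hunks already does so, a negative example in which the client is limited to a protocol version not in the configured list and the connection is refused would show that the restriction is enforced rather than merely accepted as configuration.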
Binary file
|
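--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-http
 version: !ruby/object:Gem::Version
-version: 3.
+version: 3.6.0
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-04-
+date: 2022-04-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
@@ -173,7 +173,7 @@ files:
 - spec/fixtures/certs/openssl.cnf
 - spec/inputs/http_spec.rb
 - vendor/jar-dependencies/io/netty/netty-all/4.1.65.Final/netty-all-4.1.65.Final.jar
-- vendor/jar-dependencies/org/logstash/plugins/input/http/logstash-input-http/3.
+- vendor/jar-dependencies/org/logstash/plugins/input/http/logstash-input-http/3.6.0/logstash-input-http-3.6.0.jar
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache License (2.0)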