logstash-input-http 3.5.1-java → 3.6.0-java

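--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 57c80d7659006a5cbaa321016046be88431d7df9ab7aff47c2b6e22670e420aa
- data.tar.gz: fbf35768bf5bfc1bddeb2fab860ca5dd6e7d76eee6e5b03590ea6239ebb0935a
+ metadata.gz: aa318266e4bda14335b9ff0a9334d984e0a52cecaefa7037a064aef4e8df7015
+ data.tar.gz: efe4a565498fda944f2b2e9a91813a2ecc70ed9b4a89bae7ba2730221eef8549
  SHA512:
- metadata.gz: 6474b6cf869b1e9c07f43ddf7c7903496d38d366f02f3a5c4217c16011eb008dcee940bc87d1f77a885c5c92c0f440ea207e56c677431df65d04f9cb3fcafb82
- data.tar.gz: 5ddf0b72e016873e9bce678f74f8052dbad329819fadcfcf431af0d2126251a33901f5033b0948eff2e18f08dd0d107c092f505cabd63b5731c2679a3c13e0af
+ metadata.gz: b52359e3a884877733f41ce7885bba97dc578db0c4fbdf708a498a13cc06a38efc319b2e72f5f788d6287f0c8a33f419a811e01776661e1eea313682948439d7
+ data.tar.gz: e953789900e9f5d98593c3d83ad1d100b83433abf109a708c90c2eb04291d18f1339419a6f498a830103ba894bac03a02944094495873260a9cfab9c1c8ae666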
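--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,6 @@
+ ## 3.6.0
+ - Feat: review and deprecate ssl protocol/cipher related settings [#151](https://github.com/logstash-plugins/logstash-input-http/pull/151)
+
  ## 3.5.1
  - Fix: codecs provided with `additional_codecs` now correctly run in the pipeline's context, which means that they respect the `pipeline.ecs_compatibility` setting [#152](https://github.com/logstash-plugins/logstash-input-http/pull/152)
 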
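--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
- 3.5.1
+ 3.6.0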
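--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -104,9 +104,11 @@ This plugin supports the following configuration options plus the <<plugins-{typ
  | <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|No
  | <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
  | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
+ | <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<array,array>>|No
  | <<plugins-{type}s-{plugin}-ssl_handshake_timeout>> |<<number,number>>|No
  | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
  | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
+ | <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<array,array>>|No
  | <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
  | <<plugins-{type}s-{plugin}-threads>> |<<number,number>>|No
  | <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|No
@@ -134,20 +136,20 @@ and no codec for the request's content-type is found
  ===== `cipher_suites`
 
  * Value type is <<array,array>>
- * Default value is `[TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]`
+ * This option is deprecated
 
  The list of cipher suites to use, listed by priorities.
- This default list applies for OpenJDK 11.0.14 and higher.
- For older JDK versions, the default list includes only suites supported by that version.
- For example, the ChaCha20 family of ciphers is not supported in older versions.
+
+ NOTE: This option is deprecated and it will be removed in the next major version of Logstash.
+ Use `ssl_cipher_suites` instead.
 
  [id="plugins-{type}s-{plugin}-ecs_compatibility"]
  ===== `ecs_compatibility`
 
- * Value type is <<string,string>>
- * Supported values are:
- ** `disabled`: unstructured connection metadata added at root level
- ** `v1`,`v8`: headers added under `[@metadata][http][header]`. Some are copied to structured ECS fields `http`, `url`, `user_agent` and `host`
+ * Value type is <<string,string>>
+ * Supported values are:
+ ** `disabled`: unstructured connection metadata added at root level
+ ** `v1`,`v8`: headers added under `[@metadata][http][header]`. Some are copied to structured ECS fields `http`, `url`, `user_agent` and `host`
 
  Controls this plugin's compatibility with the
  {ecs-ref}[Elastic Common Schema (ECS)].
@@ -345,6 +347,17 @@ be read and added to the trust store. You need to configure the `ssl_verify_mode
  to `peer` or `force_peer` to enable the verification.
 
 
+ [id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
+ ===== `ssl_cipher_suites`
+
+ * Value type is <<array,array>>
+ * Default value is `['TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256']`
+
+ The list of cipher suites to use, listed by priorities.
+ This default list applies for OpenJDK 11.0.14 and higher.
+ For older JDK versions, the default list includes only suites supported by that version.
+ For example, the ChaCha20 family of ciphers is not supported in older versions.
+
  [id="plugins-{type}s-{plugin}-ssl_handshake_timeout"]
  ===== `ssl_handshake_timeout`
 
@@ -371,6 +384,23 @@ for more information.
 
  SSL key passphrase to use.
 
+ [id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
+ ===== `ssl_supported_protocols`
+
+ * Value type is <<array,array>>
+ * Allowed values are: `'TLSv1.1'`, `'TLSv1.2'`, `'TLSv1.3'`
+ * Default depends on the JDK being used. With up-to-date Logstash, the default is `['TLSv1.2', 'TLSv1.3']`.
+ `'TLSv1.1'` is not considered secure and is only provided for legacy applications.
+
+ List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.
+
+ For Java 8 `'TLSv1.3'` is supported only since **8u262** (AdoptOpenJDK), but requires that you set the
+ `LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3"` system property in Logstash.
+
+ NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as the one packaged with Logstash,
+ the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
+ the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
+
  [id="plugins-{type}s-{plugin}-ssl_verify_mode"]
  ===== `ssl_verify_mode`
 
@@ -399,7 +429,7 @@ Number of threads to use for both accepting connections and handling requests
  ===== `tls_max_version`
 
  * Value type is <<number,number>>
- * Default value is `1.3`
+ * This option is deprecated
 
  The maximum TLS version allowed for the encrypted connections.
  The value must be the one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3
@@ -408,7 +438,7 @@ The value must be the one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.
  ===== `tls_min_version`
 
  * Value type is <<number,number>>
- * Default value is `1.2`
+ * This option is deprecated
 
  The minimum TLS version allowed for the encrypted connections.
  The value must be one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3
@@ -430,7 +460,7 @@ Username for basic authorization
 
  Set the client certificate verification method. Valid methods: none, peer, force_peer
 
- Note: This option is deprecated and it will be removed in the next major version of Logstash.
+ NOTE: This option is deprecated and it will be removed in the next major version of Logstash.
  Use `ssl_verify_mode` instead.
 
 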
@@ -30,6 +30,7 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
30
30
  require "logstash/inputs/http/tls"
31
31
 
32
32
  java_import "io.netty.handler.codec.http.HttpUtil"
33
+ java_import 'org.logstash.plugins.inputs.http.util.SslSimpleBuilder'
33
34
 
34
35
  config_name "http"
35
36
 
@@ -86,16 +87,11 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
86
87
  # Time in milliseconds for an incomplete ssl handshake to timeout
87
88
  config :ssl_handshake_timeout, :validate => :number, :default => 10000
88
89
 
89
- # The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
90
- # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
91
- config :tls_min_version, :validate => :number, :default => TLS.min.version
92
-
93
- # The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
94
- # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
95
- config :tls_max_version, :validate => :number, :default => TLS.max.version
96
-
97
90
  # The list of ciphers suite to use, listed by priorities.
98
- config :cipher_suites, :validate => :array, :default => org.logstash.plugins.inputs.http.util.SslSimpleBuilder.getDefaultCiphers
91
+ config :ssl_cipher_suites, :validate => SslSimpleBuilder::SUPPORTED_CIPHERS.to_a,
92
+ :default => SslSimpleBuilder.getDefaultCiphers, :list => true
93
+
94
+ config :ssl_supported_protocols, :validate => ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'], :default => ['TLSv1.2', 'TLSv1.3'], :list => true
99
95
 
100
96
  # Apply specific codecs for specific content types.
101
97
  # The default codec will be applied only after this list is checked
@@ -118,14 +114,23 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
118
114
  config :max_content_length, :validate => :number, :required => false, :default => 100 * 1024 * 1024
119
115
 
120
116
  config :response_code, :validate => [200, 201, 202, 204], :default => 200
117
+
121
118
  # Deprecated options
122
119
 
123
120
  # The JKS keystore to validate the client's certificates
124
121
  config :keystore, :validate => :path, :deprecated => "Set 'ssl_certificate' and 'ssl_key' instead."
125
122
  config :keystore_password, :validate => :password, :deprecated => "Set 'ssl_key_passphrase' instead."
126
123
 
127
- config :verify_mode, :validate => ['none', 'peer', 'force_peer'], :default => 'none',
128
- :deprecated => "Set 'ssl_verify_mode' instead."
124
+ config :verify_mode, :validate => ['none', 'peer', 'force_peer'], :default => 'none', :deprecated => "Set 'ssl_verify_mode' instead."
125
+ config :cipher_suites, :validate => :array, :default => [], :deprecated => "Set 'ssl_cipher_suites' instead."
126
+
127
+ # The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
128
+ # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
129
+ config :tls_min_version, :validate => :number, :default => TLS.min.version, :deprecated => "Set 'ssl_supported_protocols' instead."
130
+
131
+ # The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
132
+ # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
133
+ config :tls_max_version, :validate => :number, :default => TLS.max.version, :deprecated => "Set 'ssl_supported_protocols' instead."
129
134
 
130
135
  attr_reader :codecs
131
136
 
@@ -233,24 +238,45 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
233
238
  @logger.warn("SSL Certificate will not be used") if @ssl_certificate
234
239
  @logger.warn("SSL Key will not be used") if @ssl_key
235
240
  @logger.warn("SSL Java Key Store will not be used") if @keystore
236
- elsif !(ssl_key_configured? || ssl_jks_configured?)
241
+ return # code bellow assumes `ssl => true`
242
+ end
243
+
244
+ if !(ssl_key_configured? || ssl_jks_configured?)
237
245
  raise LogStash::ConfigurationError, "Certificate or JKS must be configured"
238
246
  end
239
247
 
240
- if @ssl && (original_params.key?("verify_mode") && original_params.key?("ssl_verify_mode"))
241
- raise LogStash::ConfigurationError, "Both 'ssl_verify_mode' and 'verify_mode' were set. Use only 'ssl_verify_mode'."
248
+ if original_params.key?("verify_mode") && original_params.key?("ssl_verify_mode")
249
+ raise LogStash::ConfigurationError, "Both `ssl_verify_mode` and (deprecated) `verify_mode` were set. Use only `ssl_verify_mode`."
242
250
  elsif original_params.key?("verify_mode")
243
251
  @ssl_verify_mode_final = @verify_mode
244
- elsif original_params.key?("ssl_verify_mode")
245
- @ssl_verify_mode_final = @ssl_verify_mode
246
252
  else
247
253
  @ssl_verify_mode_final = @ssl_verify_mode
248
254
  end
249
255
 
250
- if @ssl && require_certificate_authorities? && !client_authentication?
251
- raise LogStash::ConfigurationError, "Using `ssl_verify_mode` or `verify_mode` set to PEER or FORCE_PEER, requires the configuration of `ssl_certificate_authorities`"
252
- elsif @ssl && !require_certificate_authorities? && client_authentication?
253
- raise LogStash::ConfigurationError, "The configuration of `ssl_certificate_authorities` requires setting `ssl_verify_mode` or `verify_mode` to PEER or FORCE_PEER"
256
+ if original_params.key?('cipher_suites') && original_params.key?('ssl_cipher_suites')
257
+ raise LogStash::ConfigurationError, "Both `ssl_cipher_suites` and (deprecated) `cipher_suites` were set. Use only `ssl_cipher_suites`."
258
+ elsif original_params.key?('cipher_suites')
259
+ @ssl_cipher_suites_final = @cipher_suites
260
+ else
261
+ @ssl_cipher_suites_final = @ssl_cipher_suites
262
+ end
263
+
264
+ if original_params.key?('tls_min_version') && original_params.key?('ssl_supported_protocols')
265
+ raise LogStash::ConfigurationError, "Both `ssl_supported_protocols` and (deprecated) `tls_min_ciphers` were set. Use only `ssl_supported_protocols`."
266
+ elsif original_params.key?('tls_max_version') && original_params.key?('ssl_supported_protocols')
267
+ raise LogStash::ConfigurationError, "Both `ssl_supported_protocols` and (deprecated) `tls_max_ciphers` were set. Use only `ssl_supported_protocols`."
268
+ else
269
+ if original_params.key?('tls_min_version') || original_params.key?('tls_max_version')
270
+ @ssl_supported_protocols_final = TLS.get_supported(tls_min_version..tls_max_version).map(&:name)
271
+ else
272
+ @ssl_supported_protocols_final = @ssl_supported_protocols
273
+ end
274
+ end
275
+
276
+ if require_certificate_authorities? && !client_authentication?
277
+ raise LogStash::ConfigurationError, "Using `ssl_verify_mode` (or `verify_mode`) set to PEER or FORCE_PEER, requires the configuration of `ssl_certificate_authorities`"
278
+ elsif !require_certificate_authorities? && client_authentication?
279
+ raise LogStash::ConfigurationError, "The configuration of `ssl_certificate_authorities` requires setting `ssl_verify_mode` (or `verify_mode`) to PEER or FORCE_PEER"
254
280
  end
255
281
  end
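Review bot: The two new conflict messages name options that do not exist: `tls_min_ciphers` (new line 265) and `tls_max_ciphers` (new line 267) should read `tls_min_version` and `tls_max_version`, which are the keys the conditions actually test. An operator who hits this error is told to drop a setting they never wrote, and this is the check that keeps a deprecated TLS version range from being mixed with `ssl_supported_protocols`, so the message should point at the right key. The specs added for these two cases match only `/Use only .?ssl_supported_protocols.?/i` and therefore would not catch the wrong name; asserting on `tls_min_version` / `tls_max_version` in those regexes would. The comment on new line 241 also has a typo (`bellow` for `below`), and the method this validation belongs to begins outside the hunk.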
256
282
 
@@ -268,7 +294,7 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
268
294
  begin
269
295
  ssl_builder = org.logstash.plugins.inputs.http.util.SslSimpleBuilder
270
296
  .new(@ssl_certificate, @ssl_key, @ssl_key_passphrase.nil? ? nil : @ssl_key_passphrase.value)
271
- .setCipherSuites(normalized_ciphers)
297
+ .setCipherSuites(normalized_cipher_suites)
272
298
  rescue java.lang.IllegalArgumentException => e
273
299
  @logger.error("SSL configuration invalid", error_details(e))
274
300
  raise LogStash::ConfigurationError, e
@@ -300,19 +326,15 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
300
326
 
301
327
  private
302
328
 
303
- def normalized_ciphers
304
- @cipher_suites.map(&:upcase)
305
- end
306
-
307
- def convert_protocols
308
- TLS.get_supported(@tls_min_version..@tls_max_version).map(&:name)
329
+ def normalized_cipher_suites
330
+ @ssl_cipher_suites_final.map(&:upcase)
309
331
  end
310
332
 
311
333
  def new_ssl_handshake_provider(ssl_builder)
312
334
  begin
313
335
  ssl_handler_provider = org.logstash.plugins.inputs.http.util.SslHandlerProvider.new(ssl_builder.build())
314
336
  ssl_handler_provider.setVerifyMode(@ssl_verify_mode_final.upcase)
315
- ssl_handler_provider.setProtocols(convert_protocols)
337
+ ssl_handler_provider.setProtocols(@ssl_supported_protocols_final)
316
338
  ssl_handler_provider.setHandshakeTimeoutMilliseconds(@ssl_handshake_timeout)
317
339
  ssl_handler_provider
318
340
  rescue java.lang.IllegalArgumentException => e
@@ -2,4 +2,4 @@
2
2
 
3
3
  require 'jar_dependencies'
4
4
  require_jar('io.netty', 'netty-all', '4.1.65.Final')
5
- require_jar('org.logstash.plugins.input.http', 'logstash-input-http', '3.5.1')
5
+ require_jar('org.logstash.plugins.input.http', 'logstash-input-http', '3.6.0')
@@ -169,10 +169,10 @@ describe LogStash::Inputs::Http do
169
169
 
170
170
  let(:config) do
171
171
  super().merge 'ssl' => true,
172
- 'ssl_certificate_authorities' => [ File.join(certs_dir, 'root.crt') ],
173
- 'ssl_certificate' => File.join(certs_dir, 'server_from_root.crt'),
174
- 'ssl_key' => File.join(certs_dir, 'server_from_root.key.pkcs8'),
175
- 'ssl_verify_mode' => 'peer'
172
+ 'ssl_certificate_authorities' => [ File.join(certs_dir, 'root.crt') ],
173
+ 'ssl_certificate' => File.join(certs_dir, 'server_from_root.crt'),
174
+ 'ssl_key' => File.join(certs_dir, 'server_from_root.key.pkcs8'),
175
+ 'ssl_verify_mode' => 'peer'
176
176
  end
177
177
 
178
178
  let(:client_options) do
@@ -219,7 +219,21 @@ describe LogStash::Inputs::Http do
219
219
 
220
220
  context 'enforced TLSv1.3 in plugin' do
221
221
 
222
- let(:config) { super().merge 'tls_min_version' => '1.3', 'cipher_suites' => [ 'TLS_AES_128_GCM_SHA256' ] }
222
+ let(:config) { super().merge 'ssl_supported_protocols' => ['TLSv1.3'],
223
+ 'ssl_cipher_suites' => [ 'TLS_AES_128_GCM_SHA256' ] }
224
+
225
+ it "should parse the json body" do
226
+ expect(response.code).to eq(200)
227
+ event = logstash_queue.pop
228
+ expect(event.get("message")).to eq("Hello")
229
+ end
230
+
231
+ end
232
+
233
+ context 'enforced TLSv1.3 (deprecated options)' do
234
+
235
+ let(:config) { super().merge 'tls_min_version' => 1.3,
236
+ 'cipher_suites' => [ 'TLS_AES_128_GCM_SHA256' ] }
223
237
 
224
238
  it "should parse the json body" do
225
239
  expect(response.code).to eq(200)
@@ -537,6 +551,12 @@ describe LogStash::Inputs::Http do
537
551
  expect { subject.register }.to raise_exception(LogStash::ConfigurationError)
538
552
  end
539
553
  end
554
+ context "with invalid cipher suites" do
555
+ it "should raise a configuration error" do
556
+ invalid_config = config.merge("ssl_cipher_suites" => "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38")
557
+ expect { LogStash::Inputs::Http.new(invalid_config) }.to raise_error(LogStash::ConfigurationError)
558
+ end
559
+ end
540
560
  context "with :ssl_certificate" do
541
561
  let(:ssc) { SelfSignedCertificate.new }
542
562
  let(:ssl_certificate) { ssc.certificate }
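Review bot: The deprecated `cipher_suites` option loses its invalid-value coverage with this change: the example added at new lines 554-559 exercises only `ssl_cipher_suites`, which by this example is rejected at construction, while a later hunk in this spec deletes the `with invalid cipher_suites` context that checked the register-time failure. In the plugin `cipher_suites` is still accepted as a plain `:array` and still reaches `setCipherSuites`, so a bad suite name supplied through the deprecated key is caught only by the `IllegalArgumentException` rescue at register. I would keep one register-time example for that path, e.g. `expect { described_class.new(config.merge('cipher_suites' => ['TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38'])).register }.to raise_error(LogStash::ConfigurationError)`. The enclosing `describe`/`context` blocks start and end outside this hunk.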
@@ -595,18 +615,6 @@ describe LogStash::Inputs::Http do
595
615
  end
596
616
  end
597
617
 
598
- context "with invalid cipher_suites" do
599
- let(:config) { super().merge("cipher_suites" => "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38") }
600
-
601
- it "should raise a configuration error" do
602
- expect( subject.logger ).to receive(:error) do |msg, opts|
603
- expect( msg ).to match /.*?configuration invalid/
604
- expect( opts[:message] ).to match /TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38.*? not available/
605
- end
606
- expect { subject.register }.to raise_error(LogStash::ConfigurationError)
607
- end
608
- end
609
-
610
618
  context "with invalid ssl certificate" do
611
619
  before do
612
620
  cert = File.readlines path = config["ssl_certificate"]
@@ -654,9 +662,50 @@ describe LogStash::Inputs::Http do
654
662
  end
655
663
  end
656
664
 
665
+ context "with both verify_mode options set" do
666
+ let(:config) do
667
+ super().merge('ssl_verify_mode' => 'peer', 'verify_mode' => 'none')
668
+ end
669
+
670
+ it "should raise a configuration error" do
671
+ expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_verify_mode.?/i
672
+ end
673
+ end
674
+
675
+ context "with ssl_cipher_suites and cipher_suites set" do
676
+ let(:config) do
677
+ super().merge('ssl_cipher_suites' => ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'],
678
+ 'cipher_suites' => ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'])
679
+ end
680
+
681
+ it "should raise a configuration error" do
682
+ expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_cipher_suites.?/i
683
+ end
684
+ end
685
+
686
+ context "with ssl_supported_protocols and tls_min_version set" do
687
+ let(:config) do
688
+ super().merge('ssl_supported_protocols' => ['TLSv1.2'], 'tls_min_version' => 1.0)
689
+ end
690
+
691
+ it "should raise a configuration error" do
692
+ expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_supported_protocols.?/i
693
+ end
694
+ end
695
+
696
+ context "with ssl_supported_protocols and tls_max_version set" do
697
+ let(:config) do
698
+ super().merge('ssl_supported_protocols' => ['TLSv1.2'], 'tls_max_version' => 1.2)
699
+ end
700
+
701
+ it "should raise a configuration error" do
702
+ expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_supported_protocols.?/i
703
+ end
704
+ end
705
+
657
706
  end
658
707
  end
659
- end if false
708
+ end
660
709
 
661
710
  # If we have a setting called `pipeline.ecs_compatibility`, we need to
662
711
  # ensure that our additional_codecs are instantiated with the proper
@@ -664,19 +713,11 @@ end if false
664
713
  # respected.
665
714
  if LogStash::SETTINGS.registered?('pipeline.ecs_compatibility')
666
715
 
667
- def with_setting(name, value, &block)
668
- setting = LogStash::SETTINGS.get_setting(name)
669
- was_set, orignial_value = setting.set?, setting.value
670
- setting.set(value)
671
-
672
- yield(true)
673
-
674
- ensure
675
- was_set ? setting.set(orignial_value) : setting.reset
676
- end
677
-
678
716
  def setting_value_supported?(name, value)
679
- with_setting(name, value) { true }
717
+ setting = ::LogStash::SETTINGS.clone.get_setting(name)
718
+ setting.set(value)
719
+ setting.validate_value
720
+ true
680
721
  rescue
681
722
  false
682
723
  end
@@ -688,12 +729,32 @@ if LogStash::SETTINGS.registered?('pipeline.ecs_compatibility')
688
729
  %w(disabled v1 v8).each do |spec|
689
730
  if setting_value_supported?('pipeline.ecs_compatibility', spec)
690
731
  context "with `pipeline.ecs_compatibility: #{spec}`" do
691
- around(:each) { |example| with_setting('pipeline.ecs_compatibility', spec, &example) }
732
+ # Override DevUtils's `new_pipeline` default to inject pipeline settings that
733
+ # are different than our global settings, so that we can validate the condition
734
+ # where pipeline settings override global settings.
735
+ def new_pipeline(config_parts, pipeline_id = :main, settings = pipeline_settings)
736
+ super(config_parts, pipeline_id, settings)
737
+ end
738
+
739
+ let(:pipeline_settings) do
740
+ ::LogStash::SETTINGS.clone.tap do |s|
741
+ s.set('pipeline.ecs_compatibility', spec)
742
+ end
743
+ end
692
744
 
693
745
  it 'propagates the ecs_compatibility pipeline setting to the additional_codecs' do
746
+ # Ensure plugins pick up pipeline-level setting over the global default.
747
+ aggregate_failures('precondition') do
748
+ expect(::LogStash::SETTINGS).to_not be_set('pipeline.ecs_compatibility')
749
+ expect(pipeline_settings).to be_set('pipeline.ecs_compatibility')
750
+ end
751
+
694
752
  input("input { http { port => #{port} additional_codecs => { 'application/json' => 'json' 'text/plain' => 'plain' } } }") do |pipeline, queue|
695
753
  http_input = pipeline.inputs.first
696
- expect(http_input).to be_a_kind_of(described_class) # precondition
754
+ aggregate_failures('initialization precondition') do
755
+ expect(http_input).to be_a_kind_of(described_class)
756
+ expect(http_input.execution_context&.pipeline&.settings&.to_hash).to eq(pipeline_settings.to_hash)
757
+ end
697
758
 
698
759
  http_input.codecs.each do |key, value|
699
760
  aggregate_failures("Codec for `#{key}`") do
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: logstash-input-http
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.5.1
4
+ version: 3.6.0
5
5
  platform: java
6
6
  authors:
7
7
  - Elastic
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-04-12 00:00:00.000000000 Z
11
+ date: 2022-04-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  requirement: !ruby/object:Gem::Requirement
@@ -173,7 +173,7 @@ files:
173
173
  - spec/fixtures/certs/openssl.cnf
174
174
  - spec/inputs/http_spec.rb
175
175
  - vendor/jar-dependencies/io/netty/netty-all/4.1.65.Final/netty-all-4.1.65.Final.jar
176
- - vendor/jar-dependencies/org/logstash/plugins/input/http/logstash-input-http/3.5.1/logstash-input-http-3.5.1.jar
176
+ - vendor/jar-dependencies/org/logstash/plugins/input/http/logstash-input-http/3.6.0/logstash-input-http-3.6.0.jar
177
177
  homepage: http://www.elastic.co/guide/en/logstash/current/index.html
178
178
  licenses:
179
179
  - Apache License (2.0)