logstash-input-http 3.5.1-java → 3.6.0-java

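--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 57c80d7659006a5cbaa321016046be88431d7df9ab7aff47c2b6e22670e420aa
- data.tar.gz: fbf35768bf5bfc1bddeb2fab860ca5dd6e7d76eee6e5b03590ea6239ebb0935a
+ metadata.gz: aa318266e4bda14335b9ff0a9334d984e0a52cecaefa7037a064aef4e8df7015
+ data.tar.gz: efe4a565498fda944f2b2e9a91813a2ecc70ed9b4a89bae7ba2730221eef8549
  SHA512:
- metadata.gz: 6474b6cf869b1e9c07f43ddf7c7903496d38d366f02f3a5c4217c16011eb008dcee940bc87d1f77a885c5c92c0f440ea207e56c677431df65d04f9cb3fcafb82
- data.tar.gz: 5ddf0b72e016873e9bce678f74f8052dbad329819fadcfcf431af0d2126251a33901f5033b0948eff2e18f08dd0d107c092f505cabd63b5731c2679a3c13e0af
+ metadata.gz: b52359e3a884877733f41ce7885bba97dc578db0c4fbdf708a498a13cc06a38efc319b2e72f5f788d6287f0c8a33f419a811e01776661e1eea313682948439d7
+ data.tar.gz: e953789900e9f5d98593c3d83ad1d100b83433abf109a708c90c2eb04291d18f1339419a6f498a830103ba894bac03a02944094495873260a9cfab9c1c8ae666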
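--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,6 @@
+ ## 3.6.0
+ - Feat: review and deprecate ssl protocol/cipher related settings [#151](https://github.com/logstash-plugins/logstash-input-http/pull/151)
+
  ## 3.5.1
  - Fix: codecs provided with `additional_codecs` now correctly run in the pipeline's context, which means that they respect the `pipeline.ecs_compatibility` setting [#152](https://github.com/logstash-plugins/logstash-input-http/pull/152)
 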
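--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
- 3.5.1
+ 3.6.0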
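--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -104,9 +104,11 @@ This plugin supports the following configuration options plus the <<plugins-{typ
  | <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|No
  | <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
  | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
+ | <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<array,array>>|No
  | <<plugins-{type}s-{plugin}-ssl_handshake_timeout>> |<<number,number>>|No
  | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
  | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
+ | <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<array,array>>|No
  | <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
  | <<plugins-{type}s-{plugin}-threads>> |<<number,number>>|No
  | <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|No
@@ -134,20 +136,20 @@ and no codec for the request's content-type is found
  ===== `cipher_suites`
 
  * Value type is <<array,array>>
- * Default value is `[TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]`
+ * This option is deprecated
 
  The list of cipher suites to use, listed by priorities.
- This default list applies for OpenJDK 11.0.14 and higher.
- For older JDK versions, the default list includes only suites supported by that version.
- For example, the ChaCha20 family of ciphers is not supported in older versions.
+
+ NOTE: This option is deprecated and it will be removed in the next major version of Logstash.
+ Use `ssl_cipher_suites` instead.
 
  [id="plugins-{type}s-{plugin}-ecs_compatibility"]
  ===== `ecs_compatibility`
 
- * Value type is <<string,string>>
- * Supported values are:
- ** `disabled`: unstructured connection metadata added at root level
- ** `v1`,`v8`: headers added under `[@metadata][http][header]`. Some are copied to structured ECS fields `http`, `url`, `user_agent` and `host`
+ * Value type is <<string,string>>
+ * Supported values are:
+ ** `disabled`: unstructured connection metadata added at root level
+ ** `v1`,`v8`: headers added under `[@metadata][http][header]`. Some are copied to structured ECS fields `http`, `url`, `user_agent` and `host`
 
  Controls this plugin's compatibility with the
  {ecs-ref}[Elastic Common Schema (ECS)].
@@ -345,6 +347,17 @@ be read and added to the trust store. You need to configure the `ssl_verify_mode
  to `peer` or `force_peer` to enable the verification.
 
 
+ [id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
+ ===== `ssl_cipher_suites`
+
+ * Value type is <<array,array>>
+ * Default value is `['TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256']`
+
+ The list of cipher suites to use, listed by priorities.
+ This default list applies for OpenJDK 11.0.14 and higher.
+ For older JDK versions, the default list includes only suites supported by that version.
+ For example, the ChaCha20 family of ciphers is not supported in older versions.
+
  [id="plugins-{type}s-{plugin}-ssl_handshake_timeout"]
  ===== `ssl_handshake_timeout`
 
@@ -371,6 +384,23 @@ for more information.
 
  SSL key passphrase to use.
 
+ [id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
+ ===== `ssl_supported_protocols`
+
+ * Value type is <<array,array>>
+ * Allowed values are: `'TLSv1.1'`, `'TLSv1.2'`, `'TLSv1.3'`
+ * Default depends on the JDK being used. With up-to-date Logstash, the default is `['TLSv1.2', 'TLSv1.3']`.
+ `'TLSv1.1'` is not considered secure and is only provided for legacy applications.
+
+ List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.
+
+ For Java 8 `'TLSv1.3'` is supported only since **8u262** (AdoptOpenJDK), but requires that you set the
+ `LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3"` system property in Logstash.
+
+ NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as the one packaged with Logstash,
+ the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
+ the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
+
  [id="plugins-{type}s-{plugin}-ssl_verify_mode"]
  ===== `ssl_verify_mode`
 
@@ -399,7 +429,7 @@ Number of threads to use for both accepting connections and handling requests
  ===== `tls_max_version`
 
  * Value type is <<number,number>>
- * Default value is `1.3`
+ * This option is deprecated
 
  The maximum TLS version allowed for the encrypted connections.
  The value must be the one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3
@@ -408,7 +438,7 @@ The value must be the one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.
  ===== `tls_min_version`
 
  * Value type is <<number,number>>
- * Default value is `1.2`
+ * This option is deprecated
 
  The minimum TLS version allowed for the encrypted connections.
  The value must be one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3
@@ -430,7 +460,7 @@ Username for basic authorization
 
  Set the client certificate verification method. Valid methods: none, peer, force_peer
 
- Note: This option is deprecated and it will be removed in the next major version of Logstash.
+ NOTE: This option is deprecated and it will be removed in the next major version of Logstash.
  Use `ssl_verify_mode` instead.
 
 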
@@ -30,6 +30,7 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
30
30
  require "logstash/inputs/http/tls"
31
31
 
32
32
  java_import "io.netty.handler.codec.http.HttpUtil"
33
+ java_import 'org.logstash.plugins.inputs.http.util.SslSimpleBuilder'
33
34
 
34
35
  config_name "http"
35
36
 
@@ -86,16 +87,11 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
86
87
  # Time in milliseconds for an incomplete ssl handshake to timeout
87
88
  config :ssl_handshake_timeout, :validate => :number, :default => 10000
88
89
 
89
- # The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
90
- # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
91
- config :tls_min_version, :validate => :number, :default => TLS.min.version
92
-
93
- # The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
94
- # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
95
- config :tls_max_version, :validate => :number, :default => TLS.max.version
96
-
97
90
  # The list of ciphers suite to use, listed by priorities.
98
- config :cipher_suites, :validate => :array, :default => org.logstash.plugins.inputs.http.util.SslSimpleBuilder.getDefaultCiphers
91
+ config :ssl_cipher_suites, :validate => SslSimpleBuilder::SUPPORTED_CIPHERS.to_a,
92
+ :default => SslSimpleBuilder.getDefaultCiphers, :list => true
93
+
94
+ config :ssl_supported_protocols, :validate => ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'], :default => ['TLSv1.2', 'TLSv1.3'], :list => true
99
95
 
100
96
  # Apply specific codecs for specific content types.
101
97
  # The default codec will be applied only after this list is checked
@@ -118,14 +114,23 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
118
114
  config :max_content_length, :validate => :number, :required => false, :default => 100 * 1024 * 1024
119
115
 
120
116
  config :response_code, :validate => [200, 201, 202, 204], :default => 200
117
+
121
118
  # Deprecated options
122
119
 
123
120
  # The JKS keystore to validate the client's certificates
124
121
  config :keystore, :validate => :path, :deprecated => "Set 'ssl_certificate' and 'ssl_key' instead."
125
122
  config :keystore_password, :validate => :password, :deprecated => "Set 'ssl_key_passphrase' instead."
126
123
 
127
- config :verify_mode, :validate => ['none', 'peer', 'force_peer'], :default => 'none',
128
- :deprecated => "Set 'ssl_verify_mode' instead."
124
+ config :verify_mode, :validate => ['none', 'peer', 'force_peer'], :default => 'none', :deprecated => "Set 'ssl_verify_mode' instead."
125
+ config :cipher_suites, :validate => :array, :default => [], :deprecated => "Set 'ssl_cipher_suites' instead."
126
+
127
+ # The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
128
+ # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
129
+ config :tls_min_version, :validate => :number, :default => TLS.min.version, :deprecated => "Set 'ssl_supported_protocols' instead."
130
+
131
+ # The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
132
+ # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
133
+ config :tls_max_version, :validate => :number, :default => TLS.max.version, :deprecated => "Set 'ssl_supported_protocols' instead."
129
134
 
130
135
  attr_reader :codecs
131
136
 
@@ -233,24 +238,45 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
233
238
  @logger.warn("SSL Certificate will not be used") if @ssl_certificate
234
239
  @logger.warn("SSL Key will not be used") if @ssl_key
235
240
  @logger.warn("SSL Java Key Store will not be used") if @keystore
236
- elsif !(ssl_key_configured? || ssl_jks_configured?)
241
+ return # code bellow assumes `ssl => true`
242
+ end
243
+
244
+ if !(ssl_key_configured? || ssl_jks_configured?)
237
245
  raise LogStash::ConfigurationError, "Certificate or JKS must be configured"
238
246
  end
239
247
 
240
- if @ssl && (original_params.key?("verify_mode") && original_params.key?("ssl_verify_mode"))
241
- raise LogStash::ConfigurationError, "Both 'ssl_verify_mode' and 'verify_mode' were set. Use only 'ssl_verify_mode'."
248
+ if original_params.key?("verify_mode") && original_params.key?("ssl_verify_mode")
249
+ raise LogStash::ConfigurationError, "Both `ssl_verify_mode` and (deprecated) `verify_mode` were set. Use only `ssl_verify_mode`."
242
250
  elsif original_params.key?("verify_mode")
243
251
  @ssl_verify_mode_final = @verify_mode
244
- elsif original_params.key?("ssl_verify_mode")
245
- @ssl_verify_mode_final = @ssl_verify_mode
246
252
  else
247
253
  @ssl_verify_mode_final = @ssl_verify_mode
248
254
  end
249
255
 
250
- if @ssl && require_certificate_authorities? && !client_authentication?
251
- raise LogStash::ConfigurationError, "Using `ssl_verify_mode` or `verify_mode` set to PEER or FORCE_PEER, requires the configuration of `ssl_certificate_authorities`"
252
- elsif @ssl && !require_certificate_authorities? && client_authentication?
253
- raise LogStash::ConfigurationError, "The configuration of `ssl_certificate_authorities` requires setting `ssl_verify_mode` or `verify_mode` to PEER or FORCE_PEER"
256
+ if original_params.key?('cipher_suites') && original_params.key?('ssl_cipher_suites')
257
+ raise LogStash::ConfigurationError, "Both `ssl_cipher_suites` and (deprecated) `cipher_suites` were set. Use only `ssl_cipher_suites`."
258
+ elsif original_params.key?('cipher_suites')
259
+ @ssl_cipher_suites_final = @cipher_suites
260
+ else
261
+ @ssl_cipher_suites_final = @ssl_cipher_suites
262
+ end
263
+
264
+ if original_params.key?('tls_min_version') && original_params.key?('ssl_supported_protocols')
265
+ raise LogStash::ConfigurationError, "Both `ssl_supported_protocols` and (deprecated) `tls_min_ciphers` were set. Use only `ssl_supported_protocols`."
266
+ elsif original_params.key?('tls_max_version') && original_params.key?('ssl_supported_protocols')
267
+ raise LogStash::ConfigurationError, "Both `ssl_supported_protocols` and (deprecated) `tls_max_ciphers` were set. Use only `ssl_supported_protocols`."
268
+ else
269
+ if original_params.key?('tls_min_version') || original_params.key?('tls_max_version')
270
+ @ssl_supported_protocols_final = TLS.get_supported(tls_min_version..tls_max_version).map(&:name)
271
+ else
272
+ @ssl_supported_protocols_final = @ssl_supported_protocols
273
+ end
274
+ end
275
+
276
+ if require_certificate_authorities? && !client_authentication?
277
+ raise LogStash::ConfigurationError, "Using `ssl_verify_mode` (or `verify_mode`) set to PEER or FORCE_PEER, requires the configuration of `ssl_certificate_authorities`"
278
+ elsif !require_certificate_authorities? && client_authentication?
279
+ raise LogStash::ConfigurationError, "The configuration of `ssl_certificate_authorities` requires setting `ssl_verify_mode` (or `verify_mode`) to PEER or FORCE_PEER"
254
280
  end
255
281
  end
256
282
 
@@ -268,7 +294,7 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
268
294
  begin
269
295
  ssl_builder = org.logstash.plugins.inputs.http.util.SslSimpleBuilder
270
296
  .new(@ssl_certificate, @ssl_key, @ssl_key_passphrase.nil? ? nil : @ssl_key_passphrase.value)
271
- .setCipherSuites(normalized_ciphers)
297
+ .setCipherSuites(normalized_cipher_suites)
272
298
  rescue java.lang.IllegalArgumentException => e
273
299
  @logger.error("SSL configuration invalid", error_details(e))
274
300
  raise LogStash::ConfigurationError, e
@@ -300,19 +326,15 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
300
326
 
301
327
  private
302
328
 
303
- def normalized_ciphers
304
- @cipher_suites.map(&:upcase)
305
- end
306
-
307
- def convert_protocols
308
- TLS.get_supported(@tls_min_version..@tls_max_version).map(&:name)
329
+ def normalized_cipher_suites
330
+ @ssl_cipher_suites_final.map(&:upcase)
309
331
  end
310
332
 
311
333
  def new_ssl_handshake_provider(ssl_builder)
312
334
  begin
313
335
  ssl_handler_provider = org.logstash.plugins.inputs.http.util.SslHandlerProvider.new(ssl_builder.build())
314
336
  ssl_handler_provider.setVerifyMode(@ssl_verify_mode_final.upcase)
315
- ssl_handler_provider.setProtocols(convert_protocols)
337
+ ssl_handler_provider.setProtocols(@ssl_supported_protocols_final)
316
338
  ssl_handler_provider.setHandshakeTimeoutMilliseconds(@ssl_handshake_timeout)
317
339
  ssl_handler_provider
318
340
  rescue java.lang.IllegalArgumentException => e
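Review bot: The two conflict errors added for `ssl_supported_protocols` (hunk `@@ -233,24 +238,45 @@`) name options that do not exist: the messages say `tls_min_ciphers` and `tls_max_ciphers`, but the keys being tested are `tls_min_version` and `tls_max_version`. Someone migrating a TLS configuration would search their pipeline for the wrong setting, so each message should name the key its branch actually checks, `tls_min_version` in the first and `tls_max_version` in the second. In the same branch the deprecated pair is turned into a protocol list with `TLS.get_supported(tls_min_version..tls_max_version).map(&:name)`; what that returns when the minimum exceeds the maximum is not visible here, so it would be worth raising `LogStash::ConfigurationError` when the resulting list is empty rather than handing it to `setProtocols`. The enclosing method begins outside the hunk.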
@@ -2,4 +2,4 @@
2
2
 
3
3
  require 'jar_dependencies'
4
4
  require_jar('io.netty', 'netty-all', '4.1.65.Final')
5
- require_jar('org.logstash.plugins.input.http', 'logstash-input-http', '3.5.1')
5
+ require_jar('org.logstash.plugins.input.http', 'logstash-input-http', '3.6.0')
@@ -169,10 +169,10 @@ describe LogStash::Inputs::Http do
169
169
 
170
170
  let(:config) do
171
171
  super().merge 'ssl' => true,
172
- 'ssl_certificate_authorities' => [ File.join(certs_dir, 'root.crt') ],
173
- 'ssl_certificate' => File.join(certs_dir, 'server_from_root.crt'),
174
- 'ssl_key' => File.join(certs_dir, 'server_from_root.key.pkcs8'),
175
- 'ssl_verify_mode' => 'peer'
172
+ 'ssl_certificate_authorities' => [ File.join(certs_dir, 'root.crt') ],
173
+ 'ssl_certificate' => File.join(certs_dir, 'server_from_root.crt'),
174
+ 'ssl_key' => File.join(certs_dir, 'server_from_root.key.pkcs8'),
175
+ 'ssl_verify_mode' => 'peer'
176
176
  end
177
177
 
178
178
  let(:client_options) do
@@ -219,7 +219,21 @@ describe LogStash::Inputs::Http do
219
219
 
220
220
  context 'enforced TLSv1.3 in plugin' do
221
221
 
222
- let(:config) { super().merge 'tls_min_version' => '1.3', 'cipher_suites' => [ 'TLS_AES_128_GCM_SHA256' ] }
222
+ let(:config) { super().merge 'ssl_supported_protocols' => ['TLSv1.3'],
223
+ 'ssl_cipher_suites' => [ 'TLS_AES_128_GCM_SHA256' ] }
224
+
225
+ it "should parse the json body" do
226
+ expect(response.code).to eq(200)
227
+ event = logstash_queue.pop
228
+ expect(event.get("message")).to eq("Hello")
229
+ end
230
+
231
+ end
232
+
233
+ context 'enforced TLSv1.3 (deprecated options)' do
234
+
235
+ let(:config) { super().merge 'tls_min_version' => 1.3,
236
+ 'cipher_suites' => [ 'TLS_AES_128_GCM_SHA256' ] }
223
237
 
224
238
  it "should parse the json body" do
225
239
  expect(response.code).to eq(200)
@@ -537,6 +551,12 @@ describe LogStash::Inputs::Http do
537
551
  expect { subject.register }.to raise_exception(LogStash::ConfigurationError)
538
552
  end
539
553
  end
554
+ context "with invalid cipher suites" do
555
+ it "should raise a configuration error" do
556
+ invalid_config = config.merge("ssl_cipher_suites" => "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38")
557
+ expect { LogStash::Inputs::Http.new(invalid_config) }.to raise_error(LogStash::ConfigurationError)
558
+ end
559
+ end
540
560
  context "with :ssl_certificate" do
541
561
  let(:ssc) { SelfSignedCertificate.new }
542
562
  let(:ssl_certificate) { ssc.certificate }
@@ -595,18 +615,6 @@ describe LogStash::Inputs::Http do
595
615
  end
596
616
  end
597
617
 
598
- context "with invalid cipher_suites" do
599
- let(:config) { super().merge("cipher_suites" => "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38") }
600
-
601
- it "should raise a configuration error" do
602
- expect( subject.logger ).to receive(:error) do |msg, opts|
603
- expect( msg ).to match /.*?configuration invalid/
604
- expect( opts[:message] ).to match /TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38.*? not available/
605
- end
606
- expect { subject.register }.to raise_error(LogStash::ConfigurationError)
607
- end
608
- end
609
-
610
618
  context "with invalid ssl certificate" do
611
619
  before do
612
620
  cert = File.readlines path = config["ssl_certificate"]
@@ -654,9 +662,50 @@ describe LogStash::Inputs::Http do
654
662
  end
655
663
  end
656
664
 
665
+ context "with both verify_mode options set" do
666
+ let(:config) do
667
+ super().merge('ssl_verify_mode' => 'peer', 'verify_mode' => 'none')
668
+ end
669
+
670
+ it "should raise a configuration error" do
671
+ expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_verify_mode.?/i
672
+ end
673
+ end
674
+
675
+ context "with ssl_cipher_suites and cipher_suites set" do
676
+ let(:config) do
677
+ super().merge('ssl_cipher_suites' => ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'],
678
+ 'cipher_suites' => ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'])
679
+ end
680
+
681
+ it "should raise a configuration error" do
682
+ expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_cipher_suites.?/i
683
+ end
684
+ end
685
+
686
+ context "with ssl_supported_protocols and tls_min_version set" do
687
+ let(:config) do
688
+ super().merge('ssl_supported_protocols' => ['TLSv1.2'], 'tls_min_version' => 1.0)
689
+ end
690
+
691
+ it "should raise a configuration error" do
692
+ expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_supported_protocols.?/i
693
+ end
694
+ end
695
+
696
+ context "with ssl_supported_protocols and tls_max_version set" do
697
+ let(:config) do
698
+ super().merge('ssl_supported_protocols' => ['TLSv1.2'], 'tls_max_version' => 1.2)
699
+ end
700
+
701
+ it "should raise a configuration error" do
702
+ expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_supported_protocols.?/i
703
+ end
704
+ end
705
+
657
706
  end
658
707
  end
659
- end if false
708
+ end
660
709
 
661
710
  # If we have a setting called `pipeline.ecs_compatibility`, we need to
662
711
  # ensure that our additional_codecs are instantiated with the proper
@@ -664,19 +713,11 @@ end if false
664
713
  # respected.
665
714
  if LogStash::SETTINGS.registered?('pipeline.ecs_compatibility')
666
715
 
667
- def with_setting(name, value, &block)
668
- setting = LogStash::SETTINGS.get_setting(name)
669
- was_set, orignial_value = setting.set?, setting.value
670
- setting.set(value)
671
-
672
- yield(true)
673
-
674
- ensure
675
- was_set ? setting.set(orignial_value) : setting.reset
676
- end
677
-
678
716
  def setting_value_supported?(name, value)
679
- with_setting(name, value) { true }
717
+ setting = ::LogStash::SETTINGS.clone.get_setting(name)
718
+ setting.set(value)
719
+ setting.validate_value
720
+ true
680
721
  rescue
681
722
  false
682
723
  end
@@ -688,12 +729,32 @@ if LogStash::SETTINGS.registered?('pipeline.ecs_compatibility')
688
729
  %w(disabled v1 v8).each do |spec|
689
730
  if setting_value_supported?('pipeline.ecs_compatibility', spec)
690
731
  context "with `pipeline.ecs_compatibility: #{spec}`" do
691
- around(:each) { |example| with_setting('pipeline.ecs_compatibility', spec, &example) }
732
+ # Override DevUtils's `new_pipeline` default to inject pipeline settings that
733
+ # are different than our global settings, so that we can validate the condition
734
+ # where pipeline settings override global settings.
735
+ def new_pipeline(config_parts, pipeline_id = :main, settings = pipeline_settings)
736
+ super(config_parts, pipeline_id, settings)
737
+ end
738
+
739
+ let(:pipeline_settings) do
740
+ ::LogStash::SETTINGS.clone.tap do |s|
741
+ s.set('pipeline.ecs_compatibility', spec)
742
+ end
743
+ end
692
744
 
693
745
  it 'propagates the ecs_compatibility pipeline setting to the additional_codecs' do
746
+ # Ensure plugins pick up pipeline-level setting over the global default.
747
+ aggregate_failures('precondition') do
748
+ expect(::LogStash::SETTINGS).to_not be_set('pipeline.ecs_compatibility')
749
+ expect(pipeline_settings).to be_set('pipeline.ecs_compatibility')
750
+ end
751
+
694
752
  input("input { http { port => #{port} additional_codecs => { 'application/json' => 'json' 'text/plain' => 'plain' } } }") do |pipeline, queue|
695
753
  http_input = pipeline.inputs.first
696
- expect(http_input).to be_a_kind_of(described_class) # precondition
754
+ aggregate_failures('initialization precondition') do
755
+ expect(http_input).to be_a_kind_of(described_class)
756
+ expect(http_input.execution_context&.pipeline&.settings&.to_hash).to eq(pipeline_settings.to_hash)
757
+ end
697
758
 
698
759
  http_input.codecs.each do |key, value|
699
760
  aggregate_failures("Codec for `#{key}`") do
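Review bot: The removed context `with invalid cipher_suites` was the only visible spec that exercised rejection of an unknown suite through the deprecated `cipher_suites` option, and its replacement `with invalid cipher suites` covers only `ssl_cipher_suites`. In the plugin the two take different paths: `ssl_cipher_suites` is validated against `SslSimpleBuilder::SUPPORTED_CIPHERS` when the plugin is constructed, while `cipher_suites` is declared `:validate => :array` and relies on `setCipherSuites` raising `java.lang.IllegalArgumentException` later, when the SSL builder is created. I would keep the old context next to the new one, retitled for the deprecated option and still asserting that `subject.register` raises `LogStash::ConfigurationError`, so the legacy path stays covered until the option is removed. The visible hunks also test the enforced-TLSv1.3 settings only with a request that succeeds; a case where the client's protocol is outside `ssl_supported_protocols` would show that the restriction is actually applied.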
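--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: logstash-input-http
  version: !ruby/object:Gem::Version
- version: 3.5.1
+ version: 3.6.0
  platform: java
  authors:
  - Elastic
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-04-12 00:00:00.000000000 Z
+ date: 2022-04-19 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  requirement: !ruby/object:Gem::Requirement
@@ -173,7 +173,7 @@ files:
  - spec/fixtures/certs/openssl.cnf
  - spec/inputs/http_spec.rb
  - vendor/jar-dependencies/io/netty/netty-all/4.1.65.Final/netty-all-4.1.65.Final.jar
- - vendor/jar-dependencies/org/logstash/plugins/input/http/logstash-input-http/3.5.1/logstash-input-http-3.5.1.jar
+ - vendor/jar-dependencies/org/logstash/plugins/input/http/logstash-input-http/3.6.0/logstash-input-http-3.6.0.jar
  homepage: http://www.elastic.co/guide/en/logstash/current/index.html
  licenses:
  - Apache License (2.0)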