logstash-input-http 3.6.1-java → 3.7.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bbb47f975f16beea81522f5307114560f5d6005218d3c246dfb62db54208c817
-  data.tar.gz: 47dc0325473f1d9c8a99b427f7b695c99cfc8f5c4f35b2e88df6fbd0d0ef67d7
+  metadata.gz: 8f51c4bbd6f822ca86e04cf3895e6084f6eb7c3ce3c860dd4cd634960083925d
+  data.tar.gz: 58d2c5e3bf67f11808a7eae4aa2ee0dd66d344233548b92180b3ef9743a3ffcd
 SHA512:
-  metadata.gz: 55f0a67b04f6c5f159433df787cfd9e93a5f42414452889e486fedeb3bd53f57b1074645fdefd19a763625ca294bca89a39496ae89c5bc105c9bafb22f5382c1
-  data.tar.gz: b9b9afe52a6155ae774b98f7c615d699d4ad1e297d7e61a8de99d9e83b87e33bd94264df27737196bfcd7894e2e9f98a20629c2bf39802e4d950415073933ce6
+  metadata.gz: 30fe8ab9b1b965dfe60b453aad5cbb6ca00ea994d6d1dbb7ac4bb2d28d095a491ca15c7c2ba295fe7f2f25df3f5d96d882f9a377f34c9cb372fc766dcd745028
+  data.tar.gz: ffadf395fc47657426445cf47f9b8c0da277c68edf73020154c4e62dc7e8313b28bd2cc7f6c9e06907be89b651cdf44d294f45974f67aae0aaf1f039fff308ab

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 3.7.0
+ - Reviewed and deprecated SSL settings to comply with Logstash's naming convention [#165](https://github.com/logstash-plugins/logstash-input-http/pull/165)
+   - Deprecated `ssl` in favor of `ssl_enabled`
+   - Deprecated `ssl_verify_mode` in favor of `ssl_client_authentication`
+   - Deprecated `keystore` in favor of `ssl_keystore_path`
+   - Deprecated `keystore_password` in favor of `ssl_keystore_password`
+
 ## 3.6.1
  - Update Netty dependency to 4.1.87 [#162](https://github.com/logstash-plugins/logstash-input-http/pull/162)
 

data/VERSION

@@ -1 +1 @@
-3.6.1
+3.7.0

data/docs/index.asciidoc

@@ -101,15 +101,19 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-max_pending_requests>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-response_headers>> |<<hash,hash>>|No
 | <<plugins-{type}s-{plugin}-response_code>> |<<number,number>>, one of `[200, 201, 202, 204]`|No
-| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_client_authentication>> |<<string,string>>, one of `["none", "optional", "required"]`|No
+| <<plugins-{type}s-{plugin}-ssl_enabled>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_handshake_timeout>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-ssl_keystore_password>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-ssl_keystore_path>> |<<path,path>>|No
 | <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<array,array>>|No
-| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
+| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|__Deprecated__
 | <<plugins-{type}s-{plugin}-threads>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|__Deprecated__
@@ -214,7 +218,7 @@ The host or ip to bind
 
 [id="plugins-{type}s-{plugin}-keystore"]
 ===== `keystore`
-deprecated[3.1.0, Use <<plugins-{type}s-{plugin}-ssl_certificate>> and <<plugins-{type}s-{plugin}-ssl_key>> instead]
+deprecated[3.7.0, Use <<plugins-{type}s-{plugin}-ssl_keystore_path>> instead]
 
   * Value type is <<path,path>>
   * There is no default value for this setting.
@@ -223,12 +227,12 @@ The JKS keystore to validate the client's certificates
 
 [id="plugins-{type}s-{plugin}-keystore_password"]
 ===== `keystore_password`
-deprecated[3.1.0, Use <<plugins-{type}s-{plugin}-ssl_certificate>> and <<plugins-{type}s-{plugin}-ssl_key>> instead]
+deprecated[3.7.0, Use <<plugins-{type}s-{plugin}-ssl_keystore_password>> instead]
 
   * Value type is <<password,password>>
   * There is no default value for this setting.
 
-Set the truststore password
+Set the keystore password
 
 [id="plugins-{type}s-{plugin}-password"]
 ===== `password` 
@@ -308,11 +312,12 @@ specify target field for the client host of the http request
 
 [id="plugins-{type}s-{plugin}-ssl"]
 ===== `ssl` 
+deprecated[3.7.0, Replaced by <<plugins-{type}s-{plugin}-ssl_enabled>>]
 
   * Value type is <<boolean,boolean>>
   * Default value is `false`
 
-Events are by default sent in plain text. You can
+Events are, by default, sent in plain text. You can
 enable encryption by setting `ssl` to true and configuring
 the `ssl_certificate` and `ssl_key` options.
 
@@ -332,8 +337,8 @@ SSL certificate to use.
 
 Validate client certificates against these authorities. 
 You can define multiple files or paths. All the certificates will
-be read and added to the trust store. You need to configure the `ssl_verify_mode`
-to `peer` or `force_peer` to enable the verification.
+be read and added to the trust store. You need to configure the <<plugins-{type}s-{plugin}-ssl_client_authentication>>
+to `optional` or `required` to enable the verification.
 
 
 [id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
@@ -347,6 +352,27 @@ This default list applies for OpenJDK 11.0.14 and higher.
 For older JDK versions, the default list includes only suites supported by that version.
 For example, the ChaCha20 family of ciphers is not supported in older versions.
 
+[id="plugins-{type}s-{plugin}-ssl_client_authentication"]
+===== `ssl_client_authentication`
+
+* Value can be any of: `none`, `optional`, `required`
+* Default value is `"none"`
+
+Controls the server's behavior in regard to requesting a certificate from client connections:
+`required` forces a client to present a certificate, while `optional` requests a client certificate
+but the client is not required to present one. Defaults to `none`, which disables the client authentication.
+
+NOTE: This setting can be used only if <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> is set.
+
+[id="plugins-{type}s-{plugin}-ssl_enabled"]
+===== `ssl_enabled`
+
+* Value type is <<boolean,boolean>>
+* Default value is `false`
+
+Events are, by default, sent in plain text. You can enable encryption by setting `ssl_enabled` to true and configuring
+the <<plugins-{type}s-{plugin}-ssl_certificate>> and <<plugins-{type}s-{plugin}-ssl_key>> options.
+
 [id="plugins-{type}s-{plugin}-ssl_handshake_timeout"]
 ===== `ssl_handshake_timeout` 
 
@@ -373,6 +399,22 @@ for more information.
 
 SSL key passphrase to use.
 
+[id="plugins-{type}s-{plugin}-ssl_keystore_path"]
+===== `ssl_keystore_path`
+
+ * Value type is <<path,path>>
+ * There is no default value for this setting.
+
+The JKS keystore to validate the client's certificates
+
+[id="plugins-{type}s-{plugin}-ssl_keystore_password"]
+===== `ssl_keystore_password`
+
+ * Value type is <<password,password>>
+ * There is no default value for this setting.
+
+Set the JKS keystore password
+
 [id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
 ===== `ssl_supported_protocols`
 
@@ -392,6 +434,7 @@ the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.
 
 [id="plugins-{type}s-{plugin}-ssl_verify_mode"]
 ===== `ssl_verify_mode` 
+deprecated[3.7.0, Replaced by <<plugins-{type}s-{plugin}-ssl_client_authentication>>]
 
   * Value can be any of: `none`, `peer`, `force_peer`
   * Default value is `"none"`
@@ -404,7 +447,7 @@ If the client provides a certificate, it will be validated.
 `force_peer` will make the server ask the client to provide a certificate.
 If the client doesn't provide a certificate, the connection will be closed.
 
-This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
+This option needs to be used with <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> and a defined list of CAs.
 
 [id="plugins-{type}s-{plugin}-threads"]
 ===== `threads` 

data/lib/logstash/inputs/http.rb

@@ -4,6 +4,7 @@ require "logstash/namespace"
 require "stud/interval"
 require "logstash-input-http_jars"
 require "logstash/plugin_mixins/ecs_compatibility_support"
+require "logstash/plugin_mixins/normalize_config_support"
 
 # Using this input you can receive single or multiline events over http(s).
 # Applications can send a HTTP POST request with a body to the endpoint started by this
@@ -27,6 +28,9 @@ require "logstash/plugin_mixins/ecs_compatibility_support"
 #
 class LogStash::Inputs::Http < LogStash::Inputs::Base
   include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1, :v8 => :v1)
+
+  include LogStash::PluginMixins::NormalizeConfigSupport
+
   require "logstash/inputs/http/tls"
 
   java_import "io.netty.handler.codec.http.HttpUtil"
@@ -54,7 +58,12 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
   # Events are by default sent in plain text. You can
   # enable encryption by setting `ssl` to true and configuring
   # the `ssl_certificate` and `ssl_key` options.
-  config :ssl, :validate => :boolean, :default => false
+  config :ssl, :validate => :boolean, :default => false, :deprecated => "Set 'ssl_enabled' instead."
+
+  # Events are by default sent in plain text. You can
+  # enable encryption by setting `ssl` to true and configuring
+  # the `ssl_certificate` and `ssl_key` options.
+  config :ssl_enabled, :validate => :boolean, :default => false
 
   # SSL certificate to use.
   config :ssl_certificate, :validate => :path
@@ -64,15 +73,29 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
   # for more information.
   config :ssl_key, :validate => :path
 
+  # The JKS keystore password
+  config :ssl_keystore_password, :validate => :password
+
+  # The JKS keystore to validate the client's certificates
+  config :ssl_keystore_path, :validate => :path
+
   # SSL key passphrase to use.
   config :ssl_key_passphrase, :validate => :password
 
   # Validate client certificates against these authorities.
   # You can define multiple files or paths. All the certificates will
-  # be read and added to the trust store. You need to configure the `ssl_verify_mode`
-  # to `peer` or `force_peer` to enable the verification.
+  # be read and added to the trust store. You need to configure the `ssl_client_authentication`
+  # to `optional` or `required` to enable the verification.
   config :ssl_certificate_authorities, :validate => :array, :default => []
 
+  # Controls the server’s behavior in regard to requesting a certificate from client connections.
+  # `none`: No client authentication
+  # `optional`: Requests a client certificate but the client is not required to present one.
+  # `required`: Forces a client to present a certificate.
+  #
+  # This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
+  config :ssl_client_authentication, :validate => %w[none optional required], :default => 'none'
+
   # By default the server doesn't do any client verification.
   #
   # `peer` will make the server ask the client to provide a certificate.
@@ -82,7 +105,7 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
   # If the client doesn't provide a certificate, the connection will be closed.
   #
   # This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
-  config :ssl_verify_mode, :validate => ["none", "peer", "force_peer"], :default => "none"
+  config :ssl_verify_mode, :validate => ["none", "peer", "force_peer"], :default => "none", :deprecated => "Set 'ssl_client_authentication' instead."
 
   # Time in milliseconds for an incomplete ssl handshake to timeout
   config :ssl_handshake_timeout, :validate => :number, :default => 10000
@@ -118,10 +141,13 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
   # Deprecated options
 
   # The JKS keystore to validate the client's certificates
-  config :keystore, :validate => :path, :deprecated => "Set 'ssl_certificate' and 'ssl_key' instead."
-  config :keystore_password, :validate => :password, :deprecated => "Set 'ssl_key_passphrase' instead."
+  config :keystore, :validate => :path, :deprecated => "Set 'ssl_keystore_path' instead."
+
+  # The JKS keystore password
+  config :keystore_password, :validate => :password, :deprecated => "Set 'ssl_keystore_password' instead."
+
+  config :verify_mode, :validate => ['none', 'peer', 'force_peer'], :default => 'none', :deprecated => "Set 'ssl_client_authentication' instead."
 
-  config :verify_mode, :validate => ['none', 'peer', 'force_peer'], :default => 'none', :deprecated => "Set 'ssl_verify_mode' instead."
   config :cipher_suites, :validate => :array, :default => [], :deprecated => "Set 'ssl_cipher_suites' instead."
 
   # The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
@@ -134,9 +160,36 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
 
   attr_reader :codecs
 
+  NON_PREFIXED_SSL_CONFIGS = Set[
+    'keystore',
+    'keystore_password',
+    'verify_mode',
+    'tls_min_version',
+    'tls_max_version',
+    'cipher_suites',
+  ].freeze
+
+  SSL_CLIENT_AUTH_NONE = 'none'.freeze
+  SSL_CLIENT_AUTH_OPTIONAL = 'optional'.freeze
+  SSL_CLIENT_AUTH_REQUIRED = 'required'.freeze
+
+  SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP = {
+    'none' => SSL_CLIENT_AUTH_NONE,
+    'peer' => SSL_CLIENT_AUTH_OPTIONAL,
+    'force_peer' => SSL_CLIENT_AUTH_REQUIRED
+  }.freeze
+
+  private_constant :SSL_CLIENT_AUTH_NONE
+  private_constant :SSL_CLIENT_AUTH_OPTIONAL
+  private_constant :SSL_CLIENT_AUTH_REQUIRED
+  private_constant :NON_PREFIXED_SSL_CONFIGS
+  private_constant :SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP
+
   public
   def register
 
+    setup_ssl_params!
+
     validate_ssl_settings!
 
     if @user && @password
@@ -234,78 +287,123 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
   end
 
   def validate_ssl_settings!
-    if !@ssl
-      @logger.warn("SSL Certificate will not be used") if @ssl_certificate
-      @logger.warn("SSL Key will not be used") if @ssl_key
-      @logger.warn("SSL Java Key Store will not be used") if @keystore
-      return # code bellow assumes `ssl => true`
+    ssl_config_name = original_params.include?('ssl') ? 'ssl' : 'ssl_enabled'
+
+    unless @ssl_enabled
+      ignored_ssl_settings = original_params.select { |k| k != 'ssl_enabled' && k.start_with?('ssl_') || NON_PREFIXED_SSL_CONFIGS.include?(k) }
+      @logger.warn("Configured SSL settings are not used when `#{ssl_config_name}` is set to `false`: #{ignored_ssl_settings.keys}") if ignored_ssl_settings.any?
+      return # code bellow assumes `ssl_enabled => true`
     end
 
-    if !(ssl_key_configured? || ssl_jks_configured?)
-      raise LogStash::ConfigurationError, "Certificate or JKS must be configured"
+    if @ssl_certificate && !@ssl_key
+      raise LogStash::ConfigurationError, "Using an `ssl_certificate` requires an `ssl_key`"
+    elsif @ssl_key && !@ssl_certificate
+      raise LogStash::ConfigurationError, 'An `ssl_certificate` is required when using an `ssl_key`'
     end
 
-    if original_params.key?("verify_mode") && original_params.key?("ssl_verify_mode")
-      raise LogStash::ConfigurationError, "Both `ssl_verify_mode` and (deprecated) `verify_mode` were set. Use only `ssl_verify_mode`."
-    elsif original_params.key?("verify_mode")
-      @ssl_verify_mode_final = @verify_mode
-    else
-      @ssl_verify_mode_final = @ssl_verify_mode
+    unless ssl_key_configured? || ssl_jks_configured?
+      raise LogStash::ConfigurationError, "Either an `ssl_certificate` or `ssl_keystore_path` is required when SSL is enabled `#{ssl_config_name} => true`"
     end
 
-    if original_params.key?('cipher_suites') && original_params.key?('ssl_cipher_suites')
-      raise LogStash::ConfigurationError, "Both `ssl_cipher_suites` and (deprecated) `cipher_suites` were set. Use only `ssl_cipher_suites`."
-    elsif original_params.key?('cipher_suites')
-      @ssl_cipher_suites_final = @cipher_suites
-    else
-      @ssl_cipher_suites_final = @ssl_cipher_suites
+    if require_certificate_authorities? && !certificate_authorities_configured?
+      config_name, optional, required = provided_client_authentication_config([SSL_CLIENT_AUTH_OPTIONAL, SSL_CLIENT_AUTH_REQUIRED])
+      raise LogStash::ConfigurationError, "Using `#{config_name}` set to `#{optional}` or `#{required}`, requires the configuration of `ssl_certificate_authorities`"
     end
 
-    if original_params.key?('tls_min_version') && original_params.key?('ssl_supported_protocols')
-      raise LogStash::ConfigurationError, "Both `ssl_supported_protocols` and (deprecated) `tls_min_ciphers` were set. Use only `ssl_supported_protocols`."
-    elsif original_params.key?('tls_max_version') && original_params.key?('ssl_supported_protocols')
-      raise LogStash::ConfigurationError, "Both `ssl_supported_protocols` and (deprecated) `tls_max_ciphers` were set. Use only `ssl_supported_protocols`."
-    else
-      if original_params.key?('tls_min_version') || original_params.key?('tls_max_version')
-        @ssl_supported_protocols_final = TLS.get_supported(tls_min_version..tls_max_version).map(&:name)
-      else
-        @ssl_supported_protocols_final = @ssl_supported_protocols
+    if !require_certificate_authorities? && certificate_authorities_configured?
+      config_name, optional, required = provided_client_authentication_config([SSL_CLIENT_AUTH_OPTIONAL, SSL_CLIENT_AUTH_REQUIRED])
+      raise LogStash::ConfigurationError, "The configuration of `ssl_certificate_authorities` requires setting `#{config_name}` to `#{optional}` or '#{required}'"
+    end
+  end
+
+  def setup_ssl_params!
+    @ssl_enabled = normalize_config(:ssl_enabled) do |normalizer|
+      normalizer.with_deprecated_alias(:ssl)
+    end
+
+    @ssl_cipher_suites = normalize_config(:ssl_cipher_suites) do |normalizer|
+      normalizer.with_deprecated_alias(:cipher_suites)
+    end
+
+    @ssl_supported_protocols = normalize_config(:ssl_supported_protocols) do |normalizer|
+      normalizer.with_deprecated_mapping(:tls_min_version, :tls_max_version) do |tls_min_version, tls_max_version|
+        TLS.get_supported(tls_min_version..tls_max_version).map(&:name)
+      end
+    end
+
+    @ssl_client_authentication = normalize_config(:ssl_client_authentication) do |normalizer|
+      normalizer.with_deprecated_mapping(:verify_mode, :ssl_verify_mode) do |verify_mode, ssl_verify_mode|
+        normalize_ssl_client_authentication_value!(verify_mode, ssl_verify_mode)
       end
     end
 
-    if require_certificate_authorities? && !client_authentication?
-      raise LogStash::ConfigurationError, "Using `ssl_verify_mode` (or `verify_mode`) set to PEER or FORCE_PEER, requires the configuration of `ssl_certificate_authorities`"
-    elsif !require_certificate_authorities? && client_authentication?
-      raise LogStash::ConfigurationError, "The configuration of `ssl_certificate_authorities` requires setting `ssl_verify_mode` (or `verify_mode`) to PEER or FORCE_PEER"
+    @ssl_keystore_path = normalize_config(:ssl_keystore_path) do |normalizer|
+      normalizer.with_deprecated_alias(:keystore)
+    end
+
+    @ssl_keystore_password = normalize_config(:ssl_keystore_password) do |normalizer|
+      normalizer.with_deprecated_alias(:keystore_password)
     end
+
+    params['ssl_enabled'] = @ssl_enabled unless @ssl_enabled.nil?
+    params['ssl_cipher_suites'] = @ssl_cipher_suites unless @ssl_cipher_suites.nil?
+    params['ssl_supported_protocols'] = @ssl_supported_protocols unless @ssl_supported_protocols.nil?
+    params['ssl_client_authentication'] = @ssl_client_authentication unless @ssl_client_authentication.nil?
+    params['ssl_keystore_path'] = @ssl_keystore_path unless @ssl_keystore_path.nil?
+    params['ssl_keystore_password'] = @ssl_keystore_password unless @ssl_keystore_password.nil?
+  end
+
+  def normalize_ssl_client_authentication_value!(verify_mode, ssl_verify_mode)
+    verify_mode_explicitly_set = original_params.key?("verify_mode")
+
+    if verify_mode_explicitly_set && original_params.key?("ssl_verify_mode")
+      raise LogStash::ConfigurationError, "Both (deprecated) `ssl_verify_mode` and `verify_mode` were set. Use only `ssl_verify_mode`"
+    end
+
+    deprecated_value = (verify_mode_explicitly_set ? verify_mode : ssl_verify_mode).downcase
+    SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP[deprecated_value]
   end
 
   def create_http_server(message_handler)
     org.logstash.plugins.inputs.http.NettyHttpServer.new(
-      @host, @port, message_handler, build_ssl_params(), @threads, @max_pending_requests, @max_content_length, @response_code)
+      @host, @port, message_handler, build_ssl_params, @threads, @max_pending_requests, @max_content_length, @response_code)
   end
 
   def build_ssl_params
-    return nil unless @ssl
+    return nil unless @ssl_enabled
 
-    if @keystore && @keystore_password
-      ssl_builder = org.logstash.plugins.inputs.http.util.JksSslBuilder.new(@keystore, @keystore_password.value)
+    if @ssl_keystore_path && @ssl_keystore_password
+      ssl_builder = org.logstash.plugins.inputs.http.util.JksSslBuilder.new(@ssl_keystore_path, @ssl_keystore_password.value)
     else
-      begin
-        ssl_builder = org.logstash.plugins.inputs.http.util.SslSimpleBuilder
-                          .new(@ssl_certificate, @ssl_key, @ssl_key_passphrase.nil? ? nil : @ssl_key_passphrase.value)
-                          .setCipherSuites(normalized_cipher_suites)
-      rescue java.lang.IllegalArgumentException => e
-        @logger.error("SSL configuration invalid", error_details(e))
-        raise LogStash::ConfigurationError, e
-      end
+      ssl_builder = new_ssl_simple_builder
+    end
+
+    new_ssl_handshake_provider(ssl_builder)
+  end
+
+  def new_ssl_simple_builder
+    passphrase = @ssl_key_passphrase.nil? ? nil : @ssl_key_passphrase.value
+    begin
+      ssl_context_builder = SslSimpleBuilder.new(@ssl_certificate, @ssl_key, passphrase)
+                            .setProtocols(@ssl_supported_protocols)
+                            .setCipherSuites(normalized_cipher_suites)
 
-      if client_authentication?
-        ssl_builder.setCertificateAuthorities(@ssl_certificate_authorities)
+      if client_authentication_enabled?
+        ssl_context_builder.setClientAuthentication(ssl_simple_builder_verify_mode, @ssl_certificate_authorities)
       end
+
+      ssl_context_builder
+    rescue java.lang.IllegalArgumentException => e
+      @logger.error("SSL configuration invalid", error_details(e))
+      raise LogStash::ConfigurationError, e
     end
+  end
 
-    new_ssl_handshake_provider(ssl_builder)
+  def ssl_simple_builder_verify_mode
+    return SslSimpleBuilder::SslClientVerifyMode::OPTIONAL if client_authentication_optional?
+    return SslSimpleBuilder::SslClientVerifyMode::REQUIRED if client_authentication_required?
+    return SslSimpleBuilder::SslClientVerifyMode::NONE if client_authentication_none?
+    raise LogStash::ConfigurationError, "Invalid `ssl_client_authentication` value #{@ssl_client_authentication}"
   end
 
   def ssl_key_configured?
@@ -313,30 +411,52 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
   end
 
   def ssl_jks_configured?
-    !!(@keystore && @keystore_password)
+    !!(@ssl_keystore_path && @ssl_keystore_password)
   end
 
-  def client_authentication?
-    @ssl_certificate_authorities && @ssl_certificate_authorities.size > 0
+  def client_authentication_enabled?
+    client_authentication_optional? || client_authentication_required?
   end
 
   def require_certificate_authorities?
-    @ssl_verify_mode_final == "force_peer" || @ssl_verify_mode_final == "peer"
+    client_authentication_required? || client_authentication_optional?
+  end
+
+  def certificate_authorities_configured?
+    @ssl_certificate_authorities && @ssl_certificate_authorities.size > 0
+  end
+
+  def client_authentication_required?
+    @ssl_client_authentication && @ssl_client_authentication.downcase == SSL_CLIENT_AUTH_REQUIRED
+  end
+
+  def client_authentication_none?
+    @ssl_client_authentication && @ssl_client_authentication.downcase == SSL_CLIENT_AUTH_NONE
+  end
+
+  def client_authentication_optional?
+    @ssl_client_authentication && @ssl_client_authentication.downcase == SSL_CLIENT_AUTH_OPTIONAL
+  end
+
+  def provided_client_authentication_config(values = [@ssl_client_authentication])
+    if original_params.include?('ssl_verify_mode')
+      ['ssl_verify_mode', *values.map { |v| SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP.key(v) }]
+    elsif original_params.include?('verify_mode')
+      ['verify_mode', *values.map { |v| SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP.key(v) }]
+    else
+      ['ssl_client_authentication', *values]
+    end
   end
 
   private
 
   def normalized_cipher_suites
-    @ssl_cipher_suites_final.map(&:upcase)
+    @ssl_cipher_suites.map(&:upcase)
   end
 
   def new_ssl_handshake_provider(ssl_builder)
     begin
-      ssl_handler_provider = org.logstash.plugins.inputs.http.util.SslHandlerProvider.new(ssl_builder.build())
-      ssl_handler_provider.setVerifyMode(@ssl_verify_mode_final.upcase)
-      ssl_handler_provider.setProtocols(@ssl_supported_protocols_final)
-      ssl_handler_provider.setHandshakeTimeoutMilliseconds(@ssl_handshake_timeout)
-      ssl_handler_provider
+      org.logstash.plugins.inputs.http.util.SslHandlerProvider.new(ssl_builder.build(), @ssl_handshake_timeout)
     rescue java.lang.IllegalArgumentException => e
       @logger.error("SSL configuration invalid", error_details(e))
       raise LogStash::ConfigurationError, e

data/lib/logstash-input-http_jars.rb

@@ -8,4 +8,4 @@ require_jar('io.netty', 'netty-common', '4.1.87.Final')
 require_jar('io.netty', 'netty-transport', '4.1.87.Final')
 require_jar('io.netty', 'netty-handler', '4.1.87.Final')
 require_jar('io.netty', 'netty-transport-native-unix-common', '4.1.87.Final')
-require_jar('org.logstash.plugins.input.http', 'logstash-input-http', '3.6.1')
+require_jar('org.logstash.plugins.input.http', 'logstash-input-http', '3.7.0')

data/logstash-input-http.gemspec

@@ -24,6 +24,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'logstash-codec-plain'
   s.add_runtime_dependency 'jar-dependencies', '~> 0.3', '>= 0.3.4'
   s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~>1.2'
+  s.add_runtime_dependency 'logstash-mixin-normalize_config_support', '~>1.0'
 
   s.add_development_dependency 'logstash-devutils'
   s.add_development_dependency 'logstash-codec-json'

data/spec/inputs/helpers.rb

@@ -0,0 +1,6 @@
+# encoding: utf-8
+CERTS_DIR = File.expand_path('../fixtures/certs/generated', File.dirname(__FILE__))
+
+def certificate_path(filename)
+  File.join(CERTS_DIR, filename)
+end

data/spec/inputs/http_spec.rb

@@ -7,6 +7,7 @@ require "stud/temporary"
 require "zlib"
 require "stringio"
 require 'logstash/plugin_mixins/ecs_compatibility_support/spec_helper'
+require 'inputs/helpers'
 
 java_import "io.netty.handler.ssl.util.SelfSignedCertificate"
 
@@ -165,22 +166,20 @@ describe LogStash::Inputs::Http do
 
         let(:url) { super().sub('http://', 'https://') }
 
-        certs_dir = File.expand_path('../fixtures/certs/generated', File.dirname(__FILE__))
-
         let(:config) do
-          super().merge 'ssl' => true,
-                        'ssl_certificate_authorities' => [ File.join(certs_dir, 'root.crt') ],
-                        'ssl_certificate' => File.join(certs_dir, 'server_from_root.crt'),
-                        'ssl_key' => File.join(certs_dir, 'server_from_root.key.pkcs8'),
-                        'ssl_verify_mode' => 'peer'
+          super().merge 'ssl_enabled' => true,
+                        'ssl_certificate_authorities' => [certificate_path('root.crt')],
+                        'ssl_certificate' => certificate_path( 'server_from_root.crt'),
+                        'ssl_key' => certificate_path( 'server_from_root.key.pkcs8'),
+                        'ssl_client_authentication' => 'optional'
         end
 
         let(:client_options) do
           super().merge ssl: {
               verify: false,
-              ca_file: File.join(certs_dir, 'root.crt'),
-              client_cert: File.join(certs_dir, 'client_from_root.crt'),
-              client_key: File.join(certs_dir, 'client_from_root.key.pkcs8'),
+              ca_file: certificate_path( 'root.crt'),
+              client_cert: certificate_path( 'client_from_root.crt'),
+              client_key: certificate_path( 'client_from_root.key.pkcs8'),
           }
         end
 
@@ -538,15 +537,27 @@ describe LogStash::Inputs::Http do
     end
   end
 
-  context "with :ssl => false" do
-    subject { LogStash::Inputs::Http.new("port" => port, "ssl" => false) }
+  context "with :ssl_enabled => false" do
+    let(:config) { {"port" => port, "ssl_enabled" => false} }
+
     it "should not raise exception" do
       expect { subject.register }.to_not raise_exception
     end
+
+    context "and `ssl_` settings provided" do
+      let(:ssc) { SelfSignedCertificate.new }
+      let(:config) { { "port" => 0, "ssl_enabled" => false, "ssl_certificate" => ssc.certificate.path, "ssl_client_authentication" => "none", "cipher_suites" => ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"] } }
+
+      it "should warn about not using the configs" do
+        expect(subject.logger).to receive(:warn).with(/^Configured SSL settings are not used when `ssl_enabled` is set to `false`: \[("ssl_certificate"(,\s)?|"ssl_client_authentication"(,\s)?|"cipher_suites"(,\s)?)*\]$/)
+        subject.register
+      end
+    end
   end
-  context "with :ssl => true" do
+
+  context "with :ssl_enabled => true" do
     context "without :ssl_certificate" do
-      subject { LogStash::Inputs::Http.new("port" => port, "ssl" => true) }
+      subject { LogStash::Inputs::Http.new("port" => port, "ssl_enabled" => true) }
       it "should raise exception" do
         expect { subject.register }.to raise_exception(LogStash::ConfigurationError)
       end
@@ -563,7 +574,7 @@ describe LogStash::Inputs::Http do
       let(:ssl_key) { ssc.private_key }
 
       let(:config) do
-        { "port" => port, "ssl" => true, "ssl_certificate" => ssl_certificate.path, "ssl_key" => ssl_key.path }
+        { "port" => port, "ssl_enabled" => true, "ssl_certificate" => ssl_certificate.path, "ssl_key" => ssl_key.path }
       end
 
       after(:each) { ssc.delete }
@@ -575,46 +586,37 @@ describe LogStash::Inputs::Http do
       end
 
       context "with ssl_verify_mode = none" do
-        subject { LogStash::Inputs::Http.new(config.merge("ssl_verify_mode" => "none")) }
+        subject { LogStash::Inputs::Http.new(config.merge("ssl_client_authentication" => "none")) }
 
         it "should not raise exception" do
           expect { subject.register }.to_not raise_exception
         end
       end
-      ["peer", "force_peer"].each do |verify_mode|
-        context "with ssl_verify_mode = #{verify_mode}" do
-          subject { LogStash::Inputs::Http.new("port" => port, "ssl" => true,
-                                               "ssl_certificate" => ssl_certificate.path,
-                                               "ssl_certificate_authorities" => ssl_certificate.path,
-                                               "ssl_key" => ssl_key.path,
-                                               "ssl_verify_mode" => verify_mode
-                                              ) }
-          it "should not raise exception" do
-            expect { subject.register }.to_not raise_exception
+      ["ssl_verify_mode", "verify_mode"].each do |config_name|
+        ["peer", "force_peer"].each do |verify_mode|
+          context "with deprecated #{config_name} = #{verify_mode}" do
+            subject { LogStash::Inputs::Http.new("port" => port,
+                                                 "ssl_enabled" => true,
+                                                 "ssl_certificate" => ssl_certificate.path,
+                                                 "ssl_certificate_authorities" => ssl_certificate.path,
+                                                 "ssl_key" => ssl_key.path,
+                                                  config_name => verify_mode
+                                                ) }
+            it "should not raise exception" do
+              expect { subject.register }.to_not raise_exception
+            end
           end
         end
       end
-      context "with verify_mode = none" do
-        subject { LogStash::Inputs::Http.new(config.merge("verify_mode" => "none")) }
+      ["ssl_verify_mode", "verify_mode"].each do |config_name|
+        context "with deprecated #{config_name} = none" do
+          subject { LogStash::Inputs::Http.new(config.merge(config_name => "none")) }
 
-        it "should not raise exception" do
-          expect { subject.register }.to_not raise_exception
-        end
-      end
-      ["peer", "force_peer"].each do |verify_mode|
-        context "with verify_mode = #{verify_mode}" do
-          subject { LogStash::Inputs::Http.new("port" => port, "ssl" => true,
-                                               "ssl_certificate" => ssl_certificate.path,
-                                               "ssl_certificate_authorities" => ssl_certificate.path,
-                                               "ssl_key" => ssl_key.path,
-                                               "verify_mode" => verify_mode
-                                              ) }
           it "should not raise exception" do
             expect { subject.register }.to_not raise_exception
           end
         end
       end
-
       context "with invalid ssl certificate" do
         before do
           cert = File.readlines path = config["ssl_certificate"]
@@ -646,7 +648,7 @@ describe LogStash::Inputs::Http do
 
       context "with invalid ssl certificate_authorities" do
         let(:config) do
-          super().merge("ssl_verify_mode" => "peer", "ssl_certificate_authorities" => [ ssc.certificate.path, ssc.private_key.path ])
+          super().merge("ssl_client_authentication" => "optional", "ssl_certificate_authorities" => [ ssc.certificate.path, ssc.private_key.path ])
         end
 
         it "should raise a cert error" do
@@ -662,13 +664,33 @@ describe LogStash::Inputs::Http do
         end
       end
 
-      context "with both verify_mode options set" do
+      context "with both verify_mode and ssl_verify_mode options set" do
         let(:config) do
-          super().merge('ssl_verify_mode' => 'peer', 'verify_mode' => 'none')
+          super().merge('verify_mode' => 'none', 'ssl_verify_mode' => 'none')
         end
 
         it "should raise a configuration error" do
-          expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_verify_mode.?/i
+          expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_verify_mode`.?/i
+        end
+      end
+
+      context "with both ssl_client_authentication and ssl_verify_mode options set" do
+        let(:config) do
+          super().merge('ssl_client_authentication' => 'optional', 'ssl_verify_mode' => 'none')
+        end
+
+        it "should raise a configuration error" do
+          expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_client_authentication.?/i
+        end
+      end
+
+      context "with both ssl_client_authentication and verify_mode options set" do
+        let(:config) do
+          super().merge('ssl_client_authentication' => 'optional', 'verify_mode' => 'none')
+        end
+
+        it "should raise a configuration error" do
+          expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_client_authentication.?/i
         end
       end
 
@@ -703,6 +725,101 @@ describe LogStash::Inputs::Http do
         end
       end
 
+      context "with both ssl and ssl_enabled set" do
+        let(:config) do
+          super().merge('ssl' => true, 'ssl_enabled' => true )
+        end
+
+        it "should raise a configuration error" do
+          expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_enabled.?/i
+        end
+      end
+
+      context "with ssl_client_authentication" do
+        context "normalized from ssl_verify_mode 'none'" do
+          let(:config) { super().merge("ssl_verify_mode" => "none") }
+
+          it "should transform the value to 'none'" do
+            subject.register
+            expect(subject.params).to match hash_including("ssl_client_authentication" => "none")
+            expect(subject.instance_variable_get(:@ssl_client_authentication)).to eql("none")
+          end
+
+          context "and ssl_certificate_authorities is set" do
+            let(:config) { super().merge("ssl_certificate_authorities" => [certificate_path( 'root.crt')]) }
+            it "raise a configuration error" do
+              expect { subject.register }.to raise_error(LogStash::ConfigurationError, "The configuration of `ssl_certificate_authorities` requires setting `ssl_verify_mode` to `peer` or 'force_peer'")
+            end
+          end
+        end
+
+        [%w[peer optional], %w[force_peer required]].each do |ssl_verify_mode, ssl_client_authentication|
+          context "normalized from ssl_verify_mode '#{ssl_verify_mode}'" do
+            let(:config) { super().merge("ssl_verify_mode" => ssl_verify_mode, "ssl_certificate_authorities" => [certificate_path( 'root.crt')]) }
+
+            it "should transform the value to '#{ssl_client_authentication}'" do
+              subject.register
+              expect(subject.params).to match hash_including("ssl_client_authentication" => ssl_client_authentication)
+              expect(subject.instance_variable_get(:@ssl_client_authentication)).to eql(ssl_client_authentication)
+            end
+
+            context "with no ssl_certificate_authorities set " do
+              let(:config) { super().reject { |key| "ssl_certificate_authorities".eql?(key) } }
+              it "raise a configuration error" do
+                expect {subject.register}.to raise_error(LogStash::ConfigurationError, "Using `ssl_verify_mode` set to `peer` or `force_peer`, requires the configuration of `ssl_certificate_authorities`")
+              end
+            end
+          end
+        end
+
+        context "configured to 'none'" do
+          let(:config) { super().merge("ssl_client_authentication" => "none") }
+
+          it "doesn't raise an error when certificate_authorities is not set" do
+            expect {subject.register}.to_not raise_error
+          end
+
+          context "with certificate_authorities set" do
+            let(:config) { super().merge("ssl_certificate_authorities" => [certificate_path( 'root.crt')]) }
+
+            it "raise a configuration error" do
+              expect {subject.register}.to raise_error(LogStash::ConfigurationError, "The configuration of `ssl_certificate_authorities` requires setting `ssl_client_authentication` to `optional` or 'required'")
+            end
+          end
+        end
+
+        context "configured to 'required'" do
+          let(:config) { super().merge("ssl_client_authentication" => "required") }
+
+          it "raise a ConfigurationError when certificate_authorities is not set" do
+            expect {subject.register}.to raise_error(LogStash::ConfigurationError, "Using `ssl_client_authentication` set to `optional` or `required`, requires the configuration of `ssl_certificate_authorities`")
+          end
+
+          context "with ssl_certificate_authorities set" do
+            let(:config) { super().merge("ssl_certificate_authorities" => [certificate_path( 'root.crt')]) }
+
+            it "doesn't raise a configuration error" do
+              expect {subject.register}.not_to raise_error
+            end
+          end
+        end
+
+        context "configured to 'optional'" do
+          let(:config) { super().merge("ssl_client_authentication" => "optional") }
+
+          it "raise a ConfigurationError when certificate_authorities is not set" do
+            expect {subject.register}.to raise_error(LogStash::ConfigurationError, "Using `ssl_client_authentication` set to `optional` or `required`, requires the configuration of `ssl_certificate_authorities`")
+          end
+
+          context "with certificate_authorities set" do
+            let(:config) { super().merge("ssl_certificate_authorities" => [certificate_path( 'root.crt')]) }
+
+            it "doesn't raise a configuration error" do
+              expect {subject.register}.not_to raise_error
+            end
+          end
+        end
+      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-http
 version: !ruby/object:Gem::Version
-  version: 3.6.1
+  version: 3.7.0
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-19 00:00:00.000000000 Z
+date: 2023-04-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -78,6 +78,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  name: logstash-mixin-normalize_config_support
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -171,6 +185,7 @@ files:
 - spec/fixtures/certs/generated/server_from_root.key
 - spec/fixtures/certs/generated/server_from_root.key.pkcs8
 - spec/fixtures/certs/openssl.cnf
+- spec/inputs/helpers.rb
 - spec/inputs/http_spec.rb
 - vendor/jar-dependencies/io/netty/netty-buffer/4.1.87.Final/netty-buffer-4.1.87.Final.jar
 - vendor/jar-dependencies/io/netty/netty-codec-http/4.1.87.Final/netty-codec-http-4.1.87.Final.jar
@@ -179,7 +194,7 @@ files:
 - vendor/jar-dependencies/io/netty/netty-handler/4.1.87.Final/netty-handler-4.1.87.Final.jar
 - vendor/jar-dependencies/io/netty/netty-transport-native-unix-common/4.1.87.Final/netty-transport-native-unix-common-4.1.87.Final.jar
 - vendor/jar-dependencies/io/netty/netty-transport/4.1.87.Final/netty-transport-4.1.87.Final.jar
-- vendor/jar-dependencies/org/logstash/plugins/input/http/logstash-input-http/3.6.1/logstash-input-http-3.6.1.jar
+- vendor/jar-dependencies/org/logstash/plugins/input/http/logstash-input-http/3.7.0/logstash-input-http-3.7.0.jar
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache License (2.0)
@@ -221,4 +236,5 @@ test_files:
 - spec/fixtures/certs/generated/server_from_root.key
 - spec/fixtures/certs/generated/server_from_root.key.pkcs8
 - spec/fixtures/certs/openssl.cnf
+- spec/inputs/helpers.rb
 - spec/inputs/http_spec.rb