logstash-input-http 3.7.3-java → 3.8.1-java
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/VERSION +1 -1
- data/docs/index.asciidoc +42 -1
- data/lib/logstash/inputs/http.rb +66 -38
- data/lib/logstash-input-http_jars.rb +8 -8
- data/spec/fixtures/certs/generate.sh +5 -0
- data/spec/fixtures/certs/generated/server_from_root.p12 +0 -0
- data/spec/fixtures/certs/generated/truststore.jks +0 -0
- data/spec/inputs/http_spec.rb +100 -3
- data/vendor/jar-dependencies/io/netty/netty-buffer/{4.1.100.Final/netty-buffer-4.1.100.Final.jar → 4.1.109.Final/netty-buffer-4.1.109.Final.jar} +0 -0
- data/vendor/jar-dependencies/io/netty/netty-codec/{4.1.100.Final/netty-codec-4.1.100.Final.jar → 4.1.109.Final/netty-codec-4.1.109.Final.jar} +0 -0
- data/vendor/jar-dependencies/io/netty/netty-codec-http/{4.1.100.Final/netty-codec-http-4.1.100.Final.jar → 4.1.109.Final/netty-codec-http-4.1.109.Final.jar} +0 -0
- data/vendor/jar-dependencies/io/netty/netty-common/{4.1.100.Final/netty-common-4.1.100.Final.jar → 4.1.109.Final/netty-common-4.1.109.Final.jar} +0 -0
- data/vendor/jar-dependencies/io/netty/netty-handler/{4.1.100.Final/netty-handler-4.1.100.Final.jar → 4.1.109.Final/netty-handler-4.1.109.Final.jar} +0 -0
- data/vendor/jar-dependencies/io/netty/netty-transport/{4.1.100.Final/netty-transport-4.1.100.Final.jar → 4.1.109.Final/netty-transport-4.1.109.Final.jar} +0 -0
- data/vendor/jar-dependencies/io/netty/netty-transport-native-unix-common/{4.1.100.Final/netty-transport-native-unix-common-4.1.100.Final.jar → 4.1.109.Final/netty-transport-native-unix-common-4.1.109.Final.jar} +0 -0
- data/vendor/jar-dependencies/org/logstash/plugins/input/http/logstash-input-http/{3.7.3/logstash-input-http-3.7.3.jar → 3.8.1/logstash-input-http-3.8.1.jar} +0 -0
- metadata +14 -10
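--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: dce1f0dc68aea9fe3fc036bff6c20eca4c1c08df2986f7ac7fb0a292a764dda5
+data.tar.gz: 1e9f85e289e7e22c1a95f60bffe5d405eaaca68dce14ede91e76ba639e6163bb
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7e3193fa2cc9427c7b7442d5fd88eab306bb424e260903e4999a925f199f682f08dda7ee71418248b01dc4f42eb81c93414876ff11933d9e546794a12349ae3f
+data.tar.gz: c3024943b402622bfa87bc592267ca879e01e0abac707b75918e1dde4cd6d4522a48d364e3b21bcb1236613e2ad6aea1b7428a47735931119fcffb5d3311ca0f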
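--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 3.8.1
+- bump netty to 4.1.109 [#173](https://github.com/logstash-plugins/logstash-input-http/pull/173)
+
+## 3.8.0
+- Fixed SSL Java KeyStore support [#171](https://github.com/logstash-plugins/logstash-input-http/pull/171)
+- Added `ssl_keystore_type` configuration
+- Added SSL Java TrustStore configurations (`ssl_truststore_type`, `ssl_truststore_path` and `ssl_truststore_password`)
+
 ## 3.7.3
 - bump netty to 4.1.100 [#170](https://github.com/logstash-plugins/logstash-input-http/pull/170)
 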
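--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-3.
+3.8.1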
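--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -112,7 +112,11 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_keystore_password>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_keystore_path>> |<<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_keystore_type>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_truststore_password>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-ssl_truststore_path>> |<<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_truststore_type>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|__Deprecated__
 | <<plugins-{type}s-{plugin}-threads>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|__Deprecated__
@@ -405,7 +409,18 @@ SSL key passphrase to use.
 * Value type is <<path,path>>
 * There is no default value for this setting.
 
-The
+The path for the keystore file that contains a private key and certificate.
+It must be either a Java keystore (jks) or a PKCS#12 file.
+
+NOTE: You cannot use this setting and <<plugins-{type}s-{plugin}-ssl_certificate>> at the same time.
+
+[id="plugins-{type}s-{plugin}-ssl_keystore_type"]
+===== `ssl_keystore_type`
+
+* Value can be any of: `jks`, `pkcs12`
+* If not provided, the value will be inferred from the keystore filename.
+
+The format of the keystore file. It must be either `jks` or `pkcs12`.
 
 [id="plugins-{type}s-{plugin}-ssl_keystore_password"]
 ===== `ssl_keystore_password`
@@ -432,6 +447,32 @@ NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as
 the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
 the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
 
+[id="plugins-{type}s-{plugin}-ssl_truststore_password"]
+===== `ssl_truststore_password`
+
+* Value type is <<password,password>>
+* There is no default value for this setting.
+
+Set the truststore password
+
+[id="plugins-{type}s-{plugin}-ssl_truststore_path"]
+===== `ssl_truststore_path`
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+
+The path for the keystore that contains the certificates to trust. It must be either a Java keystore (jks) or a PKCS#12 file.
+
+NOTE: You cannot use this setting and <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> at the same time.
+
+[id="plugins-{type}s-{plugin}-ssl_truststore_type"]
+===== `ssl_truststore_type`
+
+* Value can be any of: `jks`, `pkcs12`
+* If not provided, the value will be inferred from the truststore filename.
+
+The format of the truststore file. It must be either `jks` or `pkcs12`.
+
 [id="plugins-{type}s-{plugin}-ssl_verify_mode"]
 ===== `ssl_verify_mode`
 deprecated[3.7.0, Replaced by <<plugins-{type}s-{plugin}-ssl_client_authentication>>]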
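--- a/data/lib/logstash/inputs/http.rb
+++ b/data/lib/logstash/inputs/http.rb
@@ -76,12 +76,24 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
 # The JKS keystore password
 config :ssl_keystore_password, :validate => :password
 
-# The
+# The path for the keystore file that contains a private key and certificate
 config :ssl_keystore_path, :validate => :path
 
+# The format of the keystore file. It must be either jks or pkcs12
+config :ssl_keystore_type, :validate => %w[pkcs12 jks]
+
 # SSL key passphrase to use.
 config :ssl_key_passphrase, :validate => :password
 
+# Set the truststore password
+config :ssl_truststore_password, :validate => :password
+
+# The path for the keystore that contains the certificates to trust. It must be either a Java keystore (jks) or a PKCS#12 file
+config :ssl_truststore_path, :validate => :path
+
+# The format of the truststore file. It must be either jks or pkcs12
+config :ssl_truststore_type, :validate => %w[pkcs12 jks]
+
 # Validate client certificates against these authorities.
 # You can define multiple files or paths. All the certificates will
 # be read and added to the trust store. You need to configure the `ssl_client_authentication`
@@ -301,18 +313,31 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
 raise LogStash::ConfigurationError, 'An `ssl_certificate` is required when using an `ssl_key`'
 end
 
-unless
+unless ssl_certificate_configured? || ssl_keystore_configured?
 raise LogStash::ConfigurationError, "Either an `ssl_certificate` or `ssl_keystore_path` is required when SSL is enabled `#{ssl_config_name} => true`"
 end
 
-if
-
-raise LogStash::ConfigurationError, "Using `#{config_name}` set to `#{optional}` or `#{required}`, requires the configuration of `ssl_certificate_authorities`"
+if ssl_certificate_configured? && ssl_keystore_configured?
+raise LogStash::ConfigurationError, 'Use either an `ssl_certificate` or an `ssl_keystore_path`'
 end
 
-if
-
-
+if ssl_certificate_authorities_configured? && ssl_truststore_configured?
+raise LogStash::ConfigurationError, 'Use either an `ssl_certificate_authorities` or an `ssl_truststore_path`'
+end
+
+cli_auth_config_name, cli_auth_optional_val, cli_auth_required_val = provided_ssl_client_authentication_config([SSL_CLIENT_AUTH_OPTIONAL, SSL_CLIENT_AUTH_REQUIRED])
+if ssl_client_authentication_enabled?
+# Ensure any CA is configured. By default, the keystore can also be used as CA
+unless ssl_certificate_authorities_configured? || ssl_truststore_configured? || ssl_keystore_configured?
+raise LogStash::ConfigurationError, "Using `#{cli_auth_config_name}` set to `#{cli_auth_optional_val}` or `#{cli_auth_required_val}`, requires the configuration of `ssl_certificate_authorities` or `ssl_truststore_path`"
+end
+else
+if ssl_truststore_configured?
+raise LogStash::ConfigurationError, "The configuration of `ssl_truststore_path` requires setting `#{cli_auth_config_name}` to `#{cli_auth_optional_val}` or '#{cli_auth_required_val}'"
+end
+if ssl_certificate_authorities_configured?
+raise LogStash::ConfigurationError, "The configuration of `ssl_certificate_authorities` requires setting `#{cli_auth_config_name}` to `#{cli_auth_optional_val}` or '#{cli_auth_required_val}'"
+end
 end
 end
 
@@ -372,73 +397,76 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
 def build_ssl_params
 return nil unless @ssl_enabled
 
-
-ssl_builder = org.logstash.plugins.inputs.http.util.JksSslBuilder.new(@ssl_keystore_path, @ssl_keystore_password.value)
-else
-ssl_builder = new_ssl_simple_builder
-end
-
-new_ssl_handshake_provider(ssl_builder)
+new_ssl_handshake_provider(new_ssl_simple_builder)
 end
 
 def new_ssl_simple_builder
-passphrase = @ssl_key_passphrase.nil? ? nil : @ssl_key_passphrase.value
 begin
-
-
-
+if ssl_keystore_configured?
+ssl_context_builder = SslSimpleBuilder.withKeyStore(@ssl_keystore_type, @ssl_keystore_path, @ssl_keystore_password&.value)
+else
+ssl_context_builder = SslSimpleBuilder.withPemCertificate(@ssl_certificate, @ssl_key, @ssl_key_passphrase&.value)
+end
 
-
-
+ssl_context_builder.setProtocols(@ssl_supported_protocols)
+.setCipherSuites(normalized_cipher_suites)
+.setClientAuthentication(ssl_simple_builder_verify_mode)
+
+if ssl_client_authentication_enabled?
+if ssl_certificate_authorities_configured?
+ssl_context_builder.setCertificateAuthorities(@ssl_certificate_authorities)
+elsif ssl_truststore_configured?
+ssl_context_builder.setTrustStore(@ssl_truststore_type, @ssl_truststore_path, @ssl_truststore_password&.value)
+end
 end
 
 ssl_context_builder
-rescue
+rescue => e
 @logger.error("SSL configuration invalid", error_details(e))
 raise LogStash::ConfigurationError, e
 end
 end
 
 def ssl_simple_builder_verify_mode
-return SslSimpleBuilder::SslClientVerifyMode::OPTIONAL if
-return SslSimpleBuilder::SslClientVerifyMode::REQUIRED if
-return SslSimpleBuilder::SslClientVerifyMode::NONE if
+return SslSimpleBuilder::SslClientVerifyMode::OPTIONAL if ssl_client_authentication_optional?
+return SslSimpleBuilder::SslClientVerifyMode::REQUIRED if ssl_client_authentication_required?
+return SslSimpleBuilder::SslClientVerifyMode::NONE if ssl_client_authentication_none?
 raise LogStash::ConfigurationError, "Invalid `ssl_client_authentication` value #{@ssl_client_authentication}"
 end
 
-def
-
+def ssl_certificate_configured?
+!(@ssl_certificate.nil? || @ssl_certificate.empty?)
 end
 
-def
-
+def ssl_keystore_configured?
+!(@ssl_keystore_path.nil? || @ssl_keystore_path.empty?)
 end
 
-def
-
+def ssl_truststore_configured?
+!(@ssl_truststore_path.nil? || @ssl_truststore_path.empty?)
 end
 
-def
-
+def ssl_client_authentication_enabled?
+ssl_client_authentication_optional? || ssl_client_authentication_required?
 end
 
-def
+def ssl_certificate_authorities_configured?
 @ssl_certificate_authorities && @ssl_certificate_authorities.size > 0
 end
 
-def
+def ssl_client_authentication_required?
 @ssl_client_authentication && @ssl_client_authentication.downcase == SSL_CLIENT_AUTH_REQUIRED
 end
 
-def
+def ssl_client_authentication_none?
 @ssl_client_authentication && @ssl_client_authentication.downcase == SSL_CLIENT_AUTH_NONE
 end
 
-def
+def ssl_client_authentication_optional?
 @ssl_client_authentication && @ssl_client_authentication.downcase == SSL_CLIENT_AUTH_OPTIONAL
 end
 
-def
+def provided_ssl_client_authentication_config(values = [@ssl_client_authentication])
 if original_params.include?('ssl_verify_mode')
 ['ssl_verify_mode', *values.map { |v| SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP.key(v) }]
 elsif original_params.include?('verify_mode')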
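Review bot: The client-authentication guard in the second hunk (new lines 329–333) also passes when only `ssl_keystore_path` is set, yet `new_ssl_simple_builder` then calls neither `setCertificateAuthorities` nor `setTrustStore`, so the trust anchors used to verify client certificates are chosen inside `SslSimpleBuilder`, which this page does not show. The inline comment says the keystore "can also be used as CA", but the error message and the new docs name only `ssl_certificate_authorities` and `ssl_truststore_path`, so an operator who enables `required` with just a keystore has no indication of which certificates end up trusted. Once the fallback is confirmed on the Java side, I would spell it out, e.g. `# No CA or truststore given: client certs are checked against the trusted entries of ssl_keystore_path`, and repeat it under `ssl_keystore_path` in the docs. Separately, `@ssl_truststore_password&.value` hands nil to `setTrustStore` when no password is configured; if that reaches `KeyStore.load` unchanged, a JKS is loaded without its integrity check, so consider rejecting `ssl_truststore_path` without `ssl_truststore_password` in the same validation block. The enclosing validation method starts and ends outside the hunk.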
@@ -1,11 +1,11 @@
|
|
1
1
|
# AUTOGENERATED BY THE GRADLE SCRIPT. DO NOT EDIT.
|
2
2
|
|
3
3
|
require 'jar_dependencies'
|
4
|
-
require_jar('io.netty', 'netty-buffer', '4.1.
|
5
|
-
require_jar('io.netty', 'netty-codec', '4.1.
|
6
|
-
require_jar('io.netty', 'netty-codec-http', '4.1.
|
7
|
-
require_jar('io.netty', 'netty-common', '4.1.
|
8
|
-
require_jar('io.netty', 'netty-transport', '4.1.
|
9
|
-
require_jar('io.netty', 'netty-handler', '4.1.
|
10
|
-
require_jar('io.netty', 'netty-transport-native-unix-common', '4.1.
|
11
|
-
require_jar('org.logstash.plugins.input.http', 'logstash-input-http', '3.
|
4
|
+
require_jar('io.netty', 'netty-buffer', '4.1.109.Final')
|
5
|
+
require_jar('io.netty', 'netty-codec', '4.1.109.Final')
|
6
|
+
require_jar('io.netty', 'netty-codec-http', '4.1.109.Final')
|
7
|
+
require_jar('io.netty', 'netty-common', '4.1.109.Final')
|
8
|
+
require_jar('io.netty', 'netty-transport', '4.1.109.Final')
|
9
|
+
require_jar('io.netty', 'netty-handler', '4.1.109.Final')
|
10
|
+
require_jar('io.netty', 'netty-transport-native-unix-common', '4.1.109.Final')
|
11
|
+
require_jar('org.logstash.plugins.input.http', 'logstash-input-http', '3.8.1')
|
@@ -12,11 +12,16 @@ echo "DO NOT USE THESE CERTIFICATES IN PRODUCTION" >> ./README.txt
|
|
12
12
|
# certificate authority
|
13
13
|
openssl genrsa -out root.key 4096
|
14
14
|
openssl req -new -x509 -days 1826 -extensions ca -key root.key -out root.crt -subj "/C=LS/ST=NA/L=Http Input/O=Logstash/CN=root" -config ../openssl.cnf
|
15
|
+
# using keytool here as openssl < 3.2 won't add the "2.16.840.1.113894.746875.1.1" OID to make the cert "trusted" # See more:
|
16
|
+
# * https://github.com/openssl/openssl/pull/19025
|
17
|
+
# * https://github.com/openssl/openssl/commit/e869c867c1c405de3b6538586f17b67937556a4b
|
18
|
+
keytool -import -file root.crt -alias rootCA -keystore truststore.jks -noprompt -storepass 12345678
|
15
19
|
|
16
20
|
# server certificate from root
|
17
21
|
openssl genrsa -out server_from_root.key 4096
|
18
22
|
openssl req -new -key server_from_root.key -out server_from_root.csr -subj "/C=LS/ST=NA/L=Http Input/O=Logstash/CN=server" -config ../openssl.cnf
|
19
23
|
openssl x509 -req -extensions server_cert -extfile ../openssl.cnf -days 1096 -in server_from_root.csr -CA root.crt -CAkey root.key -set_serial 03 -out server_from_root.crt
|
24
|
+
openssl pkcs12 -export -out server_from_root.p12 -inkey server_from_root.key -in server_from_root.crt -certfile root.crt -password pass:12345678
|
20
25
|
|
21
26
|
# client certificate from root
|
22
27
|
openssl genrsa -out client_from_root.key 4096
|
Binary file
|
Binary file
|
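--- a/data/spec/inputs/http_spec.rb
+++ b/data/spec/inputs/http_spec.rb
@@ -735,6 +735,16 @@ describe LogStash::Inputs::Http do
 end
 end
 
+context "and with :ssl_keystore_path" do
+let(:config) do
+super().merge('ssl_keystore_path' => certificate_path( 'server_from_root.p12'), 'ssl_enabled' => true )
+end
+
+it "should raise a configuration error" do
+expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use either an `ssl_certificate` or an `ssl_keystore_path`/i
+end
+end
+
 context "with ssl_client_authentication" do
 context "normalized from ssl_verify_mode 'none'" do
 let(:config) { super().merge("ssl_verify_mode" => "none") }
@@ -766,7 +776,7 @@ describe LogStash::Inputs::Http do
 context "with no ssl_certificate_authorities set " do
 let(:config) { super().reject { |key| "ssl_certificate_authorities".eql?(key) } }
 it "raise a configuration error" do
-expect {subject.register}.to raise_error(LogStash::ConfigurationError, "Using `ssl_verify_mode` set to `peer` or `force_peer`, requires the configuration of `ssl_certificate_authorities`")
+expect {subject.register}.to raise_error(LogStash::ConfigurationError, "Using `ssl_verify_mode` set to `peer` or `force_peer`, requires the configuration of `ssl_certificate_authorities` or `ssl_truststore_path`")
 end
 end
 end
@@ -786,13 +796,21 @@ describe LogStash::Inputs::Http do
 expect {subject.register}.to raise_error(LogStash::ConfigurationError, "The configuration of `ssl_certificate_authorities` requires setting `ssl_client_authentication` to `optional` or 'required'")
 end
 end
+
+context "with ssl_truststore_path set" do
+let(:config) { super().merge("ssl_truststore_path" => certificate_path('truststore.jks'), "ssl_truststore_password" => "12345678") }
+
+it "raise a configuration error" do
+expect {subject.register}.to raise_error(LogStash::ConfigurationError, "The configuration of `ssl_truststore_path` requires setting `ssl_client_authentication` to `optional` or 'required'")
+end
+end
 end
 
 context "configured to 'required'" do
 let(:config) { super().merge("ssl_client_authentication" => "required") }
 
 it "raise a ConfigurationError when certificate_authorities is not set" do
-expect {subject.register}.to raise_error(LogStash::ConfigurationError, "Using `ssl_client_authentication` set to `optional` or `required`, requires the configuration of `ssl_certificate_authorities`")
+expect {subject.register}.to raise_error(LogStash::ConfigurationError, "Using `ssl_client_authentication` set to `optional` or `required`, requires the configuration of `ssl_certificate_authorities` or `ssl_truststore_path`")
 end
 
 context "with ssl_certificate_authorities set" do
@@ -802,13 +820,30 @@ describe LogStash::Inputs::Http do
 expect {subject.register}.not_to raise_error
 end
 end
+
+context "with ssl_truststore_path set to a valid truststore" do
+let(:config) { super().merge("ssl_truststore_path" => certificate_path('truststore.jks'), "ssl_truststore_password" => "12345678") }
+
+it "doesn't raise a configuration error" do
+expect {subject.register}.not_to raise_error
+end
+end
+
+context "with ssl_truststore_path set with no trusted certificate" do
+let(:truststore_path) { certificate_path('server_from_root.p12') }
+let(:config) { super().merge("ssl_truststore_path" => truststore_path, "ssl_truststore_password" => "12345678") }
+
+it "raise a configuration error" do
+expect {subject.register}.to raise_error(LogStash::ConfigurationError, "The provided Trust Store file does not contains any trusted certificate entry: #{truststore_path}")
+end
+end
 end
 
 context "configured to 'optional'" do
 let(:config) { super().merge("ssl_client_authentication" => "optional") }
 
 it "raise a ConfigurationError when certificate_authorities is not set" do
-expect {subject.register}.to raise_error(LogStash::ConfigurationError, "Using `ssl_client_authentication` set to `optional` or `required`, requires the configuration of `ssl_certificate_authorities`")
+expect {subject.register}.to raise_error(LogStash::ConfigurationError, "Using `ssl_client_authentication` set to `optional` or `required`, requires the configuration of `ssl_certificate_authorities` or `ssl_truststore_path`")
 end
 
 context "with certificate_authorities set" do
@@ -818,9 +853,71 @@ describe LogStash::Inputs::Http do
 expect {subject.register}.not_to raise_error
 end
 end
+
+context "with ssl_truststore_path set" do
+let(:config) { super().merge("ssl_truststore_path" => certificate_path('truststore.jks'), "ssl_truststore_password" => "12345678") }
+
+it "doesn't raise a configuration error" do
+expect {subject.register}.not_to raise_error
+end
+end
+
+context "with ssl_truststore_path set with no trusted certificate" do
+let(:config) { super().merge("ssl_truststore_path" => certificate_path('server_from_root.p12'), "ssl_truststore_password" => "12345678") }
+
+it "doesn't raise a configuration error" do
+expect {subject.register}.not_to raise_error
+end
+end
+end
+end
+end
+context "with :ssl_keystore_path" do
+let(:config) do
+{
+"port" => port,
+"ssl_enabled" => true,
+"ssl_keystore_path" => certificate_path( 'server_from_root.p12'),
+"ssl_keystore_password" => "12345678"
+}
+end
+
+subject { LogStash::Inputs::Http.new(config) }
+
+it "should not raise exception" do
+expect { subject.register }.to_not raise_exception
+end
+end
+context "with :ssl_truststore_path" do
+let(:config) do
+{
+"port" => port,
+"ssl_enabled" => true,
+"ssl_client_authentication" => "optional",
+"ssl_keystore_path" => certificate_path( 'server_from_root.p12'),
+"ssl_keystore_password" => "12345678",
+"ssl_truststore_path" => certificate_path( 'truststore.jks'),
+"ssl_truststore_password" => "12345678"
+}
+end
+
+subject { LogStash::Inputs::Http.new(config) }
+
+it "should not raise exception" do
+expect { subject.register }.to_not raise_exception
+end
+
+context "and with :ssl_certificate_authorities configured" do
+let(:config) do
+super().merge('ssl_certificate_authorities' => [certificate_path( 'root.crt')], 'ssl_enabled' => true )
+end
+
+it "should raise a configuration error" do
+expect { subject.register }.to raise_error LogStash::ConfigurationError, /Use either an `ssl_certificate_authorities` or an `ssl_truststore_path`/i
 end
 end
 end
+
 end
 end
 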
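Review bot: The two "with ssl_truststore_path set with no trusted certificate" contexts assert opposite outcomes for what looks like the same truststore: under `configured to 'required'` (new lines 832–839) `register` must raise "The provided Trust Store file does not contains any trusted certificate entry", while under `configured to 'optional'` (new lines 865–871) it must not raise. If the difference is intended, it means a truststore with no trusted entries is accepted silently whenever client authentication is optional, and the optional context should carry a comment stating why, along the lines of `# optional: an empty truststore is tolerated at register time because <reason>`. If it is not intended, the optional case should expect the same `LogStash::ConfigurationError`. Within the visible hunks the new truststore and keystore specs only call `register`; a case that sends a client certificate issued by `root.crt` and one from an unrelated CA would show that `truststore.jks` is actually what decides trust.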
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
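--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-http
 version: !ruby/object:Gem::Version
-version: 3.
+version: 3.8.1
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2024-04-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
@@ -184,17 +184,19 @@ files:
 - spec/fixtures/certs/generated/server_from_root.crt
 - spec/fixtures/certs/generated/server_from_root.key
 - spec/fixtures/certs/generated/server_from_root.key.pkcs8
+- spec/fixtures/certs/generated/server_from_root.p12
+- spec/fixtures/certs/generated/truststore.jks
 - spec/fixtures/certs/openssl.cnf
 - spec/inputs/helpers.rb
 - spec/inputs/http_spec.rb
-- vendor/jar-dependencies/io/netty/netty-buffer/4.1.
-- vendor/jar-dependencies/io/netty/netty-codec-http/4.1.
-- vendor/jar-dependencies/io/netty/netty-codec/4.1.
-- vendor/jar-dependencies/io/netty/netty-common/4.1.
-- vendor/jar-dependencies/io/netty/netty-handler/4.1.
-- vendor/jar-dependencies/io/netty/netty-transport-native-unix-common/4.1.
-- vendor/jar-dependencies/io/netty/netty-transport/4.1.
-- vendor/jar-dependencies/org/logstash/plugins/input/http/logstash-input-http/3.
+- vendor/jar-dependencies/io/netty/netty-buffer/4.1.109.Final/netty-buffer-4.1.109.Final.jar
+- vendor/jar-dependencies/io/netty/netty-codec-http/4.1.109.Final/netty-codec-http-4.1.109.Final.jar
+- vendor/jar-dependencies/io/netty/netty-codec/4.1.109.Final/netty-codec-4.1.109.Final.jar
+- vendor/jar-dependencies/io/netty/netty-common/4.1.109.Final/netty-common-4.1.109.Final.jar
+- vendor/jar-dependencies/io/netty/netty-handler/4.1.109.Final/netty-handler-4.1.109.Final.jar
+- vendor/jar-dependencies/io/netty/netty-transport-native-unix-common/4.1.109.Final/netty-transport-native-unix-common-4.1.109.Final.jar
+- vendor/jar-dependencies/io/netty/netty-transport/4.1.109.Final/netty-transport-4.1.109.Final.jar
+- vendor/jar-dependencies/org/logstash/plugins/input/http/logstash-input-http/3.8.1/logstash-input-http-3.8.1.jar
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache License (2.0)
@@ -235,6 +237,8 @@ test_files:
 - spec/fixtures/certs/generated/server_from_root.crt
 - spec/fixtures/certs/generated/server_from_root.key
 - spec/fixtures/certs/generated/server_from_root.key.pkcs8
+- spec/fixtures/certs/generated/server_from_root.p12
+- spec/fixtures/certs/generated/truststore.jks
 - spec/fixtures/certs/openssl.cnf
 - spec/inputs/helpers.rb
 - spec/inputs/http_spec.rb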