logstash-input-tcp 5.0.9-java → 5.0.10-java

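--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 61f75f397819fe7ec52ebe3f7001294b1f9347e116d84ab9136ceb71b9f43694
-data.tar.gz: 8bbf42e0358a82d6fe8cc05c9c87ad7335866a17f7bec046c414b5899cedb06e
+metadata.gz: f637d5ed9693d5beb15a48cdd0fea3add3c5df312cf5efce134570c62ede5778
+data.tar.gz: bba5e2a6a9e4b3ce69af2ddf9e3941125388df73504c9345f24342372aa2338c
 SHA512:
-metadata.gz: 47e0697536fa5ac5a9bb4b8c0ee218d6d99a79fd0a24141a5f0b8c91e72a88d2e1d5c31153cd3b563e1b1e7fc0759f9da9e109ff6cd2453f98f0e3fd68b05866
-data.tar.gz: d7bd3f0f555f4182753dfa7dbb7d6663b5623c8f10fdff00464a732d9551b0ed89abe7d26f532baaf91f3e94041887e1ea291f8753517113062cfb89c72bd4b7
+metadata.gz: bdbdff7d0d2de89aada8254d93d72f528cb0bd1b605af6bdb7533a831c89492b34af296d142726c68a5d863727cedd344bb4c9e8f5ef356dfc491e442bc83eb2
+data.tar.gz: e74e3262ea1c3f7f10ae82653e3a581361fadf9daafb0a44926f3f47138c0ef1e3c620ce013fb03cfd010858e8e79b865b23e95156fdcc9bea3c0489e0ee859b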
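--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,9 @@
+## 5.0.10
+- Correctly set up the certificate chain so that the server will present cert + chain to client
+
 ## 5.0.9
 - New configuration option to set TCP keep-alive [#16](https://github.com/logstash-plugins/logstash-input-tcp/pull/116)
-
+
 ## 5.0.8
 - Reorder shut down of the two event loops to prevent RejectedExecutionException
 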
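--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -83,6 +83,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
 | <<plugins-{type}s-{plugin}-proxy_protocol>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_cert>> |a valid filesystem path|No
+| <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_enable>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_extra_chain_certs>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
@@ -139,7 +140,17 @@ http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
 * Value type is <<path,path>>
 * There is no default value for this setting.
 
-SSL certificate path
+Path to certificate in PEM format. This certificate will be presented
+to the connecting clients.
+
+[id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
+===== `ssl_extra_chain_certs`
+
+* Value type is <<array,array>>
+* Default value is `[]`
+
+Validate client certificate or certificate chain against these authorities.
+You can define multiple files or paths. All the certificates will be read and added to the trust store.
 
 [id="plugins-{type}s-{plugin}-ssl_enable"]
 ===== `ssl_enable`
@@ -155,8 +166,9 @@ Enable SSL (must be set for other `ssl_` options to take effect).
 * Value type is <<array,array>>
 * Default value is `[]`
 
-An Array of extra X509 certificates to be added to the certificate chain.
-Useful when the CA chain is not necessary in the system store.
+An Array of paths to extra X509 certificates.
+These are used together with the certificate to construct the certificate chain
+presented to the client.
 
 [id="plugins-{type}s-{plugin}-ssl_key"]
 ===== `ssl_key`
@@ -164,7 +176,7 @@ Useful when the CA chain is not necessary in the system store.
 * Value type is <<path,path>>
 * There is no default value for this setting.
 
-SSL key path
+The path to the private key corresponding to the specified certificate (PEM format).
 
 [id="plugins-{type}s-{plugin}-ssl_key_passphrase"]
 ===== `ssl_key_passphrase`
@@ -172,7 +184,7 @@ SSL key path
 * Value type is <<password,password>>
 * Default value is `nil`
 
-SSL key passphrase
+SSL key passphrase for the private key.
 
 [id="plugins-{type}s-{plugin}-ssl_verify"]
 ===== `ssl_verify`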
@@ -105,6 +105,9 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
105
105
  # Useful when the CA chain is not necessary in the system store.
106
106
  config :ssl_extra_chain_certs, :validate => :array, :default => []
107
107
 
108
+ # Validate client certificates against these authorities. You can define multiple files or paths. All the certificates will be read and added to the trust store.
109
+ config :ssl_certificate_authorities, :validate => :array, :default => []
110
+
108
111
  # Instruct the socket to use TCP keep alives. Uses OS defaults for keep alive settings.
109
112
  config :tcp_keep_alive, :validate => :boolean, :default => false
110
113
 
@@ -310,6 +313,10 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
310
313
  @ssl_context = OpenSSL::SSL::SSLContext.new
311
314
  @ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
312
315
  @ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase.value)
316
+ if @ssl_extra_chain_certs.any?
317
+ @ssl_context.extra_chain_cert = @ssl_extra_chain_certs.map {|cert_path| OpenSSL::X509::Certificate.new(File.read(cert_path)) }
318
+ @ssl_context.extra_chain_cert.unshift(OpenSSL::X509::Certificate.new(File.read(@ssl_cert)))
319
+ end
313
320
  if @ssl_verify
314
321
  @ssl_context.cert_store = load_cert_store
315
322
  @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
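Review bot: The `unshift(OpenSSL::X509::Certificate.new(File.read(@ssl_cert)))` line re-reads and re-parses the file already loaded into `@ssl_context.cert` two lines above, and whether the leaf belongs in `extra_chain_cert` at all depends on the binding: MRI's openssl prepends `cert` itself and would then send the leaf twice, while the jruby-openssl behaviour this -java gem relies on should be confirmed against a real handshake with `openssl s_client -showcerts`. At minimum reuse the parsed object, `@ssl_context.extra_chain_cert.unshift(@ssl_context.cert)`. `OpenSSL::X509::Certificate.new` parses only the first PEM block of a file, so an entry in `ssl_extra_chain_certs` that is a bundle of several intermediates silently contributes one certificate; document that each entry holds exactly one certificate, or split entries on `-----END CERTIFICATE-----` before parsing. Nothing checks that the listed certificates actually chain, so a misordered or wrong list only fails at the first client handshake; a register-time check such as `raise ArgumentError, "ssl_extra_chain_certs do not chain from ssl_cert" unless @ssl_context.extra_chain_cert.each_cons(2).all? { |child, parent| child.issuer == parent.subject }` surfaces it when the pipeline starts. The enclosing method begins before the hunk.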
@@ -325,7 +332,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
325
332
  def load_cert_store
326
333
  cert_store = OpenSSL::X509::Store.new
327
334
  cert_store.set_default_paths
328
- @ssl_extra_chain_certs.each do |cert|
335
+ @ssl_certificate_authorities.each do |cert|
329
336
  cert_store.add_file(cert)
330
337
  end
331
338
  cert_store
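Review bot: `ssl_certificate_authorities` does not restrict client-certificate trust to the listed CAs, because `cert_store.set_default_paths` on the context line just above the changed loop still loads the system trust bundle into the same `OpenSSL::X509::Store`; with `ssl_verify` enabled, a client certificate issued by any public CA in that bundle is accepted alongside the operator's own. That contradicts the new option's comment, `Validate client certificates against these authorities`, which reads as an allow-list. Either only fall back to the system store when nothing is configured, `cert_store.set_default_paths if @ssl_certificate_authorities.empty?`, or state in the option's comment that system CAs remain trusted in addition. `add_file` loads every certificate in a PEM bundle (unlike the single-certificate parse used for `ssl_extra_chain_certs`), so a bundle file is fine here, which is worth noting in the comment as well. `load_cert_store` closes on the `end` after `cert_store`, which is outside the hunk.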
@@ -335,11 +335,9 @@ describe LogStash::Inputs::Tcp do
335
335
  end
336
336
 
337
337
  context "when ssl_enable is true" do
338
- let(:pki) { Flores::PKI.generate }
339
- let(:certificate) { pki[0] }
340
- let(:key) { pki[1] }
341
- let(:certificate_file) { Stud::Temporary.file }
342
- let(:key_file) { Stud::Temporary.file }
338
+ let(:self_signed_cert) { helper.certificate }
339
+ let(:certificate) { self_signed_cert.first }
340
+ let(:key) { self_signed_cert.last }
343
341
  let(:queue) { Queue.new }
344
342
 
345
343
  let(:config) do
@@ -347,30 +345,59 @@ describe LogStash::Inputs::Tcp do
347
345
  "host" => "127.0.0.1",
348
346
  "port" => port,
349
347
  "ssl_enable" => true,
350
- "ssl_cert" => certificate_file.path,
351
- "ssl_key" => key_file.path,
352
-
353
- # Trust our self-signed cert.
354
- # TODO(sissel): Make this a separate certificate for the client
355
- "ssl_extra_chain_certs" => certificate_file.path
348
+ "ssl_cert" => certificate.path,
349
+ "ssl_key" => key.path,
350
+ "ssl_certificate_authorities" => certificate.path
356
351
  }
357
352
  end
358
353
 
359
354
  subject(:input) { LogStash::Plugin.lookup("input", "tcp").new(config) }
360
355
 
361
356
  before do
362
- certificate_file.write(certificate)
363
- key_file.write(key)
364
-
365
- # Close to flush the file writes.
366
- certificate_file.close
367
- key_file.close
368
357
  subject.register
369
358
  end
370
359
 
371
- after do
372
- File.unlink(certificate_file.path)
373
- File.unlink(key_file.path)
360
+ context "when using a certificate chain" do
361
+ let(:chain_of_certificates) { helper.chain_of_certificates }
362
+ let(:config) do
363
+ {
364
+ "host" => "127.0.0.1",
365
+ "port" => port,
366
+ "ssl_enable" => true,
367
+ "ssl_cert" => chain_of_certificates[:b_cert].path,
368
+ "ssl_key" => chain_of_certificates[:b_key].path,
369
+ "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
370
+ "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
371
+ "ssl_verify" => true
372
+ }
373
+ end
374
+ let(:tcp) { TCPSocket.new("127.0.0.1", port) }
375
+ let(:sslcontext) do
376
+ sslcontext = OpenSSL::SSL::SSLContext.new
377
+ sslcontext.verify_mode = OpenSSL::SSL::VERIFY_PEER
378
+ sslcontext.ca_file = chain_of_certificates[:root_ca].path
379
+ sslcontext.cert = OpenSSL::X509::Certificate.new(File.read(chain_of_certificates[:aa_cert].path))
380
+ sslcontext.key = OpenSSL::PKey::RSA.new(File.read(chain_of_certificates[:aa_key].path))
381
+ sslcontext
382
+ end
383
+ let(:sslsocket) { OpenSSL::SSL::SSLSocket.new(tcp, sslcontext) }
384
+ let(:input_task) { Stud::Task.new { input.run(queue) } }
385
+
386
+ before do
387
+ input_task
388
+ end
389
+
390
+ it "should be able to connect and write data" do
391
+ sslsocket.connect
392
+ sslsocket.write("Hello world\n")
393
+ tcp.flush
394
+ sslsocket.close
395
+ tcp.close
396
+ result = input_task.thread.join(0.5)
397
+ expect(result).to be_nil
398
+ expect(queue.size).to eq(1)
399
+ end
400
+
374
401
  end
375
402
 
376
403
  context "with a poorly-behaving client" do
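Review bot: The new `"when using a certificate chain"` context only exercises the accept path, so the `ssl_verify => true` it configures (`VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT` on the server) is never shown to reject anything; add a sibling example where the client `sslcontext` sets no `cert`/`key`, or a certificate not issued under `root_ca`, and expect `sslsocket.connect` to raise `OpenSSL::SSL::SSLError` with `queue` staying empty. The positive example does verify chain presentation indirectly, since the client trusts only `root_ca` and the server's `b_cert` has to arrive together with `a_cert` for the client's `VERIFY_PEER` to succeed, which deserves a comment above `sslcontext.ca_file`: `# the client trusts only the root, so the handshake fails unless the server sends the intermediate`. `input_task` is started in `before` but never stopped, so the listener thread outlives the example; stop the input and join the task in an `after` block unless the outer context, which lies outside the hunk, already does so.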
@@ -456,8 +483,8 @@ describe LogStash::Inputs::Tcp do
456
483
  let(:garbage) { Flores::Random.iterations(max_length).collect { Flores::Random.integer(1...255) }.pack("C*") }
457
484
 
458
485
  before do
459
- sslcontext.cert = certificate
460
- sslcontext.key = key
486
+ sslcontext.cert = OpenSSL::X509::Certificate.new(File.read(certificate))
487
+ sslcontext.key = OpenSSL::PKey::RSA.new(File.read(key))
461
488
  sslcontext.verify_mode = OpenSSL::SSL::VERIFY_NONE
462
489
 
463
490
  sslsocket.connect
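--- a/data/version
+++ b/data/version
@@ -1 +1 @@
-5.0.9
+5.0.10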
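--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-tcp
 version: !ruby/object:Gem::Version
-version: 5.0.9
+version: 5.0.10
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-06-11 00:00:00.000000000 Z
+date: 2018-10-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
@@ -163,7 +163,7 @@ files:
 - logstash-input-tcp.gemspec
 - spec/inputs/tcp_spec.rb
 - spec/spec_helper.rb
-- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/5.0.9/logstash-input-tcp-5.0.9.jar
+- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/5.0.10/logstash-input-tcp-5.0.10.jar
 - version
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses: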