logstash-input-tcp 5.2.0-java → 5.2.4-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5f821e3a9df2b90606b5fd46026262b5c7a0054d5e24bf7545d322efbedec40a
-  data.tar.gz: 202f4eeb3fe522d4df635599b7557faaab6884db8d80c1a92a17f140915c1d02
+  metadata.gz: b52419a2f779553c52739d999b5596deb3bc2b7e71fe5ad57b002f2c1da36924
+  data.tar.gz: d9fbaecd56643cc14d1696407f24db9e764f9b011701d497c7a2ada25591faee
 SHA512:
-  metadata.gz: cee3f82c41bfefea68c3e0337a5ad15f50e17ba6e72fe4fbcf004c6580d755107d47435667c73022938fe852a7e4a7401e793f6640c70bac0486f8fcbbd63642
-  data.tar.gz: a588b4ca240e7eb9e6cca0aec296999270c89b375d7b8038de989529447bf8f5df1c38faae49d71821f2051906e34e32e5f834f248ad2a2856583a7b16704caf
+  metadata.gz: 4428f7df91b52d98c14c499dc70b971afb40629d9b342dea8026327ce5363fc7542ff9100af7e2144be998773e8fe9b9a793e3f7bed19635dd6d11a7e682c58e
+  data.tar.gz: 4693d64f8f6adf2c4a4e95004f532f0457e8e78914fdefd04e435c06b3914793ef65f34202364a4f5a2318a4ada7e3d518fc9b29b29700d99307ab2da5d795ab

data/CHANGELOG.md

@@ -1,3 +1,20 @@
+## 5.2.4
+  - Update Log4j dependency to 2.16, ensuring this plugin's runtime relies only on log4j-api instead
+     of providing its own log4j-core [#189](https://github.com/logstash-plugins/logstash-input-tcp/pull/189)
+
+## 5.2.3
+  - Skip empty lines while reading certificate files [#144](https://github.com/logstash-plugins/logstash-input-tcp/issues/144)
+
+## 5.2.2
+  - Fixed race condition where data would be accepted before queue was configured [#142](https://github.com/logstash-plugins/logstash-input-tcp/pull/142)
+
+## 5.2.1
+  - Support multiple certificates per file [#140](https://github.com/logstash-plugins/logstash-input-tcp/pull/140)
+  - Fixed support for encrypted pkcs8 private keys [#133](https://github.com/logstash-plugins/logstash-input-tcp/pull/133)
+  - Added support for encrypted pem pkcs1 private keys [#131](https://github.com/logstash-plugins/logstash-input-tcp/pull/131)
+  - Changed testing to docker [#128](https://github.com/logstash-plugins/logstash-input-tcp/pull/128)
+  - Fixed heading for `ssl_certificate_authorities` docs [#130](https://github.com/logstash-plugins/logstash-input-tcp/pull/130)
+
 ## 5.2.0
   - Added support for pkcs1 and pkcs8 key formats [#122](https://github.com/logstash-plugins/logstash-input-tcp/issues/122)
   - Changed server-mode SSL to run on top of Netty [#122](https://github.com/logstash-plugins/logstash-input-tcp/issues/122)

data/docs/index.asciidoc

@@ -145,7 +145,7 @@ Path to certificate in PEM format. This certificate will be presented
 to the connecting clients.
 
 [id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
-===== `ssl_extra_chain_certs`
+===== `ssl_certificate_authorities`
 
   * Value type is <<array,array>>
   * Default value is `[]`
@@ -218,4 +218,4 @@ at the TCP layer and IPs will not be resolved to hostnames.
 [id="plugins-{type}s-{plugin}-common-options"]
 include::{include_path}/{type}.asciidoc[]
 
-:default_codec!:
+:default_codec!:

data/lib/logstash/inputs/tcp/compat_ssl_options.rb

@@ -7,9 +7,15 @@ java_import 'java.io.FileReader'
 java_import 'java.security.cert.CertificateFactory'
 java_import 'java.security.cert.X509Certificate'
 java_import 'org.bouncycastle.asn1.pkcs.PrivateKeyInfo'
+java_import 'org.bouncycastle.jce.provider.BouncyCastleProvider'
 java_import 'org.bouncycastle.openssl.PEMKeyPair'
 java_import 'org.bouncycastle.openssl.PEMParser'
+java_import 'org.bouncycastle.openssl.PEMEncryptedKeyPair'
 java_import 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter'
+java_import 'org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder'
+java_import 'org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder'
+java_import 'org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo'
+
 
 # Simulate a normal SslOptions builder:
 #
@@ -70,34 +76,70 @@ class SslOptions
     # create certificate object
     cf = CertificateFactory.getInstance("X.509")
     cert_chain = []
-    cert_chain << cf.generateCertificate(FileInputStream.new(@ssl_cert_path))
+    fetch_certificates_from_file(@ssl_cert_path, cf) do |cert|
+      cert_chain << cert
+    end
 
     # convert key from pkcs1 to pkcs8 and get PrivateKey object
     pem_parser = PEMParser.new(FileReader.new(@ssl_key_path))
-
-    case obj = pem_parser.read_object
-    when PEMKeyPair # likely pkcs#1
-      private_key = JcaPEMKeyConverter.new.get_key_pair(obj).private
-    when PrivateKeyInfo # likely pkcs#8
-      private_key = JcaPEMKeyConverter.new.get_private_key(obj)
+    java.security.Security.addProvider(BouncyCastleProvider.new)
+    converter = JcaPEMKeyConverter.new
+    case obj = pem_parser.readObject
+    when PEMKeyPair # unencrypted pkcs#1
+      private_key = converter.getKeyPair(obj).private
+    when PrivateKeyInfo # unencrypted pkcs#8
+      private_key = converter.getPrivateKey(obj)
+    when PEMEncryptedKeyPair # encrypted pkcs#1
+      key_char_array = @ssl_key_passphrase.to_java.toCharArray
+      decryptor = JcePEMDecryptorProviderBuilder.new.build(key_char_array)
+      key_pair = obj.decryptKeyPair(decryptor)
+      private_key = converter.getKeyPair(key_pair).private
+    when PKCS8EncryptedPrivateKeyInfo # encrypted pkcs#8
+      key_char_array = @ssl_key_passphrase.to_java.toCharArray
+      key = JceOpenSSLPKCS8DecryptorProviderBuilder.new.build(key_char_array)
+      private_key = converter.getPrivateKey(obj.decryptPrivateKeyInfo(key))
     else
       raise "Could not recognize 'ssl_key' format. Class: #{obj.class}"
     end
 
-    @ssl_extra_chain_certs.each do |cert|
-      cert_chain << cf.generateCertificate(FileInputStream.new(cert))
+    @ssl_extra_chain_certs.each do |file|
+      fetch_certificates_from_file(file, cf) do |cert|
+        cert_chain << cert
+      end
     end
-    sslContextBuilder = SslContextBuilder.forServer(private_key, @ssl_key_passphrase, cert_chain.to_java(java.security.cert.X509Certificate))
+    sslContextBuilder = SslContextBuilder.forServer(private_key, @ssl_key_passphrase, cert_chain.to_java(X509Certificate))
 
-    trust_certs = @ssl_certificate_authorities.map do |cert|
-      cf.generateCertificate(FileInputStream.new(cert))
+    trust_certs = []
+
+    @ssl_certificate_authorities.each do |file|
+      fetch_certificates_from_file(file, cf) do |cert|
+        trust_certs << cert
+      end
     end
 
     if trust_certs.any?
-      sslContextBuilder.trustManager(trust_certs.to_java(java.security.cert.X509Certificate))
+      sslContextBuilder.trustManager(trust_certs.to_java(X509Certificate))
     end
 
     sslContextBuilder.clientAuth(@ssl_verify ? ClientAuth::REQUIRE : ClientAuth::NONE)
     sslContextBuilder.build()
   end
+
+  private
+  def fetch_certificates_from_file(file, cf)
+    fis = java.io.FileInputStream.new(file)
+
+    while (fis.available > 0) do
+      cert = generate_certificate(cf, fis)
+      yield cert if cert
+    end
+  ensure
+    fis.close if fis
+  end
+
+  def generate_certificate(cf, fis)
+    cf.generateCertificate(fis)
+  rescue Java::JavaSecurityCert::CertificateException => e
+    raise e unless e.cause.message == "Empty input"
+  end
 end

data/lib/logstash/inputs/tcp.rb

@@ -141,11 +141,6 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   def register
     fix_streaming_codecs
 
-    # note that since we are opening a socket in register, we must also make sure we close it
-    # in the close method even if we also close it in the stop method since we could have
-    # a situation where register is called but not run & stop.
-
-    @logger.info("Starting tcp input listener", :address => "#{@host}:#{@port}", :ssl_enable => "#{@ssl_enable}")
     if server?
       ssl_context = get_ssl_context(SslOptions)
 
@@ -157,6 +152,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   def run(output_queue)
     @output_queue = output_queue
     if server?
+      @logger.info("Starting tcp input listener", :address => "#{@host}:#{@port}", :ssl_enable => "#{@ssl_enable}")
       @loop.run
     else
       run_client()

data/logstash-input-tcp.gemspec

@@ -31,7 +31,11 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'logstash-codec-json_lines'
   s.add_runtime_dependency 'logstash-codec-multiline'
 
-  s.add_development_dependency 'logstash-devutils'
+  # 5.x branch of this plugin provides support for LS5&6.
+  # To use LS7+, you must use v6+ of this plugin.
+  s.add_runtime_dependency 'logstash-core', '< 7.0.0'
+
+  s.add_development_dependency 'logstash-devutils', '~> 1.0'
   s.add_development_dependency 'flores', '~> 0.0.6'
   s.add_development_dependency 'stud', '~> 0.0.22'
 end

data/spec/inputs/tcp_spec.rb

@@ -382,6 +382,35 @@ describe LogStash::Inputs::Tcp do
             ssc.delete
           end
         end
+
+        context "with multiple certificates with empty spaces in them" do
+          let(:ssc) { SelfSignedCertificate.new }
+          let(:certificate_file) { ssc.certificate }
+          let(:key_file) { ssc.private_key}
+          let(:ssc_2) { SelfSignedCertificate.new }
+          let(:certificate_file_2) { ssc.certificate }
+          let(:config) do
+            {
+              "host" => "127.0.0.1",
+              "port" => port,
+              "ssl_enable" => true,
+              "ssl_cert" => certificate_file.path,
+              "ssl_key" => key_file.path
+            }
+          end
+          before(:each) do
+            File.open(certificate_file.path, "a") do |file|
+              path = ssc_2.certificate.path
+              file.puts("\n")
+              file.puts(IO.read(path))
+              file.puts("\n")
+            end
+          end
+
+          it "should register without errors" do
+            expect { subject.register }.to_not raise_error
+          end
+        end
       end
     end
 
@@ -391,41 +420,16 @@ describe LogStash::Inputs::Tcp do
       end
 
       context "when ssl_enable is true" do
-        let(:ssc) { SelfSignedCertificate.new }
-        let(:certificate_file) { ssc.certificate }
-        let(:key_file) { ssc.private_key}
-        let(:queue) { Queue.new }
-
-        let(:config) do
-          {
-            "host" => "127.0.0.1",
-            "port" => port,
-            "ssl_enable" => true,
-            "ssl_cert" => certificate_file.path,
-            "ssl_key" => key_file.path,
-            "ssl_certificate_authorities" => [ certificate_file.path ]
-          }
-        end
-
         let(:input) { subject }
-        before(:each) { input.register }
-        after(:each) { ssc.delete }
+        let(:queue) { Queue.new }
+        before(:each) { subject.register }
 
         context "when using a certificate chain" do
-          let(:chain_of_certificates) { helper.chain_of_certificates }
-          let(:config) do
-            {
-              "host" => "127.0.0.1",
-              "port" => port,
-              "ssl_enable" => true,
-              "ssl_cert" => chain_of_certificates[:b_cert].path,
-              "ssl_key" => chain_of_certificates[:b_key].path,
-              "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
-              "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
-              "ssl_verify" => true
-            }
+          chain_of_certificates = TcpHelpers.new.chain_of_certificates
+
+          let(:tcp) do
+            Stud::try(5.times) { TCPSocket.new("127.0.0.1", port) }
           end
-          let(:tcp) { TCPSocket.new("127.0.0.1", port) }
           let(:sslcontext) do
             sslcontext = OpenSSL::SSL::SSLContext.new
             sslcontext.verify_mode = OpenSSL::SSL::VERIFY_PEER
@@ -435,23 +439,86 @@ describe LogStash::Inputs::Tcp do
             sslcontext
           end
           let(:sslsocket) { OpenSSL::SSL::SSLSocket.new(tcp, sslcontext) }
-          let(:input_task) { Stud::Task.new { input.run(queue) } }
-
-          before do
-            input_task
+          let(:message) { "message to #{port}" }
+
+          context "with a non encrypted private key" do
+            let(:config) do
+              {
+                "host" => "127.0.0.1",
+                "port" => port,
+                "ssl_enable" => true,
+                "ssl_cert" => chain_of_certificates[:b_cert].path,
+                "ssl_key" => chain_of_certificates[:b_key].path,
+                "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
+                "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
+                "ssl_verify" => true
+              }
+            end
+            it "should be able to connect and write data" do
+              result = TcpHelpers.pipelineless_input(subject, 1) do
+                sslsocket.connect
+                sslsocket.write("#{message}\n")
+                tcp.flush
+                sslsocket.close
+                tcp.close
+              end
+              expect(result.size).to eq(1)
+              expect(result.first.get("message")).to eq(message)
+            end
           end
 
-          it "should be able to connect and write data" do
-            sslsocket.connect
-            sslsocket.write("Hello world\n")
-            tcp.flush
-            sslsocket.close
-            tcp.close
-            result = input_task.thread.join(0.5)
-            expect(result).to be_nil
-            expect(queue.size).to eq(1)
+          context "when using an encrypted private pkcs1 key" do
+            let(:config) do
+              {
+                "host" => "127.0.0.1",
+                "port" => port,
+                "ssl_enable" => true,
+                "ssl_cert" => chain_of_certificates[:be_cert].path,
+                "ssl_key" => chain_of_certificates[:be_key].path,
+                "ssl_key_passphrase" => "passpasspassword",
+                "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
+                "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
+                "ssl_verify" => true
+              }
+            end
+            it "should be able to connect and write data" do
+              result = TcpHelpers.pipelineless_input(subject, 1) do
+                sslsocket.connect
+                sslsocket.write("#{message}\n")
+                tcp.flush
+                sslsocket.close
+                tcp.close
+              end
+              expect(result.size).to eq(1)
+              expect(result.first.get("message")).to eq(message)
+            end
+          end
+          context "when using an encrypted private pkcs8 key" do
+            let(:config) do
+              {
+                "host" => "127.0.0.1",
+                "port" => port,
+                "ssl_enable" => true,
+                "ssl_cert" => chain_of_certificates[:be_cert].path,
+                "ssl_key" => chain_of_certificates[:be_key_pkcs8].path,
+                "ssl_key_passphrase" => "passpasspassword",
+                "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
+                "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
+                "ssl_verify" => true
+              }
+            end
+            it "should be able to connect and write data" do
+              result = TcpHelpers.pipelineless_input(subject, 1) do
+                sslsocket.connect
+                sslsocket.write("#{message}\n")
+                tcp.flush
+                sslsocket.close
+                tcp.close
+              end
+              expect(result.size).to eq(1)
+              expect(result.first.get("message")).to eq(message)
+            end
           end
-
         end
 
         context "with a poorly-behaving client" do
@@ -459,7 +526,7 @@ describe LogStash::Inputs::Tcp do
 
           context "that disconnects before doing TLS handshake" do
             before do
-              client = TCPSocket.new("127.0.0.1", port)
+              client = Stud::try(5.times) { TCPSocket.new("127.0.0.1", port) }
               client.close
             end
 
@@ -491,7 +558,7 @@ describe LogStash::Inputs::Tcp do
               # Assertion to verify this test is actually sending something.
               expect(garbage.length).to be > 0
 
-              client = TCPSocket.new("127.0.0.1", port)
+              client = Stud::try(5.times) { TCPSocket.new("127.0.0.1", port) }
               client.write(garbage)
               client.flush
               Thread.new { sleep(1); client.close }

data/spec/spec_helper.rb

@@ -3,11 +3,15 @@ require "logstash/devutils/rspec/spec_helper"
 require "tempfile"
 require "stud/temporary"
 
+java_import 'org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8EncryptorBuilder'
+java_import 'org.bouncycastle.openssl.jcajce.JcaPEMWriter'
+java_import 'org.bouncycastle.openssl.jcajce.JcaPKCS8Generator'
+java_import 'org.bouncycastle.jce.provider.BouncyCastleProvider'
 # this has been taken from the udp input, it should be DRYed
 
 class TcpHelpers
 
-  def pipelineless_input(plugin, size, &block)
+  def self.pipelineless_input(plugin, size, &block)
     queue = Queue.new
     input_thread = Thread.new do
       plugin.run(queue)
@@ -32,12 +36,32 @@ class TcpHelpers
     a_cert,   a_key = build_certificate(root_ca, root_key, "A_Cert")
     aa_cert, aa_key = build_certificate(root_ca, root_key, "AA_Cert")
     b_cert, b_key = build_certificate(a_cert, a_key, "B_Cert")
+    be_cert, be_key, be_key_text = build_certificate(a_cert, a_key, "BE_Cert", "passpasspassword")
+    be_key_pkcs8 = convert_private_key_to_pkcs8_with_passpharse(be_key, "passpasspassword")
     c_cert, c_key = build_certificate(b_cert, b_key, "C_Cert")
     { :root_ca => new_temp_file('', root_ca), :root_key => new_temp_file('', root_key),
       :a_cert  => new_temp_file('', a_cert),  :a_key    => new_temp_file('', a_key),
       :aa_cert => new_temp_file('', aa_cert), :aa_key   => new_temp_file('', aa_key),
       :b_cert  => new_temp_file('', b_cert),  :b_key    => new_temp_file('', b_key),
-      :c_cert  => new_temp_file('', c_cert),  :c_key    => new_temp_file('', c_key)}
+      :be_cert => new_temp_file('', be_cert), :be_key   => new_temp_file('', be_key_text), :be_key_pkcs8 => new_temp_file('', be_key_pkcs8),
+      :c_cert  => new_temp_file('', c_cert),  :c_key    => new_temp_file('', c_key),
+    }
+  end
+
+  def convert_private_key_to_pkcs8_with_passpharse(pkcs1key, passphrase)
+    pem_parser = PEMParser.new(java.io.StringReader.new(pkcs1key.to_pem))
+    kp = pem_parser.read_object
+    java.security.Security.addProvider(BouncyCastleProvider.new)
+    converter  = JcaPEMKeyConverter.new.setProvider("BC")
+    key = converter.getPrivateKey(kp.get_private_key_info)
+    alg = org.bouncycastle.openssl.PKCS8Generator::PBE_SHA1_RC4_128
+    enc =  JceOpenSSLPKCS8EncryptorBuilder.new(alg).set_passsword(passphrase.to_java.to_char_array).build
+    sw = java.io.StringWriter.new
+    writer = JcaPEMWriter.new(sw)
+    writer.write_object(JcaPKCS8Generator.new(key, enc))
+    writer.flush
+    writer.close
+    sw
   end
 
   private
@@ -49,12 +73,17 @@ class TcpHelpers
     file
   end
 
-  def build_certificate(root_ca, root_key=nil, name="")
+  def build_certificate(root_ca, root_key, name, password=nil)
     key = ( root_key.nil? ? OpenSSL::PKey::RSA.new(2048) : root_key )
     options = { :serial => 2, :subject => "/DC=org/DC=ruby-lang/CN=Ruby#{name}", :key => key, :issuer => root_ca.subject}
     cert = new_certificate(options)
     add_ca_extensions(cert, nil, root_ca)
-    [ cert.sign(key, OpenSSL::Digest::SHA256.new), key ]
+    if password
+      key_text = key.to_pem(OpenSSL::Cipher::AES256.new(:CFB), password)
+      [ cert.sign(key, OpenSSL::Digest::SHA256.new), key, key_text ]
+    else
+      [ cert.sign(key, OpenSSL::Digest::SHA256.new), key ]
+    end
   end
 
   def build_root_ca

data/version

@@ -1 +1 @@
-5.2.0
+5.2.4

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-tcp
 version: !ruby/object:Gem::Version
-  version: 5.2.0
+  version: 5.2.4
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-10-24 00:00:00.000000000 Z
+date: 2021-12-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -103,17 +103,31 @@ dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 7.0.0
+  name: logstash-core
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 7.0.0
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
   name: logstash-devutils
   prerelease: false
   type: :development
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -164,7 +178,7 @@ files:
 - logstash-input-tcp.gemspec
 - spec/inputs/tcp_spec.rb
 - spec/spec_helper.rb
-- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/5.2.0/logstash-input-tcp-5.2.0.jar
+- vendor/jar-dependencies/org/logstash/inputs/plugin/5.2.4/plugin-5.2.4.jar
 - version
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
@@ -188,8 +202,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Reads events from a TCP socket