logstash-input-tcp 6.0.6-java → 6.1.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4dbdf0afaf0e9956001477eff23f9dcc7bdeaa82bffdb696ab66657000802662
-  data.tar.gz: 94b90ca185e259f016ed8a40b8303306ffd00bc9f50256db510cd29a448510f7
+  metadata.gz: 26d542f495a0b506903b944a54ce0cdab39b93714fadfca025f8b2233ac22135
+  data.tar.gz: 17b2c70fc10f1d1132956c6cf45f752c2e0b992d819e0c54e568882f2da0dada
 SHA512:
-  metadata.gz: 8d2572a98f74bf028d2c2ac5bcfeddd651090fb96af903faec94dea3c8ac373f69bfb823fdd9c14e0b5f2711f1e05e7c8b8203e10d3f2ca004217f176df37f37
-  data.tar.gz: b9856bbd395f4080ceaa8029bcb4f348704c3f65d82c5564ee1e7130b40f3f32a931c9939f003cac81e244490544463e6139cf7d8800ba2d80cf6b902aba3d07
+  metadata.gz: d03c07e5980298f23fe7309528a1eaef3b5ebc45948362582c9ed922c5c257e24affdca65d92f859b55507f1a3f2b9766c6e09e2949d40cb6a51ed55f48b1646
+  data.tar.gz: 817c0305eff54d5fb35ee66a0b4633cfbcce93a2c2adb43be9d71d9c6dedfb71a4d0a07e7ed665b0267839526716eb721ad8c0dc2c3e1e732430988193e97035

data/CHANGELOG.md

@@ -1,3 +1,21 @@
+## 6.1.0
+  - Feat: improve SSL error logging/unwrapping [#178](https://github.com/logstash-plugins/logstash-input-tcp/pull/178)
+  - Fix: the plugin will no longer have a side effect of adding the Bouncy-Castle security provider at runtime  
+
+## 6.0.10
+  - bumping dependency commons-io [#174](https://github.com/logstash-plugins/logstash-input-tcp/pull/174)
+
+## 6.0.9
+  - [DOC] Reorder options alphabetically [#171](https://github.com/logstash-plugins/logstash-input-tcp/pull/171)
+
+## 6.0.8
+  - [DOC] better description for `tcp_keep_alive` option [#169](https://github.com/logstash-plugins/logstash-input-tcp/pull/169)
+
+## 6.0.7
+  - Fix: reduce error logging (to info level) on connection resets [#168](https://github.com/logstash-plugins/logstash-input-tcp/pull/168)
+  - Refactor: only patch Socket classes once (on first input)
+  - Refactor: use a proper log4j logger (in Java to avoid surprises when unwrapping `LogStash::Logging::Logger`)
+
 ## 6.0.6
   - Updated Netty dependencies. Additionally, this release removes the dependency on `tcnative` +
     `boringssl`, using JVM supplied ciphers instead. This may result in fewer ciphers being available if the JCE

data/README.md

@@ -1,6 +1,6 @@
 # Logstash Plugin
 
-[![Travis Build Status](https://travis-ci.org/logstash-plugins/logstash-input-tcp.svg)](https://travis-ci.org/logstash-plugins/logstash-input-tcp)
+[![Travis Build Status](https://travis-ci.com/logstash-plugins/logstash-input-tcp.svg)](https://travis-ci.com/logstash-plugins/logstash-input-tcp)
 
 This is a plugin for [Logstash](https://github.com/elastic/logstash).
 

data/docs/index.asciidoc

@@ -78,6 +78,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 [cols="<,<,<",options="header",]
 |=======================================================================
 |Setting |Input type|Required
+| <<plugins-{type}s-{plugin}-dns_reverse_lookup_enabled>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-host>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-mode>> |<<string,string>>, one of `["server", "client"]`|No
 | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
@@ -90,7 +91,6 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_verify>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-tcp_keep_alive>> |<<boolean,boolean>>|No
-| <<plugins-{type}s-{plugin}-dns_reverse_lookup_enabled>> |<<boolean,boolean>>|No
 |=======================================================================
 
 Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
@@ -98,6 +98,16 @@ input plugins.
 
 &nbsp;
 
+[id="plugins-{type}s-{plugin}-dns_reverse_lookup_enabled"]
+===== `dns_reverse_lookup_enabled`
+
+  * Value type is <<boolean,boolean>>
+  * Default value is `true`
+
+It is possible to avoid DNS reverse-lookups by disabling this setting. If disabled,
+the address metadata that is added to events will contain the source address as-specified
+at the TCP layer and IPs will not be resolved to hostnames.
+
 [id="plugins-{type}s-{plugin}-host"]
 ===== `host` 
 
@@ -202,17 +212,9 @@ For input, sets the field `sslsubject` to that of the client certificate.
   * Value type is <<boolean,boolean>>
   * Default value is `false`
 
-Instruct the socket to use TCP keep alives. Uses OS defaults for keep alive settings.
-
-[id="plugins-{type}s-{plugin}-dns_reverse_lookup_enabled"]
-===== `dns_reverse_lookup_enabled`
-
-  * Value type is <<boolean,boolean>>
-  * Default value is `true`
-
-It is possible to avoid DNS reverse-lookups by disabling this setting. If disabled,
-the address metadata that is added to events will contain the source address as-specified
-at the TCP layer and IPs will not be resolved to hostnames.
+Instruct the socket to use TCP keep alive. If it's `true` then the underlying socket
+will use the OS defaults settings for keep alive. If it's `false` it doesn't configure any
+keep alive setting for the underlying socket.
 
 
 [id="plugins-{type}s-{plugin}-common-options"]

data/lib/logstash/inputs/tcp.rb

@@ -6,7 +6,6 @@ require "logstash/inputs/base"
 require "logstash/util/socket_peer"
 require "logstash-input-tcp_jars"
 require "logstash/inputs/tcp/decoder_impl"
-require "logstash/inputs/tcp/compat_ssl_options"
 
 require "socket"
 require "openssl"
@@ -61,7 +60,8 @@ require "openssl"
 #     }
 class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 
-  java_import org.logstash.tcp.InputLoop
+  java_import 'org.logstash.tcp.InputLoop'
+  java_import 'org.logstash.tcp.SslContextBuilder'
 
   config_name "tcp"
 
@@ -103,7 +103,8 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   # Useful when the CA chain is not necessary in the system store.
   config :ssl_extra_chain_certs, :validate => :array, :default => []
 
-  # Validate client certificates against these authorities. You can define multiple files or paths. All the certificates will be read and added to the trust store.
+  # Validate client certificates against these authorities. You can define multiple files or paths.
+  # All the certificates will be read and added to the trust store.
   config :ssl_certificate_authorities, :validate => :array, :default => []
 
   # Instruct the socket to use TCP keep alives. Uses OS defaults for keep alive settings.
@@ -119,15 +120,21 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   PROXY_PORT_FIELD = "proxy_port".freeze
   SSLSUBJECT_FIELD = "sslsubject".freeze
 
-  PLUGIN_GLOBAL_MUTEX = Mutex.new
-  private_constant :PLUGIN_GLOBAL_MUTEX
+  # Monkey patch TCPSocket and SSLSocket to include socket peer
+  # @private
+  def self.patch_socket_peer!
+    unless TCPSocket < ::LogStash::Util::SocketPeer
+      TCPSocket.send :include, ::LogStash::Util::SocketPeer
+    end
+    unless OpenSSL::SSL::SSLSocket < ::LogStash::Util::SocketPeer
+      OpenSSL::SSL::SSLSocket.send :include, ::LogStash::Util::SocketPeer
+    end
+  end
 
   def initialize(*args)
     super(*args)
 
-    # monkey patch TCPSocket and SSLSocket to include socket peer
-    TCPSocket.module_eval{include ::LogStash::Util::SocketPeer}
-    OpenSSL::SSL::SSLSocket.module_eval{include ::LogStash::Util::SocketPeer}
+    self.class.patch_socket_peer!
 
     # threadsafe socket bookkeeping
     @server_socket = nil
@@ -142,24 +149,14 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     fix_streaming_codecs
 
     if server?
-      ssl_context = get_ssl_context(SslOptions)
-
-      # RubyObject#to_java is not threadsafe, and we cannot guarantee
-      # that ours is the only reference to the underlying logger, which
-      # is memoized at a class level.
-      log4j_logger = PLUGIN_GLOBAL_MUTEX.synchronize do
-        @logger.to_java(org.apache.logging.log4j.Logger)
-      end
-
-      @loop = InputLoop.new(@host, @port, DecoderImpl.new(@codec, self), @tcp_keep_alive,
-                            ssl_context, log4j_logger)
+      @loop = InputLoop.new(@host, @port, DecoderImpl.new(@codec, self), @tcp_keep_alive, java_ssl_context)
     end
   end
 
   def run(output_queue)
     @output_queue = output_queue
     if server?
-      @logger.info("Starting tcp input listener", :address => "#{@host}:#{@port}", :ssl_enable => "#{@ssl_enable}")
+      @logger.info("Starting tcp input listener", :address => "#{@host}:#{@port}", :ssl_enable => @ssl_enable)
       @loop.run
     else
       run_client()
@@ -252,12 +249,10 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   rescue Errno::ECONNRESET
     @logger.debug? && @logger.debug("Connection reset by peer", :client => peer)
   rescue OpenSSL::SSL::SSLError => e
-    # Fixes issue #23
-    @logger.error("SSL Error", :exception => e, :backtrace => e.backtrace)
-    socket.close rescue nil
+    @logger.error("SSL error", :client => peer, :message => e.message, :exception => e.class, :backtrace => e.backtrace)
   rescue => e
     # if plugin is stopping, don't bother logging it as an error
-    !stop? && @logger.error("An error occurred. Closing connection", :client => peer, :exception => e, :backtrace => e.backtrace)
+    !stop? && @logger.error("An error occurred, closing connection", :client => peer, :message => e.message, :exception => e.class, :backtrace => e.backtrace)
   ensure
     # catch all rescue nil on close to discard any close errors or invalid socket
     socket.close rescue nil
@@ -293,7 +288,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
         @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
       end
     rescue => e
-      @logger.error("Could not inititalize SSL context", :exception => e, :backtrace => e.backtrace)
+      @logger.error("Could not inititalize SSL context", :message => e.message, :exception => e.class, :backtrace => e.backtrace)
       raise e
     end
 
@@ -323,7 +318,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 
     socket
   rescue OpenSSL::SSL::SSLError => e
-    @logger.error("SSL Error", :exception => e, :backtrace => e.backtrace)
+    @logger.error("SSL Error", :message => e.message, :exception => e.class, :backtrace => e.backtrace)
     # catch all rescue nil on close to discard any close errors or invalid socket
     socket.close rescue nil
     sleep(1) # prevent hammering peer
@@ -365,15 +360,33 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     @socket_mutex.synchronize{@connection_sockets.keys.dup}
   end
 
-  def get_ssl_context(options_class)
-    ssl_context = options_class.builder
-      .set_is_ssl_enabled(@ssl_enable)
+  def java_ssl_context
+    SslContextBuilder.new
+      .set_ssl_enabled(@ssl_enable)
       .set_should_verify(@ssl_verify)
       .set_ssl_cert(@ssl_cert)
       .set_ssl_key(@ssl_key)
-      .set_ssl_key_passphrase(@ssl_key_passphrase.value)
+      .set_ssl_key_password(@ssl_key_passphrase.value)
       .set_ssl_extra_chain_certs(@ssl_extra_chain_certs.to_java(:string))
       .set_ssl_certificate_authorities(@ssl_certificate_authorities.to_java(:string))
-      .build.toSslContext()
+      .build_context
+  rescue java.lang.IllegalArgumentException => e
+    @logger.error("SSL configuration invalid", error_details(e))
+    raise LogStash::ConfigurationError, e
+  rescue java.lang.Exception => e
+    @logger.error("SSL configuration failed", error_details(e, true))
+    raise e
   end
+
+  def error_details(e, trace = false)
+    error_details = { :exception => e.class, :message => e.message }
+    error_details[:backtrace] = e.backtrace if trace || @logger.debug?
+    cause = e.cause
+    if cause && e != cause
+      error_details[:cause] = { :exception => cause.class, :message => cause.message }
+      error_details[:cause][:backtrace] = cause.backtrace if trace || @logger.debug?
+    end
+    error_details
+  end
+
 end

data/lib/logstash/inputs/tcp/decoder_impl.rb

@@ -38,8 +38,8 @@ class DecoderImpl
       pp_info = pp_hdr.split(/\s/)
       # PROXY proto clientip proxyip clientport proxyport
       if pp_info[0] != "PROXY"
-        @tcp.logger.error("invalid proxy protocol header label", :hdr => pp_hdr)
-        raise IOError
+        @tcp.logger.error("Invalid proxy protocol header label", :header => pp_hdr)
+        raise IOError.new("Invalid proxy protocol header label #{pp_hdr.inspect}")
       else
         @proxy_address = pp_info[3]
         @proxy_port = pp_info[5]

data/logstash-input-tcp.gemspec

@@ -22,6 +22,11 @@ Gem::Specification.new do |s|
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
 
+  s.add_runtime_dependency 'logstash-core', '>= 6.7.0'
+
+  # we depend on bouncycastle's bcpkix-jdk15on being on the class-path
+  s.add_runtime_dependency 'jruby-openssl', '>= 0.10.2', '< 0.12'
+
   # line vs streaming codecs required for fix_streaming_codecs
   # TODO: fix_streaming_codecs should be refactored to not
   # require the codecs to be installed.

data/version

@@ -1 +1 @@
-6.0.6
+6.1.0

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-tcp
 version: !ruby/object:Gem::Version
-  version: 6.0.6
+  version: 6.1.0
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-06-03 00:00:00.000000000 Z
+date: 2021-06-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -30,6 +30,40 @@ dependencies:
     - - "<="
       - !ruby/object:Gem::Version
         version: '2.99'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.7.0
+  name: logstash-core
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.7.0
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.10.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.12'
+  name: jruby-openssl
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.10.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.12'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -173,12 +207,11 @@ files:
 - docs/index.asciidoc
 - lib/logstash-input-tcp_jars.rb
 - lib/logstash/inputs/tcp.rb
-- lib/logstash/inputs/tcp/compat_ssl_options.rb
 - lib/logstash/inputs/tcp/decoder_impl.rb
 - logstash-input-tcp.gemspec
 - spec/inputs/tcp_spec.rb
 - spec/spec_helper.rb
-- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.6/logstash-input-tcp-6.0.6.jar
+- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.1.0/logstash-input-tcp-6.1.0.jar
 - version
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:

data/lib/logstash/inputs/tcp/compat_ssl_options.rb

@@ -1,147 +0,0 @@
-require 'openssl'
-require "logstash/util/loggable"
-
-# Simulate a normal SslOptions builder:
-#
-#     ssl_context = SslOptions.builder
-#       .set_is_ssl_enabled(@ssl_enable)
-#       .set_should_verify(@ssl_verify)
-#       .set_ssl_cert(@ssl_cert)
-#       .set_ssl_key(@ssl_key)
-#       .set_ssl_key_passphrase(@ssl_key_passphrase.value)
-#       .set_ssl_extra_chain_certs(@ssl_extra_chain_certs.to_java(:string))
-#       .set_ssl_certificate_authorities(@ssl_certificate_authorities.to_java(:string))
-#       .build.toSslContext()
-class SslOptions
-  include LogStash::Util::Loggable
-
-  java_import 'io.netty.handler.ssl.ClientAuth'
-  java_import 'io.netty.handler.ssl.SslContextBuilder'
-  java_import 'java.security.cert.X509Certificate'
-  java_import 'javax.crypto.Cipher'
-  java_import 'org.bouncycastle.asn1.pkcs.PrivateKeyInfo'
-  java_import 'org.bouncycastle.jce.provider.BouncyCastleProvider'
-  java_import 'org.bouncycastle.openssl.PEMKeyPair'
-  java_import 'org.bouncycastle.openssl.PEMParser'
-  java_import 'org.bouncycastle.openssl.PEMEncryptedKeyPair'
-  java_import 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter'
-  java_import 'org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder'
-  java_import 'org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder'
-  java_import 'org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo'
-
-  def self.builder
-    new
-  end
-
-  def set_is_ssl_enabled(boolean)
-    @ssl_enabled = boolean
-    self
-  end
-
-  def set_should_verify(boolean)
-    @ssl_verify = boolean
-    self
-  end
-
-  def set_ssl_cert(path)
-    @ssl_cert_path = path
-    self
-  end
-
-  def set_ssl_key(path)
-    @ssl_key_path = path
-    self
-  end
-
-  def set_ssl_key_passphrase(passphrase)
-    @ssl_key_passphrase = passphrase
-    self
-  end
-
-  def set_ssl_extra_chain_certs(certs)
-    @ssl_extra_chain_certs = certs
-    self
-  end
-
-  def set_ssl_certificate_authorities(certs)
-    @ssl_certificate_authorities = certs
-    self
-  end
-
-  def build; self; end
-
-  def toSslContext
-    return nil unless @ssl_enabled
-
-    # Check key strength
-    logger.warn("JCE Unlimited Strength Jurisdiction Policy not installed - max key length is 128 bits") unless Cipher.getMaxAllowedKeyLength("AES") > 128
-    # create certificate object
-    cf = java.security.cert.CertificateFactory.getInstance("X.509")
-    cert_chain = []
-    fetch_certificates_from_file(@ssl_cert_path, cf) do |cert|
-      cert_chain << cert
-    end
-
-    # convert key from pkcs1 to pkcs8 and get PrivateKey object
-    pem_parser = PEMParser.new(java.io.FileReader.new(@ssl_key_path))
-    java.security.Security.addProvider(BouncyCastleProvider.new)
-    converter = JcaPEMKeyConverter.new
-    case obj = pem_parser.readObject
-    when PEMKeyPair # unencrypted pkcs#1
-      private_key = converter.getKeyPair(obj).private
-    when PrivateKeyInfo # unencrypted pkcs#8
-      private_key = converter.getPrivateKey(obj)
-    when PEMEncryptedKeyPair # encrypted pkcs#1
-      key_char_array = @ssl_key_passphrase.to_java.toCharArray
-      decryptor = JcePEMDecryptorProviderBuilder.new.build(key_char_array)
-      key_pair = obj.decryptKeyPair(decryptor)
-      private_key = converter.getKeyPair(key_pair).private
-    when PKCS8EncryptedPrivateKeyInfo # encrypted pkcs#8
-      key_char_array = @ssl_key_passphrase.to_java.toCharArray
-      key = JceOpenSSLPKCS8DecryptorProviderBuilder.new.build(key_char_array)
-      private_key = converter.getPrivateKey(obj.decryptPrivateKeyInfo(key))
-    else
-      raise "Could not recognize 'ssl_key' format. Class: #{obj.class}"
-    end
-
-    @ssl_extra_chain_certs.each do |file|
-      fetch_certificates_from_file(file, cf) do |cert|
-        cert_chain << cert
-      end
-    end
-    sslContextBuilder = SslContextBuilder.forServer(private_key, @ssl_key_passphrase, cert_chain.to_java(X509Certificate))
-
-    trust_certs = []
-
-    @ssl_certificate_authorities.each do |file|
-      fetch_certificates_from_file(file, cf) do |cert|
-        trust_certs << cert
-      end
-    end
-
-    if trust_certs.any?
-      sslContextBuilder.trustManager(trust_certs.to_java(X509Certificate))
-    end
-
-    sslContextBuilder.clientAuth(@ssl_verify ? ClientAuth::REQUIRE : ClientAuth::NONE)
-    sslContextBuilder.build()
-  end
-
-  private
-  def fetch_certificates_from_file(file, cf)
-    fis = java.io.FileInputStream.new(file)
-
-    while (fis.available > 0) do
-      cert = generate_certificate(cf, fis)
-      yield cert if cert
-    end
-  ensure
-    fis.close if fis
-  end
-
-  def generate_certificate(cf, fis)
-    cf.generateCertificate(fis)
-  rescue Java::JavaSecurityCert::CertificateException => e
-    raise e unless e.cause.message == "Empty input"
-  end
-end