logstash-input-tcp 6.0.7-java → 6.1.1-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '007417778a970ec7915f1f5bd2cf4e01b08c7682b361b208d44309f04d9ed29e'
-  data.tar.gz: f2b63ea306e7ecf323663d69f05780096c2ee76c8fbfbe2cac357bc90c3b744e
+  metadata.gz: 9b37d806eedc118d3a553f449a68e90d9366e258b0484c5e1aad54e0e6939883
+  data.tar.gz: cae6d73f16e144241b588a3eb9b2c7703ac42ccb0d26a266736ad3d5d5d3f4bb
 SHA512:
-  metadata.gz: 522cd25c63ec98067a9b52efb10a3f55b8ab728ced841f96f812c9c9262198584efe0aee5c95125ff9b513d9147dfd351a3cf2648ce43b87fc948ba517f5c952
-  data.tar.gz: d03ef7cb60c5ee53dab6fc109b85aa3a2e3d5ebae87ce35ba99c2dad9a0b9e5085d797a6a4c9f8dea4312e4c1e4f0603fc85a51a4749e1ef052621bb0be1bb1f
+  metadata.gz: bf8d08b9b60d6268b2e0625b175048c0def7aed442661c89415797cbbcf6409e54d25bad0b4d7cd1d6dc8816fa3b4d9b79ebb78e60a8344fca7f62451637b283
+  data.tar.gz: fe74219396c110829a71fbdfcbb36d07d1c8e4d06a58af00093e43741b62aad3d34638bbb3d19e9888e8d5edb642edd59110865b4a39c2a1ef624797c4f66225

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+## 6.1.1
+ - Changed jar dependencies to reflect newer versions [#179](https://github.com/logstash-plugins/logstash-input-http/pull/179)
+
+## 6.1.0
+  - Feat: improve SSL error logging/unwrapping [#178](https://github.com/logstash-plugins/logstash-input-tcp/pull/178)
+  - Fix: the plugin will no longer have a side effect of adding the Bouncy-Castle security provider at runtime  
+
+## 6.0.10
+  - bumping dependency commons-io [#174](https://github.com/logstash-plugins/logstash-input-tcp/pull/174)
+
+## 6.0.9
+  - [DOC] Reorder options alphabetically [#171](https://github.com/logstash-plugins/logstash-input-tcp/pull/171)
+
+## 6.0.8
+  - [DOC] better description for `tcp_keep_alive` option [#169](https://github.com/logstash-plugins/logstash-input-tcp/pull/169)
+
 ## 6.0.7
   - Fix: reduce error logging (to info level) on connection resets [#168](https://github.com/logstash-plugins/logstash-input-tcp/pull/168)
   - Refactor: only patch Socket classes once (on first input)

data/docs/index.asciidoc

@@ -78,6 +78,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 [cols="<,<,<",options="header",]
 |=======================================================================
 |Setting |Input type|Required
+| <<plugins-{type}s-{plugin}-dns_reverse_lookup_enabled>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-host>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-mode>> |<<string,string>>, one of `["server", "client"]`|No
 | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
@@ -90,7 +91,6 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_verify>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-tcp_keep_alive>> |<<boolean,boolean>>|No
-| <<plugins-{type}s-{plugin}-dns_reverse_lookup_enabled>> |<<boolean,boolean>>|No
 |=======================================================================
 
 Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
@@ -98,6 +98,16 @@ input plugins.
 
 &nbsp;
 
+[id="plugins-{type}s-{plugin}-dns_reverse_lookup_enabled"]
+===== `dns_reverse_lookup_enabled`
+
+  * Value type is <<boolean,boolean>>
+  * Default value is `true`
+
+It is possible to avoid DNS reverse-lookups by disabling this setting. If disabled,
+the address metadata that is added to events will contain the source address as-specified
+at the TCP layer and IPs will not be resolved to hostnames.
+
 [id="plugins-{type}s-{plugin}-host"]
 ===== `host` 
 
@@ -202,17 +212,9 @@ For input, sets the field `sslsubject` to that of the client certificate.
   * Value type is <<boolean,boolean>>
   * Default value is `false`
 
-Instruct the socket to use TCP keep alives. Uses OS defaults for keep alive settings.
-
-[id="plugins-{type}s-{plugin}-dns_reverse_lookup_enabled"]
-===== `dns_reverse_lookup_enabled`
-
-  * Value type is <<boolean,boolean>>
-  * Default value is `true`
-
-It is possible to avoid DNS reverse-lookups by disabling this setting. If disabled,
-the address metadata that is added to events will contain the source address as-specified
-at the TCP layer and IPs will not be resolved to hostnames.
+Instruct the socket to use TCP keep alive. If it's `true` then the underlying socket
+will use the OS defaults settings for keep alive. If it's `false` it doesn't configure any
+keep alive setting for the underlying socket.
 
 
 [id="plugins-{type}s-{plugin}-common-options"]

data/lib/logstash/inputs/tcp.rb

@@ -6,7 +6,6 @@ require "logstash/inputs/base"
 require "logstash/util/socket_peer"
 require "logstash-input-tcp_jars"
 require "logstash/inputs/tcp/decoder_impl"
-require "logstash/inputs/tcp/compat_ssl_options"
 
 require "socket"
 require "openssl"
@@ -61,7 +60,8 @@ require "openssl"
 #     }
 class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 
-  java_import org.logstash.tcp.InputLoop
+  java_import 'org.logstash.tcp.InputLoop'
+  java_import 'org.logstash.tcp.SslContextBuilder'
 
   config_name "tcp"
 
@@ -103,7 +103,8 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   # Useful when the CA chain is not necessary in the system store.
   config :ssl_extra_chain_certs, :validate => :array, :default => []
 
-  # Validate client certificates against these authorities. You can define multiple files or paths. All the certificates will be read and added to the trust store.
+  # Validate client certificates against these authorities. You can define multiple files or paths.
+  # All the certificates will be read and added to the trust store.
   config :ssl_certificate_authorities, :validate => :array, :default => []
 
   # Instruct the socket to use TCP keep alives. Uses OS defaults for keep alive settings.
@@ -148,10 +149,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     fix_streaming_codecs
 
     if server?
-      ssl_context = get_ssl_context(SslOptions)
-
-
-      @loop = InputLoop.new(@host, @port, DecoderImpl.new(@codec, self), @tcp_keep_alive, ssl_context)
+      @loop = InputLoop.new(@host, @port, DecoderImpl.new(@codec, self), @tcp_keep_alive, java_ssl_context)
     end
   end
 
@@ -320,7 +318,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 
     socket
   rescue OpenSSL::SSL::SSLError => e
-    @logger.error("SSL Error", :exception => e, :backtrace => e.backtrace)
+    @logger.error("SSL Error", :message => e.message, :exception => e.class, :backtrace => e.backtrace)
     # catch all rescue nil on close to discard any close errors or invalid socket
     socket.close rescue nil
     sleep(1) # prevent hammering peer
@@ -362,15 +360,33 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     @socket_mutex.synchronize{@connection_sockets.keys.dup}
   end
 
-  def get_ssl_context(options_class)
-    ssl_context = options_class.builder
-      .set_is_ssl_enabled(@ssl_enable)
+  def java_ssl_context
+    SslContextBuilder.new
+      .set_ssl_enabled(@ssl_enable)
       .set_should_verify(@ssl_verify)
       .set_ssl_cert(@ssl_cert)
       .set_ssl_key(@ssl_key)
-      .set_ssl_key_passphrase(@ssl_key_passphrase.value)
+      .set_ssl_key_password(@ssl_key_passphrase.value)
       .set_ssl_extra_chain_certs(@ssl_extra_chain_certs.to_java(:string))
       .set_ssl_certificate_authorities(@ssl_certificate_authorities.to_java(:string))
-      .build.toSslContext()
+      .build_context
+  rescue java.lang.IllegalArgumentException => e
+    @logger.error("SSL configuration invalid", error_details(e))
+    raise LogStash::ConfigurationError, e
+  rescue java.lang.Exception => e
+    @logger.error("SSL configuration failed", error_details(e, true))
+    raise e
+  end
+
+  def error_details(e, trace = false)
+    error_details = { :exception => e.class, :message => e.message }
+    error_details[:backtrace] = e.backtrace if trace || @logger.debug?
+    cause = e.cause
+    if cause && e != cause
+      error_details[:cause] = { :exception => cause.class, :message => cause.message }
+      error_details[:cause][:backtrace] = cause.backtrace if trace || @logger.debug?
+    end
+    error_details
   end
+
 end

data/logstash-input-tcp.gemspec

@@ -22,6 +22,11 @@ Gem::Specification.new do |s|
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
 
+  s.add_runtime_dependency 'logstash-core', '>= 6.7.0'
+
+  # we depend on bouncycastle's bcpkix-jdk15on being on the class-path
+  s.add_runtime_dependency 'jruby-openssl', '>= 0.10.2', '< 0.12'
+
   # line vs streaming codecs required for fix_streaming_codecs
   # TODO: fix_streaming_codecs should be refactored to not
   # require the codecs to be installed.

data/version

@@ -1 +1 @@
-6.0.7
+6.1.1

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-tcp
 version: !ruby/object:Gem::Version
-  version: 6.0.7
+  version: 6.1.1
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-09 00:00:00.000000000 Z
+date: 2021-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -30,6 +30,40 @@ dependencies:
     - - "<="
       - !ruby/object:Gem::Version
         version: '2.99'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.7.0
+  name: logstash-core
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.7.0
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.10.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.12'
+  name: jruby-openssl
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.10.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.12'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -173,12 +207,11 @@ files:
 - docs/index.asciidoc
 - lib/logstash-input-tcp_jars.rb
 - lib/logstash/inputs/tcp.rb
-- lib/logstash/inputs/tcp/compat_ssl_options.rb
 - lib/logstash/inputs/tcp/decoder_impl.rb
 - logstash-input-tcp.gemspec
 - spec/inputs/tcp_spec.rb
 - spec/spec_helper.rb
-- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.7/logstash-input-tcp-6.0.7.jar
+- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.1.1/logstash-input-tcp-6.1.1.jar
 - version
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:

data/lib/logstash/inputs/tcp/compat_ssl_options.rb

@@ -1,147 +0,0 @@
-require 'openssl'
-require "logstash/util/loggable"
-
-# Simulate a normal SslOptions builder:
-#
-#     ssl_context = SslOptions.builder
-#       .set_is_ssl_enabled(@ssl_enable)
-#       .set_should_verify(@ssl_verify)
-#       .set_ssl_cert(@ssl_cert)
-#       .set_ssl_key(@ssl_key)
-#       .set_ssl_key_passphrase(@ssl_key_passphrase.value)
-#       .set_ssl_extra_chain_certs(@ssl_extra_chain_certs.to_java(:string))
-#       .set_ssl_certificate_authorities(@ssl_certificate_authorities.to_java(:string))
-#       .build.toSslContext()
-class SslOptions
-  include LogStash::Util::Loggable
-
-  java_import 'io.netty.handler.ssl.ClientAuth'
-  java_import 'io.netty.handler.ssl.SslContextBuilder'
-  java_import 'java.security.cert.X509Certificate'
-  java_import 'javax.crypto.Cipher'
-  java_import 'org.bouncycastle.asn1.pkcs.PrivateKeyInfo'
-  java_import 'org.bouncycastle.jce.provider.BouncyCastleProvider'
-  java_import 'org.bouncycastle.openssl.PEMKeyPair'
-  java_import 'org.bouncycastle.openssl.PEMParser'
-  java_import 'org.bouncycastle.openssl.PEMEncryptedKeyPair'
-  java_import 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter'
-  java_import 'org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder'
-  java_import 'org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder'
-  java_import 'org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo'
-
-  def self.builder
-    new
-  end
-
-  def set_is_ssl_enabled(boolean)
-    @ssl_enabled = boolean
-    self
-  end
-
-  def set_should_verify(boolean)
-    @ssl_verify = boolean
-    self
-  end
-
-  def set_ssl_cert(path)
-    @ssl_cert_path = path
-    self
-  end
-
-  def set_ssl_key(path)
-    @ssl_key_path = path
-    self
-  end
-
-  def set_ssl_key_passphrase(passphrase)
-    @ssl_key_passphrase = passphrase
-    self
-  end
-
-  def set_ssl_extra_chain_certs(certs)
-    @ssl_extra_chain_certs = certs
-    self
-  end
-
-  def set_ssl_certificate_authorities(certs)
-    @ssl_certificate_authorities = certs
-    self
-  end
-
-  def build; self; end
-
-  def toSslContext
-    return nil unless @ssl_enabled
-
-    # Check key strength
-    logger.warn("JCE Unlimited Strength Jurisdiction Policy not installed - max key length is 128 bits") unless Cipher.getMaxAllowedKeyLength("AES") > 128
-    # create certificate object
-    cf = java.security.cert.CertificateFactory.getInstance("X.509")
-    cert_chain = []
-    fetch_certificates_from_file(@ssl_cert_path, cf) do |cert|
-      cert_chain << cert
-    end
-
-    # convert key from pkcs1 to pkcs8 and get PrivateKey object
-    pem_parser = PEMParser.new(java.io.FileReader.new(@ssl_key_path))
-    java.security.Security.addProvider(BouncyCastleProvider.new)
-    converter = JcaPEMKeyConverter.new
-    case obj = pem_parser.readObject
-    when PEMKeyPair # unencrypted pkcs#1
-      private_key = converter.getKeyPair(obj).private
-    when PrivateKeyInfo # unencrypted pkcs#8
-      private_key = converter.getPrivateKey(obj)
-    when PEMEncryptedKeyPair # encrypted pkcs#1
-      key_char_array = @ssl_key_passphrase.to_java.toCharArray
-      decryptor = JcePEMDecryptorProviderBuilder.new.build(key_char_array)
-      key_pair = obj.decryptKeyPair(decryptor)
-      private_key = converter.getKeyPair(key_pair).private
-    when PKCS8EncryptedPrivateKeyInfo # encrypted pkcs#8
-      key_char_array = @ssl_key_passphrase.to_java.toCharArray
-      key = JceOpenSSLPKCS8DecryptorProviderBuilder.new.build(key_char_array)
-      private_key = converter.getPrivateKey(obj.decryptPrivateKeyInfo(key))
-    else
-      raise "Could not recognize 'ssl_key' format. Class: #{obj.class}"
-    end
-
-    @ssl_extra_chain_certs.each do |file|
-      fetch_certificates_from_file(file, cf) do |cert|
-        cert_chain << cert
-      end
-    end
-    sslContextBuilder = SslContextBuilder.forServer(private_key, @ssl_key_passphrase, cert_chain.to_java(X509Certificate))
-
-    trust_certs = []
-
-    @ssl_certificate_authorities.each do |file|
-      fetch_certificates_from_file(file, cf) do |cert|
-        trust_certs << cert
-      end
-    end
-
-    if trust_certs.any?
-      sslContextBuilder.trustManager(trust_certs.to_java(X509Certificate))
-    end
-
-    sslContextBuilder.clientAuth(@ssl_verify ? ClientAuth::REQUIRE : ClientAuth::NONE)
-    sslContextBuilder.build()
-  end
-
-  private
-  def fetch_certificates_from_file(file, cf)
-    fis = java.io.FileInputStream.new(file)
-
-    while (fis.available > 0) do
-      cert = generate_certificate(cf, fis)
-      yield cert if cert
-    end
-  ensure
-    fis.close if fis
-  end
-
-  def generate_certificate(cf, fis)
-    cf.generateCertificate(fis)
-  rescue Java::JavaSecurityCert::CertificateException => e
-    raise e unless e.cause.message == "Empty input"
-  end
-end