logstash-input-tcp 6.0.7-java → 6.1.1-java
- checksums.yaml +4 -4
- data/CHANGELOG.md +16 -0
- data/docs/index.asciidoc +14 -12
- data/lib/logstash/inputs/tcp.rb +29 -13
- data/logstash-input-tcp.gemspec +5 -0
- data/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/{6.0.7/logstash-input-tcp-6.0.7.jar → 6.1.1/logstash-input-tcp-6.1.1.jar} +0 -0
- data/version +1 -1
- metadata +37 -4
- data/lib/logstash/inputs/tcp/compat_ssl_options.rb +0 -147
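--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9b37d806eedc118d3a553f449a68e90d9366e258b0484c5e1aad54e0e6939883
+data.tar.gz: cae6d73f16e144241b588a3eb9b2c7703ac42ccb0d26a266736ad3d5d5d3f4bb
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: bf8d08b9b60d6268b2e0625b175048c0def7aed442661c89415797cbbcf6409e54d25bad0b4d7cd1d6dc8816fa3b4d9b79ebb78e60a8344fca7f62451637b283
+data.tar.gz: fe74219396c110829a71fbdfcbb36d07d1c8e4d06a58af00093e43741b62aad3d34638bbb3d19e9888e8d5edb642edd59110865b4a39c2a1ef624797c4f66225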
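--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,19 @@
+## 6.1.1
+- Changed jar dependencies to reflect newer versions [#179](https://github.com/logstash-plugins/logstash-input-http/pull/179)
+
+## 6.1.0
+- Feat: improve SSL error logging/unwrapping [#178](https://github.com/logstash-plugins/logstash-input-tcp/pull/178)
+- Fix: the plugin will no longer have a side effect of adding the Bouncy-Castle security provider at runtime
+
+## 6.0.10
+- bumping dependency commons-io [#174](https://github.com/logstash-plugins/logstash-input-tcp/pull/174)
+
+## 6.0.9
+- [DOC] Reorder options alphabetically [#171](https://github.com/logstash-plugins/logstash-input-tcp/pull/171)
+
+## 6.0.8
+- [DOC] better description for `tcp_keep_alive` option [#169](https://github.com/logstash-plugins/logstash-input-tcp/pull/169)
+
 ## 6.0.7
 - Fix: reduce error logging (to info level) on connection resets [#168](https://github.com/logstash-plugins/logstash-input-tcp/pull/168)
 - Refactor: only patch Socket classes once (on first input)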
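--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -78,6 +78,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 [cols="<,<,<",options="header",]
 |=======================================================================
 |Setting |Input type|Required
+| <<plugins-{type}s-{plugin}-dns_reverse_lookup_enabled>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-host>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-mode>> |<<string,string>>, one of `["server", "client"]`|No
 | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
@@ -90,7 +91,6 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_verify>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-tcp_keep_alive>> |<<boolean,boolean>>|No
-| <<plugins-{type}s-{plugin}-dns_reverse_lookup_enabled>> |<<boolean,boolean>>|No
 |=======================================================================
 
 Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
@@ -98,6 +98,16 @@ input plugins.
 
 
 
+[id="plugins-{type}s-{plugin}-dns_reverse_lookup_enabled"]
+===== `dns_reverse_lookup_enabled`
+
+* Value type is <<boolean,boolean>>
+* Default value is `true`
+
+It is possible to avoid DNS reverse-lookups by disabling this setting. If disabled,
+the address metadata that is added to events will contain the source address as-specified
+at the TCP layer and IPs will not be resolved to hostnames.
+
 [id="plugins-{type}s-{plugin}-host"]
 ===== `host`
 
@@ -202,17 +212,9 @@ For input, sets the field `sslsubject` to that of the client certificate.
 * Value type is <<boolean,boolean>>
 * Default value is `false`
 
-Instruct the socket to use TCP keep
-
-
-===== `dns_reverse_lookup_enabled`
-
-* Value type is <<boolean,boolean>>
-* Default value is `true`
-
-It is possible to avoid DNS reverse-lookups by disabling this setting. If disabled,
-the address metadata that is added to events will contain the source address as-specified
-at the TCP layer and IPs will not be resolved to hostnames.
+Instruct the socket to use TCP keep alive. If it's `true` then the underlying socket
+will use the OS defaults settings for keep alive. If it's `false` it doesn't configure any
+keep alive setting for the underlying socket.
 
 
 [id="plugins-{type}s-{plugin}-common-options"]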
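--- a/data/lib/logstash/inputs/tcp.rb
+++ b/data/lib/logstash/inputs/tcp.rb
@@ -6,7 +6,6 @@ require "logstash/inputs/base"
 require "logstash/util/socket_peer"
 require "logstash-input-tcp_jars"
 require "logstash/inputs/tcp/decoder_impl"
-require "logstash/inputs/tcp/compat_ssl_options"
 
 require "socket"
 require "openssl"
@@ -61,7 +60,8 @@ require "openssl"
 # }
 class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 
-java_import org.logstash.tcp.InputLoop
+java_import 'org.logstash.tcp.InputLoop'
+java_import 'org.logstash.tcp.SslContextBuilder'
 
 config_name "tcp"
 
@@ -103,7 +103,8 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 # Useful when the CA chain is not necessary in the system store.
 config :ssl_extra_chain_certs, :validate => :array, :default => []
 
-# Validate client certificates against these authorities. You can define multiple files or paths.
+# Validate client certificates against these authorities. You can define multiple files or paths.
+# All the certificates will be read and added to the trust store.
 config :ssl_certificate_authorities, :validate => :array, :default => []
 
 # Instruct the socket to use TCP keep alives. Uses OS defaults for keep alive settings.
@@ -148,10 +149,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 fix_streaming_codecs
 
 if server?
-
-
-
-@loop = InputLoop.new(@host, @port, DecoderImpl.new(@codec, self), @tcp_keep_alive, ssl_context)
+@loop = InputLoop.new(@host, @port, DecoderImpl.new(@codec, self), @tcp_keep_alive, java_ssl_context)
 end
 end
 
@@ -320,7 +318,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 
 socket
 rescue OpenSSL::SSL::SSLError => e
-@logger.error("SSL Error", :exception => e, :backtrace => e.backtrace)
+@logger.error("SSL Error", :message => e.message, :exception => e.class, :backtrace => e.backtrace)
 # catch all rescue nil on close to discard any close errors or invalid socket
 socket.close rescue nil
 sleep(1) # prevent hammering peer
@@ -362,15 +360,33 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 @socket_mutex.synchronize{@connection_sockets.keys.dup}
 end
 
-def
-
-.
+def java_ssl_context
+SslContextBuilder.new
+.set_ssl_enabled(@ssl_enable)
 .set_should_verify(@ssl_verify)
 .set_ssl_cert(@ssl_cert)
 .set_ssl_key(@ssl_key)
-.
+.set_ssl_key_password(@ssl_key_passphrase.value)
 .set_ssl_extra_chain_certs(@ssl_extra_chain_certs.to_java(:string))
 .set_ssl_certificate_authorities(@ssl_certificate_authorities.to_java(:string))
-.
+.build_context
+rescue java.lang.IllegalArgumentException => e
+@logger.error("SSL configuration invalid", error_details(e))
+raise LogStash::ConfigurationError, e
+rescue java.lang.Exception => e
+@logger.error("SSL configuration failed", error_details(e, true))
+raise e
+end
+
+def error_details(e, trace = false)
+error_details = { :exception => e.class, :message => e.message }
+error_details[:backtrace] = e.backtrace if trace || @logger.debug?
+cause = e.cause
+if cause && e != cause
+error_details[:cause] = { :exception => cause.class, :message => cause.message }
+error_details[:cause][:backtrace] = cause.backtrace if trace || @logger.debug?
+end
+error_details
 end
+
 end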
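Review bot: `java_ssl_context` (the @@ -362 hunk) has no comment stating which trust anchors apply when `@ssl_verify` is true and `@ssl_certificate_authorities` is left at its default `[]`. The deleted `compat_ssl_options.rb` only set a trust manager when CA files were supplied and still required client auth, and what the Java `SslContextBuilder` does in that case is not visible on this page. I would add a comment above the method such as `# Server-side TLS context; with ssl_verify and an empty ssl_certificate_authorities the trust store is <state the builder's fallback>`, so operators can tell which client certificates will be accepted. Separately, the client-mode rescue in the @@ -320 hunk still logs `e.backtrace` on every failure, whereas the new `error_details` adds it only for `trace || @logger.debug?`; `@logger.error("SSL Error", error_details(e))` would keep both paths consistent and also surface the cause. The method around that rescue starts outside its hunk.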
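--- a/data/logstash-input-tcp.gemspec
+++ b/data/logstash-input-tcp.gemspec
@@ -22,6 +22,11 @@ Gem::Specification.new do |s|
 # Gem dependencies
 s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
 
+s.add_runtime_dependency 'logstash-core', '>= 6.7.0'
+
+# we depend on bouncycastle's bcpkix-jdk15on being on the class-path
+s.add_runtime_dependency 'jruby-openssl', '>= 0.10.2', '< 0.12'
+
 # line vs streaming codecs required for fix_streaming_codecs
 # TODO: fix_streaming_codecs should be refactored to not
 # require the codecs to be installed.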
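Review bot: The comment on the new `jruby-openssl` dependency says the plugin needs Bouncy Castle's `bcpkix-jdk15on` on the class-path, but nothing here declares that jar. It presumably arrives transitively with jruby-openssl, so the `'>= 0.10.2', '< 0.12'` range is what actually selects the Bouncy Castle version used for key parsing. I would spell that out, e.g. `# bcpkix-jdk15on is provided by jruby-openssl (not declared here); this range selects the Bouncy Castle version`, so a later widening of the range gets reviewed as a crypto-library change. The new `logstash-core` requirement `'>= 6.7.0'` has no upper bound, unlike the `logstash-core-plugin-api` line above it; worth confirming that is intended. The `Gem::Specification` block starts and ends outside the hunk.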
Binary file
|
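--- a/data/version
+++ b/data/version
@@ -1 +1 @@
-6.
+6.1.1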
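--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-tcp
 version: !ruby/object:Gem::Version
-version: 6.
+version: 6.1.1
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-
+date: 2021-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
@@ -30,6 +30,40 @@ dependencies:
 - - "<="
 - !ruby/object:Gem::Version
 version: '2.99'
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 6.7.0
+name: logstash-core
+prerelease: false
+type: :runtime
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 6.7.0
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 0.10.2
+- - "<"
+- !ruby/object:Gem::Version
+version: '0.12'
+name: jruby-openssl
+prerelease: false
+type: :runtime
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 0.10.2
+- - "<"
+- !ruby/object:Gem::Version
+version: '0.12'
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
 requirements:
@@ -173,12 +207,11 @@ files:
 - docs/index.asciidoc
 - lib/logstash-input-tcp_jars.rb
 - lib/logstash/inputs/tcp.rb
-- lib/logstash/inputs/tcp/compat_ssl_options.rb
 - lib/logstash/inputs/tcp/decoder_impl.rb
 - logstash-input-tcp.gemspec
 - spec/inputs/tcp_spec.rb
 - spec/spec_helper.rb
-- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.
+- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.1.1/logstash-input-tcp-6.1.1.jar
 - version
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses: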
@@ -1,147 +0,0 @@
|
|
1
|
-
require 'openssl'
|
2
|
-
require "logstash/util/loggable"
|
3
|
-
|
4
|
-
# Simulate a normal SslOptions builder:
|
5
|
-
#
|
6
|
-
# ssl_context = SslOptions.builder
|
7
|
-
# .set_is_ssl_enabled(@ssl_enable)
|
8
|
-
# .set_should_verify(@ssl_verify)
|
9
|
-
# .set_ssl_cert(@ssl_cert)
|
10
|
-
# .set_ssl_key(@ssl_key)
|
11
|
-
# .set_ssl_key_passphrase(@ssl_key_passphrase.value)
|
12
|
-
# .set_ssl_extra_chain_certs(@ssl_extra_chain_certs.to_java(:string))
|
13
|
-
# .set_ssl_certificate_authorities(@ssl_certificate_authorities.to_java(:string))
|
14
|
-
# .build.toSslContext()
|
15
|
-
class SslOptions
|
16
|
-
include LogStash::Util::Loggable
|
17
|
-
|
18
|
-
java_import 'io.netty.handler.ssl.ClientAuth'
|
19
|
-
java_import 'io.netty.handler.ssl.SslContextBuilder'
|
20
|
-
java_import 'java.security.cert.X509Certificate'
|
21
|
-
java_import 'javax.crypto.Cipher'
|
22
|
-
java_import 'org.bouncycastle.asn1.pkcs.PrivateKeyInfo'
|
23
|
-
java_import 'org.bouncycastle.jce.provider.BouncyCastleProvider'
|
24
|
-
java_import 'org.bouncycastle.openssl.PEMKeyPair'
|
25
|
-
java_import 'org.bouncycastle.openssl.PEMParser'
|
26
|
-
java_import 'org.bouncycastle.openssl.PEMEncryptedKeyPair'
|
27
|
-
java_import 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter'
|
28
|
-
java_import 'org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder'
|
29
|
-
java_import 'org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder'
|
30
|
-
java_import 'org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo'
|
31
|
-
|
32
|
-
def self.builder
|
33
|
-
new
|
34
|
-
end
|
35
|
-
|
36
|
-
def set_is_ssl_enabled(boolean)
|
37
|
-
@ssl_enabled = boolean
|
38
|
-
self
|
39
|
-
end
|
40
|
-
|
41
|
-
def set_should_verify(boolean)
|
42
|
-
@ssl_verify = boolean
|
43
|
-
self
|
44
|
-
end
|
45
|
-
|
46
|
-
def set_ssl_cert(path)
|
47
|
-
@ssl_cert_path = path
|
48
|
-
self
|
49
|
-
end
|
50
|
-
|
51
|
-
def set_ssl_key(path)
|
52
|
-
@ssl_key_path = path
|
53
|
-
self
|
54
|
-
end
|
55
|
-
|
56
|
-
def set_ssl_key_passphrase(passphrase)
|
57
|
-
@ssl_key_passphrase = passphrase
|
58
|
-
self
|
59
|
-
end
|
60
|
-
|
61
|
-
def set_ssl_extra_chain_certs(certs)
|
62
|
-
@ssl_extra_chain_certs = certs
|
63
|
-
self
|
64
|
-
end
|
65
|
-
|
66
|
-
def set_ssl_certificate_authorities(certs)
|
67
|
-
@ssl_certificate_authorities = certs
|
68
|
-
self
|
69
|
-
end
|
70
|
-
|
71
|
-
def build; self; end
|
72
|
-
|
73
|
-
def toSslContext
|
74
|
-
return nil unless @ssl_enabled
|
75
|
-
|
76
|
-
# Check key strength
|
77
|
-
logger.warn("JCE Unlimited Strength Jurisdiction Policy not installed - max key length is 128 bits") unless Cipher.getMaxAllowedKeyLength("AES") > 128
|
78
|
-
# create certificate object
|
79
|
-
cf = java.security.cert.CertificateFactory.getInstance("X.509")
|
80
|
-
cert_chain = []
|
81
|
-
fetch_certificates_from_file(@ssl_cert_path, cf) do |cert|
|
82
|
-
cert_chain << cert
|
83
|
-
end
|
84
|
-
|
85
|
-
# convert key from pkcs1 to pkcs8 and get PrivateKey object
|
86
|
-
pem_parser = PEMParser.new(java.io.FileReader.new(@ssl_key_path))
|
87
|
-
java.security.Security.addProvider(BouncyCastleProvider.new)
|
88
|
-
converter = JcaPEMKeyConverter.new
|
89
|
-
case obj = pem_parser.readObject
|
90
|
-
when PEMKeyPair # unencrypted pkcs#1
|
91
|
-
private_key = converter.getKeyPair(obj).private
|
92
|
-
when PrivateKeyInfo # unencrypted pkcs#8
|
93
|
-
private_key = converter.getPrivateKey(obj)
|
94
|
-
when PEMEncryptedKeyPair # encrypted pkcs#1
|
95
|
-
key_char_array = @ssl_key_passphrase.to_java.toCharArray
|
96
|
-
decryptor = JcePEMDecryptorProviderBuilder.new.build(key_char_array)
|
97
|
-
key_pair = obj.decryptKeyPair(decryptor)
|
98
|
-
private_key = converter.getKeyPair(key_pair).private
|
99
|
-
when PKCS8EncryptedPrivateKeyInfo # encrypted pkcs#8
|
100
|
-
key_char_array = @ssl_key_passphrase.to_java.toCharArray
|
101
|
-
key = JceOpenSSLPKCS8DecryptorProviderBuilder.new.build(key_char_array)
|
102
|
-
private_key = converter.getPrivateKey(obj.decryptPrivateKeyInfo(key))
|
103
|
-
else
|
104
|
-
raise "Could not recognize 'ssl_key' format. Class: #{obj.class}"
|
105
|
-
end
|
106
|
-
|
107
|
-
@ssl_extra_chain_certs.each do |file|
|
108
|
-
fetch_certificates_from_file(file, cf) do |cert|
|
109
|
-
cert_chain << cert
|
110
|
-
end
|
111
|
-
end
|
112
|
-
sslContextBuilder = SslContextBuilder.forServer(private_key, @ssl_key_passphrase, cert_chain.to_java(X509Certificate))
|
113
|
-
|
114
|
-
trust_certs = []
|
115
|
-
|
116
|
-
@ssl_certificate_authorities.each do |file|
|
117
|
-
fetch_certificates_from_file(file, cf) do |cert|
|
118
|
-
trust_certs << cert
|
119
|
-
end
|
120
|
-
end
|
121
|
-
|
122
|
-
if trust_certs.any?
|
123
|
-
sslContextBuilder.trustManager(trust_certs.to_java(X509Certificate))
|
124
|
-
end
|
125
|
-
|
126
|
-
sslContextBuilder.clientAuth(@ssl_verify ? ClientAuth::REQUIRE : ClientAuth::NONE)
|
127
|
-
sslContextBuilder.build()
|
128
|
-
end
|
129
|
-
|
130
|
-
private
|
131
|
-
def fetch_certificates_from_file(file, cf)
|
132
|
-
fis = java.io.FileInputStream.new(file)
|
133
|
-
|
134
|
-
while (fis.available > 0) do
|
135
|
-
cert = generate_certificate(cf, fis)
|
136
|
-
yield cert if cert
|
137
|
-
end
|
138
|
-
ensure
|
139
|
-
fis.close if fis
|
140
|
-
end
|
141
|
-
|
142
|
-
def generate_certificate(cf, fis)
|
143
|
-
cf.generateCertificate(fis)
|
144
|
-
rescue Java::JavaSecurityCert::CertificateException => e
|
145
|
-
raise e unless e.cause.message == "Empty input"
|
146
|
-
end
|
147
|
-
end
|