logstash-input-tcp 6.3.0-java → 6.3.2-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f018798315cfe0b020a135261fd6145a2854fe8d432bec36b69168e72b21a226
-  data.tar.gz: 1c38f5e86c898ffe936a7970cbb50fe3b8ce2fe0e7ec0d8f9d99dabd13fd0046
+  metadata.gz: a99781d8e7ec4789fddfe3e3ccaa4812b0ccfabe9aa14c0447e4df8f9d5b7139
+  data.tar.gz: 8639abb1efc3737b87d44daaca5de642353ec6262a72a786c0f25ba20cc459cc
 SHA512:
-  metadata.gz: df77c83316a7c9793b34ca0efeb16efa83ca53b3c59b1edbf53223a801e0dea865efbad074598d47013547f0beced6565cef49a109e13beb98c19859cbafa6c3
-  data.tar.gz: cf3e87359d1666fb6bbc6b42a595bf303714f19bd2cba77a4dc608c0d240b8d57bf9fdd59e38bb5ec4e1ccbc5996c42d0e92b2f99e5c06cd071eea8a10f0ae98
+  metadata.gz: 80b58441b54df57b6859c80febd75ea53ccc32120c5d35c24993a6c44cbb57cef054413269c29f112d842264ea4d2bbfe7a0840bc0408149825088ac641dabeb
+  data.tar.gz: 4de35f8cb6891989ed1bf659e35865460a90b80505f232e719ce978540c78748ce205b6c7c43940980e1214e4b46a2f373824b3edb16ddc2a32797666b96b6ea

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 6.3.2
+  - Update Netty dependency to 4.1.87 [#209](https://github.com/logstash-plugins/logstash-input-tcp/pull/209)
+
+## 6.3.1
+  - Fixes a regression in which the ssl_subject was missing for SSL-secured connections in server mode [#199](https://github.com/logstash-plugins/logstash-input-tcp/pull/199)
+
 ## 6.3.0
   - Feat: ssl_supported_protocols (TLSv1.3) + ssl_cipher_suites [#198](https://github.com/logstash-plugins/logstash-input-tcp/pull/198)
 

data/lib/logstash/inputs/tcp/decoder_impl.rb

@@ -11,16 +11,17 @@ class LogStash::Inputs::Tcp::DecoderImpl
     @first_read = true
   end
 
-  def decode(channel_addr, data)
+  def decode(ctx, data)
+    channel = ctx.channel()
     bytes = Java::byte[data.readableBytes].new
     data.getBytes(0, bytes)
     data.release
     tbuf = String.from_java_bytes bytes, "ASCII-8BIT"
     if @first_read
-      tbuf = init_first_read(channel_addr, tbuf)
+      tbuf = init_first_read(channel, tbuf)
     end
     @tcp.decode_buffer(@ip_address, @address, @port, @codec,
-                       @proxy_address, @proxy_port, tbuf, nil)
+                         @proxy_address, @proxy_port, tbuf, @sslsubject)
   end
 
   def copy
@@ -28,11 +29,12 @@ class LogStash::Inputs::Tcp::DecoderImpl
   end
 
   def flush
-    @tcp.flush_codec(@codec, @ip_address, @address, @port, nil)
+    @tcp.flush_codec(@codec, @ip_address, @address, @port, @sslsubject)
   end
 
   private
-  def init_first_read(channel_addr, received)
+  def init_first_read(channel, received)
+    channel_addr = channel.remoteAddress()
     if @tcp.proxy_protocol
       pp_hdr, filtered = received.split("\r\n", 2)
       pp_info = pp_hdr.split(/\s/)
@@ -53,10 +55,20 @@ class LogStash::Inputs::Tcp::DecoderImpl
       @address = extract_host_name(channel_addr) # name _or_ address of sender
       @port = channel_addr.get_port # outgoing port of sender (probably random)
     end
+    @sslsubject = extract_sslsubject(channel)
     @first_read = false
     filtered
   end
 
+  private
+  def extract_sslsubject(channel)
+    return nil unless @tcp.ssl_enable && @tcp.ssl_verify
+
+    channel.pipeline().get("ssl-handler").engine().getSession().getPeerPrincipal().getName()
+  rescue Exception => e
+    nil
+  end
+
   private
   def extract_host_name(channel_addr)
     channel_addr = java.net.InetSocketAddress.new(channel_addr, 0) if channel_addr.kind_of?(String)

data/lib/logstash/inputs/tcp.rb

@@ -190,19 +190,19 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   end
 
   def decode_buffer(client_ip_address, client_address, client_port, codec, proxy_address,
-                    proxy_port, tbuf, socket)
+                    proxy_port, tbuf, ssl_subject)
     codec.decode(tbuf) do |event|
       if @proxy_protocol
         event.set(@field_proxy_host, proxy_address) unless event.get(@field_proxy_host)
         event.set(@field_proxy_port, proxy_port) unless event.get(@field_proxy_port)
       end
-      enqueue_decorated(event, client_ip_address, client_address, client_port, socket)
+      enqueue_decorated(event, client_ip_address, client_address, client_port, ssl_subject)
     end
   end
 
-  def flush_codec(codec, client_ip_address, client_address, client_port, socket)
+  def flush_codec(codec, client_ip_address, client_address, client_port, ssl_subject)
     codec.flush do |event|
-      enqueue_decorated(event, client_ip_address, client_address, client_port, socket)
+      enqueue_decorated(event, client_ip_address, client_address, client_port, ssl_subject)
     end
   end
 
@@ -222,10 +222,14 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     client_socket.close rescue nil
   end
 
+  # only called in client mode
   def handle_socket(socket)
     client_address = socket.peeraddr[3]
     client_ip_address = socket.peeraddr[2]
     client_port = socket.peeraddr[1]
+
+    # Client mode sslsubject extraction, server mode happens in DecoderImpl#decode
+    ssl_subject = socket.peer_cert.subject.to_s if @ssl_enable && @ssl_verify
     peer = "#{client_address}:#{client_port}"
     first_read = true
     codec = @codec.clone
@@ -249,7 +253,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
         end
       end
       decode_buffer(client_ip_address, client_address, client_port, codec, proxy_address,
-                    proxy_port, tbuf, socket)
+                    proxy_port, tbuf, ssl_subject)
     end
   rescue EOFError
     @logger.debug? && @logger.debug("Connection closed", :client => peer)
@@ -263,14 +267,14 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   ensure
     # catch all rescue nil on close to discard any close errors or invalid socket
     socket.close rescue nil
-    flush_codec(codec, client_ip_address, client_address, client_port, socket)
+    flush_codec(codec, client_ip_address, client_address, client_port, ssl_subject)
   end
 
-  def enqueue_decorated(event, client_ip_address, client_address, client_port, socket)
+  def enqueue_decorated(event, client_ip_address, client_address, client_port, ssl_subject)
     event.set(@field_host, client_address) unless event.get(@field_host)
     event.set(@field_host_ip, client_ip_address) unless event.get(@field_host_ip)
     event.set(@field_port, client_port) unless event.get(@field_port)
-    event.set(@field_sslsubject, socket.peer_cert.subject.to_s) if socket && @ssl_enable && @ssl_verify && event.get(@field_sslsubject).nil?
+    event.set(@field_sslsubject, ssl_subject) unless ssl_subject.nil? || event.get(@field_sslsubject)
     decorate(event)
     @output_queue << event
   end

data/lib/logstash-input-tcp_jars.rb

@@ -1,7 +1,12 @@
 # AUTOGENERATED BY THE GRADLE SCRIPT. DO NOT EDIT.
 
 require 'jar_dependencies'
-require_jar('io.netty', 'netty-all', '4.1.65.Final')
+require_jar('io.netty', 'netty-buffer', '4.1.87.Final')
+require_jar('io.netty', 'netty-codec', '4.1.87.Final')
+require_jar('io.netty', 'netty-common', '4.1.87.Final')
+require_jar('io.netty', 'netty-transport', '4.1.87.Final')
+require_jar('io.netty', 'netty-handler', '4.1.87.Final')
+require_jar('io.netty', 'netty-transport-native-unix-common', '4.1.87.Final')
 require_jar('commons-io', 'commons-io', '2.8.0')
 
-require_jar('org.logstash.inputs', 'logstash-input-tcp', '6.3.0')
+require_jar('org.logstash.inputs', 'logstash-input-tcp', '6.3.2')

data/spec/inputs/tcp_spec.rb

@@ -541,7 +541,7 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
       end
     end
 
-    describe "#receive" do
+    describe "#receive", :ecs_compatibility_support do
       shared_examples "receiving events" do
         # TODO(sissel): Implement normal event-receipt tests as as a shared example
       end
@@ -549,7 +549,10 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
       context "when ssl_enable is true" do
         let(:input) { subject }
         let(:queue) { Queue.new }
-        before(:each) { subject.register }
+        before(:each) do
+          allow_any_instance_of(described_class).to receive(:ecs_compatibility).and_return(ecs_compatibility) if defined?(ecs_compatibility)
+          subject.register
+        end
 
         context "when using a certificate chain" do
           chain_of_certificates = TcpHelpers.new.chain_of_certificates
@@ -651,6 +654,38 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
             end
           end
 
+          context "with a regular TLS setup" do
+            let(:config) do
+              {
+                "host" => "127.0.0.1",
+                "port" => port,
+                "ssl_enable" => true,
+                "ssl_cert" => chain_of_certificates[:b_cert].path,
+                "ssl_key" => chain_of_certificates[:b_key].path,
+                "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
+                "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
+                "ssl_verify" => true
+              }
+            end
+
+            ecs_compatibility_matrix(:disabled,:v1, :v8 => :v1) do |ecs_select|
+              it "extracts the TLS subject from connections" do
+                result = TcpHelpers.pipelineless_input(subject, 1) do
+                  sslsocket.connect
+                  sslsocket.write("#{message}\n")
+                  tcp.flush
+                  sslsocket.close
+                  tcp.close
+                end
+                expect(result.size).to eq(1)
+                event = result.first
+
+                ssl_subject_field = ecs_select[disabled: 'sslsubject', v1:'[@metadata][input][tcp][tls][client][subject]']
+                expect(event.get(ssl_subject_field)).to eq("CN=RubyAA_Cert,DC=ruby-lang,DC=org")
+              end
+            end
+          end
+
           context "with enforced protocol version" do
             let(:config) do
               base_config.merge 'ssl_supported_protocols' => [ tls_version ]

data/version

@@ -1 +1 @@
-6.3.0
+6.3.2

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-tcp
 version: !ruby/object:Gem::Version
-  version: 6.3.0
+  version: 6.3.2
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-06-06 00:00:00.000000000 Z
+date: 2023-01-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -232,8 +232,13 @@ files:
 - spec/inputs/tcp_spec.rb
 - spec/spec_helper.rb
 - vendor/jar-dependencies/commons-io/commons-io/2.8.0/commons-io-2.8.0.jar
-- vendor/jar-dependencies/io/netty/netty-all/4.1.65.Final/netty-all-4.1.65.Final.jar
-- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.3.0/logstash-input-tcp-6.3.0.jar
+- vendor/jar-dependencies/io/netty/netty-buffer/4.1.87.Final/netty-buffer-4.1.87.Final.jar
+- vendor/jar-dependencies/io/netty/netty-codec/4.1.87.Final/netty-codec-4.1.87.Final.jar
+- vendor/jar-dependencies/io/netty/netty-common/4.1.87.Final/netty-common-4.1.87.Final.jar
+- vendor/jar-dependencies/io/netty/netty-handler/4.1.87.Final/netty-handler-4.1.87.Final.jar
+- vendor/jar-dependencies/io/netty/netty-transport-native-unix-common/4.1.87.Final/netty-transport-native-unix-common-4.1.87.Final.jar
+- vendor/jar-dependencies/io/netty/netty-transport/4.1.87.Final/netty-transport-4.1.87.Final.jar
+- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.3.2/logstash-input-tcp-6.3.2.jar
 - version
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses: