logstash-input-tcp 2.0.5 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5c7064c954a185e8f91e06bd314abb3daacc80d8
-  data.tar.gz: ca2dd0c7f7fdac14a7ea33027a62bd3dccfcc497
+  metadata.gz: bc8a144097d1b6d3ee89c67da0a9598c20816dc0
+  data.tar.gz: db3e1d7399ee28bcdbad61d343c589249287ad3d
 SHA512:
-  metadata.gz: b7ca6d3d05531210c046bf3bb4e093839679434721c0d6e5d5bacc2f881786322689af56c296dd312daabd51febf615c20b6710f41dee00d5252bcbcaf3e45af
-  data.tar.gz: 6f37a0e1cf9c291e00fa4d6c0f24eb008375fc961c931ec3bcb345e2256a5f274cf2ce64d0198f28a7befd7c0e51e4cb594635929beefc7f6685c8a501297fa5
+  metadata.gz: d8b9f22e646a94b0624d961075589d48899595e9aaedb4111fcc1cf6118a9173366f3caf6f7b0315c8048d0a6d850ee6da0319eea9f413413d5a6d2511d09c12
+  data.tar.gz: a5d0c419104ca62126ad38c4e3a0a83a81083df5febe5184a4c7edff44893a9b4141589830a99bbfaff365652cbcb43f8cdeb11e88d3fe6b341e36b32911a175

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 3.0.0
+ - Deprecate ssl_cacert as it's confusing, does it job but when willing to add a chain of certificated the name and behaviour is a bit confusing. 
+ - Add ssl_extra_chain_certs that allows you to specify a list of certificates path that will be added to the CAStore.
+ - Make ssl_verify=true as a default value, if using ssl and performing validation is not reasonable as security might be compromised.
+ - Add tests to verify behaviour under different SSL connection circumstances.
+ - Fixes #3 and #9.
+
+## 2.1.0
+ - Added the receiving port in the event payload, fixes #4
+
 ## 2.0.5
  - Fixed malformed SSL crashing Logstash, see https://github.com/logstash-plugins/logstash-input-tcp/pull/25
 

data/lib/logstash/inputs/tcp.rb

@@ -35,10 +35,10 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 
   # Verify the identity of the other end of the SSL connection against the CA.
   # For input, sets the field `sslsubject` to that of the client certificate.
-  config :ssl_verify, :validate => :boolean, :default => false
+  config :ssl_verify, :validate => :boolean, :default => true
 
   # The SSL CA certificate, chainfile or CA path. The system CA path is automatically included.
-  config :ssl_cacert, :validate => :path
+  config :ssl_cacert, :validate => :path, :deprecated => "This setting is deprecated in favor of extra_chain_cert as it sets a more clear expectation to add more X509 certificates to the store"
 
   # SSL certificate path
   config :ssl_cert, :validate => :path
@@ -49,6 +49,10 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   # SSL key passphrase
   config :ssl_key_passphrase, :validate => :password, :default => nil
 
+  # An Array of extra X509 certificates to be added to the certificate chain.
+  # Useful when the CA chain is not necessary in the system store.
+  config :ssl_extra_chain_certs, :validate => :array, :default => []
+
   def initialize(*args)
     super(*args)
 
@@ -126,7 +130,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   def run_client(output_queue)
     while !stop?
       self.client_socket = new_client_socket
-      handle_socket(client_socket, client_socket.peeraddr[3], output_queue, @codec.clone)
+      handle_socket(client_socket, client_socket.peeraddr[3], client_socket.peeraddr[1], output_queue, @codec.clone)
     end
   ensure
     # catch all rescue nil on close to discard any close errors or invalid socket
@@ -137,17 +141,18 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     Thread.new(output_queue, socket) do |q, s|
       begin
         @logger.debug? && @logger.debug("Accepted connection", :client => s.peer, :server => "#{@host}:#{@port}")
-        handle_socket(s, s.peeraddr[3], q, @codec.clone)
+        handle_socket(s, s.peeraddr[3], s.peeraddr[1], q, @codec.clone)
       ensure
         delete_connection_socket(s)
       end
     end
   end
 
-  def handle_socket(socket, client_address, output_queue, codec)
+  def handle_socket(socket, client_address, client_port, output_queue, codec)
     while !stop?
       codec.decode(read(socket)) do |event|
         event["host"] ||= client_address
+        event["port"] ||= client_port
         event["sslsubject"] ||= socket.peer_cert.subject if @ssl_enable && @ssl_verify
         decorate(event)
         output_queue << event
@@ -170,12 +175,28 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 
     codec.respond_to?(:flush) && codec.flush do |event|
       event["host"] ||= client_address
+      event["port"] ||= client_port
       event["sslsubject"] ||= socket.peer_cert.subject if @ssl_enable && @ssl_verify
       decorate(event)
       output_queue << event
     end
   end
 
+  private
+  def client_thread(output_queue, socket)
+    Thread.new(output_queue, socket) do |q, s|
+      begin
+        @logger.debug? && @logger.debug("Accepted connection", :client => s.peer, :server => "#{@host}:#{@port}")
+        handle_socket(s, s.peeraddr[3], s.peeraddr[1], q, @codec.clone)
+      rescue Interrupted
+        s.close rescue nil
+      ensure
+        @client_threads_lock.synchronize{@client_threads.delete(Thread.current)}
+      end
+    end
+  end
+
+  private
   def server?
     @mode == "server"
   end
@@ -192,15 +213,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
       @ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
       @ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase)
       if @ssl_verify
-        @cert_store = OpenSSL::X509::Store.new
-        # Load the system default certificate path to the store
-        @cert_store.set_default_paths
-        if File.directory?(@ssl_cacert)
-          @cert_store.add_path(@ssl_cacert)
-        else
-          @cert_store.add_file(@ssl_cacert)
-        end
-        @ssl_context.cert_store = @cert_store
+        @ssl_context.cert_store  = load_cert_store
         @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
       end
     rescue => e
@@ -211,9 +224,22 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     @ssl_context
   end
 
+  def load_cert_store
+    cert_store = OpenSSL::X509::Store.new
+    cert_store.set_default_paths
+    if File.directory?(@ssl_cacert)
+      cert_store.add_path(@ssl_cacert)
+    else
+      cert_store.add_file(@ssl_cacert)
+    end if @ssl_cacert
+    @ssl_extra_chain_certs.each do |cert|
+      cert_store.add_file(cert)
+    end
+    cert_store
+  end
+
   def new_server_socket
     @logger.info("Starting tcp input listener", :address => "#{@host}:#{@port}")
-
     begin
       socket = TCPServer.new(@host, @port)
     rescue Errno::EADDRINUSE

data/logstash-input-tcp.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-input-tcp'
-  s.version         = '2.0.5'
+  s.version         = '3.0.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Read events over a TCP socket."
   s.description     = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
@@ -26,6 +26,9 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'logstash-codec-line'
   s.add_runtime_dependency 'logstash-codec-json'
   s.add_runtime_dependency 'logstash-codec-json_lines'
+
   s.add_development_dependency 'logstash-devutils'
+  s.add_development_dependency 'flores', '~> 0.0.6'
+  s.add_development_dependency 'stud', '~> 0.0.22'
 end
 

data/spec/inputs/tcp_spec.rb

@@ -4,7 +4,10 @@ require "socket"
 require "timeout"
 require "logstash/json"
 require "logstash/inputs/tcp"
-require 'stud/try'
+require "stud/try"
+require "flores/pki"
+require "openssl"
+
 require_relative "../spec_helper"
 
 describe LogStash::Inputs::Tcp do
@@ -251,7 +254,6 @@ describe LogStash::Inputs::Tcp do
             socket.flush
           end
         end
-
         socket.close rescue nil
 
         result
@@ -269,8 +271,154 @@ describe LogStash::Inputs::Tcp do
         end
       end
 
-    end
+      it "should add the host and port to the generated event" do
+        events.each do |event|
+          expect(event["host"]).to eq("127.0.0.1")
+          expect(event["port"]).to be_an(Fixnum)
+        end
+      end
+
+      describe "ssl" do
+
+        let(:certificate) { helper.certificate }
+
+        subject(:input) { LogStash::Plugin.lookup("input", "tcp").new(config) }
+
+        let(:config) do
+          { "host" => "0.0.0.0", "port" => port, "ssl_verify" => false,
+            "ssl_enable" => true, "ssl_cert" => certificate[0].path, "ssl_key" => certificate[1].path }
+        end
+
+        let(:events) do
+
+          socket = Stud::try(5.times) do
+            ssl_context = OpenSSL::SSL::SSLContext.new
+            socket = TCPSocket.new("127.0.0.1", port)
+            OpenSSL::SSL::SSLSocket.new(socket, ssl_context)
+          end
+
+          result = helper.pipelineless_input(subject, nevents) do
+            socket.connect
+            nevents.times do |i|
+              socket.puts("msg #{i}")
+              socket.flush
+            end
+          end
+          socket.close rescue nil
+
+          result
+        end
+
+        it "should receive events" do
+          expect(events.size).to be(nevents)
+        end
+
+        describe "when ssl_verify is on" do
+
+          let(:chain_of_certificates) { helper.chain_of_certificates }
+
+          let(:ssl_context) do
+            ssl_context      = OpenSSL::SSL::SSLContext.new
+            ssl_context.cert = OpenSSL::X509::Certificate.new(client_certificate)
+            ssl_context.key  = OpenSSL::PKey::RSA.new(client_key)
+            ssl_context
+          end
+
+          context "and the verification fails" do
+
+            let(:config) do
+              { "host" => "0.0.0.0", "port" => port,
+                "ssl_enable" => true, "ssl_verify" => true,
+                "ssl_cert" => chain_of_certificates[:a_cert].path, "ssl_key" => chain_of_certificates[:a_key].path }
+            end
+
+            let(:client_certificate) { File.read(chain_of_certificates[:b_cert].path) }
+            let(:client_key) { File.read(chain_of_certificates[:b_key].path) }
+
+            let(:socket) do
+              client = TCPSocket.new("127.0.0.1", port)
+              OpenSSL::SSL::SSLSocket.new(client, ssl_context)
+            end
 
+            it "should raise an exception when connecting" do
+              helper.pipelineless_input(subject, 0) do
+                expect { socket.connect }.to raise_error
+                socket.close rescue nil
+              end
+            end
+          end
+          context "and using the root CA" do
+
+            let(:config) do
+              { "host" => "0.0.0.0", "port" => port,
+                "ssl_enable" => true, "ssl_verify" => true,
+                "ssl_cert" => chain_of_certificates[:a_cert].path, "ssl_key" => chain_of_certificates[:a_key].path,
+                "ssl_cacert" => chain_of_certificates[:root_ca].path }
+            end
+
+            let(:client_certificate) { File.read(chain_of_certificates[:aa_cert].path) }
+            let(:client_key) { File.read(chain_of_certificates[:aa_key].path) }
+
+            let(:events) do
+              socket = Stud::try(5.times) do
+                socket = TCPSocket.new("127.0.0.1", port)
+                OpenSSL::SSL::SSLSocket.new(socket, ssl_context)
+              end
+              result = helper.pipelineless_input(subject, nevents) do
+                socket.connect
+                nevents.times do |i|
+                  socket.puts("msg #{i}")
+                  socket.flush
+                end
+              end
+              socket.close rescue nil
+
+              result
+            end
+
+            it "should receive events" do
+              expect(events.size).to be(nevents)
+            end
+
+          end
+
+          context "using an extra chain of certificates" do
+
+            let(:config) do
+              { "host" => "0.0.0.0", "port" => port,
+                "ssl_enable" => true, "ssl_verify" => true,
+                "ssl_cert" => chain_of_certificates[:b_cert].path, "ssl_key" => chain_of_certificates[:b_key].path,
+                "ssl_extra_chain_certs" => [ chain_of_certificates[:root_ca].path, chain_of_certificates[:a_cert].path, chain_of_certificates[:b_cert].path ] }
+            end
+
+            let(:client_certificate) { File.read(chain_of_certificates[:c_cert].path) }
+            let(:client_key) { File.read(chain_of_certificates[:c_key].path) }
+
+            let(:events) do
+              socket = Stud::try(5.times) do
+                socket = TCPSocket.new("127.0.0.1", port)
+                OpenSSL::SSL::SSLSocket.new(socket, ssl_context)
+              end
+              result = helper.pipelineless_input(subject, nevents) do
+                socket.connect
+                nevents.times do |i|
+                  socket.puts("msg #{i}")
+                  socket.flush
+                end
+              end
+              socket.close rescue nil
+
+              result
+            end
+
+            it "should receive events" do
+              expect(events.size).to be(nevents)
+            end
+          end
+        end
+
+      end
+    end
     it_behaves_like "an interruptible input plugin" do
       let(:config) { { "port" => port } }
     end

data/spec/spec_helper.rb

@@ -1,5 +1,7 @@
 # encoding: utf-8
 require "logstash/devutils/rspec/spec_helper"
+require "tempfile"
+require "stud/temporary"
 
 # this has been taken from the udp input, it should be DRYed
 
@@ -19,4 +21,71 @@ class TcpHelpers
     input_thread.join
     result
   end
+
+  def certificate
+    certificate, key = Flores::PKI.generate("CN=localhost", { :key_size => 2048 })
+    [new_temp_file('cert', certificate), new_temp_file('key', key)]
+  end
+
+  def chain_of_certificates
+    root_ca, root_key = build_root_ca
+    a_cert,   a_key = build_certificate(root_ca, root_key, "A_Cert")
+    aa_cert, aa_key = build_certificate(root_ca, root_key, "AA_Cert")
+    b_cert, b_key = build_certificate(a_cert, a_key, "B_Cert")
+    c_cert, c_key = build_certificate(b_cert, b_key, "C_Cert")
+    { :root_ca => new_temp_file('', root_ca), :root_key => new_temp_file('', root_key),
+      :a_cert  => new_temp_file('', a_cert),  :a_key    => new_temp_file('', a_key),
+      :aa_cert => new_temp_file('', aa_cert), :aa_key   => new_temp_file('', aa_key),
+      :b_cert  => new_temp_file('', b_cert),  :b_key    => new_temp_file('', b_key),
+      :c_cert  => new_temp_file('', c_cert),  :c_key    => new_temp_file('', c_key)}
+  end
+
+  private
+
+  def new_temp_file(name, data)
+    file = Stud::Temporary.file
+    file.write(data)
+    file.rewind
+    file
+  end
+
+  def build_certificate(root_ca, root_key=nil, name="")
+    key = ( root_key.nil? ? OpenSSL::PKey::RSA.new(2048) : root_key )
+    options = { :serial => 2, :subject => "/DC=org/DC=ruby-lang/CN=Ruby#{name}", :key => key, :issuer => root_ca.subject}
+    cert = new_certificate(options)
+    add_ca_extensions(cert, nil, root_ca)
+    [ cert.sign(key, OpenSSL::Digest::SHA256.new), key ]
+  end
+
+  def build_root_ca
+    key = OpenSSL::PKey::RSA.new(2048)
+    options = { :serial => 1, :subject => "/DC=org/DC=ruby-lang/CN=Ruby CA", :key => key}
+    ca = new_certificate(options)
+    add_ca_extensions(ca)
+    [ ca.sign(key, OpenSSL::Digest::SHA256.new), key ]
+  end
+
+  def new_certificate(options)
+    cert  = OpenSSL::X509::Certificate.new
+    cert.version = 2
+    cert.serial = options.fetch(:serial, 1)
+    cert.subject = OpenSSL::X509::Name.parse(options.fetch(:subject, "/DC=org/DC=ruby-lang/CN=Ruby CA"))
+    cert.issuer  = options.fetch(:issuer, cert.subject)
+    cert.public_key = options[:key].public_key
+    cert.not_before = Time.now
+    cert.not_after  = cert.not_before + 2 * 365 * 86400
+    cert
+  end
+
+  def add_ca_extensions(certificate, subject=nil, issuer=nil)
+    factory = OpenSSL::X509::ExtensionFactory.new
+    factory.subject_certificate = (subject.nil? ? certificate : subject)
+    factory.issuer_certificate  = (issuer.nil?  ? certificate : issuer)
+
+    certificate.add_extension(factory.create_extension("basicConstraints","CA:TRUE",true))
+    certificate.add_extension(factory.create_extension("keyUsage","keyCertSign, cRLSign, digitalSignature", true))
+    certificate.add_extension(factory.create_extension("subjectKeyIdentifier","hash",false))
+    certificate.add_extension(factory.create_extension("authorityKeyIdentifier","keyid:always",false))
+  end
+
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-tcp
 version: !ruby/object:Gem::Version
-  version: 2.0.5
+  version: 3.0.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-11-25 00:00:00.000000000 Z
+date: 2015-11-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logstash-core
@@ -100,6 +100,34 @@ dependencies:
         version: '0'
   prerelease: false
   type: :development
+- !ruby/object:Gem::Dependency
+  name: flores
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.6
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.6
+  prerelease: false
+  type: :development
+- !ruby/object:Gem::Dependency
+  name: stud
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.22
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.22
+  prerelease: false
+  type: :development
 description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
 email: info@elastic.co
 executables: []
@@ -138,10 +166,11 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.4.8
+rubygems_version: 2.4.6
 signing_key:
 specification_version: 4
 summary: Read events over a TCP socket.
 test_files:
 - spec/inputs/tcp_spec.rb
 - spec/spec_helper.rb
+has_rdoc: