logstash-input-tcp 5.0.10-java → 5.1.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f637d5ed9693d5beb15a48cdd0fea3add3c5df312cf5efce134570c62ede5778
-  data.tar.gz: bba5e2a6a9e4b3ce69af2ddf9e3941125388df73504c9345f24342372aa2338c
+  metadata.gz: 4bdc4fa864025d5a16b2df9fa53895cede35c8ec8dbea33d9860abed4f69c8ff
+  data.tar.gz: 81f17ce76abfb8461e4c5ac8f6d844912cb718794daf46b37c1ad3d5db699583
 SHA512:
-  metadata.gz: bdbdff7d0d2de89aada8254d93d72f528cb0bd1b605af6bdb7533a831c89492b34af296d142726c68a5d863727cedd344bb4c9e8f5ef356dfc491e442bc83eb2
-  data.tar.gz: e74e3262ea1c3f7f10ae82653e3a581361fadf9daafb0a44926f3f47138c0ef1e3c620ce013fb03cfd010858e8e79b865b23e95156fdcc9bea3c0489e0ee859b
+  metadata.gz: 7042bdc571be68b767a0c8968b2e58f3a3e680b75df7f545286e3510739b427e462cd4faf2202daf52bfee18f4a92ec5bad3aec475cb23f5d255fb2a754f489a
+  data.tar.gz: 5d97f02d553595cf493fc704c091e870653d5179017dfa677ec68223e56d7d7fd29e5912040df4e4274ace070e6f1aece3bb4c9904a7d5d310e675446fd9cae3

data/CHANGELOG.md

@@ -1,9 +1,9 @@
-## 5.0.10
-  - Correctly set up the certificate chain so that the server will present cert + chain to client
+## 5.1.0
+ - Added new configuration option `dns_reverse_lookup_enabled` to allow users to disable costly DNS reverse lookups [#100](https://github.com/logstash-plugins/logstash-input-tcp/issues/100)
 
 ## 5.0.9
   - New configuration option to set TCP keep-alive [#16](https://github.com/logstash-plugins/logstash-input-tcp/pull/116)
-
+  
 ## 5.0.8
   - Reorder shut down of the two event loops to prevent RejectedExecutionException
 

data/docs/index.asciidoc

@@ -83,13 +83,13 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
 | <<plugins-{type}s-{plugin}-proxy_protocol>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_cert>> |a valid filesystem path|No
-| <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_enable>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_extra_chain_certs>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_verify>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-tcp_keep_alive>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-dns_reverse_lookup_enabled>> |<<boolean,boolean>>|No
 |=======================================================================
 
 Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
@@ -140,17 +140,7 @@ http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
   * Value type is <<path,path>>
   * There is no default value for this setting.
 
-Path to certificate in PEM format. This certificate will be presented
-to the connecting clients.
-
-[id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
-===== `ssl_extra_chain_certs`
-
-  * Value type is <<array,array>>
-  * Default value is `[]`
-
-Validate client certificate or certificate chain against these authorities.
-You can define multiple files or paths. All the certificates will be read and added to the trust store.
+SSL certificate path
 
 [id="plugins-{type}s-{plugin}-ssl_enable"]
 ===== `ssl_enable` 
@@ -166,9 +156,8 @@ Enable SSL (must be set for other `ssl_` options to take effect).
   * Value type is <<array,array>>
   * Default value is `[]`
 
-An Array of paths to extra X509 certificates.
-These are used together with the certificate to construct the certificate chain
-presented to the client.
+An Array of extra X509 certificates to be added to the certificate chain.
+Useful when the CA chain is not necessary in the system store.
 
 [id="plugins-{type}s-{plugin}-ssl_key"]
 ===== `ssl_key` 
@@ -176,7 +165,7 @@ presented to the client.
   * Value type is <<path,path>>
   * There is no default value for this setting.
 
-The path to the private key corresponding to the specified certificate (PEM format).
+SSL key path
 
 [id="plugins-{type}s-{plugin}-ssl_key_passphrase"]
 ===== `ssl_key_passphrase` 
@@ -184,7 +173,7 @@ The path to the private key corresponding to the specified certificate (PEM form
   * Value type is <<password,password>>
   * Default value is `nil`
 
-SSL key passphrase for the private key.
+SSL key passphrase
 
 [id="plugins-{type}s-{plugin}-ssl_verify"]
 ===== `ssl_verify` 
@@ -203,6 +192,16 @@ For input, sets the field `sslsubject` to that of the client certificate.
 
 Instruct the socket to use TCP keep alives. Uses OS defaults for keep alive settings.
 
+[id="plugins-{type}s-{plugin}-dns_reverse_lookup_enabled"]
+===== `dns_reverse_lookup_enabled`
+
+  * Value type is <<boolean,boolean>>
+  * Default value is `true`
+
+It is possible to avoid DNS reverse-lookups by disabling this setting. If disabled,
+the address metadata that is added to events will contain the source address as-specified
+at the TCP layer and IPs will not be resolved to hostnames.
+
 
 [id="plugins-{type}s-{plugin}-common-options"]
 include::{include_path}/{type}.asciidoc[]

data/lib/logstash/inputs/tcp.rb

@@ -105,12 +105,12 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   # Useful when the CA chain is not necessary in the system store.
   config :ssl_extra_chain_certs, :validate => :array, :default => []
 
-  # Validate client certificates against these authorities. You can define multiple files or paths. All the certificates will be read and added to the trust store.
-  config :ssl_certificate_authorities, :validate => :array, :default => []
-
   # Instruct the socket to use TCP keep alives. Uses OS defaults for keep alive settings.
   config :tcp_keep_alive, :validate => :boolean, :default => false
 
+  # Option to allow users to avoid DNS Reverse Lookup.
+  config :dns_reverse_lookup_enabled, :validate => :boolean, :default => true
+
   HOST_FIELD = "host".freeze
   HOST_IP_FIELD = "[@metadata][ip_address]".freeze
   PORT_FIELD = "port".freeze
@@ -200,6 +200,10 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     end
   end
 
+  def dns_reverse_lookup_enabled?
+    @dns_reverse_lookup_enabled
+  end
+
   private
 
   RUN_LOOP_ERROR_MESSAGE="TCP input server encountered error"
@@ -313,10 +317,6 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
       @ssl_context = OpenSSL::SSL::SSLContext.new
       @ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
       @ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase.value)
-      if @ssl_extra_chain_certs.any?
-        @ssl_context.extra_chain_cert = @ssl_extra_chain_certs.map {|cert_path| OpenSSL::X509::Certificate.new(File.read(cert_path)) }
-        @ssl_context.extra_chain_cert.unshift(OpenSSL::X509::Certificate.new(File.read(@ssl_cert)))
-      end
       if @ssl_verify
         @ssl_context.cert_store  = load_cert_store
         @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
@@ -332,7 +332,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   def load_cert_store
     cert_store = OpenSSL::X509::Store.new
     cert_store.set_default_paths
-    @ssl_certificate_authorities.each do |cert|
+    @ssl_extra_chain_certs.each do |cert|
       cert_store.add_file(cert)
     end
     cert_store

data/lib/logstash/inputs/tcp/decoder_impl.rb

@@ -51,10 +51,17 @@ class DecoderImpl
     else
       filtered = received
       @ip_address = channel_addr.get_address.get_host_address
-      @address = channel_addr.get_host_name
+      @address = extract_host_name(channel_addr)
       @port = channel_addr.get_port
     end
     @first_read = false
     filtered
   end
+
+  private
+  def extract_host_name(channel_addr)
+    return channel_addr.get_host_string unless @tcp.dns_reverse_lookup_enabled?
+
+    channel_addr.get_host_name
+  end
 end

data/spec/inputs/tcp_spec.rb

@@ -335,9 +335,11 @@ describe LogStash::Inputs::Tcp do
       end
 
       context "when ssl_enable is true" do
-        let(:self_signed_cert) { helper.certificate }
-        let(:certificate) { self_signed_cert.first }
-        let(:key) { self_signed_cert.last }
+        let(:pki) { Flores::PKI.generate }
+        let(:certificate) { pki[0] }
+        let(:key) { pki[1] }
+        let(:certificate_file) { Stud::Temporary.file }
+        let(:key_file) { Stud::Temporary.file }
         let(:queue) { Queue.new }
 
         let(:config) do
@@ -345,59 +347,30 @@ describe LogStash::Inputs::Tcp do
             "host" => "127.0.0.1",
             "port" => port,
             "ssl_enable" => true,
-            "ssl_cert" => certificate.path,
-            "ssl_key" => key.path,
-            "ssl_certificate_authorities" => certificate.path
+            "ssl_cert" => certificate_file.path,
+            "ssl_key" => key_file.path,
+
+            # Trust our self-signed cert.
+            # TODO(sissel): Make this a separate certificate for the client
+            "ssl_extra_chain_certs" => certificate_file.path
           }
         end
 
         subject(:input) { LogStash::Plugin.lookup("input", "tcp").new(config) }
 
         before do
+          certificate_file.write(certificate)
+          key_file.write(key)
+
+          # Close to flush the file writes.
+          certificate_file.close
+          key_file.close
           subject.register
         end
 
-        context "when using a certificate chain" do
-          let(:chain_of_certificates) { helper.chain_of_certificates }
-          let(:config) do
-            {
-              "host" => "127.0.0.1",
-              "port" => port,
-              "ssl_enable" => true,
-              "ssl_cert" => chain_of_certificates[:b_cert].path,
-              "ssl_key" => chain_of_certificates[:b_key].path,
-              "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
-              "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
-              "ssl_verify" => true
-            }
-          end
-          let(:tcp) { TCPSocket.new("127.0.0.1", port) }
-          let(:sslcontext) do
-            sslcontext = OpenSSL::SSL::SSLContext.new
-            sslcontext.verify_mode = OpenSSL::SSL::VERIFY_PEER
-            sslcontext.ca_file = chain_of_certificates[:root_ca].path
-            sslcontext.cert = OpenSSL::X509::Certificate.new(File.read(chain_of_certificates[:aa_cert].path))
-            sslcontext.key = OpenSSL::PKey::RSA.new(File.read(chain_of_certificates[:aa_key].path))
-            sslcontext
-          end
-          let(:sslsocket) { OpenSSL::SSL::SSLSocket.new(tcp, sslcontext) }
-          let(:input_task) { Stud::Task.new { input.run(queue) } }
-
-          before do
-            input_task
-          end
-
-          it "should be able to connect and write data" do
-            sslsocket.connect
-            sslsocket.write("Hello world\n")
-            tcp.flush
-            sslsocket.close
-            tcp.close
-            result = input_task.thread.join(0.5)
-            expect(result).to be_nil
-            expect(queue.size).to eq(1)
-          end
-
+        after do
+          File.unlink(certificate_file.path)
+          File.unlink(key_file.path)
         end
 
         context "with a poorly-behaving client" do
@@ -483,8 +456,8 @@ describe LogStash::Inputs::Tcp do
             let(:garbage) { Flores::Random.iterations(max_length).collect { Flores::Random.integer(1...255) }.pack("C*") }
 
             before do
-              sslcontext.cert = OpenSSL::X509::Certificate.new(File.read(certificate))
-              sslcontext.key = OpenSSL::PKey::RSA.new(File.read(key))
+              sslcontext.cert = certificate
+              sslcontext.key = key
               sslcontext.verify_mode = OpenSSL::SSL::VERIFY_NONE
 
               sslsocket.connect

data/version

@@ -1 +1 @@
-5.0.10
+5.1.0

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-tcp
 version: !ruby/object:Gem::Version
-  version: 5.0.10
+  version: 5.1.0
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-10-24 00:00:00.000000000 Z
+date: 2018-09-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -163,7 +163,7 @@ files:
 - logstash-input-tcp.gemspec
 - spec/inputs/tcp_spec.rb
 - spec/spec_helper.rb
-- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/5.0.10/logstash-input-tcp-5.0.10.jar
+- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/5.1.0/logstash-input-tcp-5.1.0.jar
 - version
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses: