logstash-input-tcp 6.0.10-java → 6.1.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 877ef458e968d48f3cd99ecd7f6846ac2f371e8c3897a6ed831b86e1f584d245
-  data.tar.gz: fab3cedbc3b4fab8c5915e219e03cfa6da6ba3aa9bb61d3245e0339535067894
+  metadata.gz: 26d542f495a0b506903b944a54ce0cdab39b93714fadfca025f8b2233ac22135
+  data.tar.gz: 17b2c70fc10f1d1132956c6cf45f752c2e0b992d819e0c54e568882f2da0dada
 SHA512:
-  metadata.gz: 6196c01efc835b13d84528bbc780d6915d40adc7e86b7427d5b0e445fef3f9b3df6049301dbeb6f7321510b908dc16910920b50d602a30e6f049461f9fc8509c
-  data.tar.gz: 41102085f47d341e9db45d8ded793ced779f703102c22929c1382b1047d41269849d8d116e2a73531498b2b9b4430cde135c38a50e29b43aab2e8dc015784231
+  metadata.gz: d03c07e5980298f23fe7309528a1eaef3b5ebc45948362582c9ed922c5c257e24affdca65d92f859b55507f1a3f2b9766c6e09e2949d40cb6a51ed55f48b1646
+  data.tar.gz: 817c0305eff54d5fb35ee66a0b4633cfbcce93a2c2adb43be9d71d9c6dedfb71a4d0a07e7ed665b0267839526716eb721ad8c0dc2c3e1e732430988193e97035

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 6.1.0
+  - Feat: improve SSL error logging/unwrapping [#178](https://github.com/logstash-plugins/logstash-input-tcp/pull/178)
+  - Fix: the plugin will no longer have a side effect of adding the Bouncy-Castle security provider at runtime  
+
 ## 6.0.10
   - bumping dependency commons-io [#174](https://github.com/logstash-plugins/logstash-input-tcp/pull/174)
 

data/lib/logstash/inputs/tcp.rb

@@ -6,7 +6,6 @@ require "logstash/inputs/base"
 require "logstash/util/socket_peer"
 require "logstash-input-tcp_jars"
 require "logstash/inputs/tcp/decoder_impl"
-require "logstash/inputs/tcp/compat_ssl_options"
 
 require "socket"
 require "openssl"
@@ -61,7 +60,8 @@ require "openssl"
 #     }
 class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 
-  java_import org.logstash.tcp.InputLoop
+  java_import 'org.logstash.tcp.InputLoop'
+  java_import 'org.logstash.tcp.SslContextBuilder'
 
   config_name "tcp"
 
@@ -103,7 +103,8 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   # Useful when the CA chain is not necessary in the system store.
   config :ssl_extra_chain_certs, :validate => :array, :default => []
 
-  # Validate client certificates against these authorities. You can define multiple files or paths. All the certificates will be read and added to the trust store.
+  # Validate client certificates against these authorities. You can define multiple files or paths.
+  # All the certificates will be read and added to the trust store.
   config :ssl_certificate_authorities, :validate => :array, :default => []
 
   # Instruct the socket to use TCP keep alives. Uses OS defaults for keep alive settings.
@@ -148,10 +149,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     fix_streaming_codecs
 
     if server?
-      ssl_context = get_ssl_context(SslOptions)
-
-
-      @loop = InputLoop.new(@host, @port, DecoderImpl.new(@codec, self), @tcp_keep_alive, ssl_context)
+      @loop = InputLoop.new(@host, @port, DecoderImpl.new(@codec, self), @tcp_keep_alive, java_ssl_context)
     end
   end
 
@@ -320,7 +318,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 
     socket
   rescue OpenSSL::SSL::SSLError => e
-    @logger.error("SSL Error", :exception => e, :backtrace => e.backtrace)
+    @logger.error("SSL Error", :message => e.message, :exception => e.class, :backtrace => e.backtrace)
     # catch all rescue nil on close to discard any close errors or invalid socket
     socket.close rescue nil
     sleep(1) # prevent hammering peer
@@ -362,15 +360,33 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     @socket_mutex.synchronize{@connection_sockets.keys.dup}
   end
 
-  def get_ssl_context(options_class)
-    ssl_context = options_class.builder
-      .set_is_ssl_enabled(@ssl_enable)
+  def java_ssl_context
+    SslContextBuilder.new
+      .set_ssl_enabled(@ssl_enable)
       .set_should_verify(@ssl_verify)
       .set_ssl_cert(@ssl_cert)
       .set_ssl_key(@ssl_key)
-      .set_ssl_key_passphrase(@ssl_key_passphrase.value)
+      .set_ssl_key_password(@ssl_key_passphrase.value)
       .set_ssl_extra_chain_certs(@ssl_extra_chain_certs.to_java(:string))
       .set_ssl_certificate_authorities(@ssl_certificate_authorities.to_java(:string))
-      .build.toSslContext()
+      .build_context
+  rescue java.lang.IllegalArgumentException => e
+    @logger.error("SSL configuration invalid", error_details(e))
+    raise LogStash::ConfigurationError, e
+  rescue java.lang.Exception => e
+    @logger.error("SSL configuration failed", error_details(e, true))
+    raise e
+  end
+
+  def error_details(e, trace = false)
+    error_details = { :exception => e.class, :message => e.message }
+    error_details[:backtrace] = e.backtrace if trace || @logger.debug?
+    cause = e.cause
+    if cause && e != cause
+      error_details[:cause] = { :exception => cause.class, :message => cause.message }
+      error_details[:cause][:backtrace] = cause.backtrace if trace || @logger.debug?
+    end
+    error_details
   end
+
 end

data/logstash-input-tcp.gemspec

@@ -22,6 +22,11 @@ Gem::Specification.new do |s|
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
 
+  s.add_runtime_dependency 'logstash-core', '>= 6.7.0'
+
+  # we depend on bouncycastle's bcpkix-jdk15on being on the class-path
+  s.add_runtime_dependency 'jruby-openssl', '>= 0.10.2', '< 0.12'
+
   # line vs streaming codecs required for fix_streaming_codecs
   # TODO: fix_streaming_codecs should be refactored to not
   # require the codecs to be installed.

data/version

@@ -1 +1 @@
-6.0.10
+6.1.0

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-tcp
 version: !ruby/object:Gem::Version
-  version: 6.0.10
+  version: 6.1.0
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-04-22 00:00:00.000000000 Z
+date: 2021-06-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -30,6 +30,40 @@ dependencies:
     - - "<="
       - !ruby/object:Gem::Version
         version: '2.99'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.7.0
+  name: logstash-core
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.7.0
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.10.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.12'
+  name: jruby-openssl
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.10.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.12'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -173,12 +207,11 @@ files:
 - docs/index.asciidoc
 - lib/logstash-input-tcp_jars.rb
 - lib/logstash/inputs/tcp.rb
-- lib/logstash/inputs/tcp/compat_ssl_options.rb
 - lib/logstash/inputs/tcp/decoder_impl.rb
 - logstash-input-tcp.gemspec
 - spec/inputs/tcp_spec.rb
 - spec/spec_helper.rb
-- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.10/logstash-input-tcp-6.0.10.jar
+- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.1.0/logstash-input-tcp-6.1.0.jar
 - version
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:

data/lib/logstash/inputs/tcp/compat_ssl_options.rb

@@ -1,147 +0,0 @@
-require 'openssl'
-require "logstash/util/loggable"
-
-# Simulate a normal SslOptions builder:
-#
-#     ssl_context = SslOptions.builder
-#       .set_is_ssl_enabled(@ssl_enable)
-#       .set_should_verify(@ssl_verify)
-#       .set_ssl_cert(@ssl_cert)
-#       .set_ssl_key(@ssl_key)
-#       .set_ssl_key_passphrase(@ssl_key_passphrase.value)
-#       .set_ssl_extra_chain_certs(@ssl_extra_chain_certs.to_java(:string))
-#       .set_ssl_certificate_authorities(@ssl_certificate_authorities.to_java(:string))
-#       .build.toSslContext()
-class SslOptions
-  include LogStash::Util::Loggable
-
-  java_import 'io.netty.handler.ssl.ClientAuth'
-  java_import 'io.netty.handler.ssl.SslContextBuilder'
-  java_import 'java.security.cert.X509Certificate'
-  java_import 'javax.crypto.Cipher'
-  java_import 'org.bouncycastle.asn1.pkcs.PrivateKeyInfo'
-  java_import 'org.bouncycastle.jce.provider.BouncyCastleProvider'
-  java_import 'org.bouncycastle.openssl.PEMKeyPair'
-  java_import 'org.bouncycastle.openssl.PEMParser'
-  java_import 'org.bouncycastle.openssl.PEMEncryptedKeyPair'
-  java_import 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter'
-  java_import 'org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder'
-  java_import 'org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder'
-  java_import 'org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo'
-
-  def self.builder
-    new
-  end
-
-  def set_is_ssl_enabled(boolean)
-    @ssl_enabled = boolean
-    self
-  end
-
-  def set_should_verify(boolean)
-    @ssl_verify = boolean
-    self
-  end
-
-  def set_ssl_cert(path)
-    @ssl_cert_path = path
-    self
-  end
-
-  def set_ssl_key(path)
-    @ssl_key_path = path
-    self
-  end
-
-  def set_ssl_key_passphrase(passphrase)
-    @ssl_key_passphrase = passphrase
-    self
-  end
-
-  def set_ssl_extra_chain_certs(certs)
-    @ssl_extra_chain_certs = certs
-    self
-  end
-
-  def set_ssl_certificate_authorities(certs)
-    @ssl_certificate_authorities = certs
-    self
-  end
-
-  def build; self; end
-
-  def toSslContext
-    return nil unless @ssl_enabled
-
-    # Check key strength
-    logger.warn("JCE Unlimited Strength Jurisdiction Policy not installed - max key length is 128 bits") unless Cipher.getMaxAllowedKeyLength("AES") > 128
-    # create certificate object
-    cf = java.security.cert.CertificateFactory.getInstance("X.509")
-    cert_chain = []
-    fetch_certificates_from_file(@ssl_cert_path, cf) do |cert|
-      cert_chain << cert
-    end
-
-    # convert key from pkcs1 to pkcs8 and get PrivateKey object
-    pem_parser = PEMParser.new(java.io.FileReader.new(@ssl_key_path))
-    java.security.Security.addProvider(BouncyCastleProvider.new)
-    converter = JcaPEMKeyConverter.new
-    case obj = pem_parser.readObject
-    when PEMKeyPair # unencrypted pkcs#1
-      private_key = converter.getKeyPair(obj).private
-    when PrivateKeyInfo # unencrypted pkcs#8
-      private_key = converter.getPrivateKey(obj)
-    when PEMEncryptedKeyPair # encrypted pkcs#1
-      key_char_array = @ssl_key_passphrase.to_java.toCharArray
-      decryptor = JcePEMDecryptorProviderBuilder.new.build(key_char_array)
-      key_pair = obj.decryptKeyPair(decryptor)
-      private_key = converter.getKeyPair(key_pair).private
-    when PKCS8EncryptedPrivateKeyInfo # encrypted pkcs#8
-      key_char_array = @ssl_key_passphrase.to_java.toCharArray
-      key = JceOpenSSLPKCS8DecryptorProviderBuilder.new.build(key_char_array)
-      private_key = converter.getPrivateKey(obj.decryptPrivateKeyInfo(key))
-    else
-      raise "Could not recognize 'ssl_key' format. Class: #{obj.class}"
-    end
-
-    @ssl_extra_chain_certs.each do |file|
-      fetch_certificates_from_file(file, cf) do |cert|
-        cert_chain << cert
-      end
-    end
-    sslContextBuilder = SslContextBuilder.forServer(private_key, @ssl_key_passphrase, cert_chain.to_java(X509Certificate))
-
-    trust_certs = []
-
-    @ssl_certificate_authorities.each do |file|
-      fetch_certificates_from_file(file, cf) do |cert|
-        trust_certs << cert
-      end
-    end
-
-    if trust_certs.any?
-      sslContextBuilder.trustManager(trust_certs.to_java(X509Certificate))
-    end
-
-    sslContextBuilder.clientAuth(@ssl_verify ? ClientAuth::REQUIRE : ClientAuth::NONE)
-    sslContextBuilder.build()
-  end
-
-  private
-  def fetch_certificates_from_file(file, cf)
-    fis = java.io.FileInputStream.new(file)
-
-    while (fis.available > 0) do
-      cert = generate_certificate(cf, fis)
-      yield cert if cert
-    end
-  ensure
-    fis.close if fis
-  end
-
-  def generate_certificate(cf, fis)
-    cf.generateCertificate(fis)
-  rescue Java::JavaSecurityCert::CertificateException => e
-    raise e unless e.cause.message == "Empty input"
-  end
-end