logstash-integration-aws 7.1.2-java → 7.1.4-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f4f6e46b00a5cb0487616ed1720d776ae6d589d89e5be4a6d55a9b53c7e51cb0
-  data.tar.gz: 7f964cd0dc2e9ea1677fa7fefd3b0cc211739a1548b2359eb7586c6cde1a98c8
+  metadata.gz: a30619ed8bc31761d0134555c20ba7f9e682cce080d89d36e83cbc1a402d4678
+  data.tar.gz: f1b9247104f4e1ad28b6bab42696ebf064f9fac37d0cfdcf03a3269bcb25566b
 SHA512:
-  metadata.gz: cb8df373a0e770f985cb1510a6ff90c2dfca243f131c40dd8ca56a4423fa03a06d89fd380b66ba9125f5b89fc8d49f5a9c55764d8285fb820e0ea36aefac6b49
-  data.tar.gz: 4e4d5e964240f264ad1d8c15e3c09b3c8ea68a2fdb04616223d13f40970763af75597d8e3164ef623104ae5fbb0acfce9fd4d24d1c542c7cb12fd1c357b399bf
+  metadata.gz: b424d54d88b11c1cdc12b5d27e5da5d6c3900331f4dab53d0f6931ddfa4adaf678251103f3ec7f70ae3a52c632ed83138efe153efd122d84ff916e7091e09fa7
+  data.tar.gz: d585032f64c6f9f3ffcc91653bf06446e157e6c2f4f1370f084ab18967b900e64a36f0df76e4b5325380b19ed795fbe4e91a7039737270a106ad9b57d78d1634

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 7.1.4
+  - Fix `use_aws_bundled_ca` to use bundled ca certs per plugin level instead of global [#33](https://github.com/logstash-plugins/logstash-integration-aws/pull/33)
+
+## 7.1.3
+  - Added an option `use_aws_bundled_ca` to use bundled ca certs that ships with AWS SDK to verify SSL peer certificates [#32](https://github.com/logstash-plugins/logstash-integration-aws/pull/32)
+
 ## 7.1.2
   - Fix: adaptations to run with JRuby 9.4 [#29](https://github.com/logstash-plugins/logstash-integration-aws/pull/29)
 

data/VERSION

@@ -1 +1 @@
-7.1.2
+7.1.4

data/docs/input-cloudwatch.asciidoc

@@ -125,6 +125,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-secret_access_key>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-session_token>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-statistics>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-use_aws_bundled_ca>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-use_ssl>> |<<boolean,boolean>>|No
 |=======================================================================
 
@@ -301,6 +302,16 @@ The AWS Session token for temporary credential
 
 Specify the statistics to fetch for each namespace
 
+[id="plugins-{type}s-{plugin}-use_aws_bundled_ca"]
+===== `use_aws_bundled_ca`
+
+* Value type is <<boolean,boolean>>
+* Default value is `false`
+
+Use bundled CA certificates that ship with AWS SDK to verify SSL peer certificates.
+For cases where the default certificates are unavailable, e.g. Windows,
+you can set this to `true`.
+
 [id="plugins-{type}s-{plugin}-use_ssl"]
 ===== `use_ssl` 
 
@@ -313,7 +324,6 @@ Should we require (true) or disable (false) using SSL for communicating with the
 The AWS SDK for Ruby defaults to SSL so we preserve that
 
 
-
 [id="plugins-{type}s-{plugin}-common-options"]
 include::{include_path}/{type}.asciidoc[]
 

data/docs/input-s3.asciidoc

@@ -78,6 +78,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-session_token>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-sincedb_path>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-temporary_directory>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-use_aws_bundled_ca>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-watch_for_new_files>> |<<boolean,boolean>>|No
 |=======================================================================
 
@@ -331,6 +332,16 @@ If specified, this setting must be a filename path and not just a directory.
 
 Set the directory where logstash will store the tmp files before processing them.
 
+[id="plugins-{type}s-{plugin}-use_aws_bundled_ca"]
+===== `use_aws_bundled_ca`
+
+* Value type is <<boolean,boolean>>
+* Default value is `false`
+
+Use bundled CA certificates that ship with AWS SDK to verify SSL peer certificates.
+For cases where the default certificates are unavailable, e.g. Windows,
+you can set this to `true`.
+
 [id="plugins-{type}s-{plugin}-watch_for_new_files"]
 ===== `watch_for_new_files`
 

data/docs/input-sqs.asciidoc

@@ -102,6 +102,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-sent_timestamp_field>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-session_token>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-threads>> |<<number,number>>|No
+| <<plugins-{type}s-{plugin}-use_aws_bundled_ca>> |<<boolean,boolean>>|No
 |=======================================================================
 
 Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
@@ -278,7 +279,15 @@ The AWS Session token for temporary credential
   * Default value is `1`
 
 
+[id="plugins-{type}s-{plugin}-use_aws_bundled_ca"]
+===== `use_aws_bundled_ca`
 
+* Value type is <<boolean,boolean>>
+* Default value is `false`
+
+Use bundled CA certificates that ship with AWS SDK to verify SSL peer certificates.
+For cases where the default certificates are unavailable, e.g. Windows,
+you can set this to `true`.
 
 
 [id="plugins-{type}s-{plugin}-common-options"]

data/docs/output-cloudwatch.asciidoc

@@ -106,6 +106,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-session_token>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-timeframe>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-unit>> |<<string,string>>, one of `["Seconds", "Microseconds", "Milliseconds", "Bytes", "Kilobytes", "Megabytes", "Gigabytes", "Terabytes", "Bits", "Kilobits", "Megabits", "Gigabits", "Terabits", "Percent", "Count", "Bytes/Second", "Kilobytes/Second", "Megabytes/Second", "Gigabytes/Second", "Terabytes/Second", "Bits/Second", "Kilobits/Second", "Megabits/Second", "Gigabits/Second", "Terabits/Second", "Count/Second", "None"]`|No
+| <<plugins-{type}s-{plugin}-use_aws_bundled_ca>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-value>> |<<string,string>>|No
 |=======================================================================
 
@@ -302,6 +303,16 @@ See the Rufus Scheduler docs for an https://github.com/jmettraux/rufus-scheduler
 The default unit to use for events which do not have a `CW_unit` field
 If you set this option you should probably set the "value" option along with it
 
+[id="plugins-{type}s-{plugin}-use_aws_bundled_ca"]
+===== `use_aws_bundled_ca`
+
+* Value type is <<boolean,boolean>>
+* Default value is `false`
+
+Use bundled CA certificates that ship with AWS SDK to verify SSL peer certificates.
+For cases where the default certificates are unavailable, e.g. Windows,
+you can set this to `true`.
+
 [id="plugins-{type}s-{plugin}-value"]
 ===== `value` 
 

data/docs/output-s3.asciidoc

@@ -113,6 +113,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-upload_multipart_threshold>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-upload_queue_size>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-upload_workers_count>> |<<number,number>>|No
+| <<plugins-{type}s-{plugin}-use_aws_bundled_ca>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-validate_credentials_on_root_bucket>> |<<boolean,boolean>>|No
 |=======================================================================
 
@@ -425,6 +426,16 @@ Number of items we can keep in the local queue before uploading them
 
 Specify how many workers to use to upload the files to S3
 
+[id="plugins-{type}s-{plugin}-use_aws_bundled_ca"]
+===== `use_aws_bundled_ca`
+
+* Value type is <<boolean,boolean>>
+* Default value is `false`
+
+Use bundled CA certificates that ship with AWS SDK to verify SSL peer certificates.
+For cases where the default certificates are unavailable, e.g. Windows,
+you can set this to `true`.
+
 [id="plugins-{type}s-{plugin}-validate_credentials_on_root_bucket"]
 ===== `validate_credentials_on_root_bucket` 
 

data/docs/output-sns.asciidoc

@@ -65,6 +65,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-region>> |<<string,string>>, one of `["us-east-1", "us-east-2", "us-west-1", "us-west-2", "eu-central-1", "eu-west-1", "eu-west-2", "ap-southeast-1", "ap-southeast-2", "ap-northeast-1", "ap-northeast-2", "sa-east-1", "us-gov-west-1", "cn-north-1", "ap-south-1", "ca-central-1"]`|No
 | <<plugins-{type}s-{plugin}-secret_access_key>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-session_token>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-use_aws_bundled_ca>> |<<boolean,boolean>>|No
 |=======================================================================
 
 Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
@@ -158,6 +159,15 @@ The AWS Secret Access Key
 
 The AWS Session token for temporary credential
 
+[id="plugins-{type}s-{plugin}-use_aws_bundled_ca"]
+===== `use_aws_bundled_ca`
+
+* Value type is <<boolean,boolean>>
+* Default value is `false`
+
+Use bundled CA certificates that ship with AWS SDK to verify SSL peer certificates.
+For cases where the default certificates are unavailable, e.g. Windows,
+you can set this to `true`.
 
 
 [id="plugins-{type}s-{plugin}-common-options"]

data/docs/output-sqs.asciidoc

@@ -97,6 +97,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-role_session_name>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-secret_access_key>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-session_token>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-use_aws_bundled_ca>> |<<boolean,boolean>>|No
 |=======================================================================
 
 Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
@@ -234,7 +235,15 @@ The AWS Secret Access Key
 
 The AWS Session token for temporary credential
 
+[id="plugins-{type}s-{plugin}-use_aws_bundled_ca"]
+===== `use_aws_bundled_ca`
 
+* Value type is <<boolean,boolean>>
+* Default value is `false`
+
+Use bundled CA certificates that ship with AWS SDK to verify SSL peer certificates.
+For cases where the default certificates are unavailable, e.g. Windows,
+you can set this to `true`.
 
 [id="plugins-{type}s-{plugin}-common-options"]
 include::{include_path}/{type}.asciidoc[]

data/lib/logstash/plugin_mixins/aws_config/generic.rb

@@ -50,5 +50,12 @@ module LogStash::PluginMixins::AwsConfig::Generic
     # ----------------------------------
     #
     config :aws_credentials_file, :validate => :string
+
+    # By default, this plugin uses cert available to OpenSSL provided by OS
+    # when verifying SSL peer certificates.
+    # For cases where the default cert is unavailable, e.g. Windows,
+    # you can use the bundled ca certificate provided by AWS SDK
+    # by setting `use_aws_bundled_ca` to true
+    config :use_aws_bundled_ca, :validate => :boolean, :default => false
   end
 end

data/lib/logstash/plugin_mixins/aws_config/v2.rb

@@ -35,6 +35,13 @@ module LogStash::PluginMixins::AwsConfig::V2
       opts = symbolize_keys_and_cast_true_false(additional_settings).merge(opts)
     end
 
+    if @use_aws_bundled_ca
+      aws_core_library = Gem.loaded_specs['aws-sdk-core']&.full_gem_path or fail("AWS Core library not available")
+      opts[:ssl_ca_bundle] = File.expand_path('ca-bundle.crt', aws_core_library).tap do |aws_core_ca_bundle|
+        fail("AWS Core CA bundle not found") unless File.exists?(aws_core_ca_bundle)
+      end
+    end
+
     return opts
   end
 

data/lib/logstash-integration-aws_jars.rb

@@ -1,4 +1,4 @@
 # AUTOGENERATED BY THE GRADLE SCRIPT. DO NOT EDIT.
 
 require 'jar_dependencies'
-require_jar('org.logstash.plugins.integration.aws', 'logstash-integration-aws', '7.1.2')
+require_jar('org.logstash.plugins.integration.aws', 'logstash-integration-aws', '7.1.4')

data/spec/plugin_mixin/aws_config_spec.rb

@@ -152,6 +152,25 @@ describe LogStash::PluginMixins::AwsConfig::V2 do
 
       end
     end
+
+  end
+
+  describe 'use aws bundled ca' do
+    context 'set to true' do
+      let(:settings) { { 'use_aws_bundled_ca' => true } }
+
+      it 'points ssl_ca_bundle to aws-sdk-core certs' do
+        expect(subject[:ssl_ca_bundle]).to match /aws-sdk-core.*ca-bundle\.crt\z/
+      end
+    end
+
+    context 'set to false' do
+      let(:settings) { { 'use_aws_bundled_ca' => false } }
+
+      it 'does not include the AWS bundled CA' do
+        expect(subject).to_not include :ssl_ca_bundle
+      end
+    end
   end
 
   describe 'config proxy' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-integration-aws
 version: !ruby/object:Gem::Version
-  version: 7.1.2
+  version: 7.1.4
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-06-08 00:00:00.000000000 Z
+date: 2023-06-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -408,7 +408,7 @@ files:
 - spec/spec_helper.rb
 - spec/support/helpers.rb
 - spec/unit/outputs/sqs_spec.rb
-- vendor/jar-dependencies/org/logstash/plugins/integration/aws/logstash-integration-aws/7.1.2/logstash-integration-aws-7.1.2.jar
+- vendor/jar-dependencies/org/logstash/plugins/integration/aws/logstash-integration-aws/7.1.4/logstash-integration-aws-7.1.4.jar
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache-2.0