logstash-integration-kafka 11.1.0-java → 11.2.1-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c8f85bfdadbbd496495603c82ed577db4c23a168db59e6d0034549de6ebb66d1
-  data.tar.gz: 0b3b0bc33d6e64eebcb9e757fede56f747625c864160844ed2a3c76d0b22a155
+  metadata.gz: fa69555ca0e7780e4f9ffb16c0a3308396bab86436009695708b1c03c11a7a96
+  data.tar.gz: e28f2ac5e38ba7cb1289496b3c633756a2607f2d37fee36fd19cc44b8abedf93
 SHA512:
-  metadata.gz: '09e8814f1697c1d38d478881b35102a1e9885c23cdb0b9b2d8860c7577d4b2a40eb580b535afff46273e7139fbbaf603b0ea0de1fbeb68644bcea95b79d9e470'
-  data.tar.gz: 1b0c7ee3ffbcb589268174753db91d0ba7272fc44c04e7ceb2e17d43f9fe2ec31ed4eee7450390adc0bada77c36fedaf14d46bf9b09372a6b55a6e76047a56e4
+  metadata.gz: fc63838c9baf545fffc3984e94faf73e72d8b97d7b4c04af12fc8de639ca55500b50255d1fcf7c6f684e49a2db763adccddb93a3df495301d66a8be769fae3f1
+  data.tar.gz: 540628833b9b3ab000046c07d5143812ce945de4788c58cb66680ff9c8e9d9ebdff8cb82042c52e0bbfa5a806b2deeb04ece1e8bc5e16b73edcf7f38c3be9901

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 11.2.1
+ - Fix nil exception to empty headers of record during event metadata assignment [#140](https://github.com/logstash-plugins/logstash-integration-kafka/pull/140)
+
+## 11.2.0
+ - Added TLS truststore and keystore settings specifically to access the schema registry [#137](https://github.com/logstash-plugins/logstash-integration-kafka/pull/137)
+
 ## 11.1.0
  - Added config `group_instance_id` to use the Kafka's consumer static membership feature [#135](https://github.com/logstash-plugins/logstash-integration-kafka/pull/135)
 

data/docs/input-kafka.asciidoc

@@ -135,6 +135,12 @@ See the https://kafka.apache.org/{kafka_client_doc}/documentation for more detai
 | <<plugins-{type}s-{plugin}-schema_registry_key>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-schema_registry_proxy>> |<<uri,uri>>|No
 | <<plugins-{type}s-{plugin}-schema_registry_secret>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-schema_registry_ssl_keystore_location>> |a valid filesystem path|No
+| <<plugins-{type}s-{plugin}-schema_registry_ssl_keystore_password>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-schema_registry_ssl_keystore_type>> |<<string,string>>, one of `["jks", "PKCS12"]`|No
+| <<plugins-{type}s-{plugin}-schema_registry_ssl_truststore_location>> |a valid filesystem path|No
+| <<plugins-{type}s-{plugin}-schema_registry_ssl_truststore_password>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-schema_registry_ssl_truststore_type>> |<<string,string>>, one of `["jks", "PKCS12"]`|No
 | <<plugins-{type}s-{plugin}-schema_registry_url>> |<<uri,uri>>|No
 | <<plugins-{type}s-{plugin}-schema_registry_validation>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-security_protocol>> |<<string,string>>, one of `["PLAINTEXT", "SSL", "SASL_PLAINTEXT", "SASL_SSL"]`|No
@@ -598,6 +604,54 @@ Set the address of a forward HTTP proxy. An empty string is treated as if proxy
 
 Set the password for basic authorization to access remote Schema Registry.
 
+[id="plugins-{type}s-{plugin}-schema_registry_ssl_keystore_location"]
+===== `schema_registry_ssl_keystore_location`
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+
+If schema registry client authentication is required, this setting stores the keystore path.
+
+[id="plugins-{type}s-{plugin}-schema_registry_ssl_keystore_password"]
+===== `schema_registry_ssl_keystore_password`
+
+* Value type is <<password,password>>
+* There is no default value for this setting.
+
+If schema registry authentication is required, this setting stores the keystore password.
+
+[id="plugins-{type}s-{plugin}-schema_registry_ssl_keystore_type"]
+===== `schema_registry_ssl_keystore_type`
+
+* Value type is <<string,string>>
+* There is no default value for this setting.
+
+The format of the keystore file. It must be either `jks` or `PKCS12`.
+
+[id="plugins-{type}s-{plugin}-schema_registry_ssl_truststore_location"]
+===== `schema_registry_ssl_truststore_location`
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+
+The truststore path to validate the schema registry's certificate.
+
+[id="plugins-{type}s-{plugin}-schema_registry_ssl_truststore_password"]
+===== `schema_registry_ssl_truststore_password`
+
+* Value type is <<password,password>>
+* There is no default value for this setting.
+
+The schema registry truststore password.
+
+[id="plugins-{type}s-{plugin}-schema_registry_ssl_truststore_type"]
+===== `schema_registry_ssl_truststore_type`
+
+* Value type is <<string,string>>
+* There is no default value for this setting.
+
+The format of the schema registry's truststore file. It must be either `jks` or `PKCS12`.
+
 [id="plugins-{type}s-{plugin}-schema_registry_url"]
 ===== `schema_registry_url`
 

data/lib/logstash/inputs/kafka.rb

@@ -373,7 +373,9 @@ class LogStash::Inputs::Kafka < LogStash::Inputs::Base
       event.set("[@metadata][kafka][timestamp]", record.timestamp)
     end
     if @metadata_mode.include?(:headers)
-      record.headers.each do |header|
+      record.headers
+            .select{|h| header_with_value(h) }
+            .each do |header|
         s = String.from_java_bytes(header.value)
         s.force_encoding(Encoding::UTF_8)
         if s.valid_encoding?
@@ -460,6 +462,17 @@ class LogStash::Inputs::Kafka < LogStash::Inputs::Base
         set_trustore_keystore_config(props)
         set_sasl_config(props)
       end
+      if schema_registry_ssl_truststore_location
+        props.put('schema.registry.ssl.truststore.location', schema_registry_ssl_truststore_location)
+        props.put('schema.registry.ssl.truststore.password', schema_registry_ssl_truststore_password.value)
+        props.put('schema.registry.ssl.truststore.type', schema_registry_ssl_truststore_type)
+      end
+
+      if schema_registry_ssl_keystore_location
+        props.put('schema.registry.ssl.keystore.location', schema_registry_ssl_keystore_location)
+        props.put('schema.registry.ssl.keystore.password', schema_registry_ssl_keystore_password.value)
+        props.put('schema.registry.ssl.keystore.type', schema_registry_ssl_keystore_type)
+      end
 
       org.apache.kafka.clients.consumer.KafkaConsumer.new(props)
     rescue => e
@@ -488,4 +501,8 @@ class LogStash::Inputs::Kafka < LogStash::Inputs::Base
     end
   end
 
+  def header_with_value(header)
+    !header.nil? && !header.value.nil? && !header.key.nil?
+  end
+
 end #class LogStash::Inputs::Kafka

data/lib/logstash/plugin_mixins/kafka/avro_schema_registry.rb

@@ -24,6 +24,24 @@ module LogStash module PluginMixins module Kafka
       # This option permits to define a proxy to be used to reach the schema registry service instance.
       config :schema_registry_proxy, :validate => :uri
 
+      # If schema registry client authentication is required, this setting stores the keystore path.
+      config :schema_registry_ssl_keystore_location, :validate => :string
+
+      # The keystore password.
+      config :schema_registry_ssl_keystore_password, :validate => :password
+
+      # The keystore type
+      config :schema_registry_ssl_keystore_type, :validate => ['jks', 'PKCS12'], :default => "jks"
+
+      # The JKS truststore path to validate the Schema Registry's certificate.
+      config :schema_registry_ssl_truststore_location, :validate => :string
+
+      # The truststore password.
+      config :schema_registry_ssl_truststore_password, :validate => :password
+
+      # The truststore type
+      config :schema_registry_ssl_truststore_type, :validate => ['jks', 'PKCS12'], :default => "jks"
+
       # Option to skip validating the schema registry during registration. This can be useful when using
       # certificate based auth
       config :schema_registry_validation, :validate => ['auto', 'skip'], :default => 'auto'
@@ -68,6 +86,19 @@ module LogStash module PluginMixins module Kafka
       if schema_registry_key and !schema_registry_key.empty?
         options[:auth] = {:user => schema_registry_key, :password => schema_registry_secret.value}
       end
+      if schema_registry_ssl_truststore_location and !schema_registry_ssl_truststore_location.empty?
+        options[:ssl] = {} unless options.key?(:ssl)
+        options[:ssl][:truststore] = schema_registry_ssl_truststore_location unless schema_registry_ssl_truststore_location.nil?
+        options[:ssl][:truststore_password] = schema_registry_ssl_truststore_password.value unless schema_registry_ssl_truststore_password.nil?
+        options[:ssl][:truststore_type] = schema_registry_ssl_truststore_type unless schema_registry_ssl_truststore_type.nil?
+      end
+      if schema_registry_ssl_keystore_location and !schema_registry_ssl_keystore_location.empty?
+        options[:ssl] = {} unless options.key? :ssl
+        options[:ssl][:keystore] = schema_registry_ssl_keystore_location unless schema_registry_ssl_keystore_location.nil?
+        options[:ssl][:keystore_password] = schema_registry_ssl_keystore_password.value unless schema_registry_ssl_keystore_password.nil?
+        options[:ssl][:keystore_type] = schema_registry_ssl_keystore_type unless schema_registry_ssl_keystore_type.nil?
+      end
+
       client = Manticore::Client.new(options)
       begin
         response = client.get(@schema_registry_url.uri.to_s + '/subjects').body

data/logstash-integration-kafka.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-integration-kafka'
-  s.version         = '11.1.0'
+  s.version         = '11.2.1'
   s.licenses        = ['Apache-2.0']
   s.summary         = "Integration with Kafka - input and output plugins"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline "+

data/spec/integration/inputs/kafka_spec.rb

@@ -353,10 +353,13 @@ describe "schema registry connection options" do
   end
 end
 
-def save_avro_schema_to_schema_registry(schema_file, subject_name)
+def save_avro_schema_to_schema_registry(schema_file, subject_name, proto = 'http', port = 8081, manticore_options = {})
   raw_schema = File.readlines(schema_file).map(&:chomp).join
   raw_schema_quoted = raw_schema.gsub('"', '\"')
-  response = Manticore.post("http://localhost:8081/subjects/#{subject_name}/versions",
+
+  client = Manticore::Client.new(manticore_options)
+
+  response = client.post("#{proto}://localhost:#{port}/subjects/#{subject_name}/versions",
           body: '{"schema": "' + raw_schema_quoted + '"}',
           headers: {"Content-Type" => "application/vnd.schemaregistry.v1+json"})
   response
@@ -378,8 +381,17 @@ def startup_schema_registry(schema_registry, auth=false)
   end
 end
 
-describe "Schema registry API", :integration => true do
-  schema_registry = Manticore::Client.new
+shared_examples 'it has endpoints available to' do |tls|
+  let(:port) { tls ? 8083 : 8081 }
+  let(:proto) { tls ? 'https' : 'http' }
+
+  manticore_options = {
+    :ssl => {
+      :truststore => File.join(Dir.pwd, "tls_repository/clienttruststore.jks"),
+      :truststore_password => "changeit"
+    }
+  }
+  schema_registry = Manticore::Client.new(manticore_options)
 
   before(:all) do
     startup_schema_registry(schema_registry)
@@ -391,36 +403,53 @@ describe "Schema registry API", :integration => true do
 
   context 'listing subject on clean instance' do
     it "should return an empty set" do
-      subjects = JSON.parse schema_registry.get('http://localhost:8081/subjects').body
+      subjects = JSON.parse schema_registry.get("#{proto}://localhost:#{port}/subjects").body
       expect( subjects ).to be_empty
     end
   end
 
   context 'send a schema definition' do
     it "save the definition" do
-      response = save_avro_schema_to_schema_registry(File.join(Dir.pwd, "spec", "unit", "inputs", "avro_schema_fixture_payment.asvc"), "schema_test_1")
+      response = save_avro_schema_to_schema_registry(File.join(Dir.pwd, "spec", "unit", "inputs", "avro_schema_fixture_payment.asvc"), "schema_test_1", proto, port, manticore_options)
       expect( response.code ).to be(200)
       delete_remote_schema(schema_registry, "schema_test_1")
     end
 
     it "delete the schema just added" do
-      response = save_avro_schema_to_schema_registry(File.join(Dir.pwd, "spec", "unit", "inputs", "avro_schema_fixture_payment.asvc"), "schema_test_1")
+      response = save_avro_schema_to_schema_registry(File.join(Dir.pwd, "spec", "unit", "inputs", "avro_schema_fixture_payment.asvc"), "schema_test_1", proto, port, manticore_options)
       expect( response.code ).to be(200)
 
-      expect( schema_registry.delete('http://localhost:8081/subjects/schema_test_1?permanent=false').code ).to be(200)
+      expect( schema_registry.delete("#{proto}://localhost:#{port}/subjects/schema_test_1?permanent=false").code ).to be(200)
       sleep(1)
-      subjects = JSON.parse schema_registry.get('http://localhost:8081/subjects').body
+      subjects = JSON.parse schema_registry.get("#{proto}://localhost:#{port}/subjects").body
       expect( subjects ).to be_empty
     end
   end
 end
 
+describe "Schema registry API", :integration => true do
+
+  context "when exposed with HTTPS" do
+    it_behaves_like 'it has endpoints available to', true
+  end
+
+  context "when exposed with plain HTTP" do
+    it_behaves_like 'it has endpoints available to', false
+  end
+end
+
 def shutdown_schema_registry
   system('./stop_schema_registry.sh')
 end
 
 describe "Deserializing with the schema registry", :integration => true do
-  schema_registry = Manticore::Client.new
+  manticore_options = {
+    :ssl => {
+      :truststore => File.join(Dir.pwd, "tls_repository/clienttruststore.jks"),
+      :truststore_password => "changeit"
+    }
+  }
+  schema_registry = Manticore::Client.new(manticore_options)
 
   shared_examples 'it reads from a topic using a schema registry' do |with_auth|
 
@@ -519,28 +548,57 @@ describe "Deserializing with the schema registry", :integration => true do
     end
   end
 
-  context 'with an unauthed schema registry' do
+  shared_examples 'with an unauthed schema registry' do |tls|
+    let(:port) { tls ? 8083 : 8081 }
+    let(:proto) { tls ? 'https' : 'http' }
+
     let(:auth) { false }
     let(:avro_topic_name) { "topic_avro" }
-    let(:subject_url) { "http://localhost:8081/subjects" }
-    let(:plain_config)  { base_config.merge!({'schema_registry_url' => "http://localhost:8081"}) }
+    let(:subject_url) { "#{proto}://localhost:#{port}/subjects" }
+    let(:plain_config)  { base_config.merge!({
+      'schema_registry_url' => "#{proto}://localhost:#{port}",
+      'schema_registry_ssl_truststore_location' => File.join(Dir.pwd, "tls_repository/clienttruststore.jks"),
+      'schema_registry_ssl_truststore_password' => 'changeit',
+    }) }
 
     it_behaves_like 'it reads from a topic using a schema registry', false
   end
 
-  context 'with an authed schema registry' do
+  context 'with an unauthed schema registry' do
+    context "accessed through HTTPS" do
+      it_behaves_like 'with an unauthed schema registry', true
+    end
+
+    context "accessed through HTTPS" do
+      it_behaves_like 'with an unauthed schema registry', false
+    end
+  end
+
+  shared_examples 'with an authed schema registry' do |tls|
+    let(:port) { tls ? 8083 : 8081 }
+    let(:proto) { tls ? 'https' : 'http' }
     let(:auth) { true }
     let(:user) { "barney" }
     let(:password) { "changeme" }
     let(:avro_topic_name) { "topic_avro_auth" }
-    let(:subject_url) { "http://#{user}:#{password}@localhost:8081/subjects" }
+    let(:subject_url) { "#{proto}://#{user}:#{password}@localhost:#{port}/subjects" }
+    let(:tls_base_config) do
+      if tls
+        base_config.merge({
+          'schema_registry_ssl_truststore_location' => ::File.join(Dir.pwd, "tls_repository/clienttruststore.jks"),
+          'schema_registry_ssl_truststore_password' => 'changeit',
+        })
+      else
+        base_config
+      end
+    end
 
     context 'using schema_registry_key' do
       let(:plain_config) do
-        base_config.merge!({
-          'schema_registry_url' => "http://localhost:8081",
+        tls_base_config.merge!({
+          'schema_registry_url' => "#{proto}://localhost:#{port}",
           'schema_registry_key' => user,
-          'schema_registry_secret' => password
+          'schema_registry_secret' => password,
         })
       end
 
@@ -549,12 +607,22 @@ describe "Deserializing with the schema registry", :integration => true do
 
     context 'using schema_registry_url' do
       let(:plain_config) do
-        base_config.merge!({
-          'schema_registry_url' => "http://#{user}:#{password}@localhost:8081"
+        tls_base_config.merge!({
+          'schema_registry_url' => "#{proto}://#{user}:#{password}@localhost:#{port}",
         })
       end
 
       it_behaves_like 'it reads from a topic using a schema registry', true
     end
   end
+
+  context 'with an authed schema registry' do
+    context "accessed through HTTPS" do
+      it_behaves_like 'with an authed schema registry', true
+    end
+
+    context "accessed through HTTPS" do
+      it_behaves_like 'with an authed schema registry', false
+    end
+  end
 end

data/spec/unit/inputs/kafka_spec.rb

@@ -287,6 +287,19 @@ describe LogStash::Inputs::Kafka do
       subject.register
       expect(subject.metadata_mode).to include(:record_props)
     end
+
+    context "guards against nil header" do
+      let(:header) { double(:value => nil, :key => "k") }
+      let(:headers) { [ header ] }
+      let(:record) { double(:headers => headers, :topic => "topic", :partition => 0,
+                            :offset => 123456789, :key => "someId", :timestamp => nil ) }
+
+      it "does not raise error when key is nil" do
+        subject.register
+        evt = LogStash::Event.new('message' => 'Hello')
+        expect { subject.maybe_set_metadata(evt, record) }.not_to raise_error
+      end
+    end
   end
 
   context 'with client_rack' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-integration-kafka
 version: !ruby/object:Gem::Version
-  version: 11.1.0
+  version: 11.2.1
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-25 00:00:00.000000000 Z
+date: 2023-02-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement