logstash-output-http 5.2.5 → 5.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7bc2a004219fe6c466a5d60b24de18d1e70e8350da5f204279e43bdc0205b24a
-  data.tar.gz: a3e44b45451030f4ba285df7875b418ef043df81e0689230b20a3de295484cde
+  metadata.gz: 58ad383035622e8cc13441e89147871f55669f22ff22835a0d6db9a87d1ab185
+  data.tar.gz: 28498a16c1ee3fefcf87cb6990ca99a90be82cb3e73438dc8a564d171a3bcc9f
 SHA512:
-  metadata.gz: d9d08edfc5f3cb590177d1b529b30fde4e7fc4ed3ee70bca99dcd2e0c4cdb01cb91f90d5deb0fb60efc6ce3e632ff7db2bcb82890c4f7ad6a08a576c209f9fd9
-  data.tar.gz: 79c522bf0c7be7dd4d60abccef78eb52dd52f8f3a3cd30fd141941aef6e1288ea5e5249fe718fbf4452b2f81a8f09d168ffabba7ecc2a6b374a9f25cedf886a4
+  metadata.gz: a14293accaea16058469ad4e2c92b759b8686fee8b068f31dd3d8984679260cb32c080287f08e02e9c2ac60ca84c8129fbe042eb76ca69333959cc07da50d6ae
+  data.tar.gz: e92646b17dbe8662d707526cb983f898bfa80392662bfe0658ad8abb80e0b786acbc24e73bce98e6621a8b99b75e90bede275cd7162da2a3b9137e93954525dc

data/CHANGELOG.md

@@ -1,3 +1,6 @@
+## 5.3.0
+  - Feat: support ssl_verification_mode option [#126](https://github.com/logstash-plugins/logstash-output-http/pull/126)
+
 ## 5.2.5
   - Reduce amount of default logging on a failed request [#122](https://github.com/logstash-plugins/logstash-output-http/pull/122)
 

data/docs/index.asciidoc

@@ -66,6 +66,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-retry_non_idempotent>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-retryable_codes>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-socket_timeout>> |<<number,number>>|No
+| <<plugins-{type}s-{plugin}-ssl_verification_mode>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-truststore>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-truststore_password>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-truststore_type>> |<<string,string>>|No
@@ -337,6 +338,22 @@ If encountered as response codes this plugin will retry these requests
 
 Timeout (in seconds) to wait for data on the socket. Default is `10s`
 
+[id="plugins-{type}s-{plugin}-ssl_verification_mode"]
+===== `ssl_verification_mode`
+
+  * Value type is <<string,string>>
+  * Supported values are: `full`, `none`
+  * Default value is `full`
+
+Controls the verification of server certificates.
+The `full` option verifies that the provided certificate is signed by a trusted authority (CA)
+and also that the server’s hostname (or IP address) matches the names identified within the certificate.
+
+The `none` setting performs no verification of the server’s certificate.
+This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration.
+It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors.
+Using `none`  in production environments is strongly discouraged.
+
 [id="plugins-{type}s-{plugin}-truststore"]
 ===== `truststore` 
 

data/lib/logstash/outputs/http.rb

@@ -138,10 +138,11 @@ class LogStash::Outputs::Http < LogStash::Outputs::Base
   end
 
   def log_retryable_response(response)
+    retry_msg = @retry_failed ? 'will retry' : "won't retry"
     if (response.code == 429)
-      @logger.debug? && @logger.debug("Encountered a 429 response, will retry. This is not serious, just flow control via HTTP")
+      @logger.debug? && @logger.debug("Encountered a 429 response, #{retry_msg}. This is not serious, just flow control via HTTP")
     else
-      @logger.warn("Encountered a retryable HTTP request in HTTP output, will retry", :code => response.code, :body => response.body)
+      @logger.warn("Encountered a retryable HTTP request in HTTP output, #{retry_msg}", :code => response.code, :body => response.body)
     end
   end
 
@@ -299,7 +300,7 @@ class LogStash::Outputs::Http < LogStash::Outputs::Base
 
   # This is split into a separate method mostly to help testing
   def log_failure(message, opts)
-    @logger.error("[HTTP Output Failure] #{message}", opts)
+    @logger.error(message, opts)
   end
 
   # Format the HTTP body

data/logstash-output-http.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-output-http'
-  s.version         = '5.2.5'
+  s.version         = '5.3.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Sends events to a generic HTTP or HTTPS endpoint"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -20,7 +20,7 @@ Gem::Specification.new do |s|
 
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
-  s.add_runtime_dependency "logstash-mixin-http_client", ">= 6.0.0", "< 8.0.0"
+  s.add_runtime_dependency "logstash-mixin-http_client", ">= 7.1.0", "< 8.0.0"
 
   s.add_development_dependency 'logstash-devutils'
   s.add_development_dependency 'sinatra'

data/spec/outputs/http_spec.rb

@@ -3,6 +3,9 @@ require "logstash/outputs/http"
 require "logstash/codecs/plain"
 require "thread"
 require "sinatra"
+require "webrick"
+require "webrick/https"
+require 'openssl'
 require_relative "../supports/compressed_requests"
 
 PORT = rand(65535-1024) + 1025
@@ -22,9 +25,20 @@ class TestApp < Sinatra::Base
   # on the fly uncompress gzip content
   use CompressedRequests
 
-  # disable WEBrick logging
+  set :environment, :production
+  set :sessions, false
+
+  @@server_settings = {
+      :AccessLog => [], # disable WEBrick logging
+      :Logger => WEBrick::BasicLog::new(nil, WEBrick::BasicLog::FATAL)
+  }
+
   def self.server_settings
-    { :AccessLog => [], :Logger => WEBrick::BasicLog::new(nil, WEBrick::BasicLog::FATAL) }
+    @@server_settings
+  end
+
+  def self.server_settings=(settings)
+    @@server_settings = settings
   end
 
   def self.multiroute(methods, path, &block)
@@ -72,31 +86,22 @@ class TestApp < Sinatra::Base
   end
 end
 
-RSpec.configure do |config|
+RSpec.configure do
   #http://stackoverflow.com/questions/6557079/start-and-call-ruby-http-server-in-the-same-script
-  def sinatra_run_wait(app, opts)
+  def start_app_and_wait(app, opts = {})
     queue = Queue.new
 
-    t = java.lang.Thread.new(
-      proc do
-        begin
-          app.run!(opts) do |server|
-            queue.push("started")
-          end
-        rescue => e
-          puts "Error in webserver thread #{e}"
-          # ignore
+    Thread.start do
+      begin
+        app.start!({ server: 'WEBrick', port: PORT }.merge opts) do |server|
+          queue.push(server)
         end
+      rescue => e
+        warn "Error starting app: #{e.inspect}" # ignore
       end
-    )
-    t.daemon = true
-    t.start
-    queue.pop # blocks until the run! callback runs
-  end
+    end
 
-  config.before(:suite) do
-    sinatra_run_wait(TestApp, :port => PORT, :server => 'webrick')
-    puts "Test webserver on port #{PORT}"
+    queue.pop # blocks until the start! callback runs
   end
 end
 
@@ -104,6 +109,15 @@ describe LogStash::Outputs::Http do
   # Wait for the async request to finish in this spinlock
   # Requires pool_max to be 1
 
+  before(:all) do
+    @server = start_app_and_wait(TestApp)
+  end
+
+  after(:all) do
+    @server.shutdown # WEBrick::HTTPServer
+    TestApp.stop! rescue nil
+  end
+
   let(:port) { PORT }
   let(:event) {
     LogStash::Event.new({"message" => "hi"})
@@ -398,3 +412,75 @@ describe LogStash::Outputs::Http do
     end
   end
 end
+
+describe LogStash::Outputs::Http do # different block as we're starting web server with TLS
+
+  @@default_server_settings = TestApp.server_settings.dup
+
+  before do
+    cert, key = WEBrick::Utils.create_self_signed_cert 2048, [["CN", ssl_cert_host]], "Logstash testing"
+    TestApp.server_settings = @@default_server_settings.merge({
+       :SSLEnable       => true,
+       :SSLVerifyClient => OpenSSL::SSL::VERIFY_NONE,
+       :SSLCertificate  => cert,
+       :SSLPrivateKey   => key
+    })
+
+    TestApp.last_request = nil
+
+    @server = start_app_and_wait(TestApp)
+  end
+
+  after do
+    @server.shutdown # WEBrick::HTTPServer
+
+    TestApp.stop! rescue nil
+    TestApp.server_settings = @@default_server_settings
+  end
+
+  let(:ssl_cert_host) { 'localhost' }
+
+  let(:port) { PORT }
+  let(:url) { "https://localhost:#{port}/good" }
+  let(:method) { "post" }
+
+  let(:config) { { "url" => url, "http_method" => method } }
+
+  subject { LogStash::Outputs::Http.new(config) }
+
+  before { subject.register }
+  after  { subject.close }
+
+  let(:last_request) { TestApp.last_request }
+  let(:last_request_body) { last_request.body.read }
+
+  let(:event) { LogStash::Event.new("message" => "hello!") }
+
+  context 'with default (full) verification' do
+
+    let(:config) { super() } # 'ssl_verification_mode' => 'full'
+
+    it "does NOT process the request (due client protocol exception)" do
+      # Manticore's default verification does not accept self-signed certificates!
+      Thread.start do
+        subject.multi_receive [ event ]
+      end
+      sleep 1.5
+
+      expect(last_request).to be nil
+    end
+
+  end
+
+  context 'with verification disabled' do
+
+    let(:config) { super().merge 'ssl_verification_mode' => 'none' }
+
+    it "should process the request" do
+      subject.multi_receive [ event ]
+      expect(last_request_body).to include '"message":"hello!"'
+    end
+
+  end
+
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-output-http
 version: !ruby/object:Gem::Version
-  version: 5.2.5
+  version: 5.3.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-05-27 00:00:00.000000000 Z
+date: 2022-02-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -35,7 +35,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.0
+        version: 7.1.0
     - - "<"
       - !ruby/object:Gem::Version
         version: 8.0.0
@@ -46,7 +46,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.0
+        version: 7.1.0
     - - "<"
       - !ruby/object:Gem::Version
         version: 8.0.0
@@ -132,8 +132,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Sends events to a generic HTTP or HTTPS endpoint