RubyGems - logstash-output-http - Versions diffs - 5.4.1 → 5.5.0 - Mend

logstash-output-http 5.4.1 → 5.5.0

Files changed (8) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f8c174b5f5725b3dff206924edcff21ebc71899e386c1a301860dba438bbec5
-  data.tar.gz: dd6f158c15357a1dee6bfc3ad6e0faa4f6080c3fc2a89b6050b188bd3d016d4a
+  metadata.gz: 69cfc19c5b3ecafee365f0a532e6390f087d80aa6810d8e6dfd7b33dbc78457b
+  data.tar.gz: 01c64da9e9de7c6d69198d6ba84844729ef06449bc1858d7769f10c7ee89d417
 SHA512:
-  metadata.gz: 2d668381891939636b2462361fe0011d5ced8461b5a1a5e7f2662aa765e4672b6377e2dd37a05073eaa8e0602d60632496fa48ec9c42ab5063839f02214f2e9d
-  data.tar.gz: b3ff1de393aee131f18a1d8d75f05389f6a74642e695626b1e9b4b03eec99b7a26017cea50b97315f35594013650785a8b3e11bfcc7acd4e5d32ed118340f208
+  metadata.gz: 6489a0ec4a312b2e4dea006fdba7fd14ea51df714ce62ba1b344417d9147272454a46bf87031fc1ac878027acd0cd5be44e70b6f572d89599de08ebbecee35c5
+  data.tar.gz: a8c247a839589cf6df3cb11f7123b0f097905502127656cba405a7af5d6d4123e6684d113478d1781a99670ff7512562303ca5df30e78b13cb201b225f61b905

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,6 @@
+## 5.5.0
+  - Feat: added `ssl_supported_protocols` option [#131](https://github.com/logstash-plugins/logstash-output-http/pull/131)
 ## 5.4.1
   - Fix retry indefinitely in termination process. This feature requires Logstash 8.1 [#129](https://github.com/logstash-plugins/logstash-output-http/pull/129)
   - Docs: Add retry policy description [#130](https://github.com/logstash-plugins/logstash-output-http/pull/130)

data/docs/index.asciidoc CHANGED Viewed

@@ -100,6 +100,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-retry_non_idempotent>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-retryable_codes>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-socket_timeout>> |<<number,number>>|No
+| <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl_verification_mode>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-truststore>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-truststore_password>> |<<password,password>>|No
@@ -378,6 +379,23 @@ See <<plugins-{type}s-{plugin}-retry_policy,Retry Policy>> for more information.
 Timeout (in seconds) to wait for data on the socket. Default is `10s`
+[id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
+===== `ssl_supported_protocols`
+  * Value type is <<string,string>>
+  * Allowed values are: `'TLSv1.1'`, `'TLSv1.2'`, `'TLSv1.3'`
+  * Default depends on the JDK being used. With up-to-date Logstash, the default is `['TLSv1.2', 'TLSv1.3']`.
+    `'TLSv1.1'` is not considered secure and is only provided for legacy applications.
+List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.
+For Java 8 `'TLSv1.3'` is supported  only since **8u262** (AdoptOpenJDK), but requires that you set the
+`LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3"` system property in Logstash.
+NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as the one packaged with Logstash,
+the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
+the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
 [id="plugins-{type}s-{plugin}-ssl_verification_mode"]
 ===== `ssl_verification_mode`

data/lib/logstash/outputs/http.rb CHANGED Viewed

@@ -272,7 +272,7 @@ class LogStash::Outputs::Http < LogStash::Outputs::Base
       :url => url,
       :method => @http_method,
       :message => exception.message,
-      :class => exception.class.name,
+      :class => exception.class,
       :will_retry => will_retry
     }
     if @logger.debug?

data/logstash-output-http.gemspec CHANGED Viewed

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-output-http'
-  s.version         = '5.4.1'
+  s.version         = '5.5.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Sends events to a generic HTTP or HTTPS endpoint"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -20,7 +20,7 @@ Gem::Specification.new do |s|
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
-  s.add_runtime_dependency "logstash-mixin-http_client", ">= 7.1.0", "< 8.0.0"
+  s.add_runtime_dependency "logstash-mixin-http_client", ">= 7.2.0", "< 8.0.0"
   s.add_development_dependency 'logstash-devutils'
   s.add_development_dependency 'sinatra'

data/spec/outputs/http_spec.rb CHANGED Viewed

@@ -1,109 +1,4 @@
-require "logstash/devutils/rspec/spec_helper"
-require "logstash/outputs/http"
-require "logstash/codecs/plain"
-require "thread"
-require "sinatra"
-require "webrick"
-require "webrick/https"
-require 'openssl'
-require_relative "../supports/compressed_requests"
-PORT = rand(65535-1024) + 1025
-class LogStash::Outputs::Http
-  attr_writer :agent
-  attr_reader :request_tokens
-end
-# note that Sinatra startup and shutdown messages are directly logged to stderr so
-# it is not really possible to disable them without reopening stderr which is not advisable.
-#
-# == Sinatra (v1.4.6) has taken the stage on 51572 for development with backup from WEBrick
-# == Sinatra has ended his set (crowd applauds)
-#
-class TestApp < Sinatra::Base
-  # on the fly uncompress gzip content
-  use CompressedRequests
-  set :environment, :production
-  set :sessions, false
-  @@server_settings = {
-      :AccessLog => [], # disable WEBrick logging
-      :Logger => WEBrick::BasicLog::new(nil, WEBrick::BasicLog::FATAL)
-  }
-  def self.server_settings
-    @@server_settings
-  end
-  def self.server_settings=(settings)
-    @@server_settings = settings
-  end
-  def self.multiroute(methods, path, &block)
-    methods.each do |method|
-      method.to_sym
-      self.send method, path, &block
-    end
-  end
-  def self.last_request=(request)
-    @last_request = request
-  end
-  def self.last_request
-    @last_request
-  end
-  def self.retry_fail_count=(count)
-    @retry_fail_count = count
-  end
-  def self.retry_fail_count()
-    @retry_fail_count || 2
-  end
-  multiroute(%w(get post put patch delete), "/good") do
-    self.class.last_request = request
-    [200, "YUP"]
-  end
-  multiroute(%w(get post put patch delete), "/bad") do
-    self.class.last_request = request
-    [400, "YUP"]
-  end
-  multiroute(%w(get post put patch delete), "/retry") do
-    self.class.last_request = request
-    if self.class.retry_fail_count > 0
-      self.class.retry_fail_count -= 1
-      [429, "Will succeed in #{self.class.retry_fail_count}"]
-    else
-      [200, "Done Retrying"]
-    end
-  end
-end
-RSpec.configure do
-  #http://stackoverflow.com/questions/6557079/start-and-call-ruby-http-server-in-the-same-script
-  def start_app_and_wait(app, opts = {})
-    queue = Queue.new
-    Thread.start do
-      begin
-        app.start!({ server: 'WEBrick', port: PORT }.merge opts) do |server|
-          queue.push(server)
-        end
-      rescue => e
-        warn "Error starting app: #{e.inspect}" # ignore
-      end
-    end
-    queue.pop # blocks until the start! callback runs
-  end
-end
+require File.expand_path('../spec_helper.rb', File.dirname(__FILE__))
 describe LogStash::Outputs::Http do
   # Wait for the async request to finish in this spinlock
@@ -520,24 +415,28 @@ describe LogStash::Outputs::Http do
   end
 end
-describe LogStash::Outputs::Http do # different block as we're starting web server with TLS
+RSpec.describe LogStash::Outputs::Http do # different block as we're starting web server with TLS
   @@default_server_settings = TestApp.server_settings.dup
   before do
-    cert, key = WEBrick::Utils.create_self_signed_cert 2048, [["CN", ssl_cert_host]], "Logstash testing"
-    TestApp.server_settings = @@default_server_settings.merge({
-       :SSLEnable       => true,
-       :SSLVerifyClient => OpenSSL::SSL::VERIFY_NONE,
-       :SSLCertificate  => cert,
-       :SSLPrivateKey   => key
-    })
+    TestApp.server_settings = @@default_server_settings.merge(webrick_config)
     TestApp.last_request = nil
     @server = start_app_and_wait(TestApp)
   end
+  let(:webrick_config) do
+    cert, key = WEBrick::Utils.create_self_signed_cert 2048, [["CN", ssl_cert_host]], "Logstash testing"
+    {
+      SSLEnable: true,
+      SSLVerifyClient: OpenSSL::SSL::VERIFY_NONE,
+      SSLCertificate: cert,
+      SSLPrivateKey: key
+    }
+  end
   after do
     @server.shutdown # WEBrick::HTTPServer
@@ -590,4 +489,44 @@ describe LogStash::Outputs::Http do # different block as we're starting web serv
   end
+  context 'with supported_protocols set to (disabled) 1.1' do
+    let(:config) { super().merge 'ssl_supported_protocols' => ['TLSv1.1'], 'ssl_verification_mode' => 'none' }
+    it "keeps retrying due a protocol exception" do # TLSv1.1 not enabled by default
+      expect(subject).to receive(:log_failure).
+          with('Could not fetch URL', hash_including(message: 'No appropriate protocol (protocol is disabled or cipher suites are inappropriate)')).
+          at_least(:once)
+      Thread.start { subject.multi_receive [ event ] }
+      sleep 1.0
+    end
+  end unless tls_version_enabled_by_default?('TLSv1.1')
+  context 'with supported_protocols set to 1.2/1.3' do
+    let(:config) { super().merge 'ssl_supported_protocols' => ['TLSv1.2', 'TLSv1.3'], 'ssl_verification_mode' => 'none' }
+    let(:webrick_config) { super().merge SSLVersion: 'TLSv1.2' }
+    it "should process the request" do
+      subject.multi_receive [ event ]
+      expect(last_request_body).to include '"message":"hello!"'
+    end
+  end
+  context 'with supported_protocols set to 1.3' do
+    let(:config) { super().merge 'ssl_supported_protocols' => ['TLSv1.3'], 'ssl_verification_mode' => 'none' }
+    let(:webrick_config) { super().merge SSLVersion: 'TLSv1.3' }
+    it "should process the request" do
+      subject.multi_receive [ event ]
+      expect(last_request_body).to include '"message":"hello!"'
+    end
+  end if tls_version_enabled_by_default?('TLSv1.3') && JOpenSSL::VERSION > '0.12' # due WEBrick uses OpenSSL
 end

data/spec/spec_helper.rb ADDED Viewed

@@ -0,0 +1,136 @@
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/outputs/http"
+require "logstash/codecs/plain"
+require "thread"
+require "sinatra"
+require "webrick"
+require "webrick/https"
+require 'openssl'
+require "supports/compressed_requests"
+PORT = rand(65535-1024) + 1025
+class LogStash::Outputs::Http
+  attr_writer :agent
+  attr_reader :request_tokens
+end
+# NOTE: extend WEBrick with support for config[:SSLVersion]
+WEBrick::GenericServer.class_eval do
+  alias_method :__setup_ssl_context, :setup_ssl_context
+  def setup_ssl_context(config)
+    ctx = __setup_ssl_context(config)
+    ctx.ssl_version = config[:SSLVersion] if config[:SSLVersion]
+    ctx
+  end
+end
+# note that Sinatra startup and shutdown messages are directly logged to stderr so
+# it is not really possible to disable them without reopening stderr which is not advisable.
+#
+# == Sinatra (v1.4.6) has taken the stage on 51572 for development with backup from WEBrick
+# == Sinatra has ended his set (crowd applauds)
+#
+class TestApp < Sinatra::Base
+  # on the fly uncompress gzip content
+  use CompressedRequests
+  set :environment, :production
+  set :sessions, false
+  @@server_settings = {
+      :AccessLog => [], # disable WEBrick logging
+      :Logger => WEBrick::BasicLog::new(nil, WEBrick::BasicLog::FATAL)
+  }
+  def self.server_settings
+    @@server_settings
+  end
+  def self.server_settings=(settings)
+    @@server_settings = settings
+  end
+  def self.multiroute(methods, path, &block)
+    methods.each do |method|
+      method.to_sym
+      self.send method, path, &block
+    end
+  end
+  def self.last_request=(request)
+    @last_request = request
+  end
+  def self.last_request
+    @last_request
+  end
+  def self.retry_fail_count=(count)
+    @retry_fail_count = count
+  end
+  def self.retry_fail_count()
+    @retry_fail_count || 2
+  end
+  multiroute(%w(get post put patch delete), "/good") do
+    self.class.last_request = request
+    [200, "YUP"]
+  end
+  multiroute(%w(get post put patch delete), "/bad") do
+    self.class.last_request = request
+    [400, "YUP"]
+  end
+  multiroute(%w(get post put patch delete), "/retry") do
+    self.class.last_request = request
+    if self.class.retry_fail_count > 0
+      self.class.retry_fail_count -= 1
+      [429, "Will succeed in #{self.class.retry_fail_count}"]
+    else
+      [200, "Done Retrying"]
+    end
+  end
+end
+RSpec.configure do |config|
+  #http://stackoverflow.com/questions/6557079/start-and-call-ruby-http-server-in-the-same-script
+  def start_app_and_wait(app, opts = {})
+    queue = Queue.new
+    Thread.start do
+      begin
+        app.start!({ server: 'WEBrick', port: PORT }.merge opts) do |server|
+          yield(server) if block_given?
+          queue.push(server)
+        end
+      rescue => e
+        warn "Error starting app: #{e.inspect}" # ignore
+      end
+    end
+    queue.pop # blocks until the start! callback runs
+  end
+  config.extend(Module.new do
+    def tls_version_enabled_by_default?(tls_version)
+      begin
+        context = javax.net.ssl.SSLContext.getInstance('TLS')
+        context.init nil, nil, nil
+        context.getDefaultSSLParameters.getProtocols.include? tls_version.to_s
+      rescue => e
+        warn "#{__method__} failed : #{e.inspect}"
+        nil
+      end
+    end
+  end)
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-output-http
 version: !ruby/object:Gem::Version
-  version: 5.4.1
+  version: 5.5.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-04 00:00:00.000000000 Z
+date: 2022-03-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -35,7 +35,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 7.1.0
+        version: 7.2.0
     - - "<"
       - !ruby/object:Gem::Version
         version: 8.0.0
@@ -46,7 +46,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 7.1.0
+        version: 7.2.0
     - - "<"
       - !ruby/object:Gem::Version
         version: 8.0.0
@@ -110,6 +110,7 @@ files:
 - lib/logstash/outputs/http.rb
 - logstash-output-http.gemspec
 - spec/outputs/http_spec.rb
+- spec/spec_helper.rb
 - spec/supports/compressed_requests.rb
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
@@ -138,4 +139,5 @@ specification_version: 4
 summary: Sends events to a generic HTTP or HTTPS endpoint
 test_files:
 - spec/outputs/http_spec.rb
+- spec/spec_helper.rb
 - spec/supports/compressed_requests.rb