RubyGems - logstash-output-http - Versions diffs - 5.4.1 → 5.5.0 - Mend

logstash-output-http 5.4.1 → 5.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f8c174b5f5725b3dff206924edcff21ebc71899e386c1a301860dba438bbec5
-  data.tar.gz: dd6f158c15357a1dee6bfc3ad6e0faa4f6080c3fc2a89b6050b188bd3d016d4a
+  metadata.gz: 69cfc19c5b3ecafee365f0a532e6390f087d80aa6810d8e6dfd7b33dbc78457b
+  data.tar.gz: 01c64da9e9de7c6d69198d6ba84844729ef06449bc1858d7769f10c7ee89d417
 SHA512:
-  metadata.gz: 2d668381891939636b2462361fe0011d5ced8461b5a1a5e7f2662aa765e4672b6377e2dd37a05073eaa8e0602d60632496fa48ec9c42ab5063839f02214f2e9d
-  data.tar.gz: b3ff1de393aee131f18a1d8d75f05389f6a74642e695626b1e9b4b03eec99b7a26017cea50b97315f35594013650785a8b3e11bfcc7acd4e5d32ed118340f208
+  metadata.gz: 6489a0ec4a312b2e4dea006fdba7fd14ea51df714ce62ba1b344417d9147272454a46bf87031fc1ac878027acd0cd5be44e70b6f572d89599de08ebbecee35c5
+  data.tar.gz: a8c247a839589cf6df3cb11f7123b0f097905502127656cba405a7af5d6d4123e6684d113478d1781a99670ff7512562303ca5df30e78b13cb201b225f61b905

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,6 @@
+## 5.5.0
+  - Feat: added `ssl_supported_protocols` option [#131](https://github.com/logstash-plugins/logstash-output-http/pull/131)
 ## 5.4.1
   - Fix retry indefinitely in termination process. This feature requires Logstash 8.1 [#129](https://github.com/logstash-plugins/logstash-output-http/pull/129)
   - Docs: Add retry policy description [#130](https://github.com/logstash-plugins/logstash-output-http/pull/130)

data/docs/index.asciidoc CHANGED Viewed

@@ -100,6 +100,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-retry_non_idempotent>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-retryable_codes>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-socket_timeout>> |<<number,number>>|No
+| <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl_verification_mode>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-truststore>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-truststore_password>> |<<password,password>>|No
@@ -378,6 +379,23 @@ See <<plugins-{type}s-{plugin}-retry_policy,Retry Policy>> for more information.
 Timeout (in seconds) to wait for data on the socket. Default is `10s`
+[id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
+===== `ssl_supported_protocols`
+  * Value type is <<string,string>>
+  * Allowed values are: `'TLSv1.1'`, `'TLSv1.2'`, `'TLSv1.3'`
+  * Default depends on the JDK being used. With up-to-date Logstash, the default is `['TLSv1.2', 'TLSv1.3']`.
+    `'TLSv1.1'` is not considered secure and is only provided for legacy applications.
+List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.
+For Java 8 `'TLSv1.3'` is supported  only since **8u262** (AdoptOpenJDK), but requires that you set the
+`LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3"` system property in Logstash.
+NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as the one packaged with Logstash,
+the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
+the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
 [id="plugins-{type}s-{plugin}-ssl_verification_mode"]
 ===== `ssl_verification_mode`

data/lib/logstash/outputs/http.rb CHANGED Viewed

@@ -272,7 +272,7 @@ class LogStash::Outputs::Http < LogStash::Outputs::Base
       :url => url,
       :method => @http_method,
       :message => exception.message,
-      :class => exception.class.name,
+      :class => exception.class,
       :will_retry => will_retry
     }
     if @logger.debug?

data/logstash-output-http.gemspec CHANGED Viewed

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-output-http'
-  s.version         = '5.4.1'
+  s.version         = '5.5.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Sends events to a generic HTTP or HTTPS endpoint"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -20,7 +20,7 @@ Gem::Specification.new do |s|
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
-  s.add_runtime_dependency "logstash-mixin-http_client", ">= 7.1.0", "< 8.0.0"
+  s.add_runtime_dependency "logstash-mixin-http_client", ">= 7.2.0", "< 8.0.0"
   s.add_development_dependency 'logstash-devutils'
   s.add_development_dependency 'sinatra'

data/spec/outputs/http_spec.rb CHANGED Viewed

@@ -1,109 +1,4 @@
-require "logstash/devutils/rspec/spec_helper"
-require "logstash/outputs/http"
-require "logstash/codecs/plain"
-require "thread"
-require "sinatra"
-require "webrick"
-require "webrick/https"
-require 'openssl'
-require_relative "../supports/compressed_requests"
-PORT = rand(65535-1024) + 1025
-class LogStash::Outputs::Http
-  attr_writer :agent
-  attr_reader :request_tokens
-end
-# note that Sinatra startup and shutdown messages are directly logged to stderr so
-# it is not really possible to disable them without reopening stderr which is not advisable.
-#
-# == Sinatra (v1.4.6) has taken the stage on 51572 for development with backup from WEBrick
-# == Sinatra has ended his set (crowd applauds)
-#
-class TestApp < Sinatra::Base
-  # on the fly uncompress gzip content
-  use CompressedRequests
-  set :environment, :production
-  set :sessions, false
-  @@server_settings = {
-      :AccessLog => [], # disable WEBrick logging
-      :Logger => WEBrick::BasicLog::new(nil, WEBrick::BasicLog::FATAL)
-  }
-  def self.server_settings
-    @@server_settings
-  end
-  def self.server_settings=(settings)
-    @@server_settings = settings
-  end
-  def self.multiroute(methods, path, &block)
-    methods.each do |method|
-      method.to_sym
-      self.send method, path, &block
-    end
-  end
-  def self.last_request=(request)
-    @last_request = request
-  end
-  def self.last_request
-    @last_request
-  end
-  def self.retry_fail_count=(count)
-    @retry_fail_count = count
-  end
-  def self.retry_fail_count()
-    @retry_fail_count || 2
-  end
-  multiroute(%w(get post put patch delete), "/good") do
-    self.class.last_request = request
-    [200, "YUP"]
-  end
-  multiroute(%w(get post put patch delete), "/bad") do
-    self.class.last_request = request
-    [400, "YUP"]
-  end
-  multiroute(%w(get post put patch delete), "/retry") do
-    self.class.last_request = request
-    if self.class.retry_fail_count > 0
-      self.class.retry_fail_count -= 1
-      [429, "Will succeed in #{self.class.retry_fail_count}"]
-    else
-      [200, "Done Retrying"]
-    end
-  end
-end
-RSpec.configure do
-  #http://stackoverflow.com/questions/6557079/start-and-call-ruby-http-server-in-the-same-script
-  def start_app_and_wait(app, opts = {})
-    queue = Queue.new
-    Thread.start do
-      begin
-        app.start!({ server: 'WEBrick', port: PORT }.merge opts) do |server|
-          queue.push(server)
-        end
-      rescue => e
-        warn "Error starting app: #{e.inspect}" # ignore
-      end
-    end
-    queue.pop # blocks until the start! callback runs
-  end
-end
+require File.expand_path('../spec_helper.rb', File.dirname(__FILE__))
 describe LogStash::Outputs::Http do
   # Wait for the async request to finish in this spinlock
@@ -520,24 +415,28 @@ describe LogStash::Outputs::Http do
   end
 end
-describe LogStash::Outputs::Http do # different block as we're starting web server with TLS
+RSpec.describe LogStash::Outputs::Http do # different block as we're starting web server with TLS
   @@default_server_settings = TestApp.server_settings.dup
   before do
-    cert, key = WEBrick::Utils.create_self_signed_cert 2048, [["CN", ssl_cert_host]], "Logstash testing"
-    TestApp.server_settings = @@default_server_settings.merge({
-       :SSLEnable       => true,
-       :SSLVerifyClient => OpenSSL::SSL::VERIFY_NONE,
-       :SSLCertificate  => cert,
-       :SSLPrivateKey   => key
-    })
+    TestApp.server_settings = @@default_server_settings.merge(webrick_config)
     TestApp.last_request = nil
     @server = start_app_and_wait(TestApp)
   end
+  let(:webrick_config) do
+    cert, key = WEBrick::Utils.create_self_signed_cert 2048, [["CN", ssl_cert_host]], "Logstash testing"
+    {
+      SSLEnable: true,
+      SSLVerifyClient: OpenSSL::SSL::VERIFY_NONE,
+      SSLCertificate: cert,
+      SSLPrivateKey: key
+    }
+  end
   after do
     @server.shutdown # WEBrick::HTTPServer
@@ -590,4 +489,44 @@ describe LogStash::Outputs::Http do # different block as we're starting web serv
   end
+  context 'with supported_protocols set to (disabled) 1.1' do
+    let(:config) { super().merge 'ssl_supported_protocols' => ['TLSv1.1'], 'ssl_verification_mode' => 'none' }
+    it "keeps retrying due a protocol exception" do # TLSv1.1 not enabled by default
+      expect(subject).to receive(:log_failure).
+          with('Could not fetch URL', hash_including(message: 'No appropriate protocol (protocol is disabled or cipher suites are inappropriate)')).
+          at_least(:once)
+      Thread.start { subject.multi_receive [ event ] }
+      sleep 1.0
+    end
+  end unless tls_version_enabled_by_default?('TLSv1.1')
+  context 'with supported_protocols set to 1.2/1.3' do
+    let(:config) { super().merge 'ssl_supported_protocols' => ['TLSv1.2', 'TLSv1.3'], 'ssl_verification_mode' => 'none' }
+    let(:webrick_config) { super().merge SSLVersion: 'TLSv1.2' }
+    it "should process the request" do
+      subject.multi_receive [ event ]
+      expect(last_request_body).to include '"message":"hello!"'
+    end
+  end
+  context 'with supported_protocols set to 1.3' do
+    let(:config) { super().merge 'ssl_supported_protocols' => ['TLSv1.3'], 'ssl_verification_mode' => 'none' }
+    let(:webrick_config) { super().merge SSLVersion: 'TLSv1.3' }
+    it "should process the request" do
+      subject.multi_receive [ event ]
+      expect(last_request_body).to include '"message":"hello!"'
+    end
+  end if tls_version_enabled_by_default?('TLSv1.3') && JOpenSSL::VERSION > '0.12' # due WEBrick uses OpenSSL
 end

data/spec/spec_helper.rb ADDED Viewed

@@ -0,0 +1,136 @@
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/outputs/http"
+require "logstash/codecs/plain"
+require "thread"
+require "sinatra"
+require "webrick"
+require "webrick/https"
+require 'openssl'
+require "supports/compressed_requests"
+PORT = rand(65535-1024) + 1025
+class LogStash::Outputs::Http
+  attr_writer :agent
+  attr_reader :request_tokens
+end
+# NOTE: extend WEBrick with support for config[:SSLVersion]
+WEBrick::GenericServer.class_eval do
+  alias_method :__setup_ssl_context, :setup_ssl_context
+  def setup_ssl_context(config)
+    ctx = __setup_ssl_context(config)
+    ctx.ssl_version = config[:SSLVersion] if config[:SSLVersion]
+    ctx
+  end
+end
+# note that Sinatra startup and shutdown messages are directly logged to stderr so
+# it is not really possible to disable them without reopening stderr which is not advisable.
+#
+# == Sinatra (v1.4.6) has taken the stage on 51572 for development with backup from WEBrick
+# == Sinatra has ended his set (crowd applauds)
+#
+class TestApp < Sinatra::Base
+  # on the fly uncompress gzip content
+  use CompressedRequests
+  set :environment, :production
+  set :sessions, false
+  @@server_settings = {
+      :AccessLog => [], # disable WEBrick logging
+      :Logger => WEBrick::BasicLog::new(nil, WEBrick::BasicLog::FATAL)
+  }
+  def self.server_settings
+    @@server_settings
+  end
+  def self.server_settings=(settings)
+    @@server_settings = settings
+  end
+  def self.multiroute(methods, path, &block)
+    methods.each do |method|
+      method.to_sym
+      self.send method, path, &block
+    end
+  end
+  def self.last_request=(request)
+    @last_request = request
+  end
+  def self.last_request
+    @last_request
+  end
+  def self.retry_fail_count=(count)
+    @retry_fail_count = count
+  end
+  def self.retry_fail_count()
+    @retry_fail_count || 2
+  end
+  multiroute(%w(get post put patch delete), "/good") do
+    self.class.last_request = request
+    [200, "YUP"]
+  end
+  multiroute(%w(get post put patch delete), "/bad") do
+    self.class.last_request = request
+    [400, "YUP"]
+  end
+  multiroute(%w(get post put patch delete), "/retry") do
+    self.class.last_request = request
+    if self.class.retry_fail_count > 0
+      self.class.retry_fail_count -= 1
+      [429, "Will succeed in #{self.class.retry_fail_count}"]
+    else
+      [200, "Done Retrying"]
+    end
+  end
+end
+RSpec.configure do |config|
+  #http://stackoverflow.com/questions/6557079/start-and-call-ruby-http-server-in-the-same-script
+  def start_app_and_wait(app, opts = {})
+    queue = Queue.new
+    Thread.start do
+      begin
+        app.start!({ server: 'WEBrick', port: PORT }.merge opts) do |server|
+          yield(server) if block_given?
+          queue.push(server)
+        end
+      rescue => e
+        warn "Error starting app: #{e.inspect}" # ignore
+      end
+    end
+    queue.pop # blocks until the start! callback runs
+  end
+  config.extend(Module.new do
+    def tls_version_enabled_by_default?(tls_version)
+      begin
+        context = javax.net.ssl.SSLContext.getInstance('TLS')
+        context.init nil, nil, nil
+        context.getDefaultSSLParameters.getProtocols.include? tls_version.to_s
+      rescue => e
+        warn "#{__method__} failed : #{e.inspect}"
+        nil
+      end
+    end
+  end)
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-output-http
 version: !ruby/object:Gem::Version
-  version: 5.4.1
+  version: 5.5.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-04 00:00:00.000000000 Z
+date: 2022-03-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -35,7 +35,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 7.1.0
+        version: 7.2.0
     - - "<"
       - !ruby/object:Gem::Version
         version: 8.0.0
@@ -46,7 +46,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 7.1.0
+        version: 7.2.0
     - - "<"
       - !ruby/object:Gem::Version
         version: 8.0.0
@@ -110,6 +110,7 @@ files:
 - lib/logstash/outputs/http.rb
 - logstash-output-http.gemspec
 - spec/outputs/http_spec.rb
+- spec/spec_helper.rb
 - spec/supports/compressed_requests.rb
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
@@ -138,4 +139,5 @@ specification_version: 4
 summary: Sends events to a generic HTTP or HTTPS endpoint
 test_files:
 - spec/outputs/http_spec.rb
+- spec/spec_helper.rb
 - spec/supports/compressed_requests.rb