RubyGems - logstash-output-syslog - Versions diffs - 3.0.4 → 3.1.0 - Mend

logstash-output-syslog 3.0.4 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +13 -1
data/LICENSE +199 -10
data/README.md +1 -1
data/docs/index.asciidoc +125 -29
data/lib/logstash/outputs/syslog.rb +103 -11
data/logstash-output-syslog.gemspec +2 -2
data/spec/fixtures/README.txt +1 -0
data/spec/fixtures/ca-crl.pem +11 -0
data/spec/fixtures/ca-key.pem +28 -0
data/spec/fixtures/ca.pem +18 -0
data/spec/fixtures/certs.yaml +41 -0
data/spec/fixtures/client-ec-key.pem +5 -0
data/spec/fixtures/client-ec.pem +13 -0
data/spec/fixtures/client-key.pem +28 -0
data/spec/fixtures/client.pem +18 -0
data/spec/fixtures/invalid.pem +1 -0
data/spec/fixtures/revoked-server-key.pem +28 -0
data/spec/fixtures/revoked-server.pem +18 -0
data/spec/fixtures/untrusted-server-key.pem +28 -0
data/spec/fixtures/untrusted-server.pem +18 -0
data/spec/fixtures/valid-server-key.pem +28 -0
data/spec/fixtures/valid-server.pem +18 -0
data/spec/outputs/syslog_spec.rb +34 -0
data/spec/outputs/syslog_tls_spec.rb +276 -0
metadata +58 -14

data/spec/outputs/syslog_tls_spec.rb ADDED Viewed

@@ -0,0 +1,276 @@
+# encoding: utf-8
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/outputs/syslog"
+require "logstash/codecs/plain"
+require "json"
+describe LogStash::Outputs::Syslog do
+  FIXTURES_PATH = File.expand_path("../fixtures", File.dirname(__FILE__))
+  subject do
+    plugin = LogStash::Plugin.lookup("output", "syslog").new(options)
+    plugin.register
+    plugin
+  end
+  let(:port) do
+    begin
+      # Start high to better avoid common services
+      port = rand(10000..65535)
+      s = TCPServer.new("127.0.0.1", port)
+      s.close
+      port
+    rescue Errno::EADDRINUSE
+      retry
+    end
+  end
+  let(:server) { TCPServer.new("127.0.0.1", port) }
+  shared_examples "syslog output" do
+    it "should write expected format" do
+      Thread.start { sleep 0.25; subject.receive event }
+      socket = secure_server.accept
+      expect(socket.cipher).to eq(chosen_cipher) if defined?(chosen_cipher)
+      expect(socket.ssl_version).to eq(chosen_tls_version) if defined?(chosen_tls_version)
+      read = socket.sysread(100)
+      expect(read.size).to be > 0
+      expect(read).to match(output)
+    end
+  end
+  context "connects with TLS" do
+    let(:event) { LogStash::Event.new({ "message" => "foo bar", "host" => "baz" }) }
+    let(:options) { { "host" => "localhost", "port" => port, "protocol" => "ssl-tcp",
+      "ssl_cacert" => File.join(FIXTURES_PATH, "ca.pem"),
+      "ssl_cert" => File.join(FIXTURES_PATH, "client.pem"),
+      "ssl_key" => File.join(FIXTURES_PATH, "client-key.pem") } }
+    # The output details are tested in syslog_spec.rb so simply check for message to be present.
+    let(:output) { /foo bar/ }
+    let(:secure_server) do
+      # Create TLS server with given certificate and private key, and verify client certificate against CA.
+      ssl_context = OpenSSL::SSL::SSLContext.new
+      ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(server_cert_file))
+      ssl_context.key = OpenSSL::PKey::read(File.read(server_pkey_file), nil)
+      ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      ssl_context.ciphers = "ALL"
+      ssl_context.cert_store = OpenSSL::X509::Store.new
+      ssl_context.cert_store.add_cert(OpenSSL::X509::Certificate.new(File.read(File.join(FIXTURES_PATH, "ca.pem"))))
+      OpenSSL::SSL::SSLServer.new(server, ssl_context)
+    end
+    after(:each) do
+      secure_server.close rescue nil
+    end
+    context "server with valid certificates" do
+      let(:server_cert_file) { File.join(FIXTURES_PATH, "valid-server.pem") }
+      let(:server_pkey_file) { File.join(FIXTURES_PATH, "valid-server-key.pem") }
+      context "with SSL verification" do
+        let(:options ) { super().merge("ssl_verify" => true) }
+        it_behaves_like "syslog output"
+      end
+      context "with TLSv1.2" do
+        let(:options ) { super().merge("ssl_supported_protocols" => ["TLSv1.2"]) }
+        let(:chosen_tls_version) { "TLSv1.2" }
+        it_behaves_like "syslog output"
+      end
+      context "with TLSv1.3" do
+        let(:options ) { super().merge("ssl_supported_protocols" => ["TLSv1.3"]) }
+        let(:chosen_tls_version) { "TLSv1.3" }
+        it_behaves_like "syslog output"
+      end
+      context "with TLSv1.2 and TLSv1.3" do
+        let(:options ) { super().merge("ssl_supported_protocols" => ["TLSv1.2", "TLSv1.3"]) }
+        let(:chosen_tls_version) { "TLSv1.3" }
+        it_behaves_like "syslog output"
+      end
+      context "with cipher suites" do
+        let(:options ) { super().merge("ssl_cipher_suites" => ["TLS_CHACHA20_POLY1305_SHA256"]) }
+        let(:chosen_cipher) { "TLS_CHACHA20_POLY1305_SHA256" }
+        it_behaves_like "syslog output"
+      end
+      context "with deprecated ssl_cert and ssl_cacert" do
+        # Override parent options to test only deprecated options.
+        let(:options) { { "host" => "localhost", "port" => port, "protocol" => "ssl-tcp", "ssl_verify" => true,
+          "ssl_cert" => File.join(FIXTURES_PATH, "client.pem"),
+          "ssl_key" => File.join(FIXTURES_PATH, "client-key.pem"),
+          "ssl_cacert" => File.join(FIXTURES_PATH, "ca.pem")
+        } }
+        it_behaves_like "syslog output"
+      end
+    end
+    context "server with untrusted certificates" do
+      let(:server_cert_file) { File.join(FIXTURES_PATH, "untrusted-server.pem") }
+      let(:server_pkey_file) { File.join(FIXTURES_PATH, "untrusted-server-key.pem") }
+      context "ssl_verify disabled" do
+        let(:options ) { super().merge("ssl_verify" => false) }
+        it_behaves_like "syslog output"
+      end
+      context "ssl_verify enabled" do
+        let(:options ) { super().merge("ssl_verify" => true) }
+        it "should refuse to connect" do
+          Thread.start { secure_server.accept rescue nil }
+          expect(subject.logger).to receive(:error).with(/SSL Error/i, hash_including(exception: OpenSSL::SSL::SSLError)).once.and_throw :TEST_DONE
+          expect { subject.receive event }.to throw_symbol(:TEST_DONE)
+        end
+      end
+    end
+    context "server with revoked certificates" do
+      let(:options ) { super().merge("ssl_verify" => true, "ssl_crl_path" => File.join(FIXTURES_PATH, "ca-crl.pem")) }
+      let(:server_cert_file) { File.join(FIXTURES_PATH, "revoked-server.pem") }
+      let(:server_pkey_file) { File.join(FIXTURES_PATH, "revoked-server-key.pem") }
+      shared_examples "refuses connection" do
+        it "syslog output refuses to connect" do
+          Thread.start { secure_server.accept rescue nil }
+          expect(subject.logger).to receive(:error).with(/SSL Error/i, hash_including(exception: OpenSSL::SSL::SSLError)).once.and_throw :TEST_DONE
+          expect { subject.receive event }.to throw_symbol(:TEST_DONE)
+        end
+      end
+      context "with default ssl_crl_check" do
+        it_behaves_like "refuses connection"
+      end
+      context "with chain ssl_crl_check" do
+        let(:options ) { super().merge("ssl_crl_check" => ["chain"]) }
+        it_behaves_like "refuses connection"
+      end
+    end
+  end
+  context "read PEM" do
+    let(:options) { { "host" => "localhost", "port" => port, "protocol" => "ssl-tcp", "ssl_verify" => true } }
+    context "RSA certificate and private key" do
+      let(:options ) { super().merge(
+        "ssl_certificate" => File.join(FIXTURES_PATH, "client.pem"),
+        "ssl_key" => File.join(FIXTURES_PATH, "client-key.pem"),
+        "ssl_certificate_authorities" => [File.join(FIXTURES_PATH, "ca.pem")],
+        "ssl_crl_path"  => File.join(FIXTURES_PATH, "ca-crl.pem")
+      ) }
+      it "register succeeds" do
+        expect { subject.register }.not_to raise_error
+      end
+    end
+    context "EC certificate and private key" do
+      let(:options ) { super().merge(
+        "ssl_certificate" => File.join(FIXTURES_PATH, "client-ec.pem"),
+        "ssl_key" => File.join(FIXTURES_PATH, "client-ec-key.pem"),
+        "ssl_certificate_authorities" => [File.join(FIXTURES_PATH, "ca.pem")],
+        "ssl_crl_path"  => File.join(FIXTURES_PATH, "ca-crl.pem")
+      ) }
+      it "register succeeds" do
+        expect { subject.register }.not_to raise_error
+      end
+    end
+    context "invalid client certificate" do
+      let(:options ) { super().merge(
+        "ssl_certificate" => File.join(FIXTURES_PATH, "invalid.pem"),
+        "ssl_key" => File.join(FIXTURES_PATH, "client-key.pem"),
+        "ssl_certificate_authorities" => [File.join(FIXTURES_PATH, "ca.pem")],
+        "ssl_crl_path"  => File.join(FIXTURES_PATH, "ca-crl.pem")
+      ) }
+      it "register raises error" do
+        expect { subject.register }.to raise_error(OpenSSL::X509::CertificateError, /malformed PEM data/)
+      end
+    end
+    context "invalid client private key" do
+      let(:options ) { super().merge(
+        "ssl_certificate" => File.join(FIXTURES_PATH, "client.pem"),
+        "ssl_key" => File.join(FIXTURES_PATH, "invalid.pem"),
+        "ssl_certificate_authorities" => [File.join(FIXTURES_PATH, "ca.pem")],
+        "ssl_crl_path"  => File.join(FIXTURES_PATH, "ca-crl.pem")
+      ) }
+      it "register raises error" do
+        expect { subject.register }.to raise_error(OpenSSL::PKey::PKeyError, /Could not parse PKey/)
+      end
+    end
+    context "invalid CRL" do
+      let(:options ) { super().merge(
+        "ssl_certificate" => File.join(FIXTURES_PATH, "client.pem"),
+        "ssl_key" => File.join(FIXTURES_PATH, "client-key.pem"),
+        "ssl_certificate_authorities" => [File.join(FIXTURES_PATH, "ca.pem")],
+        "ssl_crl_path"  => File.join(FIXTURES_PATH, "invalid.pem")
+      ) }
+      it "register raises error" do
+        expect { subject.register }.to raise_error(OpenSSL::X509::CRLError, /malformed PEM data/)
+      end
+    end
+  end
+  context "CRL options validation" do
+    let(:options) { { "host" => "localhost", "port" => port, "protocol" => "ssl-tcp", "ssl_verify" => true,
+      "ssl_certificate" => File.join(FIXTURES_PATH, "client.pem"),
+      "ssl_key" => File.join(FIXTURES_PATH, "client-key.pem"),
+      "ssl_certificate_authorities" => [File.join(FIXTURES_PATH, "ca.pem")],
+      "ssl_crl_path" => File.join(FIXTURES_PATH, "ca-crl.pem") } }
+    context "when ssl_crl_check contains only leaf" do
+      let(:options) { super().merge("ssl_crl_check" => ["leaf"]) }
+      it "should register without errors" do
+        expect { subject.register }.not_to raise_error
+      end
+    end
+    context "when ssl_crl_check contains only chain" do
+      let(:options) { super().merge("ssl_crl_check" => ["chain"]) }
+      it "should register without errors" do
+        expect { subject.register }.not_to raise_error
+      end
+    end
+    context "when ssl_crl_check contains both leaf and chain" do
+      let(:options) { super().merge("ssl_crl_check" => ["leaf", "chain"]) }
+      it "should raise ConfigurationError for mutually exclusive options" do
+        expect { subject.register }.to raise_error(LogStash::ConfigurationError, /ssl_crl_check can only contain one of 'leaf' or 'chain'/)
+      end
+    end
+    context "when ssl_crl_check is set without ssl_crl_path" do
+      let(:options) { super().reject { |k| k == "ssl_crl_path" }.merge("ssl_crl_check" => ["leaf"]) }
+      it "should raise ConfigurationError for missing ssl_crl_path" do
+        expect { subject.register }.to raise_error(LogStash::ConfigurationError, /ssl_crl_check is set but ssl_crl_path is not set/)
+      end
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: logstash-output-syslog
 version: !ruby/object:Gem::Version
-  version: 3.0.4
+  version: 3.1.0
 platform: ruby
 authors:
 - Elastic
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-11-13 00:00:00.000000000 Z
+date: 2025-12-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
+  name: logstash-core-plugin-api
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -19,9 +19,8 @@ dependencies:
     - - "<="
       - !ruby/object:Gem::Version
         version: '2.99'
-  name: logstash-core-plugin-api
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -31,42 +30,56 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2.99'
 - !ruby/object:Gem::Dependency
+  name: logstash-codec-plain
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  name: logstash-codec-plain
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
+  name: logstash-mixin-normalize_config_support
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  name: logstash-devutils
+  type: :runtime
   prerelease: false
-  type: :development
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
+  name: logstash-devutils
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  name: logstash-codec-json
+  type: :development
   prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: logstash-codec-json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -89,14 +102,30 @@ files:
 - docs/index.asciidoc
 - lib/logstash/outputs/syslog.rb
 - logstash-output-syslog.gemspec
+- spec/fixtures/README.txt
+- spec/fixtures/ca-crl.pem
+- spec/fixtures/ca-key.pem
+- spec/fixtures/ca.pem
+- spec/fixtures/certs.yaml
+- spec/fixtures/client-ec-key.pem
+- spec/fixtures/client-ec.pem
+- spec/fixtures/client-key.pem
+- spec/fixtures/client.pem
+- spec/fixtures/invalid.pem
+- spec/fixtures/revoked-server-key.pem
+- spec/fixtures/revoked-server.pem
+- spec/fixtures/untrusted-server-key.pem
+- spec/fixtures/untrusted-server.pem
+- spec/fixtures/valid-server-key.pem
+- spec/fixtures/valid-server.pem
 - spec/outputs/syslog_spec.rb
+- spec/outputs/syslog_tls_spec.rb
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache License (2.0)
 metadata:
   logstash_plugin: 'true'
   logstash_group: output
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -111,10 +140,25 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.6.11
-signing_key:
+rubygems_version: 3.6.3
 specification_version: 4
 summary: Sends events to a `syslog` server
 test_files:
+- spec/fixtures/README.txt
+- spec/fixtures/ca-crl.pem
+- spec/fixtures/ca-key.pem
+- spec/fixtures/ca.pem
+- spec/fixtures/certs.yaml
+- spec/fixtures/client-ec-key.pem
+- spec/fixtures/client-ec.pem
+- spec/fixtures/client-key.pem
+- spec/fixtures/client.pem
+- spec/fixtures/invalid.pem
+- spec/fixtures/revoked-server-key.pem
+- spec/fixtures/revoked-server.pem
+- spec/fixtures/untrusted-server-key.pem
+- spec/fixtures/untrusted-server.pem
+- spec/fixtures/valid-server-key.pem
+- spec/fixtures/valid-server.pem
 - spec/outputs/syslog_spec.rb
+- spec/outputs/syslog_tls_spec.rb