diff --git a/CHANGELOG.md b/CHANGELOG.md index 5b42b35..65b11a0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +## 7.0.0 + - SSL settings that were marked deprecated in version `6.2.0` are now marked obsolete, and will prevent the plugin from starting. + - These settings are: + - `ssl_cert`, which should be replaced by `ssl_certificate` + - `ssl_cacert`, which should be replaced by `ssl_certificate_authorities` + - `ssl_enable`, which should be replaced by `ssl_enabled` + - `ssl_verify`, which should be replaced by `ssl_client_authentication` when `mode` is `server` or `ssl_verification_mode`when mode is `client` + - [58](https://github.com/logstash-plugins/logstash-output-tcp/pull/58) ## 6.2.1 - Document correct default plugin codec [#54](https://github.com/logstash-plugins/logstash-output-tcp/pull/54) diff --git a/docs/index.asciidoc b/docs/index.asciidoc index 228b7f6..b83795b 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -33,6 +33,10 @@ depending on `mode`. This plugin supports the following configuration options plus the <> described later. +NOTE: As of version `7.0.0` of this plugin, a number of previously deprecated settings related to SSL have been removed. Please see the +<> for more details. + + [cols="<,<,<",options="header",] |======================================================================= |Setting |Input type|Required @@ -40,19 +44,15 @@ This plugin supports the following configuration options plus the <> |<>, one of `["server", "client"]`|No | <> |<>|Yes | <> |<>|No -| <> |a valid filesystem path|__Deprecated__ -| <> |a valid filesystem path|__Deprecated__ | <> |a valid filesystem path|No | <> |<>|No | <> |<>|No | <> |<>, one of `["none", "optional", "required"]`|No -| <> |<>|__Deprecated__ | <> |<>|No | <> |a valid filesystem path|No | <> |<>|No | <> |<>|No | <> |<>, one of `["full", "none"]`|No -| <> |<>|No |======================================================================= Also see <> for a list of options supported by all @@ -97,24 +97,6 @@ When mode is `client`, the port to connect to. When connect failed,retry interval in sec. -[id="plugins-{type}s-{plugin}-ssl_cacert"] -===== `ssl_cacert` -deprecated[6.2.0, Replaced by <>] - - * Value type is <> - * There is no default value for this setting. - -The SSL CA certificate, chainfile or CA path. The system CA path is automatically included. - -[id="plugins-{type}s-{plugin}-ssl_cert"] -===== `ssl_cert` -deprecated[6.2.0, Replaced by <>] - - * Value type is <> - * There is no default value for this setting. - -SSL certificate path - [id="plugins-{type}s-{plugin}-ssl_certificate"] ===== `ssl_certificate` @@ -160,15 +142,6 @@ Please note that the server does not validate the client certificate CN (Common NOTE: This setting can be used only if <> is `server` and <> is set. -[id="plugins-{type}s-{plugin}-ssl_enable"] -===== `ssl_enable` -deprecated[6.2.0, Replaced by <>] - - * Value type is <> - * Default value is `false` - -Enable SSL (must be set for other `ssl_` options to take effect). - [id="plugins-{type}s-{plugin}-ssl_enabled"] ===== `ssl_enabled` @@ -223,15 +196,21 @@ has a hostname or IP address that matches the names within the certificate. NOTE: This setting can be used only if <> is `client`. -[id="plugins-{type}s-{plugin}-ssl_verify"] -===== `ssl_verify` -deprecated[6.2.0, Replaced by <> and <>] +[id="plugins-{type}s-{plugin}-obsolete-options"] +==== TCP Output Obsolete Configuration Options + +WARNING: As of version `6.0.0` of this plugin, the following configuration options are no longer available, +and have been replaced by the following options: - * Value type is <> - * Default value is `false` -Verify the identity of the other end of the SSL connection against the CA. -For input, sets the field `sslsubject` to that of the client certificate. +[cols="<,<",options="header",] +|======================================================================= +|Setting|Replaced by +| ssl_cacert |<> +| ssl_cert |<> +| ssl_enable |<> +| ssl_verify |<> in `server` mode and <> in `client` mode +|======================================================================= [id="plugins-{type}s-{plugin}-common-options"] include::{include_path}/{type}.asciidoc[] diff --git a/lib/logstash/outputs/tcp.rb b/lib/logstash/outputs/tcp.rb index e1ac50f..c15eddf 100644 --- a/lib/logstash/outputs/tcp.rb +++ b/lib/logstash/outputs/tcp.rb @@ -3,7 +3,6 @@ require "logstash/namespace" require "thread" require "logstash/util/socket_peer" -require "logstash/plugin_mixins/normalize_config_support" # Write events over a TCP socket. # @@ -13,8 +12,6 @@ # depending on `mode`. class LogStash::Outputs::Tcp < LogStash::Outputs::Base - include LogStash::PluginMixins::NormalizeConfigSupport - config_name "tcp" concurrency :single @@ -35,9 +32,6 @@ class LogStash::Outputs::Tcp < LogStash::Outputs::Base # `client` connects to a server. config :mode, :validate => ["server", "client"], :default => "client" - # Enable SSL (must be set for other `ssl_` options to take effect). - config :ssl_enable, :validate => :boolean, :default => false, :deprecated => "Use 'ssl_enabled' instead." - # Enable SSL (must be set for other `ssl_` options to take effect). config :ssl_enabled, :validate => :boolean, :default => false @@ -48,10 +42,6 @@ class LogStash::Outputs::Tcp < LogStash::Outputs::Base # This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs. config :ssl_client_authentication, :validate => %w[none optional required], :default => 'none' - # Verify the identity of the other end of the SSL connection against the CA. - # For input, sets the field `sslsubject` to that of the client certificate. - config :ssl_verify, :validate => :boolean, :default => false, :deprecated => "Use 'ssl_client_authentication' when `mode` is 'server' or 'ssl_verification_mode' when mode is `client`" - # Options to verify the server's certificate. # "full": validates that the provided certificate has an issue date that’s within the not_before and not_after dates; # chains to a trusted Certificate Authority (CA); has a hostname or IP address that matches the names within the certificate. @@ -59,16 +49,11 @@ class LogStash::Outputs::Tcp < LogStash::Outputs::Base # "none": performs no certificate validation. Disabling this severely compromises security (https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf) config :ssl_verification_mode, :validate => %w[full none], :default => 'full' - # The SSL CA certificate, chainfile or CA path. The system CA path is automatically included. - config :ssl_cacert, :validate => :path, :deprecated => "Use 'ssl_certificate_authorities' instead." # Validate client certificate or certificate chain against these authorities. You can define multiple files. # All the certificates will be read and added to the trust store. config :ssl_certificate_authorities, :validate => :path, :list => true - # SSL certificate path - config :ssl_cert, :validate => :path, :deprecated => "Use 'ssl_certificate' instead." - # SSL certificate path config :ssl_certificate, :validate => :path @@ -84,6 +69,11 @@ class LogStash::Outputs::Tcp < LogStash::Outputs::Base # The list of ciphers suite to use config :ssl_cipher_suites, :validate => :string, :list => true + config :ssl_enable, :obsolete => "Use 'ssl_enabled' instead." + config :ssl_verify, :obsolete => "Use 'ssl_client_authentication' when `mode` is 'server' or 'ssl_verification_mode' when mode is `client`" + config :ssl_cacert, :obsolete => "Use 'ssl_certificate_authorities' instead." + config :ssl_cert, :obsolete => "Use 'ssl_certificate' instead." + class Client ## @@ -189,11 +179,6 @@ def load_cert_store end private :load_cert_store - def initialize(*args) - super(*args) - setup_ssl_params! - end - # @overload Base#register def register require "socket" @@ -405,47 +390,6 @@ def provided_ssl_enabled_config_name original_params.include?('ssl_enable') ? 'ssl_enable' : 'ssl_enabled' end - def setup_ssl_params! - @ssl_enabled = normalize_config(:ssl_enabled) do |normalizer| - normalizer.with_deprecated_alias(:ssl_enable) - end - - @ssl_certificate = normalize_config(:ssl_certificate) do |normalizer| - normalizer.with_deprecated_alias(:ssl_cert) - end - - if server? - @ssl_client_authentication = normalize_config(:ssl_client_authentication) do |normalizer| - normalizer.with_deprecated_mapping(:ssl_verify) do |ssl_verify| - ssl_verify == true ? 'required' : 'none' - end - end - else - @ssl_verification_mode = normalize_config(:ssl_verification_mode) do |normalize| - normalize.with_deprecated_mapping(:ssl_verify) do |ssl_verify| - ssl_verify == true ? 'full' : 'none' - end - end - - # Keep backwards compatibility with the default :ssl_verify value (false) - if !original_params.include?('ssl_verify') && !original_params.include?('ssl_verification_mode') - @ssl_verification_mode = 'none' - end - end - - @ssl_certificate_authorities = normalize_config(:ssl_certificate_authorities) do |normalize| - normalize.with_deprecated_mapping(:ssl_cacert) do |ssl_cacert| - if File.directory?(ssl_cacert) - Dir.children(ssl_cacert) - .map{ |f| File.join(ssl_cacert, f) } - .reject{ |f| File.directory?(f) || File.basename(f).start_with?('.') } - else - [ssl_cacert] - end - end - end - end - def server? @mode == "server" end # def server? diff --git a/logstash-output-tcp.gemspec b/logstash-output-tcp.gemspec index efe44f0..22cc528 100644 --- a/logstash-output-tcp.gemspec +++ b/logstash-output-tcp.gemspec @@ -1,7 +1,7 @@ Gem::Specification.new do |s| s.name = 'logstash-output-tcp' - s.version = '6.2.1' + s.version = '7.0.0' s.licenses = ['Apache License (2.0)'] s.summary = "Writes events over a TCP socket" s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program" @@ -24,7 +24,6 @@ Gem::Specification.new do |s| s.add_runtime_dependency 'logstash-core', '>= 8.1.0' s.add_runtime_dependency 'logstash-codec-json' s.add_runtime_dependency 'stud' - s.add_runtime_dependency 'logstash-mixin-normalize_config_support', '~>1.0' s.add_runtime_dependency 'jruby-openssl', '>= 0.12.2' # 0.12 supports TLSv1.3 diff --git a/spec/outputs/tcp_spec.rb b/spec/outputs/tcp_spec.rb index 901c285..718ab5b 100644 --- a/spec/outputs/tcp_spec.rb +++ b/spec/outputs/tcp_spec.rb @@ -24,6 +24,25 @@ let(:event) { LogStash::Event.new('message' => 'foo bar') } + ['server', 'client'].each do |mode| + describe "handling obsolete settings for #{mode} mode" do + [{:name => 'ssl_cert', :replacement => 'ssl_certificate', :sample_value => "certificate_path"}, + {:name => 'ssl_cacert', :replacement => 'ssl_certificate_authorities', :sample_value => "certificate_path"}, + {:name => 'ssl_enable', :replacement => 'ssl_enabled', :sample_value => true}, + {:name => 'ssl_verify', :replacement => 'ssl_client_authentication', :sample_value => 'peer'}].each do | obsolete_setting | + context "with obsolete #{obsolete_setting[:name]}" do + let (:deprecated_config) do + config.merge({'mode' => mode, obsolete_setting[:name] => obsolete_setting[:sample_value]}) + end + + it "should raise a config error with the appropriate message" do + expect { LogStash::Outputs::Tcp.new(deprecated_config).register }.to raise_error LogStash::ConfigurationError, /The setting `#{obsolete_setting[:name]}` in plugin `tcp` is obsolete and is no longer available. Use '#{obsolete_setting[:replacement]}'/i + end + end + end + end + end + context 'failing to connect' do before { subject.register } @@ -214,7 +233,7 @@ context 'with supported protocol' do - let(:config) { super().merge("ssl_supported_protocols" => ['TLSv1.2']) } + let(:config) { super().merge("ssl_supported_protocols" => ['TLSv1.2'], "ssl_verification_mode" => "none") } let(:server_min_version) { 'TLS1_2' } @@ -277,7 +296,7 @@ context "and protocol is TLSv1.3" do let(:key_file) { File.join(FIXTURES_PATH, 'plaintext/instance.key') } let(:crt_file) { File.join(FIXTURES_PATH, 'plaintext/instance.crt') } - let(:config) { super().merge("ssl_certificate" => crt_file, "ssl_key" => key_file) } + let(:config) { super().merge("ssl_certificate" => crt_file, "ssl_key" => key_file, "ssl_verification_mode" => "none") } let(:secure_server) do ssl_context = OpenSSL::SSL::SSLContext.new @@ -374,16 +393,6 @@ end end - context "with deprecated ssl_verify = true and no ssl_certificate_authorities" do - let(:config) { super().merge( - 'ssl_verify' => true, - 'ssl_certificate_authorities' => [] - ) } - - it "should register without errors" do - expect { subject.register }.to_not raise_error - end - end %w[required optional].each do |ssl_client_authentication| context "with ssl_client_authentication = `#{ssl_client_authentication}` and no ssl_certificate_authorities" do @@ -409,53 +418,6 @@ end end - context "with deprecated settings" do - let(:ssl_verify) { true } - let(:certificate_path) { File.join(FIXTURES_PATH, 'plaintext/instance.crt') } - let(:config) do - { - "host" => "127.0.0.1", - "port" => port, - "ssl_enable" => true, - "ssl_cert" => certificate_path, - "ssl_key" => File.join(FIXTURES_PATH, 'plaintext/instance.key'), - "ssl_verify" => ssl_verify - } - end - - context "and mode is server" do - let(:config) { super().merge("mode" => 'server') } - [true, false].each do |verify| - context "and ssl_verify is #{verify}" do - let(:ssl_verify) { verify } - - it "should set new configs variables" do - subject.register - expect(subject.instance_variable_get(:@ssl_enabled)).to eql(true) - expect(subject.instance_variable_get(:@ssl_client_authentication)).to eql(verify ? 'required' : 'none') - expect(subject.instance_variable_get(:@ssl_certificate)).to eql(certificate_path) - end - end - end - end - - context "and mode is client" do - let(:config) { super().merge("mode" => 'client') } - [true, false].each do |verify| - context "and ssl_verify is #{verify}" do - let(:ssl_verify) { verify } - - it "should set new configs variables" do - subject.register - expect(subject.instance_variable_get(:@ssl_enabled)).to eql(true) - expect(subject.instance_variable_get(:@ssl_verification_mode)).to eql(verify ? 'full' : 'none') - expect(subject.instance_variable_get(:@ssl_certificate)).to eql(certificate_path) - end - end - end - end - end - context "with ssl_client_authentication" do let(:config) do super().merge 'ssl_client_authentication' => 'required'