From 8013e8ea9b6a93cd9a6af426cdb0b6366eb42313 Mon Sep 17 00:00:00 2001 From: Bob Shannon Date: Fri, 13 Apr 2018 18:28:00 -0700 Subject: [PATCH 1/9] Add TLS support to socker listener service input plugin --- plugins/inputs/socket_listener/README.md | 7 ++++ .../inputs/socket_listener/socket_listener.go | 32 ++++++++++++++++++- 2 files changed, 38 insertions(+), 1 deletion(-) diff --git a/plugins/inputs/socket_listener/README.md b/plugins/inputs/socket_listener/README.md index 698f3aeeedf68..9beddf51b1749 100644 --- a/plugins/inputs/socket_listener/README.md +++ b/plugins/inputs/socket_listener/README.md @@ -35,6 +35,13 @@ This is a sample configuration for the plugin. ## 0 (default) is unlimited. # read_timeout = "30s" + ## Optional SSL configuration. + ## Only applies to stream sockets (e.g. TCP). + # ssl_ca = "/etc/telegraf/ca.pem" + # ssl_cert = "/etc/telegraf/cert.pem" + # ssl_key = "/etc/telegraf/key.pem" + # ssl_client_auth = true + ## Maximum socket buffer size in bytes. ## For stream sockets, once the buffer fills up, the sender will start backing up. ## For datagram sockets, once the buffer fills up, metrics will start dropping. diff --git a/plugins/inputs/socket_listener/socket_listener.go b/plugins/inputs/socket_listener/socket_listener.go index 2ad6c42645f1c..a7a68945576d3 100644 --- a/plugins/inputs/socket_listener/socket_listener.go +++ b/plugins/inputs/socket_listener/socket_listener.go @@ -12,6 +12,7 @@ import ( "time" + "crypto/tls" "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/plugins/inputs" @@ -163,6 +164,10 @@ type SocketListener struct { MaxConnections int ReadBufferSize int ReadTimeout *internal.Duration + SSLCA string + SSLCert string + SSLKey string + SSLClientAuth bool KeepAlivePeriod *internal.Duration parsers.Parser 
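Review bot: `"crypto/tls"` is added below the blank line, inside the third-party import group, although it is standard library; `goimports` would move it up next to `"time"`. The same placement appears in the socket_writer import hunk of the second patch (`"crypto/tls"` above `"github.com/influxdata/telegraf"`). Keeping the stdlib group separate leaves both files gofmt/goimports-clean and avoids a spurious reformat in the next unrelated commit.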
@@ -198,6 +203,13 @@ func (sl *SocketListener) SampleConfig() string { ## 0 (default) is unlimited. # read_timeout = "30s" + ## Optional SSL configuration. + ## Only applies to stream sockets (e.g. TCP). + # ssl_ca = "/etc/telegraf/ca.pem" + # ssl_cert = "/etc/telegraf/cert.pem" + # ssl_key = "/etc/telegraf/key.pem" + # ssl_client_auth = true + ## Maximum socket buffer size in bytes. ## For stream sockets, once the buffer fills up, the sender will start backing up. ## For datagram sockets, once the buffer fills up, metrics will start dropping. @@ -242,7 +254,25 @@ func (sl *SocketListener) Start(acc telegraf.Accumulator) error { switch spl[0] { case "tcp", "tcp4", "tcp6", "unix", "unixpacket": - l, err := net.Listen(spl[0], spl[1]) + var ( + err error + l net.Listener + ) + + tlsCfg, err := internal.GetTLSConfig(sl.SSLCert, sl.SSLKey, sl.SSLCA, false) + if err != nil { + return nil + } + + if tlsCfg == nil { + l, err = net.Listen(spl[0], spl[1]) + } else { + if sl.SSLClientAuth { + tlsCfg.ClientAuth = tls.RequireAndVerifyClientCert + tlsCfg.ClientCAs = tlsCfg.RootCAs + } + l, err = tls.Listen(spl[0], spl[1], tlsCfg) + } if err != nil { return err } From f1ed50c73707884a8310a46bfe88c1d905ff5c7b Mon Sep 17 00:00:00 2001 From: Bob Shannon Date: Fri, 13 Apr 2018 18:42:45 -0700 Subject: [PATCH 2/9] Add TLS support to socket writer output plugin --- plugins/outputs/socket_writer/README.md | 7 ++++ .../outputs/socket_writer/socket_writer.go | 32 +++++++++++++++++-- 2 files changed, 36 insertions(+), 3 deletions(-) diff --git a/plugins/outputs/socket_writer/README.md b/plugins/outputs/socket_writer/README.md index e8b5a0174df4d..8e28c5f88ddbe 100644 --- a/plugins/outputs/socket_writer/README.md +++ b/plugins/outputs/socket_writer/README.md 
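Review bot: The `if err != nil { return nil }` after `internal.GetTLSConfig` in `Start` reports success on a TLS configuration error (unreadable key, bad PEM), and since the helper presumably returns a nil config alongside the error, as `GetServerTLSConfig` visibly does, the following `if tlsCfg == nil` branch then opens a plaintext `net.Listen` on the same address — a misconfigured TLS listener silently degrades to cleartext. It should be `if err != nil { return err }`, matching the check a few lines below. The same `return nil` survives the rewrites of this call in the fourth and fifth patches (`GetServerTLSConfig` hunks), so it needs fixing there too. The rest of `Start` lies outside the hunk.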
@@ -19,6 +19,13 @@ It can output data in any of the [supported output formats](https://github.com/i # address = "unix:///tmp/telegraf.sock" # address = "unixgram:///tmp/telegraf.sock" + ## Optional SSL Config + # ssl_ca = "/etc/telegraf/ca.pem" + # ssl_cert = "/etc/telegraf/cert.pem" + # ssl_key = "/etc/telegraf/key.pem" + ## Use SSL but skip chain & host verification + # insecure_skip_verify = false + ## Period between keep alive probes. ## Only applies to TCP sockets. ## 0 disables keep alive probes. diff --git a/plugins/outputs/socket_writer/socket_writer.go b/plugins/outputs/socket_writer/socket_writer.go index 503130c624f45..855df4a8fb905 100644 --- a/plugins/outputs/socket_writer/socket_writer.go +++ b/plugins/outputs/socket_writer/socket_writer.go @@ -6,6 +6,7 @@ import ( "net" "strings" + "crypto/tls" "github.com/influxdata/telegraf" "github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/plugins/outputs" @@ -13,8 +14,12 @@ import ( ) type SocketWriter struct { - Address string - KeepAlivePeriod *internal.Duration + Address string + KeepAlivePeriod *internal.Duration + SSLCA string + SSLCert string + SSLKey string + InsecureSkipVerify bool serializers.Serializer @@ -39,6 +44,13 @@ func (sw *SocketWriter) SampleConfig() string { # address = "unix:///tmp/telegraf.sock" # address = "unixgram:///tmp/telegraf.sock" + ## Optional SSL Config + # ssl_ca = "/etc/telegraf/ca.pem" + # ssl_cert = "/etc/telegraf/cert.pem" + # ssl_key = "/etc/telegraf/key.pem" + ## Use SSL but skip chain & host verification + # insecure_skip_verify = false + ## Period between keep alive probes. ## Only applies to TCP sockets. ## 0 disables keep alive probes. 
@@ -58,12 +70,26 @@ func (sw *SocketWriter) SetSerializer(s serializers.Serializer) { } func (sw *SocketWriter) Connect() error { + var ( + c net.Conn + err error + ) + spl := strings.SplitN(sw.Address, "://", 2) if len(spl) != 2 { return fmt.Errorf("invalid address: %s", sw.Address) } - c, err := net.Dial(spl[0], spl[1]) + tlsCfg, err := internal.GetTLSConfig(sw.SSLCert, sw.SSLKey, sw.SSLCA, sw.InsecureSkipVerify) + if err != nil { + return err + } + + if tlsCfg == nil { + c, err = net.Dial(spl[0], spl[1]) + } else { + c, err = tls.Dial(spl[0], spl[1], tlsCfg) + } if err != nil { return err } From 1257911b67807e7bea29fd607bdd40bbc6460ee2 Mon Sep 17 00:00:00 2001 From: Bob Shannon Date: Fri, 13 Apr 2018 18:47:22 -0700 Subject: [PATCH 3/9] Tweak docs --- plugins/inputs/socket_listener/README.md | 6 ++++-- plugins/inputs/socket_listener/socket_listener.go | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/plugins/inputs/socket_listener/README.md b/plugins/inputs/socket_listener/README.md index 9beddf51b1749..7bc2ada3d896c 100644 --- a/plugins/inputs/socket_listener/README.md +++ b/plugins/inputs/socket_listener/README.md @@ -37,10 +37,12 @@ This is a sample configuration for the plugin. ## Optional SSL configuration. ## Only applies to stream sockets (e.g. TCP). - # ssl_ca = "/etc/telegraf/ca.pem" # ssl_cert = "/etc/telegraf/cert.pem" # ssl_key = "/etc/telegraf/key.pem" - # ssl_client_auth = true + ## Enable and require client certificate authentication. + # ssl_client_auth = false + ## CA used to verify client certificates. + # ssl_ca = "/etc/telegraf/ca.pem" ## Maximum socket buffer size in bytes. ## For stream sockets, once the buffer fills up, the sender will start backing up. diff --git a/plugins/inputs/socket_listener/socket_listener.go b/plugins/inputs/socket_listener/socket_listener.go index a7a68945576d3..c46ce56e46053 100644 --- a/plugins/inputs/socket_listener/socket_listener.go +++ b/plugins/inputs/socket_listener/socket_listener.go 
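Review bot: `tls.Dial(spl[0], spl[1], tlsCfg)` in `Connect` is reached for every network scheme, but the plugin's README lists `udp://` and `unixgram://` addresses, and a TLS handshake over a datagram socket cannot succeed, so a writer with TLS options set would likely fail or block at connect time with an unhelpful error. The listener side restricts TLS to its stream-socket `case`, and the writer should reject TLS on datagram networks just as explicitly rather than letting the handshake fail. `Connect` continues past the end of the hunk.
```go
	if tlsCfg == nil {
		c, err = net.Dial(spl[0], spl[1])
	} else {
		switch spl[0] {
		case "tcp", "tcp4", "tcp6", "unix", "unixpacket":
			c, err = tls.Dial(spl[0], spl[1], tlsCfg)
		default:
			return fmt.Errorf("TLS is not supported on %s sockets: %s", spl[0], sw.Address)
		}
	}
	// … unchanged: error check and the rest of Connect …
```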
@@ -205,10 +205,12 @@ func (sl *SocketListener) SampleConfig() string { ## Optional SSL configuration. ## Only applies to stream sockets (e.g. TCP). - # ssl_ca = "/etc/telegraf/ca.pem" # ssl_cert = "/etc/telegraf/cert.pem" # ssl_key = "/etc/telegraf/key.pem" - # ssl_client_auth = true + ## Enable and require client certificate authentication. + # ssl_client_auth = false + ## CA used to verify client certificates. + # ssl_ca = "/etc/telegraf/ca.pem" ## Maximum socket buffer size in bytes. ## For stream sockets, once the buffer fills up, the sender will start backing up. From 8f68b2f9b2afada83726fe3b8b5bec29e98a6623 Mon Sep 17 00:00:00 2001 From: Bob Shannon Date: Fri, 13 Apr 2018 19:08:55 -0700 Subject: [PATCH 4/9] Use GetServerTLSConfig and GetClientTLSConfig --- internal/internal.go | 62 ++++++++++++++++++- plugins/inputs/socket_listener/README.md | 4 +- .../inputs/socket_listener/socket_listener.go | 12 ++-- .../outputs/socket_writer/socket_writer.go | 2 +- 4 files changed, 66 insertions(+), 14 deletions(-) diff --git a/internal/internal.go b/internal/internal.go index aae7aa773f87e..a25ca45c02575 100644 --- a/internal/internal.go +++ b/internal/internal.go 
@@ -112,12 +112,21 @@ func RandomString(n int) string { return string(bytes) } -// GetTLSConfig gets a tls.Config object from the given certs, key, and CA files. -// you must give the full path to the files. -// If all files are blank and InsecureSkipVerify=false, returns a nil pointer. +// Deprecated - use GetClientTLSConfig or GetServerTLSConfig instead. func GetTLSConfig( SSLCert, SSLKey, SSLCA string, InsecureSkipVerify bool, +) (*tls.Config, error) { + return GetClientTLSConfig(SSLCert, SSLKey, SSLCA, InsecureSkipVerify) +} + +// GetClientTLSConfig gets a tls.Config object from the given certs, key, and CA files +// for use with a client. +// The full path to each file must be provided. +// Returns a nil pointer if all files are blank and InsecureSkipVerify=false. +func GetClientTLSConfig( + SSLCert, SSLKey, SSLCA string, + InsecureSkipVerify bool, ) (*tls.Config, error) { if SSLCert == "" && SSLKey == "" && SSLCA == "" && !InsecureSkipVerify { return nil, nil 
@@ -155,6 +164,53 @@ func GetTLSConfig( return t, nil } +// GetServerTLSConfig gets a tls.Config object from the given certs, key, and one or more CA files +// for use with a server. +// The full path to each file must be provided. +// Returns a nil pointer if all files are blank. +func GetServerTLSConfig( + SSLCert, SSLKey string, + SSLCA []string, + SSLClientAuth bool, +) (*tls.Config, error) { + if SSLCert == "" && SSLKey == "" && len(SSLCA) == 0 { + return nil, nil + } + + t := &tls.Config{} + + if len(SSLCA) != 0 { + caCertPool := x509.NewCertPool() + for _, cert := range SSLCA { + c, err := ioutil.ReadFile(cert) + if err != nil { + return nil, errors.New(fmt.Sprintf("Could not load TLS CA: %s", + err)) + } + caCertPool.AppendCertsFromPEM(c) + } + t.ClientCAs = caCertPool + } + + if SSLCert != "" && SSLKey != "" { + cert, err := tls.LoadX509KeyPair(SSLCert, SSLKey) + if err != nil { + return nil, errors.New(fmt.Sprintf( + "Could not load TLS client key/certificate from %s:%s: %s", + SSLKey, SSLCert, err)) + } + + t.Certificates = []tls.Certificate{cert} + t.BuildNameToCertificate() + } + + if SSLClientAuth { + t.ClientAuth = tls.RequireAndVerifyClientCert + } + + return t, nil +} + // SnakeCase converts the given string to snake case following the Golang format: // acronyms are converted to lower-case and preceded by an underscore. func SnakeCase(in string) string { diff --git a/plugins/inputs/socket_listener/README.md b/plugins/inputs/socket_listener/README.md index 7bc2ada3d896c..1620101ad58a5 100644 --- a/plugins/inputs/socket_listener/README.md +++ b/plugins/inputs/socket_listener/README.md 
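Review bot: `caCertPool.AppendCertsFromPEM(c)` discards its boolean result, so a CA file that reads fine but contains no parseable certificate leaves the pool empty while the function still returns a config, and with client auth enabled every client is then rejected at handshake with nothing in the logs pointing at the file. Check the result, `if !caCertPool.AppendCertsFromPEM(c) { return nil, fmt.Errorf("no certificate found in TLS CA file %s", cert) }`, and include the path in the read error as well, `fmt.Errorf("could not load TLS CA %s: %s", cert, err)`, which also retires the `errors.New(fmt.Sprintf(...))` pattern. The key-pair error text says "TLS client key/certificate" although this helper builds the server config. These lines are carried unchanged through the `GetServerTLSConfig` hunks of the fifth and eighth patches.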
@@ -41,8 +41,8 @@ This is a sample configuration for the plugin. # ssl_key = "/etc/telegraf/key.pem" ## Enable and require client certificate authentication. # ssl_client_auth = false - ## CA used to verify client certificates. - # ssl_ca = "/etc/telegraf/ca.pem" + ## CAs used to verify client certificates. + # ssl_ca = ["/etc/telegraf/ca.pem"] ## Maximum socket buffer size in bytes. ## For stream sockets, once the buffer fills up, the sender will start backing up. diff --git a/plugins/inputs/socket_listener/socket_listener.go b/plugins/inputs/socket_listener/socket_listener.go index c46ce56e46053..86dc34d46dabe 100644 --- a/plugins/inputs/socket_listener/socket_listener.go +++ b/plugins/inputs/socket_listener/socket_listener.go @@ -164,7 +164,7 @@ type SocketListener struct { MaxConnections int ReadBufferSize int ReadTimeout *internal.Duration - SSLCA string + SSLCA []string SSLCert string SSLKey string SSLClientAuth bool @@ -209,8 +209,8 @@ func (sl *SocketListener) SampleConfig() string { # ssl_key = "/etc/telegraf/key.pem" ## Enable and require client certificate authentication. # ssl_client_auth = false - ## CA used to verify client certificates. - # ssl_ca = "/etc/telegraf/ca.pem" + ## CAs used to verify client certificates. + # ssl_ca = ["/etc/telegraf/ca.pem"] ## Maximum socket buffer size in bytes. ## For stream sockets, once the buffer fills up, the sender will start backing up. @@ -261,7 +261,7 @@ func (sl *SocketListener) Start(acc telegraf.Accumulator) error { l net.Listener ) - tlsCfg, err := internal.GetTLSConfig(sl.SSLCert, sl.SSLKey, sl.SSLCA, false) + tlsCfg, err := internal.GetServerTLSConfig(sl.SSLCert, sl.SSLKey, sl.SSLCA, sl.SSLClientAuth) if err != nil { return nil } 
@@ -269,10 +269,6 @@ func (sl *SocketListener) Start(acc telegraf.Accumulator) error { if tlsCfg == nil { l, err = net.Listen(spl[0], spl[1]) } else { - if sl.SSLClientAuth { - tlsCfg.ClientAuth = tls.RequireAndVerifyClientCert - tlsCfg.ClientCAs = tlsCfg.RootCAs - } l, err = tls.Listen(spl[0], spl[1], tlsCfg) } if err != nil { diff --git a/plugins/outputs/socket_writer/socket_writer.go b/plugins/outputs/socket_writer/socket_writer.go index 855df4a8fb905..fd9df2712abb9 100644 --- a/plugins/outputs/socket_writer/socket_writer.go +++ b/plugins/outputs/socket_writer/socket_writer.go @@ -80,7 +80,7 @@ func (sw *SocketWriter) Connect() error { return fmt.Errorf("invalid address: %s", sw.Address) } - tlsCfg, err := internal.GetTLSConfig(sw.SSLCert, sw.SSLKey, sw.SSLCA, sw.InsecureSkipVerify) + tlsCfg, err := internal.GetClientTLSConfig(sw.SSLCert, sw.SSLKey, sw.SSLCA, sw.InsecureSkipVerify) if err != nil { return err } From d416799382787a19daa9fecd2307312f9d02822f Mon Sep 17 00:00:00 2001 From: Bob Shannon Date: Mon, 16 Apr 2018 22:28:45 -0400 Subject: [PATCH 5/9] PR comments --- internal/internal.go | 34 ++++++------------- plugins/inputs/socket_listener/README.md | 12 +++---- .../inputs/socket_listener/socket_listener.go | 31 ++++++++--------- 3 files changed, 30 insertions(+), 47 deletions(-) diff --git a/internal/internal.go b/internal/internal.go index a25ca45c02575..09d75414ca320 100644 --- a/internal/internal.go +++ b/internal/internal.go 
@@ -112,19 +112,11 @@ func RandomString(n int) string { return string(bytes) } -// Deprecated - use GetClientTLSConfig or GetServerTLSConfig instead. -func GetTLSConfig( - SSLCert, SSLKey, SSLCA string, - InsecureSkipVerify bool, -) (*tls.Config, error) { - return GetClientTLSConfig(SSLCert, SSLKey, SSLCA, InsecureSkipVerify) -} - -// GetClientTLSConfig gets a tls.Config object from the given certs, key, and CA files +// GetTLSConfig gets a tls.Config object from the given certs, key, and CA files // for use with a client. // The full path to each file must be provided. // Returns a nil pointer if all files are blank and InsecureSkipVerify=false. -func GetClientTLSConfig( +func GetTLSConfig( SSLCert, SSLKey, SSLCA string, InsecureSkipVerify bool, ) (*tls.Config, error) { @@ -169,19 +161,18 @@ func GetClientTLSConfig( // The full path to each file must be provided. // Returns a nil pointer if all files are blank. func GetServerTLSConfig( - SSLCert, SSLKey string, - SSLCA []string, - SSLClientAuth bool, + TLSCert, TLSKey string, + TLSAllowedCerts []string, ) (*tls.Config, error) { - if SSLCert == "" && SSLKey == "" && len(SSLCA) == 0 { + if TLSCert == "" && TLSKey == "" && len(TLSAllowedCerts) == 0 { return nil, nil } t := &tls.Config{} - if len(SSLCA) != 0 { + if len(TLSAllowedCerts) != 0 { caCertPool := x509.NewCertPool() - for _, cert := range SSLCA { + for _, cert := range TLSAllowedCerts { c, err := ioutil.ReadFile(cert) if err != nil { return nil, errors.New(fmt.Sprintf("Could not load TLS CA: %s", 
@@ -190,24 +181,21 @@ func GetServerTLSConfig( caCertPool.AppendCertsFromPEM(c) } t.ClientCAs = caCertPool + t.ClientAuth = tls.RequireAndVerifyClientCert } - if SSLCert != "" && SSLKey != "" { - cert, err := tls.LoadX509KeyPair(SSLCert, SSLKey) + if TLSCert != "" && TLSKey != "" { + cert, err := tls.LoadX509KeyPair(TLSCert, TLSKey) if err != nil { return nil, errors.New(fmt.Sprintf( "Could not load TLS client key/certificate from %s:%s: %s", - SSLKey, SSLCert, err)) + TLSKey, TLSCert, err)) } t.Certificates = []tls.Certificate{cert} t.BuildNameToCertificate() } - if SSLClientAuth { - t.ClientAuth = tls.RequireAndVerifyClientCert - } - return t, nil } diff --git a/plugins/inputs/socket_listener/README.md b/plugins/inputs/socket_listener/README.md index 1620101ad58a5..ff73b1fbbf8e7 100644 --- a/plugins/inputs/socket_listener/README.md +++ b/plugins/inputs/socket_listener/README.md @@ -35,14 +35,12 @@ This is a sample configuration for the plugin. ## 0 (default) is unlimited. # read_timeout = "30s" - ## Optional SSL configuration. + ## Optional TLS configuration. ## Only applies to stream sockets (e.g. TCP). - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Enable and require client certificate authentication. - # ssl_client_auth = false - ## CAs used to verify client certificates. - # ssl_ca = ["/etc/telegraf/ca.pem"] + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Enables client authentication if set. + # tls_allowed_cacerts = ["/etc/telegraf/clientca.pem"] ## Maximum socket buffer size in bytes. ## For stream sockets, once the buffer fills up, the sender will start backing up. diff --git a/plugins/inputs/socket_listener/socket_listener.go b/plugins/inputs/socket_listener/socket_listener.go index 86dc34d46dabe..7a64df8562e7f 100644 --- a/plugins/inputs/socket_listener/socket_listener.go +++ b/plugins/inputs/socket_listener/socket_listener.go 
@@ -160,15 +160,14 @@ func (psl *packetSocketListener) listen() { } type SocketListener struct { - ServiceAddress string - MaxConnections int - ReadBufferSize int - ReadTimeout *internal.Duration - SSLCA []string - SSLCert string - SSLKey string - SSLClientAuth bool - KeepAlivePeriod *internal.Duration + ServiceAddress string + MaxConnections int + ReadBufferSize int + ReadTimeout *internal.Duration + TLSAllowedCACerts []string + TLSCert string + TLSKey string + KeepAlivePeriod *internal.Duration parsers.Parser telegraf.Accumulator @@ -203,14 +202,12 @@ func (sl *SocketListener) SampleConfig() string { ## 0 (default) is unlimited. # read_timeout = "30s" - ## Optional SSL configuration. + ## Optional TLS configuration. ## Only applies to stream sockets (e.g. TCP). - # ssl_cert = "/etc/telegraf/cert.pem" - # ssl_key = "/etc/telegraf/key.pem" - ## Enable and require client certificate authentication. - # ssl_client_auth = false - ## CAs used to verify client certificates. - # ssl_ca = ["/etc/telegraf/ca.pem"] + # tls_cert = "/etc/telegraf/cert.pem" + # tls_key = "/etc/telegraf/key.pem" + ## Enables client authentication if set. + # tls_allowed_cacerts = ["/etc/telegraf/clientca.pem"] ## Maximum socket buffer size in bytes. ## For stream sockets, once the buffer fills up, the sender will start backing up. @@ -261,7 +258,7 @@ func (sl *SocketListener) Start(acc telegraf.Accumulator) error { l net.Listener ) - tlsCfg, err := internal.GetServerTLSConfig(sl.SSLCert, sl.SSLKey, sl.SSLCA, sl.SSLClientAuth) + tlsCfg, err := internal.GetServerTLSConfig(sl.TLSCert, sl.TLSKey, sl.TLSAllowedCACerts) if err != nil { return nil } From 2559fffab4f571a1b3294c8814308afc142949bd Mon Sep 17 00:00:00 2001 From: Bob Shannon Date: Mon, 16 Apr 2018 22:33:51 -0400 Subject: [PATCH 6/9] Label struct fields --- .../inputs/socket_listener/socket_listener.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/plugins/inputs/socket_listener/socket_listener.go b/plugins/inputs/socket_listener/socket_listener.go index 7a64df8562e7f..14d568ec98fb1 100644 --- a/plugins/inputs/socket_listener/socket_listener.go +++ b/plugins/inputs/socket_listener/socket_listener.go @@ -160,14 +160,14 @@ func (psl *packetSocketListener) listen() { } type SocketListener struct { - ServiceAddress string - MaxConnections int - ReadBufferSize int - ReadTimeout *internal.Duration - TLSAllowedCACerts []string - TLSCert string - TLSKey string - KeepAlivePeriod *internal.Duration + ServiceAddress string `toml:"service_address"` + MaxConnections int `toml:"max_connections"` + ReadBufferSize int `toml:"read_buffer_size"` + ReadTimeout *internal.Duration `toml:"read_timeout"` + TLSAllowedCACerts []string `toml:"tls_allowed_cacerts"` + TLSCert string `toml:"tls_cert"` + TLSKey string `toml:"tls_key"` + KeepAlivePeriod *internal.Duration `toml:"keep_alive_period"` parsers.Parser telegraf.Accumulator From 7dbc96b16f3fbb5ac1bba248f81af578bea0b038 Mon Sep 17 00:00:00 2001 From: Bob Shannon Date: Mon, 16 Apr 2018 23:11:21 -0400 Subject: [PATCH 7/9] Add testdata and TLS listener test --- .../socket_listener/socket_listener_test.go | 24 +++++++++++++++++++ .../inputs/socket_listener/testdata/ca.pem | 11 +++++++++ .../socket_listener/testdata/client.key | 5 ++++ .../socket_listener/testdata/client.pem | 10 ++++++++ .../socket_listener/testdata/server.key | 5 ++++ .../socket_listener/testdata/server.pem | 11 +++++++++ .../outputs/socket_writer/socket_writer.go | 2 +- 7 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 plugins/inputs/socket_listener/testdata/ca.pem create mode 100644 plugins/inputs/socket_listener/testdata/client.key create mode 100644 plugins/inputs/socket_listener/testdata/client.pem create mode 100644 plugins/inputs/socket_listener/testdata/server.key create mode 100644 plugins/inputs/socket_listener/testdata/server.pem 
diff --git a/plugins/inputs/socket_listener/socket_listener_test.go b/plugins/inputs/socket_listener/socket_listener_test.go index 4e8335699b2f8..b3f7762245d2d 100644 --- a/plugins/inputs/socket_listener/socket_listener_test.go +++ b/plugins/inputs/socket_listener/socket_listener_test.go @@ -2,12 +2,14 @@ package socket_listener import ( "bytes" + "crypto/tls" "log" "net" "os" "testing" "time" + "github.com/influxdata/telegraf/internal" "github.com/influxdata/telegraf/testutil" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -25,6 +27,28 @@ func testEmptyLog(t *testing.T) func() { } } +func TestSocketListener_tls(t *testing.T) { + defer testEmptyLog(t)() + + sl := newSocketListener() + sl.ServiceAddress = "tcp://127.0.0.1:0" + sl.TLSCert = "testdata/server.pem" + sl.TLSKey = "testdata/server.key" + + acc := &testutil.Accumulator{} + err := sl.Start(acc) + require.NoError(t, err) + defer sl.Stop() + + tlsCfg, err := internal.GetTLSConfig("testdata/client.pem", "testdata/client.key", "testdata/ca.pem", true) + require.NoError(t, err) + + secureClient, err := tls.Dial("tcp", sl.Closer.(net.Listener).Addr().String(), tlsCfg) + require.NoError(t, err) + + testSocketListener(t, sl, secureClient) +} + func TestSocketListener_tcp(t *testing.T) { defer testEmptyLog(t)() diff --git a/plugins/inputs/socket_listener/testdata/ca.pem b/plugins/inputs/socket_listener/testdata/ca.pem new file mode 100644 index 0000000000000..9338e08c339e6 --- /dev/null +++ b/plugins/inputs/socket_listener/testdata/ca.pem 
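Review bot: `TestSocketListener_tls` builds its client config with `InsecureSkipVerify` passed as `true`, so the dial never checks the listener's certificate against `testdata/ca.pem` and the test passes even if `Start` serves the wrong certificate or the CA plumbing is broken. Passing `false` there makes the test exercise chain and host verification; that requires `testdata/server.pem` to be issued by `testdata/ca.pem` with a SAN covering `127.0.0.1`, which I cannot confirm from the PEM bodies in this series. A second case that dials without a client certificate and expects the handshake to fail would pin the client-auth behaviour once the listener requires it.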
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBfjCCASSgAwIBAgIQOcVQOVdiYAlrATkSZ00c2zAKBggqhkjOPQQDAjAkMRAw +DgYDVQQKEwdBY21lIENvMRAwDgYDVQQDEwdSb290IENBMB4XDTE4MDQxNzAyNDAw +NloXDTE5MDQxNzAyNDAwNlowJDEQMA4GA1UEChMHQWNtZSBDbzEQMA4GA1UEAxMH +Um9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGhlpfpBmoCtiwBYeW+6 +1zR4d8cmsKXWza5blMJIKY9gugDHTbDbW1kbNv+IotXmF94aQKY8SsYyF8SqQstr +MUGjODA2MA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNV +HRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIQCLhyfDywGQR+NhR68uh+Ps +OohSa5VGAe1nlCWwxjW4ugIgYRHKQ0qyf9kmE/+OlKGi+fsiZRJt57lO+r97YeML +R6o= +-----END CERTIFICATE----- diff --git a/plugins/inputs/socket_listener/testdata/client.key b/plugins/inputs/socket_listener/testdata/client.key new file mode 100644 index 0000000000000..41b350e2e5339 --- /dev/null +++ b/plugins/inputs/socket_listener/testdata/client.key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIAi2HTH3731OXAPNyQB2pyJz3CsyJQMzM6ypofD8q9proAoGCCqGSM49 +AwEHoUQDQgAEfp9yWlCj8cf4pmwAyophsdqLCVSWFQQ41VlKnsnqfeCL3ALXV84W +vYMCpQKTk5ajIxMwaRz5V/RkGs4Y3VJLFg== +-----END EC PRIVATE KEY----- diff --git a/plugins/inputs/socket_listener/testdata/client.pem b/plugins/inputs/socket_listener/testdata/client.pem new file mode 100644 index 0000000000000..177c9bd8cfba7 --- /dev/null +++ b/plugins/inputs/socket_listener/testdata/client.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBezCCASCgAwIBAgIBBDAKBggqhkjOPQQDAjAkMRAwDgYDVQQKEwdBY21lIENv +MRAwDgYDVQQDEwdSb290IENBMB4XDTE4MDQxNzAyNDAwNloXDTE5MDQxNzAyNDAw +NlowMjEQMA4GA1UEChMHQWNtZSBDbzEeMBwGA1UEAwwVY2xpZW50X2F1dGhfdGVz +dF9jZXJ0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfp9yWlCj8cf4pmwAyoph +sdqLCVSWFQQ41VlKnsnqfeCL3ALXV84WvYMCpQKTk5ajIxMwaRz5V/RkGs4Y3VJL +FqM1MDMwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1Ud +EwEB/wQCMAAwCgYIKoZIzj0EAwIDSQAwRgIhAMzENYnCp9vbi6WEKKs5Ah5kf5Uq +IQZrsF6rbvX8bUq6AiEAl5pB2DivzzlSO1ME4TUnkH8PuRXoWF4WEhY7EsY7cCA= +-----END CERTIFICATE----- 
diff --git a/plugins/inputs/socket_listener/testdata/server.key b/plugins/inputs/socket_listener/testdata/server.key new file mode 100644 index 0000000000000..e46c137922f34 --- /dev/null +++ b/plugins/inputs/socket_listener/testdata/server.key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIM6RnKmPvlS8pDPsohwQVFLyHDQyaNKckB3LW97EkDPJoAoGCCqGSM49 +AwEHoUQDQgAEPAtSzaOBtFL6BFEqXLK9B4agy0qpTA/sMUTm9g92hz5Ic+1bVpi7 +33sLjmjjqrYLFust+j+FqpeDRGovUDU0gA== +-----END EC PRIVATE KEY----- diff --git a/plugins/inputs/socket_listener/testdata/server.pem b/plugins/inputs/socket_listener/testdata/server.pem new file mode 100644 index 0000000000000..bc000dbeebbce --- /dev/null +++ b/plugins/inputs/socket_listener/testdata/server.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBnTCCAUKgAwIBAgIRAMjiXxeTNq5WuymjNs/SMMQwCgYIKoZIzj0EAwIwJDEQ +MA4GA1UEChMHQWNtZSBDbzEQMA4GA1UEAxMHUm9vdCBDQTAeFw0xODA0MTcwMjQw +MDZaFw0xOTA0MTcwMjQwMDZaMCgxEDAOBgNVBAoTB0FjbWUgQ28xFDASBgNVBAMM +C3Rlc3RfY2VydF8xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPAtSzaOBtFL6 +BFEqXLK9B4agy0qpTA/sMUTm9g92hz5Ic+1bVpi733sLjmjjqrYLFust+j+FqpeD +RGovUDU0gKNRME8wDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMB +MAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMAoGCCqG +SM49BAMCA0kAMEYCIQC5LOQXoGLQ1q8vuZhg0CBoBtGhJzq1NQgQrvbWOG1XMQIh +AMXysM4Ppawj9uvhYkdgwhIvM8/Ul5AUtb/GOCxqYhL4 +-----END CERTIFICATE----- diff --git a/plugins/outputs/socket_writer/socket_writer.go b/plugins/outputs/socket_writer/socket_writer.go index fd9df2712abb9..855df4a8fb905 100644 --- a/plugins/outputs/socket_writer/socket_writer.go +++ b/plugins/outputs/socket_writer/socket_writer.go @@ -80,7 +80,7 @@ func (sw *SocketWriter) Connect() error { return fmt.Errorf("invalid address: %s", sw.Address) } - tlsCfg, err := internal.GetClientTLSConfig(sw.SSLCert, sw.SSLKey, sw.SSLCA, sw.InsecureSkipVerify) + tlsCfg, err := internal.GetTLSConfig(sw.SSLCert, sw.SSLKey, sw.SSLCA, sw.InsecureSkipVerify) if err != nil { return err } 
From 8e1c6861d1d56c1feaa018298acf3e1b6dba4c43 Mon Sep 17 00:00:00 2001 From: Bob Shannon Date: Tue, 17 Apr 2018 00:30:35 -0400 Subject: [PATCH 8/9] Minor bugfixes --- internal/internal.go | 11 +++--- .../inputs/socket_listener/socket_listener.go | 4 +- .../socket_listener/socket_listener_test.go | 1 + .../inputs/socket_listener/testdata/ca.pem | 38 ++++++++++++++----- .../socket_listener/testdata/client.key | 32 +++++++++++++--- .../socket_listener/testdata/client.pem | 30 +++++++++++---- .../socket_listener/testdata/server.key | 32 +++++++++++++--- .../socket_listener/testdata/server.pem | 32 +++++++++++----- 8 files changed, 137 insertions(+), 43 deletions(-) diff --git a/internal/internal.go b/internal/internal.go index 09d75414ca320..3227832c991ec 100644 --- a/internal/internal.go +++ b/internal/internal.go @@ -162,17 +162,17 @@ func GetTLSConfig( // Returns a nil pointer if all files are blank. func GetServerTLSConfig( TLSCert, TLSKey string, - TLSAllowedCerts []string, + TLSAllowedCACerts []string, ) (*tls.Config, error) { - if TLSCert == "" && TLSKey == "" && len(TLSAllowedCerts) == 0 { + if TLSCert == "" && TLSKey == "" && len(TLSAllowedCACerts) == 0 { return nil, nil } t := &tls.Config{} - if len(TLSAllowedCerts) != 0 { + if len(TLSAllowedCACerts) != 0 { caCertPool := x509.NewCertPool() - for _, cert := range TLSAllowedCerts { + for _, cert := range TLSAllowedCACerts { c, err := ioutil.ReadFile(cert) if err != nil { return nil, errors.New(fmt.Sprintf("Could not load TLS CA: %s", @@ -193,9 +193,10 @@ func GetServerTLSConfig( } t.Certificates = []tls.Certificate{cert} - t.BuildNameToCertificate() } + t.BuildNameToCertificate() + return t, nil } diff --git a/plugins/inputs/socket_listener/socket_listener.go b/plugins/inputs/socket_listener/socket_listener.go index 14d568ec98fb1..249787b5927b8 100644 --- a/plugins/inputs/socket_listener/socket_listener.go +++ b/plugins/inputs/socket_listener/socket_listener.go 
@@ -123,9 +123,9 @@ func (ssl *streamSocketListener) read(c net.Conn) { } if err := scnr.Err(); err != nil { - if err, ok := err.(net.Error); ok && err.Timeout() { + if netErr, ok := err.(net.Error); ok && netErr.Timeout() { log.Printf("D! Timeout in plugin [input.socket_listener]: %s", err) - } else if !strings.HasSuffix(err.Error(), ": use of closed network connection") { + } else if netErr != nil && !strings.HasSuffix(err.Error(), ": use of closed network connection") { ssl.AddError(err) } } diff --git a/plugins/inputs/socket_listener/socket_listener_test.go b/plugins/inputs/socket_listener/socket_listener_test.go index b3f7762245d2d..acddb916f94b7 100644 --- a/plugins/inputs/socket_listener/socket_listener_test.go +++ b/plugins/inputs/socket_listener/socket_listener_test.go @@ -34,6 +34,7 @@ func TestSocketListener_tls(t *testing.T) { sl.ServiceAddress = "tcp://127.0.0.1:0" sl.TLSCert = "testdata/server.pem" sl.TLSKey = "testdata/server.key" + sl.TLSAllowedCACerts = []string{"testdata/ca.pem"} acc := &testutil.Accumulator{} err := sl.Start(acc) diff --git a/plugins/inputs/socket_listener/testdata/ca.pem b/plugins/inputs/socket_listener/testdata/ca.pem index 9338e08c339e6..d3b6d9a14080c 100644 --- a/plugins/inputs/socket_listener/testdata/ca.pem +++ b/plugins/inputs/socket_listener/testdata/ca.pem 
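Review bot: The added `netErr != nil &&` in the `else if` of `read` drops every scanner error that is not a `net.Error` — `netErr` is nil exactly when the type assertion fails — so, if `scnr` is a `bufio.Scanner` as the name suggests, errors such as `bufio.ErrTooLong` no longer reach `ssl.AddError` and are silently lost. Renaming the shadowed variable already removes the nil-interface dereference the old code had on the `err.Error()` call, so the extra guard is unnecessary; I'd write `} else if !strings.HasSuffix(err.Error(), ": use of closed network connection") {`. The enclosing `read` begins outside the hunk.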
@@ -1,11 +1,31 @@ -----BEGIN CERTIFICATE----- -MIIBfjCCASSgAwIBAgIQOcVQOVdiYAlrATkSZ00c2zAKBggqhkjOPQQDAjAkMRAw -DgYDVQQKEwdBY21lIENvMRAwDgYDVQQDEwdSb290IENBMB4XDTE4MDQxNzAyNDAw -NloXDTE5MDQxNzAyNDAwNlowJDEQMA4GA1UEChMHQWNtZSBDbzEQMA4GA1UEAxMH -Um9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGhlpfpBmoCtiwBYeW+6 -1zR4d8cmsKXWza5blMJIKY9gugDHTbDbW1kbNv+IotXmF94aQKY8SsYyF8SqQstr -MUGjODA2MA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNV -HRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIQCLhyfDywGQR+NhR68uh+Ps -OohSa5VGAe1nlCWwxjW4ugIgYRHKQ0qyf9kmE/+OlKGi+fsiZRJt57lO+r97YeML -R6o= +MIIFVTCCAz2gAwIBAgIJAOhLvwv6zUf+MA0GCSqGSIb3DQEBCwUAMEExCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsG +A1UECgwEVGVzdDAeFw0xODA0MTcwNDIwNDZaFw0yMTAyMDQwNDIwNDZaMEExCzAJ +BgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEN +MAsGA1UECgwEVGVzdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKwE +Xy814CDH03G3Fg2/XSpYZXVMzwp6oq/bUe3iLhkOpA6C4+j07AxAAa22qEPlvYkb +W7oxVJiL0ih1od2FeAxvroBTmjG54j/Syb8OeQsZaJLNp1rRmwYGBIVi284ScaIc +dn+2bfmfpSLjK3SbU5XygtwIE3gh/B7x02UJRNJmJ1faRT2CfTeg/56xnTE4bcR5 +HRrlojoN5laJngowLWAEAvWljCR8oge+ciNYB3xoK8Hgc9+WgTy95G1RBCNkaFFI +73nrcHl6dGOH9UgIqfbHJYxNEarI3o/JAr8DIBS0W4r8r4aY4JQ4LoN3bg4mLHQq +THKkVW5hyBeWe47qmlL0m4F6/+mzVi95NAWG2BQDCZJAWJNc+PbSRHi81838m7ff +O4rixd/F53LUUas8/zVca3vtv+XjOHZzIQLIy1bM4MhzpHlRcSmS9kqxxZ3S70e3 +ZIWFdM0iRrtlBbJeoHIJRDpgPRYIWdRc6XotljTTi6/lN4Bj/0NK4E3iONcDsscN +kiqEHRAWZ4ptCqdVPgYR0S096Fx6OaC3ASODE0Cjb18ylZQRsQi8TiYSihGzuoio +wJwSLdIifDbbSUkjT1384cA/HsOjFQ9xHXYa6cQnAg3TUZyG1lAMJyFWYke+rxmG +srfL/EtIzgbzmEOC5anQjA2pdgUO9Pk2SinJaMApAgMBAAGjUDBOMB0GA1UdDgQW +BBQNJctDLjj8bVKNCYANaOcboPQnmzAfBgNVHSMEGDAWgBQNJctDLjj8bVKNCYAN +aOcboPQnmzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQATSr26Kc8g +3l2zuccoKWM57DQcgRmzSYwEOKA2jn3FWmrAdwozEIkLaTK0OXz0zh2dZxh9V3GR +w0WFCynbGNy/9s33MSi+zIWJOU/MZvt6zGE5CTcTgZ+u5IZyvSubMkPcwQi3Yvcg +AHmWzpF42kT2J5C5MfrSU65hrhPX7hT/CUoV3gN7oxFzj+/ED4kgNorO8SUUJCmq 
+DJNFbjgsD63EhnvAhn1AeM35GmKdl2enEKqcZsRkE4ZLpU7ibrThEm1aOQuJUtHk +gDAx49QMdQpWnxWxnfoiwpLu7ufR7ls8O9oA8ZJux/SVHEmtkOdRsuMtY5MElFZg +dANlQsdFWDko4ixaxFYzppuPNnRlqjGNnaEFJrNc2KR0Dxgmp28Yh2VyLd4r3fLT +nLVBYF8KzFchUdXYYPNBXwAf/N52jGfugDx8snLxOfzxoUZ4y64qMCpYhntGgBJ1 +Rrk2trcn3Dw19gi8p3ylbdoz/Ch1INDDrO35pd0bZpcwASc/UNU72W5v2kGL0H7o +nJzgtrqeHcoIzNBmBhHlMlnTF5GMfrYGsf5d30KyKv7UL6qJTvT641dpKpB/FFrk +y3AQbKmKRDI+aVzeOlwdy/eJAwt7FikD4bR9GZ4PBX9n9jd4u/PHZNfxtgzplqo1 +oy7kJv0cB/vRKOblmn/vPUfTFtAX7M3GkQ== -----END CERTIFICATE----- diff --git a/plugins/inputs/socket_listener/testdata/client.key b/plugins/inputs/socket_listener/testdata/client.key index 41b350e2e5339..285a2747825b4 100644 --- a/plugins/inputs/socket_listener/testdata/client.key +++ b/plugins/inputs/socket_listener/testdata/client.key 
@@ -1,5 +1,27 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIAi2HTH3731OXAPNyQB2pyJz3CsyJQMzM6ypofD8q9proAoGCCqGSM49 -AwEHoUQDQgAEfp9yWlCj8cf4pmwAyophsdqLCVSWFQQ41VlKnsnqfeCL3ALXV84W -vYMCpQKTk5ajIxMwaRz5V/RkGs4Y3VJLFg== ------END EC PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAmRuY+9Gg5V4e9hCd2mYek1jKeoaZijz89EPvox78XzoGdxPf +RoukUcTVS9VWN7HyJBjRA9P+KuHI9dX47skxyxH53uXZvRmGQAJBY4cE07JHvGkZ +eK1heXoWlBzYtivckha7bLBfn1ttAzcFCblUfJdzsn9XDuC4Jfn4oSaKn1o8Rzy1 +KRvyLgvsYxMA/XzhyBzVMyoUOulye7EZx4f+AwSNmNHD4OgtxxPofrrMOtXZ2tC6 +xNOexIZXbsB9dyrUW+4pWXYaadU7fl2V+arAJj+NVxV+3tmGGjmd1MiIypPx6BbP +g7xH20nJ/Y0U6V7gklZpYO1i84RbtR/kqBgi9QIDAQABAoIBAEONJJM+KyHnw/tG +246HbcgO7c7fYhDW1bgj3S/4NNsC6+VP1Dv40nftQzphFtgd37rDZDyvJL3gvlyQ +mnMoO5rgBIGuocHH6C6HkDgMUznft7zOFhnjTVVeY2XX0FmXwoqGEw1iR940ZUV8 +2fEvXrJV1AsWGeALj9PZlTPsoE6rv5sUk9Lh3wCD73m7GSg7DzBRE+6bBze8Lmwn +ZzTvmimhgPJw8LR5rRpYbDbhAJLAfgA7/yPgYEPxA/ffry6Ba4epj8tVNUNOAcOf +PURF+uuIF7RceI2PkdvoNuQyVR5oxQUPUfidfVK5ClUmnHECSgb/FFnYC+nU2vSi +IAnmC6ECgYEAyrUFHyxxuIQAiinjBxa0OQ3ynvMxDnF/+zvWe8536Y61lz9dblKb +0xvFhpOEMfiG/zFdZdWJ+xdq7VQVNMHu4USoskG8sZs5zImMTu50kuDNln7xYqVf +SUuN1U7cp7JouI1qkZAOsytPfAgZN/83hLObd07lAvL44jKYaHVeMmkCgYEAwVxZ +wKXpboHwQawA+4ubsnZ36IlOk21/+FlGJiDg/LB643BS+QhgVNxuB2gL1gOCYkhl +6BBcIhWMvZOIIo5uwnv4fQ+WfFwntU9POFViZgbZvkitQtorB7MXc/NU2BDrNYx2 +TBCiRn/9BaZ4fziW8I3Fx3xQ3rKDBXrexmrJQq0CgYEAvYGQYT12r47Qxlo0gcsL +AA/3E/y9jwgzItglQ6eZ2ULup5C4s0wNm8Zp2s+Mlf8HjgpDi9Gf5ptU/r1N+f2Y +awd6QvRMCSraVUr+Xkh1uV7rNNhGqPd75pT460OH7EtRtb+XsrAf3gcOjyEvGnfC +GpCjNl4OobwvS6ELdRTM1IkCgYAHUGX4uo3k5zdeVJJI8ZP3ITIR8retLfQsQbw8 +jvvTsx1C4ynQT7fNHfVvhEkGVGWnMBPivlOt2mDTfvQkUnzwEF5q5J8NnzLFUfWu +LNSnBVVRNFCRec0s4mJduXOZJLKw+No0sGBjCE5a21wte8eB2+sCS7qHYftAxtAM +c1eflQKBgQDGTFsMvpM8BEPTreinTllFBdjeYchcdY/Ov9DZ3mMVopjAWRD81MKM +zM1RCqwLkgv9FvF79B1FLJ1Inr8e/XIGdcrhE1a4sZdIWdqTWQ4xFrlDgxCquq66 +da09WVBRdvq2kVLAMaBViH2/GP1G4ZV9a8+JHuWKj+Arrr52Qeazjw== +-----END RSA PRIVATE KEY----- 
diff --git a/plugins/inputs/socket_listener/testdata/client.pem b/plugins/inputs/socket_listener/testdata/client.pem index 177c9bd8cfba7..d741e6518964e 100644 --- a/plugins/inputs/socket_listener/testdata/client.pem +++ b/plugins/inputs/socket_listener/testdata/client.pem 
@@ -1,10 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIBezCCASCgAwIBAgIBBDAKBggqhkjOPQQDAjAkMRAwDgYDVQQKEwdBY21lIENv -MRAwDgYDVQQDEwdSb290IENBMB4XDTE4MDQxNzAyNDAwNloXDTE5MDQxNzAyNDAw -NlowMjEQMA4GA1UEChMHQWNtZSBDbzEeMBwGA1UEAwwVY2xpZW50X2F1dGhfdGVz -dF9jZXJ0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfp9yWlCj8cf4pmwAyoph -sdqLCVSWFQQ41VlKnsnqfeCL3ALXV84WvYMCpQKTk5ajIxMwaRz5V/RkGs4Y3VJL -FqM1MDMwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1Ud -EwEB/wQCMAAwCgYIKoZIzj0EAwIDSQAwRgIhAMzENYnCp9vbi6WEKKs5Ah5kf5Uq -IQZrsF6rbvX8bUq6AiEAl5pB2DivzzlSO1ME4TUnkH8PuRXoWF4WEhY7EsY7cCA= +MIIEEjCCAfoCCQCmcronmMSqXTANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJV +UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM +BFRlc3QwHhcNMTgwNDE3MDQyNDMwWhcNNDUwOTAyMDQyNDMwWjBVMQswCQYDVQQG +EwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xITAfBgNV +BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAJkbmPvRoOVeHvYQndpmHpNYynqGmYo8/PRD76Me/F86BncT +30aLpFHE1UvVVjex8iQY0QPT/irhyPXV+O7JMcsR+d7l2b0ZhkACQWOHBNOyR7xp +GXitYXl6FpQc2LYr3JIWu2ywX59bbQM3BQm5VHyXc7J/Vw7guCX5+KEmip9aPEc8 +tSkb8i4L7GMTAP184cgc1TMqFDrpcnuxGceH/gMEjZjRw+DoLccT6H66zDrV2drQ +usTTnsSGV27AfXcq1FvuKVl2GmnVO35dlfmqwCY/jVcVft7Zhho5ndTIiMqT8egW +z4O8R9tJyf2NFOle4JJWaWDtYvOEW7Uf5KgYIvUCAwEAATANBgkqhkiG9w0BAQsF +AAOCAgEACJkccOvBavtagiMQc9OLsbo0PkHv7Qk9uTm5Sg9+LjLGUsu+3WLjAAmj +YScHyGbvQzXlwpgo8JuwY0lMNoPfwGuydlJPfOBCbaoAqFp6Vpc/E49J9YovCsqa +2HJUJeuxpf6SiH1Vc1SECjzwzKo03t8ul7t7SNVqA0r9fV4I936FlJOeQ4d5U+Wv +H7c2LmAqbHi2Mwf+m+W6ziOvzp+szspcP2gJDX7hsKEtIlqmHYm2bzZ4fsCuU9xN +3quewBVQUOuParO632yaLgzpGmfzzxLmCPO84lxarJKCxjHG2Q2l30TO/wA44m+r +Wd17HpCT3PkCDG5eSNCSnYqfLm8DE1hLGfHiXxKmrgU94q4wvwVGOlcYa+CQeP9Q +ZW3Tj0Axz0Mqlg1iLLo12+Z/yocSY2nFnFntBFT4qBKNCeD0xH3PxC0HJdK66xBv +MVDE/OE2hBtTTts+vC9yjx4W8thtMSA4VCOgtt5sHjt3ZekiYYh5VZK47Bx/a0uc +8CouRdyppWyPp/cNC+PcGW3YnXpAkxe/bSY/qgfK5kmbeOf+HzvZAIwAH/d9VK0g +AoLNp46eP6U2E2lVvtc/HJ1C/gsiC/1TSIq/kBbYtuIJjhhH3u6IVet7WSD22Akv 
+o5gOpcoKwy8IPDRC5lJEAAVYUKt7ORo2en3OVg6I4FaQmeBFp5s= -----END CERTIFICATE----- diff --git a/plugins/inputs/socket_listener/testdata/server.key b/plugins/inputs/socket_listener/testdata/server.key index e46c137922f34..4ad8e642f6952 100644 --- a/plugins/inputs/socket_listener/testdata/server.key +++ b/plugins/inputs/socket_listener/testdata/server.key 
@@ -1,5 +1,27 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIM6RnKmPvlS8pDPsohwQVFLyHDQyaNKckB3LW97EkDPJoAoGCCqGSM49 -AwEHoUQDQgAEPAtSzaOBtFL6BFEqXLK9B4agy0qpTA/sMUTm9g92hz5Ic+1bVpi7 -33sLjmjjqrYLFust+j+FqpeDRGovUDU0gA== ------END EC PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAzkEDLijGOqXNQPAqUjOz5TLuM28SENauknLtcfIyEN/N6PwZ +re5DjokxtDPp+c9yP/9qtn7+dBfdUXg2Mu7HQz8lAKniir2ZH+axkjp5LUE6vYJd +I1W8lOOc0kXDjozBetgriE0jkgc3v9oDBbLhN5waKR86jpQaNkfnI7/4U3yrlymK +yaT3uD6L1ldUJubdQ/xc1HxdmX8VewBnkK1urYyiRbju2iL9YmtSM72yWXvFsD1O +I4fP/XuiaymicBmXKL4cu6KYdfn1qeLAV3U35xG597M031WmR5o67rc63sqs+Q// +V3dbGqnFXRMkLhoOnuKK0DD28ujY1kctbNQWVQIDAQABAoIBAHFxFJy41H7BXulO +rxhTU6jGoHktqBQW4CGwkKTRf3QEhK6WqlEd8Y5eKzZgL1q1HLPSehEyPCYCUjpT +EgxlhLeZ7XI1/mIs8iG3swconimj7Pj60Nt0dqq1njWRJYQsKua0Kw1m0B+rVKBy ++qKRxondlA32HTD6iIg+eAUTuzO/KzimZcyL9hiT/g6aN9k0H5+qURi8dO7VV8fD +zvP8Y+oOGLwW2ccp+ZjFQizjTOkL4lgldr0hsGQXZJNHL94fA7jPdAxAUbnTicMJ +oXM++L3eCwIVabipGxxlqCMj9Dn8yfbQvRGzP2e76QDeROYZHX4osH6vLcZEjx9i +tJ4J+ekCgYEA82kKzkSKmFo4gZxnqAywlfZ2X2PADuMmHdqdiDFwt54orlMlKf/b +wVSvN/djLXwvFHuyzFmJeMFSHKFkYVTOsh8kPSETAIGkcJEMHD3viYn7DwjkQudY +vB/FpBWSiDT0T7qDUCzW3iMbx/JvTUSp7uO4ZuwOu6t6v3PEZwIChQ8CgYEA2Ov9 +FXHmm7sS54HgvZd6Wk8zLMLIDnyMmECjtYOasJ9c40yQHpRlXsb+Dzn/2xhMMwth +Bln2hIiJ/e+G0bzFu4x0cItRPOQeRNyz5Pal8EsATeUwcX4KRKOZaUpDkV6XV1L0 +r/HSk/wed+90B74sGoJY1qsFflOATIUVs7SIllsCgYEAwhGSB/sl9WqZet1U1+um +LyqeHlfNnREGJu9Sgm/Iyt1S2gp4qw/QCkiWmyym6nEEqHQnjj4lGR4pdaJIAkI3 +ulSR9BsWp2S10voSicHn5eUZQld4hs8lNHiwf66jce2mjJrMb3QQrHOZhsWIcDa6 +tjjhoU28QWzrJRIMGYTEtYkCgYA17NSJlDsj06mra5oXB6Ue9jlekz1wfH3nC4qn +AQRfi/5ncw0QzQs2OHnIBz8XlD69IcMI9SxXXioPuo/la+wr54q6v6d+X6c2rzb5 +YGd4CO0WcDdOv2qGDbWBezi41q8AwlqZsqAKsc5ROnG5ywjjviufkfxXnyJx41O1 +zNd3qQKBgGEy+EwUXD5iGeQxdCDnd6iVu14SoBscHO5SpIeDu3DIhnu+7gPq2VMg +Vp9j/iNVtEA3HyYCOeXc2rz9Di1wwt3YijED4birLAkC5YW6YB9rmLMfCNc1EyLh +BKAkUQN3D+XCN4pXdbKvbkOcfYRUHoD+pPBjRYH020OtPBUc6Wkl +-----END RSA PRIVATE KEY----- 
diff --git a/plugins/inputs/socket_listener/testdata/server.pem b/plugins/inputs/socket_listener/testdata/server.pem index bc000dbeebbce..96cfa0b00a4ca 100644 --- a/plugins/inputs/socket_listener/testdata/server.pem +++ b/plugins/inputs/socket_listener/testdata/server.pem 
@@ -1,11 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIBnTCCAUKgAwIBAgIRAMjiXxeTNq5WuymjNs/SMMQwCgYIKoZIzj0EAwIwJDEQ -MA4GA1UEChMHQWNtZSBDbzEQMA4GA1UEAxMHUm9vdCBDQTAeFw0xODA0MTcwMjQw -MDZaFw0xOTA0MTcwMjQwMDZaMCgxEDAOBgNVBAoTB0FjbWUgQ28xFDASBgNVBAMM -C3Rlc3RfY2VydF8xMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPAtSzaOBtFL6 -BFEqXLK9B4agy0qpTA/sMUTm9g92hz5Ic+1bVpi733sLjmjjqrYLFust+j+FqpeD -RGovUDU0gKNRME8wDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMB -MAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMAoGCCqG -SM49BAMCA0kAMEYCIQC5LOQXoGLQ1q8vuZhg0CBoBtGhJzq1NQgQrvbWOG1XMQIh -AMXysM4Ppawj9uvhYkdgwhIvM8/Ul5AUtb/GOCxqYhL4 +MIIEJjCCAg4CCQCmcronmMSqXDANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJV +UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM +BFRlc3QwHhcNMTgwNDE3MDQyNDAwWhcNNDUwOTAyMDQyNDAwWjBpMQswCQYDVQQG +EwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xITAfBgNV +BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAwwJMTI3LjAuMC4x +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzkEDLijGOqXNQPAqUjOz +5TLuM28SENauknLtcfIyEN/N6PwZre5DjokxtDPp+c9yP/9qtn7+dBfdUXg2Mu7H +Qz8lAKniir2ZH+axkjp5LUE6vYJdI1W8lOOc0kXDjozBetgriE0jkgc3v9oDBbLh +N5waKR86jpQaNkfnI7/4U3yrlymKyaT3uD6L1ldUJubdQ/xc1HxdmX8VewBnkK1u +rYyiRbju2iL9YmtSM72yWXvFsD1OI4fP/XuiaymicBmXKL4cu6KYdfn1qeLAV3U3 +5xG597M031WmR5o67rc63sqs+Q//V3dbGqnFXRMkLhoOnuKK0DD28ujY1kctbNQW +VQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQCVgzqFrehoRAMFLMEL8avfokYtsSYc +50Yug4Es0ISo/PRWGeUnv8k1inyE3Y1iR/gbN5n/yjLXJKEflan6BuqGuukfr2eA +fRdDCyPvzQLABdxCx2n6ByQFxj92z82tizf35R2OMuHHWzTckta+7s5EvxwIiUsd +rUuXp+0ltJzlYYW9xTGFiJO9hAbRgMgZiwL8F7ayic8GmLQ1eRK/DfKDCOH3afeX +MNN5FulgjqNyhXHF33vwgIJynGDg2JEhkWjB1DkUAxll0+SMQoYyVGZVrQSGbGw1 +JhOLc8C8bTzfK3qcJDuyldvjiut+To+lpu76R0u0+sn+wxQFL1uCWuAbMJgGsJgM +ARavu2XDeae9X+e8MgJuN1FYS3tihBplPjMJD3UYRybRvHAvQh26BZ7Ch3JNSNST +AL2l5T7JKU+XaWWeo+crV+AnGIJyqyh9Su/n97PEoZoEMGH4Kcl/n/w2Jms60+5s +K0FK2OGNL42ddUfQiVL9CwYQQo70hydjsIo1x8S6+tSFLMAAysQEToSjfAA6qxDu 
+fgGVMuIYHo0rSkpTVsHVwru08Z5o4m+XDAK0iHalZ4knKsO0lJ+9l7vFnQHlzwt7 +JTjDhnyOKWPIANeWf3PrHPWE7kKpFVBqFBzOvWLJuxDu5NlgLo1PFahsahTqB9bz +qwUyMg/oYWnwqw== -----END CERTIFICATE----- From ff3d6821269d59a6fe6d5f6da88d08282c596925 Mon Sep 17 00:00:00 2001 From: Bob Shannon Date: Tue, 17 Apr 2018 15:33:10 -0400 Subject: [PATCH 9/9] More tests and unix socket support --- .../inputs/socket_listener/socket_listener.go | 8 ++++++ .../socket_listener/socket_listener_test.go | 25 ++++++++++++++++++- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/plugins/inputs/socket_listener/socket_listener.go b/plugins/inputs/socket_listener/socket_listener.go index 249787b5927b8..011a1edb481f4 100644 --- a/plugins/inputs/socket_listener/socket_listener.go +++ b/plugins/inputs/socket_listener/socket_listener.go @@ -338,6 +338,14 @@ func (uc unixCloser) Close() error { return err } +func (uc unixCloser) Accept() (net.Conn, error) { + return uc.closer.(net.Listener).Accept() +} + +func (uc unixCloser) Addr() net.Addr { + return uc.closer.(net.Listener).Addr() +} + func init() { inputs.Add("socket_listener", func() telegraf.Input { return newSocketListener() }) } diff --git a/plugins/inputs/socket_listener/socket_listener_test.go b/plugins/inputs/socket_listener/socket_listener_test.go index acddb916f94b7..b647e724fcedc 100644 --- a/plugins/inputs/socket_listener/socket_listener_test.go +++ b/plugins/inputs/socket_listener/socket_listener_test.go @@ -27,7 +27,7 @@ func testEmptyLog(t *testing.T) func() { } } -func TestSocketListener_tls(t *testing.T) { +func TestSocketListener_tcp_tls(t *testing.T) { defer testEmptyLog(t)() sl := newSocketListener() 
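Review bot: Both new methods use the single-value type assertion `uc.closer.(net.Listener)`, so if `closer` ever holds a value that is only an io.Closer, Accept and Addr panic inside the accept loop instead of returning an error; the field's declared type is outside the hunk, so I cannot tell whether that can happen today. If the wrapped value is always a listener, declaring the field as `net.Listener` and embedding it removes the assertion and the wrapper methods entirely; otherwise use the two-value form `l, ok := uc.closer.(net.Listener)` and return an error when `!ok`.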
@@ -50,6 +50,29 @@ func TestSocketListener_tls(t *testing.T) { testSocketListener(t, sl, secureClient) } +func TestSocketListener_unix_tls(t *testing.T) { + defer testEmptyLog(t)() + + sl := newSocketListener() + sl.ServiceAddress = "unix:///tmp/telegraf_test.sock" + sl.TLSCert = "testdata/server.pem" + sl.TLSKey = "testdata/server.key" + sl.TLSAllowedCACerts = []string{"testdata/ca.pem"} + + acc := &testutil.Accumulator{} + err := sl.Start(acc) + require.NoError(t, err) + defer sl.Stop() + + tlsCfg, err := internal.GetTLSConfig("testdata/client.pem", "testdata/client.key", "testdata/ca.pem", true) + require.NoError(t, err) + + secureClient, err := tls.Dial("unix", "/tmp/telegraf_test.sock", tlsCfg) + require.NoError(t, err) + + testSocketListener(t, sl, secureClient) +} + func TestSocketListener_tcp(t *testing.T) { defer testEmptyLog(t)()
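Review bot: TestSocketListener_unix_tls listens and dials on the fixed path `/tmp/telegraf_test.sock`, so a stale socket file left by an aborted run, or two test processes running at once, makes `sl.Start` fail with an address-in-use error unrelated to TLS; create the socket under a directory from `ioutil.TempDir` and `defer os.RemoveAll` it. The client config is built with the last argument `true`; if that parameter is the insecure-skip-verify flag, this test shows the server verifying the client certificate but never the client verifying the server, which is the part a unix-socket listener most needs covered since no hostname can be derived from the address. Setting `tlsCfg.ServerName` to the name in server.pem and passing `false` would keep verification on, provided the fixture carries a matching name. TestSocketListener_tcp continues outside the hunk.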