From 44a9de66aab945f664cda98c183803ea91c745e9 Mon Sep 17 00:00:00 2001
From: Edmo Vamerlatti Costa <11836452+edmocosta@users.noreply.github.com>
Date: Mon, 17 Jun 2024 14:18:12 +0200
Subject: [PATCH] Add ssl_enabled option (#44)

This commit added a new ssl_enabled setting for enabling/disabling the other SSL configurations, so plugins using this mixing can easily be compliant with the Logstash SSL standards.
---
 CHANGELOG.md | 3 +++
 lib/logstash/plugin_mixins/http_client.rb | 10 +++++++++
 logstash-mixin-http_client.gemspec | 2 +-
 spec/plugin_mixin/http_client_ssl_spec.rb | 26 +++++++++++++++++++++++
 4 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 01ecfce..f77359c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 7.4.0
+ - Adds new `ssl_enabled` setting for enabling/disabling the SSL configurations [#44](https://github.com/logstash-plugins/logstash-mixin-http_client/pull/44)
+
 ## 7.3.0
 - Adds standardized SSL settings and deprecates their non-standard counterparts. Deprecated settings will continue to work, and will provide pipeline maintainers with guidance toward using their standardized counterparts [#42](https://github.com/logstash-plugins/logstash-mixin-http_client/pull/42)
 - Adds new `ssl_truststore_path`, `ssl_truststore_password`, and `ssl_truststore_type` settings for configuring SSL-trust using a PKCS-12 or JKS trust store, deprecating their `truststore`, `truststore_password`, and `truststore_type` counterparts.
diff --git a/lib/logstash/plugin_mixins/http_client.rb b/lib/logstash/plugin_mixins/http_client.rb
index b1b689a..0970f43 100644
--- a/lib/logstash/plugin_mixins/http_client.rb
+++ b/lib/logstash/plugin_mixins/http_client.rb
@@ -75,6 +75,9 @@ def self.included(base)
 # See https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/impl/conn/PoolingHttpClientConnectionManager.html#setValidateAfterInactivity(int)[these docs for more info]
 base.config :validate_after_inactivity, :validate => :number, :default => 200
+ # Enable/disable the SSL configurations
+ base.config :ssl_enabled, :validate => :boolean, :default => true
+
 # If you need to use a custom X.509 CA (.pem certs) specify the path to that here
 base.config :ssl_certificate_authorities, :validate => :path, :list => :true
@@ -188,6 +191,13 @@ def client_config
 def ssl_options
 options = {}
+
+ unless @ssl_enabled
+ ignored_ssl_settings = original_params.select { |k| k != 'ssl_enabled' && k.start_with?('ssl_') }
+ self.logger.warn("Configured SSL settings are not used when `ssl_enabled` is set to `false`: #{ignored_ssl_settings.keys}") if ignored_ssl_settings.any?
+ return options
+ end
+
 if @ssl_certificate_authorities&.any?
 raise LogStash::ConfigurationError, 'Multiple values on `ssl_certificate_authorities` are not supported by this plugin' if @ssl_certificate_authorities.size > 1
diff --git a/logstash-mixin-http_client.gemspec b/logstash-mixin-http_client.gemspec
index efe6fba..8184163 100644
--- a/logstash-mixin-http_client.gemspec
+++ b/logstash-mixin-http_client.gemspec
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
 s.name = 'logstash-mixin-http_client'
- s.version = '7.3.0'
+ s.version = '7.4.0'
 s.licenses = ['Apache License (2.0)']
 s.summary = "AWS mixins to provide a unified interface for Amazon Webservice"
 s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
diff --git a/spec/plugin_mixin/http_client_ssl_spec.rb b/spec/plugin_mixin/http_client_ssl_spec.rb
index 281e8b2..82d8e42 100644
--- a/spec/plugin_mixin/http_client_ssl_spec.rb
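Review bot: The comment on the new `ssl_enabled` setting in `self.included` does not say what `false` actually does, which matters for a switch that overrides every other TLS option. From the second hunk and the spec, `false` makes `ssl_options` return an empty hash and ignore all configured `ssl_*` settings; what the underlying client then does for an `https` URL is not visible here and should be stated by someone who knows. Suggested wording: `# Enable/disable the SSL settings. When false, all other ssl_* options are ignored (a warning lists them) and the client is built with an empty :ssl configuration`. `self.included` starts and ends outside the hunk.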
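Review bot: The warning in `ssl_options` selects ignored settings with `k.start_with?('ssl_')`, so the deprecated names that the 7.3.0 changelog says continue to work (`truststore`, `truststore_password`, `truststore_type`) would be dropped without any message when `ssl_enabled` is `false`, assuming `original_params` holds the keys as the user wrote them. An operator who configured trust through a legacy setting then gets no signal that it is no longer applied; matching against the full list of SSL-related setting names instead of the prefix would close that gap. Logging `ignored_ssl_settings.keys` rather than the hash is the right call because values can be passwords, and a short comment such as `# names only: values may hold secrets such as ssl_truststore_password` would keep it that way. The block parameter would also read more clearly as `|k, _v|`. `ssl_options` continues past the end of the hunk.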
+++ b/spec/plugin_mixin/http_client_ssl_spec.rb
@@ -339,6 +339,32 @@
 end
 end
 end
+
+ describe 'with ssl_enabled' do
+ context 'set to false' do
+ let(:basic_config) { super().merge('ssl_enabled' => false) }
+ let(:plugin) { plugin_class.new(basic_config) }
+
+ it 'should not configure the client :ssl' do
+ expect(plugin.client_config[:ssl]).to eq({})
+ end
+
+ context 'and another ssl_* config set' do
+ let(:basic_config) { super().merge('ssl_verification_mode' => 'none') }
+ let(:logger_mock) { double('logger') }
+
+ before(:each) do
+ allow(plugin).to receive(:logger).and_return(logger_mock)
+ end
+
+ it 'should log a warn message' do
+ allow(logger_mock).to receive(:warn)
+ plugin.client_config
+ expect(logger_mock).to have_received(:warn).with('Configured SSL settings are not used when `ssl_enabled` is set to `false`: ["ssl_verification_mode"]')
+ end
+ end
+ end
+ end
 end
 end
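Review bot: The nested context `and another ssl_* config set` asserts only the warning, so nothing checks that `client_config[:ssl]` stays `{}` when `ssl_verification_mode => 'none'` is configured, which is the case the early return exists for. Moving `allow(logger_mock).to receive(:warn)` into the `before(:each)` block and adding an example with `expect(plugin.client_config[:ssl]).to eq({})` would pin it. The outer example also never asserts that no warning is emitted when no other `ssl_*` setting is present. An example that sets a secret-bearing option such as `ssl_truststore_password` and checks that only the setting name reaches the log message would guard against a later change logging values.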