Fix syslog tls min version. Add test coverage for all TLS plugins. #393

Merged
merged 3 commits into from
Feb 8, 2022
1 change: 1 addition & 0 deletions .gitignore
@@ -1,2 +1,3 @@
./temp/plugins
temp/
test/tls/
1 change: 1 addition & 0 deletions Makefile
@@ -3,6 +3,7 @@ PLUGINS := $(shell ls ./plugins)

.PHONY: test
test:
bash scripts/test_certificate.sh
$(MAKE) for-all CMD="go clean -testcache ./..."
$(MAKE) for-all CMD="go test ./..."

2 changes: 1 addition & 1 deletion plugins/rsyslog.yaml
@@ -125,7 +125,7 @@ pipeline:
enable: {{ $tls_enable }}
certificate: {{ $tls_certificate }}
private_key: {{ $tls_private_key }}
min_version: "{{ $tls_min_version }}"
min_version: {{ $tls_min_version }}
add_labels: true
output: rsyslog_parser
# {{ end }}
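Review bot: Dropping the quotes around `{{ $tls_min_version }}` changes the rendered scalar from a YAML string to a YAML number (`1.2` instead of `"1.2"`), and nothing in the hunk records why, so the next reader may well "fix" it back; the same edit appears in plugins/syslog.yaml, plugins/syslogng.yaml and plugins/tcp.yaml. Presumably the receiving operator's `min_version` field is numeric and the quoted form failed to parse, which the PR title implies but the hunk does not show — please confirm. A one-line comment above the rendered key would pin the intent: `# keep min_version unquoted: quoting it broke TLS config parsing (#393)`. Note also that an unquoted expansion renders `min_version:` (null) if the parameter is ever empty, so this now relies on the parameter keeping its enum and default, which are defined outside the hunk.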
2 changes: 1 addition & 1 deletion plugins/syslog.yaml
@@ -129,7 +129,7 @@ pipeline:
enable: {{ $tls_enable }}
certificate: {{ $tls_certificate }}
private_key: {{ $tls_private_key }}
min_version: "{{ $tls_min_version }}"
min_version: {{ $tls_min_version }}
add_labels: true
output: syslog_parser
# {{ end }}
2 changes: 1 addition & 1 deletion plugins/syslogng.yaml
@@ -125,7 +125,7 @@ pipeline:
enable: {{ $tls_enable }}
certificate: {{ $tls_certificate }}
private_key: {{ $tls_private_key }}
min_version: "{{ $tls_min_version }}"
min_version: {{ $tls_min_version }}
add_labels: true
output: syslogng_parser
# {{ end }}
2 changes: 1 addition & 1 deletion plugins/tcp.yaml
@@ -88,7 +88,7 @@ pipeline:
enable: {{ $enable_tls }}
certificate: {{ $certificate_file }}
private_key: {{ $private_key_file }}
min_version: "{{ $min_version }}"
min_version: {{ $min_version }}
# {{ end }}

- type: move
79 changes: 79 additions & 0 deletions scripts/test_certificate.sh
@@ -0,0 +1,79 @@
#!/usr/bin/env bash

set -e

rm -rf test/tls
mkdir -p test/tls
touch test/tls/index.txt
echo 00 > test/tls/serial

cat <<- EOF > test/tls/openssl.conf
[ ca ]
default_ca = my_ca
[ my_ca ]
database = test/tls/index.txt
serial = test/tls/serial
new_certs_dir = test/tls/
x509_extensions = my_cert
name_opt = ca_default
cert_opt = ca_default
default_md = default
policy = policy_match
# 'copy_extensions' will copy over SAN ("X509v3 Subject Alternative Name") from CSR
copy_extensions = copy
[ my_cert ]
basicConstraints = CA:FALSE
nsComment = "generated by github.com/observiq/stanza-plugins"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ policy_match ]
# ensure CSR fields match that of delivered Cert
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF

# certificate authority
openssl genrsa -out test/tls/plugins-ca.key 2048
openssl req -new -x509 -sha256 \
-key test/tls/plugins-ca.key \
-out test/tls/plugins-ca.crt \
-days 10950 \
-subj "/C=US/ST=Michigan/L=GrandRapids/O=observIQ/OU=plugins/CN=plugins-ca"

# certificate
openssl genrsa -out test/tls/plugins.key 2048
openssl req -new -key test/tls/plugins.key -out test/tls/plugins.csr \
-subj "/C=US/ST=Michigan/L=GrandRapids/O=observIQ/OU=plugins/CN=localhost" \
-addext "subjectAltName=DNS:localhost,DNS:plugins.plugins-dev.svc.cluster.local"
openssl ca \
-create_serial \
-cert test/tls/plugins-ca.crt \
-keyfile test/tls/plugins-ca.key \
-days 9125 \
-in test/tls/plugins.csr \
-batch \
-config test/tls/openssl.conf \
-out test/tls/plugins.crt

# append ca.crt to server certificate
cat test/tls/plugins-ca.crt >> test/tls/plugins.crt

# client cert
openssl genrsa -out test/tls/plugins-client.key 2048
openssl req -new -key test/tls/plugins-client.key -out test/tls/plugins-client.csr \
-subj "/C=US/ST=Michigan/L=GrandRapids/O=observIQ/OU=plugins/CN=plugins-dev-client"
openssl ca \
-create_serial \
-cert test/tls/plugins-ca.crt \
-keyfile test/tls/plugins-ca.key \
-days 9125 \
-in test/tls/plugins-client.csr \
-batch \
-config test/tls/openssl.conf \
-out test/tls/plugins-client.crt

chmod 0644 test/tls/*
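Review bot: `chmod 0644 test/tls/*` on the last line makes the three private keys (`plugins-ca.key`, `plugins.key`, `plugins-client.key`) world-readable; they are throwaway fixtures, but 0600 for private keys is the convention and costs nothing, so follow it with `chmod 0600 test/tls/*.key` (or say in a comment why the keys must be readable by other users). `openssl req -addext`, used for the SAN on the server CSR, needs OpenSSL 1.1.1 or newer, and with `set -e` an older toolchain will only show up as an unexplained failure; a comment stating the requirement, or an `openssl version` check near the top, would help. The CA and leaf lifetimes (10950 and 9125 days) are long for material the script wipes and regenerates on every `make test`; a short lifetime such as 365 days would do.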
8 changes: 8 additions & 0 deletions test/configs/http/valid/tls.yaml
@@ -0,0 +1,8 @@
pipeline:
- type: http
listen_port: 9090
enable_tls: true
certificate_file: ./tls/plugins.crt
private_key_file: ./tls/plugins.key
min_version: "1.3"
- type: stdout
5 changes: 5 additions & 0 deletions test/configs/rsyslog/invalid/invalid_connection_type.yaml
@@ -0,0 +1,5 @@
pipeline:
- type: rsyslog
listen_port: 5140
connection_type: socket
- type: stdout
5 changes: 5 additions & 0 deletions test/configs/rsyslog/invalid/invalid_ip.yaml
@@ -0,0 +1,5 @@
pipeline:
- type: rsyslog
listen_port: 5140
listen_ip: 1.1
- type: stdout
5 changes: 5 additions & 0 deletions test/configs/rsyslog/invalid/invalid_ip_type.yaml
@@ -0,0 +1,5 @@
pipeline:
- type: rsyslog
listen_port: 5140
listen_ip: 100
- type: stdout
4 changes: 4 additions & 0 deletions test/configs/rsyslog/invalid/invalid_port_type.yaml
@@ -0,0 +1,4 @@
pipeline:
- type: rsyslog
listen_port: "5140"
- type: stdout
8 changes: 8 additions & 0 deletions test/configs/rsyslog/invalid/invalid_tls_crt.yaml
@@ -0,0 +1,8 @@
pipeline:
- type: rsyslog
listen_port: 5140
connection_type: tcp
tls_enable: true
tls_certificate: ./tls/plugins.crt.doesnotexist
tls_private_key: ./tls/plugins.key
- type: stdout
8 changes: 8 additions & 0 deletions test/configs/rsyslog/invalid/invalid_tls_key.yaml
@@ -0,0 +1,8 @@
pipeline:
- type: rsyslog
listen_port: 5140
connection_type: tcp
tls_enable: true
tls_certificate: ./tls/plugins.crt
tls_private_key: ./tls/plugins.key.doesnotexist
- type: stdout
9 changes: 9 additions & 0 deletions test/configs/rsyslog/invalid/invalid_tls_min_version.yaml
@@ -0,0 +1,9 @@
pipeline:
- type: rsyslog
listen_port: 5140
connection_type: tcp
tls_enable: true
tls_certificate: ./tls/plugins.crt
tls_private_key: ./tls/plugins.key
tls_min_version: "2.2"
- type: stdout
10 changes: 10 additions & 0 deletions test/configs/rsyslog/invalid/invalid_tls_min_version_1.0.yaml
@@ -0,0 +1,10 @@
pipeline:
- type: rsyslog
listen_port: 5140
connection_type: tcp
tls_enable: true
tls_certificate: ./tls/plugins.crt
tls_private_key: ./tls/plugins.key
# value is valid but 1.1 is the min allowed by enum
tls_min_version: "1.0"
- type: stdout
10 changes: 10 additions & 0 deletions test/configs/rsyslog/invalid/invalid_tls_min_version_type.yaml
@@ -0,0 +1,10 @@
pipeline:
- type: rsyslog
listen_port: 5140
connection_type: tcp
tls_enable: true
tls_certificate: ./tls/plugins.crt
tls_private_key: ./tls/plugins.key
# should be string
tls_min_version: 1.3
- type: stdout
4 changes: 4 additions & 0 deletions test/configs/rsyslog/valid/minimal.yaml
@@ -0,0 +1,4 @@
pipeline:
- type: rsyslog
listen_port: 5140
- type: stdout
5 changes: 5 additions & 0 deletions test/configs/rsyslog/valid/minimal_tcp.yaml
@@ -0,0 +1,5 @@
pipeline:
- type: rsyslog
listen_port: 5140
connection_type: tcp
- type: stdout
5 changes: 5 additions & 0 deletions test/configs/rsyslog/valid/minimal_udp.yaml
@@ -0,0 +1,5 @@
pipeline:
- type: rsyslog
listen_port: 5140
connection_type: udp
- type: stdout
8 changes: 8 additions & 0 deletions test/configs/rsyslog/valid/tls.yaml
@@ -0,0 +1,8 @@
pipeline:
- type: rsyslog
listen_port: 5140
connection_type: tcp
tls_enable: true
tls_certificate: ./tls/plugins.crt
tls_private_key: ./tls/plugins.key
- type: stdout
9 changes: 9 additions & 0 deletions test/configs/rsyslog/valid/tls_1.1.yaml
@@ -0,0 +1,9 @@
pipeline:
- type: rsyslog
listen_port: 5140
connection_type: tcp
tls_enable: true
tls_certificate: ./tls/plugins.crt
tls_private_key: ./tls/plugins.key
tls_min_version: "1.1"
- type: stdout
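Review bot: This fixture asserts that `"1.1"` is accepted as a TLS minimum; TLS 1.0 and 1.1 are deprecated by RFC 8996, so the enum floor defined in the plugin (not part of this diff) is the place to tighten, and when that happens this file should move to `invalid/` next to `invalid_tls_min_version_1.0.yaml`. A comment on the `tls_min_version` line would record that, e.g. `# 1.1 is the current enum floor (deprecated by RFC 8996); move to invalid/ if the floor is raised`.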
9 changes: 9 additions & 0 deletions test/configs/rsyslog/valid/tls_1.2.yaml
@@ -0,0 +1,9 @@
pipeline:
- type: rsyslog
listen_port: 5140
connection_type: tcp
tls_enable: true
tls_certificate: ./tls/plugins.crt
tls_private_key: ./tls/plugins.key
tls_min_version: "1.3"
- type: stdout
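Review bot: The fixture is named `tls_1.2.yaml` but sets `tls_min_version: "1.3"`, which duplicates `tls_1.3.yaml` and leaves the `"1.2"` enum value, the one most deployments would choose, without a valid-config test. Change the line to `tls_min_version: "1.2"`. The syslog counterpart, if the PR adds one, is not visible on this page, so check it for the same copy-paste slip.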
9 changes: 9 additions & 0 deletions test/configs/rsyslog/valid/tls_1.3.yaml
@@ -0,0 +1,9 @@
pipeline:
- type: rsyslog
listen_port: 5140
connection_type: tcp
tls_enable: true
tls_certificate: ./tls/plugins.crt
tls_private_key: ./tls/plugins.key
tls_min_version: "1.3"
- type: stdout
12 changes: 12 additions & 0 deletions test/configs/rsyslog/valid/udp_with_bad_tls.yaml
@@ -0,0 +1,12 @@
# udp skips tls config, so a bad tls config should still run
pipeline:
- type: rsyslog
listen_port: 5140
connection_type: udp
tls_enable: true
# bad paths do not matter because the certificate is never read due to being in
# udp mode
tls_certificate: ./tls/plugins.crt.bad
tls_private_key: ./tls/plugins.key.bad
tls_min_version: "1.3" # this must be valid because it is checked at when plugin is compiled
- type: stdout
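Review bot: The trailing comment on the `tls_min_version` line reads "checked at when plugin is compiled", which is garbled and pushes the line well past 80 columns; move it above the key and fix the wording, e.g. `# must be a valid enum value: it is checked when the plugin is compiled, even in udp mode`. That also makes the two "bad paths do not matter" comments and this one read as one explanation of why the fixture is in `valid/`.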
5 changes: 5 additions & 0 deletions test/configs/syslog/invalid/invalid_connection_type.yaml
@@ -0,0 +1,5 @@
pipeline:
- type: syslog
listen_port: 5140
connection_type: socket
- type: stdout
5 changes: 5 additions & 0 deletions test/configs/syslog/invalid/invalid_ip.yaml
@@ -0,0 +1,5 @@
pipeline:
- type: syslog
listen_port: 5140
listen_ip: 1.1
- type: stdout
5 changes: 5 additions & 0 deletions test/configs/syslog/invalid/invalid_ip_type.yaml
@@ -0,0 +1,5 @@
pipeline:
- type: syslog
listen_port: 5140
listen_ip: 100
- type: stdout
4 changes: 4 additions & 0 deletions test/configs/syslog/invalid/invalid_port_type.yaml
@@ -0,0 +1,4 @@
pipeline:
- type: syslog
listen_port: "5140"
- type: stdout
8 changes: 8 additions & 0 deletions test/configs/syslog/invalid/invalid_tls_crt.yaml
@@ -0,0 +1,8 @@
pipeline:
- type: syslog
listen_port: 5140
connection_type: tcp
tls_enable: true
tls_certificate: ./tls/plugins.crt.doesnotexist
tls_private_key: ./tls/plugins.key
- type: stdout
8 changes: 8 additions & 0 deletions test/configs/syslog/invalid/invalid_tls_key.yaml
@@ -0,0 +1,8 @@
pipeline:
- type: syslog
listen_port: 5140
connection_type: tcp
tls_enable: true
tls_certificate: ./tls/plugins.crt
tls_private_key: ./tls/plugins.key.doesnotexist
- type: stdout
9 changes: 9 additions & 0 deletions test/configs/syslog/invalid/invalid_tls_min_version.yaml
@@ -0,0 +1,9 @@
pipeline:
- type: syslog
listen_port: 5140
connection_type: tcp
tls_enable: true
tls_certificate: ./tls/plugins.crt
tls_private_key: ./tls/plugins.key
tls_min_version: "2.2"
- type: stdout
10 changes: 10 additions & 0 deletions test/configs/syslog/invalid/invalid_tls_min_version_1.0.yaml
@@ -0,0 +1,10 @@
pipeline:
- type: syslog
listen_port: 5140
connection_type: tcp
tls_enable: true
tls_certificate: ./tls/plugins.crt
tls_private_key: ./tls/plugins.key
# value is valid but 1.1 is the min allowed by enum
tls_min_version: "1.0"
- type: stdout
10 changes: 10 additions & 0 deletions test/configs/syslog/invalid/invalid_tls_min_version_type.yaml
@@ -0,0 +1,10 @@
pipeline:
- type: syslog
listen_port: 5140
connection_type: tcp
tls_enable: true
tls_certificate: ./tls/plugins.crt
tls_private_key: ./tls/plugins.key
# should be string
tls_min_version: 1.3
- type: stdout
4 changes: 4 additions & 0 deletions test/configs/syslog/valid/minimal.yaml
@@ -0,0 +1,4 @@
pipeline:
- type: syslog
listen_port: 5140
- type: stdout
5 changes: 5 additions & 0 deletions test/configs/syslog/valid/minimal_tcp.yaml
@@ -0,0 +1,5 @@
pipeline:
- type: syslog
listen_port: 5140
connection_type: tcp
- type: stdout