Remove deprecated SSL settings and simplify SSL configuration

This commit removes deprecated SSL settings and their handling logic: - Replace `ssl` with `ssl_enabled` - Replace `ca_file` with `ssl_certificate_authorities` - Replace `ssl_certificate_verification` with `ssl_verification_mode` Additional changes to simplify SSL handling: - Always set trust strategy regardless of SSL status - Simplify `setup_ssl_params!` to only handle SSL inference when not explicitly configured The functionality remains the same but now uses only the modern SSL configuration options. SSL enablement is still inferred from hosts when not explicitly set, but the logic is simplified and more maintainable.
logstash-plugins · Nov 12, 2024 · 48ebe73 · 48ebe73
1 parent ef8874c
commit 48ebe73
Showing 1 changed file with 5 additions and 45 deletions.
diff --git a/lib/logstash/inputs/elasticsearch.rb b/lib/logstash/inputs/elasticsearch.rb
@@ -198,23 +198,12 @@ class LogStash::Inputs::Elasticsearch < LogStash::Inputs::Base
   # Set the address of a forward HTTP proxy.
   config :proxy, :validate => :uri_or_empty
 
-  # SSL
-  config :ssl, :validate => :boolean, :default => false, :deprecated => "Set 'ssl_enabled' instead."
-
-  # SSL Certificate Authority file in PEM encoded format, must also include any chain certificates as necessary
-  config :ca_file, :validate => :path, :deprecated => "Set 'ssl_certificate_authorities' instead."
-
   # OpenSSL-style X.509 certificate certificate to authenticate the client
   config :ssl_certificate, :validate => :path
 
   # SSL Certificate Authority files in PEM encoded format, must also include any chain certificates as necessary
   config :ssl_certificate_authorities, :validate => :path, :list => true
 
-  # Option to validate the server's certificate. Disabling this severely compromises security.
-  # For more information on the importance of certificate verification please read
-  # https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
-  config :ssl_certificate_verification, :validate => :boolean, :default => true, :deprecated => "Set 'ssl_verification_mode' instead."
-
   # The list of cipher suites to use, listed by priorities.
   # Supported cipher suites vary depending on which version of Java is used.
   config :ssl_cipher_suites, :validate => :string, :list => true
@@ -404,10 +393,9 @@ def validate_authentication
   def setup_client_ssl
     ssl_options = {}
     ssl_options[:ssl] = true if @ssl_enabled
+    ssl_options[:trust_strategy] = trust_strategy_for_ca_trusted_fingerprint
 
     unless @ssl_enabled
-      # Keep it backward compatible with the deprecated `ssl` option
-      ssl_options[:trust_strategy] = trust_strategy_for_ca_trusted_fingerprint if original_params.include?('ssl')
       return ssl_options
     end
 
@@ -465,44 +453,16 @@ def setup_client_ssl
 
     protocols = params['ssl_supported_protocols']
     ssl_options[:protocols] = protocols if protocols&.any?
-    ssl_options[:trust_strategy] = trust_strategy_for_ca_trusted_fingerprint
 
     ssl_options
   end
 
   def setup_ssl_params!
-    @ssl_enabled = normalize_config(:ssl_enabled) do |normalize|
-      normalize.with_deprecated_alias(:ssl)
-    end
-
-    # Infer the value if neither the deprecate `ssl` and `ssl_enabled` were set
-    infer_ssl_enabled_from_hosts
-
-    @ssl_certificate_authorities = normalize_config(:ssl_certificate_authorities) do |normalize|
-      normalize.with_deprecated_mapping(:ca_file) do |ca_file|
-        [ca_file]
-      end
-    end
-
-    @ssl_verification_mode = normalize_config(:ssl_verification_mode) do |normalize|
-      normalize.with_deprecated_mapping(:ssl_certificate_verification) do |ssl_certificate_verification|
-        if ssl_certificate_verification == true
-          "full"
-        else
-          "none"
-        end
-      end
+    # Only infer ssl_enabled if it wasn't explicitly set
+    unless original_params.include?('ssl_enabled')
+      @ssl_enabled = effectively_ssl?
+      params['ssl_enabled'] = @ssl_enabled
     end
-
-    params['ssl_enabled'] = @ssl_enabled
-    params['ssl_certificate_authorities'] = @ssl_certificate_authorities unless @ssl_certificate_authorities.nil?
-    params['ssl_verification_mode'] = @ssl_verification_mode unless @ssl_verification_mode.nil?
-  end
-
-  def infer_ssl_enabled_from_hosts
-    return if original_params.include?('ssl') || original_params.include?('ssl_enabled')
-
-    @ssl_enabled = params['ssl_enabled'] = effectively_ssl?
   end
 
   def setup_hosts