Skip to content

Commit

Permalink
Remove deprecated SSL settings
Browse files Browse the repository at this point in the history
This commit marks SSL settings `obsolete` that were previously marked as `deprecated` as part

of the SSL Settings Standardization process implemented in `3.7.0` of this plugin.

Marking these settings as `obsolete` is a *breaking change* that will stop the plugin from starting, and forces users to move to the new standard settings.

This commit makes the following configuration settings obsolete:

This commit cleans up some code to handle duplicate settings, and removes tests that were put in place to support the co-existence of deprecated and non-deprecated settings, replacing them with tests that verify that obsolete settings are identified early, and information about the deprecation is related to the user.
  • Loading branch information
robbavey committed Nov 22, 2024
1 parent 11979ab commit fca12fd
Show file tree
Hide file tree
Showing 5 changed files with 42 additions and 321 deletions.
13 changes: 13 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,16 @@
## 4.0.0
- SSL settings that were marked deprecated in version `3.7.0` are now marked obsolete, and will prevent the plugin from starting.
- These settings are:
- `tls_min_version`, which should be replaced by `ssl_supported_protocols`
- `tls_max_version`, which should be replaced by `ssl_supported_protocols`
- `cipher_suites`, which should bre replaced by `ssl_cipher_suites`
- `ssl`, which should bre replaced by `ssl_enabled`
- `keystore`, which should bre replaced by `ssl_keystore_path`
- `keystore_password`, which should bre replaced by `ssl_keystore_password`
- `ssl_verify_mode`, which should bre replaced by `ssl_client_authentication`
- `verify_mode`, which should bre replaced by `ssl_client_authentication`
- [#182](https://github.com/logstash-plugins/logstash-input-http/pull/182)

## 3.9.2
- Upgrade netty to 4.1.115 [#183](https://github.com/logstash-plugins/logstash-input-http/pull/183)

Expand Down
2 changes: 1 addition & 1 deletion VERSION
Original file line number Diff line number Diff line change
@@ -1 +1 @@
3.9.2
4.0.0
84 changes: 0 additions & 84 deletions docs/index.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -91,17 +91,13 @@ This plugin supports the following configuration options plus the <<plugins-{typ
|=======================================================================
|Setting |Input type|Required
| <<plugins-{type}s-{plugin}-additional_codecs>> |<<hash,hash>>|No
| <<plugins-{type}s-{plugin}-cipher_suites>> |<<array,array>>|__Deprecated__
| <<plugins-{type}s-{plugin}-ecs_compatibility>> | <<string,string>>|No
| <<plugins-{type}s-{plugin}-host>> |<<string,string>>|No
| <<plugins-{type}s-{plugin}-keystore>> |<<path,path>>|__Deprecated__
| <<plugins-{type}s-{plugin}-keystore_password>> |<<password,password>>|__Deprecated__
| <<plugins-{type}s-{plugin}-password>> |<<password,password>>|No
| <<plugins-{type}s-{plugin}-port>> |<<number,number>>|No
| <<plugins-{type}s-{plugin}-max_pending_requests>> |<<number,number>>|No
| <<plugins-{type}s-{plugin}-response_headers>> |<<hash,hash>>|No
| <<plugins-{type}s-{plugin}-response_code>> |<<number,number>>, one of `[200, 201, 202, 204]`|No
| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|__Deprecated__
| <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
| <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
| <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<array,array>>|No
Expand All @@ -117,12 +113,8 @@ This plugin supports the following configuration options plus the <<plugins-{typ
| <<plugins-{type}s-{plugin}-ssl_truststore_password>> |<<password,password>>|No
| <<plugins-{type}s-{plugin}-ssl_truststore_path>> |<<path,path>>|No
| <<plugins-{type}s-{plugin}-ssl_truststore_type>> |<<string,string>>|No
| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|__Deprecated__
| <<plugins-{type}s-{plugin}-threads>> |<<number,number>>|No
| <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|__Deprecated__
| <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|__Deprecated__
| <<plugins-{type}s-{plugin}-user>> |<<string,string>>|No
| <<plugins-{type}s-{plugin}-verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|__Deprecated__
|=======================================================================

Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
Expand All @@ -140,13 +132,6 @@ Apply specific codecs for specific content types.
The default codec will be applied only after this list is checked
and no codec for the request's content-type is found

[id="plugins-{type}s-{plugin}-cipher_suites"]
===== `cipher_suites`
deprecated[3.6.0, Replaced by <<plugins-{type}s-{plugin}-ssl_cipher_suites>>]

* Value type is <<array,array>>

The list of cipher suites to use, listed by priorities.

[id="plugins-{type}s-{plugin}-ecs_compatibility"]
===== `ecs_compatibility`
Expand Down Expand Up @@ -220,23 +205,6 @@ See <<plugins-{type}s-{plugin}-ecs_metadata>> for detailed information.

The host or ip to bind

[id="plugins-{type}s-{plugin}-keystore"]
===== `keystore`
deprecated[3.7.0, Use <<plugins-{type}s-{plugin}-ssl_keystore_path>> instead]

* Value type is <<path,path>>
* There is no default value for this setting.

The JKS keystore to validate the client's certificates

[id="plugins-{type}s-{plugin}-keystore_password"]
===== `keystore_password`
deprecated[3.7.0, Use <<plugins-{type}s-{plugin}-ssl_keystore_password>> instead]

* Value type is <<password,password>>
* There is no default value for this setting.

Set the keystore password

[id="plugins-{type}s-{plugin}-password"]
===== `password`
Expand Down Expand Up @@ -314,16 +282,6 @@ specify a target field for the client host of the http request

specify target field for the client host of the http request

[id="plugins-{type}s-{plugin}-ssl"]
===== `ssl`
deprecated[3.7.0, Replaced by <<plugins-{type}s-{plugin}-ssl_enabled>>]

* Value type is <<boolean,boolean>>
* Default value is `false`

Events are, by default, sent in plain text. You can
enable encryption by setting `ssl` to true and configuring
the `ssl_certificate` and `ssl_key` options.

[id="plugins-{type}s-{plugin}-ssl_certificate"]
===== `ssl_certificate`
Expand Down Expand Up @@ -473,22 +431,6 @@ NOTE: You cannot use this setting and <<plugins-{type}s-{plugin}-ssl_certificate

The format of the truststore file. It must be either `jks` or `pkcs12`.

[id="plugins-{type}s-{plugin}-ssl_verify_mode"]
===== `ssl_verify_mode`
deprecated[3.7.0, Replaced by <<plugins-{type}s-{plugin}-ssl_client_authentication>>]

* Value can be any of: `none`, `peer`, `force_peer`
* Default value is `"none"`

By default the server doesn't do any client verification.

`peer` will make the server ask the client to provide a certificate.
If the client provides a certificate, it will be validated.

`force_peer` will make the server ask the client to provide a certificate.
If the client doesn't provide a certificate, the connection will be closed.

This option needs to be used with <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> and a defined list of CAs.

[id="plugins-{type}s-{plugin}-threads"]
===== `threads`
Expand All @@ -498,23 +440,6 @@ This option needs to be used with <<plugins-{type}s-{plugin}-ssl_certificate_aut

Number of threads to use for both accepting connections and handling requests

[id="plugins-{type}s-{plugin}-tls_max_version"]
===== `tls_max_version`
deprecated[3.6.0]

* Value type is <<number,number>>

The maximum TLS version allowed for the encrypted connections.
The value must be the one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3

[id="plugins-{type}s-{plugin}-tls_min_version"]
===== `tls_min_version`
deprecated[3.6.0]

* Value type is <<number,number>>

The minimum TLS version allowed for the encrypted connections.
The value must be one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3

[id="plugins-{type}s-{plugin}-user"]
===== `user`
Expand All @@ -524,15 +449,6 @@ The value must be one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 fo

Username for basic authorization

[id="plugins-{type}s-{plugin}-verify_mode"]
===== `verify_mode`
deprecated[3.6.0, Replaced by <<plugins-{type}s-{plugin}-ssl_verify_mode>>]

* Value can be any of: `none`, `peer`, `force_peer`
* Default value is `"none"`

Set the client certificate verification method. Valid methods: none, peer, force_peer


[id="plugins-{type}s-{plugin}-common-options"]
include::{include_path}/{type}.asciidoc[]
Expand Down
91 changes: 9 additions & 82 deletions lib/logstash/inputs/http.rb
Original file line number Diff line number Diff line change
Expand Up @@ -55,11 +55,6 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
# Password for basic authorization
config :password, :validate => :password, :required => false

# Events are by default sent in plain text. You can
# enable encryption by setting `ssl` to true and configuring
# the `ssl_certificate` and `ssl_key` options.
config :ssl, :validate => :boolean, :default => false, :deprecated => "Set 'ssl_enabled' instead."

# Events are by default sent in plain text. You can
# enable encryption by setting `ssl` to true and configuring
# the `ssl_certificate` and `ssl_key` options.
Expand Down Expand Up @@ -108,17 +103,6 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
# This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
config :ssl_client_authentication, :validate => %w[none optional required], :default => 'none'

# By default the server doesn't do any client verification.
#
# `peer` will make the server ask the client to provide a certificate.
# If the client provides a certificate, it will be validated.
#
# `force_peer` will make the server ask the client to provide a certificate.
# If the client doesn't provide a certificate, the connection will be closed.
#
# This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
config :ssl_verify_mode, :validate => ["none", "peer", "force_peer"], :default => "none", :deprecated => "Set 'ssl_client_authentication' instead."

# Time in milliseconds for an incomplete ssl handshake to timeout
config :ssl_handshake_timeout, :validate => :number, :default => 10000

Expand Down Expand Up @@ -150,25 +134,15 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base

config :response_code, :validate => [200, 201, 202, 204], :default => 200

# Deprecated options

# The JKS keystore to validate the client's certificates
config :keystore, :validate => :path, :deprecated => "Set 'ssl_keystore_path' instead."

# The JKS keystore password
config :keystore_password, :validate => :password, :deprecated => "Set 'ssl_keystore_password' instead."

config :verify_mode, :validate => ['none', 'peer', 'force_peer'], :default => 'none', :deprecated => "Set 'ssl_client_authentication' instead."

config :cipher_suites, :validate => :array, :default => [], :deprecated => "Set 'ssl_cipher_suites' instead."

# The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
# 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
config :tls_min_version, :validate => :number, :default => TLS.min.version, :deprecated => "Set 'ssl_supported_protocols' instead."

# The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
# 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
config :tls_max_version, :validate => :number, :default => TLS.max.version, :deprecated => "Set 'ssl_supported_protocols' instead."
# Obsolete Settings
config :ssl, :validate => :boolean, :default => false, :obsolete => "Set 'ssl_enabled' instead."
config :keystore, :validate => :path, :obsolete => "Set 'ssl_keystore_path' instead."
config :keystore_password, :validate => :password, :obsolete => "Set 'ssl_keystore_password' instead."
config :verify_mode, :validate => ['none', 'peer', 'force_peer'], :default => 'none', :obsolete => "Set 'ssl_client_authentication' instead."
config :cipher_suites, :validate => :array, :default => [], :obsolete => "Set 'ssl_cipher_suites' instead."
config :tls_min_version, :validate => :number, :default => TLS.min.version, :obsolete => "Set 'ssl_supported_protocols' instead."
config :tls_max_version, :validate => :number, :default => TLS.max.version, :obsolete => "Set 'ssl_supported_protocols' instead."
config :ssl_verify_mode, :validate => ["none", "peer", "force_peer"], :default => "none", :obsolete => "Set 'ssl_client_authentication' instead."

attr_reader :codecs

Expand Down Expand Up @@ -200,8 +174,6 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
public
def register

setup_ssl_params!

validate_ssl_settings!

if @user && @password
Expand Down Expand Up @@ -342,34 +314,6 @@ def validate_ssl_settings!
end

def setup_ssl_params!
@ssl_enabled = normalize_config(:ssl_enabled) do |normalizer|
normalizer.with_deprecated_alias(:ssl)
end

@ssl_cipher_suites = normalize_config(:ssl_cipher_suites) do |normalizer|
normalizer.with_deprecated_alias(:cipher_suites)
end

@ssl_supported_protocols = normalize_config(:ssl_supported_protocols) do |normalizer|
normalizer.with_deprecated_mapping(:tls_min_version, :tls_max_version) do |tls_min_version, tls_max_version|
TLS.get_supported(tls_min_version..tls_max_version).map(&:name)
end
end

@ssl_client_authentication = normalize_config(:ssl_client_authentication) do |normalizer|
normalizer.with_deprecated_mapping(:verify_mode, :ssl_verify_mode) do |verify_mode, ssl_verify_mode|
normalize_ssl_client_authentication_value!(verify_mode, ssl_verify_mode)
end
end

@ssl_keystore_path = normalize_config(:ssl_keystore_path) do |normalizer|
normalizer.with_deprecated_alias(:keystore)
end

@ssl_keystore_password = normalize_config(:ssl_keystore_password) do |normalizer|
normalizer.with_deprecated_alias(:keystore_password)
end

params['ssl_enabled'] = @ssl_enabled unless @ssl_enabled.nil?
params['ssl_cipher_suites'] = @ssl_cipher_suites unless @ssl_cipher_suites.nil?
params['ssl_supported_protocols'] = @ssl_supported_protocols unless @ssl_supported_protocols.nil?
Expand All @@ -378,17 +322,6 @@ def setup_ssl_params!
params['ssl_keystore_password'] = @ssl_keystore_password unless @ssl_keystore_password.nil?
end

def normalize_ssl_client_authentication_value!(verify_mode, ssl_verify_mode)
verify_mode_explicitly_set = original_params.key?("verify_mode")

if verify_mode_explicitly_set && original_params.key?("ssl_verify_mode")
raise LogStash::ConfigurationError, "Both (deprecated) `ssl_verify_mode` and `verify_mode` were set. Use only `ssl_verify_mode`"
end

deprecated_value = (verify_mode_explicitly_set ? verify_mode : ssl_verify_mode).downcase
SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP[deprecated_value]
end

def create_http_server(message_handler)
org.logstash.plugins.inputs.http.NettyHttpServer.new(
@host, @port, message_handler, build_ssl_params, @threads, @max_pending_requests, @max_content_length, @response_code)
Expand Down Expand Up @@ -467,13 +400,7 @@ def ssl_client_authentication_optional?
end

def provided_ssl_client_authentication_config(values = [@ssl_client_authentication])
if original_params.include?('ssl_verify_mode')
['ssl_verify_mode', *values.map { |v| SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP.key(v) }]
elsif original_params.include?('verify_mode')
['verify_mode', *values.map { |v| SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP.key(v) }]
else
['ssl_client_authentication', *values]
end
end

private
Expand Down
Loading

0 comments on commit fca12fd

Please sign in to comment.