From 21ba198ffb900f363c955a4e260a215c8b3f7b3e Mon Sep 17 00:00:00 2001 From: Rob Bavey Date: Thu, 14 Feb 2019 15:12:15 -0500 Subject: [PATCH 1/2] Improve consistency of messaging around `ssl_verify_mode` Ensure that log messages use the correct settings and values for `ssl_verify_mode`. Use downcased version of `force_peer` and `peer` in ruby code and logs consistently rather than mixing cases. --- lib/logstash/inputs/beats.rb | 6 +++--- spec/inputs/beats_spec.rb | 19 ++++++++++++++----- 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/lib/logstash/inputs/beats.rb b/lib/logstash/inputs/beats.rb index 5d65df93..09f676be 100644 --- a/lib/logstash/inputs/beats.rb +++ b/lib/logstash/inputs/beats.rb @@ -145,11 +145,11 @@ def register end if @ssl && require_certificate_authorities? && !client_authentification? - raise LogStash::ConfigurationError, "Using `verify_mode` set to PEER or FORCE_PEER, requires the configuration of `certificate_authorities`" + raise LogStash::ConfigurationError, "Using `ssl_verify_mode` set to `peer` or `force_peer`, requires the configuration of `certificate_authorities`" end if client_authentication_metadata? && !require_certificate_authorities? - raise LogStash::ConfigurationError, "Enabling `peer_metadata` requires using `verify_mode` set to PEER or FORCE_PEER" + raise LogStash::ConfigurationError, "Enabling `peer_metadata` requires using `ssl_verify_mode` set to `peer` or `force_peer`" end # Logstash 6.x breaking change (introduced with 4.0.0 of this gem) @@ -217,7 +217,7 @@ def client_authentication_metadata? end def client_authentication_required? - @ssl_verify_mode == "force_peer" + @ssl_verify_mode == "force_peer" end def require_certificate_authorities? diff --git a/spec/inputs/beats_spec.rb b/spec/inputs/beats_spec.rb index cb5341fd..0c88f633 100644 --- a/spec/inputs/beats_spec.rb +++ b/spec/inputs/beats_spec.rb 
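Review bot: In `register` (hunk at -145) the reworded errors still call the CA option `certificate_authorities`, while the spec configs in this same patch set it as `ssl_certificate_authorities`. Since the commit's stated aim is that messages use the correct setting names, the first message should end with "requires the configuration of `ssl_certificate_authorities`", so an operator turning on client-certificate verification is pointed at the key they actually have to set. The `peer_metadata` name in the second message is worth checking against the declared option in the same way; its declaration is not visible here. The same string is asserted verbatim in the `peer` and `force_peer` contexts of spec/inputs/beats_spec.rb, so those expectations need the matching edit. `register` starts and ends outside the hunk.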
@@ -62,13 +62,22 @@ end end - context "verify_mode" do - context "verify_mode configured to PEER" do + context "ssl_verify_mode" do + context 'ssl_verify_mode requires downcased values' do + let(:config) { {"ssl_certificate_authorities" => [certificate.ssl_cert], "port" => 0, "ssl" => true, "ssl_verify_mode" => "PEER", "ssl_certificate" => certificate.ssl_cert, "ssl_key" => certificate.ssl_key, "type" => "example", "tags" => "Beats"} } + + it "raise a ConfigurationError when ssl_verify_mode is not downcased" do + expect {LogStash::Inputs::Beats.new(config)}.to raise_error(LogStash::ConfigurationError) + end + + end + + context "ssl_verify_mode configured to peer" do let(:config) { { "port" => 0, "ssl" => true, "ssl_verify_mode" => "peer", "ssl_certificate" => certificate.ssl_cert, "ssl_key" => certificate.ssl_key, "type" => "example", "tags" => "Beats"} } it "raise a ConfigurationError when certificate_authorities is not set" do plugin = LogStash::Inputs::Beats.new(config) - expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "Using `verify_mode` set to PEER or FORCE_PEER, requires the configuration of `certificate_authorities`") + expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "Using `ssl_verify_mode` set to `peer` or `force_peer`, requires the configuration of `certificate_authorities`") end it "doesn't raise a configuration error when certificate_authorities is set" do 
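Review bot: The new `ssl_verify_mode requires downcased values` context exercises only `"PEER"` and asserts only the exception class, so it would also pass if `Beats.new` raised a ConfigurationError for an unrelated key in that config hash. Because patch 2/2 drops `.upcase` from both branches in `create_server`, the same expectation should cover `"FORCE_PEER"` and one mixed-case value, for example by wrapping the `let`/`it` pair in `%w[PEER FORCE_PEER Peer].each do |mode|`. A one-line comment above the context, such as `# rejected by setting validation in .new, before register runs`, would explain why this example calls `new` while its neighbours call `plugin.register`; that the rejection happens in validation is presumed from the expectation and should be confirmed. The enclosing `describe` block starts and ends outside the hunk.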
@@ -78,12 +87,12 @@ end end - context "verify_mode configured to FORCE_PEER" do + context "ssl_verify_mode configured to force_peer" do let(:config) { { "port" => 0, "ssl" => true, "ssl_verify_mode" => "force_peer", "ssl_certificate" => certificate.ssl_cert, "ssl_key" => certificate.ssl_key, "type" => "example", "tags" => "Beats"} } it "raise a ConfigurationError when certificate_authorities is not set" do plugin = LogStash::Inputs::Beats.new(config) - expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "Using `verify_mode` set to PEER or FORCE_PEER, requires the configuration of `certificate_authorities`") + expect {plugin.register}.to raise_error(LogStash::ConfigurationError, "Using `ssl_verify_mode` set to `peer` or `force_peer`, requires the configuration of `certificate_authorities`") end it "doesn't raise a configuration error when certificate_authorities is set" do From 19d7506ab87c3d438ede2349f78d64563e2a6d87 Mon Sep 17 00:00:00 2001 From: Rob Bavey Date: Mon, 25 Feb 2019 13:18:45 -0500 Subject: [PATCH 2/2] Update other instance of inconsistent capialization --- lib/logstash/inputs/beats.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/logstash/inputs/beats.rb b/lib/logstash/inputs/beats.rb index 09f676be..5b77c5cc 100644 --- a/lib/logstash/inputs/beats.rb +++ b/lib/logstash/inputs/beats.rb @@ -177,9 +177,9 @@ def create_server ssl_builder.setHandshakeTimeoutMilliseconds(@ssl_handshake_timeout) if client_authentification? - if @ssl_verify_mode.upcase == "FORCE_PEER" + if @ssl_verify_mode == "force_peer" ssl_builder.setVerifyMode(org.logstash.netty.SslSimpleBuilder::SslClientVerifyMode::FORCE_PEER) - elsif @ssl_verify_mode.upcase == "PEER" + elsif @ssl_verify_mode == "peer" ssl_builder.setVerifyMode(org.logstash.netty.SslSimpleBuilder::SslClientVerifyMode::VERIFY_PEER) end ssl_builder.setCertificateAuthorities(@ssl_certificate_authorities)
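Review bot: In `create_server` (patch 2/2, hunk at -177) the `if`/`elsif` on `@ssl_verify_mode` has no `else`. With `.upcase` gone, any value other than the exact strings `force_peer` and `peer` skips `setVerifyMode` while `setCertificateAuthorities` is still called, leaving the builder on whatever verify mode it defaults to. That is safe only if the setting's validation rejects other spellings before this point, which the spec added in patch 1/2 suggests but this hunk does not show. I would record that dependency above the branch, e.g. `# ssl_verify_mode is validated to lowercase values at config time; any other value keeps the builder's default verify mode`, and write the first test as `if client_authentication_required?` so the `"force_peer"` literal lives in one place. `create_server` and `client_authentification?` are defined outside the hunk, so whether a non-matching value can reach this branch cannot be confirmed from here.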