Improved SSL specs

Fixes elastic#369
emilykmarx · Feb 18, 2016 · fcea9e1 · fcea9e1
1 parent 1e58b96
commit fcea9e1
Show file tree

Hide file tree

Showing 8 changed files with 43 additions and 7 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,5 +1,6 @@
 sudo: false
 before_install:
+  - openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost"   -keyout /tmp/localhost.key -out /tmp/localhost.crt
   - curl -s https://download.elasticsearch.org/elasticsearch/release/org/elasticsearch/distribution/tar/elasticsearch/2.0.0/elasticsearch-2.0.0.tar.gz  > elasticsearch.tar.gz
   - mkdir elasticsearch && tar -xzf elasticsearch.tar.gz --strip-components=1 -C ./elasticsearch/.
   - ln -sn ../../spec/fixtures/scripts elasticsearch/config/.

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 2.5.1
+ - Fix bug where SSL would sometimes not be enabled
+
 ## 2.5.0
  - Host settings now are more robust to bad input
  - Host settings can now take full URLs

diff --git a/lib/logstash/outputs/elasticsearch/http_client.rb b/lib/logstash/outputs/elasticsearch/http_client.rb
@@ -105,7 +105,8 @@ def build_client(options)
       client_settings = options[:client_settings] || {}
       timeout = options[:timeout] || 0
 
-      urls = hosts.map {|host| host_to_url(host, client_settings[:ssl], client_settings[:path])}
+      host_ssl_opt = client_settings[:ssl].nil? ? nil : client_settings[:ssl][:enabled]
+      urls = hosts.map {|host| host_to_url(host, host_ssl_opt, client_settings[:path])}
 
       @client_options = {
         :hosts => urls,
@@ -137,8 +138,10 @@ def host_to_url(host, ssl=nil, path=nil)
                           "https"
                         when false
                           "http"
-                        else
+                        when nil
                           nil
+                        else
+                          raise ArgumentError, "Unexpected SSL value!"
                         end
 
       # Ensure path starts with a /

diff --git a/lib/logstash/outputs/elasticsearch/http_client_builder.rb b/lib/logstash/outputs/elasticsearch/http_client_builder.rb
@@ -59,7 +59,8 @@ def self.setup_proxy(logger, params)
     end
 
     def self.setup_ssl(logger, params)
-      return {} unless params["ssl"]
+      return {} if params["ssl"].nil?
+      return {:ssl => {:enabled => false}} if params["ssl"] == false
 
       cacert, truststore, truststore_password, keystore, keystore_password =
         params.values_at('cacert', 'truststore', 'truststore_password', 'keystore', 'keystore_password')
@@ -68,7 +69,7 @@ def self.setup_ssl(logger, params)
         raise(LogStash::ConfigurationError, "Use either \"cacert\" or \"truststore\" when configuring the CA certificate") if truststore
       end
 
-      ssl_options = {}
+      ssl_options = {:enabled => true}
 
       if cacert
         ssl_options[:ca_file] = cacert

diff --git a/logstash-output-elasticsearch.gemspec b/logstash-output-elasticsearch.gemspec
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-output-elasticsearch'
-  s.version         = '2.5.0'
+  s.version         = '2.5.1'
   s.licenses        = ['apache-2.0']
   s.summary         = "Logstash Output to Elasticsearch"
   s.description     = "Output events to elasticsearch"

diff --git a/spec/unit/outputs/elasticsearch/http_client_spec.rb b/spec/unit/outputs/elasticsearch/http_client_spec.rb
@@ -58,6 +58,10 @@
         it "should handle an ssl url correctly when SSL is nil" do
           expect(subject.send(:host_to_url, https_hostname_port, nil)).to eql(https_hostname_port)
         end
+
+        it "should raise an exception if an unexpected value is passed in" do
+          expect { subject.send(:host_to_url, https_hostname_port, {})}.to raise_error(ArgumentError)
+        end
       end
 
       describe "path" do

diff --git a/spec/unit/outputs/elasticsearch_spec.rb b/spec/unit/outputs/elasticsearch_spec.rb
@@ -175,4 +175,29 @@
     end
   end
 
+  describe "SSL end to end" do
+    shared_examples("an encrypted client connection") do
+      it "should enable SSL in manticore" do
+        expect(eso.client.client_options[:hosts].map {|h| URI.parse(h).scheme}.uniq).to eql(['https'])
+      end
+    end
+
+    let(:eso) {LogStash::Outputs::ElasticSearch.new(options)}
+    subject(:manticore) { eso.client.client}
+
+    before do
+      eso.register
+    end
+
+    context "With the 'ssl' option" do
+      let(:options) { {"ssl" => true}}
+
+      include_examples("an encrypted client connection")
+    end
+
+    context "With an https host" do
+      let(:options) { {"hosts" => "https://localhost"} }
+      include_examples("an encrypted client connection")
+    end
+  end
 end
diff --git a/spec/unit/outputs/elasticsearch_ssl_spec.rb b/spec/unit/outputs/elasticsearch_ssl_spec.rb
@@ -15,7 +15,7 @@
 
     it "should pass the flag to the ES client" do
       expect(::Elasticsearch::Client).to receive(:new) do |args|
-        expect(args[:ssl]).to eq(:verify => false)
+        expect(args[:ssl]).to eq(:enabled => true, :verify => false)
       end
       subject.register
     end
@@ -44,7 +44,6 @@
       next LogStash::Outputs::ElasticSearch.new(settings)
     end
 
-
     it "should pass the keystore parameters to the ES client" do
       expect(::Elasticsearch::Client).to receive(:new) do |args|
         expect(args[:ssl]).to include(:keystore => keystore_path, :keystore_password => "test")