Ported tests and minor adjusts

CHANGELOG.md

@@ -1,3 +1,17 @@
+## 7.3.0
+  - Standardized SSL settings: [#42](https://github.com/logstash-plugins/logstash-mixin-http_client/pull/42)  
+    - Deprecated `cacert` in favor of `ssl_certificate_authorities`
+    - Deprecated`client_cert` in favor of `ssl_certificate`
+    - Deprecated `client_key` in favor of `ssl_key`
+    - Deprecated `keystore` in favor of `ssl_keystore_path`
+    - Deprecated `keystore_password` in favor of `ssl_keystore_password`
+    - Deprecated `keystore_type` in favor of `ssl_keystore_type`
+    - Deprecated `truststore` in favor of `ssl_truststore_path`
+    - Deprecated `truststore_password` in favor of `ssl_truststore_password`
+    - Deprecated `truststore_type` in favor of `ssl_truststore_type`
+  - Added a module configuration to disable the deprecated SSL configs `:with_deprecated`
+  - Added the `ssl_cipher_suites` option
+
 ## 7.2.0
   - Feat: add `ssl_supported_protocols` option [#40](https://github.com/logstash-plugins/logstash-mixin-http_client/pull/40) 
 

lib/logstash/plugin_mixins/http_client.rb

@@ -80,6 +80,7 @@ def self.included(base)
 
       # If you'd like to use a client certificate (note, most people don't want this) set the path to the x509 cert here
       base.config :ssl_certificate, :validate => :path
+
       # If you're using a client certificate specify the path to the encryption key here
       base.config :ssl_key, :validate => :path
 
@@ -90,15 +91,22 @@ def self.included(base)
       # Note, most .jks files created with keytool require a password!
       base.config :ssl_keystore_password, :validate => :password
 
-      # Specify the keystore type here. One of `JKS` or `PKCS12`. Default is `JKS`
-      base.config :ssl_keystore_type, :validate => %w(pkcs12 jks), :default => "jks"
+      # Specify the keystore type here. One of `jks` or `pkcs12`.
+      # The default value is inferred from the filename.
+      # Note: If it's unable to determine the type based on the filename, it uses the
+      # `keystore.type` security property, or "jks" as default value.
+      base.config :ssl_keystore_type, :validate => %w(pkcs12 jks)
 
       # Naming aligned with the Elastic stack.
       #   full: verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the
       #         server’s hostname (or IP address) matches the names identified within the certificate
       #   none: no verification of the server’s certificate
       base.config :ssl_verification_mode, :validate => ['full', 'none'], :default => 'full'
 
+      # The list of cipher suites to use, listed by priorities.
+      # Supported cipher suites vary depending on which version of Java is used.
+      base.config :ssl_cipher_suites, :validate => :string, :list => true
+
       # NOTE: the default setting [] uses Java SSL engine defaults.
       base.config :ssl_supported_protocols, :validate => ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'], :default => [], :list => true
 
@@ -109,8 +117,11 @@ def self.included(base)
       # Note, most .jks files created with keytool require a password!
       base.config :ssl_truststore_password, :validate => :password
 
-      # Specify the truststore type here. One of `JKS` or `PKCS12`. Default is `JKS`
-      base.config :ssl_truststore_type, :validate => %w(pkcs12 jks), :default => "jks"
+      # Specify the truststore type here. One of `JKS` or `PKCS12`.
+      # The default value is inferred from the filename.
+      # Note: If it's unable to determine the type based on the filename, it uses the
+      # `keystore.type` security property, or "jks" as default value.
+      base.config :ssl_truststore_type, :validate => %w(pkcs12 jks)
 
       # Enable cookie support. With this enabled the client will persist cookies
       # across requests as a normal web browser would. Enabled by default

lib/logstash/plugin_mixins/http_client/deprecated_ssl_config_support.rb

@@ -38,14 +38,20 @@ def initialize(*a)
         end
       end
 
+      params['ssl_certificate_authorities'] = @ssl_certificate_authorities unless @ssl_certificate_authorities.nil?
+
       @ssl_certificate = normalize_config(:ssl_certificate) do |normalize|
         normalize.with_deprecated_alias(:client_cert)
       end
 
+      params['ssl_certificate'] = @ssl_certificate unless @ssl_certificate.nil?
+
       @ssl_key = normalize_config(:ssl_key) do |normalize|
         normalize.with_deprecated_alias(:client_key)
       end
 
+      params['ssl_key'] = @ssl_key unless @ssl_key.nil?
+
       %w[keystore truststore].each do |store|
         %w[path type password].each do |variable|
           config_name = "ssl_#{store}_#{variable}"

logstash-mixin-http_client.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-mixin-http_client'
-  s.version         = '7.2.0'
+  s.version         = '7.3.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "AWS mixins to provide a unified interface for Amazon Webservice"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"

spec/plugin_mixin/http_client_spec.rb

@@ -30,79 +30,6 @@ class Dummy < LogStash::Inputs::Base
     expect(impl.send(:client)).to eql(impl.client)
   end
 
-  shared_examples "setting ca bundles" do |key, type|
-    subject { Dummy.new(conf).send(:client_config) }
-
-    it "should correctly set the path" do
-      expect(subject[:ssl][key]).to eql(path), "Expected to find path for #{key}"
-    end
-
-    if type == :jks
-      let(:store_password) { conf["#{key}_password"] }
-      let(:store_type) { conf["#{key}_type"]}
-
-      it "should set the bundle password" do
-        expect(subject[:ssl]["#{key}_password".to_sym]).to eql(store_password)
-      end
-
-      it "should set the bundle type" do
-        expect(subject[:ssl]["#{key}_type".to_sym]).to eql(store_type)
-      end
-    end
-  end
-
-  shared_examples 'a deprecated setting with guidance' do |deprecations_and_guidance|
-
-    let(:logger_stub) { double('Logger').as_null_object }
-
-    before(:each) do
-      allow(Dummy).to receive(:logger).and_return(logger_stub)
-    end
-
-    deprecations_and_guidance.each do |deprecated_setting_name, canonical_setting_name|
-      it "emits a warning about the setting `#{deprecated_setting_name}` being deprecated and provides guidance to use `#{canonical_setting_name}`" do
-        Dummy.new(conf)
-
-        deprecation_text = "deprecated config setting \"#{deprecated_setting_name}\" set"
-        guidance_text = "Use `#{canonical_setting_name}` instead"
-
-        expect(logger_stub).to have_received(:warn).with(a_string_including(deprecation_text).and(including(guidance_text)), anything)
-      end
-    end
-  end
-
-  describe "with a custom ssl bundle" do
-    let(:file) { Stud::Temporary.file }
-    let(:path) { file.path }
-    after { File.unlink(path)}
-
-    context "with x509" do
-      let(:conf) { basic_config.merge("cacert" => path) }
-
-      include_examples("setting ca bundles", :ca_file)
-
-      it_behaves_like('a deprecated setting with guidance',
-                      'cacert' => 'ssl_certificate_authorities')
-    end
-
-    context "with JKS" do
-      let(:conf) {
-        basic_config.merge(
-          "truststore" => path,
-          "truststore_password" => "foobar",
-          "truststore_type" => "jks"
-        )
-      }
-
-      include_examples("setting ca bundles", :truststore, :jks)
-
-      it_behaves_like('a deprecated setting with guidance',
-                      'truststore' => 'ssl_truststore_path',
-                      'truststore_password' => 'ssl_truststore_password',
-                      'truststore_type' => 'ssl_truststore_type')
-    end
-  end
-
   describe "with a custom validate_after_activity" do
     subject { Dummy.new(client_config).send(:client_config) }
 
@@ -149,146 +76,4 @@ class Dummy < LogStash::Inputs::Base
       end
     end
   end
-
-  ["keystore", "truststore"].each do |store|
-    describe "with a custom #{store}" do
-      let(:file) { Stud::Temporary.file }
-      let(:path) { file.path }
-      let(:password) { "foo" }
-      after { File.unlink(path)}
-
-      let(:conf) {
-        basic_config.merge(
-          store => path,
-          "#{store}_password" => password,
-          "#{store}_type" => "jks"
-        ).compact
-      }
-
-      include_examples("setting ca bundles", store.to_sym, :jks)
-
-
-
-      it_behaves_like('a deprecated setting with guidance',
-                      "#{store}" => "ssl_#{store}_path",
-                      "#{store}_password" => "ssl_#{store}_password",
-                      "#{store}_type" => "ssl_#{store}_type")
-
-      context "with no password set" do
-        let(:password) { nil }
-
-        it "should raise an error" do
-          expect do
-            Dummy.new(conf).client_config
-          end.to raise_error(LogStash::ConfigurationError)
-        end
-      end
-    end
-  end
-
-  describe "with a client cert" do
-    let(:file) { Stud::Temporary.file }
-    let(:path) { file.path }
-    after { File.unlink(path)}
-
-    context "with correct client certs" do
-      let(:conf) { basic_config.merge("client_cert" => path, "client_key" => path) }
-
-      it "should create without error" do
-        expect {
-          Dummy.new(conf).client_config
-        }.not_to raise_error
-      end
-
-      it_behaves_like('a deprecated setting with guidance',
-                      'client_cert' => 'ssl_certificate',
-                      'client_key' => 'ssl_key')
-    end
-
-    shared_examples("raising a configuration error") do
-      it "should raise an error error" do
-        expect {
-          Dummy.new(conf).client_config
-        }.to raise_error(LogStash::PluginMixins::HttpClient::InvalidHTTPConfigError)
-      end
-    end
-
-    context "without a key" do
-      let(:conf) { basic_config.merge("client_cert" => path) }
-
-      include_examples("raising a configuration error")
-    end
-
-    context "without a cert" do
-      let(:conf) { basic_config.merge("client_key" => path) }
-
-      include_examples("raising a configuration error")
-    end
-  end
-
-  describe "with verify mode" do
-    let(:file) { Stud::Temporary.file }
-    let(:path) { file.path }
-    after { File.unlink(path)}
-
-    context "default" do
-      let(:conf) { basic_config }
-
-      it "sets manticore verify to :strict" do
-        expect( Dummy.new(conf).client_config[:ssl] ).to include :verify => :strict
-      end
-    end
-
-    context "'full'" do
-      let(:conf) { basic_config.merge("ssl_verification_mode" => 'full') }
-
-      it "sets manticore verify to :strict" do
-        expect( Dummy.new(conf).client_config[:ssl] ).to include :verify => :strict
-      end
-    end
-
-    context "'none'" do
-      let(:conf) { basic_config.merge("ssl_verification_mode" => 'none') }
-
-      it "sets manticore verify to :disable" do
-        expect( Dummy.new(conf).client_config[:ssl] ).to include :verify => :disable
-      end
-    end
-
-  end
-
-  describe "with supported protocols" do
-    context "default" do
-      let(:conf) { basic_config }
-
-      it "does not set manticore protocols option" do
-        expect( Dummy.new(conf).client_config[:ssl] ).to_not include :protocols
-      end
-    end
-
-    context "empty" do
-      let(:conf) { basic_config.merge("ssl_supported_protocols" => []) }
-
-      it "does not set manticore protocols option" do
-        expect( Dummy.new(conf).client_config[:ssl] ).to_not include :protocols
-      end
-    end
-
-    context "'TLSv1.3'" do
-      let(:conf) { basic_config.merge("ssl_supported_protocols" => ['TLSv1.3']) }
-
-      it "sets manticore protocols option" do
-        expect( Dummy.new(conf).client_config[:ssl] ).to include :protocols => ['TLSv1.3']
-      end
-    end
-
-    context "'TLSv1.2' and 'TLSv1.3'" do
-      let(:conf) { basic_config.merge("ssl_supported_protocols" => ['TLSv1.3', 'TLSv1.2']) }
-
-      it "sets manticore protocols option" do
-        expect( Dummy.new(conf).client_config[:ssl] ).to include :protocols => ['TLSv1.3', 'TLSv1.2']
-      end
-    end
-
-  end
 end