Class: Fluent::SecureForwardInput

Inherits:

Input

• Object
• Input
• Fluent::SecureForwardInput

Includes:

Mixin::ConfigPlaceholders

Defined in:

lib/fluent/plugin/in_secure_forward.rb,
lib/fluent/plugin/in_secure_forward.rb

Defined Under Namespace

Classes: Session

Constant Summary

DEFAULT_SECURE_LISTEN_PORT =

24284

Instance Attribute Summary

• #nodes ⇒ Object readonly

  Returns the value of attribute nodes.

• #read_interval ⇒ Object readonly

  Returns the value of attribute read_interval.

• #sessions ⇒ Object readonly

  node/socket/thread list which has sslsocket instance keepaliving to client.

• #socket_interval ⇒ Object readonly

  Returns the value of attribute socket_interval.

Instance Method Summary

• #cert_auto_generate ⇒ Object

  meaningless for security…? not implemented yet config_param :dns_reverse_lookup_check, :bool, :default => false.

• #certificate ⇒ Object
• #configure(conf) ⇒ Object
• #initialize ⇒ SecureForwardInput constructor

  A new instance of SecureForwardInput.

• #on_message(msg) ⇒ Object
• #run ⇒ Object

  sslsocket server thread.

• #select_authenticate_users(node, username) ⇒ Object
• #shutdown ⇒ Object
• #start ⇒ Object

Constructor Details

#initialize ⇒ SecureForwardInput

Returns a new instance of SecureForwardInput.

# File 'lib/fluent/plugin/in_secure_forward.rb', line 66

def initialize
  super
  require 'ipaddr'
  require 'socket'
  require 'openssl'
  require 'digest'
  require 'securerandom'
end

Instance Attribute Details

#nodes ⇒ Object (readonly)

Returns the value of attribute nodes.

# File 'lib/fluent/plugin/in_secure_forward.rb', line 62

def nodes
  @nodes
end

#read_interval ⇒ Object (readonly)

Returns the value of attribute read_interval.

# File 'lib/fluent/plugin/in_secure_forward.rb', line 49

def read_interval
  @read_interval
end

#sessions ⇒ Object (readonly)

node/socket/thread list which has sslsocket instance keepaliving to client

# File 'lib/fluent/plugin/in_secure_forward.rb', line 64

def sessions
  @sessions
end

#socket_interval ⇒ Object (readonly)

Returns the value of attribute socket_interval.

# File 'lib/fluent/plugin/in_secure_forward.rb', line 49

def socket_interval
  @socket_interval
end

Instance Method Details

#cert_auto_generate ⇒ Object

meaningless for security…? not implemented yet config_param :dns_reverse_lookup_check, :bool, :default => false

# File 'lib/fluent/plugin/in_secure_forward.rb', line 33

config_param :cert_auto_generate, :bool, :default => false

#certificate ⇒ Object

# File 'lib/fluent/plugin/in_secure_forward.rb', line 147

def certificate
  return @cert, @key if @cert && @key

  if @cert_auto_generate
    key = OpenSSL::PKey::RSA.generate(@generate_private_key_length)

    digest = OpenSSL::Digest::SHA1.new
    issuer = subject = OpenSSL::X509::Name.new
    subject.add_entry('C', @generate_cert_country)
    subject.add_entry('ST', @generate_cert_state)
    subject.add_entry('L', @generate_cert_locality)
    subject.add_entry('CN', @generate_cert_common_name)

    cer = OpenSSL::X509::Certificate.new
    cer.not_before = Time.at(0)
    cer.not_after = Time.at(0)
    cer.public_key = key
    cer.serial = 1
    cer.issuer = issuer
    cer.subject  = subject
    cer.sign(key, digest)

    @cert = cer
    @key = key
    return @cert, @key
  end

  @cert = OpenSSL::X509::Certificate.new(File.read(@cert_file_path))
  @key = OpenSSL::PKey::RSA.new(File.read(@private_key_file), @private_key_passphrase)
end

#configure(conf) ⇒ Object

# File 'lib/fluent/plugin/in_secure_forward.rb', line 80

def configure(conf)
  super

  unless @cert_auto_generate || @cert_file_path
    raise Fluent::ConfigError, "One of 'cert_auto_generate' or 'cert_file_path' must be specified"
  end

  @read_interval = @read_interval_msec / 1000.0
  @socket_interval = @socket_interval_msec / 1000.0

  @nodes = []

  @clients.each do |client|
    if client.host && client.network
      raise Fluent::ConfigError, "both of 'host' and 'network' are specified for client"
    end
    if !client.host && !client.network
      raise Fluent::ConfigError, "Either of 'host' and 'network' must be specified for client"
    end
    source = nil
    if client.host
      begin
        source = IPSocket.getaddress(client.host)
      rescue SocketError => e
        raise Fluent::ConfigError, "host '#{client.host}' cannot be resolved"
      end
    end
    source_addr = begin
                    IPAddr.new(source || client.network)
                  rescue ArgumentError => e
                    raise Fluent::ConfigError, "network '#{client.network}' address format is invalid"
                  end
    @nodes.push({
        address: source_addr,
        shared_key: (client.shared_key || @shared_key),
        users: (client.users ? client.users.split(',') : nil)
      })
  end

  @generate_cert_common_name ||= @self_hostname
  self.certificate
  true
end

#on_message(msg) ⇒ Object

# File 'lib/fluent/plugin/in_secure_forward.rb', line 207

def on_message(msg)
  # NOTE: copy&paste from Fluent::ForwardInput#on_message(msg)

  # TODO: format error
  tag = msg[0].to_s
  entries = msg[1]

  if entries.class == String
    # PackedForward
    es = MessagePackEventStream.new(entries, @cached_unpacker)
    Fluent::Engine.emit_stream(tag, es)

  elsif entries.class == Array
    # Forward
    es = Fluent::MultiEventStream.new
    entries.each {|e|
      time = e[0].to_i
      time = (now ||= Fluent::Engine.now) if time == 0
      record = e[1]
      es.add(time, record)
    }
    Fluent::Engine.emit_stream(tag, es)

  else
    # Message
    time = msg[1]
    time = Fluent::Engine.now if time == 0
    record = msg[2]
    Fluent::Engine.emit(tag, time, record)
  end
end

#run ⇒ Object

sslsocket server thread

# File 'lib/fluent/plugin/in_secure_forward.rb', line 178

def run # sslsocket server thread
  log.trace "setup for ssl sessions"
  cert, key = self.certificate
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key

  log.trace "start to listen", :bind => @bind, :port => @port
  server = TCPServer.new(@bind, @port)
  log.trace "starting SSL server", :bind => @bind, :port => @port
  @sock = OpenSSL::SSL::SSLServer.new(server, ctx)
  @sock.start_immediately = false
  begin
    log.trace "accepting sessions"
    loop do
      while socket = @sock.accept
        log.trace "accept tcp connection (ssl session not established yet)"
        @sessions.push Session.new(self, socket)

        # cleanup closed session instance
        @sessions.delete_if(&:closed?)
        log.trace "session instances:", :all => @sessions.size, :closed => @sessions.select(&:closed?).size
      end
    end
  rescue OpenSSL::SSL::SSLError => e
    raise unless e.message.start_with?('SSL_accept SYSCALL') # signal trap on accept
  end
end

#select_authenticate_users(node, username) ⇒ Object

# File 'lib/fluent/plugin/in_secure_forward.rb', line 139

def select_authenticate_users(node, username)
  if node.nil? || node[:users].nil?
    @users.select{|u| u.username == username}
  else
    @users.select{|u| node[:users].include?(u.username) && u.username == username}
  end
end

#shutdown ⇒ Object

# File 'lib/fluent/plugin/in_secure_forward.rb', line 132

def shutdown
  @listener.kill
  @listener.join
  @sessions.each{ |s| s.shutdown }
  @sock.close
end

#start ⇒ Object

# File 'lib/fluent/plugin/in_secure_forward.rb', line 124

def start
  super
  OpenSSL::Random.seed(SecureRandom.random_bytes(16))
  @sessions = []
  @sock = nil
  @listener = Thread.new(&method(:run))
end