Class: Fluent::SecureForwardInput

Inherits:

Input

• Object
• Input
• Fluent::SecureForwardInput

Includes:

Mixin::ConfigPlaceholders

Defined in:

lib/fluent/plugin/in_secure_forward.rb,
lib/fluent/plugin/in_secure_forward.rb

Defined Under Namespace

Classes: Session

Constant Summary

DEFAULT_SECURE_LISTEN_PORT =

24284

Instance Attribute Summary

• #nodes ⇒ Object readonly

  <user> username .…

• #read_interval ⇒ Object readonly

  Returns the value of attribute read_interval.

• #sessions ⇒ Object readonly

  <client> host ipaddr/hostname shared_key .…

• #socket_interval ⇒ Object readonly

  Returns the value of attribute socket_interval.

• #users ⇒ Object readonly

  list of (username, password) by <user> tag.

Instance Method Summary

• #cert_auto_generate ⇒ Object

  meaningless for security…? not implemented yet config_param :dns_reverse_lookup_check, :bool, :default => false.

• #certificate ⇒ Object
• #configure(conf) ⇒ Object
• #initialize ⇒ SecureForwardInput constructor

  A new instance of SecureForwardInput.

• #on_message(msg) ⇒ Object
• #run ⇒ Object

  sslsocket server thread.

• #select_authenticate_users(node, username) ⇒ Object
• #shutdown ⇒ Object
• #start ⇒ Object

Constructor Details

#initialize ⇒ SecureForwardInput

Returns a new instance of SecureForwardInput.

# File 'lib/fluent/plugin/in_secure_forward.rb', line 65

def initialize
  super
  require 'socket'
  require 'openssl'
  require 'digest'
end

Instance Attribute Details

#nodes ⇒ Object (readonly)

<user>

username ....
password ....

</user>

# File 'lib/fluent/plugin/in_secure_forward.rb', line 56

def nodes
  @nodes
end

#read_interval ⇒ Object (readonly)

Returns the value of attribute read_interval.

# File 'lib/fluent/plugin/in_secure_forward.rb', line 49

def read_interval
  @read_interval
end

#sessions ⇒ Object (readonly)

<client>

host ipaddr/hostname
shared_key .... # optional shared key
users username,list,of,allowed

</client>

# File 'lib/fluent/plugin/in_secure_forward.rb', line 63

def sessions
  @sessions
end

#socket_interval ⇒ Object (readonly)

Returns the value of attribute socket_interval.

# File 'lib/fluent/plugin/in_secure_forward.rb', line 49

def socket_interval
  @socket_interval
end

#users ⇒ Object (readonly)

list of (username, password) by <user> tag

# File 'lib/fluent/plugin/in_secure_forward.rb', line 51

def users
  @users
end

Instance Method Details

#cert_auto_generate ⇒ Object

meaningless for security…? not implemented yet config_param :dns_reverse_lookup_check, :bool, :default => false

# File 'lib/fluent/plugin/in_secure_forward.rb', line 33

config_param :cert_auto_generate, :bool, :default => false

#certificate ⇒ Object

# File 'lib/fluent/plugin/in_secure_forward.rb', line 141

def certificate
  return @cert, @key if @cert && @key

  if @cert_auto_generate
    key = OpenSSL::PKey::RSA.generate(@generate_private_key_length)

    digest = OpenSSL::Digest::SHA1.new
    issuer = subject = OpenSSL::X509::Name.new
    subject.add_entry('C', @generate_cert_country)
    subject.add_entry('ST', @generate_cert_state)
    subject.add_entry('L', @generate_cert_locality)
    subject.add_entry('CN', @generate_cert_common_name)

    cer = OpenSSL::X509::Certificate.new
    cer.not_before = Time.at(0)
    cer.not_after = Time.at(0)
    cer.public_key = key
    cer.serial = 1
    cer.issuer = issuer
    cer.subject  = subject
    cer.sign(key, digest)

    @cert = cer
    @key = key
    return @cert, @key
  end

  @cert = OpenSSL::X509::Certificate.new(File.read(@cert_file_path))
  @key = OpenSSL::PKey::RSA.new(File.read(@private_key_file), @private_key_passphrase)
end

#configure(conf) ⇒ Object

# File 'lib/fluent/plugin/in_secure_forward.rb', line 77

def configure(conf)
  super

  unless @cert_auto_generate || @cert_file_path
    raise Fluent::ConfigError, "One of 'cert_auto_generate' or 'cert_file_path' must be specified"
  end

  @read_interval = @read_interval_msec / 1000.0
  @socket_interval = @socket_interval_msec / 1000.0

  @users = []
  @nodes = []
  conf.elements.each do |element|
    case element.name
    when 'user'
      unless element['username'] && element['password']
        raise Fluent::ConfigError, "username/password pair missing in <user>"
      end
      @users.push({
          username: element['username'],
          password: element['password']
        })
    when 'client'
      unless element['host']
        raise Fluent::ConfigError, "host missing in <client>"
      end
      @nodes.push({
          host: element['host'],
          shared_key: (element['shared_key'] || @shared_key),
          users: (element['users'] ? element['users'].split(',') : nil),
        })
    else
      raise Fluent::ConfigError, "unknown config tag name"
    end
  end

  @generate_cert_common_name ||= @self_hostname
  self.certificate
  true
end

#on_message(msg) ⇒ Object

# File 'lib/fluent/plugin/in_secure_forward.rb', line 197

def on_message(msg)
  # NOTE: copy&paste from Fluent::ForwardInput#on_message(msg)

  # TODO: format error
  tag = msg[0].to_s
  entries = msg[1]

  if entries.class == String
    # PackedForward
    es = MessagePackEventStream.new(entries, @cached_unpacker)
    Fluent::Engine.emit_stream(tag, es)

  elsif entries.class == Array
    # Forward
    es = Fluent::MultiEventStream.new
    entries.each {|e|
      time = e[0].to_i
      time = (now ||= Fluent::Engine.now) if time == 0
      record = e[1]
      es.add(time, record)
    }
    Fluent::Engine.emit_stream(tag, es)

  else
    # Message
    time = msg[1]
    time = Fluent::Engine.now if time == 0
    record = msg[2]
    Fluent::Engine.emit(tag, time, record)
  end
end

#run ⇒ Object

sslsocket server thread

# File 'lib/fluent/plugin/in_secure_forward.rb', line 172

def run # sslsocket server thread
  log.trace "setup for ssl sessions"
  cert, key = self.certificate
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key

  log.trace "start to listen", :bind => @bind, :port => @port
  server = TCPServer.new(@bind, @port)
  log.trace "starting SSL server", :bind => @bind, :port => @port
  @sock = OpenSSL::SSL::SSLServer.new(server, ctx)
  @sock.start_immediately = false
  begin
    log.trace "accepting sessions"
    loop do
      while socket = @sock.accept
        log.trace "accept tcp connection (ssl session not established yet)"
        @sessions.push Session.new(self, socket)
      end
    end
  rescue OpenSSL::SSL::SSLError => e
    raise unless e.message.start_with?('SSL_accept SYSCALL') # signal trap on accept
  end
end

#select_authenticate_users(node, username) ⇒ Object

# File 'lib/fluent/plugin/in_secure_forward.rb', line 133

def select_authenticate_users(node, username)
  if node.nil? || node[:users].nil?
    @users.select{|u| u[:username] == username}
  else
    @users.select{|u| node[:users].include?(u[:username]) && u[:username] == username}
  end
end

#shutdown ⇒ Object

# File 'lib/fluent/plugin/in_secure_forward.rb', line 126

def shutdown
  @listener.kill
  @listener.join
  @sessions.each{ |s| s.shutdown }
  @sock.close
end

#start ⇒ Object

# File 'lib/fluent/plugin/in_secure_forward.rb', line 118

def start
  super
  OpenSSL::Random.seed(File.read("/dev/urandom", 16))
  @sessions = []
  @sock = nil
  @listener = Thread.new(&method(:run))
end