Added missing SSL settings

Author: edmocosta

CHANGELOG.md

@@ -1,5 +1,11 @@
 ## 11.14.0
- - Reviewed and deprecated SSL settings to comply with Logstash's naming convention [#1115](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1115)
+ - Added SSL settings for: [#1115](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1115)
+   - `ssl_truststore_type`: The format of the truststore file
+   - `ssl_keystore_type`: The format of the keystore file
+   - `ssl_certificate`: OpenSSL-style X.509 certificate file to authenticate the client
+   - `ssl_key`: OpenSSL-style RSA private key that corresponds to the `ssl_certificate`
+   - `ssl_cipher_suites`: The list of cipher suites
+ - Reviewed and deprecated SSL settings to comply with Logstash's naming convention
    - Deprecated `ssl` in favor of `ssl_enabled`
    - Deprecated `cacert` in favor of `ssl_certificate_authorities`
    - Deprecated `keystore` in favor of `ssl_keystore_path`

docs/index.asciidoc

@@ -359,14 +359,19 @@ This plugin supports the following configuration options plus the
 | <<plugins-{type}s-{plugin}-sniffing_delay>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-sniffing_path>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|__Deprecated__
+| <<plugins-{type}s-{plugin}-ssl_certificate>> |<<path,path>>|No
 | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |list of <<path,path>>|No
 | <<plugins-{type}s-{plugin}-ssl_certificate_verification>> |<<boolean,boolean>>|__Deprecated__
+| <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |list of <<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl_enabled>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-ssl_key>> |<<path,path>>|No
 | <<plugins-{type}s-{plugin}-ssl_keystore_password>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_keystore_path>> |<<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_keystore_type>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl_truststore_password>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_truststore_path>> |<<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_truststore_type>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl_verification_mode>> |<<string,string>>, one of `["full", "none"]`|No
 | <<plugins-{type}s-{plugin}-template>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-template_api>> |<<string,string>>, one of `["auto", "legacy", "composable"]`|No
@@ -787,6 +792,8 @@ deprecated[8.8.0, Replaced by <<plugins-{type}s-{plugin}-ssl_keystore_path>>]
 The keystore used to present a certificate to the server.
 It can be either .jks or .p12
 
+NOTE: You cannot use this setting and `ssl_certificate` at the same time.
+
 [id="plugins-{type}s-{plugin}-keystore_password"]
 ===== `keystore_password`
 deprecated[8.8.0, Replaced by <<plugins-{type}s-{plugin}-ssl_keystore_password>>]
@@ -1055,6 +1062,15 @@ Enable SSL/TLS secured communication to Elasticsearch cluster.
 Leaving this unspecified will use whatever scheme is specified in the URLs listed in <<plugins-{type}s-{plugin}-hosts>> or extracted from the <<plugins-{type}s-{plugin}-cloud_id>>.
 If no explicit protocol is specified plain HTTP will be used.
 
+[id="plugins-{type}s-{plugin}-ssl_certificate"]
+===== `ssl_certificate`
+  * Value type is <<path,path>>
+  * There is no default value for this setting.
+
+SSL certificate to use to authenticate the client. This certificate should be an OpenSSL-style X.509 certificate file.
+
+NOTE: This setting can be used only if `ssl_key` is set.
+
 [id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
 ===== `ssl_certificate_authorities`
 
@@ -1063,6 +1079,8 @@ If no explicit protocol is specified plain HTTP will be used.
 
 The .cer or .pem files to validate the server's certificate.
 
+NOTE: You cannot use this setting and `ssl_truststore_path` at the same time.
+
 [id="plugins-{type}s-{plugin}-ssl_certificate_verification"]
 ===== `ssl_certificate_verification`
 deprecated[8.8.0, Replaced by <<plugins-{type}s-{plugin}-ssl_verification_mode>>]
@@ -1074,6 +1092,14 @@ Option to validate the server's certificate. Disabling this severely compromises
 For more information on disabling certificate verification please read
 https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
 
+[id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
+===== `ssl_cipher_suites`
+  * Value type is a list of <<string,string>>
+  * There is no default value for this setting
+
+The list of cipher suites to use, listed by priorities.
+Supported cipher suites vary depending on which version of Java is used.
+
 [id="plugins-{type}s-{plugin}-ssl_enabled"]
 ===== `ssl_enabled`
 
@@ -1084,6 +1110,15 @@ Enable SSL/TLS secured communication to Elasticsearch cluster.
 Leaving this unspecified will use whatever scheme is specified in the URLs listed in <<plugins-{type}s-{plugin}-hosts>> or extracted from the <<plugins-{type}s-{plugin}-cloud_id>>.
 If no explicit protocol is specified plain HTTP will be used.
 
+[id="plugins-{type}s-{plugin}-ssl_key"]
+===== `ssl_key`
+  * Value type is <<path,path>>
+  * There is no default value for this setting.
+
+OpenSSL-style RSA private key that corresponds to the `ssl_certificate`.
+
+NOTE: This setting can be used only if `ssl_certificate` is set.
+
 [id="plugins-{type}s-{plugin}-ssl_keystore_password"]
 ===== `ssl_keystore_password`
 
@@ -1101,6 +1136,16 @@ Set the keystore password
 The keystore used to present a certificate to the server.
 It can be either .jks or .p12
 
+NOTE: You cannot use this setting and `ssl_certificate` at the same time.
+
+[id="plugins-{type}s-{plugin}-ssl_keystore_type"]
+===== `ssl_keystore_type`
+
+  * Value can be any of: `jks`, `pkcs12`
+  * If not provided, the value will be inferred from the keystore filename.
+
+The format of the keystore file. It must be either `jks` or `pkcs12`.
+
 [id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
 ===== `ssl_supported_protocols`
 
@@ -1134,7 +1179,16 @@ Set the truststore password
 
 The truststore to validate the server's certificate.
 It can be either .jks or .p12.
-Use either `:truststore` or `:cacert`.
+
+NOTE: You cannot use this setting and `ssl_certificate_authorities` at the same time.
+
+[id="plugins-{type}s-{plugin}-ssl_truststore_type"]
+===== `ssl_truststore_type`
+
+* Value can be any of: `jks`, `pkcs12`
+* If not provided, the value will be inferred from the truststore filename.
+
+The format of the truststore file. It must be either `jks` or `pkcs12`.
 
 [id="plugins-{type}s-{plugin}-ssl_verification_mode"]
 ===== `ssl_verification_mode`

lib/logstash/outputs/elasticsearch/http_client_builder.rb

@@ -112,28 +112,44 @@ def self.setup_ssl(logger, params)
 
       return {:ssl => {:enabled => false}} if params["ssl_enabled"] == false
 
-      ssl_certificate_authorities, ssl_truststore_path, ssl_truststore_password, ssl_keystore_path, ssl_keystore_password, ssl_verification_mode =
-        params.values_at('ssl_certificate_authorities', 'ssl_truststore_path', 'ssl_truststore_password', 'ssl_keystore_path', 'ssl_keystore_password', 'ssl_verification_mode')
+      ssl_certificate_authorities, ssl_truststore_path, ssl_certificate, ssl_keystore_path = params.values_at('ssl_certificate_authorities', 'ssl_truststore_path', 'ssl_certificate', 'ssl_keystore_path')
 
       if ssl_certificate_authorities && ssl_truststore_path
-        raise(LogStash::ConfigurationError, "Use either \"ssl_certificate_authorities\" or \"ssl_truststore_path\" when configuring the CA certificate")
+        raise(LogStash::ConfigurationError, 'Use either "ssl_certificate_authorities/cacert" or "ssl_truststore_path/truststore" when configuring the CA certificate')
+      end
+
+      if ssl_certificate && ssl_keystore_path
+        raise(LogStash::ConfigurationError, 'Use either "ssl_certificate" or "ssl_keystore_path/keystore" when configuring client certificates')
       end
 
       ssl_options = {:enabled => true}
 
       if ssl_certificate_authorities&.any?
-        raise(LogStash::ConfigurationError, "Multiple \"ssl_certificate_authorities\" files are not supported") if ssl_certificate_authorities.size > 1
+        raise(LogStash::ConfigurationError, 'Multiple values on "ssl_certificate_authorities" are not supported by this plugin') if ssl_certificate_authorities.size > 1
         ssl_options[:ca_file] = ssl_certificate_authorities.first
-      elsif ssl_truststore_path
-        ssl_options[:truststore_password] = ssl_truststore_password.value if ssl_truststore_password
       end
 
-      ssl_options[:truststore] = ssl_truststore_path if ssl_truststore_path
+      if ssl_truststore_path
+        ssl_options[:truststore] = ssl_truststore_path
+        ssl_options[:truststore_type] = params["ssl_truststore_type"] if params.include?("ssl_truststore_type")
+        ssl_options[:truststore_password] = params["ssl_truststore_password"].value if params.include?("ssl_truststore_password")
+      end
+
       if ssl_keystore_path
         ssl_options[:keystore] = ssl_keystore_path
-        ssl_options[:keystore_password] = ssl_keystore_password.value if ssl_keystore_password
+        ssl_options[:keystore_type] = params["ssl_keystore_type"] if params.include?("ssl_keystore_type")
+        ssl_options[:keystore_password] = params["ssl_keystore_password"].value if params.include?("ssl_keystore_password")
+      end
+
+      ssl_key = params["ssl_key"]
+      if ssl_certificate && ssl_key
+        ssl_options[:client_cert] = ssl_certificate
+        ssl_options[:client_key] = ssl_key
+      elsif !!ssl_certificate ^ !!ssl_key
+        raise(LogStash::ConfigurationError, 'You must set both "ssl_certificate" and "ssl_key" for client authentication')
       end
 
+      ssl_verification_mode = params["ssl_verification_mode"]
       unless ssl_verification_mode.nil?
         case ssl_verification_mode
           when 'none'
@@ -145,6 +161,7 @@ def self.setup_ssl(logger, params)
         end
       end
 
+      ssl_options[:cipher_suites] = params["ssl_cipher_suites"] if params.include?("ssl_cipher_suites")
       ssl_options[:trust_strategy] = params["ssl_trust_strategy"] if params.include?("ssl_trust_strategy")
 
       protocols = params['ssl_supported_protocols']

lib/logstash/plugin_mixins/elasticsearch/api_configs.rb

@@ -80,6 +80,9 @@ module APIConfigs
         # Use either `:ssl_truststore_path` or `:ssl_certificate_authorities`
         :ssl_truststore_path => { :validate => :path },
 
+        # The format of the truststore file. It must be either jks or pkcs12
+        :ssl_truststore_type => { :validate => %w[pkcs12 jks] },
+
         # Set the truststore password
         :truststore_password => { :validate => :password, :deprecated => "Use 'ssl_truststore_password' instead." },
 
@@ -94,6 +97,9 @@ module APIConfigs
         # It can be either .jks or .p12
         :ssl_keystore_path => { :validate => :path },
 
+        # The format of the keystore file. It must be either jks or pkcs12
+        :ssl_keystore_type => { :validate => %w[pkcs12 jks] },
+
         # Set the keystore password
         :keystore_password => { :validate => :password, :deprecated => "Set 'ssl_keystore_password' instead." },
 
@@ -102,6 +108,16 @@ module APIConfigs
 
         :ssl_supported_protocols => { :validate => ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'], :default => [], :list => true },
 
+        # OpenSSL-style X.509 certificate certificate to authenticate the client
+        :ssl_certificate => { :validate => :path },
+
+        # OpenSSL-style RSA private key to authenticate the client
+        :ssl_key => { :validate => :path },
+
+        # The list of cipher suites to use, listed by priorities.
+        # Supported cipher suites vary depending on which version of Java is used.
+        :ssl_cipher_suites => { :validate => :string, :list => true },
+
         # This setting asks Elasticsearch for the list of all cluster nodes and adds them to the hosts list.
         # Note: This will return ALL nodes with HTTP enabled (including master nodes!). If you use
         # this with master nodes, you probably want to disable HTTP on them by setting

spec/unit/outputs/elasticsearch_spec.rb

@@ -705,12 +705,6 @@
       include_examples("an encrypted client connection")
     end
 
-    context "With the 'ssl_enabled' option" do
-      let(:options) { {"ssl_enabled" => true}}
-
-      include_examples("an encrypted client connection")
-    end
-
     context "With an https host" do
       let(:options) { {"hosts" => "https://localhost"} }
       include_examples("an encrypted client connection")
@@ -731,15 +725,15 @@
         File.delete(cacert)
       end
 
-      it 'should map new configs into params' do
+      it "should map new configs into params" do
         expect(subject.params).to match hash_including(
                                           "ssl_enabled" => true,
                                           "ssl_verification_mode" => "none",
                                           "ssl_certificate_authorities" => [cacert]
                                         )
       end
 
-      it 'should set new configs variables' do
+      it "should set new configs variables" do
         expect(subject.instance_variable_get(:@ssl_enabled)).to eql(true)
         expect(subject.instance_variable_get(:@ssl_verification_mode)).to eql("none")
         expect(subject.instance_variable_get(:@ssl_certificate_authorities)).to eql([cacert])
@@ -769,7 +763,7 @@
         File.delete(truststore)
       end
 
-      it 'should map new configs into params' do
+      it "should map new configs into params" do
         expect(subject.params).to match hash_including(
                                           "ssl_enabled" => true,
                                           "ssl_keystore_path" => keystore,
@@ -781,7 +775,7 @@
         expect(subject.params["ssl_truststore_password"].value).to eql("truststore")
       end
 
-      it 'should set new configs variables' do
+      it "should set new configs variables" do
         expect(subject.instance_variable_get(:@ssl_enabled)).to eql(true)
         expect(subject.instance_variable_get(:@ssl_keystore_path)).to eql(keystore)
         expect(subject.instance_variable_get(:@ssl_keystore_password).value).to eql("keystore")