Remove deprecated SSL settings (#182)

robbavey · web-flow · commit 587efec39bd6 · 2024-12-16T09:38:05.000-05:00
* Remove deprecated SSL settings This commit marks SSL settings `obsolete` that were previously marked as `deprecated` as part of the SSL Settings Standardization process implemented in `3.7.0` of this plugin. Marking these settings as `obsolete` is a *breaking change* that will stop the plugin from starting, and forces users to move to the new standard settings. SSL settings that were marked deprecated in version `3.7.0` are now marked obsolete, and will prevent the plugin from starting. - These settings are: - `tls_min_version`, which should be replaced by `ssl_supported_protocols` - `tls_max_version`, which should be replaced by `ssl_supported_protocols` - `cipher_suites`, which should bre replaced by `ssl_cipher_suites` - `ssl`, which should bre replaced by `ssl_enabled` - `keystore`, which should bre replaced by `ssl_keystore_path` - `keystore_password`, which should bre replaced by `ssl_keystore_password` - `ssl_verify_mode`, which should bre replaced by `ssl_client_authentication` - `verify_mode`, which should bre replaced by `ssl_client_authentication` - [#182](#182) This commit cleans up some code to handle duplicate settings, and removes tests that were put in place to support the co-existence of deprecated and non-deprecated settings, replacing them with tests that verify that obsolete settings are identified early, and information about the deprecation is related to the user.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,16 @@
+## 4.0.0
+- SSL settings that were marked deprecated in version `3.7.0` are now marked obsolete, and will prevent the plugin from starting.
+- These settings are:
+    - `tls_min_version`, which should be replaced by `ssl_supported_protocols`
+    - `tls_max_version`, which should be replaced by `ssl_supported_protocols`
+    - `cipher_suites`, which should bre replaced by `ssl_cipher_suites`
+    - `ssl`, which should bre replaced by `ssl_enabled`
+    - `keystore`, which should bre replaced by `ssl_keystore_path`
+    - `keystore_password`, which should bre replaced by `ssl_keystore_password`
+    - `ssl_verify_mode`, which should bre replaced by `ssl_client_authentication`
+    - `verify_mode`, which should bre replaced by `ssl_client_authentication`
+    - [#182](https://github.com/logstash-plugins/logstash-input-http/pull/182)
+
 ## 3.9.2
  - Upgrade netty to 4.1.115 [#183](https://github.com/logstash-plugins/logstash-input-http/pull/183)
 
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-3.9.2
+4.0.0
diff --git a/docs/index.asciidoc b/docs/index.asciidoc
@@ -87,21 +87,21 @@ for the request's content-type is found in the `additional_codecs` setting.
 
 This plugin supports the following configuration options plus the <<plugins-{type}s-{plugin}-common-options>> described later.
 
+NOTE: As of version `4.0.0` of this plugin, a number of previously deprecated settings related to SSL have been removed.
+Please check out <<plugins-{type}s-{plugin}-obsolete-options>> for details.
+
+
 [cols="<,<,<",options="header",]
 |=======================================================================
 |Setting |Input type|Required
 | <<plugins-{type}s-{plugin}-additional_codecs>> |<<hash,hash>>|No
-| <<plugins-{type}s-{plugin}-cipher_suites>> |<<array,array>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-ecs_compatibility>> | <<string,string>>|No
 | <<plugins-{type}s-{plugin}-host>> |<<string,string>>|No
-| <<plugins-{type}s-{plugin}-keystore>> |<<path,path>>|__Deprecated__
-| <<plugins-{type}s-{plugin}-keystore_password>> |<<password,password>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-password>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-max_pending_requests>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-response_headers>> |<<hash,hash>>|No
 | <<plugins-{type}s-{plugin}-response_code>> |<<number,number>>, one of `[200, 201, 202, 204]`|No
-| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<array,array>>|No
@@ -117,12 +117,8 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-ssl_truststore_password>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_truststore_path>> |<<path,path>>|No
 | <<plugins-{type}s-{plugin}-ssl_truststore_type>> |<<string,string>>|No
-| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|__Deprecated__
 | <<plugins-{type}s-{plugin}-threads>> |<<number,number>>|No
-| <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|__Deprecated__
-| <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-user>> |<<string,string>>|No
-| <<plugins-{type}s-{plugin}-verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|__Deprecated__
 |=======================================================================
 
 Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
@@ -140,13 +136,6 @@ Apply specific codecs for specific content types.
 The default codec will be applied only after this list is checked
 and no codec for the request's content-type is found
 
-[id="plugins-{type}s-{plugin}-cipher_suites"]
-===== `cipher_suites` 
-deprecated[3.6.0, Replaced by <<plugins-{type}s-{plugin}-ssl_cipher_suites>>]
-
-  * Value type is <<array,array>>
-
-The list of cipher suites to use, listed by priorities.
 
 [id="plugins-{type}s-{plugin}-ecs_compatibility"]
 ===== `ecs_compatibility`
@@ -220,23 +209,6 @@ See <<plugins-{type}s-{plugin}-ecs_metadata>> for detailed information.
 
 The host or ip to bind
 
-[id="plugins-{type}s-{plugin}-keystore"]
-===== `keystore`
-deprecated[3.7.0, Use <<plugins-{type}s-{plugin}-ssl_keystore_path>> instead]
-
-  * Value type is <<path,path>>
-  * There is no default value for this setting.
-
-The JKS keystore to validate the client's certificates
-
-[id="plugins-{type}s-{plugin}-keystore_password"]
-===== `keystore_password`
-deprecated[3.7.0, Use <<plugins-{type}s-{plugin}-ssl_keystore_password>> instead]
-
-  * Value type is <<password,password>>
-  * There is no default value for this setting.
-
-Set the keystore password
 
 [id="plugins-{type}s-{plugin}-password"]
 ===== `password` 
@@ -314,16 +286,6 @@ specify a target field for the client host of the http request
 
 specify target field for the client host of the http request
 
-[id="plugins-{type}s-{plugin}-ssl"]
-===== `ssl` 
-deprecated[3.7.0, Replaced by <<plugins-{type}s-{plugin}-ssl_enabled>>]
-
-  * Value type is <<boolean,boolean>>
-  * Default value is `false`
-
-Events are, by default, sent in plain text. You can
-enable encryption by setting `ssl` to true and configuring
-the `ssl_certificate` and `ssl_key` options.
 
 [id="plugins-{type}s-{plugin}-ssl_certificate"]
 ===== `ssl_certificate` 
@@ -473,22 +435,6 @@ NOTE: You cannot use this setting and <<plugins-{type}s-{plugin}-ssl_certificate
 
 The format of the truststore file. It must be either `jks` or `pkcs12`.
 
-[id="plugins-{type}s-{plugin}-ssl_verify_mode"]
-===== `ssl_verify_mode` 
-deprecated[3.7.0, Replaced by <<plugins-{type}s-{plugin}-ssl_client_authentication>>]
-
-  * Value can be any of: `none`, `peer`, `force_peer`
-  * Default value is `"none"`
-
-By default the server doesn't do any client verification.
-
-`peer` will make the server ask the client to provide a certificate. 
-If the client provides a certificate, it will be validated.
-
-`force_peer` will make the server ask the client to provide a certificate.
-If the client doesn't provide a certificate, the connection will be closed.
-
-This option needs to be used with <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> and a defined list of CAs.
 
 [id="plugins-{type}s-{plugin}-threads"]
 ===== `threads` 
@@ -498,23 +444,6 @@ This option needs to be used with <<plugins-{type}s-{plugin}-ssl_certificate_aut
 
 Number of threads to use for both accepting connections and handling requests
 
-[id="plugins-{type}s-{plugin}-tls_max_version"]
-===== `tls_max_version` 
-deprecated[3.6.0]
-
-  * Value type is <<number,number>>
-
-The maximum TLS version allowed for the encrypted connections.
-The value must be the one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3
-
-[id="plugins-{type}s-{plugin}-tls_min_version"]
-===== `tls_min_version` 
-deprecated[3.6.0]
-
-  * Value type is <<number,number>>
-
-The minimum TLS version allowed for the encrypted connections.
-The value must be one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3
 
 [id="plugins-{type}s-{plugin}-user"]
 ===== `user` 
@@ -524,15 +453,24 @@ The value must be one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 fo
 
 Username for basic authorization
 
-[id="plugins-{type}s-{plugin}-verify_mode"]
-===== `verify_mode`
-deprecated[3.6.0, Replaced by <<plugins-{type}s-{plugin}-ssl_verify_mode>>]
-
-  * Value can be any of: `none`, `peer`, `force_peer`
-  * Default value is `"none"`
+[id="plugins-{type}s-{plugin}-obsolete-options"]
+==== HTTP Input Obsolete Configuration Options
 
-Set the client certificate verification method. Valid methods: none, peer, force_peer
+WARNING: As of version `4.0.0` of this plugin, some configuration options have been replaced.
+The plugin will fail to start if it contains any of these obsolete options.
 
+[cols="<,<",options="header",]
+|=======================================================================
+|Setting|Replaced by
+| cipher_suites |<<plugins-{type}s-{plugin}-ssl_cipher_suites>>
+| keystore |<<plugins-{type}s-{plugin}-ssl_keystore_path>>
+| keystore_password |<<plugins-{type}s-{plugin}-ssl_keystore_password>>
+| ssl |<<plugins-{type}s-{plugin}-ssl_enabled>>
+| ssl_verify_mode |<<plugins-{type}s-{plugin}-ssl_client_authentication>>
+| tls_max_version |<<plugins-{type}s-{plugin}-ssl_supported_protocols>>
+| tls_min_version |<<plugins-{type}s-{plugin}-ssl_supported_protocols>>
+| verify_mode |<<plugins-{type}s-{plugin}-ssl_client_authentication>>
+|=======================================================================
 
 [id="plugins-{type}s-{plugin}-common-options"]
 include::{include_path}/{type}.asciidoc[]
diff --git a/lib/logstash/inputs/http.rb b/lib/logstash/inputs/http.rb
@@ -55,11 +55,6 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
   # Password for basic authorization
   config :password, :validate => :password, :required => false
 
-  # Events are by default sent in plain text. You can
-  # enable encryption by setting `ssl` to true and configuring
-  # the `ssl_certificate` and `ssl_key` options.
-  config :ssl, :validate => :boolean, :default => false, :deprecated => "Set 'ssl_enabled' instead."
-
   # Events are by default sent in plain text. You can
   # enable encryption by setting `ssl` to true and configuring
   # the `ssl_certificate` and `ssl_key` options.
@@ -108,17 +103,6 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
   # This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
   config :ssl_client_authentication, :validate => %w[none optional required], :default => 'none'
 
-  # By default the server doesn't do any client verification.
-  #
-  # `peer` will make the server ask the client to provide a certificate.
-  # If the client provides a certificate, it will be validated.
-  #
-  # `force_peer` will make the server ask the client to provide a certificate.
-  # If the client doesn't provide a certificate, the connection will be closed.
-  #
-  # This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
-  config :ssl_verify_mode, :validate => ["none", "peer", "force_peer"], :default => "none", :deprecated => "Set 'ssl_client_authentication' instead."
-
   # Time in milliseconds for an incomplete ssl handshake to timeout
   config :ssl_handshake_timeout, :validate => :number, :default => 10000
 
@@ -150,25 +134,15 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
 
   config :response_code, :validate => [200, 201, 202, 204], :default => 200
 
-  # Deprecated options
-
-  # The JKS keystore to validate the client's certificates
-  config :keystore, :validate => :path, :deprecated => "Set 'ssl_keystore_path' instead."
-
-  # The JKS keystore password
-  config :keystore_password, :validate => :password, :deprecated => "Set 'ssl_keystore_password' instead."
-
-  config :verify_mode, :validate => ['none', 'peer', 'force_peer'], :default => 'none', :deprecated => "Set 'ssl_client_authentication' instead."
-
-  config :cipher_suites, :validate => :array, :default => [], :deprecated => "Set 'ssl_cipher_suites' instead."
-
-  # The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
-  # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
-  config :tls_min_version, :validate => :number, :default => TLS.min.version, :deprecated => "Set 'ssl_supported_protocols' instead."
-
-  # The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
-  # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
-  config :tls_max_version, :validate => :number, :default => TLS.max.version, :deprecated => "Set 'ssl_supported_protocols' instead."
+  # Obsolete Settings
+  config :ssl, :obsolete => "Set 'ssl_enabled' instead."
+  config :keystore, :obsolete => "Set 'ssl_keystore_path' instead."
+  config :keystore_password, :validate => :password, :obsolete => "Set 'ssl_keystore_password' instead."
+  config :verify_mode, :obsolete => "Set 'ssl_client_authentication' instead."
+  config :cipher_suites, :obsolete => "Set 'ssl_cipher_suites' instead."
+  config :tls_min_version, :obsolete => "Set 'ssl_supported_protocols' instead."
+  config :tls_max_version, :obsolete => "Set 'ssl_supported_protocols' instead."
+  config :ssl_verify_mode, :obsolete => "Set 'ssl_client_authentication' instead."
 
   attr_reader :codecs
 
@@ -200,8 +174,6 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
   public
   def register
 
-    setup_ssl_params!
-
     validate_ssl_settings!
 
     if @user && @password
@@ -342,34 +314,6 @@ def validate_ssl_settings!
   end
 
   def setup_ssl_params!
-    @ssl_enabled = normalize_config(:ssl_enabled) do |normalizer|
-      normalizer.with_deprecated_alias(:ssl)
-    end
-
-    @ssl_cipher_suites = normalize_config(:ssl_cipher_suites) do |normalizer|
-      normalizer.with_deprecated_alias(:cipher_suites)
-    end
-
-    @ssl_supported_protocols = normalize_config(:ssl_supported_protocols) do |normalizer|
-      normalizer.with_deprecated_mapping(:tls_min_version, :tls_max_version) do |tls_min_version, tls_max_version|
-        TLS.get_supported(tls_min_version..tls_max_version).map(&:name)
-      end
-    end
-
-    @ssl_client_authentication = normalize_config(:ssl_client_authentication) do |normalizer|
-      normalizer.with_deprecated_mapping(:verify_mode, :ssl_verify_mode) do |verify_mode, ssl_verify_mode|
-        normalize_ssl_client_authentication_value!(verify_mode, ssl_verify_mode)
-      end
-    end
-
-    @ssl_keystore_path = normalize_config(:ssl_keystore_path) do |normalizer|
-      normalizer.with_deprecated_alias(:keystore)
-    end
-
-    @ssl_keystore_password = normalize_config(:ssl_keystore_password) do |normalizer|
-      normalizer.with_deprecated_alias(:keystore_password)
-    end
-
     params['ssl_enabled'] = @ssl_enabled unless @ssl_enabled.nil?
     params['ssl_cipher_suites'] = @ssl_cipher_suites unless @ssl_cipher_suites.nil?
     params['ssl_supported_protocols'] = @ssl_supported_protocols unless @ssl_supported_protocols.nil?
@@ -378,17 +322,6 @@ def setup_ssl_params!
     params['ssl_keystore_password'] = @ssl_keystore_password unless @ssl_keystore_password.nil?
   end
 
-  def normalize_ssl_client_authentication_value!(verify_mode, ssl_verify_mode)
-    verify_mode_explicitly_set = original_params.key?("verify_mode")
-
-    if verify_mode_explicitly_set && original_params.key?("ssl_verify_mode")
-      raise LogStash::ConfigurationError, "Both (deprecated) `ssl_verify_mode` and `verify_mode` were set. Use only `ssl_verify_mode`"
-    end
-
-    deprecated_value = (verify_mode_explicitly_set ? verify_mode : ssl_verify_mode).downcase
-    SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP[deprecated_value]
-  end
-
   def create_http_server(message_handler)
     org.logstash.plugins.inputs.http.NettyHttpServer.new(
       @host, @port, message_handler, build_ssl_params, @threads, @max_pending_requests, @max_content_length, @response_code)
@@ -467,13 +400,7 @@ def ssl_client_authentication_optional?
   end
 
   def provided_ssl_client_authentication_config(values = [@ssl_client_authentication])
-    if original_params.include?('ssl_verify_mode')
-      ['ssl_verify_mode', *values.map { |v| SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP.key(v) }]
-    elsif original_params.include?('verify_mode')
-      ['verify_mode', *values.map { |v| SSL_VERIFY_MODE_TO_CLIENT_AUTHENTICATION_MAP.key(v) }]
-    else
       ['ssl_client_authentication', *values]
-    end
   end
 
   private
diff --git a/spec/inputs/http_spec.rb b/spec/inputs/http_spec.rb
