Feat: add ssl_verification_mode => 'full' / 'none'

.travis.yml

@@ -2,21 +2,18 @@
 sudo: false
 language: ruby
 cache: bundler
-rvm:
-- jruby-1.7.25
-script: bundle exec rspec spec && bundle exec rspec spec --tag integration
+
+script: bundle exec rspec spec
 jdk: openjdk8
 matrix:
   include:
-  - rvm: jruby-9.1.13.0
-    env: LOGSTASH_BRANCH=master
-  - rvm: jruby-9.1.13.0
-    env: LOGSTASH_BRANCH=7.0
+  - rvm: jruby-9.2.20.1
+    env: LOGSTASH_BRANCH=8.0
+  - rvm: jruby-9.2.20.1
+    env: LOGSTASH_BRANCH=7.16
   - rvm: jruby-9.1.13.0
     env: LOGSTASH_BRANCH=6.7
-  - rvm: jruby-9.1.13.0
-    env: LOGSTASH_BRANCH=6.6
-  - rvm: jruby-1.7.27
-    env: LOGSTASH_BRANCH=5.6
+  - rvm: jruby-9.2.7.0
+    env: LOGSTASH_BRANCH=6.8
   fast_finish: true
 before_install: gem install bundler -v '< 2'

CHANGELOG.md

@@ -1,5 +1,8 @@
+## 7.1.0
+  - Feat: add `ssl_verification_mode` [#39](https://github.com/logstash-plugins/logstash-mixin-http_client/pull/39) 
+
 ## 7.0.0
-  - Removed obsolete ssl_certificate_verify option
+  - Removed obsolete `ssl_certificate_verify` option
 
 ## 6.0.1
   - Fix some documentation issues

lib/logstash/plugin_mixins/http_client.rb

@@ -70,6 +70,12 @@ def setup_http_client_config
     # Specify the keystore type here. One of `JKS` or `PKCS12`. Default is `JKS`
     config :keystore_type, :validate => :string, :default => "JKS"
 
+    # Naming aligned with the Elastic stack.
+    #   full: verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the
+    #         server’s hostname (or IP address) matches the names identified within the certificate
+    #   none: no verification of the server’s certificate
+    config :ssl_verification_mode, :validate => ['full', 'none'], :default => 'full'
+
     # If you need to use a custom truststore (`.jks`) specify that here. This does not work with .pem certs!
     config :truststore, :validate => :path
 
@@ -170,6 +176,17 @@ def client_config
       raise InvalidHTTPConfigError, "You must specify both client_cert and client_key for an HTTP client, or neither!"
     end
 
+    case @ssl_verification_mode
+    when 'full'
+      # NOTE: would make sense to have :browser here but historically we've used the (:strict) default
+      #
+      # supporting `ssl_verification_mode => strict` the same way ES does might require upstream Manticore
+      # changes -> as in ES/Beats setting `strict` means: "if the SAN is empty return an error"
+      c[:ssl][:verify] = :strict # :default
+    when 'none'
+      c[:ssl][:verify] = :disable
+    end
+
     c
   end
 

logstash-mixin-http_client.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-mixin-http_client'
-  s.version         = '7.0.0'
+  s.version         = '7.1.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "AWS mixins to provide a unified interface for Amazon Webservice"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -18,7 +18,7 @@ Gem::Specification.new do |s|
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
   s.add_runtime_dependency 'logstash-codec-plain'
-  s.add_runtime_dependency 'manticore', '>= 0.5.2', '< 1.0.0'
+  s.add_runtime_dependency 'manticore', '>= 0.8.0', '< 1.0.0'
 
   s.add_development_dependency 'logstash-devutils'
   s.add_development_dependency 'stud'

spec/plugin_mixin/http_client_spec.rb

@@ -85,7 +85,7 @@ class Dummy < LogStash::Inputs::Base
     end
   end
 
-describe "http auth" do
+  describe "http auth" do
     subject { Dummy.new(client_config).send(:client_config)[:auth] }
 
     let(:user) { "myuser" }
@@ -113,7 +113,7 @@ class Dummy < LogStash::Inputs::Base
     end
 
     context "with a user but no password specified" do
-      let(:client_config) { c = super; c.delete("password"); c }
+      let(:client_config) { c = super(); c.delete("password"); c }
 
       it "should raise a configuration error" do
         expect { subject }.to raise_error(::LogStash::ConfigurationError)
@@ -185,4 +185,35 @@ class Dummy < LogStash::Inputs::Base
       include_examples("raising a configuration error")
     end
   end
+
+  describe "with verify mode" do
+    let(:file) { Stud::Temporary.file }
+    let(:path) { file.path }
+    after { File.unlink(path)}
+
+    context "default" do
+      let(:conf) { basic_config }
+
+      it "sets manticore verify" do
+        expect( Dummy.new(conf).client_config[:ssl] ).to include :verify => :strict
+      end
+    end
+
+    context "'full'" do
+      let(:conf) { basic_config.merge("ssl_verification_mode" => 'full') }
+
+      it "sets manticore verify" do
+        expect( Dummy.new(conf).client_config[:ssl] ).to include :verify => :strict
+      end
+    end
+
+    context "'none'" do
+      let(:conf) { basic_config.merge("ssl_verification_mode" => 'none') }
+
+      it "sets manticore verify" do
+        expect( Dummy.new(conf).client_config[:ssl] ).to include :verify => :disable
+      end
+    end
+
+  end
 end