From 02772eb5f28b3c3a98f0d739b6210ca82d58f7ee Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Thu, 8 Feb 2018 18:13:13 -0700
Subject: [PATCH] omelasticsearch - add support for CA cert, client cert auth
This allows omelasticsearch to perform client cert based authentication
to Elasticsearch.
Add the following parameters:
`tls.cacert` - Full path and filename of the file containing the CA cert
for the CA that issued the Elasticsearch server(s) cert(s)
`tls.mycert` - Full path and filename of the file containing the client
cert used to authenticate to Elasticsearch
`tls.myprivkey` - Full path and filename of the file containing the client
key used to authenticate to Elasticsearch
---
plugins/omelasticsearch/omelasticsearch.c | 79 ++++++++++++++++++++++++++++---
1 file changed, 73 insertions(+), 6 deletions(-)
diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
index 97d8fb233..88bd5e16c 100644
--- a/plugins/omelasticsearch/omelasticsearch.c
+++ b/plugins/omelasticsearch/omelasticsearch.c
@@ -110,6 +110,9 @@ typedef struct _instanceData {
size_t maxbytes;
sbool useHttps;
sbool allowUnsignedCerts;
+ uchar *caCertFile;
+ uchar *myCertFile;
+ uchar *myPrivKeyFile;
} instanceData;
typedef struct wrkrInstanceData {
@@ -154,7 +157,10 @@ static struct cnfparamdescr actpdescr[] = {
{ "template", eCmdHdlrGetWord, 0 },
{ "dynbulkid", eCmdHdlrBinary, 0 },
{ "bulkid", eCmdHdlrGetWord, 0 },
- { "allowunsignedcerts", eCmdHdlrBinary, 0 }
+ { "allowunsignedcerts", eCmdHdlrBinary, 0 },
+ { "tls.cacert", eCmdHdlrString, 0 },
+ { "tls.mycert", eCmdHdlrString, 0 },
+ { "tls.myprivkey", eCmdHdlrString, 0 }
};
static struct cnfparamblk actpblk =
{ CNFPARAMBLK_VERSION,
@@ -168,6 +174,9 @@ BEGINcreateInstance
CODESTARTcreateInstance
pData->fdErrFile = -1;
pthread_mutex_init(&pData->mutErrFile, NULL);
+ pData->caCertFile = NULL;
+ pData->myCertFile = NULL;
+ pData->myPrivKeyFile = NULL;
ENDcreateInstance
BEGINcreateWrkrInstance
@@ -216,6 +225,9 @@ CODESTARTfreeInstance
free(pData->timeout);
free(pData->errorFile);
free(pData->bulkId);
+ free(pData->caCertFile);
+ free(pData->myCertFile);
+ free(pData->myPrivKeyFile);
ENDfreeInstance
BEGINfreeWrkrInstance
@@ -270,6 +282,9 @@ CODESTARTdbgPrintInstInfo
dbgprintf("\tinterleaved=%d\n", pData->interleaved);
dbgprintf("\tdynbulkid=%d\n", pData->dynBulkId);
dbgprintf("\tbulkid='%s'\n", pData->bulkId);
+ dbgprintf("\ttls.cacert='%s'\n", pData->caCertFile);
+ dbgprintf("\ttls.mycert='%s'\n", pData->myCertFile);
+ dbgprintf("\ttls.myprivkey='%s'\n", pData->myPrivKeyFile);
ENDdbgPrintInstInfo
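Review bot: The three added dbgprintf calls hand pData->caCertFile, myCertFile and myPrivKeyFile to a `%s` conversion, but this same patch initialises all three to NULL in createInstance and setInstParamDefaults, and a NULL argument for `%s` is undefined for the printf family (glibc happens to print "(null)"); whether dbgprintf ends in vsnprintf is not visible here, but that is the usual case. The existing bulkid line has the same shape, so this is inherited style, yet the new lines could cheaply avoid it: `dbgprintf("\ttls.cacert='%s'\n", pData->caCertFile ? (char*)pData->caCertFile : "(none)");` and likewise for the other two.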
@@ -311,7 +326,7 @@ computeBaseUrl(const char*const serverParam,
r = useHttps ? es_addBuf(&urlBuf, SCHEME_HTTPS, sizeof(SCHEME_HTTPS)-1) :
es_addBuf(&urlBuf, SCHEME_HTTP, sizeof(SCHEME_HTTP)-1);
- if (r == 0) r = es_addBuf(&urlBuf, serverParam, strlen(serverParam));
+ if (r == 0) r = es_addBuf(&urlBuf, (char *)serverParam, strlen(serverParam));
if (r == 0 && !strchr(host, ':')) {
snprintf(portBuf, sizeof(portBuf), ":%d", defaultPort);
r = es_addBuf(&urlBuf, portBuf, strlen(portBuf));
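Review bot: The new `(char *)serverParam` cast discards the `const` that the hunk header shows serverParam being declared with, which silences the warning but also hides any future write-through from the compiler. If es_addBuf only reads its buffer argument — which its use with the SCHEME_HTTPS/SCHEME_HTTP constants two lines above suggests but the page does not prove — the better fix is a `const char *` parameter on es_addBuf itself rather than a cast at each call site; if it really does need a writable pointer, a one-line comment here saying so would stop the next reader from "fixing" it. computeBaseUrl starts and ends outside the hunk.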
@@ -1296,7 +1311,7 @@ finalize_it:
}
static void
-curlCheckConnSetup(CURL *handle, HEADER *header, long timeout, sbool allowUnsignedCerts)
+curlCheckConnSetup(CURL *handle, HEADER *header, long timeout, sbool allowUnsignedCerts, wrkrInstanceData_t *pWrkrData)
{
curl_easy_setopt(handle, CURLOPT_HTTPHEADER, header);
curl_easy_setopt(handle, CURLOPT_NOBODY, TRUE);
@@ -1305,13 +1320,21 @@ curlCheckConnSetup(CURL *handle, HEADER *header, long timeout, sbool allowUnsign
if(allowUnsignedCerts)
curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER, FALSE);
+ if(pWrkrData->pData->caCertFile)
+ curl_easy_setopt(handle, CURLOPT_CAINFO, pWrkrData->pData->caCertFile);
+ if(pWrkrData->pData->myCertFile)
+ curl_easy_setopt(handle, CURLOPT_SSLCERT, pWrkrData->pData->myCertFile);
+ if(pWrkrData->pData->myPrivKeyFile)
+ curl_easy_setopt(handle, CURLOPT_SSLKEY, pWrkrData->pData->myPrivKeyFile);
+ /* uncomment for in-dept debuggung:
+ curl_easy_setopt(handle, CURLOPT_VERBOSE, TRUE); */
/* Only enable for debugging
curl_easy_setopt(curl, CURLOPT_VERBOSE, TRUE); */
}
static void
-curlPostSetup(CURL *handle, HEADER *header, uchar* authBuf)
+curlPostSetup(CURL *handle, HEADER *header, uchar* authBuf, wrkrInstanceData_t *pWrkrData)
{
curl_easy_setopt(handle, CURLOPT_HTTPHEADER, header);
curl_easy_setopt(handle, CURLOPT_WRITEFUNCTION, curlResult);
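Review bot: The three CURLOPT_CAINFO/CURLOPT_SSLCERT/CURLOPT_SSLKEY blocks added to curlCheckConnSetup here are repeated verbatim in curlPostSetup in the next hunk, and both functions now take a whole wrkrInstanceData_t only to reach pData — which curlSetup, the sole caller shown, already holds as its own parameter — so a small static helper taking `const instanceData *` removes the duplication and keeps the two handles from drifting apart. The added comment `/* uncomment for in-dept debuggung: ... */` duplicates the existing `/* Only enable for debugging ... */` two lines below it and misspells both words, so it can simply be dropped. Separately, a configured tls.cacert is silently irrelevant on any handle where allowUnsignedCerts has just turned CURLOPT_SSL_VERIFYPEER off on the line above, so logging that combination (e.g. a dbgprintf or LogError saying the CA file is ignored) would keep an operator from believing the server certificate is being checked. curlCheckConnSetup begins in the previous hunk and curlPostSetup's body continues in the next one.
```c
/* Apply the TLS client options from the instance config to a curl handle.
 * Shared by curlCheckConnSetup() and curlPostSetup() so both handles always
 * receive the same CA / client cert / client key settings. */
static void
curlSetupTls(CURL *const handle, const instanceData *const pData)
{
	if(pData->caCertFile)
		curl_easy_setopt(handle, CURLOPT_CAINFO, pData->caCertFile);
	if(pData->myCertFile)
		curl_easy_setopt(handle, CURLOPT_SSLCERT, pData->myCertFile);
	if(pData->myPrivKeyFile)
		curl_easy_setopt(handle, CURLOPT_SSLKEY, pData->myPrivKeyFile);
}

/* … unchanged: curlCheckConnSetup() up to the allowUnsignedCerts check … */
	if(allowUnsignedCerts)
		curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER, FALSE);
	curlSetupTls(handle, pWrkrData->pData);
```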
@@ -1322,6 +1345,12 @@ curlPostSetup(CURL *handle, HEADER *header, uchar* authBuf)
curl_easy_setopt(handle, CURLOPT_USERPWD, authBuf);
curl_easy_setopt(handle, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
}
+ if(pWrkrData->pData->caCertFile)
+ curl_easy_setopt(handle, CURLOPT_CAINFO, pWrkrData->pData->caCertFile);
+ if(pWrkrData->pData->myCertFile)
+ curl_easy_setopt(handle, CURLOPT_SSLCERT, pWrkrData->pData->myCertFile);
+ if(pWrkrData->pData->myPrivKeyFile)
+ curl_easy_setopt(handle, CURLOPT_SSLKEY, pWrkrData->pData->myPrivKeyFile);
}
static rsRetVal
@@ -1332,7 +1361,7 @@ curlSetup(wrkrInstanceData_t *pWrkrData, instanceData *pData)
if (pWrkrData->curlPostHandle == NULL) {
return RS_RET_OBJ_CREATION_FAILED;
}
- curlPostSetup(pWrkrData->curlPostHandle, pWrkrData->curlHeader, pData->authBuf);
+ curlPostSetup(pWrkrData->curlPostHandle, pWrkrData->curlHeader, pData->authBuf, pWrkrData);
pWrkrData->curlCheckConnHandle = curl_easy_init();
if (pWrkrData->curlCheckConnHandle == NULL) {
@@ -1341,7 +1370,7 @@ curlSetup(wrkrInstanceData_t *pWrkrData, instanceData *pData)
return RS_RET_OBJ_CREATION_FAILED;
}
curlCheckConnSetup(pWrkrData->curlCheckConnHandle, pWrkrData->curlHeader,
- pData->healthCheckTimeout, pData->allowUnsignedCerts);
+ pData->healthCheckTimeout, pData->allowUnsignedCerts, pWrkrData);
return RS_RET_OK;
}
@@ -1372,6 +1401,9 @@ setInstParamDefaults(instanceData *pData)
pData->interleaved=0;
pData->dynBulkId= 0;
pData->bulkId = NULL;
+ pData->caCertFile = NULL;
+ pData->myCertFile = NULL;
+ pData->myPrivKeyFile = NULL;
}
BEGINnewActInst
@@ -1380,6 +1412,8 @@ BEGINnewActInst
struct cnfarray* servers = NULL;
int i;
int iNumTpls;
+ FILE *fp;
+ char errStr[1024];
CODESTARTnewActInst
if((pvals = nvlstGetParams(lst, &actpblk, NULL)) == NULL) {
ABORT_FINALIZE(RS_RET_MISSING_CNFPARAMS);
@@ -1435,6 +1469,39 @@ CODESTARTnewActInst
pData->dynBulkId = pvals[i].val.d.n;
} else if(!strcmp(actpblk.descr[i].name, "bulkid")) {
pData->bulkId = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else if(!strcmp(actpblk.descr[i].name, "tls.cacert")) {
+ pData->caCertFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ fp = fopen((const char*)pData->caCertFile, "r");
+ if(fp == NULL) {
+ rs_strerror_r(errno, errStr, sizeof(errStr));
+ errmsg.LogError(0, RS_RET_NO_FILE_ACCESS,
+ "error: 'tls.cacert' file %s couldn't be accessed: %s\n",
+ pData->caCertFile, errStr);
+ } else {
+ fclose(fp);
+ }
+ } else if(!strcmp(actpblk.descr[i].name, "tls.mycert")) {
+ pData->myCertFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ fp = fopen((const char*)pData->myCertFile, "r");
+ if(fp == NULL) {
+ rs_strerror_r(errno, errStr, sizeof(errStr));
+ errmsg.LogError(0, RS_RET_NO_FILE_ACCESS,
+ "error: 'tls.mycert' file %s couldn't be accessed: %s\n",
+ pData->myCertFile, errStr);
+ } else {
+ fclose(fp);
+ }
+ } else if(!strcmp(actpblk.descr[i].name, "tls.myprivkey")) {
+ pData->myPrivKeyFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ fp = fopen((const char*)pData->myPrivKeyFile, "r");
+ if(fp == NULL) {
+ rs_strerror_r(errno, errStr, sizeof(errStr));
+ errmsg.LogError(0, RS_RET_NO_FILE_ACCESS,
+ "error: 'tls.myprivkey' file %s couldn't be accessed: %s\n",
+ pData->myPrivKeyFile, errStr);
+ } else {
+ fclose(fp);
+ }
} else {
dbgprintf("omelasticsearch: program error, non-handled "
"param '%s'\n", actpblk.descr[i].name);
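Review bot: When fopen fails in any of the three new tls.* branches the error is logged but the action is still created with the unreadable path in pData, so the same misconfiguration resurfaces later as an opaque curl failure on the first health check or post; if a bad CA, cert or key path is meant to be fatal — which I would expect for a credential — abort from the branch with `ABORT_FINALIZE(RS_RET_NO_FILE_ACCESS)` (the function already uses that pattern for missing params), and if it is deliberately only a warning, say so in a comment. The three branches are otherwise identical apart from the parameter name, so a small static helper that does the fopen/strerror/LogError/fclose once also lets the `FILE *fp` and `char errStr[1024]` added to newActInst in the earlier hunk go away. One caveat worth a comment either way: the check proves readability under the credentials the config is parsed with, so if the daemon later drops privileges (not visible here) a root-only key file can pass here and still be unreadable to the worker. newActInst continues outside the hunk.
```c
/* Diagnose a configured TLS file that cannot be opened for reading, so that a
 * wrong path is reported at config load rather than as a curl error on the
 * first post. Only reports; the caller decides whether to abort.
 * Returns 1 if the file could be opened, 0 otherwise. */
static int
checkFileAccess(const char *const paramName, const uchar *const path)
{
	char errStr[1024];
	FILE *const fp = fopen((const char*)path, "r");
	if(fp == NULL) {
		rs_strerror_r(errno, errStr, sizeof(errStr));
		errmsg.LogError(0, RS_RET_NO_FILE_ACCESS,
			"error: '%s' file %s couldn't be accessed: %s\n",
			paramName, path, errStr);
		return 0;
	}
	fclose(fp);
	return 1;
}

/* … unchanged: newActInst parameter loop up to and including the "bulkid" branch … */
		} else if(!strcmp(actpblk.descr[i].name, "tls.cacert")) {
			pData->caCertFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
			if(!checkFileAccess("tls.cacert", pData->caCertFile))
				ABORT_FINALIZE(RS_RET_NO_FILE_ACCESS);
		} else if(!strcmp(actpblk.descr[i].name, "tls.mycert")) {
			pData->myCertFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
			if(!checkFileAccess("tls.mycert", pData->myCertFile))
				ABORT_FINALIZE(RS_RET_NO_FILE_ACCESS);
		} else if(!strcmp(actpblk.descr[i].name, "tls.myprivkey")) {
			pData->myPrivKeyFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
			if(!checkFileAccess("tls.myprivkey", pData->myPrivKeyFile))
				ABORT_FINALIZE(RS_RET_NO_FILE_ACCESS);
```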
--
2.14.3