TCP input TLS - Add certificate file path to configuration.

BonnyAD9 · BonnyAD9 · commit ad7a7c05f423 · 2025-03-25T09:51:50.000+01:00
diff --git a/src/plugins/input/tcp/src/Config.cpp b/src/plugins/input/tcp/src/Config.cpp
@@ -30,19 +30,22 @@ namespace tcp_in {
  * <params>
  *  <localPort>...</localPort>                    <!-- optional -->
  *  <localIPAddress>...</localIPAddress>          <!-- optional, multiple times -->
+ *  <certificatePath>...</certificatePath>        <!-- optional -->
  * </params>
  */
 
 enum ParamsXmlNodes {
     PARAM_PORT,
     PARAM_IPADDR,
+    PARAM_CERTIFICATE,
 };
 
 static const struct fds_xml_args args_params[] = {
     FDS_OPTS_ROOT("params"),
-    FDS_OPTS_ELEM(PARAM_PORT  , "localPort"     , FDS_OPTS_T_UINT  , FDS_OPTS_P_OPT),
-    FDS_OPTS_ELEM(PARAM_IPADDR, "localIPAddress", FDS_OPTS_T_STRING, FDS_OPTS_P_OPT
-                                                                   | FDS_OPTS_P_MULTI),
+    FDS_OPTS_ELEM(PARAM_PORT       , "localPort"      , FDS_OPTS_T_UINT  , FDS_OPTS_P_OPT),
+    FDS_OPTS_ELEM(PARAM_IPADDR     , "localIPAddress" , FDS_OPTS_T_STRING, FDS_OPTS_P_OPT
+                                                                         | FDS_OPTS_P_MULTI),
+    FDS_OPTS_ELEM(PARAM_CERTIFICATE, "certificateFile", FDS_OPTS_T_STRING, FDS_OPTS_P_OPT),
     FDS_OPTS_END,
 };
 
@@ -69,6 +72,7 @@ Config::Config(ipx_ctx *ctx, const char *params) : local_port(DEFAULT_PORT), loc
 void Config::parse_params(ipx_ctx *ctx, fds_xml_ctx_t *params) {
     const struct fds_xml_cont *content;
     bool empty_address = false;
+    bool empty_cert = false;
 
     while (fds_xml_next(params, &content) != FDS_EOC) {
         switch (content->id) {
@@ -92,6 +96,15 @@ void Config::parse_params(ipx_ctx *ctx, fds_xml_ctx_t *params) {
                 empty_address = true;
             }
             break;
+        case PARAM_CERTIFICATE:
+            assert(content->type == FDS_OPTS_T_STRING);
+            // check if the string is not empty
+            if (*content->ptr_string) {
+                certificate_file = content->ptr_string;
+            } else {
+                empty_cert = true;
+            }
+            break;
         default:
             throw std::invalid_argument("Unexpected element within <params>.");
         }
@@ -104,6 +117,14 @@ void Config::parse_params(ipx_ctx *ctx, fds_xml_ctx_t *params) {
             "listen on all interfaces but only on the specified addresses."
         );
     }
+
+    if (empty_cert) {
+        IPX_CTX_WARNING(
+            ctx,
+            "Empty certificate path in configuration ignored. Tcp plugin will "
+            "NOT accept TLS connections."
+        )
+    }
 }
 
 } // namespace tcp_in
diff --git a/src/plugins/input/tcp/src/Config.hpp b/src/plugins/input/tcp/src/Config.hpp
@@ -10,8 +10,9 @@
 
 #pragma once
 
-#include <vector>  // std::vector
 #include <cstdint> // uint16_t
+#include <string>
+#include <vector>  // std::vector
 
 #include <libfds.h> // fds_xml_ctx_t
 
@@ -25,6 +26,11 @@ namespace tcp_in {
 struct Config {
     uint16_t local_port;
     std::vector<IpAddress> local_addrs;
+    /**
+     * @brief Path to file in pem format which contains certificate and private key for TLS. If
+     * empty TLS is not accepted.
+     */
+    std::string certificate_file;
 
     /**
      * @brief Parse configuration of the TCP plugin
