TCP input TLS - Use TlsDecoder in DecoderFactory.

Author: BonnyAD9

src/plugins/input/tcp/src/ClientManager.hpp

@@ -33,6 +33,13 @@ class ClientManager {
      */
     ClientManager(ipx_ctx_t *ctx, DecoderFactory factory);
 
+    /**
+     * @brief Initialize TLS. This is separately from constructor because it may prompt the user for
+     * password for private key.
+     * @param conf Configuration for the initialization.
+     */
+    void initialize_tls(const Config &conf) { m_factory.initialize_tls(conf); }
+
     /**
      * @brief Adds connection to the vector and epoll.
      * @param fd file descriptor of the new tcp connection.

src/plugins/input/tcp/src/DecoderFactory.cpp

@@ -26,12 +26,15 @@
 #include "Decoder.hpp"      // Decoder
 #include "Lz4Decoder.hpp"   // LZ4_MAGIC, Lz4Decoder
 #include "IpfixDecoder.hpp" // IPFIX_MAGIC, IpfixDecoder
+#include "tls/TlsDecoder.hpp"
 
 #include <iostream>
 
 namespace tcp_in {
 
-DecoderFactory::DecoderFactory() {};
+DecoderFactory::DecoderFactory(ipx_ctx_t *ctx) : m_ctx(ctx) {
+    // TLS is initialized separately because it may prompt the user.
+};
 
 std::unique_ptr<Decoder> DecoderFactory::detect_decoder(int fd) {
     // number of bytes neaded to detect the decoder
@@ -48,14 +51,26 @@ std::unique_ptr<Decoder> DecoderFactory::detect_decoder(int fd) {
     if (res == -1) {
         const char *err_msg;
         ipx_strerror(errno, err_msg);
-        throw std::runtime_error("Failed to receive start of first message: " + std::string(err_msg));
+        throw std::runtime_error(
+            "Failed to receive start of first message: " + std::string(err_msg)
+        );
     }
 
     constexpr const char *not_enough_data_err =
         "Failed to read enough bytes to recognize the decoder";
 
     // check decoders in order from shortest magic number to longest
 
+    if (res < 1) {
+        throw std::runtime_error(not_enough_data_err);
+    }
+
+    // TLS decoder
+    auto magic_u8 = buf[0];
+    if (magic_u8 == tls::TLS_MAGIC) {
+        return create_tls_decoder(fd);
+    }
+
     if (res < 2) {
         throw std::runtime_error(not_enough_data_err);
     }
@@ -79,6 +94,15 @@ std::unique_ptr<Decoder> DecoderFactory::detect_decoder(int fd) {
     throw std::runtime_error("Failed to recognize the decoder.");
 }
 
+void DecoderFactory::initialize_tls(const Config &conf) {
+    if (!conf.certificate_file.empty()) {
+        IPX_CTX_INFO(m_ctx, "Initializing TLS decoder.");
+        m_tls_factory = std::unique_ptr<tls::DecoderFactory>(new tls::DecoderFactory(conf));
+    } else {
+        IPX_CTX_INFO(m_ctx, "TLS Decoder is disabled.");
+    }
+}
+
 std::unique_ptr<Decoder> DecoderFactory::create_ipfix_decoder(int fd) {
     return std::unique_ptr<Decoder>(new IpfixDecoder(fd));
 }
@@ -87,5 +111,12 @@ std::unique_ptr<Decoder> DecoderFactory::create_lz4_decoder(int fd) {
     return std::unique_ptr<Decoder>(new Lz4Decoder(fd));
 }
 
+std::unique_ptr<Decoder> DecoderFactory::create_tls_decoder(int fd) {
+    if (!m_tls_factory) {
+        throw std::runtime_error("TLS decoder is not enabled.");
+    }
+    return m_tls_factory->create(fd);
+}
+
 } // namespace tcp_in
 

src/plugins/input/tcp/src/DecoderFactory.hpp

@@ -12,14 +12,16 @@
 
 #include <memory> // std::unique_ptr
 
+#include "Config.hpp"
 #include "Decoder.hpp" // Decoder
+#include "tls/DecoderFactory.hpp"
 
 namespace tcp_in {
 
 /** Factory for TCP decoders. */
 class DecoderFactory {
 public:
-    DecoderFactory();
+    DecoderFactory(ipx_ctx_t *ctx);
 
     /**
      * @brief Detects the type of decoder that should be used to decode the given stream and
@@ -31,9 +33,20 @@ class DecoderFactory {
      */
     std::unique_ptr<Decoder> detect_decoder(int fd);
 
+    /**
+     * @brief Initialize TLS. This is separately from constructor because it may prompt the user for
+     * password for private key.
+     * @param conf Configuration for the initialization.
+     */
+    void initialize_tls(const Config &conf);
+
 private:
     std::unique_ptr<Decoder> create_ipfix_decoder(int fd);
     std::unique_ptr<Decoder> create_lz4_decoder(int fd);
+    std::unique_ptr<Decoder> create_tls_decoder(int fd);
+
+    ipx_ctx_t *m_ctx;
+    std::unique_ptr<tls::DecoderFactory> m_tls_factory;
 };
 
 } // namespace tcp_in

src/plugins/input/tcp/src/IpxPlugin.cpp

@@ -38,6 +38,7 @@ int ipx_plugin_init(ipx_ctx_t *ctx, const char *params) {
     try {
         Config conf(ctx, params);
         plugin = new Plugin(ctx, conf);
+        plugin->initialize_tls(conf); // This may prompt the user for password for private key.
     } catch (std::exception &ex) {
         IPX_CTX_ERROR(ctx, "%s", ex.what());
         return IPX_ERR_DENIED;

src/plugins/input/tcp/src/Plugin.cpp

@@ -24,7 +24,7 @@ namespace tcp_in {
 
 Plugin::Plugin(ipx_ctx_t *ctx, Config &config) :
     m_ctx(ctx),
-    m_clients(ctx, DecoderFactory()),
+    m_clients(ctx, DecoderFactory(ctx)),
     m_acceptor(m_clients, ctx)
 {
     m_acceptor.bind_addresses(config);

src/plugins/input/tcp/src/Plugin.hpp

@@ -30,6 +30,13 @@ class Plugin {
      */
     Plugin(ipx_ctx_t *ctx, Config &config);
 
+    /**
+     * @brief Initialize TLS. This is separately from constructor because it may prompt the user for
+     * password for private key.
+     * @param conf Configuration for the initialization.
+     */
+    void initialize_tls(const Config &conf) { m_clients.initialize_tls(conf); }
+
     // force that Plugin stays in its original memory (so that reference to `m_clients` in acceptor
     // stays valid)
     Plugin(const Plugin &) = delete;