ssl: use NoopHostnameVerifier when ssl_verification_mode is 'none' (#165)

yaauie · mashhurs · web-flow · commit aad460b32eda · 2024-10-11T09:30:17.000-07:00
* ssl: use NoopHostnameVerifier when ssl_verification_mode is 'none' Fixes: #164 * Unit and integration tests added for the where SSL verification mode is disabled over SSL connection. (#168) --------- Co-authored-by: Mashhur <99575341+mashhurs@users.noreply.github.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 0.1.15
+  - Fixes the connection failure where SSL verification mode is disabled over SSL connection [#165](https://github.com/elastic/logstash-filter-elastic_integration/pull/165)
+
 ## 0.1.14
   - Fix: register available PainlessExtension-s, resolving an issue where the pipelines for some integrations would fail to compile [#162](https://github.com/elastic/logstash-filter-elastic_integration/pull/162)
 
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.1.14
+0.1.15
diff --git a/spec/integration/elastic_integration_spec.rb b/spec/integration/elastic_integration_spec.rb
@@ -29,7 +29,6 @@
       "password" => integ_user_password,
       "ssl_enabled" => true,
       "ssl_verification_mode" => "certificate",
-      "ssl_certificate_authorities" => "spec/fixtures/test_certs/root.crt",
       "ssl_certificate" => "spec/fixtures/test_certs/client_from_root.crt",
       "ssl_key" => "spec/fixtures/test_certs/client_from_root.key.pkcs8",
       "ssl_key_passphrase" => "12345678"
@@ -115,6 +114,11 @@
   end
 
   context '#pipeline execution' do
+    let(:settings) {
+      super().merge(
+        "ssl_certificate_authorities" => "spec/fixtures/test_certs/root.crt"
+      )
+    }
 
     before(:each) do
       subject.register
@@ -1133,6 +1137,12 @@ def path; @path; end
   end
 
   context '#multi-pipeline execution' do
+    let(:settings) {
+      super().merge(
+        "ssl_certificate_authorities" => "spec/fixtures/test_certs/root.crt"
+      )
+    }
+
     before(:each) do
       subject.register
     end
@@ -1168,6 +1178,11 @@ def path; @path; end
   end
 
   context '#failures' do
+    let(:settings) {
+      super().merge(
+        "ssl_certificate_authorities" => "spec/fixtures/test_certs/root.crt"
+      )
+    }
 
     before(:each) do
       subject.register
@@ -1227,6 +1242,11 @@ def path; @path; end
   end
 
   context '#privileges' do
+    let(:settings) {
+      super().merge(
+        "ssl_certificate_authorities" => "spec/fixtures/test_certs/root.crt"
+      )
+    }
     # a user who doesn't have pipeline privileges
     let(:integ_user_name) {
       "ls_integration_tests_user"
@@ -1323,6 +1343,11 @@ def path; @path; end
   end
 
   context '#emulating real scenario' do
+    let(:settings) {
+      super().merge(
+        "ssl_certificate_authorities" => "spec/fixtures/test_certs/root.crt"
+      )
+    }
     let(:index_settings) {
       {
         "type" => "log",
@@ -1406,7 +1431,8 @@ def path; @path; end
       let(:settings) {
         super().merge(
           # certificate is signed with localhost/127.0.0.1, should complain
-          "ssl_verification_mode" => "full"
+          "ssl_verification_mode" => "full",
+          "ssl_certificate_authorities" => "spec/fixtures/test_certs/root.crt"
         )
       }
 
@@ -1428,6 +1454,30 @@ def path; @path; end
           end)
       end
     end
+
+    describe 'when SSL enabled and verification is disabled' do
+
+      let(:settings) {
+        super().merge(
+          "ssl_enabled" => true,
+          "ssl_verification_mode" => "none"
+        )
+      }
+
+      # just need to fill the params, we don't/can't send any request to ES
+      let(:pipeline_processor) {
+        '{
+          "dissect": {
+            "field": "dissect_field",
+            "pattern" : "%{clientip} %{ident} %{auth} [%{@timestamp}] \"%{verb} %{request} HTTP/%{httpversion}\" %{status} %{size}"
+          }
+        }'
+      }
+
+      it 'establishes a connection' do
+        expect { subject.register }.not_to raise_error
+      end
+    end
   end
 
 end
diff --git a/spec/unit/elastic_integration_spec.rb b/spec/unit/elastic_integration_spec.rb
@@ -412,6 +412,14 @@
           end
         end
 
+        describe "with `ssl_enabled`" do
+          let(:config) { super().merge("ssl_enabled" => true) }
+
+          it "establishes a connection" do
+            expect{ registered_plugin }.not_to raise_error
+          end
+        end
+
       end
 
       describe "with `ssl_verification_mode` is not `none`" do
diff --git a/src/main/java/co/elastic/logstash/filters/elasticintegration/ElasticsearchRestClientBuilder.java b/src/main/java/co/elastic/logstash/filters/elasticintegration/ElasticsearchRestClientBuilder.java
@@ -340,7 +340,7 @@ public void configureSSLContext(final SSLContextBuilder sslContextBuilder) {
         }
 
         public void configureHttpClient(final HttpAsyncClientBuilder httpClientBuilder) {
-            if (sslVerificationMode == SSLVerificationMode.CERTIFICATE) {
+            if (sslVerificationMode == SSLVerificationMode.CERTIFICATE || sslVerificationMode == SSLVerificationMode.NONE ) {
                 httpClientBuilder.setSSLHostnameVerifier(new NoopHostnameVerifier());
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -340,7 +340,7 @@ public void configureSSLContext(final SSLContextBuilder sslContextBuilder) {`
`340`	`340`	`}`
`341`	`341`
`342`	`342`	`public void configureHttpClient(final HttpAsyncClientBuilder httpClientBuilder) {`
`343`		`- if (sslVerificationMode == SSLVerificationMode.CERTIFICATE) {`
	`343`	`+ if (sslVerificationMode == SSLVerificationMode.CERTIFICATE \|\| sslVerificationMode == SSLVerificationMode.NONE ) {`
`344`	`344`	`httpClientBuilder.setSSLHostnameVerifier(new NoopHostnameVerifier());`
`345`	`345`	`}`
`346`	`346`	`}`