Pull request logstash-plugins#1: update from upstream

Merge in THOT/logstash-input-http from dev-edefaria to prod

* commit '476e106429ff76ad4fa6a55a1fba15c182d815cf':
  Doc: Update deprecation notices to standard (logstash-plugins#154)
  Feat: review and deprecate ssl protocol/cipher settings (logstash-plugins#151)
  Codec pipeline context (logstash-plugins#153)
  ensure execution_context is propagated to additional_codecs (logstash-plugins#152)
  Doc: Clarify description and make minor grammar fixes (logstash-plugins#150)
  Feat: TLSv1.3 support (logstash-plugins#146)
  Build: do not package log4j-api dependency (logstash-plugins#149)
  Update log4j version to 2.17.0 (logstash-plugins#148)

Author: Edward De-Faria

CHANGELOG.md

@@ -1,3 +1,19 @@
+## 3.6.0
+ - Feat: review and deprecate ssl protocol/cipher related settings [#151](https://github.com/logstash-plugins/logstash-input-http/pull/151)
+
+## 3.5.1
+ - Fix: codecs provided with `additional_codecs` now correctly run in the pipeline's context, which means that they respect the `pipeline.ecs_compatibility` setting [#152](https://github.com/logstash-plugins/logstash-input-http/pull/152)
+
+## 3.5.0
+ - Feat: TLSv1.3 support [#146](https://github.com/logstash-plugins/logstash-input-http/pull/146)
+
+## 3.4.5
+ - Build: do not package log4j-api dependency [#149](https://github.com/logstash-plugins/logstash-input-http/pull/149).
+   Logstash provides the log4j framework and the dependency is not needed except testing and compiling.
+
+## 3.4.4
+ - Update log4j dependency to 2.17.0
+
 ## 3.4.3
  - Update log4j dependency to 2.15.0
  - Fix: update to Gradle 7 [#145](https://github.com/logstash-plugins/logstash-input-http/pull/145)

VERSION

@@ -1 +1 @@
-3.4.3
+3.6.0

build.gradle

@@ -10,12 +10,14 @@ version rootProject.file('VERSION').text.trim()
 
 description = "HTTP Input Netty implementation"
 
+String log4jVersion = '2.17.0'
+
 sourceCompatibility = 1.8
 targetCompatibility = 1.8
 
-String log4jVersion = '2.17.1'
-String netty4Version = '4.1.73.Final'
-String nettyTcnativeVersion = '2.0.46.Final'
+String log4jVersion = '2.17.2'
+String netty4Version = '4.1.77.Final'
+String nettyTcnativeVersion = '2.0.52.Final'
 
 repositories {
     mavenCentral()

docs/index.asciidoc

@@ -91,11 +91,11 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 |=======================================================================
 |Setting |Input type|Required
 | <<plugins-{type}s-{plugin}-additional_codecs>> |<<hash,hash>>|No
-| <<plugins-{type}s-{plugin}-cipher_suites>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-cipher_suites>> |<<array,array>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-ecs_compatibility>> | <<string,string>>|No
 | <<plugins-{type}s-{plugin}-host>> |<<string,string>>|No
-| <<plugins-{type}s-{plugin}-keystore>> |<<path,path>>|No
-| <<plugins-{type}s-{plugin}-keystore_password>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-keystore>> |<<path,path>>|__Deprecated__
+| <<plugins-{type}s-{plugin}-keystore_password>> |<<password,password>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-password>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-max_pending_requests>> |<<number,number>>|No
@@ -104,15 +104,17 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_handshake_timeout>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
 | <<plugins-{type}s-{plugin}-threads>> |<<number,number>>|No
-| <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|No
-| <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|No
+| <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|__Deprecated__
+| <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-user>> |<<string,string>>|No
-| <<plugins-{type}s-{plugin}-verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
+| <<plugins-{type}s-{plugin}-verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|__Deprecated__
 |=======================================================================
 
 Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
@@ -132,26 +134,24 @@ and no codec for the request's content-type is found
 
 [id="plugins-{type}s-{plugin}-cipher_suites"]
 ===== `cipher_suites` 
+deprecated[3.6.0, Replaced by <<plugins-{type}s-{plugin}-ssl_cipher_suites>>]
 
   * Value type is <<array,array>>
-  * Default value is `java.lang.String[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]@459cfcca`
 
-The list of ciphers suite to use, listed by priorities.
+The list of cipher suites to use, listed by priorities.
 
 [id="plugins-{type}s-{plugin}-ecs_compatibility"]
 ===== `ecs_compatibility`
 
-* Value type is <<string,string>>
-* Supported values are:
-** `disabled`: unstructured connection metadata added at root level
-** `v1`,`v8`: headers added under `[@metadata][http][header]`. Some are copied to structured ECS fields `http`, `url`, `user_agent` and `host`
+  * Value type is <<string,string>>
+  * Supported values are:
+  ** `disabled`: unstructured connection metadata added at root level
+  ** `v1`,`v8`: headers added under `[@metadata][http][header]`. Some are copied to structured ECS fields `http`, `url`, `user_agent` and `host`
 
 Controls this plugin's compatibility with the
 {ecs-ref}[Elastic Common Schema (ECS)].
 See <<plugins-{type}s-{plugin}-ecs_metadata>> for detailed information.
 
-Example output:
-
 **Sample output: ECS disabled**
 [source,text]
 -----
@@ -214,28 +214,22 @@ The host or ip to bind
 
 [id="plugins-{type}s-{plugin}-keystore"]
 ===== `keystore`
+deprecated[3.1.0, Use <<plugins-{type}s-{plugin}-ssl_certificate>> and <<plugins-{type}s-{plugin}-ssl_key>> instead]
 
   * Value type is <<path,path>>
   * There is no default value for this setting.
-  * This option is deprecated
 
 The JKS keystore to validate the client's certificates
 
-Note: This option is deprecated and it will be removed in the next major version of Logstash.
-Use `ssl_certificate` and `ssl_key` instead.
-
 [id="plugins-{type}s-{plugin}-keystore_password"]
 ===== `keystore_password`
+deprecated[3.1.0, Use <<plugins-{type}s-{plugin}-ssl_certificate>> and <<plugins-{type}s-{plugin}-ssl_key>> instead]
 
   * Value type is <<password,password>>
   * There is no default value for this setting.
-  * This option is deprecated
 
 Set the truststore password
 
-Note: This option is deprecated and it will be removed in the next major version of Logstash.
-Use `ssl_certificate` and `ssl_key` instead.
-
 [id="plugins-{type}s-{plugin}-password"]
 ===== `password` 
 
@@ -342,6 +336,17 @@ be read and added to the trust store. You need to configure the `ssl_verify_mode
 to `peer` or `force_peer` to enable the verification.
 
 
+[id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
+===== `ssl_cipher_suites`
+
+  * Value type is <<array,array>>
+  * Default value is `['TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256']`
+
+The list of cipher suites to use, listed by priorities.
+This default list applies for OpenJDK 11.0.14 and higher.
+For older JDK versions, the default list includes only suites supported by that version.
+For example, the ChaCha20 family of ciphers is not supported in older versions.
+
 [id="plugins-{type}s-{plugin}-ssl_handshake_timeout"]
 ===== `ssl_handshake_timeout` 
 
@@ -357,7 +362,7 @@ Time in milliseconds for an incomplete ssl handshake to timeout
   * There is no default value for this setting.
 
 SSL key to use.
-NOTE: This key need to be in the PKCS8 format, you can convert it with https://www.openssl.org/docs/man1.1.0/apps/pkcs8.html[OpenSSL]
+NOTE: This key need to be in the PKCS8 format, you can convert it with https://www.openssl.org/docs/man1.1.1/man1/openssl-pkcs8.html[OpenSSL]
 for more information.
 
 [id="plugins-{type}s-{plugin}-ssl_key_passphrase"]
@@ -368,6 +373,23 @@ for more information.
 
 SSL key passphrase to use.
 
+[id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
+===== `ssl_supported_protocols`
+
+  * Value type is <<array,array>>
+  * Allowed values are: `'TLSv1.1'`, `'TLSv1.2'`, `'TLSv1.3'`
+  * Default depends on the JDK being used. With up-to-date Logstash, the default is `['TLSv1.2', 'TLSv1.3']`.
+    `'TLSv1.1'` is not considered secure and is only provided for legacy applications.
+
+List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.
+
+For Java 8 `'TLSv1.3'` is supported  only since **8u262** (AdoptOpenJDK), but requires that you set the
+`LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3"` system property in Logstash.
+
+NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as the one packaged with Logstash,
+the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
+the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
+
 [id="plugins-{type}s-{plugin}-ssl_verify_mode"]
 ===== `ssl_verify_mode` 
 
@@ -394,21 +416,21 @@ Number of threads to use for both accepting connections and handling requests
 
 [id="plugins-{type}s-{plugin}-tls_max_version"]
 ===== `tls_max_version` 
+deprecated[3.6.0]
 
   * Value type is <<number,number>>
-  * Default value is `1.2`
 
-The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
-1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
+The maximum TLS version allowed for the encrypted connections.
+The value must be the one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3
 
 [id="plugins-{type}s-{plugin}-tls_min_version"]
 ===== `tls_min_version` 
+deprecated[3.6.0]
 
   * Value type is <<number,number>>
-  * Default value is `1`
 
-The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
-1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
+The minimum TLS version allowed for the encrypted connections.
+The value must be one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3
 
 [id="plugins-{type}s-{plugin}-user"]
 ===== `user` 
@@ -420,16 +442,13 @@ Username for basic authorization
 
 [id="plugins-{type}s-{plugin}-verify_mode"]
 ===== `verify_mode`
+deprecated[3.6.0, Replaced by <<plugins-{type}s-{plugin}-ssl_verify_mode>>]
 
   * Value can be any of: `none`, `peer`, `force_peer`
   * Default value is `"none"`
-  * This option is deprecated
 
 Set the client certificate verification method. Valid methods: none, peer, force_peer
 
-Note: This option is deprecated and it will be removed in the next major version of Logstash.
-Use `ssl_verify_mode` instead.
-
 
 [id="plugins-{type}s-{plugin}-common-options"]
 include::{include_path}/{type}.asciidoc[]