Standardize SSL settings

CHANGELOG.md

@@ -1,3 +1,10 @@
+## 3.7.0
+ - Reviewed and deprecated SSL settings to comply with Logstash's naming convention [#164](https://github.com/logstash-plugins/logstash-input-http/pull/164)
+   - Deprecated `ssl` in favor of `ssl_enabled`
+   - Deprecated `ssl_verify_mode` in favor of `ssl_client_authentication`
+   - Deprecated `keystore` in favor of `ssl_keystore_path`
+   - Deprecated `keystore_password` in favor of `ssl_keystore_password`
+
 ## 3.6.1
  - Update Netty dependency to 4.1.87 [#162](https://github.com/logstash-plugins/logstash-input-http/pull/162)
 

VERSION

@@ -1 +1 @@
-3.6.1
+3.7.0

build.gradle

@@ -12,6 +12,7 @@ description = "HTTP Input Netty implementation"
 
 String log4jVersion = '2.17.0'
 String nettyVersion = '4.1.87.Final'
+String junitVersion = '5.9.2'
 
 sourceCompatibility = 1.8
 targetCompatibility = 1.8
@@ -21,8 +22,9 @@ repositories {
 }
 
 dependencies {
-    testImplementation 'junit:junit:4.12'
-    testImplementation 'org.hamcrest:hamcrest-library:1.3'
+    testImplementation "org.junit.jupiter:junit-jupiter-api:${junitVersion}"
+    testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:${junitVersion}"
+    testImplementation 'org.hamcrest:hamcrest-library:2.2'
     testImplementation "org.apache.logging.log4j:log4j-core:${log4jVersion}"
 
     implementation "io.netty:netty-buffer:${nettyVersion}"
@@ -36,8 +38,10 @@ dependencies {
 }
 
 test {
+    useJUnitPlatform()
     systemProperties.put "io.netty.leakDetectionLevel", "paranoid"
     testLogging {
+        events "passed", "skipped", "failed"
         exceptionFormat = 'full'
     }
 }

docs/index.asciidoc

@@ -101,15 +101,19 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-max_pending_requests>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-response_headers>> |<<hash,hash>>|No
 | <<plugins-{type}s-{plugin}-response_code>> |<<number,number>>, one of `[200, 201, 202, 204]`|No
-| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_client_authentication>> |<<string,string>>, one of `["none", "optional", "required"]`|No
+| <<plugins-{type}s-{plugin}-ssl_enabled>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_handshake_timeout>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-ssl_keystore_password>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-ssl_keystore_path>> |<<path,path>>|No
 | <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<array,array>>|No
-| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
+| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|__Deprecated__
 | <<plugins-{type}s-{plugin}-threads>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|__Deprecated__
@@ -214,7 +218,7 @@ The host or ip to bind
 
 [id="plugins-{type}s-{plugin}-keystore"]
 ===== `keystore`
-deprecated[3.1.0, Use <<plugins-{type}s-{plugin}-ssl_certificate>> and <<plugins-{type}s-{plugin}-ssl_key>> instead]
+deprecated[3.7.0, Use <<plugins-{type}s-{plugin}-ssl_keystore_path>> instead]
 
   * Value type is <<path,path>>
   * There is no default value for this setting.
@@ -223,12 +227,12 @@ The JKS keystore to validate the client's certificates
 
 [id="plugins-{type}s-{plugin}-keystore_password"]
 ===== `keystore_password`
-deprecated[3.1.0, Use <<plugins-{type}s-{plugin}-ssl_certificate>> and <<plugins-{type}s-{plugin}-ssl_key>> instead]
+deprecated[3.7.0, Use <<plugins-{type}s-{plugin}-ssl_keystore_password>> instead]
 
   * Value type is <<password,password>>
   * There is no default value for this setting.
 
-Set the truststore password
+Set the keystore password
 
 [id="plugins-{type}s-{plugin}-password"]
 ===== `password` 
@@ -308,6 +312,7 @@ specify target field for the client host of the http request
 
 [id="plugins-{type}s-{plugin}-ssl"]
 ===== `ssl` 
+deprecated[3.7.0, Replaced by <<plugins-{type}s-{plugin}-ssl_enabled>>]
 
   * Value type is <<boolean,boolean>>
   * Default value is `false`
@@ -332,8 +337,8 @@ SSL certificate to use.
 
 Validate client certificates against these authorities. 
 You can define multiple files or paths. All the certificates will
-be read and added to the trust store. You need to configure the `ssl_verify_mode`
-to `peer` or `force_peer` to enable the verification.
+be read and added to the trust store. You need to configure the <<plugins-{type}s-{plugin}-ssl_client_authentication>>
+to `optional` or `required` to enable the verification.
 
 
 [id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
@@ -347,6 +352,27 @@ This default list applies for OpenJDK 11.0.14 and higher.
 For older JDK versions, the default list includes only suites supported by that version.
 For example, the ChaCha20 family of ciphers is not supported in older versions.
 
+[id="plugins-{type}s-{plugin}-ssl_client_authentication"]
+===== `ssl_client_authentication`
+
+* Value can be any of: `none`, `optional`, `required`
+* Default value is `"none"`
+
+Controls the server's behavior in regard to requesting a certificate from client connections:
+`required` forces a client to present a certificate, while `optional` requests a client certificate
+but the client is not required to present one. Defaults to `none`, which disables the client authentication.
+
+NOTE: This setting can be used only if <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> is set.
+
+[id="plugins-{type}s-{plugin}-ssl_enabled"]
+===== `ssl_enabled`
+
+* Value type is <<boolean,boolean>>
+* Default value is `false`
+
+Events are by default sent in plain text. You can enable encryption by setting `ssl_enabled` to true and configuring
+the <<plugins-{type}s-{plugin}-ssl_certificate>> and <<plugins-{type}s-{plugin}-ssl_key>> options.
+
 [id="plugins-{type}s-{plugin}-ssl_handshake_timeout"]
 ===== `ssl_handshake_timeout` 
 
@@ -373,6 +399,22 @@ for more information.
 
 SSL key passphrase to use.
 
+[id="plugins-{type}s-{plugin}-ssl_keystore_path"]
+===== `ssl_keystore_path`
+
+ * Value type is <<path,path>>
+ * There is no default value for this setting.
+
+The JKS keystore to validate the client's certificates
+
+[id="plugins-{type}s-{plugin}-ssl_keystore_password"]
+===== `ssl_keystore_password`
+
+ * Value type is <<password,password>>
+ * There is no default value for this setting.
+
+Set the JKS keystore password
+
 [id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
 ===== `ssl_supported_protocols`
 
@@ -392,6 +434,7 @@ the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.
 
 [id="plugins-{type}s-{plugin}-ssl_verify_mode"]
 ===== `ssl_verify_mode` 
+deprecated[3.7.0, Replaced by <<plugins-{type}s-{plugin}-ssl_client_authentication>>]
 
   * Value can be any of: `none`, `peer`, `force_peer`
   * Default value is `"none"`
@@ -404,7 +447,7 @@ If the client provides a certificate, it will be validated.
 `force_peer` will make the server ask the client to provide a certificate.
 If the client doesn't provide a certificate, the connection will be closed.
 
-This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
+This option needs to be used with <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> and a defined list of CAs.
 
 [id="plugins-{type}s-{plugin}-threads"]
 ===== `threads`