From acba20af1a268e23dfe053e943d64e904e90d5b3 Mon Sep 17 00:00:00 2001
From: Daniel Nelson
Date: Wed, 6 Jun 2018 18:29:59 -0700
Subject: [PATCH] Fix TLS and SSL config option parsing (#4247)

---
 Godeps | 2 +-
 internal/tls/config.go | 2 +-
 plugins/inputs/openldap/README.md | 2 +-
 plugins/inputs/openldap/openldap.go | 31 ++++++++++++++++--------
 plugins/inputs/openldap/openldap_test.go | 13 +++++-----
 5 files changed, 31 insertions(+), 19 deletions(-)

diff --git a/Godeps b/Godeps
index 5bc29b200..00fdc835c 100644
--- a/Godeps
+++ b/Godeps
@@ -34,7 +34,7 @@ github.com/hailocab/go-hostpool e80d13ce29ede4452c43dea11e79b9bc8a15b478
 github.com/hashicorp/consul 5174058f0d2bda63fa5198ab96c33d9a909c58ed
 github.com/influxdata/go-syslog 84f3b60009444d298f97454feb1f20cf91d1fa6e
 github.com/influxdata/tail c43482518d410361b6c383d7aebce33d0471d7bc
-github.com/influxdata/toml 5d1d907f22ead1cd47adde17ceec5bda9cacaf8f
+github.com/influxdata/toml 2a2e3012f7cfbef64091cc79776311e65dfa211b
 github.com/influxdata/wlog 7c63b0a71ef8300adc255344d275e10e5c3a71ec
 github.com/fsnotify/fsnotify c2828203cd70a50dcccfb2761f8b1f8ceef9a8e9
 github.com/jackc/pgx 63f58fd32edb5684b9e9f4cfaac847c6b42b3917
diff --git a/internal/tls/config.go b/internal/tls/config.go
index 25c0678d4..ce7958343 100644
--- a/internal/tls/config.go
+++ b/internal/tls/config.go
@@ -17,7 +17,7 @@ type ClientConfig struct {
 // Deprecated in 1.7; use TLS variables above
 SSLCA string `toml:"ssl_ca"`
 SSLCert string `toml:"ssl_cert"`
- SSLKey string `toml:"ssl_ca"`
+ SSLKey string `toml:"ssl_key"`
 }
 
 // ServerConfig represents the standard server TLS config.
diff --git a/plugins/inputs/openldap/README.md b/plugins/inputs/openldap/README.md
index aac600219..619e845c7 100644
--- a/plugins/inputs/openldap/README.md
+++ b/plugins/inputs/openldap/README.md
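Review bot: Nothing in this commit asserts that a config containing `ssl_key` now populates SSLKey and that `ssl_ca` lands only in SSLCA; the duplicated tag survived because no decode test covered the deprecated keys. A small table-driven test in the tls package that decodes the three `ssl_*` keys and the `tls_*` keys and compares the resulting ClientConfig would keep this from regressing. The folding of the deprecated SSL* fields onto the TLS* ones is presumably done in TLSConfig(), which is outside the hunk, so that test should also check that the certificate and key supplied under `ssl_cert`/`ssl_key` end up in the returned tls.Config.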
@@ -14,7 +14,7 @@ To use this plugin you must enable the [monitoring](https://www.openldap.org/dev
 # ldaps, starttls, or no encryption. default is an empty string, disabling all encryption.
 # note that port will likely need to be changed to 636 for ldaps
 # valid options: "" | "starttls" | "ldaps"
- ssl = ""
+ tls = ""
 
 # skip peer certificate verification. Default is false.
 insecure_skip_verify = false
diff --git a/plugins/inputs/openldap/openldap.go b/plugins/inputs/openldap/openldap.go
index 8a423ba51..9e69c8a21 100644
--- a/plugins/inputs/openldap/openldap.go
+++ b/plugins/inputs/openldap/openldap.go
@@ -15,9 +15,11 @@ import (
 type Openldap struct {
 Host string
 Port int
- Ssl string
+ SSL string `toml:"ssl"` // Deprecated in 1.7; use TLS
+ TLS string `toml:"tls"`
 InsecureSkipVerify bool
- SslCa string
+ SSLCA string `toml:"ssl_ca"` // Deprecated in 1.7; use TLSCA
+ TLSCA string `toml:"tls_ca"`
 BindDn string
 BindPassword string
 ReverseMetricNames bool
@@ -30,7 +32,7 @@ const sampleConfig string = `
 # ldaps, starttls, or no encryption. default is an empty string, disabling all encryption.
 # note that port will likely need to be changed to 636 for ldaps
 # valid options: "" | "starttls" | "ldaps"
- ssl = ""
+ tls = ""
 
 # skip peer certificate verification. Default is false.
 insecure_skip_verify = false
@@ -70,9 +72,11 @@ func NewOpenldap() *Openldap {
 return &Openldap{
 Host: "localhost",
 Port: 389,
- Ssl: "",
+ SSL: "",
+ TLS: "",
 InsecureSkipVerify: false,
- SslCa: "",
+ SSLCA: "",
+ TLSCA: "",
 BindDn: "",
 BindPassword: "",
 ReverseMetricNames: false,
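Review bot: The exported type on the context line `type Openldap struct {` has no doc comment, and the hunk adds explicit toml tags only to the four SSL/TLS fields while Host, Port, InsecureSkipVerify, BindDn, BindPassword and ReverseMetricNames keep relying on the decoder's implicit name mapping. Since this commit exists because a tag mismatch went unreported, tagging the remaining fields explicitly (for instance `InsecureSkipVerify bool` with the tag `toml:"insecure_skip_verify"`, matching the key in the sample config) makes the whole config surface checkable in one place. The deprecation comments could also state the precedence that Gather implements, e.g. `// Deprecated in 1.7; use TLS. Ignored when TLS is set.`. The struct continues past the hunk.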
@@ -81,12 +85,19 @@ func NewOpenldap() *Openldap {
 
 // gather metrics
 func (o *Openldap) Gather(acc telegraf.Accumulator) error {
+ if o.TLS == "" {
+ o.TLS = o.SSL
+ }
+ if o.TLSCA == "" {
+ o.TLSCA = o.SSLCA
+ }
+
 var err error
 var l *ldap.Conn
- if o.Ssl != "" {
+ if o.TLS != "" {
 // build tls config
 clientTLSConfig := tls.ClientConfig{
- SSLCA: o.SslCa,
+ TLSCA: o.TLSCA,
 InsecureSkipVerify: o.InsecureSkipVerify,
 }
 tlsConfig, err := clientTLSConfig.TLSConfig()
@@ -94,13 +105,13 @@ func (o *Openldap) Gather(acc telegraf.Accumulator) error {
 acc.AddError(err)
 return nil
 }
- if o.Ssl == "ldaps" {
+ if o.TLS == "ldaps" {
 l, err = ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", o.Host, o.Port), tlsConfig)
 if err != nil {
 acc.AddError(err)
 return nil
 }
- } else if o.Ssl == "starttls" {
+ } else if o.TLS == "starttls" {
 l, err = ldap.Dial("tcp", fmt.Sprintf("%s:%d", o.Host, o.Port))
 if err != nil {
 acc.AddError(err)
@@ -108,7 +119,7 @@ func (o *Openldap) Gather(acc telegraf.Accumulator) error {
 }
 err = l.StartTLS(tlsConfig)
 } else {
- acc.AddError(fmt.Errorf("Invalid setting for ssl: %s", o.Ssl))
+ acc.AddError(fmt.Errorf("Invalid setting for ssl: %s", o.TLS))
 return nil
 }
 } else {
diff --git a/plugins/inputs/openldap/openldap_test.go b/plugins/inputs/openldap/openldap_test.go
index b33354ece..10835896f 100644
--- a/plugins/inputs/openldap/openldap_test.go
+++ b/plugins/inputs/openldap/openldap_test.go
@@ -1,10 +1,11 @@
 package openldap
 
 import (
- "gopkg.in/ldap.v2"
 "strconv"
 "testing"
 
+ "gopkg.in/ldap.v2"
+
 "github.com/influxdata/telegraf/testutil"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
@@ -74,7 +75,7 @@ func TestOpenldapStartTLS(t *testing.T) {
 o := &Openldap{
 Host: testutil.GetLocalHost(),
 Port: 389,
- Ssl: "starttls",
+ SSL: "starttls",
 InsecureSkipVerify: true,
 }
 
@@ -92,7 +93,7 @@ func TestOpenldapLDAPS(t *testing.T) {
 o := &Openldap{
 Host: testutil.GetLocalHost(),
 Port: 636,
- Ssl: "ldaps",
+ SSL: "ldaps",
 InsecureSkipVerify: true,
 }
 
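Review bot: The deprecated-option fallback `if o.TLS == "" { o.TLS = o.SSL }` (and the same for TLSCA) sits at the top of Gather, so it is re-applied on every collection interval and the operator is never told that a deprecated key is still in use; log a one-time deprecation warning when the fallback actually copies a non-empty value so configs still using `ssl`/`ssl_ca` get noticed before those keys are removed. The same mismatch shows in the `@@ -108,7 +119,7 @@` hunk, whose error still reads `Invalid setting for ssl: %s` although the key users are now documented to set is `tls`; `acc.AddError(fmt.Errorf("Invalid setting for tls: %s", o.TLS))` names the right option. The validation itself is sound: an unrecognised value is reported and the collection aborted rather than falling through to the plaintext branch. Gather's body continues outside the hunk.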
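Review bot: Every fixture in this file still sets the deprecated field (`SSL: "starttls"` here, and likewise in the `@@ -92,7`, `@@ -110,7`, `@@ -129,7` and `@@ -157,7` hunks), so the new primary field TLS is only exercised through the fallback in Gather and a regression in handling `tls`/`tls_ca` directly would go unnoticed. Switch these fixtures to `TLS: "starttls"` and keep one case on `SSL:` for the deprecated path, ideally adding one where both are set to pin that TLS takes precedence. The test functions continue outside the hunks.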
@@ -110,7 +111,7 @@ func TestOpenldapInvalidSSL(t *testing.T) {
 o := &Openldap{
 Host: testutil.GetLocalHost(),
 Port: 636,
- Ssl: "invalid",
+ SSL: "invalid",
 InsecureSkipVerify: true,
 }
 
@@ -129,7 +130,7 @@ func TestOpenldapBind(t *testing.T) {
 o := &Openldap{
 Host: testutil.GetLocalHost(),
 Port: 389,
- Ssl: "",
+ SSL: "",
 InsecureSkipVerify: true,
 BindDn: "cn=manager,cn=config",
 BindPassword: "secret",
@@ -157,7 +158,7 @@ func TestOpenldapReverseMetrics(t *testing.T) {
 o := &Openldap{
 Host: testutil.GetLocalHost(),
 Port: 389,
- Ssl: "",
+ SSL: "",
 InsecureSkipVerify: true,
 BindDn: "cn=manager,cn=config",
 BindPassword: "secret",