Fix TLS and SSL config option parsing (#4247)
parent
229b6bd944
commit
acba20af1a
2
Godeps
2
Godeps
|
@ -34,7 +34,7 @@ github.com/hailocab/go-hostpool e80d13ce29ede4452c43dea11e79b9bc8a15b478
|
||||||
github.com/hashicorp/consul 5174058f0d2bda63fa5198ab96c33d9a909c58ed
|
github.com/hashicorp/consul 5174058f0d2bda63fa5198ab96c33d9a909c58ed
|
||||||
github.com/influxdata/go-syslog 84f3b60009444d298f97454feb1f20cf91d1fa6e
|
github.com/influxdata/go-syslog 84f3b60009444d298f97454feb1f20cf91d1fa6e
|
||||||
github.com/influxdata/tail c43482518d410361b6c383d7aebce33d0471d7bc
|
github.com/influxdata/tail c43482518d410361b6c383d7aebce33d0471d7bc
|
||||||
github.com/influxdata/toml 5d1d907f22ead1cd47adde17ceec5bda9cacaf8f
|
github.com/influxdata/toml 2a2e3012f7cfbef64091cc79776311e65dfa211b
|
||||||
github.com/influxdata/wlog 7c63b0a71ef8300adc255344d275e10e5c3a71ec
|
github.com/influxdata/wlog 7c63b0a71ef8300adc255344d275e10e5c3a71ec
|
||||||
github.com/fsnotify/fsnotify c2828203cd70a50dcccfb2761f8b1f8ceef9a8e9
|
github.com/fsnotify/fsnotify c2828203cd70a50dcccfb2761f8b1f8ceef9a8e9
|
||||||
github.com/jackc/pgx 63f58fd32edb5684b9e9f4cfaac847c6b42b3917
|
github.com/jackc/pgx 63f58fd32edb5684b9e9f4cfaac847c6b42b3917
|
||||||
|
|
|
@ -17,7 +17,7 @@ type ClientConfig struct {
|
||||||
// Deprecated in 1.7; use TLS variables above
|
// Deprecated in 1.7; use TLS variables above
|
||||||
SSLCA string `toml:"ssl_ca"`
|
SSLCA string `toml:"ssl_ca"`
|
||||||
SSLCert string `toml:"ssl_cert"`
|
SSLCert string `toml:"ssl_cert"`
|
||||||
SSLKey string `toml:"ssl_ca"`
|
SSLKey string `toml:"ssl_key"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// ServerConfig represents the standard server TLS config.
|
// ServerConfig represents the standard server TLS config.
|
||||||
|
|
|
@ -14,7 +14,7 @@ To use this plugin you must enable the [monitoring](https://www.openldap.org/dev
|
||||||
# ldaps, starttls, or no encryption. default is an empty string, disabling all encryption.
|
# ldaps, starttls, or no encryption. default is an empty string, disabling all encryption.
|
||||||
# note that port will likely need to be changed to 636 for ldaps
|
# note that port will likely need to be changed to 636 for ldaps
|
||||||
# valid options: "" | "starttls" | "ldaps"
|
# valid options: "" | "starttls" | "ldaps"
|
||||||
ssl = ""
|
tls = ""
|
||||||
|
|
||||||
# skip peer certificate verification. Default is false.
|
# skip peer certificate verification. Default is false.
|
||||||
insecure_skip_verify = false
|
insecure_skip_verify = false
|
||||||
|
|
|
@ -15,9 +15,11 @@ import (
|
||||||
type Openldap struct {
|
type Openldap struct {
|
||||||
Host string
|
Host string
|
||||||
Port int
|
Port int
|
||||||
Ssl string
|
SSL string `toml:"ssl"` // Deprecated in 1.7; use TLS
|
||||||
|
TLS string `toml:"tls"`
|
||||||
InsecureSkipVerify bool
|
InsecureSkipVerify bool
|
||||||
SslCa string
|
SSLCA string `toml:"ssl_ca"` // Deprecated in 1.7; use TLSCA
|
||||||
|
TLSCA string `toml:"tls_ca"`
|
||||||
BindDn string
|
BindDn string
|
||||||
BindPassword string
|
BindPassword string
|
||||||
ReverseMetricNames bool
|
ReverseMetricNames bool
|
||||||
|
@ -30,7 +32,7 @@ const sampleConfig string = `
|
||||||
# ldaps, starttls, or no encryption. default is an empty string, disabling all encryption.
|
# ldaps, starttls, or no encryption. default is an empty string, disabling all encryption.
|
||||||
# note that port will likely need to be changed to 636 for ldaps
|
# note that port will likely need to be changed to 636 for ldaps
|
||||||
# valid options: "" | "starttls" | "ldaps"
|
# valid options: "" | "starttls" | "ldaps"
|
||||||
ssl = ""
|
tls = ""
|
||||||
|
|
||||||
# skip peer certificate verification. Default is false.
|
# skip peer certificate verification. Default is false.
|
||||||
insecure_skip_verify = false
|
insecure_skip_verify = false
|
||||||
|
@ -70,9 +72,11 @@ func NewOpenldap() *Openldap {
|
||||||
return &Openldap{
|
return &Openldap{
|
||||||
Host: "localhost",
|
Host: "localhost",
|
||||||
Port: 389,
|
Port: 389,
|
||||||
Ssl: "",
|
SSL: "",
|
||||||
|
TLS: "",
|
||||||
InsecureSkipVerify: false,
|
InsecureSkipVerify: false,
|
||||||
SslCa: "",
|
SSLCA: "",
|
||||||
|
TLSCA: "",
|
||||||
BindDn: "",
|
BindDn: "",
|
||||||
BindPassword: "",
|
BindPassword: "",
|
||||||
ReverseMetricNames: false,
|
ReverseMetricNames: false,
|
||||||
|
@ -81,12 +85,19 @@ func NewOpenldap() *Openldap {
|
||||||
|
|
||||||
// gather metrics
|
// gather metrics
|
||||||
func (o *Openldap) Gather(acc telegraf.Accumulator) error {
|
func (o *Openldap) Gather(acc telegraf.Accumulator) error {
|
||||||
|
if o.TLS == "" {
|
||||||
|
o.TLS = o.SSL
|
||||||
|
}
|
||||||
|
if o.TLSCA == "" {
|
||||||
|
o.TLSCA = o.SSLCA
|
||||||
|
}
|
||||||
|
|
||||||
var err error
|
var err error
|
||||||
var l *ldap.Conn
|
var l *ldap.Conn
|
||||||
if o.Ssl != "" {
|
if o.TLS != "" {
|
||||||
// build tls config
|
// build tls config
|
||||||
clientTLSConfig := tls.ClientConfig{
|
clientTLSConfig := tls.ClientConfig{
|
||||||
SSLCA: o.SslCa,
|
TLSCA: o.TLSCA,
|
||||||
InsecureSkipVerify: o.InsecureSkipVerify,
|
InsecureSkipVerify: o.InsecureSkipVerify,
|
||||||
}
|
}
|
||||||
tlsConfig, err := clientTLSConfig.TLSConfig()
|
tlsConfig, err := clientTLSConfig.TLSConfig()
|
||||||
|
@ -94,13 +105,13 @@ func (o *Openldap) Gather(acc telegraf.Accumulator) error {
|
||||||
acc.AddError(err)
|
acc.AddError(err)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
if o.Ssl == "ldaps" {
|
if o.TLS == "ldaps" {
|
||||||
l, err = ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", o.Host, o.Port), tlsConfig)
|
l, err = ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", o.Host, o.Port), tlsConfig)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
acc.AddError(err)
|
acc.AddError(err)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
} else if o.Ssl == "starttls" {
|
} else if o.TLS == "starttls" {
|
||||||
l, err = ldap.Dial("tcp", fmt.Sprintf("%s:%d", o.Host, o.Port))
|
l, err = ldap.Dial("tcp", fmt.Sprintf("%s:%d", o.Host, o.Port))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
acc.AddError(err)
|
acc.AddError(err)
|
||||||
|
@ -108,7 +119,7 @@ func (o *Openldap) Gather(acc telegraf.Accumulator) error {
|
||||||
}
|
}
|
||||||
err = l.StartTLS(tlsConfig)
|
err = l.StartTLS(tlsConfig)
|
||||||
} else {
|
} else {
|
||||||
acc.AddError(fmt.Errorf("Invalid setting for ssl: %s", o.Ssl))
|
acc.AddError(fmt.Errorf("Invalid setting for ssl: %s", o.TLS))
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
|
|
@ -1,10 +1,11 @@
|
||||||
package openldap
|
package openldap
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"gopkg.in/ldap.v2"
|
|
||||||
"strconv"
|
"strconv"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
"gopkg.in/ldap.v2"
|
||||||
|
|
||||||
"github.com/influxdata/telegraf/testutil"
|
"github.com/influxdata/telegraf/testutil"
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
|
@ -74,7 +75,7 @@ func TestOpenldapStartTLS(t *testing.T) {
|
||||||
o := &Openldap{
|
o := &Openldap{
|
||||||
Host: testutil.GetLocalHost(),
|
Host: testutil.GetLocalHost(),
|
||||||
Port: 389,
|
Port: 389,
|
||||||
Ssl: "starttls",
|
SSL: "starttls",
|
||||||
InsecureSkipVerify: true,
|
InsecureSkipVerify: true,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -92,7 +93,7 @@ func TestOpenldapLDAPS(t *testing.T) {
|
||||||
o := &Openldap{
|
o := &Openldap{
|
||||||
Host: testutil.GetLocalHost(),
|
Host: testutil.GetLocalHost(),
|
||||||
Port: 636,
|
Port: 636,
|
||||||
Ssl: "ldaps",
|
SSL: "ldaps",
|
||||||
InsecureSkipVerify: true,
|
InsecureSkipVerify: true,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -110,7 +111,7 @@ func TestOpenldapInvalidSSL(t *testing.T) {
|
||||||
o := &Openldap{
|
o := &Openldap{
|
||||||
Host: testutil.GetLocalHost(),
|
Host: testutil.GetLocalHost(),
|
||||||
Port: 636,
|
Port: 636,
|
||||||
Ssl: "invalid",
|
SSL: "invalid",
|
||||||
InsecureSkipVerify: true,
|
InsecureSkipVerify: true,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -129,7 +130,7 @@ func TestOpenldapBind(t *testing.T) {
|
||||||
o := &Openldap{
|
o := &Openldap{
|
||||||
Host: testutil.GetLocalHost(),
|
Host: testutil.GetLocalHost(),
|
||||||
Port: 389,
|
Port: 389,
|
||||||
Ssl: "",
|
SSL: "",
|
||||||
InsecureSkipVerify: true,
|
InsecureSkipVerify: true,
|
||||||
BindDn: "cn=manager,cn=config",
|
BindDn: "cn=manager,cn=config",
|
||||||
BindPassword: "secret",
|
BindPassword: "secret",
|
||||||
|
@ -157,7 +158,7 @@ func TestOpenldapReverseMetrics(t *testing.T) {
|
||||||
o := &Openldap{
|
o := &Openldap{
|
||||||
Host: testutil.GetLocalHost(),
|
Host: testutil.GetLocalHost(),
|
||||||
Port: 389,
|
Port: 389,
|
||||||
Ssl: "",
|
SSL: "",
|
||||||
InsecureSkipVerify: true,
|
InsecureSkipVerify: true,
|
||||||
BindDn: "cn=manager,cn=config",
|
BindDn: "cn=manager,cn=config",
|
||||||
BindPassword: "secret",
|
BindPassword: "secret",
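Review bot: Every test in this file still configures the plugin through the deprecated `SSL` field (`SSL: "starttls"`, `SSL: "ldaps"`, `SSL: "invalid"`), so the new `TLS` field and the `TLS`-over-`SSL` precedence added in Gather are not exercised at all. Switching at least one of TestOpenldapStartTLS / TestOpenldapLDAPS to `TLS: "starttls",` and keeping the other on `SSL:` would cover both the new option and the fallback; a case that sets both, e.g. `SSL: "invalid", TLS: "ldaps",`, would pin the precedence. The bodies of these test functions continue outside the hunks.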
|
||||||
|
|