Fix TLS and SSL config option parsing (#4247)

This commit is contained in:
Daniel Nelson 2018-06-06 18:29:59 -07:00 committed by GitHub
parent 229b6bd944
commit acba20af1a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 31 additions and 19 deletions

2
Godeps
View File

@ -34,7 +34,7 @@ github.com/hailocab/go-hostpool e80d13ce29ede4452c43dea11e79b9bc8a15b478
github.com/hashicorp/consul 5174058f0d2bda63fa5198ab96c33d9a909c58ed github.com/hashicorp/consul 5174058f0d2bda63fa5198ab96c33d9a909c58ed
github.com/influxdata/go-syslog 84f3b60009444d298f97454feb1f20cf91d1fa6e github.com/influxdata/go-syslog 84f3b60009444d298f97454feb1f20cf91d1fa6e
github.com/influxdata/tail c43482518d410361b6c383d7aebce33d0471d7bc github.com/influxdata/tail c43482518d410361b6c383d7aebce33d0471d7bc
github.com/influxdata/toml 5d1d907f22ead1cd47adde17ceec5bda9cacaf8f github.com/influxdata/toml 2a2e3012f7cfbef64091cc79776311e65dfa211b
github.com/influxdata/wlog 7c63b0a71ef8300adc255344d275e10e5c3a71ec github.com/influxdata/wlog 7c63b0a71ef8300adc255344d275e10e5c3a71ec
github.com/fsnotify/fsnotify c2828203cd70a50dcccfb2761f8b1f8ceef9a8e9 github.com/fsnotify/fsnotify c2828203cd70a50dcccfb2761f8b1f8ceef9a8e9
github.com/jackc/pgx 63f58fd32edb5684b9e9f4cfaac847c6b42b3917 github.com/jackc/pgx 63f58fd32edb5684b9e9f4cfaac847c6b42b3917

View File

@ -17,7 +17,7 @@ type ClientConfig struct {
// Deprecated in 1.7; use TLS variables above // Deprecated in 1.7; use TLS variables above
SSLCA string `toml:"ssl_ca"` SSLCA string `toml:"ssl_ca"`
SSLCert string `toml:"ssl_cert"` SSLCert string `toml:"ssl_cert"`
SSLKey string `toml:"ssl_ca"` SSLKey string `toml:"ssl_key"`
} }
// ServerConfig represents the standard server TLS config. // ServerConfig represents the standard server TLS config.

View File

@ -14,7 +14,7 @@ To use this plugin you must enable the [monitoring](https://www.openldap.org/dev
# ldaps, starttls, or no encryption. default is an empty string, disabling all encryption. # ldaps, starttls, or no encryption. default is an empty string, disabling all encryption.
# note that port will likely need to be changed to 636 for ldaps # note that port will likely need to be changed to 636 for ldaps
# valid options: "" | "starttls" | "ldaps" # valid options: "" | "starttls" | "ldaps"
ssl = "" tls = ""
# skip peer certificate verification. Default is false. # skip peer certificate verification. Default is false.
insecure_skip_verify = false insecure_skip_verify = false

View File

@ -15,9 +15,11 @@ import (
type Openldap struct { type Openldap struct {
Host string Host string
Port int Port int
Ssl string SSL string `toml:"ssl"` // Deprecated in 1.7; use TLS
TLS string `toml:"tls"`
InsecureSkipVerify bool InsecureSkipVerify bool
SslCa string SSLCA string `toml:"ssl_ca"` // Deprecated in 1.7; use TLSCA
TLSCA string `toml:"tls_ca"`
BindDn string BindDn string
BindPassword string BindPassword string
ReverseMetricNames bool ReverseMetricNames bool
@ -30,7 +32,7 @@ const sampleConfig string = `
# ldaps, starttls, or no encryption. default is an empty string, disabling all encryption. # ldaps, starttls, or no encryption. default is an empty string, disabling all encryption.
# note that port will likely need to be changed to 636 for ldaps # note that port will likely need to be changed to 636 for ldaps
# valid options: "" | "starttls" | "ldaps" # valid options: "" | "starttls" | "ldaps"
ssl = "" tls = ""
# skip peer certificate verification. Default is false. # skip peer certificate verification. Default is false.
insecure_skip_verify = false insecure_skip_verify = false
@ -70,9 +72,11 @@ func NewOpenldap() *Openldap {
return &Openldap{ return &Openldap{
Host: "localhost", Host: "localhost",
Port: 389, Port: 389,
Ssl: "", SSL: "",
TLS: "",
InsecureSkipVerify: false, InsecureSkipVerify: false,
SslCa: "", SSLCA: "",
TLSCA: "",
BindDn: "", BindDn: "",
BindPassword: "", BindPassword: "",
ReverseMetricNames: false, ReverseMetricNames: false,
@ -81,12 +85,19 @@ func NewOpenldap() *Openldap {
// gather metrics // gather metrics
func (o *Openldap) Gather(acc telegraf.Accumulator) error { func (o *Openldap) Gather(acc telegraf.Accumulator) error {
if o.TLS == "" {
o.TLS = o.SSL
}
if o.TLSCA == "" {
o.TLSCA = o.SSLCA
}
var err error var err error
var l *ldap.Conn var l *ldap.Conn
if o.Ssl != "" { if o.TLS != "" {
// build tls config // build tls config
clientTLSConfig := tls.ClientConfig{ clientTLSConfig := tls.ClientConfig{
SSLCA: o.SslCa, TLSCA: o.TLSCA,
InsecureSkipVerify: o.InsecureSkipVerify, InsecureSkipVerify: o.InsecureSkipVerify,
} }
tlsConfig, err := clientTLSConfig.TLSConfig() tlsConfig, err := clientTLSConfig.TLSConfig()
@ -94,13 +105,13 @@ func (o *Openldap) Gather(acc telegraf.Accumulator) error {
acc.AddError(err) acc.AddError(err)
return nil return nil
} }
if o.Ssl == "ldaps" { if o.TLS == "ldaps" {
l, err = ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", o.Host, o.Port), tlsConfig) l, err = ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", o.Host, o.Port), tlsConfig)
if err != nil { if err != nil {
acc.AddError(err) acc.AddError(err)
return nil return nil
} }
} else if o.Ssl == "starttls" { } else if o.TLS == "starttls" {
l, err = ldap.Dial("tcp", fmt.Sprintf("%s:%d", o.Host, o.Port)) l, err = ldap.Dial("tcp", fmt.Sprintf("%s:%d", o.Host, o.Port))
if err != nil { if err != nil {
acc.AddError(err) acc.AddError(err)
@ -108,7 +119,7 @@ func (o *Openldap) Gather(acc telegraf.Accumulator) error {
} }
err = l.StartTLS(tlsConfig) err = l.StartTLS(tlsConfig)
} else { } else {
acc.AddError(fmt.Errorf("Invalid setting for ssl: %s", o.Ssl)) acc.AddError(fmt.Errorf("Invalid setting for ssl: %s", o.TLS))
return nil return nil
} }
} else { } else {

View File

@ -1,10 +1,11 @@
package openldap package openldap
import ( import (
"gopkg.in/ldap.v2"
"strconv" "strconv"
"testing" "testing"
"gopkg.in/ldap.v2"
"github.com/influxdata/telegraf/testutil" "github.com/influxdata/telegraf/testutil"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
@ -74,7 +75,7 @@ func TestOpenldapStartTLS(t *testing.T) {
o := &Openldap{ o := &Openldap{
Host: testutil.GetLocalHost(), Host: testutil.GetLocalHost(),
Port: 389, Port: 389,
Ssl: "starttls", SSL: "starttls",
InsecureSkipVerify: true, InsecureSkipVerify: true,
} }
@ -92,7 +93,7 @@ func TestOpenldapLDAPS(t *testing.T) {
o := &Openldap{ o := &Openldap{
Host: testutil.GetLocalHost(), Host: testutil.GetLocalHost(),
Port: 636, Port: 636,
Ssl: "ldaps", SSL: "ldaps",
InsecureSkipVerify: true, InsecureSkipVerify: true,
} }
@ -110,7 +111,7 @@ func TestOpenldapInvalidSSL(t *testing.T) {
o := &Openldap{ o := &Openldap{
Host: testutil.GetLocalHost(), Host: testutil.GetLocalHost(),
Port: 636, Port: 636,
Ssl: "invalid", SSL: "invalid",
InsecureSkipVerify: true, InsecureSkipVerify: true,
} }
@ -129,7 +130,7 @@ func TestOpenldapBind(t *testing.T) {
o := &Openldap{ o := &Openldap{
Host: testutil.GetLocalHost(), Host: testutil.GetLocalHost(),
Port: 389, Port: 389,
Ssl: "", SSL: "",
InsecureSkipVerify: true, InsecureSkipVerify: true,
BindDn: "cn=manager,cn=config", BindDn: "cn=manager,cn=config",
BindPassword: "secret", BindPassword: "secret",
@ -157,7 +158,7 @@ func TestOpenldapReverseMetrics(t *testing.T) {
o := &Openldap{ o := &Openldap{
Host: testutil.GetLocalHost(), Host: testutil.GetLocalHost(),
Port: 389, Port: 389,
Ssl: "", SSL: "",
InsecureSkipVerify: true, InsecureSkipVerify: true,
BindDn: "cn=manager,cn=config", BindDn: "cn=manager,cn=config",
BindPassword: "secret", BindPassword: "secret",