diff --git a/dev-tools/cmd/dashboards/export_dashboards.go b/dev-tools/cmd/dashboards/export_dashboards.go
index 362f3eafb3f..1b2779c72a8 100644
--- a/dev-tools/cmd/dashboards/export_dashboards.go
+++ b/dev-tools/cmd/dashboards/export_dashboards.go
@@ -25,9 +25,9 @@ import (
 "path/filepath"
 "time"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/libbeat/dashboards"
 "github.com/elastic/beats/v7/libbeat/kibana"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 var (
diff --git a/filebeat/fileset/pipelines_test.go b/filebeat/fileset/pipelines_test.go
index 68961b3ec38..e99d2c2486e 100644
--- a/filebeat/fileset/pipelines_test.go
+++ b/filebeat/fileset/pipelines_test.go
@@ -29,9 +29,9 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/libbeat/esleg/eslegclient"
 "github.com/elastic/elastic-agent-libs/logp"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 func TestLoadPipelinesWithMultiPipelineFileset(t *testing.T) {
diff --git a/filebeat/input/kafka/config.go b/filebeat/input/kafka/config.go
index 997693c7c8e..6c1d2a33c0e 100644
--- a/filebeat/input/kafka/config.go
+++ b/filebeat/input/kafka/config.go
@@ -27,10 +27,10 @@ import (
 "github.com/elastic/beats/v7/libbeat/common/cfgwarn"
 "github.com/elastic/beats/v7/libbeat/common/kafka"
 "github.com/elastic/beats/v7/libbeat/common/transport/kerberos"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 "github.com/elastic/beats/v7/libbeat/monitoring"
 "github.com/elastic/beats/v7/libbeat/monitoring/adapter"
 "github.com/elastic/beats/v7/libbeat/reader/parser"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 type kafkaInputConfig struct {
diff --git a/filebeat/input/mqtt/client.go b/filebeat/input/mqtt/client.go
index 068dca04386..bece7ee2bbf 100644
--- a/filebeat/input/mqtt/client.go
+++ b/filebeat/input/mqtt/client.go
@@ -20,7 +20,7 @@ package mqtt
 import (
 libmqtt "github.com/eclipse/paho.mqtt.golang"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 func createClientOptions(config mqttInputConfig, onConnectHandler func(client libmqtt.Client)) (*libmqtt.ClientOptions, error) {
diff --git a/filebeat/input/mqtt/config.go b/filebeat/input/mqtt/config.go
index c4fbe2b7735..f78707e53c1 100644
--- a/filebeat/input/mqtt/config.go
+++ b/filebeat/input/mqtt/config.go
@@ -20,7 +20,7 @@ package mqtt
 import (
 "errors"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 type mqttInputConfig struct {
diff --git a/filebeat/inputsource/tcp/config.go b/filebeat/inputsource/tcp/config.go
index 02039a6c1a6..1e402fadf68 100644
--- a/filebeat/inputsource/tcp/config.go
+++ b/filebeat/inputsource/tcp/config.go
@@ -22,7 +22,7 @@ import (
 "time"
 "github.com/elastic/beats/v7/libbeat/common/cfgtype"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 // Name is the human readable name and identifier.
diff --git a/filebeat/inputsource/tcp/handler.go b/filebeat/inputsource/tcp/handler.go
index f783e1cec2a..8f6e4af84e7 100644
--- a/filebeat/inputsource/tcp/handler.go
+++ b/filebeat/inputsource/tcp/handler.go
@@ -23,7 +23,7 @@ import (
 "net"
 "github.com/elastic/beats/v7/filebeat/inputsource"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 // MetadataCallback returns common metadata about a tcp connection
diff --git a/filebeat/inputsource/tcp/server.go b/filebeat/inputsource/tcp/server.go
index 42c88693879..9e35088ebb1 100644
--- a/filebeat/inputsource/tcp/server.go
+++ b/filebeat/inputsource/tcp/server.go
@@ -26,7 +26,7 @@ import (
 "github.com/elastic/beats/v7/filebeat/inputsource"
 "github.com/elastic/beats/v7/filebeat/inputsource/common/streaming"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 // Server represent a TCP server
diff --git a/heartbeat/monitors/active/dialchain/dialchain.go b/heartbeat/monitors/active/dialchain/dialchain.go
index 332f4859875..62f2730a790 100644
--- a/heartbeat/monitors/active/dialchain/dialchain.go
+++ b/heartbeat/monitors/active/dialchain/dialchain.go
@@ -19,7 +19,7 @@ package dialchain
 import (
 "github.com/elastic/beats/v7/libbeat/beat"
- "github.com/elastic/beats/v7/libbeat/common/transport"
+ "github.com/elastic/elastic-agent-libs/transport"
 )
 // DialerChain composes builders for multiple network layers, used to build
diff --git a/heartbeat/monitors/active/dialchain/dialers.go b/heartbeat/monitors/active/dialchain/dialers.go
index a6a776bca10..c856a0712ed 100644
--- a/heartbeat/monitors/active/dialchain/dialers.go
+++ b/heartbeat/monitors/active/dialchain/dialers.go
@@ -26,9 +26,9 @@ import (
 "github.com/elastic/beats/v7/heartbeat/eventext"
 "github.com/elastic/beats/v7/heartbeat/look"
 "github.com/elastic/beats/v7/libbeat/beat"
- "github.com/elastic/beats/v7/libbeat/common/transport"
 "github.com/elastic/elastic-agent-libs/logp"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/transport"
 )
 // TCPDialer creates a new NetDialer with constant event fields and default
diff --git a/heartbeat/monitors/active/dialchain/socks5.go b/heartbeat/monitors/active/dialchain/socks5.go
index 39e6e35c854..a3e87c7edaf 100644
--- a/heartbeat/monitors/active/dialchain/socks5.go
+++ b/heartbeat/monitors/active/dialchain/socks5.go
@@ -22,8 +22,8 @@ import (
 "github.com/elastic/beats/v7/heartbeat/look"
 "github.com/elastic/beats/v7/libbeat/beat"
- "github.com/elastic/beats/v7/libbeat/common/transport"
 "github.com/elastic/elastic-agent-libs/logp"
+ "github.com/elastic/elastic-agent-libs/transport"
 )
 // SOCKS5Layer configures a SOCKS5 proxy layer in a DialerChain.
diff --git a/heartbeat/monitors/active/dialchain/tls.go b/heartbeat/monitors/active/dialchain/tls.go
index 5786d57e315..da1d85748f4 100644
--- a/heartbeat/monitors/active/dialchain/tls.go
+++ b/heartbeat/monitors/active/dialchain/tls.go
@@ -25,8 +25,8 @@ import (
 "github.com/elastic/beats/v7/heartbeat/monitors/active/dialchain/tlsmeta"
 "github.com/elastic/beats/v7/libbeat/beat"
- "github.com/elastic/beats/v7/libbeat/common/transport"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+ "github.com/elastic/elastic-agent-libs/transport"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 // TLSLayer configures the TLS layer in a DialerChain.
diff --git a/heartbeat/monitors/active/dialchain/tlsmeta/tlsmeta.go b/heartbeat/monitors/active/dialchain/tlsmeta/tlsmeta.go
index 4dbeaafd0a5..26863b7371d 100644
--- a/heartbeat/monitors/active/dialchain/tlsmeta/tlsmeta.go
+++ b/heartbeat/monitors/active/dialchain/tlsmeta/tlsmeta.go
@@ -29,8 +29,8 @@ import (
 "time"
 "github.com/elastic/beats/v7/heartbeat/look"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 // UnknownTLSHandshakeDuration to be used in AddTLSMetadata when the duration of the TLS handshake can't be determined.
diff --git a/heartbeat/monitors/active/dialchain/util.go b/heartbeat/monitors/active/dialchain/util.go
index 7b29ca80b39..cb4ddc64cfe 100644
--- a/heartbeat/monitors/active/dialchain/util.go
+++ b/heartbeat/monitors/active/dialchain/util.go
@@ -22,7 +22,7 @@ import (
 "time"
 "github.com/elastic/beats/v7/libbeat/beat"
- "github.com/elastic/beats/v7/libbeat/common/transport"
+ "github.com/elastic/elastic-agent-libs/transport"
 )
 type timer struct {
diff --git a/heartbeat/monitors/active/http/config.go b/heartbeat/monitors/active/http/config.go
index 5a820dce8c1..4589ec15610 100644
--- a/heartbeat/monitors/active/http/config.go
+++ b/heartbeat/monitors/active/http/config.go
@@ -24,8 +24,8 @@ import (
 "time"
 "github.com/elastic/beats/v7/heartbeat/monitors"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/libbeat/conditions"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 type Config struct {
diff --git a/heartbeat/monitors/active/http/http.go b/heartbeat/monitors/active/http/http.go
index fb18313ff88..9972dd43ff2 100644
--- a/heartbeat/monitors/active/http/http.go
+++ b/heartbeat/monitors/active/http/http.go
@@ -27,9 +27,9 @@ import (
 "github.com/elastic/beats/v7/heartbeat/monitors/jobs"
 "github.com/elastic/beats/v7/heartbeat/monitors/wrappers"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 "github.com/elastic/beats/v7/libbeat/common/useragent"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 func init() {
diff --git a/heartbeat/monitors/active/http/simple_transp.go b/heartbeat/monitors/active/http/simple_transp.go
index 2d4d7815b6a..3a30d656cb2 100644
--- a/heartbeat/monitors/active/http/simple_transp.go
+++ b/heartbeat/monitors/active/http/simple_transp.go
@@ -28,7 +28,7 @@ import (
 "net/url"
 "strings"
- "github.com/elastic/beats/v7/libbeat/common/transport"
+ "github.com/elastic/elastic-agent-libs/transport"
 )
 const (
diff --git a/heartbeat/monitors/active/http/task.go b/heartbeat/monitors/active/http/task.go
index ca35a2f4909..6acd855fb67 100644
--- a/heartbeat/monitors/active/http/task.go
+++ b/heartbeat/monitors/active/http/task.go
@@ -42,8 +42,8 @@ import (
 "github.com/elastic/beats/v7/heartbeat/monitors/jobs"
 "github.com/elastic/beats/v7/heartbeat/reason"
 "github.com/elastic/beats/v7/libbeat/beat"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 type requestFactory func() (*http.Request, error)
diff --git a/heartbeat/monitors/active/tcp/config.go b/heartbeat/monitors/active/tcp/config.go
index 692af5ba65f..b062947b624 100644
--- a/heartbeat/monitors/active/tcp/config.go
+++ b/heartbeat/monitors/active/tcp/config.go
@@ -22,8 +22,8 @@ import (
 "time"
 "github.com/elastic/beats/v7/heartbeat/monitors"
- "github.com/elastic/beats/v7/libbeat/common/transport"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+ "github.com/elastic/elastic-agent-libs/transport"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 type config struct {
diff --git a/heartbeat/monitors/active/tcp/tcp.go b/heartbeat/monitors/active/tcp/tcp.go
index 66b6b2ee5db..5961848ac2e 100644
--- a/heartbeat/monitors/active/tcp/tcp.go
+++ b/heartbeat/monitors/active/tcp/tcp.go
@@ -34,11 +34,11 @@ import (
 "github.com/elastic/beats/v7/heartbeat/monitors/wrappers"
 "github.com/elastic/beats/v7/heartbeat/reason"
 "github.com/elastic/beats/v7/libbeat/beat"
- "github.com/elastic/beats/v7/libbeat/common/transport"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 conf "github.com/elastic/elastic-agent-libs/config"
 "github.com/elastic/elastic-agent-libs/logp"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/transport"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 func init() {
diff --git a/libbeat/cmd/test/output.go b/libbeat/cmd/test/output.go
index 5df48051fc1..3290c283c27 100644
--- a/libbeat/cmd/test/output.go
+++ b/libbeat/cmd/test/output.go
@@ -26,7 +26,7 @@ import (
 "github.com/elastic/beats/v7/libbeat/cmd/instance"
 "github.com/elastic/beats/v7/libbeat/idxmgmt"
 "github.com/elastic/beats/v7/libbeat/outputs"
- "github.com/elastic/beats/v7/libbeat/testing"
+ "github.com/elastic/elastic-agent-libs/testing"
 )
 func GenTestOutputCmd(settings instance.Settings) *cobra.Command {
diff --git a/libbeat/common/transport/client.go b/libbeat/common/transport/client.go
deleted file mode 100644
index fd61ac77058..00000000000
--- a/libbeat/common/transport/client.go
+++ /dev/null
@@ -1,240 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package transport
-
-import (
- "fmt"
- "net"
- "sync"
- "time"
-
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
- "github.com/elastic/beats/v7/libbeat/testing"
- "github.com/elastic/elastic-agent-libs/logp"
-)
-
-type Client struct {
- log *logp.Logger
- dialer Dialer
- network string
- host string
- config Config
-
- conn net.Conn
- mutex sync.Mutex
-}
-
-type Config struct {
- Proxy *ProxyConfig
- TLS *tlscommon.TLSConfig
- Timeout time.Duration
- Stats IOStatser
-}
-
-func NewClient(c Config, network, host string, defaultPort int) (*Client, error) {
- // do some sanity checks regarding network and Config matching +
- // address being parseable
- switch network {
- case "tcp", "tcp4", "tcp6":
- case "udp", "udp4", "udp6":
- if c.TLS == nil && c.Proxy == nil {
- break
- }
- fallthrough
- default:
- return nil, fmt.Errorf("unsupported network type %v", network)
- }
-
- dialer, err := MakeDialer(c)
- if err != nil {
- return nil, err
- }
-
- return NewClientWithDialer(dialer, c, network, host, defaultPort)
-}
-
-func NewClientWithDialer(d Dialer, c Config, network, host string, defaultPort int) (*Client, error) {
- // check address being parseable
- host = fullAddress(host, defaultPort)
- _, _, err := net.SplitHostPort(host)
- if err != nil {
- return nil, err
- }
-
- client := &Client{
- log: logp.NewLogger(logSelector),
- dialer: d,
- network: network,
- host: host,
- config: c,
- }
- return client, nil
-}
-
-func (c *Client) Connect() error {
- c.mutex.Lock()
- defer c.mutex.Unlock()
-
- if c.conn != nil {
- _ = c.conn.Close()
- c.conn = nil
- }
-
- conn, err := c.dialer.Dial(c.network, c.host)
- if err != nil {
- return err
- }
- c.conn = conn
- return nil
-}
-
-func (c *Client) IsConnected() bool {
- c.mutex.Lock()
- b := c.conn != nil
- c.mutex.Unlock()
- return b
-}
-
-func (c *Client) Close() error {
- c.mutex.Lock()
- defer c.mutex.Unlock()
-
- if c.conn != nil {
- c.log.Debug("closing")
- err := c.conn.Close()
- c.conn = nil
- return err
- }
- return nil
-}
-
-func (c *Client) getConn() net.Conn {
- c.mutex.Lock()
- conn := c.conn
- c.mutex.Unlock()
- return conn
-}
-
-func (c *Client) Read(b []byte) (int, error) {
- conn := c.getConn()
- if conn == nil {
- return 0, ErrNotConnected
- }
-
- n, err := conn.Read(b)
- return n, c.handleError(err)
-}
-
-func (c *Client) Write(b []byte) (int, error) {
- conn := c.getConn()
- if conn == nil {
- return 0, ErrNotConnected
- }
-
- n, err := c.conn.Write(b)
- return n, c.handleError(err)
-}
-
-func (c *Client) LocalAddr() net.Addr {
- conn := c.getConn()
- if conn != nil {
- return c.conn.LocalAddr()
- }
- return nil
-}
-
-func (c *Client) RemoteAddr() net.Addr {
- conn := c.getConn()
- if conn != nil {
- return c.conn.RemoteAddr()
- }
- return nil
-}
-
-func (c *Client) Host() string {
- return c.host
-}
-
-func (c *Client) SetDeadline(t time.Time) error {
- conn := c.getConn()
- if conn == nil {
- return ErrNotConnected
- }
-
- err := conn.SetDeadline(t)
- return c.handleError(err)
-}
-
-func (c *Client) SetReadDeadline(t time.Time) error {
- conn := c.getConn()
- if conn == nil {
- return ErrNotConnected
- }
-
- err := conn.SetReadDeadline(t)
- return c.handleError(err)
-}
-
-func (c *Client) SetWriteDeadline(t time.Time) error {
- conn := c.getConn()
- if conn == nil {
- return ErrNotConnected
- }
-
- err := conn.SetWriteDeadline(t)
- return c.handleError(err)
-}
-
-func (c *Client) handleError(err error) error {
- if err != nil {
- c.log.Debugf("handle error: %+v", err)
-
- if nerr, ok := err.(net.Error); !(ok && (nerr.Temporary() || nerr.Timeout())) {
- _ = c.Close()
- }
- }
- return err
-}
-
-func (c *Client) Test(d testing.Driver) {
- d.Run("logstash: "+c.host, func(d testing.Driver) {
- d.Run("connection", func(d testing.Driver) {
- netDialer := TestNetDialer(d, c.config.Timeout)
- _, err := netDialer.Dial("tcp", c.host)
- d.Fatal("dial up", err)
- })
-
- if c.config.TLS == nil {
- d.Warn("TLS", "secure connection disabled")
- } else {
- d.Run("TLS", func(d testing.Driver) {
- netDialer := NetDialer(c.config.Timeout)
- tlsDialer := TestTLSDialer(d, netDialer, c.config.TLS, c.config.Timeout)
- _, err := tlsDialer.Dial("tcp", c.host)
- d.Fatal("dial up", err)
- })
- }
-
- err := c.Connect()
- d.Fatal("talk to server", err)
- })
-}
-
-func (c *Client) String() string {
- return c.network + "://" + c.host
-}
diff --git a/libbeat/common/transport/httpcommon/httpcommon.go b/libbeat/common/transport/httpcommon/httpcommon.go
deleted file mode 100644
index 66010b55289..00000000000
--- a/libbeat/common/transport/httpcommon/httpcommon.go
+++ /dev/null
@@ -1,409 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package httpcommon
-
-import (
- "net/http"
- "time"
-
- "go.elastic.co/apm/module/apmhttp/v2"
- "golang.org/x/net/http2"
-
- "github.com/elastic/beats/v7/libbeat/common/transport"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
- "github.com/elastic/elastic-agent-libs/config"
- "github.com/elastic/elastic-agent-libs/logp"
-)
-
-// HTTPTransportSettings provides common HTTP settings for HTTP clients.
-type HTTPTransportSettings struct {
- // TLS provides ssl/tls setup settings
- TLS *tlscommon.Config `config:"ssl" yaml:"ssl,omitempty" json:"ssl,omitempty"`
-
- // Timeout configures the `(http.Transport).Timeout`.
- Timeout time.Duration `config:"timeout" yaml:"timeout,omitempty" json:"timeout,omitempty"`
-
- Proxy HTTPClientProxySettings `config:",inline" yaml:",inline"`
-
- // TODO: Add more settings:
- // - DisableKeepAlive
- // - MaxIdleConns
- // - IdleConnTimeout
- // - ResponseHeaderTimeout
- // - ConnectionTimeout (currently 'Timeout' is used for both)
-}
-
-// WithKeepaliveSettings options can be used to modify the Keepalive
-type WithKeepaliveSettings struct {
- Disable bool
- MaxIdleConns int
- MaxIdleConnsPerHost int
- IdleConnTimeout time.Duration
-}
-
-var _ httpTransportOption = WithKeepaliveSettings{}
-
-const defaultHTTPTimeout = 90 * time.Second
-
-type (
- // TransportOption are applied to the http.RoundTripper to be build
- // from HTTPTransportSettings.
- TransportOption interface{ sealTransportOption() }
-
- extraSettings struct {
- logger *logp.Logger
- http2 bool
- }
-
- dialerOption interface {
- TransportOption
- baseDialer() transport.Dialer
- }
- dialerModOption interface {
- TransportOption
- applyDialer(*HTTPTransportSettings, transport.Dialer) transport.Dialer
- }
- httpTransportOption interface {
- TransportOption
- applyTransport(*HTTPTransportSettings, *http.Transport)
- }
- roundTripperOption interface {
- TransportOption
- applyRoundTripper(*HTTPTransportSettings, http.RoundTripper) http.RoundTripper
- }
- extraOption interface {
- TransportOption
- applyExtra(*extraSettings)
- }
-)
-
-type baseDialerFunc func() transport.Dialer
-
-var _ dialerOption = baseDialerFunc(nil)
-
-func (baseDialerFunc) sealTransportOption() {}
-func (fn baseDialerFunc) baseDialer() transport.Dialer {
- return fn()
-}
-
-type dialerOptFunc func(transport.Dialer) transport.Dialer
-
-var _ dialerModOption = dialerOptFunc(nil)
-
-func (dialerOptFunc) sealTransportOption() {}
-func (fn dialerOptFunc) applyDialer(_ *HTTPTransportSettings, d transport.Dialer) transport.Dialer {
- return fn(d)
-
-}
-
-type transportOptFunc func(*HTTPTransportSettings, *http.Transport)
-
-var _ httpTransportOption = transportOptFunc(nil)
-
-func (transportOptFunc) sealTransportOption() {}
-func (fn transportOptFunc) applyTransport(s *HTTPTransportSettings, t *http.Transport) {
- fn(s, t)
-}
-
-type rtOptFunc func(http.RoundTripper) http.RoundTripper
-
-var _ roundTripperOption = rtOptFunc(nil)
-
-func (rtOptFunc) sealTransportOption() {}
-func (fn rtOptFunc) applyRoundTripper(_ *HTTPTransportSettings, rt http.RoundTripper) http.RoundTripper {
- return fn(rt)
-}
-
-type extraOptionFunc func(*extraSettings)
-
-func (extraOptionFunc) sealTransportOption() {}
-func (fn extraOptionFunc) applyExtra(s *extraSettings) { fn(s) }
-
-type headerRoundTripper struct {
- headers map[string]string
- rt http.RoundTripper
-}
-
-func (rt *headerRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
- for k, v := range rt.headers {
- if len(req.Header.Get(k)) == 0 {
- req.Header.Set(k, v)
- }
- }
- return rt.rt.RoundTrip(req)
-}
-
-// DefaultHTTPTransportSettings returns the default HTTP transport setting.
-func DefaultHTTPTransportSettings() HTTPTransportSettings {
- return HTTPTransportSettings{
- Proxy: DefaultHTTPClientProxySettings(),
- Timeout: defaultHTTPTimeout,
- }
-}
-
-// Unpack reads a config object into the settings.
-func (settings *HTTPTransportSettings) Unpack(cfg *config.C) error {
- tmp := struct {
- TLS *tlscommon.Config `config:"ssl"`
- Timeout time.Duration `config:"timeout"`
- }{Timeout: settings.Timeout}
-
- if err := cfg.Unpack(&tmp); err != nil {
- return err
- }
-
- var proxy HTTPClientProxySettings
- if err := cfg.Unpack(&proxy); err != nil {
- return err
- }
-
- _, err := tlscommon.LoadTLSConfig(tmp.TLS)
- if err != nil {
- return err
- }
-
- *settings = HTTPTransportSettings{
- TLS: tmp.TLS,
- Timeout: tmp.Timeout,
- Proxy: proxy,
- }
- return nil
-}
-
-// RoundTripper creates a http.RoundTripper for use with http.Client.
-//
-// The dialers will registers with stats if given. Stats is used to collect metrics for io errors,
-// bytes in, and bytes out.
-func (settings *HTTPTransportSettings) RoundTripper(opts ...TransportOption) (http.RoundTripper, error) {
- var dialer transport.Dialer
-
- var extra extraSettings
- for _, opt := range opts {
- if opt, ok := opt.(extraOption); ok {
- opt.applyExtra(&extra)
- }
- }
-
- for _, opt := range opts {
- if dialOpt, ok := opt.(dialerOption); ok {
- dialer = dialOpt.baseDialer()
- }
- }
-
- if dialer == nil {
- dialer = transport.NetDialer(settings.Timeout)
- }
-
- tls, err := tlscommon.LoadTLSConfig(settings.TLS)
- if err != nil {
- return nil, err
- }
-
- tlsDialer := transport.TLSDialer(dialer, tls, settings.Timeout)
- for _, opt := range opts {
- if dialOpt, ok := opt.(dialerModOption); ok {
- dialer = dialOpt.applyDialer(settings, dialer)
- tlsDialer = dialOpt.applyDialer(settings, tlsDialer)
- }
- }
-
- if logger := extra.logger; logger != nil {
- dialer = transport.LoggingDialer(dialer, logger)
- tlsDialer = transport.LoggingDialer(tlsDialer, logger)
- }
-
- var rt http.RoundTripper
- if extra.http2 {
- rt, err = settings.http2RoundTripper(tls, dialer, tlsDialer, opts...)
- } else {
- rt, err = settings.httpRoundTripper(tls, dialer, tlsDialer, opts...)
- }
-
- for _, opt := range opts {
- if rtOpt, ok := opt.(roundTripperOption); ok {
- rt = rtOpt.applyRoundTripper(settings, rt)
- }
- }
- return rt, nil
-}
-
-func (settings *HTTPTransportSettings) httpRoundTripper(
- tls *tlscommon.TLSConfig,
- dialer, tlsDialer transport.Dialer,
- opts ...TransportOption,
-) (*http.Transport, error) {
- t := http.DefaultTransport.(*http.Transport).Clone()
- t.DialContext = nil
- t.DialTLSContext = nil
- t.Dial = dialer.Dial
- t.DialTLS = tlsDialer.Dial
- t.TLSClientConfig = tls.ToConfig()
- t.ForceAttemptHTTP2 = false
- t.Proxy = settings.Proxy.ProxyFunc()
- t.ProxyConnectHeader = settings.Proxy.Headers.Headers()
-
- // reset some internal timeouts to not change old Beats defaults
- t.TLSHandshakeTimeout = 0
- t.ExpectContinueTimeout = 0
-
- for _, opt := range opts {
- if transportOpt, ok := opt.(httpTransportOption); ok {
- transportOpt.applyTransport(settings, t)
- }
- }
-
- return t, nil
-}
-
-func (settings *HTTPTransportSettings) http2RoundTripper(
- tls *tlscommon.TLSConfig,
- dialer, tlsDialer transport.Dialer,
- opts ...TransportOption,
-) (*http2.Transport, error) {
- t1, err := settings.httpRoundTripper(tls, dialer, tlsDialer, opts...)
- if err != nil {
- return nil, err
- }
-
- t2, err := http2.ConfigureTransports(t1)
- if err != nil {
- return nil, err
- }
-
- t2.AllowHTTP = true
- return t2, nil
-}
-
-// Client creates a new http.Client with configured Transport. The transport is
-// instrumented using apmhttp.WrapRoundTripper.
-func (settings HTTPTransportSettings) Client(opts ...TransportOption) (*http.Client, error) {
- rt, err := settings.RoundTripper(opts...)
- if err != nil {
- return nil, err
- }
-
- return &http.Client{Transport: rt, Timeout: settings.Timeout}, nil
-}
-
-func (opts WithKeepaliveSettings) sealTransportOption() {}
-func (opts WithKeepaliveSettings) applyTransport(_ *HTTPTransportSettings, t *http.Transport) {
- t.DisableKeepAlives = opts.Disable
- if opts.IdleConnTimeout != 0 {
- t.IdleConnTimeout = opts.IdleConnTimeout
- }
- if opts.MaxIdleConns != 0 {
- t.MaxIdleConns = opts.MaxIdleConns
- }
- if opts.MaxIdleConnsPerHost != 0 {
- t.MaxIdleConnsPerHost = opts.MaxIdleConnsPerHost
- }
-}
-
-// WithBaseDialer configures the dialer used for TCP and TLS connections.
-func WithBaseDialer(d transport.Dialer) TransportOption {
- return baseDialerFunc(func() transport.Dialer {
- return d
- })
-}
-
-// WithIOStats instruments the RoundTripper dialers with the given statser, such
-// that bytes in, bytes out, and errors can be monitored.
-func WithIOStats(stats transport.IOStatser) TransportOption {
- return dialerOptFunc(func(d transport.Dialer) transport.Dialer {
- if stats == nil {
- return d
- }
- return transport.StatsDialer(d, stats)
- })
-}
-
-// WithTransportFunc register a custom function that is used to apply
-// custom changes to the net.Transport, when the Client is build.
-func WithTransportFunc(fn func(*http.Transport)) TransportOption {
- return transportOptFunc(func(_ *HTTPTransportSettings, t *http.Transport) {
- fn(t)
- })
-}
-
-// WithHTTP2Only will ensure that a HTTP 2 only roundtripper is created.
-func WithHTTP2Only(b bool) TransportOption {
- return extraOptionFunc(func(settings *extraSettings) {
- settings.http2 = b
- })
-}
-
-// WithForceAttemptHTTP2 sets the `http.Tansport.ForceAttemptHTTP2` field.
-func WithForceAttemptHTTP2(b bool) TransportOption {
- return transportOptFunc(func(settings *HTTPTransportSettings, t *http.Transport) {
- t.ForceAttemptHTTP2 = b
- })
-}
-
-// WithNOProxy disables the configured proxy. Proxy environment variables
-// like HTTP_PROXY and HTTPS_PROXY will have no affect.
-func WithNOProxy() TransportOption {
- return transportOptFunc(func(s *HTTPTransportSettings, t *http.Transport) {
- t.Proxy = nil
- })
-}
-
-// WithoutProxyEnvironmentVariables disables support for the HTTP_PROXY, HTTPS_PROXY and
-// NO_PROXY envionrment variables. Explicitely configured proxy URLs will still applied.
-func WithoutProxyEnvironmentVariables() TransportOption {
- return transportOptFunc(func(settings *HTTPTransportSettings, t *http.Transport) {
- if settings.Proxy.Disable || settings.Proxy.URL == nil {
- t.Proxy = nil
- }
- })
-}
-
-// WithModRoundtripper allows customization of the roundtipper.
-func WithModRoundtripper(w func(http.RoundTripper) http.RoundTripper) TransportOption {
- return rtOptFunc(w)
-}
-
-var withAPMHTTPRountTripper = WithModRoundtripper(func(rt http.RoundTripper) http.RoundTripper {
- return apmhttp.WrapRoundTripper(rt)
-})
-
-// WithAPMHTTPInstrumentation insruments the HTTP client via apmhttp.WrapRoundTripper.
-// Custom APM round tripper wrappers can be configured via WithModRoundtripper.
-func WithAPMHTTPInstrumentation() TransportOption {
- return withAPMHTTPRountTripper
-}
-
-// HeaderRoundTripper will return a RoundTripper that sets header KVs if the key is not present.
-func HeaderRoundTripper(rt http.RoundTripper, headers map[string]string) http.RoundTripper {
- return &headerRoundTripper{headers, rt}
-}
-
-// WithHeaderRoundTripper instuments the HTTP client via a custom http.RoundTripper.
-// This RoundTripper will add headers to each request if the key is not present.
-func WithHeaderRoundTripper(headers map[string]string) TransportOption {
- return WithModRoundtripper(func(rt http.RoundTripper) http.RoundTripper {
- return HeaderRoundTripper(rt, headers)
- })
-}
-
-// WithLogger sets the internal logger that will be used to log dial or TCP level errors.
-// Logging at the connection level will only happen if the logger has been set.
-func WithLogger(logger *logp.Logger) TransportOption {
- return extraOptionFunc(func(s *extraSettings) {
- s.logger = logger
- })
-}
diff --git a/libbeat/common/transport/httpcommon/proxy.go b/libbeat/common/transport/httpcommon/proxy.go
deleted file mode 100644
index 6efd480acdf..00000000000
--- a/libbeat/common/transport/httpcommon/proxy.go
+++ /dev/null
@@ -1,106 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package httpcommon
-
-import (
- "net/http"
- "net/url"
-
- "github.com/elastic/elastic-agent-libs/config"
-)
-
-// HTTPClientProxySettings provides common HTTP proxy setup support.
-//
-// Proxy usage will be disabled in general if Disable is set.
-// If URL is not set, the proxy configuration will default
-// to HTTP_PROXY, HTTPS_PROXY, and NO_PROXY.
-//
-// The default (and zero) value of HTTPClientProxySettings has Proxy support
-// enabled, and will select the proxy per URL based on the environment variables.
-type HTTPClientProxySettings struct {
- // Proxy URL to use for http connections. If the proxy url is configured,
- // it is used for all connection attempts. All proxy related environment
- // variables are ignored.
- URL *ProxyURI `config:"proxy_url" yaml:"proxy_url,omitempty"`
-
- // Headers configures additonal headers that are send to the proxy
- // during CONNECT requests.
- Headers ProxyHeaders `config:"proxy_headers" yaml:"proxy_headers,omitempty"`
-
- // Disable HTTP proxy support. Configured URLs and environment variables
- // are ignored.
- Disable bool `config:"proxy_disable" yaml:"proxy_disable,omitempty"`
-}
-
-// NewHTTPClientProxySettings creates a new proxy settings based on provided proxy information.
-func NewHTTPClientProxySettings(url string, headers map[string]string, disable bool) (*HTTPClientProxySettings, error) {
- proxyURI, err := NewProxyURIFromString(url)
- if err != nil {
- return nil, err
- }
-
- return &HTTPClientProxySettings{
- URL: proxyURI,
- Headers: ProxyHeaders(headers),
- Disable: disable,
- }, nil
-}
-
-// DefaultHTTPClientProxySettings returns the default HTTP proxy setting.
-func DefaultHTTPClientProxySettings() HTTPClientProxySettings {
- return HTTPClientProxySettings{
- Headers: make(ProxyHeaders),
- }
-}
-
-// Unpack sets the proxy settings from a config object.
-// Note: Unpack is automatically used by the configuration system if `cfg.Unpack(&x)` is and X contains
-// a field of type HTTPClientProxySettings.
-func (settings *HTTPClientProxySettings) Unpack(cfg *config.C) error {
- tmp := struct {
- URL string `config:"proxy_url"`
- Disable bool `config:"proxy_disable"`
- Headers map[string]string `config:"proxy_headers"`
- }{}
-
- if err := cfg.Unpack(&tmp); err != nil {
- return err
- }
-
- s, err := NewHTTPClientProxySettings(tmp.URL, tmp.Headers, tmp.Disable)
- if err != nil {
- return err
- }
-
- *settings = *s
- return nil
-}
-
-// ProxyFunc creates a function that can be used with http.Transport in order to
-// configure the HTTP proxy functionality.
-func (settings *HTTPClientProxySettings) ProxyFunc() func(*http.Request) (*url.URL, error) {
- if settings.Disable {
- return nil
- }
-
- if settings.URL == nil {
- return http.ProxyFromEnvironment
- }
-
- return http.ProxyURL(settings.URL.URI())
-}
diff --git a/libbeat/common/transport/httpcommon/proxy_headers.go b/libbeat/common/transport/httpcommon/proxy_headers.go deleted file mode 100644
index 6aa91b101c4..00000000000
--- a/libbeat/common/transport/httpcommon/proxy_headers.go
+++ /dev/null
@@ -1,86 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package httpcommon
-
-import (
- "encoding/json"
- "net/http"
-
- "github.com/elastic/elastic-agent-libs/config"
-)
-
-// ProxyHeaders is a headers for proxy serialized as a map[string]string.
-type ProxyHeaders map[string]string
-
-// MarshalYAML serializes URI as a string.
-func (p ProxyHeaders) MarshalYAML() (interface{}, error) {
- return p, nil
-}
-
-// MarshalJSON serializes URI as a string.
-func (p ProxyHeaders) MarshalJSON() ([]byte, error) {
- var m map[string]string = p
- return json.Marshal(m)
-}
-
-// Unpack unpacks string into an proxy URI.
-func (p *ProxyHeaders) Unpack(cfg *config.C) error {
- m := make(map[string]string)
- if err := cfg.Unpack(&m); err != nil {
- return err
- }
-
- *p = m
- return nil
-}
-
-// UnmarshalJSON unpacks string into an proxy URI.
-func (p *ProxyHeaders) UnmarshalJSON(b []byte) error {
- m := make(map[string]string)
- err := json.Unmarshal(b, &m)
- if err != nil {
- return err
- }
-
- *p = m
- return nil
-}
-
-// UnmarshalYAML unpacks string into an proxy URI.
-func (p *ProxyHeaders) UnmarshalYAML(unmarshal func(interface{}) error) error {
- m := make(map[string]string)
- if err := unmarshal(&m); err != nil {
- return err
- }
-
- *p = m
- return nil
-}
-
-// URI returns conventional url.URL structure.
-func (p ProxyHeaders) Headers() http.Header {
- var httpHeaders http.Header
- if p != nil && len(p) > 0 {
- httpHeaders = http.Header{}
- for k, v := range p {
- httpHeaders.Add(k, v)
- }
- }
-
- return httpHeaders
-}
diff --git a/libbeat/common/transport/httpcommon/proxy_headers_test.go b/libbeat/common/transport/httpcommon/proxy_headers_test.go deleted file mode 100644
index e7c5580a277..00000000000
--- a/libbeat/common/transport/httpcommon/proxy_headers_test.go
+++ /dev/null
@@ -1,51 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package httpcommon
-
-import (
- "encoding/json"
- "testing"
-
- "github.com/stretchr/testify/require"
- "gopkg.in/yaml.v2"
-)
-
-func TestYamlSerializeDeserializeProxyHeaders(t *testing.T) {
- raw := `key1: value1
-key2: value2
-`
- var proxyHeaders ProxyHeaders
- err := yaml.Unmarshal([]byte(raw), &proxyHeaders)
- require.NoError(t, err)
-
- out, err := yaml.Marshal(proxyHeaders)
- require.NoError(t, err)
- require.Equal(t, raw, string(out))
-}
-
-func TestJSONSerializeDeserializeProxyHeaders(t *testing.T) {
- raw := `{"key1":"value1","key2":"value2"}`
-
- var proxyHeaders ProxyHeaders
- err := json.Unmarshal([]byte(raw), &proxyHeaders)
- require.NoError(t, err)
-
- out, err := json.Marshal(proxyHeaders)
- require.NoError(t, err)
- require.Equal(t, raw, string(out))
-}
diff --git a/libbeat/common/transport/httpcommon/proxy_uri.go b/libbeat/common/transport/httpcommon/proxy_uri.go deleted file mode 100644
index 191926e919a..00000000000
--- a/libbeat/common/transport/httpcommon/proxy_uri.go
+++ /dev/null
@@ -1,109 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package httpcommon
-
-import (
- "encoding/json"
- "net/url"
- "strings"
-)
-
-// ProxyURI is a URL used for proxy serialized as a string.
-type ProxyURI url.URL
-
-func NewProxyURIFromString(s string) (*ProxyURI, error) {
- if s == "" {
- return nil, nil
- }
-
- u, err := url.Parse(s)
- if err != nil || u == nil {
- return nil, err
- }
-
- return NewProxyURIFromURL(*u), nil
-}
-
-func NewProxyURIFromURL(u url.URL) *ProxyURI {
- if u == (url.URL{}) {
- return nil
- }
-
- p := ProxyURI(u)
- return &p
-}
-
-// MarshalYAML serializes URI as a string.
-func (p *ProxyURI) MarshalYAML() (interface{}, error) {
- u := url.URL(*p)
- return u.String(), nil
-}
-
-// MarshalJSON serializes URI as a string.
-func (p *ProxyURI) MarshalJSON() ([]byte, error) {
- return json.Marshal(p.String())
-}
-
-// Unpack unpacks string into an proxy URI.
-func (p *ProxyURI) Unpack(s string) error {
- uri, err := NewProxyURIFromString(s)
- if err != nil {
- return err
- }
-
- *p = *uri
- return nil
-}
-
-// UnmarshalJSON unpacks string into an proxy URI.
-func (p *ProxyURI) UnmarshalJSON(b []byte) error {
- unqoted := strings.Trim(string(b), `"`)
- uri, err := NewProxyURIFromString(unqoted)
- if err != nil {
- return err
- }
-
- *p = *uri
- return nil
-}
-
-// UnmarshalYAML unpacks string into an proxy URI.
-func (p *ProxyURI) UnmarshalYAML(unmarshal func(interface{}) error) error {
- rawURI := ""
- if err := unmarshal(&rawURI); err != nil {
- return err
- }
-
- uri, err := NewProxyURIFromString(rawURI)
- if err != nil {
- return err
- }
-
- *p = *uri
- return nil
-}
-
-// URI returns conventional url.URL structure.
-func (p *ProxyURI) URI() *url.URL {
- return (*url.URL)(p)
-}
-
-// MarshalJSON serializes URI as a string.
-func (p *ProxyURI) String() string {
- return p.URI().String()
-}
diff --git a/libbeat/common/transport/httpcommon/proxy_uri_test.go b/libbeat/common/transport/httpcommon/proxy_uri_test.go deleted file mode 100644
index 954da2c79aa..00000000000
--- a/libbeat/common/transport/httpcommon/proxy_uri_test.go
+++ /dev/null
@@ -1,70 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package httpcommon
-
-import (
- "encoding/json"
- "testing"
-
- "github.com/stretchr/testify/require"
- "gopkg.in/yaml.v2"
-)
-
-func TestYamlSerializeDeserialize(t *testing.T) {
- raw := "http://localhost:8080/path\n"
- var proxyURI *ProxyURI
- err := yaml.Unmarshal([]byte(raw), &proxyURI)
- require.NoError(t, err)
-
- out, err := yaml.Marshal(proxyURI)
- require.NoError(t, err)
- require.Equal(t, raw, string(out))
-}
-
-func TestJSONSerializeDeserialize(t *testing.T) {
- raw := `{"proxy_uri":"http://localhost:8080/path"}`
- proxyURI, err := NewProxyURIFromString("http://localhost:8080/path")
- require.NoError(t, err)
- s := struct {
- P *ProxyURI `json:"proxy_uri"`
- }{
- P: proxyURI,
- }
- err = json.Unmarshal([]byte(raw), &s)
- require.NoError(t, err)
-
- out, err := json.Marshal(s)
- require.NoError(t, err)
- require.Equal(t, raw, string(out))
-}
-
-func TestYamlSerializeDeserializeSettings(t *testing.T) {
- raw := `proxy_url: http://localhost:8080/path
-proxy_headers:
- key: val
-proxy_disable: true
-`
-
- s := &HTTPClientProxySettings{}
- err := yaml.Unmarshal([]byte(raw), &s)
- require.NoError(t, err)
-
- out, err := yaml.Marshal(s)
- require.NoError(t, err)
- require.Equal(t, raw, string(out))
-}
diff --git a/libbeat/common/transport/logging.go b/libbeat/common/transport/logging.go deleted file mode 100644
index 2dbdc388342..00000000000
--- a/libbeat/common/transport/logging.go
+++ /dev/null
@@ -1,60 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package transport
-
-import (
- "io"
- "net"
-
- "github.com/elastic/elastic-agent-libs/logp"
-)
-
-type loggingConn struct {
- net.Conn
- logger *logp.Logger
-}
-
-func LoggingDialer(d Dialer, logger *logp.Logger) Dialer {
- return DialerFunc(func(network, addr string) (net.Conn, error) {
- logger := logger.With("network", network, "address", addr)
- c, err := d.Dial(network, addr)
- if err != nil {
- logger.Errorf("Error dialing %v", err)
- return nil, err
- }
-
- logger.Debugf("Completed dialing successfully")
- return &loggingConn{c, logger}, nil
- })
-}
-
-func (l *loggingConn) Read(b []byte) (int, error) {
- n, err := l.Conn.Read(b)
- if err != nil && err != io.EOF {
- l.logger.Debugf("Error reading from connection: %v", err)
- }
- return n, err
-}
-
-func (l *loggingConn) Write(b []byte) (int, error) {
- n, err := l.Conn.Write(b)
- if err != nil && err != io.EOF {
- l.logger.Debugf("Error writing to connection: %v", err)
- }
- return n, err
-}
diff --git a/libbeat/common/transport/pipelistener.go b/libbeat/common/transport/pipelistener.go deleted file mode 100644
index 1878930368c..00000000000
--- a/libbeat/common/transport/pipelistener.go
+++ /dev/null
@@ -1,103 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package transport
-
-import (
- "context"
- "errors"
- "net"
- "sync"
-)
-
-// errListenerClosed is the error returned by the Accept
-// and DialContext methods of a closed listener.
-var errListenerClosed = errors.New("listener is closed")
-
-// PipeListener is a net.PipeListener that uses net.Pipe
-// It is only relevant for the APM Server instrumentation of itself
-type PipeListener struct {
- conns chan net.Conn
- closeOnce sync.Once
- closed chan struct{}
-}
-
-// NewPipeListener returns a new PipeListener.
-func NewPipeListener() *PipeListener {
- l := &PipeListener{
- conns: make(chan net.Conn),
- closed: make(chan struct{}),
- }
- return l
-}
-
-// Close closes the listener.
-// This is part of the net.PipeListener interface.
-func (l *PipeListener) Close() error {
- l.closeOnce.Do(func() { close(l.closed) })
- return nil
-}
-
-// Addr returns the listener's network address.
-// This is part of the net.listener interface.
-//
-// The returned address's network and value are always both
-// "pipe", the same as the addresses returned by net.Pipe
-// connections.
-func (l *PipeListener) Addr() net.Addr {
- return pipeAddr{}
-}
-
-// Accept waits for and returns the next connection to the listener.
-// This is part of the net.listener address.
-func (l *PipeListener) Accept() (net.Conn, error) {
- select {
- case <-l.closed:
- return nil, errListenerClosed
- case conn := <-l.conns:
- return conn, nil
- }
-}
-
-// DialContext dials a connection to the listener, blocking until
-// a paired Accept call is made, the listener is closed, or the
-// context is canceled/expired.
-func (l *PipeListener) DialContext(ctx context.Context, network, addr string) (net.Conn, error) {
- client, server := net.Pipe()
- select {
- case <-l.closed:
- client.Close()
- server.Close()
- return nil, errListenerClosed
- case <-ctx.Done():
- client.Close()
- server.Close()
- return nil, ctx.Err()
- case l.conns <- server:
- return client, nil
- }
-}
-
-type pipeAddr struct{}
-
-func (pipeAddr) Network() string {
- return "pipe"
-}
-
-func (pipeAddr) String() string {
- return "pipe"
-}
diff --git a/libbeat/common/transport/pipelistener_test.go b/libbeat/common/transport/pipelistener_test.go deleted file mode 100644
index 744dae9d495..00000000000
--- a/libbeat/common/transport/pipelistener_test.go
+++ /dev/null
@@ -1,106 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package transport
-
-import (
- "context"
- "net"
- "testing"
-
- "github.com/stretchr/testify/assert"
-)
-
-func TestNew(t *testing.T) {
- l := NewPipeListener()
- assert.NotNil(t, l)
- defer l.Close()
- assert.Implements(t, new(net.Listener), l)
-}
-
-func TestAddr(t *testing.T) {
- l := NewPipeListener()
- assert.NotNil(t, l)
- defer l.Close()
-
- addr := l.Addr()
- assert.NotNil(t, addr)
- assert.Equal(t, "pipe", addr.Network())
- assert.Equal(t, "pipe", addr.String())
-}
-
-func TestDialAccept(t *testing.T) {
- l := NewPipeListener()
- assert.NotNil(t, l)
- defer l.Close()
-
- clientCh := make(chan net.Conn, 1)
- go func() {
- defer close(clientCh)
- client, err := l.DialContext(context.Background(), "foo", "bar")
- if assert.NoError(t, err) {
- clientCh <- client
- }
- }()
-
- server, err := l.Accept()
- assert.NoError(t, err)
- client := <-clientCh
- defer server.Close()
- defer client.Close()
-
- hello := []byte("hello!")
- go client.Write(hello)
- buf := make([]byte, len(hello))
- _, err = server.Read(buf)
- assert.NoError(t, err)
- assert.Equal(t, string(hello), string(buf))
-}
-
-func TestAcceptClosed(t *testing.T) {
- l := NewPipeListener()
- assert.NotNil(t, l)
- defer l.Close()
-
- err := l.Close()
- assert.NoError(t, err)
- _, err = l.Accept()
- assert.Error(t, errListenerClosed, err)
-}
-
-func TestDialClosed(t *testing.T) {
- l := NewPipeListener()
- assert.NotNil(t, l)
- defer l.Close()
-
- err := l.Close()
- assert.NoError(t, err)
- _, err = l.DialContext(context.Background(), "foo", "bar")
- assert.Error(t, errListenerClosed, err)
-}
-
-func TestDialContextCanceled(t *testing.T) {
- l := NewPipeListener()
- assert.NotNil(t, l)
- defer l.Close()
-
- ctx, cancel := context.WithCancel(context.Background())
- cancel()
-
- _, err := l.DialContext(ctx, "foo", "bar")
- assert.Error(t, context.Canceled, err)
-}
diff --git a/libbeat/common/transport/proxy.go b/libbeat/common/transport/proxy.go deleted file mode 100644
index 6ef6fd3f30d..00000000000
--- a/libbeat/common/transport/proxy.go
+++ /dev/null
@@ -1,100 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package transport
-
-import (
- "net"
- "net/url"
-
- "golang.org/x/net/proxy"
-
- "github.com/elastic/elastic-agent-libs/logp"
-)
-
-// ProxyConfig holds the configuration information required to proxy
-// connections through a SOCKS5 proxy server.
-type ProxyConfig struct {
- // URL of the SOCKS proxy. Scheme must be socks5. Username and password can be
- // embedded in the URL.
- URL string `config:"proxy_url"`
-
- // Resolve names locally instead of on the SOCKS server.
- LocalResolve bool `config:"proxy_use_local_resolver"`
-}
-
-func (c *ProxyConfig) Validate() error {
- if c.URL == "" {
- return nil
- }
-
- url, err := url.Parse(c.URL)
- if err != nil {
- return err
- }
- if _, err := proxy.FromURL(url, nil); err != nil {
- return err
- }
-
- return nil
-}
-
-func ProxyDialer(log *logp.Logger, config *ProxyConfig, forward Dialer) (Dialer, error) {
- if config == nil || config.URL == "" {
- return forward, nil
- }
-
- url, err := url.Parse(config.URL)
- if err != nil {
- return nil, err
- }
-
- if _, err := proxy.FromURL(url, nil); err != nil {
- return nil, err
- }
-
- log.Debugf("breaking down proxy URL. Scheme: '%s', host[:port]: '%s', path: '%s'", url.Scheme, url.Host, url.Path)
- log.Infof("proxy host: '%s'", url.Host)
- return DialerFunc(func(network, address string) (net.Conn, error) {
- var err error
- var addresses []string
-
- host, port, err := net.SplitHostPort(address)
- if err != nil {
- return nil, err
- }
-
- if config.LocalResolve {
- addresses, err = net.LookupHost(host)
- if err != nil {
- log.Warnf(`DNS lookup failure "%s": %+v`, host, err)
- return nil, err
- }
- } else {
- // Do not resolve the address locally. It will be resolved on the
- // SOCKS server. The beat will have no control over the randomization
- // of the IP used when multiple IPs are returned by DNS.
- addresses = []string{host}
- }
-
- dialer, err := proxy.FromURL(url, forward)
- if err != nil {
- return nil, err
- }
- return DialWith(dialer, network, host, addresses, port)
- }), nil
-}
diff --git a/libbeat/common/transport/stats.go b/libbeat/common/transport/stats.go deleted file mode 100644
index 0399ddd3001..00000000000
--- a/libbeat/common/transport/stats.go
+++ /dev/null
@@ -1,61 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package transport
-
-import (
- "context"
- "io"
- "net"
-)
-
-type IOStatser interface {
- WriteError(err error)
- WriteBytes(int)
-
- ReadError(err error)
- ReadBytes(int)
-}
-
-type statsConn struct {
- net.Conn
- stats IOStatser
-}
-
-func StatsDialer(d Dialer, s IOStatser) Dialer {
- return ConnWrapper(d, func(c net.Conn) net.Conn {
- return &statsConn{c, s}
- })
-}
-
-func (s *statsConn) Read(b []byte) (int, error) {
- n, err := s.Conn.Read(b)
- if err != nil && err != io.EOF && err != context.Canceled {
- s.stats.ReadError(err)
- }
- s.stats.ReadBytes(n)
- return n, err
-}
-
-func (s *statsConn) Write(b []byte) (int, error) {
- n, err := s.Conn.Write(b)
- if err != nil && err != io.EOF && err != context.Canceled {
- s.stats.WriteError(err)
- }
- s.stats.WriteBytes(n)
- return n, err
-}
diff --git a/libbeat/common/transport/tcp.go b/libbeat/common/transport/tcp.go deleted file mode 100644
index f787df94027..00000000000
--- a/libbeat/common/transport/tcp.go
+++ /dev/null
@@ -1,73 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package transport
-
-import (
- "fmt"
- "net"
- "strings"
- "time"
-
- "github.com/elastic/beats/v7/libbeat/testing"
- "github.com/elastic/elastic-agent-libs/logp"
-)
-
-func NetDialer(timeout time.Duration) Dialer {
- return TestNetDialer(testing.NullDriver, timeout)
-}
-
-func TestNetDialer(d testing.Driver, timeout time.Duration) Dialer {
- return DialerFunc(func(network, address string) (net.Conn, error) {
- switch network {
- case "tcp", "tcp4", "tcp6", "udp", "udp4", "udp6":
- default:
- d.Fatal("network type", fmt.Errorf("unsupported network type %v", network))
- return nil, fmt.Errorf("unsupported network type %v", network)
- }
-
- host, port, err := net.SplitHostPort(address)
- d.Fatal("parse host", err)
- if err != nil {
- return nil, err
- }
- addresses, err := net.LookupHost(host)
- d.Fatal("dns lookup", err)
- d.Info("addresses", strings.Join(addresses, ", "))
- if err != nil {
- logp.NewLogger(logSelector).Warnf(`DNS lookup failure "%s": %+v`, host, err)
- return nil, err
- }
-
- // dial via host IP by randomized iteration of known IPs
- dialer := &net.Dialer{Timeout: timeout}
- return DialWith(dialer, network, host, addresses, port)
- })
-}
-
-// UnixDialer creates a Unix Dialer when using unix domain socket.
-func UnixDialer(timeout time.Duration, sockFile string) Dialer {
- return TestUnixDialer(testing.NullDriver, timeout, sockFile)
-}
-
-// TestUnixDialer creates a Test Unix Dialer when using domain socket.
-func TestUnixDialer(d testing.Driver, timeout time.Duration, sockFile string) Dialer {
- return DialerFunc(func(network, address string) (net.Conn, error) {
- d.Info("connecting using unix domain socket", sockFile)
- return net.DialTimeout("unix", sockFile, timeout)
- })
-}
diff --git a/libbeat/common/transport/tls.go b/libbeat/common/transport/tls.go deleted file mode 100644
index 25b116d8998..00000000000
--- a/libbeat/common/transport/tls.go
+++ /dev/null
@@ -1,228 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package transport
-
-import (
- "crypto/tls"
- "errors"
- "fmt"
- "net"
- "sync"
- "time"
-
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
- "github.com/elastic/beats/v7/libbeat/testing"
-)
-
-func TLSDialer(forward Dialer, config *tlscommon.TLSConfig, timeout time.Duration) Dialer {
- return TestTLSDialer(testing.NullDriver, forward, config, timeout)
-}
-
-func TestTLSDialer(
- d testing.Driver,
- forward Dialer,
- config *tlscommon.TLSConfig,
- timeout time.Duration,
-) Dialer {
- var lastTLSConfig *tls.Config
- var lastNetwork string
- var lastAddress string
- var m sync.Mutex
-
- return DialerFunc(func(network, address string) (net.Conn, error) {
- switch network {
- case "tcp", "tcp4", "tcp6":
- default:
- return nil, fmt.Errorf("unsupported network type %v", network)
- }
-
- host, _, err := net.SplitHostPort(address)
- if err != nil {
- return nil, err
- }
-
- var tlsConfig *tls.Config
- m.Lock()
- if network == lastNetwork && address == lastAddress {
- tlsConfig = lastTLSConfig
- }
- if tlsConfig == nil {
- tlsConfig = config.BuildModuleClientConfig(host)
- lastNetwork = network
- lastAddress = address
- lastTLSConfig = tlsConfig
- }
- m.Unlock()
-
- return tlsDialWith(d, forward, network, address, timeout, tlsConfig, config)
- })
-}
-
-type DialerH2 interface {
- Dial(network, address string, cfg *tls.Config) (net.Conn, error)
-}
-
-type DialerFuncH2 func(network, address string, cfg *tls.Config) (net.Conn, error)
-
-func (d DialerFuncH2) Dial(network, address string, cfg *tls.Config) (net.Conn, error) {
- return d(network, address, cfg)
-}
-
-func TLSDialerH2(forward Dialer, config *tlscommon.TLSConfig, timeout time.Duration) (DialerH2, error) {
- return TestTLSDialerH2(testing.NullDriver, forward, config, timeout)
-}
-
-func TestTLSDialerH2(
- d testing.Driver,
- forward Dialer,
- config *tlscommon.TLSConfig,
- timeout time.Duration,
-) (DialerH2, error) {
- var lastTLSConfig *tls.Config
- var lastNetwork string
- var lastAddress string
- var m sync.Mutex
-
- return DialerFuncH2(func(network, address string, cfg *tls.Config) (net.Conn, error) {
- switch network {
- case "tcp", "tcp4", "tcp6":
- default:
- return nil, fmt.Errorf("unsupported network type %v", network)
- }
-
- host, _, err := net.SplitHostPort(address)
- if err != nil {
- return nil, err
- }
-
- var tlsConfig *tls.Config
- m.Lock()
- if network == lastNetwork && address == lastAddress {
- tlsConfig = lastTLSConfig
- }
- if tlsConfig == nil {
- tlsConfig = config.BuildModuleClientConfig(host)
- lastNetwork = network
- lastAddress = address
- lastTLSConfig = tlsConfig
- }
- m.Unlock()
-
- // NextProtos must be set from the passed h2 connection or it will fail
- tlsConfig.NextProtos = cfg.NextProtos
-
- return tlsDialWith(d, forward, network, address, timeout, tlsConfig, config)
- }), nil
-}
-
-func tlsDialWith(
- d testing.Driver,
- dialer Dialer,
- network, address string,
- timeout time.Duration,
- tlsConfig *tls.Config,
- config *tlscommon.TLSConfig,
-) (net.Conn, error) {
- socket, err := dialer.Dial(network, address)
- if err != nil {
- return nil, err
- }
-
- conn := tls.Client(socket, tlsConfig)
-
- withTimeout := timeout > 0
- if withTimeout {
- if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
- d.Fatal("timeout", err)
- _ = conn.Close()
- return nil, err
- }
- }
-
- // config might be nil, so get the zero-value and then read what is in config.
- // We assume that the zero-value is the default value
- var verification tlscommon.TLSVerificationMode
- if config != nil {
- verification = config.Verification
- }
-
- // We only check the status of config.Verification (`ssl.verification_mode`
- // in the configuration file) because we have a custom verification logic
- // implemented by setting tlsConfig.VerifyConnection that runs regardless of
- // the status of tlsConfig.InsecureSkipVerify.
- // For verification modes VerifyFull and VerifyCeritifcate we set
- // tlsConfig.InsecureSkipVerify to true, hence it's not an indicator of
- // whether TLS verification is enabled or not.
- if verification == tlscommon.VerifyNone {
- d.Warn("security", "server's certificate chain verification is disabled")
- } else {
- d.Info("security", "server's certificate chain verification is enabled")
- }
-
- err = conn.Handshake()
- d.Fatal("handshake", err)
- if err != nil {
- _ = conn.Close()
- return nil, err
- }
-
- // remove timeout if handshake was subject to timeout:
- if withTimeout {
- conn.SetDeadline(time.Time{})
- }
-
- if err := postVerifyTLSConnection(d, conn, config); err != nil {
- _ = conn.Close()
- return nil, err
- }
-
- return conn, nil
-}
-
-func postVerifyTLSConnection(d testing.Driver, conn *tls.Conn, config *tlscommon.TLSConfig) error {
- st := conn.ConnectionState()
-
- if !st.HandshakeComplete {
- err := errors.New("incomplete handshake")
- d.Fatal("incomplete handshake", err)
- return err
- }
-
- d.Info("TLS version", fmt.Sprintf("%v", tlscommon.TLSVersion(st.Version)))
-
- // no more checks if no extra configs available
- if config == nil {
- return nil
- }
-
- versions := config.Versions
- if versions == nil {
- versions = tlscommon.TLSDefaultVersions
- }
- versionOK := false
- for _, version := range versions {
- versionOK = versionOK || st.Version == uint16(version)
- }
- if !versionOK {
- err := fmt.Errorf("tls version %v not configured", tlscommon.TLSVersion(st.Version))
- d.Fatal("TLS version", err)
- return err
- }
-
- return nil
-}
diff --git a/libbeat/common/transport/tlscommon/ca_pinning.go b/libbeat/common/transport/tlscommon/ca_pinning.go
deleted file mode 100644
index 310d9a63723..00000000000
--- a/libbeat/common/transport/tlscommon/ca_pinning.go
+++ /dev/null
@@ -1,65 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package tlscommon
-
-import (
- "crypto/sha256"
- "crypto/x509"
- "encoding/base64"
-
- "github.com/pkg/errors"
-)
-
-// ErrCAPinMissmatch is returned when no pin is matched in the verified chain.
-var ErrCAPinMissmatch = errors.New("provided CA certificate pins doesn't match any of the certificate authorities used to validate the certificate")
-
-// verifyPeerCertFunc is a callback defined on the tls.Config struct that will called when a
-// TLS connection is used.
-type verifyPeerCertFunc func([][]byte, [][]*x509.Certificate) error
-
-// verifyCAPin loops through the verified chains and will try to match the certificates pin.
-//
-// NOTE: Defining a PIN to check certificates is not a replacement for the normal TLS validations it's
-// an additional validation. In fact if you set `InsecureSkipVerify` to true and a PIN, the
-// verifiedChains variable will be empty and the added validation will fail.
-func verifyCAPin(hashes []string, verifiedChains [][]*x509.Certificate) error {
- for _, chain := range verifiedChains {
- for _, certificate := range chain {
- h := Fingerprint(certificate)
- if matches(hashes, h) {
- return nil
- }
- }
- }
- return ErrCAPinMissmatch
-}
-
-// Fingerprint takes a certificate and create a hash of the DER encoded public key.
-func Fingerprint(certificate *x509.Certificate) string {
- hash := sha256.Sum256(certificate.RawSubjectPublicKeyInfo)
- return base64.StdEncoding.EncodeToString(hash[:])
-}
-
-func matches(pins []string, candidate string) bool {
- for _, pin := range pins {
- if pin == candidate {
- return true
- }
- }
- return false
-}
diff --git a/libbeat/common/transport/tlscommon/ca_pinning_test.go b/libbeat/common/transport/tlscommon/ca_pinning_test.go
deleted file mode 100644
index a79b296db89..00000000000
--- a/libbeat/common/transport/tlscommon/ca_pinning_test.go
+++ /dev/null
@@ -1,407 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package tlscommon
-
-import (
- "bytes"
- "crypto/rand"
- "crypto/rsa"
- "crypto/tls"
- "crypto/x509"
- "crypto/x509/pkix"
- "io/ioutil"
- "math/big"
- "net"
- "net/http"
- "strings"
- "testing"
- "time"
-
- "github.com/pkg/errors"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
-
- "github.com/elastic/elastic-agent-libs/config"
-)
-
-var ser int64 = 1
-
-func TestCAPinning(t *testing.T) {
- host := "127.0.0.1"
-
- t.Run("when the ca_sha256 field is not defined we use normal certificate validation", func(t *testing.T) {
- cfg := config.MustNewConfigFrom(map[string]interface{}{
- "verification_mode": "strict",
- "certificate_authorities": []string{"ca_test.pem"},
- })
-
- config := &Config{}
- err := cfg.Unpack(config)
- require.NoError(t, err)
-
- tlsCfg, err := LoadTLSConfig(config)
- require.NoError(t, err)
-
- tls := tlsCfg.BuildModuleClientConfig(host)
- require.Nil(t, tls.VerifyConnection)
- })
-
- t.Run("when the ca_sha256 field is defined we use CA cert pinning", func(t *testing.T) {
- cfg := config.MustNewConfigFrom(map[string]interface{}{
- "ca_sha256": "hello",
- })
-
- config := &Config{}
- err := cfg.Unpack(config)
- require.NoError(t, err)
-
- tlsCfg, err := LoadTLSConfig(config)
- require.NoError(t, err)
-
- tls := tlsCfg.BuildModuleClientConfig(host)
- require.NotNil(t, tls.VerifyConnection)
- })
-
- t.Run("CA Root -> Certificate and we have the CA root pin", func(t *testing.T) {
- verificationModes := []TLSVerificationMode{
- VerifyFull,
- VerifyStrict,
- VerifyCertificate,
- }
- for _, mode := range verificationModes {
- t.Run(mode.String(), func(t *testing.T) {
- msg := []byte("OK received message")
-
- ca, err := genCA()
- require.NoError(t, err)
-
- serverCert, err := genSignedCert(ca, x509.KeyUsageDigitalSignature, false)
- require.NoError(t, err)
-
- mux := http.NewServeMux()
- mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
- w.WriteHeader(http.StatusOK)
- w.Write(msg)
- })
-
- // Select a random available port from the OS.
- addr := "localhost:0"
-
- l, err := net.Listen("tcp", addr)
-
- server := &http.Server{
- Handler: mux,
- TLSConfig: &tls.Config{
- Certificates: []tls.Certificate{
- serverCert,
- },
- },
- }
-
- // Start server and shut it down when the tests are over.
- go server.ServeTLS(l, "", "")
- defer l.Close()
-
- // Root CA Pool
- require.NoError(t, err)
- rootCAs := x509.NewCertPool()
- rootCAs.AddCert(ca.Leaf)
-
- // Get the pin of the RootCA.
- pin := Fingerprint(ca.Leaf)
-
- tlsC := &TLSConfig{
- Verification: mode,
- RootCAs: rootCAs,
- CASha256: []string{pin},
- }
-
- config := tlsC.BuildModuleClientConfig("localhost")
- hostToConnect := l.Addr().String()
-
- transport := &http.Transport{
- TLSClientConfig: config,
- }
-
- client := &http.Client{Transport: transport}
-
- port := strings.TrimPrefix(hostToConnect, "127.0.0.1:")
-
- req, err := http.NewRequest("GET", "https://localhost:"+port, nil)
- require.NoError(t, err)
- resp, err := client.Do(req)
- require.NoError(t, err)
- content, err := ioutil.ReadAll(resp.Body)
- require.NoError(t, err)
-
- assert.True(t, bytes.Equal(msg, content))
-
- // 1. create key-pair
- // 2. create pin
- // 3. start server
- // 4. Connect
- // 5. Check wrong key do not work
- // 6. Check good key work
- // 7. check plain text fails to work.
- })
- }
- })
-
- t.Run("CA Root -> Intermediate -> Certificate and we receive the CA Root Pin", func(t *testing.T) {
- msg := []byte("OK received message")
-
- ca, err := genCA()
- require.NoError(t, err)
-
- intermediate, err := genSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true)
- require.NoError(t, err)
-
- serverCert, err := genSignedCert(intermediate, x509.KeyUsageDigitalSignature, false)
- require.NoError(t, err)
-
- mux := http.NewServeMux()
- mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
- w.WriteHeader(http.StatusOK)
- w.Write(msg)
- })
-
- // Select a random available port from the OS.
- addr := "localhost:0"
-
- l, err := net.Listen("tcp", addr)
- require.NoError(t, err)
-
- // Server needs to provides the chain of trust, so server certificate + intermediate.
- // RootCAs will trust the intermediate, intermediate will trust the server.
- serverCert.Certificate = append(serverCert.Certificate, intermediate.Certificate...)
-
- server := &http.Server{
- Handler: mux,
- TLSConfig: &tls.Config{
- Certificates: []tls.Certificate{
- serverCert,
- },
- },
- }
-
- // Start server and shut it down when the tests are over.
- go server.ServeTLS(l, "", "")
- defer l.Close()
-
- // Root CA Pool
- rootCAs := x509.NewCertPool()
- rootCAs.AddCert(ca.Leaf)
-
- // Get the pin of the RootCA.
- pin := Fingerprint(ca.Leaf)
-
- tlsC := &TLSConfig{
- RootCAs: rootCAs,
- CASha256: []string{pin},
- }
-
- config := tlsC.BuildModuleClientConfig("localhost")
- hostToConnect := l.Addr().String()
-
- transport := &http.Transport{
- TLSClientConfig: config,
- }
-
- client := &http.Client{Transport: transport}
-
- port := strings.TrimPrefix(hostToConnect, "127.0.0.1:")
-
- req, err := http.NewRequest("GET", "https://localhost:"+port, nil)
- require.NoError(t, err)
- resp, err := client.Do(req)
- require.NoError(t, err)
- content, err := ioutil.ReadAll(resp.Body)
- require.NoError(t, err)
-
- assert.True(t, bytes.Equal(msg, content))
- })
-
- t.Run("When we have the wrong pin we refuse to connect", func(t *testing.T) {
- msg := []byte("OK received message")
-
- ca, err := genCA()
- require.NoError(t, err)
-
- intermediate, err := genSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true)
- require.NoError(t, err)
-
- serverCert, err := genSignedCert(intermediate, x509.KeyUsageDigitalSignature, false)
- require.NoError(t, err)
-
- mux := http.NewServeMux()
- mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
- w.WriteHeader(http.StatusOK)
- w.Write(msg)
- })
-
- // Select a random available port from the OS.
- addr := "localhost:0"
-
- l, err := net.Listen("tcp", addr)
- require.NoError(t, err)
-
- // Server needs to provides the chain of trust, so server certificate + intermediate.
- // RootCAs will trust the intermediate, intermediate will trust the server.
- serverCert.Certificate = append(serverCert.Certificate, intermediate.Certificate...)
-
- server := &http.Server{
- Handler: mux,
- TLSConfig: &tls.Config{
- Certificates: []tls.Certificate{
- serverCert,
- },
- },
- }
-
- // Start server and shut it down when the tests are over.
- go server.ServeTLS(l, "", "")
- defer l.Close()
-
- // Root CA Pool
- rootCAs := x509.NewCertPool()
- rootCAs.AddCert(ca.Leaf)
-
- // Get the pin of the RootCA.
- pin := "wrong-pin"
-
- tlsC := &TLSConfig{
- RootCAs: rootCAs,
- CASha256: []string{pin},
- }
-
- config := tlsC.BuildModuleClientConfig("localhost")
- hostToConnect := l.Addr().String()
-
- transport := &http.Transport{
- TLSClientConfig: config,
- }
-
- client := &http.Client{Transport: transport}
-
- port := strings.TrimPrefix(hostToConnect, "127.0.0.1:")
-
- req, err := http.NewRequest("GET", "https://localhost:"+port, nil)
- require.NoError(t, err)
- _, err = client.Do(req)
- require.Error(t, err)
- })
-}
-
-func genCA() (tls.Certificate, error) {
- ca := &x509.Certificate{
- SerialNumber: serial(),
- Subject: pkix.Name{
- CommonName: "localhost",
- Organization: []string{"TESTING"},
- Country: []string{"CANADA"},
- Province: []string{"QUEBEC"},
- Locality: []string{"MONTREAL"},
- StreetAddress: []string{"testing road"},
- PostalCode: []string{"HOH OHO"},
- },
- NotBefore: time.Now(),
- NotAfter: time.Now().Add(1 * time.Hour),
- IsCA: true,
- ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
- KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
- BasicConstraintsValid: true,
- }
-
- caKey, err := rsa.GenerateKey(rand.Reader, 2048) // less secure key for quicker testing.
- if err != nil {
- return tls.Certificate{}, errors.Wrap(err, "fail to generate RSA key")
- }
-
- caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
- if err != nil {
- return tls.Certificate{}, errors.Wrap(err, "fail to create certificate")
- }
-
- leaf, err := x509.ParseCertificate(caBytes)
- if err != nil {
- return tls.Certificate{}, errors.Wrap(err, "fail to parse certificate")
- }
-
- return tls.Certificate{
- Certificate: [][]byte{caBytes},
- PrivateKey: caKey,
- Leaf: leaf,
- }, nil
-}
-
-// genSignedCert generates a CA and KeyPair and remove the need to depends on code of agent.
-func genSignedCert(ca tls.Certificate, keyUsage x509.KeyUsage, isCA bool) (tls.Certificate, error) {
- // Create another Cert/key
- cert := &x509.Certificate{
- DNSNames: []string{"localhost"},
- SerialNumber: big.NewInt(2000),
- Subject: pkix.Name{
- CommonName: "localhost",
- Organization: []string{"TESTING"},
- Country: []string{"CANADA"},
- Province: []string{"QUEBEC"},
- Locality: []string{"MONTREAL"},
- StreetAddress: []string{"testing road"},
- PostalCode: []string{"HOH OHO"},
- },
- NotBefore: time.Now(),
- NotAfter: time.Now().Add(1 * time.Hour),
- IsCA: isCA,
- ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
- KeyUsage: keyUsage,
- BasicConstraintsValid: true,
- }
-
- certKey, err := rsa.GenerateKey(rand.Reader, 2048)
- if err != nil {
- return tls.Certificate{}, errors.Wrap(err, "fail to generate RSA key")
- }
-
- certBytes, err := x509.CreateCertificate(
- rand.Reader,
- cert,
- ca.Leaf,
- &certKey.PublicKey,
- ca.PrivateKey,
- )
-
- if err != nil {
- return tls.Certificate{}, errors.Wrap(err, "fail to create signed certificate")
- }
-
- leaf, err := x509.ParseCertificate(certBytes)
- if err != nil {
- return tls.Certificate{}, errors.Wrap(err, "fail to parse the certificate")
- }
-
- return tls.Certificate{
- Certificate: [][]byte{certBytes},
- PrivateKey: certKey,
- Leaf: leaf,
- }, nil
-}
-
-func serial() *big.Int {
- ser = ser + 1
- return big.NewInt(ser)
-}
diff --git a/libbeat/common/transport/tlscommon/ca_test.key b/libbeat/common/transport/tlscommon/ca_test.key
deleted file mode 100644
index 6b658ead57c..00000000000
--- a/libbeat/common/transport/tlscommon/ca_test.key
+++ /dev/null
@@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKAIBAAKCAgEAv8IiJDAIDl+roQOWe+oSq46Nyuu9R+Iis0V1i6M7zA6Qijbx -CSZ64cCFYQfKheRYQSZRstHPHSUM1gSvUih/sqZqsiNMYDbb9j7geMDvls4c7rsH -x7xImD7nCrEVWkiapGIhkW6SOtVo18Zmw89FUuDFhoRmMHcQ+7AtM4uUNPkSqKcX -vzG093SU0oNdIBdw5PzoQlvBh5DL0iRYC6y22cwJyjWTUEB5vTjOTDxiFzsovRtj -pdjzSZACXyW68b99icLzmxzLvsZ7w8tFJ8uOPQAVxwg6SmMUorURv48sBjfVfN48 -7OjH3d+51ozNJjP1MmKoN2BoE8pWq0jdhOWhDQH+pRiRjfMuL+yvcIJ2pxdOv0F3 -KBkng7qEgEUA8cqaFnawDA7O3a20SeDFWSQtN6LsFjT7EDMzNkML1pJjbGK24QFC -IOOvCJtaccuREN1OfbN1yhTz3VErbJttwO6j2KueasPHXU3qLu2FKOlsXbPy1XMu -LYZgv8Zprcbs4KhQ3/A7/RO1cakxWlRwta63mUIM2xLIMIgRSR+DSZ5dJaDNO6i4 -9eIGQXRxDb9dxA2hoCcoTv7PJKyOpNb5vyxMXJGY7H5j1jEEcqEeuI5uvuUwugQG -tsl1eFLXIeQLerOHEQoS6wMv0fHBtZOVCHu8CCrnt/ag7kn39nkwNofLovECAwEA -AQKCAgA7hRB/1wDJJVzqb2ioMbF12pucXquzwjcvGeIwY4xN/D9VB1StmGoP5GgC -BB8SjBvwrOoy7PiyfSuMyot4nuV0GD+J53bvble8CSw3jvtO/c7xMtBpaMHHr86a -/Pg5u8t0NplgwMdWx6LxRr3jDVThMq9c33+wj2SQGtEM7Mgl4SGvg53VVKJtJJyE -8w1Wxq/eA7o7zqs1XvZE1c8WYJeo5rIrN5HwGPMwjo9KDnwL5erxN60obzykmrSB -v/5UxzE6L27ZuIhtQMJttYxTm9Ucjgg0bRNav4JKNpW5tcDedTootfqHNoHDFoxi -UfXjY8E50HGSLrRfYDCinc1UUMo568Ed9vRPOBSfw9FAZy4iExifmfHJsn8Bepse -xvYQfsYJpEsKoxzTTD7yLZALJEu18+8AHgYG6jFkvIlOUUjUKHiOyU5UlFErHk/P -W2n9FZPzSTnZQ2J06Rwmj2ILZ86kXIYoL8kEJSYTCG4TQ6KX4oeJq8v4yVHf+SiD -ZiYFWLAZbZQ46lL/7+dyy3rhLErm57DgYhJL/BqLys0GZdaazh12AcDcLjSQ6Yoh -xQYOogq+6xB4k8mqMkNmln5JWdhzFGAzkhClnCToYpvPK8KTg3a0cLV7X1wLlyh9 -Nr0kGATrUr2bHzBZazhwMkSXh+JUDZhyK0ZflqySQX8lQbMooQKCAQEA5ZVySenZ -qfRNHdcdjIf/J7/vu9cDnPAqszbGpt/GeLD3yag8zTUnTh8ZjFhQ3LH4SQ/4TdmF -37PsuNIzlay1TJ2b6lf0XoDG9DgbW3PpuRSVy2QIse7p6lsyNISn6bIJR1XSr9aP -pbgiQK9svq+QN0rSWSsQEDZB9rTNC+VcMY0r4043MxGFwGauiSoARmu6yqD3y/3q -ah3bz1UTZpUbnlO6PHT2nE+pV+YVHNz/MfprEFc+Ob9vCm6oCEhQyyAnOjcFxDjV -6J2uxn8MhDjvGOsJ8OfJt9UDhVBbzJXBfOZXO7bLDbWMzTfaa7BcQRaNkOY+ZPC/ -tW62E12hhxlHfQKCAQEA1dKC+LXFmQp36Dp1IrPEvU+AFF67MnxQErKptaCcGCo0 -A/udpSC3ivja5dPxJOM+wF0Vz3601biJUhI8Sar+P+V67dLrK/uY30Aq9GNrjtTj 
-sDqZejqvJak+nHa+CHe8RfkMlrTs/bgTSdQ0Go4k7+pH+Vi1pVnE07PQT8n772JY -ibLrkx54EUWqhh0+/q8MHd7pdNEYGhfft54GddZG6Tnmg4/PDyLcF9+TL86sV3Hv -uV6ftGVjE/Jrer3RCvGz28iYCy+pXLtg6xt768iI0bTDL5A9EopLiONRVu7hJJf5 -nYTmvQdjbVsfm7a9o/UxG3jOkgIy5W3haCVOFt2rhQKCAQBfVXWF99No3YeAUql0 -h6yOhwc3yws3CgvRK3fGJ7o0t9fNJ01IMUBHEmb7fljlrAlb3YPQX/lVcVNlU/QT -vQnz7Kan4yoYbAUxuHKzwShWsJObR8jMilcb+A6a/FL1mfZ8Zsj8N26i9BlVHwNb -E3AhZbJ/UIB1GvK9TUqwG+fys5p74yjMzgPqZzkmwAgpNeb06W68iI3kzs1OBRfv -Sw+S6VW2cSNOuU2qsGIoACUATepTeMbgF/w2Kskf11elYY6of9ynJKq+02uWBX/f -D/1JLaCNJtL+wTebDklwZOdZxBSJOViMMs1rEjxi53MHnCPg/Zr/M3GIF5cH56OB -hB/JAoIBAQCt8/4zYoYoFJkqZ+yF1+R18yiK6eq3juUB4TIqHkj/a843c0t0XKKV -wBEtqvhi/zE9BD3LOhTaTrABAe7kK+V+jC4vL0m91YkwDx8jBYMqh03ZQEM+amG1 -bPQQDJZbgzW7Y3r3XKf1XfzrMmVVOVEZkesOEzpsFBUJ+h692uBIhyTqmZIHdWFP -A/NP+pkWT8i2wHQDYlyOVd/enQQ6d6Hm+gDsBWH5uW1/SpeO7D/PQFU75JxfAaDS -SIViLOzVT3/4jUAM0bCiTZryisCNOO7+VGX62wikfbgn3G9/HwYxZCZiHQ4uuMUN -4XVclBXCPqa959F+faV0e6lGthrKhXqVAoIBAGAVqGQrexKADcE3TKbOBAaOi8vo -9HcTraZWOBY8QSP5xQZRey3L3sNrCTmT8L8fNmvXMMBoK9Lm51EYS8vgedUvlII9 -rC19IT0TG39AdFQH4/rWfcF9eqpneItPWuCRM3UokfeqDkS+4pBEGVOhI+dNr0oJ -APXpue6CgbD9xLvNAvdn0/PgmD0tV4HO6VUbJ9W3yFE1j+m1vNHVwk36nEdaL1aC -x7DTAiMGqrcTDr7DXwOImhPLrSWkLPxmIp+GD4831cmJqSSp/Lg/6OHa5fFZEJg7 -gkY+tjXMvUbuSx4lrOW6SY9LIxi7xTcRdfnd9g6z/G7IyGvXTevXDpopASo= ------END RSA PRIVATE KEY----- diff --git a/libbeat/common/transport/tlscommon/ca_test.pem b/libbeat/common/transport/tlscommon/ca_test.pem deleted file mode 100644 index dcc8b984b78..00000000000 --- a/libbeat/common/transport/tlscommon/ca_test.pem +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFTDCCAzSgAwIBAgIRAOAMlgVxz4G+Zj/EtBTvpg4wDQYJKoZIhvcNAQENBQAw -LzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB2VsYXN0aWMxDjAMBgNVBAsTBWJlYXRz -MB4XDTE3MDUxODIwMzI1MVoXDTI3MDUxODIwMzI1MVowLzELMAkGA1UEBhMCVVMx -EDAOBgNVBAoTB2VsYXN0aWMxDjAMBgNVBAsTBWJlYXRzMIICIjANBgkqhkiG9w0B -AQEFAAOCAg8AMIICCgKCAgEAv8IiJDAIDl+roQOWe+oSq46Nyuu9R+Iis0V1i6M7 -zA6QijbxCSZ64cCFYQfKheRYQSZRstHPHSUM1gSvUih/sqZqsiNMYDbb9j7geMDv -ls4c7rsHx7xImD7nCrEVWkiapGIhkW6SOtVo18Zmw89FUuDFhoRmMHcQ+7AtM4uU -NPkSqKcXvzG093SU0oNdIBdw5PzoQlvBh5DL0iRYC6y22cwJyjWTUEB5vTjOTDxi -FzsovRtjpdjzSZACXyW68b99icLzmxzLvsZ7w8tFJ8uOPQAVxwg6SmMUorURv48s -BjfVfN487OjH3d+51ozNJjP1MmKoN2BoE8pWq0jdhOWhDQH+pRiRjfMuL+yvcIJ2 -pxdOv0F3KBkng7qEgEUA8cqaFnawDA7O3a20SeDFWSQtN6LsFjT7EDMzNkML1pJj -bGK24QFCIOOvCJtaccuREN1OfbN1yhTz3VErbJttwO6j2KueasPHXU3qLu2FKOls -XbPy1XMuLYZgv8Zprcbs4KhQ3/A7/RO1cakxWlRwta63mUIM2xLIMIgRSR+DSZ5d -JaDNO6i49eIGQXRxDb9dxA2hoCcoTv7PJKyOpNb5vyxMXJGY7H5j1jEEcqEeuI5u -vuUwugQGtsl1eFLXIeQLerOHEQoS6wMv0fHBtZOVCHu8CCrnt/ag7kn39nkwNofL -ovECAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMC -BggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDgQHBAUxMjM0NTAPBgNV -HREECDAGhwR/AAABMA0GCSqGSIb3DQEBDQUAA4ICAQBjeGIfFqXuwHiClMytJNZL -cRyjeZ6PJIAQtqh8Vi+XD2JiDTkwJ/g4R0FbgqE/icGkm/hsJ6BEwp8ep5eXevjS -Hb8tVbM5Uc31yyIKcJMgnfS8O0eIXi5PxgFWPcUXxrsjwHyQREqj96HImmzOm99O -MJhifWT3YP8OEMyl1KpioPaXafhc4ATEiRVZizHM9z+phyINBNghH3OaN91ZnsKJ -El7mvOLjRi7fuSxBWJntKVAZAwXK+nH+z/Ay4AZFA9HgFHo3PGpKUaLOYCIsGxAq -GP4V/WsOtEJ9rP5TR92pOvcj49T47FmwSYaRtoXHDVuoun0fdwT4DxWJdksqdWzG -ieRls2IrZIvR2FT/A/XdQG3kZ79WA/K3OAGDgxv0PCpw6ssAMvgjR03TjEXpwMmN -SNcrx1H6l8DHFHJN9f7SofO/J0hkA+fRZUFxP5R+P2BPU0hV14H9iSie/bxhSWIW -ieAh0K1SNRbffXeYUvAgrjEvG5x40TktnvjHb20lxc1F1gqB+855kfZdiJeUeizi -syq6OnCEp+RSBdK7J3scm7t6Nt3GRndJMO9hNDprogTqHxQbZ0jficntGd7Lbp+C -CBegkhOzD6cp2rGlyYI+MmvdXFaHbsUJj2tfjHQdo2YjQ1s8r2pw219LTzPvO/Dz -morZ618ezCBBqxHsDF6DCA== ------END CERTIFICATE----- 
diff --git a/libbeat/common/transport/tlscommon/config.go b/libbeat/common/transport/tlscommon/config.go
deleted file mode 100644
index 0bb2e35c20c..00000000000
--- a/libbeat/common/transport/tlscommon/config.go
+++ /dev/null
@@ -1,111 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package tlscommon
-
-import (
- "crypto/tls"
- "sync"
-
- "github.com/joeshaw/multierror"
-
- "github.com/elastic/beats/v7/libbeat/common/cfgwarn"
-)
-
-var warnOnce sync.Once
-
-// Config defines the user configurable options in the yaml file.
-type Config struct {
- Enabled *bool `config:"enabled" yaml:"enabled,omitempty"`
- VerificationMode TLSVerificationMode `config:"verification_mode" yaml:"verification_mode"` // one of 'none', 'full'
- Versions []TLSVersion `config:"supported_protocols" yaml:"supported_protocols,omitempty"`
- CipherSuites []CipherSuite `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
- CAs []string `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
- Certificate CertificateConfig `config:",inline" yaml:",inline"`
- CurveTypes []tlsCurveType `config:"curve_types" yaml:"curve_types,omitempty"`
- Renegotiation TlsRenegotiationSupport `config:"renegotiation" yaml:"renegotiation"`
- CASha256 []string `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
- CATrustedFingerprint string `config:"ca_trusted_fingerprint" yaml:"ca_trusted_fingerprint,omitempty"`
-}
-
-// LoadTLSConfig will load a certificate from config with all TLS based keys
-// defined. If Certificate and CertificateKey are configured, client authentication
-// will be configured. If no CAs are configured, the host CA will be used by go
-// built-in TLS support.
-func LoadTLSConfig(config *Config) (*TLSConfig, error) {
- if !config.IsEnabled() {
- return nil, nil
- }
-
- fail := multierror.Errors{}
- logFail := func(es ...error) {
- for _, e := range es {
- if e != nil {
- fail = append(fail, e)
- }
- }
- }
-
- var curves []tls.CurveID
- for _, id := range config.CurveTypes {
- curves = append(curves, tls.CurveID(id))
- }
-
- cert, err := LoadCertificate(&config.Certificate)
- logFail(err)
-
- cas, errs := LoadCertificateAuthorities(config.CAs)
- logFail(errs...)
-
- // fail, if any error occurred when loading certificate files
- if err = fail.Err(); err != nil {
- return nil, err
- }
-
- var certs []tls.Certificate
- if cert != nil {
- certs = []tls.Certificate{*cert}
- }
-
- // return config if no error occurred
- return &TLSConfig{
- Versions: config.Versions,
- Verification: config.VerificationMode,
- Certificates: certs,
- RootCAs: cas,
- CipherSuites: config.CipherSuites,
- CurvePreferences: curves,
- Renegotiation: tls.RenegotiationSupport(config.Renegotiation),
- CASha256: config.CASha256,
- CATrustedFingerprint: config.CATrustedFingerprint,
- }, nil
-}
-
-// Validate values the TLSConfig struct making sure certificate sure we have both a certificate and
-// a key.
-func (c *Config) Validate() error {
- warnOnce.Do(func() {
- cfgwarn.Deprecate("8.0.0", "Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed.")
- })
-
- return c.Certificate.Validate()
-}
-
-// IsEnabled returns true if the `enable` field is set to true in the yaml.
-func (c *Config) IsEnabled() bool {
- return c != nil && (c.Enabled == nil || *c.Enabled)
-}
diff --git a/libbeat/common/transport/tlscommon/server_config.go b/libbeat/common/transport/tlscommon/server_config.go
deleted file mode 100644
index 43beaf7141c..00000000000
--- a/libbeat/common/transport/tlscommon/server_config.go
+++ /dev/null
@@ -1,132 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package tlscommon
-
-import (
- "crypto/tls"
-
- "github.com/joeshaw/multierror"
-
- "github.com/elastic/elastic-agent-libs/config"
-)
-
-// ServerConfig defines the user configurable tls options for any TCP based service.
-type ServerConfig struct {
- Enabled *bool `config:"enabled"`
- VerificationMode TLSVerificationMode `config:"verification_mode"` // one of 'none', 'full', 'strict', 'certificate'
- Versions []TLSVersion `config:"supported_protocols"`
- CipherSuites []CipherSuite `config:"cipher_suites"`
- CAs []string `config:"certificate_authorities"`
- Certificate CertificateConfig `config:",inline"`
- CurveTypes []tlsCurveType `config:"curve_types"`
- ClientAuth tlsClientAuth `config:"client_authentication"` //`none`, `optional` or `required`
- CASha256 []string `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
-}
-
-// LoadTLSServerConfig tranforms a ServerConfig into a `tls.Config` to be used directly with golang
-// network types.
-func LoadTLSServerConfig(config *ServerConfig) (*TLSConfig, error) {
- if !config.IsEnabled() {
- return nil, nil
- }
-
- fail := multierror.Errors{}
- logFail := func(es ...error) {
- for _, e := range es {
- if e != nil {
- fail = append(fail, e)
- }
- }
- }
-
- var cipherSuites []uint16
- for _, suite := range config.CipherSuites {
- cipherSuites = append(cipherSuites, uint16(suite))
- }
-
- var curves []tls.CurveID
- for _, id := range config.CurveTypes {
- curves = append(curves, tls.CurveID(id))
- }
-
- cert, err := LoadCertificate(&config.Certificate)
- logFail(err)
-
- cas, errs := LoadCertificateAuthorities(config.CAs)
- logFail(errs...)
-
- // fail, if any error occurred when loading certificate files
- if err = fail.Err(); err != nil {
- return nil, err
- }
-
- var certs []tls.Certificate
- if cert != nil {
- certs = []tls.Certificate{*cert}
- }
-
- // return config if no error occurred
- return &TLSConfig{
- Versions: config.Versions,
- Verification: config.VerificationMode,
- Certificates: certs,
- ClientCAs: cas,
- CipherSuites: config.CipherSuites,
- CurvePreferences: curves,
- ClientAuth: tls.ClientAuthType(config.ClientAuth),
- CASha256: config.CASha256,
- }, nil
-}
-
-// Unpack unpacks the TLS Server configuration.
-func (c *ServerConfig) Unpack(cfg config.C) error {
- const clientAuthKey = "client_authentication"
- const ca = "certificate_authorities"
-
- // When we have explicitely defined the `certificate_authorities` in the configuration we default
- // to `required` for the `client_authentication`, when CA is not defined we should set to `none`.
- if cfg.HasField(ca) && !cfg.HasField(clientAuthKey) {
- cfg.SetString(clientAuthKey, -1, "required")
- }
- type serverCfg ServerConfig
- var sCfg serverCfg
- if err := cfg.Unpack(&sCfg); err != nil {
- return err
- }
- *c = ServerConfig(sCfg)
- return nil
-}
-
-// Validate values the TLSConfig struct making sure certificate sure we have both a certificate and
-// a key.
-func (c *ServerConfig) Validate() error {
- if c.IsEnabled() {
- // c.Certificate.Validate() ensures that both a certificate and key
- // are specified, or neither are specified. For server-side TLS we
- // require both to be specified.
- if c.Certificate.Certificate == "" {
- return ErrCertificateUnspecified
- }
- }
- return c.Certificate.Validate()
-}
-
-// IsEnabled returns true if the `enable` field is set to true in the yaml.
-func (c *ServerConfig) IsEnabled() bool {
- return c != nil && (c.Enabled == nil || *c.Enabled)
-}
diff --git a/libbeat/common/transport/tlscommon/testdata/ca.crt b/libbeat/common/transport/tlscommon/testdata/ca.crt
deleted file mode 100644
index f08fd34367e..00000000000
--- a/libbeat/common/transport/tlscommon/testdata/ca.crt
+++ /dev/null
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFhzCCA2+gAwIBAgIUL0vc8AdVKIcjap/RSpH21trR70swDQYJKoZIhvcNAQEL -BQAwUzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM -DVNhbiBGcmFuY2lzY28xFzAVBgNVBAMMDmNhQGV4YW1wbGUuY29tMB4XDTIxMDEy -NTE2MzQ0OFoXDTMxMDEyMzE2MzQ0OFowUzELMAkGA1UEBhMCVVMxEzARBgNVBAgM -CkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xFzAVBgNVBAMMDmNh -QGV4YW1wbGUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAx0rP -p+sMWe3RehThE5Mh1s8uKsujG0q+Q62s4G4mBE5tQnmSS0LoezWuGMKNyjWQR4dt -IvicPZQfEhqOvdYAIA5fsQE8CMoXW50Q43kQlBUbvZH0yldUFtFtRLPD4RRtwB26 -sUhWLUUCdk4mZBUmAuhMbIoov+TZ8/EZBdqjRBqM9p+k/C9xfitqXKmBWvWOmc0i -NUpxMjJ0C18vVcoAneiMQbB4iBNFviSLxrhnH9sno6IKG/WSCmOaPirmGzMr/PYQ -Wa4j69xQfGd4VBwolShI+fkoCmMQMk06XENUXo9V75sgbV0U0PAjBv4Kqye/r6s2 -1wJKNnS8Ib4rBJAeh5PqebVmpgJUc8lAeC/4SE3Edw6yGILwuGnfZjZJeRgX+OMd -u5K29gvx4Kf0ZZ5F34vzsDwa8CGTTvdth8aNDhO4ETThxUtjqXSA91ewf93Tf3X5 -Rzbg1K5hSHFVcd53Hec6/5Aqiw5PBARa2Ekj1ZW9PHHrSf/x+axyOyK+akUOoI8X -FlgImdr21pKZPSFNpvrYURRYDz8/ftFlcbsx32D3/uQZJW6FpvyguFWnVrGFm7He -ptWvYP2wM0XSOsHQXhogv09sgZhxgViHbc7/PZXOpTFlQt1MXygXVuf0eBUTiJI4 -a595gF4F6Kx/ppBjWge+ZUUsnFjhHVhHvhzvncUCAwEAAaNTMFEwHQYDVR0OBBYE -FHg4mXfbBjMpE8mJUh/yPrfuD2yBMB8GA1UdIwQYMBaAFHg4mXfbBjMpE8mJUh/y -PrfuD2yBMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAA+yu1mF -QoMeL5MwWr7O8q41Fu1n6BpRMm6KD0JOVWCJezW7anOJmcuySk6j2FRMPl3Z2fMH -p1I4420LlxN9H7QD5TVUJWCcujb2W9vhH9/R0qj9G9gkixfI0H/cGWd+Pe71ub5b -wxBTIe7U20uQ9imje8rShiZvgg3EocbWgPZcDnfHFjXVw/A1ocyIwpqjxooU8jiN -n1479sYR+R5TMc0zgZrTOKspcbNq5TEK138sFt79VB2d4oJNV/D0p0GktKpwisiZ -+xjr6iD2gZ9GGi0l0nQmtmLs+QAMuj+yOZX8CPwJlg7JuJYJ/nu0I5tBB1kOBml6 -Jk2o5o3gU6FbfLc3j7aQ/kRP14ByfXqXPTVNbPxrVzFEsAx/NVWaVqbH9iwSye1G -M4kpvZ9RvEHHegNxoN3spKaJkpM056gTBJhWQIHGCOAqv7Izm68NqjSX6+wx92iZ -ujR1PR9pJdOYtjhdmQrWGLK7a06AaOo1v5iQOJ9SN48ucyN2hY2wIZ5IMdQC2I9P -IhIRTSX28cT0WRnH9Sdv9fWQLSfNwrcYWiTDd5+0ImspCC3HzwcTjqTCoT6utrmU -eHAzLPjoUu9FvnrZJW3eMOffvHSh3lK8yW3dv2HKFoXaBD5dL2irk4yacSAIIo2f -4T44UqQSs2U1ip1CHbP64vI1FRNfhDdZRU8w 
------END CERTIFICATE-----
diff --git a/libbeat/common/transport/tlscommon/testdata/ca.key b/libbeat/common/transport/tlscommon/testdata/ca.key
deleted file mode 100644
index 9061f4479dc..00000000000
--- a/libbeat/common/transport/tlscommon/testdata/ca.key
+++ /dev/null
@@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKAIBAAKCAgEAx0rPp+sMWe3RehThE5Mh1s8uKsujG0q+Q62s4G4mBE5tQnmS -S0LoezWuGMKNyjWQR4dtIvicPZQfEhqOvdYAIA5fsQE8CMoXW50Q43kQlBUbvZH0 -yldUFtFtRLPD4RRtwB26sUhWLUUCdk4mZBUmAuhMbIoov+TZ8/EZBdqjRBqM9p+k -/C9xfitqXKmBWvWOmc0iNUpxMjJ0C18vVcoAneiMQbB4iBNFviSLxrhnH9sno6IK -G/WSCmOaPirmGzMr/PYQWa4j69xQfGd4VBwolShI+fkoCmMQMk06XENUXo9V75sg -bV0U0PAjBv4Kqye/r6s21wJKNnS8Ib4rBJAeh5PqebVmpgJUc8lAeC/4SE3Edw6y -GILwuGnfZjZJeRgX+OMdu5K29gvx4Kf0ZZ5F34vzsDwa8CGTTvdth8aNDhO4ETTh -xUtjqXSA91ewf93Tf3X5Rzbg1K5hSHFVcd53Hec6/5Aqiw5PBARa2Ekj1ZW9PHHr -Sf/x+axyOyK+akUOoI8XFlgImdr21pKZPSFNpvrYURRYDz8/ftFlcbsx32D3/uQZ -JW6FpvyguFWnVrGFm7HeptWvYP2wM0XSOsHQXhogv09sgZhxgViHbc7/PZXOpTFl -Qt1MXygXVuf0eBUTiJI4a595gF4F6Kx/ppBjWge+ZUUsnFjhHVhHvhzvncUCAwEA -AQKCAgBD0xIY88WgVW+VPMXdA5XgpWHw7pz0DNvz7IeJWfNWQ9qrZPSE6KB2Ti6R -/qSCzPftYAmkfTevPVnVr3Qk50/jmQC4HNNxqlWIuEunHuyleQmX2rSUqGPV4DBv -0T44u9seJwAClbu+bF4KJU6rgQcOtkBMMDjuFdSXUNZTR7WI2ABhbrOXoA3gAqaQ -IqADdM6zSTz7JfqgOsuDk0Fo0Pakxx/0uzpKFUUHESkA2IFANjWnWt5V5Z1uK7ey -sKbfWur9jEDERJ+1BaXesNgix/KH0M4FROZ7ontAo0fZXpC4HdABW6oNjkAnW5KQ -LqUy2rRB9OMVCZJ4NgJQ+YdqZiH9J63IIObGDyV5MDNmu3N88aGaT/29LrOTX2+A -g1FZZxdEBapRonk1KRvoX2PfPWReB02ThSQePVb7LEQ4ETMP/Qdc4ACynTrkhRot -ehcHpuiSkpu0sZgZh+7l5+PxTIHspmeg/Dws6f0m9yJjpzS4ATOfo5AX6ZjFy6vf -IEJZ9Rj7F4CB15jj5jQ1Bd6lYgqqaHbrUOupLLN8fIe/S+IK6uETczAgvYaNazhf -8sS2xxFRNWKwImHrhg8yq/oA5Zfpyu4ypEck/XM/cXh49b3HjxhyKA1Xa2tBaXjX -JPgIw+lMRBMLkxCcp3B5s0pPqw+FB2JNW9xOE3aaRcmPmRm0AQKCAQEA+i6/U4kW -gVkDIqykj2OmBzIyWFnJSrnnDWKUmwf5F8X3oT6F5+v9ltqBeHuwfH8FaOQ4kf7e -5G2BT9mujay4yUtFX0/ok+/UdfWBli718JYp6TnqGQHn/ABwvngDKdDkvx4UJ9bV -jUZiQnKbMCHuuXlpiV6ByzyCPGdvU+ND5m5WBln82B184FicnsUQWcU4XnLVu3Rs -WBeLR42/mP91byQc/ZUjEUWnYPyiK/SFcHP2B5B88aJYNboMGwfupePTijl278Oh -Y0U8zcPaY9fp/tjEJtDvv299psY42wfv+kUl9qPWv9wY9DB47Itc+ecdmUeL2w76 -thi1ZeTL7Of8LQKCAQEAy+0ha/p/F3AkX4vZs2Du+u04BcU+Lnjn6jpXFVudeJl/ -o8X3ctcv5C8Lf2Zb3cl5xgDV17/W0sH8oVcyOje78mAC180mMrTSbGECMdgy5y0/ 
-kVu+qaksPL/PuVz1rdFGSJGh588DTGVceXGqEnvZwPO+zwbGExgXKDfZQirq95Fp -7ocvQqRHOj/jVyNhSzSMJEcjG6fWCzBLIvQGYnT/pmVZCV3zJhKyRf8LwDu01nZf -b62YYuzrrHm5xUXs/GtySdfibDgDDCAu0WBJzDlayaVttQHIXV98/1zdEMo3WQmz -QfhN6q1iXNP0TDZdixvSY7qPPkwpuAgoFIAVarBu+QKCAQAlkTl3oME5YRVgco4v -XeZDdF0s+SaJywqP7vqjoPndgQOjOdE/tycYLO1+GwywVR6J1qNMAPqVUIA3bleQ -vJvu1hevrT8eX8gGgnwYAis6GkJm3CRz5t5f7+z+HOVUtSJ0NF8QcGkW0rfUhIMb -Ii1HupyHXSKeUxK3YUzNSvYaNv1B7OdTyHHE+mliSfMfl8bUH+hKQrw2Kirm7rkT -j2Ch9MlJpshiQpRUsvrjIM+cyDzse9zXJ+qY/rvsny9Nx70vJ1vduwGT94Se3UcA -8R4Y/5HMxlkJ5QL4NRG6iiGV8iY2N/n6S2GP4Wt3EaI/gF3oc17j4QbyqxkqGMYq -Z9dtAoIBABHAdb1ZlACtUW1D1lKoKIWNaugNsIkJG18nbvc7/2xFKHhQPmcv1kpt -0floJq0a4c/buMHMQF4eZuiAl627tk+2DelNQXr+hKbMlw1RvbSkGrmDnAhW4rPz -GpkPP4++/PhKPSbZvXbECBXGUEDFqUIDteN9unZlDXcBzZbV95hPf0I1YGbTuCOY -9ihauxh53Y026BZ7OMXGkXPcfEXL24lXnzWSiR0SWZSATDyStf5JVat6GB7ccvOT -sRk8KhIbJFrLQTmccp92mby+Pg5aG84b6X3tRsziCBaOtevFPqYwkvs2K0o3h61/ -AfA0d1YpuNnXnqqUpLkRdLO8JqEf9LkCggEBALDwHe1SSdKc7BDws8zxr6bJyVxL -h2nvA43SWhhSA3jsQtxi4xS0f1GRzWoczjAJFNcLRCdnKkEBfMpBL03s9rexy1Pa -3Dd1WaiyDfvGpbTr8l0M+R5kEcr5MfCfsAKcnoN4/egaqkNLKMi7eFfrEloiRO3y -rX7DmH2p8Oe0cY5bhSBJrwMS2fVh/SYfOiCVLhymmuH4hVmtJ6YCBWAY4Fhk16Iu -wsiTfvbibKSvFA9MJe+25UQugdVgHLzG84OSK4lMDMd37BTex84dH1P/r5shvuLx -nBSUOKXETOQMAA71hoMveHxox9fwGSmh2oLeaEVvdpADpWfpsCZzt05iXjM= ------END RSA PRIVATE KEY----- diff --git a/libbeat/common/transport/tlscommon/testdata/cacert.crt b/libbeat/common/transport/tlscommon/testdata/cacert.crt deleted file mode 100644 index debdf7e246e..00000000000 --- a/libbeat/common/transport/tlscommon/testdata/cacert.crt +++ /dev/null 
@@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEBDCCAuygAwIBAgIUXwbLbwGjWWlQNrMUsdDpKzeGixEwDQYJKoZIhvcNAQEL -BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u -dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 -MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG -UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDTALBgNV -BAsMBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtXsn+VCrW -ibutoByM5EeIK29XYffBwN78EeNjDdaZZqMF4wGZZ6z2xQXH6mFx+m1gjnf5R2qo -yfentYH5VRZz5AEtBGPsOqMffV9u5PkHSo/2ilCX40eBVp5u3qh6aFPZ5DKqexWu -5jUMYolTXpvAtML5YbMH9XvW6pn5WAqwHPLNe+fVuPg4tJN0u/ff0wKqSUBIhVOP -7EPhz3yLflACScgj+LPXz/5gtUXe9RR5RB8zyWGfNL91eoVVaApcdp4kIU+DHmgI -p+T4CpgdYWsYuOWH49F7RJyLpocUU4H+heeC4+zH0LIUcELa+n/M2DUDW3RE109a -tv9OEJKR8/YHAgMBAAGjgdMwgdAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU -fyEN1Qe7FlWa+2RBnl8Vd4ZCFkIwgY0GA1UdIwSBhTCBgoAUfyEN1Qe7FlWa+2RB -nl8Vd4ZCFkKhVKRSMFAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAP -BgNVBAcMCE1vbnRyZWFsMQ4wDAYDVQQKDAViZWF0czENMAsGA1UECwwEcm9vdIIU -XwbLbwGjWWlQNrMUsdDpKzeGixEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB -CwUAA4IBAQAANxJCfDMcNNnAVRlXLdh+loVx8Y5STf1gTgX2gtf9tHZGYE7/ix2P -dG1uQcEz/ETlcGSWRZcQSNR8dNeBi5YWK5dmDUD7reQr3FoyIDvPGHyIcF3clglg -blYhsQN0TVwx4G3kZDenjzKNSyVLR81opLq/PDIGW61ZCioJUQKs5q+IqsKj+okn -in6/b5YfQqyTDIWY3IPiXjvcysbKC0pYc0TkmwGUnidxDny7txrVCVJ1vwIedQug -B/UOjVxi0qsNwpWS08mwEOVvgvObi0mFoGQl8l427M0kM//86NM7vDc4Z0QYHOlq -A0ZjtnSbR3RqfhBGXV3BL+GHtXevn55Z ------END CERTIFICATE----- diff --git a/libbeat/common/transport/tlscommon/testdata/cacert.key b/libbeat/common/transport/tlscommon/testdata/cacert.key deleted file mode 100644 index e864b93ed66..00000000000 --- a/libbeat/common/transport/tlscommon/testdata/cacert.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArV7J/lQq1om7raAcjORHiCtvV2H3wcDe/BHjYw3WmWajBeMB -mWes9sUFx+phcfptYI53+UdqqMn3p7WB+VUWc+QBLQRj7DqjH31fbuT5B0qP9opQ -l+NHgVaebt6oemhT2eQyqnsVruY1DGKJU16bwLTC+WGzB/V71uqZ+VgKsBzyzXvn -1bj4OLSTdLv339MCqklASIVTj+xD4c98i35QAknII/iz18/+YLVF3vUUeUQfM8lh -nzS/dXqFVWgKXHaeJCFPgx5oCKfk+AqYHWFrGLjlh+PRe0Sci6aHFFOB/oXnguPs -x9CyFHBC2vp/zNg1A1t0RNdPWrb/ThCSkfP2BwIDAQABAoIBAQCQmLJYENL5xD5n -/VZSnEKc670dYHRHgRl5m2HPR8doghYN3tuCmtnDp2e+6VkEux1mnuypWEs5I9oO -YnBZCAKF/fCNH1BHwlAy/1oNH6Qj1Khls86sH7+PvDK/va0/CqyE2rL3RVk8Wnx8 -K+LlSc8V1q2XWUj8pl33TgvFzwx6/QpmGa1ofK84GaeWNskRt8xyf2HECiRl6ZFm -zZr2Ror3nRbgZK9FYWpcp6HUgxAH/8GQ3+8vMvftfTsDGD5TmmEq6CFgAFCVj92L -d7AZmNWR1483NzZF0HWOQ6ew9qrWkqVpER7kKKp/kkfoh2qXgvtQBTrw4IcCRwwa -szaSsIEBAoGBANiqXhBzPQJszm1Ajln07ZeyvgRB8PgzZXcAHS9AfGqh/mGQw5/X -3vqHdGiEynphoYtNqK1YT7RH7pkjkpqDzdunZGz1xog7i4ys8kVtivkDGlhn6cXI -4wmFcmyCaf76VPPr1RX8PNjsEKDK3jq1d86lBjSLPgcHT7J16WZgOcJnAoGBAMzY -QVNpjk1WNT7gid3MUXciIIZAovej4AiVyn97XxxLSyByXmNds65f3dM8NOJkJUvT -iV7pAjKl9pd1lE+WTNQSjCgSxw7G+4u9cQfNE7p6klAh/Rek76Mani9rAmQ2PdJl -EFaEgLom3wbR5eOkYURjw2jfqzFYQ8T1YZkWBithAoGAa3EYkknDIFe6ifzwWnWV -+Jr/lXbpuvspvrhEwLDWwb4xOkqiZ7qR7WSMemQXUFbn1/+bvNJFPB5LmI9GXO8t -f1Zj+5BpchctHYaJ4Znvx4odX2ewSo9S3t7ZHiwRygpzZD43fd6Ggf+WQ1Y2m6Bv -l/7Hs/i0uqGKiPHl2wmuutMCgYABZN9c7/T19cY6/VAy4DcVtne+MiZpxQW7STmt -kGtfR+vk9qJJztNwNlrOGzTI7aGLWI8wxCktqw94jGZL/FvdfZrSkv4jzZrcopdo -VC70L+1a+kA8rvSqiX3WGMZVZEEbc3CfBhvSKH2QEFGeMPowevVTe2Iw3cboSjs1 -zX6RQQKBgFV7gOstMfvixCSUCD2s5j/skhNJsB3Wd/tVYRbl/vgA6hHW8UOy2oWv -UTE45vJNVzRv030G5katjOYhlxHf9rpeSAbeIyty54I3X9/vDJZLXwe8WilQjUr7 -Dw8yNwH44j/0s8xcQXG8yE0h1Aa9GxHHtJtYrRYdx7sSwNHtwpnp ------END RSA PRIVATE KEY----- diff --git a/libbeat/common/transport/tlscommon/testdata/client1.crt b/libbeat/common/transport/tlscommon/testdata/client1.crt deleted file mode 100644 index c3139a72a77..00000000000 --- a/libbeat/common/transport/tlscommon/testdata/client1.crt +++ /dev/null 
@@ -1,48 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEFzCCAv+gAwIBAgIUeaB7uk2DjAM2cuRl0kaE9ly7Lj4wDQYJKoZIhvcNAQEL -BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u -dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 -MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBmMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG -UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDzANBgNV -BAsMBnNlcnZlcjESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF -AAOCAQ8AMIIBCgKCAQEA3jXEj7vN+BDlj6cYblKSml0FWpO4yi9C58cubXXDWXI6 -hdpzNpDa0+n606Jg4eVZpFUZPTnnjQmFIcesO0+i85V4Etswr4T22uobDu1AWV7n -26nDMY/vlf+kDI8H/uFgxQg/Htuh12nHuYrjIS+ot/D6gThwIWVldu0TaBaFfvL5 -5qTPRJoteiBPo5y+VuWLhzPWg8cQYZ4KJ4XREk8H4d7PqFRHp+zATfn2YLBjUK7Z -zd0W3mxkdB2P7MnzZuH5n5zrgJ8OI9voopX8QadMYtUSeITP1INmNKhi4vLbpZjU -mt+N/u1G6xwbuyJiSlklBoXdRcWj5kSljpLtF1evvwIDAQABo4HQMIHNMAwGA1Ud -EwEB/wQCMAAwHQYDVR0OBBYEFAuDdHxE9/Zr7iVwfnUJ/lRtJnZkMIGNBgNVHSME -gYUwgYKAFH8hDdUHuxZVmvtkQZ5fFXeGQhZCoVSkUjBQMQswCQYDVQQGEwJDQTEP -MA0GA1UECAwGUXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVh -dHMxDTALBgNVBAsMBHJvb3SCFF8Gy28Bo1lpUDazFLHQ6Ss3hosRMA4GA1UdDwEB -/wQEAwIF4DANBgkqhkiG9w0BAQsFAAOCAQEACzuX6AiVHk5Igs/LdOW2sJ9lm95N -Su1PQCobM0Jo8wX3pDAEQlLmaWTDcr4bfrQPfI8pih1F89DQU9z0nzNCRfxiQaA7 -myF8ftvf8v5j3LpaPWlkdWgCRieCl58fgy5vtcKx73eTY4a6SRB4zbWpl0rX9H6w -En1kQbpCJDzh8W+xmr8AKvY77CSC1vt7TaKan6F+fGwbt8kIng6P6C7dvMGsDKQN -2Tiq/wtH16DB8mOeO+zfxJfa84TPWL4UcSbZJ8w5Fyz4GJormaymxJGtKv58RO7J -u63WF9vlEnKGyqY1FckTsp3P9ivGEb/Y75+NyRwmNq5VO5BPrRBMOF3VAg== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIEBDCCAuygAwIBAgIUXwbLbwGjWWlQNrMUsdDpKzeGixEwDQYJKoZIhvcNAQEL -BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u -dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 -MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG -UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDTALBgNV -BAsMBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtXsn+VCrW 
-ibutoByM5EeIK29XYffBwN78EeNjDdaZZqMF4wGZZ6z2xQXH6mFx+m1gjnf5R2qo -yfentYH5VRZz5AEtBGPsOqMffV9u5PkHSo/2ilCX40eBVp5u3qh6aFPZ5DKqexWu -5jUMYolTXpvAtML5YbMH9XvW6pn5WAqwHPLNe+fVuPg4tJN0u/ff0wKqSUBIhVOP -7EPhz3yLflACScgj+LPXz/5gtUXe9RR5RB8zyWGfNL91eoVVaApcdp4kIU+DHmgI -p+T4CpgdYWsYuOWH49F7RJyLpocUU4H+heeC4+zH0LIUcELa+n/M2DUDW3RE109a -tv9OEJKR8/YHAgMBAAGjgdMwgdAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU -fyEN1Qe7FlWa+2RBnl8Vd4ZCFkIwgY0GA1UdIwSBhTCBgoAUfyEN1Qe7FlWa+2RB -nl8Vd4ZCFkKhVKRSMFAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAP -BgNVBAcMCE1vbnRyZWFsMQ4wDAYDVQQKDAViZWF0czENMAsGA1UECwwEcm9vdIIU -XwbLbwGjWWlQNrMUsdDpKzeGixEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB -CwUAA4IBAQAANxJCfDMcNNnAVRlXLdh+loVx8Y5STf1gTgX2gtf9tHZGYE7/ix2P -dG1uQcEz/ETlcGSWRZcQSNR8dNeBi5YWK5dmDUD7reQr3FoyIDvPGHyIcF3clglg -blYhsQN0TVwx4G3kZDenjzKNSyVLR81opLq/PDIGW61ZCioJUQKs5q+IqsKj+okn -in6/b5YfQqyTDIWY3IPiXjvcysbKC0pYc0TkmwGUnidxDny7txrVCVJ1vwIedQug -B/UOjVxi0qsNwpWS08mwEOVvgvObi0mFoGQl8l427M0kM//86NM7vDc4Z0QYHOlq -A0ZjtnSbR3RqfhBGXV3BL+GHtXevn55Z ------END CERTIFICATE----- diff --git a/libbeat/common/transport/tlscommon/testdata/client1.key b/libbeat/common/transport/tlscommon/testdata/client1.key deleted file mode 100644 index ce5274b758f..00000000000 --- a/libbeat/common/transport/tlscommon/testdata/client1.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEA3jXEj7vN+BDlj6cYblKSml0FWpO4yi9C58cubXXDWXI6hdpz -NpDa0+n606Jg4eVZpFUZPTnnjQmFIcesO0+i85V4Etswr4T22uobDu1AWV7n26nD -MY/vlf+kDI8H/uFgxQg/Htuh12nHuYrjIS+ot/D6gThwIWVldu0TaBaFfvL55qTP -RJoteiBPo5y+VuWLhzPWg8cQYZ4KJ4XREk8H4d7PqFRHp+zATfn2YLBjUK7Zzd0W -3mxkdB2P7MnzZuH5n5zrgJ8OI9voopX8QadMYtUSeITP1INmNKhi4vLbpZjUmt+N -/u1G6xwbuyJiSlklBoXdRcWj5kSljpLtF1evvwIDAQABAoIBABdTza7JKHZCT9ck -04vBX2KVIVrA50VScNOkNVuIYVmihEJJDI9N5asZhRtykHkmeqKlzGCBE63asf85 -1vrjAVhQ+KoCGLpUWxXgPbbzcS3wqKaGy9cIJT65957Z5Rz8zAvjMb0rkXHryOvR -iMaTGkM1KRcntZ3L5zr06HSk6J7K8QCEexKHl7Q7Ki1498tvBWdJGeGWRiUtI89j -wOUdcf3pVSVqI7J8gmmqVwNrVMbVxhlen7nkckXofWAackYVQDBD+hU1n3doNKLa -NP6mZkI02BOB29WLDXLuHtKDZtgnXex4JUz6zw53uV42FCDoQf3DUiVsMEL8xRCJ -27H6bwECgYEA/w53zS00mNdYdXO7dGhAw3UYPc3PDyg6Z823BQzfdOzsn5Yw0BIw -nPgstzwzOL0kw2p/PgwkG/7LOsF5CWs2xvU3LhUdOhgmw4B5IbMOYvbkVoYGz+22 -HJf4qyexAr7tKCITB+LCzUwoAgXp8uju1XdLVpk6xmJ3u+kIhMYTxkUCgYEA3wgx -71/uIUsoW6bVL5K00yXPWTTFtTBWM768VJ8Y++k2igPgcvKaBVaElr4AbvX5iCGz -1Ycc9xsGAYAo7+q4D+4cuOki/m0PMKD3DgXWpTtN0kJ+npWUBdE98NyDlTJYsa/w -xjeMQoDvC8tE2bAiwtVIOPQL2C/3emqkJcsVcDMCgYB8NeOJ/DXdKSJfMJldu1eu -2FuR3aS00PaAjuJOh1JbcvZZUZ879V/PUd0U7zBStWot8LM+2FLNf2whlQ8I0zm9 -8rWIr6eoHxLhqrNTAgxDjdDtgh/XKwDBNBFZ6N5/Y9PC87Uo5fnQWQIy2gZw0Zde -RdZeugixjEqbLIWFg6ElsQKBgHRy6O+c3M6RWU8ROnoOVU9xjGN9REUoKbn2uopM -T1UoHQvOnmAl/vkOhUfXiI5m65SCVE0GsL7sYyRhb/5kRRo8Ls71GwpQkv/G63ds -4PeAkU9Y3JecbZ7j8z1RRXqewOR1gndcBWWrwCQeS6KFboDfr0fdVFnaIZLPH0mE -UXs1AoGBAM3zpcyl5o99dO6x9N/8SSnyLT9TzzbJ6pU6d0F0ELn3OxTUBH1oA1dy -q1fADcRgN5vNuJljY4es/scK2BMeX1isFitXoIzk01F4R61xoXr8T33731eXFG6L -ehoECH2Yj9H4qNbVW531iYKheuSyaMaxCxaDoK9jBzcKaxMGbTlc ------END RSA PRIVATE KEY----- diff --git a/libbeat/common/transport/tlscommon/testdata/es-leaf.crt b/libbeat/common/transport/tlscommon/testdata/es-leaf.crt deleted file mode 100644 index 89d5087eb94..00000000000 --- a/libbeat/common/transport/tlscommon/testdata/es-leaf.crt +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFeDCCA2CgAwIBAgIUV7+XlHjcV++/ezqTkJrXSFc1dpAwDQYJKoZIhvcNAQEL -BQAwPDE6MDgGA1UEAxMxRWxhc3RpY3NlYXJjaCBzZWN1cml0eSBhdXRvLWNvbmZp -Z3VyYXRpb24gSFRUUCBDQTAeFw0yMTExMzAxMDMzNTdaFw0yMzExMzAxMDMzNTda -MBExDzANBgNVBAMTBngtd2luZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC -ggIBALL045X6ywAHg9tWuViNyXu30rHhJa/AI45ZwLWzQMEwnCWnMvV0Cy3FgUd6 -VKw4Rg55/SfBKShhTRjC4PmDIHDIBgpm4NWpREIW2+cZfeEU8B34ucK/ZHycTFQ1 -Guh8HfvFy5J3OYT+8Wfz94ZxvVLMOGROTSiWdL2foVk98tbHgL1K3qyv1v0rgIjt -smZ7G4tbl3sBCuYceUL7X/+0kavJGls2T/rtxxEIfj5dNz4h65KmABrrAJfrEx35 -y2jCdY2XQsBxxMvbHEXXJKhrjQ8pajMcWAlDBKweiNIDdgBDYWpodpr4f3A6ZJkM -Nplw7KyLna4s3BO/g7fd5/FyQGFuLPraFtFnTXGqH+LjX0td74bdSP22/uhU3cKY -3y64I3/HEaEY5JITgUArExcMVpXuKJKqXEb+LtjGmUbAiO8Z7QKL+PqmU+3tJJ0p -kXnS07m3F/MgrDir/VCnYGQcXeteBwEgmcOwPmxz98eOSBhtb0PrimycF2tQuT8b -mCU+evTPC+KQ+8XY5vBwdPGpf6YAaHuVhNtKqBQnYOpsadS7zw5DJ0Y1Kp9z0ZPL -ch4DxE40xqAFmxWnAfpy2scD8LGJ1zDII90tAtYdu+3Wlzj6uMqUdqPuJED7XD41 -mlF2OjB5ipTs/1Jjl3pEnGG94sw5bQmnS1xFQp/DO3mjlgFBAgMBAAGjgZwwgZkw -HQYDVR0OBBYEFJKNxskBHE5xQ9S24puXSKm6/bLKMB8GA1UdIwQYMBaAFHEdsBBS -VCiK0fDIVe2vNN8JvHmcMEwGA1UdEQRFMEOHEP6AAAAAAAAAtw+3JU5DX8mCCWxv -Y2FsaG9zdIcQAAAAAAAAAAAAAAAAAAAAAYcEfwAAAYcEwKgqtoIGeC13aW5nMAkG -A1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggIBAF5JAIQ9cu2xroh2F85fBr/F0s8D -aRV6AJpkjSVKInMm7omn+GLB80TwQZ6NsGuXrbaq0rcM85khsBs4rWn5MqescYG/ -8A7gZ4EtYE3LIyeqiqBByrtIqszZeXm7ITDSF/lwn7X2swe7orkhVD4tVEvKH6L6 -Ql0oNe5UBN1Rm9NskDltMDzE2A25slkm99CAdPERDEjBpvd3eDcfbQdHeuAOPfUV -T8P2DAdW4SC955bxnc0GPTla5TKXWWLde3egow5a4LeJv6KVWPTC9chEXZyQKp4p -jvWZW1fTO/kC3oj97tfqoH/r35/+qyXmg38HNAFbEoVM3bsO0vqrI5CbkWTkB1Xb -7CY6jJxemyEprl2gmkgfA/MXBHFc3RoIL7JcX7Sk8ZWpnEVK3KyoyK1RJ5kY1Cz4 -SRw4KLJA4Cu6DE7vXy9pTlIeeQARgQOUxnrlRGYHpKRIwgjrhwEjVqc0CPwj7rWr -0VY4MW80FPFIePpqy3DjoJmORQU632iu/5zeUS4dZ11Ms7NTakqqnFHi7XczqeZn -4HqPW8ebQTXrqRXMF/X30x6gkK1R1tXHSbve7cTQWJEwJd+MS2aA5Npt7hGznjPn -Y1p4k9jEz5BnbLtZ2RbAj2FuL4Ee6iJoyZpFbi/SW+h+1ZaPCeUTnxUkDLEiXpdk -tN8H6/6dudhy6btm ------END 
CERTIFICATE-----
diff --git a/libbeat/common/transport/tlscommon/testdata/es-root-ca-cert.crt b/libbeat/common/transport/tlscommon/testdata/es-root-ca-cert.crt
deleted file mode 100644
index 6234774adc9..00000000000
--- a/libbeat/common/transport/tlscommon/testdata/es-root-ca-cert.crt
+++ /dev/null
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFWTCCA0GgAwIBAgIUAoPlJ3hVr921EyJfiT+9lVft3fcwDQYJKoZIhvcNAQEL -BQAwPDE6MDgGA1UEAxMxRWxhc3RpY3NlYXJjaCBzZWN1cml0eSBhdXRvLWNvbmZp -Z3VyYXRpb24gSFRUUCBDQTAeFw0yMTExMzAxMDMzNTdaFw0yNDExMjkxMDMzNTda -MDwxOjA4BgNVBAMTMUVsYXN0aWNzZWFyY2ggc2VjdXJpdHkgYXV0by1jb25maWd1 -cmF0aW9uIEhUVFAgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2 -soq+heCJNHsMuyyyLndREhYmxYFav06XOLB5oC1bAt+0WMo3n7rxVB8dAhfvigof -DsTIytnCcK+Th8ll2k4Bs2weF16ZhvvC2FKbSkdUxNXnXfx7gdKDXZLbfref5FiL -ucwxa7CtVL28Lfws9J5dZTTAuxR2XxaX+TJbH6MbQgKUYR+DnK8T3jSfiDTQtiHs -+pd+C8hSdMgzKCynYP36VZbtz1ynWjvQ/0wxARO6q2OLZGBNh2ncoFEmosXgc0ir -Vh9NrVmozSI0H2f6W07imqL3oe1pe3bwW/OdfeahCBY3IvDLDn8q8wDl91gRta3n -EsMsiuBRSRRpT0grgoCFNy+wiIrETVLaI2HJ0UpVIpcoS7K5l2zN/wA+w+hAOdh0 -PoBt8AoC1aCCGM4osCTKqbgbOg957io2twuvWJ6ae3J2k5FFDMvIfMfL+5HhPSRp -nYiRDPOhapDhaXhHa4pEFONpdiJJgmqymLqjW4liZOGft28dSkISK3iiBL74p/gu -X/sBI7PZANycpyVjnLHK+FwPlRZPkrqCw2Gke4Oqm9uydwM08uRVZcNylVS7H0ip -9BEcxKlXJSaULnTqQXkiPGKGkCrrIIsNQTFjoaBIBP2o69NSZ0SozDf4aCnYy10v -U1dwI9yisOmMfDkakNcAPXfRfmuuJlstl1W1RraQswIDAQABo1MwUTAdBgNVHQ4E -FgQUcR2wEFJUKIrR8MhV7a803wm8eZwwHwYDVR0jBBgwFoAUcR2wEFJUKIrR8MhV -7a803wm8eZwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAiHrC -NxCNsyUYLFVivL9AsJ5Y3IrhAHUzYwofLBJiMYNFsaEi3P1VU3TNlo98kzi2QkdY -NPFtRYoOg6sEI0KPEBw54kLP/Q/FJK7jeJSyhJ9V/Z+NS081YHqrMP4YPK6mM4qa -XuM7hpx37vkLDdfrDPionbcLk7Zz+2t6bIThrwta0idMY6LKeFfW1EWeggK6inNc -Ub3n1qcTyOp1RfcLlHCdb17JhgY5hROmqVfhgLlbT0bx1NZS4pRWhw5CDKsflMUe -SyHbLE1BTH6yE0nNXbR6FgDKjQNUSSZBOBck0hdSaRArALavujjBojHmJYWt1jWO -bcBErzwKKwH/peUh7Wgnq1L/lqym9K9AniWUyhvKn8AbxGLnILDMYOSrvlPF2uU+ -uvp2EzhPUyOgYycC28H4fFUdDeoN5FVP+4sFFK+FIgfqLfVMTgDPmGAbkqA6WKlH -fgQ2fP4oB2ZkN0EPxivXkvZkhDVlIXeoisUkNCgAfVuwCjvOLnqz8u0tTnp/wXxq -XAXUPLcG71YFzABlkwuPdA5GhFAL1Rv8GQJEznhZ8mYz/yTtcg/z3pYEhDcM92Cb -161BormFYVRI1B80rSpzeQwJVfvgCwnWOTat+1joFHCzpl99nHu8tMxi6lkO1G9E -8vdk/J0zMMnhO52V2EMNdH2fTJUMZYixBm4BeEM= ------END CERTIFICATE----- 
diff --git a/libbeat/common/transport/tlscommon/testdata/server.crt b/libbeat/common/transport/tlscommon/testdata/server.crt deleted file mode 100644 index 50ca5ce8b32..00000000000 --- a/libbeat/common/transport/tlscommon/testdata/server.crt +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDlTCCAX0CAQEwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCVVMxEzARBgNV -BAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xFzAVBgNVBAMM -DmNhQGV4YW1wbGUuY29tMB4XDTIxMDEyNTE2MzQ0OVoXDTMxMDEyMzE2MzQ0OVow -UjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNh -biBGcmFuY2lzY28xFjAUBgNVBAMMDSouZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcN -AQEBBQADgY0AMIGJAoGBALFuNygrGLLSnD//JRfU6xMDqgizeVdQqDlLaP/HxQ84 -9RPWnjfbyx2M25JYcLvewPqKQ80lOYnMRhpvujmuKP7gQHNDWOsyXH5JljTX78Wb -I+nuVMeYjbUOh+6EgYNY59G5rH7xqgeu3y1YERfNdchEG8xjSxYeIZ7Ev6VMFF8r -AgMBAAEwDQYJKoZIhvcNAQELBQADggIBALyHDjVcY6Po1eHWTUCLLOW1ZzzkX4qu -gsfJM6qTIZIqh/O6tROGqH9kRw8SarIIZvtztfzuYtmQBE0qkBMzPzdN3x+3C4pz -jf2vsEKRqva9mf9y+JM0Mv0WUuPfusHxPKOCl1on71kP1GL1bYylKqazgVa2tAVa -78xs35YIuCM5apt0X+QO+Tnz/qfqJ7t3F7mP1aeCjYm8J20S8vKTYgkRkFX/8VJB -1zRPl0CAMyoHOMcrmb7wX8V1CIER7VBQ7h580B7/7okrw+Hr3xyMOA0w1DiRUQJE -biHBuDTRDmRg6W5nAwNLFLp/RfHttny0nEEcnzcjEStEKyDGbNg1W2ieWuIhgUza -L3W3ld9LDD9pMnQ8yYTMcL+J2Ir6ErhpGL3Hks42W2c/qYhvo3we6B2ADfsS7P+m -ku5W7/G2fDIlj6rtzaAeur+LSgsjU6kc1et2SJxjcJMPrS4xHxpAhJzD7h7f5N/B -RBc5cT2sE2vuUBRGkz0wC9AC2/kxmv4RwjsrYTY8rEOqHRkxDF18lfFocAoq7Hvr -lO6ft9/knzTQzKiizc6unXsLhUCvBzt50bA/gVLXmUmr1sncATKHWOLbvfRWat4I -0m52jlowgqnJPsXtl+wwNYHaw9gF71RTx/Ov2vZ8xm5SeBNkO8cpdAftETAEqpgp -fDlIVeywLvoN ------END CERTIFICATE----- diff --git a/libbeat/common/transport/tlscommon/testdata/server.key b/libbeat/common/transport/tlscommon/testdata/server.key deleted file mode 100644 index 8bb153a9006..00000000000 --- a/libbeat/common/transport/tlscommon/testdata/server.key +++ /dev/null 
@@ -1,15 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQCxbjcoKxiy0pw//yUX1OsTA6oIs3lXUKg5S2j/x8UPOPUT1p43 -28sdjNuSWHC73sD6ikPNJTmJzEYab7o5rij+4EBzQ1jrMlx+SZY01+/FmyPp7lTH -mI21DofuhIGDWOfRuax+8aoHrt8tWBEXzXXIRBvMY0sWHiGexL+lTBRfKwIDAQAB -AoGAaBKW5cfJl/JzVhJphn4MWL3YeXwUW4Pi+KBj+UwLKW+mSTmk2mzgyfd6P3AC -yB/Tn+GD/YutIUehgxYv7G9ceZC85EsPM6+1s887olgKNKbCiZZvrLBcBCzEhzkN -QpC2/cuOOVYdYYQJZp9RX7herAJ5aqxZHUUtCrudgfCiAckCQQDo37NhBBfUlLc4 -LW3ryxydsh7MrTMU63+5IVtXosV3TFdWN9LC6CCarkILcOG5tmEmM6v1UQRAgCkm -lb+/3SrXAkEAwwz9+mcAU1lTTiy+dCJkKepviT4Ex+BFl0yJPfSN5+/Wg15DjwsN -vdE0H5nAT65aECiYy8V9DKNwHNcTIaZXzQJBAMvoPOBhPiCVC410MgC6e9cVRWTA -766Muuy26Y1l6HQac4r6HGEv8oSeuxPbhrsfmBdkPVjz1L5Juj6f9yOgHEcCQHMH -pHkaaay+D00ZQjDHX38AzUqJEtS1xRTXhFDPeyj/3uiWnQ0tHauGR1EjobDcSC0j -ZAk4rOjZMnMvvA6qRTkCQQCT6B0edwnMc9q/4XcdF+LptWRiYNbSKkrisb304N+d -lqbB76fGQY22onWcZEvcOmifmzmgj56QXSUot+fkNlVK ------END RSA PRIVATE KEY----- diff --git a/libbeat/common/transport/tlscommon/testdata/tls.crt b/libbeat/common/transport/tlscommon/testdata/tls.crt deleted file mode 100644 index d6528ccec0d..00000000000 --- a/libbeat/common/transport/tlscommon/testdata/tls.crt +++ /dev/null 
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIRAKtKtQKtGFIUneRz5r1FnUMwDQYJKoZIhvcNAQELBQAw -FjEUMBIGA1UEAwwLbW9yZWxsby5vdmgwHhcNMTkwODA5MDkzOTIyWhcNMTkxMTA3 -MDkzOTIyWjBOMRkwFwYDVQQKExBFbGFzdGljc2VhcmNoIENBMTEwLwYDVQQDEyhl -bGFzdGljc2VhcmNoLXNhbXBsZS1lcy1odHRwLmRlZmF1bHQuc3ZjMIIBIjANBgkq -hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq6HRcrfV1kHnXv5Z+ImkgKDvxCezI3/p -yiR0jSv6L7+bblHzzsqkPnz3aaIPJJ2G4sdwaIhl5rJdOvCj48It8OtRidZjzuJH -hN2RpN2Ii5WX4D1u18CrjEQrRUzs/vuwpyP0zWx0yP3lp88fy8kfWHj8cE06KZ3c -jq1fTRjEDv/N6xofqBSIHPsnvOVIP0Sp9bJkw5yO0H3oBfrqP0N2mjnwQknclz30 -t/LoXHcRrZTOH42pgG5ODZslqLNgKLXQHzRcglzNQPwYKYHigBiy+xsHxbIIXe1n -R70PYKXisA0bhHTiV1Sa77dqQRdSkm0JzrNg58lHZYA1sVKTh0nRMQIDAQABo4Gv -MIGsMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFDou -x6fQdsT7szqJX2vyfmtmtuXiMGsGA1UdEQRkMGKCKGVsYXN0aWNzZWFyY2gtc2Ft -cGxlLWVzLWh0dHAuZGVmYXVsdC5zdmOCNmVsYXN0aWNzZWFyY2gtc2FtcGxlLWVz -LWh0dHAuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbDANBgkqhkiG9w0BAQsFAAOC -AQEAL0EBOx2vPXJSIjv8t0S2HkbCSerdDvGSNtkOrTizBtL7EwRSec6nes6OaWo6 -JYVNCP0Y+a4jQQrD9MkFKniKxluvLgbsHHsCnQC5tI5iwaOIZe+33pVyNksTc3CC -l2s6Imqpvt6S3GyuWhcwWhwi3pK0ce9RqoO7GONHZmyuOaHGm1OxPeXJQYu7gTKg -3hMjnNAzLOF1oOIrPKnkxfP4jdOrQE1oKk9QR7ScIKLVHJTJoogCM50I7yD7HnMT -itkHwZhk5ptdA29P/OAcZheO5NOGlWJ6OeQl35A9SxgB3DSRTFORoEBfwPZB4ZLC -zODbmFEr7N0FzCN6hU8PjcLLhg== ------END CERTIFICATE----- diff --git a/libbeat/common/transport/tlscommon/testdata/unsigned_tls.crt b/libbeat/common/transport/tlscommon/testdata/unsigned_tls.crt deleted file mode 100644 index 710dda0acef..00000000000 --- a/libbeat/common/transport/tlscommon/testdata/unsigned_tls.crt +++ /dev/null 
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDmjCCAoKgAwIBAgIfVNT1201IZeL6eZ5nBDNfdg7z5Rx3pSWKx48R5xEUMzAN -BgkqhkiG9w0BAQUFADBmMQkwBwYDVQQGEwAxCTAHBgNVBAoMADEJMAcGA1UECwwA -MRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20xDzANBgkqhkiG9w0BCQEWADEYMBYG -A1UEAwwPd3d3LmV4YW1wbGUuY29tMB4XDTIwMDcyMzIzNTE1NloXDTMwMDcyNDIz -NTE1NlowTDEJMAcGA1UEBhMAMQkwBwYDVQQKDAAxCTAHBgNVBAsMADEYMBYGA1UE -AwwPd3d3LmV4YW1wbGUuY29tMQ8wDQYJKoZIhvcNAQkBFgAwggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQDUM6FCJj36941WQVrIKVjHCNKf0bdGiinfxGgL -4SaUywGUo35mp70SFSpEcl3HE5B62Nab3axZ7N3oYeCD5iCJGPI0JWE3/gPdn5ao -2xsGr1sKS+453dkmpDBEnTHNo7HjmvZIDIEzKHDW1QnfeeSGef9TKtVsnoDhGp+u -mMndqBBUEXE/4tIrFuKZLQjxlchw6JQ6fpjmXxZKRCgXJq18/x9jfJnduYpb/DOc -bXfQKZCbJeQdlZO9yxwwmzetZ/7kRZ774qvYtcHs+RVH5tPob1J/xgEoVpE4XAgp -IrYrYCA159ejRJfb5Zs9Hx0AbatzFzTrHzod+jhfDpCh/NX3AgMBAAGjTzBNMB0G -A1UdDgQWBBSuVtBMQ/Q6YHXDi6FQxOGzp+U5pTAfBgNVHSMEGDAWgBSuVtBMQ/Q6 -YHXDi6FQxOGzp+U5pTALBgNVHREEBDACggAwDQYJKoZIhvcNAQEFBQADggEBADNC -AZZUgG4uXpDEIcWKT7gI8G+lbQJjIYciCNtqJsSpxOyN1Vs6tt8FXZBrVjxCa+Ik -TpBZ0OxhY7Ry3veqVoeh9o8ASM8mvFE7y/CjZHtqxh5Q/Q1O5/UuMVy4ilT4hzEb -jXvoH+gLCVxPcaV4cfqfWEWoW3RwfG+NtBq7ZnCl5o7ATDjDl1qe9sZ1rvIq7mLb -Lk7lvNjqZU1PBRj6riW84Tv+yZc2kytqu61l8+NmphKwrKUgVUcbY37knmNIF2tB -pl742yDqYtSu3ODWFtjNw2CZRGhTOcJMXasBFpjch0dz3uM++As0n9r63cNDssDi -GQ6OHiviqMYraJMVFsc= ------END CERTIFICATE----- diff --git a/libbeat/common/transport/tlscommon/tls.go b/libbeat/common/transport/tlscommon/tls.go deleted file mode 100644 index 18a127e1eab..00000000000 --- a/libbeat/common/transport/tlscommon/tls.go +++ /dev/null 
@@ -1,246 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package tlscommon - -import ( - "bytes" - "crypto/tls" - "crypto/x509" - "encoding/pem" - "errors" - "fmt" - "io" - "io/ioutil" - "os" - "strings" - - "github.com/elastic/elastic-agent-libs/logp" -) - -const logSelector = "tls" - -// LoadCertificate will load a certificate from disk and return a tls.Certificate or error -func LoadCertificate(config *CertificateConfig) (*tls.Certificate, error) { - if err := config.Validate(); err != nil { - return nil, err - } - - certificate := config.Certificate - key := config.Key - if certificate == "" { - return nil, nil - } - - log := logp.NewLogger(logSelector) - - certPEM, err := ReadPEMFile(log, certificate, config.Passphrase) - if err != nil { - log.Errorf("Failed reading certificate file %v: %+v", certificate, err) - return nil, fmt.Errorf("%v %v", err, certificate) - } - - keyPEM, err := ReadPEMFile(log, key, config.Passphrase) - if err != nil { - log.Errorf("Failed reading key file %v: %+v", key, err) - return nil, fmt.Errorf("%v %v", err, key) - } - - cert, err := tls.X509KeyPair(certPEM, keyPEM) - if err != nil { - log.Errorf("Failed loading client certificate %+v", err) - return nil, err - } - - 
log.Debugf("Loading certificate: %v and key %v", certificate, key) - return &cert, nil -} - -// ReadPEMFile reads a PEM formatted string either from disk or passed as a plain text starting with a "-" -// and decrypt it with the provided password and return the raw content. -func ReadPEMFile(log *logp.Logger, s, passphrase string) ([]byte, error) { - pass := []byte(passphrase) - var blocks []*pem.Block - - r, err := NewPEMReader(s) - if err != nil { - return nil, err - } - defer r.Close() - - content, err := ioutil.ReadAll(r) - if err != nil { - return nil, err - } - - for len(content) > 0 { - var block *pem.Block - - block, content = pem.Decode(content) - if block == nil { - if len(blocks) == 0 { - return nil, errors.New("no pem file") - } - break - } - - if x509.IsEncryptedPEMBlock(block) { - var buffer []byte - var err error - if len(pass) == 0 { - err = errors.New("No passphrase available") - } else { - // Note, decrypting pem might succeed even with wrong password, but - // only noise will be stored in buffer in this case. - buffer, err = x509.DecryptPEMBlock(block, pass) - } - - if err != nil { - log.Errorf("Dropping encrypted pem '%v' block read from %v. %+v", - block.Type, r, err) - continue - } - - // DEK-Info contains encryption info. Remove header to mark block as - // unencrypted. - delete(block.Headers, "DEK-Info") - block.Bytes = buffer - } - blocks = append(blocks, block) - } - - if len(blocks) == 0 { - return nil, errors.New("no PEM blocks") - } - - // re-encode available, decrypted blocks - buffer := bytes.NewBuffer(nil) - for _, block := range blocks { - err := pem.Encode(buffer, block) - if err != nil { - return nil, err - } - } - return buffer.Bytes(), nil -} - -// LoadCertificateAuthorities read the slice of CAcert and return a Certpool. 
-func LoadCertificateAuthorities(CAs []string) (*x509.CertPool, []error) { - errors := []error{} - - if len(CAs) == 0 { - return nil, nil - } - - log := logp.NewLogger(logSelector) - roots := x509.NewCertPool() - for _, s := range CAs { - r, err := NewPEMReader(s) - if err != nil { - log.Errorf("Failed reading CA certificate: %+v", err) - errors = append(errors, fmt.Errorf("%v reading %v", err, r)) - continue - } - defer r.Close() - - pemData, err := ioutil.ReadAll(r) - if err != nil { - log.Errorf("Failed reading CA certificate: %+v", err) - errors = append(errors, fmt.Errorf("%v reading %v", err, r)) - continue - } - - if ok := roots.AppendCertsFromPEM(pemData); !ok { - log.Error("Failed to add CA to the cert pool, CA is not a valid PEM document") - errors = append(errors, fmt.Errorf("%v adding %v to the list of known CAs", ErrNotACertificate, r)) - continue - } - log.Debugf("Successfully loaded CA certificate: %v", r) - } - - return roots, errors -} - -func extractMinMaxVersion(versions []TLSVersion) (uint16, uint16) { - if len(versions) == 0 { - versions = TLSDefaultVersions - } - - minVersion := uint16(0xffff) - maxVersion := uint16(0) - for _, version := range versions { - v := uint16(version) - if v < minVersion { - minVersion = v - } - if v > maxVersion { - maxVersion = v - } - } - - return minVersion, maxVersion -} - -// ResolveTLSVersion takes the integer representation and return the name. -func ResolveTLSVersion(v uint16) string { - return TLSVersion(v).String() -} - -// ResolveCipherSuite takes the integer representation and return the cipher name. -func ResolveCipherSuite(cipher uint16) string { - return CipherSuite(cipher).String() -} - -// PEMReader allows to read a certificate in PEM format either through the disk or from a string. -type PEMReader struct { - reader io.ReadCloser - debugStr string -} - -// NewPEMReader returns a new PEMReader. 
-func NewPEMReader(certificate string) (*PEMReader, error) { - if IsPEMString(certificate) { - return &PEMReader{reader: ioutil.NopCloser(strings.NewReader(certificate)), debugStr: "inline"}, nil - } - - r, err := os.Open(certificate) - if err != nil { - return nil, err - } - return &PEMReader{reader: r, debugStr: certificate}, nil -} - -// Close closes the target io.ReadCloser. -func (p *PEMReader) Close() error { - return p.reader.Close() -} - -// Read read bytes from the io.ReadCloser. -func (p *PEMReader) Read(b []byte) (n int, err error) { - return p.reader.Read(b) -} - -func (p *PEMReader) String() string { - return p.debugStr -} - -// IsPEMString returns true if the provided string match a PEM formatted certificate. try to pem decode to validate. -func IsPEMString(s string) bool { - // Trim the certificates to make sure we tolerate any yaml weirdness, we assume that the string starts - // with "-" and let further validation verifies the PEM format. - return strings.HasPrefix(strings.TrimSpace(s), "-") -} diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go deleted file mode 100644 index c9aaadb5921..00000000000 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ /dev/null 
@@ -1,351 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package tlscommon
-
-import (
- "bytes"
- "crypto/sha256"
- "crypto/tls"
- "crypto/x509"
- "encoding/hex"
- "fmt"
- "net"
- "time"
-
- "github.com/pkg/errors"
-
- "github.com/elastic/elastic-agent-libs/logp"
-)
-
-// TLSConfig is the interface used to configure a tcp client or server from a `Config`
-type TLSConfig struct {
-
- // List of allowed SSL/TLS protocol versions. Connections might be dropped
- // after handshake succeeded, if TLS version in use is not listed.
- Versions []TLSVersion
-
- // Configure SSL/TLS verification mode used during handshake. By default
- // VerifyFull will be used.
- Verification TLSVerificationMode
-
- // List of certificate chains to present to the other side of the
- // connection.
- Certificates []tls.Certificate
-
- // Set of root certificate authorities use to verify server certificates.
- // If RootCAs is nil, TLS might use the system its root CA set (not supported
- // on MS Windows).
- RootCAs *x509.CertPool
-
- // Set of root certificate authorities use to verify client certificates.
- // If ClientCAs is nil, TLS might use the system its root CA set (not supported
- // on MS Windows).
- ClientCAs *x509.CertPool
-
- // List of supported cipher suites. If nil, a default list provided by the
- // implementation will be used.
- CipherSuites []CipherSuite
-
- // Types of elliptic curves that will be used in an ECDHE handshake. If empty,
- // the implementation will choose a default.
- CurvePreferences []tls.CurveID
-
- // Renegotiation controls what types of renegotiation are supported.
- // The default, never, is correct for the vast majority of applications.
- Renegotiation tls.RenegotiationSupport
-
- // ClientAuth controls how we want to verify certificate from a client, `none`, `optional` and
- // `required`, default to required. Do not affect TCP client.
- ClientAuth tls.ClientAuthType
-
- // CASha256 is the CA certificate pin, this is used to validate the CA that will be used to trust
- // the server certificate.
- CASha256 []string
-
- // CATrustedFingerprint is the HEX encoded fingerprint of a CA certificate. If present in the chain
- // this certificate will be added to the list of trusted CAs (RootCAs) during the handshake.
- CATrustedFingerprint string
-
- // time returns the current time as the number of seconds since the epoch.
- // If time is nil, TLS uses time.Now.
- time func() time.Time
-}
-
-var (
- MissingPeerCertificate = errors.New("missing peer certificates")
-)
-
-// ToConfig generates a tls.Config object. Note, you must use BuildModuleClientConfig to generate a config with
-// ServerName set, use that method for servers with SNI.
-// By default VerifyConnection is set to client mode.
-func (c *TLSConfig) ToConfig() *tls.Config {
- if c == nil {
- return &tls.Config{}
- }
-
- minVersion, maxVersion := extractMinMaxVersion(c.Versions)
-
- insecure := c.Verification != VerifyStrict
- if c.Verification == VerifyNone {
- logp.NewLogger("tls").Warn("SSL/TLS verifications disabled.")
- }
-
- return &tls.Config{
- MinVersion: minVersion,
- MaxVersion: maxVersion,
- Certificates: c.Certificates,
- RootCAs: c.RootCAs,
- ClientCAs: c.ClientCAs,
- InsecureSkipVerify: insecure,
- CipherSuites: convCipherSuites(c.CipherSuites),
- CurvePreferences: c.CurvePreferences,
- Renegotiation: c.Renegotiation,
- ClientAuth: c.ClientAuth,
- Time: c.time,
- VerifyConnection: makeVerifyConnection(c),
- }
-}
-
-// BuildModuleConfig takes the TLSConfig and transform it into a `tls.Config`.
-func (c *TLSConfig) BuildModuleClientConfig(host string) *tls.Config {
- if c == nil {
- // use default TLS settings, if config is empty.
- return &tls.Config{
- ServerName: host,
- InsecureSkipVerify: true,
- VerifyConnection: makeVerifyConnection(&TLSConfig{
- Verification: VerifyFull,
- }),
- }
- }
-
- config := c.ToConfig()
- config.ServerName = host
- return config
-}
-
-// BuildServerConfig takes the TLSConfig and transform it into a `tls.Config` for server side objects.
-func (c *TLSConfig) BuildServerConfig(host string) *tls.Config {
- if c == nil {
- // use default TLS settings, if config is empty.
- return &tls.Config{
- ServerName: host,
- InsecureSkipVerify: true,
- VerifyConnection: makeVerifyServerConnection(&TLSConfig{
- Verification: VerifyFull,
- }),
- }
- }
-
- config := c.ToConfig()
- config.ServerName = host
- config.VerifyConnection = makeVerifyServerConnection(c)
- return config
-}
-
-func trustRootCA(cfg *TLSConfig, peerCerts []*x509.Certificate) error {
- logger := logp.NewLogger("tls")
- logger.Info("'ca_trusted_fingerprint' set, looking for matching fingerprints")
- fingerprint, err := hex.DecodeString(cfg.CATrustedFingerprint)
- if err != nil {
- return fmt.Errorf("decode 'ca_trusted_fingerprint': %w", err)
- }
-
- for _, cert := range peerCerts {
- // Compute digest for each certificate.
- digest := sha256.Sum256(cert.Raw)
-
- if bytes.Equal(digest[0:], fingerprint) {
- logger.Info("CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'")
- // Make sure the fingerprint matches a CA certificate
- if cert.IsCA {
- if cfg.RootCAs == nil {
- cfg.RootCAs = x509.NewCertPool()
- }
-
- cfg.RootCAs.AddCert(cert)
- return nil
- }
- }
- }
-
- logger.Warn("no CA certificate matching the fingerprint")
- return nil
-}
-
-func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error {
- switch cfg.Verification {
- case VerifyFull:
- return func(cs tls.ConnectionState) error {
- if cfg.CATrustedFingerprint != "" {
- if err := trustRootCA(cfg, cs.PeerCertificates); err != nil {
- return err
- }
- }
- // On the client side, PeerCertificates can't be empty.
- if len(cs.PeerCertificates) == 0 {
- return MissingPeerCertificate
- }
-
- opts := x509.VerifyOptions{
- Roots: cfg.RootCAs,
- Intermediates: x509.NewCertPool(),
- }
- err := verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts)
- if err != nil {
- return err
- }
- return verifyHostname(cs.PeerCertificates[0], cs.ServerName)
- }
- case VerifyCertificate:
- return func(cs tls.ConnectionState) error {
- if cfg.CATrustedFingerprint != "" {
- if err := trustRootCA(cfg, cs.PeerCertificates); err != nil {
- return err
- }
- }
- // On the client side, PeerCertificates can't be empty.
- if len(cs.PeerCertificates) == 0 {
- return MissingPeerCertificate
- }
-
- opts := x509.VerifyOptions{
- Roots: cfg.RootCAs,
- Intermediates: x509.NewCertPool(),
- }
- return verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts)
- }
- case VerifyStrict:
- if len(cfg.CASha256) > 0 {
- return func(cs tls.ConnectionState) error {
- if cfg.CATrustedFingerprint != "" {
- if err := trustRootCA(cfg, cs.PeerCertificates); err != nil {
- return err
- }
- }
- return verifyCAPin(cfg.CASha256, cs.VerifiedChains)
- }
- }
- default:
- }
-
- return nil
-}
-
-func makeVerifyServerConnection(cfg *TLSConfig) func(tls.ConnectionState) error {
- switch cfg.Verification {
- case VerifyFull:
- return func(cs tls.ConnectionState) error {
- if len(cs.PeerCertificates) == 0 {
- if cfg.ClientAuth == tls.RequireAndVerifyClientCert {
- return MissingPeerCertificate
- }
- return nil
- }
-
- opts := x509.VerifyOptions{
- Roots: cfg.ClientCAs,
- Intermediates: x509.NewCertPool(),
- KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
- }
- err := verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts)
- if err != nil {
- return err
- }
- return verifyHostname(cs.PeerCertificates[0], cs.ServerName)
- }
- case VerifyCertificate:
- return func(cs tls.ConnectionState) error {
- if len(cs.PeerCertificates) == 0 {
- if cfg.ClientAuth == tls.RequireAndVerifyClientCert {
- return MissingPeerCertificate
- }
- return nil
- }
-
- opts := x509.VerifyOptions{
- Roots: cfg.ClientCAs,
- Intermediates: x509.NewCertPool(),
- KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
- }
- return verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts)
- }
- case VerifyStrict:
- if len(cfg.CASha256) > 0 {
- return func(cs tls.ConnectionState) error {
- return verifyCAPin(cfg.CASha256, cs.VerifiedChains)
- }
- }
- default:
- }
-
- return nil
-
-}
-
-func verifyCertsWithOpts(certs []*x509.Certificate, casha256 []string, opts x509.VerifyOptions) error {
- for _, cert := range certs[1:] {
- opts.Intermediates.AddCert(cert)
- }
- verifiedChains, err := certs[0].Verify(opts)
- if err != nil {
- return err
- }
-
- if len(casha256) > 0 {
- return verifyCAPin(casha256, verifiedChains)
- }
- return nil
-}
-
-func verifyHostname(cert *x509.Certificate, hostname string) error {
- if hostname == "" {
- return nil
- }
- // check if the server name is an IP
- ip := hostname
- if len(ip) >= 3 && ip[0] == '[' && ip[len(ip)-1] == ']' {
- ip = ip[1 : len(ip)-1]
- }
- parsedIP := net.ParseIP(ip)
- if parsedIP != nil {
- for _, certIP := range cert.IPAddresses {
- if parsedIP.Equal(certIP) {
- return nil
- }
- }
- return x509.HostnameError{Certificate: cert, Host: hostname}
- }
-
- dnsnames := cert.DNSNames
- if len(dnsnames) == 0 || len(dnsnames) == 1 && dnsnames[0] == "" {
- if cert.Subject.CommonName != "" {
- dnsnames = []string{cert.Subject.CommonName}
- }
- }
-
- for _, name := range dnsnames {
- if matchHostnames(name, hostname) {
- if !validHostname(name, true) {
- return fmt.Errorf("invalid hostname in cert")
- }
- return nil
- }
- }
- return x509.HostnameError{Certificate: cert, Host: hostname}
-}
diff --git a/libbeat/common/transport/tlscommon/tls_config_test.go b/libbeat/common/transport/tlscommon/tls_config_test.go
deleted file mode 100644
index 2fd0b76e2a0..00000000000
--- a/libbeat/common/transport/tlscommon/tls_config_test.go
+++ /dev/null
@@ -1,384 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package tlscommon
-
-import (
- "crypto/tls"
- "crypto/x509"
- "encoding/pem"
- "io/ioutil"
- "path/filepath"
- "testing"
-
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
-)
-
-func TestMakeVerifyServerConnection(t *testing.T) {
- testCerts := openTestCerts(t)
-
- testCA, errs := LoadCertificateAuthorities([]string{
- filepath.Join("testdata", "ca.crt"),
- filepath.Join("testdata", "cacert.crt"),
- })
- if len(errs) > 0 {
- t.Fatalf("failed to load test certificate authorities: %+v", errs)
- }
-
- testcases := map[string]struct {
- verificationMode TLSVerificationMode
- clientAuth tls.ClientAuthType
- certAuthorities *x509.CertPool
- peerCerts []*x509.Certificate
- serverName string
- expectedCallback bool
- expectedError error
- }{
- "default verification without certificates when required": {
- verificationMode: VerifyFull,
- clientAuth: tls.RequireAndVerifyClientCert,
- peerCerts: nil,
- serverName: "",
- expectedCallback: true,
- expectedError: MissingPeerCertificate,
- },
- "default verification with certificates when required with expired cert": {
- verificationMode: VerifyFull,
- clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
- peerCerts: []*x509.Certificate{testCerts["expired"]},
- serverName: "",
- expectedCallback: true,
- expectedError: x509.CertificateInvalidError{Cert: testCerts["expired"], Reason: x509.Expired},
- },
- "default verification with certificates when required with incorrect server name in cert": {
- verificationMode: VerifyFull,
- clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
- peerCerts: []*x509.Certificate{testCerts["correct"]},
- serverName: "bad.example.com",
- expectedCallback: true,
- expectedError: x509.HostnameError{Certificate: testCerts["correct"], Host: "bad.example.com"},
- },
- "default verification with certificates when required with correct cert": {
- verificationMode: VerifyFull,
- clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
- peerCerts: []*x509.Certificate{testCerts["correct"]},
- serverName: "localhost",
- expectedCallback: true,
- expectedError: nil,
- },
- "default verification with certificates when required with correct wildcard cert": {
- verificationMode: VerifyFull,
- clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
- peerCerts: []*x509.Certificate{testCerts["wildcard"]},
- serverName: "hello.example.com",
- expectedCallback: true,
- expectedError: nil,
- },
- "certificate verification with certificates when required with correct cert": {
- verificationMode: VerifyCertificate,
- clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
- peerCerts: []*x509.Certificate{testCerts["correct"]},
- serverName: "localhost",
- expectedCallback: true,
- expectedError: nil,
- },
- "certificate verification with certificates when required with expired cert": {
- verificationMode: VerifyCertificate,
- clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
- peerCerts: []*x509.Certificate{testCerts["expired"]},
- serverName: "localhost",
- expectedCallback: true,
- expectedError: x509.CertificateInvalidError{Cert: testCerts["expired"], Reason: x509.Expired},
- },
- "certificate verification with certificates when required with incorrect server name in cert": {
- verificationMode: VerifyCertificate,
- clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
- peerCerts: []*x509.Certificate{testCerts["correct"]},
- serverName: "bad.example.com",
- expectedCallback: true,
- expectedError: nil,
- },
- "strict verification with certificates when required with correct cert": {
- verificationMode: VerifyStrict,
- clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
- peerCerts: []*x509.Certificate{testCerts["correct"]},
- serverName: "localhost",
- expectedCallback: false,
- expectedError: nil,
- },
- "default verification with certificates when required with cert signed by unkown authority": {
- verificationMode: VerifyFull,
- clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
- peerCerts: []*x509.Certificate{testCerts["unknown authority"]},
- serverName: "",
- expectedCallback: true,
- expectedError: x509.UnknownAuthorityError{Cert: testCerts["unknown authority"]},
- },
- "default verification without certificates not required": {
- verificationMode: VerifyFull,
- clientAuth: tls.NoClientCert,
- peerCerts: nil,
- serverName: "",
- expectedCallback: true,
- expectedError: nil,
- },
- "no verification without certificates not required": {
- verificationMode: VerifyNone,
- clientAuth: tls.NoClientCert,
- peerCerts: nil,
- serverName: "",
- expectedError: nil,
- },
- }
-
- for name, test := range testcases {
- t.Run(name, func(t *testing.T) {
- cfg := &TLSConfig{
- Verification: test.verificationMode,
- ClientAuth: test.clientAuth,
- ClientCAs: test.certAuthorities,
- }
-
- verifier := makeVerifyServerConnection(cfg)
- if !test.expectedCallback {
- assert.Nil(t, verifier)
- return
- }
-
- err := verifier(tls.ConnectionState{
- PeerCertificates: test.peerCerts,
- ServerName: test.serverName,
- })
- if test.expectedError == nil {
- assert.NoError(t, err)
- } else {
- require.Error(t, err)
- // We want to ensure the error type/message are the expected ones
- // so we compare the types and the message
- assert.IsType(t, test.expectedError, err)
- assert.Contains(t, err.Error(), test.expectedError.Error())
- }
- })
- }
-}
-
-func openTestCerts(t testing.TB) map[string]*x509.Certificate {
- t.Helper()
- certs := make(map[string]*x509.Certificate, 0)
-
- for testcase, certname := range map[string]string{
- "expired": "tls.crt",
- "unknown authority": "unsigned_tls.crt",
- "correct": "client1.crt",
- "wildcard": "server.crt",
- "es-leaf": "es-leaf.crt",
- "es-root-ca": "es-root-ca-cert.crt",
- } {
-
- certBytes, err := ioutil.ReadFile(filepath.Join("testdata", certname))
- if err != nil {
- t.Fatalf("reading file %q: %+v", certname, err)
- }
- block, _ := pem.Decode(certBytes)
- testCert, err := x509.ParseCertificate(block.Bytes)
- if err != nil {
- t.Fatalf("parsing certificate %q: %+v", certname, err)
- }
- certs[testcase] = testCert
- }
-
- return certs
-}
-
-func TestTrustRootCA(t *testing.T) {
- certs := openTestCerts(t)
-
- nonEmptyCertPool := x509.NewCertPool()
- nonEmptyCertPool.AddCert(certs["wildcard"])
- nonEmptyCertPool.AddCert(certs["unknown authority"])
-
- testCases := []struct {
- name string
- rootCAs *x509.CertPool
- caTrustedFingerprint string
- peerCerts []*x509.Certificate
- expectingError bool
- expectedRootCAsLen int
- }{
- {
- name: "RootCA cert matches the fingerprint and is added to cfg.RootCAs",
- caTrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b",
- peerCerts: []*x509.Certificate{certs["es-leaf"], certs["es-root-ca"]},
- expectedRootCAsLen: 1,
- },
- {
- name: "RootCA cert doesn not matche the fingerprint and is not added to cfg.RootCAs",
- caTrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b",
- peerCerts: []*x509.Certificate{certs["es-leaf"], certs["es-root-ca"]},
- expectedRootCAsLen: 0,
- },
- {
- name: "non empty CertPool has the RootCA added",
- rootCAs: nonEmptyCertPool,
- caTrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b",
- peerCerts: []*x509.Certificate{certs["es-leaf"], certs["es-root-ca"]},
- expectedRootCAsLen: 3,
- },
- {
- name: "invalis HEX encoding",
- caTrustedFingerprint: "INVALID ENCODING",
- expectedRootCAsLen: 0,
- expectingError: true,
- },
- }
-
- for _, tc := range testCases {
- t.Run(tc.name, func(t *testing.T) {
- cfg := TLSConfig{
- RootCAs: tc.rootCAs,
- CATrustedFingerprint: tc.caTrustedFingerprint,
- }
- err := trustRootCA(&cfg, tc.peerCerts)
- if tc.expectingError && err == nil {
- t.Fatal("expecting an error when calling trustRootCA")
- }
-
- if !tc.expectingError && err != nil {
- t.Fatalf("did not expect an error calling trustRootCA: %v", err)
- }
-
- if tc.expectedRootCAsLen != 0 {
- if cfg.RootCAs == nil {
- t.Fatal("cfg.RootCAs cannot be nil")
- }
-
- // we want to know the number of certificates in the CertPool (RootCAs), as it is not
- // directly available, we use this workaround of reading the number of subjects in the pool.
- if got, expected := len(cfg.RootCAs.Subjects()), tc.expectedRootCAsLen; got != expected {
- t.Fatalf("expecting cfg.RootCAs to have %d element, got %d instead", expected, got)
- }
- }
- })
- }
-}
-
-func TestMakeVerifyConnectionUsesCATrustedFingerprint(t *testing.T) {
- testCerts := openTestCerts(t)
-
- testcases := map[string]struct {
- verificationMode TLSVerificationMode
- peerCerts []*x509.Certificate
- serverName string
- expectedCallback bool
- expectingError bool
- CATrustedFingerprint string
- CASHA256 []string
- }{
- "CATrustedFingerprint and verification mode:VerifyFull": {
- verificationMode: VerifyFull,
- peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]},
- serverName: "localhost",
- expectedCallback: true,
- CATrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b",
- },
- "CATrustedFingerprint and verification mode:VerifyCertificate": {
- verificationMode: VerifyCertificate,
- peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]},
- serverName: "localhost",
- expectedCallback: true,
- CATrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b",
- },
- "CATrustedFingerprint and verification mode:VerifyStrict": {
- verificationMode: VerifyStrict,
- peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]},
- serverName: "localhost",
- expectedCallback: true,
- CATrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b",
- CASHA256: []string{Fingerprint(testCerts["es-leaf"])},
- },
- "CATrustedFingerprint and verification mode:VerifyNone": {
- verificationMode: VerifyNone,
- peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]},
- serverName: "localhost",
- expectedCallback: false,
- },
- "invalid CATrustedFingerprint and verification mode:VerifyFull returns error": {
- verificationMode: VerifyFull,
- peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]},
- serverName: "localhost",
- expectedCallback: true,
- CATrustedFingerprint: "INVALID HEX ENCODING",
- expectingError: true,
- },
- "invalid CATrustedFingerprint and verification mode:VerifyCertificate returns error": {
- verificationMode: VerifyCertificate,
- peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]},
- serverName: "localhost",
- expectedCallback: true,
- CATrustedFingerprint: "INVALID HEX ENCODING",
- expectingError: true,
- },
- "invalid CATrustedFingerprint and verification mode:VerifyStrict returns error": {
- verificationMode: VerifyStrict,
- peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]},
- serverName: "localhost",
- expectedCallback: true,
- CATrustedFingerprint: "INVALID HEX ENCODING",
- expectingError: true,
- CASHA256: []string{Fingerprint(testCerts["es-leaf"])},
- },
- }
-
- for name, test := range testcases {
- t.Run(name, func(t *testing.T) {
- cfg := &TLSConfig{
- Verification: test.verificationMode,
- CATrustedFingerprint: test.CATrustedFingerprint,
- CASha256: test.CASHA256,
- }
-
- verifier := makeVerifyConnection(cfg)
- if test.expectedCallback {
- require.NotNil(t, verifier, "makeVerifyConnection returned a nil verifier")
- } else {
- require.Nil(t, verifier)
- return
- }
-
- err := verifier(tls.ConnectionState{
- PeerCertificates: test.peerCerts,
- ServerName: test.serverName,
- VerifiedChains: [][]*x509.Certificate{test.peerCerts},
- })
- if test.expectingError {
- assert.Error(t, err)
- } else {
- assert.NoError(t, err)
- }
- })
- }
-}
diff --git a/libbeat/common/transport/tlscommon/tls_test.go b/libbeat/common/transport/tlscommon/tls_test.go
deleted file mode 100644
index f52218aaa41..00000000000
--- a/libbeat/common/transport/tlscommon/tls_test.go
+++ /dev/null
@@ -1,643 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -//go:build !integration -// +build !integration - -package tlscommon - -import ( - "crypto/tls" - "fmt" - "io/ioutil" - "os" - "testing" - - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - - "github.com/elastic/elastic-agent-libs/config" -) - -// test TLS config loading - -func load(yamlStr string) (*Config, error) { - var cfg Config - config, err := config.NewConfigWithYAML([]byte(yamlStr), "") - if err != nil { - return nil, err - } - - if err = config.Unpack(&cfg); err != nil { - return nil, err - } - return &cfg, nil -} - -func mustLoad(t *testing.T, yamlStr string) *Config { - cfg, err := load(yamlStr) - if err != nil { - t.Fatal(err) - } - return cfg -} - -func TestEmptyTlsConfig(t *testing.T) { - cfg, err := load("") - assert.NoError(t, err) - - assert.Equal(t, cfg, &Config{}) -} - -func TestLoadWithEmptyValues(t *testing.T) { - cfg, err := load(` - enabled: - verification_mode: - certificate: - key: - key_passphrase: - certificate_authorities: - cipher_suites: - curve_types: - supported_protocols: - `) - - assert.NoError(t, err) - assert.Equal(t, cfg, &Config{}) -} - -func TestNoLoadNilConfig(t *testing.T) { - cfg, 
err := LoadTLSConfig(nil) - assert.NoError(t, err) - assert.Nil(t, cfg) -} - -func TestNoLoadDisabledConfig(t *testing.T) { - enabled := false - cfg, err := LoadTLSConfig(&Config{Enabled: &enabled}) - assert.NoError(t, err) - assert.Nil(t, cfg) -} - -func TestValuesSet(t *testing.T) { - cfg, err := load(` - enabled: true - certificate_authorities: ["ca1.pem", "ca2.pem"] - certificate: mycert.pem - key: mycert.key - verification_mode: none - cipher_suites: - - ECDHE-ECDSA-AES-256-CBC-SHA - - ECDHE-ECDSA-AES-256-GCM-SHA384 - supported_protocols: [TLSv1.1, TLSv1.2] - curve_types: - - P-521 - renegotiation: freely - `) - - if err != nil { - t.Fatal(err) - } - - assert.Equal(t, "mycert.pem", cfg.Certificate.Certificate) - assert.Equal(t, "mycert.key", cfg.Certificate.Key) - assert.Len(t, cfg.CAs, 2) - assert.Equal(t, VerifyNone, cfg.VerificationMode) - assert.Len(t, cfg.CipherSuites, 2) - assert.Equal(t, - []TLSVersion{TLSVersion11, TLSVersion12}, - cfg.Versions) - assert.Len(t, cfg.CurveTypes, 1) - assert.Equal(t, - tls.RenegotiateFreelyAsClient, - tls.RenegotiationSupport(cfg.Renegotiation)) -} - -func TestApplyEmptyConfig(t *testing.T) { - tmp, err := LoadTLSConfig(&Config{}) - if err != nil { - t.Fatal(err) - } - - cfg := tmp.BuildModuleClientConfig("") - assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion)) - assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion)) - assert.Len(t, cfg.Certificates, 0) - assert.Nil(t, cfg.RootCAs) - assert.Equal(t, true, cfg.InsecureSkipVerify) - assert.Len(t, cfg.CipherSuites, 0) - assert.Len(t, cfg.CurvePreferences, 0) - assert.Equal(t, tls.RenegotiateNever, cfg.Renegotiation) -} - -func TestApplyWithConfig(t *testing.T) { - tmp, err := LoadTLSConfig(mustLoad(t, ` - certificate: ca_test.pem - key: ca_test.key - certificate_authorities: [ca_test.pem] - verification_mode: none - cipher_suites: - - "ECDHE-ECDSA-AES-256-CBC-SHA" - - "ECDHE-ECDSA-AES-256-GCM-SHA384" - curve_types: [P-384] - renegotiation: once - `)) - 
if err != nil { - t.Fatal(err) - } - - cfg := tmp.BuildModuleClientConfig("") - assert.NotNil(t, cfg) - assert.Len(t, cfg.Certificates, 1) - assert.NotNil(t, cfg.RootCAs) - assert.Equal(t, true, cfg.InsecureSkipVerify) - assert.Len(t, cfg.CipherSuites, 2) - assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion)) - assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion)) - assert.Len(t, cfg.CurvePreferences, 1) - assert.Equal(t, tls.RenegotiateOnceAsClient, cfg.Renegotiation) -} - -func TestServerConfigDefaults(t *testing.T) { - t.Run("when CA is not explicitly set", func(t *testing.T) { - var c ServerConfig - config := config.MustNewConfigFrom(` -certificate: mycert.pem -key: mykey.pem -`) - err := config.Unpack(&c) - require.NoError(t, err) - c.Certificate = CertificateConfig{} // prevent reading non-existent files - tmp, err := LoadTLSServerConfig(&c) - require.NoError(t, err) - - cfg := tmp.BuildModuleClientConfig("") - - assert.NotNil(t, cfg) - // values not set by default - assert.Len(t, cfg.Certificates, 0) - assert.Nil(t, cfg.ClientCAs) - assert.Len(t, cfg.CipherSuites, 0) - assert.Len(t, cfg.CurvePreferences, 0) - // values set by default - assert.Equal(t, true, cfg.InsecureSkipVerify) - assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion)) - assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion)) - assert.Equal(t, tls.NoClientCert, cfg.ClientAuth) - }) - t.Run("when CA is explicitly set", func(t *testing.T) { - - yamlStr := ` - certificate_authorities: [ca_test.pem] - certificate: mycert.pem - key: mykey.pem -` - var c ServerConfig - config, err := config.NewConfigWithYAML([]byte(yamlStr), "") - err = config.Unpack(&c) - c.Certificate = CertificateConfig{} // prevent reading non-existent files - require.NoError(t, err) - tmp, err := LoadTLSServerConfig(&c) - require.NoError(t, err) - - cfg := tmp.BuildModuleClientConfig("") - - assert.NotNil(t, cfg) - // values not set by default - assert.Len(t, cfg.Certificates, 0) - 
assert.NotNil(t, cfg.ClientCAs) - assert.Len(t, cfg.CipherSuites, 0) - assert.Len(t, cfg.CurvePreferences, 0) - // values set by default - assert.Equal(t, true, cfg.InsecureSkipVerify) - assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion)) - assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion)) - assert.Equal(t, tls.RequireAndVerifyClientCert, cfg.ClientAuth) - }) -} - -func TestApplyWithServerConfig(t *testing.T) { - yamlStr := ` - certificate: ca_test.pem - key: ca_test.key - certificate_authorities: [ca_test.pem] - verification_mode: none - client_authentication: optional - cipher_suites: - - "ECDHE-ECDSA-AES-256-CBC-SHA" - - "ECDHE-ECDSA-AES-256-GCM-SHA384" - curve_types: [P-384] - ` - var c ServerConfig - config, err := config.NewConfigWithYAML([]byte(yamlStr), "") - for i, ver := range TLSDefaultVersions { - config.SetString("supported_protocols", i, ver.String()) - } - - if !assert.NoError(t, err) { - return - } - - err = config.Unpack(&c) - if !assert.NoError(t, err) { - return - } - tmp, err := LoadTLSServerConfig(&c) - if !assert.NoError(t, err) { - return - } - - cfg := tmp.BuildModuleClientConfig("") - assert.NotNil(t, cfg) - assert.Len(t, cfg.Certificates, 1) - assert.NotNil(t, cfg.ClientCAs) - assert.Equal(t, true, cfg.InsecureSkipVerify) - assert.Len(t, cfg.CipherSuites, 2) - assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion)) - assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion)) - assert.Len(t, cfg.CurvePreferences, 1) - assert.Equal(t, tls.VerifyClientCertIfGiven, cfg.ClientAuth) -} - -func TestCertificateFails(t *testing.T) { - tests := []struct { - title string - yaml string - }{ - { - "certificate without key", - "certificate: mycert.pem", - }, - { - "key without certificate", - "key: mycert.key", - }, - { - "unknown cipher suite", - "cipher_suites: ['unknown cipher suite']", - }, - { - "unknown version", - "supported_protocols: [UnknownTLSv1.1]", - }, - { - "unknown curve type", - "curve_types: 
['unknown curve type']", - }, - { - "unknown renegotiation type", - "renegotiation: always", - }, - } - - for i, test := range tests { - t.Run(fmt.Sprintf("run test (%v): %v", i, test.title), func(t *testing.T) { - config, err := config.NewConfigWithYAML([]byte(test.yaml), "") - if err != nil { - t.Error(err) - return - } - - // one must fail: validators on Unpack or transformation to *tls.Config - var tlscfg Config - if err = config.Unpack(&tlscfg); err != nil { - t.Log(err) - return - } - _, err = LoadTLSConfig(&tlscfg) - t.Log(err) - assert.Error(t, err) - }) - } -} - -func TestResolveTLSVersion(t *testing.T) { - v := ResolveTLSVersion(tls.VersionTLS11) - assert.Equal(t, "TLSv1.1", v) -} - -func TestResolveCipherSuite(t *testing.T) { - c := ResolveCipherSuite(tls.TLS_RSA_WITH_AES_128_CBC_SHA) - assert.Equal(t, "RSA-AES-128-CBC-SHA", c) -} - -func TestPEMString(t *testing.T) { - t.Run("is PEM formatted String", func(t *testing.T) { - c := `-----BEGIN CERTIFICATE----- -MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF -ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 -MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n -fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl -94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t -/D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP -PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 -CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O -BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux -8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D -874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw -3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA -H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu -8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 
-yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk -sxSmbIUfc2SGJGCJD4I= ------END CERTIFICATE-----` - assert.True(t, IsPEMString(c)) - }) - - // Well use `|` if you want to keep the newline, theses are required so the PEM document is valid. - t.Run("From the YAML/multiline", func(t *testing.T) { - cfg, err := load(` -enabled: true -verification_mode: null -certificate: null -key: null -key_passphrase: null -certificate_authorities: - - | - -----BEGIN CERTIFICATE----- - MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - sxSmbIUfc2SGJGCJD4I= - -----END CERTIFICATE----- -cipher_suites: null -curve_types: null -supported_protocols: null - `) - assert.NoError(t, err) - assert.True(t, IsPEMString(cfg.CAs[0])) - }) - - t.Run("is not a PEM formatted String", func(t *testing.T) { - c := "/tmp/certificate" - assert.False(t, IsPEMString(c)) - }) - - t.Run("is an empty string", func(t *testing.T) { - c := "" - assert.False(t, IsPEMString(c)) - }) -} - -func 
TestCertificate(t *testing.T) { - // Write certificate to a temporary file. - c := `-----BEGIN CERTIFICATE----- -MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF -ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 -MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n -fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl -94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t -/D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP -PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 -CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O -BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux -8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D -874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw -3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA -H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu -8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 -yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk -sxSmbIUfc2SGJGCJD4I= ------END CERTIFICATE-----` - f, err := ioutil.TempFile("", "certificate.crt") - f.WriteString(c) - f.Close() - assert.NoError(t, err) - defer os.Remove(f.Name()) - - t.Run("certificate authorities", func(t *testing.T) { - t.Run("From configuration", func(t *testing.T) { - cfg, err := load(` -enabled: true -verification_mode: null -certificate: null -key: null -key_passphrase: null -certificate_authorities: - - | - -----BEGIN CERTIFICATE----- - MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - 
94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - sxSmbIUfc2SGJGCJD4I= - -----END CERTIFICATE----- -cipher_suites: null -curve_types: null -supported_protocols: null - `) - assert.NoError(t, err) - tlsC, err := LoadTLSConfig(cfg) - assert.NoError(t, err) - assert.NotNil(t, tlsC) - }) - - t.Run("From disk", func(t *testing.T) { - // Create a dummy configuration and append the CA after. - cfg, err := load(` -enabled: true -verification_mode: null -certificate: null -key: null -key_passphrase: null -certificate_authorities: -cipher_suites: null -curve_types: null -supported_protocols: null - `) - - cfg.CAs = []string{f.Name()} - tlsC, err := LoadTLSConfig(cfg) - assert.NoError(t, err) - - assert.NotNil(t, tlsC) - }) - - t.Run("mixed from disk and embed", func(t *testing.T) { - // Create a dummy configuration and append the CA after. 
- cfg, err := load(` -enabled: true -verification_mode: null -certificate: null -key: null -key_passphrase: null -certificate_authorities: -cipher_suites: null -curve_types: null -supported_protocols: null - `) - - cfg.CAs = []string{f.Name(), c} - tlsC, err := LoadTLSConfig(cfg) - assert.NoError(t, err) - - assert.NotNil(t, tlsC) - }) - }) - - t.Run("Certificate and Private keys", func(t *testing.T) { - key := ` ------BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI -sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP -Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F -KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2 -MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z -HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ -nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx -Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0 -eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/ -Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM -epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve -Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn -BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8 -VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU -zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5 -GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA -5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7 -TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF -hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li -e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze -Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T -kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+ -kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav 
-NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K -0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc -nygO9KTJuUiBrLr0AHEnqko= ------END PRIVATE KEY----- -` - - t.Run("embed", func(t *testing.T) { - // Create a dummy configuration and append the CA after. - cfg, err := load(` -enabled: true -verification_mode: null -certificate: null -key: null -key_passphrase: null -certificate_authorities: -cipher_suites: null -curve_types: null -supported_protocols: null - `) - cfg.Certificate.Certificate = c - cfg.Certificate.Key = key - - tlsC, err := LoadTLSConfig(cfg) - assert.NoError(t, err) - - assert.NotNil(t, tlsC) - }) - - t.Run("embed small key", func(t *testing.T) { - // Create a dummy configuration and append the CA after. - cfg, err := load(` -enabled: true -verification_mode: null -certificate: null -key: null -key_passphrase: null -certificate_authorities: -cipher_suites: null -curve_types: null -supported_protocols: null - `) - certificate := ` ------BEGIN CERTIFICATE----- -MIIBmzCCAUCgAwIBAgIRAOQpDyaFimzmueynALHkFEcwCgYIKoZIzj0EAwIwJjEk -MCIGA1UEChMbVEVTVCAtIEVsYXN0aWMgSW50ZWdyYXRpb25zMB4XDTIxMDIwMjE1 -NTkxMFoXDTQxMDEyODE1NTkxMFowJjEkMCIGA1UEChMbVEVTVCAtIEVsYXN0aWMg -SW50ZWdyYXRpb25zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBc7UEvBd+5SG -Z6QQfgBaPh/VAlf7ovpa/wfSmbHfBhee+dTvdAO1p90lannCkZmc7OfWAlQ1eTgJ -QW668CJwE6NPME0wDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMB -MAwGA1UdEwEB/wQCMAAwGAYDVR0RBBEwD4INZWxhc3RpYy1hZ2VudDAKBggqhkjO -PQQDAgNJADBGAiEAhpGWL4lxsdb3+hHv0y4ppw6B7IJJLCeCwHLyHt2Dkx4CIQD6 -OEU+yuHzbWa18JVkHafxwnpwQmxwZA3VNitM/AyGTQ== ------END CERTIFICATE----- -` - key := ` ------BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgFDQJ1CPLXrUbUFqj -ED8dqsGuVQdcPK7CHpsCeTtAgQqhRANCAAQFztQS8F37lIZnpBB+AFo+H9UCV/ui -+lr/B9KZsd8GF5751O90A7Wn3SVqecKRmZzs59YCVDV5OAlBbrrwInAT ------END PRIVATE KEY----- -` - cfg.Certificate.Certificate = certificate - cfg.Certificate.Key = key - - tlsC, err := LoadTLSConfig(cfg) - 
assert.NoError(t, err) - - assert.NotNil(t, tlsC) - }) - - t.Run("From disk", func(t *testing.T) { - k, err := ioutil.TempFile("", "certificate.key") - k.WriteString(key) - k.Close() - assert.NoError(t, err) - defer os.Remove(k.Name()) - // Create a dummy configuration and append the CA after. - cfg, err := load(` -enabled: true -verification_mode: null -certificate: null -key: null -key_passphrase: null -certificate_authorities: -cipher_suites: null -curve_types: null -supported_protocols: null - `) - - cfg.Certificate.Certificate = f.Name() - cfg.Certificate.Key = k.Name() - - tlsC, err := LoadTLSConfig(cfg) - assert.NoError(t, err) - - assert.NotNil(t, tlsC) - }) - }) -} diff --git a/libbeat/common/transport/tlscommon/types.go b/libbeat/common/transport/tlscommon/types.go deleted file mode 100644 index c7bd09791f6..00000000000 --- a/libbeat/common/transport/tlscommon/types.go +++ /dev/null 
@@ -1,285 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package tlscommon
-
-import (
- "crypto/tls"
- "errors"
- "fmt"
-)
-
-var (
- // ErrNotACertificate indicates a PEM file to be loaded not being a valid
- // PEM file or certificate.
- ErrNotACertificate = errors.New("file is not a certificate")
-
- // ErrCertificateNoKey indicate a configuration error with missing key file
- ErrKeyUnspecified = errors.New("key file not configured")
-
- // ErrKeyNoCertificate indicate a configuration error with missing certificate file
- ErrCertificateUnspecified = errors.New("certificate file not configured")
-)
-
-var tlsCipherSuites = map[string]CipherSuite{
- // ECDHE-ECDSA
- "ECDHE-ECDSA-AES-128-CBC-SHA": CipherSuite(tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
- "ECDHE-ECDSA-AES-128-CBC-SHA256": CipherSuite(tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256),
- "ECDHE-ECDSA-AES-128-GCM-SHA256": CipherSuite(tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
- "ECDHE-ECDSA-AES-256-CBC-SHA": CipherSuite(tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
- "ECDHE-ECDSA-AES-256-GCM-SHA384": CipherSuite(tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
- "ECDHE-ECDSA-CHACHA20-POLY1305": CipherSuite(tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305),
- "ECDHE-ECDSA-RC4-128-SHA": CipherSuite(tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA),
-
- // ECDHE-RSA
- "ECDHE-RSA-3DES-CBC3-SHA": CipherSuite(tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA),
- "ECDHE-RSA-AES-128-CBC-SHA": CipherSuite(tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA),
- "ECDHE-RSA-AES-128-CBC-SHA256": CipherSuite(tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256),
- "ECDHE-RSA-AES-128-GCM-SHA256": CipherSuite(tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256),
- "ECDHE-RSA-AES-256-CBC-SHA": CipherSuite(tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA),
- "ECDHE-RSA-AES-256-GCM-SHA384": CipherSuite(tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384),
- "ECDHE-RSA-CHACHA20-POLY1205": CipherSuite(tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305),
- "ECDHE-RSA-RC4-128-SHA": CipherSuite(tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA),
-
- // RSA-X
- "RSA-RC4-128-SHA": CipherSuite(tls.TLS_RSA_WITH_RC4_128_SHA),
- "RSA-3DES-CBC3-SHA": CipherSuite(tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA),
-
- // RSA-AES
- "RSA-AES-128-CBC-SHA": CipherSuite(tls.TLS_RSA_WITH_AES_128_CBC_SHA),
- "RSA-AES-128-CBC-SHA256": CipherSuite(tls.TLS_RSA_WITH_AES_128_CBC_SHA256),
- "RSA-AES-128-GCM-SHA256": CipherSuite(tls.TLS_RSA_WITH_AES_128_GCM_SHA256),
- "RSA-AES-256-CBC-SHA": CipherSuite(tls.TLS_RSA_WITH_AES_256_CBC_SHA),
- "RSA-AES-256-GCM-SHA384": CipherSuite(tls.TLS_RSA_WITH_AES_256_GCM_SHA384),
-
- "TLS-AES-128-GCM-SHA256": CipherSuite(tls.TLS_AES_128_GCM_SHA256),
- "TLS-AES-256-GCM-SHA384": CipherSuite(tls.TLS_AES_256_GCM_SHA384),
- "TLS-CHACHA20-POLY1305-SHA256": CipherSuite(tls.TLS_CHACHA20_POLY1305_SHA256),
-}
-
-var tlsCipherSuitesInverse = make(map[CipherSuite]string, len(tlsCipherSuites))
-var tlsRenegotiationSupportTypesInverse = make(map[TlsRenegotiationSupport]string, len(tlsRenegotiationSupportTypes))
-var tlsVerificationModesInverse = make(map[TLSVerificationMode]string, len(tlsVerificationModes))
-
-const unknownString = "unknown"
-
-// Init creates a inverse representation of the values mapping.
-func init() {
- for cipherName, i := range tlsCipherSuites {
- tlsCipherSuitesInverse[i] = cipherName
- }
-
- for name, t := range tlsRenegotiationSupportTypes {
- tlsRenegotiationSupportTypesInverse[t] = name
- }
-
- for name, t := range tlsVerificationModes {
- tlsVerificationModesInverse[t] = name
- }
-}
-
-var tlsCurveTypes = map[string]tlsCurveType{
- "P-256": tlsCurveType(tls.CurveP256),
- "P-384": tlsCurveType(tls.CurveP384),
- "P-521": tlsCurveType(tls.CurveP521),
- "X25519": tlsCurveType(tls.X25519),
-}
-
-var tlsRenegotiationSupportTypes = map[string]TlsRenegotiationSupport{
- "never": TlsRenegotiationSupport(tls.RenegotiateNever),
- "once": TlsRenegotiationSupport(tls.RenegotiateOnceAsClient),
- "freely": TlsRenegotiationSupport(tls.RenegotiateFreelyAsClient),
-}
-
-type tlsClientAuth int
-
-const (
- tlsClientAuthNone tlsClientAuth = tlsClientAuth(tls.NoClientCert)
- tlsClientAuthOptional = tlsClientAuth(tls.VerifyClientCertIfGiven)
- tlsClientAuthRequired = tlsClientAuth(tls.RequireAndVerifyClientCert)
-)
-
-var tlsClientAuthTypes = map[string]tlsClientAuth{
- "none": tlsClientAuthNone,
- "optional": tlsClientAuthOptional,
- "required": tlsClientAuthRequired,
-}
-
-// TLSVerificationMode represents the type of verification to do on the remote host:
-// `none`, `certificate`, and `full` and we default to `full`.
-// Internally this option is transformed into the `insecure` field in the `tls.Config` struct.
-type TLSVerificationMode uint8
-
-// Constants of the supported verification mode.
-const (
- VerifyFull TLSVerificationMode = iota
- VerifyNone
- VerifyCertificate
- VerifyStrict
-)
-
-var tlsVerificationModes = map[string]TLSVerificationMode{
- "": VerifyFull,
- "full": VerifyFull,
- "strict": VerifyStrict,
- "none": VerifyNone,
- "certificate": VerifyCertificate,
-}
-
-func (m TLSVerificationMode) String() string {
- if s, ok := tlsVerificationModesInverse[m]; ok {
- return s
- }
- return unknownString
-}
-
-// MarshalText marshal the verification mode into a human readable value.
-func (m TLSVerificationMode) MarshalText() ([]byte, error) {
- if s, ok := tlsVerificationModesInverse[m]; ok {
- return []byte(s), nil
- }
- return nil, fmt.Errorf("could not marshal '%+v' to text", m)
-}
-
-// Unpack unpacks the string into constants.
-func (m *TLSVerificationMode) Unpack(in interface{}) error {
- if in == nil {
- *m = VerifyFull
- return nil
- }
-
- s, ok := in.(string)
- if !ok {
- return fmt.Errorf("verification mode must be an identifier")
- }
-
- mode, found := tlsVerificationModes[s]
- if !found {
- return fmt.Errorf("unknown verification mode '%v'", s)
- }
-
- *m = mode
- return nil
-}
-
-func (m *tlsClientAuth) Unpack(s string) error {
- mode, found := tlsClientAuthTypes[s]
- if !found {
- return fmt.Errorf("unknown client authentication mode'%v'", s)
- }
-
- *m = mode
- return nil
-}
-
-type CipherSuite uint16
-
-func (cs *CipherSuite) Unpack(s string) error {
- suite, found := tlsCipherSuites[s]
- if !found {
- return fmt.Errorf("invalid tls cipher suite '%v'", s)
- }
-
- *cs = suite
- return nil
-}
-
-func (cs CipherSuite) String() string {
- if s, found := tlsCipherSuitesInverse[cs]; found {
- return s
- }
- return unknownString
-}
-
-type tlsCurveType tls.CurveID
-
-func (ct *tlsCurveType) Unpack(s string) error {
- t, found := tlsCurveTypes[s]
- if !found {
- return fmt.Errorf("invalid tls curve type '%v'", s)
- }
-
- *ct = t
- return nil
-}
-
-type TlsRenegotiationSupport tls.RenegotiationSupport
-
-func (r TlsRenegotiationSupport) String() string {
- if t, found := tlsRenegotiationSupportTypesInverse[r]; found {
- return t
- }
- return ""
-}
-
-func (r *TlsRenegotiationSupport) Unpack(s string) error {
- t, found := tlsRenegotiationSupportTypes[s]
- if !found {
- return fmt.Errorf("invalid tls renegotiation type '%v'", s)
- }
-
- *r = t
- return nil
-}
-
-func (r TlsRenegotiationSupport) MarshalText() ([]byte, error) {
- if t, found := tlsRenegotiationSupportTypesInverse[r]; found {
- return []byte(t), nil
- }
-
- return nil, fmt.Errorf("could not marshal '%+v' to text", r)
-}
-
-func (r TlsRenegotiationSupport) MarshalYAML() (interface{}, error) {
- if t, found := tlsRenegotiationSupportTypesInverse[r]; found {
- return t, nil
- }
-
- return nil, fmt.Errorf("could not marshal '%+v' to text", r)
-}
-
-// CertificateConfig define a common set of fields for a certificate.
-type CertificateConfig struct {
- Certificate string `config:"certificate" yaml:"certificate,omitempty"`
- Key string `config:"key" yaml:"key,omitempty"`
- Passphrase string `config:"key_passphrase" yaml:"key_passphrase,omitempty"`
-}
-
-// Validate validates the CertificateConfig
-func (c *CertificateConfig) Validate() error {
- hasCertificate := c.Certificate != ""
- hasKey := c.Key != ""
-
- switch {
- case hasCertificate && !hasKey:
- return ErrKeyUnspecified
- case !hasCertificate && hasKey:
- return ErrCertificateUnspecified
- }
- return nil
-}
-
-func convCipherSuites(suites []CipherSuite) []uint16 {
- if len(suites) == 0 {
- return nil
- }
- cipherSuites := make([]uint16, len(suites))
- for i, s := range suites {
- cipherSuites[i] = uint16(s)
- }
- return cipherSuites
-}
diff --git a/libbeat/common/transport/tlscommon/validhostname.go b/libbeat/common/transport/tlscommon/validhostname.go
deleted file mode 100644
index a6b2af7fb7c..00000000000
--- a/libbeat/common/transport/tlscommon/validhostname.go
+++ /dev/null
@@ -1,159 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Copyright (c) 2009 The Go Authors. All rights reserved.
-
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-
-// * Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-// * Redistributions in binary form must reproduce the above
-// copyright notice, this list of conditions and the following disclaimer
-// in the documentation and/or other materials provided with the
-// distribution.
-// * Neither the name of Google Inc. nor the names of its
-// contributors may be used to endorse or promote products derived from
-// this software without specific prior written permission.
-
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-// This file contains code adapted from golang's crypto/x509/verify.go
-
-package tlscommon
-
-import (
- "strings"
- "unicode/utf8"
-)
-
-func matchHostnames(pattern, host string) bool {
- pattern = toLowerCaseASCII(pattern)
- host = toLowerCaseASCII(strings.TrimSuffix(host, "."))
-
- if len(pattern) == 0 || len(host) == 0 {
- return false
- }
-
- patternParts := strings.Split(pattern, ".")
- hostParts := strings.Split(host, ".")
-
- if len(patternParts) != len(hostParts) {
- return false
- }
-
- for i, patternPart := range patternParts {
- if i == 0 && patternPart == "*" {
- continue
- }
- if patternPart != hostParts[i] {
- return false
- }
- }
-
- return true
-}
-
-// toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use
-// an explicitly ASCII function to avoid any sharp corners resulting from
-// performing Unicode operations on DNS labels.
-func toLowerCaseASCII(in string) string {
- // If the string is already lower-case then there's nothing to do.
- isAlreadyLowerCase := true
- for _, c := range in {
- if c == utf8.RuneError {
- // If we get a UTF-8 error then there might be
- // upper-case ASCII bytes in the invalid sequence.
- isAlreadyLowerCase = false
- break
- }
- if 'A' <= c && c <= 'Z' {
- isAlreadyLowerCase = false
- break
- }
- }
-
- if isAlreadyLowerCase {
- return in
- }
-
- out := []byte(in)
- for i, c := range out {
- if 'A' <= c && c <= 'Z' {
- out[i] += 'a' - 'A'
- }
- }
- return string(out)
-}
-
-// validHostname reports whether host is a valid hostname that can be matched or
-// matched against according to RFC 6125 2.2, with some leniency to accommodate
-// legacy values.
-func validHostname(host string, isPattern bool) bool {
- if !isPattern {
- host = strings.TrimSuffix(host, ".")
- }
- if len(host) == 0 {
- return false
- }
-
- for i, part := range strings.Split(host, ".") {
- if part == "" {
- // Empty label.
- return false
- }
- if isPattern && i == 0 && part == "*" {
- // Only allow full left-most wildcards, as those are the only ones
- // we match, and matching literal '*' characters is probably never
- // the expected behavior.
- continue
- }
- for j, c := range part {
- if 'a' <= c && c <= 'z' {
- continue
- }
- if '0' <= c && c <= '9' {
- continue
- }
- if 'A' <= c && c <= 'Z' {
- continue
- }
- if c == '-' && j != 0 {
- continue
- }
- if c == '_' {
- // Not a valid character in hostnames, but commonly
- // found in deployments outside the WebPKI.
- continue
- }
- return false
- }
- }
-
- return true
-}
diff --git a/libbeat/common/transport/tlscommon/versions.go b/libbeat/common/transport/tlscommon/versions.go
deleted file mode 100644
index a589f0af3cd..00000000000
--- a/libbeat/common/transport/tlscommon/versions.go
+++ /dev/null
@@ -1,49 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package tlscommon
-
-import "fmt"
-
-// TLSVersion type for TLS version.
-type TLSVersion uint16
-
-func (v TLSVersion) String() string {
- if details := v.Details(); details != nil {
- return details.Combined
- }
- return "unknown"
-}
-
-// Details returns a a ProtocolAndVersions struct containing detailed version metadata.
-func (v TLSVersion) Details() *TLSVersionDetails {
- if found, ok := tlsInverseLookup[v]; ok {
- return &found
- }
- return nil
-}
-
-//Unpack transforms the string into a constant.
-func (v *TLSVersion) Unpack(s string) error {
- version, found := tlsProtocolVersions[s]
- if !found {
- return fmt.Errorf("invalid tls version '%v'", s)
- }
-
- *v = version
- return nil
-}
diff --git a/libbeat/common/transport/tlscommon/versions_default.go b/libbeat/common/transport/tlscommon/versions_default.go
deleted file mode 100644
index 0d0ea0d2df0..00000000000
--- a/libbeat/common/transport/tlscommon/versions_default.go
+++ /dev/null
@@ -1,81 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-//go:build go1.13
-// +build go1.13
-
-package tlscommon
-
-import (
- "crypto/tls"
-)
-
-// Define all the possible TLS version.
-const (
- TLSVersion10 TLSVersion = tls.VersionTLS10
- TLSVersion11 TLSVersion = tls.VersionTLS11
- TLSVersion12 TLSVersion = tls.VersionTLS12
- TLSVersion13 TLSVersion = tls.VersionTLS13
-
- // TLSVersionMin is the min TLS version supported.
- TLSVersionMin = TLSVersion10
-
- // TLSVersionMax is the max TLS version supported.
- TLSVersionMax = TLSVersion13
-
- // TLSVersionDefaultMin is the minimal default TLS version that is
- // enabled by default. TLSVersionDefaultMin is >= TLSVersionMin
- TLSVersionDefaultMin = TLSVersion11
-
- // TLSVersionDefaultMax is the max default TLS version that
- // is enabled by default.
- TLSVersionDefaultMax = TLSVersionMax
-)
-
-// TLSDefaultVersions list of versions of TLS we should support.
-var TLSDefaultVersions = []TLSVersion{
- TLSVersion11,
- TLSVersion12,
- TLSVersion13,
-}
-
-var tlsProtocolVersions = map[string]TLSVersion{
- "TLSv1": TLSVersion10,
- "TLSv1.0": TLSVersion10,
- "TLSv1.1": TLSVersion11,
- "TLSv1.2": TLSVersion12,
- "TLSv1.3": TLSVersion13,
-}
-
-// Intended for ECS's tls.version_protocol_field, which does not include
-// numeric version and should be lower case
-type TLSVersionDetails struct {
- Version string
- Protocol string
- Combined string
-}
-
-func (pv TLSVersionDetails) String() string {
- return pv.Combined
-}
-
-var tlsInverseLookup = map[TLSVersion]TLSVersionDetails{
- TLSVersion10: TLSVersionDetails{Version: "1.0", Protocol: "tls", Combined: "TLSv1.0"},
- TLSVersion11: TLSVersionDetails{Version: "1.1", Protocol: "tls", Combined: "TLSv1.1"},
- TLSVersion12: TLSVersionDetails{Version: "1.2", Protocol: "tls", Combined: "TLSv1.2"},
- TLSVersion13: TLSVersionDetails{Version: "1.3", Protocol: "tls", Combined: "TLSv1.3"},
-}
diff --git a/libbeat/common/transport/tlscommon/versions_legacy.go b/libbeat/common/transport/tlscommon/versions_legacy.go
deleted file mode 100644
index 3d538a7ab9f..00000000000
--- a/libbeat/common/transport/tlscommon/versions_legacy.go
+++ /dev/null
@@ -1,63 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-//go:build !go1.13
-// +build !go1.13
-
-package tlscommon
-
-import "crypto/tls"
-
-const (
- TLSVersion10 TLSVersion = tls.VersionTLS10
- TLSVersion11 TLSVersion = tls.VersionTLS11
- TLSVersion12 TLSVersion = tls.VersionTLS12
-
- // TLSVersionMin is the min TLS version supported.
- TLSVersionMin = TLSVersion10
-
- // TLSVersionMax is the max TLS version supported.
- TLSVersionMax = TLSVersion12
-
- // TLSVersionDefaultMin is the minimal default TLS version that is
- // enabled by default. TLSVersionDefaultMin is >= TLSVersionMin
- TLSVersionDefaultMin = TLSVersion10
-
- // TLSVersionDefaultMax is the max default TLS version that
- // is enabled by default.
- TLSVersionDefaultMax = TLSVersionMax
-)
-
-// TLSDefaultVersions list of versions of TLS we should support.
-var TLSDefaultVersions = []TLSVersion{
- TLSVersion10,
- TLSVersion11,
- TLSVersion12,
-}
-
-var tlsProtocolVersions = map[string]TLSVersion{
- "TLSv1": TLSVersion10,
- "TLSv1.0": TLSVersion10,
- "TLSv1.1": TLSVersion11,
- "TLSv1.2": TLSVersion12,
-}
-
-var tlsProtocolVersionsInverse = map[TLSVersion]string{
- TLSVersion10: "TLSv1.0",
- TLSVersion11: "TLSv1.1",
- TLSVersion12: "TLSv1.2",
-}
diff --git a/libbeat/common/transport/tlscommon/versions_test.go b/libbeat/common/transport/tlscommon/versions_test.go deleted file mode 100644 index 7f2b2e02763..00000000000 --- a/libbeat/common/transport/tlscommon/versions_test.go +++ /dev/null 
@@ -1,72 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package tlscommon
-
-import (
- "crypto/tls"
- "testing"
-
- "github.com/stretchr/testify/require"
-)
-
-func TestTLSVersion(t *testing.T) {
- // These tests are a bit verbose, but given the sensitivity to changes here, it's not a bad idea.
- tests := []struct {
- name string
- v uint16
- want *TLSVersionDetails
- }{
- {
- "unknown",
- 0x0,
- nil,
- },
- {
- "TLSv1.0",
- tls.VersionTLS10,
- &TLSVersionDetails{Version: "1.0", Protocol: "tls", Combined: "TLSv1.0"},
- },
- {
- "TLSv1.1",
- tls.VersionTLS11,
- &TLSVersionDetails{Version: "1.1", Protocol: "tls", Combined: "TLSv1.1"},
- },
- {
- "TLSv1.2",
- tls.VersionTLS12,
- &TLSVersionDetails{Version: "1.2", Protocol: "tls", Combined: "TLSv1.2"},
- },
- {
- "TLSv1.3",
- tls.VersionTLS13,
- &TLSVersionDetails{Version: "1.3", Protocol: "tls", Combined: "TLSv1.3"},
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- tv := TLSVersion(tt.v)
- require.Equal(t, tt.want, tv.Details())
- if tt.want == nil {
- require.Equal(t, tt.want, tv.Details())
- require.Equal(t, tt.name, "unknown")
- } else {
- require.Equal(t, tt.name, tv.String())
- }
- })
- }
-}
diff --git a/libbeat/common/transport/transport.go b/libbeat/common/transport/transport.go
deleted file mode 100644
index 1b14f3645c3..00000000000
--- a/libbeat/common/transport/transport.go
+++ /dev/null
@@ -1,64 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package transport
-
-import (
- "errors"
- "net"
-
- "github.com/elastic/elastic-agent-libs/logp"
-)
-
-type Dialer interface {
- Dial(network, address string) (net.Conn, error)
-}
-
-type DialerFunc func(network, address string) (net.Conn, error)
-
-var (
- ErrNotConnected = errors.New("client is not connected")
-)
-
-func (d DialerFunc) Dial(network, address string) (net.Conn, error) {
- return d(network, address)
-}
-
-func Dial(c Config, network, address string) (net.Conn, error) {
- d, err := MakeDialer(c)
- if err != nil {
- return nil, err
- }
- return d.Dial(network, address)
-}
-
-func MakeDialer(c Config) (Dialer, error) {
- var err error
- dialer := NetDialer(c.Timeout)
- dialer, err = ProxyDialer(logp.NewLogger(logSelector), c.Proxy, dialer)
- if err != nil {
- return nil, err
- }
- if c.Stats != nil {
- dialer = StatsDialer(dialer, c.Stats)
- }
-
- if c.TLS != nil {
- return TLSDialer(dialer, c.TLS, c.Timeout), nil
- }
- return dialer, nil
-}
diff --git a/libbeat/common/transport/transptest/testing.go b/libbeat/common/transport/transptest/testing.go
index 1649957c624..26e799ec84e 100644
--- a/libbeat/common/transport/transptest/testing.go
+++ b/libbeat/common/transport/transptest/testing.go
@@ -31,8 +31,8 @@ import (
 "testing"
 "time"
- "github.com/elastic/beats/v7/libbeat/common/transport"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+ "github.com/elastic/elastic-agent-libs/transport"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 type MockServer struct {
diff --git a/libbeat/common/transport/transptest/testing_test.go b/libbeat/common/transport/transptest/testing_test.go
index 8e317ef17ed..6cb5599b2e8 100644
--- a/libbeat/common/transport/transptest/testing_test.go
+++ b/libbeat/common/transport/transptest/testing_test.go
@@ -29,7 +29,7 @@ import (
 socks5 "github.com/armon/go-socks5"
 "github.com/stretchr/testify/assert"
- "github.com/elastic/beats/v7/libbeat/common/transport"
+ "github.com/elastic/elastic-agent-libs/transport"
 )
 // netSOCKS5Proxy starts a new SOCKS5 proxy server that listens on localhost.
diff --git a/libbeat/common/transport/util.go b/libbeat/common/transport/util.go
deleted file mode 100644
index 9dbe7c84f9c..00000000000
--- a/libbeat/common/transport/util.go
+++ /dev/null
@@ -1,82 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package transport
-
-import (
- "fmt"
- "math/rand"
- "net"
- "strings"
-)
-
-const logSelector = "transport"
-
-func fullAddress(host string, defaultPort int) string {
- if _, _, err := net.SplitHostPort(host); err == nil {
- return host
- }
-
- idx := strings.Index(host, ":")
- if idx >= 0 {
- // IPv6 address detected
- return fmt.Sprintf("[%v]:%v", host, defaultPort)
- }
- return fmt.Sprintf("%v:%v", host, defaultPort)
-}
-
-// DialWith randomly dials one of a number of addresses with a given dialer.
-//
-// Use this to select and dial one IP being known for one host name.
-func DialWith(
- dialer Dialer,
- network, host string,
- addresses []string,
- port string,
-) (c net.Conn, err error) {
- switch len(addresses) {
- case 0:
- return nil, fmt.Errorf("no route to host %v", host)
- case 1:
- return dialer.Dial(network, net.JoinHostPort(addresses[0], port))
- }
-
- // Use randomization on DNS reported addresses combined with timeout and ACKs
- // to spread potential load when starting up large number of beats using
- // lumberjack.
- //
- // RFCs discussing reasons for ignoring order of DNS records:
- // http://www.ietf.org/rfc/rfc3484.txt
- // > is specific to locality-based address selection for multiple dns
- // > records, but exists as prior art in "Choose some different ordering for
- // > the dns records" done by a client
- //
- // https://tools.ietf.org/html/rfc1794
- // > "Clients, of course, may reorder this information" - with respect to
- // > handling order of dns records in a response.forwarded. Really required?
- for _, i := range rand.Perm(len(addresses)) {
- c, err = dialer.Dial(network, net.JoinHostPort(addresses[i], port))
- if err == nil && c != nil {
- return c, err
- }
- }
-
- if err == nil {
- err = fmt.Errorf("unable to connect to '%v'", host)
- }
- return nil, err
-}
diff --git a/libbeat/common/transport/wrap.go b/libbeat/common/transport/wrap.go
deleted file mode 100644
index 7192899652b..00000000000
--- a/libbeat/common/transport/wrap.go
+++ /dev/null
@@ -1,32 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package transport
-
-import (
- "net"
-)
-
-func ConnWrapper(d Dialer, w func(net.Conn) net.Conn) Dialer {
- return DialerFunc(func(network, addr string) (net.Conn, error) {
- c, err := d.Dial(network, addr)
- if err != nil {
- return nil, err
- }
- return w(c), nil
- })
-}
diff --git a/libbeat/esleg/eslegclient/config.go b/libbeat/esleg/eslegclient/config.go
index d442cc2de5d..11b9bd2e653 100644
--- a/libbeat/esleg/eslegclient/config.go
+++ b/libbeat/esleg/eslegclient/config.go
@@ -20,8 +20,8 @@ package eslegclient
 import (
 "fmt"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/libbeat/common/transport/kerberos"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 type config struct {
diff --git a/libbeat/esleg/eslegclient/connection.go b/libbeat/esleg/eslegclient/connection.go
index ee72609f77e..b4dbab273a8 100644
--- a/libbeat/esleg/eslegclient/connection.go
+++ b/libbeat/esleg/eslegclient/connection.go
@@ -31,14 +31,14 @@ import (
 "github.com/elastic/beats/v7/libbeat/common"
 "github.com/elastic/beats/v7/libbeat/common/productorigin"
- "github.com/elastic/beats/v7/libbeat/common/transport"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/libbeat/common/transport/kerberos"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 "github.com/elastic/beats/v7/libbeat/common/useragent"
- "github.com/elastic/beats/v7/libbeat/testing"
 cfg "github.com/elastic/elastic-agent-libs/config"
 "github.com/elastic/elastic-agent-libs/logp"
+ "github.com/elastic/elastic-agent-libs/testing"
+ "github.com/elastic/elastic-agent-libs/transport"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 type esHTTPClient interface {
diff --git a/libbeat/esleg/eslegclient/connection_integration_test.go b/libbeat/esleg/eslegclient/connection_integration_test.go
index b3bc60210a1..3268a948b6c 100644
--- a/libbeat/esleg/eslegclient/connection_integration_test.go
+++ b/libbeat/esleg/eslegclient/connection_integration_test.go
@@ -34,10 +34,10 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/libbeat/esleg/eslegtest"
 "github.com/elastic/beats/v7/libbeat/outputs"
 conf "github.com/elastic/elastic-agent-libs/config"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 func TestConnect(t *testing.T) {
diff --git a/libbeat/idxmgmt/ilm/client_handler_integration_test.go b/libbeat/idxmgmt/ilm/client_handler_integration_test.go
index 1ed34cde284..270b1d20807 100644
--- a/libbeat/idxmgmt/ilm/client_handler_integration_test.go
+++ b/libbeat/idxmgmt/ilm/client_handler_integration_test.go
@@ -32,11 +32,11 @@ import (
 "github.com/stretchr/testify/require"
 "github.com/elastic/beats/v7/libbeat/common"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/libbeat/esleg/eslegclient"
 "github.com/elastic/beats/v7/libbeat/idxmgmt/ilm"
 "github.com/elastic/beats/v7/libbeat/version"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 const (
diff --git a/libbeat/instrumentation/instrumentation.go b/libbeat/instrumentation/instrumentation.go
index d4bf821c02a..3c3515f0b5a 100644
--- a/libbeat/instrumentation/instrumentation.go
+++ b/libbeat/instrumentation/instrumentation.go
@@ -28,9 +28,9 @@ import (
 "go.elastic.co/apm/v2"
 apmtransport "go.elastic.co/apm/v2/transport"
- "github.com/elastic/beats/v7/libbeat/common/transport"
 "github.com/elastic/elastic-agent-libs/config"
 "github.com/elastic/elastic-agent-libs/logp"
+ "github.com/elastic/elastic-agent-libs/transport"
 )
 // Instrumentation is an interface that can return an APM tracer a net.listener
diff --git a/libbeat/kibana/client.go b/libbeat/kibana/client.go
index 76dc639ec96..e1bf56a557c 100644
--- a/libbeat/kibana/client.go
+++ b/libbeat/kibana/client.go
@@ -36,10 +36,10 @@ import (
 "github.com/joeshaw/multierror"
 "github.com/elastic/beats/v7/libbeat/common"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/libbeat/common/useragent"
 "github.com/elastic/elastic-agent-libs/config"
 "github.com/elastic/elastic-agent-libs/logp"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 var (
diff --git a/libbeat/kibana/client_config.go b/libbeat/kibana/client_config.go
index c8c3758c71b..2a47073aa28 100644
--- a/libbeat/kibana/client_config.go
+++ b/libbeat/kibana/client_config.go
@@ -20,7 +20,7 @@ package kibana
 import (
 "fmt"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 // ClientConfig to connect to Kibana
diff --git a/libbeat/licenser/elastic_fetcher_integration_test.go b/libbeat/licenser/elastic_fetcher_integration_test.go
index b1a21d937cd..f0f490a44d4 100644
--- a/libbeat/licenser/elastic_fetcher_integration_test.go
+++ b/libbeat/licenser/elastic_fetcher_integration_test.go
@@ -27,8 +27,8 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/elastic/beats/v7/libbeat/common/cli"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/libbeat/esleg/eslegclient"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 const (
diff --git a/libbeat/monitoring/report/elasticsearch/client.go b/libbeat/monitoring/report/elasticsearch/client.go
index 85bc80deba3..c7f50a13d75 100644
--- a/libbeat/monitoring/report/elasticsearch/client.go
+++ b/libbeat/monitoring/report/elasticsearch/client.go
@@ -33,9 +33,9 @@ import (
 "github.com/elastic/beats/v7/libbeat/esleg/eslegclient"
 "github.com/elastic/beats/v7/libbeat/monitoring/report"
 "github.com/elastic/beats/v7/libbeat/publisher"
- "github.com/elastic/beats/v7/libbeat/testing"
 "github.com/elastic/elastic-agent-libs/logp"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/testing"
 )
 var createDocPrivAvailableESVersion = common.MustNewVersion("7.5.0")
diff --git a/libbeat/monitoring/report/elasticsearch/config.go b/libbeat/monitoring/report/elasticsearch/config.go
index 6cb30e47d3d..0d21a0479f5 100644
--- a/libbeat/monitoring/report/elasticsearch/config.go
+++ b/libbeat/monitoring/report/elasticsearch/config.go
@@ -21,7 +21,7 @@ import (
 "fmt"
 "time"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 // config is subset of libbeat/outputs/elasticsearch config tailored
diff --git a/libbeat/monitoring/report/elasticsearch/elasticsearch.go b/libbeat/monitoring/report/elasticsearch/elasticsearch.go
index 636e24b9be9..7b8a15c17a8 100644
--- a/libbeat/monitoring/report/elasticsearch/elasticsearch.go
+++ b/libbeat/monitoring/report/elasticsearch/elasticsearch.go
@@ -26,7 +26,6 @@ import (
 "github.com/elastic/beats/v7/libbeat/beat"
 "github.com/elastic/beats/v7/libbeat/common"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/libbeat/esleg/eslegclient"
 "github.com/elastic/beats/v7/libbeat/monitoring"
 "github.com/elastic/beats/v7/libbeat/monitoring/report"
@@ -38,6 +37,7 @@ import (
 conf "github.com/elastic/elastic-agent-libs/config"
 "github.com/elastic/elastic-agent-libs/logp"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 type reporter struct {
diff --git a/libbeat/outputs/elasticsearch/client.go b/libbeat/outputs/elasticsearch/client.go
index 6fcb9ede10a..80436190f61 100644
--- a/libbeat/outputs/elasticsearch/client.go
+++ b/libbeat/outputs/elasticsearch/client.go
@@ -34,9 +34,9 @@ import (
 "github.com/elastic/beats/v7/libbeat/outputs"
 "github.com/elastic/beats/v7/libbeat/outputs/outil"
 "github.com/elastic/beats/v7/libbeat/publisher"
- "github.com/elastic/beats/v7/libbeat/testing"
 "github.com/elastic/elastic-agent-libs/logp"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/testing"
 )
 var (
diff --git a/libbeat/outputs/elasticsearch/client_proxy_test.go b/libbeat/outputs/elasticsearch/client_proxy_test.go
index 91b4765b72a..e3fd914bbe7 100644
--- a/libbeat/outputs/elasticsearch/client_proxy_test.go
+++ b/libbeat/outputs/elasticsearch/client_proxy_test.go
@@ -34,9 +34,9 @@ import (
 "github.com/stretchr/testify/require"
 "github.com/elastic/beats/v7/libbeat/common/atomic"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/libbeat/esleg/eslegclient"
 "github.com/elastic/beats/v7/libbeat/outputs/outil"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 // These constants are inserted into client http request headers and confirmed
diff --git a/libbeat/outputs/elasticsearch/config.go b/libbeat/outputs/elasticsearch/config.go
index d47afea2722..7134e9333cb 100644
--- a/libbeat/outputs/elasticsearch/config.go
+++ b/libbeat/outputs/elasticsearch/config.go
@@ -21,9 +21,9 @@ import (
 "fmt"
 "time"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/libbeat/common/transport/kerberos"
 "github.com/elastic/elastic-agent-libs/config"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 type elasticsearchConfig struct {
diff --git a/libbeat/outputs/failover.go b/libbeat/outputs/failover.go
index f64720a7895..3e999e8321f 100644
--- a/libbeat/outputs/failover.go
+++ b/libbeat/outputs/failover.go
@@ -25,7 +25,7 @@ import (
 "strings"
 "github.com/elastic/beats/v7/libbeat/publisher"
- "github.com/elastic/beats/v7/libbeat/testing"
+ "github.com/elastic/elastic-agent-libs/testing"
 )
 type failoverClient struct {
diff --git a/libbeat/outputs/kafka/client.go b/libbeat/outputs/kafka/client.go
index 8eb853cdc42..24bbc61145d 100644
--- a/libbeat/outputs/kafka/client.go
+++ b/libbeat/outputs/kafka/client.go
@@ -30,13 +30,13 @@ import (
 "github.com/eapache/go-resiliency/breaker"
 "github.com/elastic/beats/v7/libbeat/common/fmtstr"
- "github.com/elastic/beats/v7/libbeat/common/transport"
 "github.com/elastic/beats/v7/libbeat/outputs"
 "github.com/elastic/beats/v7/libbeat/outputs/codec"
 "github.com/elastic/beats/v7/libbeat/outputs/outil"
 "github.com/elastic/beats/v7/libbeat/publisher"
- "github.com/elastic/beats/v7/libbeat/testing"
 "github.com/elastic/elastic-agent-libs/logp"
+ "github.com/elastic/elastic-agent-libs/testing"
+ "github.com/elastic/elastic-agent-libs/transport"
 )
 type client struct {
diff --git a/libbeat/outputs/kafka/config.go b/libbeat/outputs/kafka/config.go
index c5e353a7cbc..26b74bfc204 100644
--- a/libbeat/outputs/kafka/config.go
+++ b/libbeat/outputs/kafka/config.go
@@ -31,12 +31,12 @@ import (
 "github.com/elastic/beats/v7/libbeat/common/fmtstr"
 "github.com/elastic/beats/v7/libbeat/common/kafka"
 "github.com/elastic/beats/v7/libbeat/common/transport/kerberos"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 "github.com/elastic/beats/v7/libbeat/monitoring"
 "github.com/elastic/beats/v7/libbeat/monitoring/adapter"
 "github.com/elastic/beats/v7/libbeat/outputs/codec"
 "github.com/elastic/elastic-agent-libs/config"
 "github.com/elastic/elastic-agent-libs/logp"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 type backoffConfig struct {
diff --git a/libbeat/outputs/logstash/async.go b/libbeat/outputs/logstash/async.go
index 4d5ee6d671c..1458ee9d382 100644
--- a/libbeat/outputs/logstash/async.go
+++ b/libbeat/outputs/logstash/async.go
@@ -26,10 +26,10 @@ import (
 "github.com/elastic/beats/v7/libbeat/beat"
 "github.com/elastic/beats/v7/libbeat/common/atomic"
- "github.com/elastic/beats/v7/libbeat/common/transport"
 "github.com/elastic/beats/v7/libbeat/outputs"
 "github.com/elastic/beats/v7/libbeat/publisher"
 "github.com/elastic/elastic-agent-libs/logp"
+ "github.com/elastic/elastic-agent-libs/transport"
 v2 "github.com/elastic/go-lumber/client/v2"
 )
diff --git a/libbeat/outputs/logstash/async_test.go b/libbeat/outputs/logstash/async_test.go
index c1fb80b68e8..85964fd4b60 100644
--- a/libbeat/outputs/logstash/async_test.go
+++ b/libbeat/outputs/logstash/async_test.go
@@ -27,9 +27,9 @@ import (
 "time"
 "github.com/elastic/beats/v7/libbeat/beat"
- "github.com/elastic/beats/v7/libbeat/common/transport"
 "github.com/elastic/beats/v7/libbeat/outputs"
 "github.com/elastic/beats/v7/libbeat/outputs/outest"
+ "github.com/elastic/elastic-agent-libs/transport"
 )
 type testAsyncDriver struct {
diff --git a/libbeat/outputs/logstash/client_test.go b/libbeat/outputs/logstash/client_test.go
index 72d73e9231e..cece3e91286 100644
--- a/libbeat/outputs/logstash/client_test.go
+++ b/libbeat/outputs/logstash/client_test.go
@@ -28,10 +28,10 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/elastic/beats/v7/libbeat/beat"
- "github.com/elastic/beats/v7/libbeat/common/transport"
 "github.com/elastic/beats/v7/libbeat/common/transport/transptest"
 "github.com/elastic/beats/v7/libbeat/outputs/outest"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/transport"
 v2 "github.com/elastic/go-lumber/server/v2"
 )
diff --git a/libbeat/outputs/logstash/config.go b/libbeat/outputs/logstash/config.go
index 1012a6ac357..82747fe01d0 100644
--- a/libbeat/outputs/logstash/config.go
+++ b/libbeat/outputs/logstash/config.go
@@ -25,8 +25,8 @@ import (
 "github.com/elastic/elastic-agent-libs/config"
 "github.com/elastic/beats/v7/libbeat/common/cfgwarn"
- "github.com/elastic/beats/v7/libbeat/common/transport"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+ "github.com/elastic/elastic-agent-libs/transport"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 type Config struct {
diff --git a/libbeat/outputs/logstash/logstash.go b/libbeat/outputs/logstash/logstash.go
index c6e11bf9fe5..5e7cdfeee7a 100644
--- a/libbeat/outputs/logstash/logstash.go
+++ b/libbeat/outputs/logstash/logstash.go
@@ -19,10 +19,10 @@ package logstash
 import (
 "github.com/elastic/beats/v7/libbeat/beat"
- "github.com/elastic/beats/v7/libbeat/common/transport"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 "github.com/elastic/beats/v7/libbeat/outputs"
 conf "github.com/elastic/elastic-agent-libs/config"
+ "github.com/elastic/elastic-agent-libs/transport"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 const (
diff --git a/libbeat/outputs/logstash/logstash_integration_test.go b/libbeat/outputs/logstash/logstash_integration_test.go
index ddb60455c5b..210a92871d5 100644
--- a/libbeat/outputs/logstash/logstash_integration_test.go
+++ b/libbeat/outputs/logstash/logstash_integration_test.go
@@ -33,7 +33,6 @@ import (
 "github.com/elastic/beats/v7/libbeat/beat"
 "github.com/elastic/beats/v7/libbeat/common/fmtstr"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/libbeat/esleg/eslegclient"
 "github.com/elastic/beats/v7/libbeat/idxmgmt"
 "github.com/elastic/beats/v7/libbeat/outputs"
@@ -42,6 +41,7 @@ import (
 "github.com/elastic/beats/v7/libbeat/outputs/outil"
 conf "github.com/elastic/elastic-agent-libs/config"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 const (
diff --git a/libbeat/outputs/logstash/sync.go b/libbeat/outputs/logstash/sync.go
index befeec7b6c2..ad4293eb9f7 100644
--- a/libbeat/outputs/logstash/sync.go
+++ b/libbeat/outputs/logstash/sync.go
@@ -22,10 +22,10 @@ import (
 "time"
 "github.com/elastic/beats/v7/libbeat/beat"
- "github.com/elastic/beats/v7/libbeat/common/transport"
 "github.com/elastic/beats/v7/libbeat/outputs"
 "github.com/elastic/beats/v7/libbeat/publisher"
 "github.com/elastic/elastic-agent-libs/logp"
+ "github.com/elastic/elastic-agent-libs/transport"
 v2 "github.com/elastic/go-lumber/client/v2"
 )
diff --git a/libbeat/outputs/logstash/sync_test.go b/libbeat/outputs/logstash/sync_test.go
index ab95b456d2f..d4dbdfd89da 100644
--- a/libbeat/outputs/logstash/sync_test.go
+++ b/libbeat/outputs/logstash/sync_test.go
@@ -27,10 +27,10 @@ import (
 "time"
 "github.com/elastic/beats/v7/libbeat/beat"
- "github.com/elastic/beats/v7/libbeat/common/transport"
 "github.com/elastic/beats/v7/libbeat/common/transport/transptest"
 "github.com/elastic/beats/v7/libbeat/outputs"
 "github.com/elastic/beats/v7/libbeat/outputs/outest"
+ "github.com/elastic/elastic-agent-libs/transport"
 )
 type testSyncDriver struct {
diff --git a/libbeat/outputs/redis/client.go b/libbeat/outputs/redis/client.go
index 0f4fc142b9f..5165d894f65 100644
--- a/libbeat/outputs/redis/client.go
+++ b/libbeat/outputs/redis/client.go
@@ -28,13 +28,13 @@ import (
 "github.com/gomodule/redigo/redis"
 "github.com/elastic/beats/v7/libbeat/beat"
- "github.com/elastic/beats/v7/libbeat/common/transport"
 "github.com/elastic/beats/v7/libbeat/outputs"
 "github.com/elastic/beats/v7/libbeat/outputs/codec"
 "github.com/elastic/beats/v7/libbeat/outputs/outil"
 "github.com/elastic/beats/v7/libbeat/publisher"
 "github.com/elastic/elastic-agent-libs/logp"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/transport"
 )
 var (
diff --git a/libbeat/outputs/redis/config.go b/libbeat/outputs/redis/config.go
index 68b2f8f2703..01c8f2e0238 100644
--- a/libbeat/outputs/redis/config.go
+++ b/libbeat/outputs/redis/config.go
@@ -21,9 +21,9 @@ import (
 "fmt"
 "time"
- "github.com/elastic/beats/v7/libbeat/common/transport"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 "github.com/elastic/beats/v7/libbeat/outputs/codec"
+ "github.com/elastic/elastic-agent-libs/transport"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 type redisConfig struct {
diff --git a/libbeat/outputs/redis/redis.go b/libbeat/outputs/redis/redis.go
index 37d64435f9a..026cb04d4f8 100644
--- a/libbeat/outputs/redis/redis.go
+++ b/libbeat/outputs/redis/redis.go
@@ -26,12 +26,12 @@ import (
 "github.com/elastic/beats/v7/libbeat/beat"
 "github.com/elastic/beats/v7/libbeat/common/cfgwarn"
- "github.com/elastic/beats/v7/libbeat/common/transport"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 "github.com/elastic/beats/v7/libbeat/outputs"
 "github.com/elastic/beats/v7/libbeat/outputs/codec"
 "github.com/elastic/beats/v7/libbeat/outputs/outil"
 "github.com/elastic/elastic-agent-libs/config"
+ "github.com/elastic/elastic-agent-libs/transport"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 type redisOut struct {
diff --git a/libbeat/outputs/shipper/config.go b/libbeat/outputs/shipper/config.go
index b358efb3675..401c69dec98 100644
--- a/libbeat/outputs/shipper/config.go
+++ b/libbeat/outputs/shipper/config.go
@@ -20,7 +20,7 @@ package shipper
 import (
 "time"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 type Config struct {
diff --git a/libbeat/outputs/shipper/shipper.go b/libbeat/outputs/shipper/shipper.go
index 0b486b2c33f..651b310612a 100644
--- a/libbeat/outputs/shipper/shipper.go
+++ b/libbeat/outputs/shipper/shipper.go
@@ -23,13 +23,13 @@ import (
 "time"
 "github.com/elastic/beats/v7/libbeat/beat"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 "github.com/elastic/beats/v7/libbeat/outputs"
 sc "github.com/elastic/beats/v7/libbeat/outputs/shipper/api"
 "github.com/elastic/beats/v7/libbeat/publisher"
 conf "github.com/elastic/elastic-agent-libs/config"
 "github.com/elastic/elastic-agent-libs/logp"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 "google.golang.org/grpc"
 "google.golang.org/grpc/backoff"
diff --git a/libbeat/processors/add_cloud_metadata/add_cloud_metadata.go b/libbeat/processors/add_cloud_metadata/add_cloud_metadata.go
index 6615d1ff7e5..28582dc24bf 100644
--- a/libbeat/processors/add_cloud_metadata/add_cloud_metadata.go
+++ b/libbeat/processors/add_cloud_metadata/add_cloud_metadata.go
@@ -25,12 +25,12 @@ import (
 "github.com/pkg/errors"
 "github.com/elastic/beats/v7/libbeat/beat"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 "github.com/elastic/beats/v7/libbeat/processors"
 jsprocessor "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/processor"
 cfg "github.com/elastic/elastic-agent-libs/config"
 "github.com/elastic/elastic-agent-libs/logp"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 const (
diff --git a/libbeat/processors/add_cloud_metadata/config.go b/libbeat/processors/add_cloud_metadata/config.go
index 93a31137592..341ec036eb3 100644
--- a/libbeat/processors/add_cloud_metadata/config.go
+++ b/libbeat/processors/add_cloud_metadata/config.go
@@ -21,7 +21,7 @@ import (
 "fmt"
 "time"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 type config struct {
diff --git a/libbeat/processors/add_cloud_metadata/http_fetcher.go b/libbeat/processors/add_cloud_metadata/http_fetcher.go
index 56105d31d82..54edd81aad1 100644
--- a/libbeat/processors/add_cloud_metadata/http_fetcher.go
+++ b/libbeat/processors/add_cloud_metadata/http_fetcher.go
@@ -26,9 +26,9 @@ import (
 "github.com/pkg/errors"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 cfg "github.com/elastic/elastic-agent-libs/config"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 type httpMetadataFetcher struct {
diff --git a/libbeat/processors/add_cloud_metadata/provider_aws_ec2.go b/libbeat/processors/add_cloud_metadata/provider_aws_ec2.go
index 3bf5afc7b77..54ac4eaf9b2 100644
--- a/libbeat/processors/add_cloud_metadata/provider_aws_ec2.go
+++ b/libbeat/processors/add_cloud_metadata/provider_aws_ec2.go
@@ -29,8 +29,8 @@ import (
 s "github.com/elastic/beats/v7/libbeat/common/schema"
 c "github.com/elastic/beats/v7/libbeat/common/schema/mapstriface"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 conf "github.com/elastic/elastic-agent-libs/config"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 const (
diff --git a/libbeat/template/load_integration_test.go b/libbeat/template/load_integration_test.go
index ed39ad0cc53..63db5965f3b 100644
--- a/libbeat/template/load_integration_test.go
+++ b/libbeat/template/load_integration_test.go
@@ -37,11 +37,11 @@ import (
 "github.com/stretchr/testify/require"
 "github.com/elastic/beats/v7/libbeat/beat"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/libbeat/esleg/eslegclient"
 "github.com/elastic/beats/v7/libbeat/esleg/eslegtest"
 "github.com/elastic/beats/v7/libbeat/version"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 func init() {
diff --git a/metricbeat/helper/config.go b/metricbeat/helper/config.go
index d97e9248245..c4ba55c0e6d 100644
--- a/metricbeat/helper/config.go
+++ b/metricbeat/helper/config.go
@@ -20,7 +20,7 @@ package helper
 import (
 "time"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 // Config for an HTTP helper
diff --git a/metricbeat/helper/dialer/dialer.go b/metricbeat/helper/dialer/dialer.go
index 77370265cc5..e7cfa898ec3 100644
--- a/metricbeat/helper/dialer/dialer.go
+++ b/metricbeat/helper/dialer/dialer.go
@@ -21,7 +21,7 @@ import (
 "fmt"
 "time"
- "github.com/elastic/beats/v7/libbeat/common/transport"
+ "github.com/elastic/elastic-agent-libs/transport"
 )
 // Builder is a dialer builder.
diff --git a/metricbeat/helper/dialer/dialer_posix.go b/metricbeat/helper/dialer/dialer_posix.go
index 37c1a1af85c..9bc30100424 100644
--- a/metricbeat/helper/dialer/dialer_posix.go
+++ b/metricbeat/helper/dialer/dialer_posix.go
@@ -26,7 +26,7 @@ import (
 "github.com/pkg/errors"
- "github.com/elastic/beats/v7/libbeat/common/transport"
+ "github.com/elastic/elastic-agent-libs/transport"
 )
 // UnixDialerBuilder creates a builder to dial over unix domain socket.
diff --git a/metricbeat/helper/dialer/dialer_windows.go b/metricbeat/helper/dialer/dialer_windows.go
index 95c72cefaad..f5865cf75df 100644
--- a/metricbeat/helper/dialer/dialer_windows.go
+++ b/metricbeat/helper/dialer/dialer_windows.go
@@ -30,7 +30,7 @@ import (
 winio "github.com/Microsoft/go-winio"
 "github.com/elastic/beats/v7/libbeat/api/npipe"
- "github.com/elastic/beats/v7/libbeat/common/transport"
+ "github.com/elastic/elastic-agent-libs/transport"
 )
 // UnixDialerBuilder creates a builder to dial over a unix domain socket.
diff --git a/metricbeat/helper/http.go b/metricbeat/helper/http.go
index 9fbbf696a33..d06c3c7faee 100644
--- a/metricbeat/helper/http.go
+++ b/metricbeat/helper/http.go
@@ -28,10 +28,10 @@ import (
 "github.com/pkg/errors"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/libbeat/common/useragent"
 "github.com/elastic/beats/v7/metricbeat/helper/dialer"
 "github.com/elastic/beats/v7/metricbeat/mb"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 var userAgent = useragent.UserAgent("Metricbeat")
diff --git a/metricbeat/helper/server/http/config.go b/metricbeat/helper/server/http/config.go
index 726e1ca4dbb..b3033384341 100644
--- a/metricbeat/helper/server/http/config.go
+++ b/metricbeat/helper/server/http/config.go
@@ -17,7 +17,7 @@ package http
-import "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+import "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 type HttpConfig struct {
 Host string `config:"host"`
diff --git a/metricbeat/helper/server/http/http.go b/metricbeat/helper/server/http/http.go
index 44e09384e18..782b0938471 100644
--- a/metricbeat/helper/server/http/http.go
+++ b/metricbeat/helper/server/http/http.go
@@ -24,11 +24,11 @@ import (
 "net/http"
 "strconv"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 "github.com/elastic/beats/v7/metricbeat/helper/server"
 "github.com/elastic/beats/v7/metricbeat/mb"
 "github.com/elastic/elastic-agent-libs/logp"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 type HttpServer struct {
diff --git a/metricbeat/module/elasticsearch/index/data_test.go b/metricbeat/module/elasticsearch/index/data_test.go
index 8d8a73816e6..a01bc9ff5ff 100644
--- a/metricbeat/module/elasticsearch/index/data_test.go
+++ b/metricbeat/module/elasticsearch/index/data_test.go
@@ -30,11 +30,11 @@ import (
 "github.com/stretchr/testify/require"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/metricbeat/helper"
 "github.com/elastic/beats/v7/metricbeat/mb"
 mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing"
 "github.com/elastic/beats/v7/metricbeat/module/elasticsearch"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 var info = elasticsearch.Info{
diff --git a/metricbeat/module/kafka/config.go b/metricbeat/module/kafka/config.go
index e3e4aa11866..8730e3546ab 100644
--- a/metricbeat/module/kafka/config.go
+++ b/metricbeat/module/kafka/config.go
@@ -22,7 +22,7 @@ import (
 "time"
 "github.com/elastic/beats/v7/libbeat/common/kafka"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 type metricsetConfig struct {
diff --git a/metricbeat/module/kafka/metricset.go b/metricbeat/module/kafka/metricset.go
index ee46788f0f9..3e4ed411ac8 100644
--- a/metricbeat/module/kafka/metricset.go
+++ b/metricbeat/module/kafka/metricset.go
@@ -20,8 +20,8 @@ package kafka
 import (
 "crypto/tls"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 "github.com/elastic/beats/v7/metricbeat/mb"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 // MetricSet is the base metricset for all Kafka metricsets
diff --git a/metricbeat/module/mongodb/metricset.go b/metricbeat/module/mongodb/metricset.go
index c7f7735b4a8..d99de5d3698 100644
--- a/metricbeat/module/mongodb/metricset.go
+++ b/metricbeat/module/mongodb/metricset.go
@@ -23,9 +23,9 @@ import (
 "gopkg.in/mgo.v2"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 "github.com/elastic/beats/v7/metricbeat/mb"
 "github.com/elastic/elastic-agent-libs/logp"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 // ModuleConfig contains the common configuration for this module
diff --git a/metricbeat/module/prometheus/remote_write/config.go b/metricbeat/module/prometheus/remote_write/config.go
index 17390858cac..d7fbb7dfb23 100644
--- a/metricbeat/module/prometheus/remote_write/config.go
+++ b/metricbeat/module/prometheus/remote_write/config.go
@@ -17,7 +17,7 @@ package remote_write
-import "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+import "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 type Config struct {
 Host string `config:"host"`
diff --git a/x-pack/filebeat/input/http_endpoint/config.go b/x-pack/filebeat/input/http_endpoint/config.go
index bd49e8f0a07..8dfe384747b 100644
--- a/x-pack/filebeat/input/http_endpoint/config.go
+++ b/x-pack/filebeat/input/http_endpoint/config.go
@@ -9,7 +9,7 @@ import (
 "errors"
 "net/textproto"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 // Config contains information about httpjson configuration
diff --git a/x-pack/filebeat/input/http_endpoint/input.go b/x-pack/filebeat/input/http_endpoint/input.go
index 3fc0064f004..890b8a5ec66 100644
--- a/x-pack/filebeat/input/http_endpoint/input.go
+++ b/x-pack/filebeat/input/http_endpoint/input.go
@@ -12,10 +12,10 @@ import (
 v2 "github.com/elastic/beats/v7/filebeat/input/v2"
 stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 "github.com/elastic/beats/v7/libbeat/feature"
 conf "github.com/elastic/elastic-agent-libs/config"
 "github.com/elastic/elastic-agent-libs/logp"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 "github.com/elastic/go-concert/ctxtool"
 )
diff --git a/x-pack/filebeat/input/httpjson/chain.go b/x-pack/filebeat/input/httpjson/chain.go
index 5cf2a8f6d5c..f877876bee3 100644
--- a/x-pack/filebeat/input/httpjson/chain.go
+++ b/x-pack/filebeat/input/httpjson/chain.go
@@ -57,8 +57,8 @@ package httpjson
 import (
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 // chainConfig for chain request.
diff --git a/x-pack/filebeat/input/httpjson/config.go b/x-pack/filebeat/input/httpjson/config.go
index c0d36589be4..cf8e018fa87 100644
--- a/x-pack/filebeat/input/httpjson/config.go
+++ b/x-pack/filebeat/input/httpjson/config.go
@@ -8,7 +8,7 @@ import (
 "errors"
 "time"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 type config struct {
diff --git a/x-pack/filebeat/input/httpjson/config_request.go b/x-pack/filebeat/input/httpjson/config_request.go
index 7fe070c540a..b4a6c5bfc55 100644
--- a/x-pack/filebeat/input/httpjson/config_request.go
+++ b/x-pack/filebeat/input/httpjson/config_request.go
@@ -12,8 +12,8 @@ import (
 "strings"
 "time"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 type retryConfig struct {
diff --git a/x-pack/filebeat/input/httpjson/input.go b/x-pack/filebeat/input/httpjson/input.go
index 82f9e7530b7..1e8b2a244fe 100644
--- a/x-pack/filebeat/input/httpjson/input.go
+++ b/x-pack/filebeat/input/httpjson/input.go
@@ -19,11 +19,11 @@ import (
 v2 "github.com/elastic/beats/v7/filebeat/input/v2"
 inputcursor "github.com/elastic/beats/v7/filebeat/input/v2/input-cursor"
 "github.com/elastic/beats/v7/libbeat/beat"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/beats/v7/libbeat/common/useragent"
 "github.com/elastic/beats/v7/libbeat/feature"
 "github.com/elastic/elastic-agent-libs/logp"
 "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 "github.com/elastic/go-concert/ctxtool"
 "github.com/elastic/go-concert/timed"
 )
diff --git a/x-pack/filebeat/input/o365audit/auth/cert.go b/x-pack/filebeat/input/o365audit/auth/cert.go
index dc8e1584a3a..1d0dc9f7526 100644
--- a/x-pack/filebeat/input/o365audit/auth/cert.go
+++ b/x-pack/filebeat/input/o365audit/auth/cert.go
@@ -12,7 +12,7 @@ import (
 "github.com/Azure/go-autorest/autorest/adal"
 "github.com/pkg/errors"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 // NewProviderFromCertificate returns a TokenProvider that uses certificate-based
diff --git a/x-pack/filebeat/input/o365audit/config.go b/x-pack/filebeat/input/o365audit/config.go
index 1251ebe731d..d6178e9cbcc 100644
--- a/x-pack/filebeat/input/o365audit/config.go
+++ b/x-pack/filebeat/input/o365audit/config.go
@@ -11,8 +11,8 @@ import (
 "github.com/pkg/errors"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 "github.com/elastic/beats/v7/x-pack/filebeat/input/o365audit/auth"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 // Config for the O365 audit API input.
diff --git a/x-pack/heartbeat/monitors/browser/source/zipurl.go b/x-pack/heartbeat/monitors/browser/source/zipurl.go
index 5a88cb92dfd..9833ab0cefa 100644
--- a/x-pack/heartbeat/monitors/browser/source/zipurl.go
+++ b/x-pack/heartbeat/monitors/browser/source/zipurl.go
@@ -16,8 +16,8 @@ import (
 "strings"
 "time"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
 "github.com/elastic/elastic-agent-libs/logp"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 type ZipURLSource struct {
diff --git a/x-pack/libbeat/common/aws/credentials.go b/x-pack/libbeat/common/aws/credentials.go
index 24e9ef04aa6..f7d2e909513 100644
--- a/x-pack/libbeat/common/aws/credentials.go
+++ b/x-pack/libbeat/common/aws/credentials.go
@@ -17,9 +17,9 @@ import (
 "github.com/aws/aws-sdk-go-v2/aws/stscreds"
 "github.com/aws/aws-sdk-go-v2/service/sts"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 "github.com/elastic/elastic-agent-libs/logp"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 // OptionalGovCloudFIPS is a list of services on AWS GovCloud that is not FIPS by default.
diff --git a/x-pack/libbeat/common/aws/credentials_test.go b/x-pack/libbeat/common/aws/credentials_test.go
index 3b5c6233cfc..8c0e7c16c99 100644
--- a/x-pack/libbeat/common/aws/credentials_test.go
+++ b/x-pack/libbeat/common/aws/credentials_test.go
@@ -12,7 +12,7 @@ import (
 awssdk "github.com/aws/aws-sdk-go-v2/aws"
 "github.com/stretchr/testify/assert"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 func TestInitializeAWSConfig(t *testing.T) {
diff --git a/x-pack/libbeat/common/cloudfoundry/config.go b/x-pack/libbeat/common/cloudfoundry/config.go
index a78755062e4..cfb012a0911 100644
--- a/x-pack/libbeat/common/cloudfoundry/config.go
+++ b/x-pack/libbeat/common/cloudfoundry/config.go
@@ -9,7 +9,7 @@ import (
 "strings"
 "time"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 const (
diff --git a/x-pack/libbeat/common/cloudfoundry/hub.go b/x-pack/libbeat/common/cloudfoundry/hub.go
index e27cbf3ecb2..e6ab4ce76ca 100644
--- a/x-pack/libbeat/common/cloudfoundry/hub.go
+++ b/x-pack/libbeat/common/cloudfoundry/hub.go
@@ -11,9 +11,9 @@ import (
 "github.com/cloudfoundry-community/go-cfclient"
 "github.com/pkg/errors"
- "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
- "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 "github.com/elastic/elastic-agent-libs/logp"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 // Client interface exposed by Hub.Client.