spec/unit/outputs/redis_spec.rb in logstash-output-redis-5.0.0 vs spec/unit/outputs/redis_spec.rb in logstash-output-redis-5.2.0

@@ -1,10 +1,11 @@
 require "logstash/devutils/rspec/spec_helper"
 require "logstash/outputs/redis"
 require "logstash/json"
 require "redis"
 require "flores/random"
+require "flores/pki"
 
 describe LogStash::Outputs::Redis do
 
   context "Redis#receive in batch mode" do
     # this is a regression test harness to verify fix for https://github.com/logstash-plugins/logstash-output-redis/issues/26
@@ -36,7 +37,108 @@
       10000.times do |i|
         expect{redis.receive(LogStash::Event.new({"message" => "test-#{i}"}))}.to_not raise_error
       end
     end
   end
-end
 
+  context "with SSL enabled" do
+    let(:config) {{ "ssl_enabled" => true, "key" => "key", "data_type" => "list" }}
+    subject(:plugin) { described_class.new(config) }
+
+    context "and not providing a certificate/key pair" do
+      it "registers without error" do
+        expect { plugin.register }.to_not raise_error
+      end
+    end
+
+    context "and providing a certificate/key pair" do
+      let(:cert_key_pair) { Flores::PKI.generate }
+      let(:certificate) do
+        path = Tempfile.new('certificate').path
+        IO.write(path, cert_key_pair.first.to_s)
+        path
+      end
+      let(:key) do
+        path = Tempfile.new('key').path
+        IO.write(path, cert_key_pair[1].to_s)
+        path
+      end
+      let(:config) { super().merge("ssl_certificate" => certificate, "ssl_key" => key) }
+
+      it "registers without error" do
+        expect { plugin.register }.to_not raise_error
+      end
+    end
+
+    FIXTURES_PATH = File.expand_path('../../fixtures', File.dirname(__FILE__))
+
+    context "and plain-text certificate/key" do
+      let(:key_file) { File.join(FIXTURES_PATH, 'certificates/redis.key') }
+      let(:crt_file) { File.join(FIXTURES_PATH, 'certificates/redis.crt') }
+      let(:config) { super().merge("ssl_certificate" => crt_file, "ssl_key" => key_file) }
+
+      it "registers without error" do
+        expect { plugin.register }.to_not raise_error
+      end
+
+      context 'with password set' do
+        let(:config) { super().merge("ssl_key_passphrase" => 'ignored') }
+
+        it "registers without error" do # password simply ignored
+          expect { plugin.register }.to_not raise_error
+        end
+      end
+
+      context 'with supported protocol' do
+        let(:config) { super().merge("ssl_supported_protocols" => %w[TLSv1.2 TLSv1.3]) }
+
+        it 'configures minimum TLS version' do
+          plugin.register
+          ssl_params = plugin.send(:setup_ssl_params)
+          expect(ssl_params).to match(a_hash_including(:min_version => :TLS1_2, :max_version => :TLS1_3))
+        end
+      end
+    end
+
+    context "with only ssl_certificate set" do
+      let(:config) { super().merge("ssl_certificate" => File.join(FIXTURES_PATH, 'certificates/redis.crt')) }
+
+      it "should raise a configuration error to request also `ssl_key`" do
+        expect { plugin.register }.to raise_error(LogStash::ConfigurationError, /Using an `ssl_certificate` requires an `ssl_key`/)
+      end
+    end
+
+    context "with only ssl_key set" do
+      let(:config) { super().merge("ssl_key" => File.join(FIXTURES_PATH, 'certificates/redis.key')) }
+
+      it "should raise a configuration error to request also `ssl_key`" do
+        expect { plugin.register }.to raise_error(LogStash::ConfigurationError, /An `ssl_certificate` is required when using an `ssl_key`/)
+      end
+    end
+
+    context "with ssl_certificate_authorities" do
+      let(:certificate_path) { File.join(FIXTURES_PATH, 'certificates/redis.crt') }
+      let(:config) do
+        super().merge('ssl_certificate_authorities' => [certificate_path])
+      end
+
+      it "sets cert_store values" do
+        ssl_store = double(OpenSSL::X509::Store.new)
+        allow(ssl_store).to receive(:set_default_paths)
+        allow(ssl_store).to receive(:add_file)
+        allow(subject).to receive(:new_ssl_certificate_store).and_return(ssl_store)
+        subject.send :setup_ssl_params
+        expect(ssl_store).to have_received(:add_file).with(certificate_path)
+      end
+    end
+
+    context "CAs certificates" do
+      it "includes openssl default paths" do
+        ssl_store = double(OpenSSL::X509::Store.new)
+        allow(ssl_store).to receive(:set_default_paths)
+        allow(plugin).to receive(:new_ssl_certificate_store).and_return(ssl_store)
+        subject.send :setup_ssl_params
+        expect(ssl_store).to have_received(:set_default_paths)
+      end
+    end
+  end
+end