Feat: improved error handling/logging/unwraping (#133)

The unwrapping at the Java level is for exceptions wrapped by Netty.

Full exception details will be logged at debug level from the Java side - since we seem to prefer (manual) exception logging at the plugin level. We also make sure to log cause, if any, on the Ruby side which now catches all (expected) Java exceptions.

resolves #134

Author: kares

CHANGELOG.md

@@ -1,3 +1,6 @@
+## 3.3.7
+ - Feat: improved error handling/logging/unwraping [#133](https://github.com/logstash-plugins/logstash-input-http/pull/133)
+ 
 ## 3.3.6
  - Fixes a regression introduced in 3.1.0's migration to the Netty back-end that broke some users'
    browser-based workflows. When an instance of this plugin that is configured to require Basic

VERSION

@@ -1 +1 @@
-3.3.6
+3.3.7

lib/logstash/inputs/http.rb

@@ -217,30 +217,24 @@ def create_http_server(message_handler)
   def build_ssl_params
     return nil unless @ssl
 
-    ssl_builder = nil
-
     if @keystore && @keystore_password
       ssl_builder = org.logstash.plugins.inputs.http.util.JksSslBuilder.new(@keystore, @keystore_password.value)
     else
       begin
-        ssl_builder = org.logstash.plugins.inputs.http.util.SslSimpleBuilder.new(@ssl_certificate, @ssl_key, @ssl_key_passphrase.nil? ? nil : @ssl_key_passphrase.value)
-        .setCipherSuites(normalized_ciphers)
+        ssl_builder = org.logstash.plugins.inputs.http.util.SslSimpleBuilder
+                          .new(@ssl_certificate, @ssl_key, @ssl_key_passphrase.nil? ? nil : @ssl_key_passphrase.value)
+                          .setCipherSuites(normalized_ciphers)
       rescue java.lang.IllegalArgumentException => e
-        raise LogStash::ConfigurationError.new(e)
+        @logger.error("SSL configuration invalid", error_details(e))
+        raise LogStash::ConfigurationError, e
       end
 
       if client_authentication?
         ssl_builder.setCertificateAuthorities(@ssl_certificate_authorities)
       end
     end
 
-    ssl_context = ssl_builder.build()
-    ssl_handler_provider = org.logstash.plugins.inputs.http.util.SslHandlerProvider.new(ssl_context)
-    ssl_handler_provider.setVerifyMode(@ssl_verify_mode_final.upcase)
-    ssl_handler_provider.setProtocols(convert_protocols)
-    ssl_handler_provider.setHandshakeTimeoutMilliseconds(@ssl_handshake_timeout)
-
-    ssl_handler_provider
+    new_ssl_handshake_provider(ssl_builder)
   end
 
   def ssl_key_configured?
@@ -259,6 +253,8 @@ def require_certificate_authorities?
     @ssl_verify_mode_final == "force_peer" || @ssl_verify_mode_final == "peer"
   end
 
+  private
+
   def normalized_ciphers
     @cipher_suites.map(&:upcase)
   end
@@ -267,4 +263,31 @@ def convert_protocols
     TLS.get_supported(@tls_min_version..@tls_max_version).map(&:name)
   end
 
+  def new_ssl_handshake_provider(ssl_builder)
+    begin
+      ssl_handler_provider = org.logstash.plugins.inputs.http.util.SslHandlerProvider.new(ssl_builder.build())
+      ssl_handler_provider.setVerifyMode(@ssl_verify_mode_final.upcase)
+      ssl_handler_provider.setProtocols(convert_protocols)
+      ssl_handler_provider.setHandshakeTimeoutMilliseconds(@ssl_handshake_timeout)
+      ssl_handler_provider
+    rescue java.lang.IllegalArgumentException => e
+      @logger.error("SSL configuration invalid", error_details(e))
+      raise LogStash::ConfigurationError, e
+    rescue java.lang.Exception => e
+      @logger.error("SSL configuration failed", error_details(e, true))
+      raise e
+    end
+  end
+
+  def error_details(e, trace = false)
+    error_details = { :exception => e.class, :message => e.message }
+    error_details[:backtrace] = e.backtrace if trace || @logger.debug?
+    cause = e.cause
+    if cause && e != cause
+      error_details[:cause] = { :exception => cause.class, :message => cause.message }
+      error_details[:cause][:backtrace] = cause.backtrace if trace || @logger.debug?
+    end
+    error_details
+  end
+
 end # class LogStash::Inputs::Http

spec/inputs/http_spec.rb

@@ -386,21 +386,21 @@
       let(:ssl_certificate) { ssc.certificate }
       let(:ssl_key) { ssc.private_key }
 
+      let(:config) do
+        { "port" => port, "ssl" => true, "ssl_certificate" => ssl_certificate.path, "ssl_key" => ssl_key.path }
+      end
+
       after(:each) { ssc.delete }
 
-      subject { LogStash::Inputs::Http.new("port" => port, "ssl" => true,
-                                           "ssl_certificate" => ssl_certificate.path,
-                                           "ssl_key" => ssl_key.path) }
+      subject { LogStash::Inputs::Http.new(config) }
+
       it "should not raise exception" do
         expect { subject.register }.to_not raise_exception
       end
 
       context "with ssl_verify_mode = none" do
-        subject { LogStash::Inputs::Http.new("port" => port, "ssl" => true,
-                                             "ssl_certificate" => ssl_certificate.path,
-                                             "ssl_key" => ssl_key.path,
-                                             "ssl_verify_mode" => "none"
-                                            ) }
+        subject { LogStash::Inputs::Http.new(config.merge("ssl_verify_mode" => "none")) }
+
         it "should not raise exception" do
           expect { subject.register }.to_not raise_exception
         end
@@ -419,11 +419,8 @@
         end
       end
       context "with verify_mode = none" do
-        subject { LogStash::Inputs::Http.new("port" => port, "ssl" => true,
-                                             "ssl_certificate" => ssl_certificate.path,
-                                             "ssl_key" => ssl_key.path,
-                                             "verify_mode" => "none"
-                                            ) }
+        subject { LogStash::Inputs::Http.new(config.merge("verify_mode" => "none")) }
+
         it "should not raise exception" do
           expect { subject.register }.to_not raise_exception
         end
@@ -441,6 +438,67 @@
           end
         end
       end
+
+      context "with invalid cipher_suites" do
+        let(:config) { super.merge("cipher_suites" => "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38") }
+
+        it "should raise a configuration error" do
+          expect( subject.logger ).to receive(:error) do |msg, opts|
+            expect( msg ).to match /.*?configuration invalid/
+            expect( opts[:message] ).to match /TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38.*? not available/
+          end
+          expect { subject.register }.to raise_error(LogStash::ConfigurationError)
+        end
+      end
+
+      context "with invalid ssl certificate" do
+        before do
+          cert = File.readlines path = config["ssl_certificate"]
+          i = cert.index { |line| line.index('END CERTIFICATE') }
+          cert[i - 1] = ''
+          File.write path, cert.join("\n")
+        end
+
+        it "should raise a configuration error" do
+          expect( subject.logger ).to receive(:error) do |msg, opts|
+            expect( msg ).to match /SSL configuration invalid/
+            expect( opts[:message] ).to match /File does not contain valid certificate/i
+          end
+          expect { subject.register }.to raise_error(LogStash::ConfigurationError)
+        end
+      end
+
+      context "with invalid ssl key config" do
+        let(:config) { super.merge("ssl_key_passphrase" => "1234567890") }
+
+        it "should raise a configuration error" do
+          expect( subject.logger ).to receive(:error) do |msg, opts|
+            expect( msg ).to match /SSL configuration invalid/
+            expect( opts[:message] ).to match /File does not contain valid private key/i
+          end
+          expect { subject.register }.to raise_error(LogStash::ConfigurationError)
+        end
+      end
+
+      context "with invalid ssl certificate_authorities" do
+        let(:config) do
+          super.merge("ssl_verify_mode" => "peer",
+                      "ssl_certificate_authorities" => [ ssc.certificate.path, ssc.private_key.path ])
+        end
+
+        it "should raise a cert error" do
+          expect( subject.logger ).to receive(:error) do |msg, opts|
+            expect( msg ).to match(/SSL configuration failed/), lambda { "unexpected: logger.error #{msg.inspect}, #{opts.inspect}" }
+            expect( opts[:message] ).to match /signed fields invalid/
+          end
+          begin
+            subject.register
+          rescue Java::JavaSecurityCert::CertificateParsingException
+            :pass
+          end
+        end
+      end
+
     end
   end
 end

src/main/java/org/logstash/plugins/inputs/http/util/JksSslBuilder.java

@@ -1,21 +1,13 @@
 package org.logstash.plugins.inputs.http.util;
 
+import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
 
-
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManagerFactory;
-
-import io.netty.handler.ssl.SslContext;
 import java.io.FileInputStream;
-import java.io.IOException;
-import java.security.KeyManagementException;
 import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
 import java.security.Security;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.CertificateException;
 
 public class JksSslBuilder implements SslBuilder {
     private static final String ALGORITHM_SUN_X509 = "SunX509";
@@ -28,7 +20,7 @@ public JksSslBuilder(String keyStorePath, String keyStorePassword) {
         this.keyStorePassword = keyStorePassword.toCharArray();
     }
 
-    public SslContext build() throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException {
+    public SslContext build() throws Exception {
         String algorithm = Security.getProperty(ALGORITHM);
         if (algorithm == null) {
             algorithm = ALGORITHM_SUN_X509;
@@ -47,6 +39,6 @@ public SslContext build() throws IOException, KeyStoreException, CertificateExce
         SslContextBuilder builder = SslContextBuilder.forServer(kmf);
         builder.trustManager(tmf);
 
-        return builder.build();
+        return SslSimpleBuilder.doBuild(builder);
     }
 }

src/main/java/org/logstash/plugins/inputs/http/util/SslBuilder.java

@@ -11,6 +11,10 @@
 
 public interface SslBuilder {
 
-    SslContext build() throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException;
+    /**
+     * @return context
+     * @throws Exception (IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException)
+     */
+    SslContext build() throws Exception;
 
 }

src/main/java/org/logstash/plugins/inputs/http/util/SslSimpleBuilder.java

@@ -18,6 +18,7 @@
 import java.util.Arrays;
 import java.util.List;
 import javax.crypto.Cipher;
+import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLServerSocketFactory;
 
 public class SslSimpleBuilder implements SslBuilder {
@@ -85,7 +86,7 @@ public SslSimpleBuilder setCertificateAuthorities(String[] cert) {
         return this;
     }
 
-    public SslContext build() throws IOException, NoSuchAlgorithmException, CertificateException {
+    public SslContext build() throws Exception {
         SslContextBuilder builder = SslContextBuilder.forServer(sslCertificateFile, sslKeyFile, passPhrase);
 
         if(logger.isDebugEnabled()) {
@@ -102,7 +103,26 @@ public SslContext build() throws IOException, NoSuchAlgorithmException, Certific
             builder.trustManager(loadCertificateCollection(certificateAuthorities));
         }
 
-        return builder.build();
+        return doBuild(builder);
+    }
+
+    // NOTE: copy-pasta from input-beats
+    static SslContext doBuild(final SslContextBuilder builder) throws Exception {
+        try {
+            return builder.build();
+        } catch (SSLException e) {
+            logger.debug("Failed to initialize SSL", e);
+            // unwrap generic wrapped exception from Netty's JdkSsl{Client|Server}Context
+            if ("failed to initialize the server-side SSL context".equals(e.getMessage()) ||
+                "failed to initialize the client-side SSL context".equals(e.getMessage())) {
+                // Netty catches Exception and simply wraps: throw new SSLException("...", e);
+                if (e.getCause() instanceof Exception) throw (Exception) e.getCause();
+            }
+            throw e;
+        } catch (Exception e) {
+            logger.debug("Failed to initialize SSL", e);
+            throw e;
+        }
     }
 
     private X509Certificate[] loadCertificateCollection(String[] certificates) throws IOException, CertificateException {