Skip to content

Commit

Permalink
Fix TLS and SSL config option parsing (#4247)
Browse files Browse the repository at this point in the history
  • Loading branch information
danielnelson authored Jun 7, 2018
1 parent 312843c commit 661cdc4
Show file tree
Hide file tree
Showing 5 changed files with 31 additions and 19 deletions.
2 changes: 1 addition & 1 deletion Godeps
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ github.com/hailocab/go-hostpool e80d13ce29ede4452c43dea11e79b9bc8a15b478
github.com/hashicorp/consul 5174058f0d2bda63fa5198ab96c33d9a909c58ed
github.com/influxdata/go-syslog 84f3b60009444d298f97454feb1f20cf91d1fa6e
github.com/influxdata/tail c43482518d410361b6c383d7aebce33d0471d7bc
github.com/influxdata/toml 5d1d907f22ead1cd47adde17ceec5bda9cacaf8f
github.com/influxdata/toml 2a2e3012f7cfbef64091cc79776311e65dfa211b
github.com/influxdata/wlog 7c63b0a71ef8300adc255344d275e10e5c3a71ec
github.com/fsnotify/fsnotify c2828203cd70a50dcccfb2761f8b1f8ceef9a8e9
github.com/jackc/pgx 63f58fd32edb5684b9e9f4cfaac847c6b42b3917
Expand Down
2 changes: 1 addition & 1 deletion internal/tls/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ type ClientConfig struct {
// Deprecated in 1.7; use TLS variables above
SSLCA string `toml:"ssl_ca"`
SSLCert string `toml:"ssl_cert"`
SSLKey string `toml:"ssl_ca"`
SSLKey string `toml:"ssl_key"`
}

// ServerConfig represents the standard server TLS config.
Expand Down
2 changes: 1 addition & 1 deletion plugins/inputs/openldap/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ To use this plugin you must enable the [monitoring](https://www.openldap.org/dev
# ldaps, starttls, or no encryption. default is an empty string, disabling all encryption.
# note that port will likely need to be changed to 636 for ldaps
# valid options: "" | "starttls" | "ldaps"
ssl = ""
tls = ""

# skip peer certificate verification. Default is false.
insecure_skip_verify = false
Expand Down
31 changes: 21 additions & 10 deletions plugins/inputs/openldap/openldap.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,9 +15,11 @@ import (
type Openldap struct {
Host string
Port int
Ssl string
SSL string `toml:"ssl"` // Deprecated in 1.7; use TLS
TLS string `toml:"tls"`
InsecureSkipVerify bool
SslCa string
SSLCA string `toml:"ssl_ca"` // Deprecated in 1.7; use TLSCA
TLSCA string `toml:"tls_ca"`
BindDn string
BindPassword string
ReverseMetricNames bool
Expand All @@ -30,7 +32,7 @@ const sampleConfig string = `
# ldaps, starttls, or no encryption. default is an empty string, disabling all encryption.
# note that port will likely need to be changed to 636 for ldaps
# valid options: "" | "starttls" | "ldaps"
ssl = ""
tls = ""
# skip peer certificate verification. Default is false.
insecure_skip_verify = false
Expand Down Expand Up @@ -70,9 +72,11 @@ func NewOpenldap() *Openldap {
return &Openldap{
Host: "localhost",
Port: 389,
Ssl: "",
SSL: "",
TLS: "",
InsecureSkipVerify: false,
SslCa: "",
SSLCA: "",
TLSCA: "",
BindDn: "",
BindPassword: "",
ReverseMetricNames: false,
Expand All @@ -81,34 +85,41 @@ func NewOpenldap() *Openldap {

// gather metrics
func (o *Openldap) Gather(acc telegraf.Accumulator) error {
if o.TLS == "" {
o.TLS = o.SSL
}
if o.TLSCA == "" {
o.TLSCA = o.SSLCA
}

var err error
var l *ldap.Conn
if o.Ssl != "" {
if o.TLS != "" {
// build tls config
clientTLSConfig := tls.ClientConfig{
SSLCA: o.SslCa,
TLSCA: o.TLSCA,
InsecureSkipVerify: o.InsecureSkipVerify,
}
tlsConfig, err := clientTLSConfig.TLSConfig()
if err != nil {
acc.AddError(err)
return nil
}
if o.Ssl == "ldaps" {
if o.TLS == "ldaps" {
l, err = ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", o.Host, o.Port), tlsConfig)
if err != nil {
acc.AddError(err)
return nil
}
} else if o.Ssl == "starttls" {
} else if o.TLS == "starttls" {
l, err = ldap.Dial("tcp", fmt.Sprintf("%s:%d", o.Host, o.Port))
if err != nil {
acc.AddError(err)
return nil
}
err = l.StartTLS(tlsConfig)
} else {
acc.AddError(fmt.Errorf("Invalid setting for ssl: %s", o.Ssl))
acc.AddError(fmt.Errorf("Invalid setting for ssl: %s", o.TLS))
return nil
}
} else {
Expand Down
13 changes: 7 additions & 6 deletions plugins/inputs/openldap/openldap_test.go
Original file line number Diff line number Diff line change
@@ -1,10 +1,11 @@
package openldap

import (
"gopkg.in/ldap.v2"
"strconv"
"testing"

"gopkg.in/ldap.v2"

"github.com/influxdata/telegraf/testutil"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
Expand Down Expand Up @@ -74,7 +75,7 @@ func TestOpenldapStartTLS(t *testing.T) {
o := &Openldap{
Host: testutil.GetLocalHost(),
Port: 389,
Ssl: "starttls",
SSL: "starttls",
InsecureSkipVerify: true,
}

Expand All @@ -92,7 +93,7 @@ func TestOpenldapLDAPS(t *testing.T) {
o := &Openldap{
Host: testutil.GetLocalHost(),
Port: 636,
Ssl: "ldaps",
SSL: "ldaps",
InsecureSkipVerify: true,
}

Expand All @@ -110,7 +111,7 @@ func TestOpenldapInvalidSSL(t *testing.T) {
o := &Openldap{
Host: testutil.GetLocalHost(),
Port: 636,
Ssl: "invalid",
SSL: "invalid",
InsecureSkipVerify: true,
}

Expand All @@ -129,7 +130,7 @@ func TestOpenldapBind(t *testing.T) {
o := &Openldap{
Host: testutil.GetLocalHost(),
Port: 389,
Ssl: "",
SSL: "",
InsecureSkipVerify: true,
BindDn: "cn=manager,cn=config",
BindPassword: "secret",
Expand Down Expand Up @@ -157,7 +158,7 @@ func TestOpenldapReverseMetrics(t *testing.T) {
o := &Openldap{
Host: testutil.GetLocalHost(),
Port: 389,
Ssl: "",
SSL: "",
InsecureSkipVerify: true,
BindDn: "cn=manager,cn=config",
BindPassword: "secret",
Expand Down

0 comments on commit 661cdc4

Please sign in to comment.