network_verifier: plugin New Network Verifier plugin type

CMakeLists.txt

@@ -743,6 +743,7 @@ if(FLB_TLS)
   find_package(OpenSSL)
   if(OPENSSL_FOUND)
     FLB_DEFINITION(FLB_HAVE_OPENSSL)
+    include_directories(${OPENSSL_INCLUDE_DIR})
   endif()
 
   if (FLB_SYSTEM_WINDOWS AND NOT(OPENSSL_FOUND))

include/fluent-bit/config_format/flb_cf.h

@@ -60,6 +60,7 @@ enum section_type {
     FLB_CF_PLUGINS,               /* plugins             */
     FLB_CF_UPSTREAM_SERVERS,      /* upstream_servers    */
     FLB_CF_CUSTOM,                /* [CUSTOM]            */
+    FLB_CF_NETWORK_VERIFIER,      /* [network_verifier]      */
     FLB_CF_INPUT,                 /* [INPUT]             */
     FLB_CF_FILTER,                /* [FILTER]            */
     FLB_CF_OUTPUT,                /* [OUTPUT]            */
@@ -112,6 +113,9 @@ struct flb_cf {
     /* 'custom' type plugins */
     struct mk_list customs;
 
+    /* 'network_verifier' type plugins */
+    struct mk_list network_verifiers;
+
     /* pipeline */
     struct mk_list inputs;
     struct mk_list filters;

include/fluent-bit/flb_config.h

@@ -136,6 +136,7 @@ struct flb_config {
     struct mk_list parser_plugins;      /* not yet implemented */
     struct mk_list filter_plugins;
     struct mk_list out_plugins;
+    struct mk_list network_verifier_plugins;
 
     /* Custom instances */
     struct mk_list customs;
@@ -156,6 +157,9 @@ struct flb_config {
     /* Filter instances */
     struct mk_list filters;
 
+    /* Network Verifier instances */
+    struct mk_list network_verifiers;
+
     struct mk_event_loop *evl;          /* the event loop (mk_core) */
 
     struct flb_bucket_queue *evl_bktq;   /* bucket queue for evl track event priority */

include/fluent-bit/flb_connection.h

@@ -181,4 +181,7 @@ void flb_connection_unset_connection_timeout(struct flb_connection *connection);
 void flb_connection_reset_io_timeout(struct flb_connection *connection);
 void flb_connection_unset_io_timeout(struct flb_connection *connection);
 
+void flb_connection_notify_error(const struct flb_connection* conn,
+    const char* dest, int port, int error_code, const char* error_msg);
+
 #endif

include/fluent-bit/flb_input.h

@@ -458,6 +458,10 @@ struct flb_input_instance {
     char *tls_max_version;               /* Maximum protocol version of TLS */
     char *tls_ciphers;                   /* TLS ciphers */
 
+
+    char *network_verifier;           /* Network Verifier alias */
+    struct flb_network_verifier_instance* verifier_ins;
+
     struct mk_list *tls_config_map;
 
 #ifdef FLB_HAVE_TLS

include/fluent-bit/flb_network_verifier.h

@@ -0,0 +1,95 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+
+/*  Fluent Bit
+ *  ==========
+ *  Copyright (C) 2015-2024 The Fluent Bit Authors
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef FLB_NETWORK_VERIFIER_H
+#define FLB_NETWORK_VERIFIER_H
+
+#include <fluent-bit/flb_info.h>
+#include <fluent-bit/flb_config.h>
+#include <fluent-bit/flb_config_map.h>
+
+#include <openssl/types.h>
+
+#define FLB_X509_STORE_EX_INDEX 0
+
+struct flb_network_verifier_instance;
+
+struct flb_network_verifier_plugin {
+    char *name;            /* Name                               */
+    char *description;     /* Description                        */
+
+    /* Config map */
+    struct flb_config_map *config_map;
+
+    /* Callbacks */
+    int (*cb_init) (struct flb_network_verifier_instance *, struct flb_config *);
+    int (*cb_verify_tls) (int, X509_STORE_CTX *);
+    int (*cb_connection_failure) (struct flb_network_verifier_instance*, const char*, int, int, const char*);
+    int (*cb_exit) (void *, struct flb_config *);
+
+    struct mk_list _head;  /* Link to parent list (config->network_verifier_plugins) */
+};
+
+/*
+ * Each initialized plugin must have an instance, the same plugin may be
+ * loaded more than one time.
+ *
+ * An instance will contain basic fixed plugin data while also
+ * allowing for plugin context data, generated when the plugin is invoked.
+ */
+struct flb_network_verifier_instance {
+    int id;                                 /* instance id              */
+    int log_level;                          /* instance log level       */
+    char name[32];                          /* numbered name            */
+    char *alias;                            /* alias name               */
+    void *context;                          /* Instance local context   */
+    struct flb_network_verifier_plugin *plugin; /* original plugin   */
+
+    struct mk_list properties;              /* config properties        */
+    struct mk_list *config_map;             /* configuration map        */
+
+    /* Keep a reference to the original context this instance belongs to */
+    const struct flb_config *config;
+
+    struct mk_list _head;                   /* config->network_verifiers  */
+};
+
+struct flb_network_verifier_instance *flb_network_verifier_new(
+    struct flb_config *config, const char *name);
+
+const char *flb_network_verifier_get_alias(
+    struct flb_network_verifier_instance *ins);
+
+int flb_network_verifier_set_property(
+   struct flb_network_verifier_instance *ins, const char *k, const char *v);
+int flb_network_verifier_plugin_property_check(
+    struct flb_network_verifier_instance *ins,
+    struct flb_config *config);
+int flb_network_verifier_init_all(struct flb_config *config);
+void flb_network_verifier_exit(struct flb_config *config);
+
+void flb_network_verifier_instance_destroy(
+    struct flb_network_verifier_instance *ins);
+
+const struct flb_network_verifier_instance *find_network_verifier_instance(
+                struct flb_config *config,
+                const char* alias);
+
+
+#endif

include/fluent-bit/flb_network_verifier_plugin.h

@@ -0,0 +1,47 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+
+/*  Fluent Bit
+ *  ==========
+ *  Copyright (C) 2015-2024 The Fluent Bit Authors
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef FLB_NETWORK_VERIFIER_PLUGIN_H
+#define FLB_NETWORK_VERIFIER_PLUGIN_H
+
+#include <fluent-bit/flb_info.h>
+#include <fluent-bit/flb_network_verifier.h>
+#include <fluent-bit/flb_log.h>
+
+#define flb_plg_log(ctx, level, fmt, ...)                                \
+    if (flb_log_check_level(ctx->log_level, level))                      \
+        flb_log_print(level, NULL, 0, "[network_verifier:%s:%s] " fmt,       \
+                      ctx->plugin->name,                                 \
+                      flb_network_verifier_get_alias(ctx), ##__VA_ARGS__)
+
+#define flb_plg_error(ctx, fmt, ...) \
+    flb_plg_log(ctx, FLB_LOG_ERROR, fmt, ##__VA_ARGS__)
+
+#define flb_plg_warn(ctx, fmt, ...)  \
+    flb_plg_log(ctx, FLB_LOG_WARN, fmt, ##__VA_ARGS__)
+
+#define flb_plg_info(ctx, fmt, ...)  \
+    flb_plg_log(ctx, FLB_LOG_INFO, fmt, ##__VA_ARGS__)
+
+#define flb_plg_debug(ctx, fmt, ...) \
+    flb_plg_log(ctx, FLB_LOG_DEBUG, fmt, ##__VA_ARGS__)
+
+#define flb_plg_trace(ctx, fmt, ...) \
+    flb_plg_log(ctx, FLB_LOG_TRACE, fmt, ##__VA_ARGS__)
+#endif

include/fluent-bit/flb_output.h

@@ -48,6 +48,7 @@
 #include <fluent-bit/flb_upstream_ha.h>
 #include <fluent-bit/flb_event.h>
 #include <fluent-bit/flb_processor.h>
+#include <fluent-bit/flb_network_verifier.h>
 
 #include <cfl/cfl.h>
 #include <cmetrics/cmetrics.h>
@@ -377,6 +378,8 @@ struct flb_output_instance {
     char *tls_win_thumbprints;               /* CertStore Thumbprints (Windows) */
 # endif
 #endif
+    char* network_verifier;           /* Connection Verifier alias */
+    struct flb_network_verifier_instance* verifier_ins;
 
     /*
      * network info:

include/fluent-bit/flb_plugin.h

@@ -28,6 +28,7 @@
 #define FLB_PLUGIN_FILTER    2
 #define FLB_PLUGIN_OUTPUT    3
 #define FLB_PLUGIN_PROCESSOR 4
+#define FLB_PLUGIN_NETWORK_VERIFIER 5
 
 /* Informational contexts for discovered dynamic plugins */
 struct flb_plugin {
@@ -42,6 +43,7 @@ struct flb_plugins {
     struct mk_list processor;
     struct mk_list filter;
     struct mk_list output;
+    struct mk_list network_verifier;
 };
 
 struct flb_plugins *flb_plugin_create();

include/fluent-bit/flb_plugins.h.in

@@ -25,6 +25,7 @@
 #include <fluent-bit/flb_input.h>
 #include <fluent-bit/flb_output.h>
 #include <fluent-bit/flb_filter.h>
+#include <fluent-bit/flb_network_verifier.h>
 #include <fluent-bit/flb_config.h>
 #include <fluent-bit/flb_log.h>
 
@@ -34,6 +35,7 @@ extern struct flb_output_plugin *flb_zig_native_output_plugin_init(void *);
 @FLB_OUT_PLUGINS_DECL@
 @FLB_FILTER_PLUGINS_DECL@
 @FLB_PROCESSOR_PLUGINS_DECL@
+@FLB_NETWORK_VERIFIER_PLUGINS_DECL@
 
 int flb_plugins_register(struct flb_config *config)
 {
@@ -42,12 +44,14 @@ int flb_plugins_register(struct flb_config *config)
     struct flb_output_plugin *out;
     struct flb_filter_plugin *filter;
     struct flb_processor_plugin *processor;
+    struct flb_network_verifier_plugin *network_verifier;
 
 @FLB_CUSTOM_PLUGINS_ADD@
 @FLB_IN_PLUGINS_ADD@
 @FLB_OUT_PLUGINS_ADD@
 @FLB_FILTER_PLUGINS_ADD@
 @FLB_PROCESSOR_PLUGINS_ADD@
+@FLB_NETWORK_VERIFIER_PLUGINS_ADD@
 
     return 0;
 }
@@ -61,6 +65,7 @@ void flb_plugins_unregister(struct flb_config *config)
     struct flb_output_plugin *out;
     struct flb_filter_plugin *filter;
     struct flb_processor_plugin *processor;
+    struct flb_network_verifier_plugin *network_verifier;
 
     mk_list_foreach_safe(head, tmp, &config->custom_plugins) {
         custom = mk_list_entry(head, struct flb_custom_plugin, _head);
@@ -100,6 +105,12 @@ void flb_plugins_unregister(struct flb_config *config)
         mk_list_del(&processor->_head);
         flb_free(processor);
     }
+
+    mk_list_foreach_safe(head, tmp, &config->network_verifier_plugins) {
+        network_verifier = mk_list_entry(head, struct flb_network_verifier_plugin, _head);
+        mk_list_del(&network_verifier->_head);
+        flb_free(network_verifier);
+    }
 }
 
 #endif

include/fluent-bit/flb_stream.h

@@ -48,6 +48,8 @@ struct flb_stream {
     struct flb_net_setup net;
 
     struct mk_list       _head;
+
+    struct flb_network_verifier_instance* verifier_ins;
 };
 
 static inline int flb_stream_is_shutting_down(struct flb_stream *stream)

include/fluent-bit/flb_upstream_node.h

@@ -43,6 +43,7 @@ struct flb_upstream_node {
     char *tls_crt_file;       /* Certificate                  */
     char *tls_key_file;       /* Cert Key                     */
     char *tls_key_passwd;     /* Cert Key Password            */
+    char *network_verifier;   /* Network Verifier alias       */
 
     /* context with mbedTLS contexts and data */
     struct flb_tls *tls;
@@ -74,6 +75,7 @@ struct flb_upstream_node *flb_upstream_node_create(flb_sds_t name, flb_sds_t hos
                                                    const char *tls_crt_file,
                                                    const char *tls_key_file,
                                                    const char *tls_key_passwd,
+                                                   const char *network_verifier,
                                                    struct flb_hash_table *ht,
                                                    struct flb_config *config);
 const char *flb_upstream_node_get_property(const char *prop,

include/fluent-bit/tls/flb_tls.h

@@ -25,6 +25,8 @@
 #include <fluent-bit/flb_info.h>
 #include <fluent-bit/flb_config.h>
 #include <fluent-bit/flb_coro.h>
+#include <fluent-bit/flb_network_verifier.h>
+
 #include <stddef.h>
 
 #define FLB_TLS_ALPN_MAX_LENGTH 16
@@ -69,7 +71,8 @@ struct flb_tls_backend {
     void *(*context_create) (int, int, int,
                              const char *, const char *,
                              const char *, const char *,
-                             const char *, const char *);
+                             const char *, const char *,
+                             const struct flb_network_verifier_instance *);
 
     /* destroy backend context */
     void (*context_destroy) (void *);
@@ -126,7 +129,8 @@ struct flb_tls *flb_tls_create(int mode,
                                const char *vhost,
                                const char *ca_path,
                                const char *ca_file, const char *crt_file,
-                               const char *key_file, const char *key_passwd);
+                               const char *key_file, const char *key_passwd,
+                               const struct flb_network_verifier_instance *conn_ins);
 
 int flb_tls_destroy(struct flb_tls *tls);
 

plugins/CMakeLists.txt

@@ -36,6 +36,43 @@ macro(REGISTER_CUSTOM_PLUGIN name)
   endif()
 endmacro()
 
+
+# REGISTER_NETWORK_VERIFIER_PLUGIN
+macro(REGISTER_NETWORK_VERIFIER_PLUGIN name)
+  string(FIND ${name} "=" pos)
+  if(pos GREATER -1)
+    string(REPLACE "=" ";" list ${name})
+    list(GET list 0 p_name)
+    list(GET list 1 p_path)
+    message(STATUS "EXTERNAL NETWORK_VERIFIER PLUGIN name='${p_name}' path='${p_path}'")
+  else()
+    set(p_name ${name})
+  endif()
+
+  string(TOUPPER ${p_name} NAME)
+  if(FLB_${NAME} OR p_path)
+    set(FLB_NETWORK_VERIFIER_PLUGINS_DECL "${FLB_NETWORK_VERIFIER_PLUGINS_DECL}extern struct flb_network_verifier_plugin ${p_name}_plugin;\n")
+
+    # C code
+    set(C_CODE          "    network_verifier = flb_malloc(sizeof(struct flb_network_verifier_plugin));\n")
+    set(C_CODE "${C_CODE}    if (!network_verifier) {\n")
+    set(C_CODE "${C_CODE}        flb_errno();\n")
+    set(C_CODE "${C_CODE}        return -1;\n")
+    set(C_CODE "${C_CODE}    }\n")
+    set(C_CODE "${C_CODE}    memcpy(network_verifier, &${p_name}_plugin, sizeof(struct flb_network_verifier_plugin));\n")
+    set(C_CODE "${C_CODE}    mk_list_add(&network_verifier->_head, &config->network_verifier_plugins);\n\n")
+
+    set(FLB_NETWORK_VERIFIER_PLUGINS_ADD "${FLB_NETWORK_VERIFIER_PLUGINS_ADD}${C_CODE}")
+
+    if (p_path)
+      add_subdirectory(${p_path} ${p_path})
+    else()
+      add_subdirectory(${p_name})
+    endif()
+    set(flb_plugins "${flb_plugins}flb-plugin-${p_name};")
+  endif()
+endmacro()
+
 # REGISTER_IN_PLUGIN
 macro(REGISTER_IN_PLUGIN name)
   string(FIND ${name} "=" pos)