Add a configuration parameter to choose using exnterprise store or not

Signed-off-by: Hiroshi Hatake <[email protected]>
fluent · Sep 4, 2019 · dd273aa · dd273aa
1 parent 173d950
commit dd273aa
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/lib/fluent/plugin/out_forward.rb b/lib/fluent/plugin/out_forward.rb
@@ -111,6 +111,8 @@ class ForwardOutput < Output
     config_param :tls_cert_thumbprint, :string, default: nil, secret: true
     desc 'The certificate logical store name on Windows system certstore.'
     config_param :tls_cert_logical_store_name, :string, default: nil
+    desc 'Enable to use certificate enterprise store on Windows system certstore.'
+    config_param :tls_cert_use_enterprise_store, :bool, default: true
     desc "Enable keepalive connection."
     config_param :keepalive, :bool, default: false
     desc "Expired time of keepalive. Default value is nil, which means to keep connection as long as possible"
@@ -361,6 +363,7 @@ def create_transfer_socket(host, port, hostname, &block)
           private_key_passphrase: @tls_client_private_key_passphrase,
           cert_thumbprint: @tls_cert_thumbprint,
           cert_logical_store_name: @tls_cert_logical_store_name,
+          cert_use_enterprise_store: @tls_cert_use_enterprise_store,
 
           # Enabling SO_LINGER causes data loss on Windows
           # https://github.com/fluent/fluentd/issues/1968

diff --git a/lib/fluent/plugin_helper/socket.rb b/lib/fluent/plugin_helper/socket.rb
@@ -100,7 +100,8 @@ def socket_create_tls(
           version: TLS_DEFAULT_VERSION, ciphers: CIPHERS_DEFAULT, insecure: false, verify_fqdn: true, fqdn: nil,
           enable_system_cert_store: true, allow_self_signed_cert: false, cert_paths: nil,
           cert_path: nil, private_key_path: nil, private_key_passphrase: nil,
-          cert_thumbprint: nil, cert_store_name: nil, cert_logical_store_name: nil, **kwargs, &block)
+          cert_thumbprint: nil, cert_logical_store_name: nil, cert_use_enterprise_store: true,
+          **kwargs, &block)
 
         host_is_ipaddress = IPAddr.new(host) rescue false
         fqdn ||= host unless host_is_ipaddress
@@ -119,7 +120,8 @@ def socket_create_tls(
             if enable_system_cert_store
               if Fluent.windows? && cert_logical_store_name
                 log.trace "loading Windows system certificate store"
-                loader = Certstore::OpenSSL::Loader.new(log, cert_store, cert_logical_store_name)
+                loader = Certstore::OpenSSL::Loader.new(log, cert_store, cert_logical_store_name,
+                                                        enterprise: cert_use_enterprise_store)
                 loader.load_cert_store
                 cert_store = loader.cert_store
                 context.cert = loader.get_certificate(cert_thumbprint) if cert_thumbprint