fluent-plugin-jwt-filter 0.0.1
- checksums.yaml +7 -0
- data/.gitignore +36 -0
- data/Gemfile +4 -0
- data/LICENSE +21 -0
- data/README.md +93 -0
- data/Rakefile +10 -0
- data/fluent-plugin-jwt-filter.gemspec +28 -0
- data/lib/fluent/plugin/filter_jwt.rb +104 -0
- metadata +109 -0
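--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: c1a845ef248b3483055373fe08f0983fc53722c9
+data.tar.gz: bb38737a51bbff5dd75c89bf64aa370a564ec73b
+SHA512:
+metadata.gz: 3f7141152a8eb55f6cdb876cd11cf6c9de7aa8f537f40349ecdece86675f75ff41b5301cd6efb78b53440ee5ff534332afea3ca3244eac23f6d9c7e446e26dce
+data.tar.gz: 24fdd23f753ac3783a92b657ca1579913741bf6e54298e803541d363f1f857b95fa89e630c0ccb245a37ad8fb025f451355d7f6b253af8f45235ad56ab6a2853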
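--- a/data/.gitignore
+++ b/data/.gitignore
@@ -0,0 +1,36 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+# .ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc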
data/Gemfile
ADDED
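--- a/data/LICENSE
+++ b/data/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Toyokazu Akiyama
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.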
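--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,93 @@
+# Fluent::Plugin::Jwt::Filter
+
+Fluent Filter plugin for encrypting and decrypting messages using JSON Web Token technology (JSON Web Encryption, JSON Web Signature and JSON Web Key). This plugin uses [json-jwt](https://github.com/nov/json-jwt) to encrypt/decrypt messages.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+gem 'fluent-plugin-jwt-filter'
+
+And then execute:
+
+bundle
+
+Or install it yourself as:
+
+gem install fluent-plugin-jwt-filter
+
+## Usage
+
+fluent-plugin-jwt-filter provides encrypt and decrypt of messages.
+
+<filter test>
+@type jwt
+method encrypt
+</filter>
+
+Encrypt/Decrypt can be selected by **method** option.
+
+### Encryption
+
+In the following example, input from in_tail plugin is encrypted by jwt-filter and then outputted by out_forward plugin.
+
+<source>
+@type tail
+path /tmp/test.log
+pos_file /tmp/test.log.pos
+tag test
+format json
+</source>
+
+<filter test>
+@type jwt
+method encrypt
+</filter>
+
+<match test>
+@type forward
+<server>
+host ::1
+port 24224
+</server>
+</match>
+
+For encryption, the following options are available.
+
+- **jwk_pub_file**: is a file name which records public key of JSON Web Key (JWK). JWK public and private key can be easily generated by [jwk_tool](https://github.com/toyokazu/jwk-tool).
+- **block_cipher_alg**: is an algorithm to encrypt the contents. Block cipher is used for encryption and symmetric key of block cipher is encrypted by key encryption algorithm. Currently json-jwt supports A128GCM, A256GCM, A128CBC-HS256 and A256CBC-HS512 (default A128GCM and require "ruby > 2.0.0").
+- **key_encryption_alg**: is an algorithm to encrypt block cipher encryption key. Basically public key algorithm is assumed. If JWK is created as symmetric key, this option is not required (default RSA1_5).
+
+<filter test>
+@type jwt
+jwk_pub_file fluent/key.pub
+block_cipher_alg A128GCM
+key_encryption_alg RSA1_5
+</filter>
+
+
+### Decryption
+
+In the following example, input from in_forward plugin is decrypted by jwt-filter and then outputted by out_stdout plugin.
+
+<source>
+@type forward
+port 24224
+bind ::1
+</source>
+
+<filter test>
+@type jwt
+method decrypt
+</filter>
+
+<match test>
+type stdout
+</match>
+
+For decryption, the following options are available.
+
+config_param :method, :string, :default => "encrypt"
+config_param :jwk_file, :string, :default => "key"
+
+- **jwk_file**: is a file name which records private key of JSON Web Key (JWK). As already mentioned in Encryption section, JWK public and private key can be easily generated by [jwk_tool](https://github.com/toyokazu/jwk-tool).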
data/Rakefile
ADDED
@@ -0,0 +1,28 @@
|
|
1
|
+
# coding: utf-8
|
2
|
+
lib = File.expand_path('../lib', __FILE__)
|
3
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
4
|
+
|
5
|
+
Gem::Specification.new do |spec|
|
6
|
+
spec.name = "fluent-plugin-jwt-filter"
|
7
|
+
spec.version = "0.0.1"
|
8
|
+
spec.authors = ["Toyokazu Akiyama"]
|
9
|
+
spec.email = ["toyokazu@gmail.com"]
|
10
|
+
|
11
|
+
spec.summary = %q{Fluent Filter plugin for encrypting and decrypting messages using JSON Web Token technology (JSON Web Encryption, JSON Web Signature and JSON Web Key)}
|
12
|
+
spec.description = %q{Fluent Filter plugin for encrypting and decrypting messages using JSON Web Token technology (JSON Web Encryption, JSON Web Signature and JSON Web Key)}
|
13
|
+
spec.homepage = "https://github.com/toyokazu/fluent-plugin-jwt-formatter"
|
14
|
+
spec.license = "MIT"
|
15
|
+
|
16
|
+
spec.files = `git ls-files`.gsub(/images\/[\w\.]+\n/, "").split($/)
|
17
|
+
spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
|
18
|
+
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
|
19
|
+
spec.require_paths = ["lib"]
|
20
|
+
|
21
|
+
spec.required_ruby_version = '>= 2.0.0'
|
22
|
+
|
23
|
+
spec.add_dependency 'fluentd', '>= 0.10.0'
|
24
|
+
spec.add_runtime_dependency("json-jwt", [">= 1.5.2"])
|
25
|
+
|
26
|
+
spec.add_development_dependency "bundler", "~> 1.10"
|
27
|
+
spec.add_development_dependency "rake", "~> 10.0"
|
28
|
+
end
|
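Review bot: `spec.add_dependency 'fluentd', '>= 0.10.0'` admits Fluentd releases that predate the filter plugin API this gem is built on (`class JwtFilter < Filter`, `Plugin.register_filter`), which as far as I know arrived in v0.12, so the floor should be `'>= 0.12.0'`. The `json-jwt` requirement `>= 1.5.2` has no upper bound, so a future major release of the library that does all the cryptography here would be installed without review; a pessimistic constraint such as `'~> 1.5', '>= 1.5.2'` keeps those upgrades deliberate. `spec.homepage` names `fluent-plugin-jwt-formatter` while the gem is `fluent-plugin-jwt-filter`, which is worth confirming because that link is where users go to audit the source. This hunk is printed under the `data/Rakefile` header, but its content and 28-line count match the gemspec in the file list.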
@@ -0,0 +1,104 @@
|
|
1
|
+
require 'json/jwt'
|
2
|
+
module Fluent
|
3
|
+
# JwtFilter
|
4
|
+
# Encrypt/Decript JSON message using JSON Web Token Technology
|
5
|
+
# For encryption, JSON Web Key (public) is used
|
6
|
+
# For decryption, JSON Web Key (private) is used
|
7
|
+
# Currently symmetric key is not supported in JSON Web Key (TODO)
|
8
|
+
#
|
9
|
+
# Example encrypted JSON message is as follows:
|
10
|
+
# {
|
11
|
+
# "protected": "eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiUlNBMV81In0",
|
12
|
+
# "encrypted_key": "P8dKW8KE5nJm7s9GDENrcSW2iNw0Fo4FqDxRwyr6JSGCPCwjc_agoEq7O8xhWX_WoRZin90ORPP1oO5_kavTIcppnRcmquxm1jhQtKk77-HN9Efo7DQf3yfgdnD7xv-M1I_rCPeHVFm33BNB6TIhCo1fUfhEUM8GjjC8PLFFwOcDUNf1vw1-WjUqMhUf-b45s6CHhYdpDqzs7GYuovDo0LMeFeBSc4Xntw_vWPMeHxsuVyuZpDHUQm-dX5wnmQ4UhZPzEhkkVJw1oz2uTMjcl6mi1bucKGy1zNaGN-JEhg5_2QgijqTxRtJgOBlVtHLJ5HABT4tI6-v06M3dPryz5w",
|
13
|
+
# "iv": "xYk2s_39pHvLBZy3",
|
14
|
+
# "ciphertext": "taCQAMBZtKgQfh5LaWs",
|
15
|
+
# "tag": "nbWyhG82A-eCJMvdhbrSJw"
|
16
|
+
# }
|
17
|
+
class JwtFilter < Filter
|
18
|
+
# Register this filter as "jwt"
|
19
|
+
Plugin.register_filter("jwt", self)
|
20
|
+
|
21
|
+
config_param :method, :string, :default => "encrypt"
|
22
|
+
config_param :jwk_file, :string, :default => "key"
|
23
|
+
config_param :jwk_pub_file, :string, :default => "key.pub"
|
24
|
+
config_param :block_cipher_alg, :string, :default => "A128GCM"
|
25
|
+
config_param :key_encryption_alg, :string, :default => "RSA1_5"
|
26
|
+
|
27
|
+
def not_supported_error
|
28
|
+
$log.error "JwtFilter: Not supported method is specified"
|
29
|
+
end
|
30
|
+
|
31
|
+
# This method is called after config_params have read configuration parameters
|
32
|
+
def configure(conf)
|
33
|
+
super
|
34
|
+
begin
|
35
|
+
case @method
|
36
|
+
when "encrypt"
|
37
|
+
# read public key from file
|
38
|
+
@jwk_pub = JSON::JWK.new(JSON.parse(open(@jwk_pub_file).read))
|
39
|
+
when "decrypt"
|
40
|
+
# read private key from file
|
41
|
+
@jwk = JSON::JWK.new(JSON.parse(open(@jwk_file).read))
|
42
|
+
else
|
43
|
+
not_supported_error
|
44
|
+
end
|
45
|
+
rescue JSON::ParserError => e
|
46
|
+
$log.error "JSON Web Key parse error", :error => e.to_s
|
47
|
+
$log.debug_backtrace(e.backtrace)
|
48
|
+
end
|
49
|
+
end
|
50
|
+
|
51
|
+
def start
|
52
|
+
super
|
53
|
+
end
|
54
|
+
|
55
|
+
def shutdown
|
56
|
+
super
|
57
|
+
end
|
58
|
+
|
59
|
+
def filter(tag, time, record)
|
60
|
+
case @method
|
61
|
+
when "encrypt"
|
62
|
+
encrypt(record)
|
63
|
+
when "decrypt"
|
64
|
+
decrypt(record)
|
65
|
+
else
|
66
|
+
not_supported_error
|
67
|
+
end
|
68
|
+
end
|
69
|
+
|
70
|
+
# This is the method that formats the data output.
|
71
|
+
def encrypt(record)
|
72
|
+
begin
|
73
|
+
# encrypt JSON format record
|
74
|
+
jwe = JSON::JWE.new(record.to_json)
|
75
|
+
# choose block cipher algorithm
|
76
|
+
jwe.enc = @block_cipher_alg.to_sym
|
77
|
+
# choose cipher algorithm for encrypting block cipher key (symmetric cipher key)
|
78
|
+
jwe.alg = @key_encryption_alg.to_sym
|
79
|
+
# encryption
|
80
|
+
jwe.encrypt!(@jwk_pub.to_key)
|
81
|
+
# output the result in JSON format
|
82
|
+
jwe.as_json
|
83
|
+
rescue Exception => e
|
84
|
+
$log.error "Error", :error => e.to_s
|
85
|
+
$log.debug_backtrace(e.backtrace)
|
86
|
+
end
|
87
|
+
end
|
88
|
+
|
89
|
+
def decrypt(record)
|
90
|
+
begin
|
91
|
+
# decrypt JSON format cipher data
|
92
|
+
jwe_dec = JSON::JWE.decode_json_serialized(record, @jwk.to_key)
|
93
|
+
$log.debug jwe_dec.plain_text
|
94
|
+
JSON.parse(jwe_dec.plain_text)
|
95
|
+
rescue JSON::ParserError => e
|
96
|
+
$log.error "Message parse error", :error => e.to_s
|
97
|
+
$log.debug_backtrace(e.backtrace)
|
98
|
+
rescue Exception => e
|
99
|
+
$log.error "Error", :error => e.to_s
|
100
|
+
$log.debug_backtrace(e.backtrace)
|
101
|
+
end
|
102
|
+
end
|
103
|
+
end
|
104
|
+
end
|
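Review bot: `decrypt` writes every decrypted payload to the log with `$log.debug jwe_dec.plain_text`, so turning on debug logging copies the plaintext this filter exists to protect into the Fluentd log; that line should be dropped, or reduced to a byte count. `configure` also lets a broken setup start: an unparsable key file or an unknown `method` is only logged, which leaves `@jwk`/`@jwk_pub` unset so that every later record ends in the `rescue Exception` branch of `encrypt`/`decrypt`, and the key is read with `Kernel#open`, which on the Ruby versions this gem targets runs a path beginning with `|` as a command. Raising `ConfigError` and reading with `File.read`, as sketched below, makes a bad deployment stop at startup. Separately, the `RSA1_5` default for `key_encryption_alg` is PKCS#1 v1.5 key wrapping, which is exposed to padding-oracle attacks when decryption failures are distinguishable; `RSA-OAEP` would be the safer default if the json-jwt version in use supports it, and `rescue Exception` should be `rescue StandardError` so that signals and interpreter errors are not swallowed.

```ruby
def configure(conf)
  super
  case @method
  when "encrypt"
    @jwk_pub = load_jwk(@jwk_pub_file)
  when "decrypt"
    @jwk = load_jwk(@jwk_file)
  else
    raise ConfigError, "JwtFilter: unsupported method #{@method.inspect}"
  end
end

# Reads and parses a JWK file; any failure aborts configuration.
def load_jwk(path)
  JSON::JWK.new(JSON.parse(File.read(path)))
rescue JSON::ParserError, SystemCallError => e
  raise ConfigError, "JwtFilter: cannot load JSON Web Key from #{path}: #{e}"
end
```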
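--- a/metadata
+++ b/metadata
@@ -0,0 +1,109 @@
+--- !ruby/object:Gem::Specification
+name: fluent-plugin-jwt-filter
+version: !ruby/object:Gem::Version
+version: 0.0.1
+platform: ruby
+authors:
+- Toyokazu Akiyama
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2016-03-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: fluentd
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 0.10.0
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 0.10.0
+- !ruby/object:Gem::Dependency
+name: json-jwt
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.5.2
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.5.2
+- !ruby/object:Gem::Dependency
+name: bundler
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.10'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.10'
+- !ruby/object:Gem::Dependency
+name: rake
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '10.0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '10.0'
+description: Fluent Filter plugin for encrypting and decrypting messages using JSON
+Web Token technology (JSON Web Encryption, JSON Web Signature and JSON Web Key)
+email:
+- toyokazu@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- fluent-plugin-jwt-filter.gemspec
+- lib/fluent/plugin/filter_jwt.rb
+homepage: https://github.com/toyokazu/fluent-plugin-jwt-formatter
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 2.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.4.5.1
+signing_key:
+specification_version: 4
+summary: Fluent Filter plugin for encrypting and decrypting messages using JSON Web
+Token technology (JSON Web Encryption, JSON Web Signature and JSON Web Key)
+test_files: []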