logstash-codec-avro 3.4.1-java → 3.5.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 58f5ee3b7dd49fc9d5ea8a85c8b91cd042e67027a6b80440b48f3c943f149397
-  data.tar.gz: f0321dffe64cc44165dd5ccfc95fb4d8b7cbcff561aa8f1a048f7c79f53881ba
+  metadata.gz: f88b7ec7b7a620275c87c502ae364c753450765dc059b0097c99ca1d21ef7d90
+  data.tar.gz: aa5749396621ee5061f10149e4f2d922bcf866421ff68065b2c84c28af60b65f
 SHA512:
-  metadata.gz: 9af8121f74ead4621f3979b638125c209e6790248d81681fdeb060f886d0f84e79cbb560c6c009d1cc21c5e94120e484830dd26186d93a5726c08e2187ab744f
-  data.tar.gz: 13e6a4db21017088f70f062d054625547b728a633788fdd5478f13a81746e9f9f23840cc73140fa8b82617f827c9a746b586b5fca669db300a08ef0209b4b06d
+  metadata.gz: c09cd06cbd9a0b51d54786b05c584d08b6a2b43241554f41a7910378fe2cae9a14c74496b4d0232cb293a74bd8f9117c2b2de8c7afe34803f27504df56d5e256
+  data.tar.gz: d57d16ee2c57f4a98b64bf2a8556f48fc369d36db0ce93604727d24b5d69fc65d776c993ca6c2d222c4bba5607ff370b127c13232f7055829a9918c400beed9a

data/CHANGELOG.md

@@ -1,3 +1,17 @@
+## 3.5.0
+  - Add SSL/TLS support for HTTPS schema registry connections
+    - Add `ssl_enabled` option to enable/disable SSL
+    - Add `ssl_certificate` and `ssl_key` options for PEM-based client authentication (unencrypted keys only)
+    - Add `ssl_certificate_authorities` option for PEM-based server certificate validation
+    - Add `ssl_verification_mode` option to control SSL verification (full, none)
+    - Add `ssl_cipher_suites` option to configure cipher suites
+    - Add `ssl_supported_protocols` option to configure TLS protocol versions (TLSv1.1, TLSv1.2, TLSv1.3)
+    - Add `ssl_truststore_path` and `ssl_truststore_password` options for server certificate validation (JKS/PKCS12)
+    - Add `ssl_keystore_path` and `ssl_keystore_password` options for mutual TLS authentication (JKS/PKCS12)
+    - Add `ssl_truststore_type` and `ssl_keystore_type` options (JKS or PKCS12)
+  - Add HTTP proxy support with `proxy` option
+  - Add HTTP basic authentication support with `username` and `password` options
+
 ## 3.4.1
   - Fixes `(Errno::ENOENT) No such file or directory` error [#43](https://github.com/logstash-plugins/logstash-codec-avro/pull/43)
 

data/docs/index.asciidoc

@@ -83,9 +83,25 @@ output {
 |Setting |Input type|Required
 | <<plugins-{type}s-{plugin}-ecs_compatibility>> | <<string,string>>|No
 | <<plugins-{type}s-{plugin}-encoding>> | <<string,string>>, one of `["binary", "base64"]`|No
+| <<plugins-{type}s-{plugin}-password>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-proxy>> |<<uri,uri>>|No
 | <<plugins-{type}s-{plugin}-schema_uri>> |<<string,string>>|Yes
+| <<plugins-{type}s-{plugin}-ssl_certificate>> |<<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |list of <<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_enabled>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-ssl_key>> |<<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_keystore_password>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-ssl_keystore_path>> |<<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_keystore_type>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_truststore_password>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-ssl_truststore_path>> |<<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_truststore_type>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-ssl_verification_mode>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-tag_on_failure>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-target>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-username>> |<<string,string>>|No
 |=======================================================================
 
 &nbsp;
@@ -112,6 +128,23 @@ Use `base64` (default) to indicate that this codec sends or expects to receive b
 Set this option to `binary` to indicate that this codec sends or expects to receive binary Avro data.
 
 
+[id="plugins-{type}s-{plugin}-password"]
+===== `password`
+
+* Value type is <<password,password>>
+* There is no default value for this setting.
+
+Password for HTTP basic authentication when fetching remote schemas.
+Used together with `username`.
+
+[id="plugins-{type}s-{plugin}-proxy"]
+===== `proxy`
+
+* Value type is <<uri,uri>>
+* There is no default value for this setting.
+
+The address of a forward HTTP proxy to use when contacting a remote schema registry.
+
 [id="plugins-{type}s-{plugin}-schema_uri"]
 ===== `schema_uri` 
 
@@ -134,6 +167,172 @@ example:
 
 tag events with `_avroparsefailure` when decode fails
 
+[id="plugins-{type}s-{plugin}-ssl_certificate"]
+===== `ssl_certificate`
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+
+Path to PEM encoded certificate file for client authentication (mutual TLS).
+You may use this setting or <<plugins-{type}s-{plugin}-ssl_keystore_path>>, but not both simultaneously.
+
+*Example*
+[source,ruby]
+----------------------------------
+ssl_certificate => "/path/to/client.crt"
+----------------------------------
+
+[id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
+===== `ssl_certificate_authorities`
+
+* Value type is a list of <<path,path>>
+* There is no default value for this setting.
+
+Path to PEM encoded CA certificate file(s) for server verification.
+This is an alternative to using <<plugins-{type}s-{plugin}-ssl_truststore_path>>.
+You may use this setting or <<plugins-{type}s-{plugin}-ssl_truststore_path>>, but not both simultaneously.
+
+*Example*
+[source,ruby]
+----------------------------------
+ssl_certificate_authorities => ["/path/to/ca.crt"]
+----------------------------------
+
+[id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
+===== `ssl_cipher_suites`
+
+* Value type is <<array,array>>
+* There is no default value for this setting.
+
+The list of cipher suites to use, listed by priorities.
+Supported cipher suites vary depending on which version of Java is used.
+
+[id="plugins-{type}s-{plugin}-ssl_key"]
+===== `ssl_key`
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+
+Path to PEM encoded private key file for client authentication.
+Must be used together with <<plugins-{type}s-{plugin}-ssl_certificate>>.
+The private key must be unencrypted (passphrase-protected keys are not supported).
+
+*Example*
+[source,ruby]
+----------------------------------
+ssl_key => "/path/to/client.key"
+----------------------------------
+
+[id="plugins-{type}s-{plugin}-ssl_enabled"]
+===== `ssl_enabled`
+
+* Value type is <<boolean,boolean>>
+* There is no default value for this setting.
+
+Enable SSL/TLS secured communication to remote schema registry.
+When using HTTPS schema URIs, SSL is automatically enabled.
+
+[id="plugins-{type}s-{plugin}-ssl_keystore_path"]
+===== `ssl_keystore_path`
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+
+The path to the JKS or PKCS12 keystore file for client certificate authentication.
+Use this when the schema registry requires mutual TLS (mTLS) authentication.
+
+[id="plugins-{type}s-{plugin}-ssl_keystore_password"]
+===== `ssl_keystore_password`
+
+* Value type is <<password,password>>
+* There is no default value for this setting.
+
+The password for the keystore file specified in <<plugins-{type}s-{plugin}-ssl_keystore_path>>.
+
+
+[id="plugins-{type}s-{plugin}-ssl_keystore_type"]
+===== `ssl_keystore_type`
+
+* Value type is <<string,string>>
+* There is no default value for this setting.
+
+The format of the keystore file. It must be either `jks` or `pkcs12`.
+
+[id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
+===== `ssl_supported_protocols`
+
+* Value type is <<array,array>>
+* Default value is `[]` (uses Java defaults)
+* Valid values are: `TLSv1.1`, `TLSv1.2`, `TLSv1.3`
+
+List of allowed SSL/TLS protocol versions.
+When not specified, the JVM defaults are used.
+
+[id="plugins-{type}s-{plugin}-ssl_truststore_path"]
+===== `ssl_truststore_path`
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+
+The path to the JKS or PKCS12 truststore file containing certificates to verify
+the schema registry server's certificate.
+
+*Example*
+[source,ruby]
+----------------------------------
+input {
+  kafka {
+    codec => avro {
+        schema_uri => "https://schema-registry.example.com:8081/schemas/ids/1"
+        ssl_truststore_path => "/path/to/truststore.jks"
+        ssl_truststore_password => "${TRUSTSTORE_PASSWORD}"
+    }
+  }
+}
+----------------------------------
+
+[id="plugins-{type}s-{plugin}-ssl_truststore_password"]
+===== `ssl_truststore_password`
+
+* Value type is <<password,password>>
+* There is no default value for this setting.
+
+The password for the truststore file specified in <<plugins-{type}s-{plugin}-ssl_truststore_path>>.
+
+[id="plugins-{type}s-{plugin}-ssl_truststore_type"]
+===== `ssl_truststore_type`
+
+* Value type is <<string,string>>
+* There is no default value for this setting.
+
+The format of the truststore file. It must be either `jks` or `pkcs12`.
+
+[id="plugins-{type}s-{plugin}-ssl_verification_mode"]
+===== `ssl_verification_mode`
+
+* Value type is <<string,string>>
+* Default value is `"full"`
+* Valid options are: `full`, `none`
+
+Options to verify the server's certificate:
+
+* `full`: Validates that the provided certificate has an issue date that's within the not_before and not_after dates; chains to a trusted Certificate Authority (CA); has a hostname or IP address that matches the names within the certificate. (recommended)
+* `none`: Performs no certificate validation. **Warning:** Disabling this severely compromises security (https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf)
+
+*Example*
+[source,ruby]
+----------------------------------
+input {
+  kafka {
+    codec => avro {
+        schema_uri => "https://schema-registry.example.com:8081/schemas/ids/1"
+        ssl_certificate_authorities => ["/path/to/ca.crt"]
+        ssl_verification_mode => "full"
+    }
+  }
+}
+----------------------------------
+
 [id="plugins-{type}s-{plugin}-target"]
 ===== `target`
 
@@ -156,3 +355,26 @@ input {
   }
 }
 ----------------------------------
+
+[id="plugins-{type}s-{plugin}-username"]
+===== `username`
+
+* Value type is <<string,string>>
+* There is no default value for this setting.
+
+Username for HTTP basic authentication when fetching remote schemas.
+Used together with `password`.
+
+*Example*
+[source,ruby]
+----------------------------------
+input {
+  kafka {
+    codec => avro {
+        schema_uri => "https://schema-registry.example.com:8081/schemas/ids/1"
+        username => "registry_user"
+        password => "${REGISTRY_PASSWORD}"
+    }
+  }
+}
+----------------------------------

data/lib/logstash/codecs/avro.rb

@@ -1,7 +1,9 @@
 # encoding: utf-8
 require "open-uri"
+require "manticore"
 require "avro"
 require "base64"
+require "json"
 require "logstash/codecs/base"
 require "logstash/event"
 require "logstash/timestamp"
@@ -50,6 +52,17 @@ require 'logstash/plugin_mixins/event_support/event_factory_adapter'
 # }
 # ----------------------------------
 class LogStash::Codecs::Avro < LogStash::Codecs::Base
+  class BadResponseCodeError < LogStash::Error
+    attr_reader :code, :message, :uri
+
+    def initialize(code, message, uri)
+      @code = code
+      @message = message
+      @uri = uri
+      super("HTTP #{code}: #{message} (#{uri})")
+    end
+  end
+
   config_name "avro"
 
   include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1, :v8 => :v1)
@@ -84,9 +97,59 @@ class LogStash::Codecs::Avro < LogStash::Codecs::Base
   # NOTE: the target is only relevant while decoding data into a new event.
   config :target, :validate => :field_reference
 
-  def open_and_read(uri_string)
-    URI.open(uri_string, &:read)
-  end
+  # Proxy server URL for schema registry connections
+  config :proxy, :validate => :uri
+
+  # Username for HTTP basic authentication
+  config :username, :validate => :string
+
+  # Password for HTTP basic authentication
+  config :password, :validate => :password
+
+  # Enable SSL/TLS secured communication to remote schema registry
+  config :ssl_enabled, :validate => :boolean
+
+  # PEM-based SSL configuration (alternative to keystore/truststore)
+  # Path to PEM encoded certificate file for client authentication
+  config :ssl_certificate, :validate => :path
+
+  # Path to PEM encoded private key file for client authentication
+  config :ssl_key, :validate => :path
+
+  # Path to PEM encoded CA certificate file(s) for server verification
+  # Can be a single file or directory containing multiple CA certificates
+  config :ssl_certificate_authorities, :validate => :path, :list => true
+
+  # Options to verify the server's certificate.
+  # "full": validates that the provided certificate has an issue date that’s within the not_before and not_after dates;
+  # chains to a trusted Certificate Authority (CA); has a hostname or IP address that matches the names within the certificate.
+  # "none": performs no certificate validation. Disabling this severely compromises security (https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf)
+  config :ssl_verification_mode, :validate => %w[full none]
+
+  # The keystore path
+  config :ssl_keystore_path, :validate => :path
+
+  # The keystore password
+  config :ssl_keystore_password, :validate => :password
+
+  # Keystore type (jks or pkcs12)
+  config :ssl_keystore_type, :validate => %w[jks pkcs12]
+
+  # The truststore path
+  config :ssl_truststore_path, :validate => :path
+
+  # The truststore password
+  config :ssl_truststore_password, :validate => :password
+
+  # Truststore type (jks or pkcs12)
+  config :ssl_truststore_type, :validate => %w[jks pkcs12]
+
+  # The list of cipher suites to use, listed by priorities.
+  # Supported cipher suites vary depending on which version of Java is used.
+  config :ssl_cipher_suites, :validate => :string, :list => true
+
+  # SSL supported protocols
+  config :ssl_supported_protocols, :validate => %w[TLSv1.1 TLSv1.2 TLSv1.3], :list => true
 
   public
   def initialize(*params)
@@ -95,7 +158,7 @@ class LogStash::Codecs::Avro < LogStash::Codecs::Base
   end
 
   def register
-    @schema = Avro::Schema.parse(open_and_read(schema_uri))
+    @schema = Avro::Schema.parse(fetch_schema(schema_uri))
   end
 
   public
@@ -129,6 +192,186 @@ class LogStash::Codecs::Avro < LogStash::Codecs::Base
       @on_event.call(event, Base64.strict_encode64(buffer.string))
     else
       @on_event.call(event, buffer.string)
-    end  
+    end
+  end
+
+  private
+  def fetch_schema(uri_string)
+    http_connection = uri_string.start_with?('http://')
+    https_connection = uri_string.start_with?('https://')
+
+    if http_connection
+      ssl_config_provided = original_params.keys.select {|k| k.start_with?("ssl_") && k != "ssl_enabled" }
+      if ssl_config_provided.any?
+        raise_config_error! "When SSL is disabled, the following provided parameters are not allowed: #{ssl_config_provided}"
+      end
+
+      credentials_configured = @username && @password
+      @logger.warn("Credentials are being sent over unencrypted HTTP. This may bring security risk.") if credentials_configured
+      fetch_remote_schema(uri_string)
+    elsif https_connection
+      validate_ssl_settings!
+      fetch_remote_schema(uri_string)
+    else
+      # local schema
+      URI.open(uri_string, &:read)
+    end
+  end
+
+  def fetch_remote_schema(uri_string)
+    client = nil
+    client_options = {}
+
+    if @proxy && !@proxy.empty?
+      client_options[:proxy] = @proxy.to_s
+    end
+
+    basic_auth_options = build_basic_auth
+    client_options[:auth] = basic_auth_options unless basic_auth_options.empty?
+
+    if @ssl_enabled
+      ssl_options = build_ssl_options
+      client_options[:ssl] = ssl_options unless ssl_options.empty?
+    end
+
+    client = Manticore::Client.new(client_options)
+
+    @logger.debug("Fetching schema from #{uri_string}")
+
+    max_retries = 3
+    retry_count = 0
+    body = nil
+
+    begin
+      response = client.get(uri_string).call
+
+      unless response.code == 200
+        @logger.error("Failed to fetch schema from #{uri_string}: #{response.code} - #{response.message}")
+        raise BadResponseCodeError.new(response.code, response.message, uri_string)
+      end
+
+      body = response.body
+
+      # Parse and extract schema
+      parsed = JSON.parse(body)
+      return parsed.is_a?(Hash) && parsed.has_key?('schema') ? parsed['schema'] : body
+
+    rescue JSON::ParserError
+      return body
+    rescue Manticore::ManticoreException, BadResponseCodeError => e
+      # 4xx don't retry
+      if e.is_a?(BadResponseCodeError) && e.code >= 400 && e.code < 500
+        @logger.error("Failed to fetch schema from #{uri_string}: #{e.code} - #{e.message}")
+        raise
+      end
+
+      # retry block
+      retry_count += 1
+      if retry_count < max_retries
+        backoff_time = 2 ** (retry_count)  # Exponential backoff: 1s, 2s, 4s
+        @logger.warn("Attempt #{retry_count}/#{max_retries} failed for #{uri_string}: #{e.class} - #{e.message}. Retrying in #{backoff_time}s...")
+        sleep(backoff_time)
+        retry
+      else
+        @logger.error("Failed to fetch schema from #{uri_string} after #{max_retries} attempts: #{e.class} - #{e.message}")
+        raise
+      end
+    end
+  ensure
+    client.close if client
+  end
+
+  def build_basic_auth
+    if !@username && !@password
+      return {}
+    end
+
+    raise LogStash::ConfigurationError, "`username` requires `password`" if @username && !@password
+    raise LogStash::ConfigurationError, "`password` is not allowed unless `username` is specified" if !@username && @password
+
+    raise LogStash::ConfigurationError, "Empty `username` or `password` is not allowed" if @username.empty? || @password.value.empty?
+
+    {:user => @username, :password => @password.value}
+  end
+
+  def validate_ssl_settings!
+    @ssl_enabled = true if @ssl_enabled.nil?
+    raise_config_error! "Secured #{@schema_uri} connection requires `ssl_enabled => true`. " unless @ssl_enabled
+    @ssl_verification_mode = "full".freeze if @ssl_verification_mode.nil?
+
+    # optional: presenting our identity
+    raise_config_error! "`ssl_certificate` and `ssl_keystore_path` cannot be used together." if @ssl_certificate && @ssl_keystore_path
+    raise_config_error! "`ssl_certificate` requires `ssl_key`" if @ssl_certificate && !@ssl_key
+    ensure_readable_and_non_writable! "ssl_certificate", @ssl_certificate if @ssl_certificate
+
+    raise_config_error! "`ssl_key` is not allowed unless `ssl_certificate` is specified" if @ssl_key && !@ssl_certificate
+    ensure_readable_and_non_writable! "ssl_key", @ssl_key if @ssl_key
+
+    raise_config_error! "`ssl_keystore_password` is not allowed unless `ssl_keystore_path` is specified" if @ssl_keystore_password && !@ssl_keystore_path
+    raise_config_error! "`ssl_keystore_password` cannot be empty" if @ssl_keystore_password && @ssl_keystore_password.value.empty?
+    raise_config_error! "`ssl_keystore_type` is not allowed unless `ssl_keystore_path` is specified" if @ssl_keystore_type && !@ssl_keystore_path
+
+    ensure_readable_and_non_writable! "ssl_keystore_path", @ssl_keystore_path if @ssl_keystore_path
+
+    # establishing trust of the server we connect to
+    # system-provided trust requires verification mode enabled
+    if @ssl_verification_mode == "none"
+      raise_config_error! "`ssl_truststore_path` requires `ssl_verification_mode` to be `full`" if @ssl_truststore_path
+      raise_config_error! "`ssl_truststore_password` requires `ssl_truststore_path` and `ssl_verification_mode => 'full'`" if @ssl_truststore_password
+      raise_config_error! "`ssl_certificate_authorities` requires `ssl_verification_mode` to be `full`" if @ssl_certificate_authorities
+    end
+
+    raise_config_error! "`ssl_truststore_path` and `ssl_certificate_authorities` cannot be used together." if @ssl_truststore_path && @ssl_certificate_authorities
+    ensure_readable_and_non_writable! "ssl_truststore_path", @ssl_truststore_path if @ssl_truststore_path
+
+    raise_config_error! "`ssl_truststore_password` is not allowed unless `ssl_truststore_path` is specified" if !@ssl_truststore_path && @ssl_truststore_password
+    raise_config_error! "`ssl_truststore_password` cannot be empty" if @ssl_truststore_password && @ssl_truststore_password.value.empty?
+
+    if !@ssl_truststore_path && @ssl_certificate_authorities&.empty?
+      raise_config_error! "`ssl_certificate_authorities` cannot be empty"
+    end
+
+    if @ssl_certificate_authorities && !@ssl_certificate_authorities.empty?
+      raise_config_error! "Multiple values on `ssl_certificate_authorities` are not supported by this plugin" if @ssl_certificate_authorities.size > 1
+      ensure_readable_and_non_writable! "ssl_certificate_authorities", @ssl_certificate_authorities.first
+    end
+  end
+
+  def build_ssl_options
+    ssl_options = {}
+
+    ssl_options[:client_cert] = @ssl_certificate if @ssl_certificate
+    ssl_options[:client_key] = @ssl_key if @ssl_key
+
+    ssl_options[:ca_file] = @ssl_certificate_authorities&.first if @ssl_certificate_authorities
+
+    ssl_options[:cipher_suites] = @ssl_cipher_suites if @ssl_cipher_suites
+
+    ssl_options[:verify] = :default if @ssl_verification_mode == 'full'
+    ssl_options[:verify] = :disable if @ssl_verification_mode == 'none'
+
+    ssl_options[:keystore] = @ssl_keystore_path if @ssl_keystore_path
+    ssl_options[:keystore_password] = @ssl_keystore_password&.value if @ssl_keystore_path && @ssl_keystore_password
+    ssl_options[:keystore_type] = @ssl_keystore_type.downcase if @ssl_keystore_path && @ssl_keystore_type
+
+    ssl_options[:truststore] = @ssl_truststore_path if @ssl_truststore_path
+    ssl_options[:truststore_password] = @ssl_truststore_password&.value if @ssl_truststore_path && @ssl_truststore_password
+    ssl_options[:truststore_type] = @ssl_truststore_type.downcase if @ssl_truststore_path && @ssl_truststore_type
+
+    ssl_options[:protocols] = @ssl_supported_protocols if @ssl_supported_protocols && @ssl_supported_protocols&.any?
+
+    ssl_options
+  end
+
+  ##
+  # @param message [String]
+  # @raise [LogStash::ConfigurationError]
+  def raise_config_error!(message)
+    raise LogStash::ConfigurationError, message
+  end
+
+  def ensure_readable_and_non_writable!(name, path)
+    raise_config_error! "Specified #{name} #{path} path must be readable." unless File.readable?(path)
+    raise_config_error! "Specified #{name} #{path} path must not be writable." if File.writable?(path)
   end
 end

data/logstash-codec-avro.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-codec-avro'
-  s.version         = '3.4.1'
+  s.version         = '3.5.0'
   s.platform        = 'java'
   s.licenses        = ['Apache-2.0']
   s.summary         = "Reads serialized Avro records as Logstash events"
@@ -23,6 +23,7 @@ Gem::Specification.new do |s|
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
   s.add_runtime_dependency "avro", "~> 1.10.2" #(Apache 2.0 license)
+  s.add_runtime_dependency "manticore", '>= 0.8.0', '< 1.0.0'
   s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~> 1.3'
   s.add_runtime_dependency 'logstash-mixin-event_support', '~> 1.0'
   s.add_runtime_dependency 'logstash-mixin-validator_support', '~> 1.0'