RubyGems - logstash-filter-cipher - Versions diffs - 2.0.6 → 4.0.1 - Mend

logstash-filter-cipher 2.0.6 → 4.0.1

Files changed (8) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +29 -8
data/LICENSE +199 -10
data/docs/index.asciidoc +53 -73
data/lib/logstash/filters/cipher.rb +132 -114
data/logstash-filter-cipher.gemspec +5 -3
data/spec/filters/cipher_spec.rb +124 -195
metadata +28 -6

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: cbca0f8a8e9f7238c622ddddd6b3bea364bc7593
-  data.tar.gz: 25501d5359ee6bd2294ef782c9d24845fe0a7880
+SHA256:
+  metadata.gz: 46b796b1a113a179ffd905368531092245493669a2cd8f9ad7a40f5a70bf93c0
+  data.tar.gz: d8cdd9b1516c58531124337c8a80c084ce1b64e34b1a9fc2bafc13f95a899b2d
 SHA512:
-  metadata.gz: 356b67cc860424b7da5c28f865de3faea3d1db4fdafee60cabcc64c960762319d39d6d8050cdcb182d0fea116d8893f476b1a14301558b9b37b2ed97eadc24ba
-  data.tar.gz: 9686860078d4b348ed59d19643cbc4d30dfbc60b13a604da32e41f0341e616031eef0c4e0e17cd92871a0aa0689cfa28921e60602ed88533c8da7cc77739ea3a
+  metadata.gz: 87e5034edcfdc5d8f2a6e41e41e92dd0b775e26dd463f167e026bfa4a543a37a9a07bed65882fa72206c893a7c9962657434af4f4013dd166a184a5deb02a6ad
+  data.tar.gz: 6e79143228ccef00b0495d446c5780683e6c94cc8ce67e12781c0f24a780cc2ac62a68e3be289dc232df1995b879a8407468f33b57e924f2dc9b11a6ee8d539e

data/CHANGELOG.md CHANGED

@@ -1,12 +1,33 @@
-# 2.0.5
-  - Depend on logstash-core-plugin-api instead of logstash-core, removing the need to mass update plugins on major releases of logstash
-# 2.0.4
-  - New dependency requirements for logstash-core for the 5.0 release
+## 4.0.1
+  - General improvements to code and docs [#29](https://github.com/logstash-plugins/logstash-filter-cipher/pull/29)
+    - Fixed threadsafety; this plugin can now be used in pipelines with more than one worker.
+    - Fixed a potential leak of the configured key into logs; the key is now only included if trace-level logging is enabled.
+    - Fixed an issue where configurations that used invalid `mode` or `algorithm` settings could produce unhelpful error messages.
+    - Fixed an issue where a bad payload could cause the plugin to crash; when exceptions are encountered, the offending event will now be tagged with `_cipherfiltererror`.
+    - Improved documentation substantially.
+## 4.0.0
+  - Removed obsolete iv field
+## 3.0.1
+  - Update gemspec summary
+## 3.0.0
+  - Mark deprecated iv field obsolete
+## 2.0.7
+  - Fix some documentation issues
+## 2.0.5
+ - internal,deps: Depend on logstash-core-plugin-api instead of logstash-core, removing the need to mass update plugins on major releases of logstash
+## 2.0.4
+ - internal,deps: New dependency requirements for logstash-core for the 5.0 release
 ## 2.0.3
- - fixes base64 encoding issue, adds support for random IVs
+ - bugfix: fixes base64 encoding issue, adds support for random IVs
 ## 2.0.0
- - Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully,
+ - internal: Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully,
    instead of using Thread.raise on the plugins' threads. Ref: https://github.com/elastic/logstash/pull/3895
- - Dependency on logstash-core update to 2.0
+ - internal,deps: Dependency on logstash-core update to 2.0

data/LICENSE CHANGED

@@ -1,13 +1,202 @@
-Copyright (c) 2012–2016 Elasticsearch <http://www.elastic.co>
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
-    http://www.apache.org/licenses/LICENSE-2.0
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+   1. Definitions.
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+   END OF TERMS AND CONDITIONS
+   APPENDIX: How to apply the Apache License to your work.
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+   Copyright 2020 Elastic and contributors
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+       http://www.apache.org/licenses/LICENSE-2.0
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/docs/index.asciidoc CHANGED

@@ -12,7 +12,7 @@ START - GENERATED VARIABLES, DO NOT EDIT!
 END - GENERATED VARIABLES, DO NOT EDIT!
 ///////////////////////////////////////////
-[id="plugins-{type}-{plugin}"]
+[id="plugins-{type}s-{plugin}"]
 === Cipher filter plugin
@@ -23,6 +23,9 @@ include::{include_path}/plugin_header.asciidoc[]
 This filter parses a source and apply a cipher or decipher before
 storing it in the target.
+NOTE: Prior to version 4.0.1, this plugin was not thread-safe and
+      could not safely be used with multiple pipeline workers.
 [id="plugins-{type}s-{plugin}-options"]
 ==== Cipher Filter Configuration Options
@@ -37,7 +40,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-cipher_padding>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-iv_random_length>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-key>> |<<string,string>>|No
-| <<plugins-{type}s-{plugin}-key_pad>> |<<,>>|No
+| <<plugins-{type}s-{plugin}-key_pad>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-key_size>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-max_cipher_reuse>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-mode>> |<<string,string>>|Yes
@@ -57,89 +60,63 @@ filter plugins.
   * Value type is <<string,string>>
   * There is no default value for this setting.
-The cipher algorithm
+The cipher algorithm to use for encryption and decryption operations.
-A list of supported algorithms can be obtained by
-[source,ruby]
-    puts OpenSSL::Cipher.ciphers
+A list of supported algorithms depends on the versions of Logstash, JRuby, and Java this plugin is running in, but can be obtained by running:
+[source,sh]
+    cd $LOGSTASH_HOME # <-- your Logstash distribution root
+    bin/ruby -ropenssl -e 'puts OpenSSL::Cipher.ciphers'
 [id="plugins-{type}s-{plugin}-base64"]
 ===== `base64`
   * Value type is <<boolean,boolean>>
   * Default value is `true`
-Do we have to perform a `base64` decode or encode?
-If we are decrypting, `base64` decode will be done before.
-If we are encrypting, `base64` will be done after.
+  * Unless this option is disabled:
+  ** When <<plugins-{type}s-{plugin}-mode,`mode => encrypt`>>, the source ciphertext will be `base64`-decoded before it is deciphered.
+  ** When <<plugins-{type}s-{plugin}-mode,`mode => decrypt`>>, the result ciphertext will be `base64`-encoded before it is stored.
 [id="plugins-{type}s-{plugin}-cipher_padding"]
 ===== `cipher_padding`
   * Value type is <<string,string>>
+  ** `0`: means `false`
+  ** `1`: means `true`
   * There is no default value for this setting.
-Cipher padding to use. Enables or disables padding.
+Enables or disables padding in encryption operations.
-By default encryption operations are padded using standard block padding
-and the padding is checked and removed when decrypting. If the pad
-parameter is zero then no padding is performed, the total amount of data
-encrypted or decrypted must then be a multiple of the block size or an
-error will occur.
+In encryption operations with block-ciphers, the input plaintext must be
+an _exact_ multiple of the cipher's block-size unless padding is enabled.
-See EVP_CIPHER_CTX_set_padding for further information.
+Disabling padding by setting this value to `0` will cause this plugin to
+fail to encrypt any input plaintext that doesn't strictly adhere to the
+<<plugins-{type}s-{plugin}-algorithm>>'s block size requirements.
-We are using Openssl jRuby which uses default padding to PKCS5Padding
-If you want to change it, set this parameter. If you want to disable
-it, Set this parameter to 0
 [source,ruby]
     filter { cipher { cipher_padding => 0 }}
-[id="plugins-{type}s-{plugin}-iv"]
-===== `iv`  (DEPRECATED)
-  * DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
-  * Value type is <<string,string>>
-  * There is no default value for this setting.
-The initialization vector to use (statically hard-coded). For
-a random IV see the iv_random_length property
-NOTE: If iv_random_length is set, it takes precedence over any value set for "iv"
-The cipher modes CBC, CFB, OFB and CTR all need an "initialization
-vector", or short, IV. ECB mode is the only mode that does not require
-an IV, but there is almost no legitimate use case for this mode
-because of the fact that it does not sufficiently hide plaintext patterns.
-For AES algorithms set this to a 16 byte string.
-[source,ruby]
-    filter { cipher { iv => "1234567890123456" }}
-Deprecated: Please use `iv_random_length` instead
 [id="plugins-{type}s-{plugin}-iv_random_length"]
 ===== `iv_random_length`
   * Value type is <<number,number>>
   * There is no default value for this setting.
-Force an random IV to be used per encryption invocation and specify
-the length of the random IV that will be generated via:
-      OpenSSL::Random.random_bytes(int_length)
+In encryption operations, this plugin generates a random Initialization
+Vector (IV) per encryption operation. This is a standard best-practice to ensure
+that the resulting ciphertexts cannot be compared to infer equivalence
+of the source plaintext. This unique IV is then _prepended_ to the resulting
+ciphertext before it is stored, ensuring it is available to any process
+that needs to decrypt it.
-If iv_random_length is set, it takes precedence over any value set for "iv"
+In decryption operations, the IV is assumed to have been prepended to
+the ciphertext, so this plugin needs to know the length of the IV in
+order to split the input appropriately.
-Enabling this will force the plugin to generate a unique
-random IV for each encryption call. This random IV will be prepended to the
-encrypted result bytes and then base64 encoded. On decryption "iv_random_length" must
-also be set to utilize this feature. Random IV's are better than statically
-hardcoded IVs
+The size of the IV is generally dependent on which <<plugins-{type}s-{plugin}-algorithm>>
+is used. AES Algorithms generally use a 16-byte IV:
-For AES algorithms you can set this to a 16
 [source,ruby]
     filter { cipher { iv_random_length => 16 }}
@@ -149,7 +126,7 @@ For AES algorithms you can set this to a 16
   * Value type is <<string,string>>
   * There is no default value for this setting.
-The key to use
+The key to use for encryption and decryption operations.
 NOTE: If you encounter an error message at runtime containing the following:
@@ -165,7 +142,7 @@ Please read the following: https://github.com/jruby/jruby/wiki/UnlimitedStrength
   * Value type is <<string,string>>
   * Default value is `"\u0000"`
-The character used to pad the key
+The character used to pad the key to the required <<plugins-{type}s-{plugin}-key_size>>.
 [id="plugins-{type}s-{plugin}-key_size"]
 ===== `key_size`
@@ -173,10 +150,9 @@ The character used to pad the key
   * Value type is <<number,number>>
   * Default value is `16`
-The key size to pad
-It depends of the cipher algorithm. If your key doesn't need
-padding, don't set this parameter
+The cipher's required key size, which depends on which <<plugins-{type}s-{plugin}-algorithm>>
+you are using. If a <<plugins-{type}s-{plugin}-key>> is specified with a shorter value,
+it will be padded with <<plugins-{type}s-{plugin}-key_pad>>.
 Example, for AES-128, we must have 16 char long key. AES-256 = 32 chars
 [source,ruby]
@@ -189,9 +165,9 @@ Example, for AES-128, we must have 16 char long key. AES-256 = 32 chars
   * Value type is <<number,number>>
   * Default value is `1`
-If this is set the internal Cipher instance will be
-re-used up to @max_cipher_reuse times before being
-reset() and re-created from scratch. This is an option
+If this value is set, the internal Cipher instance will be
+re-used up to `max_cipher_reuse` times before it is re-created
+from scratch. This is an option
 for efficiency where lots of data is being encrypted
 and decrypted using this filter. This lets the filter
 avoid creating new Cipher instances over and over
@@ -207,21 +183,22 @@ instance and max_cipher_reuse = 1 by default
   * This is a required setting.
   * Value type is <<string,string>>
+  ** `encrypt`: encrypts a plaintext value into IV + ciphertext
+  ** `decrypt`: decrypts an IV + ciphertext value into plaintext
   * There is no default value for this setting.
-Encrypting or decrypting some data
-Valid values are encrypt or decrypt
 [id="plugins-{type}s-{plugin}-source"]
 ===== `source`
   * Value type is <<string,string>>
   * Default value is `"message"`
-The field to perform filter
+The name of the source field.
-Example, to use the @message field (default) :
+* When <<plugins-{type}s-{plugin}-mode,`mode => encrypt`>>, the `source` should be a field containing plaintext
+* When <<plugins-{type}s-{plugin}-mode,`mode => decrypt`>>, the `source` should be a field containing IV + ciphertext
+Example, to use the `message` field (default) :
 [source,ruby]
     filter { cipher { source => "message" } }
@@ -231,13 +208,16 @@ Example, to use the @message field (default) :
   * Value type is <<string,string>>
   * Default value is `"message"`
-The name of the container to put the result
+The name of the target field to put the result:
+* When <<plugins-{type}s-{plugin}-mode,`mode => encrypt`>>, the IV + ciphertext result will be stored in the `target` field
+* When <<plugins-{type}s-{plugin}-mode,`mode => decrypt`>>, the plaintext result will be stored in the `target` field
-Example, to place the result into crypt :
+Example, to place the result into crypt:
 [source,ruby]
     filter { cipher { target => "crypt" } }
 [id="plugins-{type}s-{plugin}-common-options"]
-include::{include_path}/{type}.asciidoc[]
+include::{include_path}/{type}.asciidoc[]

data/lib/logstash/filters/cipher.rb CHANGED

@@ -1,8 +1,7 @@
 # encoding: utf-8
 require "logstash/filters/base"
-require "logstash/namespace"
 require "openssl"
+require "concurrent/atomic/thread_local_var"
 # This filter parses a source and apply a cipher or decipher before
 # storing it in the target.
@@ -40,7 +39,7 @@ class LogStash::Filters::Cipher < LogStash::Filters::Base
   #
   # Please read the following: https://github.com/jruby/jruby/wiki/UnlimitedStrengthCrypto
   #
-  config :key, :validate => :string
+  config :key, :validate => :password
   # The key size to pad
   #
@@ -61,12 +60,12 @@ class LogStash::Filters::Cipher < LogStash::Filters::Base
   # A list of supported algorithms can be obtained by
   # [source,ruby]
   #     puts OpenSSL::Cipher.ciphers
-  config :algorithm, :validate => :string, :required => true
+  config :algorithm, :validate => OpenSSL::Cipher.ciphers, :required => true
   # Encrypting or decrypting some data
   #
   # Valid values are encrypt or decrypt
-  config :mode, :validate => :string, :required => true
+  config :mode, :validate => %w(encrypt decrypt), :required => true
   # Cipher padding to use. Enables or disables padding.
   #
@@ -85,30 +84,11 @@ class LogStash::Filters::Cipher < LogStash::Filters::Base
   #     filter { cipher { cipher_padding => 0 }}
   config :cipher_padding, :validate => :string
-  # The initialization vector to use (statically hard-coded). For
-  # a random IV see the iv_random_length property
-  #
-  # NOTE: If iv_random_length is set, it takes precedence over any value set for "iv"
-  #
-  # The cipher modes CBC, CFB, OFB and CTR all need an "initialization
-  # vector", or short, IV. ECB mode is the only mode that does not require
-  # an IV, but there is almost no legitimate use case for this mode
-  # because of the fact that it does not sufficiently hide plaintext patterns.
-  #
-  # For AES algorithms set this to a 16 byte string.
-  # [source,ruby]
-  #     filter { cipher { iv => "1234567890123456" }}
-  #
-  # Deprecated: Please use `iv_random_length` instead
-  config :iv, :validate => :string, :deprecated => "Please use 'iv_random_length'"
   # Force an random IV to be used per encryption invocation and specify
   # the length of the random IV that will be generated via:
   #
   #       OpenSSL::Random.random_bytes(int_length)
   #
-  # If iv_random_length is set, it takes precedence over any value set for "iv"
-  #
   # Enabling this will force the plugin to generate a unique
   # random IV for each encryption call. This random IV will be prepended to the
   # encrypted result bytes and then base64 encoded. On decryption "iv_random_length" must
@@ -118,7 +98,7 @@ class LogStash::Filters::Cipher < LogStash::Filters::Base
   # For AES algorithms you can set this to a 16
   # [source,ruby]
   #     filter { cipher { iv_random_length => 16 }}
-  config :iv_random_length, :validate => :number
+  config :iv_random_length, :validate => :number, :required => true
   # If this is set the internal Cipher instance will be
   # re-used up to @max_cipher_reuse times before being
@@ -136,120 +116,158 @@ class LogStash::Filters::Cipher < LogStash::Filters::Base
   def register
     require 'base64' if @base64
-    init_cipher
-  end # def register
+    if cipher_reuse_enabled?
+      @reusable_cipher = Concurrent::ThreadLocalVar.new
+      @cipher_reuse_count = Concurrent::ThreadLocalVar.new
+    end
+    if @key.value.length != @key_size
+      @logger.debug("key length is " + @key.length.to_s + ", padding it to " + @key_size.to_s + " with '" + @key_pad.to_s + "'")
+      @key = @key.class.new(@key.value[0,@key_size].ljust(@key_size,@key_pad))
+    end
+  end # def register
   def filter(event)
-    #If decrypt or encrypt fails, we keep it it intact.
-    begin
-      if (event[@source].nil? || event[@source].empty?)
-        @logger.debug("Event to filter, event 'source' field: " + @source + " was null(nil) or blank, doing nothing")
-        return
-      end
-      #@logger.debug("Event to filter", :event => event)
-      data = event[@source]
-      if @mode == "decrypt"
-        data =  Base64.strict_decode64(data) if @base64 == true
-        if !@iv_random_length.nil?
-          @random_iv = data.byteslice(0,@iv_random_length)
-          data = data.byteslice(@iv_random_length..data.length)
-        end
-      end
-      if !@iv_random_length.nil? and @mode == "encrypt"
-        @random_iv = OpenSSL::Random.random_bytes(@iv_random_length)
-      end
-      # if iv_random_length is specified, generate a new one
-      # and force the cipher's IV = to the random value
-      if !@iv_random_length.nil?
-        @cipher.iv = @random_iv
-      end
-      result = @cipher.update(data) + @cipher.final
-      if @mode == "encrypt"
-        # if we have a random_iv, prepend that to the crypted result
-        if !@random_iv.nil?
-          result = @random_iv + result
-        end
-        result =  Base64.strict_encode64(result).encode("utf-8") if @base64 == true
-      end
+    source = event.get(@source)
+    if (source.nil? || source.empty?)
+      @logger.debug("Event to filter, event 'source' field: " + @source + " was null(nil) or blank, doing nothing")
+      return
+    end
-    rescue => e
-      @logger.warn("Exception catch on cipher filter", :event => event, :error => e)
+    result = case(@mode)
+             when "encrypt" then do_encrypt(source)
+             when "decrypt" then do_decrypt(source)
+             else
+               @logger.error("Invalid cipher mode. Valid values are \"encrypt\" or \"decrypt\"", :mode => @mode)
+               raise "Internal Error, aborting."
+             end
-      # force a re-initialize on error to be safe
-      init_cipher
+    event.set(@target, result)
+    filter_matched(event) unless result.nil?
+  rescue => e
+    @logger.error("An error occurred while #{@mode}ing.", :exception => e.message)
+    event.tag("_cipherfiltererror")
+  end
-    else
-      @total_cipher_uses += 1
+  private
-      result = result.force_encoding("utf-8") if @mode == "decrypt"
+  def cipher_reuse_enabled?
+    @max_cipher_reuse > 1
+  end
-      event[@target]= result
+  ##
+  # @param plaintext [String]
+  # @return [String]: ciphertext
+  def do_encrypt(plaintext)
+    with_cipher do |cipher|
+      random_iv = OpenSSL::Random.random_bytes(@iv_random_length)
+      cipher.iv = random_iv
-      #Is it necessary to add 'if !result.nil?' ? exception have been already catched.
-      #In doubt, I keep it.
-      filter_matched(event) if !result.nil?
+      ciphertext = random_iv + cipher.update(plaintext) + cipher.final
-      if !@max_cipher_reuse.nil? and @total_cipher_uses >= @max_cipher_reuse
-        @logger.debug("max_cipher_reuse["+@max_cipher_reuse.to_s+"] reached, total_cipher_uses = "+@total_cipher_uses.to_s)
-        init_cipher
-      end
+      ciphertext = Base64.strict_encode64(ciphertext).encode("utf-8") if @base64 == true
+      ciphertext
     end
-  end # def filter
-  def init_cipher
+  end
+  ##
+  # @param ciphertext_with_iv [String]
+  # @return [String] plaintext
+  def do_decrypt(ciphertext_with_iv)
+    ciphertext_with_iv = Base64.strict_decode64(ciphertext_with_iv) if @base64 == true
+    encoded_iv = ciphertext_with_iv.byteslice(0..@iv_random_length)
+    ciphertext = ciphertext_with_iv.byteslice(@iv_random_length..-1)
+    with_cipher do |cipher|
+      cipher.iv = encoded_iv
+      plaintext = cipher.update(ciphertext) + cipher.final
+      plaintext.force_encoding("UTF-8")
+      plaintext
+    end
+  end
-    if !@cipher.nil?
-      @cipher.reset
-      @cipher = nil
+  ##
+  # Returns a new or freshly-reset cipher, bypassing cipher reuse if it is not enabled
+  #
+  # @yieldparam [OpenSSL::Cipher]
+  # @yieldreturn [Object]: the object that this method should return
+  # @return [Object]: the object that was returned by the yielded block
+  def with_cipher
+    return yield(init_cipher) unless cipher_reuse_enabled?
+    with_reusable_cipher do |reusable_cipher|
+      yield reusable_cipher
     end
+  end
-    @cipher = OpenSSL::Cipher.new(@algorithm)
+  ##
+  # Returns a new or freshly-reset cipher.
+  #
+  # @yieldparam [OpenSSL::Cipher]
+  # @yieldreturn [Object]: the object that this method should return
+  # @return [Object]: the object that was returned by the yielded block
+  def with_reusable_cipher
+    cipher = get_or_init_reusable_cipher
+    result = yield(cipher)
+    cleanup_reusable_cipher
+    return result
+  rescue => e
+    # when an error is encountered, we cannot trust the state of the cipher object.
+    @logger.debug("shared cipher: removing because an exception was raised in #{Thread.current}", :exception => e.message)
+    destroy_reusable_cipher
+    raise
+  end
+  def get_or_init_reusable_cipher
+    if @reusable_cipher.value.nil?
+      @logger.debug("shared cipher: initializing for #{Thread.current}")
+      @reusable_cipher.value = init_cipher
+      @cipher_reuse_count.value = 0
+    end
-    @total_cipher_uses = 0
+    @cipher_reuse_count.value += 1
+    @reusable_cipher.value
+  end
-    if @mode == "encrypt"
-      @cipher.encrypt
-    elsif @mode == "decrypt"
-      @cipher.decrypt
+  def cleanup_reusable_cipher
+    if @cipher_reuse_count.value >= @max_cipher_reuse
+      @logger.debug("shared cipher: max_cipher_reuse[#{@max_cipher_reuse}] reached for #{Thread.current}, total_cipher_uses = #{@cipher_reuse_count.value}") if @logger.debug?
+      destroy_reusable_cipher
     else
-      @logger.error("Invalid cipher mode. Valid values are \"encrypt\" or \"decrypt\"", :mode => @mode)
-      raise "Bad configuration, aborting."
+      @logger.debug("shared cipher: resetting for #{Thread.current}")
+      @reusable_cipher.value.reset
     end
+  end
-    if @key.length != @key_size
-      @logger.debug("key length is " + @key.length.to_s + ", padding it to " + @key_size.to_s + " with '" + @key_pad.to_s + "'")
-      @key = @key[0,@key_size].ljust(@key_size,@key_pad)
-    end
+  def destroy_reusable_cipher
+    @reusable_cipher.value = nil
+    @cipher_reuse_count.value = 0
+  end
-    @cipher.key = @key
+  ##
+  # @return [OpenSSL::Cipher]
+  def init_cipher
+    cipher = OpenSSL::Cipher.new(@algorithm)
-    if !@iv.nil? and !@iv.empty? and @iv_random_length.nil?
-      @cipher.iv = @iv if @iv
+    cipher.public_send(@mode)
-    elsif !@iv_random_length.nil?
-      @logger.debug("iv_random_length is configured, ignoring any statically defined value for 'iv'", :iv_random_length => @iv_random_length)
-    else
-      raise "cipher plugin: either 'iv' or 'iv_random_length' must be configured, but not both; aborting"
-    end
+    cipher.key = @key.value
-    @cipher.padding = @cipher_padding if @cipher_padding
+    cipher.padding = @cipher_padding if @cipher_padding
+    if @logger.trace?
+      @logger.trace("Cipher initialisation done", :mode => @mode,
+                                                  :key => @key.value,
+                                                  :iv_random_length => @iv_random_length,
+                                                  :iv_random => @iv_random,
+                                                  :cipher_padding => @cipher_padding)
+    end
-    @logger.debug("Cipher initialisation done", :mode => @mode, :key => @key, :iv => @iv, :iv_random => @iv_random, :cipher_padding => @cipher_padding)
+    cipher
   end # def init_cipher

data/logstash-filter-cipher.gemspec CHANGED

@@ -1,9 +1,9 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-filter-cipher'
-  s.version         = '2.0.6'
+  s.version         = '4.0.1'
   s.licenses        = ['Apache License (2.0)']
-  s.summary         = "This filter parses a source and apply a cipher or decipher before storing it in the target"
+  s.summary         = "Applies or removes a cipher to an event"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
   s.authors         = ["Elastic"]
   s.email           = 'info@elastic.co'
@@ -19,8 +19,10 @@ Gem::Specification.new do |s|
   # Special flag to let us know this is actually a logstash plugin
   s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
   # Gem dependencies
-  s.add_runtime_dependency "logstash-core-plugin-api", "~> 1.0"
+  s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
+  s.add_runtime_dependency "concurrent-ruby", '~> 1.0'
   s.add_development_dependency 'logstash-devutils'
 end

data/spec/filters/cipher_spec.rb CHANGED

@@ -1,215 +1,144 @@
-    # encoding: utf-8
+# encoding: utf-8
+require 'logstash-core'
+require 'logstash/json'
+require "logstash/codecs/base"
+require 'logstash/filters/cipher'
-    require "logstash/devutils/rspec/spec_helper"
-    require 'logstash/filters/cipher'
+describe LogStash::Filters::Cipher do
-    describe LogStash::Filters::Cipher do
+  let(:cleartext) do
+    'شسيبشن٤٤ت٥ت داھدساققبمر фывапролдзщшгнекутцйячсмить asdfghjklqpoiuztreyxcvbnm,.-öäü+ä123ß´yö.,;LÖÜ*O 來少精清皆人址法田手扌打表氵開日大木裝 1234567890#$%^&*()!@#;:\'?.>,<testAESEn+=_-~`}]'
+  end
-      let(:cleartext) do
-        'شسيبشن٤٤ت٥ت داھدساققبمر фывапролдзщшгнекутцйячсмить asdfghjklqpoiuztreyxcvbnm,.-öäü+ä123ß´yö.,;LÖÜ*O 來少精清皆人址法田手扌打表氵開日大木裝 1234567890#$%^&*()!@#;:\'?.>,<testAESEn+=_-~`}]'
-      end
+  describe 'single event, encrypt/decrypt aes-128-cbc, 16b RANDOM IV, 16b key, b64 encode' do
+    let(:event) do
+      LogStash::Event.new(LogStash::Json.load("{\"message\":\"#{cleartext}\"}"))
+    end
-      let(:event) do
-        "{\"message\":\"#{cleartext}\"}"
-      end
+    let(:encrypter) do
+      described_class.new(
+        "algorithm" => "aes-128-cbc",
+        "cipher_padding" => 1,
+        "iv_random_length" => 16,
+        "key" => "1234567890123456",
+        "key_size" => 16,
+        "mode" => "encrypt",
+        "source" => "message",
+        "target" => "message_crypted",
+        "base64" => true,
+        "max_cipher_reuse" => 1)
+    end
-      let(:pipeline) { LogStash::Pipeline.new(config) }
+    let(:decrypter) do
+      described_class.new(
+        "algorithm" => "aes-128-cbc",
+        "cipher_padding" => 1,
+        "iv_random_length" => 16,
+        "key" => "1234567890123456",
+        "key_size" => 16,
+        "mode" => "decrypt",
+        "source" => "message_crypted",
+        "target" => "message_decrypted",
+        "base64" => true,
+        "max_cipher_reuse" => 1)
+    end
-      let(:events) do
-        arr = event.is_a?(Array) ? event : [event]
-        arr.map do |evt|
-          LogStash::Event.new(evt.is_a?(String) ? LogStash::Json.load(evt) : evt)
-        end
-      end
+    before(:each) do
+      encrypter.register
+      decrypter.register
+    end
-      let(:results) do
-        pipeline.instance_eval { @filters.each(&:register) }
-        results  = []
-        events.each do |evt|
-          # filter call the block on all filtered events, included new events added by the filter
-          pipeline.filter(evt) do |filtered_event|
-            results.push(filtered_event)
-          end
-        end
-        pipeline.flush_filters(:final => true) { |flushed_event| results << flushed_event }
-        results.select { |e| !e.cancelled? }
-      end
+    let(:result) do
+      encrypter.filter(event)
+      decrypter.filter(event)
+      event
+    end
-      describe 'single event, encrypt/decrypt aes-128-cbc, 16b RANDOM IV, 16b key, b64 encode' do
-        let(:config) do
-          <<-CONFIG
-    filter {
-        cipher {
-            algorithm => "aes-128-cbc"
-            cipher_padding => 1
-            iv_random_length => 16
-            key => "1234567890123456"
-            key_size => 16
-            mode => "encrypt"
-            source => "message"
-            target => "message_crypted"
-            base64 => true
-            max_cipher_reuse => 1
-        }
-        cipher {
-            algorithm => "aes-128-cbc"
-            cipher_padding => 1
-            iv_random_length => 16
-            key => "1234567890123456"
-            key_size => 16
-            mode => "decrypt"
-            source => "message_crypted"
-            target => "message_decrypted"
-            base64 => true
-            max_cipher_reuse => 1
-        }
-    }
-    CONFIG
-        end
-        it 'validate initial cleartext message' do
-          result = results.first
-          expect(result["message"]).to eq(cleartext)
-        end
-        it 'validate decrypted message' do
-          result = results.first
-          expect(result["message_decrypted"]).to eq(result["message"])
-        end
-        it 'validate encrypted message is not equal to message' do
-          result = results.first
-          expect(result["message"]).not_to eq(result["message_crypted"])
-        end
+    it 'validate initial cleartext message' do
+      expect(result.get("message")).to eq(cleartext)
+    end
-      end
+    it 'validate decrypted message' do
+      expect(result.get("message_decrypted")).to eq(result.get("message"))
+    end
+    it 'validate encrypted message is not equal to message' do
+      expect(result.get("message")).not_to eq(result.get("message_crypted"))
+    end
+  end
+  describe '1000 events, 11 re-use, encrypt/decrypt aes-128-cbc, 16b RANDOM IV, 16b key, b64 encode' do
-      describe 'single event, encrypt/decrypt aes-128-cbc, 16b STATIC IV, 16b key, b64 encode' do
-        let(:config) do
-          <<-CONFIG
-    filter {
-        cipher {
-            algorithm => "aes-128-cbc"
-            cipher_padding => 1
-            iv => "1234567890123456"
-            key => "1234567890123456"
-            key_size => 16
-            mode => "encrypt"
-            source => "message"
-            target => "message_crypted"
-            base64 => true
-            max_cipher_reuse => 1
-        }
-        cipher {
-            algorithm => "aes-128-cbc"
-            cipher_padding => 1
-            iv => "1234567890123456"
-            key => "1234567890123456"
-            key_size => 16
-            mode => "decrypt"
-            source => "message_crypted"
-            target => "message_decrypted"
-            base64 => true
-            max_cipher_reuse => 1
-        }
-    }
-    CONFIG
-        end
-        it 'validate initial cleartext message' do
-          result = results.first
-          expect(result["message"]).to eq(cleartext)
-        end
-        it 'validate decrypted message' do
-          result = results.first
-          expect(result["message_decrypted"]).to eq(result["message"])
-        end
-        it 'validate encrypted message is not equal to message' do
-          result = results.first
-          expect(result["message"]).not_to eq(result["message_crypted"])
-        end
+    total_events = 1000
+    let(:events) do
+      (1..total_events).map do |i|
+        LogStash::Event.new(LogStash::Json.load("{\"message\":\"#{cleartext}\"}"))
       end
+    end
+    let(:encrypter) do
+      described_class.new(
+        "algorithm" => "aes-128-cbc",
+        "cipher_padding" => 1,
+        "iv_random_length" => 16,
+        "key" => "1234567890123456",
+        "key_size" => 16,
+        "mode" => "encrypt",
+        "source" => "message",
+        "target" => "message_crypted",
+        "base64" => true,
+        "max_cipher_reuse" => 11)
+    end
+    let(:decrypter) do
+      described_class.new(
+        "algorithm" => "aes-128-cbc",
+        "cipher_padding" => 1,
+        "iv_random_length" => 16,
+        "key" => "1234567890123456",
+        "key_size" => 16,
+        "mode" => "decrypt",
+        "source" => "message_crypted",
+        "target" => "message_decrypted",
+        "base64" => true,
+        "max_cipher_reuse" => 11)
+    end
+    before(:each) do
+      encrypter.register
+      decrypter.register
+    end
+    let(:results) do
+      events.each do |e|
+        encrypter.filter(e)
+        decrypter.filter(e)
+      end
+      events
+    end
-      describe '1000 events, 11 re-use, encrypt/decrypt aes-128-cbc, 16b RANDOM IV, 16b key, b64 encode' do
-        total_events = 1000
-        let(:event) do
-          events = []
-         (1..total_events).each do |i|
-            events.push("{\"message\":\"#{cleartext}\"}")
-          end
-          return events
-        end
-        let(:config) do
-          <<-CONFIG
-    filter {
-        cipher {
-            algorithm => "aes-128-cbc"
-            cipher_padding => 1
-            iv_random_length => 16
-            key => "1234567890123456"
-            key_size => 16
-            mode => "encrypt"
-            source => "message"
-            target => "message_crypted"
-            base64 => true
-            max_cipher_reuse => 11
-        }
-        cipher {
-            algorithm => "aes-128-cbc"
-            cipher_padding => 1
-            iv_random_length => 16
-            key => "1234567890123456"
-            key_size => 16
-            mode => "decrypt"
-            source => "message_crypted"
-            target => "message_decrypted"
-            base64 => true
-            max_cipher_reuse => 11
-        }
-    }
-    CONFIG
-        end
-        it 'validate total events' do
-          expect(results.length).to eq(total_events)
-        end
-        it 'validate initial cleartext message' do
-          results.each do |result|
-            expect(result["message"]).to eq(cleartext)
-          end
-        end
-        it 'validate decrypted message' do
-          results.each do |result|
-            expect(result["message_decrypted"]).to eq(result["message"])
-          end
-        end
-        it 'validate encrypted message is not equal to message' do
-          results.each do |result|
-            expect(result["message"]).not_to eq(result["message_crypted"])
-          end
-        end
+    it 'validate total events' do
+      expect(results.length).to eq(total_events)
+    end
+    it 'validate initial cleartext message' do
+      results.each do |result|
+        expect(result.get("message")).to eq(cleartext)
       end
+    end
+    it 'validate decrypted message' do
+      results.each do |result|
+        expect(result.get("message_decrypted")).to eq(result.get("message"))
+      end
     end
+    it 'validate encrypted message is not equal to message' do
+      results.each do |result|
+        expect(result.get("message")).not_to eq(result.get("message_crypted"))
+      end
+    end
+  end
+end

metadata CHANGED

@@ -1,22 +1,42 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-cipher
 version: !ruby/object:Gem::Version
-  version: 2.0.6
+  version: 4.0.1
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-06-23 00:00:00.000000000 Z
+date: 2020-09-23 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+  name: logstash-core-plugin-api
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-  name: logstash-core-plugin-api
+  name: concurrent-ruby
   prerelease: false
   type: :runtime
   version_requirements: !ruby/object:Gem::Requirement
@@ -38,7 +58,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program
+description: This gem is a Logstash plugin required to be installed on top of the
+  Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
+  gem is not a stand-alone program
 email: info@elastic.co
 executables: []
 extensions: []
@@ -76,9 +98,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.4.8
+rubygems_version: 2.6.13
 signing_key:
 specification_version: 4
-summary: This filter parses a source and apply a cipher or decipher before storing it in the target
+summary: Applies or removes a cipher to an event
 test_files:
 - spec/filters/cipher_spec.rb