RubyGems - logstash-filter-cipher - Versions diffs - 2.0.7 → 3.0.0 - Mend

logstash-filter-cipher 2.0.7 → 3.0.0

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +3 -0
data/docs/index.asciidoc +0 -23
data/lib/logstash/filters/cipher.rb +10 -46
data/logstash-filter-cipher.gemspec +3 -2
data/spec/filters/cipher_spec.rb +123 -195
metadata +12 -6

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: eb8a36f3ee9e8c96a94133c1dec5528514c2c448
-  data.tar.gz: 85bf16fd717f4eece52336c2cc206539d77d6a85
+  metadata.gz: 98f7eee7d009598d46ceb96dd6c731a328206b1e
+  data.tar.gz: 434b055742014838598d35287605c9975b893c56
 SHA512:
-  metadata.gz: 4d4181334e38e3eafce57eee431da438be940eb17307fd0a79458cbb2d069961add8d6413fed31af43ca0892252f17060bb07f7a8e712a21a855a9a38cab3197
-  data.tar.gz: fe1a7a34af4d2b2a672b3ba4fe2593bda637cf29ff1a9a101a613febe9b236971cbdbf4f352aebf4b29b79230efbf62e005201514da57c13a985ed821eca478b
+  metadata.gz: a10c0455125608f96177b00d607020d805be56db9749316e7a554ed43000d88cc685637f0b65a78350811c7cd8b73294274cf7ede1ecacf3a4d31f87bbf65c4a
+  data.tar.gz: 61cf16ce5286967379ccddb678e437d6b9d1468ed735a6f9dc76b764de9663d81a257e66e39384347860a2cca5b68ca91f665ad63325836f76843c29bf7d26fd

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,6 @@
+# 3.0.0
+  - Mark deprecated iv field obsolete
 ## 2.0.7
   - Fix some documentation issues

data/docs/index.asciidoc CHANGED Viewed

@@ -97,29 +97,6 @@ it, Set this parameter to 0
 [source,ruby]
     filter { cipher { cipher_padding => 0 }}
-[id="plugins-{type}s-{plugin}-iv"]
-===== `iv`  (DEPRECATED)
-  * DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
-  * Value type is <<string,string>>
-  * There is no default value for this setting.
-The initialization vector to use (statically hard-coded). For
-a random IV see the iv_random_length property
-NOTE: If iv_random_length is set, it takes precedence over any value set for "iv"
-The cipher modes CBC, CFB, OFB and CTR all need an "initialization
-vector", or short, IV. ECB mode is the only mode that does not require
-an IV, but there is almost no legitimate use case for this mode
-because of the fact that it does not sufficiently hide plaintext patterns.
-For AES algorithms set this to a 16 byte string.
-[source,ruby]
-    filter { cipher { iv => "1234567890123456" }}
-Deprecated: Please use `iv_random_length` instead
 [id="plugins-{type}s-{plugin}-iv_random_length"]
 ===== `iv_random_length`

data/lib/logstash/filters/cipher.rb CHANGED Viewed

@@ -1,9 +1,7 @@
 # encoding: utf-8
 require "logstash/filters/base"
-require "logstash/namespace"
 require "openssl"
 # This filter parses a source and apply a cipher or decipher before
 # storing it in the target.
 #
@@ -85,30 +83,13 @@ class LogStash::Filters::Cipher < LogStash::Filters::Base
   #     filter { cipher { cipher_padding => 0 }}
   config :cipher_padding, :validate => :string
-  # The initialization vector to use (statically hard-coded). For
-  # a random IV see the iv_random_length property
-  #
-  # NOTE: If iv_random_length is set, it takes precedence over any value set for "iv"
-  #
-  # The cipher modes CBC, CFB, OFB and CTR all need an "initialization
-  # vector", or short, IV. ECB mode is the only mode that does not require
-  # an IV, but there is almost no legitimate use case for this mode
-  # because of the fact that it does not sufficiently hide plaintext patterns.
-  #
-  # For AES algorithms set this to a 16 byte string.
-  # [source,ruby]
-  #     filter { cipher { iv => "1234567890123456" }}
-  #
-  # Deprecated: Please use `iv_random_length` instead
-  config :iv, :validate => :string, :deprecated => "Please use 'iv_random_length'"
+  config :iv, :validate => :string, :obsolete => "Please use 'iv_random_length'"
   # Force an random IV to be used per encryption invocation and specify
   # the length of the random IV that will be generated via:
   #
   #       OpenSSL::Random.random_bytes(int_length)
   #
-  # If iv_random_length is set, it takes precedence over any value set for "iv"
-  #
   # Enabling this will force the plugin to generate a unique
   # random IV for each encryption call. This random IV will be prepended to the
   # encrypted result bytes and then base64 encoded. On decryption "iv_random_length" must
@@ -118,7 +99,7 @@ class LogStash::Filters::Cipher < LogStash::Filters::Base
   # For AES algorithms you can set this to a 16
   # [source,ruby]
   #     filter { cipher { iv_random_length => 16 }}
-  config :iv_random_length, :validate => :number
+  config :iv_random_length, :validate => :number, :required => true
   # If this is set the internal Cipher instance will be
   # re-used up to @max_cipher_reuse times before being
@@ -147,32 +128,24 @@ class LogStash::Filters::Cipher < LogStash::Filters::Base
     #If decrypt or encrypt fails, we keep it it intact.
     begin
-      if (event[@source].nil? || event[@source].empty?)
+      if (event.get(@source).nil? || event.get(@source).empty?)
         @logger.debug("Event to filter, event 'source' field: " + @source + " was null(nil) or blank, doing nothing")
         return
       end
       #@logger.debug("Event to filter", :event => event)
-      data = event[@source]
+      data = event.get(@source)
       if @mode == "decrypt"
         data =  Base64.strict_decode64(data) if @base64 == true
-        if !@iv_random_length.nil?
-          @random_iv = data.byteslice(0,@iv_random_length)
-          data = data.byteslice(@iv_random_length..data.length)
-        end
+        @random_iv = data.byteslice(0,@iv_random_length)
+        data = data.byteslice(@iv_random_length..data.length)
       end
-      if !@iv_random_length.nil? and @mode == "encrypt"
+      if @mode == "encrypt"
         @random_iv = OpenSSL::Random.random_bytes(@iv_random_length)
       end
-      # if iv_random_length is specified, generate a new one
-      # and force the cipher's IV = to the random value
-      if !@iv_random_length.nil?
-        @cipher.iv = @random_iv
-      end
+      @cipher.iv = @random_iv
       result = @cipher.update(data) + @cipher.final
@@ -197,7 +170,7 @@ class LogStash::Filters::Cipher < LogStash::Filters::Base
       result = result.force_encoding("utf-8") if @mode == "decrypt"
-      event[@target]= result
+      event.set(@target, result)
       #Is it necessary to add 'if !result.nil?' ? exception have been already catched.
       #In doubt, I keep it.
@@ -238,18 +211,9 @@ class LogStash::Filters::Cipher < LogStash::Filters::Base
     @cipher.key = @key
-    if !@iv.nil? and !@iv.empty? and @iv_random_length.nil?
-      @cipher.iv = @iv if @iv
-    elsif !@iv_random_length.nil?
-      @logger.debug("iv_random_length is configured, ignoring any statically defined value for 'iv'", :iv_random_length => @iv_random_length)
-    else
-      raise "cipher plugin: either 'iv' or 'iv_random_length' must be configured, but not both; aborting"
-    end
     @cipher.padding = @cipher_padding if @cipher_padding
-    @logger.debug("Cipher initialisation done", :mode => @mode, :key => @key, :iv => @iv, :iv_random => @iv_random, :cipher_padding => @cipher_padding)
+    @logger.debug("Cipher initialisation done", :mode => @mode, :key => @key, :iv_random_length => @iv_random_length, :iv_random => @iv_random, :cipher_padding => @cipher_padding)
   end # def init_cipher

data/logstash-filter-cipher.gemspec CHANGED Viewed

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-filter-cipher'
-  s.version         = '2.0.7'
+  s.version         = '3.0.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "This filter parses a source and apply a cipher or decipher before storing it in the target"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -19,8 +19,9 @@ Gem::Specification.new do |s|
   # Special flag to let us know this is actually a logstash plugin
   s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
   # Gem dependencies
-  s.add_runtime_dependency "logstash-core-plugin-api", "~> 1.0"
+  s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
   s.add_development_dependency 'logstash-devutils'
 end

data/spec/filters/cipher_spec.rb CHANGED Viewed

@@ -1,215 +1,143 @@
-    # encoding: utf-8
+# encoding: utf-8
+require 'logstash-core'
+require "logstash/codecs/base"
+require 'logstash/filters/cipher'
-    require "logstash/devutils/rspec/spec_helper"
-    require 'logstash/filters/cipher'
+describe LogStash::Filters::Cipher do
-    describe LogStash::Filters::Cipher do
+  let(:cleartext) do
+    'شسيبشن٤٤ت٥ت داھدساققبمر фывапролдзщшгнекутцйячсмить asdfghjklqpoiuztreyxcvbnm,.-öäü+ä123ß´yö.,;LÖÜ*O 來少精清皆人址法田手扌打表氵開日大木裝 1234567890#$%^&*()!@#;:\'?.>,<testAESEn+=_-~`}]'
+  end
-      let(:cleartext) do
-        'شسيبشن٤٤ت٥ت داھدساققبمر фывапролдзщшгнекутцйячсмить asdfghjklqpoiuztreyxcvbnm,.-öäü+ä123ß´yö.,;LÖÜ*O 來少精清皆人址法田手扌打表氵開日大木裝 1234567890#$%^&*()!@#;:\'?.>,<testAESEn+=_-~`}]'
-      end
+  describe 'single event, encrypt/decrypt aes-128-cbc, 16b RANDOM IV, 16b key, b64 encode' do
+    let(:event) do
+      LogStash::Event.new(LogStash::Json.load("{\"message\":\"#{cleartext}\"}"))
+    end
-      let(:event) do
-        "{\"message\":\"#{cleartext}\"}"
-      end
+    let(:encrypter) do
+      described_class.new(
+        "algorithm" => "aes-128-cbc",
+        "cipher_padding" => 1,
+        "iv_random_length" => 16,
+        "key" => "1234567890123456",
+        "key_size" => 16,
+        "mode" => "encrypt",
+        "source" => "message",
+        "target" => "message_crypted",
+        "base64" => true,
+        "max_cipher_reuse" => 1)
+    end
-      let(:pipeline) { LogStash::Pipeline.new(config) }
+    let(:decrypter) do
+      described_class.new(
+        "algorithm" => "aes-128-cbc",
+        "cipher_padding" => 1,
+        "iv_random_length" => 16,
+        "key" => "1234567890123456",
+        "key_size" => 16,
+        "mode" => "decrypt",
+        "source" => "message_crypted",
+        "target" => "message_decrypted",
+        "base64" => true,
+        "max_cipher_reuse" => 1)
+    end
-      let(:events) do
-        arr = event.is_a?(Array) ? event : [event]
-        arr.map do |evt|
-          LogStash::Event.new(evt.is_a?(String) ? LogStash::Json.load(evt) : evt)
-        end
-      end
+    before(:each) do
+      encrypter.register
+      decrypter.register
+    end
-      let(:results) do
-        pipeline.instance_eval { @filters.each(&:register) }
-        results  = []
-        events.each do |evt|
-          # filter call the block on all filtered events, included new events added by the filter
-          pipeline.filter(evt) do |filtered_event|
-            results.push(filtered_event)
-          end
-        end
-        pipeline.flush_filters(:final => true) { |flushed_event| results << flushed_event }
-        results.select { |e| !e.cancelled? }
-      end
+    let(:result) do
+      encrypter.filter(event)
+      decrypter.filter(event)
+      event
+    end
-      describe 'single event, encrypt/decrypt aes-128-cbc, 16b RANDOM IV, 16b key, b64 encode' do
-        let(:config) do
-          <<-CONFIG
-    filter {
-        cipher {
-            algorithm => "aes-128-cbc"
-            cipher_padding => 1
-            iv_random_length => 16
-            key => "1234567890123456"
-            key_size => 16
-            mode => "encrypt"
-            source => "message"
-            target => "message_crypted"
-            base64 => true
-            max_cipher_reuse => 1
-        }
-        cipher {
-            algorithm => "aes-128-cbc"
-            cipher_padding => 1
-            iv_random_length => 16
-            key => "1234567890123456"
-            key_size => 16
-            mode => "decrypt"
-            source => "message_crypted"
-            target => "message_decrypted"
-            base64 => true
-            max_cipher_reuse => 1
-        }
-    }
-    CONFIG
-        end
-        it 'validate initial cleartext message' do
-          result = results.first
-          expect(result["message"]).to eq(cleartext)
-        end
-        it 'validate decrypted message' do
-          result = results.first
-          expect(result["message_decrypted"]).to eq(result["message"])
-        end
-        it 'validate encrypted message is not equal to message' do
-          result = results.first
-          expect(result["message"]).not_to eq(result["message_crypted"])
-        end
+    it 'validate initial cleartext message' do
+      expect(result.get("message")).to eq(cleartext)
+    end
-      end
+    it 'validate decrypted message' do
+      expect(result.get("message_decrypted")).to eq(result.get("message"))
+    end
+    it 'validate encrypted message is not equal to message' do
+      expect(result.get("message")).not_to eq(result.get("message_crypted"))
+    end
+  end
+  describe '1000 events, 11 re-use, encrypt/decrypt aes-128-cbc, 16b RANDOM IV, 16b key, b64 encode' do
-      describe 'single event, encrypt/decrypt aes-128-cbc, 16b STATIC IV, 16b key, b64 encode' do
-        let(:config) do
-          <<-CONFIG
-    filter {
-        cipher {
-            algorithm => "aes-128-cbc"
-            cipher_padding => 1
-            iv => "1234567890123456"
-            key => "1234567890123456"
-            key_size => 16
-            mode => "encrypt"
-            source => "message"
-            target => "message_crypted"
-            base64 => true
-            max_cipher_reuse => 1
-        }
-        cipher {
-            algorithm => "aes-128-cbc"
-            cipher_padding => 1
-            iv => "1234567890123456"
-            key => "1234567890123456"
-            key_size => 16
-            mode => "decrypt"
-            source => "message_crypted"
-            target => "message_decrypted"
-            base64 => true
-            max_cipher_reuse => 1
-        }
-    }
-    CONFIG
-        end
-        it 'validate initial cleartext message' do
-          result = results.first
-          expect(result["message"]).to eq(cleartext)
-        end
-        it 'validate decrypted message' do
-          result = results.first
-          expect(result["message_decrypted"]).to eq(result["message"])
-        end
-        it 'validate encrypted message is not equal to message' do
-          result = results.first
-          expect(result["message"]).not_to eq(result["message_crypted"])
-        end
+    total_events = 1000
+    let(:events) do
+      (1..total_events).map do |i|
+        LogStash::Event.new(LogStash::Json.load("{\"message\":\"#{cleartext}\"}"))
       end
+    end
+    let(:encrypter) do
+      described_class.new(
+        "algorithm" => "aes-128-cbc",
+        "cipher_padding" => 1,
+        "iv_random_length" => 16,
+        "key" => "1234567890123456",
+        "key_size" => 16,
+        "mode" => "encrypt",
+        "source" => "message",
+        "target" => "message_crypted",
+        "base64" => true,
+        "max_cipher_reuse" => 11)
+    end
+    let(:decrypter) do
+      described_class.new(
+        "algorithm" => "aes-128-cbc",
+        "cipher_padding" => 1,
+        "iv_random_length" => 16,
+        "key" => "1234567890123456",
+        "key_size" => 16,
+        "mode" => "decrypt",
+        "source" => "message_crypted",
+        "target" => "message_decrypted",
+        "base64" => true,
+        "max_cipher_reuse" => 11)
+    end
+    before(:each) do
+      encrypter.register
+      decrypter.register
+    end
+    let(:results) do
+      events.each do |e|
+        encrypter.filter(e)
+        decrypter.filter(e)
+      end
+      events
+    end
-      describe '1000 events, 11 re-use, encrypt/decrypt aes-128-cbc, 16b RANDOM IV, 16b key, b64 encode' do
-        total_events = 1000
-        let(:event) do
-          events = []
-         (1..total_events).each do |i|
-            events.push("{\"message\":\"#{cleartext}\"}")
-          end
-          return events
-        end
-        let(:config) do
-          <<-CONFIG
-    filter {
-        cipher {
-            algorithm => "aes-128-cbc"
-            cipher_padding => 1
-            iv_random_length => 16
-            key => "1234567890123456"
-            key_size => 16
-            mode => "encrypt"
-            source => "message"
-            target => "message_crypted"
-            base64 => true
-            max_cipher_reuse => 11
-        }
-        cipher {
-            algorithm => "aes-128-cbc"
-            cipher_padding => 1
-            iv_random_length => 16
-            key => "1234567890123456"
-            key_size => 16
-            mode => "decrypt"
-            source => "message_crypted"
-            target => "message_decrypted"
-            base64 => true
-            max_cipher_reuse => 11
-        }
-    }
-    CONFIG
-        end
-        it 'validate total events' do
-          expect(results.length).to eq(total_events)
-        end
-        it 'validate initial cleartext message' do
-          results.each do |result|
-            expect(result["message"]).to eq(cleartext)
-          end
-        end
-        it 'validate decrypted message' do
-          results.each do |result|
-            expect(result["message_decrypted"]).to eq(result["message"])
-          end
-        end
-        it 'validate encrypted message is not equal to message' do
-          results.each do |result|
-            expect(result["message"]).not_to eq(result["message_crypted"])
-          end
-        end
+    it 'validate total events' do
+      expect(results.length).to eq(total_events)
+    end
+    it 'validate initial cleartext message' do
+      results.each do |result|
+        expect(result.get("message")).to eq(cleartext)
       end
+    end
+    it 'validate decrypted message' do
+      results.each do |result|
+        expect(result.get("message_decrypted")).to eq(result.get("message"))
+      end
     end
+    it 'validate encrypted message is not equal to message' do
+      results.each do |result|
+        expect(result.get("message")).not_to eq(result.get("message_crypted"))
+      end
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,29 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-cipher
 version: !ruby/object:Gem::Version
-  version: 2.0.7
+  version: 3.0.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-08-15 00:00:00.000000000 Z
+date: 2017-10-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.99'
   name: logstash-core-plugin-api
   prerelease: false
   type: :runtime
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.99'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements: