logstash-filter-cipher 3.0.0 → 4.0.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/CHANGELOG.md +18 -2
- data/LICENSE +199 -10
- data/README.md +1 -1
- data/docs/index.asciidoc +58 -55
- data/lib/logstash/filters/cipher.rb +131 -77
- data/logstash-filter-cipher.gemspec +3 -2
- data/spec/filters/cipher_spec.rb +1 -0
- metadata +21 -6
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: d993068808d76530c423f9dd3d9ca8953c975d4c5db23516b8240ca116ecf365
|
4
|
+
data.tar.gz: 2fded845fe2b19cbcd18c5cc04752d30a069410322f900d961982cc2dbced2d9
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 25a9558d86374002d5e28df0a02ab6fa620672ec5af0ee7727e65e906d723efef90cb8841594ef38d4d1a34206d01a82ea5dcb1d8e0e8411b0c024e2fc68c09b
|
7
|
+
data.tar.gz: e8e4fe428cb66c9860da58c2ed3c8f9202fa808b2cf0680dc48ca5e680e360dfb545f5e50d12bb856b65ad8e35fb6b9e6ac7cdd5a82c73a65078cc2d7d3ac489
|
data/CHANGELOG.md
CHANGED
@@ -1,4 +1,21 @@
|
|
1
|
-
|
1
|
+
## 4.0.2
|
2
|
+
- [DOC] Fixes "Note" formatting for the Key setting [#30](https://github.com/logstash-plugins/logstash-filter-cipher/pull/30)
|
3
|
+
|
4
|
+
## 4.0.1
|
5
|
+
- General improvements to code and docs [#29](https://github.com/logstash-plugins/logstash-filter-cipher/pull/29)
|
6
|
+
- Fixed threadsafety; this plugin can now be used in pipelines with more than one worker.
|
7
|
+
- Fixed a potential leak of the configured key into logs; the key is now only included if trace-level logging is enabled.
|
8
|
+
- Fixed an issue where configurations that used invalid `mode` or `algorithm` settings could produce unhelpful error messages.
|
9
|
+
- Fixed an issue where a bad payload could cause the plugin to crash; when exceptions are encountered, the offending event will now be tagged with `_cipherfiltererror`.
|
10
|
+
- Improved documentation substantially.
|
11
|
+
|
12
|
+
## 4.0.0
|
13
|
+
- Removed obsolete iv field
|
14
|
+
|
15
|
+
## 3.0.1
|
16
|
+
- Update gemspec summary
|
17
|
+
|
18
|
+
## 3.0.0
|
2
19
|
- Mark deprecated iv field obsolete
|
3
20
|
|
4
21
|
## 2.0.7
|
@@ -17,4 +34,3 @@
|
|
17
34
|
- internal: Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully,
|
18
35
|
instead of using Thread.raise on the plugins' threads. Ref: https://github.com/elastic/logstash/pull/3895
|
19
36
|
- internal,deps: Dependency on logstash-core update to 2.0
|
20
|
-
|
data/LICENSE
CHANGED
@@ -1,13 +1,202 @@
|
|
1
|
-
Copyright (c) 2012–2016 Elasticsearch <http://www.elastic.co>
|
2
1
|
|
3
|
-
|
4
|
-
|
5
|
-
|
2
|
+
Apache License
|
3
|
+
Version 2.0, January 2004
|
4
|
+
http://www.apache.org/licenses/
|
6
5
|
|
7
|
-
|
6
|
+
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
8
7
|
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
8
|
+
1. Definitions.
|
9
|
+
|
10
|
+
"License" shall mean the terms and conditions for use, reproduction,
|
11
|
+
and distribution as defined by Sections 1 through 9 of this document.
|
12
|
+
|
13
|
+
"Licensor" shall mean the copyright owner or entity authorized by
|
14
|
+
the copyright owner that is granting the License.
|
15
|
+
|
16
|
+
"Legal Entity" shall mean the union of the acting entity and all
|
17
|
+
other entities that control, are controlled by, or are under common
|
18
|
+
control with that entity. For the purposes of this definition,
|
19
|
+
"control" means (i) the power, direct or indirect, to cause the
|
20
|
+
direction or management of such entity, whether by contract or
|
21
|
+
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
22
|
+
outstanding shares, or (iii) beneficial ownership of such entity.
|
23
|
+
|
24
|
+
"You" (or "Your") shall mean an individual or Legal Entity
|
25
|
+
exercising permissions granted by this License.
|
26
|
+
|
27
|
+
"Source" form shall mean the preferred form for making modifications,
|
28
|
+
including but not limited to software source code, documentation
|
29
|
+
source, and configuration files.
|
30
|
+
|
31
|
+
"Object" form shall mean any form resulting from mechanical
|
32
|
+
transformation or translation of a Source form, including but
|
33
|
+
not limited to compiled object code, generated documentation,
|
34
|
+
and conversions to other media types.
|
35
|
+
|
36
|
+
"Work" shall mean the work of authorship, whether in Source or
|
37
|
+
Object form, made available under the License, as indicated by a
|
38
|
+
copyright notice that is included in or attached to the work
|
39
|
+
(an example is provided in the Appendix below).
|
40
|
+
|
41
|
+
"Derivative Works" shall mean any work, whether in Source or Object
|
42
|
+
form, that is based on (or derived from) the Work and for which the
|
43
|
+
editorial revisions, annotations, elaborations, or other modifications
|
44
|
+
represent, as a whole, an original work of authorship. For the purposes
|
45
|
+
of this License, Derivative Works shall not include works that remain
|
46
|
+
separable from, or merely link (or bind by name) to the interfaces of,
|
47
|
+
the Work and Derivative Works thereof.
|
48
|
+
|
49
|
+
"Contribution" shall mean any work of authorship, including
|
50
|
+
the original version of the Work and any modifications or additions
|
51
|
+
to that Work or Derivative Works thereof, that is intentionally
|
52
|
+
submitted to Licensor for inclusion in the Work by the copyright owner
|
53
|
+
or by an individual or Legal Entity authorized to submit on behalf of
|
54
|
+
the copyright owner. For the purposes of this definition, "submitted"
|
55
|
+
means any form of electronic, verbal, or written communication sent
|
56
|
+
to the Licensor or its representatives, including but not limited to
|
57
|
+
communication on electronic mailing lists, source code control systems,
|
58
|
+
and issue tracking systems that are managed by, or on behalf of, the
|
59
|
+
Licensor for the purpose of discussing and improving the Work, but
|
60
|
+
excluding communication that is conspicuously marked or otherwise
|
61
|
+
designated in writing by the copyright owner as "Not a Contribution."
|
62
|
+
|
63
|
+
"Contributor" shall mean Licensor and any individual or Legal Entity
|
64
|
+
on behalf of whom a Contribution has been received by Licensor and
|
65
|
+
subsequently incorporated within the Work.
|
66
|
+
|
67
|
+
2. Grant of Copyright License. Subject to the terms and conditions of
|
68
|
+
this License, each Contributor hereby grants to You a perpetual,
|
69
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
70
|
+
copyright license to reproduce, prepare Derivative Works of,
|
71
|
+
publicly display, publicly perform, sublicense, and distribute the
|
72
|
+
Work and such Derivative Works in Source or Object form.
|
73
|
+
|
74
|
+
3. Grant of Patent License. Subject to the terms and conditions of
|
75
|
+
this License, each Contributor hereby grants to You a perpetual,
|
76
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
77
|
+
(except as stated in this section) patent license to make, have made,
|
78
|
+
use, offer to sell, sell, import, and otherwise transfer the Work,
|
79
|
+
where such license applies only to those patent claims licensable
|
80
|
+
by such Contributor that are necessarily infringed by their
|
81
|
+
Contribution(s) alone or by combination of their Contribution(s)
|
82
|
+
with the Work to which such Contribution(s) was submitted. If You
|
83
|
+
institute patent litigation against any entity (including a
|
84
|
+
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
85
|
+
or a Contribution incorporated within the Work constitutes direct
|
86
|
+
or contributory patent infringement, then any patent licenses
|
87
|
+
granted to You under this License for that Work shall terminate
|
88
|
+
as of the date such litigation is filed.
|
89
|
+
|
90
|
+
4. Redistribution. You may reproduce and distribute copies of the
|
91
|
+
Work or Derivative Works thereof in any medium, with or without
|
92
|
+
modifications, and in Source or Object form, provided that You
|
93
|
+
meet the following conditions:
|
94
|
+
|
95
|
+
(a) You must give any other recipients of the Work or
|
96
|
+
Derivative Works a copy of this License; and
|
97
|
+
|
98
|
+
(b) You must cause any modified files to carry prominent notices
|
99
|
+
stating that You changed the files; and
|
100
|
+
|
101
|
+
(c) You must retain, in the Source form of any Derivative Works
|
102
|
+
that You distribute, all copyright, patent, trademark, and
|
103
|
+
attribution notices from the Source form of the Work,
|
104
|
+
excluding those notices that do not pertain to any part of
|
105
|
+
the Derivative Works; and
|
106
|
+
|
107
|
+
(d) If the Work includes a "NOTICE" text file as part of its
|
108
|
+
distribution, then any Derivative Works that You distribute must
|
109
|
+
include a readable copy of the attribution notices contained
|
110
|
+
within such NOTICE file, excluding those notices that do not
|
111
|
+
pertain to any part of the Derivative Works, in at least one
|
112
|
+
of the following places: within a NOTICE text file distributed
|
113
|
+
as part of the Derivative Works; within the Source form or
|
114
|
+
documentation, if provided along with the Derivative Works; or,
|
115
|
+
within a display generated by the Derivative Works, if and
|
116
|
+
wherever such third-party notices normally appear. The contents
|
117
|
+
of the NOTICE file are for informational purposes only and
|
118
|
+
do not modify the License. You may add Your own attribution
|
119
|
+
notices within Derivative Works that You distribute, alongside
|
120
|
+
or as an addendum to the NOTICE text from the Work, provided
|
121
|
+
that such additional attribution notices cannot be construed
|
122
|
+
as modifying the License.
|
123
|
+
|
124
|
+
You may add Your own copyright statement to Your modifications and
|
125
|
+
may provide additional or different license terms and conditions
|
126
|
+
for use, reproduction, or distribution of Your modifications, or
|
127
|
+
for any such Derivative Works as a whole, provided Your use,
|
128
|
+
reproduction, and distribution of the Work otherwise complies with
|
129
|
+
the conditions stated in this License.
|
130
|
+
|
131
|
+
5. Submission of Contributions. Unless You explicitly state otherwise,
|
132
|
+
any Contribution intentionally submitted for inclusion in the Work
|
133
|
+
by You to the Licensor shall be under the terms and conditions of
|
134
|
+
this License, without any additional terms or conditions.
|
135
|
+
Notwithstanding the above, nothing herein shall supersede or modify
|
136
|
+
the terms of any separate license agreement you may have executed
|
137
|
+
with Licensor regarding such Contributions.
|
138
|
+
|
139
|
+
6. Trademarks. This License does not grant permission to use the trade
|
140
|
+
names, trademarks, service marks, or product names of the Licensor,
|
141
|
+
except as required for reasonable and customary use in describing the
|
142
|
+
origin of the Work and reproducing the content of the NOTICE file.
|
143
|
+
|
144
|
+
7. Disclaimer of Warranty. Unless required by applicable law or
|
145
|
+
agreed to in writing, Licensor provides the Work (and each
|
146
|
+
Contributor provides its Contributions) on an "AS IS" BASIS,
|
147
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
148
|
+
implied, including, without limitation, any warranties or conditions
|
149
|
+
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
150
|
+
PARTICULAR PURPOSE. You are solely responsible for determining the
|
151
|
+
appropriateness of using or redistributing the Work and assume any
|
152
|
+
risks associated with Your exercise of permissions under this License.
|
153
|
+
|
154
|
+
8. Limitation of Liability. In no event and under no legal theory,
|
155
|
+
whether in tort (including negligence), contract, or otherwise,
|
156
|
+
unless required by applicable law (such as deliberate and grossly
|
157
|
+
negligent acts) or agreed to in writing, shall any Contributor be
|
158
|
+
liable to You for damages, including any direct, indirect, special,
|
159
|
+
incidental, or consequential damages of any character arising as a
|
160
|
+
result of this License or out of the use or inability to use the
|
161
|
+
Work (including but not limited to damages for loss of goodwill,
|
162
|
+
work stoppage, computer failure or malfunction, or any and all
|
163
|
+
other commercial damages or losses), even if such Contributor
|
164
|
+
has been advised of the possibility of such damages.
|
165
|
+
|
166
|
+
9. Accepting Warranty or Additional Liability. While redistributing
|
167
|
+
the Work or Derivative Works thereof, You may choose to offer,
|
168
|
+
and charge a fee for, acceptance of support, warranty, indemnity,
|
169
|
+
or other liability obligations and/or rights consistent with this
|
170
|
+
License. However, in accepting such obligations, You may act only
|
171
|
+
on Your own behalf and on Your sole responsibility, not on behalf
|
172
|
+
of any other Contributor, and only if You agree to indemnify,
|
173
|
+
defend, and hold each Contributor harmless for any liability
|
174
|
+
incurred by, or claims asserted against, such Contributor by reason
|
175
|
+
of your accepting any such warranty or additional liability.
|
176
|
+
|
177
|
+
END OF TERMS AND CONDITIONS
|
178
|
+
|
179
|
+
APPENDIX: How to apply the Apache License to your work.
|
180
|
+
|
181
|
+
To apply the Apache License to your work, attach the following
|
182
|
+
boilerplate notice, with the fields enclosed by brackets "[]"
|
183
|
+
replaced with your own identifying information. (Don't include
|
184
|
+
the brackets!) The text should be enclosed in the appropriate
|
185
|
+
comment syntax for the file format. We also recommend that a
|
186
|
+
file or class name and description of purpose be included on the
|
187
|
+
same "printed page" as the copyright notice for easier
|
188
|
+
identification within third-party archives.
|
189
|
+
|
190
|
+
Copyright 2020 Elastic and contributors
|
191
|
+
|
192
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
193
|
+
you may not use this file except in compliance with the License.
|
194
|
+
You may obtain a copy of the License at
|
195
|
+
|
196
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
197
|
+
|
198
|
+
Unless required by applicable law or agreed to in writing, software
|
199
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
200
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
201
|
+
See the License for the specific language governing permissions and
|
202
|
+
limitations under the License.
|
data/README.md
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
# Logstash Plugin
|
2
2
|
|
3
|
-
[![Travis Build Status](https://travis-ci.
|
3
|
+
[![Travis Build Status](https://travis-ci.com/logstash-plugins/logstash-filter-cipher.svg)](https://travis-ci.com/logstash-plugins/logstash-filter-cipher)
|
4
4
|
|
5
5
|
This is a plugin for [Logstash](https://github.com/elastic/logstash).
|
6
6
|
|
data/docs/index.asciidoc
CHANGED
@@ -23,6 +23,9 @@ include::{include_path}/plugin_header.asciidoc[]
|
|
23
23
|
This filter parses a source and apply a cipher or decipher before
|
24
24
|
storing it in the target.
|
25
25
|
|
26
|
+
NOTE: Prior to version 4.0.1, this plugin was not thread-safe and
|
27
|
+
could not safely be used with multiple pipeline workers.
|
28
|
+
|
26
29
|
|
27
30
|
[id="plugins-{type}s-{plugin}-options"]
|
28
31
|
==== Cipher Filter Configuration Options
|
@@ -37,7 +40,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
|
|
37
40
|
| <<plugins-{type}s-{plugin}-cipher_padding>> |<<string,string>>|No
|
38
41
|
| <<plugins-{type}s-{plugin}-iv_random_length>> |<<number,number>>|No
|
39
42
|
| <<plugins-{type}s-{plugin}-key>> |<<string,string>>|No
|
40
|
-
| <<plugins-{type}s-{plugin}-key_pad>>
|
43
|
+
| <<plugins-{type}s-{plugin}-key_pad>> |<<string,string>>|No
|
41
44
|
| <<plugins-{type}s-{plugin}-key_size>> |<<number,number>>|No
|
42
45
|
| <<plugins-{type}s-{plugin}-max_cipher_reuse>> |<<number,number>>|No
|
43
46
|
| <<plugins-{type}s-{plugin}-mode>> |<<string,string>>|Yes
|
@@ -57,43 +60,40 @@ filter plugins.
|
|
57
60
|
* Value type is <<string,string>>
|
58
61
|
* There is no default value for this setting.
|
59
62
|
|
60
|
-
The cipher algorithm
|
63
|
+
The cipher algorithm to use for encryption and decryption operations.
|
61
64
|
|
62
|
-
A list of supported algorithms can be obtained by
|
63
|
-
[source,
|
64
|
-
|
65
|
+
A list of supported algorithms depends on the versions of Logstash, JRuby, and Java this plugin is running in, but can be obtained by running:
|
66
|
+
[source,sh]
|
67
|
+
cd $LOGSTASH_HOME # <-- your Logstash distribution root
|
68
|
+
bin/ruby -ropenssl -e 'puts OpenSSL::Cipher.ciphers'
|
65
69
|
|
66
70
|
[id="plugins-{type}s-{plugin}-base64"]
|
67
71
|
===== `base64`
|
68
72
|
|
69
73
|
* Value type is <<boolean,boolean>>
|
70
74
|
* Default value is `true`
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
If we are decrypting, `base64` decode will be done before.
|
75
|
-
If we are encrypting, `base64` will be done after.
|
75
|
+
* Unless this option is disabled:
|
76
|
+
** When <<plugins-{type}s-{plugin}-mode,`mode => encrypt`>>, the source ciphertext will be `base64`-decoded before it is deciphered.
|
77
|
+
** When <<plugins-{type}s-{plugin}-mode,`mode => decrypt`>>, the result ciphertext will be `base64`-encoded before it is stored.
|
76
78
|
|
77
79
|
|
78
80
|
[id="plugins-{type}s-{plugin}-cipher_padding"]
|
79
81
|
===== `cipher_padding`
|
80
82
|
|
81
83
|
* Value type is <<string,string>>
|
84
|
+
** `0`: means `false`
|
85
|
+
** `1`: means `true`
|
82
86
|
* There is no default value for this setting.
|
83
87
|
|
84
|
-
|
88
|
+
Enables or disables padding in encryption operations.
|
85
89
|
|
86
|
-
|
87
|
-
|
88
|
-
parameter is zero then no padding is performed, the total amount of data
|
89
|
-
encrypted or decrypted must then be a multiple of the block size or an
|
90
|
-
error will occur.
|
90
|
+
In encryption operations with block-ciphers, the input plaintext must be
|
91
|
+
an _exact_ multiple of the cipher's block-size unless padding is enabled.
|
91
92
|
|
92
|
-
|
93
|
+
Disabling padding by setting this value to `0` will cause this plugin to
|
94
|
+
fail to encrypt any input plaintext that doesn't strictly adhere to the
|
95
|
+
<<plugins-{type}s-{plugin}-algorithm>>'s block size requirements.
|
93
96
|
|
94
|
-
We are using Openssl jRuby which uses default padding to PKCS5Padding
|
95
|
-
If you want to change it, set this parameter. If you want to disable
|
96
|
-
it, Set this parameter to 0
|
97
97
|
[source,ruby]
|
98
98
|
filter { cipher { cipher_padding => 0 }}
|
99
99
|
|
@@ -103,20 +103,20 @@ it, Set this parameter to 0
|
|
103
103
|
* Value type is <<number,number>>
|
104
104
|
* There is no default value for this setting.
|
105
105
|
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
106
|
+
In encryption operations, this plugin generates a random Initialization
|
107
|
+
Vector (IV) per encryption operation. This is a standard best-practice to ensure
|
108
|
+
that the resulting ciphertexts cannot be compared to infer equivalence
|
109
|
+
of the source plaintext. This unique IV is then _prepended_ to the resulting
|
110
|
+
ciphertext before it is stored, ensuring it is available to any process
|
111
|
+
that needs to decrypt it.
|
110
112
|
|
111
|
-
|
113
|
+
In decryption operations, the IV is assumed to have been prepended to
|
114
|
+
the ciphertext, so this plugin needs to know the length of the IV in
|
115
|
+
order to split the input appropriately.
|
112
116
|
|
113
|
-
|
114
|
-
|
115
|
-
encrypted result bytes and then base64 encoded. On decryption "iv_random_length" must
|
116
|
-
also be set to utilize this feature. Random IV's are better than statically
|
117
|
-
hardcoded IVs
|
117
|
+
The size of the IV is generally dependent on which <<plugins-{type}s-{plugin}-algorithm>>
|
118
|
+
is used. AES Algorithms generally use a 16-byte IV:
|
118
119
|
|
119
|
-
For AES algorithms you can set this to a 16
|
120
120
|
[source,ruby]
|
121
121
|
filter { cipher { iv_random_length => 16 }}
|
122
122
|
|
@@ -126,15 +126,15 @@ For AES algorithms you can set this to a 16
|
|
126
126
|
* Value type is <<string,string>>
|
127
127
|
* There is no default value for this setting.
|
128
128
|
|
129
|
-
The key to use
|
130
|
-
|
131
|
-
NOTE: If you encounter an error message at runtime containing the following:
|
129
|
+
The key to use for encryption and decryption operations.
|
132
130
|
|
133
|
-
|
134
|
-
|
135
|
-
|
136
|
-
Please read the following: https://github.com/jruby/jruby/wiki/UnlimitedStrengthCrypto
|
131
|
+
[NOTE]
|
132
|
+
============
|
133
|
+
Please read the https://github.com/jruby/jruby/wiki/UnlimitedStrengthCrypto[UnlimitedStrengthCrypto topic] in the https://github.com/jruby/jruby[jruby] github repo if you see a runtime error that resembles:
|
137
134
|
|
135
|
+
`java.security.InvalidKeyException: Illegal key size: possibly you need to install
|
136
|
+
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your JRE`
|
137
|
+
============
|
138
138
|
|
139
139
|
[id="plugins-{type}s-{plugin}-key_pad"]
|
140
140
|
===== `key_pad`
|
@@ -142,7 +142,7 @@ Please read the following: https://github.com/jruby/jruby/wiki/UnlimitedStrength
|
|
142
142
|
* Value type is <<string,string>>
|
143
143
|
* Default value is `"\u0000"`
|
144
144
|
|
145
|
-
The character used to pad the key
|
145
|
+
The character used to pad the key to the required <<plugins-{type}s-{plugin}-key_size>>.
|
146
146
|
|
147
147
|
[id="plugins-{type}s-{plugin}-key_size"]
|
148
148
|
===== `key_size`
|
@@ -150,10 +150,9 @@ The character used to pad the key
|
|
150
150
|
* Value type is <<number,number>>
|
151
151
|
* Default value is `16`
|
152
152
|
|
153
|
-
The key size
|
154
|
-
|
155
|
-
|
156
|
-
padding, don't set this parameter
|
153
|
+
The cipher's required key size, which depends on which <<plugins-{type}s-{plugin}-algorithm>>
|
154
|
+
you are using. If a <<plugins-{type}s-{plugin}-key>> is specified with a shorter value,
|
155
|
+
it will be padded with <<plugins-{type}s-{plugin}-key_pad>>.
|
157
156
|
|
158
157
|
Example, for AES-128, we must have 16 char long key. AES-256 = 32 chars
|
159
158
|
[source,ruby]
|
@@ -166,9 +165,9 @@ Example, for AES-128, we must have 16 char long key. AES-256 = 32 chars
|
|
166
165
|
* Value type is <<number,number>>
|
167
166
|
* Default value is `1`
|
168
167
|
|
169
|
-
If this is set the internal Cipher instance will be
|
170
|
-
re-used up to
|
171
|
-
|
168
|
+
If this value is set, the internal Cipher instance will be
|
169
|
+
re-used up to `max_cipher_reuse` times before it is re-created
|
170
|
+
from scratch. This is an option
|
172
171
|
for efficiency where lots of data is being encrypted
|
173
172
|
and decrypted using this filter. This lets the filter
|
174
173
|
avoid creating new Cipher instances over and over
|
@@ -184,21 +183,22 @@ instance and max_cipher_reuse = 1 by default
|
|
184
183
|
|
185
184
|
* This is a required setting.
|
186
185
|
* Value type is <<string,string>>
|
186
|
+
** `encrypt`: encrypts a plaintext value into IV + ciphertext
|
187
|
+
** `decrypt`: decrypts an IV + ciphertext value into plaintext
|
187
188
|
* There is no default value for this setting.
|
188
189
|
|
189
|
-
Encrypting or decrypting some data
|
190
|
-
|
191
|
-
Valid values are encrypt or decrypt
|
192
|
-
|
193
190
|
[id="plugins-{type}s-{plugin}-source"]
|
194
191
|
===== `source`
|
195
192
|
|
196
193
|
* Value type is <<string,string>>
|
197
194
|
* Default value is `"message"`
|
198
195
|
|
199
|
-
The
|
196
|
+
The name of the source field.
|
197
|
+
|
198
|
+
* When <<plugins-{type}s-{plugin}-mode,`mode => encrypt`>>, the `source` should be a field containing plaintext
|
199
|
+
* When <<plugins-{type}s-{plugin}-mode,`mode => decrypt`>>, the `source` should be a field containing IV + ciphertext
|
200
200
|
|
201
|
-
Example, to use the
|
201
|
+
Example, to use the `message` field (default) :
|
202
202
|
[source,ruby]
|
203
203
|
filter { cipher { source => "message" } }
|
204
204
|
|
@@ -208,13 +208,16 @@ Example, to use the @message field (default) :
|
|
208
208
|
* Value type is <<string,string>>
|
209
209
|
* Default value is `"message"`
|
210
210
|
|
211
|
-
The name of the
|
211
|
+
The name of the target field to put the result:
|
212
|
+
|
213
|
+
* When <<plugins-{type}s-{plugin}-mode,`mode => encrypt`>>, the IV + ciphertext result will be stored in the `target` field
|
214
|
+
* When <<plugins-{type}s-{plugin}-mode,`mode => decrypt`>>, the plaintext result will be stored in the `target` field
|
212
215
|
|
213
|
-
Example, to place the result into crypt
|
216
|
+
Example, to place the result into crypt:
|
214
217
|
[source,ruby]
|
215
218
|
filter { cipher { target => "crypt" } }
|
216
219
|
|
217
220
|
|
218
221
|
|
219
222
|
[id="plugins-{type}s-{plugin}-common-options"]
|
220
|
-
include::{include_path}/{type}.asciidoc[]
|
223
|
+
include::{include_path}/{type}.asciidoc[]
|
@@ -1,6 +1,7 @@
|
|
1
1
|
# encoding: utf-8
|
2
2
|
require "logstash/filters/base"
|
3
3
|
require "openssl"
|
4
|
+
require "concurrent/atomic/thread_local_var"
|
4
5
|
|
5
6
|
# This filter parses a source and apply a cipher or decipher before
|
6
7
|
# storing it in the target.
|
@@ -38,7 +39,7 @@ class LogStash::Filters::Cipher < LogStash::Filters::Base
|
|
38
39
|
#
|
39
40
|
# Please read the following: https://github.com/jruby/jruby/wiki/UnlimitedStrengthCrypto
|
40
41
|
#
|
41
|
-
config :key, :validate => :
|
42
|
+
config :key, :validate => :password
|
42
43
|
|
43
44
|
# The key size to pad
|
44
45
|
#
|
@@ -59,12 +60,12 @@ class LogStash::Filters::Cipher < LogStash::Filters::Base
|
|
59
60
|
# A list of supported algorithms can be obtained by
|
60
61
|
# [source,ruby]
|
61
62
|
# puts OpenSSL::Cipher.ciphers
|
62
|
-
config :algorithm, :validate =>
|
63
|
+
config :algorithm, :validate => OpenSSL::Cipher.ciphers, :required => true
|
63
64
|
|
64
65
|
# Encrypting or decrypting some data
|
65
66
|
#
|
66
67
|
# Valid values are encrypt or decrypt
|
67
|
-
config :mode, :validate =>
|
68
|
+
config :mode, :validate => %w(encrypt decrypt), :required => true
|
68
69
|
|
69
70
|
# Cipher padding to use. Enables or disables padding.
|
70
71
|
#
|
@@ -83,8 +84,6 @@ class LogStash::Filters::Cipher < LogStash::Filters::Base
|
|
83
84
|
# filter { cipher { cipher_padding => 0 }}
|
84
85
|
config :cipher_padding, :validate => :string
|
85
86
|
|
86
|
-
config :iv, :validate => :string, :obsolete => "Please use 'iv_random_length'"
|
87
|
-
|
88
87
|
# Force an random IV to be used per encryption invocation and specify
|
89
88
|
# the length of the random IV that will be generated via:
|
90
89
|
#
|
@@ -117,103 +116,158 @@ class LogStash::Filters::Cipher < LogStash::Filters::Base
|
|
117
116
|
|
118
117
|
def register
|
119
118
|
require 'base64' if @base64
|
120
|
-
|
121
|
-
|
119
|
+
if cipher_reuse_enabled?
|
120
|
+
@reusable_cipher = Concurrent::ThreadLocalVar.new
|
121
|
+
@cipher_reuse_count = Concurrent::ThreadLocalVar.new
|
122
|
+
end
|
122
123
|
|
124
|
+
if @key.value.length != @key_size
|
125
|
+
@logger.debug("key length is " + @key.length.to_s + ", padding it to " + @key_size.to_s + " with '" + @key_pad.to_s + "'")
|
126
|
+
@key = @key.class.new(@key.value[0,@key_size].ljust(@key_size,@key_pad))
|
127
|
+
end
|
128
|
+
end # def register
|
123
129
|
|
124
130
|
def filter(event)
|
125
|
-
|
126
|
-
|
131
|
+
source = event.get(@source)
|
132
|
+
if (source.nil? || source.empty?)
|
133
|
+
@logger.debug("Event to filter, event 'source' field: " + @source + " was null(nil) or blank, doing nothing")
|
134
|
+
return
|
135
|
+
end
|
127
136
|
|
128
|
-
|
129
|
-
|
137
|
+
result = case(@mode)
|
138
|
+
when "encrypt" then do_encrypt(source)
|
139
|
+
when "decrypt" then do_decrypt(source)
|
140
|
+
else
|
141
|
+
@logger.error("Invalid cipher mode. Valid values are \"encrypt\" or \"decrypt\"", :mode => @mode)
|
142
|
+
raise "Internal Error, aborting."
|
143
|
+
end
|
130
144
|
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
|
145
|
+
event.set(@target, result)
|
146
|
+
filter_matched(event) unless result.nil?
|
147
|
+
rescue => e
|
148
|
+
@logger.error("An error occurred while #{@mode}ing.", :exception => e.message)
|
149
|
+
event.tag("_cipherfiltererror")
|
150
|
+
end
|
135
151
|
|
136
|
-
|
137
|
-
data = event.get(@source)
|
138
|
-
if @mode == "decrypt"
|
139
|
-
data = Base64.strict_decode64(data) if @base64 == true
|
140
|
-
@random_iv = data.byteslice(0,@iv_random_length)
|
141
|
-
data = data.byteslice(@iv_random_length..data.length)
|
142
|
-
end
|
152
|
+
private
|
143
153
|
|
144
|
-
|
145
|
-
|
146
|
-
|
154
|
+
def cipher_reuse_enabled?
|
155
|
+
@max_cipher_reuse > 1
|
156
|
+
end
|
147
157
|
|
148
|
-
|
158
|
+
##
|
159
|
+
# @param plaintext [String]
|
160
|
+
# @return [String]: ciphertext
|
161
|
+
def do_encrypt(plaintext)
|
162
|
+
with_cipher do |cipher|
|
163
|
+
random_iv = OpenSSL::Random.random_bytes(@iv_random_length)
|
164
|
+
cipher.iv = random_iv
|
149
165
|
|
150
|
-
|
166
|
+
ciphertext = random_iv + cipher.update(plaintext) + cipher.final
|
151
167
|
|
152
|
-
if @
|
168
|
+
ciphertext = Base64.strict_encode64(ciphertext).encode("utf-8") if @base64 == true
|
153
169
|
|
154
|
-
|
155
|
-
|
156
|
-
|
157
|
-
|
170
|
+
ciphertext
|
171
|
+
end
|
172
|
+
end
|
173
|
+
|
174
|
+
##
|
175
|
+
# @param ciphertext_with_iv [String]
|
176
|
+
# @return [String] plaintext
|
177
|
+
def do_decrypt(ciphertext_with_iv)
|
178
|
+
ciphertext_with_iv = Base64.strict_decode64(ciphertext_with_iv) if @base64 == true
|
179
|
+
encoded_iv = ciphertext_with_iv.byteslice(0..@iv_random_length)
|
180
|
+
ciphertext = ciphertext_with_iv.byteslice(@iv_random_length..-1)
|
181
|
+
|
182
|
+
with_cipher do |cipher|
|
183
|
+
cipher.iv = encoded_iv
|
184
|
+
plaintext = cipher.update(ciphertext) + cipher.final
|
185
|
+
plaintext.force_encoding("UTF-8")
|
186
|
+
plaintext
|
187
|
+
end
|
188
|
+
end
|
158
189
|
|
159
|
-
|
160
|
-
|
190
|
+
##
|
191
|
+
# Returns a new or freshly-reset cipher, bypassing cipher reuse if it is not enabled
|
192
|
+
#
|
193
|
+
# @yieldparam [OpenSSL::Cipher]
|
194
|
+
# @yieldreturn [Object]: the object that this method should return
|
195
|
+
# @return [Object]: the object that was returned by the yielded block
|
196
|
+
def with_cipher
|
197
|
+
return yield(init_cipher) unless cipher_reuse_enabled?
|
198
|
+
|
199
|
+
with_reusable_cipher do |reusable_cipher|
|
200
|
+
yield reusable_cipher
|
201
|
+
end
|
202
|
+
end
|
161
203
|
|
162
|
-
|
163
|
-
|
204
|
+
##
|
205
|
+
# Returns a new or freshly-reset cipher.
|
206
|
+
#
|
207
|
+
# @yieldparam [OpenSSL::Cipher]
|
208
|
+
# @yieldreturn [Object]: the object that this method should return
|
209
|
+
# @return [Object]: the object that was returned by the yielded block
|
210
|
+
def with_reusable_cipher
|
211
|
+
cipher = get_or_init_reusable_cipher
|
212
|
+
|
213
|
+
result = yield(cipher)
|
214
|
+
|
215
|
+
cleanup_reusable_cipher
|
216
|
+
|
217
|
+
return result
|
218
|
+
rescue => e
|
219
|
+
# when an error is encountered, we cannot trust the state of the cipher object.
|
220
|
+
@logger.debug("shared cipher: removing because an exception was raised in #{Thread.current}", :exception => e.message)
|
221
|
+
destroy_reusable_cipher
|
222
|
+
raise
|
223
|
+
end
|
224
|
+
|
225
|
+
def get_or_init_reusable_cipher
|
226
|
+
if @reusable_cipher.value.nil?
|
227
|
+
@logger.debug("shared cipher: initializing for #{Thread.current}")
|
228
|
+
@reusable_cipher.value = init_cipher
|
229
|
+
@cipher_reuse_count.value = 0
|
230
|
+
end
|
164
231
|
|
165
|
-
|
166
|
-
|
232
|
+
@cipher_reuse_count.value += 1
|
233
|
+
@reusable_cipher.value
|
234
|
+
end
|
167
235
|
|
236
|
+
def cleanup_reusable_cipher
|
237
|
+
if @cipher_reuse_count.value >= @max_cipher_reuse
|
238
|
+
@logger.debug("shared cipher: max_cipher_reuse[#{@max_cipher_reuse}] reached for #{Thread.current}, total_cipher_uses = #{@cipher_reuse_count.value}") if @logger.debug?
|
239
|
+
destroy_reusable_cipher
|
168
240
|
else
|
169
|
-
@
|
170
|
-
|
171
|
-
result = result.force_encoding("utf-8") if @mode == "decrypt"
|
172
|
-
|
173
|
-
event.set(@target, result)
|
174
|
-
|
175
|
-
#Is it necessary to add 'if !result.nil?' ? exception have been already catched.
|
176
|
-
#In doubt, I keep it.
|
177
|
-
filter_matched(event) if !result.nil?
|
178
|
-
|
179
|
-
if !@max_cipher_reuse.nil? and @total_cipher_uses >= @max_cipher_reuse
|
180
|
-
@logger.debug("max_cipher_reuse["+@max_cipher_reuse.to_s+"] reached, total_cipher_uses = "+@total_cipher_uses.to_s)
|
181
|
-
init_cipher
|
182
|
-
end
|
183
|
-
|
241
|
+
@logger.debug("shared cipher: resetting for #{Thread.current}")
|
242
|
+
@reusable_cipher.value.reset
|
184
243
|
end
|
185
|
-
end
|
244
|
+
end
|
186
245
|
|
187
|
-
def
|
246
|
+
def destroy_reusable_cipher
|
247
|
+
@reusable_cipher.value = nil
|
248
|
+
@cipher_reuse_count.value = 0
|
249
|
+
end
|
188
250
|
|
189
|
-
|
190
|
-
|
191
|
-
|
192
|
-
|
251
|
+
##
|
252
|
+
# @return [OpenSSL::Cipher]
|
253
|
+
def init_cipher
|
254
|
+
cipher = OpenSSL::Cipher.new(@algorithm)
|
193
255
|
|
194
|
-
|
256
|
+
cipher.public_send(@mode)
|
195
257
|
|
196
|
-
|
258
|
+
cipher.key = @key.value
|
197
259
|
|
198
|
-
|
199
|
-
@cipher.encrypt
|
200
|
-
elsif @mode == "decrypt"
|
201
|
-
@cipher.decrypt
|
202
|
-
else
|
203
|
-
@logger.error("Invalid cipher mode. Valid values are \"encrypt\" or \"decrypt\"", :mode => @mode)
|
204
|
-
raise "Bad configuration, aborting."
|
205
|
-
end
|
260
|
+
cipher.padding = @cipher_padding if @cipher_padding
|
206
261
|
|
207
|
-
if @
|
208
|
-
@logger.
|
209
|
-
|
262
|
+
if @logger.trace?
|
263
|
+
@logger.trace("Cipher initialisation done", :mode => @mode,
|
264
|
+
:key => @key.value,
|
265
|
+
:iv_random_length => @iv_random_length,
|
266
|
+
:iv_random => @iv_random,
|
267
|
+
:cipher_padding => @cipher_padding)
|
210
268
|
end
|
211
269
|
|
212
|
-
|
213
|
-
|
214
|
-
@cipher.padding = @cipher_padding if @cipher_padding
|
215
|
-
|
216
|
-
@logger.debug("Cipher initialisation done", :mode => @mode, :key => @key, :iv_random_length => @iv_random_length, :iv_random => @iv_random, :cipher_padding => @cipher_padding)
|
270
|
+
cipher
|
217
271
|
end # def init_cipher
|
218
272
|
|
219
273
|
|
@@ -1,9 +1,9 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-filter-cipher'
|
4
|
-
s.version = '
|
4
|
+
s.version = '4.0.2'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
|
-
s.summary = "
|
6
|
+
s.summary = "Applies or removes a cipher to an event"
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
8
8
|
s.authors = ["Elastic"]
|
9
9
|
s.email = 'info@elastic.co'
|
@@ -22,6 +22,7 @@ Gem::Specification.new do |s|
|
|
22
22
|
|
23
23
|
# Gem dependencies
|
24
24
|
s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
|
25
|
+
s.add_runtime_dependency "concurrent-ruby", '~> 1.0'
|
25
26
|
|
26
27
|
s.add_development_dependency 'logstash-devutils'
|
27
28
|
end
|
data/spec/filters/cipher_spec.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-filter-cipher
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 4.0.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Elastic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2022-02-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
@@ -30,6 +30,20 @@ dependencies:
|
|
30
30
|
- - "<="
|
31
31
|
- !ruby/object:Gem::Version
|
32
32
|
version: '2.99'
|
33
|
+
- !ruby/object:Gem::Dependency
|
34
|
+
requirement: !ruby/object:Gem::Requirement
|
35
|
+
requirements:
|
36
|
+
- - "~>"
|
37
|
+
- !ruby/object:Gem::Version
|
38
|
+
version: '1.0'
|
39
|
+
name: concurrent-ruby
|
40
|
+
prerelease: false
|
41
|
+
type: :runtime
|
42
|
+
version_requirements: !ruby/object:Gem::Requirement
|
43
|
+
requirements:
|
44
|
+
- - "~>"
|
45
|
+
- !ruby/object:Gem::Version
|
46
|
+
version: '1.0'
|
33
47
|
- !ruby/object:Gem::Dependency
|
34
48
|
requirement: !ruby/object:Gem::Requirement
|
35
49
|
requirements:
|
@@ -44,7 +58,9 @@ dependencies:
|
|
44
58
|
- - ">="
|
45
59
|
- !ruby/object:Gem::Version
|
46
60
|
version: '0'
|
47
|
-
description: This gem is a Logstash plugin required to be installed on top of the
|
61
|
+
description: This gem is a Logstash plugin required to be installed on top of the
|
62
|
+
Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
|
63
|
+
gem is not a stand-alone program
|
48
64
|
email: info@elastic.co
|
49
65
|
executables: []
|
50
66
|
extensions: []
|
@@ -81,10 +97,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
81
97
|
- !ruby/object:Gem::Version
|
82
98
|
version: '0'
|
83
99
|
requirements: []
|
84
|
-
|
85
|
-
rubygems_version: 2.4.8
|
100
|
+
rubygems_version: 3.1.6
|
86
101
|
signing_key:
|
87
102
|
specification_version: 4
|
88
|
-
summary:
|
103
|
+
summary: Applies or removes a cipher to an event
|
89
104
|
test_files:
|
90
105
|
- spec/filters/cipher_spec.rb
|