logstash-filter-cipher 4.0.0 → 4.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d8e456f6087e8f9329260bc8b0143035e9d1fa01ba4f1528967d2dccd5910bed
-  data.tar.gz: acd6dd98bf9a974fc1d3f619a0ecc10c555e13b51bb4d248ee37f9d3c9acc0eb
+  metadata.gz: 46b796b1a113a179ffd905368531092245493669a2cd8f9ad7a40f5a70bf93c0
+  data.tar.gz: d8cdd9b1516c58531124337c8a80c084ce1b64e34b1a9fc2bafc13f95a899b2d
 SHA512:
-  metadata.gz: f01dde0f3cc877114b466e82361770540336fb41992afbed7d67ea2c230972b42ca88b6fafeca23c20be81f2bda5428ab06198f6a8c67090433e8f5c3a44ab0a
-  data.tar.gz: 681000d52f6bfb763d92f47a0b5d41b67901538525402c0f3ba8b622c41c59fb3917bd91ef4362daaeaeea5762e072b3f062b4424fd0025a5b3ce574cdd71eaa
+  metadata.gz: 87e5034edcfdc5d8f2a6e41e41e92dd0b775e26dd463f167e026bfa4a543a37a9a07bed65882fa72206c893a7c9962657434af4f4013dd166a184a5deb02a6ad
+  data.tar.gz: 6e79143228ccef00b0495d446c5780683e6c94cc8ce67e12781c0f24a780cc2ac62a68e3be289dc232df1995b879a8407468f33b57e924f2dc9b11a6ee8d539e

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 4.0.1
+  - General improvements to code and docs [#29](https://github.com/logstash-plugins/logstash-filter-cipher/pull/29)
+    - Fixed threadsafety; this plugin can now be used in pipelines with more than one worker.
+    - Fixed a potential leak of the configured key into logs; the key is now only included if trace-level logging is enabled.
+    - Fixed an issue where configurations that used invalid `mode` or `algorithm` settings could produce unhelpful error messages.
+    - Fixed an issue where a bad payload could cause the plugin to crash; when exceptions are encountered, the offending event will now be tagged with `_cipherfiltererror`.
+    - Improved documentation substantially.
+
 ## 4.0.0
   - Removed obsolete iv field
 
@@ -23,4 +31,3 @@
  - internal: Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully, 
    instead of using Thread.raise on the plugins' threads. Ref: https://github.com/elastic/logstash/pull/3895
  - internal,deps: Dependency on logstash-core update to 2.0
-

data/LICENSE

@@ -1,13 +1,202 @@
-Copyright (c) 2012-2018 Elasticsearch <http://www.elastic.co>
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
 
-    http://www.apache.org/licenses/LICENSE-2.0
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2020 Elastic and contributors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/docs/index.asciidoc

@@ -23,6 +23,9 @@ include::{include_path}/plugin_header.asciidoc[]
 This filter parses a source and apply a cipher or decipher before
 storing it in the target.
 
+NOTE: Prior to version 4.0.1, this plugin was not thread-safe and
+      could not safely be used with multiple pipeline workers.
+
 
 [id="plugins-{type}s-{plugin}-options"]
 ==== Cipher Filter Configuration Options
@@ -37,7 +40,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-cipher_padding>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-iv_random_length>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-key>> |<<string,string>>|No
-| <<plugins-{type}s-{plugin}-key_pad>> |<<,>>|No
+| <<plugins-{type}s-{plugin}-key_pad>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-key_size>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-max_cipher_reuse>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-mode>> |<<string,string>>|Yes
@@ -57,43 +60,40 @@ filter plugins.
   * Value type is <<string,string>>
   * There is no default value for this setting.
 
-The cipher algorithm
+The cipher algorithm to use for encryption and decryption operations.
 
-A list of supported algorithms can be obtained by
-[source,ruby]
-    puts OpenSSL::Cipher.ciphers
+A list of supported algorithms depends on the versions of Logstash, JRuby, and Java this plugin is running in, but can be obtained by running:
+[source,sh]
+    cd $LOGSTASH_HOME # <-- your Logstash distribution root
+    bin/ruby -ropenssl -e 'puts OpenSSL::Cipher.ciphers'
 
 [id="plugins-{type}s-{plugin}-base64"]
 ===== `base64` 
 
   * Value type is <<boolean,boolean>>
   * Default value is `true`
-
-Do we have to perform a `base64` decode or encode?
-
-If we are decrypting, `base64` decode will be done before.
-If we are encrypting, `base64` will be done after.
+  * Unless this option is disabled:
+  ** When <<plugins-{type}s-{plugin}-mode,`mode => encrypt`>>, the source ciphertext will be `base64`-decoded before it is deciphered.
+  ** When <<plugins-{type}s-{plugin}-mode,`mode => decrypt`>>, the result ciphertext will be `base64`-encoded before it is stored.
 
 
 [id="plugins-{type}s-{plugin}-cipher_padding"]
 ===== `cipher_padding` 
 
   * Value type is <<string,string>>
+  ** `0`: means `false`
+  ** `1`: means `true`
   * There is no default value for this setting.
 
-Cipher padding to use. Enables or disables padding.
+Enables or disables padding in encryption operations.
 
-By default encryption operations are padded using standard block padding
-and the padding is checked and removed when decrypting. If the pad
-parameter is zero then no padding is performed, the total amount of data
-encrypted or decrypted must then be a multiple of the block size or an
-error will occur.
+In encryption operations with block-ciphers, the input plaintext must be
+an _exact_ multiple of the cipher's block-size unless padding is enabled.
 
-See EVP_CIPHER_CTX_set_padding for further information.
+Disabling padding by setting this value to `0` will cause this plugin to
+fail to encrypt any input plaintext that doesn't strictly adhere to the
+<<plugins-{type}s-{plugin}-algorithm>>'s block size requirements.
 
-We are using Openssl jRuby which uses default padding to PKCS5Padding
-If you want to change it, set this parameter. If you want to disable
-it, Set this parameter to 0
 [source,ruby]
     filter { cipher { cipher_padding => 0 }}
 
@@ -103,20 +103,20 @@ it, Set this parameter to 0
   * Value type is <<number,number>>
   * There is no default value for this setting.
 
-Force an random IV to be used per encryption invocation and specify
-the length of the random IV that will be generated via:
-
-      OpenSSL::Random.random_bytes(int_length)
+In encryption operations, this plugin generates a random Initialization
+Vector (IV) per encryption operation. This is a standard best-practice to ensure
+that the resulting ciphertexts cannot be compared to infer equivalence
+of the source plaintext. This unique IV is then _prepended_ to the resulting
+ciphertext before it is stored, ensuring it is available to any process
+that needs to decrypt it.
 
-If iv_random_length is set, it takes precedence over any value set for "iv"
+In decryption operations, the IV is assumed to have been prepended to
+the ciphertext, so this plugin needs to know the length of the IV in
+order to split the input appropriately.
 
-Enabling this will force the plugin to generate a unique
-random IV for each encryption call. This random IV will be prepended to the
-encrypted result bytes and then base64 encoded. On decryption "iv_random_length" must
-also be set to utilize this feature. Random IV's are better than statically
-hardcoded IVs
+The size of the IV is generally dependent on which <<plugins-{type}s-{plugin}-algorithm>>
+is used. AES Algorithms generally use a 16-byte IV:
 
-For AES algorithms you can set this to a 16
 [source,ruby]
     filter { cipher { iv_random_length => 16 }}
 
@@ -126,7 +126,7 @@ For AES algorithms you can set this to a 16
   * Value type is <<string,string>>
   * There is no default value for this setting.
 
-The key to use
+The key to use for encryption and decryption operations.
 
 NOTE: If you encounter an error message at runtime containing the following:
 
@@ -142,7 +142,7 @@ Please read the following: https://github.com/jruby/jruby/wiki/UnlimitedStrength
   * Value type is <<string,string>>
   * Default value is `"\u0000"`
 
-The character used to pad the key
+The character used to pad the key to the required <<plugins-{type}s-{plugin}-key_size>>.
 
 [id="plugins-{type}s-{plugin}-key_size"]
 ===== `key_size` 
@@ -150,10 +150,9 @@ The character used to pad the key
   * Value type is <<number,number>>
   * Default value is `16`
 
-The key size to pad
-
-It depends of the cipher algorithm. If your key doesn't need
-padding, don't set this parameter
+The cipher's required key size, which depends on which <<plugins-{type}s-{plugin}-algorithm>>
+you are using. If a <<plugins-{type}s-{plugin}-key>> is specified with a shorter value,
+it will be padded with <<plugins-{type}s-{plugin}-key_pad>>.
 
 Example, for AES-128, we must have 16 char long key. AES-256 = 32 chars 
 [source,ruby]
@@ -166,9 +165,9 @@ Example, for AES-128, we must have 16 char long key. AES-256 = 32 chars
   * Value type is <<number,number>>
   * Default value is `1`
 
-If this is set the internal Cipher instance will be
-re-used up to @max_cipher_reuse times before being
-reset() and re-created from scratch. This is an option
+If this value is set, the internal Cipher instance will be
+re-used up to `max_cipher_reuse` times before it is re-created
+from scratch. This is an option
 for efficiency where lots of data is being encrypted
 and decrypted using this filter. This lets the filter
 avoid creating new Cipher instances over and over
@@ -184,21 +183,22 @@ instance and max_cipher_reuse = 1 by default
 
   * This is a required setting.
   * Value type is <<string,string>>
+  ** `encrypt`: encrypts a plaintext value into IV + ciphertext
+  ** `decrypt`: decrypts an IV + ciphertext value into plaintext
   * There is no default value for this setting.
 
-Encrypting or decrypting some data
-
-Valid values are encrypt or decrypt
-
 [id="plugins-{type}s-{plugin}-source"]
 ===== `source` 
 
   * Value type is <<string,string>>
   * Default value is `"message"`
 
-The field to perform filter
+The name of the source field.
 
-Example, to use the @message field (default) :
+* When <<plugins-{type}s-{plugin}-mode,`mode => encrypt`>>, the `source` should be a field containing plaintext
+* When <<plugins-{type}s-{plugin}-mode,`mode => decrypt`>>, the `source` should be a field containing IV + ciphertext
+
+Example, to use the `message` field (default) :
 [source,ruby]
     filter { cipher { source => "message" } }
 
@@ -208,13 +208,16 @@ Example, to use the @message field (default) :
   * Value type is <<string,string>>
   * Default value is `"message"`
 
-The name of the container to put the result
+The name of the target field to put the result:
+
+* When <<plugins-{type}s-{plugin}-mode,`mode => encrypt`>>, the IV + ciphertext result will be stored in the `target` field
+* When <<plugins-{type}s-{plugin}-mode,`mode => decrypt`>>, the plaintext result will be stored in the `target` field
 
-Example, to place the result into crypt :
+Example, to place the result into crypt:
 [source,ruby]
     filter { cipher { target => "crypt" } }
 
 
 
 [id="plugins-{type}s-{plugin}-common-options"]
-include::{include_path}/{type}.asciidoc[]
+include::{include_path}/{type}.asciidoc[]

data/lib/logstash/filters/cipher.rb

@@ -1,6 +1,7 @@
 # encoding: utf-8
 require "logstash/filters/base"
 require "openssl"
+require "concurrent/atomic/thread_local_var"
 
 # This filter parses a source and apply a cipher or decipher before
 # storing it in the target.
@@ -38,7 +39,7 @@ class LogStash::Filters::Cipher < LogStash::Filters::Base
   #
   # Please read the following: https://github.com/jruby/jruby/wiki/UnlimitedStrengthCrypto
   #
-  config :key, :validate => :string
+  config :key, :validate => :password
 
   # The key size to pad
   #
@@ -59,12 +60,12 @@ class LogStash::Filters::Cipher < LogStash::Filters::Base
   # A list of supported algorithms can be obtained by
   # [source,ruby]
   #     puts OpenSSL::Cipher.ciphers
-  config :algorithm, :validate => :string, :required => true
+  config :algorithm, :validate => OpenSSL::Cipher.ciphers, :required => true
 
   # Encrypting or decrypting some data
   #
   # Valid values are encrypt or decrypt
-  config :mode, :validate => :string, :required => true
+  config :mode, :validate => %w(encrypt decrypt), :required => true
 
   # Cipher padding to use. Enables or disables padding.
   #
@@ -115,103 +116,158 @@ class LogStash::Filters::Cipher < LogStash::Filters::Base
 
   def register
     require 'base64' if @base64
-    init_cipher
-  end # def register
+    if cipher_reuse_enabled?
+      @reusable_cipher = Concurrent::ThreadLocalVar.new
+      @cipher_reuse_count = Concurrent::ThreadLocalVar.new
+    end
 
+    if @key.value.length != @key_size
+      @logger.debug("key length is " + @key.length.to_s + ", padding it to " + @key_size.to_s + " with '" + @key_pad.to_s + "'")
+      @key = @key.class.new(@key.value[0,@key_size].ljust(@key_size,@key_pad))
+    end
+  end # def register
 
   def filter(event)
-    
-
+    source = event.get(@source)
+    if (source.nil? || source.empty?)
+      @logger.debug("Event to filter, event 'source' field: " + @source + " was null(nil) or blank, doing nothing")
+      return
+    end
 
-    #If decrypt or encrypt fails, we keep it it intact.
-    begin
+    result = case(@mode)
+             when "encrypt" then do_encrypt(source)
+             when "decrypt" then do_decrypt(source)
+             else
+               @logger.error("Invalid cipher mode. Valid values are \"encrypt\" or \"decrypt\"", :mode => @mode)
+               raise "Internal Error, aborting."
+             end
 
-      if (event.get(@source).nil? || event.get(@source).empty?)
-        @logger.debug("Event to filter, event 'source' field: " + @source + " was null(nil) or blank, doing nothing")
-        return
-      end
+    event.set(@target, result)
+    filter_matched(event) unless result.nil?
+  rescue => e
+    @logger.error("An error occurred while #{@mode}ing.", :exception => e.message)
+    event.tag("_cipherfiltererror")
+  end
 
-      #@logger.debug("Event to filter", :event => event)
-      data = event.get(@source)
-      if @mode == "decrypt"
-        data =  Base64.strict_decode64(data) if @base64 == true
-        @random_iv = data.byteslice(0,@iv_random_length)
-        data = data.byteslice(@iv_random_length..data.length)
-      end
+  private
 
-      if @mode == "encrypt"
-        @random_iv = OpenSSL::Random.random_bytes(@iv_random_length)
-      end
+  def cipher_reuse_enabled?
+    @max_cipher_reuse > 1
+  end
 
-      @cipher.iv = @random_iv
+  ##
+  # @param plaintext [String]
+  # @return [String]: ciphertext
+  def do_encrypt(plaintext)
+    with_cipher do |cipher|
+      random_iv = OpenSSL::Random.random_bytes(@iv_random_length)
+      cipher.iv = random_iv
 
-      result = @cipher.update(data) + @cipher.final
+      ciphertext = random_iv + cipher.update(plaintext) + cipher.final
 
-      if @mode == "encrypt"
+      ciphertext = Base64.strict_encode64(ciphertext).encode("utf-8") if @base64 == true
 
-        # if we have a random_iv, prepend that to the crypted result
-        if !@random_iv.nil?
-          result = @random_iv + result
-        end
+      ciphertext
+    end
+  end
+
+  ##
+  # @param ciphertext_with_iv [String]
+  # @return [String] plaintext
+  def do_decrypt(ciphertext_with_iv)
+    ciphertext_with_iv = Base64.strict_decode64(ciphertext_with_iv) if @base64 == true
+    encoded_iv = ciphertext_with_iv.byteslice(0..@iv_random_length)
+    ciphertext = ciphertext_with_iv.byteslice(@iv_random_length..-1)
+
+    with_cipher do |cipher|
+      cipher.iv = encoded_iv
+      plaintext = cipher.update(ciphertext) + cipher.final
+      plaintext.force_encoding("UTF-8")
+      plaintext
+    end
+  end
 
-        result =  Base64.strict_encode64(result).encode("utf-8") if @base64 == true
-      end
+  ##
+  # Returns a new or freshly-reset cipher, bypassing cipher reuse if it is not enabled
+  #
+  # @yieldparam [OpenSSL::Cipher]
+  # @yieldreturn [Object]: the object that this method should return
+  # @return [Object]: the object that was returned by the yielded block
+  def with_cipher
+    return yield(init_cipher) unless cipher_reuse_enabled?
+
+    with_reusable_cipher do |reusable_cipher|
+      yield reusable_cipher
+    end
+  end
 
-    rescue => e
-      @logger.warn("Exception catch on cipher filter", :event => event, :error => e)
+  ##
+  # Returns a new or freshly-reset cipher.
+  #
+  # @yieldparam [OpenSSL::Cipher]
+  # @yieldreturn [Object]: the object that this method should return
+  # @return [Object]: the object that was returned by the yielded block
+  def with_reusable_cipher
+    cipher = get_or_init_reusable_cipher
+
+    result = yield(cipher)
+
+    cleanup_reusable_cipher
+
+    return result
+  rescue => e
+    # when an error is encountered, we cannot trust the state of the cipher object.
+    @logger.debug("shared cipher: removing because an exception was raised in #{Thread.current}", :exception => e.message)
+    destroy_reusable_cipher
+    raise
+  end
+
+  def get_or_init_reusable_cipher
+    if @reusable_cipher.value.nil?
+      @logger.debug("shared cipher: initializing for #{Thread.current}")
+      @reusable_cipher.value = init_cipher
+      @cipher_reuse_count.value = 0
+    end
 
-      # force a re-initialize on error to be safe
-      init_cipher
+    @cipher_reuse_count.value += 1
+    @reusable_cipher.value
+  end
 
+  def cleanup_reusable_cipher
+    if @cipher_reuse_count.value >= @max_cipher_reuse
+      @logger.debug("shared cipher: max_cipher_reuse[#{@max_cipher_reuse}] reached for #{Thread.current}, total_cipher_uses = #{@cipher_reuse_count.value}") if @logger.debug?
+      destroy_reusable_cipher
     else
-      @total_cipher_uses += 1
-
-      result = result.force_encoding("utf-8") if @mode == "decrypt"
-
-      event.set(@target, result)
-
-      #Is it necessary to add 'if !result.nil?' ? exception have been already catched.
-      #In doubt, I keep it.
-      filter_matched(event) if !result.nil?
-
-      if !@max_cipher_reuse.nil? and @total_cipher_uses >= @max_cipher_reuse
-        @logger.debug("max_cipher_reuse["+@max_cipher_reuse.to_s+"] reached, total_cipher_uses = "+@total_cipher_uses.to_s)
-        init_cipher
-      end
-
+      @logger.debug("shared cipher: resetting for #{Thread.current}")
+      @reusable_cipher.value.reset
     end
-  end # def filter
+  end
 
-  def init_cipher
+  def destroy_reusable_cipher
+    @reusable_cipher.value = nil
+    @cipher_reuse_count.value = 0
+  end
 
-    if !@cipher.nil?
-      @cipher.reset
-      @cipher = nil
-    end
+  ##
+  # @return [OpenSSL::Cipher]
+  def init_cipher
+    cipher = OpenSSL::Cipher.new(@algorithm)
 
-    @cipher = OpenSSL::Cipher.new(@algorithm)
+    cipher.public_send(@mode)
 
-    @total_cipher_uses = 0
+    cipher.key = @key.value
 
-    if @mode == "encrypt"
-      @cipher.encrypt
-    elsif @mode == "decrypt"
-      @cipher.decrypt
-    else
-      @logger.error("Invalid cipher mode. Valid values are \"encrypt\" or \"decrypt\"", :mode => @mode)
-      raise "Bad configuration, aborting."
-    end
+    cipher.padding = @cipher_padding if @cipher_padding
 
-    if @key.length != @key_size
-      @logger.debug("key length is " + @key.length.to_s + ", padding it to " + @key_size.to_s + " with '" + @key_pad.to_s + "'")
-      @key = @key[0,@key_size].ljust(@key_size,@key_pad)
+    if @logger.trace?
+      @logger.trace("Cipher initialisation done", :mode => @mode,
+                                                  :key => @key.value,
+                                                  :iv_random_length => @iv_random_length,
+                                                  :iv_random => @iv_random,
+                                                  :cipher_padding => @cipher_padding)
     end
 
-    @cipher.key = @key
-
-    @cipher.padding = @cipher_padding if @cipher_padding
-
-    @logger.debug("Cipher initialisation done", :mode => @mode, :key => @key, :iv_random_length => @iv_random_length, :iv_random => @iv_random, :cipher_padding => @cipher_padding)
+    cipher
   end # def init_cipher
 
 

data/logstash-filter-cipher.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-filter-cipher'
-  s.version         = '4.0.0'
+  s.version         = '4.0.1'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Applies or removes a cipher to an event"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -22,6 +22,7 @@ Gem::Specification.new do |s|
 
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
+  s.add_runtime_dependency "concurrent-ruby", '~> 1.0'
 
   s.add_development_dependency 'logstash-devutils'
 end

data/spec/filters/cipher_spec.rb

@@ -1,5 +1,6 @@
 # encoding: utf-8
 require 'logstash-core'
+require 'logstash/json'
 require "logstash/codecs/base"
 require 'logstash/filters/cipher'
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-cipher
 version: !ruby/object:Gem::Version
-  version: 4.0.0
+  version: 4.0.1
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-01-11 00:00:00.000000000 Z
+date: 2020-09-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -30,6 +30,20 @@ dependencies:
     - - "<="
       - !ruby/object:Gem::Version
         version: '2.99'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  name: concurrent-ruby
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements: