logstash-filter-cipher_kms 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 120788fc1c7dfcf06d11e79d904c069b42bdca37478818ea2543e0c5ef4aa2e4
+  data.tar.gz: 9bdd3463342e201bd16aad72ad5b51d227408dd410a99d46139eabd599e80385
+SHA512:
+  metadata.gz: 2066e76d16630aed26d9acb86bebd281b70b1d35d3e9bf9ab000a4000b72d0f9f1e8d4a85c9c9e0181a13d325f2fb16445bac0c2ad4a792659dc7976d5024528
+  data.tar.gz: 2e56c12977c50929600d13131a622987f8401a60eb9e35635e0dc3b9e2e41e786ef50d463c231d88239385d519327ba84d97c6cd657a74855f7dff0167e3831c

data/CHANGELOG.md

@@ -0,0 +1,2 @@
+## 0.1.0
+  - Plugin created with the logstash plugin generator

data/CONTRIBUTORS

@@ -0,0 +1,10 @@
+The following is a list of people who have contributed ideas, code, bug
+reports, or in general have helped logstash along its way.
+
+Contributors:
+* Avihoo Mamka - avihoo.mamka@onfido.com
+
+Note: If you've sent us patches, bug reports, or otherwise contributed to
+Logstash, and you aren't on the list above and want to be, please let us know
+and we'll make sure you're here. Contributions from folks like you are what make
+open source awesome.

data/DEVELOPER.md

@@ -0,0 +1,2 @@
+# logstash-filter-cipher_kms
+Example filter plugin. This should help bootstrap your effort to write your own filter plugin!

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+gemspec
+

data/LICENSE

@@ -0,0 +1,11 @@
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,86 @@
+# Logstash Plugin
+
+This is a plugin for [Logstash](https://github.com/elastic/logstash).
+
+It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
+
+## Documentation
+
+Logstash provides infrastructure to automatically generate documentation for this plugin. We use the asciidoc format to write documentation so any comments in the source code will be first converted into asciidoc and then into html. All plugin documentation are placed under one [central location](http://www.elastic.co/guide/en/logstash/current/).
+
+- For formatting code or config example, you can use the asciidoc `[source,ruby]` directive
+- For more asciidoc formatting tips, see the excellent reference here https://github.com/elastic/docs#asciidoc-guide
+
+## Need Help?
+
+Need help? Try #logstash on freenode IRC or the https://discuss.elastic.co/c/logstash discussion forum.
+
+## Developing
+
+### 1. Plugin Developement and Testing
+
+#### Code
+- To get started, you'll need JRuby with the Bundler gem installed.
+
+- Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).
+
+- Install dependencies
+```sh
+bundle install
+```
+
+#### Test
+
+- Update your dependencies
+
+```sh
+bundle install
+```
+
+- Run tests
+
+```sh
+bundle exec rspec
+```
+
+### 2. Running your unpublished Plugin in Logstash
+
+#### 2.1 Run in a local Logstash clone
+
+- Edit Logstash `Gemfile` and add the local plugin path, for example:
+```ruby
+gem "logstash-filter-cipher_kms", :path => "/your/local/logstash-filter-cipher_kms"
+```
+- Install plugin
+```sh
+bin/logstash-plugin install --no-verify
+```
+- Run Logstash with your plugin
+```sh
+bin/logstash -e 'filter {cipher_kms {}}'
+```
+At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
+
+#### 2.2 Run in an installed Logstash
+
+You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
+
+- Build your plugin gem
+```sh
+gem build logstash-filter-cipher_kms.gemspec
+```
+- Install the plugin from the Logstash home
+```sh
+bin/logstash-plugin install /your/local/plugin/logstash-filter-cipher_kms.gem
+```
+- Start Logstash and proceed to test the plugin
+
+## Contributing
+
+All contributions are welcome: ideas, patches, documentation, bug reports, complaints, and even something you drew up on a napkin.
+
+Programming is not a required skill. Whatever you've seen about open source and maintainers or community members  saying "send patches or die" - you will not see that here.
+
+It is more important to the community that you are able to contribute.
+
+For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.

data/lib/logstash/filters/cipher_kms.rb

@@ -0,0 +1,281 @@
+# encoding: utf-8
+
+require 'active_support/core_ext'
+require 'aws-sdk'
+require 'rubygems'
+require 'json'
+require 'logstash/filters/base'
+require 'logstash/namespace'
+require 'openssl'
+
+# This filter parses a source and apply a cipher or decipher before
+# storing it in the target.
+# It uses AWS KMS to generate the envelope key for ciphering/deciphering.
+class LogStash::Filters::CipherKms < LogStash::Filters::Base
+  config_name 'cipher_kms'
+
+  # The field to perform filter
+  #
+  # Example, to use the @message field (default):
+  # [source,ruby]
+  #     filter { cipher_kms { source => "message" } }
+  config :source, validate: :string, default: 'message'
+
+  # The name of the container to put the result
+  #
+  # Example, to place the result into crypt :
+  # [source,ruby]
+  #     filter { cipher_kms { target => "crypt" } }
+  config :target, validate: :string, default: 'message'
+
+  # The name of the container to put the crypt metadata
+  #
+  # Example, to place the crypt metadata into crypt_metadata :
+  # [source,ruby]
+  #     filter { cipher_kms { crypt_metadata => "crypt_metadata" } }
+  config :crypt_metadata, validate: :string, default: 'crypt_metadata'
+
+  # Do we have to perform a `base64` decode or encode?
+  #
+  # If we are decrypting, `base64` decode will be done before.
+  # If we are encrypting, `base64` will be done after.
+  #
+  config :base64, validate: :boolean, default: true
+
+  # The AWS KMS key id to use
+  #
+  config :key_id, validate: :string, required: true
+
+  # The AWS region for KMS (e.g. eu-west-1)
+  # See http://docs.aws.amazon.com/general/latest/gr/rande.html#kms_region
+  config :region, validate: :string, required: true
+
+  # An optional aws access key id to use for AWS.
+  #
+  config :access_key_id, validate: :string, default: nil
+
+  # An optional secret access key to use for AWS.
+  #
+  config :secret_access_key, validate: :string, default: nil
+
+  # An optional AWS profile to use.
+  # See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-multiple-profiles
+  config :aws_profile, validate: :string, default: nil
+
+  # An optional path for the shared credentials file.
+  # See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
+  config :aws_shared_credentials_path, validate: :string, default: nil
+
+  # An optional setting whether to use AWS instance profile.
+  # See http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
+  config :aws_instance_profile, validate: :boolean, default: false
+
+  # An optional setting whether to use AWS ECS credentials.
+  # See http://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
+  config :aws_ecs_credentials, validate: :boolean, default: false
+
+  # An encryption context to use to encrypting and decrypting data.
+  # When encrypting, the encryption context is sent as a part of the payload.
+  # When decrypting, if any of the key-value pairs specified in encryption_context
+  # fails to match the payload's encryption context, then decryption will fail.
+  # Nested hashes are not supported. This is just a flat map of key value pairs.
+  # See: http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
+  config :encryption_context, validate: :hash, default: {}
+
+  # The cipher algorithm
+  #
+  # Due to AWS KMS restrictions the available algorithms are: AES_128, AES_256
+  # The mapping for the equivalent Ruby ciphers are as follows:
+  # {AES_128 => AES-128-cbc, AES_256 => AES-256-cbc}
+  config :algorithm, validate: :string, required: true
+
+  # Encrypting or decrypting some data
+  #
+  # Valid values are encrypt or decrypt
+  config :mode, validate: :string, required: true
+
+  # Force a random IV to be used per encryption invocation and specify
+  # the length of the random IV that will be generated via:
+  #
+  #       OpenSSL::Random.random_bytes(int_length)
+  #
+  # Enabling this will force the plugin to generate a unique
+  # random IV for each encryption call. This random IV will be prepended to the
+  # encrypted result bytes and then base64 encoded.
+  # On decryption "iv_random_length" must also be set to utilize this feature.
+  # Random IV's are better than statically hardcoded IVs.
+  #
+  # For AES algorithms you can set this to a 16
+  # [source,ruby]
+  #     filter { cipher { iv_random_length => 16 }}
+  config :iv_random_length, validate: :number, required: true
+
+  # If this is set, the internal Cipher instance will be
+  # re-used up to @max_cipher_reuse times before being
+  # reset() and re-created from scratch. This is an option
+  # for efficiency where lots of data is being encrypted
+  # and decrypted using this filter. This lets the filter
+  # avoid creating new Cipher instances over and over
+  # for each encrypt/decrypt operation.
+  #
+  # This is optional, the default is no re-use of the Cipher
+  # instance and max_cipher_reuse = 1 by default
+  # [source,ruby]
+  #     filter { cipher { max_cipher_reuse => 1000 }}
+  config :max_cipher_reuse, validate: :number, default: 1
+
+  # Mapping between AWS KMS available ciphers and correlated Ruby ciphers
+  KMS_RUBY_CIPHER_MAP = {"AES_128" => "AES-128-cbc", "AES_256" => "AES-256-cbc"}.freeze
+
+  def register
+    require 'base64' if @base64
+    validate_config
+    init_cipher
+  end
+
+  def filter(event)
+    # If decrypt or encrypt fails, we keep it it intact.
+    begin
+      if event.get(@source).blank?
+        @logger.debug("Event to filter, event 'source' field: " + @source + ' was nil or blank, doing nothing.')
+        return
+      end
+
+      @logger.debug('Event to filter', event: event)
+      data = event.get(@source)
+
+      if @mode == 'encrypt'
+        result, metadata = encrypt(data)
+        event.set(@crypt_metadata, metadata)
+      elsif @mode == 'decrypt'
+        result = decrypt(data, event.get(@crypt_metadata))
+        event.remove(@crypt_metadata)
+      end
+
+      @total_cipher_uses += 1
+      unless result.nil?
+        event.set(@target, result)
+        filter_matched(event)
+      end
+    rescue => e
+      @logger.warn('Exception caught on cipher filter', event: event, error: e)
+      # force a re-initialize on error to be safe
+      init_cipher
+    ensure
+      rotate_cipher_if_needed
+    end
+  end
+
+  def encrypt(data)
+    @random_iv = OpenSSL::Random.random_bytes(@iv_random_length)
+    kms_response = @kms.generate_data_key(key_id: @key_id, key_spec: @algorithm,
+                                          encryption_context: @encryption_context) # => returns a ciphertext and a plaintext key
+
+    begin
+      data = JSON.generate(data)
+    rescue JSON::GeneratorError
+      # ignored, use as is
+    end
+    result = cipher_process(kms_response.plaintext, data)
+
+    # Prepend padding and base64 encoding if configured
+    result = @random_iv + result unless @random_iv.nil?
+    result = Base64.strict_encode64(result).encode('utf-8') if @base64
+    metadata = Base64.strict_encode64(kms_response.ciphertext_blob).encode('utf-8')
+    [result, metadata]
+  end
+
+  def decrypt(data, metadata)
+    kms_response = @kms.decrypt(ciphertext_blob: Base64.strict_decode64(metadata),
+                                encryption_context: @encryption_context)
+
+    data = Base64.strict_decode64(data) if @base64
+    @random_iv = data.byteslice(0, @iv_random_length)
+    data = data.byteslice(@iv_random_length..data.length)
+
+    result = cipher_process(kms_response.plaintext, data)
+    result.force_encoding('utf-8')
+    begin
+      result = JSON.parse(result)
+    rescue JSON::ParserError
+      # ignored, return as is
+    end
+
+    result
+  end
+
+  def cipher_set_required_params(key)
+    @cipher.key = key
+    @cipher.iv = @random_iv
+  end
+
+  def cipher_process(key, data)
+    cipher_set_required_params(key)
+    result = @cipher.update(data) + @cipher.final
+    result
+  end
+
+  def rotate_cipher_if_needed
+    if !@max_cipher_reuse.nil? && @total_cipher_uses >= @max_cipher_reuse
+      @logger.debug('max_cipher_reuse[' + @max_cipher_reuse.to_s + '] reached, total_cipher_uses = ' + @total_cipher_uses.to_s)
+      init_cipher
+    end
+  end
+
+  def init_cipher
+    @logger.debug('Encryption Context: ' + @encryption_context.to_s, plugin: self.class.name)
+
+    credentials = nil
+    if !@access_key_id.blank? && !@secret_access_key.blank?
+      credentials = Aws::Credentials.new(@access_key_id, @secret_access_key)
+      @logger.debug('Using Static Credentials', plugin: self.class.name)
+    elsif !@aws_shared_credentials_path.blank? || !@aws_profile.blank?
+      credentials = Aws::SharedCredentials.new(path: @aws_shared_credentials_path, profile_name: @aws_profile)
+      @logger.debug('Using Shared Credentials', plugin: self.class.name)
+    elsif @aws_instance_profile
+      credentials = Aws::InstanceProfileCredentials.new
+      @logger.debug('Using Instance Profile Credentials', plugin: self.class.name)
+    elsif @aws_ecs_credentials
+      credentials = Aws::ECSCredentials.new
+      @logger.debug('Using ECS Credentials', plugin: self.class.name)
+    end
+
+    @kms = Aws::KMS::Client.new(region: @region, credentials: credentials)
+
+    @total_cipher_uses = 0
+    @cipher = OpenSSL::Cipher.new(KMS_RUBY_CIPHER_MAP[@algorithm])
+    set_cipher_crypt_mode
+
+    @logger.debug('Cipher initialisation done', mode: @mode, iv_random_length: @iv_random_length,
+                                                algorithm: @algorithm, base64: @base64,
+                                                max_cipher_reuse: @max_cipher_reuse)
+  end
+
+  def set_cipher_crypt_mode
+    if @mode == 'encrypt'
+      @cipher.encrypt
+    elsif @mode == 'decrypt'
+      @cipher.decrypt
+    end
+  end
+
+  def validate_config
+    @encryption_context.each do |_, value|
+      unless value.is_a?(String)
+        raise LogStash::ConfigurationError, 'Values in encryption_context must be strings, aborting.'
+      end
+    end
+
+    unless KMS_RUBY_CIPHER_MAP.key?(@algorithm)
+      raise LogStash::ConfigurationError, 'You can only use one of the following algorithms: ' + KMS_RUBY_CIPHER_MAP.keys.to_s + ', aborting.'
+    end
+
+    unless @mode == 'encrypt' || @mode == 'decrypt'
+      @logger.error('Invalid cipher mode. Valid values are \"encrypt\" or \"decrypt\"', mode: @mode)
+      raise LogStash::ConfigurationError, 'Invalid cipher mode. Valid values are \"encrypt\" or \"decrypt\", aborting.'
+    end
+
+    true
+  end
+
+end

data/logstash-filter-cipher_kms.gemspec

@@ -0,0 +1,32 @@
+# encoding: utf-8
+
+Gem::Specification.new do |s|
+  s.name          = 'logstash-filter-cipher_kms'
+  s.version       = '0.1.0'
+  s.licenses      = ['Apache License (2.0)']
+  s.summary       = 'This is a Logstash plugin to allow data
+                      encryption/decryption using AWS KMS.'
+  s.description   = 'This is a Logstash plugin to allow data
+                      encryption/decryption using AWS KMS.'
+  s.homepage      = 'https://github.com/onfido/logstash-filter-cipher_kms'
+  s.authors       = ['Onfido']
+  s.email         = 'engineering@onfido.com'
+  s.require_paths = ['lib']
+
+  # Files
+  s.files = Dir['lib/**/*', 'spec/**/*', 'vendor/**/*', '*.gemspec', '*.md',
+                'CONTRIBUTORS', 'Gemfile', 'LICENSE', 'NOTICE.TXT']
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core-plugin-api", "~> 2.0"
+  s.add_development_dependency 'logstash-devutils'
+  s.add_dependency('activesupport')
+  s.add_dependency('aws-sdk', '~> 2')
+  s.add_development_dependency('vcr', '~> 4.0.0')
+  s.add_development_dependency('webmock', '~> 3.1.1')
+end

data/spec/filters/cipher_kms_spec.rb

@@ -0,0 +1,153 @@
+# encoding: utf-8
+
+require_relative '../spec_helper'
+require 'logstash/filters/cipher_kms'
+
+describe LogStash::Filters::CipherKms do
+
+  describe 'configuration validations' do
+
+    it 'should pass validation with encrypt mode' do
+      config = described_class.new(
+        'key_id' => 'id',
+        'region' => 'us-west-1',
+        'algorithm' => 'AES_128',
+        'iv_random_length' => 16,
+        'mode' => 'encrypt'
+      )
+      expect(config.validate_config).to eq(true)
+    end
+
+    it 'should pass validation with decrypt mode' do
+      config = described_class.new(
+        'key_id' => 'id',
+        'region' => 'us-west-1',
+        'algorithm' => 'AES_128',
+        'iv_random_length' => 16,
+        'mode' => 'decrypt'
+      )
+      expect(config.validate_config).to eq(true)
+    end
+
+    it 'should fail validation with invalid crypt mode' do
+      config = described_class.new(
+        'key_id' => 'id',
+        'region' => 'us-west-1',
+        'algorithm' => 'AES_128',
+        'iv_random_length' => 16,
+        'mode' => 'foo'
+      )
+      expect {config.validate_config}.to raise_error(LogStash::ConfigurationError)
+    end
+
+    it 'should pass validation with AES_128 algorithm' do
+      config = described_class.new(
+        'key_id' => 'id',
+        'region' => 'us-west-1',
+        'algorithm' => 'AES_128',
+        'iv_random_length' => 16,
+        'mode' => 'encrypt'
+      )
+      expect(config.validate_config).to eq(true)
+    end
+
+    it 'should pass validation with AES_256 algorithm' do
+      config = described_class.new(
+        'key_id' => 'id',
+        'region' => 'us-west-1',
+        'algorithm' => 'AES_256',
+        'iv_random_length' => 16,
+        'mode' => 'encrypt'
+      )
+      expect(config.validate_config).to eq(true)
+    end
+
+    it 'should fail validation with invalid algorithm' do
+      config = described_class.new(
+        'key_id' => 'id',
+        'region' => 'us-west-1',
+        'algorithm' => 'foo',
+        'iv_random_length' => 16,
+        'mode' => 'encrypt'
+      )
+      expect {config.validate_config}.to raise_error(LogStash::ConfigurationError)
+    end
+
+    it 'should pass validation with valid encryption context' do
+      config = described_class.new(
+        'key_id' => 'id',
+        'region' => 'us-west-1',
+        'algorithm' => 'AES_128',
+        'iv_random_length' => 16,
+        'mode' => 'encrypt',
+        'encryption_context' => {'foo' => 'bar'}
+      )
+      expect(config.validate_config).to eq(true)
+    end
+
+    it 'should pass validation with a missing encryption context param' do
+      config = described_class.new(
+        'key_id' => 'id',
+        'region' => 'us-west-1',
+        'algorithm' => 'AES_128',
+        'iv_random_length' => 16,
+        'mode' => 'encrypt'
+      )
+      expect(config.validate_config).to eq(true)
+    end
+
+    it 'should fail validation with an invalid encryption context' do
+      config = described_class.new(
+        'key_id' => 'id',
+        'region' => 'us-west-1',
+        'algorithm' => 'AES_128',
+        'iv_random_length' => 16,
+        'mode' => 'encrypt',
+        'encryption_context' => {'foo' => {'bar' => 'foobar'}}
+      )
+      expect {config.validate_config}.to raise_error(LogStash::ConfigurationError)
+    end
+  end
+
+  describe 'decryption' do
+    it 'returns a plain text version of the input' do
+      encrypter = described_class.new(
+        'algorithm' => 'AES_256',
+        'mode' => 'encrypt',
+        'base64' => true,
+        'key_id' => 'arn:aws:kms:eu-west-1:666666666666:alias/kms-key',
+        'iv_random_length' => 16,
+        'region' => 'eu-west-1',
+        'access_key_id' => 'fake_aws_key',
+        'secret_access_key' => 'fake_aws_secret_key',
+        'encryption_context' => {
+            'kms_cmk_id' => 'arn:aws:kms:eu-west-1:666666666666:alias/kms-key'
+        }
+      )
+      decrypter = described_class.new(
+        'algorithm' => 'AES_256',
+        'mode' => 'decrypt',
+        'base64' => true,
+        'key_id' => 'arn:aws:kms:eu-west-1:666666666666:alias/kms-key',
+        'iv_random_length' => 16,
+        'region' => 'eu-west-1',
+        'access_key_id' => 'fake_aws_key',
+        'secret_access_key' => 'fake_aws_secret_key',
+        'encryption_context' => {
+            'kms_cmk_id' => 'arn:aws:kms:eu-west-1:666666666666:alias/kms-key'
+        }
+      )
+      plain_text = 'foo'
+      event = LogStash::Event.new(LogStash::Json.load("{\"message\":\"#{plain_text}\"}"))
+      encrypter.register
+      decrypter.register
+
+      VCR.use_cassette('aws_kms_communication') do
+        encrypter.filter(event)
+        decrypter.filter(event)
+      end
+
+      expect(event.get('message')).to eq(plain_text)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,9 @@
+# encoding: utf-8
+
+require 'logstash/devutils/rspec/spec_helper'
+require 'vcr'
+
+VCR.configure do |config|
+  config.cassette_library_dir = "fixtures/vcr_cassettes"
+  config.hook_into :webmock
+end

metadata

@@ -0,0 +1,143 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-cipher_kms
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Onfido
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2018-02-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  name: logstash-core-plugin-api
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: logstash-devutils
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: activesupport
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+  name: aws-sdk
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
+  name: vcr
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.0.0
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.1.1
+  name: webmock
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.1.1
+description: |-
+  This is a Logstash plugin to allow data
+                        encryption/decryption using AWS KMS.
+email: engineering@onfido.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- DEVELOPER.md
+- Gemfile
+- LICENSE
+- README.md
+- lib/logstash/filters/cipher_kms.rb
+- logstash-filter-cipher_kms.gemspec
+- spec/filters/cipher_kms_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/onfido/logstash-filter-cipher_kms
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: filter
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.6.13
+signing_key:
+specification_version: 4
+summary: This is a Logstash plugin to allow data encryption/decryption using AWS KMS.
+test_files:
+- spec/filters/cipher_kms_spec.rb
+- spec/spec_helper.rb