logstash-input-elasticsearch 5.3.1 → 5.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: a9727073ca11cfa69a6f7c7b2f697ddf5867cef0bba4d4e4516eb32aad0dfcd0
4
- data.tar.gz: f48cdc3e58b58bf3d06e56edb7887b61f8a7d3b9ea01492cae2ba300d91c9a0a
3
+ metadata.gz: f16f7eb70ca4239c5d779c5fa8c77d0778ab48277c7f6ca4003d20894d0d7108
4
+ data.tar.gz: 59baf110729b3f8e353087dda028b6e6dc7c6973449307756729d451ddc4192e
5
5
  SHA512:
6
- metadata.gz: 7f0266cbad4a06a7c65bf33dcc4bf79a58a5fd43da7ad7ee007298f9492a23dd939c73dff55eb1880ee6a4f88299946f8b5f113a8267e529cbafb00d417e4ccc
7
- data.tar.gz: 8ae4f0721c282efa2f3384047d94aa0494adf17feb8a6061563fd65b99d6a040ebf0654d36a0f67ab41668e438d087f9473adc30a539f04eec0dc4eb9d984bb5
6
+ metadata.gz: 5450236e4c130d4a7737520de8571d9364327703c8b715ed3aa6de638f604e83c0062ebc2d1f36fecbb7d11d6e29931f8e713008ae89529f843d048c8f82227d
7
+ data.tar.gz: 1e5fdda8c6feafa77d40eda3940155995fba96b1c6d925b74e3392e246eb893a46dc38912335011cc9bd9235a4bf9ad68a0378b8799e48947ea98f68c1cb2207
data/CHANGELOG.md CHANGED
@@ -1,3 +1,6 @@
1
+ ## 5.3.2
2
+ - Support Elastic Cloud API keys in the `api_key` option, which now accepts an `id:api_key` pair, its base64-encoded form, or an `essu_` Cloud API key, and rejects an unrecognized format at startup [#274](https://github.com/logstash-plugins/logstash-input-elasticsearch/pull/274)
3
+
1
4
  ## 5.3.1
2
5
  - Fix serverless request failure caused by conflicting `compatible-with` and `Elastic-Api-Version` headers when using elasticsearch-ruby v9 [#269](https://github.com/logstash-plugins/logstash-input-elasticsearch/pull/269)
3
6
 
data/docs/index.asciidoc CHANGED
@@ -404,10 +404,12 @@ input plugins.
404
404
 
405
405
  Authenticate using Elasticsearch API key. Note that this option also requires enabling the <<plugins-{type}s-{plugin}-ssl_enabled>> option.
406
406
 
407
- Format is `id:api_key` where `id` and `api_key` are as returned by the
407
+ The format is `id:api_key`, where `id` and `api_key` are as returned by the
408
408
  Elasticsearch
409
409
  {ref}/security-api-create-api-key.html[Create
410
- API key API].
410
+ API key API]. The base64-encoded form of that pair is also accepted, as is an
411
+ https://www.elastic.co/docs/deploy-manage/api-keys/elastic-cloud-api-keys[Elastic Cloud API key]
412
+ (prefixed with `essu_`), which is used as-is.
411
413
 
412
414
  [id="plugins-{type}s-{plugin}-ca_trusted_fingerprint"]
413
415
  ===== `ca_trusted_fingerprint`
@@ -216,7 +216,8 @@ class LogStash::Inputs::Elasticsearch < LogStash::Inputs::Base
216
216
  config :cloud_auth, :validate => :password
217
217
 
218
218
  # Authenticate using Elasticsearch API key.
219
- # format is id:api_key (as returned by https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html[Create API key])
219
+ # Format is either the `id:api_key` pair (as returned by https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html[Create API key]),
220
+ # its base64-encoded form, or an https://www.elastic.co/docs/deploy-manage/api-keys/elastic-cloud-api-keys[Elastic Cloud API key] (prefixed with `essu_`) can be used.
220
221
  config :api_key, :validate => :password
221
222
 
222
223
  # Set the address of a forward HTTP proxy.
@@ -542,10 +543,32 @@ class LogStash::Inputs::Elasticsearch < LogStash::Inputs::Base
542
543
  def setup_api_key(api_key)
543
544
  return {} unless (api_key&.value)
544
545
 
545
- token = base64?(api_key.value) ? api_key.value : Base64.strict_encode64(api_key.value)
546
+ token = resolve_api_key(api_key.value)
546
547
  { 'Authorization' => "ApiKey #{token}" }
547
548
  end
548
549
 
550
+ # Resolves the `api_key` value into the credential used in the
551
+ # `Authorization: ApiKey` header. An already base64-encoded key and an Elastic
552
+ # Cloud API key are used as-is; a raw `id:api_key` pair is base64-encoded. An
553
+ # unrecognized value is rejected so a malformed key surfaces at startup rather
554
+ # than as a later authentication failure.
555
+ def resolve_api_key(key_value)
556
+ if base64?(key_value) || cloud_api_key?(key_value)
557
+ key_value
558
+ elsif key_value.match?(/\A[^:]+:[^:]+\z/)
559
+ Base64.strict_encode64(key_value)
560
+ else
561
+ raise LogStash::ConfigurationError, "Invalid api_key format. Expected a base64-encoded key, an 'id:api_key' pair, or a Cloud API key (essu_ prefix)."
562
+ end
563
+ end
564
+
565
+ # Elastic Cloud API keys (such as the unified Serverless keys) are opaque
566
+ # tokens prefixed with `essu_` that Elasticsearch accepts verbatim in the
567
+ # `Authorization: ApiKey` header, with no base64 encoding.
568
+ def cloud_api_key?(string)
569
+ string.match?(/\Aessu_.+/)
570
+ end
571
+
549
572
  def base64?(string)
550
573
  string == Base64.strict_encode64(Base64.strict_decode64(string))
551
574
  rescue ArgumentError
@@ -835,6 +835,28 @@ describe LogStash::Inputs::Elasticsearch, :ecs_compatibility_support do
835
835
  it_behaves_like "a plugin that sets the ApiKey authorization header"
836
836
  end
837
837
 
838
+ context "with an Elastic Cloud API key (essu_ prefix)" do
839
+ # The suffix is intentionally not canonical base64: a Cloud key is opaque
840
+ # and must be forwarded verbatim regardless of its payload encoding.
841
+ let(:api_key_value) { "essu_VFZGblZreFhTekJ4ZDB4M2NHUnZRMEU2YzNWd1pYSnpaV055WlhRPQ==AAAAAAAA" }
842
+
843
+ it "sets the Authorization header verbatim without re-encoding" do
844
+ plugin.register
845
+ client = plugin.send(:client)
846
+ auth_header = client.transport.options[:transport_options][:headers]['Authorization']
847
+
848
+ expect(auth_header).to eql("ApiKey #{api_key_value}")
849
+ end
850
+ end
851
+
852
+ context "with an unrecognized api_key format" do
853
+ let(:api_key_value) { "not-a-valid-key" }
854
+
855
+ it "fails registration with a configuration error" do
856
+ expect { plugin.register }.to raise_error(LogStash::ConfigurationError, /Invalid api_key format/)
857
+ end
858
+ end
859
+
838
860
  context 'user also set' do
839
861
  let(:config) { super().merge({ 'api_key' => 'foo:bar', 'user' => 'another' }) }
840
862
 
data/version CHANGED
@@ -1 +1 @@
1
- 5.3.1
1
+ 5.3.2
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: logstash-input-elasticsearch
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.3.1
4
+ version: 5.3.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Elastic
8
8
  bindir: bin
9
9
  cert_chain: []
10
- date: 2026-06-18 00:00:00.000000000 Z
10
+ date: 2026-07-03 00:00:00.000000000 Z
11
11
  dependencies:
12
12
  - !ruby/object:Gem::Dependency
13
13
  name: logstash-core-plugin-api