Class: Fluent::JwtFilter

Inherits:
Filter
  • Object
Defined in:
lib/fluent/plugin/filter_jwt.rb

Overview

JwtFilter encrypts and decrypts JSON messages using JSON Web Token technology. For encryption, a JSON Web Key (public) is used. For decryption, a JSON Web Key (private) is used. Symmetric keys are not currently supported in the JSON Web Key (TODO).

An example encrypted JSON message is as follows:

{
  "jwe_encrypted": {
    "protected": "eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiUlNBMV81In0",
    "encrypted_key": "P8dKW8KE5nJm7s9GDENrcSW2iNw0Fo4FqDxRwyr6JSGCPCwjc_agoEq7O8xhWX_WoRZin90ORPP1oO5_kavTIcppnRcmquxm1jhQtKk77-HN9Efo7DQf3yfgdnD7xv-M1I_rCPeHVFm33BNB6TIhCo1fUfhEUM8GjjC8PLFFwOcDUNf1vw1-WjUqMhUf-b45s6CHhYdpDqzs7GYuovDo0LMeFeBSc4Xntw_vWPMeHxsuVyuZpDHUQm-dX5wnmQ4UhZPzEhkkVJw1oz2uTMjcl6mi1bucKGy1zNaGN-JEhg5_2QgijqTxRtJgOBlVtHLJ5HABT4tI6-v06M3dPryz5w",
    "iv": "xYk2s_39pHvLBZy3",
    "ciphertext": "taCQAMBZtKgQfh5LaWs",
    "tag": "nbWyhG82A-eCJMvdhbrSJw"
  }
}

If attributes are added to the record in transit, the decrypted contents are merged into the modified hash.
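The protected header of the sample above base64url-decodes to {"enc":"A128GCM","alg":"RSA1_5"}, so a record can be checked against an algorithm policy before it is handed to decrypt. The following is an added example, not code from the plugin; the helper names and the allowlist (RSA-OAEP instead of RSA1_5, GCM content encryption only) are assumptions.

```ruby
require "json"

# Members of the JWE JSON object shown in the Overview example.
REQUIRED_MEMBERS = %w[protected encrypted_key iv ciphertext tag].freeze
# Assumed policy, not the plugin's: RSA-OAEP only, so RSA1_5 is rejected.
ALLOWED_ALG = %w[RSA-OAEP].freeze
ALLOWED_ENC = %w[A128GCM A256GCM].freeze

# Strict base64url decode (unpadded input accepted); raises ArgumentError if invalid.
def b64url_decode(value)
  padded = value.tr("-_", "+/") + "=" * ((4 - value.length % 4) % 4)
  padded.unpack1("m0")
end

# Hypothetical helper: returns policy violations for record["jwe_encrypted"].
# An empty array means the record may be handed to decrypt.
def jwe_policy_violations(record)
  jwe = record["jwe_encrypted"]
  return ["jwe_encrypted is missing or not an object"] unless jwe.is_a?(Hash)

  missing = REQUIRED_MEMBERS.reject { |m| jwe[m].is_a?(String) && !jwe[m].empty? }
  return ["missing members: #{missing.join(', ')}"] unless missing.empty?

  header = JSON.parse(b64url_decode(jwe["protected"]))
  return ["protected header is not an object"] unless header.is_a?(Hash)

  problems = []
  problems << "alg #{header['alg']} not allowed" unless ALLOWED_ALG.include?(header["alg"])
  problems << "enc #{header['enc']} not allowed" unless ALLOWED_ENC.include?(header["enc"])
  # AES-GCM in JWE uses a 96-bit IV and a 128-bit authentication tag.
  problems << "iv must be 12 bytes" unless b64url_decode(jwe["iv"]).bytesize == 12
  problems << "tag must be 16 bytes" unless b64url_decode(jwe["tag"]).bytesize == 16
  problems
rescue JSON::ParserError, ArgumentError => e
  ["malformed JWE: #{e.class}"]
end

# protected, iv, ciphertext and tag are the Overview's values;
# encrypted_key is a constructed placeholder (it is not decoded here).
SAMPLE = { "jwe_encrypted" => {
  "protected" => "eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiUlNBMV81In0",
  "encrypted_key" => "PLACEHOLDER",
  "iv" => "xYk2s_39pHvLBZy3",
  "ciphertext" => "taCQAMBZtKgQfh5LaWs",
  "tag" => "nbWyhG82A-eCJMvdhbrSJw"
} }.freeze

puts jwe_policy_violations(SAMPLE).inspect if __FILE__ == $PROGRAM_NAME
```

Under this policy the Overview's sample is flagged only for its RSA1_5 key encryption; its IV and tag have the lengths expected for A128GCM.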


Instance Method Details

#configure(conf) ⇒ Object

This method is called after config_params have read the configuration parameters.



# File 'lib/fluent/plugin/filter_jwt.rb', line 37

def configure(conf)
  super
  begin
    case @method
    when "encrypt"
      # read public key from file (File.read closes the handle and, unlike
      # Kernel#open, never treats a path beginning with "|" as a command)
      @jwk_pub = JSON::JWK.new(JSON.parse(File.read(@jwk_pub_file)))
    when "decrypt"
      # read private key from file
      @jwk = JSON::JWK.new(JSON.parse(File.read(@jwk_file)))
    else
      not_supported_error
    end
  rescue JSON::ParserError => e
    $log.error "JSON Web Key parse error", :error => e.to_s
    $log.debug_backtrace(e.backtrace)
  end
end

#decrypt(record) ⇒ Object



# File 'lib/fluent/plugin/filter_jwt.rb', line 96

def decrypt(record)
  begin
    # decrypt JSON format cipher data
    jwe_dec = JSON::JWE.decode_json_serialized(record["jwe_encrypted"], @jwk.to_key)
    # note: at debug log level this writes the decrypted plaintext to the log
    $log.debug jwe_dec.plain_text
    # merge decrypted contents into original contents without jwe_encrypted;
    # on a key collision the decrypted value replaces the one in the record
    output = record.reject { |k, _v| k == "jwe_encrypted" }.merge(JSON.parse(jwe_dec.plain_text))
    $log.debug output
    output
  rescue JSON::ParserError => e
    $log.error "Message parse error", :error => e.to_s
    $log.debug_backtrace(e.backtrace)
  rescue StandardError => e
    # StandardError rather than Exception, so signals and exits are not swallowed
    $log.error "Error", :error => e.to_s
    $log.debug_backtrace(e.backtrace)
  end
end

#encrypt(record) ⇒ Object

This is the method that formats the data output.



# File 'lib/fluent/plugin/filter_jwt.rb', line 76

def encrypt(record)
  begin
    # encrypt JSON format record
    jwe = JSON::JWE.new(record.to_json)
    # choose block cipher algorithm
    jwe.enc = @block_cipher_alg.to_sym
    # choose cipher algorithm for encrypting block cipher key (symmetric cipher key)
    jwe.alg = @key_encryption_alg.to_sym
    # encryption
    jwe.encrypt!(@jwk_pub.to_key)
    # output the result in JSON format
    output = {jwe_encrypted: jwe.as_json}
    $log.debug output
    output
  rescue StandardError => e
    # StandardError rather than Exception, so signals and exits are not swallowed
    $log.error "Error", :error => e.to_s
    $log.debug_backtrace(e.backtrace)
  end
end

#filter(tag, time, record) ⇒ Object



# File 'lib/fluent/plugin/filter_jwt.rb', line 64

def filter(tag, time, record)
  case @method
  when "encrypt"
    encrypt(record)
  when "decrypt"
    decrypt(record)
  else
    not_supported_error
  end
end

#not_supported_error ⇒ Object



# File 'lib/fluent/plugin/filter_jwt.rb', line 32

def not_supported_error
  $log.error "JwtFilter: Not supported method is specified"
end

#shutdown ⇒ Object



# File 'lib/fluent/plugin/filter_jwt.rb', line 60

def shutdown
  super
end

#start ⇒ Object



# File 'lib/fluent/plugin/filter_jwt.rb', line 56

def start
  super
end