Class: LogStash::Filters::CipherKms

Inherits:
Base
  • Object
show all
Defined in:
lib/logstash/filters/cipher_kms.rb

Overview

This filter parses a source and apply a cipher or decipher before storing it in the target. It uses AWS KMS to generate the envelope key for ciphering/deciphering.

Constant Summary collapse

KMS_RUBY_CIPHER_MAP =

Mapping between AWS KMS available ciphers and correlated Ruby ciphers

{"AES_128" => "AES-128-cbc", "AES_256" => "AES-256-cbc"}.freeze

Instance Method Summary collapse

Instance Method Details

#cipher_process(key, data) ⇒ Object 



212
213
214
215
216
 
# File 'lib/logstash/filters/cipher_kms.rb', line 212

def cipher_process(key, data)
  cipher_set_required_params(key)
  result = @cipher.update(data) + @cipher.final
  result
end

#cipher_set_required_params(key) ⇒ Object 



207
208
209
210
 
# File 'lib/logstash/filters/cipher_kms.rb', line 207

def cipher_set_required_params(key)
  @cipher.key = key
  @cipher.iv = @random_iv
end

#decrypt(data, metadata) ⇒ Object 



188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
 
# File 'lib/logstash/filters/cipher_kms.rb', line 188

def decrypt(data, metadata)
  kms_response = @kms.decrypt(ciphertext_blob: Base64.strict_decode64(metadata),
                              encryption_context: @encryption_context)

  data = Base64.strict_decode64(data) if @base64
  @random_iv = data.byteslice(0, @iv_random_length)
  data = data.byteslice(@iv_random_length..data.length)

  result = cipher_process(kms_response.plaintext, data)
  result.force_encoding('utf-8')
  begin
    result = JSON.parse(result)
  rescue JSON::ParserError
    # ignored, return as is
  end

  result
end

#encrypt(data) ⇒ Object 



169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
 
# File 'lib/logstash/filters/cipher_kms.rb', line 169

def encrypt(data)
  @random_iv = OpenSSL::Random.random_bytes(@iv_random_length)
  kms_response = @kms.generate_data_key(key_id: @key_id, key_spec: @algorithm,
                                        encryption_context: @encryption_context) # => returns a ciphertext and a plaintext key

  begin
    data = JSON.generate(data)
  rescue JSON::GeneratorError
    # ignored, use as is
  end
  result = cipher_process(kms_response.plaintext, data)

  # Prepend padding and base64 encoding if configured
  result = @random_iv + result unless @random_iv.nil?
  result = Base64.strict_encode64(result).encode('utf-8') if @base64
  metadata = Base64.strict_encode64(kms_response.ciphertext_blob).encode('utf-8')
  [result, metadata]
end

#filter(event) ⇒ Object 



136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
 
# File 'lib/logstash/filters/cipher_kms.rb', line 136

def filter(event)
  # If decrypt or encrypt fails, we keep it it intact.
  begin
    if event.get(@source).blank?
      @logger.debug("Event to filter, event 'source' field: " + @source + ' was nil or blank, doing nothing.')
      return
    end

    @logger.debug('Event to filter', event: event)
    data = event.get(@source)

    if @mode == 'encrypt'
      result, metadata = encrypt(data)
      event.set(@crypt_metadata, metadata)
    elsif @mode == 'decrypt'
      result = decrypt(data, event.get(@crypt_metadata))
      event.remove(@crypt_metadata)
    end

    @total_cipher_uses += 1
    unless result.nil?
      event.set(@target, result)
      filter_matched(event)
    end
  rescue => e
    @logger.warn('Exception caught on cipher filter', event: event, error: e)
    # force a re-initialize on error to be safe
    init_cipher
  ensure
    rotate_cipher_if_needed
  end
end

#init_cipherObject 



225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
 
# File 'lib/logstash/filters/cipher_kms.rb', line 225

def init_cipher
  @logger.debug('Encryption Context: ' + @encryption_context.to_s, plugin: self.class.name)

  credentials = nil
  if !@access_key_id.blank? && !@secret_access_key.blank?
    credentials = Aws::Credentials.new(@access_key_id, @secret_access_key)
    @logger.debug('Using Static Credentials', plugin: self.class.name)
  elsif !@aws_shared_credentials_path.blank? || !@aws_profile.blank?
    credentials = Aws::SharedCredentials.new(path: @aws_shared_credentials_path, profile_name: @aws_profile)
    @logger.debug('Using Shared Credentials', plugin: self.class.name)
  elsif @aws_instance_profile
    credentials = Aws::InstanceProfileCredentials.new
    @logger.debug('Using Instance Profile Credentials', plugin: self.class.name)
  elsif @aws_ecs_credentials
    credentials = Aws::ECSCredentials.new
    @logger.debug('Using ECS Credentials', plugin: self.class.name)
  end

  @kms = Aws::KMS::Client.new(region: @region, credentials: credentials)

  @total_cipher_uses = 0
  @cipher = OpenSSL::Cipher.new(KMS_RUBY_CIPHER_MAP[@algorithm])
  set_cipher_crypt_mode

  @logger.debug('Cipher initialisation done', mode: @mode, iv_random_length: @iv_random_length,
                                              algorithm: @algorithm, base64: @base64,
                                              max_cipher_reuse: @max_cipher_reuse)
end

#registerObject 



130
131
132
133
134
 
# File 'lib/logstash/filters/cipher_kms.rb', line 130

def register
  require 'base64' if @base64
  validate_config
  init_cipher
end

#rotate_cipher_if_neededObject 



218
219
220
221
222
223
 
# File 'lib/logstash/filters/cipher_kms.rb', line 218

def rotate_cipher_if_needed
  if !@max_cipher_reuse.nil? && @total_cipher_uses >= @max_cipher_reuse
    @logger.debug('max_cipher_reuse[' + @max_cipher_reuse.to_s + '] reached, total_cipher_uses = ' + @total_cipher_uses.to_s)
    init_cipher
  end
end

#set_cipher_crypt_modeObject 



254
255
256
257
258
259
260
 
# File 'lib/logstash/filters/cipher_kms.rb', line 254

def set_cipher_crypt_mode
  if @mode == 'encrypt'
    @cipher.encrypt
  elsif @mode == 'decrypt'
    @cipher.decrypt
  end
end

#validate_configObject 



262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
 
# File 'lib/logstash/filters/cipher_kms.rb', line 262

def validate_config
  @encryption_context.each do |_, value|
    unless value.is_a?(String)
      raise LogStash::ConfigurationError, 'Values in encryption_context must be strings, aborting.'
    end
  end

  unless KMS_RUBY_CIPHER_MAP.key?(@algorithm)
    raise LogStash::ConfigurationError, 'You can only use one of the following algorithms: ' + KMS_RUBY_CIPHER_MAP.keys.to_s + ', aborting.'
  end

  unless @mode == 'encrypt' || @mode == 'decrypt'
    @logger.error('Invalid cipher mode. Valid values are \"encrypt\" or \"decrypt\"', mode: @mode)
    raise LogStash::ConfigurationError, 'Invalid cipher mode. Valid values are \"encrypt\" or \"decrypt\", aborting.'
  end

  true
end