Fluent Filter plugin for JSON Web Token (JSON Web Encryption and JSON Web Signature using JSON Web Key)

toyokazu/fluent-plugin-jwt-filter

Fluent::Plugin::Jwt::Filter

Fluent Filter plugin for encrypting and decrypting messages using JSON Web Token technology (JSON Web Encryption, JSON Web Signature and JSON Web Key). This plugin uses json-jwt to encrypt/decrypt messages.

in_secure_forward and out_secure_forward can support encryption and authentication between fluentd instances. However, if a user intends to share their data via a third-party data broker like EverySense, they may want to encrypt their data end to end. fluent-plugin-jwt-filter supports end-to-end (fluentd to fluentd) encryption.

Installation

Add this line to your application's Gemfile:

gem 'fluent-plugin-jwt-filter'

And then execute:

bundle

Or install it yourself as:

gem install fluent-plugin-jwt-filter

Usage

fluent-plugin-jwt-filter provides encryption and decryption of messages.

<filter test>
  @type jwt
  method encrypt
</filter>

Encryption or decryption is selected with the method option.

Encryption

In the following example, input from the in_tail plugin is encrypted by jwt-filter and then output by the out_forward plugin.

<source>
  @type tail
  path /tmp/test.log
  pos_file /tmp/test.log.pos
  tag test
  format json
</source>

<filter test>
  @type jwt
  method encrypt
</filter>

<match test>
  @type forward
  <server>
    host ::1
    port 24224
  </server>
</match>

For encryption, the following options are available.

  • jwk_pub_file: the name of the file that holds the public key as a JSON Web Key (JWK). JWK public and private keys can be easily generated with jwk_tool (default name: key.pub).

  • block_cipher_alg: the algorithm used to encrypt the contents. A block cipher encrypts the contents, and the block cipher's symmetric key is in turn encrypted by the key encryption algorithm. Currently json-jwt supports A128GCM, A256GCM, A128CBC-HS256 and A256CBC-HS512 (default A128GCM; requires "ruby > 2.0.0").

  • key_encryption_alg: the algorithm used to encrypt the block cipher's encryption key. A public key algorithm is assumed. If the JWK is created as a symmetric key, this option is not required (default RSA1_5).

    @type jwt
    jwk_pub_file fluent/key.pub
    block_cipher_alg A128GCM
    key_encryption_alg RSA1_5

Decryption

In the following example, input from the in_forward plugin is decrypted by jwt-filter and then output by the out_stdout plugin.

<source>
  @type forward
  port 24224
  bind ::1
</source>

<filter test>
  @type jwt
  method decrypt
</filter>

<match test>
  @type stdout
</match>

For decryption, the following options are available.

  • jwk_file: the name of the file that holds the private key as a JSON Web Key (JWK). As mentioned in the Encryption section, JWK public and private keys can be easily generated with jwk_tool (default name: key).

    @type jwt
    method decrypt
    jwk_file fluent/key
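
To make block_cipher_alg and key_encryption_alg concrete, here is an added example (stdlib Ruby, not code from this plugin or from json-jwt) of what a JWE built with the defaults RSA1_5 and A128GCM contains: a per-record content key wrapped with the RSA public key, and the record encrypted and authenticated under that key. The helper names, the in-process RSA key (instead of JWK files) and the use of JWE compact serialization are assumptions.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Hypothetical helpers (not the plugin's or json-jwt's API): JWE compact
# serialization per RFC 7516 with alg=RSA1_5 and enc=A128GCM.
def b64u(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def jwe_encrypt(record, rsa_public)
  header = b64u({ alg: 'RSA1_5', enc: 'A128GCM' }.to_json)
  cipher = OpenSSL::Cipher.new('aes-128-gcm').encrypt
  cek = cipher.random_key              # fresh 128-bit content key per record
  iv = cipher.random_iv                # 96-bit GCM nonce
  cipher.auth_data = header            # protected header is authenticated as AAD
  ciphertext = cipher.update(record.to_json) + cipher.final
  wrapped = rsa_public.public_encrypt(cek, OpenSSL::PKey::RSA::PKCS1_PADDING)
  [header, b64u(wrapped), b64u(iv), b64u(ciphertext), b64u(cipher.auth_tag)].join('.')
end

def jwe_decrypt(token, rsa_private)
  parts = token.split('.')
  raise ArgumentError, 'JWE compact form has five parts' unless parts.size == 5
  header = parts[0]
  wrapped, iv, ciphertext, tag = parts[1..4].map { |p| Base64.urlsafe_decode64(p) }
  # Pin the algorithms instead of trusting whatever the token header asks for.
  claimed = JSON.parse(Base64.urlsafe_decode64(header)).values_at('alg', 'enc')
  raise ArgumentError, 'unexpected alg/enc' unless claimed == %w[RSA1_5 A128GCM]
  raise ArgumentError, 'truncated GCM tag' unless tag.bytesize == 16
  cipher = OpenSSL::Cipher.new('aes-128-gcm').decrypt
  cipher.key = rsa_private.private_decrypt(wrapped, OpenSSL::PKey::RSA::PKCS1_PADDING)
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = header
  JSON.parse(cipher.update(ciphertext) + cipher.final) # final raises if tampered
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)   # constructed key; the plugin reads JWK files
  token = jwe_encrypt({ 'message' => 'constructed sample record' }, key.public_key)
  puts token
  puts jwe_decrypt(token, key)
end
```

Because the content key and nonce are generated per call, encrypting the same record twice yields different tokens, and any change to the header, ciphertext or tag makes decryption fail instead of returning altered data.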
