logstash-plugins · lucabelluccini · Oct 11, 2018 · Apr 13, 2022 · Apr 13, 2022
diff --git a/docs/index.asciidoc b/docs/index.asciidoc
@@ -56,6 +56,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 |=======================================================================
 |Setting |Input type|Required
 | <<plugins-{type}s-{plugin}-base64encode>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-base64url>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-concatenate_sources>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-concatenate_all_fields>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ecs_compatibility>> | <<string,string>>|No
@@ -79,6 +80,15 @@ filter plugins.
 When set to `true`, the `SHA1`, `SHA256`, `SHA384`, `SHA512` and `MD5` fingerprint methods will produce
 base64 encoded rather than hex encoded strings.
 
+[id="plugins-{type}s-{plugin}-base64url"]
+===== `base64url` 
+
+  * Value type is <<boolean,boolean>>
+  * Default value is `false`
+
+Requires `base64encode` to be set to `true`.
+When set to `true`, the base64url variant will be used, as described in [RFC4648 section 5](https://tools.ietf.org/html/rfc4648#section-5).
+
 [id="plugins-{type}s-{plugin}-concatenate_sources"]
 ===== `concatenate_sources` 
 

diff --git a/lib/logstash/filters/fingerprint.rb b/lib/logstash/filters/fingerprint.rb
@@ -44,6 +44,10 @@ class LogStash::Filters::Fingerprint < LogStash::Filters::Base
   # base64 encoded rather than hex encoded strings.
   config :base64encode, :validate => :boolean, :default => false
 
+  # When set to `true`, the base64url encoder https://tools.ietf.org/html/rfc4648 is used.
+  # Requires `base64encode` to be enabled.
+  config :base64url, :validate => :boolean, :default => false
+
   # The fingerprint method to use.
   #
   # If set to `SHA1`, `SHA256`, `SHA384`, `SHA512`, or `MD5` and a key is set,
@@ -193,8 +197,12 @@ def fingerprint_openssl(data)
       end
     else
       if @base64encode
-        hash = OpenSSL::HMAC.digest(digest, @key, data.to_s)
-        Base64.strict_encode64(hash).force_encoding(Encoding::UTF_8)
+        hash = OpenSSL::HMAC.digest(@digest, @key, data.to_s)
+        if @base64url
+          Base64.urlsafe_encode64(hash).force_encoding(Encoding::UTF_8)
+        else 
+          Base64.strict_encode64(hash).force_encoding(Encoding::UTF_8)
+        end
       else
         OpenSSL::HMAC.hexdigest(digest, @key, data.to_s).force_encoding(Encoding::UTF_8)
       end

diff --git a/spec/filters/fingerprint_spec.rb b/spec/filters/fingerprint_spec.rb
@@ -93,10 +93,16 @@
             it "fingerprints the value" do
               expect(fingerprint).to eq("NFvsPv8kLVO1aJFsJhCz45PYhda5bWQ/OElP10v0qco=")
             end
+            context "and base64url encoding" do
+              let(:config) { super().merge("base64url" => true) }
+              it "fingerprints the value" do
+                expect(fingerprint).to eq("MzQ1YmVjM2VmZjI0MmQ1M2I1Njg5MTZjMjYxMGIzZTM5M2Q4ODVkNmI5NmQ2NDNmMzg0OTRmZDc0YmY0YTljYQ==")
+              end
+            end
           end
         end
-      end
-
+      end    
+      
       context "the SHA384 algorithm" do
         let(:fingerprint_method) { "SHA384" }
         it "fingerprints the value" do