Support both, encoded and non encoded api-key formats on plugin configuration

alexcams · alexcams · commit 957b22bd23fe · 2025-09-17T12:58:29.000+02:00
diff --git a/lib/logstash/filters/elasticsearch/client.rb b/lib/logstash/filters/elasticsearch/client.rb
@@ -101,12 +101,20 @@ def setup_basic_auth(user, password)
       end
 
       def setup_api_key(api_key)
-        return {} unless (api_key && api_key.value)
+        return {} unless (api_key&.value)
 
-        token = ::Base64.strict_encode64(api_key.value)
+        token = is_base64?(api_key.value) ?  api_key.value : Base64.strict_encode64(api_key.value)
         { 'Authorization' => "ApiKey #{token}" }
       end
 
+      def is_base64?(string)
+        begin
+          string == Base64.strict_encode64(Base64.strict_decode64(string))
+        rescue ArgumentError
+          false
+        end
+      end
+
       def get_transport_client_class
         # LS-core includes `elasticsearch` gem. The gem is composed of two separate gems: `elasticsearch-api` and `elasticsearch-transport`
         # And now `elasticsearch-transport` is old, instead we have `elastic-transport`.
diff --git a/spec/filters/elasticsearch_spec.rb b/spec/filters/elasticsearch_spec.rb
@@ -324,14 +324,26 @@ def wait_receive_request
       end
 
       context "with ssl" do
-        let(:config) { super().merge({ 'api_key' => LogStash::Util::Password.new('foo:bar'), "ssl_enabled" => true }) }
+        let(:config) { super().merge("ssl_enabled" => true) }
+        encoded_api_key = Base64.strict_encode64('foo:bar')
 
-        it "should set authorization" do
-          plugin.register
-          client = plugin.send(:get_client).client
-          auth_header = extract_transport(client).options[:transport_options][:headers]['Authorization']
+        scenarios = {
+          'with non-encoded api-key' => LogStash::Util::Password.new('foo:bar'),
+          'with encoded api-key' => LogStash::Util::Password.new(encoded_api_key)
+        }
+
+        scenarios.each do |description, api_key_value|
+          context description do
+            let(:config) { super().merge('api_key' => api_key_value) }
 
-          expect( auth_header ).to eql "ApiKey #{Base64.strict_encode64('foo:bar')}"
+            it "should set authorization" do
+              plugin.register
+              client= plugin.send(:get_client).client
+              auth_header = extract_transport(client).options[:transport_options][:headers]['Authorization']
+
+              expect(auth_header).to eql "ApiKey #{encoded_api_key}"
+            end
+          end
         end
 
         context 'user also set' do
