asherah 0.1.0-arm64-darwin

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 742b45d250933b646d0172e1d4d3698f3dc15181f9a3e1252cd5f313fa4edb78
+  data.tar.gz: fd68e8f537dadf928ceea6116d624e507ee12be270bec5ad65c0a8d6906a6678
+SHA512:
+  metadata.gz: fa1732012bfa0c92e3a8586ca515124e9c928666b2ff30e82e30d3820b79c43a9351252cf3ab4dac0b64653a254129bad780485130194c27d31f3781f2683df6
+  data.tar.gz: ad68d90cac690279804a826cc8c48ec238bda64573d00db6b218cf9a00e6080d279a955c29aa62a28c459081b9f19a38f2127b7935e76418c5a02bee8a39a6cd

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,33 @@
+AllCops:
+  TargetRubyVersion: 2.5
+  NewCops: enable
+  SuggestExtensions: false
+  Exclude:
+    - 'vendor/**/*' # Github Actions
+
+Layout/LineLength:
+  Max: 120
+
+Metrics/BlockLength:
+  Enabled: false
+
+Metrics/MethodLength:
+  Enabled: false
+
+Style/WordArray:
+  Enabled: false
+
+Style/SymbolArray:
+  Enabled: false
+
+Style/MultilineBlockChain:
+  Enabled: false
+
+Style/BlockDelimiters:
+  Enabled: false
+
+Metrics/AbcSize:
+  Enabled: false
+
+Style/GuardClause:
+  Enabled: false

data/.ruby-version

@@ -0,0 +1 @@
+3.1.0

data/CHANGELOG.md

@@ -0,0 +1,18 @@
+## [Unreleased]
+
+## [0.1.0] - 2022-03-14
+
+- First official release
+
+## [0.1.0.beta2] - 2022-03-14
+
+- Add smoke tests for native gems
+- Change to use `SetupJson` instead of `Setup`
+- Update config options to make them consistent with Asherah Go
+- Add `shutdown`
+- Add `encrypt_to_json` and `decrypt_from_json`
+- Add coverage report
+
+## [0.1.0.beta1] - 2022-03-07
+
+- Initial proof of concept

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,77 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+  advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies within all project spaces, and it also applies when
+an individual is representing the project or its community in public spaces.
+Examples of representing a project or community include using an official
+project e-mail address, posting via an official social media account, or acting
+as an appointed representative at an online or offline event. Representation of
+a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at oss@godaddy.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq
+

data/CONTRIBUTING.md

@@ -0,0 +1,128 @@
+# Contributing
+
+Everyone is welcome to contribute to GoDaddy's Open Source Software.
+Contributing doesn’t just mean submitting pull requests. To get involved,
+you can report or triage bugs, and participate in discussions on the
+evolution of each project.
+
+No matter how you want to get involved, we ask that you first learn what’s
+expected of anyone who participates in the project by reading the Contribution
+Guidelines and our [Code of Conduct][coc].
+
+**Please Note:** GitHub is for bug reports and contributions primarily -
+if you have a support question head over to [GoDaddy's Open Source
+Software Slack channel][slack]. You can request an invite
+[here][invite].
+
+## Answering Questions
+
+One of the most important and immediate ways you can support this project is
+to answer questions on [Slack][slack] or [Github][issues]. Whether you’re
+helping a newcomer understand a feature or troubleshooting an edge case with a
+seasoned developer, your knowledge and experience with a programming language
+can go a long way to help others.
+
+## Reporting Bugs
+
+**Do not report potential security vulnerabilities here. Refer to
+[SECURITY.md](./SECURITY.md) for more details about the process of reporting
+security vulnerabilities.**
+
+Before submitting a ticket, please search our [Issue Tracker][issues] to make
+sure it does not already exist and have a simple replication of the behavior. If
+the issue is isolated to one of the dependencies of this project, please create
+a Github issue in that project. All dependencies should be open source software
+and can be found on Github.
+
+Submit a ticket for your issue, assuming one does not already exist:
+
+- Create it on the project's [issue Tracker][issues].
+- Clearly describe the issue by following the template layout
+  - Make sure to include steps to reproduce the bug.
+  - A reproducible (unit) test could be helpful in solving the bug.
+  - Describe the environment that (re)produced the problem.
+
+## Triaging bugs or contributing code
+
+If you're triaging a bug, first make sure that you can reproduce it. Once a bug
+can be reproduced, reduce it to the smallest amount of code possible. Reasoning
+about a sample or unit test that reproduces a bug in just a few lines of code
+is easier than reasoning about a longer sample.
+
+From a practical perspective, contributions are as simple as:
+
+1. Fork and clone the repo, [see Github's instructions if you need help.][fork]
+1. Create a branch for your PR with `git checkout -b pr/your-branch-name`
+1. Make changes on the branch of your forked repository.
+1. When committing, reference your issue (if present) and include a note about
+  the fix.
+1. Please also add/update unit tests for your changes.
+1. Push the changes to your fork and submit a pull request to the 'main
+   development branch' branch of the projects' repository.
+
+If you are interested in making a large change and feel unsure about its overall
+effect, start with opening an Issue in the project's [Issue Tracker][issues]
+with a high-level proposal and discuss it with the core contributors through
+Github comments or in [Slack][slack]. After reaching a consensus with core
+contributors about the change, discuss the best way to go about implementing it.
+
+> Tip: Keep your main branch pointing at the original repository and make
+> pull requests from branches on your fork. To do this, run:
+>
+>   ```sh
+> git remote add upstream https://github.com/godaddy/asherah-ruby.git
+> git fetch upstream
+> git branch --set-upstream-to=upstream/main main
+>   ```
+>
+> This will add the original repository as a "remote" called "upstream," Then
+> fetch the git information from that remote, then set your local main
+> branch to use the upstream main branch whenever you run git pull. Then you
+> can make all of your pull request branches based on this main branch.
+> Whenever you want to update your version of main, do a regular git pull.
+
+## Code Review
+
+Any open source project relies heavily on code review to improve software
+quality. All significant changes, by all developers, must be reviewed before
+they are committed to the repository. Code reviews are conducted on GitHub
+through comments on pull requests or commits. The developer responsible for a
+code change is also responsible for making all necessary review-related changes.
+
+Sometimes code reviews will take longer than you would hope for, especially for
+larger features. Here are some accepted ways to speed up review times for your
+patches:
+
+- Review other people’s changes. If you help out, others will more likely be
+willing to do the same for you.
+- Split your change into multiple smaller changes. The smaller your change,
+the higher the probability that somebody will take a quick look at it.
+- Mention the change on [Slack][slack]. If it is urgent, provide reasons why it
+is important to get this change landed. Remember that you are asking for valuable
+time from other professional developers.
+
+**Note that anyone is welcome to review and give feedback on a change, but only
+people with commit access to the repository can approve it.**
+
+## Attribution of Changes
+
+When contributors submit a change to this project, after that change is
+approved, other developers with commit access may commit it for the author. When
+doing so, it is important to retain correct attribution of the contribution.
+Generally speaking, Git handles attribution automatically.
+
+## Code Style and Documentation
+
+Ensure that your contribution follows the standards set by the project's style
+guide with respect to patterns, naming, documentation and testing.
+
+# Additional Resources
+
+- [General GitHub Documentation](https://help.github.com/)
+- [GitHub Pull Request documentation](https://help.github.com/send-pull-requests/)
+
+[issues]: https://github.com/godaddy/asherah-ruby/issues/
+[coc]: ./CODE_OF_CONDUCT.md
+[slack]: https://godaddy-oss.slack.com/
+[fork]: https://help.github.com/en/articles/fork-a-repo
+[invite]: https://godaddy-oss-slack.herokuapp.com

data/Gemfile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in asherah.gemspec
+gemspec
+
+gem 'rake', '~> 13.0'

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2022 GoDaddy Operating Company, LLC.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,83 @@
+# Asherah
+
+Asherah is a Ruby wrapper around [Asherah Go](https://github.com/godaddy/asherah) application-layer encryption SDK that provides advanced encryption features and defense in depth against compromise. It uses a technique known as "envelope encryption" and supports cloud-agnostic data storage and key management.
+
+Check out the following documentation to get more familiar with its concepts:
+
+- [Design and Architecture](https://github.com/godaddy/asherah/blob/master/docs/DesignAndArchitecture.md)
+- [Key Caching](https://github.com/godaddy/asherah/blob/master/docs/KeyCaching.md)
+- [Key Management Service](https://github.com/godaddy/asherah/blob/master/docs/KeyManagementService.md)
+- [Metastore](https://github.com/godaddy/asherah/blob/master/docs/Metastore.md)
+- [System Requirements](https://github.com/godaddy/asherah/blob/master/docs/SystemRequirements.md)
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'asherah'
+```
+
+```bash
+bundle install
+```
+
+Or install it yourself as:
+
+```bash
+gem install asherah
+```
+
+## Usage
+
+Configure Asherah:
+
+```ruby
+Asherah.configure do |config|
+  config.kms_type = 'static'
+  config.metastore = 'memory'
+  config.service_name = 'gem'
+  config.product_id = 'sable'
+end
+```
+
+Encrypt some data for a `partition_id`
+
+```ruby
+partition_id = 'user_1'
+data = 'Some PII data'
+data_row_record = Asherah.encrypt(partition_id, data)
+p data_row_record
+```
+
+Decrypt `data_row_record`
+
+```ruby
+decrypted_data = Asherah.decrypt(partition_id, data_row_record)
+p decrypted_data
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/godaddy/asherah-ruby.
+
+## Releasing new gem version
+
+```
+# Create and push a version tag
+git tag -a v$(rake version) -m "Version $(rake version)"
+git push origin v$(rake version)
+
+# Create a release in Github to trigger .github/workflows/publish.yml workflow
+echo "Version $(rake version)"
+```
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](LICENSE.txt).

data/Rakefile

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'rubygems/package'
+require 'open-uri'
+
+RSpec::Core::RakeTask.new(:spec)
+
+require 'rubocop/rake_task'
+
+RuboCop::RakeTask.new
+
+task default: %i[spec rubocop]
+
+DISTRIBUTIONS = {
+  'x86_64-linux' => ['libasherah-x64.so'],
+  'x86_64-darwin' => ['libasherah-x64.dylib'],
+  'aarch64-linux' => ['libasherah-arm64.so'],
+  'arm64-darwin' => ['libasherah-arm64.dylib']
+}.freeze
+
+def native_build(platform, native_files)
+  puts "Building gem for #{platform}"
+
+  pkg_dir = File.join(__dir__, 'pkg')
+  FileUtils.mkdir_p(pkg_dir)
+
+  tmp_gem_dir = File.join(__dir__, 'tmp', platform)
+  FileUtils.rm_rf(tmp_gem_dir, verbose: true)
+  FileUtils.mkdir_p(tmp_gem_dir, verbose: true)
+
+  # Copy files to tmp gem dir
+  gemspec = Bundler.load_gemspec('asherah.gemspec')
+  gemspec.files.each do |file|
+    dir = File.dirname(file)
+    filename = File.basename(file)
+    FileUtils.mkdir_p(File.join(tmp_gem_dir, dir))
+    FileUtils.copy_file(file, File.join(tmp_gem_dir, dir, filename))
+  end
+
+  # Set platform for native gem build and remove extentions
+  gemspec.platform = Gem::Platform.new(platform)
+
+  native_dir = 'lib/asherah/native'
+  FileUtils.cd(tmp_gem_dir, verbose: true) do
+    FileUtils.mkdir_p(native_dir)
+    native_files.each do |native_file|
+      native_file_path = File.join(native_dir, native_file)
+      gemspec.files << native_file_path
+
+      File.open(native_file_path, 'wb') do |file|
+        url = "https://github.com/godaddy/asherah-cobhan/releases/download/current/#{native_file}"
+        puts "Downloading #{url}"
+        file << URI.parse(url).open.read
+      end
+    end
+
+    package = Gem::Package.build gemspec
+    FileUtils.mv package, File.join(pkg_dir, package)
+  end
+end
+
+namespace :native do
+  desc 'Build all native gems'
+  task :build do
+    DISTRIBUTIONS.each do |platform, native_files|
+      native_build(platform, native_files)
+    end
+  end
+
+  namespace :build do
+    DISTRIBUTIONS.each do |platform, native_files|
+      desc "Build native gem for #{platform}"
+      task :"#{platform}" do
+        native_build(platform, native_files)
+      end
+    end
+  end
+
+  namespace :smoke do
+    require 'cobhan'
+
+    filename = Class.new.extend(Cobhan).library_file_name('libasherah')
+    platform, _files = DISTRIBUTIONS.detect { |_k, v| v.include?(filename) }
+
+    desc "Smoke test native gem on #{platform} platform"
+    task "#{platform}": :"build:#{platform}" do
+      gemspec = Bundler.load_gemspec('asherah.gemspec')
+      gemspec.platform = Gem::Platform.new(platform)
+
+      sh("gem install pkg/#{gemspec.file_name}")
+      sh('ruby spec/smoke_test.rb')
+    end
+  end
+end
+
+task :version do
+  puts Asherah::VERSION
+end

data/SECURITY.md

@@ -0,0 +1,19 @@
+# Reporting Security Issues
+
+We take security very seriously at GoDaddy. We appreciate your efforts to
+responsibly disclose your findings, and will make every effort to acknowledge
+your contributions.
+
+## Where should I report security issues?
+
+In order to give the community time to respond and upgrade, we strongly urge you
+report all security issues privately.
+
+To report a security issue in one of our Open Source projects email us directly
+at **oss@godaddy.com** and include the word "SECURITY" in the subject line.
+
+This mail is delivered to our Open Source Security team.
+
+After the initial reply to your report, the team will keep you informed of the
+progress being made towards a fix and announcement, and may ask for additional
+information or guidance.

data/asherah.gemspec

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require_relative 'lib/asherah/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'asherah'
+  spec.version = Asherah::VERSION
+  spec.authors = ['GoDaddy']
+  spec.email = ['oss@godaddy.com']
+
+  spec.summary = 'Application Layer Encryption SDK'
+  spec.description = <<~DESCRIPTION
+    Asherah is an application-layer encryption SDK that provides advanced
+    encryption features and defense in depth against compromise.
+  DESCRIPTION
+
+  spec.homepage = 'https://github.com/godaddy/asherah-ruby'
+  spec.license = 'MIT'
+  spec.required_ruby_version = '>= 2.5.0'
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = 'https://github.com/godaddy/asherah-ruby'
+  spec.metadata['changelog_uri'] = 'https://github.com/godaddy/asherah-ruby/blob/main/CHANGELOG.md'
+  spec.metadata['rubygems_mfa_required'] = 'true'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (f == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
+    end
+  end
+  spec.bindir = 'exe'
+  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'cobhan', '~> 0.1.3'
+  spec.add_development_dependency 'dotenv', '~> 2.7.6'
+  spec.add_development_dependency 'rspec', '~> 3.10.0'
+  spec.add_development_dependency 'rubocop', '~> 1.7'
+  spec.add_development_dependency 'simplecov', '~> 0.21.2'
+  spec.add_development_dependency 'simplecov-console', '~> 0.9.1'
+end

data/lib/asherah/config.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module Asherah
+  # @attr [String] service_name, The name of this service
+  # @attr [String] product_id, The name of the product that owns this service
+  # @attr [String] kms, The master key management service (static or aws)
+  # @attr [String] metastore, The type of metastore for persisting keys (rdbms, dynamodb, memory)
+  # @attr [String] connection_string, The database connection string (required when metastore is rdbms)
+  # @attr [String] replica_read_consistency, For Aurora sessions using write forwarding (eventual, global, session)
+  # @attr [String] dynamo_db_endpoint, An optional endpoint URL (for dynamodb metastore)
+  # @attr [String] dynamo_db_region, The AWS region for DynamoDB requests (for dynamodb metastore)
+  # @attr [String] dynamo_db_table_name, The table name for DynamoDB (for dynamodb metastore)
+  # @attr [Boolean] enable_region_suffix, Configure the metastore to use regional suffixes (for dynamodb metastore)
+  # @attr [String] region_map, List of key-value pairs in the form of REGION1=ARN1[,REGION2=ARN2] (required for aws kms)
+  # @attr [String] preferred_region, The preferred AWS region (required for aws kms)
+  # @attr [Integer] session_cache_max_size, The maximum number of sessions to cache
+  # @attr [Integer] session_cache_duration, The amount of time in seconds a session will remain cached
+  # @attr [Integer] expire_after, The amount of time in seconds a key is considered valid
+  # @attr [Integer] check_interval, The amount of time in seconds before cached keys are considered stale
+  # @attr [Boolean] enable_session_caching, Enable shared session caching
+  # @attr [Boolean] verbose, Enable verbose logging output
+  class Config
+    MAPPING = {
+      service_name: :ServiceName,
+      product_id: :ProductID,
+      kms: :KMS,
+      metastore: :Metastore,
+      connection_string: :ConnectionString,
+      replica_read_consistency: :ReplicaReadConsistency,
+      dynamo_db_endpoint: :DynamoDBEndpoint,
+      dynamo_db_region: :DynamoDBRegion,
+      dynamo_db_table_name: :DynamoDBTableName,
+      enable_region_suffix: :EnableRegionSuffix,
+      region_map: :RegionMap,
+      preferred_region: :PreferredRegion,
+      session_cache_max_size: :SessionCacheMaxSize,
+      session_cache_duration: :SessionCacheDuration,
+      enable_session_caching: :EnableSessionCaching,
+      expire_after: :ExpireAfter,
+      check_interval: :CheckInterval,
+      verbose: :Verbose
+    }.freeze
+
+    KMS_TYPES = ['static', 'aws'].freeze
+    METASTORE_TYPES = ['rdbms', 'dynamodb', 'memory'].freeze
+
+    attr_accessor(*MAPPING.keys)
+
+    def validate!
+      validate_service_name
+      validate_product_id
+      validate_kms
+      validate_metastore
+      validate_kms_attributes
+    end
+
+    def to_json(*args)
+      config = {}.tap do |c|
+        MAPPING.each_pair do |our_key, their_key|
+          value = public_send(our_key)
+          c[their_key] = value unless value.nil?
+        end
+      end
+
+      JSON.generate(config, *args)
+    end
+
+    private
+
+    def validate_service_name
+      raise Error::ConfigError, 'config.service_name not set' if service_name.nil?
+    end
+
+    def validate_product_id
+      raise Error::ConfigError, 'config.product_id not set' if product_id.nil?
+    end
+
+    def validate_kms
+      raise Error::ConfigError, 'config.kms not set' if kms.nil?
+      unless KMS_TYPES.include?(kms)
+        raise Error::ConfigError, "config.kms must be one of these: #{KMS_TYPES.join(', ')}"
+      end
+    end
+
+    def validate_metastore
+      raise Error::ConfigError, 'config.metastore not set' if metastore.nil?
+      unless METASTORE_TYPES.include?(metastore)
+        raise Error::ConfigError, "config.metastore must be one of these: #{METASTORE_TYPES.join(', ')}"
+      end
+    end
+
+    def validate_kms_attributes
+      if kms == 'aws'
+        raise Error::ConfigError, 'config.region_map not set' if region_map.nil?
+        raise Error::ConfigError, 'config.region_map must be a Hash' unless region_map.is_a?(Hash)
+        raise Error::ConfigError, 'config.preferred_region not set' if preferred_region.nil?
+      end
+    end
+  end
+end

data/lib/asherah/data_row_record.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Asherah
+  # DataRowRecord contains the encrypted key and data, as well as the information
+  # required to decrypt the key encryption key. This object data should be stored
+  # in your data persistence as it's required to decrypt data.
+  class DataRowRecord
+    attr_reader :data, :key
+
+    # Initializes a new DataRowRecord
+    #
+    # @param data [String]
+    # @param key [EnvelopeKeyRecord]
+    # @return DataRowRecord
+    def initialize(data:, key:)
+      @data = data
+      @key = key
+    end
+  end
+end

data/lib/asherah/envelope_key_record.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Asherah
+  # EnvelopeKeyRecord represents an encrypted key and is the data structure used
+  # to persist the key in the key table. It also contains the meta data
+  # of the key used to encrypt it.
+  class EnvelopeKeyRecord
+    attr_reader :encrypted_key, :created, :parent_key_meta
+
+    # Initializes a new EnvelopeKeyRecord
+    #
+    # @param encrypted_key [String]
+    # @param created [Integer]
+    # @param parent_key_meta [KeyMeta]
+    # @return EnvelopeKeyRecord
+    def initialize(encrypted_key:, created:, parent_key_meta:)
+      @encrypted_key = encrypted_key
+      @created = created
+      @parent_key_meta = parent_key_meta
+    end
+  end
+end

data/lib/asherah/error.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Asherah
+  # Asherah Error converts the error code to error message
+  module Error
+    ConfigError = Class.new(StandardError)
+    NotInitialized = Class.new(StandardError)
+    AlreadyInitialized = Class.new(StandardError)
+    GetSessionFailed = Class.new(StandardError)
+    EncryptFailed = Class.new(StandardError)
+    DecryptFailed = Class.new(StandardError)
+
+    CODES = {
+      -100 => NotInitialized,
+      -101 => AlreadyInitialized,
+      -102 => GetSessionFailed,
+      -103 => EncryptFailed,
+      -104 => DecryptFailed
+    }.freeze
+
+    def self.check_result!(result, message)
+      return unless result.negative?
+
+      error_class = Error::CODES.fetch(result, StandardError)
+      raise error_class, message
+    end
+  end
+end

data/lib/asherah/key_meta.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Asherah
+  # KeyMeta contains the `id` and `created` timestamp for an encryption key.
+  class KeyMeta
+    attr_reader :id, :created
+
+    # Initializes a new KeyMeta
+    #
+    # @param id [String]
+    # @param created [Integer]
+    # @return KeyMeta
+    def initialize(id:, created:)
+      @id = id
+      @created = created
+    end
+  end
+end

data/lib/asherah/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Asherah
+  VERSION = '0.1.0'
+end

data/lib/asherah.rb

@@ -0,0 +1,147 @@
+# frozen_string_literal: true
+
+require_relative 'asherah/version'
+require 'asherah/config'
+require 'asherah/error'
+require 'asherah/key_meta'
+require 'asherah/data_row_record'
+require 'asherah/envelope_key_record'
+require 'cobhan'
+
+# Asherah is a Ruby wrapper around Asherah Go application-layer encryption SDK.
+module Asherah
+  extend Cobhan
+
+  LIB_ROOT_PATH = File.expand_path('asherah/native', __dir__)
+  load_library(LIB_ROOT_PATH, 'libasherah', [
+    [:SetupJson, [:pointer], :int32],
+    [:Encrypt, [:pointer, :pointer, :pointer, :pointer, :pointer, :pointer, :pointer], :int32],
+    [:Decrypt, [:pointer, :pointer, :pointer, :int64, :pointer, :int64, :pointer], :int32],
+    [:EncryptToJson, [:pointer, :pointer, :pointer], :int32],
+    [:DecryptFromJson, [:pointer, :pointer, :pointer], :int32],
+    [:Shutdown, [], :void]
+  ].freeze)
+
+  class << self
+    # Configures Asherah
+    #
+    # @yield [Config]
+    # @return [void]
+    def configure
+      config = Config.new
+      yield config
+      config.validate!
+
+      config_buffer = string_to_cbuffer(config.to_json)
+
+      result = SetupJson(config_buffer)
+      Error.check_result!(result, 'SetupJson failed')
+    end
+
+    # Encrypts data for a given partition_id and returns DataRowRecord
+    #
+    # @param partition_id [String]
+    # @param data [String]
+    # @return [DataRowRecord]
+    def encrypt(partition_id, data)
+      partition_id_buffer = string_to_cbuffer(partition_id)
+      data_buffer = string_to_cbuffer(data)
+      output_encrypted_data_buffer = allocate_cbuffer(data.length + 256)
+      output_encrypted_key_buffer = allocate_cbuffer(256)
+      output_created_buffer = int_to_buffer(0)
+      output_parent_key_id_buffer = allocate_cbuffer(256)
+      output_parent_key_created_buffer = int_to_buffer(0)
+
+      result = Encrypt(
+        partition_id_buffer,
+        data_buffer,
+        output_encrypted_data_buffer,
+        output_encrypted_key_buffer,
+        output_created_buffer,
+        output_parent_key_id_buffer,
+        output_parent_key_created_buffer
+      )
+      Error.check_result!(result, 'Encrypt failed')
+
+      parent_key_meta = KeyMeta.new(
+        id: cbuffer_to_string(output_parent_key_id_buffer),
+        created: buffer_to_int(output_parent_key_created_buffer)
+      )
+      envelope_key_record = EnvelopeKeyRecord.new(
+        encrypted_key: cbuffer_to_string(output_encrypted_key_buffer),
+        created: buffer_to_int(output_created_buffer),
+        parent_key_meta: parent_key_meta
+      )
+
+      DataRowRecord.new(
+        data: cbuffer_to_string(output_encrypted_data_buffer),
+        key: envelope_key_record
+      )
+    end
+
+    # Decrypts a data_row_record for a partition_id and returns decrypted data
+    #
+    # @param partition_id [String]
+    # @param data_row_record [DataRowRecord]
+    # @return [String], Decrypted data
+    def decrypt(partition_id, data_row_record)
+      partition_id_buffer = string_to_cbuffer(partition_id)
+      encrypted_data_buffer = string_to_cbuffer(data_row_record.data)
+      encrypted_key_buffer = string_to_cbuffer(data_row_record.key.encrypted_key)
+      created = data_row_record.key.created
+      parent_key_id_buffer = string_to_cbuffer(data_row_record.key.parent_key_meta.id)
+      parent_key_created = data_row_record.key.parent_key_meta.created
+
+      output_data_buffer = allocate_cbuffer(encrypted_data_buffer.size + 256)
+
+      result = Decrypt(
+        partition_id_buffer,
+        encrypted_data_buffer,
+        encrypted_key_buffer,
+        created,
+        parent_key_id_buffer,
+        parent_key_created,
+        output_data_buffer
+      )
+      Error.check_result!(result, 'Decrypt failed')
+
+      cbuffer_to_string(output_data_buffer)
+    end
+
+    def shutdown
+      Shutdown()
+    end
+
+    # Encrypts data for a given partition_id and returns DataRowRecord in JSON format
+    #
+    # @param partition_id [String]
+    # @param data [String]
+    # @return [String], DataRowRecord in JSON format
+    def encrypt_to_json(partition_id, data)
+      partition_id_buffer = string_to_cbuffer(partition_id)
+      data_buffer = string_to_cbuffer(data)
+      output_buffer = allocate_cbuffer(data.length + 256)
+
+      result = EncryptToJson(partition_id_buffer, data_buffer, output_buffer)
+      Error.check_result!(result, 'EncryptToJson failed')
+
+      cbuffer_to_string(output_buffer)
+    end
+
+    # Decrypts a DataRowRecord in JSON format for a partition_id and returns decrypted data
+    #
+    # @param partition_id [String]
+    # @param json [String], DataRowRecord in JSON format
+    # @return [String], Decrypted data
+    def decrypt_from_json(partition_id, json)
+      partition_id_buffer = string_to_cbuffer(partition_id)
+      data_buffer = string_to_cbuffer(json)
+      output_buffer = allocate_cbuffer(json.length + 256)
+
+      result = DecryptFromJson(partition_id_buffer, data_buffer, output_buffer)
+      Error.check_result!(result, 'DecryptFromJson failed')
+
+      cbuffer_to_string(output_buffer)
+    end
+  end
+end

metadata

@@ -0,0 +1,153 @@
+--- !ruby/object:Gem::Specification
+name: asherah
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: arm64-darwin
+authors:
+- GoDaddy
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2022-03-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: cobhan
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.3
+- !ruby/object:Gem::Dependency
+  name: dotenv
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.7.6
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.7.6
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.10.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.10.0
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.21.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.21.2
+- !ruby/object:Gem::Dependency
+  name: simplecov-console
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+description: |
+  Asherah is an application-layer encryption SDK that provides advanced
+  encryption features and defense in depth against compromise.
+email:
+- oss@godaddy.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec"
+- ".rubocop.yml"
+- ".ruby-version"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- SECURITY.md
+- asherah.gemspec
+- lib/asherah.rb
+- lib/asherah/config.rb
+- lib/asherah/data_row_record.rb
+- lib/asherah/envelope_key_record.rb
+- lib/asherah/error.rb
+- lib/asherah/key_meta.rb
+- lib/asherah/native/libasherah-arm64.dylib
+- lib/asherah/version.rb
+homepage: https://github.com/godaddy/asherah-ruby
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/godaddy/asherah-ruby
+  source_code_uri: https://github.com/godaddy/asherah-ruby
+  changelog_uri: https://github.com/godaddy/asherah-ruby/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.7
+signing_key: 
+specification_version: 4
+summary: Application Layer Encryption SDK
+test_files: []