asherah 0.1.0.beta.1-aarch64-linux → 0.3.0-aarch64-linux

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 34d923ebd19903e064dbb021dc188b42a20e3ea26dfc387b8eebd27faecf8124
-  data.tar.gz: 9ef0178a5b6d440a40ce470097e73b4c88b286ed5ef5743b14438554da56ced2
+  metadata.gz: ef6d062e4ed676c66a72dba500d4376801b33199da28e69eb2e62f34dae62a40
+  data.tar.gz: 2909ca407f9d1954e68232122373baa30c3a33095d65b890d996061902bcc136
 SHA512:
-  metadata.gz: 2a66d75b94988ec99bae8c7f9563dbfa3be4ec811926758a51f878b584efe971986c1cb5ac37b42bd54724491d343541ac9da64686b64d09fd4500a193109093
-  data.tar.gz: b408f29b7332e26fdb42d38486048a66769f0ff0fa2972a11eabf9f68f59b367cf108f3430f8f73cb4a198f9e0333ae4f999cc9d4f4e7b81af022e4f5a725cb8
+  metadata.gz: 888f1d7c7534919bd79c70def643abd712e01b06808a78b4fc7017e0a0e0e841c267921635cf8beacf0bc7e99b986aa64e7258d2313728c02784c878d0cc5502
+  data.tar.gz: 18d76b1c06ed638fa06f15dbfbed49cca82c2ae19d31d0c5ff1968da854dce4b43b724cc267638e422c02db0b1692fd255deb360531418ac571e30b7a91a6d07

data/.rubocop.yml

@@ -4,6 +4,7 @@ AllCops:
   SuggestExtensions: false
   Exclude:
     - 'vendor/**/*' # Github Actions
+    - 'tmp/**/*'
 
 Layout/LineLength:
   Max: 120
@@ -26,14 +27,8 @@ Style/MultilineBlockChain:
 Style/BlockDelimiters:
   Enabled: false
 
-Style/HashAsLastArrayItem:
-  Enabled: false
-
 Metrics/AbcSize:
   Enabled: false
 
-Metrics/ParameterLists:
-  Enabled: false
-
-Metrics/ModuleLength:
+Style/GuardClause:
   Enabled: false

data/CHANGELOG.md

@@ -1,5 +1,32 @@
 ## [Unreleased]
 
-## [0.1.0] - 2022-03-02
+## [0.3.0] - 2022-03-22
 
-- Initial release
+- Free up cobhan buffers after encrypt/decrypt to prevent growing heap memory
+- Use local `estimate_buffer` calculation instead of FFI call
+- Upgrade to use asherah-cobhan v0.4.3
+
+## [0.2.0] - 2022-03-21
+
+- Implement versioning for asherah-cobhan binaries
+- Upgrade to use asherah-cobhan v0.3.1
+- Add BadConfig error and expose error codes
+- Remove DRR methods and use JSON exclusively
+- Cross language testing using Asherah Go
+
+## [0.1.0] - 2022-03-14
+
+- First official release
+
+## [0.1.0.beta2] - 2022-03-14
+
+- Add smoke tests for native gems
+- Change to use `SetupJson` instead of `Setup`
+- Update config options to make them consistent with Asherah Go
+- Add `shutdown`
+- Add `encrypt_to_json` and `decrypt_from_json`
+- Add coverage report
+
+## [0.1.0.beta1] - 2022-03-07
+
+- Initial proof of concept

data/Gemfile

@@ -7,6 +7,4 @@ gemspec
 
 gem 'rake', '~> 13.0'
 
-gem 'rspec', '~> 3.0'
-
-gem 'rubocop', '~> 1.21'
+gem 'cucumber', '~> 7.1.0'

data/README.md

@@ -1,8 +1,14 @@
 # Asherah
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/asherah`. To experiment with that code, run `bin/console` for an interactive prompt.
+Asherah is a Ruby wrapper around [Asherah Go](https://github.com/godaddy/asherah) application-layer encryption SDK that provides advanced encryption features and defense in depth against compromise. It uses a technique known as "envelope encryption" and supports cloud-agnostic data storage and key management.
 
-TODO: Delete this and the text above, and describe your gem
+Check out the following documentation to get more familiar with its concepts:
+
+- [Design and Architecture](https://github.com/godaddy/asherah/blob/master/docs/DesignAndArchitecture.md)
+- [Key Caching](https://github.com/godaddy/asherah/blob/master/docs/KeyCaching.md)
+- [Key Management Service](https://github.com/godaddy/asherah/blob/master/docs/KeyManagementService.md)
+- [Metastore](https://github.com/godaddy/asherah/blob/master/docs/Metastore.md)
+- [System Requirements](https://github.com/godaddy/asherah/blob/master/docs/SystemRequirements.md)
 
 ## Installation
 
@@ -12,17 +18,44 @@ Add this line to your application's Gemfile:
 gem 'asherah'
 ```
 
-And then execute:
-
-    $ bundle install
+```bash
+bundle install
+```
 
 Or install it yourself as:
 
-    $ gem install asherah
+```bash
+gem install asherah
+```
 
 ## Usage
 
-TODO: Write usage instructions here
+Configure Asherah:
+
+```ruby
+Asherah.configure do |config|
+  config.kms = 'static'
+  config.metastore = 'memory'
+  config.service_name = 'service'
+  config.product_id = 'product'
+end
+```
+
+Encrypt some data for a `partition_id`
+
+```ruby
+partition_id = 'user_1'
+data = 'Some PII data'
+data_row_record_json = Asherah.encrypt(partition_id, data)
+puts data_row_record_json
+```
+
+Decrypt `data_row_record_json`
+
+```ruby
+decrypted_data = Asherah.decrypt(partition_id, data_row_record_json)
+puts decrypted_data
+```
 
 ## Development
 
@@ -32,8 +65,19 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/asherah.
+Bug reports and pull requests are welcome on GitHub at https://github.com/godaddy/asherah-ruby.
+
+## Releasing new gem version
+
+```
+# Create and push a version tag
+git tag -a v$(rake version) -m "Version $(rake version)"
+git push origin v$(rake version)
+
+# Create a release in Github to trigger .github/workflows/publish.yml workflow
+echo "Version $(rake version)"
+```
 
 ## License
 
-The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+The gem is available as open source under the terms of the [MIT License](LICENSE.txt).

data/Rakefile

@@ -3,7 +3,6 @@
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 require 'rubygems/package'
-require "open-uri"
 
 RSpec::Core::RakeTask.new(:spec)
 
@@ -13,12 +12,26 @@ RuboCop::RakeTask.new
 
 task default: %i[spec rubocop]
 
+ASHERAH_BIN = 'bin/download-asherah.sh'
 DISTRIBUTIONS = {
   'x86_64-linux' => ['libasherah-x64.so'],
   'x86_64-darwin' => ['libasherah-x64.dylib'],
   'aarch64-linux' => ['libasherah-arm64.so'],
   'arm64-darwin' => ['libasherah-arm64.dylib']
-}
+}.freeze
+
+def current_filename
+  @current_filename ||=
+    begin
+      require 'cobhan'
+      Class.new.extend(Cobhan).library_file_name('libasherah')
+    end
+end
+
+def current_platform
+  @distribution ||= DISTRIBUTIONS.detect { |_k, v| v.include?(current_filename) }
+  @distribution.first
+end
 
 def native_build(platform, native_files)
   puts "Building gem for #{platform}"
@@ -32,14 +45,14 @@ def native_build(platform, native_files)
 
   # Copy files to tmp gem dir
   gemspec = Bundler.load_gemspec('asherah.gemspec')
-  gemspec.files.each do |file|
+  (gemspec.files + [ASHERAH_BIN]).each do |file|
     dir = File.dirname(file)
     filename = File.basename(file)
     FileUtils.mkdir_p(File.join(tmp_gem_dir, dir))
     FileUtils.copy_file(file, File.join(tmp_gem_dir, dir, filename))
   end
 
-  # Set platform for native gem build and remove extentions
+  # Set platform for native gem build
   gemspec.platform = Gem::Platform.new(platform)
 
   native_dir = 'lib/asherah/native'
@@ -47,30 +60,29 @@ def native_build(platform, native_files)
     FileUtils.mkdir_p(native_dir)
     native_files.each do |native_file|
       native_file_path = File.join(native_dir, native_file)
-      gemspec.files << native_file_path
 
-      URI.open(native_file_path, 'wb') do |file|
-        url = "https://github.com/godaddy/asherah-cobhan/releases/download/current/#{native_file}"
-        puts "Downloading #{url}"
-        file << URI.open(url).read
-      end
+      # Download native file
+      download_asherah_path = File.join(tmp_gem_dir, ASHERAH_BIN)
+      system("#{download_asherah_path} #{native_file}")
+
+      # Add native file in gemspec
+      gemspec.files << native_file_path
     end
 
-    package = Gem::Package.build gemspec
+    package = Gem::Package.build(gemspec)
     FileUtils.mv package, File.join(pkg_dir, package)
   end
 end
 
-
 namespace :native do
-  namespace :build do
-    desc "Build all native gems"
-    task :all do
-      DISTRIBUTIONS.each do |platform, native_files|
-        native_build(platform, native_files)
-      end
+  desc 'Build all native gems'
+  task :build do
+    DISTRIBUTIONS.each do |platform, native_files|
+      native_build(platform, native_files)
     end
+  end
 
+  namespace :build do
     DISTRIBUTIONS.each do |platform, native_files|
       desc "Build native gem for #{platform}"
       task :"#{platform}" do
@@ -79,19 +91,31 @@ namespace :native do
     end
   end
 
-  namespace :smoke do
-    require 'cobhan'
+  namespace :current do
+    desc 'Download asherah binary for current platform'
+    task :download do
+      download_asherah_path = File.join(__dir__, ASHERAH_BIN)
+      system("#{download_asherah_path} #{current_filename}")
+    end
 
-    filename = Class.new.extend(Cobhan).library_file_name('libasherah')
-    platform, _ = DISTRIBUTIONS.detect { |k, v| v.include?(filename) }
+    desc 'Build native gem for current platform'
+    task :build do
+      native_build(current_platform, DISTRIBUTIONS[current_platform])
+    end
 
-    desc "Smoke test native gem on #{platform} platform"
-    task :"#{platform}" => :"build:#{platform}" do
+    desc 'Smoke test native gem for current platform'
+    task smoke: :build do
+      platform = current_platform
       gemspec = Bundler.load_gemspec('asherah.gemspec')
       gemspec.platform = Gem::Platform.new(platform)
 
+      sh('gem uninstall asherah')
       sh("gem install pkg/#{gemspec.file_name}")
-      sh("ruby spec/smoke_test.rb")
+      sh('ruby spec/smoke_test.rb')
     end
   end
 end
+
+task :version do
+  puts Asherah::VERSION
+end

data/asherah.gemspec

@@ -34,5 +34,10 @@ Gem::Specification.new do |spec|
   spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'cobhan', '~> 0.1.2'
+  spec.add_dependency 'cobhan', '~> 0.2.0'
+  spec.add_development_dependency 'dotenv', '~> 2.7.6'
+  spec.add_development_dependency 'rspec', '~> 3.10.0'
+  spec.add_development_dependency 'rubocop', '~> 1.7'
+  spec.add_development_dependency 'simplecov', '~> 0.21.2'
+  spec.add_development_dependency 'simplecov-console', '~> 0.9.1'
 end

data/lib/asherah/config.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module Asherah
+  # @attr [String] service_name, The name of this service
+  # @attr [String] product_id, The name of the product that owns this service
+  # @attr [String] kms, The master key management service (static or aws)
+  # @attr [String] metastore, The type of metastore for persisting keys (rdbms, dynamodb, memory)
+  # @attr [String] connection_string, The database connection string (required when metastore is rdbms)
+  # @attr [String] replica_read_consistency, For Aurora sessions using write forwarding (eventual, global, session)
+  # @attr [String] dynamo_db_endpoint, An optional endpoint URL (for dynamodb metastore)
+  # @attr [String] dynamo_db_region, The AWS region for DynamoDB requests (for dynamodb metastore)
+  # @attr [String] dynamo_db_table_name, The table name for DynamoDB (for dynamodb metastore)
+  # @attr [Boolean] enable_region_suffix, Configure the metastore to use regional suffixes (for dynamodb metastore)
+  # @attr [String] region_map, List of key-value pairs in the form of REGION1=ARN1[,REGION2=ARN2] (required for aws kms)
+  # @attr [String] preferred_region, The preferred AWS region (required for aws kms)
+  # @attr [Integer] session_cache_max_size, The maximum number of sessions to cache
+  # @attr [Integer] session_cache_duration, The amount of time in seconds a session will remain cached
+  # @attr [Integer] expire_after, The amount of time in seconds a key is considered valid
+  # @attr [Integer] check_interval, The amount of time in seconds before cached keys are considered stale
+  # @attr [Boolean] enable_session_caching, Enable shared session caching
+  # @attr [Boolean] verbose, Enable verbose logging output
+  class Config
+    MAPPING = {
+      service_name: :ServiceName,
+      product_id: :ProductID,
+      kms: :KMS,
+      metastore: :Metastore,
+      connection_string: :ConnectionString,
+      replica_read_consistency: :ReplicaReadConsistency,
+      dynamo_db_endpoint: :DynamoDBEndpoint,
+      dynamo_db_region: :DynamoDBRegion,
+      dynamo_db_table_name: :DynamoDBTableName,
+      enable_region_suffix: :EnableRegionSuffix,
+      region_map: :RegionMap,
+      preferred_region: :PreferredRegion,
+      session_cache_max_size: :SessionCacheMaxSize,
+      session_cache_duration: :SessionCacheDuration,
+      enable_session_caching: :EnableSessionCaching,
+      expire_after: :ExpireAfter,
+      check_interval: :CheckInterval,
+      verbose: :Verbose
+    }.freeze
+
+    KMS_TYPES = ['static', 'aws'].freeze
+    METASTORE_TYPES = ['rdbms', 'dynamodb', 'memory'].freeze
+
+    attr_accessor(*MAPPING.keys)
+
+    def validate!
+      validate_service_name
+      validate_product_id
+      validate_kms
+      validate_metastore
+      validate_kms_attributes
+    end
+
+    def to_json(*args)
+      config = {}.tap do |c|
+        MAPPING.each_pair do |our_key, their_key|
+          value = public_send(our_key)
+          c[their_key] = value unless value.nil?
+        end
+      end
+
+      JSON.generate(config, *args)
+    end
+
+    private
+
+    def validate_service_name
+      raise Error::ConfigError, 'config.service_name not set' if service_name.nil?
+    end
+
+    def validate_product_id
+      raise Error::ConfigError, 'config.product_id not set' if product_id.nil?
+    end
+
+    def validate_kms
+      raise Error::ConfigError, 'config.kms not set' if kms.nil?
+      unless KMS_TYPES.include?(kms)
+        raise Error::ConfigError, "config.kms must be one of these: #{KMS_TYPES.join(', ')}"
+      end
+    end
+
+    def validate_metastore
+      raise Error::ConfigError, 'config.metastore not set' if metastore.nil?
+      unless METASTORE_TYPES.include?(metastore)
+        raise Error::ConfigError, "config.metastore must be one of these: #{METASTORE_TYPES.join(', ')}"
+      end
+    end
+
+    def validate_kms_attributes
+      if kms == 'aws'
+        raise Error::ConfigError, 'config.region_map not set' if region_map.nil?
+        raise Error::ConfigError, 'config.region_map must be a Hash' unless region_map.is_a?(Hash)
+        raise Error::ConfigError, 'config.preferred_region not set' if preferred_region.nil?
+      end
+    end
+  end
+end

data/lib/asherah/error.rb

@@ -1,21 +1,30 @@
+# frozen_string_literal: true
 
 module Asherah
+  # Asherah Error converts the error code to error message
   module Error
-    ResultError = Class.new(StandardError)
+    ConfigError = Class.new(StandardError)
+    NotInitialized = Class.new(StandardError)
+    AlreadyInitialized = Class.new(StandardError)
+    GetSessionFailed = Class.new(StandardError)
+    EncryptFailed = Class.new(StandardError)
+    DecryptFailed = Class.new(StandardError)
+    BadConfig = Class.new(StandardError)
 
     CODES = {
-      -100 => 'not initialized',
-      -101 => 'already initialized',
-      -102 => 'get session failed',
-      -103 => 'encrypt failed',
-      -104 => 'eecrypt failed'
-    }
+      -100 => NotInitialized,
+      -101 => AlreadyInitialized,
+      -102 => GetSessionFailed,
+      -103 => EncryptFailed,
+      -104 => DecryptFailed,
+      -105 => BadConfig
+    }.freeze
 
-    def self.check_result!(scope, result)
-      if result.negative?
-        error_message = Error::CODES.fetch(result) { 'unrecognized' }
-        raise Error::ResultError.new("#{scope} failed: #{error_message}")
-      end
+    def self.check_result!(result, message)
+      return unless result.negative?
+
+      error_class = Error::CODES.fetch(result, StandardError)
+      raise error_class, "#{message} (#{result})"
     end
   end
 end

data/lib/asherah/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Asherah
-  VERSION = '0.1.0.beta.1'
+  VERSION = '0.3.0'
 end

data/lib/asherah.rb

@@ -1,187 +1,102 @@
 # frozen_string_literal: true
 
 require_relative 'asherah/version'
+require 'asherah/config'
 require 'asherah/error'
 require 'cobhan'
 
-# Asherah uses the following data structures: `data_row_record`, `envelope_key_record`, and `key_meta`.
-#
-# `data_row_record` contains the encrypted key and provided data, as well as the information
-# required to decrypt the key encryption key. This struct should be stored in your
-# data persistence as it's required to decrypt data.
-#
-# data_row_record [Hash]
-#   key [Hash], envelope_key_record
-#   data [String]
-#
-# `envelope_key_record` represents an encrypted key and is the data structure used
-# to persist the key in our key table. It also contains the meta data
-# of the key used to encrypt it.
-#
-# envelope_key_record [Hash]
-#   created [Integer]
-#   encrypted_key [String]
-#   parent_key_meta [Hash], key_meta
-#
-# `key_meta` contains the `id` and `created` timestamp for an encryption key.
-#
-# key_meta [Hash]
-#   id [String]
-#   created [Integer]
+# Asherah is a Ruby wrapper around Asherah Go application-layer encryption SDK.
 module Asherah
   extend Cobhan
 
   LIB_ROOT_PATH = File.expand_path('asherah/native', __dir__)
   load_library(LIB_ROOT_PATH, 'libasherah', [
-    [
-      :Setup,
-      [
-        :pointer, :pointer, :pointer, :pointer, :pointer, :pointer, :int32,
-        :pointer, :pointer, :pointer, :pointer, :int32, :int32, :int32
-      ],
-      :int32
-    ],
-    [:Encrypt, [:pointer, :pointer, :pointer, :pointer, :pointer, :pointer, :pointer], :int32],
-    [:Decrypt, [:pointer, :pointer, :pointer, :int64, :pointer, :int64, :pointer], :int32]
+    [:SetupJson, [:pointer], :int32],
+    [:EncryptToJson, [:pointer, :pointer, :pointer], :int32],
+    [:DecryptFromJson, [:pointer, :pointer, :pointer], :int32],
+    [:Shutdown, [], :void]
   ].freeze)
 
+  ESTIMATED_ENCRYPTION_OVERHEAD = 48
+  ESTIMATED_ENVELOPE_OVERHEAD = 185
+  BASE64_OVERHEAD = 1.34
+
   class << self
-    # Initializes Asherah encryption session
+    # Configures Asherah
     #
-    # @param kms_type [String]
-    # @param metastore [String]
-    # @param service_name [String]
-    # @param product_id [String]
-    # @param rdbms_connection_string [String]
-    # @param dynamo_db_endpoint [String]
-    # @param dynamo_db_region [String]
-    # @param dynamo_db_table_name [String]
-    # @param enable_region_suffix [Boolean]
-    # @param preferred_region [String]
-    # @param region_map [String]
-    # @param verbose [Boolean]
-    # @param session_cache [Boolean]
-    # @param debug_output [Boolean]
-    def setup(
-      kms_type:,
-      metastore:,
-      service_name:,
-      product_id:,
-      rdbms_connection_string: '',
-      dynamo_db_endpoint: '',
-      dynamo_db_region: '',
-      dynamo_db_table_name: '',
-      enable_region_suffix: false,
-      preferred_region: '',
-      region_map: '',
-      verbose: false,
-      session_cache: false,
-      debug_output: false
-    )
-      kms_type_buffer = string_to_cbuffer(kms_type)
-      metastore_buffer = string_to_cbuffer(metastore)
-      rdbms_connection_string_buffer = string_to_cbuffer(rdbms_connection_string)
-      dynamo_db_endpoint_buffer = string_to_cbuffer(dynamo_db_endpoint)
-      dynamo_db_region_buffer = string_to_cbuffer(dynamo_db_region)
-      dynamo_db_table_name_buffer = string_to_cbuffer(dynamo_db_table_name)
-      enable_region_suffix_int = enable_region_suffix ? 1 : 0
-      service_name_buffer = string_to_cbuffer(service_name)
-      product_id_buffer = string_to_cbuffer(product_id)
-      preferred_region_buffer = string_to_cbuffer(preferred_region)
-      region_map_buffer = string_to_cbuffer(region_map)
-      verbose_int = verbose ? 1 : 0
-      session_cache_int = session_cache ? 1 : 0
-      debug_output_int = debug_output ? 1 : 0
-
-      result = Setup(
-        kms_type_buffer,
-        metastore_buffer,
-        rdbms_connection_string_buffer,
-        dynamo_db_endpoint_buffer,
-        dynamo_db_region_buffer,
-        dynamo_db_table_name_buffer,
-        enable_region_suffix_int,
-        service_name_buffer,
-        product_id_buffer,
-        preferred_region_buffer,
-        region_map_buffer,
-        verbose_int,
-        session_cache_int,
-        debug_output_int
-      )
-
-      Error.check_result!('setup', result)
+    # @yield [Config]
+    # @return [void]
+    def configure
+      config = Config.new
+      yield config
+      config.validate!
+      @intermediated_key_overhead_bytesize = config.product_id.bytesize + config.service_name.bytesize
+
+      config_buffer = string_to_cbuffer(config.to_json)
+
+      result = SetupJson(config_buffer)
+      Error.check_result!(result, 'SetupJson failed')
     end
 
-    # Encrypts data for a given partition_id
+    # Encrypts data for a given partition_id and returns DataRowRecord in JSON format.
+    #
+    # DataRowRecord contains the encrypted key and data, as well as the information
+    # required to decrypt the key encryption key. This object data should be stored
+    # in your data persistence as it's required to decrypt data.
+    #
+    # EnvelopeKeyRecord represents an encrypted key and is the data structure used
+    # to persist the key in the key table. It also contains the meta data
+    # of the key used to encrypt it.
+    #
+    # KeyMeta contains the `id` and `created` timestamp for an encryption key.
     #
     # @param partition_id [String]
     # @param data [String]
-    # @return [Hash], data_row_record
+    # @return [String], DataRowRecord in JSON format
     def encrypt(partition_id, data)
       partition_id_buffer = string_to_cbuffer(partition_id)
       data_buffer = string_to_cbuffer(data)
-      output_encrypted_data_buffer = allocate_cbuffer(data.length + 256)
-      output_encrypted_key_buffer = allocate_cbuffer(256)
-      output_created_buffer = int_to_buffer(0)
-      output_parent_key_id_buffer = allocate_cbuffer(256)
-      output_parent_key_created_buffer = int_to_buffer(0)
-
-      result = Encrypt(
-        partition_id_buffer,
-        data_buffer,
-        output_encrypted_data_buffer,
-        output_encrypted_key_buffer,
-        output_created_buffer,
-        output_parent_key_id_buffer,
-        output_parent_key_created_buffer
-      )
-
-      Error.check_result!('encrypt', result)
-
-      parent_key_id = cbuffer_to_string(output_parent_key_id_buffer)
-
-      {
-        data: cbuffer_to_string(output_encrypted_data_buffer),
-        key: {
-          encrypted_key: cbuffer_to_string(output_encrypted_key_buffer),
-          created: buffer_to_int(output_created_buffer),
-          parent_key_meta: {
-            id: parent_key_id,
-            created: buffer_to_int(output_parent_key_created_buffer)
-          }
-        }
-      }
+      estimated_buffer_bytesize = estimate_buffer(data.bytesize, partition_id.bytesize)
+      output_buffer = allocate_cbuffer(estimated_buffer_bytesize)
+
+      result = EncryptToJson(partition_id_buffer, data_buffer, output_buffer)
+      Error.check_result!(result, 'EncryptToJson failed')
+
+      cbuffer_to_string(output_buffer)
+    ensure
+      [partition_id_buffer, data_buffer, output_buffer].map(&:free)
     end
 
-    # Decrypts a data_row_record for a partition_id
+    # Decrypts a DataRowRecord in JSON format for a partition_id and returns decrypted data.
     #
     # @param partition_id [String]
-    # @param data_row_record [Hash], data_row_record
-    # @return [String]
-    def decrypt(partition_id, data_row_record)
+    # @param json [String], DataRowRecord in JSON format
+    # @return [String], Decrypted data
+    def decrypt(partition_id, json)
       partition_id_buffer = string_to_cbuffer(partition_id)
-      encrypted_data_buffer = string_to_cbuffer(data_row_record[:data])
-      encrypted_key_buffer = string_to_cbuffer(data_row_record[:key][:encrypted_key])
-      created = data_row_record[:key][:created]
-      parent_key_id_buffer = string_to_cbuffer(data_row_record[:key][:parent_key_meta][:id])
-      parent_key_created = data_row_record[:key][:parent_key_meta][:created]
-
-      output_data_buffer = allocate_cbuffer(encrypted_data_buffer.size + 256)
-
-      result = Decrypt(
-        partition_id_buffer,
-        encrypted_data_buffer,
-        encrypted_key_buffer,
-        created,
-        parent_key_id_buffer,
-        parent_key_created,
-        output_data_buffer
-      )
-
-      Error.check_result!('decrypt', result)
-
-      cbuffer_to_string(output_data_buffer)
+      data_buffer = string_to_cbuffer(json)
+      output_buffer = allocate_cbuffer(json.bytesize)
+
+      result = DecryptFromJson(partition_id_buffer, data_buffer, output_buffer)
+      Error.check_result!(result, 'DecryptFromJson failed')
+
+      cbuffer_to_string(output_buffer)
+    ensure
+      [partition_id_buffer, data_buffer, output_buffer].map(&:free)
+    end
+
+    # Stop the Asherah instance
+    def shutdown
+      Shutdown()
+    end
+
+    private
+
+    def estimate_buffer(data_bytesize, partition_bytesize)
+      ESTIMATED_ENVELOPE_OVERHEAD +
+        @intermediated_key_overhead_bytesize +
+        partition_bytesize +
+        ((data_bytesize + ESTIMATED_ENCRYPTION_OVERHEAD) * BASE64_OVERHEAD)
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: asherah
 version: !ruby/object:Gem::Version
-  version: 0.1.0.beta.1
+  version: 0.3.0
 platform: aarch64-linux
 authors:
 - GoDaddy
-autorequire:
+autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-03-07 00:00:00.000000000 Z
+date: 2022-03-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cobhan
@@ -16,14 +16,84 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.2
+        version: 0.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.2
+        version: 0.2.0
+- !ruby/object:Gem::Dependency
+  name: dotenv
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.7.6
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.7.6
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.10.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.10.0
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.21.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.21.2
+- !ruby/object:Gem::Dependency
+  name: simplecov-console
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.1
 description: |
   Asherah is an application-layer encryption SDK that provides advanced
   encryption features and defense in depth against compromise.
@@ -46,6 +116,7 @@ files:
 - SECURITY.md
 - asherah.gemspec
 - lib/asherah.rb
+- lib/asherah/config.rb
 - lib/asherah/error.rb
 - lib/asherah/native/libasherah-arm64.so
 - lib/asherah/version.rb
@@ -57,7 +128,7 @@ metadata:
   source_code_uri: https://github.com/godaddy/asherah-ruby
   changelog_uri: https://github.com/godaddy/asherah-ruby/blob/main/CHANGELOG.md
   rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -68,12 +139,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
-rubygems_version: 3.3.3
-signing_key:
+rubygems_version: 3.3.7
+signing_key: 
 specification_version: 4
 summary: Application Layer Encryption SDK
 test_files: []