asherah 0.1.0.beta.2-x86_64-darwin → 0.3.0-x86_64-darwin

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e3e07fa915ec849dcddfa6a309ddb834baf0060bc420a3ea42e521b127b055ba
-  data.tar.gz: 6c91eb6493ad293f7a66d301d67abb392db99de28cd6254b3fc3ce136b3e6c77
+  metadata.gz: 19b2444c560043be159c67a8ce073d195efdc97621bf2bc83aa51ccf782e05cf
+  data.tar.gz: d8cc8af342fe2738ff2775f87ac2a5a708a3efc22fd1abc5c1ce31c75bb31abf
 SHA512:
-  metadata.gz: cef747ccb3d115a4a755e751961c8a2fb3b922f6d6166391332dc07bfa4c47db24aeaca0708100b61f6c6f2048d694786bf4b2bca347df1c9b8c62bc5e0ea517
-  data.tar.gz: 28d44374434998f0b2b4c4fdfc9a1006a60a6017c939fc6d58dd83b4fcbaa6e913eeba0d75fd4b85d7751fd6b36d40e936f1df3a91a825eceaa14d1ce94623b7
+  metadata.gz: e3306522c79aba79a641be8be76e8dd884717a229cad7ab1f880a3ff1918691e24c6e4021fdc73431446d9dbb8c60d389d260f2358bc07f728f88980609bdbdc
+  data.tar.gz: d3afd3c3a65aa26183328496a75a2e278764b4056516ea8a1fcd5121109aaf07078f8089ff43ed2e125532052dac3da9efa5c50ea826dd12273ed030acec36b6

data/.rubocop.yml

@@ -4,6 +4,7 @@ AllCops:
   SuggestExtensions: false
   Exclude:
     - 'vendor/**/*' # Github Actions
+    - 'tmp/**/*'
 
 Layout/LineLength:
   Max: 120

data/CHANGELOG.md

@@ -1,5 +1,22 @@
 ## [Unreleased]
 
+## [0.3.0] - 2022-03-22
+
+- Free up cobhan buffers after encrypt/decrypt to prevent growing heap memory
+- Use local `estimate_buffer` calculation instead of FFI call
+- Upgrade to use asherah-cobhan v0.4.3
+
+## [0.2.0] - 2022-03-21
+
+- Implement versioning for asherah-cobhan binaries
+- Upgrade to use asherah-cobhan v0.3.1
+- Add BadConfig error and expose error codes
+- Remove DRR methods and use JSON exclusively
+- Cross language testing using Asherah Go
+
+## [0.1.0] - 2022-03-14
+
+- First official release
 
 ## [0.1.0.beta2] - 2022-03-14
 

data/Gemfile

@@ -6,3 +6,5 @@ source 'https://rubygems.org'
 gemspec
 
 gem 'rake', '~> 13.0'
+
+gem 'cucumber', '~> 7.1.0'

data/README.md

@@ -34,10 +34,10 @@ Configure Asherah:
 
 ```ruby
 Asherah.configure do |config|
-  config.kms_type = 'static'
+  config.kms = 'static'
   config.metastore = 'memory'
-  config.service_name = 'gem'
-  config.product_id = 'sable'
+  config.service_name = 'service'
+  config.product_id = 'product'
 end
 ```
 
@@ -46,15 +46,15 @@ Encrypt some data for a `partition_id`
 ```ruby
 partition_id = 'user_1'
 data = 'Some PII data'
-data_row_record = Asherah.encrypt(partition_id, data)
-p data_row_record
+data_row_record_json = Asherah.encrypt(partition_id, data)
+puts data_row_record_json
 ```
 
-Decrypt `data_row_record`
+Decrypt `data_row_record_json`
 
 ```ruby
-decrypted_data = Asherah.decrypt(partition_id, data_row_record)
-p decrypted_data
+decrypted_data = Asherah.decrypt(partition_id, data_row_record_json)
+puts decrypted_data
 ```
 
 ## Development
@@ -67,6 +67,17 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/godaddy/asherah-ruby.
 
+## Releasing new gem version
+
+```
+# Create and push a version tag
+git tag -a v$(rake version) -m "Version $(rake version)"
+git push origin v$(rake version)
+
+# Create a release in Github to trigger .github/workflows/publish.yml workflow
+echo "Version $(rake version)"
+```
+
 ## License
 
 The gem is available as open source under the terms of the [MIT License](LICENSE.txt).

data/Rakefile

@@ -3,7 +3,6 @@
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 require 'rubygems/package'
-require 'open-uri'
 
 RSpec::Core::RakeTask.new(:spec)
 
@@ -13,6 +12,7 @@ RuboCop::RakeTask.new
 
 task default: %i[spec rubocop]
 
+ASHERAH_BIN = 'bin/download-asherah.sh'
 DISTRIBUTIONS = {
   'x86_64-linux' => ['libasherah-x64.so'],
   'x86_64-darwin' => ['libasherah-x64.dylib'],
@@ -20,6 +20,19 @@ DISTRIBUTIONS = {
   'arm64-darwin' => ['libasherah-arm64.dylib']
 }.freeze
 
+def current_filename
+  @current_filename ||=
+    begin
+      require 'cobhan'
+      Class.new.extend(Cobhan).library_file_name('libasherah')
+    end
+end
+
+def current_platform
+  @distribution ||= DISTRIBUTIONS.detect { |_k, v| v.include?(current_filename) }
+  @distribution.first
+end
+
 def native_build(platform, native_files)
   puts "Building gem for #{platform}"
 
@@ -32,14 +45,14 @@ def native_build(platform, native_files)
 
   # Copy files to tmp gem dir
   gemspec = Bundler.load_gemspec('asherah.gemspec')
-  gemspec.files.each do |file|
+  (gemspec.files + [ASHERAH_BIN]).each do |file|
     dir = File.dirname(file)
     filename = File.basename(file)
     FileUtils.mkdir_p(File.join(tmp_gem_dir, dir))
     FileUtils.copy_file(file, File.join(tmp_gem_dir, dir, filename))
   end
 
-  # Set platform for native gem build and remove extentions
+  # Set platform for native gem build
   gemspec.platform = Gem::Platform.new(platform)
 
   native_dir = 'lib/asherah/native'
@@ -47,16 +60,16 @@ def native_build(platform, native_files)
     FileUtils.mkdir_p(native_dir)
     native_files.each do |native_file|
       native_file_path = File.join(native_dir, native_file)
-      gemspec.files << native_file_path
 
-      File.open(native_file_path, 'wb') do |file|
-        url = "https://github.com/godaddy/asherah-cobhan/releases/download/current/#{native_file}"
-        puts "Downloading #{url}"
-        file << URI.parse(url).open.read
-      end
+      # Download native file
+      download_asherah_path = File.join(tmp_gem_dir, ASHERAH_BIN)
+      system("#{download_asherah_path} #{native_file}")
+
+      # Add native file in gemspec
+      gemspec.files << native_file_path
     end
 
-    package = Gem::Package.build gemspec
+    package = Gem::Package.build(gemspec)
     FileUtils.mv package, File.join(pkg_dir, package)
   end
 end
@@ -78,19 +91,31 @@ namespace :native do
     end
   end
 
-  namespace :smoke do
-    require 'cobhan'
+  namespace :current do
+    desc 'Download asherah binary for current platform'
+    task :download do
+      download_asherah_path = File.join(__dir__, ASHERAH_BIN)
+      system("#{download_asherah_path} #{current_filename}")
+    end
 
-    filename = Class.new.extend(Cobhan).library_file_name('libasherah')
-    platform, _files = DISTRIBUTIONS.detect { |_k, v| v.include?(filename) }
+    desc 'Build native gem for current platform'
+    task :build do
+      native_build(current_platform, DISTRIBUTIONS[current_platform])
+    end
 
-    desc "Smoke test native gem on #{platform} platform"
-    task "#{platform}": :"build:#{platform}" do
+    desc 'Smoke test native gem for current platform'
+    task smoke: :build do
+      platform = current_platform
       gemspec = Bundler.load_gemspec('asherah.gemspec')
       gemspec.platform = Gem::Platform.new(platform)
 
+      sh('gem uninstall asherah')
       sh("gem install pkg/#{gemspec.file_name}")
       sh('ruby spec/smoke_test.rb')
     end
   end
 end
+
+task :version do
+  puts Asherah::VERSION
+end

data/asherah.gemspec

@@ -34,7 +34,7 @@ Gem::Specification.new do |spec|
   spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'cobhan', '~> 0.1.2'
+  spec.add_dependency 'cobhan', '~> 0.2.0'
   spec.add_development_dependency 'dotenv', '~> 2.7.6'
   spec.add_development_dependency 'rspec', '~> 3.10.0'
   spec.add_development_dependency 'rubocop', '~> 1.7'

data/lib/asherah/error.rb

@@ -9,20 +9,22 @@ module Asherah
     GetSessionFailed = Class.new(StandardError)
     EncryptFailed = Class.new(StandardError)
     DecryptFailed = Class.new(StandardError)
+    BadConfig = Class.new(StandardError)
 
     CODES = {
       -100 => NotInitialized,
       -101 => AlreadyInitialized,
       -102 => GetSessionFailed,
       -103 => EncryptFailed,
-      -104 => DecryptFailed
+      -104 => DecryptFailed,
+      -105 => BadConfig
     }.freeze
 
     def self.check_result!(result, message)
       return unless result.negative?
 
       error_class = Error::CODES.fetch(result, StandardError)
-      raise error_class, message
+      raise error_class, "#{message} (#{result})"
     end
   end
 end

data/lib/asherah/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Asherah
-  VERSION = '0.1.0.beta.2'
+  VERSION = '0.3.0'
 end

data/lib/asherah.rb

@@ -3,9 +3,6 @@
 require_relative 'asherah/version'
 require 'asherah/config'
 require 'asherah/error'
-require 'asherah/key_meta'
-require 'asherah/data_row_record'
-require 'asherah/envelope_key_record'
 require 'cobhan'
 
 # Asherah is a Ruby wrapper around Asherah Go application-layer encryption SDK.
@@ -15,13 +12,15 @@ module Asherah
   LIB_ROOT_PATH = File.expand_path('asherah/native', __dir__)
   load_library(LIB_ROOT_PATH, 'libasherah', [
     [:SetupJson, [:pointer], :int32],
-    [:Encrypt, [:pointer, :pointer, :pointer, :pointer, :pointer, :pointer, :pointer], :int32],
-    [:Decrypt, [:pointer, :pointer, :pointer, :int64, :pointer, :int64, :pointer], :int32],
     [:EncryptToJson, [:pointer, :pointer, :pointer], :int32],
     [:DecryptFromJson, [:pointer, :pointer, :pointer], :int32],
     [:Shutdown, [], :void]
   ].freeze)
 
+  ESTIMATED_ENCRYPTION_OVERHEAD = 48
+  ESTIMATED_ENVELOPE_OVERHEAD = 185
+  BASE64_OVERHEAD = 1.34
+
   class << self
     # Configures Asherah
     #
@@ -31,6 +30,7 @@ module Asherah
       config = Config.new
       yield config
       config.validate!
+      @intermediated_key_overhead_bytesize = config.product_id.bytesize + config.service_name.bytesize
 
       config_buffer = string_to_cbuffer(config.to_json)
 
@@ -38,110 +38,65 @@ module Asherah
       Error.check_result!(result, 'SetupJson failed')
     end
 
-    # Encrypts data for a given partition_id and returns DataRowRecord
+    # Encrypts data for a given partition_id and returns DataRowRecord in JSON format.
     #
-    # @param partition_id [String]
-    # @param data [String]
-    # @return [DataRowRecord]
-    def encrypt(partition_id, data)
-      partition_id_buffer = string_to_cbuffer(partition_id)
-      data_buffer = string_to_cbuffer(data)
-      output_encrypted_data_buffer = allocate_cbuffer(data.length + 256)
-      output_encrypted_key_buffer = allocate_cbuffer(256)
-      output_created_buffer = int_to_buffer(0)
-      output_parent_key_id_buffer = allocate_cbuffer(256)
-      output_parent_key_created_buffer = int_to_buffer(0)
-
-      result = Encrypt(
-        partition_id_buffer,
-        data_buffer,
-        output_encrypted_data_buffer,
-        output_encrypted_key_buffer,
-        output_created_buffer,
-        output_parent_key_id_buffer,
-        output_parent_key_created_buffer
-      )
-      Error.check_result!(result, 'Encrypt failed')
-
-      parent_key_meta = KeyMeta.new(
-        id: cbuffer_to_string(output_parent_key_id_buffer),
-        created: buffer_to_int(output_parent_key_created_buffer)
-      )
-      envelope_key_record = EnvelopeKeyRecord.new(
-        encrypted_key: cbuffer_to_string(output_encrypted_key_buffer),
-        created: buffer_to_int(output_created_buffer),
-        parent_key_meta: parent_key_meta
-      )
-
-      DataRowRecord.new(
-        data: cbuffer_to_string(output_encrypted_data_buffer),
-        key: envelope_key_record
-      )
-    end
-
-    # Decrypts a data_row_record for a partition_id and returns decrypted data
+    # DataRowRecord contains the encrypted key and data, as well as the information
+    # required to decrypt the key encryption key. This object data should be stored
+    # in your data persistence as it's required to decrypt data.
     #
-    # @param partition_id [String]
-    # @param data_row_record [DataRowRecord]
-    # @return [String], Decrypted data
-    def decrypt(partition_id, data_row_record)
-      partition_id_buffer = string_to_cbuffer(partition_id)
-      encrypted_data_buffer = string_to_cbuffer(data_row_record.data)
-      encrypted_key_buffer = string_to_cbuffer(data_row_record.key.encrypted_key)
-      created = data_row_record.key.created
-      parent_key_id_buffer = string_to_cbuffer(data_row_record.key.parent_key_meta.id)
-      parent_key_created = data_row_record.key.parent_key_meta.created
-
-      output_data_buffer = allocate_cbuffer(encrypted_data_buffer.size + 256)
-
-      result = Decrypt(
-        partition_id_buffer,
-        encrypted_data_buffer,
-        encrypted_key_buffer,
-        created,
-        parent_key_id_buffer,
-        parent_key_created,
-        output_data_buffer
-      )
-      Error.check_result!(result, 'Decrypt failed')
-
-      cbuffer_to_string(output_data_buffer)
-    end
-
-    def shutdown
-      Shutdown()
-    end
-
-    # Encrypts data for a given partition_id and returns DataRowRecord in JSON format
+    # EnvelopeKeyRecord represents an encrypted key and is the data structure used
+    # to persist the key in the key table. It also contains the meta data
+    # of the key used to encrypt it.
+    #
+    # KeyMeta contains the `id` and `created` timestamp for an encryption key.
     #
     # @param partition_id [String]
     # @param data [String]
     # @return [String], DataRowRecord in JSON format
-    def encrypt_to_json(partition_id, data)
+    def encrypt(partition_id, data)
       partition_id_buffer = string_to_cbuffer(partition_id)
       data_buffer = string_to_cbuffer(data)
-      output_buffer = allocate_cbuffer(data.length + 256)
+      estimated_buffer_bytesize = estimate_buffer(data.bytesize, partition_id.bytesize)
+      output_buffer = allocate_cbuffer(estimated_buffer_bytesize)
 
       result = EncryptToJson(partition_id_buffer, data_buffer, output_buffer)
       Error.check_result!(result, 'EncryptToJson failed')
 
       cbuffer_to_string(output_buffer)
+    ensure
+      [partition_id_buffer, data_buffer, output_buffer].map(&:free)
     end
 
-    # Decrypts a DataRowRecord in JSON format for a partition_id and returns decrypted data
+    # Decrypts a DataRowRecord in JSON format for a partition_id and returns decrypted data.
     #
     # @param partition_id [String]
     # @param json [String], DataRowRecord in JSON format
     # @return [String], Decrypted data
-    def decrypt_from_json(partition_id, json)
+    def decrypt(partition_id, json)
       partition_id_buffer = string_to_cbuffer(partition_id)
       data_buffer = string_to_cbuffer(json)
-      output_buffer = allocate_cbuffer(json.length + 256)
+      output_buffer = allocate_cbuffer(json.bytesize)
 
       result = DecryptFromJson(partition_id_buffer, data_buffer, output_buffer)
       Error.check_result!(result, 'DecryptFromJson failed')
 
       cbuffer_to_string(output_buffer)
+    ensure
+      [partition_id_buffer, data_buffer, output_buffer].map(&:free)
+    end
+
+    # Stop the Asherah instance
+    def shutdown
+      Shutdown()
+    end
+
+    private
+
+    def estimate_buffer(data_bytesize, partition_bytesize)
+      ESTIMATED_ENVELOPE_OVERHEAD +
+        @intermediated_key_overhead_bytesize +
+        partition_bytesize +
+        ((data_bytesize + ESTIMATED_ENCRYPTION_OVERHEAD) * BASE64_OVERHEAD)
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: asherah
 version: !ruby/object:Gem::Version
-  version: 0.1.0.beta.2
+  version: 0.3.0
 platform: x86_64-darwin
 authors:
 - GoDaddy
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-03-14 00:00:00.000000000 Z
+date: 2022-03-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cobhan
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.2
+        version: 0.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.2
+        version: 0.2.0
 - !ruby/object:Gem::Dependency
   name: dotenv
   requirement: !ruby/object:Gem::Requirement
@@ -117,10 +117,7 @@ files:
 - asherah.gemspec
 - lib/asherah.rb
 - lib/asherah/config.rb
-- lib/asherah/data_row_record.rb
-- lib/asherah/envelope_key_record.rb
 - lib/asherah/error.rb
-- lib/asherah/key_meta.rb
 - lib/asherah/native/libasherah-x64.dylib
 - lib/asherah/version.rb
 homepage: https://github.com/godaddy/asherah-ruby
@@ -142,9 +139,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubygems_version: 3.3.7
 signing_key: 

data/lib/asherah/data_row_record.rb

@@ -1,20 +0,0 @@
-# frozen_string_literal: true
-
-module Asherah
-  # DataRowRecord contains the encrypted key and data, as well as the information
-  # required to decrypt the key encryption key. This object data should be stored
-  # in your data persistence as it's required to decrypt data.
-  class DataRowRecord
-    attr_reader :data, :key
-
-    # Initializes a new DataRowRecord
-    #
-    # @param data [String]
-    # @param key [EnvelopeKeyRecord]
-    # @return DataRowRecord
-    def initialize(data:, key:)
-      @data = data
-      @key = key
-    end
-  end
-end

data/lib/asherah/envelope_key_record.rb

@@ -1,22 +0,0 @@
-# frozen_string_literal: true
-
-module Asherah
-  # EnvelopeKeyRecord represents an encrypted key and is the data structure used
-  # to persist the key in the key table. It also contains the meta data
-  # of the key used to encrypt it.
-  class EnvelopeKeyRecord
-    attr_reader :encrypted_key, :created, :parent_key_meta
-
-    # Initializes a new EnvelopeKeyRecord
-    #
-    # @param encrypted_key [String]
-    # @param created [Integer]
-    # @param parent_key_meta [KeyMeta]
-    # @return EnvelopeKeyRecord
-    def initialize(encrypted_key:, created:, parent_key_meta:)
-      @encrypted_key = encrypted_key
-      @created = created
-      @parent_key_meta = parent_key_meta
-    end
-  end
-end

data/lib/asherah/key_meta.rb

@@ -1,18 +0,0 @@
-# frozen_string_literal: true
-
-module Asherah
-  # KeyMeta contains the `id` and `created` timestamp for an encryption key.
-  class KeyMeta
-    attr_reader :id, :created
-
-    # Initializes a new KeyMeta
-    #
-    # @param id [String]
-    # @param created [Integer]
-    # @return KeyMeta
-    def initialize(id:, created:)
-      @id = id
-      @created = created
-    end
-  end
-end