asherah 0.4.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: e488eb972195bbc3f37253f2d71b54ad89d069c24260e7800de4602df9277ca5
+  data.tar.gz: c865721c410b6a887cbb89b425d64dd17bae9ceda8c2796ca68ff67537750bb9
+SHA512:
+  metadata.gz: 141ef3ec23e647f077372e3026dc68539609fec19b05b4ce683d06b30ba8d7b9253ec62beb38a2edec4adfe63e62d1596ed5694e9ffa6822bd37a4a231b220e6
+  data.tar.gz: d8ca23008b6146270b4d13cbc0a1d0c8d84d798fe4a45b54cddacefc351040b7667823c19321aef09f8b142b628b84b8b27f0ae8840e16db59eeb4f99266426e

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,34 @@
+AllCops:
+  TargetRubyVersion: 2.5
+  NewCops: enable
+  SuggestExtensions: false
+  Exclude:
+    - 'vendor/**/*' # Github Actions
+    - 'tmp/**/*'
+
+Layout/LineLength:
+  Max: 120
+
+Metrics/BlockLength:
+  Enabled: false
+
+Metrics/MethodLength:
+  Enabled: false
+
+Style/WordArray:
+  Enabled: false
+
+Style/SymbolArray:
+  Enabled: false
+
+Style/MultilineBlockChain:
+  Enabled: false
+
+Style/BlockDelimiters:
+  Enabled: false
+
+Metrics/AbcSize:
+  Enabled: false
+
+Style/GuardClause:
+  Enabled: false

data/.ruby-version

@@ -0,0 +1 @@
+3.1.0

data/CHANGELOG.md

@@ -0,0 +1,37 @@
+## [Unreleased]
+
+## [0.4.0] - 2022-03-25
+
+- Download native file during gem install and verify checksum
+- Upgrade to use asherah-cobhan v0.4.11
+
+## [0.3.0] - 2022-03-22
+
+- Free up cobhan buffers after encrypt/decrypt to prevent growing heap memory
+- Use local `estimate_buffer` calculation instead of FFI call
+- Upgrade to use asherah-cobhan v0.4.3
+
+## [0.2.0] - 2022-03-21
+
+- Implement versioning for asherah-cobhan binaries
+- Upgrade to use asherah-cobhan v0.3.1
+- Add BadConfig error and expose error codes
+- Remove DRR methods and use JSON exclusively
+- Cross language testing using Asherah Go
+
+## [0.1.0] - 2022-03-14
+
+- First official release
+
+## [0.1.0.beta2] - 2022-03-14
+
+- Add smoke tests for native gems
+- Change to use `SetupJson` instead of `Setup`
+- Update config options to make them consistent with Asherah Go
+- Add `shutdown`
+- Add `encrypt_to_json` and `decrypt_from_json`
+- Add coverage report
+
+## [0.1.0.beta1] - 2022-03-07
+
+- Initial proof of concept

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,77 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+  advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies within all project spaces, and it also applies when
+an individual is representing the project or its community in public spaces.
+Examples of representing a project or community include using an official
+project e-mail address, posting via an official social media account, or acting
+as an appointed representative at an online or offline event. Representation of
+a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at oss@godaddy.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq
+

data/CONTRIBUTING.md

@@ -0,0 +1,128 @@
+# Contributing
+
+Everyone is welcome to contribute to GoDaddy's Open Source Software.
+Contributing doesn’t just mean submitting pull requests. To get involved,
+you can report or triage bugs, and participate in discussions on the
+evolution of each project.
+
+No matter how you want to get involved, we ask that you first learn what’s
+expected of anyone who participates in the project by reading the Contribution
+Guidelines and our [Code of Conduct][coc].
+
+**Please Note:** GitHub is for bug reports and contributions primarily -
+if you have a support question head over to [GoDaddy's Open Source
+Software Slack channel][slack]. You can request an invite
+[here][invite].
+
+## Answering Questions
+
+One of the most important and immediate ways you can support this project is
+to answer questions on [Slack][slack] or [Github][issues]. Whether you’re
+helping a newcomer understand a feature or troubleshooting an edge case with a
+seasoned developer, your knowledge and experience with a programming language
+can go a long way to help others.
+
+## Reporting Bugs
+
+**Do not report potential security vulnerabilities here. Refer to
+[SECURITY.md](./SECURITY.md) for more details about the process of reporting
+security vulnerabilities.**
+
+Before submitting a ticket, please search our [Issue Tracker][issues] to make
+sure it does not already exist and have a simple replication of the behavior. If
+the issue is isolated to one of the dependencies of this project, please create
+a Github issue in that project. All dependencies should be open source software
+and can be found on Github.
+
+Submit a ticket for your issue, assuming one does not already exist:
+
+- Create it on the project's [issue Tracker][issues].
+- Clearly describe the issue by following the template layout
+  - Make sure to include steps to reproduce the bug.
+  - A reproducible (unit) test could be helpful in solving the bug.
+  - Describe the environment that (re)produced the problem.
+
+## Triaging bugs or contributing code
+
+If you're triaging a bug, first make sure that you can reproduce it. Once a bug
+can be reproduced, reduce it to the smallest amount of code possible. Reasoning
+about a sample or unit test that reproduces a bug in just a few lines of code
+is easier than reasoning about a longer sample.
+
+From a practical perspective, contributions are as simple as:
+
+1. Fork and clone the repo, [see Github's instructions if you need help.][fork]
+1. Create a branch for your PR with `git checkout -b pr/your-branch-name`
+1. Make changes on the branch of your forked repository.
+1. When committing, reference your issue (if present) and include a note about
+  the fix.
+1. Please also add/update unit tests for your changes.
+1. Push the changes to your fork and submit a pull request to the 'main
+   development branch' branch of the projects' repository.
+
+If you are interested in making a large change and feel unsure about its overall
+effect, start with opening an Issue in the project's [Issue Tracker][issues]
+with a high-level proposal and discuss it with the core contributors through
+Github comments or in [Slack][slack]. After reaching a consensus with core
+contributors about the change, discuss the best way to go about implementing it.
+
+> Tip: Keep your main branch pointing at the original repository and make
+> pull requests from branches on your fork. To do this, run:
+>
+>   ```sh
+> git remote add upstream https://github.com/godaddy/asherah-ruby.git
+> git fetch upstream
+> git branch --set-upstream-to=upstream/main main
+>   ```
+>
+> This will add the original repository as a "remote" called "upstream," Then
+> fetch the git information from that remote, then set your local main
+> branch to use the upstream main branch whenever you run git pull. Then you
+> can make all of your pull request branches based on this main branch.
+> Whenever you want to update your version of main, do a regular git pull.
+
+## Code Review
+
+Any open source project relies heavily on code review to improve software
+quality. All significant changes, by all developers, must be reviewed before
+they are committed to the repository. Code reviews are conducted on GitHub
+through comments on pull requests or commits. The developer responsible for a
+code change is also responsible for making all necessary review-related changes.
+
+Sometimes code reviews will take longer than you would hope for, especially for
+larger features. Here are some accepted ways to speed up review times for your
+patches:
+
+- Review other people’s changes. If you help out, others will more likely be
+willing to do the same for you.
+- Split your change into multiple smaller changes. The smaller your change,
+the higher the probability that somebody will take a quick look at it.
+- Mention the change on [Slack][slack]. If it is urgent, provide reasons why it
+is important to get this change landed. Remember that you are asking for valuable
+time from other professional developers.
+
+**Note that anyone is welcome to review and give feedback on a change, but only
+people with commit access to the repository can approve it.**
+
+## Attribution of Changes
+
+When contributors submit a change to this project, after that change is
+approved, other developers with commit access may commit it for the author. When
+doing so, it is important to retain correct attribution of the contribution.
+Generally speaking, Git handles attribution automatically.
+
+## Code Style and Documentation
+
+Ensure that your contribution follows the standards set by the project's style
+guide with respect to patterns, naming, documentation and testing.
+
+# Additional Resources
+
+- [General GitHub Documentation](https://help.github.com/)
+- [GitHub Pull Request documentation](https://help.github.com/send-pull-requests/)
+
+[issues]: https://github.com/godaddy/asherah-ruby/issues/
+[coc]: ./CODE_OF_CONDUCT.md
+[slack]: https://godaddy-oss.slack.com/
+[fork]: https://help.github.com/en/articles/fork-a-repo
+[invite]: https://godaddy-oss-slack.herokuapp.com

data/Gemfile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in asherah.gemspec
+gemspec
+
+gem 'rake', '~> 13.0'
+
+gem 'cucumber', '~> 7.1.0'

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2022 GoDaddy Operating Company, LLC.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,86 @@
+# Asherah
+
+Asherah is a Ruby FFI wrapper around Go version of [Asherah](https://github.com/godaddy/asherah) application-layer encryption SDK. Asherah provides advanced encryption features and defense in depth against compromise. It uses a technique known as "envelope encryption" and supports cloud-agnostic data storage and key management.
+
+Check out the following documentation to get more familiar with the concepts and configuration options:
+
+- [Design and Architecture](https://github.com/godaddy/asherah/blob/master/docs/DesignAndArchitecture.md)
+- [Key Caching](https://github.com/godaddy/asherah/blob/master/docs/KeyCaching.md)
+- [Key Management Service](https://github.com/godaddy/asherah/blob/master/docs/KeyManagementService.md)
+- [Metastore](https://github.com/godaddy/asherah/blob/master/docs/Metastore.md)
+- [System Requirements](https://github.com/godaddy/asherah/blob/master/docs/SystemRequirements.md)
+
+## Supported Platforms
+
+Currently supported platforms are Linux and Darwin operating systems for x64 and arm64 CPU architectures.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'asherah'
+```
+
+```bash
+bundle install
+```
+
+Or install it yourself as:
+
+```bash
+gem install asherah
+```
+
+## Usage
+
+Configure Asherah:
+
+```ruby
+Asherah.configure do |config|
+  config.kms = 'static'
+  config.metastore = 'memory'
+  config.service_name = 'service'
+  config.product_id = 'product'
+end
+```
+
+Encrypt some data for a `partition_id`
+
+```ruby
+partition_id = 'user_1'
+data = 'PII data'
+data_row_record_json = Asherah.encrypt(partition_id, data)
+puts data_row_record_json
+```
+
+Decrypt `data_row_record_json`
+
+```ruby
+decrypted_data = Asherah.decrypt(partition_id, data_row_record_json)
+puts decrypted_data
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `rake install`.
+
+To release a new version, update the version number in `version.rb`, create and push a version tag:
+
+```
+git tag -a v$(rake version) -m "Version $(rake version)"
+git push origin v$(rake version)
+```
+
+And then create a release in Github with title `echo "Version $(rake version)"` that will trigger `.github/workflows/publish.yml` workflow and push the `.gem` file to [rubygems.org](https://rubygems.org):
+
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/godaddy/asherah-ruby.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](LICENSE.txt).

data/Rakefile

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+require 'rubocop/rake_task'
+
+RuboCop::RakeTask.new
+
+desc 'Download the binary for the current platform'
+task :download do
+  tmp_dir = 'tmp'
+  FileUtils.mkdir_p(tmp_dir)
+  FileUtils.cd(tmp_dir, verbose: true) do
+    system('ruby ../ext/asherah/extconf.rb')
+  end
+end
+
+task default: %i[spec rubocop]
+task spec: :download
+
+desc 'Print current version'
+task :version do
+  puts Asherah::VERSION
+end

data/SECURITY.md

@@ -0,0 +1,19 @@
+# Reporting Security Issues
+
+We take security very seriously at GoDaddy. We appreciate your efforts to
+responsibly disclose your findings, and will make every effort to acknowledge
+your contributions.
+
+## Where should I report security issues?
+
+In order to give the community time to respond and upgrade, we strongly urge you
+report all security issues privately.
+
+To report a security issue in one of our Open Source projects email us directly
+at **oss@godaddy.com** and include the word "SECURITY" in the subject line.
+
+This mail is delivered to our Open Source Security team.
+
+After the initial reply to your report, the team will keep you informed of the
+progress being made towards a fix and announcement, and may ask for additional
+information or guidance.

data/asherah.gemspec

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require_relative 'lib/asherah/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'asherah'
+  spec.version = Asherah::VERSION
+  spec.authors = ['GoDaddy']
+  spec.email = ['oss@godaddy.com']
+
+  spec.summary = 'Application Layer Encryption SDK'
+  spec.description = <<~DESCRIPTION
+    Asherah is an application-layer encryption SDK that provides advanced
+    encryption features and defense in depth against compromise.
+  DESCRIPTION
+
+  spec.homepage = 'https://github.com/godaddy/asherah-ruby'
+  spec.license = 'MIT'
+  spec.required_ruby_version = '>= 2.5.0'
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = 'https://github.com/godaddy/asherah-ruby'
+  spec.metadata['changelog_uri'] = 'https://github.com/godaddy/asherah-ruby/blob/main/CHANGELOG.md'
+  spec.metadata['rubygems_mfa_required'] = 'true'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (f == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
+    end
+  end
+  spec.bindir = 'exe'
+  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+  spec.extensions = ['ext/asherah/extconf.rb']
+
+  spec.add_dependency 'cobhan', '~> 0.2.0'
+  spec.add_development_dependency 'dotenv', '~> 2.7.6'
+  spec.add_development_dependency 'rspec', '~> 3.10.0'
+  spec.add_development_dependency 'rubocop', '~> 1.7'
+  spec.add_development_dependency 'simplecov', '~> 0.21.2'
+  spec.add_development_dependency 'simplecov-console', '~> 0.9.1'
+end

data/ext/asherah/checksums.yml

@@ -0,0 +1,5 @@
+version:                v0.4.11
+libasherah-arm64.so:    bc044b74453fc8fceca564fb127c9f2748aeac107791bd24c680ced1fcb7b816
+libasherah-x64.so:      82f10505ef11fba2c8e027668d9b5c89584f73eb1e53a9f5ff21d5705ecffb3a
+libasherah-arm64.dylib: 0b843d002212722c442c990d84e6ceac73c78e1663260be8c3f759a9a283b14a
+libasherah-x64.dylib:   fd0592ed4cdfbc7b3a2534b540c22301a9669c6c37dfb3d28f600ccc9ba975f8

data/ext/asherah/extconf.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require 'mkmf'
+create_makefile('asherah/asherah')
+
+require_relative 'native_file'
+NativeFile.download

data/ext/asherah/native_file.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'open-uri'
+require 'fileutils'
+require 'digest'
+require 'yaml'
+require 'cobhan'
+
+# Downloads native file and verifies checksum
+class NativeFile
+  LIB_NAME = 'libasherah'
+  ROOT_DIR = File.expand_path('../../', __dir__)
+  CHECKSUMS_FILE = File.expand_path('checksums.yml', __dir__)
+  CHECKSUMS = YAML.load_file(CHECKSUMS_FILE)
+  VERSION = CHECKSUMS.fetch('version')
+  RETRIES = 3
+  RETRY_DELAY = 1
+
+  class << self
+    def download
+      file_name = Class.new.extend(Cobhan).library_file_name(LIB_NAME)
+      lib_dir = File.join(ROOT_DIR, 'lib/asherah')
+      abort "#{lib_dir} does not exist" unless File.exist?(lib_dir)
+
+      native_dir = "#{lib_dir}/native"
+      FileUtils.mkdir_p(native_dir)
+
+      file_path = File.join(native_dir, file_name)
+      abort "#{file_path} already exists" if File.exist?(file_path)
+
+      checksum = CHECKSUMS.fetch(file_name) do
+        abort "Unsupported platform #{RUBY_PLATFORM}"
+      end
+
+      content = download_content(file_name)
+
+      sha256 = Digest::SHA256.hexdigest(content)
+      abort "Could not verify checksum of #{file_name}" if sha256 != checksum
+
+      File.binwrite(file_path, content)
+    end
+
+    private
+
+    def download_content(file_name)
+      tries = 0
+
+      begin
+        tries += 1
+        url = "https://github.com/godaddy/asherah-cobhan/releases/download/#{VERSION}/#{file_name}"
+        puts "Downloading #{url}"
+        URI.parse(url).open.read
+      rescue Net::OpenTimeout, Net::ReadTimeout => e
+        if tries <= RETRIES
+          puts "Got #{e.class}... retrying in #{RETRY_DELAY} seconds"
+          sleep RETRY_DELAY
+          retry
+        else
+          raise e
+        end
+      end
+    end
+  end
+end

data/lib/asherah/config.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module Asherah
+  # @attr [String] service_name, The name of this service
+  # @attr [String] product_id, The name of the product that owns this service
+  # @attr [String] kms, The master key management service (static or aws)
+  # @attr [String] metastore, The type of metastore for persisting keys (rdbms, dynamodb, memory)
+  # @attr [String] connection_string, The database connection string (required when metastore is rdbms)
+  # @attr [String] replica_read_consistency, For Aurora sessions using write forwarding (eventual, global, session)
+  # @attr [String] dynamo_db_endpoint, An optional endpoint URL (for dynamodb metastore)
+  # @attr [String] dynamo_db_region, The AWS region for DynamoDB requests (for dynamodb metastore)
+  # @attr [String] dynamo_db_table_name, The table name for DynamoDB (for dynamodb metastore)
+  # @attr [Boolean] enable_region_suffix, Configure the metastore to use regional suffixes (for dynamodb metastore)
+  # @attr [String] region_map, List of key-value pairs in the form of REGION1=ARN1[,REGION2=ARN2] (required for aws kms)
+  # @attr [String] preferred_region, The preferred AWS region (required for aws kms)
+  # @attr [Integer] session_cache_max_size, The maximum number of sessions to cache
+  # @attr [Integer] session_cache_duration, The amount of time in seconds a session will remain cached
+  # @attr [Integer] expire_after, The amount of time in seconds a key is considered valid
+  # @attr [Integer] check_interval, The amount of time in seconds before cached keys are considered stale
+  # @attr [Boolean] enable_session_caching, Enable shared session caching
+  # @attr [Boolean] verbose, Enable verbose logging output
+  class Config
+    MAPPING = {
+      service_name: :ServiceName,
+      product_id: :ProductID,
+      kms: :KMS,
+      metastore: :Metastore,
+      connection_string: :ConnectionString,
+      replica_read_consistency: :ReplicaReadConsistency,
+      dynamo_db_endpoint: :DynamoDBEndpoint,
+      dynamo_db_region: :DynamoDBRegion,
+      dynamo_db_table_name: :DynamoDBTableName,
+      enable_region_suffix: :EnableRegionSuffix,
+      region_map: :RegionMap,
+      preferred_region: :PreferredRegion,
+      session_cache_max_size: :SessionCacheMaxSize,
+      session_cache_duration: :SessionCacheDuration,
+      enable_session_caching: :EnableSessionCaching,
+      expire_after: :ExpireAfter,
+      check_interval: :CheckInterval,
+      verbose: :Verbose
+    }.freeze
+
+    KMS_TYPES = ['static', 'aws'].freeze
+    METASTORE_TYPES = ['rdbms', 'dynamodb', 'memory'].freeze
+
+    attr_accessor(*MAPPING.keys)
+
+    def validate!
+      validate_service_name
+      validate_product_id
+      validate_kms
+      validate_metastore
+      validate_kms_attributes
+    end
+
+    def to_json(*args)
+      config = {}.tap do |c|
+        MAPPING.each_pair do |our_key, their_key|
+          value = public_send(our_key)
+          c[their_key] = value unless value.nil?
+        end
+      end
+
+      JSON.generate(config, *args)
+    end
+
+    private
+
+    def validate_service_name
+      raise Error::ConfigError, 'config.service_name not set' if service_name.nil?
+    end
+
+    def validate_product_id
+      raise Error::ConfigError, 'config.product_id not set' if product_id.nil?
+    end
+
+    def validate_kms
+      raise Error::ConfigError, 'config.kms not set' if kms.nil?
+      unless KMS_TYPES.include?(kms)
+        raise Error::ConfigError, "config.kms must be one of these: #{KMS_TYPES.join(', ')}"
+      end
+    end
+
+    def validate_metastore
+      raise Error::ConfigError, 'config.metastore not set' if metastore.nil?
+      unless METASTORE_TYPES.include?(metastore)
+        raise Error::ConfigError, "config.metastore must be one of these: #{METASTORE_TYPES.join(', ')}"
+      end
+    end
+
+    def validate_kms_attributes
+      if kms == 'aws'
+        raise Error::ConfigError, 'config.region_map not set' if region_map.nil?
+        raise Error::ConfigError, 'config.region_map must be a Hash' unless region_map.is_a?(Hash)
+        raise Error::ConfigError, 'config.preferred_region not set' if preferred_region.nil?
+      end
+    end
+  end
+end

data/lib/asherah/error.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Asherah
+  # Asherah Error converts the error code to error message
+  module Error
+    ConfigError = Class.new(StandardError)
+    NotInitialized = Class.new(StandardError)
+    AlreadyInitialized = Class.new(StandardError)
+    GetSessionFailed = Class.new(StandardError)
+    EncryptFailed = Class.new(StandardError)
+    DecryptFailed = Class.new(StandardError)
+    BadConfig = Class.new(StandardError)
+
+    CODES = {
+      -100 => NotInitialized,
+      -101 => AlreadyInitialized,
+      -102 => GetSessionFailed,
+      -103 => EncryptFailed,
+      -104 => DecryptFailed,
+      -105 => BadConfig
+    }.freeze
+
+    def self.check_result!(result, message)
+      return unless result.negative?
+
+      error_class = Error::CODES.fetch(result, StandardError)
+      raise error_class, "#{message} (#{result})"
+    end
+  end
+end

data/lib/asherah/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Asherah
+  VERSION = '0.4.0'
+end

data/lib/asherah.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+require_relative 'asherah/version'
+require 'asherah/config'
+require 'asherah/error'
+require 'cobhan'
+
+# Asherah is a Ruby wrapper around Asherah Go application-layer encryption SDK.
+module Asherah
+  extend Cobhan
+
+  LIB_ROOT_PATH = File.expand_path('asherah/native', __dir__)
+  load_library(LIB_ROOT_PATH, 'libasherah', [
+    [:SetupJson, [:pointer], :int32],
+    [:EncryptToJson, [:pointer, :pointer, :pointer], :int32],
+    [:DecryptFromJson, [:pointer, :pointer, :pointer], :int32],
+    [:Shutdown, [], :void]
+  ].freeze)
+
+  ESTIMATED_ENCRYPTION_OVERHEAD = 48
+  ESTIMATED_ENVELOPE_OVERHEAD = 185
+  BASE64_OVERHEAD = 1.34
+
+  class << self
+    # Configures Asherah
+    #
+    # @yield [Config]
+    # @return [void]
+    def configure
+      config = Config.new
+      yield config
+      config.validate!
+      @intermediated_key_overhead_bytesize = config.product_id.bytesize + config.service_name.bytesize
+
+      config_buffer = string_to_cbuffer(config.to_json)
+
+      result = SetupJson(config_buffer)
+      Error.check_result!(result, 'SetupJson failed')
+    end
+
+    # Encrypts data for a given partition_id and returns DataRowRecord in JSON format.
+    #
+    # DataRowRecord contains the encrypted key and data, as well as the information
+    # required to decrypt the key encryption key. This object data should be stored
+    # in your data persistence as it's required to decrypt data.
+    #
+    # EnvelopeKeyRecord represents an encrypted key and is the data structure used
+    # to persist the key in the key table. It also contains the meta data
+    # of the key used to encrypt it.
+    #
+    # KeyMeta contains the `id` and `created` timestamp for an encryption key.
+    #
+    # @param partition_id [String]
+    # @param data [String]
+    # @return [String], DataRowRecord in JSON format
+    def encrypt(partition_id, data)
+      partition_id_buffer = string_to_cbuffer(partition_id)
+      data_buffer = string_to_cbuffer(data)
+      estimated_buffer_bytesize = estimate_buffer(data.bytesize, partition_id.bytesize)
+      output_buffer = allocate_cbuffer(estimated_buffer_bytesize)
+
+      result = EncryptToJson(partition_id_buffer, data_buffer, output_buffer)
+      Error.check_result!(result, 'EncryptToJson failed')
+
+      cbuffer_to_string(output_buffer)
+    ensure
+      [partition_id_buffer, data_buffer, output_buffer].map(&:free)
+    end
+
+    # Decrypts a DataRowRecord in JSON format for a partition_id and returns decrypted data.
+    #
+    # @param partition_id [String]
+    # @param json [String], DataRowRecord in JSON format
+    # @return [String], Decrypted data
+    def decrypt(partition_id, json)
+      partition_id_buffer = string_to_cbuffer(partition_id)
+      data_buffer = string_to_cbuffer(json)
+      output_buffer = allocate_cbuffer(json.bytesize)
+
+      result = DecryptFromJson(partition_id_buffer, data_buffer, output_buffer)
+      Error.check_result!(result, 'DecryptFromJson failed')
+
+      cbuffer_to_string(output_buffer)
+    ensure
+      [partition_id_buffer, data_buffer, output_buffer].map(&:free)
+    end
+
+    # Stop the Asherah instance
+    def shutdown
+      Shutdown()
+    end
+
+    private
+
+    def estimate_buffer(data_bytesize, partition_bytesize)
+      ESTIMATED_ENVELOPE_OVERHEAD +
+        @intermediated_key_overhead_bytesize +
+        partition_bytesize +
+        ((data_bytesize + ESTIMATED_ENCRYPTION_OVERHEAD) * BASE64_OVERHEAD)
+    end
+  end
+end

metadata

@@ -0,0 +1,153 @@
+--- !ruby/object:Gem::Specification
+name: asherah
+version: !ruby/object:Gem::Version
+  version: 0.4.0
+platform: ruby
+authors:
+- GoDaddy
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2022-03-25 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: cobhan
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+- !ruby/object:Gem::Dependency
+  name: dotenv
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.7.6
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.7.6
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.10.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.10.0
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.21.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.21.2
+- !ruby/object:Gem::Dependency
+  name: simplecov-console
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+description: |
+  Asherah is an application-layer encryption SDK that provides advanced
+  encryption features and defense in depth against compromise.
+email:
+- oss@godaddy.com
+executables: []
+extensions:
+- ext/asherah/extconf.rb
+extra_rdoc_files: []
+files:
+- ".rspec"
+- ".rubocop.yml"
+- ".ruby-version"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- SECURITY.md
+- asherah.gemspec
+- ext/asherah/checksums.yml
+- ext/asherah/extconf.rb
+- ext/asherah/native_file.rb
+- lib/asherah.rb
+- lib/asherah/config.rb
+- lib/asherah/error.rb
+- lib/asherah/version.rb
+homepage: https://github.com/godaddy/asherah-ruby
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/godaddy/asherah-ruby
+  source_code_uri: https://github.com/godaddy/asherah-ruby
+  changelog_uri: https://github.com/godaddy/asherah-ruby/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.7
+signing_key: 
+specification_version: 4
+summary: Application Layer Encryption SDK
+test_files: []