attr_keyring 0.6.0 → 0.6.1
- checksums.yaml +4 -4
- data/.github/FUNDING.yml +3 -0
- data/.github/dependabot.yml +15 -0
- data/.github/workflows/tests.yml +65 -0
- data/.rubocop.yml +4 -1
- data/README.md +23 -20
- data/Rakefile +1 -1
- data/attr_keyring.gemspec +3 -4
- data/gemfiles/{5_2.gemfile → 7_0.gemfile} +1 -1
- data/lib/attr_keyring/version.rb +1 -1
- data/lib/attr_keyring.rb +1 -3
- data/lib/keyring/encryptor/aes.rb +1 -1
- data/lib/keyring/key.rb +2 -2
- metadata +11 -9
- data/.travis.yml +0 -25
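--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d02280da9cb28259980ea283b6030672957657ead8b895594176eef09d78382b
+data.tar.gz: 88ddda0bb1d9a85869246e46ab49a8f4889bc0c398d616be9dd162eec239a177
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6a3108027fac7dbfee097e7afa3227f58f33560e540f19bc0f0b63cb4e482e8315ffafdbd4360bc31724426c9150109c6b9e46e9ecdf70526ca13cb34a8bee93
+data.tar.gz: 16a5ca41d03b434dbf2eb4a5751af6595e7d00c93867159c3990a3e1d0a104d170dfd434580eff0420b1b966afe0877ec70362c6d66cad34e89e0f5fed8867d4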
data/.github/FUNDING.yml
ADDED
@@ -0,0 +1,15 @@
|
|
1
|
+
---
|
2
|
+
# Documentation:
|
3
|
+
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
|
4
|
+
|
5
|
+
version: 2
|
6
|
+
updates:
|
7
|
+
- package-ecosystem: "github-actions"
|
8
|
+
directory: "/"
|
9
|
+
schedule:
|
10
|
+
interval: "daily"
|
11
|
+
|
12
|
+
- package-ecosystem: bundler
|
13
|
+
directory: "/"
|
14
|
+
schedule:
|
15
|
+
interval: "daily"
|
@@ -0,0 +1,65 @@
|
|
1
|
+
---
|
2
|
+
name: Tests
|
3
|
+
|
4
|
+
on:
|
5
|
+
pull_request:
|
6
|
+
push:
|
7
|
+
|
8
|
+
jobs:
|
9
|
+
build:
|
10
|
+
name: Tests with Ruby ${{ matrix.ruby }} with ${{ matrix.gemfile }}
|
11
|
+
runs-on: "ubuntu-latest"
|
12
|
+
strategy:
|
13
|
+
fail-fast: false
|
14
|
+
matrix:
|
15
|
+
ruby: ["2.7", "3.0"]
|
16
|
+
gemfile:
|
17
|
+
- gemfiles/7_0.gemfile
|
18
|
+
- gemfiles/6_0.gemfile
|
19
|
+
|
20
|
+
services:
|
21
|
+
postgres:
|
22
|
+
image: postgres:11.5
|
23
|
+
ports: ["5432:5432"]
|
24
|
+
options:
|
25
|
+
--health-cmd pg_isready --health-interval 10s --health-timeout 5s
|
26
|
+
--health-retries 5
|
27
|
+
|
28
|
+
steps:
|
29
|
+
- uses: actions/checkout@v1
|
30
|
+
|
31
|
+
- uses: actions/cache@v2
|
32
|
+
with:
|
33
|
+
path: vendor/bundle
|
34
|
+
key: >
|
35
|
+
${{ runner.os }}-${{ matrix.ruby }}-gems-${{
|
36
|
+
hashFiles('**/attr_keyring.gemspec') }}
|
37
|
+
restore-keys: >
|
38
|
+
${{ runner.os }}-${{ matrix.ruby }}-gems-${{
|
39
|
+
hashFiles('**/attr_keyring.gemspec') }}
|
40
|
+
|
41
|
+
- name: Set up Ruby
|
42
|
+
uses: ruby/setup-ruby@v1
|
43
|
+
with:
|
44
|
+
ruby-version: ${{ matrix.ruby }}
|
45
|
+
|
46
|
+
- name: Install PostgreSQL 11 client
|
47
|
+
run: |
|
48
|
+
sudo apt-get -yqq install libpq-dev
|
49
|
+
|
50
|
+
- name: Install gem dependencies
|
51
|
+
env:
|
52
|
+
BUNDLE_GEMFILE: ${{ matrix.gemfile }}
|
53
|
+
run: |
|
54
|
+
gem install bundler
|
55
|
+
bundle config path vendor/bundle
|
56
|
+
bundle update --jobs 4 --retry 3
|
57
|
+
|
58
|
+
- name: Run Tests
|
59
|
+
env:
|
60
|
+
PGHOST: localhost
|
61
|
+
PGUSER: postgres
|
62
|
+
BUNDLE_GEMFILE: ${{ matrix.gemfile }}
|
63
|
+
run: |
|
64
|
+
psql -U postgres -c "create database test"
|
65
|
+
bundle exec rake
|
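Review bot: The workflow added in the `@@ -0,0 +1,65 @@` hunk references every action by a mutable tag (`actions/checkout@v1`, `actions/cache@v2`, `ruby/setup-ruby@v1`) and declares no `permissions:` block, so each run executes whatever those tags point to at the time, with the repository's default token scope. For a gem that handles encryption keys I would pin each reference to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha>  # v1`, and let the `github-actions` Dependabot entry from the preceding hunk keep the pins current. I would also add a top-level `permissions:` mapping containing only `contents: read`, since the job only checks out and tests. This hunk is printed under the `data/.github/FUNDING.yml` heading on this page, but its 65 added lines appear to be `data/.github/workflows/tests.yml` from the file list.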
data/.rubocop.yml
CHANGED
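--- a/data/README.md
+++ b/data/README.md
@@ -1,19 +1,21 @@
-![attr_keyring: Simple encryption-at-rest with key rotation support for Ruby.](https://raw.githubusercontent.com/fnando/attr_keyring/
+![attr_keyring: Simple encryption-at-rest with key rotation support for Ruby.](https://raw.githubusercontent.com/fnando/attr_keyring/main/attr_keyring.png)
 
 <p align="center">
-<a href="https://
+<a href="https://github.com/fnando/attr_keyring/actions?query=workflow%3ATests"><img src="https://github.com/fnando/attr_keyring/workflows/Tests/badge.svg" alt="Tests"></a>
 <a href="https://codeclimate.com/github/fnando/attr_keyring"><img src="https://codeclimate.com/github/fnando/attr_keyring/badges/gpa.svg" alt="Code Climate"></a>
-<a href="https://codeclimate.com/github/fnando/attr_keyring/coverage"><img src="https://codeclimate.com/github/fnando/attr_keyring/badges/coverage.svg" alt="Test Coverage"></a>
 <a href="https://rubygems.org/gems/attr_keyring"><img src="https://img.shields.io/gem/v/attr_keyring.svg" alt="Gem"></a>
 <a href="https://rubygems.org/gems/attr_keyring"><img src="https://img.shields.io/gem/dt/attr_keyring.svg" alt="Gem"></a>
 </p>
 
-N.B.: attr_keyring is
+N.B.: attr_keyring is not for encrypting passwords--for that, you should use
+something like [bcrypt](https://github.com/codahale/bcrypt-ruby). It's meant for
+encrypting sensitive data you will need to access in plain text (e.g. storing
+OAuth token from users). Passwords do not fall in that category.
 
 This library is heavily inspired by
 [attr_vault](https://github.com/uhoh-itsmaciek/attr_vault), and can read
-encrypted messages if you encode them in base64
-
+encrypted messages if you encode them in base64 (e.g.
+`Base64.strict_encode64(encrypted_by_attr_vault)`).
 
 ## Installation
 
@@ -67,7 +69,7 @@ example uses `AES-256-CBC`.
 ```ruby
 keyring = Keyring.new(
 "1" => "uDiMcWVNTuz//naQ88sOcN+E40CyBRGzGTT7OkoBS6M=",
-encryptor: Keyring::Encryptor::AES256CBC,
+encryptor: Keyring::Encryptor::AES::AES256CBC,
 digest_salt: "<custom salt>"
 )
 ```
@@ -179,11 +181,12 @@ contradictory that something has to be unpredictable and unique, but does not
 have to be secret; it is important to remember that an attacker must not be able
 to predict ahead of time what a given IV will be.
 
-With that in mind, _attr_keyring_ uses
-message) + unencrypted iv + encrypted message)`
-planning to migrate from other encryption
-from the database without using
-
+With that in mind, _attr_keyring_ uses
+`base64(hmac(unencrypted iv + encrypted message) + unencrypted iv + encrypted message)`
+as the final message. If you're planning to migrate from other encryption
+mechanisms or read encrypted values from the database without using
+_attr_keyring_, make sure you account for this. The HMAC is 32-bytes long and
+the IV is 16-bytes long.
 
 ### Keyring
 
@@ -204,13 +207,14 @@ encryption key.
 
 #### Dynamically loading keyring
 
-If you're using Rails 5.2+, you can use credentials to define your keyring.
-
+If you're using Rails 5.2+, you can use credentials to define your keyring. Your
+`credentials.yml` must be define like the following:
 
 ```yaml
+---
 user_keyring:
-1: "QSXyoiRDPoJmfkJUZ4hJeQ=="
-2: "r6AfOeilPDJomFsiOXLdfQ=="
+"1": "QSXyoiRDPoJmfkJUZ4hJeQ=="
+"2": "r6AfOeilPDJomFsiOXLdfQ=="
 ```
 
 Then you can setup your model by using
@@ -330,12 +334,11 @@ The gem is available as open source under the terms of the
 
 ## Icon
 
-Icon made by [Icongeek26](https://www.flaticon.com/authors/icongeek26)
-
-3.0.
+Icon made by [Icongeek26](https://www.flaticon.com/authors/icongeek26) from
+[Flaticon](https://www.flaticon.com/) is licensed by Creative Commons BY 3.0.
 
 ## Code of Conduct
 
 Everyone interacting in the attr_keyring project’s codebases, issue trackers,
 chat rooms and mailing lists is expected to follow the
-[code of conduct](https://github.com/fnando/attr_keyring/blob/
+[code of conduct](https://github.com/fnando/attr_keyring/blob/main/CODE_OF_CONDUCT.md).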
data/Rakefile
CHANGED
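--- a/data/attr_keyring.gemspec
+++ b/data/attr_keyring.gemspec
@@ -12,15 +12,14 @@ Gem::Specification.new do |spec|
 spec.description = spec.summary
 spec.homepage = "https://github.com/fnando/attr_keyring"
 spec.license = "MIT"
+spec.required_ruby_version = Gem::Requirement.new(">= 2.5.0")
 
-
-# The `git ls-files -z` loads the files in the RubyGem that have been added
-# into git.
-spec.files = Dir.chdir(File.expand_path(__dir__)) do
+spec.files = Dir.chdir(File.expand_path(__dir__)) do
 `git ls-files -z`
 .split("\x0")
 .reject {|f| f.match(%r{^(test|spec|features)/}) }
 end
+
 spec.bindir = "exe"
 spec.executables = spec.files.grep(%r{^exe/}) {|f| File.basename(f) }
 spec.require_paths = ["lib"]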
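Review bot: The new `spec.required_ruby_version` admits Ruby 2.5 and 2.6, but the test matrix added in this same release lists only `ruby: ["2.7", "3.0"]`, so the declared floor is never exercised by CI. Either add the older interpreters to the matrix or raise the requirement to the oldest version the workflow runs, e.g. `spec.required_ruby_version = Gem::Requirement.new(">= 2.7.0")`. The `Gem::Specification.new` block begins and ends outside this hunk.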
data/lib/attr_keyring/version.rb
CHANGED
data/lib/attr_keyring.rb
CHANGED
@@ -20,9 +20,7 @@ module AttrKeyring
|
|
20
20
|
include InstanceMethods
|
21
21
|
|
22
22
|
class << self
|
23
|
-
attr_accessor :encrypted_attributes
|
24
|
-
attr_accessor :keyring
|
25
|
-
attr_accessor :keyring_column_name
|
23
|
+
attr_accessor :encrypted_attributes, :keyring, :keyring_column_name
|
26
24
|
end
|
27
25
|
|
28
26
|
self.encrypted_attributes = []
|
@@ -38,7 +38,7 @@ module Keyring
|
|
38
38
|
expected_hmac = hmac_digest(key.signing_key, encrypted_payload)
|
39
39
|
|
40
40
|
unless verify_signature(expected_hmac, hmac)
|
41
|
-
raise InvalidAuthentication, "Expected HMAC to be #{Base64.strict_encode64(expected_hmac)}; got #{Base64.strict_encode64(hmac)} instead" # rubocop:disable
|
41
|
+
raise InvalidAuthentication, "Expected HMAC to be #{Base64.strict_encode64(expected_hmac)}; got #{Base64.strict_encode64(hmac)} instead" # rubocop:disable Layout/LineLength
|
42
42
|
end
|
43
43
|
|
44
44
|
cipher.iv = iv
|
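Review bot: The `InvalidAuthentication` message in the `@@ -38,7 +38,7 @@ module Keyring` hunk embeds `Base64.strict_encode64(expected_hmac)`, the tag computed with `key.signing_key` over the payload being verified, so wherever that message is logged or surfaced to a caller it discloses the value the check relies on staying unknown. This commit only completes the `rubocop:disable Layout/LineLength` directive and leaves the message as it was. I would drop both digests from the text, e.g. `raise InvalidAuthentication, "HMAC verification failed"`, which also removes the need for the line-length exemption. The hunk is printed under the `data/lib/attr_keyring.rb` heading on this page but appears to belong to `data/lib/keyring/encryptor/aes.rb`, and the enclosing method begins and ends outside it.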
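--- a/data/lib/keyring/key.rb
+++ b/data/lib/keyring/key.rb
@@ -5,7 +5,7 @@ module Keyring
 attr_reader :id, :signing_key, :encryption_key
 
 def initialize(id, key, key_size)
-@id = Integer(id)
+@id = Integer(id.to_s)
 @key_size = key_size
 @encryption_key, @signing_key = parse_key(key)
 end
@@ -20,7 +20,7 @@ module Keyring
 secret = decode_key(key, expected_key_size)
 
 unless secret.bytesize == expected_key_size
-raise InvalidSecret, "Secret must be #{expected_key_size} bytes, instead got #{secret.bytesize}" # rubocop:disable
+raise InvalidSecret, "Secret must be #{expected_key_size} bytes, instead got #{secret.bytesize}" # rubocop:disable Layout/LineLength
 end
 
 signing_key = secret[0...@key_size]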
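Review bot: `Integer(id.to_s)` in `initialize` now always parses a string, and `Integer` on a string honours radix prefixes, so a key id written as `"010"` or `"0x10"` is stored as 8 or 16 instead of being read as decimal or rejected. The key id selects which key decrypts a record, so I would pin the base: `@id = Integer(id.to_s, 10)`. The second hunk only completes a RuboCop directive and needs no change.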
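--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: attr_keyring
 version: !ruby/object:Gem::Version
-version: 0.6.
+version: 0.6.1
 platform: ruby
 authors:
 - Nando Vieira
-autorequire:
+autorequire:
 bindir: exe
 cert_chain: []
-date:
+date: 2021-12-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activerecord
@@ -185,9 +185,11 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/FUNDING.yml"
+- ".github/dependabot.yml"
+- ".github/workflows/tests.yml"
 - ".gitignore"
 - ".rubocop.yml"
-- ".travis.yml"
 - CODE_OF_CONDUCT.md
 - Gemfile
 - LICENSE.txt
@@ -201,8 +203,8 @@ files:
 - examples/active_record_sample.rb
 - examples/keyring_sample.rb
 - examples/sequel_sample.rb
-- gemfiles/5_2.gemfile
 - gemfiles/6_0.gemfile
+- gemfiles/7_0.gemfile
 - lib/attr_keyring.rb
 - lib/attr_keyring/active_record.rb
 - lib/attr_keyring/sequel.rb
@@ -214,7 +216,7 @@ homepage: https://github.com/fnando/attr_keyring
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -222,15 +224,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version:
+version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
-signing_key:
+rubygems_version: 3.2.32
+signing_key:
 specification_version: 4
 summary: Simple encryption-at-rest plugin for ActiveRecord.
 test_files: []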
data/.travis.yml
DELETED
@@ -1,25 +0,0 @@
|
|
1
|
-
---
|
2
|
-
|
3
|
-
language: ruby
|
4
|
-
cache: bundler
|
5
|
-
sudo: false
|
6
|
-
notifications:
|
7
|
-
email: false
|
8
|
-
rvm:
|
9
|
-
- 2.6.5
|
10
|
-
- 2.5.7
|
11
|
-
services:
|
12
|
-
- postgresql
|
13
|
-
gemfiles:
|
14
|
-
- gemfiles/6_0.gemfile
|
15
|
-
- gemfiles/5_2.gemfile
|
16
|
-
before_script:
|
17
|
-
- createdb test
|
18
|
-
- curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
|
19
|
-
- chmod +x ./cc-test-reporter
|
20
|
-
- "./cc-test-reporter before-build"
|
21
|
-
after_script:
|
22
|
-
- "./cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT"
|
23
|
-
env:
|
24
|
-
global:
|
25
|
-
secure: 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
|