attr_vault 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 93ec67ae603b025fd34c27c9b769cdfd6d6814c8
+  data.tar.gz: 3c7af4318feb415e45dba7cb176612ba9db59c28
+SHA512:
+  metadata.gz: a77d9447d153c91af3f033e4dce072eaa08e5189d150cf2cde0715592493fafc899020e6299c0c0f7e70042a8906ceb6b77c9855dba9ce43d4a7924aab7f5fe2
+  data.tar.gz: a9ae10282b3f5a21ecce80f2a70602995fb13ccce26c7fb7c758446f2b54069ed108f1619f6bdb8f6e30b76e16ab69386141848b5906a89aeee7e34c13ec87b9

data/Gemfile

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+
+ruby '2.1.2'
+
+# Specify your gem's dependencies in attr_vault.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,36 @@
+PATH
+  remote: .
+  specs:
+    attr_vault (0.0.1)
+      fernet (~> 2.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    diff-lcs (1.2.5)
+    fernet (2.1)
+      valcro (= 0.1)
+    pg (0.17.1)
+    rspec (3.1.0)
+      rspec-core (~> 3.1.0)
+      rspec-expectations (~> 3.1.0)
+      rspec-mocks (~> 3.1.0)
+    rspec-core (3.1.7)
+      rspec-support (~> 3.1.0)
+    rspec-expectations (3.1.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.1.0)
+    rspec-mocks (3.1.3)
+      rspec-support (~> 3.1.0)
+    rspec-support (3.1.2)
+    sequel (4.13.0)
+    valcro (0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  attr_vault!
+  pg
+  rspec (~> 3.0)
+  sequel (~> 4.13.0)

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Maciek Sakrejda
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/attr_vault.gemspec

@@ -0,0 +1,23 @@
+require File.expand_path('../lib/attr_vault/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Maciek Sakrejda"]
+  gem.email         = ["m.sakrejda@gmail.com"]
+  gem.description   = %q{Encryption at rest made easy}
+  gem.summary       = %q{Sequel plugin for encryption at rest}
+  gem.homepage      = "https://github.com/deafbybeheading/attr_vault"
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "attr_vault"
+  gem.require_paths = ["lib"]
+  gem.version       = AttrVault::VERSION
+  gem.license       = "MIT"
+
+  gem.add_runtime_dependency 'fernet', '~> 2.1'
+
+  gem.add_development_dependency "rspec", '~> 3.0'
+  gem.add_development_dependency "pg", '~> 0'
+  gem.add_development_dependency "sequel", '~> 4.13'
+end

data/lib/attr_vault/cryptor.rb

@@ -0,0 +1,57 @@
+module AttrVault
+  module Cryptor
+    def self.encrypt(value, key)
+      return [nil, nil] if value.nil?
+      return ['', ''] if value.empty?
+
+      secret = AttrVault::Secret.new(key)
+
+      encrypted_message, iv = Encryption.encrypt(
+        key:     secret.encryption_key,
+        message: value
+      )
+
+      encrypted_payload = iv + encrypted_message
+      mac = OpenSSL::HMAC.digest('sha256', secret.signing_key, encrypted_payload)
+      [ encrypted_payload, mac ]
+    end
+
+    def self.decrypt(encrypted_payload, hmac, key)
+      return nil if encrypted_payload.nil? && hmac.nil?
+      return '' if encrypted_payload.empty? && hmac.empty?
+
+      secret = AttrVault::Secret.new(key)
+
+      expected_hmac = Encryption.hmac_digest(secret.signing_key, encrypted_payload)
+      unless verify_signature(expected_hmac, hmac)
+        raise InvalidCiphertext, "Expected hmac #{expected_hmac} for this value; got #{hmac}"
+      end
+
+      iv, encrypted_message = encrypted_payload[0..16], encrypted_payload[16..-1]
+
+      block_size = Encryption::AES_BLOCK_SIZE
+      unless (encrypted_message.size % block_size).zero?
+        raise InvalidCiphertext,
+          "Expected message size to be multiple of #{block_size}; got #{encrypted_message.size}"
+      end
+
+      begin
+        Encryption.decrypt(key: secret.encryption_key,
+                           ciphertext: encrypted_message,
+                           iv: iv)
+      rescue OpenSSL::Cipher::CipherError
+        raise InvalidCiphertext, "Could not decrypt field"
+      end
+    end
+
+    private
+
+    def self.verify_signature(expected, actual)
+      expected_bytes = expected.bytes.to_a
+      actual_bytes = actual.bytes.to_a
+      actual_bytes.inject(0) do |accum, byte|
+        accum |= byte ^ expected_bytes.shift
+      end.zero?
+    end
+  end
+end

data/lib/attr_vault/encryption.rb

@@ -0,0 +1,70 @@
+require 'openssl'
+
+module AttrVault
+  # borrowed wholesale from Fernet
+
+  # Internal: Encapsulates encryption and signing primitives
+  module Encryption
+    AES_BLOCK_SIZE  = 16.freeze
+
+    # Internal: Encrypts the provided message using a AES-128-CBC cipher with a
+    #   random IV and the provided encryption key
+    #
+    # Arguments:
+    #
+    # * message - the message to encrypt
+    # * key     - the encryption key
+    # * iv      - override for the random IV, only used for testing
+    #
+    # Examples
+    #
+    #   ciphertext, iv = AttrVault::Encryption.encrypt(
+    #     message: 'this is a secret', key: encryption_key
+    #   )
+    #
+    # Returns a two-element array containing the ciphertext and the random IV
+    def self.encrypt(key:, message:, iv: nil)
+      cipher = OpenSSL::Cipher.new('AES-128-CBC')
+      cipher.encrypt
+      iv ||= cipher.random_iv
+      cipher.iv  = iv
+      cipher.key = key
+      [cipher.update(message) + cipher.final, iv]
+    end
+
+    # Internal: Decrypts the provided ciphertext using a AES-128-CBC cipher with a
+    #   the provided IV and encryption key
+    #
+    # Arguments:
+    #
+    # * ciphertext - encrypted message
+    # * key        - encryption key used to encrypt the message
+    # * iv         - initialization vector used in the ciphertext's cipher
+    #
+    # Examples
+    #
+    #   ciphertext, iv = AttrVault::Encryption.encrypt(
+    #     message: 'this is a secret', key: encryption_key
+    #   )
+    #
+    # Returns a two-element array containing the ciphertext and the random IV
+    def self.decrypt(key:, ciphertext:, iv:)
+      decipher = OpenSSL::Cipher.new('AES-128-CBC')
+      decipher.decrypt
+      decipher.iv  = iv
+      decipher.key = key
+      decipher.update(ciphertext) + decipher.final
+    end
+
+    # Internal: Creates an HMAC signature (sha256 hashing) of the given bytes
+    #   with the provided signing key
+    #
+    # key   - the signing key
+    # bytes - blob of bytes to sign
+    #
+    # Returns the HMAC signature as a string
+    def self.hmac_digest(key, bytes)
+      OpenSSL::HMAC.digest('sha256', key, bytes)
+    end
+  end
+end

data/lib/attr_vault/errors.rb

@@ -0,0 +1,22 @@
+module AttrVault
+  # Base class for AttrVault errors
+  class Error < StandardError; end
+  class InvalidSecret < AttrVault::Error; end
+  class InvalidKey < AttrVault::Error; end
+  class InvalidKeyring < AttrVault::Error; end
+  class KeyringEmpty < AttrVault::Error; end
+  class UnknownKey < AttrVault::Error
+    def initialize(key_id)
+      @key_id = key_id
+    end
+    def message
+      formatted_id = if @key_id.nil?
+                       '<nil>'
+                     else
+                       @key_id
+                     end
+      "No key with id #{formatted_id} found in keyring"
+    end
+  end
+  class InvalidCiphertext < AttrVault::Error; end
+end

data/lib/attr_vault/keyring.rb

@@ -0,0 +1,85 @@
+module AttrVault
+  class Key
+    attr_reader :id, :value, :created_at
+
+    def initialize(id, value, created_at)
+      if id.nil?
+        raise InvalidKey, "key id required"
+      end
+      if value.nil?
+        raise InvalidKey, "key value required"
+      end
+      if created_at.nil?
+        raise InvalidKey, "key created_at required"
+      end
+
+      @id = id
+      @value = value
+      @created_at = created_at
+    end
+
+    def to_json(*args)
+      { id: id, value: value, created_at: created_at }.to_json
+    end
+  end
+
+  class Keyring
+    attr_reader :keys
+
+    def self.load(keyring_data)
+      keyring = Keyring.new
+      begin
+        candidate_keys = JSON.parse(keyring_data)
+        unless candidate_keys.respond_to? :each
+          raise InvalidKeyring, "does not respond to each"
+        end
+        candidate_keys.each_with_index do |k|
+          created_at = unless k["created_at"].nil?
+                         Time.parse(k["created_at"])
+                       end
+          keyring.add_key(Key.new(k["id"], k["value"], created_at || Time.now))
+        end
+      rescue StandardError => e
+        raise InvalidKeyring, e.message
+      end
+      keyring
+    end
+
+    def initialize
+      @keys = []
+    end
+
+    def add_key(k)
+      @keys << k
+    end
+
+    def drop_key(id_or_key)
+      id = if id_or_key.is_a? Key
+             id_or_key.id
+           else
+             id_or_key
+           end
+      @keys.reject! { |k| k.id == id }
+    end
+
+    def fetch(id)
+      @keys.find { |k| k.id == id } or raise UnknownKey, id
+    end
+
+    def has_key?(id)
+      !@keys.find { |k| k.id == id }.nil?
+    end
+
+    def current_key
+      k = @keys.sort_by(&:created_at).last
+      if k.nil?
+        raise KeyringEmpty, "No keys in keyring"
+      end
+      k
+    end
+
+    def to_json
+      @keys.to_json
+    end
+  end
+end

data/lib/attr_vault/secret.rb

@@ -0,0 +1,48 @@
+require 'base64'
+
+module AttrVault
+  # borrowed wholesale from Fernet
+
+  # Internal: Encapsulates a secret key, a 32-byte sequence consisting
+  #   of an encryption and a signing key.
+  class Secret
+    # Internal - Initialize a Secret
+    #
+    # secret - the secret, optionally encoded with either standard or
+    #          URL safe variants of Base64 encoding
+    #
+    # Raises AttrVault::Secret::InvalidSecret if it cannot be decoded or is
+    #   not of the expected length
+    def initialize(secret)
+      if secret.bytesize == 32
+        @secret = secret
+      else
+        begin
+          @secret = Base64.urlsafe_decode64(secret)
+        rescue ArgumentError
+          @secret = Base64.decode64(secret)
+        end
+        unless @secret.bytesize == 32
+          raise InvalidSecret,
+            "Secret must be 32 bytes, instead got #{@secret.bytesize}"
+        end
+      end
+    end
+
+    # Internal: Returns the portion of the secret token used for encryption
+    def encryption_key
+      @secret.slice(16, 16)
+    end
+
+    # Internal: Returns the portion of the secret token used for signing
+    def signing_key
+      @secret.slice(0, 16)
+    end
+
+    # Public: String representation of this secret, masks to avoid leaks.
+    def to_s
+      "<AttrVault::Secret [masked]>"
+    end
+    alias to_s inspect
+  end
+end

data/lib/attr_vault/version.rb

@@ -0,0 +1,3 @@
+module AttrVault
+  VERSION = "0.0.1"
+end

data/lib/attr_vault.rb

@@ -0,0 +1,129 @@
+require 'attr_vault/errors'
+require 'attr_vault/keyring'
+require 'attr_vault/secret'
+require 'attr_vault/encryption'
+require 'attr_vault/cryptor'
+
+module AttrVault
+  def self.included(base)
+    base.extend(ClassMethods)
+    base.include(InstanceMethods)
+  end
+
+  module InstanceMethods
+    def before_save
+      keyring = self.class.vault_keys
+      current_key = keyring.current_key
+      key_id = self[self.class.vault_key_field]
+      record_key = self.class.vault_keys.fetch(key_id) unless key_id.nil?
+
+      @vault_dirty_attrs ||= {}
+      if !record_key.nil? && current_key != record_key
+        # If the record key is not nil and not current, flag *all*
+        # attrs as dirty, since we want to rewrite them all in order
+        # to use the latest key. Note that when the record key is nil,
+        # we're dealing with a new record, so there are no existing
+        # vault attributes to rewrite. We only write these out when
+        # they're set explicitly in a new record, in which case they
+        # will be in the dirty attrs already and are handled below.
+        self.class.vault_attrs.each do |attr|
+          next if @vault_dirty_attrs.has_key? attr.name
+          @vault_dirty_attrs[attr.name] = self.send(attr.name)
+        end
+      end
+      # If any attr has plaintext_source_field and the plaintext field
+      # has a value set, flag the attr as dirty using the plaintext
+      # source value, then nil out the plaintext field.
+      self.class.vault_attrs.reject { |attr| attr.plaintext_source_field.nil? }.each do |attr|
+        unless self[attr.plaintext_source_field].nil?
+          @vault_dirty_attrs[attr.name] = self[attr.plaintext_source_field]
+          self[attr.plaintext_source_field] = nil
+        end
+      end
+      self.class.vault_attrs.each do |attr|
+        next unless @vault_dirty_attrs.has_key? attr.name
+
+        value = @vault_dirty_attrs[attr.name]
+        encrypted, hmac = Cryptor.encrypt(value, current_key.value)
+
+        unless encrypted.nil?
+          encrypted = Sequel.blob(encrypted)
+        end
+        unless hmac.nil?
+          hmac = Sequel.blob(hmac)
+        end
+
+        self[attr.encrypted_field] = encrypted
+        self[attr.hmac_field] = hmac
+      end
+      self[self.class.vault_key_field] = current_key.id
+      @vault_dirty_attrs = {}
+      super
+    end
+  end
+
+  module ClassMethods
+    def vault_keyring(keyring_data, key_field: :key_id)
+      @key_field = key_field.to_sym
+      @keyring = Keyring.load(keyring_data)
+    end
+
+    def vault_attr(name, opts={})
+      attr = VaultAttr.new(name, opts)
+      self.vault_attrs << attr
+
+      define_method(name) do
+        # if there is a plaintext source field, use that and ignore
+        # the encrypted field
+        if !attr.plaintext_source_field.nil? && !self[attr.plaintext_source_field].nil?
+          return self[attr.plaintext_source_field]
+        end
+
+        keyring = self.class.vault_keys
+        key_id = self[self.class.vault_key_field]
+        record_key = self.class.vault_keys.fetch(key_id)
+
+        encrypted_value = self[attr.encrypted_field]
+        hmac =  self[attr.hmac_field]
+        # TODO: cache decrypted value
+        Cryptor.decrypt(encrypted_value, hmac, record_key.value)
+      end
+
+      define_method("#{name}=") do |value|
+        @vault_dirty_attrs ||= {}
+        @vault_dirty_attrs[name] = value
+        # ensure that Sequel knows that this is in fact dirty and must
+        # be updated--otherwise, the object is never saved,
+        # #before_save is never called, and we never store the update
+        self.modified! attr.encrypted_field
+        self.modified! attr.hmac_field
+      end
+    end
+
+    def vault_attrs
+      @vault_attrs ||= []
+    end
+
+    def vault_key_field
+      @key_field
+    end
+
+    def vault_keys
+      @keyring
+    end
+  end
+
+  class VaultAttr
+    attr_reader :name, :encrypted_field, :hmac_field, :plaintext_source_field
+
+    def initialize(name,
+                   encrypted_field: "#{name}_encrypted",
+                   hmac_field: "#{name}_hmac",
+                   plaintext_source_field: nil)
+      @name = name
+      @encrypted_field = encrypted_field.to_sym
+      @hmac_field = hmac_field.to_sym
+      @plaintext_source_field = plaintext_source_field.to_sym unless plaintext_source_field.nil?
+    end
+  end
+end

data/spec/attr_vault/keyring_spec.rb

@@ -0,0 +1,184 @@
+require "spec_helper"
+require "json"
+
+module AttrVault
+  describe Keyring do
+
+    describe ".load" do
+      let(:key_data) {
+        [
+         { id: SecureRandom.uuid, value: SecureRandom.base64(32), created_at: Time.now },
+         { id: SecureRandom.uuid, value: SecureRandom.base64(32), created_at: Time.now }
+        ]
+      }
+
+      it "loads a valid keyring string" do
+        keyring = Keyring.load(key_data.to_json)
+        expect(keyring).to be_a Keyring
+        expect(keyring.keys.count).to eq 2
+        (0..1).each do |i|
+          expect(keyring.keys[i].id).to eq key_data[i][:id]
+          expect(keyring.keys[i].value).to eq key_data[i][:value]
+          expect(keyring.keys[i].created_at).to be_within(60).of(key_data[i][:created_at])
+        end
+      end
+
+      it "rejects unexpected JSON" do
+        expect { Keyring.load('hello') }.to raise_error(InvalidKeyring)
+      end
+
+      it "rejects unknown formats" do
+        keys = key_data.map do |k|
+          "<key id='#{k[:id]}' value='#{k[:value]}' created_at='#{k[:created_at]}'/>"
+        end
+        expect { Keyring.load("<keys>#{keys}</keys>") }.to raise_error(InvalidKeyring)
+      end
+
+      it "rejects keys with missing ids" do
+        key_data[0].delete :id
+        expect { Keyring.load(key_data) }.to raise_error(InvalidKeyring)
+      end
+
+      it "rejects keys with missing values" do
+        key_data[0].delete :value
+        expect { Keyring.load(key_data) }.to raise_error(InvalidKeyring)
+      end
+    end
+  end
+
+  describe "#keys" do
+    let(:keyring) { Keyring.new }
+    let(:k1)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+    let(:k2)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+
+    before do
+      keyring.add_key(k1)
+      keyring.add_key(k2)
+    end
+
+    it "lists all keys" do
+      expect(keyring.keys).to include(k1)
+      expect(keyring.keys).to include(k2)
+    end
+  end
+
+  describe "#fetch" do
+    let(:keyring) { Keyring.new }
+    let(:k1)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+    let(:k2)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+
+    before do
+      keyring.add_key(k1)
+      keyring.add_key(k2)
+    end
+
+    it "finds the right key by its id" do
+      expect(keyring.fetch(k1.id)).to be k1
+      expect(keyring.fetch(k2.id)).to be k2
+    end
+
+    it "raises for an unknown id" do
+      expect { keyring.fetch('867344d2-ac73-493b-9a9e-5fa688ba25ef') }
+        .to raise_error(UnknownKey)
+    end
+  end
+
+  describe "#has_key?" do
+    let(:keyring) { Keyring.new }
+    let(:k1)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+    let(:k2)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+
+    before do
+      keyring.add_key(k1)
+      keyring.add_key(k2)
+    end
+
+    it "is true if the keyring has a key with the given id" do
+      expect(keyring.has_key?(k1.id)).to be true
+      expect(keyring.has_key?(k2.id)).to be true
+    end
+
+    it "is false if no such key is present" do
+      expect(keyring.has_key?('867344d2-ac73-493b-9a9e-5fa688ba25ef')).to be false
+    end
+  end
+
+  describe "#add_key" do
+    let(:keyring) { Keyring.new }
+    let(:k1)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+
+    it "adds keys" do
+      expect(keyring.keys).to be_empty
+      expect { keyring.add_key(k1) }.to change { keyring.keys.count }.by 1
+      expect(keyring.keys[0]).to be k1
+    end
+  end
+
+  describe "#drop_key" do
+    let(:keyring) { Keyring.new }
+    let(:k1)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+    let(:k2)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+
+    before do
+      keyring.add_key(k1)
+      keyring.add_key(k2)
+    end
+
+    it "drops keys by identity" do
+      expect(keyring.keys.count).to eq 2
+      expect { keyring.drop_key(k1) }.to change { keyring.keys.count }.by -1
+      expect(keyring.keys.count).to eq 1
+      expect(keyring.keys[0]).to be k2
+    end
+
+    it "drops keys by identifier" do
+      expect(keyring.keys.count).to eq 2
+      expect { keyring.drop_key(k1.id) }.to change { keyring.keys.count }.by -1
+      expect(keyring.keys.count).to eq 1
+      expect(keyring.keys[0]).to be k2
+    end
+  end
+
+  describe "#to_json" do
+    let(:keyring) { Keyring.new }
+    let(:k1)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+    let(:k2)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+
+    before do
+      keyring.add_key(k1)
+      keyring.add_key(k2)
+    end
+
+    it "serializes the keyring to an expected format" do
+      keyring_data = keyring.to_json
+      reparsed = JSON.parse(keyring_data)
+      expect(reparsed[0]["id"]).to eq k1.id
+      expect(reparsed[0]["value"]).to eq k1.value
+      expect(reparsed[0]["created_at"]).to eq k1.created_at.to_s
+
+      expect(reparsed[1]["id"]).to eq k2.id
+      expect(reparsed[1]["value"]).to eq k2.value
+      expect(reparsed[1]["created_at"]).to eq k2.created_at.to_s
+    end
+  end
+
+  describe "#current_key" do
+    let(:keyring) { Keyring.new }
+    let(:k1)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now - 3) }
+    let(:k2)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+
+    before do
+      keyring.add_key(k1)
+      keyring.add_key(k2)
+    end
+
+    it "returns the newest key" do
+      expect(keyring.current_key).to eq k2
+    end
+
+    it "raise if no keys are registered" do
+      other_keyring = Keyring.new
+      expect { other_keyring.current_key }.to raise_error(KeyringEmpty)
+    end
+  end
+end

data/spec/attr_vault/secret_spec.rb

@@ -0,0 +1,34 @@
+require 'spec_helper'
+
+describe AttrVault::Secret do
+  it "can resolve a URL safe base64 encoded 32 byte string" do
+    resolves_input(Base64.urlsafe_encode64("A"*16 + "B"*16))
+  end
+
+  it "can resolve a base64 encoded 32 byte string" do
+    resolves_input(Base64.encode64("A"*16 + "B"*16))
+  end
+
+  it "can resolve a 32 byte string without encoding" do
+    resolves_input("A"*16 + "B"*16)
+  end
+
+  it "fails loudly when an invalid secret is provided" do
+    secret = Base64.urlsafe_encode64("bad")
+    expect do
+      AttrVault::Secret.new(secret)
+    end.to raise_error(AttrVault::InvalidSecret)
+  end
+
+  def resolves_input(input)
+    secret = AttrVault::Secret.new(input)
+
+    expect(
+      secret.signing_key
+    ).to eq("A"*16)
+
+    expect(
+      secret.encryption_key
+    ).to eq("B"*16)
+  end
+end

data/spec/attr_vault_spec.rb

@@ -0,0 +1,328 @@
+require 'spec_helper'
+require 'json'
+
+describe AttrVault do
+  context "with a single encrypted column" do
+    let(:key_id)   { '80a8571b-dc8a-44da-9b89-caee87e41ce2' }
+    let(:key_data) {
+      [{
+        id: key_id,
+        value: 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=',
+        created_at: Time.now }].to_json
+    }
+    let(:item)   {
+      # the let form can't be evaluated inside the class definition
+      # because Ruby scoping rules were written by H.P. Lovecraft, so
+      # we create a local here to work around that
+      k = key_data
+      Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k
+        vault_attr :secret
+      end
+    }
+
+    context "with a new object" do
+      it "does not affect other attributes" do
+        not_secret = 'jimi hendrix was rather talented'
+        s = item.create(not_secret: not_secret)
+        s.reload
+        expect(s.not_secret).to eq(not_secret)
+        expect(s.this.where(not_secret: not_secret).count).to eq 1
+      end
+
+      it "encrypts non-empty values" do
+        secret = 'lady gaga? also rather talented'
+        s = item.create(secret: secret)
+        s.reload
+        expect(s.secret).to eq(secret)
+        s.columns.each do |col|
+          expect(s.this.where(Sequel.cast(Sequel.cast(col, :text), :bytea) => secret).count).to eq 0
+        end
+      end
+
+      it "stores empty values as empty" do
+        secret = ''
+        s = item.create(secret: secret)
+        s.reload
+        expect(s.secret).to eq('')
+        expect(s.secret_encrypted).to eq('')
+      end
+
+      it "stores nil values as nil" do
+        s = item.create(secret: nil)
+        s.reload
+        expect(s.secret).to be_nil
+        expect(s.secret_encrypted).to be_nil
+      end
+
+      it "stores the key id" do
+        secret = 'it was professor plum with the wrench in the library'
+        s = item.create(secret: secret)
+        s.reload
+        expect(s.key_id).to eq(key_id)
+      end
+    end
+
+    context "with an existing object" do
+      it "does not affect other attributes" do
+        not_secret = 'soylent is not especially tasty'
+        s = item.create
+        s.update(not_secret: not_secret)
+        s.reload
+        expect(s.not_secret).to eq(not_secret)
+        expect(s.this.where(not_secret: not_secret).count).to eq 1
+      end
+
+      it "encrypts non-empty values" do
+        secret = 'soylent green is made of people'
+        s = item.create
+        s.update(secret: secret)
+        s.reload
+        expect(s.secret).to eq(secret)
+        s.columns.each do |col|
+          expect(s.this.where(Sequel.cast(Sequel.cast(col, :text), :bytea) => secret).count).to eq 0
+        end
+      end
+
+      it "stores empty values as empty" do
+        s = item.create(secret: "darth vader is luke's father")
+        s.update(secret: '')
+        s.reload
+        expect(s.secret).to eq('')
+        expect(s.secret_encrypted).to eq('')
+      end
+
+      it "leaves nil values as nil" do
+        s = item.create(secret: "dr. crowe was dead all along")
+        s.update(secret: nil)
+        s.reload
+        expect(s.secret).to be_nil
+        expect(s.secret_encrypted).to be_nil
+      end
+
+      it "stores the key id" do
+        secret = 'animal style'
+        s = item.create
+        s.update(secret: secret)
+        s.reload
+        expect(s.key_id).to eq(key_id)
+      end
+    end
+  end
+
+  context "with multiple encrypted columns" do
+    let(:key_data) {
+      [{
+        id: '80a8571b-dc8a-44da-9b89-caee87e41ce2',
+        value: 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=',
+        created_at: Time.now }].to_json
+    }
+    let(:item)   {
+      k = key_data
+      Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k
+        vault_attr :secret
+        vault_attr :other
+      end
+    }
+
+    it "does not clobber other attributes" do
+      secret1 = "superman is really mild-mannered reporter clark kent"
+      secret2 = "batman is really millionaire playboy bruce wayne"
+      s = item.create(secret: secret1)
+      s.reload
+      expect(s.secret).to eq secret1
+      s.update(other: secret2)
+      s.reload
+      expect(s.secret).to eq secret1
+      expect(s.other).to eq secret2
+    end
+  end
+
+  context "with items encrypted with an older key" do
+    let(:key1_id)  { '80a8571b-dc8a-44da-9b89-caee87e41ce2' }
+    let(:key1)     {
+      {
+       id: key1_id,
+       value: 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=',
+       created_at: Time.new(2014, 1, 1, 0, 0, 0)
+      }
+    }
+
+    let(:key2_id)  { '0a85781b-d8ac-4a4d-89b9-acee874e1ec2' }
+    let(:key2)     {
+      {
+       id: key2_id,
+       value: 'hUL1orBBRckZOuSuptRXYMV9lx5Qp54zwFUVwpwTpdk=',
+       created_at: Time.new(2014, 2, 1, 0, 0, 0)
+      }
+    }
+    let(:partial_keyring) {
+      [key1].to_json
+    }
+
+    let(:full_keyring) {
+      [key1, key2].to_json
+    }
+    let(:item1) {
+      k = partial_keyring
+      Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k
+        vault_attr :secret
+        vault_attr :other
+      end
+    }
+    let(:item2) {
+      k = full_keyring
+      Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k
+        vault_attr :secret
+        vault_attr :other
+      end
+    }
+
+    it "rewrites the items using the current key" do
+      secret1 = 'mrs. doubtfire is really a man'
+      secret2 = 'tootsie? also a man'
+      record = item1.create(secret: secret1)
+      expect(record.key_id).to eq key1_id
+      expect(record.secret).to eq secret1
+
+      old_secret_encrypted = record.secret_encrypted
+      old_secret_hmac = record.secret_hmac
+
+      new_key_record = item2[record.id]
+      new_key_record.update(secret: secret2)
+      new_key_record.reload
+
+      expect(new_key_record.key_id).to eq key2_id
+      expect(new_key_record.secret).to eq secret2
+      expect(new_key_record.secret_encrypted).not_to eq old_secret_encrypted
+      expect(new_key_record.secret_hmac).not_to eq old_secret_hmac
+    end
+
+    it "rewrites the items using the current key even if they are not updated" do
+      secret1 = 'the planet of the apes is really earth'
+      secret2 = 'the answer is 42'
+      record = item1.create(secret: secret1)
+      expect(record.key_id).to eq key1_id
+      expect(record.secret).to eq secret1
+
+      old_secret_encrypted = record.secret_encrypted
+      old_secret_hmac = record.secret_hmac
+
+      new_key_record = item2[record.id]
+      new_key_record.update(other: secret2)
+      new_key_record.reload
+
+      expect(new_key_record.key_id).to eq key2_id
+      expect(new_key_record.secret).to eq secret1
+      expect(new_key_record.secret_encrypted).not_to eq old_secret_encrypted
+      expect(new_key_record.secret_hmac).not_to eq old_secret_hmac
+      expect(new_key_record.other).to eq secret2
+    end
+  end
+
+  context "with plaintext source fields" do
+    let(:key_id)   { '80a8571b-dc8a-44da-9b89-caee87e41ce2' }
+    let(:key_data) {
+      [{
+        id: key_id,
+        value: 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=',
+        created_at: Time.now }].to_json
+    }
+    let(:item1) {
+      k = key_data
+      Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k
+        vault_attr :secret
+        vault_attr :other
+      end
+    }
+    let(:item2) {
+      k = key_data
+      Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k
+        vault_attr :secret, plaintext_source_field: :not_secret
+        vault_attr :other, plaintext_source_field: :other_not_secret
+      end
+    }
+
+    it "copies a plaintext field to an encrypted field when saving the object" do
+      becomes_secret = 'the location of the lost continent of atlantis'
+      s = item1.create(not_secret: becomes_secret)
+      reloaded = item2[s.id]
+      expect(reloaded.not_secret).to eq becomes_secret
+      reloaded.save
+      reloaded.reload
+      expect(reloaded.not_secret).to be_nil
+      expect(reloaded.secret).to eq becomes_secret
+    end
+
+    it "supports converting multiple fields" do
+      becomes_secret1 = 'the location of the fountain of youth'
+      becomes_secret2 = 'the location of the lost city of el dorado'
+      s = item1.create(not_secret: becomes_secret1, other_not_secret: becomes_secret2)
+      reloaded = item2[s.id]
+      expect(reloaded.not_secret).to eq becomes_secret1
+      expect(reloaded.other_not_secret).to eq becomes_secret2
+      reloaded.save
+      reloaded.reload
+      expect(reloaded.not_secret).to be_nil
+      expect(reloaded.secret).to eq becomes_secret1
+      expect(reloaded.other_not_secret).to be_nil
+      expect(reloaded.other).to eq becomes_secret2
+    end
+  end
+
+  context "with renamed database fields" do
+    let(:key_data) {
+      [{
+        id: '80a8571b-dc8a-44da-9b89-caee87e41ce2',
+        value: 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=',
+        created_at: Time.now }].to_json
+    }
+
+    it "supports renaming the encrypted and hmac fields" do
+      k = key_data
+      item = Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k
+        vault_attr :classified_info,
+          encrypted_field: :secret_encrypted,
+          hmac_field: :secret_hmac
+      end
+
+      secret = "we've secretly replaced the fine coffee they usually serve with Folgers Crystals"
+      s = item.create(classified_info: secret)
+      s.reload
+      expect(s.classified_info).to eq secret
+      expect(s.secret_encrypted).not_to eq secret
+      expect(s.secret_hmac).not_to be_nil
+    end
+
+    it "supports renaming the key id field" do
+      k = key_data
+      item = Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k, key_field: :alt_key_id
+        vault_attr :secret
+      end
+
+      secret = "up up down down left right left right b a"
+      s = item.create(secret: secret)
+      s.reload
+      expect(s.secret).to eq secret
+      expect(s.secret_encrypted).not_to eq secret
+      expect(s.secret_hmac).not_to be_nil
+      expect(s.alt_key_id).not_to be_nil
+      expect(s.key_id).to be_nil
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,49 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# Require this file using `require "spec_helper"` to ensure that it is only
+# loaded once.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+
+require 'bundler'
+require 'attr_vault'
+
+require 'pg'
+require 'sequel'
+
+conn = Sequel.connect(ENV['DATABASE_URL'])
+conn.run 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp"'
+conn.run 'DROP TABLE IF EXISTS items'
+conn.run <<-EOF
+    CREATE TABLE items(
+      id serial primary key,
+      key_id uuid,
+      alt_key_id uuid,
+      secret_encrypted bytea,
+      secret_hmac bytea,
+      other_encrypted bytea,
+      other_hmac bytea,
+      not_secret text,
+      other_not_secret text
+    )
+  EOF
+
+RSpec.configure do |config|
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  config.before(:example) do
+    conn.run 'TRUNCATE items'
+  end
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = 'random'
+
+  config.expect_with :rspec do |c|
+    c.syntax = :expect
+  end
+end
+

metadata

@@ -0,0 +1,120 @@
+--- !ruby/object:Gem::Specification
+name: attr_vault
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Maciek Sakrejda
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-10-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: fernet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: pg
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sequel
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.13'
+description: Encryption at rest made easy
+email:
+- m.sakrejda@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- attr_vault.gemspec
+- lib/attr_vault.rb
+- lib/attr_vault/cryptor.rb
+- lib/attr_vault/encryption.rb
+- lib/attr_vault/errors.rb
+- lib/attr_vault/keyring.rb
+- lib/attr_vault/secret.rb
+- lib/attr_vault/version.rb
+- spec/attr_vault/keyring_spec.rb
+- spec/attr_vault/secret_spec.rb
+- spec/attr_vault_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/deafbybeheading/attr_vault
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Sequel plugin for encryption at rest
+test_files:
+- spec/attr_vault/keyring_spec.rb
+- spec/attr_vault/secret_spec.rb
+- spec/attr_vault_spec.rb
+- spec/spec_helper.rb
+has_rdoc: