attr_vault 0.0.4 → 0.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 18e01d8e9bbd38cbd41cce47d4c7dd5650ec976f
-  data.tar.gz: ff870a7ba7ec9eacc172b21bf33db9ffb0644af1
+  metadata.gz: 51257ff03a337f75042850857d0f468a7b55b6c7
+  data.tar.gz: d57fad1f79b934d11ff0e087e80b0e6acc04ea27
 SHA512:
-  metadata.gz: 1251126d7b737797573a7450f519c3eaf7c381830c95585dfe630652b5b9a37c1fd154e5e2f7611dcc2f647fe646a27401ca837cda225d4220b2355b9309d2bd
-  data.tar.gz: e9fcc3d3fb1706049626c493f40ea4be889f1acbec73fc3ac832083f3ff1dd86a4ecfa3748bb8ceea1918b7568d61d5ecef0c6f26dff139db8b1bcbc33f53060
+  metadata.gz: d5e950284be5139fc7596f8eb6ace59132eaa2046245079fa5d421a0f41ae668a984dd546f4ced3004a28142af4fb93cb9596b7a02c6d57d4cbd1a7d72e1e722
+  data.tar.gz: 49c6168c1f49ce9ec1a78f596db759beb8b65aeb967a6853154e6c1fd65684972767da413b1bb0dc12d176e013506c887cc6eaef52a218d09cebcee404defff1

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    attr_vault (0.0.3)
+    attr_vault (0.0.6)
 
 GEM
   remote: https://rubygems.org/

data/lib/attr_vault/cryptor.rb

@@ -1,8 +1,7 @@
 module AttrVault
   module Cryptor
     def self.encrypt(value, key)
-      return [nil, nil] if value.nil?
-      return ['', ''] if value.empty?
+      return value if value.nil? || value.empty?
 
       secret = AttrVault::Secret.new(key)
 
@@ -13,21 +12,22 @@ module AttrVault
 
       encrypted_payload = iv + encrypted_message
       mac = OpenSSL::HMAC.digest('sha256', secret.signing_key, encrypted_payload)
-      [ encrypted_payload, mac ]
+      Sequel.blob(mac + encrypted_payload)
     end
 
-    def self.decrypt(encrypted_payload, hmac, key)
-      return nil if encrypted_payload.nil? && hmac.nil?
-      return '' if encrypted_payload.empty? && hmac.empty?
+    def self.decrypt(encrypted, key)
+      return encrypted if encrypted.nil? || encrypted.empty?
 
       secret = AttrVault::Secret.new(key)
 
+      hmac, encrypted_payload = encrypted[0...32], encrypted[32..-1]
+
       expected_hmac = Encryption.hmac_digest(secret.signing_key, encrypted_payload)
       unless verify_signature(expected_hmac, hmac)
         raise InvalidCiphertext, "Expected hmac #{expected_hmac} for this value; got #{hmac}"
       end
 
-      iv, encrypted_message = encrypted_payload[0..16], encrypted_payload[16..-1]
+      iv, encrypted_message = encrypted_payload[0...16], encrypted_payload[16..-1]
 
       block_size = Encryption::AES_BLOCK_SIZE
       unless (encrypted_message.size % block_size).zero?

data/lib/attr_vault/version.rb

@@ -1,3 +1,3 @@
 module AttrVault
-  VERSION = "0.0.4"
+  VERSION = "0.0.6"
 end

data/lib/attr_vault.rb

@@ -3,6 +3,7 @@ require 'attr_vault/keyring'
 require 'attr_vault/secret'
 require 'attr_vault/encryption'
 require 'attr_vault/cryptor'
+require 'digest/sha1'
 
 module AttrVault
   def self.included(base)
@@ -44,17 +45,16 @@ module AttrVault
         next unless @vault_dirty_attrs.has_key? attr.name
 
         value = @vault_dirty_attrs[attr.name]
-        encrypted, hmac = Cryptor.encrypt(value, current_key.value)
-
-        unless encrypted.nil?
-          encrypted = Sequel.blob(encrypted)
-        end
-        unless hmac.nil?
-          hmac = Sequel.blob(hmac)
-        end
+        encrypted = Cryptor.encrypt(value, current_key.value)
 
         self[attr.encrypted_field] = encrypted
-        self[attr.hmac_field] = hmac
+        unless attr.digest_field.nil?
+          if value.nil?
+            self[attr.digest_field] = nil
+          else
+            self[attr.digest_field] = Digest::SHA1.hexdigest(value)
+          end
+        end
       end
       self[self.class.vault_key_field] = current_key.id
       @vault_dirty_attrs = {}
@@ -73,6 +73,7 @@ module AttrVault
       self.vault_attrs << attr
 
       define_method(name) do
+        @vault_dirty_attrs ||= {}
         if @vault_dirty_attrs.has_key? name
           return @vault_dirty_attrs[name]
         end
@@ -92,9 +93,8 @@ module AttrVault
         record_key = self.class.vault_keys.fetch(key_id)
 
         encrypted_value = self[attr.encrypted_field]
-        hmac =  self[attr.hmac_field]
         # TODO: cache decrypted value
-        Cryptor.decrypt(encrypted_value, hmac, record_key.value)
+        Cryptor.decrypt(encrypted_value, record_key.value)
       end
 
       define_method("#{name}=") do |value|
@@ -104,7 +104,9 @@ module AttrVault
         # be updated--otherwise, the object is never saved,
         # #before_save is never called, and we never store the update
         self.modified! attr.encrypted_field
-        self.modified! attr.hmac_field
+        unless attr.digest_field.nil?
+          self.modified! attr.digest_field
+        end
       end
     end
 
@@ -122,16 +124,16 @@ module AttrVault
   end
 
   class VaultAttr
-    attr_reader :name, :encrypted_field, :hmac_field, :plaintext_source_field
+    attr_reader :name, :encrypted_field, :plaintext_source_field, :digest_field
 
     def initialize(name,
                    encrypted_field: "#{name}_encrypted",
-                   hmac_field: "#{name}_hmac",
-                   plaintext_source_field: nil)
+                   plaintext_source_field: nil,
+                   digest_field: nil)
       @name = name
       @encrypted_field = encrypted_field.to_sym
-      @hmac_field = hmac_field.to_sym
       @plaintext_source_field = plaintext_source_field.to_sym unless plaintext_source_field.nil?
+      @digest_field = digest_field.to_sym unless digest_field.nil?
     end
   end
 end

data/spec/attr_vault_spec.rb

@@ -205,7 +205,6 @@ describe AttrVault do
       expect(record.secret).to eq secret1
 
       old_secret_encrypted = record.secret_encrypted
-      old_secret_hmac = record.secret_hmac
 
       new_key_record = item2[record.id]
       new_key_record.update(secret: secret2)
@@ -214,7 +213,6 @@ describe AttrVault do
       expect(new_key_record.key_id).to eq key2_id
       expect(new_key_record.secret).to eq secret2
       expect(new_key_record.secret_encrypted).not_to eq old_secret_encrypted
-      expect(new_key_record.secret_hmac).not_to eq old_secret_hmac
     end
 
     it "rewrites the items using the current key even if they are not updated" do
@@ -225,7 +223,6 @@ describe AttrVault do
       expect(record.secret).to eq secret1
 
       old_secret_encrypted = record.secret_encrypted
-      old_secret_hmac = record.secret_hmac
 
       new_key_record = item2[record.id]
       new_key_record.update(other: secret2)
@@ -234,7 +231,6 @@ describe AttrVault do
       expect(new_key_record.key_id).to eq key2_id
       expect(new_key_record.secret).to eq secret1
       expect(new_key_record.secret_encrypted).not_to eq old_secret_encrypted
-      expect(new_key_record.secret_hmac).not_to eq old_secret_hmac
       expect(new_key_record.other).to eq secret2
     end
   end
@@ -301,14 +297,13 @@ describe AttrVault do
         created_at: Time.now }].to_json
     }
 
-    it "supports renaming the encrypted and hmac fields" do
+    it "supports renaming the encrypted field" do
       k = key_data
       item = Class.new(Sequel::Model(:items)) do
         include AttrVault
         vault_keyring k
         vault_attr :classified_info,
-          encrypted_field: :secret_encrypted,
-          hmac_field: :secret_hmac
+          encrypted_field: :secret_encrypted
       end
 
       secret = "we've secretly replaced the fine coffee they usually serve with Folgers Crystals"
@@ -316,7 +311,6 @@ describe AttrVault do
       s.reload
       expect(s.classified_info).to eq secret
       expect(s.secret_encrypted).not_to eq secret
-      expect(s.secret_hmac).not_to be_nil
     end
 
     it "supports renaming the key id field" do
@@ -332,9 +326,56 @@ describe AttrVault do
       s.reload
       expect(s.secret).to eq secret
       expect(s.secret_encrypted).not_to eq secret
-      expect(s.secret_hmac).not_to be_nil
       expect(s.alt_key_id).not_to be_nil
       expect(s.key_id).to be_nil
     end
   end
+
+  context "with a digest field" do
+    let(:key_id)   { '80a8571b-dc8a-44da-9b89-caee87e41ce2' }
+    let(:key_data) {
+      [{
+        id: key_id,
+        value: 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=',
+        created_at: Time.now }].to_json
+    }
+    let(:item)   {
+      # the let form can't be evaluated inside the class definition
+      # because Ruby scoping rules were written by H.P. Lovecraft, so
+      # we create a local here to work around that
+      k = key_data
+      Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k
+        vault_attr :secret, digest_field: :secret_digest
+        vault_attr :other, digest_field: :other_digest
+      end
+    }
+
+    it "records the sha1 of the plaintext value" do
+      secret = 'snape kills dumbledore'
+      s = item.create(secret: secret)
+      expect(s.secret_digest).to eq(Digest::SHA1.hexdigest(secret))
+    end
+
+    it "can record multiple digest fields" do
+      secret = 'joffrey kills ned'
+      other_secret = '"gomer pyle" lawrence kills himself'
+      s = item.create(secret: secret, other: other_secret)
+      expect(s.secret_digest).to eq(Digest::SHA1.hexdigest(secret))
+      expect(s.other_digest).to eq(Digest::SHA1.hexdigest(other_secret))
+    end
+
+    it "records the digest for an empty field" do
+      s = item.create(secret: '', other: '')
+      expect(s.secret_digest).to eq(Digest::SHA1.hexdigest(''))
+      expect(s.other_digest).to eq(Digest::SHA1.hexdigest(''))
+    end
+
+    it "records the digest of a nil field" do
+      s = item.create
+      expect(s.secret_digest).to be_nil
+      expect(s.other_digest).to be_nil
+    end
+  end
 end

data/spec/spec_helper.rb

@@ -20,9 +20,9 @@ conn.run <<-EOF
       key_id uuid,
       alt_key_id uuid,
       secret_encrypted bytea,
-      secret_hmac bytea,
+      secret_digest text,
       other_encrypted bytea,
-      other_hmac bytea,
+      other_digest text,
       not_secret text,
       other_not_secret text
     )

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: attr_vault
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.6
 platform: ruby
 authors:
 - Maciek Sakrejda