chintala-strongbox 0.6.1

data/rails/init.rb

@@ -0,0 +1 @@
+require File.join(File.dirname(__FILE__),'../init.rb')

data/strongbox.gemspec

@@ -0,0 +1,23 @@
+lib = File.expand_path('../lib/', __FILE__)
+$:.unshift lib unless $:.include?(lib)
+require 'strongbox'
+
+Gem::Specification.new do |s|
+  s.name = "chintala-strongbox"
+  s.version = Strongbox::VERSION
+  s.summary = "Secures ActiveRecord fields with public key encryption."
+  s.authors = ["Spike Ilacqua"]
+  s.email = "spike@stuff-things.net"
+  s.description = <<-EOF
+    Strongbox provides Public Key Encryption for ActiveRecord. By using a
+    public key sensitive information can be encrypted and stored automatically.
+    Once stored a password is required to access the information. dependencies
+    are specified in standard Ruby syntax.
+  EOF
+  s.homepage = "http://stuff-things.net/strongbox"
+  s.files = `git ls-files`.split("\n")
+  s.test_files = `git ls-files -- test/*`.split("\n")
+  s.add_runtime_dependency 'activerecord'
+  s.add_development_dependency 'thoughtbot-shoulda'
+  s.add_development_dependency 'sqlite3'
+end

data/test/database.yml

@@ -0,0 +1,4 @@
+test:
+  adapter: sqlite3
+  database: ":memory:"
+

data/test/fixtures/keypair.pem

@@ -0,0 +1,24 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,317921A00FB0882F
+
+f+GWBkcLJLsBUElOEKhqrtYgT1X4nixaZHD5x0VhmW2FrREz4vcqXrxwLTaRQJK/
+vHFJ/7IVmEHScwEognSfw/wX2HMIHczoQT3ugsa29Nt7t1VLGy9jvN1+1f+g90xe
+02jC7CYEKUJ3agZPox49i0/UN9OCIgdtKfecdDHYWyziob8yYTsUdDGyAXlPv0Kx
+0MPSCRDtEh4UJ2PIFyw2HowkYeNss6uIte9rxJGINI11D9vmXR0pH0XyCwHQn+2T
+ScHWg8BJ1rkBKydbKQ4vnfhGMjG+bZyrJXrJSoazXroseuhHu8QRUONm5Kl/zW1f
+GP1CjIfTCQQZECYIa2tXTFdL9y2ZOCn8xit57SwEpmJMvZC58PkQX5+/aHPcOXhl
+YrF+6FEfNpdBz9PUmv4Af2kTa88xZqm1Q3GtTOk7wsJpfeTMhU71KjA1pL9xNPrT
+DnKhtfLGvcgo8Z9BGOiLFe9uQvhhprX7isc1XdysbMigsVIWLvZp9RxRp/zAn7fy
+y56C6mc3tUwcq89RcxAn+bC75gwZO/hyVrnkhManOMfHTEiZXVybU9Ril3SZ+ry6
+8AxMid0ZWbbtCHdDc5rHfXsGeFhJZxBbg/WtMxBPGHNByqs8sWUM9Z8YoK8WMYxV
+GvC9RB4m0jgA4S3MEOMmKOXDuJxa7IgTgApVmLPl+sDOHGK3xAItYJJawJqOZQ1f
+r+x/8g19CuehuflCxDo+D4/RJMqkOEq+0FGUqI8lHv6vR6+YpkGdrQQXUohBy67f
+3Qym1ztZ8ygsttgJwnhwAfMh8FdIrVJc7NZ8pDiBZbg=
+-----END RSA PRIVATE KEY-----
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9F1ipsLL+V68bGSJFqFLQKgXq
+Glyyplx0s9KxgLbmbDICXpV7DceKaIBUkPZDx2DrlvjZmG+rG5ehdWNI7q/hupao
+NF0WzEiOp+30gISeyl81Z/NAmhcwcOnZpbS9nl4JLaWrN7iGC1geNBNDo+lVbsm1
+O2+Tlt8rjHsNjzgIzQIDAQAB
+-----END PUBLIC KEY-----

data/test/method_key_test.rb

@@ -0,0 +1,77 @@
+require 'test/test_helper'
+
+class MethodKeyTest < Test::Unit::TestCase
+  context 'With an attribute containing a string for the key pair' do
+    setup do
+      @password = 'boost facile'
+      rebuild_model :key_pair => :key_pair_attribute
+      Dummy.class_eval do
+        attr_accessor :key_pair_attribute
+      end
+
+      @dummy = Dummy.new
+      @dummy.key_pair_attribute = File.read(File.join(FIXTURES_DIR,'keypair.pem'))
+      @dummy.secret = 'Shhhh'
+    end
+
+    should_encypted_and_decrypt
+  end
+
+  context 'With a methods returning the key pair' do
+    setup do
+      @password = 'boost facile'
+      rebuild_model :key_pair => :key_pair_method
+      Dummy.class_eval do
+        def key_pair_method
+          File.read(File.join(FIXTURES_DIR,'keypair.pem'))
+        end
+      end
+
+      @dummy = Dummy.new
+      @dummy.secret = 'Shhhh'
+    end
+
+    should_encypted_and_decrypt
+  end
+
+  context 'With attributes containing strings for the keys' do
+    setup do
+      @password = 'boost facile'
+      rsa_key = OpenSSL::PKey::RSA.new(2048)
+      cipher =  OpenSSL::Cipher::Cipher.new('des3')
+      rebuild_model :public_key => :public_key_attribute,
+                    :private_key => :private_key_attribute
+      Dummy.class_eval do
+        attr_accessor :public_key_attribute, :private_key_attribute
+      end
+      @dummy = Dummy.new
+      @dummy.public_key_attribute = rsa_key.public_key.to_pem
+      @dummy.private_key_attribute = rsa_key.to_pem(cipher,@password)
+      @dummy.secret = 'Shhhh'
+    end
+
+    should_encypted_and_decrypt
+  end
+
+  context 'With methods returning the keys' do
+    setup do
+      @password = 'boost facile'
+      rebuild_model :public_key => :public_key_method,
+                    :private_key => :private_key_method
+      Dummy.class_eval do
+        def public_key_method
+          File.read(File.join(FIXTURES_DIR,'keypair.pem'))
+        end
+
+        def private_key_method
+          File.read(File.join(FIXTURES_DIR,'keypair.pem'))
+        end
+      end
+
+      @dummy = Dummy.new
+      @dummy.secret = 'Shhhh'
+    end
+
+    should_encypted_and_decrypt
+  end
+end

data/test/missing_attributes_test.rb

@@ -0,0 +1,77 @@
+require 'test/test_helper'
+
+class MissingAttribuesTest < Test::Unit::TestCase
+  context 'A Class with a secured field without a matching database column' do
+    setup do
+      ActiveRecord::Base.connection.create_table :dummies, :force => true do |table|
+        table.string :in_the_clear
+      end
+      rebuild_class {}
+    end
+
+    should 'raise' do
+      assert_raise(Strongbox::StrongboxError) do
+        Dummy.class_eval do
+          encrypt_with_public_key :secret, :key_pair =>
+            File.join(FIXTURES_DIR,'keypair.pem')
+        end
+        @dummy = Dummy.new
+        @dummy.secret = 'Shhhh'
+      end
+    end
+
+    teardown do
+      rebuild_model
+    end
+  end
+
+  context 'A Class with a secured field missing symmetric database columns' do
+    setup do
+      ActiveRecord::Base.connection.create_table :dummies, :force => true do |table|
+        table.string :in_the_clear
+        table.string :secret
+      end
+      rebuild_class {}
+    end
+
+    should 'raise' do
+      assert_raise(Strongbox::StrongboxError) do
+        Dummy.class_eval do
+          encrypt_with_public_key :secret, :key_pair =>
+            File.join(FIXTURES_DIR,'keypair.pem')
+        end
+        @dummy = Dummy.new
+        @dummy.secret = 'Shhhh'
+      end
+    end
+
+    teardown do
+      rebuild_model
+    end
+  end
+
+  context 'A Class with a secured field without a matching database column told not to check columns' do
+    setup do
+      ActiveRecord::Base.connection.create_table :dummies, :force => true do |table|
+        table.string :in_the_clear
+      end
+      rebuild_class {}
+    end
+
+    should 'not raise' do
+      assert_nothing_raised do
+        Dummy.class_eval do
+          encrypt_with_public_key(:secret,
+                                  :key_pair => File.join(FIXTURES_DIR,'keypair.pem'),
+                                  :ensure_required_columns => false)
+        end
+        @dummy = Dummy.new
+        @dummy.secret = 'Shhhh'
+      end
+    end
+
+    teardown do
+      rebuild_model
+    end
+  end
+end

data/test/proc_key_test.rb

@@ -0,0 +1,57 @@
+require 'test/test_helper'
+
+class ProcKeyTest < Test::Unit::TestCase
+  context 'With a Proc returning a string for a key pair' do
+    setup do
+      @password = 'boost facile'
+      rebuild_model :key_pair => Proc.new {
+        File.read(File.join(FIXTURES_DIR,'keypair.pem'))
+      }
+      @dummy = Dummy.new
+      @dummy.secret = 'Shhhh'
+    end
+
+    should_encypted_and_decrypt
+  end
+
+  context 'With a Proc returning a key object' do
+    setup do
+      @password = 'boost facile'
+      @private_key = OpenSSL::PKey::RSA.new(2048)
+      rebuild_model :key_pair => Proc.new { @private_key }
+      @dummy = Dummy.new
+      @dummy.secret = 'Shhhh'
+    end
+
+    should_encypted_and_decrypt
+  end
+
+  context 'With Procs returning public and private key strings' do
+    setup do
+      @password = 'boost facile'
+      @key_pair = File.read(File.join(FIXTURES_DIR,'keypair.pem'))
+
+      rebuild_model :public_key => Proc.new { @key_pair },
+                    :private_key => Proc.new { @key_pair } 
+      @dummy = Dummy.new
+      @dummy.secret = 'Shhhh'
+    end
+
+    should_encypted_and_decrypt
+  end
+
+  context 'With Procs returning public and private key objects' do
+    setup do
+      @password = 'boost facile'
+      @private_key = OpenSSL::PKey::RSA.new(2048)
+      @public_key = @private_key.public_key
+
+      rebuild_model :public_key => Proc.new { @public_key },
+                    :private_key => Proc.new { @private_key } 
+      @dummy = Dummy.new
+      @dummy.secret = 'Shhhh'
+    end
+
+    should_encypted_and_decrypt
+  end
+end

data/test/strongbox_multiply_test.rb

@@ -0,0 +1,52 @@
+# -*- coding: utf-8 -*-
+require 'test/test_helper'
+
+class StrongboxMultiPlyTest < Test::Unit::TestCase
+  context 'A Class with two secured fields' do
+    setup do
+      @password = 'boost facile'
+      key_pair = File.join(FIXTURES_DIR,'keypair.pem')
+      Dummy.class_eval do
+        encrypt_with_public_key :secret, :segreto, :key_pair => key_pair
+      end
+    end
+
+    context 'that is valid' do
+      setup do
+        @dummy = Dummy.new
+        @dummy.secret = 'I have a secret...'
+      end
+
+      should 'return "*encrypted*" when the record is locked'  do
+        assert_equal '*encrypted*', @dummy.secret.decrypt
+      end
+
+       should 'return the secrets when unlocked'  do
+         assert_equal 'I have a secret...', @dummy.secret.decrypt(@password)
+       end
+
+    end
+  end
+
+  context 'Using strings for keys' do
+    setup do
+      @password = 'boost facile'
+      key_pair = File.read(File.join(FIXTURES_DIR,'keypair.pem'))
+      public_key = OpenSSL::PKey::RSA.new(key_pair,"")
+      private_key = OpenSSL::PKey::RSA.new(key_pair,@password)
+      Dummy.class_eval do
+        encrypt_with_public_key :secret, :public_key => public_key, :private_key => private_key
+      end
+      @dummy = Dummy.new
+      @dummy.secret = 'Shhhh'
+    end
+
+    should 'return "*encrypted*" when locked'  do
+      assert_equal '*encrypted*', @dummy.secret.decrypt
+    end
+
+    should 'return secret when unlocked'  do
+      assert_equal 'Shhhh', @dummy.secret.decrypt(@password)
+    end
+  end
+end

data/test/strongbox_test.rb

@@ -0,0 +1,252 @@
+# -*- coding: utf-8 -*-
+require 'test/test_helper'
+
+class StrongboxTest < Test::Unit::TestCase
+  context 'A Class with a secured field' do
+    setup do
+      @password = 'boost facile'
+      rebuild_model :key_pair => File.join(FIXTURES_DIR,'keypair.pem')
+    end
+
+    should 'not error when trying to also create a secure field' do
+      assert_nothing_raised do
+        Dummy.class_eval do
+          encrypt_with_public_key :secret
+        end
+      end
+    end
+
+     context 'that is valid' do
+       setup do
+         @dummy = Dummy.new
+         @dummy.secret = 'Shhhh'
+         @dummy.in_the_clear = 'Hey you guys!'
+       end
+
+       should 'not change unencrypted fields' do
+         assert_equal 'Hey you guys!', @dummy.in_the_clear
+       end
+
+       should 'return "*encrypted*" when locked'  do
+         assert_equal '*encrypted*', @dummy.secret.decrypt
+       end
+
+       should 'return secret when unlocked'  do
+         assert_equal 'Shhhh', @dummy.secret.decrypt(@password)
+       end
+
+       should 'generate and store symmetric encryption key and IV' do
+         assert_not_nil @dummy.attributes['secret_key']
+         assert_not_nil @dummy.attributes['secret_iv']
+       end
+
+       should 'raise on bad password' do
+         assert_raises(OpenSSL::PKey::RSAError) do
+           @dummy.secret.decrypt('letmein')
+         end
+       end
+
+       should 'impliment to_json' do
+        assert_nothing_raised do
+          @dummy.secret.to_json
+        end
+       end
+
+       context 'updating unencrypted fields' do
+         setup do
+           @dummy.in_the_clear = 'I see you...'
+           @dummy.save
+         end
+
+         should 'not effect the secret' do
+           assert_equal 'Shhhh', @dummy.secret.decrypt(@password)
+         end
+       end
+
+       context 'updating the secret' do
+         setup do
+           @dummy.secret = @new_secret = 'Don\'t tell'
+           @dummy.save
+         end
+
+         should 'update the secret' do
+           assert_equal @new_secret, @dummy.secret.decrypt(@password)
+         end
+       end
+
+       context 'with symmetric encryption disabled' do
+         setup do
+           rebuild_class(:key_pair => File.join(FIXTURES_DIR,'keypair.pem'),
+                         :symmetric => :never)
+           @dummy = Dummy.new
+           @dummy.secret = 'Shhhh'
+         end
+
+         should 'return "*encrypted*" when locked'  do
+           assert_equal '*encrypted*', @dummy.secret.decrypt
+         end
+
+         should 'return secret when unlocked'  do
+           assert_equal 'Shhhh', @dummy.secret.decrypt(@password)
+         end
+
+         should 'allow decryption of other strings encrypted with the same key' do
+           encrypted_text = File.read(File.join(FIXTURES_DIR,'encrypted'))
+           assert_equal 'Setec Astronomy', @dummy.secret.decrypt(@password, encrypted_text)
+         end
+
+         should 'not generate and store symmetric encryption key and IV' do
+           assert_nil @dummy.attributes['secret_key']
+           assert_nil @dummy.attributes['secret_iv']
+         end
+
+       end
+
+       context 'with Base64 encoding enabled' do
+         setup do
+           rebuild_class(:key_pair => File.join(FIXTURES_DIR,'keypair.pem'),
+                         :base64 => true)
+           @dummy = Dummy.new
+           @dummy.secret = 'Shhhh'
+         end
+
+         should 'Base64 encode the ciphertext' do
+           # Base64 encoded text is limited to the charaters A–Z, a–z, and 0–9,
+           # and is padded with 0 to 2 equal-signs
+           assert_match /^[0-9A-Za-z+\/]+={0,2}$/, @dummy.attributes['secret']
+           assert_match /^[0-9A-Za-z+\/]+={0,2}$/, @dummy.attributes['secret_key']
+           assert_match /^[0-9A-Za-z+\/]+={0,2}$/, @dummy.attributes['secret_iv']
+         end
+
+         should 'encrypt the data'  do
+           assert_not_equal @dummy.attributes['secret'], 'Shhhh'
+           assert_equal '*encrypted*', @dummy.secret.decrypt
+           assert_equal 'Shhhh', @dummy.secret.decrypt(@password)
+         end
+       end
+     end
+
+     context 'using blowfish cipher instead of AES' do
+       setup do
+         rebuild_class(:key_pair => File.join(FIXTURES_DIR,'keypair.pem'),
+                       :symmetric_cipher => 'bf-cbc')
+         @dummy = Dummy.new
+         @dummy.secret = 'Shhhh'
+       end
+
+       should 'encrypt the data'  do
+         assert_not_equal @dummy.attributes['secret'], 'Shhhh'
+         assert_equal '*encrypted*', @dummy.secret.decrypt
+         assert_equal 'Shhhh', @dummy.secret.decrypt(@password)
+       end
+     end
+  end
+
+  context 'when a public key is not provided' do
+    setup do
+      rebuild_class
+      @dummy = Dummy.new
+    end
+
+    should 'raise on encrypt' do
+      assert_raises(Strongbox::StrongboxError) do
+        @dummy.secret = 'Shhhh'
+      end
+    end
+  end
+
+  context 'when a private key is not provided' do
+     setup do
+      @password = 'boost facile'
+      rebuild_class(:public_key => File.join(FIXTURES_DIR,'keypair.pem'))
+      @dummy = Dummy.new(:secret => 'Shhhh')
+     end
+
+    should 'raise on decrypt with a password' do
+      assert_raises(Strongbox::StrongboxError) do
+        @dummy.secret.decrypt(@password)
+      end
+    end
+
+    should 'return "*encrypted*" when still locked' do
+      assert_equal '*encrypted*', @dummy.secret.decrypt
+    end
+  end
+
+  context "when an unencrypted public key is used" do
+     setup do
+      rebuild_class(:public_key => generate_key_pair.public_key)
+      @dummy = Dummy.new(:secret => 'Shhhh')
+     end
+
+    should "encrypt the data"  do
+      assert_not_equal @dummy.attributes['secret'], 'Shhhh'
+      assert_equal '*encrypted*', @dummy.secret.decrypt
+    end
+  end
+
+  context "when an unencrypted key pair is used" do
+     setup do
+      rebuild_class(:key_pair => generate_key_pair)
+      @dummy = Dummy.new(:secret => 'Shhhh')
+     end
+
+    should "encrypt the data"  do
+      assert_not_equal @dummy.attributes['secret'], 'Shhhh'
+      assert_equal "Shhhh", @dummy.secret.decrypt('')
+    end
+  end
+
+  context 'A Class with two secured fields' do
+    setup do
+      @password = 'boost facile'
+      key_pair = File.join(FIXTURES_DIR,'keypair.pem')
+      Dummy.class_eval do
+        encrypt_with_public_key :secret, :key_pair => key_pair
+        encrypt_with_public_key :segreto, :key_pair => key_pair,
+                                          :symmetric => :never
+      end
+    end
+
+    context 'that is valid' do
+      setup do
+        @dummy = Dummy.new
+        @dummy.secret = 'I have a secret...'
+        @dummy.segreto = 'Ho un segreto...'
+      end
+
+      should 'return "*encrypted*" when the record is locked'  do
+        assert_equal '*encrypted*', @dummy.secret.decrypt
+        assert_equal '*encrypted*', @dummy.segreto.decrypt
+      end
+
+       should 'return the secrets when unlocked'  do
+         assert_equal 'I have a secret...', @dummy.secret.decrypt(@password)
+         assert_equal 'Ho un segreto...', @dummy.segreto.decrypt(@password)
+       end
+
+    end
+  end
+
+  context 'Using strings for keys' do
+    setup do
+      @password = 'boost facile'
+      key_pair = File.read(File.join(FIXTURES_DIR,'keypair.pem'))
+      public_key = OpenSSL::PKey::RSA.new(key_pair,"")
+      private_key = OpenSSL::PKey::RSA.new(key_pair,@password)
+      Dummy.class_eval do
+        encrypt_with_public_key :secret, :public_key => public_key, :private_key => private_key
+      end
+      @dummy = Dummy.new
+      @dummy.secret = 'Shhhh'
+    end
+
+    should 'return "*encrypted*" when locked'  do
+      assert_equal '*encrypted*', @dummy.secret.decrypt
+    end
+
+    should 'return secret when unlocked'  do
+      assert_equal 'Shhhh', @dummy.secret.decrypt(@password)
+    end
+  end
+end