daffy_lib 0.1.0

data/lib/daffy_lib/models/application_record.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require 'active_record'
+
+class DaffyLib::ApplicationRecord < ActiveRecord::Base
+  include DaffyLib::HasGuid
+
+  self.abstract_class = true
+end

data/lib/daffy_lib/models/encryption_key.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'daffy_lib/validators/string_validator'
+
+class DaffyLib::EncryptionKey < DaffyLib::ApplicationRecord
+  include DaffyLib::HasGuid
+
+  has_guid 'dek'
+
+  validates :partition_guid, presence: true, allow_blank: false
+  validates :key_epoch, presence: true, allow_blank: false, uniqueness: { scope: :partition_guid }
+  validates :encrypted_data_encryption_key, presence: true, allow_blank: false
+  validates :version, presence: true, allow_blank: false
+
+  validates_with DaffyLib::StringValidator, fields: %i[guid partition_guid encrypted_data_encryption_key version]
+end

data/lib/daffy_lib/railtie.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'daffy_lib'
+require 'rails'
+
+# :nocov:
+class DaffyLib::Railtie < Rails::Railtie
+  rake_tasks do
+    load 'tasks/db_tasks.rake'
+  end
+end
+# :nocov:

data/lib/daffy_lib/services/key_management_service.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+require 'logger'
+
+class DaffyLib::KeyManagementService
+  class KeyManagementServiceException < StandardError; end
+  class InvalidParameterException < KeyManagementServiceException; end
+  class KeyGenerationException < KeyManagementServiceException; end
+  class KeyCreateException < KeyManagementServiceException; end
+  class KeyRetrieveException < KeyManagementServiceException; end
+
+  KEY_MANAGEMENT_SERVICE_CACHE_NAMESPACE = :key_management_service
+  KEY_VERSION = 'KeyManagementService::V1'
+
+  RECORD_NOT_UNIQUE_REGEX = /has already been taken/.freeze
+
+  def initialize(partition_guid, expires_in, cmk_key_id)
+    raise InvalidParameterException unless partition_guid.present? && expires_in.present? && cmk_key_id.present?
+
+    @partition_guid = partition_guid
+    @expire_in = expires_in
+    @cmk_key_id = cmk_key_id
+  end
+
+  def self.encryption_key_epoch(datetime)
+    datetime.utc.beginning_of_year
+  end
+
+  def find_or_create_encryption_key(encryption_epoch)
+    find(encryption_epoch) || create(encryption_epoch)
+  end
+
+  def retrieve_plaintext_key(encryption_key)
+    raise InvalidParameterException unless encryption_key.present?
+
+    read_plaintext_key(encryption_key) || decrypt_encryption_key(encryption_key)
+  end
+
+  private
+
+  def read_plaintext_key(encryption_key)
+    Rails.cache.read(encryption_key.guid, namespace: KEY_MANAGEMENT_SERVICE_CACHE_NAMESPACE)
+  rescue Redis::BaseError => e
+    Rails.logger.error("Failed to read cache for encryption key #{encryption_key.guid}: #{e.message}")
+
+    nil
+  end
+
+  def decrypt_encryption_key(encryption_key)
+    decoded_key = Base64.decode64(encryption_key.encrypted_data_encryption_key)
+
+    plaintext_key = PorkyLib::Symmetric.instance.decrypt_data_encryption_key(decoded_key)
+
+    cache_plaintext_key(encryption_key, plaintext_key)
+
+    plaintext_key
+  rescue Aws::Errors::ServiceError => e
+    Rails.logger.error("Failed to decrypt data encryption key: #{e.message}")
+
+    raise KeyRetrieveException
+  end
+
+  def cache_plaintext_key(encryption_key, plaintext_key)
+    Rails.cache.write(encryption_key.guid, plaintext_key, namespace: KEY_MANAGEMENT_SERVICE_CACHE_NAMESPACE,
+                                                          expires_in: @expires_in)
+  rescue Redis::BaseError => e
+    Rails.logger.error("Failed to cache encryption key: #{e.message}")
+  end
+
+  def create(encryption_epoch)
+    plaintext_key, data_encryption_key = PorkyLib::Symmetric.instance.generate_data_encryption_key(@cmk_key_id)
+
+    encoded_key = Base64.encode64(data_encryption_key)
+
+    key = DaffyLib::EncryptionKey.create!(partition_guid: @partition_guid, key_epoch: encryption_epoch,
+                                          encrypted_data_encryption_key: encoded_key, version: KEY_VERSION)
+
+    cache_plaintext_key(key, plaintext_key)
+
+    key
+  rescue Aws::Errors::ServiceError => e
+    Rails.logger.error("Failed to generate data encryption key: #{e.message}")
+
+    raise KeyGenerationException
+  rescue ActiveRecord::RecordInvalid => e
+    Rails.logger.error("Failed to save encryption key: #{e.message}")
+
+    raise KeyCreateException unless e.message.match?(RECORD_NOT_UNIQUE_REGEX)
+
+    Rails.logger.info('Retrying find after failed EncryptionKey create')
+
+    find(encryption_epoch)
+  rescue ActiveRecord::RecordNotUnique => e
+    Rails.logger.error("Failed to save encryption key, retrying find: #{e.message}")
+
+    find(encryption_epoch)
+  rescue ActiveRecord::ActiveRecordError => e
+    Rails.logger.error("Failed to save encryption key: #{e.message}")
+
+    raise KeyCreateException
+  end
+
+  def find(encryption_epoch)
+    DaffyLib::EncryptionKey.find_by(partition_guid: @partition_guid, key_epoch: encryption_epoch)
+  end
+end

data/lib/daffy_lib/validators/string_validator.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'active_model'
+require 'action_controller'
+
+class DaffyLib::StringValidator < ActiveModel::Validator
+  def validate(record)
+    return if options[:fields].blank?
+
+    options[:fields].each do |field|
+      return false unless record.errors.messages.blank?
+
+      sanitized_attr = ActionController::Base.helpers.sanitize(record[field])
+      decoded_attr = Nokogiri::HTML.parse(sanitized_attr.to_s)
+      record.errors[:field] << 'contains invalid characters...' unless record[field] == decoded_attr.text || record[field].blank?
+    end
+  end
+end

data/lib/daffy_lib/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module DaffyLib
+  VERSION = "0.1.0"
+end

data/lib/tasks/db_tasks.rake

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'active_record'
+require 'active_support'
+
+namespace :db do
+  namespace :migrate do
+    desc "Migrates the database by adding partition_guid and encryption_epoch to the specified model (must specify :model)"
+    task :add_encryption_fields, [:model] => :environment do |_, args|
+      model = args[:model].camelize
+
+      abort 'Need to provide `model` as argument' if model.blank?
+
+      `rails generate migration AddEncryptionKeysTo#{model} partition_guid:string \\
+        encryption_epoch:datetime`
+    end
+
+    desc "Migrates the database by adding the encryption_keys table"
+    task :add_encryption_keys_table do
+      `rails generate migration CreateEncryptionKeys guid:string \\
+        partition_guid:string \\
+        key_epoch:datetime \\
+        encrypted_data_encryption_key:string \\
+        version:string \\
+        created_at:datetime \\
+        updated_at:datetime`
+    end
+  end
+end

metadata

@@ -0,0 +1,362 @@
+--- !ruby/object:Gem::Specification
+name: daffy_lib
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Benoît Jeaurond, Weiyun Lu
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2020-01-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: attr_encrypted
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler-audit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: codecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: factory_bot_rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-collection_matchers
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-mocks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec_junit_formatter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-performance
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop_runner
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: porky_lib
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: redis
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- weiyun.lu@arioplatform.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".circleci/config.yml"
+- ".github/pull_request_template.md"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- CODEOWNERS
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- SECURITY.MD
+- bin/console
+- bin/setup
+- daffy_lib.gemspec
+- lib/daffy_lib.rb
+- lib/daffy_lib/caching_encryptor.rb
+- lib/daffy_lib/concerns/has_encrypted_attributes.rb
+- lib/daffy_lib/concerns/has_guid.rb
+- lib/daffy_lib/concerns/partition_provider.rb
+- lib/daffy_lib/models/application_record.rb
+- lib/daffy_lib/models/encryption_key.rb
+- lib/daffy_lib/railtie.rb
+- lib/daffy_lib/services/key_management_service.rb
+- lib/daffy_lib/validators/string_validator.rb
+- lib/daffy_lib/version.rb
+- lib/tasks/db_tasks.rake
+homepage: https://github.com/Zetatango/daffy_lib
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: A library for caching encryptor
+test_files: []