daffy_lib 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,9 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'active_record'
4
+
5
+ class DaffyLib::ApplicationRecord < ActiveRecord::Base
6
+ include DaffyLib::HasGuid
7
+
8
+ self.abstract_class = true
9
+ end
@@ -0,0 +1,16 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'daffy_lib/validators/string_validator'
4
+
5
+ class DaffyLib::EncryptionKey < DaffyLib::ApplicationRecord
6
+ include DaffyLib::HasGuid
7
+
8
+ has_guid 'dek'
9
+
10
+ validates :partition_guid, presence: true, allow_blank: false
11
+ validates :key_epoch, presence: true, allow_blank: false, uniqueness: { scope: :partition_guid }
12
+ validates :encrypted_data_encryption_key, presence: true, allow_blank: false
13
+ validates :version, presence: true, allow_blank: false
14
+
15
+ validates_with DaffyLib::StringValidator, fields: %i[guid partition_guid encrypted_data_encryption_key version]
16
+ end
@@ -0,0 +1,12 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'daffy_lib'
4
+ require 'rails'
5
+
6
+ # :nocov:
7
+ class DaffyLib::Railtie < Rails::Railtie
8
+ rake_tasks do
9
+ load 'tasks/db_tasks.rake'
10
+ end
11
+ end
12
+ # :nocov:
@@ -0,0 +1,106 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'logger'
4
+
5
+ class DaffyLib::KeyManagementService
6
+ class KeyManagementServiceException < StandardError; end
7
+ class InvalidParameterException < KeyManagementServiceException; end
8
+ class KeyGenerationException < KeyManagementServiceException; end
9
+ class KeyCreateException < KeyManagementServiceException; end
10
+ class KeyRetrieveException < KeyManagementServiceException; end
11
+
12
+ KEY_MANAGEMENT_SERVICE_CACHE_NAMESPACE = :key_management_service
13
+ KEY_VERSION = 'KeyManagementService::V1'
14
+
15
+ RECORD_NOT_UNIQUE_REGEX = /has already been taken/.freeze
16
+
17
+ def initialize(partition_guid, expires_in, cmk_key_id)
18
+ raise InvalidParameterException unless partition_guid.present? && expires_in.present? && cmk_key_id.present?
19
+
20
+ @partition_guid = partition_guid
21
+ @expire_in = expires_in
22
+ @cmk_key_id = cmk_key_id
23
+ end
24
+
25
+ def self.encryption_key_epoch(datetime)
26
+ datetime.utc.beginning_of_year
27
+ end
28
+
29
+ def find_or_create_encryption_key(encryption_epoch)
30
+ find(encryption_epoch) || create(encryption_epoch)
31
+ end
32
+
33
+ def retrieve_plaintext_key(encryption_key)
34
+ raise InvalidParameterException unless encryption_key.present?
35
+
36
+ read_plaintext_key(encryption_key) || decrypt_encryption_key(encryption_key)
37
+ end
38
+
39
+ private
40
+
41
+ def read_plaintext_key(encryption_key)
42
+ Rails.cache.read(encryption_key.guid, namespace: KEY_MANAGEMENT_SERVICE_CACHE_NAMESPACE)
43
+ rescue Redis::BaseError => e
44
+ Rails.logger.error("Failed to read cache for encryption key #{encryption_key.guid}: #{e.message}")
45
+
46
+ nil
47
+ end
48
+
49
+ def decrypt_encryption_key(encryption_key)
50
+ decoded_key = Base64.decode64(encryption_key.encrypted_data_encryption_key)
51
+
52
+ plaintext_key = PorkyLib::Symmetric.instance.decrypt_data_encryption_key(decoded_key)
53
+
54
+ cache_plaintext_key(encryption_key, plaintext_key)
55
+
56
+ plaintext_key
57
+ rescue Aws::Errors::ServiceError => e
58
+ Rails.logger.error("Failed to decrypt data encryption key: #{e.message}")
59
+
60
+ raise KeyRetrieveException
61
+ end
62
+
63
+ def cache_plaintext_key(encryption_key, plaintext_key)
64
+ Rails.cache.write(encryption_key.guid, plaintext_key, namespace: KEY_MANAGEMENT_SERVICE_CACHE_NAMESPACE,
65
+ expires_in: @expires_in)
66
+ rescue Redis::BaseError => e
67
+ Rails.logger.error("Failed to cache encryption key: #{e.message}")
68
+ end
69
+
70
+ def create(encryption_epoch)
71
+ plaintext_key, data_encryption_key = PorkyLib::Symmetric.instance.generate_data_encryption_key(@cmk_key_id)
72
+
73
+ encoded_key = Base64.encode64(data_encryption_key)
74
+
75
+ key = DaffyLib::EncryptionKey.create!(partition_guid: @partition_guid, key_epoch: encryption_epoch,
76
+ encrypted_data_encryption_key: encoded_key, version: KEY_VERSION)
77
+
78
+ cache_plaintext_key(key, plaintext_key)
79
+
80
+ key
81
+ rescue Aws::Errors::ServiceError => e
82
+ Rails.logger.error("Failed to generate data encryption key: #{e.message}")
83
+
84
+ raise KeyGenerationException
85
+ rescue ActiveRecord::RecordInvalid => e
86
+ Rails.logger.error("Failed to save encryption key: #{e.message}")
87
+
88
+ raise KeyCreateException unless e.message.match?(RECORD_NOT_UNIQUE_REGEX)
89
+
90
+ Rails.logger.info('Retrying find after failed EncryptionKey create')
91
+
92
+ find(encryption_epoch)
93
+ rescue ActiveRecord::RecordNotUnique => e
94
+ Rails.logger.error("Failed to save encryption key, retrying find: #{e.message}")
95
+
96
+ find(encryption_epoch)
97
+ rescue ActiveRecord::ActiveRecordError => e
98
+ Rails.logger.error("Failed to save encryption key: #{e.message}")
99
+
100
+ raise KeyCreateException
101
+ end
102
+
103
+ def find(encryption_epoch)
104
+ DaffyLib::EncryptionKey.find_by(partition_guid: @partition_guid, key_epoch: encryption_epoch)
105
+ end
106
+ end
@@ -0,0 +1,18 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'active_model'
4
+ require 'action_controller'
5
+
6
+ class DaffyLib::StringValidator < ActiveModel::Validator
7
+ def validate(record)
8
+ return if options[:fields].blank?
9
+
10
+ options[:fields].each do |field|
11
+ return false unless record.errors.messages.blank?
12
+
13
+ sanitized_attr = ActionController::Base.helpers.sanitize(record[field])
14
+ decoded_attr = Nokogiri::HTML.parse(sanitized_attr.to_s)
15
+ record.errors[:field] << 'contains invalid characters...' unless record[field] == decoded_attr.text || record[field].blank?
16
+ end
17
+ end
18
+ end
@@ -0,0 +1,5 @@
1
+ # frozen_string_literal: true
2
+
3
+ module DaffyLib
4
+ VERSION = "0.1.0"
5
+ end
@@ -0,0 +1,29 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'active_record'
4
+ require 'active_support'
5
+
6
+ namespace :db do
7
+ namespace :migrate do
8
+ desc "Migrates the database by adding partition_guid and encryption_epoch to the specified model (must specify :model)"
9
+ task :add_encryption_fields, [:model] => :environment do |_, args|
10
+ model = args[:model].camelize
11
+
12
+ abort 'Need to provide `model` as argument' if model.blank?
13
+
14
+ `rails generate migration AddEncryptionKeysTo#{model} partition_guid:string \\
15
+ encryption_epoch:datetime`
16
+ end
17
+
18
+ desc "Migrates the database by adding the encryption_keys table"
19
+ task :add_encryption_keys_table do
20
+ `rails generate migration CreateEncryptionKeys guid:string \\
21
+ partition_guid:string \\
22
+ key_epoch:datetime \\
23
+ encrypted_data_encryption_key:string \\
24
+ version:string \\
25
+ created_at:datetime \\
26
+ updated_at:datetime`
27
+ end
28
+ end
29
+ end
metadata ADDED
@@ -0,0 +1,362 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: daffy_lib
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.1.0
5
+ platform: ruby
6
+ authors:
7
+ - Benoît Jeaurond, Weiyun Lu
8
+ autorequire:
9
+ bindir: exe
10
+ cert_chain: []
11
+ date: 2020-01-15 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: attr_encrypted
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - ">="
18
+ - !ruby/object:Gem::Version
19
+ version: '0'
20
+ type: :development
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - ">="
25
+ - !ruby/object:Gem::Version
26
+ version: '0'
27
+ - !ruby/object:Gem::Dependency
28
+ name: bundler
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - ">="
32
+ - !ruby/object:Gem::Version
33
+ version: '0'
34
+ type: :development
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - ">="
39
+ - !ruby/object:Gem::Version
40
+ version: '0'
41
+ - !ruby/object:Gem::Dependency
42
+ name: bundler-audit
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - ">="
46
+ - !ruby/object:Gem::Version
47
+ version: '0'
48
+ type: :development
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - ">="
53
+ - !ruby/object:Gem::Version
54
+ version: '0'
55
+ - !ruby/object:Gem::Dependency
56
+ name: codecov
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - ">="
60
+ - !ruby/object:Gem::Version
61
+ version: '0'
62
+ type: :development
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - ">="
67
+ - !ruby/object:Gem::Version
68
+ version: '0'
69
+ - !ruby/object:Gem::Dependency
70
+ name: factory_bot_rails
71
+ requirement: !ruby/object:Gem::Requirement
72
+ requirements:
73
+ - - ">="
74
+ - !ruby/object:Gem::Version
75
+ version: '0'
76
+ type: :development
77
+ prerelease: false
78
+ version_requirements: !ruby/object:Gem::Requirement
79
+ requirements:
80
+ - - ">="
81
+ - !ruby/object:Gem::Version
82
+ version: '0'
83
+ - !ruby/object:Gem::Dependency
84
+ name: rake
85
+ requirement: !ruby/object:Gem::Requirement
86
+ requirements:
87
+ - - ">="
88
+ - !ruby/object:Gem::Version
89
+ version: '0'
90
+ type: :development
91
+ prerelease: false
92
+ version_requirements: !ruby/object:Gem::Requirement
93
+ requirements:
94
+ - - ">="
95
+ - !ruby/object:Gem::Version
96
+ version: '0'
97
+ - !ruby/object:Gem::Dependency
98
+ name: rspec
99
+ requirement: !ruby/object:Gem::Requirement
100
+ requirements:
101
+ - - ">="
102
+ - !ruby/object:Gem::Version
103
+ version: '0'
104
+ type: :development
105
+ prerelease: false
106
+ version_requirements: !ruby/object:Gem::Requirement
107
+ requirements:
108
+ - - ">="
109
+ - !ruby/object:Gem::Version
110
+ version: '0'
111
+ - !ruby/object:Gem::Dependency
112
+ name: rspec-collection_matchers
113
+ requirement: !ruby/object:Gem::Requirement
114
+ requirements:
115
+ - - ">="
116
+ - !ruby/object:Gem::Version
117
+ version: '0'
118
+ type: :development
119
+ prerelease: false
120
+ version_requirements: !ruby/object:Gem::Requirement
121
+ requirements:
122
+ - - ">="
123
+ - !ruby/object:Gem::Version
124
+ version: '0'
125
+ - !ruby/object:Gem::Dependency
126
+ name: rspec-mocks
127
+ requirement: !ruby/object:Gem::Requirement
128
+ requirements:
129
+ - - ">="
130
+ - !ruby/object:Gem::Version
131
+ version: '0'
132
+ type: :development
133
+ prerelease: false
134
+ version_requirements: !ruby/object:Gem::Requirement
135
+ requirements:
136
+ - - ">="
137
+ - !ruby/object:Gem::Version
138
+ version: '0'
139
+ - !ruby/object:Gem::Dependency
140
+ name: rspec-rails
141
+ requirement: !ruby/object:Gem::Requirement
142
+ requirements:
143
+ - - ">="
144
+ - !ruby/object:Gem::Version
145
+ version: '0'
146
+ type: :development
147
+ prerelease: false
148
+ version_requirements: !ruby/object:Gem::Requirement
149
+ requirements:
150
+ - - ">="
151
+ - !ruby/object:Gem::Version
152
+ version: '0'
153
+ - !ruby/object:Gem::Dependency
154
+ name: rspec_junit_formatter
155
+ requirement: !ruby/object:Gem::Requirement
156
+ requirements:
157
+ - - ">="
158
+ - !ruby/object:Gem::Version
159
+ version: '0'
160
+ type: :development
161
+ prerelease: false
162
+ version_requirements: !ruby/object:Gem::Requirement
163
+ requirements:
164
+ - - ">="
165
+ - !ruby/object:Gem::Version
166
+ version: '0'
167
+ - !ruby/object:Gem::Dependency
168
+ name: rubocop
169
+ requirement: !ruby/object:Gem::Requirement
170
+ requirements:
171
+ - - ">="
172
+ - !ruby/object:Gem::Version
173
+ version: '0'
174
+ type: :development
175
+ prerelease: false
176
+ version_requirements: !ruby/object:Gem::Requirement
177
+ requirements:
178
+ - - ">="
179
+ - !ruby/object:Gem::Version
180
+ version: '0'
181
+ - !ruby/object:Gem::Dependency
182
+ name: rubocop-performance
183
+ requirement: !ruby/object:Gem::Requirement
184
+ requirements:
185
+ - - ">="
186
+ - !ruby/object:Gem::Version
187
+ version: '0'
188
+ type: :development
189
+ prerelease: false
190
+ version_requirements: !ruby/object:Gem::Requirement
191
+ requirements:
192
+ - - ">="
193
+ - !ruby/object:Gem::Version
194
+ version: '0'
195
+ - !ruby/object:Gem::Dependency
196
+ name: rubocop-rspec
197
+ requirement: !ruby/object:Gem::Requirement
198
+ requirements:
199
+ - - ">="
200
+ - !ruby/object:Gem::Version
201
+ version: '0'
202
+ type: :development
203
+ prerelease: false
204
+ version_requirements: !ruby/object:Gem::Requirement
205
+ requirements:
206
+ - - ">="
207
+ - !ruby/object:Gem::Version
208
+ version: '0'
209
+ - !ruby/object:Gem::Dependency
210
+ name: rubocop_runner
211
+ requirement: !ruby/object:Gem::Requirement
212
+ requirements:
213
+ - - ">="
214
+ - !ruby/object:Gem::Version
215
+ version: '0'
216
+ type: :development
217
+ prerelease: false
218
+ version_requirements: !ruby/object:Gem::Requirement
219
+ requirements:
220
+ - - ">="
221
+ - !ruby/object:Gem::Version
222
+ version: '0'
223
+ - !ruby/object:Gem::Dependency
224
+ name: simplecov
225
+ requirement: !ruby/object:Gem::Requirement
226
+ requirements:
227
+ - - ">="
228
+ - !ruby/object:Gem::Version
229
+ version: '0'
230
+ type: :development
231
+ prerelease: false
232
+ version_requirements: !ruby/object:Gem::Requirement
233
+ requirements:
234
+ - - ">="
235
+ - !ruby/object:Gem::Version
236
+ version: '0'
237
+ - !ruby/object:Gem::Dependency
238
+ name: sqlite3
239
+ requirement: !ruby/object:Gem::Requirement
240
+ requirements:
241
+ - - ">="
242
+ - !ruby/object:Gem::Version
243
+ version: '0'
244
+ type: :development
245
+ prerelease: false
246
+ version_requirements: !ruby/object:Gem::Requirement
247
+ requirements:
248
+ - - ">="
249
+ - !ruby/object:Gem::Version
250
+ version: '0'
251
+ - !ruby/object:Gem::Dependency
252
+ name: timecop
253
+ requirement: !ruby/object:Gem::Requirement
254
+ requirements:
255
+ - - ">="
256
+ - !ruby/object:Gem::Version
257
+ version: '0'
258
+ type: :development
259
+ prerelease: false
260
+ version_requirements: !ruby/object:Gem::Requirement
261
+ requirements:
262
+ - - ">="
263
+ - !ruby/object:Gem::Version
264
+ version: '0'
265
+ - !ruby/object:Gem::Dependency
266
+ name: porky_lib
267
+ requirement: !ruby/object:Gem::Requirement
268
+ requirements:
269
+ - - ">="
270
+ - !ruby/object:Gem::Version
271
+ version: '0'
272
+ type: :runtime
273
+ prerelease: false
274
+ version_requirements: !ruby/object:Gem::Requirement
275
+ requirements:
276
+ - - ">="
277
+ - !ruby/object:Gem::Version
278
+ version: '0'
279
+ - !ruby/object:Gem::Dependency
280
+ name: rails
281
+ requirement: !ruby/object:Gem::Requirement
282
+ requirements:
283
+ - - ">="
284
+ - !ruby/object:Gem::Version
285
+ version: '0'
286
+ type: :runtime
287
+ prerelease: false
288
+ version_requirements: !ruby/object:Gem::Requirement
289
+ requirements:
290
+ - - ">="
291
+ - !ruby/object:Gem::Version
292
+ version: '0'
293
+ - !ruby/object:Gem::Dependency
294
+ name: redis
295
+ requirement: !ruby/object:Gem::Requirement
296
+ requirements:
297
+ - - ">="
298
+ - !ruby/object:Gem::Version
299
+ version: '0'
300
+ type: :runtime
301
+ prerelease: false
302
+ version_requirements: !ruby/object:Gem::Requirement
303
+ requirements:
304
+ - - ">="
305
+ - !ruby/object:Gem::Version
306
+ version: '0'
307
+ description:
308
+ email:
309
+ - weiyun.lu@arioplatform.com
310
+ executables: []
311
+ extensions: []
312
+ extra_rdoc_files: []
313
+ files:
314
+ - ".circleci/config.yml"
315
+ - ".github/pull_request_template.md"
316
+ - ".gitignore"
317
+ - ".rspec"
318
+ - ".rubocop.yml"
319
+ - CODEOWNERS
320
+ - Gemfile
321
+ - Gemfile.lock
322
+ - README.md
323
+ - Rakefile
324
+ - SECURITY.MD
325
+ - bin/console
326
+ - bin/setup
327
+ - daffy_lib.gemspec
328
+ - lib/daffy_lib.rb
329
+ - lib/daffy_lib/caching_encryptor.rb
330
+ - lib/daffy_lib/concerns/has_encrypted_attributes.rb
331
+ - lib/daffy_lib/concerns/has_guid.rb
332
+ - lib/daffy_lib/concerns/partition_provider.rb
333
+ - lib/daffy_lib/models/application_record.rb
334
+ - lib/daffy_lib/models/encryption_key.rb
335
+ - lib/daffy_lib/railtie.rb
336
+ - lib/daffy_lib/services/key_management_service.rb
337
+ - lib/daffy_lib/validators/string_validator.rb
338
+ - lib/daffy_lib/version.rb
339
+ - lib/tasks/db_tasks.rake
340
+ homepage: https://github.com/Zetatango/daffy_lib
341
+ licenses: []
342
+ metadata: {}
343
+ post_install_message:
344
+ rdoc_options: []
345
+ require_paths:
346
+ - lib
347
+ required_ruby_version: !ruby/object:Gem::Requirement
348
+ requirements:
349
+ - - ">="
350
+ - !ruby/object:Gem::Version
351
+ version: '0'
352
+ required_rubygems_version: !ruby/object:Gem::Requirement
353
+ requirements:
354
+ - - ">="
355
+ - !ruby/object:Gem::Version
356
+ version: '0'
357
+ requirements: []
358
+ rubygems_version: 3.0.3
359
+ signing_key:
360
+ specification_version: 4
361
+ summary: A library for caching encryptor
362
+ test_files: []