daffy_lib 0.1.0

Sign up to get free protection for your applications and to get access to all the features.
@@ -0,0 +1,9 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'active_record'
4
+
5
+ class DaffyLib::ApplicationRecord < ActiveRecord::Base
6
+ include DaffyLib::HasGuid
7
+
8
+ self.abstract_class = true
9
+ end
@@ -0,0 +1,16 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'daffy_lib/validators/string_validator'
4
+
5
+ class DaffyLib::EncryptionKey < DaffyLib::ApplicationRecord
6
+ include DaffyLib::HasGuid
7
+
8
+ has_guid 'dek'
9
+
10
+ validates :partition_guid, presence: true, allow_blank: false
11
+ validates :key_epoch, presence: true, allow_blank: false, uniqueness: { scope: :partition_guid }
12
+ validates :encrypted_data_encryption_key, presence: true, allow_blank: false
13
+ validates :version, presence: true, allow_blank: false
14
+
15
+ validates_with DaffyLib::StringValidator, fields: %i[guid partition_guid encrypted_data_encryption_key version]
16
+ end
@@ -0,0 +1,12 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'daffy_lib'
4
+ require 'rails'
5
+
6
+ # :nocov:
7
+ class DaffyLib::Railtie < Rails::Railtie
8
+ rake_tasks do
9
+ load 'tasks/db_tasks.rake'
10
+ end
11
+ end
12
+ # :nocov:
@@ -0,0 +1,106 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'logger'
4
+
5
+ class DaffyLib::KeyManagementService
6
+ class KeyManagementServiceException < StandardError; end
7
+ class InvalidParameterException < KeyManagementServiceException; end
8
+ class KeyGenerationException < KeyManagementServiceException; end
9
+ class KeyCreateException < KeyManagementServiceException; end
10
+ class KeyRetrieveException < KeyManagementServiceException; end
11
+
12
+ KEY_MANAGEMENT_SERVICE_CACHE_NAMESPACE = :key_management_service
13
+ KEY_VERSION = 'KeyManagementService::V1'
14
+
15
+ RECORD_NOT_UNIQUE_REGEX = /has already been taken/.freeze
16
+
17
+ def initialize(partition_guid, expires_in, cmk_key_id)
18
+ raise InvalidParameterException unless partition_guid.present? && expires_in.present? && cmk_key_id.present?
19
+
20
+ @partition_guid = partition_guid
21
+ @expire_in = expires_in
22
+ @cmk_key_id = cmk_key_id
23
+ end
24
+
25
+ def self.encryption_key_epoch(datetime)
26
+ datetime.utc.beginning_of_year
27
+ end
28
+
29
+ def find_or_create_encryption_key(encryption_epoch)
30
+ find(encryption_epoch) || create(encryption_epoch)
31
+ end
32
+
33
+ def retrieve_plaintext_key(encryption_key)
34
+ raise InvalidParameterException unless encryption_key.present?
35
+
36
+ read_plaintext_key(encryption_key) || decrypt_encryption_key(encryption_key)
37
+ end
38
+
39
+ private
40
+
41
+ def read_plaintext_key(encryption_key)
42
+ Rails.cache.read(encryption_key.guid, namespace: KEY_MANAGEMENT_SERVICE_CACHE_NAMESPACE)
43
+ rescue Redis::BaseError => e
44
+ Rails.logger.error("Failed to read cache for encryption key #{encryption_key.guid}: #{e.message}")
45
+
46
+ nil
47
+ end
48
+
49
+ def decrypt_encryption_key(encryption_key)
50
+ decoded_key = Base64.decode64(encryption_key.encrypted_data_encryption_key)
51
+
52
+ plaintext_key = PorkyLib::Symmetric.instance.decrypt_data_encryption_key(decoded_key)
53
+
54
+ cache_plaintext_key(encryption_key, plaintext_key)
55
+
56
+ plaintext_key
57
+ rescue Aws::Errors::ServiceError => e
58
+ Rails.logger.error("Failed to decrypt data encryption key: #{e.message}")
59
+
60
+ raise KeyRetrieveException
61
+ end
62
+
63
+ def cache_plaintext_key(encryption_key, plaintext_key)
64
+ Rails.cache.write(encryption_key.guid, plaintext_key, namespace: KEY_MANAGEMENT_SERVICE_CACHE_NAMESPACE,
65
+ expires_in: @expires_in)
66
+ rescue Redis::BaseError => e
67
+ Rails.logger.error("Failed to cache encryption key: #{e.message}")
68
+ end
69
+
70
+ def create(encryption_epoch)
71
+ plaintext_key, data_encryption_key = PorkyLib::Symmetric.instance.generate_data_encryption_key(@cmk_key_id)
72
+
73
+ encoded_key = Base64.encode64(data_encryption_key)
74
+
75
+ key = DaffyLib::EncryptionKey.create!(partition_guid: @partition_guid, key_epoch: encryption_epoch,
76
+ encrypted_data_encryption_key: encoded_key, version: KEY_VERSION)
77
+
78
+ cache_plaintext_key(key, plaintext_key)
79
+
80
+ key
81
+ rescue Aws::Errors::ServiceError => e
82
+ Rails.logger.error("Failed to generate data encryption key: #{e.message}")
83
+
84
+ raise KeyGenerationException
85
+ rescue ActiveRecord::RecordInvalid => e
86
+ Rails.logger.error("Failed to save encryption key: #{e.message}")
87
+
88
+ raise KeyCreateException unless e.message.match?(RECORD_NOT_UNIQUE_REGEX)
89
+
90
+ Rails.logger.info('Retrying find after failed EncryptionKey create')
91
+
92
+ find(encryption_epoch)
93
+ rescue ActiveRecord::RecordNotUnique => e
94
+ Rails.logger.error("Failed to save encryption key, retrying find: #{e.message}")
95
+
96
+ find(encryption_epoch)
97
+ rescue ActiveRecord::ActiveRecordError => e
98
+ Rails.logger.error("Failed to save encryption key: #{e.message}")
99
+
100
+ raise KeyCreateException
101
+ end
102
+
103
+ def find(encryption_epoch)
104
+ DaffyLib::EncryptionKey.find_by(partition_guid: @partition_guid, key_epoch: encryption_epoch)
105
+ end
106
+ end
@@ -0,0 +1,18 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'active_model'
4
+ require 'action_controller'
5
+
6
+ class DaffyLib::StringValidator < ActiveModel::Validator
7
+ def validate(record)
8
+ return if options[:fields].blank?
9
+
10
+ options[:fields].each do |field|
11
+ return false unless record.errors.messages.blank?
12
+
13
+ sanitized_attr = ActionController::Base.helpers.sanitize(record[field])
14
+ decoded_attr = Nokogiri::HTML.parse(sanitized_attr.to_s)
15
+ record.errors[:field] << 'contains invalid characters...' unless record[field] == decoded_attr.text || record[field].blank?
16
+ end
17
+ end
18
+ end
@@ -0,0 +1,5 @@
1
+ # frozen_string_literal: true
2
+
3
+ module DaffyLib
4
+ VERSION = "0.1.0"
5
+ end
@@ -0,0 +1,29 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'active_record'
4
+ require 'active_support'
5
+
6
+ namespace :db do
7
+ namespace :migrate do
8
+ desc "Migrates the database by adding partition_guid and encryption_epoch to the specified model (must specify :model)"
9
+ task :add_encryption_fields, [:model] => :environment do |_, args|
10
+ model = args[:model].camelize
11
+
12
+ abort 'Need to provide `model` as argument' if model.blank?
13
+
14
+ `rails generate migration AddEncryptionKeysTo#{model} partition_guid:string \\
15
+ encryption_epoch:datetime`
16
+ end
17
+
18
+ desc "Migrates the database by adding the encryption_keys table"
19
+ task :add_encryption_keys_table do
20
+ `rails generate migration CreateEncryptionKeys guid:string \\
21
+ partition_guid:string \\
22
+ key_epoch:datetime \\
23
+ encrypted_data_encryption_key:string \\
24
+ version:string \\
25
+ created_at:datetime \\
26
+ updated_at:datetime`
27
+ end
28
+ end
29
+ end
metadata ADDED
@@ -0,0 +1,362 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: daffy_lib
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.1.0
5
+ platform: ruby
6
+ authors:
7
+ - Benoît Jeaurond, Weiyun Lu
8
+ autorequire:
9
+ bindir: exe
10
+ cert_chain: []
11
+ date: 2020-01-15 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: attr_encrypted
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - ">="
18
+ - !ruby/object:Gem::Version
19
+ version: '0'
20
+ type: :development
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - ">="
25
+ - !ruby/object:Gem::Version
26
+ version: '0'
27
+ - !ruby/object:Gem::Dependency
28
+ name: bundler
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - ">="
32
+ - !ruby/object:Gem::Version
33
+ version: '0'
34
+ type: :development
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - ">="
39
+ - !ruby/object:Gem::Version
40
+ version: '0'
41
+ - !ruby/object:Gem::Dependency
42
+ name: bundler-audit
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - ">="
46
+ - !ruby/object:Gem::Version
47
+ version: '0'
48
+ type: :development
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - ">="
53
+ - !ruby/object:Gem::Version
54
+ version: '0'
55
+ - !ruby/object:Gem::Dependency
56
+ name: codecov
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - ">="
60
+ - !ruby/object:Gem::Version
61
+ version: '0'
62
+ type: :development
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - ">="
67
+ - !ruby/object:Gem::Version
68
+ version: '0'
69
+ - !ruby/object:Gem::Dependency
70
+ name: factory_bot_rails
71
+ requirement: !ruby/object:Gem::Requirement
72
+ requirements:
73
+ - - ">="
74
+ - !ruby/object:Gem::Version
75
+ version: '0'
76
+ type: :development
77
+ prerelease: false
78
+ version_requirements: !ruby/object:Gem::Requirement
79
+ requirements:
80
+ - - ">="
81
+ - !ruby/object:Gem::Version
82
+ version: '0'
83
+ - !ruby/object:Gem::Dependency
84
+ name: rake
85
+ requirement: !ruby/object:Gem::Requirement
86
+ requirements:
87
+ - - ">="
88
+ - !ruby/object:Gem::Version
89
+ version: '0'
90
+ type: :development
91
+ prerelease: false
92
+ version_requirements: !ruby/object:Gem::Requirement
93
+ requirements:
94
+ - - ">="
95
+ - !ruby/object:Gem::Version
96
+ version: '0'
97
+ - !ruby/object:Gem::Dependency
98
+ name: rspec
99
+ requirement: !ruby/object:Gem::Requirement
100
+ requirements:
101
+ - - ">="
102
+ - !ruby/object:Gem::Version
103
+ version: '0'
104
+ type: :development
105
+ prerelease: false
106
+ version_requirements: !ruby/object:Gem::Requirement
107
+ requirements:
108
+ - - ">="
109
+ - !ruby/object:Gem::Version
110
+ version: '0'
111
+ - !ruby/object:Gem::Dependency
112
+ name: rspec-collection_matchers
113
+ requirement: !ruby/object:Gem::Requirement
114
+ requirements:
115
+ - - ">="
116
+ - !ruby/object:Gem::Version
117
+ version: '0'
118
+ type: :development
119
+ prerelease: false
120
+ version_requirements: !ruby/object:Gem::Requirement
121
+ requirements:
122
+ - - ">="
123
+ - !ruby/object:Gem::Version
124
+ version: '0'
125
+ - !ruby/object:Gem::Dependency
126
+ name: rspec-mocks
127
+ requirement: !ruby/object:Gem::Requirement
128
+ requirements:
129
+ - - ">="
130
+ - !ruby/object:Gem::Version
131
+ version: '0'
132
+ type: :development
133
+ prerelease: false
134
+ version_requirements: !ruby/object:Gem::Requirement
135
+ requirements:
136
+ - - ">="
137
+ - !ruby/object:Gem::Version
138
+ version: '0'
139
+ - !ruby/object:Gem::Dependency
140
+ name: rspec-rails
141
+ requirement: !ruby/object:Gem::Requirement
142
+ requirements:
143
+ - - ">="
144
+ - !ruby/object:Gem::Version
145
+ version: '0'
146
+ type: :development
147
+ prerelease: false
148
+ version_requirements: !ruby/object:Gem::Requirement
149
+ requirements:
150
+ - - ">="
151
+ - !ruby/object:Gem::Version
152
+ version: '0'
153
+ - !ruby/object:Gem::Dependency
154
+ name: rspec_junit_formatter
155
+ requirement: !ruby/object:Gem::Requirement
156
+ requirements:
157
+ - - ">="
158
+ - !ruby/object:Gem::Version
159
+ version: '0'
160
+ type: :development
161
+ prerelease: false
162
+ version_requirements: !ruby/object:Gem::Requirement
163
+ requirements:
164
+ - - ">="
165
+ - !ruby/object:Gem::Version
166
+ version: '0'
167
+ - !ruby/object:Gem::Dependency
168
+ name: rubocop
169
+ requirement: !ruby/object:Gem::Requirement
170
+ requirements:
171
+ - - ">="
172
+ - !ruby/object:Gem::Version
173
+ version: '0'
174
+ type: :development
175
+ prerelease: false
176
+ version_requirements: !ruby/object:Gem::Requirement
177
+ requirements:
178
+ - - ">="
179
+ - !ruby/object:Gem::Version
180
+ version: '0'
181
+ - !ruby/object:Gem::Dependency
182
+ name: rubocop-performance
183
+ requirement: !ruby/object:Gem::Requirement
184
+ requirements:
185
+ - - ">="
186
+ - !ruby/object:Gem::Version
187
+ version: '0'
188
+ type: :development
189
+ prerelease: false
190
+ version_requirements: !ruby/object:Gem::Requirement
191
+ requirements:
192
+ - - ">="
193
+ - !ruby/object:Gem::Version
194
+ version: '0'
195
+ - !ruby/object:Gem::Dependency
196
+ name: rubocop-rspec
197
+ requirement: !ruby/object:Gem::Requirement
198
+ requirements:
199
+ - - ">="
200
+ - !ruby/object:Gem::Version
201
+ version: '0'
202
+ type: :development
203
+ prerelease: false
204
+ version_requirements: !ruby/object:Gem::Requirement
205
+ requirements:
206
+ - - ">="
207
+ - !ruby/object:Gem::Version
208
+ version: '0'
209
+ - !ruby/object:Gem::Dependency
210
+ name: rubocop_runner
211
+ requirement: !ruby/object:Gem::Requirement
212
+ requirements:
213
+ - - ">="
214
+ - !ruby/object:Gem::Version
215
+ version: '0'
216
+ type: :development
217
+ prerelease: false
218
+ version_requirements: !ruby/object:Gem::Requirement
219
+ requirements:
220
+ - - ">="
221
+ - !ruby/object:Gem::Version
222
+ version: '0'
223
+ - !ruby/object:Gem::Dependency
224
+ name: simplecov
225
+ requirement: !ruby/object:Gem::Requirement
226
+ requirements:
227
+ - - ">="
228
+ - !ruby/object:Gem::Version
229
+ version: '0'
230
+ type: :development
231
+ prerelease: false
232
+ version_requirements: !ruby/object:Gem::Requirement
233
+ requirements:
234
+ - - ">="
235
+ - !ruby/object:Gem::Version
236
+ version: '0'
237
+ - !ruby/object:Gem::Dependency
238
+ name: sqlite3
239
+ requirement: !ruby/object:Gem::Requirement
240
+ requirements:
241
+ - - ">="
242
+ - !ruby/object:Gem::Version
243
+ version: '0'
244
+ type: :development
245
+ prerelease: false
246
+ version_requirements: !ruby/object:Gem::Requirement
247
+ requirements:
248
+ - - ">="
249
+ - !ruby/object:Gem::Version
250
+ version: '0'
251
+ - !ruby/object:Gem::Dependency
252
+ name: timecop
253
+ requirement: !ruby/object:Gem::Requirement
254
+ requirements:
255
+ - - ">="
256
+ - !ruby/object:Gem::Version
257
+ version: '0'
258
+ type: :development
259
+ prerelease: false
260
+ version_requirements: !ruby/object:Gem::Requirement
261
+ requirements:
262
+ - - ">="
263
+ - !ruby/object:Gem::Version
264
+ version: '0'
265
+ - !ruby/object:Gem::Dependency
266
+ name: porky_lib
267
+ requirement: !ruby/object:Gem::Requirement
268
+ requirements:
269
+ - - ">="
270
+ - !ruby/object:Gem::Version
271
+ version: '0'
272
+ type: :runtime
273
+ prerelease: false
274
+ version_requirements: !ruby/object:Gem::Requirement
275
+ requirements:
276
+ - - ">="
277
+ - !ruby/object:Gem::Version
278
+ version: '0'
279
+ - !ruby/object:Gem::Dependency
280
+ name: rails
281
+ requirement: !ruby/object:Gem::Requirement
282
+ requirements:
283
+ - - ">="
284
+ - !ruby/object:Gem::Version
285
+ version: '0'
286
+ type: :runtime
287
+ prerelease: false
288
+ version_requirements: !ruby/object:Gem::Requirement
289
+ requirements:
290
+ - - ">="
291
+ - !ruby/object:Gem::Version
292
+ version: '0'
293
+ - !ruby/object:Gem::Dependency
294
+ name: redis
295
+ requirement: !ruby/object:Gem::Requirement
296
+ requirements:
297
+ - - ">="
298
+ - !ruby/object:Gem::Version
299
+ version: '0'
300
+ type: :runtime
301
+ prerelease: false
302
+ version_requirements: !ruby/object:Gem::Requirement
303
+ requirements:
304
+ - - ">="
305
+ - !ruby/object:Gem::Version
306
+ version: '0'
307
+ description:
308
+ email:
309
+ - weiyun.lu@arioplatform.com
310
+ executables: []
311
+ extensions: []
312
+ extra_rdoc_files: []
313
+ files:
314
+ - ".circleci/config.yml"
315
+ - ".github/pull_request_template.md"
316
+ - ".gitignore"
317
+ - ".rspec"
318
+ - ".rubocop.yml"
319
+ - CODEOWNERS
320
+ - Gemfile
321
+ - Gemfile.lock
322
+ - README.md
323
+ - Rakefile
324
+ - SECURITY.MD
325
+ - bin/console
326
+ - bin/setup
327
+ - daffy_lib.gemspec
328
+ - lib/daffy_lib.rb
329
+ - lib/daffy_lib/caching_encryptor.rb
330
+ - lib/daffy_lib/concerns/has_encrypted_attributes.rb
331
+ - lib/daffy_lib/concerns/has_guid.rb
332
+ - lib/daffy_lib/concerns/partition_provider.rb
333
+ - lib/daffy_lib/models/application_record.rb
334
+ - lib/daffy_lib/models/encryption_key.rb
335
+ - lib/daffy_lib/railtie.rb
336
+ - lib/daffy_lib/services/key_management_service.rb
337
+ - lib/daffy_lib/validators/string_validator.rb
338
+ - lib/daffy_lib/version.rb
339
+ - lib/tasks/db_tasks.rake
340
+ homepage: https://github.com/Zetatango/daffy_lib
341
+ licenses: []
342
+ metadata: {}
343
+ post_install_message:
344
+ rdoc_options: []
345
+ require_paths:
346
+ - lib
347
+ required_ruby_version: !ruby/object:Gem::Requirement
348
+ requirements:
349
+ - - ">="
350
+ - !ruby/object:Gem::Version
351
+ version: '0'
352
+ required_rubygems_version: !ruby/object:Gem::Requirement
353
+ requirements:
354
+ - - ">="
355
+ - !ruby/object:Gem::Version
356
+ version: '0'
357
+ requirements: []
358
+ rubygems_version: 3.0.3
359
+ signing_key:
360
+ specification_version: 4
361
+ summary: A library for caching encryptor
362
+ test_files: []