e3db 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 8130f8d97af89a3b0dadd56a137f215950df2ff6
+  data.tar.gz: 1d8c7ea1c68e443417fe8426ae742e3546f3e378
+SHA512:
+  metadata.gz: 40e554e311c5c25c8ea9eeffb2a33c0a27073b9d852ae23895b2577f0d279e909c6401eccc60b0725c0e6a395f558b6059a80801b3a4c65566f4f14795c6ede4
+  data.tar.gz: ae4c58bacbeba5924d47a181b2d9e9f179bbdda47bc5987edc3a4baaa8e5b47dc19be87b206042d8832747bf813a9e2468c6414c3063715937a71629e2f591b6

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+.integration-test.json

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.0.0
+before_install: gem install bundler -v 1.12.3

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in e3db.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (C) 2017, Tozny, LLC.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,142 @@
+
+# Introduction
+
+The Tozny End-to-End Encrypted Database (E3DB) is a storage platform
+with powerful sharing and consent management features.
+[Read more on our blog.](https://tozny.com/blog/announcing-project-e3db-the-end-to-end-encrypted-database/)
+
+E3DB provides a familiar JSON-based NoSQL-style API for reading, writing,
+and querying data stored securely in the cloud.
+
+# Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'e3db'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install e3db
+
+At runtime, you will need the `libsodium` cryptography library
+required by the native RbNaCl Ruby library. On most platforms
+a package is available by default:
+
+```shell
+$ brew install libsodium            (Mac OS X)
+$ apt-get install libsodium-dev     (Ubuntu)
+```
+
+For more information including libsodium installation instructions
+for Windows, see the [libsodium web site](https://download.libsodium.org/doc/installation/).
+
+_Windows Users:_ Make sure to download a recent "MSVC" build. Once downloaded, find the most recent `libsodium.dll` inside the ZIP file and copy it to somewhere in your `PATH`.
+
+## Registering a client
+
+1. Download and install the E3DB Command-Line interface (CLI) from our
+   [GitHub releases page](https://github.com/tozny/e3db-go/releases).
+
+2. Register an account using the CLI:
+
+   ```shell
+   $ e3db register me@mycompany.com
+   ```
+
+   This will create a new default configuration with a randomly
+   generated key pair and API credentials, saving it in `$HOME/.tozny/e3db.json`.
+
+## Loading configuration and creating a client
+
+Use the `E3DB::Config.default` class method to load the default
+client configuration, and pass it to the `E3DB::Client` constructor:
+
+```ruby
+require 'e3db'
+config = E3DB::Config.default
+client = E3DB::Client.new(config)
+```
+
+### Using profiles to manage multiple configurations
+
+The E3DB Command-Line Interface allows you to register and manage
+multiple keys and credentials using _profiles_. To register a new
+client under a different profile:
+
+```shell
+$ e3db register --profile=development developers@mycompany.com
+```
+
+You can then use `E3DB::Config.load_profile` to load a specific profile
+inside your Ruby application:
+
+```ruby
+config = E3DB::Config.load_profile('development')
+client = E3DB::Client.new(config)
+```
+
+## Writing a record
+
+To write new records to the database, first create a blank record
+of the correct type using `E3DB::Client#new_record`. Then fill in
+the fields of the record's `data` hash. Finally, write the record
+to the database with `E3DB::Client#write`, which returns the
+unique ID of the newly created record.
+
+```ruby
+record = client.new_record('contact')
+record.data[:first_name] = 'Jon'
+record.data[:last_name] = 'Snow'
+record.data[:phone] = '555-555-1212'
+record_id = client.write(record)
+printf("Wrote record %s\n", record_id)
+```
+
+## Querying Records
+
+E3DB supports many options for querying records based on the fields
+stored in record metadata. Refer to the API documentation for the
+complete set of options that can be passed to `E3DB::Client#query`.
+
+For example, to list all records of type `contact` and print a
+simple report containing names and phone numbers:
+
+```ruby
+client.query(type: 'contact') do |record|
+  fullname = record.data[:first_name] + ' ' + record.data[:last_name]
+  printf("%-40s %s\n", fullname, record.data[:phone])
+end
+```
+
+## Development
+
+Before running tests, register an `integration-test` profile using
+the E3DB command-line tool:
+
+```shell
+$ e3db -p integration-test register me+test@mycompany.com
+```
+
+After checking out the repo, run `bin/setup` to install dependencies. Then,
+run `rake spec` to run the tests. You can also run `bin/console` for an
+interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`.
+To release a new version, update the version number in `version.rb`, and
+then run `bundle exec rake release`, which will create a git tag for the
+version, push git commits and tags, and push the `.gem` file to
+[rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/tozny/e3db-ruby.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "e3db"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/e3db.gemspec

@@ -0,0 +1,32 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'e3db/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "e3db"
+  spec.version       = E3DB::VERSION
+  spec.authors       = ["Tozny, LLC"]
+  spec.email         = ["info@tozny.com"]
+
+  spec.summary       = %q{e3db client SDK}
+  spec.homepage      = "https://tozny.com/e3db"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.12"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency 'simplecov', '~> 0.14.1'
+
+  spec.add_dependency 'dry-struct', '~> 0.2.1'
+  spec.add_dependency 'lru_redux', '~> 1.1'
+  spec.add_dependency 'rbnacl', '~> 4.0', '>= 4.0.2'
+  spec.add_dependency 'net-http-persistent', '~> 2.9.4'
+  spec.add_dependency 'faraday_middleware', '~> 0.11.0.1'
+  spec.add_dependency 'oauth2', '~> 1.3', '>= 1.3.1'
+end

data/lib/e3db.rb

@@ -0,0 +1,20 @@
+#
+# e3db.rb
+#
+# Copyright (C) 2017, Tozny, LLC.
+# All Rights Reserved.
+#
+
+
+require 'e3db/version'
+require 'e3db/types'
+require 'e3db/config'
+require 'e3db/client'
+require 'e3db/crypto'
+
+# Ruby client library for the Tozny End-to-End Encrypted Database (E3DB) service.
+#
+# @author Tozny, LLC.
+# @version 1.0.0
+module E3DB
+end

data/lib/e3db/client.rb

@@ -0,0 +1,316 @@
+#
+# client.rb --- E3DB API client.
+#
+# Copyright (C) 2017, Tozny, LLC.
+# All Rights Reserved.
+#
+
+
+require 'faraday'
+require 'faraday_middleware'
+require 'oauth2'
+require 'rbnacl'
+require 'base64'
+require 'lru_redux'
+
+module E3DB
+  # Faraday middleware to automatically refresh authentication tokens and
+  # pass them to API requests.
+  class TokenHelper < Faraday::Middleware
+    def initialize(app, client)
+      super(app)
+      @client = client
+      @token = nil
+    end
+
+    def call(env)
+      if @token.nil? or @token.expired?
+        @token = @client.client_credentials.get_token
+      end
+
+      env[:request_headers]['Authorization'] ||= %(Bearer #{@token.token})
+      @app.call env
+    end
+  end
+
+  private_constant :TokenHelper
+
+  # A client's public key information.
+  #
+  # @!attribute curve25519
+  #   @return [String] a Base64URL Encoded Curve25519 public key
+  class PublicKey < Dry::Struct
+    attribute :curve25519, Types::Strict::String
+  end
+
+  # Information sent by the E3DB service about a client.
+  #
+  # @!attribute client_id
+  #   @return [String] the client's unique ID string
+  # @!attribute public_key
+  #   @return [PublicKey] the client's public key information
+  class ClientInfo < Dry::Struct
+    attribute :client_id, Types::Strict::String
+    attribute :public_key, PublicKey
+    attribute :validated, Types::Strict::Bool
+  end
+
+  # Meta-information about an E3DB record, such as who wrote it,
+  # when it was written, and the type of data stored.
+  #
+  # @!attribute record_id
+  #   @return [String,nil] the unique ID of this record, or nil if not yet written
+  # @!attribute writer_id
+  #   @return [String] the client ID that wrote this record
+  # @!attribute user_id
+  #   @return [String] the subject client ID (currently == writer_id)
+  # @!attribute type
+  #   @return [String] a free-form description of record content type
+  # @!attribute plain
+  #   @return [Hash<String, String>] this record's plaintext record metadata
+  # @!attribute created
+  #   @return [Time, nil] when this record was created, or nil if unavailable
+  # @!attribute last_modified
+  #   @return [Time, nil] when this record was last modified, or nil if unavailable
+  class Meta < Dry::Struct
+    attribute :record_id, Types::Strict::String.optional
+    attribute :writer_id, Types::Strict::String
+    attribute :user_id, Types::Strict::String
+    attribute :type, Types::Strict::String
+    attribute :plain, Types::Strict::Hash.default { Hash.new }
+    attribute :created, Types::Json::DateTime.optional
+    attribute :last_modified, Types::Json::DateTime.optional
+  end
+
+  # A E3DB record containing data and metadata. Records are
+  # a key/value mapping containing data serialized
+  # into strings. All records are encrypted prior to sending them
+  # to the server for storage, and decrypted in the client after
+  # they are read.
+  #
+  # The {Client#new_record} method should be used to create a
+  # new record that can be written to the database with
+  # {Client#write}.
+  #
+  # To read a record by their unique ID, use {Client#read}, or to
+  # query a set of records based on their attributes, use {Client#query}.
+  #
+  # @!attribute meta
+  #   @return [Meta] meta-information about this record
+  # @!attribute data
+  #   @return [Hash<String, String>] this record's application-specific data
+  class Record < Dry::Struct
+    attribute :meta, Meta
+    attribute :data, Types::Strict::Hash.default { Hash.new }
+  end
+
+  # A connection to the E3DB service used to perform database operations.
+  #
+  # @!attribute [r] config
+  #   @return [Config] the client configuration object
+  class Client
+    attr_reader :config
+
+    # Create a connection to the E3DB service given a configuration.
+    #
+    # @param config [Config] configuration and credentials to use
+    # @return [Client] a connection to the E3DB service
+    def initialize(config)
+      @config = config
+      @public_key = RbNaCl::PublicKey.new(Crypto.base64decode(@config.public_key))
+      @private_key = RbNaCl::PrivateKey.new(Crypto.base64decode(@config.private_key))
+
+      @ak_cache = LruRedux::ThreadSafeCache.new(1024)
+      @oauth_client = OAuth2::Client.new(
+          config.api_key_id,
+          config.api_secret,
+          :site => config.api_url,
+          :token_url => '/v1/auth/token',
+          :auth_scheme => :basic_auth,
+          :raise_errors => false)
+
+      if config.logging
+        @oauth_client.connection.response :logger, ::Logger.new($stdout)
+      end
+
+      @conn = Faraday.new(DEFAULT_API_URL) do |faraday|
+        faraday.use TokenHelper, @oauth_client
+        faraday.request :json
+        faraday.response :raise_error
+        if config.logging
+          faraday.response :logger, nil, :bodies => true
+        end
+        faraday.adapter :net_http_persistent
+      end
+    end
+
+    # Query the server for information about an E3DB client.
+    #
+    # @param client_id [String] client ID to look up
+    # @return [ClientInfo] information about this client
+    def client_info(client_id)
+      resp = @conn.get(get_url('v1', 'storage', 'clients', client_id))
+      ClientInfo.new(JSON.parse(resp.body, symbolize_names: true))
+    end
+
+    # Query the server for a client's public key.
+    #
+    # @param client_id [String] client ID to look up
+    # @return [RbNaCl::PublicKey] decoded Curve25519 public key
+    def client_key(client_id)
+      if client_id == @config.client_id
+        @public_key
+      else
+        Crypto.decode_public_key(client_info(client_id).public_key.curve25519)
+      end
+    end
+
+    # Read a single record by ID from E3DB and return it without
+    # decrypting the data fields.
+    #
+    # @param record_id [String] record ID to look up
+    # @return [Record] encrypted record object
+    def read_raw(record_id)
+      resp = @conn.get(get_url('v1', 'storage', 'records', record_id))
+      json = JSON.parse(resp.body, symbolize_names: true)
+      Record.new(json)
+    end
+
+    # Read a single record by ID from E3DB and return it.
+    #
+    # @param record_id [String] record ID to look up
+    # @return [Record] decrypted record object
+    def read(record_id)
+      decrypt_record(read_raw(record_id))
+    end
+
+    # Create a new, empty record that can be written to E3DB
+    # by calling {Client#write}.
+    #
+    # @param type [String] free-form content type of this record
+    # @return [Record] an empty record of `type`
+    def new_record(type)
+      id = @config.client_id
+      meta = Meta.new(record_id: nil, writer_id: id, user_id: id,
+                      type: type, plain: Hash.new, created: nil,
+                      last_modified: nil)
+      Record.new(meta: meta, data: Hash.new)
+    end
+
+    # Write a new record to the E3DB storage service.
+    #
+    # Create new records with {Client#new_record}.
+    #
+    # @param record [Record] record to write
+    # @return [String] the unique ID of the written record
+    def write(record)
+      url = get_url('v1', 'storage', 'records')
+      resp = @conn.post(url, encrypt_record(record).to_hash)
+      json = JSON.parse(resp.body, symbolize_names: true)
+      json[:meta][:record_id]
+    end
+
+    # Delete a record from the E3DB storage service.
+    #
+    # @param record_id [String] unique ID of record to delete
+    def delete(record_id)
+      resp = @conn.delete(get_url('v1', 'storage', 'records', record_id))
+    end
+
+    class Query < Dry::Struct
+      attribute :count,         Types::Int
+      attribute :include_data,  Types::Bool.optional
+      attribute :writer_ids,    Types::Coercible::Array.member(Types::String).optional
+      attribute :user_ids,      Types::Coercible::Array.member(Types::String).optional
+      attribute :record_ids,    Types::Coercible::Array.member(Types::String).optional
+      attribute :content_types, Types::Coercible::Array.member(Types::String).optional
+      attribute :plain,         Types::Hash.optional
+      attribute :after_index,   Types::Int.optional
+
+      def after_index=(index)
+        @after_index = index
+      end
+
+      def as_json
+        JSON.generate(to_hash.reject { |k, v| v.nil? })
+      end
+    end
+
+    private_constant :Query
+
+    DEFAULT_QUERY_COUNT = 100
+    private_constant :DEFAULT_QUERY_COUNT
+
+    # Query E3DB records according to a set of selection criteria.
+    #
+    # Each record (optionally including data) is yielded to the block
+    # argument.
+    #
+    # @param writer [String,Array<String>] select records written by these client IDs
+    # @param record [String,Array<String>] select records with these record IDs
+    # @param type [String,Array<string>] select records with these types
+    # @param plain [Hash] plaintext query expression to select
+    # @param data [Boolean] include data in records
+    # @param raw [Boolean] when true don't decrypt record data
+    def query(data: true, raw: false, writer: nil, record: nil, type: nil, plain: nil)
+      q = Query.new(after_index: 0, include_data: data, writer_ids: writer,
+                    record_ids: record, content_types: type, plain: plain,
+                    user_ids: nil, count: DEFAULT_QUERY_COUNT)
+      url = get_url('v1', 'storage', 'search')
+      loop do
+        resp = @conn.post(url, q.as_json)
+        json = JSON.parse(resp.body, symbolize_names: true)
+        results = json[:results]
+        results.each do |r|
+          record = Record.new(meta: r[:meta], data: r[:record_data] || Hash.new)
+          if data && !raw
+            record = decrypt_record(record)
+          end
+          yield record
+        end
+
+        if results.length < q.count
+          break
+        end
+
+        q.after_index = json[:last_index]
+      end
+    end
+
+    # Grant another E3DB client access to records of a particular type.
+    #
+    # @param type [String] type of records to share
+    # @param reader_id [String] client ID of reader to grant access to
+    def share(type, reader_id)
+      if reader_id == @config.client_id
+        return
+      end
+
+      id = @config.client_id
+      ak = get_access_key(id, id, id, type)
+      put_access_key(id, id, reader_id, type, ak)
+
+      url = get_url('v1', 'storage', 'policy', id, id, reader_id, type)
+      @conn.put(url, JSON.generate({:allow => [{:read => {}}]}))
+    end
+
+    # Revoke another E3DB client's access to records of a particular type.
+    #
+    # @param type [String] type of records to revoke access to
+    # @param reader_id [String] client ID of reader to revoke access from
+    def revoke(type, reader_id)
+      if reader_id == @config.client_id
+        return
+      end
+
+      id = @config.client_id
+      url = get_url('v1', 'storage', 'policy', id, id, reader_id, type)
+      @conn.put(url, JSON.generate({:deny => [{:read => {}}]}))
+    end
+
+    private
+    def get_url(*paths)
+      sprintf('%s/%s', @config.api_url.chomp('/'), paths.map { |x| URI.escape x }.join('/'))
+    end
+  end
+end

data/lib/e3db/config.rb

@@ -0,0 +1,87 @@
+#
+# config.rb --- E3DB configuration files.
+#
+# Copyright (C) 2017, Tozny, LLC.
+# All Rights Reserved.
+#
+
+
+module E3DB
+  DEFAULT_API_URL = 'https://dev.e3db.com/'
+
+  # Configuration and credentials for E3DB.
+  #
+  # Typically a configuration is loaded from a JSON file generated
+  # during registration via the E3DB administration console
+  # or command-line tool. To load a configuration from a JSON file,
+  # use {Config.load}.
+  #
+  # @!attribute version
+  #   @return [Int] the version number of the configuration format (currently 1)
+  # @!attribute client_id
+  #   @return [String] the client's unique client identifier
+  # @!attribute api_key_id
+  #   @return [String] the client's non-secret API key component
+  # @!attribute api_secret
+  #   @return [String] the client's confidential API key component
+  # @!attribute public_key
+  #   @return [String] the client's Base64URL encoded Curve25519 public key
+  # @!attribute private_key
+  #   @return [String] the client's Base64URL encoded Curve25519 private key
+  # @!attribute api_base_url
+  #   @return [String] the base URL for the E3DB API service
+  # @!attribute auth_base_url
+  #   @return [String] the base URL for the E3DB authentication service
+  # @!attribute logging
+  #   _Warning:_ Log output will contain confidential authentication
+  #   tokens---do not enable in production if log output isn't confidential!
+  #   @return [Boolean] a flag to enable HTTP logging when true
+  class Config < Dry::Struct
+    attribute :version, Types::Int
+    attribute :client_id, Types::String
+    attribute :api_key_id, Types::String
+    attribute :api_secret, Types::String
+    attribute :public_key, Types::String
+    attribute :private_key, Types::String
+    attribute :api_url, Types::String.default(DEFAULT_API_URL)
+    attribute :logging, Types::Bool
+
+    # Load configuration from a JSON file created during registration
+    # or with {Config.save}.
+    #
+    # The configuration file should contain a single JSON object
+    # with the following structure:
+    #
+    #   {
+    #     "version": 1,
+    #     "client_id": "UUID",
+    #     "api_key_id": "API_KEY",
+    #     "api_secret": "API_SECRET",
+    #     "public_key": "PUBLIC_KEY",
+    #     "private_key": "PRIVATE_KEY",
+    #     "api_url": "URL",
+    #  }
+    #
+    # @param filename [String] pathname of JSON configuration to load
+    # @return [Config] the configuration object loaded from the file
+    def self.load(filename)
+      json = JSON.parse(File.read(filename), symbolize_names: true)
+      if json[:version] != 1
+        raise StandardError, "Unsupported config version: #{json[:version]}"
+      end
+      Config.new(json.merge(:logging => false))
+    end
+
+    def self.default
+      return self.load(File.join(Dir.home, '.tozny', 'e3db.json'))
+    end
+
+    def self.load_profile(profile)
+      return self.load(File.join(Dir.home, '.tozny', profile, 'e3db.json'))
+    end
+
+    def logging=(value)
+      @logging = value
+    end
+  end
+end

data/lib/e3db/crypto.rb

@@ -0,0 +1,139 @@
+#
+# crypto.rb --- E3DB cryptographic operations.
+#
+# Copyright (C) 2017, Tozny, LLC.
+# All Rights Reserved.
+#
+
+
+module E3DB
+  class Client
+    private
+    def get_access_key(writer_id, user_id, reader_id, type)
+      ak_cache_key = [writer_id, user_id, type]
+      if @ak_cache.key? ak_cache_key
+        return @ak_cache[ak_cache_key]
+      end
+
+      url = get_url('v1', 'storage', 'access_keys', writer_id, user_id, reader_id, type)
+      resp = @conn.get(url)
+      json = JSON.parse(resp.body, symbolize_names: true)
+
+      k = json[:authorizer_public_key][:curve25519]
+      authorizer_pubkey = Crypto.decode_public_key(k)
+
+      fields     = json[:eak].split('.', 2)
+      ciphertext = Crypto.base64decode(fields[0])
+      nonce      = Crypto.base64decode(fields[1])
+      box        = RbNaCl::Box.new(authorizer_pubkey, @private_key)
+
+      ak = box.decrypt(nonce, ciphertext)
+      @ak_cache[ak_cache_key] = ak
+      ak
+    end
+
+    def put_access_key(writer_id, user_id, reader_id, type, ak)
+      ak_cache_key = [writer_id, user_id, type]
+      @ak_cache[ak_cache_key] = ak
+
+      reader_key = client_key(reader_id)
+      nonce = RbNaCl::Random.random_bytes(RbNaCl::Box.nonce_bytes)
+      eak   = RbNaCl::Box.new(reader_key, @private_key).encrypt(nonce, ak)
+
+      encoded_eak = sprintf('%s.%s', Crypto.base64encode(eak), Crypto.base64encode(nonce))
+
+      url = get_url('v1', 'storage', 'access_keys', writer_id, user_id, reader_id, type)
+      @conn.put(url, { :eak => encoded_eak })
+    end
+
+    def decrypt_record(encrypted_record)
+      record = Record.new(meta: encrypted_record.meta.clone, data: Hash.new)
+
+      writer_id = record.meta.writer_id
+      user_id = record.meta.user_id
+      type = record.meta.type
+      ak = get_access_key(writer_id, user_id, @config.client_id, type)
+
+      encrypted_record.data.each do |k, v|
+        fields = v.split('.', 4)
+
+        edk =  Crypto.base64decode(fields[0])
+        edkN = Crypto.base64decode(fields[1])
+        ef =   Crypto.base64decode(fields[2])
+        efN =  Crypto.base64decode(fields[3])
+
+        dk = RbNaCl::SecretBox.new(ak).decrypt(edkN, edk)
+        pv = RbNaCl::SecretBox.new(dk).decrypt(efN, ef)
+
+        record.data[k] = pv
+      end
+
+      record
+    end
+
+    def encrypt_record(plaintext_record)
+      record = Record.new(meta: plaintext_record.meta.clone, data: Hash.new)
+
+      writer_id = record.meta.writer_id
+      user_id   = record.meta.user_id
+      type      = record.meta.type
+
+      begin
+        ak = get_access_key(writer_id, user_id, @config.client_id, type)
+      rescue Faraday::ResourceNotFound
+        ak = RbNaCl::Random.random_bytes(RbNaCl::SecretBox.key_bytes)
+        put_access_key(writer_id, user_id, @config.client_id, type, ak)
+      end
+
+      plaintext_record.data.each do |k, v|
+        dk =   Crypto.secret_box_random_key
+        efN =  Crypto.secret_box_random_nonce
+        ef =   RbNaCl::SecretBox.new(dk).encrypt(efN, v)
+        edkN = Crypto.secret_box_random_nonce
+        edk =  RbNaCl::SecretBox.new(ak).encrypt(edkN, dk)
+
+        record.data[k] = sprintf('%s.%s.%s.%s',
+                                 Crypto.base64encode(edk), Crypto.base64encode(edkN),
+                                 Crypto.base64encode(ef), Crypto.base64encode(efN))
+      end
+
+      record
+    end
+  end
+
+  class Crypto
+    def self.decode_public_key(s)
+      RbNaCl::PublicKey.new(base64decode(s))
+    end
+
+    def self.encode_public_key(k)
+      base64encode(k.to_bytes)
+    end
+
+    def self.decode_private_key(s)
+      RbNaCl::PrivateKey.new(base64decode(s))
+    end
+
+    def self.encode_private_key(k)
+      base64encode(k.to_bytes)
+    end
+
+    def self.secret_box_random_key
+      RbNaCl::Random.random_bytes(RbNaCl::SecretBox.key_bytes)
+    end
+
+    def self.secret_box_random_nonce
+      RbNaCl::Random.random_bytes(RbNaCl::SecretBox.nonce_bytes)
+    end
+
+    def self.base64encode(x)
+      Base64.urlsafe_encode64(x, padding: false)
+    end
+
+    def self.base64decode(x)
+      Base64.urlsafe_decode64(x)
+    end
+  end
+
+  private_constant :Crypto
+end

data/lib/e3db/types.rb

@@ -0,0 +1,10 @@
+
+require 'dry-struct'
+
+module E3DB
+  module Types
+    include Dry::Types.module
+  end
+
+  private_constant :Types
+end

data/lib/e3db/version.rb

@@ -0,0 +1,3 @@
+module E3DB
+  VERSION = "1.0.0"
+end

metadata

@@ -0,0 +1,212 @@
+--- !ruby/object:Gem::Specification
+name: e3db
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Tozny, LLC
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-05-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.12'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.14.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.14.1
+- !ruby/object:Gem::Dependency
+  name: dry-struct
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.2.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.2.1
+- !ruby/object:Gem::Dependency
+  name: lru_redux
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: rbnacl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '4.0'
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 4.0.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '4.0'
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 4.0.2
+- !ruby/object:Gem::Dependency
+  name: net-http-persistent
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.9.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.9.4
+- !ruby/object:Gem::Dependency
+  name: faraday_middleware
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.11.0.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.11.0.1
+- !ruby/object:Gem::Dependency
+  name: oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 1.3.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 1.3.1
+description: 
+email:
+- info@tozny.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- .travis.yml
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- e3db.gemspec
+- lib/e3db.rb
+- lib/e3db/client.rb
+- lib/e3db/config.rb
+- lib/e3db/crypto.rb
+- lib/e3db/types.rb
+- lib/e3db/version.rb
+homepage: https://tozny.com/e3db
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.14.1
+signing_key: 
+specification_version: 4
+summary: e3db client SDK
+test_files: []