edb 0.5 → 0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 114baabf1be97194abcb44cd5378b818242be763
-  data.tar.gz: c4dd125d24d41450cb99f1ab771d5bcec94be42c
+  metadata.gz: cf3bbfcc12b3ea9bf8b8d2da7e5acce50e69295f
+  data.tar.gz: cdd15ff978c970706a69c1dc0b7f3ca1fd20a9a1
 SHA512:
-  metadata.gz: 02bc9d1c1d8d974109f43b33295918bdbafafd0843954b264a2aaa949d95a3149c108437dbad3a7c0e80bb68e8c5a6a2ac1aa280c7936ee37e2366fe533e6139
-  data.tar.gz: 4391116b96b895acc789149fd42391618f96ef409cae31c38455a5d9ce3ad670d68f0fc35154092cc9093dc40ded9f90e40a5cfe38db574e576c1b8db4947799
+  metadata.gz: 427fafb18b6e04e331d689b1efc4a0fa7d3cd4b29afa9f380d5695d3ee6ae54066e27c95ce6d1aef430a90d187d8fb65a23dd1b62f182c4e824ed9fe93d78f1f
+  data.tar.gz: 14fbd57f7b9989d8ff27e8035aa3ebd79335b03bbcfcf46f6a82b324bf27b561c9873eddd60a1ac07d4983f4331f856cace405bf47c3aea773618d87a78d75a9

data/.gitignore

@@ -1,2 +1,3 @@
+.ruby-gemset
 *.gem
 *2015

data/Gemfile.lock

@@ -1,8 +1,9 @@
 PATH
   remote: .
   specs:
-    edb (0.5)
+    edb (0.6)
       aws-sdk (= 1.59.1)
+      fast_secure_compare (~> 1.0)
       ftp_sync (~> 0.4)
       hkdf (~> 0.2)
 
@@ -15,6 +16,7 @@ GEM
       json (~> 1.4)
       nokogiri (>= 1.4.4)
     diff-lcs (1.2.5)
+    fast_secure_compare (1.0.1)
     ftp_sync (0.4.3)
       net-ftp-list (>= 2.1.1)
     hkdf (0.2.0)

data/README.md

@@ -11,10 +11,14 @@ The first one deals with the actual backup process of your database. The second
 `$ gem install edb`
 
 ## Run
-Setup and customize `example/edb.yml` (remember also to change the `secret` by running `edb -k`) and then:
+Customize `example/edb.yml` (remember also to change the `secret` by running `$ edb -k`) and then:
 
 `$ edb example/edb.yml`
 
+To decrypt the encrypted files:
+
+`$ edb example/edb.yml -d [FILE]`
+
 Consider also to add *EDB* to your cronjobs.
 
 ## Available modules
@@ -24,7 +28,7 @@ Consider also to add *EDB* to your cronjobs.
 
 ## FAQ
 **Q:** What if I want to dump two or three MySQL databases?   
-*A:* Just add a `:MySQL:` block for every database you need to dump.   
+*A:* Just add a `:MySQL:` block for every database you need to dump.
 
 
 **Q:** What if I want to save a database to S3 and another one into my local filesystem?   

data/Rakefile

@@ -13,7 +13,7 @@ end
 
 task :test do
   FileUtils.cd 'specs' do
-    Dir['*_spec.rb'].each do |spec|
+    Dir['./**/*_spec.rb'].each do |spec|
       sh "rspec #{spec} --backtrace --color --format doc"
     end
   end

data/bin/edb

@@ -1,4 +1,4 @@
-#! /usr/bin/env ruby
+#!/usr/bin/env ruby
 #--
 # Copyright(C) 2015 Giovanni Capuano <webmaster@giovannicapuano.net>
 #
@@ -26,9 +26,11 @@ require 'edb'
 require 'yaml'
 require 'optparse'
 
+@tasks = {}
+
 OptionParser.new do |opts|
   opts.version = EDB::VERSION
-  opts.banner  = "Usage: edb [-k] [file]"
+  opts.banner  = "Usage: edb [-kd] [CONFIG_FILE]"
 
   opts.on('-k', '--generate-key', 'Generate a random key of 32 characters') do
     require 'securerandom'
@@ -36,6 +38,10 @@ OptionParser.new do |opts|
     puts SecureRandom.hex(32)
     exit
   end
+
+  opts.on('-d', '--decrypt [FILE]', 'Decrypt given file') do |file|
+    @tasks[:decrypt] = { file_to_decrypt: File.expand_path(file) }
+  end
 end.parse!
 
 config_file = ARGV[0]
@@ -43,5 +49,11 @@ if !config_file || !config_file.end_with?('.yml') || !File.exists?(config_file)
   abort 'Please provide a valid configuration file.'
 end
 
-opts = YAML.load_file(config_file)
-EDB::Dumper.new(opts).run
+EDB.opts = YAML.load_file(config_file)
+
+if @tasks.has_key?(:decrypt)
+  ciphering_method = EDB.opts[:CRYPTOGRAPHY].first[0]
+  EDB::Cryptography.decrypt ciphering_method, @tasks[:decrypt][:file_to_decrypt]
+else
+  EDB::Dumper.new.run
+end

data/edb.gemspec

@@ -18,4 +18,5 @@ Gem::Specification.new { |s|
   s.add_dependency 'aws-sdk',  '1.59.1'
   s.add_dependency 'ftp_sync', '~> 0.4'
   s.add_dependency 'hkdf',     '~> 0.2'
+  s.add_dependency 'fast_secure_compare', '~> 1.0'
 }

data/lib/edb/cryptography.rb

@@ -28,14 +28,34 @@ module EDB
     class << self
       include ::EDB::IsModuleSupported
 
-      def encrypt(method, file)
-        this_module = to_module(method)
-        this_module.encrypt(file)
+      def encrypt(method, filename)
+        ::EDB::Logger.log(:info, "Encrypting #{filename}...")
+
+        ciphered_data = File.open(filename, 'rb') do |file|
+          data = file.read
+
+          this_module   = to_module(method)
+          ciphered_data = this_module.encrypt(data)
+        end
+
+        File.open(filename, 'wb') do |file|
+          file.write(ciphered_data)
+        end
       end
 
-      def decrypt(method, file)
-        this_module = to_module(method)
-        this_module.decrypt(file)
+      def decrypt(method, filename)
+        ::EDB::Logger.log(:info, "Decrypting #{filename}...")
+
+        data = File.open(filename, 'rb') do |file|
+          ciphered_data = file.read
+
+          this_module = to_module(method)
+          data        = this_module.decrypt(ciphered_data)
+        end
+
+        File.open("#{filename}.dec", 'wb') do |file|
+          file.write(data)
+        end
       end
 
       private

data/lib/edb/cryptography/aes_256_cbc.rb

@@ -23,52 +23,54 @@
 #++
 require 'openssl'
 require 'hkdf'
+require 'fast_secure_compare/fast_secure_compare'
 
 module EDB
   module Cryptography
     module AES_256_CBC
       class << self
-        def encrypt(source)
-          ::EDB::Logger.log(:info, "Encrypting #{source}...")
+        def encrypt(data)
+          raise "Cannot encrypt #{filename}: It's empty" if data.empty?
 
           cipher = OpenSSL::Cipher.new('AES-256-CBC')
           cipher.encrypt
-          cipher.key = hash_key(::EDB.opts[:CRYPTOGRAPHY][:AES_256_CBC][:secret])
-          cipher.iv  = iv = cipher.random_iv
 
-          contents = File.read(source)
-          raise "Cannot encrypt #{source}: It's empty" if contents.empty?
+          cipher.key, authentication_key = hash_keychain(::EDB.opts[:CRYPTOGRAPHY][:AES_256_CBC][:secret])
+          cipher.iv = iv = cipher.random_iv
 
-          File.open(source, 'wb') do |file|
-            ciphered_content = cipher.update(contents) + cipher.final
-            ciphered_content << iv
-            file.write(ciphered_content)
-          end
-        end
+          ciphered_data = cipher.update(data) + cipher.final
+          ciphered_data << iv
 
-        def decrypt(source, new_file = true)
-          ::EDB::Logger.log(:info, "Decrypting #{source}...")
+          authentication = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), authentication_key, ciphered_data)
+          ciphered_data << authentication
+        end
 
-          ciphered_content = File.read(source)
-          raise "Cannot decrypt #{source}: It's empty" if ciphered_content.empty?
-          ciphered_content_length = ciphered_content.length
+        def decrypt(ciphered_data)
+          raise "Cannot decrypt #{filename}: It's empty" if ciphered_data.length < 64
 
           decipher = OpenSSL::Cipher.new('AES-256-CBC')
           decipher.decrypt
 
-          decipher.key = hash_key(::EDB.opts[:CRYPTOGRAPHY][:AES_256_CBC][:secret])
-          decipher.iv  = iv = ciphered_content.slice!(ciphered_content_length - 16, ciphered_content_length)
+          authentication = slice_str!(ciphered_data, 32)
+          decipher.key, authentication_key = hash_keychain(::EDB.opts[:CRYPTOGRAPHY][:AES_256_CBC][:secret])
+
+          new_authentication = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), authentication_key, ciphered_data)
+          raise 'Authentication failed.' unless FastSecureCompare.compare(authentication, new_authentication)
 
-          new_source = new_file ? "#{source}.dec" : source
-          File.open(new_source, 'wb') do |file|
-            deciphered_content = decipher.update(ciphered_content) + decipher.final
-            file.write(deciphered_content)
-          end
+          decipher.iv = slice_str!(ciphered_data, 16)
+
+          deciphered_data = decipher.update(ciphered_data) + decipher.final
         end
 
         private
-        def hash_key(s)
-          HKDF.new(s).next_bytes(32)
+        def slice_str!(str, n)
+          len = str.length
+          str.slice!(len - n, len)
+        end
+
+        def hash_keychain(s)
+          hkdf = HKDF.new(s)
+          [ hkdf.next_bytes(64), hkdf.next_bytes(64) ]
         end
       end
     end

data/lib/edb/dbms/mysql.rb

@@ -43,7 +43,7 @@ module EDB
             #{db[:database]} > #{files[:dump]}
           }.join(' ')
 
-          system "#{mysqldump} #{args}"
+          Kernel.system "#{mysqldump} #{args}"
 
           files.values
         end

data/lib/edb/dbms/postgresql.rb

@@ -35,11 +35,11 @@ module EDB
 
           ::EDB::Logger.log(:info, "Dumping #{db[:database]}...")
           pg_dump = db[:binpath] && !db[:binpath].empty? ? File.join(db[:binpath], 'pg_dump') : 'pg_dump'
-          system "PGPASSWORD='#{db[:password]}' #{pg_dump} -h #{db[:host]} -p #{db[:port]} -U #{db[:username]} -F c -b -f '#{files[:dump]}' #{db[:database]}"
+          Kernel.system "PGPASSWORD='#{db[:password]}' #{pg_dump} -h #{db[:host]} -p #{db[:port]} -U #{db[:username]} -F c -b -f '#{files[:dump]}' #{db[:database]}"
 
           ::EDB::Logger.log(:info, 'Dumping the cluster...')
           pg_dumpall = db[:binpath] && !db[:binpath].empty? ? File.join(db[:binpath], 'pg_dumpall') : 'pg_dumpall'
-          system "PGPASSWORD='#{db[:password]}' #{pg_dumpall} -h #{db[:host]} -p #{db[:port]} -U #{db[:username]} -f '#{files[:cluster]}'"
+          Kernel.system "PGPASSWORD='#{db[:password]}' #{pg_dumpall} -h #{db[:host]} -p #{db[:port]} -U #{db[:username]} -f '#{files[:cluster]}'"
 
           files.values
         end

data/lib/edb/dumper.rb

@@ -26,8 +26,8 @@ module EDB
   class Dumper
     PATTERN = ->(time) { "#{time.day}_#{time.month}_#{time.year}" }
 
-    def initialize(opts)
-      ::EDB.opts = opts
+    def initialize(opts = nil)
+      ::EDB.opts ||= opts if opts
     end
 
     def run

data/lib/edb/version.rb

@@ -23,5 +23,5 @@
 #++
 
 module EDB
-  VERSION = '0.5'
+  VERSION = '0.6'
 end

data/specs/cryptography/aes_256_cbc_spec.rb

@@ -0,0 +1,57 @@
+require_relative '../spec_helper'
+
+describe EDB::Cryptography::AES_256_CBC do
+  describe '#encrypt' do
+    context 'given string is empty' do
+      it 'raises an exception' do
+        expect { EDB::Cryptography::AES_256_CBC.encrypt('') }.to raise_error
+      end
+    end
+
+    context 'non-empty string is given' do
+      let(:data)          { 'kanbaru is mai waifu' }
+      let(:ciphered_data) { EDB::Cryptography::AES_256_CBC.encrypt(data) }
+
+      it 'returns a valid AES-256-CBC ciphered string' do
+        expect(ciphered_data.length).to be 80
+      end
+    end
+  end
+
+  describe '#decrypt' do
+    context 'given data is less than 64 chars long' do
+      it 'raises an exception' do
+        expect { EDB::Cryptography::AES_256_CBC.decrypt('H' * 63) }.to raise_error
+      end
+    end
+
+    context 'valid data is given' do
+      let(:real_data)     { 'kanbaru is mai waifu' }
+      let(:ciphered_data) { EDB::Cryptography::AES_256_CBC.encrypt(real_data) }
+      let(:data)          { EDB::Cryptography::AES_256_CBC.decrypt(ciphered_data) }
+
+      it 'returns a string matching the original given one' do
+        expect(data).to eq real_data
+      end
+    end
+  end
+
+  describe '#slice_str!' do
+    let(:str)    { 'senjougahara' }
+    let(:sliced) { EDB::Cryptography::AES_256_CBC.instance_exec(str) { |str| slice_str!(str, 6) } }
+
+    it 'returns and remove the last n characters from given string' do
+      expect(sliced).to eq 'gahara'
+      expect(str).to    eq 'senjou'
+    end
+  end
+
+  describe '#hash_keychain' do
+    let(:keychain) { EDB::Cryptography::AES_256_CBC.instance_eval { hash_keychain('hitagi') } }
+
+    it 'returns an array with two 64 bytes long keys' do
+      expect(keychain[0].length).to be 64
+      expect(keychain[1].length).to be 64
+    end
+  end
+end

data/specs/dbms/mysql_spec.rb

@@ -0,0 +1,22 @@
+require_relative '../spec_helper'
+
+describe EDB::DBMS::MySQL do
+  describe '#backup' do
+    let(:dump) { '/Applications/MAMP/Library/bin/mysqldump --user=username --password=password --single-transaction sample_database > ./sample_database.sql' }
+
+    it 'calls mysqldump correctly' do
+      allow(Kernel).to receive(:system).and_wrap_original do |m, *args|
+        expect(args[0]).to eq dump
+      end
+
+      EDB::DBMS::MySQL.backup('.')
+    end
+
+    it 'returns the the files that have been created' do
+      allow(Kernel).to receive(:system).and_wrap_original {}
+
+      results = EDB::DBMS::MySQL.backup('.')
+      expect(results).to eq ['./sample_database.sql']
+    end
+  end
+end

data/specs/dbms/postgresql_spec.rb

@@ -0,0 +1,23 @@
+require_relative '../spec_helper'
+
+describe EDB::DBMS::PostgreSQL do
+  describe '#backup' do
+    let(:dump)    { "PGPASSWORD='password' /Applications/Postgres.app/Contents/Versions/9.3/bin/pg_dump -h localhost -p 5432 -U username -F c -b -f './sample_database.sql' sample_database" }
+    let(:cluster) { "PGPASSWORD='password' /Applications/Postgres.app/Contents/Versions/9.3/bin/pg_dumpall -h localhost -p 5432 -U username -f './cluster.sql'" }
+
+    it 'calls pg_dump correctly' do
+      allow(Kernel).to receive(:system).and_wrap_original do |m, *args|
+        expect(args[0]).to satisfy { |c| [dump, cluster].include?(c) }
+      end
+
+      EDB::DBMS::PostgreSQL.backup('.')
+    end
+
+    it 'returns the the files that have been created' do
+      allow(Kernel).to receive(:system).and_wrap_original {}
+
+      results = EDB::DBMS::PostgreSQL.backup('.')
+      expect(results).to eq ['./sample_database.sql', './cluster.sql']
+    end
+  end
+end

data/specs/dbms_spec.rb

@@ -1,16 +1,16 @@
 require_relative 'spec_helper'
 
-describe EDB::Storage do
+describe EDB::DBMS do
   describe '#supports?' do
-    context 'given storage device is supported' do
+    context 'given DBMS device is supported' do
       it 'returns true' do
-        expect(EDB::Storage.supports?('S3')).to be_truthy
+        expect(EDB::DBMS.supports?('MySQL')).to be_truthy
       end
     end
 
-    context 'given storage device is not supported' do
+    context 'given DBMS device is not supported' do
       it 'returns false' do
-        expect(EDB::Storage.supports?('CappellaAmbrosiana')).to be_falsy
+        expect(EDB::DBMS.supports?('CongoDB')).to be_falsy
       end
     end
   end

data/specs/spec_helper.rb

@@ -1 +1,4 @@
 require 'edb'
+require 'yaml'
+
+EDB.opts = YAML.load_file('../example/edb.yml')

data/specs/storage_spec.rb

@@ -2,15 +2,15 @@ require_relative 'spec_helper'
 
 describe EDB::Cryptography do
   describe '#supports?' do
-    context 'given algorithm is supported' do
+    context 'given storage device is supported' do
       it 'returns true' do
-        expect(EDB::Cryptography.supports?('AES_256_CBC')).to be_truthy
+        expect(EDB::Storage.supports?('S3')).to be_truthy
       end
     end
 
-    context 'given algorithm is not supported' do
+    context 'given storage device is not supported' do
       it 'returns false' do
-        expect(EDB::Cryptography.supports?('LOL_WUT_128')).to be_falsy
+        expect(EDB::Storage.supports?('CappellaAmbrosiana')).to be_falsy
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: edb
 version: !ruby/object:Gem::Version
-  version: '0.5'
+  version: '0.6'
 platform: ruby
 authors:
 - Giovanni Capuano
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-10-16 00:00:00.000000000 Z
+date: 2015-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -52,6 +52,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: fast_secure_compare
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 description: EDB aims to be a framework to make and manage backups of your database.
 email: webmaster@giovannicapuano.net
 executables:
@@ -83,7 +97,10 @@ files:
 - lib/edb/storage/ftp.rb
 - lib/edb/storage/s3.rb
 - lib/edb/version.rb
+- specs/cryptography/aes_256_cbc_spec.rb
 - specs/cryptography_spec.rb
+- specs/dbms/mysql_spec.rb
+- specs/dbms/postgresql_spec.rb
 - specs/dbms_spec.rb
 - specs/spec_helper.rb
 - specs/storage_spec.rb