encrypted-field 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 7f4f73714ca33f397ac0ea28ca518ae864a813f559d111f96a074f573d493604
+  data.tar.gz: d080c07db99b099651022386aaa7c11ee573ce542cb418b63500e1bc39d6f1b7
+SHA512:
+  metadata.gz: 6f70eec7a623e4959fe8e20dbb08169ac82871f2b1875fae247b7de4c111698bd740ca8e752b105141faab1fa39a49a6155116cad94649574ac2d02949670244
+  data.tar.gz: 950af5feb6aa9e5ecff184ecd62f0ff5c9c712f899b70f96d31ed01b496b80e7e55511c723b478d5deff6530d455917d72cbf3195f345c89c1e51e4049eaf164

data/lib/encrypted-field.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'encrypted-field/config'
+require 'encrypted-field/encoder'
+require 'encrypted-field/field'
+require 'encrypted-field/base_policy'
+require 'encrypted-field/policy_with_iv'
+require 'encrypted-field/policy_without_iv'
+
+# EncryptedField is a library for obfuscating and simplifying the logic around encrypting/decrypting values from a DB
+module EncryptedField
+  def self.included(base)
+    base.extend ClassMethods
+  end
+
+  # no-doc
+  module ClassMethods
+    def encrypted_field(field_name, policy_name, encrypted_field_name = nil, fallback_policy_name = nil)
+      encrypted_field_name ||= "#{field_name}_encrypted"
+      Field.new(field_name, encrypted_field_name, policy_name, fallback_policy_name).add_methods(self)
+    end
+  end
+end

data/lib/encrypted-field/base_policy.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'base64'
+
+module EncryptedField
+  # EncryptedField::BasePolicy abstract class for creating encryption policies
+  class BasePolicy
+    attr_reader :algorithm,
+                :options
+
+    def initialize(algorithm, secret_key, options = {})
+      @algorithm = algorithm
+      @secret_key = secret_key
+      @options = options
+    end
+
+    def prefix_with_policy_name?
+      options.fetch(:prefix_with_policy_name, true)
+    end
+
+    private
+
+    def encode_payload(str)
+      if options.key?(:encode_payload)
+        options[:encode_payload].call(str)
+      else
+        Base64.strict_encode64(str)
+      end
+    end
+
+    def decode_payload(str)
+      if options.key?(:decode_payload)
+        options[:decode_payload].call(str)
+      else
+        Base64.strict_decode64(str)
+      end
+    end
+
+    def encode_iv(str)
+      if options.key?(:encode_iv)
+        options[:encode_iv].call(str)
+      else
+        Base64.strict_encode64(str)
+      end
+    end
+
+    def decode_iv(str)
+      if options.key?(:decode_iv)
+        options[:decode_iv].call(str)
+      else
+        Base64.strict_decode64(str)
+      end
+    end
+
+    def create_cipher
+      OpenSSL::Cipher.new(algorithm)
+    end
+
+    def secret_key
+      case @secret_key
+      when Proc
+        @secret_key.call
+      when String
+        @secret_key
+      end
+    end
+  end
+end

data/lib/encrypted-field/config.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require 'singleton'
+
+module EncryptedField
+  # EncryptedField::Config keeps track of all policies and the policy separator
+  class Config
+    include Singleton
+
+    POLICY_DEFAULT_SEPARATOR = '.'
+
+    attr_reader :policy_separator
+
+    def policies
+      @policies ||= {}
+    end
+
+    def set_policy_separator(policy_separator)
+      @policy_separator = policy_separator
+    end
+
+    def policy_separator_or_default
+      policy_separator || POLICY_DEFAULT_SEPARATOR
+    end
+
+    def add_policy(policy_name, algorithm, secret_key, options = {})
+      add_custom_policy(policy_name, PolicyWithIV.new(algorithm, secret_key, options))
+    end
+
+    def add_policy_without_iv(policy_name, algorithm, secret_key, options = {})
+      add_custom_policy(policy_name, PolicyWithoutIV.new(algorithm, secret_key, options))
+    end
+
+    def add_custom_policy(policy_name, policy)
+      valid_policy_name!(policy_name)
+      policies[policy_name.to_s] = policy
+    end
+
+    def self.configure(&block)
+      instance.instance_eval(&block)
+    end
+
+    def reset!
+      @policies = nil
+      @policy_separator = nil
+    end
+
+    def valid_policy_name!(policy_name)
+      return unless policy_name.to_s.include?(policy_separator_or_default)
+
+      raise("policy name #{policy_name} can not include \"#{policy_separator_or_default}\"")
+    end
+  end
+end

data/lib/encrypted-field/encoder.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module EncryptedField
+  # EncryptedField::Encoder prepends the policy name to the encrypted string
+  class Encoder
+    class << self
+      attr_writer :encoder
+
+      def encoder
+        @encoder ||= Encoder.new
+      end
+    end
+
+    def encrypt(str, policy_name)
+      policy = get_policy(policy_name)
+
+      if policy.prefix_with_policy_name?
+        policy_name.dup << policy_separator << policy.encrypt(str)
+      else
+        policy.encrypt(str)
+      end
+    end
+
+    def decrypt(encrypted_str_with_policy_name, fallback_policy_name = nil)
+      policy_name, encrypted_str = encrypted_str_with_policy_name.split(policy_separator, 2)
+      policy_name =
+        if policy?(policy_name) || fallback_policy_name.nil?
+          policy_name
+        else
+          encrypted_str = encrypted_str_with_policy_name
+          fallback_policy_name
+        end
+
+      get_policy(policy_name).decrypt(encrypted_str)
+    end
+
+    private
+
+    def config
+      Config.instance
+    end
+
+    def policy_separator
+      config.policy_separator_or_default
+    end
+
+    def get_policy(policy_name)
+      config.policies[policy_name] || raise("missing policy #{policy_name}")
+    end
+
+    def policy?(policy_name)
+      config.policies.key?(policy_name)
+    end
+  end
+end

data/lib/encrypted-field/field.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module EncryptedField
+  # EncryptedField::Field adds the plain text methods to the class.
+  # Useful for hard coding the policy_name to the field during class creation.
+  class Field
+    attr_reader :field_name,
+                :encrypted_field_name,
+                :policy_name,
+                :fallback_policy_name
+
+    def initialize(field_name, encrypted_field_name, policy_name, fallback_policy_name = nil)
+      @field_name = field_name
+      @encrypted_field_name = encrypted_field_name
+      @policy_name = policy_name.to_s
+      @fallback_policy_name = fallback_policy_name && fallback_policy_name.to_s
+    end
+
+    def add_methods(klass)
+      klass.class_eval <<METHODS, __FILE__, __LINE__ + 1
+def #{field_name}
+  #{encrypted_field_name} && ::EncryptedField::Encoder.encoder.decrypt(#{encrypted_field_name}, #{fallback_policy_name.inspect})
+end
+
+def #{field_name}=(v)
+  self.#{encrypted_field_name} = v && ::EncryptedField::Encoder.encoder.encrypt(v, #{policy_name.inspect})
+end
+METHODS
+    end
+  end
+end

data/lib/encrypted-field/policy_with_iv.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'base64'
+
+module EncryptedField
+  # EncryptedField::PolicyWithIV all the logic required to encrypt/decrypt data using symmetric encryption.
+  class PolicyWithIV < BasePolicy
+    DEFAULT_SEPARATOR = '.'
+
+    def encrypt(str)
+      cipher = create_cipher.encrypt
+      cipher.key = secret_key
+      iv = cipher.random_iv
+      encrypted_str = cipher.update(str) << cipher.final
+      encode_iv(iv) << separator << encode_payload(encrypted_str)
+    end
+
+    def decrypt(encrypted_str)
+      iv, encrypted_str = encrypted_str.split(separator, 2)
+      cipher = create_cipher.decrypt
+      cipher.key = secret_key
+      cipher.iv = decode_iv(iv)
+      cipher.update(decode_payload(encrypted_str) << cipher.final)
+    end
+
+    def separator
+      options[:separator] || DEFAULT_SEPARATOR
+    end
+  end
+end

data/lib/encrypted-field/policy_without_iv.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'base64'
+
+module EncryptedField
+  # EncryptedField::PolicyWithoutIV all the logic required to encrypt/decrypt data using symmetric encryption.
+  class PolicyWithoutIV < BasePolicy
+    def encrypt(str)
+      cipher = create_cipher.encrypt
+      cipher.key = secret_key
+      encode_payload(cipher.update(str) << cipher.final)
+    end
+
+    def decrypt(encrypted_str)
+      cipher = create_cipher.decrypt
+      cipher.key = secret_key
+      cipher.update(decode_payload(encrypted_str)) << cipher.final
+    end
+  end
+end

metadata

@@ -0,0 +1,49 @@
+--- !ruby/object:Gem::Specification
+name: encrypted-field
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Doug Youch
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-04-01 00:00:00.000000000 Z
+dependencies: []
+description: Encrypt data using policies, designed with key rotation in mind
+email: dougyouch@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/encrypted-field.rb
+- lib/encrypted-field/base_policy.rb
+- lib/encrypted-field/config.rb
+- lib/encrypted-field/encoder.rb
+- lib/encrypted-field/field.rb
+- lib/encrypted-field/policy_with_iv.rb
+- lib/encrypted-field/policy_without_iv.rb
+homepage: https://github.com/dougyouch/encrypted-field
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.8
+signing_key: 
+specification_version: 4
+summary: Creates a simple interface for encrypting fields
+test_files: []