enveloperb 0.0.0.1.ENOTAG-x86_64-linux

data/ext/enveloperb/Cargo.toml

@@ -0,0 +1,17 @@
+[package]
+name = "enveloperb"
+version = "0.0.0"
+edition = "2021"
+
+[dependencies]
+envelopers = { version = "0.5.1", features = [ "tokio" ] }
+lazy_static = "^0.2.2"
+rb-sys = "0.8.0"
+rutie = { git = "https://github.com/mpalmer/rutie", branch = "rb_sys" }
+tokio = { version = "^1.17.0", features = [ "rt-multi-thread" ] }
+aws-config = "0.10.1"
+aws-sdk-kms = "0.10.1"
+aws-types = { version = "0.10.1", features = [ "hardcoded-credentials" ] }
+
+[lib]
+crate-type = ["cdylib"]

data/ext/enveloperb/extconf.rb

@@ -0,0 +1,4 @@
+require "mkmf"
+require "rb_sys/mkmf"
+
+create_rust_makefile("enveloperb/enveloperb")

data/ext/enveloperb/src/lib.rs

@@ -0,0 +1,195 @@
+#[macro_use]
+extern crate rutie;
+
+#[macro_use]
+extern crate lazy_static;
+
+// I have deliberately not used more-specific symbols inside the aws_* crates because the
+// names are quite generic, and in the near future when we have more providers, we'll
+// almost certainly end up with naming clashes.
+use aws_config;
+use aws_sdk_kms;
+use aws_types;
+use envelopers::{CacheOptions, EncryptedRecord, EnvelopeCipher, KMSKeyProvider, SimpleKeyProvider, CachingKeyWrapper};
+use std::borrow::Cow;
+use tokio::runtime::Runtime;
+use rutie::{Class, Encoding, Hash, Module, Object, RString, Symbol, VerifiedObject, VM};
+
+module!(Enveloperb);
+class!(EnveloperbSimple);
+class!(EnveloperbAWSKMS);
+class!(EnveloperbEncryptedRecord);
+
+impl VerifiedObject for EnveloperbEncryptedRecord {
+    fn is_correct_type<T: Object>(object: &T) -> bool {
+        let klass = Module::from_existing("Enveloperb").get_nested_class("EncryptedRecord");
+        klass.case_equals(object)
+    }
+
+    fn error_message() -> &'static str {
+        "Error converting to Enveloperb::EncryptedRecord"
+    }
+}
+
+pub struct SimpleCipher {
+    cipher: EnvelopeCipher<CachingKeyWrapper<SimpleKeyProvider>>,
+    runtime: Runtime,
+}
+
+pub struct AWSKMSCipher {
+    cipher: EnvelopeCipher<CachingKeyWrapper<KMSKeyProvider>>,
+    runtime: Runtime,
+}
+
+wrappable_struct!(SimpleCipher, SimpleCipherWrapper, SIMPLE_CIPHER_WRAPPER);
+wrappable_struct!(AWSKMSCipher, AWSKMSCipherWrapper, AWSKMS_CIPHER_WRAPPER);
+wrappable_struct!(EncryptedRecord, EncryptedRecordWrapper, ENCRYPTED_RECORD_WRAPPER);
+
+methods!(
+    EnveloperbSimple,
+    rbself,
+
+    fn enveloperb_simple_new(rbkey: RString) -> EnveloperbSimple {
+        let mut key: [u8; 16] = Default::default();
+
+        key.clone_from_slice(rbkey.unwrap().to_bytes_unchecked());
+
+        let provider = SimpleKeyProvider::init(key);
+        let cipher = EnvelopeCipher::init(CachingKeyWrapper::new(provider, CacheOptions::default()));
+
+        let klass = Module::from_existing("Enveloperb").get_nested_class("Simple");
+        return klass.wrap_data(SimpleCipher{ cipher: cipher, runtime: Runtime::new().unwrap() }, &*SIMPLE_CIPHER_WRAPPER);
+    }
+
+    fn enveloperb_simple_encrypt(rbtext: RString) -> EnveloperbEncryptedRecord {
+        let cipher = rbself.get_data(&*SIMPLE_CIPHER_WRAPPER);
+        let er_r = cipher.runtime.block_on(async {
+            cipher.cipher.encrypt(rbtext.unwrap().to_bytes_unchecked()).await
+        });
+        let er = er_r.map_err(|e| VM::raise(Class::from_existing("RuntimeError"), &format!("Failed to perform encryption: {:?}", e))).unwrap();
+
+        let klass = Module::from_existing("Enveloperb").get_nested_class("EncryptedRecord");
+        return klass.wrap_data(er, &*ENCRYPTED_RECORD_WRAPPER);
+    }
+
+    fn enveloperb_simple_decrypt(rbrecord: EnveloperbEncryptedRecord) -> RString {
+        let cipher = rbself.get_data(&*SIMPLE_CIPHER_WRAPPER);
+        let e_record = rbrecord.unwrap();
+        let record = e_record.get_data(&*ENCRYPTED_RECORD_WRAPPER);
+
+        let vec_r = cipher.runtime.block_on(async {
+            cipher.cipher.decrypt(record).await
+        });
+        let vec = vec_r.map_err(|e| VM::raise(Class::from_existing("RuntimeError"), &format!("Failed to perform decryption: {:?}", e))).unwrap();
+
+        return RString::from_bytes(&vec, &Encoding::find("BINARY").unwrap());
+    }
+);
+
+methods!(
+    EnveloperbAWSKMS,
+    rbself,
+
+    fn enveloperb_awskms_new(rbkey: RString, rbcreds: Hash) -> EnveloperbAWSKMS {
+        let raw_creds = rbcreds.unwrap();
+        let rt = Runtime::new().unwrap();
+
+        let kmsclient_config = if raw_creds.at(&Symbol::new("access_key_id")).is_nil() {
+            rt.block_on(async {
+                aws_config::load_from_env().await
+            })
+        } else {
+            let rbregion = raw_creds.at(&Symbol::new("region")).try_convert_to::<RString>().unwrap();
+            let region   = Some(aws_types::region::Region::new(rbregion.to_str().to_owned()));
+
+            let rbkey_id = raw_creds.at(&Symbol::new("access_key_id")).try_convert_to::<RString>().unwrap();
+            let key_id   = rbkey_id.to_str();
+
+            let rbsecret = raw_creds.at(&Symbol::new("secret_access_key")).try_convert_to::<RString>().unwrap();
+            let secret   = rbsecret.to_str();
+
+            let token = match raw_creds.at(&Symbol::new("session_token")).try_convert_to::<RString>() {
+                Ok(str) => Some(str.to_string()),
+                Err(_)  => None
+            };
+
+            let aws_creds = aws_types::Credentials::from_keys(key_id, secret, token);
+            let creds_provider = aws_types::credentials::SharedCredentialsProvider::new(aws_creds);
+
+            aws_types::sdk_config::SdkConfig::builder().region(region).credentials_provider(creds_provider).build()
+        };
+
+        let kmsclient = aws_sdk_kms::Client::new(&kmsclient_config);
+        let provider = KMSKeyProvider::new(kmsclient, rbkey.unwrap().to_string());
+        let cipher = EnvelopeCipher::init(CachingKeyWrapper::new(provider, CacheOptions::default().with_max_bytes(100_000)));
+
+        let klass = Module::from_existing("Enveloperb").get_nested_class("AWSKMS");
+        return klass.wrap_data(AWSKMSCipher{ cipher: cipher, runtime: rt }, &*AWSKMS_CIPHER_WRAPPER);
+    }
+
+    fn enveloperb_awskms_encrypt(rbtext: RString) -> EnveloperbEncryptedRecord {
+        let cipher = rbself.get_data(&*AWSKMS_CIPHER_WRAPPER);
+        let er_r = cipher.runtime.block_on(async {
+            cipher.cipher.encrypt(rbtext.unwrap().to_bytes_unchecked()).await
+        });
+        let er = er_r.map_err(|e| VM::raise(Class::from_existing("RuntimeError"), &format!("Failed to perform encryption: {:?}", e))).unwrap();
+
+        let klass = Module::from_existing("Enveloperb").get_nested_class("EncryptedRecord");
+        return klass.wrap_data(er, &*ENCRYPTED_RECORD_WRAPPER);
+    }
+
+    fn enveloperb_awskms_decrypt(rbrecord: EnveloperbEncryptedRecord) -> RString {
+        let cipher = rbself.get_data(&*AWSKMS_CIPHER_WRAPPER);
+        let e_record = rbrecord.unwrap();
+        let record = e_record.get_data(&*ENCRYPTED_RECORD_WRAPPER);
+
+        let vec_r = cipher.runtime.block_on(async {
+            cipher.cipher.decrypt(record).await
+        });
+        let vec = vec_r.map_err(|e| VM::raise(Class::from_existing("RuntimeError"), &format!("Failed to perform decryption: {:?}", e))).unwrap();
+
+        return RString::from_bytes(&vec, &Encoding::find("BINARY").unwrap());
+    }
+);
+
+methods!(
+    EnveloperbEncryptedRecord,
+    rbself,
+
+    fn enveloperb_encrypted_record_new(serialized_record: RString) -> EnveloperbEncryptedRecord {
+        let s = serialized_record.unwrap().to_vec_u8_unchecked();
+        let ct = EncryptedRecord::from_vec(s).map_err(|e| VM::raise(Class::from_existing("ArgumentError"), &format!("Failed to decode encrypted record: {:?}", e))).unwrap();
+
+        let klass = Module::from_existing("Enveloperb").get_nested_class("EncryptedRecord");
+        return klass.wrap_data(ct, &*ENCRYPTED_RECORD_WRAPPER);
+    }
+
+    fn enveloperb_encrypted_record_serialize() -> RString {
+        let record = rbself.get_data(&*ENCRYPTED_RECORD_WRAPPER);
+
+        return RString::from_bytes(&record.to_vec().map_err(|e| VM::raise(Class::from_existing("RuntimeError"), &format!("Failed to encode encrypted record: {:?}", e))).unwrap(), &Encoding::find("BINARY").unwrap());
+    }
+);
+
+#[allow(non_snake_case)]
+#[no_mangle]
+pub extern "C" fn Init_enveloperb() {
+    Module::from_existing("Enveloperb").define(|envmod| {
+        envmod.define_nested_class("Simple", None).define(|klass| {
+            klass.singleton_class().def_private("_new", enveloperb_simple_new);
+            klass.def_private("_encrypt", enveloperb_simple_encrypt);
+            klass.def_private("_decrypt", enveloperb_simple_decrypt);
+        });
+
+        envmod.define_nested_class("AWSKMS", None).define(|klass| {
+            klass.singleton_class().def_private("_new", enveloperb_awskms_new);
+            klass.def_private("_encrypt", enveloperb_awskms_encrypt);
+            klass.def_private("_decrypt", enveloperb_awskms_decrypt);
+        });
+
+        envmod.define_nested_class("EncryptedRecord", None).define(|klass| {
+            klass.singleton_class().def_private("_new", enveloperb_encrypted_record_new);
+            klass.def_private("_serialize", enveloperb_encrypted_record_serialize);
+        });
+    });
+}

data/lib/enveloperb/awskms.rb

@@ -0,0 +1,58 @@
+module Enveloperb
+  # An Enveloperb cryptography engine using AWS KMS as a wrapping key provider.
+  #
+  class AWSKMS
+    def self.new(keyid, aws_access_key_id: nil, aws_secret_access_key: nil, aws_session_token: nil, aws_region: nil)
+      unless keyid.is_a?(String) && keyid.encoding == Encoding::find("UTF-8") && keyid.valid_encoding?
+        raise ArgumentError, "Key ID must be a valid UTF-8 string"
+      end
+
+      unless aws_access_key_id.nil? && aws_secret_access_key.nil? && aws_session_token.nil? && aws_region.nil?
+        validate_string(aws_access_key_id, :aws_access_key_id)
+        validate_string(aws_secret_access_key, :aws_secret_access_key)
+        validate_string(aws_region, :aws_region)
+        validate_string(aws_session_token, :aws_session_token, allow_nil: true)
+      end
+
+      _new(
+        keyid,
+        {
+          access_key_id: aws_access_key_id,
+          secret_access_key: aws_secret_access_key,
+          session_token: aws_session_token,
+          region: aws_region,
+        }
+      )
+    end
+
+    def encrypt(s)
+      unless s.is_a?(String)
+        raise ArgumentError, "Can only encrypt strings"
+      end
+
+      _encrypt(s)
+    end
+
+    def decrypt(er)
+      unless er.is_a?(EncryptedRecord)
+        raise ArgumentError, "Can only decrypt EncryptedRecord objects; you can make one from a string with EncryptedRecord.new"
+      end
+
+      _decrypt(er)
+    end
+
+    class << self
+      private
+
+      def validate_string(s, var, allow_nil: false)
+        if s.nil? && !allow_nil
+          raise ArgumentError, "#{var.inspect} option to Enveloperb::AWSKMS.new() cannot be nil"
+        end
+
+        unless s.is_a?(String) && s.encoding == Encoding.find("UTF-8") && s.valid_encoding?
+          raise ArgumentError, "#{var.inspect} option passed to Enveloperb::AWSKMS.new() must be a valid UTF-8 string"
+        end
+      end
+    end
+  end
+end

data/lib/enveloperb/encrypted_record.rb

@@ -0,0 +1,31 @@
+module Enveloperb
+  # An envelope encrypted record.
+  class EncryptedRecord
+    # Create an encrypted record from a serialized form.
+    #
+    # Encrypted records can be serialized (using #to_s), and then deserialized by passing them into this constructor.
+    #
+    # @param s [String] the serialized encrypted record.
+    #   This must be a `BINARY` encoded string.
+    #
+    # @raises [ArgumentError] if something other than a binary string is provided, or if the string passed as the serialized encrypted record is not valid.
+    #
+    def self.new(s)
+      unless s.is_a?(String) && s.encoding == Encoding::BINARY
+        raise ArgumentError, "Serialized encrypted record must be a binary string"
+      end
+
+      _new(s)
+    end
+
+    # Serialize an encrypted record into a string.
+    #
+    # @return [String]
+    #
+    # @raise [RuntimeError] if something goes spectacularly wrong with the serialization process.
+    #
+    def to_s
+      _serialize
+    end
+  end
+end

data/lib/enveloperb/simple.rb

@@ -0,0 +1,33 @@
+module Enveloperb
+  # An Enveloperb cryptography engine using an unprotected string as the wrapping key.
+  #
+  class Simple
+    def self.new(k)
+      unless k.is_a?(String) && k.encoding == Encoding::BINARY
+        raise ArgumentError, "Key must be a binary string"
+      end
+
+      unless k.bytesize == 16
+        raise ArgumentError, "Key must be 16 bytes"
+      end
+
+      _new(k)
+    end
+
+    def encrypt(s)
+      unless s.is_a?(String)
+        raise ArgumentError, "Can only encrypt strings"
+      end
+
+      _encrypt(s)
+    end
+
+    def decrypt(er)
+      unless er.is_a?(EncryptedRecord)
+        raise ArgumentError, "Can only decrypt EncryptedRecord objects; you can make one from a string with EncryptedRecord.new"
+      end
+
+      _decrypt(er)
+    end
+  end
+end

data/lib/enveloperb.rb

@@ -0,0 +1,17 @@
+module Enveloperb
+end
+
+begin
+  RUBY_VERSION =~ /(\d+\.\d+)/
+  require_relative "./#{$1}/enveloperb"
+rescue LoadError
+  begin
+    require_relative "./enveloperb.#{RbConfig::CONFIG["DLEXT"]}"
+  rescue LoadError
+    raise LoadError, "Failed to load enveloperb.#{RbConfig::CONFIG["DLEXT"]}; either it hasn't been built, or was built incorrectly for your system"
+  end
+end
+
+require_relative "./enveloperb/encrypted_record"
+require_relative "./enveloperb/awskms"
+require_relative "./enveloperb/simple"

metadata

@@ -0,0 +1,237 @@
+--- !ruby/object:Gem::Specification
+name: enveloperb
+version: !ruby/object:Gem::Version
+  version: 0.0.0.1.ENOTAG
+platform: x86_64-linux
+authors:
+- Matt Palmer
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2022-12-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: github-release
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rake-compiler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: rake-compiler-dock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: rb-inotify
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: rb_sys
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: redcarpet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description:
+email:
+- matt@cipherstash.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CODEOWNERS
+- CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
+- LICENSE
+- README.md
+- enveloperb.gemspec
+- ext/enveloperb/.gitignore
+- ext/enveloperb/Cargo.lock
+- ext/enveloperb/Cargo.toml
+- ext/enveloperb/extconf.rb
+- ext/enveloperb/src/lib.rs
+- lib/2.7/enveloperb.so
+- lib/3.0/enveloperb.so
+- lib/3.1/enveloperb.so
+- lib/enveloperb.rb
+- lib/enveloperb/awskms.rb
+- lib/enveloperb/encrypted_record.rb
+- lib/enveloperb/simple.rb
+homepage: https://cipherstash.com
+licenses: []
+metadata:
+  homepage_uri: https://cipherstash.com
+  source_code_uri: https://github.com/cipherstash/enveloperb
+  changelog_uri: https://github.com/cipherstash/enveloperb/releases
+  bug_tracker_uri: https://github.com/cipherstash/enveloperb/issues
+  documentation_uri: https://rubydoc.info/gems/enveloperb
+  mailing_list_uri: https://discuss.cipherstash.com
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.7'
+  - - "<"
+    - !ruby/object:Gem::Version
+      version: 3.2.dev
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubygems_version: 3.3.22
+signing_key:
+specification_version: 4
+summary: Ruby bindings for the envelopers envelope encryption library
+test_files: []