evervault 0.1.2 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0e666a2b2b7d130e4221e2c25f963fdd6a3e7e986f08127be6f3937ab7f94e52
-  data.tar.gz: dbd8034681606769295e1a2678b019c02f7600b96918c6bb737a5ad0bb9f0616
+  metadata.gz: 2b06c4fd79f260d853fa0fd738ae225c9670c6b7561bc6cb66ffac99850f0576
+  data.tar.gz: 6f39d076798f8b52dc557c1ff3f3834f67abe21874ad530ff399f6404ea46842
 SHA512:
-  metadata.gz: 4830d141e96f9b47a65a581bd214a0cd4d86d440e6f2fdc6f70cd9abd7371f86ef331982d65d3850a19edbc56833994aec8463bc5d55fb0c4ea73c66b6d23abe
-  data.tar.gz: 6d22b0c92ea74e1679513b53431ac7ebe78ba79b215eaea9ebf84062cb2ec45ba4a6e99a1075e66c93a39f9d8c7b1305f0e717c2f9408f4270a7a74d34ab5ca3
+  metadata.gz: 862d87c3a14651f46d6efef35c9d679d0e42a79fc90adb619ff4501ac8e304fa3c55650875e6c9e24bf7cf95c8d9bfef304f6af5157b0eab726c93f35d4e3c89
+  data.tar.gz: f7074851247c1794960daa610c0360423a41631be458752ea24f7e09230c1e20a3b7d862b23e3fc85cfd4a6815f8aceef60e517d5e30229fd0a008e0b10eae6e

data/.github/workflows/release.yml

@@ -11,7 +11,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu, macos]
-        ruby: [2.5, 2.6, 2.7, jruby, jruby-head, truffleruby]
+        ruby: [2.5, 2.6, 2.7, 3.1, truffleruby]
     runs-on: ${{ matrix.os }}-latest
     continue-on-error: ${{ endsWith(matrix.ruby, 'head') || matrix.ruby == 'debug' }}
     steps:

data/.github/workflows/run-tests.yml

@@ -7,7 +7,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu, macos]
-        ruby: [2.5, 2.6, 2.7, jruby, jruby-head, truffleruby]
+        ruby: [2.5, 2.6, 2.7, 3.1, truffleruby]
     runs-on: ${{ matrix.os }}-latest
     continue-on-error: ${{ endsWith(matrix.ruby, 'head') || matrix.ruby == 'debug' }}
     steps:

data/Gemfile

@@ -9,3 +9,4 @@ gem "pry"
 gem "webmock"
 gem "gem-release"
 gem "faraday"
+gem "rexml"

data/README.md

@@ -1,94 +1,115 @@
-# Evervault
-<p align="center">
-  <img src="res/logo.svg">
-</p>
+[![Evervault](https://evervault.com/evervault.svg)](https://evervault.com/)
 
-<p align="center">
-  <a href="https://github.com/evervault/evervault-ruby/actions?query=workflow%3Aevervault-unit-tests"><img alt="Evervault unit tests status" src="https://github.com/evervault/evervault-ruby/workflows/evervault-unit-tests/badge.svg"></a>
-</p>
+[![Unit Tests Status](https://github.com/evervault/evervault-ruby/workflows/evervault-unit-tests/badge.svg)](https://github.com/evervault/evervault-ruby/actions?query=workflow%3Aevervault-unit-tests)
 
+# Evervault Ruby SDK
+
+The [Evervault](https://evervault.com) Ruby SDK is a toolkit for encrypting data as it enters your server, working with Cages, and proxying your outbound API requests to specific domains through [Outbound Relay](https://docs.evervault.com/concepts/relay/outbound-interception) to allow them to be decrypted before reaching their target.
 
 ## Getting Started
-Ruby SDK for [Evervault](https://evervault.com)
-### Prerequisites
 
-To get started with the Evervault Ruby SDK, you will need to have created a team on the evervault dashboard.
+Before starting with the Evervault Ruby SDK, you will need to [create an account](https://app.evervault.com/register) and a team.
+
+For full installation support, [book time here](https://calendly.com/evervault/cages-onboarding).
 
-We are currently in invite-only early access. You can apply for early access [here](https://evervault.com).
+## Documentation
+
+See the Evervault [Ruby SDK documentation](https://docs.evervault.com/ruby).
 
 ## Installation
 
-Add this line to your application's Gemfile:
+There are two ways to install the Ruby SDK.
+
+#### 1. With Gemfile
+
+Add this line to your application's `Gemfile`:
 
 ```ruby
 gem 'evervault'
 ```
 
-And then execute:
+Then, run:
+
 ```sh
-     bundle install
+bundle install
 ```
-Or install it yourself as:
+#### 2. By yourself
+
+Just run:
+
 ```sh
-     gem install evervault
+gem install evervault
 ```
 
 ## Setup
 
-Evervault can be initialized as a singleton throughout the lifecycle of your application.
+To make Evervault available for use in your app:
+
 ```ruby
 require "evervault"
 
-# Initialize the client with your team's api key
+# Initialize the client with your team's API key
 Evervault.api_key = <YOUR-API-KEY>
 
 # Encrypt your data and run a cage
-result = Evervault.encrypt_and_run(<CAGE-NAME>, { hello: 'World!' })
+encrypted_data = Evervault.encrypt({ hello: 'World!' })
+
+# Process the encrypted data in a Cage
+result = Evervault.run(<CAGE-NAME>, encrypted_data)
 ```
 
-It's recommended to re-use your Evervault client, to prevent additional overhead of loading keys at runtime, so the singleton pattern should be the go-to pattern for most use-cases.
+## Reference
 
-However, if you'd prefer to initialize different clients at different times, for example, if you have multiple teams and need to switch context, you can simply create a client:
-```ruby
-require "evervault"
+The Evervault Ruby SDK exposes eight methods.
 
-# Initialize the client with your team's api key
-evervault = Evervault::Client.new(api_key: <YOUR-API-KEY>)
+### Evervault.encrypt
 
-# Encrypt your data and run a cage
-result = evervault.encrypt_and_run(<CAGE-NAME>, { hello: 'World!' })
+`Evervault.encrypt` encrypts data for use in your [Evervault Cages](https://docs.evervault.com/tutorial). To encrypt data on your server, simply pass a supported value into the `Evervault.encrypt` method and then you can store the encrypted data in your database as normal.
+
+```ruby
+Evervault.encrypt(data = String | Number | Boolean | Hash | Array)
 ```
 
-## API Reference
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| data | `String`, `Number`, `Boolean`, `Hash`, `Array` | Data to be encrypted |
 
-### Evervault.encrypt
+### Evervault.relay
 
-Encrypt lets you encrypt data for use in any of your evervault cages. You can use it to store encrypted data to be used in a cage at another time.
+`Evervault.relay` specifies which domains should be proxied through outbound relay. See [Outbound Relay](https://docs.evervault.com/concepts/relay/outbound-interception) to learn more.  
 
 ```ruby
-Evervault.encrypt(data = Hash | String)
+Evervault.relay(decryption_domains = Array)
 ```
 
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| data | Hash or String | Data to be encrypted |
+| decryption_domains | `Array` | Requests sent to any of the domains listed will be proxied through outbound relay |
 
 ### Evervault.run
 
-Run lets you invoke your evervault cages with a given payload.
+`Evervault.run` invokes a Cage with a given payload.
 
 ```ruby
-Evervault.run(cage_name = String, data = Hash)
+Evervault.run(cage_name = String, data = Hash[, options = Hash])
 ```
 
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| cageName | String | Name of the cage to be run |
-| data | Hash | Payload for the cage |
+| cage_name | String | Name of the Cage to be run |
+| data | Hash | Payload for the Cage |
+| options | Hash | [Options for the Cage run](#Cage-Run-Options) |
+
+#### Cage Run Options
+
+| Option | Type | Default | Description |
+| ------ | ---- | ------- | ----------- |
+| `async` | `Boolean` | `false` | Run your Cage in async mode. Async Cage runs will be queued for processing. |
+| `version` | `Integer` | `nil` | Specify the version of your Cage to run. By default, the latest version will be run. |
 
 ### Evervault.encrypt_and_run
 
-Encrypt your data and use it as the payload to invoke the cage.
+Encrypt your data and use it as the payload to invoke the Cage.
 
 ```ruby
 Evervault.encrypt_and_run(cage_name = String, data = Hash)
@@ -96,9 +117,22 @@ Evervault.encrypt_and_run(cage_name = String, data = Hash)
 
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| cageName | String | Name of the cage to be run |
+| cage_name | String | Name of the Cage to be run |
 | data | dict | Data to be encrypted |
 
+### Evervault.create_run_token
+
+`Evervault.create_run_token` creates a single use, time bound token for invoking a cage.
+
+```ruby
+Evervault.create_run_token(cage_name = String, data = Hash)
+```
+
+| Parameter | Type   | Description                                          |
+| --------- | ------ | ---------------------------------------------------- |
+| cage_name | String | Name of the Cage the run token should be created for |
+| data      | Hash   | Payload that the token can be used with              |
+
 ### Evervault.cages
 
 Return a hash of your team's Cage objects in hash format, with cage-name as keys
@@ -129,7 +163,7 @@ Evervault.cages
 
 ### Evervault.cage_list
 
-Return a `CageList` object, containing a list of your team's cages
+Return a `CageList` object, containing a list of your team's Cages
 
 ```ruby
 Evervault.cage_list
@@ -167,7 +201,7 @@ Evervault.cage_list
 
 #### CageList.to_hash
 
-Converts a list of cages to a hash with keys of CageName => Cage Model
+Converts a list of Cages to a hash with keys of CageName => Cage Model
 
 ```ruby
 Evervault.cage_list.to_hash
@@ -210,9 +244,9 @@ Evervault.cage_list.to_hash
 
 ### Evervault::Models::Cage.run
 
-Each Cage model exposes a `run` method, which allows you to run that particular cage.
+Each Cage model exposes a `run` method, which allows you to run that particular Cage.
 
-*Note*: this does not encrypt data before running the cage
+*Note*: this does not encrypt data before running the Cage.
 ```ruby
 cage = Evervault.cage_list.cages[0]
 cage.run({'name': 'testing'})
@@ -221,7 +255,8 @@ cage.run({'name': 'testing'})
 
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| data | Hash | Payload for the cage |
+| data | Hash | Payload for the Cage |
+| options | Hash | [Options for the Cage run](#Cage-Run-Options) |
 
 ## Development
 
@@ -233,6 +268,9 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/evervault/evervault-ruby.
 
+## Feedback
+
+Questions or feedback? [Let us know](mailto:support@evervault.com).
 
 ## License
 

data/lib/evervault/client.rb

@@ -1,4 +1,6 @@
 require_relative "http/request"
+require_relative "http/request_handler"
+require_relative "http/request_intercept"
 require_relative "crypto/client"
 require_relative "models/cage_list"
 
@@ -9,33 +11,35 @@ module Evervault
     def initialize(
       api_key:,
       base_url: "https://api.evervault.com/",
-      cage_run_url: "https://cage.run/",
-      request_timeout: 30
+      cage_run_url: "https://run.evervault.com/",
+      relay_url: "https://relay.evervault.com:8443",
+      ca_host: "https://ca.evervault.com",
+      request_timeout: 30,
+      curve: 'prime256v1'
     )
-      @api_key = api_key
-      @base_url = base_url
-      @cage_run_url = cage_run_url
-      @request =
-        Evervault::Http::Request.new(
-          api_key: api_key,
-          timeout: request_timeout,
-          base_url: base_url,
-          cage_run_url: cage_run_url
+      @request = Evervault::Http::Request.new(timeout: request_timeout, api_key: api_key)
+      @intercept = Evervault::Http::RequestIntercept.new(
+        request: @request, ca_host: ca_host, api_key: api_key, relay_url: relay_url
+      )
+      @request_handler =
+        Evervault::Http::RequestHandler.new(
+          request: @request, base_url: base_url, cage_run_url: cage_run_url, cert: @intercept
         )
-      @crypto_client = Evervault::Crypto::Client.new(request: @request)
+      @crypto_client = Evervault::Crypto::Client.new(request_handler: @request_handler, curve: curve)
+      @intercept.setup()
     end
 
     def encrypt(data)
       @crypto_client.encrypt(data)
     end
 
-    def run(cage_name, encrypted_data)
-      @request.post(cage_name, encrypted_data, cage_run: true)
+    def run(cage_name, encrypted_data, options = {})
+      @request_handler.post(cage_name, encrypted_data, options: options, cage_run: true)
     end
 
-    def encrypt_and_run(cage_name, data)
+    def encrypt_and_run(cage_name, data, options = {})
       encrypted_data = encrypt(data)
-      run(cage_name, encrypted_data)
+      run(cage_name, encrypted_data, options)
     end
 
     def cages
@@ -43,8 +47,16 @@ module Evervault
     end
 
     def cage_list
-      cages = @request.get("cages")
+      cages = @request_handler.get("cages")
       @cage_list ||= Evervault::Models::CageList.new(cages: cages["cages"], request: @request)
     end
+
+    def relay(decryption_domains=[])
+      @intercept.setup_domains(decryption_domains)
+    end
+
+    def create_run_token(cage_name, data)
+      @request_handler.post("v2/functions/#{cage_name}/run-token", data)
+    end
   end
 end

data/lib/evervault/crypto/client.rb

@@ -1,5 +1,6 @@
 require_relative "../errors/errors"
-require_relative "key"
+require_relative "curves/p256"
+require_relative "../version"
 require "openssl"
 require "base64"
 require "json"
@@ -8,80 +9,106 @@ require "securerandom"
 module Evervault
   module Crypto
     class Client
-      attr_reader :request
-      def initialize(request:)
-        @request = request
+      attr_reader :request_handler
+      def initialize(request_handler:, curve:)
+        @curve = curve
+        @p256 = Evervault::Crypto::Curves::P256.new()
+        @ev_version = base_64_remove_padding(
+            Base64.strict_encode64(EV_VERSION[curve])
+        )
+        response = request_handler.get("cages/key")
+        key = @curve == 'secp256k1' ? 'ecdhKey' : 'ecdhP256Key'
+        @team_key = response[key]
       end
 
       def encrypt(data)
         raise Evervault::Errors::UndefinedDataError.new(
           "Data is required for encryption"
-        ) if data.nil? || data.empty?
+        ) if data.nil? || (data.instance_of?(String) && data.empty?)
+
+        raise Evervault::Errors::UnsupportedEncryptType.new(
+          "Encryption is not supported for #{data.class}"
+        ) if !(encryptable_data?(data) || data.instance_of?(Hash) || data.instance_of?(Array))
           
-        if data.instance_of? Hash
-          encrypt_hash(data)
-        elsif encryptable_data?(data)
-          encrypt_string(data)
-        end
+        traverse_and_encrypt(data)
       end
 
-      private def encrypt_string(data)
-        cipher = OpenSSL::Cipher::AES256.new(:GCM).encrypt
+      private def encrypt_string(data_to_encrypt)
+        cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
+
+        shared_key = generate_shared_key()
+        cipher.key = shared_key
+
         iv = cipher.random_iv
-        root_key = cipher.random_key
-        cipher.key = root_key
         cipher.iv = iv
-        encrypted_data = cipher.update(data) + cipher.final
-        encrypted_buffer = encrypted_data + cipher.auth_tag
-        encrypted_key =
-          team_key.public_key.public_encrypt(
-            root_key,
-            OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
-          )
-        data = [encrypted_key, encrypted_buffer, iv].map { |val| Base64.strict_encode64(val) }
-        format(header_type(data), *data)
+
+        if (@curve == 'prime256v1')
+          cipher.auth_data = Base64.strict_decode64(@team_key)
+        end
+
+        encrypted_data = cipher.update(data_to_encrypt.to_s) + cipher.final + cipher.auth_tag
+
+        ephemeral_key_compressed_string = @ephemeral_public_key.to_octet_string(:compressed)
+
+        format(header_type(data_to_encrypt), Base64.strict_encode64(iv), Base64.strict_encode64(ephemeral_key_compressed_string), Base64.strict_encode64(encrypted_data))
       end
 
-      private def encrypt_hash(data)
+      private def traverse_and_encrypt(data)
         if encryptable_data?(data)
           return encrypt_string(data)
         elsif data.instance_of?(Hash)
           encrypted_data = {}
-          data.each { |key, value| encrypted_data[key] = encrypt_hash(value) }
+          data.each { |key, value| encrypted_data[key] = traverse_and_encrypt(value) }
+          return encrypted_data
+        elsif data.instance_of?(Array)
+          encrypted_data = data.map { |value| traverse_and_encrypt(value) }
           return encrypted_data
+        else
+          raise Evervault::Errors::UnsupportedEncryptType.new(
+            "Encryption is not supported for #{data.class}"
+          )
         end
         data
       end
 
       private def encryptable_data?(data)
-        data.instance_of?(String) || data.instance_of?(Array) ||
-          [true, false].include?(data) || data.instance_of?(Integer) ||
-          data.instance_of?(Float)
+        data.instance_of?(String) || [true, false].include?(data) ||
+        data.instance_of?(Integer) || data.instance_of?(Float)
       end
 
-      private def team_key
-        @team_key ||= Key.new(public_key: @request.get("cages/key")["key"])
+      private def generate_shared_key()
+        ec = OpenSSL::PKey::EC.new(@curve)
+        ec.generate_key
+        @ephemeral_public_key = ec.public_key
+
+        decoded_team_key = OpenSSL::BN.new(Base64.strict_decode64(@team_key), 2)
+        group_for_team_key = OpenSSL::PKey::EC::Group.new(@curve)
+        team_key_point = OpenSSL::PKey::EC::Point.new(group_for_team_key, decoded_team_key)
+
+        shared_key = ec.dh_compute_key(team_key_point)
+
+        if @curve == 'prime256v1'
+          # Perform KDF
+          encoded_ephemeral_key = @p256.encode(decompressed_key: @ephemeral_public_key.to_bn(:uncompressed).to_s(16)).to_der
+          hash_input = shared_key + [00, 00, 00, 01].pack('C*') + encoded_ephemeral_key
+          hash = OpenSSL::Digest::SHA256.new()
+          digest = hash.digest(hash_input)
+          return digest
+        end  
+
+        shared_key
       end
 
-      private def format(header, encrypted_key, encrypted_data, iv)
-        header =
-          utf8_to_base_64_url(
-            { iss: "evervault", version: 1, datatype: header }.to_json
-          )
-        payload =
-          utf8_to_base_64_url(
-            {
-              cageData: encrypted_key,
-              keyIv: iv,
-              sharedEncryptedData: encrypted_data
-            }.to_json
-          )
-        "#{header}.#{payload}.#{SecureRandom.uuid}"
+      private def format(datatype, iv, team_key, encrypted_data)
+        "ev:#{@ev_version}#{
+          datatype != 'string' ? ':' + datatype : ''
+        }:#{base_64_remove_padding(iv)}:#{base_64_remove_padding(
+          team_key
+        )}:#{base_64_remove_padding(encrypted_data)}:$"
       end
 
-      private def utf8_to_base_64_url(data)
-        b64_string = Base64.strict_encode64(data)
-        b64_string.gsub("+", "-").gsub("/", "_")
+      private def base_64_remove_padding(str)
+        str.gsub(/={1,2}$/, '');
       end
 
       private def header_type(data)

data/lib/evervault/crypto/curves/base.rb

@@ -0,0 +1,38 @@
+require "openssl"
+
+module Evervault
+  module Crypto
+    class CurveBase
+
+      def initialize(curve_name:, curve_values:)
+        @asn1Encoder = buildEncoder(curve_values: curve_values)
+      end
+
+      def encode(decompressed_key:)
+        @asn1Encoder.call(decompressed_key)
+      end
+
+      private def buildEncoder(curve_values:)
+        a = OpenSSL::ASN1::OctetString.new([curve_values::A].pack('H*'))
+        b = OpenSSL::ASN1::OctetString.new([curve_values::B].pack('H*'))
+        seed = OpenSSL::ASN1::BitString.new([curve_values::SEED].pack('H*'))
+        curve = OpenSSL::ASN1::Sequence.new([a, b, seed])
+
+        field_type = OpenSSL::ASN1::ObjectId.new("1.2.840.10045.1.1")
+        parameters = OpenSSL::ASN1::Integer.new(curve_values::P.to_i(16))
+        field_id = OpenSSL::ASN1::Sequence.new([field_type, parameters])
+
+        version = OpenSSL::ASN1::Integer.new(1)
+        base = OpenSSL::ASN1::OctetString.new([curve_values::GENERATOR].pack('H*'))
+        order = OpenSSL::ASN1::Integer.new(curve_values::N.to_i(16))
+        cofactor = OpenSSL::ASN1::Integer.new(curve_values::H.to_i(16))
+        ec_parameters = OpenSSL::ASN1::Sequence.new([version, field_id, curve, base, order, cofactor])
+
+        algorithm = OpenSSL::ASN1::ObjectId.new("1.2.840.10045.2.1")
+        algorithm_identifier = OpenSSL::ASN1::Sequence.new([algorithm, ec_parameters])
+
+        return lambda {|public_key| OpenSSL::ASN1::Sequence.new([algorithm_identifier, OpenSSL::ASN1::BitString.new([public_key].pack('H*'))])}
+      end
+    end
+  end
+end

data/lib/evervault/crypto/curves/p256.rb

@@ -0,0 +1,25 @@
+require_relative "base"
+
+# https://neuromancer.sk/std/x962/prime256v1
+
+module P256_CONSTANTS
+  A = "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC"
+  B = "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B"
+  SEED = "C49D360886E704936A6678E1139D26B7819F7E90"
+  P = "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF"
+  GENERATOR = "046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5"
+  N = "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551"
+  H = "01"
+end
+
+module Evervault
+  module Crypto
+    module Curves
+      class P256 < CurveBase
+        def initialize()
+          super(curve_name: 'prime256v1', curve_values: P256_CONSTANTS)
+        end
+      end
+    end
+  end
+end

data/lib/evervault/errors/error_map.rb

@@ -3,7 +3,7 @@ require_relative "errors"
 module Evervault
   module Errors
     class ErrorMap
-      def self.raise_errors_on_failure(status_code, body)
+      def self.raise_errors_on_failure(status_code, body, headers)
         return if status_code < 400
         case status_code
         when 404
@@ -13,7 +13,11 @@ module Evervault
         when 401
           raise AuthenticationError.new("Unauthorized")
         when 403
-          raise AuthenticationError.new("Forbidden")
+          if (headers.include? "x-evervault-error-code") && (headers["x-evervault-error-code"] == "forbidden-ip-error")
+            raise ForbiddenIPError.new("IP is not present in Cage whitelist")
+          else
+            raise AuthenticationError.new("Forbidden")
+          end
         when 500
           raise ServerError.new("Server Error")
         when 502

data/lib/evervault/errors/errors.rb

@@ -23,5 +23,11 @@ module Evervault
     class InvalidPublicKeyError < EvervaultError; end
 
     class UnexpectedError < EvervaultError; end
+
+    class CertDownloadError < EvervaultError; end
+
+    class UnsupportedEncryptType < EvervaultError; end
+
+    class ForbiddenIPError < EvervaultError; end
   end
 end

data/lib/evervault/http/request.rb

@@ -6,51 +6,34 @@ require_relative "../errors/error_map"
 module Evervault
   module Http
     class Request
-      def initialize(api_key:, base_url:, cage_run_url:, timeout:)
-        @api_key = api_key
+      def initialize(timeout:, api_key:)
         @timeout = timeout
-        @base_url = base_url
-        @cage_run_url = cage_run_url
-      end
-
-      def get(path, params = nil)
-        execute(:get, build_url(path), params)
-      end
-
-      def put(path, params)
-        execute(:put, build_url(path), params)
-      end
-
-      def delete(path, params)
-        execute(:delete, build_url(path), params)
-      end
-
-      def post(path, params, cage_run: false)
-        execute(:post, build_url(path, cage_run), params)
-      end
-
-      private def build_url(path, cage_run = false)
-        return "#{@base_url}#{path}" unless cage_run
-        "#{@cage_run_url}#{path}"
+        @api_key = api_key
       end
 
-      def execute(method, url, params)
+      def execute(method, url, params, optional_headers = {}, is_ca = false)
         resp = Faraday.send(method, url) do |req|
             req.body = params.nil? || params.empty? ? nil : params.to_json
-            req.headers = build_headers
+            req.headers = build_headers(optional_headers)
+            req.options.timeout = @timeout
+        end
+        if resp.status >= 200 && resp.status <= 300
+          if is_ca
+            return resp.body
+          end
+          return JSON.parse(resp.body)
         end
-        return JSON.parse(resp.body) if resp.status >= 200 && resp.status <= 300
-        Evervault::Errors::ErrorMap.raise_errors_on_failure(resp.status, resp.body)
+        Evervault::Errors::ErrorMap.raise_errors_on_failure(resp.status, resp.body, resp.headers)
       end
 
-      private def build_headers
-        {
+      private def build_headers(optional_headers)
+        optional_headers.merge({
           "AcceptEncoding": "gzip, deflate",
           "Accept": "application/json",
           "Content-Type": "application/json",
           "User-Agent": "evervault-ruby/#{VERSION}",
-          "Api-Key": @api_key
-        }
+          "Api-Key": @api_key,
+        })
       end
     end
   end

data/lib/evervault/http/request_handler.rb

@@ -0,0 +1,68 @@
+require "faraday"
+require "json"
+require_relative "../version"
+require_relative "../errors/error_map"
+
+module Evervault
+  module Http
+    class RequestHandler
+      def initialize(request:, base_url:, cage_run_url:, cert:)
+        @request = request
+        @base_url = base_url
+        @cage_run_url = cage_run_url
+        @cert = cert
+      end
+
+      def get(path, params = nil)
+        if @cert.is_certificate_expired()
+          @cert.setup()
+        end
+        @request.execute(:get, build_url(path), params)
+      end
+
+      def put(path, params)
+        if @cert.is_certificate_expired()
+          @cert.setup()
+        end
+        @request.execute(:put, build_url(path), params)
+      end
+
+      def delete(path, params)
+        if @cert.is_certificate_expired()
+          @cert.setup()
+        end
+        @request.execute(:delete, build_url(path), params)
+      end
+
+      def post(path, params, options: {}, cage_run: false)
+        if @cert.is_certificate_expired()
+          @cert.setup()
+        end
+        @request.execute(:post, build_url(path, cage_run), params, build_cage_run_headers(options, cage_run))
+      end
+
+      private def build_url(path, cage_run = false)
+        return "#{@base_url}#{path}" unless cage_run
+        "#{@cage_run_url}#{path}"
+      end
+
+      private def build_cage_run_headers(options, cage_run = false)
+        optional_headers = {}
+        return optional_headers unless cage_run
+        if options.key?(:async)
+          if options[:async]
+            optional_headers["x-async"] = "true"
+          end
+          options.delete(:async)
+        end
+        if options.key?(:version)
+          if options[:version].is_a? Integer
+            optional_headers["x-version-id"] = options[:version].to_s
+          end
+          options.delete(:version)
+        end
+        optional_headers.merge(options)
+      end
+    end
+  end
+end

data/lib/evervault/http/request_intercept.rb

@@ -0,0 +1,135 @@
+require "faraday"
+require "json"
+require "tempfile"
+require "openssl"
+require 'net/http'
+require_relative "../version"
+require_relative "../errors/errors"
+
+module NetHTTPOverride
+  @@api_key = nil
+  @@relay_url = nil
+  @@relay_port = nil
+  @@cert = nil
+  @@decrypt_if_exact = []
+  @@decrypt_if_ends_with = []
+
+  def self.set_api_key(value)
+    @@api_key = value
+  end
+
+  def self.set_relay_url(value)
+    relay_address_and_port = value.gsub(/(^\w+:|^)\/\//, '').split(":")
+    @@relay_url = relay_address_and_port[0]
+    @@relay_port = relay_address_and_port[1]
+  end
+
+  def self.set_cert(value)
+    @@cert = value
+  end
+
+  def self.add_to_decrypt_if_exact(value)
+    @@decrypt_if_exact.append(value)
+  end
+
+  def self.add_to_decrypt_if_ends_with(value)
+    @@decrypt_if_ends_with.append(value)
+  end
+
+  def should_decrypt(domain)
+    return (@@decrypt_if_exact.include? domain) || (@@decrypt_if_ends_with.any? { |suffix| domain.end_with? suffix })
+  end
+
+  def connect
+    if should_decrypt(conn_address)
+      @cert_store = OpenSSL::X509::Store.new
+      @cert_store.add_cert(@@cert)
+      @proxy_from_env = false
+      @proxy_address = @@relay_url
+      @proxy_port = @@relay_port
+    end
+    super
+  end
+
+  def request(req, body = nil, &block)
+    should_decrypt = should_decrypt(@address)
+    if should_decrypt
+      req["Proxy-Authorization"] = @@api_key
+    end
+    super
+  end
+end
+
+Net::HTTP.send :prepend, NetHTTPOverride
+
+module Evervault
+  module Http
+    class RequestIntercept
+      def initialize(request:, ca_host:, api_key:, relay_url:)
+        NetHTTPOverride.set_api_key(api_key)
+        NetHTTPOverride.set_relay_url(relay_url)
+        
+        @request = request
+        @ca_host = ca_host
+        @expire_date = nil
+        @initial_date = nil
+      end
+
+      def is_certificate_expired()
+        if @expire_date
+          now = Time.now
+          if now > @expire_date || now < @initial_date
+            return true
+          end
+        end
+        return false
+      end
+
+      def setup_domains(decrypt_domains=[])
+        for domain in decrypt_domains
+          if domain.start_with?("www.")
+            domain = domain[4..-1]
+          end
+          NetHTTPOverride.add_to_decrypt_if_exact(domain)
+          NetHTTPOverride.add_to_decrypt_if_ends_with("." + domain)
+          NetHTTPOverride.add_to_decrypt_if_ends_with("@" + domain)
+        end
+      end
+
+      def setup
+        get_cert()
+      end
+
+      def get_cert()
+        ca_content = nil
+        i = 0
+
+        while !ca_content && i < 1
+          i += 1
+          begin
+            ca_content = @request.execute("get", @ca_host, nil, {}, is_ca: true)
+          rescue;
+          end
+        end
+
+        if !ca_content || ca_content == ""
+          raise Evervault::Errors::CertDownloadError.new("Unable to install the Evervault root certificate from #{@ca_host}")
+        end
+
+        cert = OpenSSL::X509::Certificate.new ca_content
+        set_cert_expire_date(cert)
+        NetHTTPOverride.set_cert(cert)
+      end
+
+      def set_cert_expire_date(cert)
+        begin
+          @expire_date = cert.not_after
+          @initial_date = cert.not_before
+        rescue => exception
+          @expire_date = nil
+        end
+      end
+    end
+  end
+end
+

data/lib/evervault/models/cage.rb

@@ -9,8 +9,8 @@ module Evervault
         @request = request
       end
 
-      def run(params)
-        @request.post(self.name, params, cage_run: true)
+      def run(params, options = {})
+        @request.post(self.name, params, options: options, cage_run: true)
       end
 
     end

data/lib/evervault/version.rb

@@ -1,3 +1,4 @@
 module Evervault
-  VERSION = "0.1.2"
+  VERSION = "1.1.0"
+  EV_VERSION = {"prime256v1" => "NOC", "secp256k1" => "DUB"}
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: evervault
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 1.1.0
 platform: ruby
 authors:
 - Jonny O'Mahony
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-11-04 00:00:00.000000000 Z
+date: 2022-09-05 00:00:00.000000000 Z
 dependencies: []
 description: 
 email:
@@ -24,7 +24,6 @@ files:
 - ".gitignore"
 - ".rspec"
 - Gemfile
-- Gemfile.lock
 - LICENSE.txt
 - README.md
 - Rakefile
@@ -34,10 +33,13 @@ files:
 - lib/evervault.rb
 - lib/evervault/client.rb
 - lib/evervault/crypto/client.rb
-- lib/evervault/crypto/key.rb
+- lib/evervault/crypto/curves/base.rb
+- lib/evervault/crypto/curves/p256.rb
 - lib/evervault/errors/error_map.rb
 - lib/evervault/errors/errors.rb
 - lib/evervault/http/request.rb
+- lib/evervault/http/request_handler.rb
+- lib/evervault/http/request_intercept.rb
 - lib/evervault/models/cage.rb
 - lib/evervault/models/cage_list.rb
 - lib/evervault/version.rb
@@ -65,7 +67,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: Ruby SDK to run Evervault Cages

data/Gemfile.lock

@@ -1,58 +0,0 @@
-PATH
-  remote: .
-  specs:
-    evervault (0.1.1)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    addressable (2.7.0)
-      public_suffix (>= 2.0.2, < 5.0)
-    coderay (1.1.3)
-    crack (0.4.4)
-    diff-lcs (1.4.4)
-    faraday (1.1.0)
-      multipart-post (>= 1.2, < 3)
-      ruby2_keywords
-    gem-release (2.2.0)
-    hashdiff (1.0.1)
-    method_source (1.0.0)
-    multipart-post (2.1.1)
-    pry (0.13.1)
-      coderay (~> 1.1)
-      method_source (~> 1.0)
-    public_suffix (4.0.6)
-    rake (12.3.3)
-    rspec (3.9.0)
-      rspec-core (~> 3.9.0)
-      rspec-expectations (~> 3.9.0)
-      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.3)
-      rspec-support (~> 3.9.3)
-    rspec-expectations (3.9.2)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.1)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-support (3.9.3)
-    ruby2_keywords (0.0.2)
-    webmock (3.9.3)
-      addressable (>= 2.3.6)
-      crack (>= 0.3.2)
-      hashdiff (>= 0.4.0, < 2.0.0)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  evervault!
-  faraday
-  gem-release
-  pry
-  rake (~> 12.0)
-  rspec (~> 3.0)
-  webmock
-
-BUNDLED WITH
-   2.1.4

data/lib/evervault/crypto/key.rb

@@ -1,19 +0,0 @@
-require "openssl"
-
-module Evervault
-  module Crypto
-    class Key
-      attr_reader :public_key
-      def initialize(public_key:)
-        @public_key = OpenSSL::PKey::RSA.new(format_key(public_key))
-      end
-
-      private def format_key(key)
-        key_header = "-----BEGIN PUBLIC KEY-----\n"
-        key_footer = "-----END PUBLIC KEY-----"
-        return key if key.include?(key_header) && key.include?(key_footer)
-        "#{key_header}#{key.scan(/.{0,64}/).join("\n")}#{key_footer}"
-      end
-    end
-  end
-end