evervault 2.0.0 → 3.0.1

data/lib/evervault/client.rb

@@ -1,74 +1,91 @@
-require_relative "http/request"
-require_relative "http/request_handler"
-require_relative "http/request_intercept"
-require_relative "http/relay_outbound_config"
-require_relative "threading/repeated_timer"
-require_relative "crypto/client"
+# frozen_string_literal: true
+
+require_relative 'http/request'
+require_relative 'http/request_handler'
+require_relative 'http/request_intercept'
+require_relative 'http/relay_outbound_config'
+require_relative 'threading/repeated_timer'
+require_relative 'crypto/client'
 
 module Evervault
   class Client
+    attr_accessor :config
 
-    attr_accessor :function_run_url
-    def initialize(
-      app_uuid:,
-      api_key:,
-      base_url: "https://api.evervault.com/",
-      function_run_url: "https://run.evervault.com/",
-      relay_url: "https://relay.evervault.com:8443",
-      ca_host: "https://ca.evervault.com",
-      request_timeout: 30,
-      curve: 'prime256v1'
-    )
-      @function_run_url = function_run_url
-      @request = Evervault::Http::Request.new(timeout: request_timeout, app_uuid: app_uuid, api_key: api_key)
-      @intercept = Evervault::Http::RequestIntercept.new(
-        request: @request, ca_host: ca_host, api_key: api_key, base_url: base_url, relay_url: relay_url
-      )
-      @request_handler =
-        Evervault::Http::RequestHandler.new(
-          request: @request, base_url: base_url, cert: @intercept
-        )
-      @crypto_client = Evervault::Crypto::Client.new(request_handler: @request_handler, curve: curve)
-      @intercept.setup()
+    def initialize(app_uuid:, api_key:, **options, &block)
+      @config = Evervault::Config.new(app_id: app_uuid, api_key: api_key)
+      configure_via_options(**options) if options.any?
+      intercept.setup
+      configure(&block) if block_given?
     end
 
-    def encrypt(data)
-      @crypto_client.encrypt(data)
+    def encrypt(data, role = nil)
+      crypto_client.encrypt(data, role)
     end
 
     def decrypt(data)
       unless data.is_a?(String) || data.is_a?(Array) || data.is_a?(Hash)
-        raise Evervault::Errors::ArgumentError.new("data is of invalid type")
+        raise Evervault::Errors::EvervaultError, 'data is of invalid type'
       end
+
       payload = { data: data }
-      response = @request_handler.post("decrypt", payload, nil, nil, true)
-      response["data"]
+      response = request_handler.post('decrypt', payload, true, Evervault::Errors::ErrorMap)
+      response['data']
     end
 
-    def run(function_name, payload, options = {})
-      optional_headers = {}
-      if options.key?(:async)
-        if options[:async]
-          optional_headers["x-async"] = "true"
-        end
-      end
-      if options.key?(:version)
-        if options[:version].is_a? Integer
-          optional_headers["x-version-id"] = options[:version].to_s
-        end
-      end
-      @request_handler.post(function_name, payload, optional_headers, @function_run_url)
+    def create_token(action, data, expiry = nil)
+      payload = { payload: data, expiry: expiry, action: action }
+      request_handler.post('client-side-tokens', payload, true, Evervault::Errors::ErrorMap)
+    end
+
+    def run(function_name, payload)
+      payload = { payload: payload }
+      res = request_handler.post("functions/#{function_name}/runs", payload, true, Evervault::Errors::ErrorMap)
+
+      return res if res['status'] == 'success'
+
+      Evervault::Errors::ErrorMap.raise_function_error_on_failure(res)
     end
 
     def create_run_token(function_name, data = {})
-      @request_handler.post("v2/functions/#{function_name}/run-token", data)
+      request_handler.post("v2/functions/#{function_name}/run-token", data)
     end
 
     def enable_outbound_relay(decryption_domains = nil)
       if decryption_domains.nil?
-        @intercept.setup_outbound_relay_config
+        intercept.setup_outbound_relay_config
       else
-        @intercept.setup_decryption_domains(decryption_domains)
+        intercept.setup_decryption_domains(decryption_domains)
+      end
+    end
+
+    def configure
+      yield(config)
+    end
+
+    private
+
+    def request
+      @request || Evervault::Http::Request.new(config: config)
+    end
+
+    def intercept
+      @intercept || Evervault::Http::RequestIntercept.new(request: request, config: config)
+    end
+
+    def request_handler
+      @request_handler || Evervault::Http::RequestHandler.new(request: request, config: config, cert: intercept)
+    end
+
+    def crypto_client
+      @crypto_client || Evervault::Crypto::Client.new(request_handler: request_handler, config: config)
+    end
+
+    def configure_via_options(**options)
+      warn '[DEPRECATION] configuration via Evervault::Client.new arguments is deprecated. Pass a block or use the'\
+      '`.configure` instead.'
+
+      options.each do |key, value|
+        config.send("#{key}=", value)
       end
     end
   end

data/lib/evervault/config.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Evervault
+  class Config
+    attr_accessor :app_id, :api_key, :base_url, :relay_url, :ca_host, :request_timeout, :curve
+
+    def initialize(app_id:, api_key:)
+      @app_id = app_id
+      @api_key = api_key
+      @base_url = 'https://api.evervault.com/'
+      @relay_url = 'https://relay.evervault.com:8443'
+      @ca_host = 'https://ca.evervault.com'
+      @request_timeout = 30
+      @curve = 'prime256v1'
+    end
+  end
+end

data/lib/evervault/crypto/client.rb

@@ -1,126 +1,196 @@
-require_relative "../errors/errors"
-require_relative "curves/p256"
-require_relative "../version"
-require "openssl"
-require "base64"
-require "json"
-require "securerandom"
+# frozen_string_literal: true
+
+require_relative '../errors/errors'
+require_relative 'curves/p256'
+require_relative 'curves/koblitz'
+require_relative '../version'
+require 'openssl'
+require 'base64'
+require 'json'
+require 'securerandom'
+require 'time'
 
 module Evervault
   module Crypto
     class Client
-      attr_reader :request_handler
-      def initialize(request_handler:, curve:)
-        @curve = curve
-        @p256 = Evervault::Crypto::Curves::P256.new()
-        @ev_version = base_64_remove_padding(
-            Base64.strict_encode64(EV_VERSION[curve])
-        )
-        response = request_handler.get("cages/key")
-        key = @curve == 'secp256k1' ? 'ecdhKey' : 'ecdhP256Key'
+      attr_reader :config
+
+      def initialize(request_handler:, config: ::Evervault::Config.new)
+        @config = config
+        @p256 = Evervault::Crypto::Curves::P256.new
+        @koblitz = Evervault::Crypto::Curves::Koblitz.new
+        @ev_version = EV_VERSION[config.curve]
+        response = request_handler.get('cages/key')
+        key = config.curve == 'secp256k1' ? 'ecdhKey' : 'ecdhP256Key'
         @team_key = response[key]
       end
 
-      def encrypt(data)
-        raise Evervault::Errors::UndefinedDataError.new(
-          "Data is required for encryption"
-        ) if data.nil? || (data.instance_of?(String) && data.empty?)
+      def encrypt(data, role = nil)
+        if data.nil? || (data.instance_of?(String) && data.empty?)
+          raise Evervault::Errors::EvervaultError, 'Data is required for encryption'
+        end
+
+        unless encryptable_data?(data) || data.instance_of?(Hash) || data.instance_of?(Array)
+          raise Evervault::Errors::EvervaultError, "Encryption is not supported for #{data.class}"
+        end
+
+        traverse_and_encrypt(data, role)
+      end
+
+      def generate_metadata(role)
+        buffer = []
+
+        # Binary representation of a fixed map with 2 or 3 items, followed by the key-value pairs
+        buffer.push(0x80 | (role.nil? ? 2 : 3))
+
+        if role
+          # Binary representation for a fixed string of length 2, followed by `dr` (for "data role")
+          buffer.push(0xA2)
+          buffer.push(*'dr'.bytes)
+          # Binary representation for a fixed string of role name length, followed by the role name itself
+          buffer.push(0xA0 | role.length)
+          buffer.push(*role.bytes)
+        end
+
+        # Binary representation for a fixed string of length 2, followed by `eo` (for "encryption origin")
+        buffer.push(0xA2)
+        buffer.push(*'eo'.bytes)
+        # Binary representation for the integer 8 (Ruby SDK)
+        buffer.push(8)
+
+        # Binary representation for a fixed string of length 2, followed by `et` (for "encryption timestamp")
+        buffer.push(0xA2)
+        buffer.push(*'et'.bytes)
+        # Binary representation for a 4-byte unsigned integer (uint 32), followed by the epoch time (big-endian)
+        buffer.push(0xCE)
+        buffer.push(*[Time.now.to_i].pack('I!>').bytes)
+
+        buffer.pack('C*')
+      end
+
+      private
+
+      def create_v2_aad(data_type, ephemeral_public_key_bytes, app_public_key_bytes)
+        data_type_number = case data_type
+                           when 'number' then 1
+                           when 'boolean' then 2
+                           else 0 # Default to String
+                           end
+
+        version_number = case @ev_version
+                         when 'S0lS' then 0
+                         when 'QkTC' then 1
+                         end
+
+        raise 'This encryption version does not have a version number for AAD' if version_number.nil?
+
+        config_byte_size = 1
+        total_size = config_byte_size + ephemeral_public_key_bytes.bytesize + app_public_key_bytes.bytesize
+        aad = "\x00" * total_size # Create a binary string of zeros
+
+        # Set the configuration byte
+        b = 0x00 | (data_type_number << 4) | version_number
+        aad.setbyte(0, b)
+
+        # Copy ephemeral public key bytes into aad
+        aad[config_byte_size, ephemeral_public_key_bytes.bytesize] = ephemeral_public_key_bytes
+
+        # Copy application public key bytes into aad
+        start_index = config_byte_size + ephemeral_public_key_bytes.bytesize
+        aad[start_index, app_public_key_bytes.bytesize] = app_public_key_bytes
+
+        aad
+      end
+
+      def encryptable_data?(data)
+        data.instance_of?(String) || [true, false].include?(data) ||
+          data.instance_of?(Integer) || data.instance_of?(Float)
+      end
+
+      def generate_shared_key
+        ec = OpenSSL::PKey::EC.generate(@config.curve)
+        @ephemeral_public_key = ec.public_key
+
+        decoded_team_key = OpenSSL::BN.new(Base64.strict_decode64(@team_key), 2)
+        group_for_team_key = OpenSSL::PKey::EC::Group.new(config.curve)
+        team_key_point = OpenSSL::PKey::EC::Point.new(group_for_team_key, decoded_team_key)
+
+        shared_key = ec.dh_compute_key(team_key_point)
+
+        # Perform KDF
+        encoded_ephemeral_key = if config.curve == 'prime256v1'
+                                  @p256.encode(decompressed_key: @ephemeral_public_key
+                                    .to_bn(:uncompressed).to_s(16)).to_der
+                                else
+                                  @koblitz.encode(decompressed_key: @ephemeral_public_key
+                                    .to_bn(:uncompressed).to_s(16)).to_der
+                                end
+        hash_input = shared_key + [0o0, 0o0, 0o0, 0o1].pack('C*') + encoded_ephemeral_key
+        hash = OpenSSL::Digest.new('SHA256')
+        hash.digest(hash_input)
+      end
 
-        raise Evervault::Errors::UnsupportedEncryptType.new(
-          "Encryption is not supported for #{data.class}"
-        ) if !(encryptable_data?(data) || data.instance_of?(Hash) || data.instance_of?(Array))
-          
-        traverse_and_encrypt(data)
+      def base_64_remove_padding(str)
+        str.gsub(/={1,2}$/, '')
       end
 
-      private def encrypt_string(data_to_encrypt)
+      def encrypt_string(data_to_encrypt, role)
         cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
 
-        shared_key = generate_shared_key()
+        shared_key = generate_shared_key
         cipher.key = shared_key
 
         iv = cipher.random_iv
         cipher.iv = iv
 
-        if (@curve == 'prime256v1')
-          cipher.auth_data = Base64.strict_decode64(@team_key)
-        end
+        header_type = header_type(data_to_encrypt)
+        cipher.auth_data = create_v2_aad(header_type, @ephemeral_public_key.to_octet_string(:compressed),
+                                         Base64.decode64(@team_key))
 
-        encrypted_data = cipher.update(data_to_encrypt.to_s) + cipher.final + cipher.auth_tag
+        metadata = generate_metadata(role)
+        metadata_offset = [metadata.length].pack('v') # 'v' specifies 16-bit unsigned little-endian
+        payload = metadata_offset + metadata + data_to_encrypt.to_s
+
+        encrypted_data = cipher.update(payload.to_s) + cipher.final + cipher.auth_tag
 
         ephemeral_key_compressed_string = @ephemeral_public_key.to_octet_string(:compressed)
 
-        format(header_type(data_to_encrypt), Base64.strict_encode64(iv), Base64.strict_encode64(ephemeral_key_compressed_string), Base64.strict_encode64(encrypted_data))
+        format(header_type(data_to_encrypt), Base64.strict_encode64(iv),
+               Base64.strict_encode64(ephemeral_key_compressed_string), Base64.strict_encode64(encrypted_data))
       end
 
-      private def traverse_and_encrypt(data)
+      def traverse_and_encrypt(data, role)
         if encryptable_data?(data)
-          return encrypt_string(data)
+          return encrypt_string(data, role)
         elsif data.instance_of?(Hash)
           encrypted_data = {}
-          data.each { |key, value| encrypted_data[key] = traverse_and_encrypt(value) }
+          data.each { |key, value| encrypted_data[key] = traverse_and_encrypt(value, role) }
           return encrypted_data
         elsif data.instance_of?(Array)
-          encrypted_data = data.map { |value| traverse_and_encrypt(value) }
+          encrypted_data = data.map { |value| traverse_and_encrypt(value, role) }
           return encrypted_data
         else
-          raise Evervault::Errors::UnsupportedEncryptType.new(
-            "Encryption is not supported for #{data.class}"
-          )
+          raise Evervault::Errors::EvervaultError, "Encryption is not supported for #{data.class}"
         end
-        data
-      end
 
-      private def encryptable_data?(data)
-        data.instance_of?(String) || [true, false].include?(data) ||
-        data.instance_of?(Integer) || data.instance_of?(Float)
-      end
-
-      private def generate_shared_key()
-        ec = OpenSSL::PKey::EC.generate(@curve)
-        @ephemeral_public_key = ec.public_key
-
-        decoded_team_key = OpenSSL::BN.new(Base64.strict_decode64(@team_key), 2)
-        group_for_team_key = OpenSSL::PKey::EC::Group.new(@curve)
-        team_key_point = OpenSSL::PKey::EC::Point.new(group_for_team_key, decoded_team_key)
-
-        shared_key = ec.dh_compute_key(team_key_point)
-
-        if @curve == 'prime256v1'
-          # Perform KDF
-          encoded_ephemeral_key = @p256.encode(decompressed_key: @ephemeral_public_key.to_bn(:uncompressed).to_s(16)).to_der
-          hash_input = shared_key + [00, 00, 00, 01].pack('C*') + encoded_ephemeral_key
-          hash = OpenSSL::Digest::SHA256.new()
-          digest = hash.digest(hash_input)
-          return digest
-        end  
-
-        shared_key
+        data
       end
 
-      private def format(datatype, iv, team_key, encrypted_data)
+      def format(datatype, iv, team_key, encrypted_data)
         "ev:#{@ev_version}#{
-          datatype != 'string' ? ':' + datatype : ''
+          datatype != 'string' ? ":#{datatype}" : ''
         }:#{base_64_remove_padding(iv)}:#{base_64_remove_padding(
           team_key
         )}:#{base_64_remove_padding(encrypted_data)}:$"
       end
 
-      private def base_64_remove_padding(str)
-        str.gsub(/={1,2}$/, '');
-      end
-
-      private def header_type(data)
-        if data.instance_of?(Array)
-          return "Array"
-        elsif [true, false].include?(data)
-          return "boolean"
-        elsif data.instance_of?(Hash)
-          return "object"
+      def header_type(data)
+        if [true, false].include?(data)
+          'boolean'
         elsif data.instance_of?(Float) || data.instance_of?(Integer)
-          return "number"
+          'number'
         elsif data.instance_of?(String)
-          return "string"
+          'string'
         end
       end
     end

data/lib/evervault/crypto/curves/base.rb

@@ -1,9 +1,10 @@
-require "openssl"
+# frozen_string_literal: true
+
+require 'openssl'
 
 module Evervault
   module Crypto
     class CurveBase
-
       def initialize(curve_name:, curve_values:)
         @asn1Encoder = buildEncoder(curve_values: curve_values)
       end
@@ -12,13 +13,19 @@ module Evervault
         @asn1Encoder.call(decompressed_key)
       end
 
-      private def buildEncoder(curve_values:)
+      private
+
+      def buildEncoder(curve_values:)
         a = OpenSSL::ASN1::OctetString.new([curve_values::A].pack('H*'))
         b = OpenSSL::ASN1::OctetString.new([curve_values::B].pack('H*'))
-        seed = OpenSSL::ASN1::BitString.new([curve_values::SEED].pack('H*'))
-        curve = OpenSSL::ASN1::Sequence.new([a, b, seed])
-
-        field_type = OpenSSL::ASN1::ObjectId.new("1.2.840.10045.1.1")
+        if !curve_values::SEED.nil?
+          seed = OpenSSL::ASN1::BitString.new([curve_values::SEED].pack('H*'))
+          curve = OpenSSL::ASN1::Sequence.new([a, b, seed])
+        else
+          curve = OpenSSL::ASN1::Sequence.new([a, b])
+        end
+
+        field_type = OpenSSL::ASN1::ObjectId.new('1.2.840.10045.1.1')
         parameters = OpenSSL::ASN1::Integer.new(curve_values::P.to_i(16))
         field_id = OpenSSL::ASN1::Sequence.new([field_type, parameters])
 
@@ -28,11 +35,14 @@ module Evervault
         cofactor = OpenSSL::ASN1::Integer.new(curve_values::H.to_i(16))
         ec_parameters = OpenSSL::ASN1::Sequence.new([version, field_id, curve, base, order, cofactor])
 
-        algorithm = OpenSSL::ASN1::ObjectId.new("1.2.840.10045.2.1")
+        algorithm = OpenSSL::ASN1::ObjectId.new('1.2.840.10045.2.1')
         algorithm_identifier = OpenSSL::ASN1::Sequence.new([algorithm, ec_parameters])
 
-        return lambda {|public_key| OpenSSL::ASN1::Sequence.new([algorithm_identifier, OpenSSL::ASN1::BitString.new([public_key].pack('H*'))])}
+        lambda { |public_key|
+          OpenSSL::ASN1::Sequence.new([algorithm_identifier,
+                                       OpenSSL::ASN1::BitString.new([public_key].pack('H*'))])
+        }
       end
     end
   end
-end
+end

data/lib/evervault/crypto/curves/koblitz.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require_relative 'base'
+
+module KOBLITZ_CONSTANTS
+  A = '0000000000000000000000000000000000000000000000000000000000000000'
+  B = '0000000000000000000000000000000000000000000000000000000000000007'
+  SEED = nil
+  P = 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F'
+  GENERATOR = '0479BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798483ADA7726A3C4655DA4FBFC0E1108A8FD17B'\
+    '448A68554199C47D08FFB10D4B8'
+  N = 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141'
+  H = '01'
+end
+
+module Evervault
+  module Crypto
+    module Curves
+      class Koblitz < CurveBase
+        def initialize
+          super(curve_name: 'secp256k1', curve_values: KOBLITZ_CONSTANTS)
+        end
+      end
+    end
+  end
+end

data/lib/evervault/crypto/curves/p256.rb

@@ -1,22 +1,25 @@
-require_relative "base"
+# frozen_string_literal: true
+
+require_relative 'base'
 
 # https://neuromancer.sk/std/x962/prime256v1
 
 module P256_CONSTANTS
-  A = "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC"
-  B = "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B"
-  SEED = "C49D360886E704936A6678E1139D26B7819F7E90"
-  P = "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF"
-  GENERATOR = "046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5"
-  N = "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551"
-  H = "01"
+  A = 'FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC'
+  B = '5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B'
+  SEED = 'C49D360886E704936A6678E1139D26B7819F7E90'
+  P = 'FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF'
+  GENERATOR = '046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE3'\
+    '3576B315ECECBB6406837BF51F5'
+  N = 'FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551'
+  H = '01'
 end
 
 module Evervault
   module Crypto
     module Curves
       class P256 < CurveBase
-        def initialize()
+        def initialize
           super(curve_name: 'prime256v1', curve_values: P256_CONSTANTS)
         end
       end

data/lib/evervault/errors/error_map.rb

@@ -1,47 +1,35 @@
-require_relative "errors"
+# frozen_string_literal: true
+
+require_relative 'errors'
 
 module Evervault
   module Errors
     class ErrorMap
-      def self.raise_errors_on_failure(status_code, body, headers)
-        return if status_code < 400
-        case status_code
-        when 404
-          raise ResourceNotFoundError.new("Resource Not Found")
-        when 400
-          raise BadRequestError.new("Bad request")
-        when 401
-          raise AuthenticationError.new("Unauthorized")
-        when 403
-          if (headers.include? "x-evervault-error-code") && (headers["x-evervault-error-code"] == "forbidden-ip-error")
-            raise ForbiddenIPError.new("IP is not present in Cage whitelist")
-          else
-            raise AuthenticationError.new("Forbidden")
-          end
-        when 500
-          raise ServerError.new("Server Error")
-        when 502
-          raise BadGatewayError.new("Bad Gateway Error")
-        when 503
-          raise ServiceUnavailableError.new("Service Unavailable")
+      def self.raise_errors_on_failure(_status_code, body, _headers)
+        parsed_body = JSON.parse(body)
+        code = parsed_body['code']
+        detail = parsed_body['detail']
+
+        case code
+        when 'functions/request-timeout'
+          raise FunctionTimeoutError, detail
+        when 'functions/function-not-ready'
+          raise FunctionNotReadyError, detail
+        when 'functions/forbidden-ip'
+          raise ForbiddenIPError, detail
         else
-          raise UnexpectedError.new(
-                  self.message_for_unexpected_error_without_type(body)
-                )
+          raise EvervaultError, detail
         end
       end
 
-      private def message_for_unexpected_error_without_type(error_details)
-        if error_details.nil?
-          return(
-            "An unexpected error occurred without message or status code. Please contact Evervault support"
-          )
-        end
-        message = error_details["message"]
-        status_code = error_details["statusCode"]
-        "An unexpected error occured. It occurred with the message: #{
-          message
-        } and http_code: '#{status_code}'. Please contact Evervault support"
+      def self.raise_function_error_on_failure(body)
+        error = body['error']
+        raise EvervaultError, 'An unexpected error occurred. Please contact Evervault support' unless error
+
+        message = error['message']
+        stack = error['stack']
+        id = body['id']
+        raise FunctionRuntimeError.new(message, stack, id)
       end
     end
   end