go_secure 0.62 → 0.70

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 23672006525e9b8d00c32febe3e51c7f0b7f622a
-  data.tar.gz: 9cf3d608a364304aa1f1f4d57be6d5e9d429b767
+SHA256:
+  metadata.gz: 6c1ac3e5ca4f3cec1163eaaf94c96aeecbf9d7598a0b36b0a88b62c02ce0fdf6
+  data.tar.gz: 8ed2bd8c670d7903aac0c7ae127f121d1e03d39d46aeb104d6d005141b6892d7
 SHA512:
-  metadata.gz: '019ef5cccca1afc672ce75c5370d63ee4135e1a584179a9eb7a056f54c3a4c9bd72cbdb2194e3e0dafb440aaebefbf867c9a928033a7110cc30af8abdc2aba27'
-  data.tar.gz: c01c6899abc3711302d987daa9d23a7f5666c6c95d142bdcfc0dbade4d3cbee33ca0d20ca57eecb9c9b1d2c31344a045cecee41074012c2f27409f3870555237
+  metadata.gz: '06197b6cc0e35b7ba5fe6547ad58b27fff19726fe6a2508af31595c059f8f0ce23c589111c77f8a22c4de50d952a7610ea9fdc6aa187ef4b481d2df2885d15e7'
+  data.tar.gz: 493403cce547664bf0f29bf581ca0ee68af32ddb8d70637d37fe33fa65ea95eed5a1071cba08b8a2642b6d53120da48424d38d7f7bc74d82176ec5f4abc76898

data/lib/go_secure.rb

@@ -13,17 +13,25 @@ module GoSecure
     digest = OpenSSL::Digest::SHA512.new(encryption_key || self.encryption_key)
     res = Base64.urlsafe_encode64(OpenSSL::PKCS5.pbkdf2_hmac(str.to_s, salt.to_s, 100000, digest.digest_length, digest))
   end
+
+  def self.lite_hmac(str, salt, level, encryption_key=nil)
+    raise "invalid level" unless level == 1
+    OpenSSL::HMAC.hexdigest('SHA512', OpenSSL::HMAC.hexdigest('SHA512', str.to_s, salt.to_s), encryption_key || self.encryption_key)
+  end
   
   def self.nonce(str)
     Digest::SHA512.hexdigest(str.to_s + Time.now.to_i.to_s + rand(999999).to_s + self.encryption_key)[0, 24]
   end
   
-  def self.encrypt(str, ref, encryption_key=nil)
+  def self.encrypt(str, ref, encryption_key=nil, iv=nil)
     require 'base64'
-    c = OpenSSL::Cipher::Cipher.new('aes-256-cbc')
+    c = OpenSSL::Cipher.new('aes-256-cbc')
     c.encrypt
-    c.key = Digest::SHA2.hexdigest(ref + "_" + (encryption_key || self.encryption_key))
-    c.iv = iv = c.random_iv
+    sha = Digest::SHA2.hexdigest(ref + "_" + (encryption_key || self.encryption_key))
+    c.key = sha[0..31]
+    raise "invalid iv" if iv && iv.length != 16
+    iv = iv || c.random_iv
+    c.iv = iv
     e = c.update(str)
     e << c.final
     res = [Base64.encode64(e), Base64.encode64(iv)]
@@ -32,10 +40,13 @@ module GoSecure
   
   def self.decrypt(str, salt, ref, encryption_key=nil)
     require 'base64'
-    c = OpenSSL::Cipher::Cipher.new('aes-256-cbc')
+    c = OpenSSL::Cipher.new('aes-256-cbc')
     c.decrypt
-    c.key = Digest::SHA2.hexdigest(ref + "_" + (encryption_key || self.encryption_key))
-    c.iv = Base64.decode64(salt)
+    sha = Digest::SHA2.hexdigest(ref + "_" + (encryption_key || self.encryption_key))
+    c.key = sha[0..31]
+    iv = Base64.decode64(salt)
+
+    c.iv = iv[0..15]
     d = c.update(Base64.decode64(str))
     d << c.final
     d.to_s
@@ -47,7 +58,7 @@ module GoSecure
 #     pw['hash_type'] = 'sha512'
 #     pw['hash_type'] = 'bcrypt'
     pw['hash_type'] = 'pbkdf2-sha256-2'
-    pw['salt'] = Digest::MD5.hexdigest(OpenSSL::Random.pseudo_bytes(4) + Time.now.to_i.to_s + self.encryption_key + "pw" + OpenSSL::Random.pseudo_bytes(16))
+    pw['salt'] = Digest::MD5.hexdigest(OpenSSL::Random.random_bytes(4) + Time.now.to_i.to_s + self.encryption_key + "pw" + OpenSSL::Random.random_bytes(16))
 #     pw['hashed_password'] = Digest::SHA512.hexdigest(self.encryption_key + pw['salt'] + password.to_s)
 #     salted = Digest::SHA256.hexdigest(self.encryption_key + pw['salt'] + password.to_s)
 #     pw['hashed_password'] = BCrypt::Password.create(salted)
@@ -109,7 +120,8 @@ module GoSecure
   
   def self.browser_token
     # TODO: checks around whether it's actually a web browser??
-    stamp = Time.now.strftime('%Y%j')
+    day = Time.now.strftime('%j')
+    stamp = "#{Time.now.year}#{(Time.now.yday / 366.0 * 100.0).to_i.to_s.rjust(2, '0')}"
     stamp += '-' + GoSecure.sha512(stamp, 'browser_token')
   end
   
@@ -121,7 +133,8 @@ module GoSecure
   def self.valid_browser_token?(token)
     return false if !token || token.length == 0 || !token.match(/-/)
     stamp, hash = token.split(/-/, 2)
-    if Time.now.strftime('%Y%j').to_i - stamp.to_i < 14 # 14 days?!
+    current_stamp = "#{Time.now.year}#{(Time.now.yday / 366.0 * 100.0).to_i.to_s.rjust(2, '0')}"
+    if current_stamp.to_i - stamp.to_i < (14/365.0*100.0) # 14 days?!
       return valid_browser_token_signature?(token)
     end
     false
@@ -135,10 +148,10 @@ module GoSecure
     def self.load(str)
       return nil unless str
       if str.match(/^\*\*/)
-        Oj.load(str[2..-1])
+        Oj.load(str[2..-1], mode: :compat)
       else
         salt, secret = str.split(/--/, 2)
-        Oj.load(GoSecure.decrypt(secret, salt, "secure_json"))
+        Oj.load(GoSecure.decrypt(secret, salt, "secure_json"), mode: :compat)
       end
     end
   
@@ -157,4 +170,95 @@ module GoSecure
       end
     end
   end
+
+  module SerializeInstanceMethods
+    def load_secure_object
+      @secure_object_json = nil.to_json
+      if self.id
+        attr = read_attribute(self.class.secure_column) || (!self.respond_to?(:secure_column_value) && self.send(self.class.secure_column)) || (@secure_object.is_a?(String) && @secure_object) || nil
+        if attr && attr.match(/\s*^{/)
+          @secure_object = JSON.parse(attr)
+        else
+          @secure_object = GoSecure::SecureJson.load(attr)
+        end
+        @secure_object_json = @secure_object.to_json
+        @loaded_secure_object = true
+      end
+      true
+    end
+    
+    # If the serialized data has changed since initialize and paper_trail
+    # is configured, then we need to manually mark the column as dirty
+    # to make sure a proper paper_trail is maintained
+    def mark_changed_secure_object_hash
+      if !send("#{self.class.secure_column}_changed?")
+        json = @secure_object.to_json
+        if json != @secure_object_json
+          send("#{self.class.secure_column}_will_change!")
+        end
+      end
+      true
+    end
+    
+    def persist_secure_object
+      self.class.more_before_saves ||= []
+      self.class.more_before_saves.each do |method|
+        res = send(method)
+        return false if res == false
+      end
+      mark_changed_secure_object_hash
+      if send("#{self.class.secure_column}_changed?")
+        secure = GoSecure::SecureJson.dump(@secure_object)
+        @secure_object = GoSecure::SecureJson.load(secure)
+        write_attribute(self.class.secure_column, secure)
+      end
+      true
+    end
+  end
+
+  module SerializeClassMethods
+    def secure_serialize(column)
+      raise "only one secure column per record! (yes I'm lazy)" if self.respond_to?(:secure_column) && self.secure_column
+      cattr_accessor :secure_column
+      cattr_accessor :more_before_saves
+      self.secure_column = column
+      prepend SecureSerializeHelpers
+
+      before_save :persist_secure_object
+      define_singleton_method(:before_save) do |*args|
+        raise "only simple before_save calls after secure_serialize: #{args.to_json}" unless args.length == 1 && args[0].is_a?(Symbol)
+        self.more_before_saves ||= []
+        self.more_before_saves << args[0]
+      end
+      define_method("secure_column_value") do
+        nil
+      end
+      define_method("#{column}") do
+        load_secure_object unless @loaded_secure_object 
+        @secure_object
+      end
+      define_method("#{column}=") do |val|
+        @loaded_secure_object = true
+        @secure_object = val
+      end
+      # Commented out because eager-loading an encrypted data column is not efficient
+      # after_initialize :load_secure_object
+    end
+  end
+
+  module SecureSerializeHelpers
+    def reload(*args)
+      res = super
+      load_secure_object
+      res
+    end
+    
+    def []=(*args)
+      if args[0].to_s == self.class.secure_column
+        send("#{self.class.secure_column}=", args[1])
+      else
+        super
+      end
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: go_secure
 version: !ruby/object:Gem::Version
-  version: '0.62'
+  version: '0.70'
 platform: ruby
 authors:
 - Brian Whitmer
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-05-14 00:00:00.000000000 Z
+date: 2020-09-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: oj
@@ -66,7 +66,7 @@ homepage: https://github.com/CoughDrop/obf
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -81,9 +81,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.2
-signing_key: 
+rubyforge_project:
+rubygems_version: 2.7.6
+signing_key:
 specification_version: 4
 summary: Go Secure
 test_files: []