inline_encryption 1.0.3 → 2.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 8579ebc960ba6c9f084553a3f948c18aa15013c5ceda7d4ff9d84191b386defa
+  data.tar.gz: cbb00c55dadcfba3f757e90222aa04e5779037afd9fee2b0fddaf35937c06983
+SHA512:
+  metadata.gz: 9a4d667b844ce6bdd816022d4abd763a6488d89cec23e9e32680748e6f2a9eb6e5d489ae419c6a9eb5f1382ba7579e7997334aa8581fd144312293a23aea0f5f
+  data.tar.gz: 1adff188699044cf0e9facff5393e96a47f20393335b7ee45e5de761fa438ced3d8b3b5865d9b87755c8b5137f380b9771d08732d6ad28cac9201e54dcae6c95

data/.gitignore

@@ -19,4 +19,5 @@ test/version_tmp
 tmp
 .ruby-version
 vendor/
-.rspec
+.rspec
+.rbenv-gemsets

data/.pre-commit-config.yaml

@@ -0,0 +1,21 @@
+repos:
+-   hooks:
+    -   id: check-added-large-files
+    -   id: check-merge-conflict
+    -   id: check-yaml
+    -   id: detect-aws-credentials
+    -   id: detect-private-key
+    -   id: end-of-file-fixer
+    -   id: trailing-whitespace
+    repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.1.0
+-   hooks:
+    -   id: commitizen
+        stages:
+        - commit-msg
+    repo: https://github.com/commitizen-tools/commitizen
+    rev: v2.20.3
+-   hooks:
+    -   id: rubocop
+    repo: https://github.com/jumanjihouse/pre-commit-hooks
+    rev: 2.1.5

data/.rubocop.yml

@@ -0,0 +1,12 @@
+inherit_from: .rubocop_todo.yml
+
+# The behavior of RuboCop can be controlled via the .rubocop.yml
+# configuration file. It makes it possible to enable/disable
+# certain cops (checks) and to alter their behavior if they accept
+# any parameters. The file can be placed either in your home
+# directory or in some project directory.
+#
+# RuboCop will start looking for the configuration file in the directory
+# where the inspected file is and continue its way up to the root directory.
+#
+# See https://docs.rubocop.org/rubocop/configuration

data/.rubocop_todo.yml

@@ -0,0 +1,20 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2022-01-11 17:25:54 UTC using RuboCop version 1.24.1.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 1
+# Configuration parameters: Include.
+# Include: **/*.gemspec
+Gemspec/RequiredRubyVersion:
+  Exclude:
+    - 'inline_encryption.gemspec'
+
+# Offense count: 4
+# Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
+# IgnoredMethods: refine
+Metrics/BlockLength:
+  Max: 63

data/.tool-versions

@@ -0,0 +1,2 @@
+ruby 2.7.4
+pre-commit 2.15.0

data/.travis.yml

@@ -1,6 +1,8 @@
 language: ruby
 rvm:
-  - "1.9.3"
-  - "2.0.0"
-  - "2.1.0"
+  - '2.3.8'
+  - '2.4.4'
+  - '2.5.3'
+  - '2.7.4'
 script: bundle exec rspec spec
+bundler_args: --without development debugger

data/CHANGELOG.md

@@ -0,0 +1,32 @@
+# 2.0.1
+  - update test app to latest Rails 4 to satisfy automated security scan; future versions 
+    will probably drop the included test app
+  - updated travis to drop ruby 2.1, update 2.2 and 2.3 to latest; add ruby 2.4 and 2.5
+    
+# 2.0.0
+  - Major backwards compatible change.  A common if perhaps upspoken thought
+  of many good developers I have known is "I hate what I wrote yesterday"
+  Well, for whatever reason (that I cannot recall or even fathom) this gem was
+  originally written using a private key for encrypting a value, and a public
+  key to decrypt.  While that is not itself insecure, it's a terrible
+  practice and makes it easy for humans to make errors.
+  So starting in version 2.0.0 encrpyt methods will use public key and
+  decrypt will use private key, as is conventional
+  - raise on trying to decrypt with a public key
+  - code cleanup (style, remove spork remnant)
+  - bump travis ruby versions to secure versions
+
+# 1.0.5
+  - updated gem groups, updated travis to run without debugger and development groups
+# 1.0.4
+  - update version of Bundler to floor 1.7
+  - swapped byebug for debugger
+  - fixed a few style violations (single/double quotes)
+  - added Thor to runtime dependencies
+  - added explicit require for hashie/dash and hashie/extensions/dash/indifferent_access in config.rb
+    I think this is probably unnecessary but was getting unresolved name errors in some rubies
+  - added explicit require for base64 in base.rb ([Issue #2](https://github.com/rubyisbeautiful/inline_encryption/issues/2))
+  - drop 1.9.x and 2.0.x in travis testing
+  - updated to rspec 3 syntax
+  
+# 1.0.3

data/Gemfile

@@ -1,20 +1,28 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
 gemspec
 
-gem 'bundler', '~> 1.3'
+gem 'bundler', '>= 2.2.33'
 gem 'hashie'
 gem 'i18n'
 gem 'thor'
 
-group :development, :test do
-  gem 'debugger'
+group :debugger do
+  gem 'byebug', '~> 11'
+end
+
+group :development do
   gem 'guard'
   gem 'guard-rspec'
-  gem 'guard-spork'
+  gem 'rubocop'
+end
+
+group :development, :test do
   gem 'rake'
   gem 'redcarpet'
   gem 'rspec'
   gem 'simplecov', require: false
   gem 'yard'
-end
+end

data/Guardfile

@@ -1,16 +1,11 @@
+# frozen_string_literal: true
+
 # A sample Guardfile
 # More info at https://github.com/guard/guard#readme
 
-guard 'rspec', all_after_pass: true, failed_mode: :focus, all_on_start: true, cmd: 'rspec spec --drb --debugger' do
+guard 'rspec', all_after_pass: true, failed_mode: :focus, all_on_start: true, cmd: 'rspec' do
   watch(%r{^spec/.+_spec\.rb$})
-  watch(%r{^lib/(.+)\.rb$}){ |m| "spec/lib/#{m[1]}_spec.rb" }
-  watch('spec/spec_helper.rb'){ "spec" }
-  watch(%r{^spec/support/(.+)\.rb$})                  { "spec" }
-end
-
-guard 'spork', :test_unit => false do
-  watch('Gemfile')
-  watch('Gemfile.lock')
-  watch('spec/spec_helper.rb') { :rspec }
+  watch(%r{^lib/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb') { 'spec' }
+  watch(%r{^spec/support/(.+)\.rb$}) { 'spec' }
 end
-

data/README.md

@@ -2,6 +2,15 @@
 
 Simple encryption relying on convention and designed to be used inline as string replacements.
 
+PLEASE upgrade to version 2.0 - previous versions lend themselves to making
+human errors which could lead to exploitation.
+
+## Upgrading from 1.0 to 2.0
+
+1. Recommended, but optional - generate a new RSA key pair
+2. For a properly configured production environment, simply configure with a private key
+3. Pass along the public key to any developers on the team that will need to encrypt new values
+
 ## Usage
 
 Imagine you have a file named `database.yml` that contains passwords.
@@ -17,3 +26,19 @@ After:
 ```ruby
 password: <%= InlineEncryption.decrypt(encrypted stuff goes here) %>
 ```
+
+To set up:
+
+```ruby
+InlineEncryption.config[:key] = '/some/rsa_key'
+```
+
+An example of different keys per environment:
+
+```ruby
+InlineEncryption.config[:key] = ENV['INLINE_ENCRYPTION_KEY']
+```
+
+
+If you've configured with a private key, you can both encrypt and decrypt.  If you've
+configured with a public key, you can only encrypt.

data/Rakefile

@@ -1,6 +1,8 @@
-require "bundler/gem_tasks"
-require "rspec/core/rake_task"
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
 
 RSpec::Core::RakeTask.new(:spec)
 
-task :default => :spec
+task default: :spec

data/bin/inline_encryption

@@ -1,4 +1,6 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
+
 # -*- mode: ruby -*-
 require 'bundler'
 Bundler.setup

data/config/locales.yml

@@ -3,8 +3,10 @@ en:
   encrypted: 'Encrypted: %{data}'
   error:
     missing_key: "missing variable: 'key'"
+    pub_key_decrypt: "Tried to decrypt with a public key.  If you really need this ability, please use version ~> 1.0"
 es:
   target: 'Destino: %{data}'
   encrypted: 'Encriptado: %{data}'
   error:
     missing_key: "variable que falta: 'key'"
+    pub_key_decrypt: "Intentado decriptar con llave publica.  Si de veras necesitas esta capabilidad, favor de user version ~> 1.0"

data/inline_encryption.gemspec

@@ -1,29 +1,28 @@
-# -*- encoding: utf-8 -*-
-require 'base64'
-lib = File.expand_path('../lib', __FILE__)
+# frozen_string_literal: true
+
+require 'English'
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'inline_encryption/version'
 
 Gem::Specification.new do |spec|
-  spec.name          = "inline_encryption"
+  spec.name          = 'inline_encryption'
   spec.version       = InlineEncryption::VERSION
   spec.authors       = ['rubyisbeautiful']
-  spec.email         = ['YmNwdGF5bG9yQGdtYWlsLmNvbQ==\n'].collect{ |foo| Base64.decode64(foo) }
-  spec.description   = %q{ A simple encryption tool based on common convention }
-  spec.summary       = %q{ A simple encryption tool based on common convention and designed as a drop in for Stringish things }
-  spec.homepage      = 'http://github.com/rubyisbeautiful/inline_encryption'
+  spec.email         = 'bcptaylor+github@gmail.com'
+  spec.description   = ' A simple encryption tool based on common convention '
+  spec.summary       = ' A drop-in simple encryption tool for stringish things '
+  spec.homepage      = 'https://github.com/rubyisbeautiful/inline_encryption'
   spec.license       = 'MIT'
 
-  spec.files         = `git ls-files`.split($/)
-  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = ["lib"]
-  spec.required_ruby_version = '>= 1.9.3'
+  spec.require_paths = ['lib']
+  spec.required_ruby_version = '>= 2.1.5'
 
-  spec.executables   = ['inline_encryption']
+  spec.executables = ['inline_encryption']
 
   spec.add_runtime_dependency 'hashie'
   spec.add_runtime_dependency 'i18n'
-
-
+  spec.add_runtime_dependency 'thor'
 end

data/lib/inline_encryption/base.rb

@@ -1,8 +1,10 @@
-module InlineEncryption
-
-  module Base
+# frozen_string_literal: true
 
+require 'base64'
 
+module InlineEncryption
+  # Base module including core functionality
+  module Base
     # @param [String] data encryption target
     # @return [String] encrypted target
     # @raise [EncryptionFailureError] couldn't encrypt the target
@@ -10,64 +12,58 @@ module InlineEncryption
       config.check_required_variables
 
       begin
-        encrypted = config.real_key.private_encrypt(data)
-        converted = Base64.encode64(encrypted)
-      rescue => e
+        encrypted = config.real_key.public_encrypt(data)
+        Base64.encode64(encrypted)
+      rescue StandardError
         err = EncryptionFailureError.exception I18n.t('target', data: data)
         raise err
       end
     end
 
-
     # @param [String] data encryption target
     # @return [String] encrypted target, or fail_text on error (default data)
-    def encrypt(data, fail_text=nil)
+    def encrypt(data, fail_text = nil)
       config.check_required_variables
 
       begin
         encrypt!(data)
-      rescue EncryptionFailureError => e
-        return fail_text.nil? ? data : fail_text.to_s
+      rescue EncryptionFailureError
+        fail_text.nil? ? data : fail_text.to_s
       end
     end
 
-
     # @param [String] data decryption target
     # @return [String] decrypted target
     # @raise [DecryptionFailureError] couldn't decrypt the target
     def decrypt!(data)
       config.check_required_variables
+      raise MisconfigurationError, I18n.t('error.pub_key_decrypt') unless config.real_key.private?
 
       begin
         converted = Base64.decode64(data)
-        this_key = config.real_key.private? ? config.real_key.public_key : config.real_key
-        decrypted = this_key.public_decrypt(converted)
-      rescue => e
-        err = DecryptionFailureError.exception I18n.t('encrypted', data)
+        config.real_key.private_decrypt(converted)
+      rescue StandardError
+        err = DecryptionFailureError.exception I18n.t('encrypted', data: data)
         raise err
       end
     end
 
-
     # @param [String] data decryption target
     # @param [String] fail_text text to be returned in the case of a decryption failure
     # @return [String] decrypted target
-    def decrypt(data, fail_text=nil)
+    def decrypt(data, fail_text = nil)
       config.check_required_variables
 
       begin
         decrypt!(data)
-      rescue DecryptionFailureError => e
-        return fail_text.nil? ? data : fail_text.to_s
+      rescue DecryptionFailureError
+        fail_text.nil? ? data : fail_text.to_s
       end
     end
 
-
     # @return [InlineEncryption::Config] the configuration instance
     def config
       @config ||= Config.new
     end
-
   end
-
-end
+end

data/lib/inline_encryption/cli.rb

@@ -1,31 +1,26 @@
+# frozen_string_literal: true
+
 require 'thor'
 
 module InlineEncryption
-
+  # CLI class for using on commandline
   class CLI < Thor
-
-    def initialize(args=[], opts=[], config={})
+    def initialize(args = [], opts = [], config = {})
       super(args, opts, config)
     end
 
-
     desc 'encrypt [DATA]', 'encrypt stuff'
-    class_option :require, :aliases => ['-r'], :type => :string
+    class_option :require, aliases: ['-r'], type: :string
     def encrypt(data)
       load_environment(options[:require]) if options[:require]
 
       puts InlineEncryption.encrypt(data)
     end
 
-
-
     protected
 
-
     def load_environment(file)
       require File.expand_path(file)
     end
-
   end
-
-end
+end

data/lib/inline_encryption/config.rb

@@ -1,9 +1,13 @@
+# frozen_string_literal: true
+
+require 'hashie/extensions/ruby_version_check'
 require 'hashie/extensions/indifferent_access'
 require 'hashie/extensions/method_access'
+require 'hashie/extensions/dash/indifferent_access'
+require 'hashie/dash'
 require 'openssl'
 
 module InlineEncryption
-
   # known configuration variables
   # key - a String containing the private key, a filename pointing to the private key, or an OpenSSL::PKey::RSA
   class Config < Hash
@@ -13,26 +17,30 @@ module InlineEncryption
     # checks required, currently only the 'key'
     # @raises [InlineEncryption::MissingRequiredVariableError] raise on a missing variable
     def check_required_variables
-      raise MissingRequiredVariableError.new(I18n.t('error.missing_key')) unless self.has_key?(:key)
+      raise MissingRequiredVariableError, I18n.t('error.missing_key') unless key?(:key)
     end
 
-
     # @return [OpenSSL::PKey::RSA] the OpenSSL key instance
     def real_key
       case self[:key]
-        when NilClass
-          nil
-        when String
-          if File.exists?(self[:key])
-            OpenSSL::PKey::RSA.new(File.read(self[:key]))
-          else
-            OpenSSL::PKey::RSA.new(self[:key])
-          end
-        when OpenSSL::PKey::RSA
-          self[:key]
+      when NilClass
+        nil
+      when String
+        load_or_use_key(self[:key])
+      when OpenSSL::PKey::RSA
+        self[:key]
       end
     end
-  end
 
+    private
 
-end
+    # @return OpenSSL::PKey::RSA
+    def load_or_use_key(str)
+      if File.exist?(str)
+        OpenSSL::PKey::RSA.new(File.read(str))
+      else
+        OpenSSL::PKey::RSA.new(str)
+      end
+    end
+  end
+end

data/lib/inline_encryption/errors.rb

@@ -1,7 +1,8 @@
-module InlineEncryption
+# frozen_string_literal: true
 
+module InlineEncryption
   class MissingRequiredVariableError < StandardError; end
   class DecryptionFailureError < StandardError; end
   class EncryptionFailureError < StandardError; end
-
-end
+  class MisconfigurationError < StandardError; end
+end

data/lib/inline_encryption/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module InlineEncryption
-  VERSION = '1.0.3'
+  VERSION = '2.1.0'
 end

data/lib/inline_encryption.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'i18n'
 require 'base64'
 require 'inline_encryption/version'
@@ -5,6 +7,7 @@ require 'inline_encryption/config'
 require 'inline_encryption/base'
 require 'inline_encryption/errors'
 
+# top level module InlineEncryption
 module InlineEncryption
   extend InlineEncryption::Base
 
@@ -14,6 +17,4 @@ module InlineEncryption
     I18n.enforce_available_locales = false
     @_i18n_initialized_for_ie = true
   end
-
-
 end

data/spec/inline_encryption/base_spec.rb

@@ -1,88 +1,87 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 require 'base64'
 
 describe InlineEncryption::Base do
-
   before :all do
     @default_key = OpenSSL::PKey::RSA.generate(2048)
   end
 
-  before :each do
-    InlineEncryption.config[:key] = @default_key
-  end
-
   describe 'encrypt' do
+    let(:str) { 'foo' }
 
-    let(:str){ 'foo' }
+    before :each do
+      InlineEncryption.config[:key] = @default_key
+    end
 
     it 'should encrypt' do
-      InlineEncryption.encrypt(str).should == Base64.encode64(@default_key.private_encrypt(str))
+      expect(InlineEncryption.encrypt(str)).not_to eq(str)
     end
 
     it 'should fail to encrpyt and return the target' do
-      InlineEncryption.config[:key] = OpenSSL::PKey::RSA.generate(32)
-      InlineEncryption.encrypt(str*2).should == str*2
+      InlineEncryption.config[:key] = OpenSSL::PKey::RSA.generate(2048)
+      expect(InlineEncryption.encrypt(nil)).to eq(nil)
     end
 
     it 'should fail to encrypt and return the fail_text' do
-      InlineEncryption.config[:key] = OpenSSL::PKey::RSA.generate(32)
-      InlineEncryption.encrypt(str*2, 'chunky').should == 'chunky'
+      InlineEncryption.config[:key] = OpenSSL::PKey::RSA.generate(2048)
+      expect(InlineEncryption.encrypt(nil, 'chunky')).to eq('chunky')
     end
-
   end
 
   describe 'encrypt!' do
-    let(:str){ 'foo' }
+    let(:str) { 'foo' }
+
+    before :each do
+      InlineEncryption.config[:key] = @default_key
+    end
 
     it 'should encrypt' do
-      InlineEncryption.encrypt!(str).should == Base64.encode64(@default_key.private_encrypt(str))
+      expect(InlineEncryption.encrypt!(str)).not_to eq(str)
     end
 
     it 'should fail to encrpyt and raise' do
-      InlineEncryption.config[:key] = OpenSSL::PKey::RSA.generate(32)
-      expect{ InlineEncryption.encrypt!(str*2) }.to raise_error(InlineEncryption::EncryptionFailureError)
+      InlineEncryption.config[:key] = OpenSSL::PKey::RSA.generate(2048)
+      expect { InlineEncryption.encrypt!(nil) }.to raise_error(InlineEncryption::EncryptionFailureError)
     end
-
   end
 
   describe 'decrypt' do
-
-    before :all do
-      @str = Base64.encode64(@default_key.private_encrypt('chunky'))
-    end
+    let(:str) { Base64.encode64(@default_key.public_encrypt('chunky')) }
 
     it 'should decrypt' do
-      InlineEncryption.decrypt(@str).should == 'chunky'
+      InlineEncryption.config[:key] = @default_key
+      expect(InlineEncryption.decrypt(str)).to eq('chunky')
     end
 
     it 'should fail to decrypt and return the target' do
-      InlineEncryption.config[:key] = OpenSSL::PKey::RSA.generate(32)
-      InlineEncryption.decrypt(@str).should == @str
+      InlineEncryption.config[:key] = OpenSSL::PKey::RSA.generate(2048)
+      expect(InlineEncryption.decrypt(str)).to eq(str)
     end
 
     it 'should fail to decrypt and return the fail_text' do
-      InlineEncryption.config[:key] = OpenSSL::PKey::RSA.generate(32)
-      InlineEncryption.decrypt(@str, 'chunky').should == 'chunky'
+      InlineEncryption.config[:key] = OpenSSL::PKey::RSA.generate(2048)
+      expect(InlineEncryption.decrypt(str, 'chunky')).to eq('chunky')
     end
 
+    it 'should fail to decrpyt and raise if using a public key to decrypt' do
+      InlineEncryption.config[:key] = @default_key.public_key
+      expect { InlineEncryption.decrypt('whatevs') }.to raise_error(InlineEncryption::MisconfigurationError)
+    end
   end
 
   describe 'decrypt!' do
-
-    before :all do
-      @str = Base64.encode64(@default_key.private_encrypt('chunky'))
-    end
+    let(:str) { Base64.encode64(@default_key.public_encrypt('chunky')) }
 
     it 'should decrypt' do
-      InlineEncryption.decrypt!(@str).should == 'chunky'
+      InlineEncryption.config[:key] = @default_key
+      expect(InlineEncryption.decrypt!(str)).to eq('chunky')
     end
 
     it 'should fail to decrpyt and raise' do
-      InlineEncryption.config[:key] = OpenSSL::PKey::RSA.generate(32)
-      expect{ InlineEncryption.decrypt!(@str) }.to raise_error(InlineEncryption::DecryptionFailureError)
+      InlineEncryption.config[:key] = OpenSSL::PKey::RSA.generate(2048)
+      expect { InlineEncryption.decrypt!(str) }.to raise_error(InlineEncryption::DecryptionFailureError)
     end
-
   end
-
 end
-