keeper_secrets_manager 17.0.4 → 17.1.0

data/lib/keeper_secrets_manager/crypto.rb

@@ -8,7 +8,7 @@ module KeeperSecretsManager
     GCM_IV_LENGTH = 12
     GCM_TAG_LENGTH = 16
     AES_KEY_LENGTH = 32
-    
+
     # Block size for padding
     BLOCK_SIZE = 16
 
@@ -50,38 +50,40 @@ module KeeperSecretsManager
         # Generate private key bytes
         private_key_bytes = generate_encryption_key_bytes
         private_key_str = bytes_to_url_safe_str(private_key_bytes)
-        
+
         # Create EC key from private key bytes
         private_key_bn = OpenSSL::BN.new(private_key_bytes, 2)
-        
+
         # OpenSSL 3.0 compatibility - use ASN1 sequence to create key
         group = OpenSSL::PKey::EC::Group.new('prime256v1')
-        
+
         # Generate public key point
         public_key_point = group.generator.mul(private_key_bn)
-        
+
         # Create ASN1 sequence for the key
         asn1 = OpenSSL::ASN1::Sequence([
-          OpenSSL::ASN1::Integer(1),
-          OpenSSL::ASN1::OctetString(private_key_bytes),
-          OpenSSL::ASN1::ObjectId('prime256v1', 0, :EXPLICIT),
-          OpenSSL::ASN1::BitString(public_key_point.to_octet_string(:uncompressed), 1, :EXPLICIT)
-        ])
-        
+                                         OpenSSL::ASN1::Integer(1),
+                                         OpenSSL::ASN1::OctetString(private_key_bytes),
+                                         OpenSSL::ASN1::ObjectId('prime256v1', 0, :EXPLICIT),
+                                         OpenSSL::ASN1::BitString(public_key_point.to_octet_string(:uncompressed), 1,
+                                                                  :EXPLICIT)
+                                       ])
+
         # Create key from DER
         key = OpenSSL::PKey::EC.new(asn1.to_der)
-        
+
         # Get public key bytes (uncompressed format)
         public_key_bytes = key.public_key.to_octet_string(:uncompressed)
         public_key_str = bytes_to_url_safe_str(public_key_bytes)
-        
+
         # Also store the EC key in DER format for compatibility
         private_key_der = key.to_der
-        
+
         {
           private_key_str: private_key_str,
           public_key_str: public_key_str,
-          private_key_bytes: private_key_der,  # Store DER format
+          private_key_bytes: private_key_bytes,  # Use raw 32 bytes
+          private_key_der: private_key_der,      # Also provide DER format
           public_key_bytes: public_key_bytes,
           private_key_obj: key
         }
@@ -89,63 +91,59 @@ module KeeperSecretsManager
 
       # Encrypt with AES-GCM or fallback to CBC
       def encrypt_aes_gcm(data, key)
-        begin
-          cipher = OpenSSL::Cipher.new('AES-256-GCM')
-          cipher.encrypt
-          
-          # Generate random IV
-          iv = generate_random_bytes(GCM_IV_LENGTH)
-          cipher.iv = iv
-          cipher.key = key
-          
-          # Encrypt data
-          encrypted = cipher.update(data) + cipher.final
-          
-          # Get authentication tag
-          tag = cipher.auth_tag(GCM_TAG_LENGTH)
-          
-          # Combine IV + encrypted + tag
-          iv + encrypted + tag
-        rescue RuntimeError => e
-          if e.message.include?('unsupported cipher')
-            # Fallback to AES-CBC for older Ruby/OpenSSL
-            encrypt_aes_cbc(data, key)
-          else
-            raise e
-          end
+        cipher = OpenSSL::Cipher.new('AES-256-GCM')
+        cipher.encrypt
+
+        # Generate random IV
+        iv = generate_random_bytes(GCM_IV_LENGTH)
+        cipher.iv = iv
+        cipher.key = key
+
+        # Encrypt data
+        encrypted = cipher.update(data) + cipher.final
+
+        # Get authentication tag
+        tag = cipher.auth_tag(GCM_TAG_LENGTH)
+
+        # Combine IV + encrypted + tag
+        iv + encrypted + tag
+      rescue RuntimeError => e
+        if e.message.include?('unsupported cipher')
+          # Fallback to AES-CBC for older Ruby/OpenSSL
+          encrypt_aes_cbc(data, key)
+        else
+          raise e
         end
       end
 
       # Decrypt with AES-GCM or fallback to CBC
       def decrypt_aes_gcm(encrypted_data, key)
+        # Try GCM first
+        # Extract components
+        iv = encrypted_data[0...GCM_IV_LENGTH]
+        tag = encrypted_data[-GCM_TAG_LENGTH..]
+        ciphertext = encrypted_data[GCM_IV_LENGTH...-GCM_TAG_LENGTH]
+
+        cipher = OpenSSL::Cipher.new('AES-256-GCM')
+        cipher.decrypt
+        cipher.iv = iv
+        cipher.key = key
+        cipher.auth_tag = tag
+
+        cipher.update(ciphertext) + cipher.final
+      rescue RuntimeError => e
+        if e.message.include?('unsupported cipher')
+          # Fallback to AES-CBC
+          decrypt_aes_cbc(encrypted_data, key)
+        else
+          raise e
+        end
+      rescue OpenSSL::Cipher::CipherError => e
+        # Maybe it's CBC encrypted?
         begin
-          # Try GCM first
-          # Extract components
-          iv = encrypted_data[0...GCM_IV_LENGTH]
-          tag = encrypted_data[-GCM_TAG_LENGTH..]
-          ciphertext = encrypted_data[GCM_IV_LENGTH...-GCM_TAG_LENGTH]
-          
-          cipher = OpenSSL::Cipher.new('AES-256-GCM')
-          cipher.decrypt
-          cipher.iv = iv
-          cipher.key = key
-          cipher.auth_tag = tag
-          
-          cipher.update(ciphertext) + cipher.final
-        rescue RuntimeError => e
-          if e.message.include?('unsupported cipher')
-            # Fallback to AES-CBC
-            decrypt_aes_cbc(encrypted_data, key)
-          else
-            raise e
-          end
-        rescue OpenSSL::Cipher::CipherError => e
-          # Maybe it's CBC encrypted?
-          begin
-            decrypt_aes_cbc(encrypted_data, key)
-          rescue
-            raise DecryptionError, "Failed to decrypt data: #{e.message}"
-          end
+          decrypt_aes_cbc(encrypted_data, key)
+        rescue StandardError
+          raise DecryptionError, "Failed to decrypt data: #{e.message}"
         end
       end
 
@@ -153,15 +151,14 @@ module KeeperSecretsManager
       def encrypt_aes_cbc(data, key, iv = nil)
         cipher = OpenSSL::Cipher.new('AES-256-CBC')
         cipher.encrypt
-        
+
         iv ||= generate_random_bytes(BLOCK_SIZE)
         cipher.iv = iv
         cipher.key = key
-        
-        # Apply PKCS7 padding
-        padded_data = pad_data(data)
-        encrypted = cipher.update(padded_data) + cipher.final
-        
+
+        # OpenSSL handles PKCS7 padding automatically in cipher.final
+        encrypted = cipher.update(data) + cipher.final
+
         # Return IV + encrypted
         iv + encrypted
       end
@@ -171,16 +168,16 @@ module KeeperSecretsManager
         # Extract IV
         iv = encrypted_data[0...BLOCK_SIZE]
         ciphertext = encrypted_data[BLOCK_SIZE..]
-        
+
         cipher = OpenSSL::Cipher.new('AES-256-CBC')
         cipher.decrypt
         cipher.iv = iv
         cipher.key = key
-        
+
+        # OpenSSL handles PKCS7 padding removal automatically in cipher.final
         decrypted = cipher.update(ciphertext) + cipher.final
-        
-        # Remove padding
-        unpad_data(decrypted)
+
+        decrypted
       rescue OpenSSL::Cipher::CipherError => e
         raise DecryptionError, "Failed to decrypt data: #{e.message}"
       end
@@ -195,18 +192,16 @@ module KeeperSecretsManager
       # Remove PKCS7 padding
       def unpad_data(data)
         return data if data.empty?
-        
+
         pad_len = data[-1].ord
-        
+
         # Validate padding
         if pad_len > 0 && pad_len <= BLOCK_SIZE && pad_len <= data.length
           # Check if all padding bytes are the same
           padding = data[-pad_len..]
-          if padding.bytes.all? { |b| b == pad_len }
-            return data[0...-pad_len]
-          end
+          return data[0...-pad_len] if padding.bytes.all? { |b| b == pad_len }
         end
-        
+
         data
       end
 
@@ -214,21 +209,21 @@ module KeeperSecretsManager
       def generate_hmac(key, data)
         OpenSSL::HMAC.digest('SHA512', key, data)
       end
-      
+
       # Generate ECDSA signature
       def sign_ec(data, private_key)
         # Use SHA256 for ECDSA signature
-        digest = OpenSSL::Digest::SHA256.new
+        digest = OpenSSL::Digest.new('SHA256')
         private_key.sign(digest, data)
       end
 
       # Verify HMAC signature
       def verify_hmac(key, data, signature)
         expected = generate_hmac(key, data)
-        
+
         # Constant time comparison
         return false unless expected.bytesize == signature.bytesize
-        
+
         result = 0
         expected.bytes.zip(signature.bytes) { |a, b| result |= a ^ b }
         result == 0
@@ -237,14 +232,14 @@ module KeeperSecretsManager
       # Load private key from DER format
       def load_private_key_der(der_bytes, password = nil)
         OpenSSL::PKey.read(der_bytes, password)
-      rescue => e
+      rescue StandardError => e
         raise CryptoError, "Failed to load private key: #{e.message}"
       end
 
       # Load public key from DER format
       def load_public_key_der(der_bytes)
         OpenSSL::PKey.read(der_bytes)
-      rescue => e
+      rescue StandardError => e
         raise CryptoError, "Failed to load public key: #{e.message}"
       end
 
@@ -262,20 +257,20 @@ module KeeperSecretsManager
       def encrypt_ec(data, public_key_bytes)
         # Load public key
         public_key = load_ec_public_key(public_key_bytes)
-        
+
         # Generate ephemeral key pair
         ephemeral = OpenSSL::PKey::EC.generate('prime256v1')
-        
+
         # Perform ECDH to get shared secret
         # The shared secret is computed using ECDH between ephemeral private key and server public key
         shared_secret = ephemeral.dh_compute_key(public_key.public_key)
-        
+
         # Derive encryption key using SHA256
         encryption_key = OpenSSL::Digest::SHA256.digest(shared_secret)
-        
+
         # Encrypt data with AES-GCM
         encrypted_data = encrypt_aes_gcm(data, encryption_key)
-        
+
         # Return ephemeral public key + encrypted data
         ephemeral_public = ephemeral.public_key.to_octet_string(:uncompressed)
         ephemeral_public + encrypted_data
@@ -286,17 +281,17 @@ module KeeperSecretsManager
         # Extract ephemeral public key (65 bytes for uncompressed)
         ephemeral_public_bytes = encrypted_data[0...65]
         ciphertext = encrypted_data[65..]
-        
+
         # Create EC key with ephemeral public key
         group = OpenSSL::PKey::EC::Group.new('prime256v1')
         ephemeral_point = OpenSSL::PKey::EC::Point.new(group, ephemeral_public_bytes)
-        
+
         # Compute shared secret using ECDH
         shared_secret = private_key.dh_compute_key(ephemeral_point)
-        
+
         # Derive decryption key
         decryption_key = OpenSSL::Digest::SHA256.digest(shared_secret)
-        
+
         # Decrypt data
         decrypt_aes_gcm(ciphertext, decryption_key)
       end
@@ -307,31 +302,29 @@ module KeeperSecretsManager
       def load_ec_public_key(public_key_bytes)
         # If the bytes are longer than 65, it might be DER encoded
         # Extract the raw point bytes (last 65 bytes)
-        if public_key_bytes.bytesize > 65
-          public_key_bytes = public_key_bytes[-65..-1]
-        end
-        
+        public_key_bytes = public_key_bytes[-65..-1] if public_key_bytes.bytesize > 65
+
         # For OpenSSL 3.0+, we need to create the key differently
         begin
           # Try the OpenSSL 3.0+ way first
           group = OpenSSL::PKey::EC::Group.new('prime256v1')
           point = OpenSSL::PKey::EC::Point.new(group, public_key_bytes)
-          
+
           # Create key from point directly using ASN1
           asn1 = OpenSSL::ASN1::Sequence([
-            OpenSSL::ASN1::Sequence([
-              OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
-              OpenSSL::ASN1::ObjectId("prime256v1")
-            ]),
-            OpenSSL::ASN1::BitString(public_key_bytes)
-          ])
-          
+                                           OpenSSL::ASN1::Sequence([
+                                                                     OpenSSL::ASN1::ObjectId('id-ecPublicKey'),
+                                                                     OpenSSL::ASN1::ObjectId('prime256v1')
+                                                                   ]),
+                                           OpenSSL::ASN1::BitString(public_key_bytes)
+                                         ])
+
           OpenSSL::PKey::EC.new(asn1.to_der)
-        rescue => e
+        rescue StandardError => e
           # Fall back to old method for older OpenSSL
           group = OpenSSL::PKey::EC::Group.new('prime256v1')
           point = OpenSSL::PKey::EC::Point.new(group, public_key_bytes)
-          
+
           key = OpenSSL::PKey::EC.new(group)
           key.public_key = point
           key
@@ -345,4 +338,4 @@ module KeeperSecretsManager
       end
     end
   end
-end
+end

data/lib/keeper_secrets_manager/dto/payload.rb

@@ -20,7 +20,7 @@ module KeeperSecretsManager
         instance_variables.each do |var|
           key = var.to_s.delete('@')
           value = instance_variable_get(var)
-          
+
           # Convert Ruby snake_case to camelCase for API
           api_key = Utils.snake_to_camel(key)
           hash[api_key] = value unless value.nil?
@@ -47,7 +47,7 @@ module KeeperSecretsManager
 
     # Create record payload
     class CreatePayload < BasePayload
-      attr_accessor :record_uid, :record_key, :folder_uid, :folder_key, 
+      attr_accessor :record_uid, :record_key, :folder_uid, :folder_key,
                     :data, :sub_folder_uid
 
       def initialize
@@ -87,7 +87,7 @@ module KeeperSecretsManager
     # File upload payload
     class FileUploadPayload < BasePayload
       attr_accessor :file_record_uid, :file_record_key, :file_record_data,
-                    :owner_record_uid, :owner_record_data, :link_key, :file_size
+                    :owner_record_uid, :owner_record_data, :owner_record_revision, :link_key, :file_size
 
       def initialize
         super()
@@ -149,4 +149,4 @@ module KeeperSecretsManager
       end
     end
   end
-end
+end

data/lib/keeper_secrets_manager/dto.rb

@@ -7,6 +7,7 @@ module KeeperSecretsManager
     # Base class for dynamic record handling
     class KeeperRecord
       attr_accessor :uid, :title, :type, :fields, :custom, :notes, :folder_uid, :data, :revision, :files
+      attr_reader :record_key  # Internal - stores decrypted record key (bytes) for file upload operations
 
       def initialize(attrs = {})
         if attrs.is_a?(Hash)
@@ -14,7 +15,7 @@ module KeeperSecretsManager
           @uid = attrs['recordUid'] || attrs['uid'] || attrs[:uid]
           @folder_uid = attrs['folderUid'] || attrs['folder_uid'] || attrs[:folder_uid]
           @revision = attrs['revision'] || attrs[:revision] || 0
-          
+
           # Handle encrypted data or direct attributes
           if attrs['data']
             data = attrs['data'].is_a?(String) ? JSON.parse(attrs['data']) : attrs['data']
@@ -30,70 +31,87 @@ module KeeperSecretsManager
             @custom = attrs['custom'] || attrs[:custom] || []
             @notes = attrs['notes'] || attrs[:notes] || ''
           end
-          
+
           @files = attrs['files'] || attrs[:files] || []
           @data = attrs
         end
-        
+
         # Ensure fields are always arrays of hashes
         normalize_fields!
       end
 
       # Convert to hash for API submission
+      # This should match the structure of the decrypted 'data' field from server
+      # (does NOT include uid, revision, folder_uid - those are in the outer payload)
       def to_h
-        {
-          'uid' => uid,
+        result = {
           'title' => title,
           'type' => type,
-          'fields' => fields,
-          'custom' => custom,
-          'notes' => notes,
-          'folder_uid' => folder_uid
-        }.compact
+          'fields' => fields
+        }
+
+        # Only include custom if it has entries (server doesn't send empty arrays)
+        result['custom'] = custom if custom && !custom.empty?
+
+        # Only include notes if present
+        result['notes'] = notes if notes && !notes.empty?
+
+        result
       end
 
-      # Find field by type or label
-      def get_field(type_or_label, custom_field = false)
-        field_array = custom_field ? custom : fields
-        field_array.find { |f| f['type'] == type_or_label || f['label'] == type_or_label }
+      # Find field by type or label (searches both fields and custom arrays)
+      def get_field(type_or_label)
+        # Search in fields first
+        field = fields.find { |f| f['type'] == type_or_label || f['label'] == type_or_label }
+        return field if field
+
+        # Search in custom fields
+        custom.find { |f| f['type'] == type_or_label || f['label'] == type_or_label }
       end
 
       # Get field value (always returns array)
-      def get_field_value(type_or_label, custom_field = false)
-        field = get_field(type_or_label, custom_field)
+      def get_field_value(type_or_label)
+        field = get_field(type_or_label)
         field ? field['value'] || [] : []
       end
 
       # Get single field value (first element)
-      def get_field_value_single(type_or_label, custom_field = false)
-        values = get_field_value(type_or_label, custom_field)
+      def get_field_value_single(type_or_label)
+        values = get_field_value(type_or_label)
         values.first
       end
 
       # Add or update field
-      def set_field(type, value, label = nil, custom_field = false)
-        field_array = custom_field ? @custom : @fields
-        
+      def set_field(type, value, label = nil)
         # Ensure value is an array
         value = [value] unless value.is_a?(Array)
-        
-        # Find existing field
-        existing = field_array.find { |f| f['type'] == type || (label && f['label'] == label) }
-        
+
+        # Find existing field in both arrays
+        existing = @fields.find { |f| f['type'] == type || (label && f['label'] == label) }
+        existing ||= @custom.find { |f| f['type'] == type || (label && f['label'] == label) }
+
         if existing
           existing['value'] = value
           existing['label'] = label if label
         else
           new_field = { 'type' => type, 'value' => value }
           new_field['label'] = label if label
-          field_array << new_field
+
+          # Decide which array to add to:
+          # - If it has a label, it's a custom field
+          # - If it's not a common field type, it's likely custom
+          if label || !common_field_types.include?(type)
+            @custom << new_field
+          else
+            @fields << new_field
+          end
         end
       end
 
       # Dynamic field access methods
       def method_missing(method, *args, &block)
         method_name = method.to_s
-        
+
         # Handle setters
         if method_name.end_with?('=')
           field_name = method_name.chomp('=')
@@ -120,18 +138,18 @@ module KeeperSecretsManager
 
       def normalize_field_array(fields)
         return [] unless fields.is_a?(Array)
-        
+
         fields.map do |field|
           next field if field.is_a?(Hash)
-          
+
           # Convert to hash if needed
           field.to_h
         end
       end
 
       def common_field_types
-        %w[login password url fileRef oneTimeCode name phone email address 
-           paymentCard bankAccount birthDate secureNote sshKey host 
+        %w[login password url fileRef oneTimeCode name phone email address
+           paymentCard bankAccount birthDate secureNote sshKey host
            databaseType script passkey]
       end
     end
@@ -218,4 +236,4 @@ module KeeperSecretsManager
       end
     end
   end
-end
+end

data/lib/keeper_secrets_manager/errors.rb

@@ -7,6 +7,7 @@ module KeeperSecretsManager
 
   # Authentication/authorization errors
   class AuthenticationError < Error; end
+
   class AccessDeniedError < AuthenticationError; end
 
   # API/network errors
@@ -22,7 +23,9 @@ module KeeperSecretsManager
 
   # Crypto errors
   class CryptoError < Error; end
+
   class DecryptionError < CryptoError; end
+
   class EncryptionError < CryptoError; end
 
   # Notation errors
@@ -30,7 +33,9 @@ module KeeperSecretsManager
 
   # Record errors
   class RecordError < Error; end
+
   class RecordNotFoundError < RecordError; end
+
   class RecordValidationError < RecordError; end
 
   # Server errors
@@ -46,13 +51,19 @@ module KeeperSecretsManager
 
   # Specific server error types
   class InvalidClientVersionError < ServerError; end
+
   class InvalidTokenError < ServerError; end
+
   class BadRequestError < ServerError; end
+
   class RecordUidNotFoundError < ServerError; end
+
   class FolderUidNotFoundError < ServerError; end
+
   class AccessViolationError < ServerError; end
+
   class ThrottledError < ServerError; end
-  
+
   # Error factory
   class ErrorFactory
     def self.from_server_response(result_code, message = nil)
@@ -76,4 +87,4 @@ module KeeperSecretsManager
       end
     end
   end
-end
+end

data/lib/keeper_secrets_manager/field_types.rb

@@ -9,7 +9,7 @@ module KeeperSecretsManager
         @label = label
         @required = required
         @privacy_screen = privacy_screen
-        
+
         # Ensure value is always an array
         @value = value.is_a?(Array) ? value : [value]
       end
@@ -103,7 +103,7 @@ module KeeperSecretsManager
                     when String
                       (Date.parse(date).to_time.to_f * 1000).to_i
                     else
-                      raise ArgumentError, "Invalid date format"
+                      raise ArgumentError, 'Invalid date format'
                     end
         Field.new(type: 'birthDate', value: timestamp, label: label)
       end
@@ -149,4 +149,4 @@ module KeeperSecretsManager
       end
     end
   end
-end
+end