keystok 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 9d3ce263f46ece47e3d9451f0c46b18df5064eb2
+  data.tar.gz: 2c9e6f747bc934a6cfbc4c3e24dc89426d512021
+SHA512:
+  metadata.gz: b553e40de08d9bc179121066bfd1d99b9952d9293283c1eedbcb9363a2e579a893a02f0926c242f1168db88a4b2d03f04e1fcea923ce489b9c34d76457540737
+  data.tar.gz: b7de1606a6be130ded57c50248b0f1f646c17cf69fc4a716cd91594d872d0ffdad7fa8da5321cfaa3ef8ec74d7bff9c44f7942bf4d1c8256950ccd61a7ddc3f7

data/.gitignore

@@ -0,0 +1,20 @@
+*.gem
+*.rbc
+.bundle
+.config
+.idea
+.yardoc
+_yardoc
+coverage
+doc/
+Gemfile.lock
+InstalledFiles
+keystok_cache.data
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+rspec.xml

data/.rspec

@@ -0,0 +1,4 @@
+--color
+--format Fuubar
+--format RspecJunitFormatter
+--out rspec.xml

data/.rubocop.yml

@@ -0,0 +1,4 @@
+MethodLength:
+  Max: 30
+ClassLength:
+  Max: 250

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/LICENSE.txt

@@ -0,0 +1 @@
+Copyright (c) 2014 GitDock Oy

data/README.md

@@ -0,0 +1,74 @@
+# Keystok
+
+![Build status](https://www.codeship.io/projects/65218fa0-9e09-0131-3f96-16b8a84518ac/status)
+
+## Installation
+
+    $ gem install keystok
+
+## Usage
+
+    require 'keystok'
+    require 'yaml' # Config is then easier
+    config = YAML.load_file('keystok.yml')
+    # or config can be just hash:
+    # config = { connection_string: 'das21312312_connection_string',
+    #            api_host: 'https://api_custom_domain.keystok.com'
+    #          }
+    keystok = Keystok::Client.new(config)
+    # get hash with all keys
+    keystok.keys
+    # get one key
+    keystok.get(key_id)
+
+### Rails integration
+
+Add keystok to Gemfile:
+
+    gem 'keystok'
+
+Keystok have generator that can create config, initializer and .gitignore entry for you
+
+    rails g keystok:install connection_string_value
+
+In Rails env Keystok will use Rails.logger. Without Rails it will default to logging to STDOUT.
+If you would like to define your own logger you can do it like:
+
+    Keystok.logger = your_logger
+
+## Config options description
+
+### api_host, auth_host
+
+Those values are not needed by default. It can be required if you are using separated Keystok servers
+
+### connection_string
+
+This value is visible in app page in Keystok service
+
+### eager_fetching
+
+When *true* client will fetch all keys from API even when one was requested. This will save time
+when another key will be requested, because client will not have to fetch it from API.
+However in some cases like huge amount of keys or when *volatile* is set,
+this option should be set to *false*. Default value is *true*
+
+### no_cache
+
+If you don't want to use cache functionality, you can disable cache writing by setting *no_cache* to *true* in config
+
+### tmp_dir
+
+This dir will be used to store encrypted cache which can be used when API can't be contacted
+
+### volatile
+
+Normally when asking about key that is in local store, SDK will not perform API request to provide quicker response.
+Request can be forced on per method call basis by second parameter set to *true* (default is *false*)
+
+    keystok.get('this_can_change_often', true)
+
+However if you want SDK to make request on every request without adding *true* to every *get* or *keys*,
+you can set *volatile* to *true* in config. This will force SDK to ask API on every request.
+Please note that this will may decrese performance of you app since it will require API request
+and cache writing on every *get* and *keys* call

data/Rakefile

@@ -0,0 +1,8 @@
+require 'bundler/gem_tasks'
+
+require 'rspec'
+require 'rspec/core/rake_task'
+
+desc 'Run all specs in spec directory'
+RSpec::Core::RakeTask.new(:spec) do |t|
+end

data/keystok.gemspec

@@ -0,0 +1,34 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'keystok/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'keystok'
+  spec.version       = Keystok::VERSION
+  spec.authors       = ['Piotr Sokolowski']
+  spec.email         = ['piotr@keystok.com']
+  spec.summary       = %q{Keystok API client}
+  spec.description   = <<-EOS
+Ruby client for Keystok service. https://keystok.com
+EOS
+  spec.homepage      = 'https://keystok.com'
+  spec.license       = 'GitDock Oy'
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'faraday'
+  spec.add_dependency 'oauth2'
+
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'fuubar'
+  spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'rails', '>= 3.0'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rspec_junit_formatter'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'webmock'
+end

data/lib/generators/keystok/install_generator.rb

@@ -0,0 +1,25 @@
+# encoding: utf-8
+# This file is distributed under GitDock Oy license terms.
+# See https://bitbucket.org/keystok/keystok-client-ruby/raw/master/LICENSE.txt
+# for details.
+
+module Keystok
+  module Generators
+    # Generator that creates config file and initializer
+    # It also add config file to .gitignore
+    class InstallGenerator < Rails::Generators::Base
+      argument :connection_string,
+               type: :string,
+               banner: 'connection_string'
+
+      source_root File.expand_path('../templates', __FILE__)
+
+      desc 'Create initializer'
+
+      def create_initializer_and_config_file
+        template 'keystok.yml.erb', 'config/keystok.yml'
+        template 'keystok.rb',      'config/initializers/keystok.rb'
+      end
+    end
+  end
+end

data/lib/generators/keystok/templates/keystok.rb

@@ -0,0 +1,6 @@
+config_filepath = File.expand_path('../../keystok.yml', __FILE__)
+config_data = YAML.load_file(config_filepath)[Rails.env.to_sym]
+if config_data.nil?
+  fail "Config file error in #{Rails.env} (#{config_filepath})"
+end
+KEYSTOK = Keystok::Client.new(config_data)

data/lib/generators/keystok/templates/keystok.yml.erb

@@ -0,0 +1,10 @@
+---
+:production:
+  :connection_string: <%= connection_string %>
+  :tmp_dir: 'tmp'
+:development:
+  :connection_string: <%= connection_string %>
+  :tmp_dir: 'tmp'
+:test:
+  :connection_string: <%= connection_string %>
+  :tmp_dir: 'tmp'

data/lib/keystok/aes_crypto.rb

@@ -0,0 +1,49 @@
+# encoding: utf-8
+# This file is distributed under GitDock Oy license terms.
+# See https://bitbucket.org/keystok/keystok-client-ruby/raw/master/LICENSE.txt
+# for details.
+
+require 'base64'
+require 'json'
+require 'openssl'
+
+module Keystok
+  # Module handling data encryption and decryption
+  # It also handles raw data from API unpacking
+  module AESCrypto
+    PREFIX = ':aes256:'
+
+    def cipher(plain_text, key, iv, key_size = 256, block_mode = :CBC)
+      cipher = OpenSSL::Cipher::AES.new(key_size, block_mode)
+      cipher.encrypt
+      cipher.key = key
+      cipher.iv = iv
+      cipher.update(plain_text) + cipher.final
+    end
+
+    def decipher(encrypted, key, iv, key_size = 256, block_mode = :CBC)
+      decipher = OpenSSL::Cipher::AES.new(key_size, block_mode)
+      decipher.decrypt
+      decipher.key = key
+      decipher.iv = iv
+      decipher.update(encrypted) + decipher.final
+    end
+
+    def decrypt_key(encrypted_key, config = nil)
+      config ||= @config || {}
+      fail Error::ConfigError, 'No decryption key in config' unless config[:dk]
+      unless encrypted_key.start_with?(PREFIX)
+        fail Error::UnsupportedDataFormat, 'Wrong encryption algorithm'
+      end
+      encrypted_data = Base64.decode64(encrypted_key.sub(/^:[^:]+:/, ''))
+      json_data = JSON.parse(encrypted_data)
+      key = OpenSSL::PKCS5.pbkdf2_hmac(config[:dk],
+                                       Base64.decode64(json_data['salt']),
+                                       json_data['iter'],
+                                       json_data['ks'] / 8,
+                                       OpenSSL::Digest::SHA1.new)
+      decipher(Base64.decode64(json_data['ct']), key,
+               Base64.decode64(json_data['iv']), json_data['ks'])
+    end
+  end
+end

data/lib/keystok/cache.rb

@@ -0,0 +1,40 @@
+# encoding: utf-8
+# This file is distributed under GitDock Oy license terms.
+# See https://bitbucket.org/keystok/keystok-client-ruby/raw/master/LICENSE.txt
+# for details.
+
+module Keystok
+  # Module for handling cache write and read operations
+  module Cache
+    def cache_file_path(tmp_dir = nil)
+      tmp_dir ||= (@config && @config[:tmp_dir]) ? @config[:tmp_dir] : '.'
+      @cache_file_path ||= File.join(tmp_dir, 'keystok_cache.data')
+    end
+
+    def cache_file_exists?
+      File.exists?(cache_file_path)
+    end
+
+    def cache_stream(method = :read)
+      case method
+      when :write
+        mode = 'wb'
+      else
+        mode = 'r'
+      end
+      File.open(cache_file_path, mode)
+    end
+
+    def load_cache(iostream = nil)
+      Keystok.logger.warn('Loading data from cache')
+      iostream ||= cache_stream
+      iostream.read
+    end
+
+    def write_cache(cache_data, iostream = nil)
+      iostream ||= cache_stream(:write)
+      iostream.write(cache_data)
+      iostream.flush
+    end
+  end
+end

data/lib/keystok/client.rb

@@ -0,0 +1,198 @@
+# encoding: utf-8
+# This file is distributed under GitDock Oy license terms.
+# See https://bitbucket.org/keystok/keystok-client-ruby/raw/master/LICENSE.txt
+# for details.
+
+require 'faraday'
+require 'json'
+require 'oauth2'
+
+require 'keystok/aes_crypto'
+require 'keystok/cache'
+
+module Keystok
+  # Keystok client class
+  class Client
+    include AESCrypto
+    include Cache
+
+    API_HOST = 'https://api.keystok.com'
+    AUTH_HOST = 'https://keystok.com'
+    DEFAULT_CONFIG = { eager_fetching: true }
+    REQUEST_TRY_COUNT = 3
+
+    def initialize(config = {})
+      @config = DEFAULT_CONFIG.merge(keys_to_symbols(decode_config(config)))
+      @keys_store = {}
+    end
+
+    def access_token
+      @access_token ||= begin
+        fail Error::ConfigError, 'SDK not configured' if @config[:rt].nil?
+        refresh_token = OAuth2::AccessToken.new(oauth_client, nil,
+                                                refresh_token:
+                                                  @config[:rt])
+        access_token = nil
+        REQUEST_TRY_COUNT.times do |try_count|
+          begin
+            access_token = refresh_token.refresh!
+            break
+          rescue Faraday::Error::ClientError => exception
+            Keystok.logger.warn(
+              "Exception during token refresh: #{exception.message}")
+            raise if try_count == (REQUEST_TRY_COUNT - 1)
+          end
+        end
+        access_token
+      end
+    end
+
+    def configured?
+      check_config
+      true
+    rescue Error::ConfigError
+      false
+    end
+
+    def get(key_name_or_symbol, force_reload = false)
+      key_name = key_name_or_symbol.to_s
+      if force_reload || @config[:volatile] || @keys_store[key_name].nil?
+        load_keys(key_name_or_symbol)
+      end
+      @keys_store[key_name]
+    end
+
+    def keys(force_reload = false)
+      load_keys if force_reload || @config[:volatile] || @keys_store.empty?
+      @keys_store
+    end
+
+    private
+
+    def check_config
+      %w(rt dk id).map(&:to_sym).each do |key|
+        if @config[key].nil?
+          fail Error::ConfigError, "Config key: #{key} is missing!"
+        end
+      end
+    end
+
+    def connection
+      @connection ||= Faraday.new(url: @config[:api_host] || API_HOST,
+                                  ssl: { verify: true })
+    end
+
+    def decode_config(connection_string)
+      config_hash = connection_string
+      case
+      when connection_string.kind_of?(Hash)
+      when connection_string.kind_of?(String)
+        config_hash = decode_string_config(connection_string)
+      else
+        fail Error::ConfigError, 'Unknown config format'
+      end
+      if config_hash[:connection_string]
+        decoded_hash = decode_string_config(config_hash[:connection_string])
+        config_hash.delete(:connection_string)
+        config_hash = decoded_hash.merge(config_hash)
+      end
+      config_hash
+    end
+
+    def decode_json_string_config(connection_string)
+      parsed_config = nil
+      begin
+        parsed_config = JSON.parse(connection_string)
+      # rubocop:disable HandleExceptions
+      rescue JSON::ParserError
+      # rubocop:enable HandleExceptions
+        # Whatever may fail, we don't want to raise it.
+      end
+      parsed_config
+    end
+
+    def decode_string_config(connection_string)
+      return {} if connection_string == ''
+      parsed_config = decode_json_string_config(connection_string)
+      unless parsed_config
+        decoded_string = Base64.decode64(connection_string)
+        parsed_config = decode_json_string_config(decoded_string)
+      end
+      fail Error::ConfigError, 'Unknown config format' unless parsed_config
+      parsed_config
+    end
+
+    def fetch_data(key = nil)
+      response = nil
+      if key.nil? || @config[:eager_fetching]
+        key_path_part = ''
+      else
+        key_path_part = "/#{key}"
+      end
+      REQUEST_TRY_COUNT.times do |try_count|
+        begin
+          response = connection.get do |request|
+            request.url ['/apps/', @config[:id],
+                         '/deploy', key_path_part,
+                         '?access_token=', access_token.token].join
+            request.options[:open_timeout] = 5
+            request.options[:timeout] = 5
+          end
+          if response.status == 200
+            break
+          else
+            Keystok.logger.warn(
+              "Keystok API response status: #{response.status}")
+            @access_token = nil
+          end
+        rescue Faraday::Error::ClientError => exception
+          Keystok.logger.warn(
+            "Exception during Keystok API data fetch: #{exception.message}")
+          raise if try_count == (REQUEST_TRY_COUNT - 1)
+        end
+      end
+      response
+    end
+
+    def keys_to_symbols(input_hash)
+      Hash[input_hash.map do |key, val|
+        [key.kind_of?(String) ? key.to_s.to_sym : key, val]
+      end]
+    end
+
+    def load_keys(key = nil)
+      begin
+        response = fetch_data(key)
+        if response.status == 200
+          response_data = response.body
+        elsif cache_file_exists?
+          response_data = load_cache
+        else
+          fail Keystok::Error::ConnectionError,
+               "No cache data and response code:\n" +
+                 "#{response.status} with body: #{response.body}"
+        end
+      rescue Faraday::Error::ClientError => exception
+        if cache_file_exists?
+          response_data = load_cache
+        else
+          raise Keystok::Error::ConnectionError,
+                "No cache data and connection error:\n" +
+                  "#{exception.class} with message: #{exception.message}"
+        end
+      end
+      @keys_store = {}
+      JSON.parse(response_data).each do |key_id, key_info|
+        @keys_store[key_id] = decrypt_key(key_info['key'])
+      end
+      write_cache(response_data) unless @config[:no_cache]
+      @keys_store
+    end
+
+    def oauth_client
+      @oauth_client ||= begin
+        OAuth2::Client.new(nil, nil, site: @config[:auth_host] || AUTH_HOST)
+      end
+    end
+  end
+end

data/lib/keystok/errors.rb

@@ -0,0 +1,20 @@
+# encoding: utf-8
+# This file is distributed under GitDock Oy license terms.
+# See https://bitbucket.org/keystok/keystok-client-ruby/raw/master/LICENSE.txt
+# for details.
+
+module Keystok
+  module Error
+    class CacheCorrupted < StandardError
+    end
+
+    class ConfigError < StandardError
+    end
+
+    class ConnectionError < StandardError
+    end
+
+    class UnsupportedDataFormat < StandardError
+    end
+  end
+end

data/lib/keystok/railtie.rb

@@ -0,0 +1,13 @@
+# encoding: utf-8
+# This file is distributed under GitDock Oy license terms.
+# See https://bitbucket.org/keystok/keystok-client-ruby/raw/master/LICENSE.txt
+# for details.
+
+module Keystok
+  # Class used to integrate with Rails
+  class Railtie < Rails::Railtie
+    initializer 'keystok.configure_rails_initialization' do
+      Keystok.logger = Rails.logger
+    end
+  end
+end

data/lib/keystok/version.rb

@@ -0,0 +1,9 @@
+# encoding: utf-8
+# This file is distributed under GitDock Oy license terms.
+# See https://bitbucket.org/keystok/keystok-client-ruby/raw/master/LICENSE.txt
+# for details.
+
+#:nodoc:
+module Keystok
+  VERSION = '1.0.0'
+end

data/lib/keystok.rb

@@ -0,0 +1,26 @@
+# encoding: utf-8
+# This file is distributed under GitDock Oy license terms.
+# See https://bitbucket.org/keystok/keystok-client-ruby/raw/master/LICENSE.txt
+# for details.
+
+require 'faraday'
+require 'json'
+require 'logger'
+require 'yaml'
+
+require 'keystok/version'
+require 'keystok/errors'
+require 'keystok/client'
+
+#:nodoc:
+module Keystok
+  class << self
+    attr_accessor :logger
+  end
+end
+
+if defined? Rails::Railtie
+  require 'keystok/railtie'
+else
+  Keystok.logger = Logger.new(STDOUT)
+end

data/spec/fixtures/encrypted_data_00.data

@@ -0,0 +1 @@
+:aes256:eyJpdiI6IkwyRGEzVFg5bnczMWswNVc0RnBpaFE9PSIsInYiOjEsIml0ZXIiOjEwMDAsImtzIjoyNTYsInRzIjo2NCwibW9kZSI6ImNiYyIsImFkYXRhIjoiIiwiY2lwaGVyIjoiYWVzIiwic2FsdCI6ImM0czhpZ3FIOFA0PSIsImN0IjoiZ0FWYVNNaDZINFIzdnl6TnNoelJ1Zz09In0=

data/spec/fixtures/response_data_00.data

@@ -0,0 +1,8 @@
+{
+    "key_1": {
+        "key": ":aes256:eyJpdiI6IkwyRGEzVFg5bnczMWswNVc0RnBpaFE9PSIsInYiOjEsIml0ZXIiOjEwMDAsImtzIjoyNTYsInRzIjo2NCwibW9kZSI6ImNiYyIsImFkYXRhIjoiIiwiY2lwaGVyIjoiYWVzIiwic2FsdCI6ImM0czhpZ3FIOFA0PSIsImN0IjoiZ0FWYVNNaDZINFIzdnl6TnNoelJ1Zz09In0="
+    },
+    "key_2": {
+        "key": ":aes256:eyJpdiI6Ijd0N1ArNGhEV2cwL2pZeVBqdTBQV3c9PSIsInYiOjEsIml0ZXIiOjEwMDAsImtzIjoyNTYsInRzIjo2NCwibW9kZSI6ImNiYyIsImFkYXRhIjoiIiwiY2lwaGVyIjoiYWVzIiwic2FsdCI6ImM0czhpZ3FIOFA0PSIsImN0IjoiL1h2ZXF4dlIwOU1kSmc4UGd3eHJoZz09In0="
+    }
+}

data/spec/functional/aes_crypto_spec.rb

@@ -0,0 +1,90 @@
+# encoding: utf-8
+# This file is distributed under GitDock Oy license terms.
+# See https://bitbucket.org/keystok/keystok-client-ruby/raw/master/LICENSE.txt
+# for details.
+
+require 'spec_helper'
+
+describe Keystok::AESCrypto do
+  let(:dummy_class) { Class.new { include Keystok::AESCrypto } }
+  let(:dummy) { dummy_class.new }
+
+  describe 'cipher' do
+    it 'works without any errors' do
+      dummy.cipher('plain text', 'key_' * 10, 'vector_' * 10, 256, :CBC)
+    end
+
+    it 'works without passing key_size and block_mode' do
+      dummy.cipher('plain text', 'key_' * 10, 'vector_' * 10)
+    end
+
+    it 'is passing OpenSSL exceptions' do
+      expect do
+        dummy.cipher('plain text', 'a', 'vector_' * 10)
+      end.to raise_error(OpenSSL::Cipher::CipherError)
+    end
+  end
+
+  describe 'decipher' do
+    let(:encrypted) { "A.\xFC\xDDW=\xB7\xCF\x02\x88\xE3:sA\x90S" }
+
+    it 'works without any errors' do
+      dummy.decipher(encrypted, 'key_' * 10, 'vector_' * 10, 256, :CBC)
+    end
+
+    it 'works without passing key_size and block_mode' do
+      dummy.decipher(encrypted, 'key_' * 10, 'vector_' * 10)
+    end
+
+    it 'is passing OpenSSL exceptions' do
+      expect do
+        dummy.decipher('encrypted', 'a', 'vector_' * 10)
+      end.to raise_error(OpenSSL::Cipher::CipherError, 'key length too short')
+    end
+  end
+
+  describe 'sanity check' do
+    it 'decryption of encrypted data returns proper value' do
+      plain_text = 'plain text'
+      encrypted = dummy.cipher(plain_text, 'key_' * 10, 'vector_' * 10)
+      decrypted_text = dummy.decipher(encrypted, 'key_' * 10, 'vector_' * 10)
+      expect(decrypted_text).to eq(plain_text)
+    end
+  end
+
+  describe 'decrypt_key' do
+    let(:encrypted_data) do
+      File.open(File.expand_path('../../fixtures/encrypted_data_00.data',
+                                 __FILE__)).read
+    end
+    let(:config) do
+      { dk:
+          '965391f2bba37b4586431b8690d7044d5cdc73adf7dda539f8dd3a60cb3e9b12' }
+    end
+
+    it 'properly decrypts data' do
+      expect(dummy.decrypt_key(encrypted_data, config)).to eq('Value 1')
+    end
+
+    it "raise UnsupportedDataFormat when data prefix is no ':aes256'" do
+      expect do
+        dummy.decrypt_key(encrypted_data.sub(':aes256:', ':cesar:'), config)
+      end.to raise_error(Keystok::Error::UnsupportedDataFormat,
+                         'Wrong encryption algorithm')
+    end
+
+    it 'raise ConfigError when no decryption key is provided' do
+      expect do
+        dummy.decrypt_key(encrypted_data, {})
+      end.to raise_error(Keystok::Error::ConfigError,
+                         'No decryption key in config')
+    end
+
+    it 'is passing OpenSSL exceptions' do
+      expect do
+        dummy.decrypt_key(encrypted_data, dk: 'a')
+      end.to raise_error(OpenSSL::Cipher::CipherError,
+                         'bad decrypt')
+    end
+  end
+end