kms-tools 0.0.1

data/lib/kms-tools/version.rb

@@ -0,0 +1,3 @@
+module KmsTools
+  VERSION = "0.0.1"
+end

data/spec/kms-tools/aws_mocks.rb

@@ -0,0 +1,37 @@
+RSpec.shared_context "aws mocks" do
+  before do
+    mock_kms = Aws::KMS::Client.new(stub_responses: true)
+
+    mock_kms.stub_responses(:list_aliases,
+                              aliases:[
+                                {alias_name: "alias/aws/ec2"},
+                                {alias_name: "alias/aws/rds"},
+                                {alias_name: "alias/test/test1"},
+                                {alias_name: "alias/test/test2"}
+                              ])
+
+    mock_kms.stub_responses(:describe_key,
+                              key_metadata:{
+                                aws_account_id: "123456789012",
+                                key_id: "12345678-1234-1234-1234-123456789012",
+                                arn: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
+                              })
+
+    mock_kms.stub_responses(:encrypt,
+                            {ciphertext_blob: KmsTools::TestData.encrypted_string,
+                             key_id: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+                            })
+
+    mock_kms.stub_responses(:decrypt,
+                            {plaintext: "some super secret test data for testing",
+                             key_id: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+                            })
+
+    mock_kms.stub_responses(:generate_data_key,
+                            {ciphertext_blob: '\n \xF5\xA5\xB4\x96\x98?{=y\x92\"-\xE1~\x13\x9EA\xF6*\x8C\x94\xE5\t',
+                             key_id: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+                            })
+
+    allow(Aws::KMS::Client).to receive(:new).and_return(mock_kms)
+  end
+end

data/spec/kms-tools/base_spec.rb

@@ -0,0 +1,83 @@
+require "spec_helper"
+require "kms-tools"
+require "kms-tools/test_data"
+
+module KmsTools
+  describe "With mocked AWS response" do
+    include_context "aws mocks"
+
+    describe Base do
+      subject(:base_without_params) { Base.new }
+      subject(:base_with_params) { Base.new({:region => 'us-west-1', :master_key => "alias/test/test1", :profile => 'test'}) }
+      context "#available_aliases" do
+        it "should return all custom key aliases" do
+          expect(base_without_params.available_aliases).to include("alias/test/test1", "alias/test/test2")
+        end
+        it "should filter out built-in AWS key aliases" do
+          expect(base_without_params.available_aliases).not_to include("alias/aws/ec2", "alias/aws/rds")
+        end
+      end
+
+      context " #use_key_alias=" do
+        it "should not allow assignment of a key that's not available" do
+          expect{ base_without_params.use_key_alias = "alias/not/allowed" }.to raise_error(RuntimeError, "Requested key alias not available with current credentials!")
+        end
+        it "should set the master_key for the object when a valid alias is provided" do
+          base_without_params.use_key_alias = "alias/test/test1"
+          expect(base_without_params.master_key).to eql("alias/test/test1")
+        end
+      end
+
+      context "#master_key" do
+        it "should return nil when no key has been set" do
+          expect(base_without_params.master_key).to eql(nil)
+        end
+        it "should return the current key after being explicitly set" do
+          base_without_params.use_key_alias = "alias/test/test1"
+          expect(base_without_params.master_key).to eql("alias/test/test1")
+        end
+        it "should return the current key without being set if present at initialize" do
+          expect(base_with_params.master_key).to eql("alias/test/test1")
+        end
+      end
+
+      context "#master_key_arn" do
+        it "should return nil when no key has been set" do
+          expect(base_without_params.master_key_arn).to eql(nil)
+        end
+        it "should return the ARN of the current master_key after master key is explicitly set" do
+          base_without_params.use_key_alias = "alias/test/test1"
+          expect(base_without_params.master_key_arn).to eql("arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012")
+        end
+        it "should return the ARN of the current master_key without master_key being set if present at initialize" do
+          expect(base_with_params.master_key_arn).to eql("arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012")
+        end
+      end
+
+      context "#master_key_id" do
+        it "should return nil when no key has been set" do
+          expect(base_without_params.master_key_id).to eql(nil)
+        end
+        it "should return the ID of the current master_key when a master key is set" do
+          base_without_params.use_key_alias = "alias/test/test1"
+          expect(base_without_params.master_key_id).to eql("12345678-1234-1234-1234-123456789012")
+        end
+        it "should return the ID of the current master_key without master_key being set if present at initialize" do
+          expect(base_with_params.master_key_id).to eql("12345678-1234-1234-1234-123456789012")
+        end
+      end
+
+      context "#region" do
+        it "should return the default region when no other region is set" do
+          expect(base_without_params.region).to eq(KmsTools::Base::DEFAULT_REGION)
+        end
+        it "should return the region set in the options if present at initialize" do
+          expect(base_with_params.region).to eq('us-west-1')
+        end
+      end
+
+    end
+  end
+end
+
+

data/spec/kms-tools/decrypter_spec.rb

@@ -0,0 +1,95 @@
+require "spec_helper"
+require "kms-tools"
+require "kms-tools/test_data"
+
+module KmsTools
+  describe "With mocked AWS response" do
+    include_context "aws mocks"
+
+    describe Decrypter do
+      subject(:dec) { Decrypter.new }
+      context "#decrypt_string" do
+        it "should return an plaintext string when called with a base64 encoded string" do
+          expect(dec.decrypt_string("base64encodedciphertext")).to eql("some super secret test data for testing")
+        end
+        it "should fail when called with a non-string" do
+          expect{ dec.decrypt_string(Object.new) }.to raise_error(NoMethodError)
+          expect{ dec.decrypt_string([1,2,3]) }.to raise_error(NoMethodError)
+          expect{ dec.decrypt_string(something: "wrong", something_else: "wrong") }.to raise_error(NoMethodError)
+        end
+      end
+
+      context "#decrypt_with_data_key" do
+        it "should properly decrypt data when all required params are present" do
+          decrypted_test = dec.decrypt_with_data_key({
+                 cipher: KmsTools::EncryptedFile::DEFAULT_CIPHER,
+                 encrypted_key: "Encrypted Key",
+                 encrypted_iv: "Encrypted IV",
+                 encrypted_data: KmsTools::TestData.encrypted_local_data,
+                 checksum: "0028efdfd0b942ab64bb0ab40d49ec62c6a0d83f"
+             })
+          expect(decrypted_test).to eql(KmsTools::TestData.plaintext_local_data)
+        end
+        it "should fail to decrypt when checksum verification fails" do
+          expect{ dec.decrypt_with_data_key({
+                  cipher: KmsTools::EncryptedFile::DEFAULT_CIPHER,
+                  encrypted_key: "Encrypted Key",
+                  encrypted_iv: "Encrypted IV",
+                  encrypted_data: KmsTools::TestData.encrypted_local_data,
+                  checksum: "badchecksum"
+             }) }.to raise_error(RuntimeError, "File integrity check failed!")
+        end
+      end
+
+      context "#stream_encrypt_with_data_key" do
+        before do
+          require 'stringio'
+          allow(File).to receive(:open).with('some/in/file', 'rb').and_return(StringIO.new KmsTools::TestData.encrypted_local_data, "r")
+          allow(File).to receive(:open).with('some/padded/in/file', 'rb').and_return(StringIO.new "0000" + KmsTools::TestData.encrypted_local_data, "r")
+          allow(File).to receive(:open).with('some/out/file', 'wb+').and_return(StringIO.new)
+        end
+        it "should properly decrypt streaming data when all required params are present" do
+          infile = File.open('some/in/file', 'rb')
+          outfile = File.open('some/out/file', 'wb+')
+          dec.stream_decrypt_with_data_key({
+                 in: infile,
+                 out: outfile,
+                 cipher: KmsTools::EncryptedFile::DEFAULT_CIPHER,
+                 encrypted_key: "Encrypted Key",
+                 encrypted_iv: "Encrypted IV",
+                 checksum: "0028efdfd0b942ab64bb0ab40d49ec62c6a0d83f"
+             })
+          expect(outfile.string).to eql(KmsTools::TestData.plaintext_local_data)
+        end
+        it "should fail to decrypt when checksum verification fails" do
+          infile = File.open('some/in/file', 'rb')
+          outfile = File.open('some/out/file', 'wb+')
+          expect{ dec.stream_decrypt_with_data_key({in: infile,
+                 out: outfile,
+                 cipher: KmsTools::EncryptedFile::DEFAULT_CIPHER,
+                 encrypted_key: "Encrypted Key",
+                 encrypted_iv: "Encrypted IV",
+                 checksum: "badchecksum"
+             }) }.to raise_error(RuntimeError, "Decrypted data stream failed checksum verification!")
+        end
+        it "should properly decrypt streaming data when given a padded stream and a seek position is provided" do
+           infile = File.open('some/padded/in/file', 'rb')
+          outfile = File.open('some/out/file', 'wb+')
+          dec.stream_decrypt_with_data_key({
+                 in: infile,
+                 out: outfile,
+                 position: 4,
+                 cipher: KmsTools::EncryptedFile::DEFAULT_CIPHER,
+                 encrypted_key: "Encrypted Key",
+                 encrypted_iv: "Encrypted IV",
+                 checksum: "0028efdfd0b942ab64bb0ab40d49ec62c6a0d83f"
+             })
+          expect(outfile.string).to eql(KmsTools::TestData.plaintext_local_data)
+        end
+      end
+
+    end
+  end
+end
+
+

data/spec/kms-tools/encrypted_file_spec.rb

@@ -0,0 +1,14 @@
+require "spec_helper"
+require "kms-tools"
+
+module KmsTools
+  describe "With mocked AWS response" do
+    include_context "aws mocks"
+
+    before do
+
+    end
+
+  end
+end
+

data/spec/kms-tools/encrypter_spec.rb

@@ -0,0 +1,91 @@
+require "spec_helper"
+require "kms-tools"
+require "kms-tools/test_data"
+
+module KmsTools
+  describe "With mocked AWS response" do
+    include_context "aws mocks"
+
+    describe Encrypter do
+      subject(:enc) { Encrypter.new }
+      context "#encrypt_string" do
+        it "should fail if called before a key has been set" do
+          expect{ enc.encrypt_string("something") }.to raise_error(ArgumentError)
+        end
+        it "should return a base64 encoded encrypted string when called after a key has been set" do
+          enc.use_key_alias = "alias/test/test1"
+          expect(enc.encrypt_string("some test data")).to eql(Base64.strict_encode64(KmsTools::TestData.encrypted_string))
+        end
+      end
+
+      context "#kms_encrypt" do
+        it "should fail if called before a key has been set" do
+          expect{ enc.kms_encrypt("something") }.to raise_error(ArgumentError)
+        end
+        it "should return an Aws::KMS::Types::EncryptResponse when called after a key has been set" do
+          enc.use_key_alias = "alias/test/test1"
+          expect(enc.kms_encrypt("something").ciphertext_blob).to be_a(String)
+          expect(enc.kms_encrypt("something").key_id).to be_a(String)
+        end
+      end
+
+      context "#encrypt_with_data_key" do
+        it "should properly encrypt data when all required params are present" do
+           encrypted_test = enc.encrypt_with_data_key({
+                 :cipher => KmsTools::EncryptedFile::DEFAULT_CIPHER,
+                 :encrypted_key => "Encrypted Key",
+                 :encrypted_iv => "Encrypted IV",
+                 :data => KmsTools::TestData.plaintext_local_data
+             })
+           expect(encrypted_test).to eql(KmsTools::TestData.encrypted_local_data)
+        end
+      end
+
+      context "#stream_encrypt_with_data_key" do
+        before do
+          require 'stringio'
+          allow(File).to receive(:open).with('some/in/file', 'rb').and_return(StringIO.new KmsTools::TestData.plaintext_local_data, "r")
+          allow(File).to receive(:open).with('some/out/file', 'wb+').and_return(StringIO.new)
+        end
+        it "should properly encrypt streaming data when all required params are present" do
+          infile = File.open('some/in/file', 'rb')
+          outfile = File.open('some/out/file', 'wb+')
+          enc.stream_encrypt_with_data_key({
+                 :in => infile,
+                 :out => outfile,
+                 :cipher => KmsTools::EncryptedFile::DEFAULT_CIPHER,
+                 :encrypted_key => "Encrypted Key",
+                 :encrypted_iv => "Encrypted IV",
+             })
+          # The raw binary can actually be different for this and still be valid so we have to compare Base64, sigh
+          expect(Base64.strict_encode64(outfile.string)).to eql(Base64.strict_encode64(KmsTools::TestData.encrypted_local_data))
+        end
+      end
+
+      context "#new_key" do
+        it "should fail if called before a key has been set" do
+          expect{ enc.new_key }.to raise_error(ArgumentError)
+        end
+        it "should return an Aws::KMS::Types::GenerateDataKeyResponse when called after a key has been set" do
+          enc.use_key_alias = "alias/test/test1"
+          expect(enc.new_key.ciphertext_blob).to be_a(String)
+          expect(enc.new_key.key_id).to be_a(String)
+        end
+      end
+
+      context "#new_encrypted_key" do
+        it "should fail if called before a key has been set" do
+          expect{ enc.new_encrypted_key }.to raise_error(ArgumentError)
+        end
+        it "should return a base64 encoded encrypted data key string" do
+          enc.use_key_alias = "alias/test/test1"
+          expect(enc.new_encrypted_key).to be_a(String)
+        end
+
+      end
+
+    end
+  end
+end
+
+

data/spec/kms-tools/test_data.rb

@@ -0,0 +1,11 @@
+require 'base64'
+require 'ostruct'
+
+module KmsTools
+  TestData = OpenStruct.new(
+    :plaintext_string => "some super secret test data for testing",
+    :encrypted_string => Base64.decode64("CiD1pbSWmD97PXmSIi3hfhOeQfYqjJTlCY0K73RygjvymxKVAQEBAgB49aW0lpg/ez15kiIt4X4TnkH2KoyU5QmNCu90coI78psAAABsMGoGCSqGSIb3DQEHBqBdMFsCAQAwVgYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAzCOoe4Fw9k62RTPfUCARCAKczfxQvZLoSYcTLgubrWTc9JPXy972PusseX0D1G1apF4HH1fWeRDhwW"),
+    :plaintext_local_data => "some super secret test data to locally encrypt",
+    :encrypted_local_data => Base64.decode64("9nqpUQ63ALqOOAD8/HdVhg5z0dT+m4fDkEu93LDk3G5Vzuc73FVxtvZulxkQuENJ"),
+  )
+end

data/spec/spec_helper.rb

@@ -0,0 +1,26 @@
+RSpec.configure do |config|
+  config.expect_with :rspec do |expectations|
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  config.mock_with :rspec do |mocks|
+    mocks.verify_partial_doubles = true
+  end
+
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+  config.example_status_persistence_file_path = "spec/examples.txt"
+  config.disable_monkey_patching!
+  #config.profile_examples = 10
+  config.order = :random
+  Kernel.srand config.seed
+  config.expose_dsl_globally = true
+  if config.files_to_run.one?
+    config.default_formatter = 'doc'
+  end
+
+  #load mocked AWS responses since this whole gem relies on AWS
+  require File.dirname(__FILE__) + '/kms-tools/aws_mocks.rb'
+
+end
+

metadata

@@ -0,0 +1,202 @@
+--- !ruby/object:Gem::Specification
+name: kms-tools
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Matt Krieger
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-05-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: highline
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: hashdiff
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-expectations
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-mocks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: gli
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.13.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.13.4
+description: 
+email: matt.krieger@sportngin.com
+executables:
+- kms-tools
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".octopolo.yml"
+- ".soyuz.yml"
+- ".travis.yml"
+- CHANGELOG.markdown
+- Gemfile
+- README.md
+- Rakefile
+- bin/kms-tools
+- kms-tools.gemspec
+- lib/kms-cli.rb
+- lib/kms-tools.rb
+- lib/kms-tools/base.rb
+- lib/kms-tools/cli/commands/decrypt.rb
+- lib/kms-tools/cli/commands/encrypt.rb
+- lib/kms-tools/cli/commands/list_aliases.rb
+- lib/kms-tools/cli/decrypt.rb
+- lib/kms-tools/cli/encrypt.rb
+- lib/kms-tools/cli/helpers.rb
+- lib/kms-tools/cli/output.rb
+- lib/kms-tools/decrypter.rb
+- lib/kms-tools/encrypted_file.rb
+- lib/kms-tools/encrypter.rb
+- lib/kms-tools/version.rb
+- spec/kms-tools/aws_mocks.rb
+- spec/kms-tools/base_spec.rb
+- spec/kms-tools/decrypter_spec.rb
+- spec/kms-tools/encrypted_file_spec.rb
+- spec/kms-tools/encrypter_spec.rb
+- spec/kms-tools/test_data.rb
+- spec/spec_helper.rb
+homepage: http://www.sportngin.com
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: CLI for encrypting and decrypting data using Amazon KMS
+test_files: []
+has_rdoc: yard