kms_encrypted 0.3.0 → 1.0.0

data/lib/kms_encrypted/model.rb

@@ -1,9 +1,11 @@
 module KmsEncrypted
   module Model
-    def has_kms_key(legacy_key_id = nil, name: nil, key_id: nil)
-      key_id ||= legacy_key_id || ENV["KMS_KEY_ID"]
+    def has_kms_key(name: nil, key_id: nil, eager_encrypt: false, version: 1, previous_versions: nil, upgrade_context: false)
+      key_id ||= ENV["KMS_KEY_ID"]
 
       key_method = name ? "kms_key_#{name}" : "kms_key"
+      key_column = "encrypted_#{key_method}"
+      context_method = name ? "kms_encryption_context_#{name}" : "kms_encryption_context"
 
       class_eval do
         class << self
@@ -11,143 +13,89 @@ module KmsEncrypted
             @kms_keys ||= {}
           end unless respond_to?(:kms_keys)
         end
-        kms_keys[key_method.to_sym] = {key_id: key_id}
-
-        # same pattern as attr_encrypted reload
-        if method_defined?(:reload) && kms_keys.size == 1
-          alias_method :reload_without_kms_encrypted, :reload
-          def reload(*args, &block)
-            result = reload_without_kms_encrypted(*args, &block)
-            self.class.kms_keys.keys.each do |key_method|
-              instance_variable_set("@#{key_method}", nil)
+        kms_keys[key_method.to_sym] = {
+          key_id: key_id,
+          name: name,
+          version: version,
+          previous_versions: previous_versions,
+          upgrade_context: upgrade_context
+        }
+
+        if kms_keys.size == 1
+          after_save :encrypt_kms_keys
+
+          # fetch all keys together so only need to update database once
+          def encrypt_kms_keys
+            updates = {}
+            self.class.kms_keys.each do |key_method, key|
+              instance_var = "@#{key_method}"
+              key_column = "encrypted_#{key_method}"
+              plaintext_key = instance_variable_get(instance_var)
+
+              if !send(key_column) && plaintext_key
+                updates[key_column] = KmsEncrypted::Database.new(self, key_method).encrypt(plaintext_key)
+              end
+            end
+            if updates.any?
+              current_time = current_time_from_proper_timezone
+              timestamp_attributes_for_update_in_model.each do |attr|
+                updates[attr] = current_time
+              end
+              update_columns(updates)
+            end
+          end
+
+          # same pattern as attr_encrypted reload
+          if method_defined?(:reload)
+            alias_method :reload_without_kms_encrypted, :reload
+            def reload(*args, &block)
+              result = reload_without_kms_encrypted(*args, &block)
+              self.class.kms_keys.keys.each do |key_method|
+                instance_variable_set("@#{key_method}", nil)
+              end
+              result
             end
-            result
           end
         end
 
         define_method(key_method) do
-          raise ArgumentError, "Missing key id" unless key_id
-
           instance_var = "@#{key_method}"
 
           unless instance_variable_get(instance_var)
-            key_column = "encrypted_#{key_method}"
-            context_method = name ? "kms_encryption_context_#{name}" : "kms_encryption_context"
-            context = respond_to?(context_method, true) ? send(context_method) : {}
-            default_encoding = "m"
-
-            unless send(key_column)
-              plaintext_key = nil
-              encrypted_key = nil
-
-              event = {
-                key_id: key_id,
-                context: context
-              }
-              ActiveSupport::Notifications.instrument("generate_data_key.kms_encrypted", event) do
-                if key_id == "insecure-test-key"
-                  plaintext_key = "00000000000000000000000000000000"
-                  encrypted_key = "insecure-data-key-#{rand(1_000_000_000_000)}"
-                elsif key_id.start_with?("projects/")
-                  # generate random AES-256 key
-                  plaintext_key = OpenSSL::Random.random_bytes(32)
-
-                  # encrypt it
-                  # load client first to ensure namespace is loaded
-                  client = KmsEncrypted.google_client
-                  request = ::Google::Apis::CloudkmsV1::EncryptRequest.new(
-                    plaintext: plaintext_key,
-                    additional_authenticated_data: context.to_json
-                  )
-                  response = client.encrypt_crypto_key(key_id, request)
-                  key_version = response.name
-
-                  # shorten key to save space
-                  short_key_id = Base64.encode64(key_version.split("/").select.with_index { |_, i| i.odd? }.join("/"))
-
-                  # build encrypted key
-                  # we reference the key in the field for easy rotation
-                  encrypted_key = "$gc$#{short_key_id}$#{[response.ciphertext].pack(default_encoding)}"
-                elsif key_id.start_with?("vault/")
-                  # generate random AES-256 key
-                  plaintext_key = OpenSSL::Random.random_bytes(32)
-
-                  # encrypt it
-                  response = KmsEncrypted.vault_client.logical.write(
-                    "transit/encrypt/#{key_id.sub("vault/", "")}",
-                    plaintext: Base64.encode64(plaintext_key),
-                    context: Base64.encode64(context.to_json)
-                  )
-
-                  encrypted_key = response.data[:ciphertext]
-                else
-                  # generate data key from API
-                  resp = KmsEncrypted.aws_client.generate_data_key(
-                    key_id: key_id,
-                    encryption_context: context,
-                    key_spec: "AES_256"
-                  )
-                  plaintext_key = resp.plaintext
-                  encrypted_key = [resp.ciphertext_blob].pack(default_encoding)
+            encrypted_key = send(key_column)
+            plaintext_key =
+              if encrypted_key
+                KmsEncrypted::Database.new(self, key_method).decrypt(encrypted_key)
+              else
+                key = SecureRandom.random_bytes(32)
+
+                if eager_encrypt == :fetch_id
+                  raise ArgumentError, ":fetch_id only works with Postgres" unless self.class.connection.adapter_name =~ /postg/i
+                  self.id ||= self.class.connection.execute("select nextval('#{self.class.sequence_name}')").first["nextval"]
                 end
-              end
 
-              instance_variable_set(instance_var, plaintext_key)
-              self.send("#{key_column}=", encrypted_key)
-            end
-
-            unless instance_variable_get(instance_var)
-              encrypted_key = send(key_column)
-              plaintext_key = nil
-
-              event = {
-                key_id: key_id,
-                context: context
-              }
-              ActiveSupport::Notifications.instrument("decrypt_data_key.kms_encrypted", event) do
-                if encrypted_key.start_with?("insecure-data-key-")
-                  plaintext_key = "00000000000000000000000000000000".encode("BINARY")
-                elsif encrypted_key.start_with?("$gc$")
-                  _, _, short_key_id, ciphertext = encrypted_key.split("$", 4)
-
-                  # restore key, except for cryptoKeyVersion
-                  stored_key_id = Base64.decode64(short_key_id).split("/")[0..3]
-                  stored_key_id.insert(0, "projects")
-                  stored_key_id.insert(2, "locations")
-                  stored_key_id.insert(4, "keyRings")
-                  stored_key_id.insert(6, "cryptoKeys")
-                  stored_key_id = stored_key_id.join("/")
-
-                  # load client first to ensure namespace is loaded
-                  client = KmsEncrypted.google_client
-                  request = ::Google::Apis::CloudkmsV1::DecryptRequest.new(
-                    ciphertext: ciphertext.unpack(default_encoding).first,
-                    additional_authenticated_data: context.to_json
-                  )
-                  plaintext_key = client.decrypt_crypto_key(stored_key_id, request).plaintext
-                elsif encrypted_key.start_with?("vault:")
-                  response = KmsEncrypted.vault_client.logical.write(
-                    "transit/decrypt/#{key_id.sub("vault/", "")}",
-                    ciphertext: encrypted_key,
-                    context: Base64.encode64(context.to_json)
-                  )
-
-                  plaintext_key = Base64.decode64(response.data[:plaintext])
-                else
-                  plaintext_key = KmsEncrypted.aws_client.decrypt(
-                    ciphertext_blob: encrypted_key.unpack(default_encoding).first,
-                    encryption_context: context
-                  ).plaintext
+                if eager_encrypt == true || ([:try, :fetch_id].include?(eager_encrypt) && id)
+                  encrypted_key = KmsEncrypted::Database.new(self, key_method).encrypt(key)
+                  send("#{key_column}=", encrypted_key)
                 end
-              end
 
-              instance_variable_set(instance_var, plaintext_key)
-            end
+                key
+              end
+            instance_variable_set(instance_var, plaintext_key)
           end
 
           instance_variable_get(instance_var)
         end
 
+        define_method(context_method) do
+          raise KmsEncrypted::Error, "id needed for encryption context" unless id
+
+          {
+            model_name: model_name.to_s,
+            model_id: id
+          }
+        end
+
         define_method("rotate_#{key_method}!") do
           # decrypt
           plaintext_attributes = {}

data/lib/kms_encrypted/version.rb

@@ -1,3 +1,3 @@
 module KmsEncrypted
-  VERSION = "0.3.0"
+  VERSION = "1.0.0"
 end

data/lib/kms_encrypted.rb

@@ -1,12 +1,27 @@
 # dependencies
 require "active_support"
+require "base64"
+require "json"
+require "securerandom"
 
 # modules
+require "kms_encrypted/database"
 require "kms_encrypted/log_subscriber"
 require "kms_encrypted/model"
 require "kms_encrypted/version"
 
+# clients
+require "kms_encrypted/client"
+require "kms_encrypted/clients/base"
+require "kms_encrypted/clients/aws"
+require "kms_encrypted/clients/google"
+require "kms_encrypted/clients/test"
+require "kms_encrypted/clients/vault"
+
 module KmsEncrypted
+  class Error < StandardError; end
+  class DecryptionError < Error; end
+
   class << self
     attr_writer :aws_client
     attr_writer :google_client
@@ -14,7 +29,7 @@ module KmsEncrypted
 
     def aws_client
       @aws_client ||= Aws::KMS::Client.new(
-        retry_limit: 2,
+        retry_limit: 1,
         http_open_timeout: 2,
         http_read_timeout: 2
       )
@@ -27,12 +42,21 @@ module KmsEncrypted
         client.authorization = ::Google::Auth.get_application_default(
           "https://www.googleapis.com/auth/cloud-platform"
         )
+        client.client_options.log_http_requests = false
+        client.client_options.open_timeout_sec = 2
+        client.client_options.read_timeout_sec = 2
         client
       end
     end
 
     def vault_client
-      @vault_client ||= ::Vault
+      @vault_client ||= ::Vault::Client.new
+    end
+
+    # hash is independent of key, but specific to audit device
+    def context_hash(context, path:)
+      context = Base64.encode64(context.to_json)
+      vault_client.logical.write("sys/audit-hash/#{path}", input: context).data[:hash]
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kms_encrypted
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Andrew Kane
 autorequire: 
-bindir: exe
+bindir: bin
 cert_chain: []
-date: 2018-11-11 00:00:00.000000000 Z
+date: 2018-12-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -151,24 +151,22 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 description: 
-email:
-- andrew@chartkick.com
+email: andrew@chartkick.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".gitignore"
-- ".travis.yml"
 - CHANGELOG.md
-- Gemfile
 - LICENSE.txt
 - README.md
-- Rakefile
-- guides/Amazon.md
-- guides/Google.md
-- guides/Vault.md
-- kms_encrypted.gemspec
 - lib/kms_encrypted.rb
+- lib/kms_encrypted/client.rb
+- lib/kms_encrypted/clients/aws.rb
+- lib/kms_encrypted/clients/base.rb
+- lib/kms_encrypted/clients/google.rb
+- lib/kms_encrypted/clients/test.rb
+- lib/kms_encrypted/clients/vault.rb
+- lib/kms_encrypted/database.rb
 - lib/kms_encrypted/log_subscriber.rb
 - lib/kms_encrypted/model.rb
 - lib/kms_encrypted/version.rb
@@ -184,7 +182,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.2'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -192,7 +190,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.7
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Simple, secure key management for attr_encrypted

data/.gitignore

@@ -1,9 +0,0 @@
-/.bundle/
-/.yardoc
-/Gemfile.lock
-/_yardoc/
-/coverage/
-/doc/
-/pkg/
-/spec/reports/
-/tmp/

data/.travis.yml

@@ -1,11 +0,0 @@
-language: ruby
-rvm: 2.4.2
-gemfile:
-  - Gemfile
-sudo: false
-before_install: gem install bundler
-script: bundle exec rake test
-notifications:
-  email:
-    on_success: never
-    on_failure: change

data/Gemfile

@@ -1,3 +0,0 @@
-source "https://rubygems.org"
-
-gemspec

data/Rakefile

@@ -1,11 +0,0 @@
-require "bundler/gem_tasks"
-require "rake/testtask"
-
-Rake::TestTask.new(:test) do |t|
-  t.libs << "test"
-  t.libs << "lib"
-  t.test_files = FileList["test/**/*_test.rb"]
-  t.warning = false
-end
-
-task default: :test

data/guides/Amazon.md

@@ -1,262 +0,0 @@
-# Amazon KMS
-
-Add this line to your application’s Gemfile:
-
-```ruby
-gem 'aws-sdk-kms'
-gem 'kms_encrypted'
-```
-
-Add columns for the encrypted data and the encrypted KMS data keys
-
-```ruby
-add_column :users, :encrypted_email, :text
-add_column :users, :encrypted_email_iv, :text
-add_column :users, :encrypted_kms_key, :text
-```
-
-Create an [Amazon Web Services](https://aws.amazon.com/) account if you don’t have one. KMS works great whether or not you run your infrastructure on AWS.
-
-Create a [KMS master key](https://console.aws.amazon.com/iam/home#/encryptionKeys) and set it in your environment along with your AWS credentials ([dotenv](https://github.com/bkeepers/dotenv) is great for this)
-
-```sh
-KMS_KEY_ID=arn:aws:kms:...
-AWS_ACCESS_KEY_ID=...
-AWS_SECRET_ACCESS_KEY=...
-```
-
-You can also use the alias
-
-```sh
-KMS_KEY_ID=alias/my-alias
-```
-
-And update your model
-
-```ruby
-class User < ApplicationRecord
-  has_kms_key
-
-  attr_encrypted :email, key: :kms_key
-end
-```
-
-For each encrypted attribute, use the `kms_key` method for its key.
-
-## Auditing
-
-[AWS CloudTrail](https://aws.amazon.com/cloudtrail/) logs all decryption calls. However, to know what data is being decrypted, you’ll need to add context.
-
-Add a `kms_encryption_context` method to your model.
-
-```ruby
-class User < ApplicationRecord
-  def kms_encryption_context
-    # some hash
-  end
-end
-```
-
-The context is used as part of the encryption and decryption process, so it must be a value that doesn’t change. Otherwise, you won’t be able to decrypt. Read more about [encryption context here](https://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html).
-
-The primary key is a good choice, but auto-generated ids aren’t available until a record is created, and we need to encrypt before this. One solution is to preload the primary key. Here’s what it looks like with Postgres:
-
-```ruby
-class User < ApplicationRecord
-  def kms_encryption_context
-    self.id ||= self.class.connection.execute("select nextval('#{self.class.sequence_name}')").first["nextval"]
-    {"Record" => "#{model_name}/#{id}"}
-  end
-end
-```
-
-[Amazon Athena](https://aws.amazon.com/athena/) is great for querying CloudTrail logs. Create a table (thanks to [this post](http://www.1strategy.com/blog/2017/07/25/auditing-aws-activity-with-cloudtrail-and-athena/) for the table structure) with:
-
-```sql
-CREATE EXTERNAL TABLE cloudtrail_logs (
-    eventversion STRING,
-    userIdentity STRUCT<
-        type:STRING,
-        principalid:STRING,
-        arn:STRING,
-        accountid:STRING,
-        invokedby:STRING,
-        accesskeyid:STRING,
-        userName:String,
-        sessioncontext:STRUCT<
-            attributes:STRUCT<
-                mfaauthenticated:STRING,
-                creationdate:STRING>,
-            sessionIssuer:STRUCT<
-                type:STRING,
-                principalId:STRING,
-                arn:STRING,
-                accountId:STRING,
-                userName:STRING>>>,
-    eventTime STRING,
-    eventSource STRING,
-    eventName STRING,
-    awsRegion STRING,
-    sourceIpAddress STRING,
-    userAgent STRING,
-    errorCode STRING,
-    errorMessage STRING,
-    requestId  STRING,
-    eventId  STRING,
-    resources ARRAY<STRUCT<
-        ARN:STRING,
-        accountId:STRING,
-        type:STRING>>,
-    eventType STRING,
-    apiVersion  STRING,
-    readOnly BOOLEAN,
-    recipientAccountId STRING,
-    sharedEventID STRING,
-    vpcEndpointId STRING,
-    requestParameters STRING,
-    responseElements STRING,
-    additionalEventData STRING,
-    serviceEventDetails STRING
-)
-ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
-STORED  AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
-OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
-LOCATION  's3://my-cloudtrail-logs/'
-```
-
-Change the last line to point to your CloudTrail log bucket and query away
-
-```sql
-SELECT
-    eventTime,
-    userIdentity.userName,
-    requestParameters
-FROM
-    cloudtrail_logs
-WHERE
-    eventName = 'Decrypt'
-    AND resources[1].arn = 'arn:aws:kms:...'
-ORDER BY 1
-```
-
-There will also be `GenerateDataKey` events.
-
-## Alerting
-
-We recommend setting up alerts on suspicious behavior.
-
-## Key Rotation
-
-KMS supports [automatic key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html). No action is required in this case.
-
-To manually rotate keys, replace the old KMS key id with the new key id in your model. Your app does not need the old key id to perform rotation (however, the key must still be enabled in your AWS account).
-
-```sh
-KMS_KEY_ID=arn:aws:kms:...
-```
-
-and run
-
-```ruby
-User.find_each do |user|
-  user.rotate_kms_key!
-end
-```
-
-## IAM Permissions
-
-A great feature of KMS is the ability to grant encryption and decryption permission separately.
-
-To encrypt the data, use a policy with:
-
-```json
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "EncryptData",
-            "Effect": "Allow",
-            "Action": "kms:GenerateDataKey",
-            "Resource": "arn:aws:kms:..."
-        }
-    ]
-}
-```
-
-If a system can only encrypt, you must clear out existing data and data keys before updates.
-
-```ruby
-user.encrypted_email = nil
-user.encrypted_kms_key = nil
-# before user.save or user.update
-```
-
-To decrypt the data, use a policy with:
-
-```json
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "DecryptData",
-            "Effect": "Allow",
-            "Action": "kms:Decrypt",
-            "Resource": "arn:aws:kms:..."
-        }
-    ]
-}
-```
-
-Be extremely selective of systems you allow to decrypt.
-
-## Testing
-
-For testing, you can prevent network calls to KMS by setting:
-
-```sh
-KMS_KEY_ID=insecure-test-key
-```
-
-## Multiple Keys Per Record
-
-You may want to protect different columns with different data keys (or even master keys).
-
-To do this, add more columns
-
-```ruby
-add_column :users, :encrypted_phone, :text
-add_column :users, :encrypted_phone_iv, :text
-add_column :users, :encrypted_kms_key_phone, :text
-```
-
-And update your model
-
-```ruby
-class User < ApplicationRecord
-  has_kms_key
-  has_kms_key name: :phone, key_id: "..."
-
-  attr_encrypted :email, key: :kms_key
-  attr_encrypted :phone, key: :kms_key_phone
-end
-```
-
-For context, use:
-
-```ruby
-class User < ApplicationRecord
-  def kms_encryption_context_phone
-    # some hash
-  end
-end
-```
-
-To rotate keys, use:
-
-```ruby
-user.rotate_kms_key_phone!
-```
-
-## File Uploads
-
-While outside the scope of this gem, you can also use KMS for sensitive file uploads. Check out [this guide](https://ankane.org/aws-client-side-encryption) to learn more.