RubyGems - kms_encrypted - Versions diffs - 1.0.0 → 1.0.1 - Mend

kms_encrypted 1.0.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +6 -0
data/LICENSE.txt +1 -1
data/README.md +25 -1
data/lib/kms_encrypted.rb +1 -0
data/lib/kms_encrypted/box.rb +91 -0
data/lib/kms_encrypted/database.rb +26 -56
data/lib/kms_encrypted/model.rb +16 -6
data/lib/kms_encrypted/version.rb +1 -1
metadata +5 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 11c711222f049df42c663c9e68a2822fb7e318d3f3fc02f6346801c998ead328
-  data.tar.gz: 98200a87d8bf02a7398b075aaa6d79dff706a4d15d850584ebd952329980520b
+  metadata.gz: edd8de63fd58086fa749186d51d6a99cd4343600c8f50827fbb019f1ec2d9788
+  data.tar.gz: 7f91126392f0ad2e0a4c8d48d1a2f3c3fe7fc257a4eaef2bf526acf1badb491d
 SHA512:
-  metadata.gz: 7b3d37f2739f1a869a8a34c62e9300c3b54b0e8b87b98377883fa252d161aaafcb387044049bf0bfb070e86d481034bcf5c19b0e83d21a4668a513b02f3da151
-  data.tar.gz: b5596bc03466ac15b09d72cd1e00093eda05e2dcd3ca17607484ff678da808647bb7d364be27b5cfc912cdcccb991cbb55b18fd94206a4cb4510d17eaeb4c0da
+  metadata.gz: 7e83a606cd2b3cacf47854a7425245b163bcdd267a07a501d0344cad3fe98513fbafed99ed6096f53dade5aa8c36be267766293d7639525159c0be3b635e90c3
+  data.tar.gz: 9649c83297b1562e973f83cfcc1b67541f0e08ae2ef05cc6decaef661bd7b9f65b32ea3f35ac2faf8d6c7c10c1110e92e3760cdc8792c98734135abd4f3a882c

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,9 @@
+## 1.0.1
+- Added support for encryption and decryption outside models
+- Added support for dynamic keys
+- Fixed issue with inheritance
 ## 1.0.0
 - Added versioning

data/LICENSE.txt CHANGED Viewed

@@ -1,4 +1,4 @@
-Copyright (c) 2017-2018 Andrew Kane
+Copyright (c) 2017-2019 Andrew Kane
 MIT License

data/README.md CHANGED Viewed

@@ -5,13 +5,15 @@ Simple, secure key management for [attr_encrypted](https://github.com/attr-encry
 With KMS Encrypted:
 - Master encryption keys are not on application servers
+- Encrypt and decrypt permissions can be granted separately
 - There’s an immutable audit log of all activity
 - Decryption can be disabled if an attack is detected
-- Encrypt and decrypt permissions can be granted separately
 - It’s easy to rotate keys
 Supports [AWS KMS](https://aws.amazon.com/kms/), [Google Cloud KMS](https://cloud.google.com/kms/), and [Vault](https://www.vaultproject.io/)
+Check out [this post](https://ankane.org/sensitive-data-rails) for more info on securing sensitive data with Rails
 [![Build Status](https://travis-ci.org/ankane/kms_encrypted.svg?branch=master)](https://travis-ci.org/ankane/kms_encrypted)
 ## How It Works
@@ -30,6 +32,28 @@ Follow the instructions for your key management service:
 - [Google Cloud KMS](guides/Google.md)
 - [Vault](guides/Vault.md)
+## Outside Models
+To encrypt and decrypt outside of models, create a box:
+```ruby
+kms = KmsEncrypted::Box.new
+```
+You can pass `key_id`, `version`, and `previous_versions` if needed.
+Encrypt
+```ruby
+kms.encrypt(message, context: {model_name: "User", model_id: 123})
+```
+Decrypt
+```ruby
+kms.decrypt(ciphertext, context: {model_name: "User", model_id: 123})
+```
 ## Related Projects
 To securely search encrypted data, check out [Blind Index](https://github.com/ankane/blind_index).

data/lib/kms_encrypted.rb CHANGED Viewed

@@ -5,6 +5,7 @@ require "json"
 require "securerandom"
 # modules
+require "kms_encrypted/box"
 require "kms_encrypted/database"
 require "kms_encrypted/log_subscriber"
 require "kms_encrypted/model"

data/lib/kms_encrypted/box.rb ADDED Viewed

@@ -0,0 +1,91 @@
+module KmsEncrypted
+  class Box
+    attr_reader :key_id, :version, :previous_versions
+    def initialize(key_id: nil, version: nil, previous_versions: nil)
+      @key_id = key_id || ENV["KMS_KEY_ID"]
+      @version = version || 1
+      @previous_versions = previous_versions || {}
+    end
+    def encrypt(plaintext, context: nil)
+      context = version_context(context, version)
+      key_id = version_key_id(version)
+      ciphertext = KmsEncrypted::Client.new(key_id: key_id, data_key: true).encrypt(plaintext, context: context)
+      "v#{version}:#{encode64(ciphertext)}"
+    end
+    def decrypt(ciphertext, context: nil)
+      m = /\Av(\d+):/.match(ciphertext)
+      if m
+        version = m[1].to_i
+        ciphertext = ciphertext.sub("v#{version}:", "")
+      else
+        version = 1
+        legacy_context = true
+        # legacy
+        if ciphertext.start_with?("$gc$")
+          _, _, short_key_id, ciphertext = ciphertext.split("$", 4)
+          # restore key, except for cryptoKeyVersion
+          stored_key_id = decode64(short_key_id).split("/")[0..3]
+          stored_key_id.insert(0, "projects")
+          stored_key_id.insert(2, "locations")
+          stored_key_id.insert(4, "keyRings")
+          stored_key_id.insert(6, "cryptoKeys")
+          key_id = stored_key_id.join("/")
+        elsif ciphertext.start_with?("vault:")
+          ciphertext = Base64.encode64(ciphertext)
+        end
+      end
+      key_id ||= version_key_id(version)
+      ciphertext = decode64(ciphertext)
+      context = version_context(context, version)
+      KmsEncrypted::Client.new(
+        key_id: key_id,
+        data_key: true,
+        legacy_context: legacy_context
+      ).decrypt(ciphertext, context: context)
+    end
+    private
+    def version_key_id(version)
+      key_id =
+        if previous_versions[version]
+          previous_versions[version][:key_id]
+        elsif self.version == version
+          self.key_id
+        else
+          raise KmsEncrypted::Error, "Version not active: #{version}"
+        end
+      raise ArgumentError, "Missing key id" unless key_id
+      key_id
+    end
+    def version_context(context, version)
+      if context.respond_to?(:call)
+        if context.arity == 0
+          context.call
+        else
+          context.call(version)
+        end
+      else
+        context
+      end
+    end
+    def encode64(bytes)
+      Base64.strict_encode64(bytes)
+    end
+    def decode64(bytes)
+      Base64.decode64(bytes)
+    end
+  end
+end

data/lib/kms_encrypted/database.rb CHANGED Viewed

@@ -8,32 +8,20 @@ module KmsEncrypted
       @options = record.class.kms_keys[key_method.to_sym]
     end
-    def name
-      options[:name]
+    def version
+      @version ||= evaluate_option(:version).to_i
     end
-    def current_version
-      @version ||= begin
-        version = options[:version]
-        version = record.instance_exec(&version) if version.respond_to?(:call)
-        version.to_i
-      end
+    def key_id
+      @key_id ||= evaluate_option(:key_id)
     end
-    def key_version(version)
-      versions = (options[:previous_versions] || {}).dup
-      versions[current_version] ||= options.slice(:key_id)
-      raise KmsEncrypted::Error, "Version not active: #{version}" unless versions[version]
-      key_id = versions[version][:key_id]
-      raise ArgumentError, "Missing key id" unless key_id
-      key_id
+    def previous_versions
+      @previous_versions ||= evaluate_option(:previous_versions)
     end
     def context(version)
+      name = options[:name]
       context_method = name ? "kms_encryption_context_#{name}" : "kms_encryption_context"
       if record.method(context_method).arity == 0
         record.send(context_method)
@@ -43,51 +31,33 @@ module KmsEncrypted
     end
     def encrypt(plaintext)
-      key_id = key_version(current_version)
-      context = context(current_version)
-      ciphertext = KmsEncrypted::Client.new(key_id: key_id, data_key: true).encrypt(plaintext, context: context)
-      "v#{current_version}:#{encode64(ciphertext)}"
+      context = context(version)
+      KmsEncrypted::Box.new(
+        key_id: key_id,
+        version: version,
+        previous_versions: previous_versions
+      ).encrypt(plaintext, context: context)
     end
     def decrypt(ciphertext)
+      # determine version for context
       m = /\Av(\d+):/.match(ciphertext)
-      if m
-        version = m[1].to_i
-        ciphertext = ciphertext.sub("v#{version}:", "")
-      else
-        version = 1
-        context = {} if options[:upgrade_context]
-        legacy_context = true
-        # legacy
-        if ciphertext.start_with?("$gc$")
-          _, _, short_key_id, ciphertext = ciphertext.split("$", 4)
-          # restore key, except for cryptoKeyVersion
-          stored_key_id = decode64(short_key_id).split("/")[0..3]
-          stored_key_id.insert(0, "projects")
-          stored_key_id.insert(2, "locations")
-          stored_key_id.insert(4, "keyRings")
-          stored_key_id.insert(6, "cryptoKeys")
-          key_id = stored_key_id.join("/")
-        elsif ciphertext.start_with?("vault:")
-          ciphertext = Base64.encode64(ciphertext)
-        end
-      end
-      key_id ||= key_version(version)
-      context ||= context(version)
-      ciphertext = decode64(ciphertext)
+      version = m ? m[1].to_i : 1
+      context = (options[:upgrade_context] && !m) ? {} : context(version)
-      KmsEncrypted::Client.new(key_id: key_id, data_key: true, legacy_context: legacy_context).decrypt(ciphertext, context: context)
+      KmsEncrypted::Box.new(
+        key_id: key_id,
+        previous_versions: previous_versions
+      ).decrypt(ciphertext, context: context)
     end
-    def encode64(bytes)
-      Base64.strict_encode64(bytes)
-    end
+    private
-    def decode64(bytes)
-      Base64.decode64(bytes)
+    def evaluate_option(key)
+      opt = options[key]
+      opt = record.instance_exec(&opt) if opt.respond_to?(:call)
+      opt
     end
   end
 end

data/lib/kms_encrypted/model.rb CHANGED Viewed

@@ -8,12 +8,22 @@ module KmsEncrypted
       context_method = name ? "kms_encryption_context_#{name}" : "kms_encryption_context"
       class_eval do
-        class << self
-          def kms_keys
-            @kms_keys ||= {}
-          end unless respond_to?(:kms_keys)
+        @kms_keys ||= {}
+        unless respond_to?(:kms_keys)
+          def self.kms_keys
+            parent_keys =
+              if superclass.respond_to?(:kms_keys)
+                superclass.kms_keys
+              else
+                {}
+              end
+            parent_keys.merge(@kms_keys || {})
+          end
         end
-        kms_keys[key_method.to_sym] = {
+        @kms_keys[key_method.to_sym] = {
           key_id: key_id,
           name: name,
           version: version,
@@ -21,7 +31,7 @@ module KmsEncrypted
           upgrade_context: upgrade_context
         }
-        if kms_keys.size == 1
+        if @kms_keys.size == 1
           after_save :encrypt_kms_keys
           # fetch all keys together so only need to update database once

data/lib/kms_encrypted/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module KmsEncrypted
-  VERSION = "1.0.0"
+  VERSION = "1.0.1"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kms_encrypted
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
 platform: ruby
 authors:
 - Andrew Kane
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-12-17 00:00:00.000000000 Z
+date: 2019-01-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '4.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '4.2'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -160,6 +160,7 @@ files:
 - LICENSE.txt
 - README.md
 - lib/kms_encrypted.rb
+- lib/kms_encrypted/box.rb
 - lib/kms_encrypted/client.rb
 - lib/kms_encrypted/clients/aws.rb
 - lib/kms_encrypted/clients/base.rb