RubyGems - kms_encrypted - Versions diffs - 1.2.1 → 1.3.0 - Mend

kms_encrypted 1.2.1 → 1.3.0

Files changed (13) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +16 -0
data/LICENSE.txt +1 -1
data/README.md +11 -11
data/lib/kms_encrypted/box.rb +1 -1
data/lib/kms_encrypted/client.rb +1 -3
data/lib/kms_encrypted/clients/google.rb +28 -11
data/lib/kms_encrypted/clients/test.rb +2 -0
data/lib/kms_encrypted/clients/vault.rb +3 -0
data/lib/kms_encrypted/model.rb +1 -1
data/lib/kms_encrypted/version.rb +1 -1
data/lib/kms_encrypted.rb +23 -9
metadata +8 -162

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0d6182ffbaae6402f3cfd620f93242fe457a37aeda8609362d7eb08572f020e0
-  data.tar.gz: e2241d145e0407fcc6238e94ae653dc98de17538b95b4ee7df8c8ff48a94cbf3
+  metadata.gz: 67d1e3fb931f190e380e35875f1c6346025ebbdd101cdef33ed028d57f2e1b9d
+  data.tar.gz: fe2286f23847db1ee9314cd505fb00478574682a6edd9c7e754e2ce231926e4c
 SHA512:
-  metadata.gz: b696faad41fce6bba45b23f981ec1eb1e557b9048e7e7bc79ebb4f70ee090a0bf0b8dbc68ef9226db88c2d75f3e13a1e04feabba5002a43466b845f9abb30b3c
-  data.tar.gz: 569fc18fcb7d7c7751735310867efd5a8411f1756f539cc2073ed3360ea1ca05a761ef3d67694427ee810f3c556d4ef1c7ea122a88ff9ddb763c480ba60f9b61
+  metadata.gz: 9c651b9fad6d49d6ae4d2a6006ac34d65f7d0f2072446f7cb622c1f48c2c050fc7d70fc6baa0c8883fbe86e34c0ce4e0a00e1b6907d6577209b3389dd94cbced
+  data.tar.gz: 21eeadd0dbb9ed008ca9d2feb34bd43b5dee9c0527aa56b3a1a8a318535ef4707f3690acf504af6091837ec52a81abf1041e7166ef3a2a110cfa35824adebcde

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,19 @@
+## 1.3.0 (2021-10-10)
+- Added support for `google-cloud-kms` gem
+## 1.2.4 (2021-06-20)
+- Fixed another argument error with Google Cloud KMS and Ruby 3
+## 1.2.3 (2021-06-02)
+- Fixed argument error with Google Cloud KMS and Ruby 3
+## 1.2.2 (2021-05-17)
+- Added `key_id` method
 ## 1.2.1 (2020-09-28)
 - Fixed `Version not active` error when switching keys

data/LICENSE.txt CHANGED Viewed

@@ -1,4 +1,4 @@
-Copyright (c) 2017-2020 Andrew Kane
+Copyright (c) 2017-2021 Andrew Kane
 MIT License

data/README.md CHANGED Viewed

@@ -14,7 +14,7 @@ Supports [AWS KMS](https://aws.amazon.com/kms/), [Google Cloud KMS](https://clou
 Check out [this post](https://ankane.org/sensitive-data-rails) for more info on securing sensitive data with Rails
-[![Build Status](https://travis-ci.org/ankane/kms_encrypted.svg?branch=master)](https://travis-ci.org/ankane/kms_encrypted)
+[![Build Status](https://github.com/ankane/kms_encrypted/workflows/build/badge.svg?branch=master)](https://github.com/ankane/kms_encrypted/actions)
 ## How It Works
@@ -48,7 +48,7 @@ gem 'aws-sdk-kms'
 Create an [Amazon Web Services](https://aws.amazon.com/) account if you don’t have one. KMS works great whether or not you run your infrastructure on AWS.
-Create a [KMS master key](https://console.aws.amazon.com/iam/home#/encryptionKeys) and set it in your environment along with your AWS credentials ([dotenv](https://github.com/bkeepers/dotenv) is great for this)
+Create a [KMS master key](https://console.aws.amazon.com/kms/home#/kms/keys) and set it in your environment along with your AWS credentials ([dotenv](https://github.com/bkeepers/dotenv) is great for this)
 ```sh
 KMS_KEY_ID=arn:aws:kms:...
@@ -67,7 +67,7 @@ KMS_KEY_ID=alias/my-alias
 Add this line to your application’s Gemfile:
 ```ruby
-gem 'google-api-client'
+gem 'google-cloud-kms'
 ```
 Create a [Google Cloud Platform](https://cloud.google.com/) account if you don’t have one. KMS works great whether or not you run your infrastructure on GCP.
@@ -75,13 +75,7 @@ Create a [Google Cloud Platform](https://cloud.google.com/) account if you don
 Create a [KMS key ring and key](https://console.cloud.google.com/iam-admin/kms) and set it in your environment along with your GCP credentials ([dotenv](https://github.com/bkeepers/dotenv) is great for this)
 ```sh
-KMS_KEY_ID=projects/.../locations/.../keyRings/.../cryptoKeys/...
-```
-The Google API client logs requests by default. Be sure to turn off the logger in production or it will leak the plaintext.
-```ruby
-Google::Apis.logger = Logger.new(nil)
+KMS_KEY_ID=projects/my-project/locations/global/keyRings/my-key-ring/cryptoKeys/my-key
 ```
 ### Vault
@@ -335,9 +329,15 @@ For testing, you can prevent network calls to KMS by setting:
 KMS_KEY_ID=insecure-test-key
 ```
+In a Rails application, you can also create `config/initializers/kms_encrypted.rb` with:
+```ruby
+KmsEncrypted.key_id = Rails.env.test? ? "insecure-test-key" : ENV["KMS_KEY_ID"]
+```
 ## Key Rotation
-Key management services allow you to rotate the master key.
+Key management services allow you to rotate the master key without any code changes.
 AWS KMS supports [automatic key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html).

data/lib/kms_encrypted/box.rb CHANGED Viewed

@@ -3,7 +3,7 @@ module KmsEncrypted
     attr_reader :key_id, :version, :previous_versions
     def initialize(key_id: nil, version: nil, previous_versions: nil)
-      @key_id = key_id || ENV["KMS_KEY_ID"]
+      @key_id = key_id || KmsEncrypted.key_id
       @version = version || 1
       @previous_versions = previous_versions || {}
     end

data/lib/kms_encrypted/client.rb CHANGED Viewed

@@ -1,11 +1,9 @@
 module KmsEncrypted
   class Client
-    delegate :encrypt, :decrypt, to: :client
     attr_reader :key_id, :data_key
     def initialize(key_id: nil, legacy_context: false, data_key: false)
-      @key_id = key_id || ENV["KMS_KEY_ID"]
+      @key_id = key_id || KmsEncrypted.key_id
       @legacy_context = legacy_context
       @data_key = data_key
     end

data/lib/kms_encrypted/clients/google.rb CHANGED Viewed

@@ -11,12 +11,18 @@ module KmsEncrypted
         # ensure namespace gets loaded
         client = KmsEncrypted.google_client
-        request = ::Google::Apis::CloudkmsV1::EncryptRequest.new(options)
-        response = client.encrypt_crypto_key(key_id, request)
-        @last_key_version = response.name
-        response.ciphertext
+        if defined?(::Google::Apis::CloudkmsV1::CloudKMSService) && KmsEncrypted.google_client.is_a?(::Google::Apis::CloudkmsV1::CloudKMSService)
+          request = ::Google::Apis::CloudkmsV1::EncryptRequest.new(**options)
+          response = client.encrypt_crypto_key(key_id, request)
+          @last_key_version = response.name
+          response.ciphertext
+        else
+          options[:name] = key_id
+          response = client.encrypt(**options)
+          @last_key_version = response.name
+          response.ciphertext
+        end
       end
       def decrypt(ciphertext, context: nil)
@@ -27,12 +33,23 @@ module KmsEncrypted
         # ensure namespace gets loaded
         client = KmsEncrypted.google_client
-        request = ::Google::Apis::CloudkmsV1::DecryptRequest.new(options)
-        begin
-          client.decrypt_crypto_key(key_id, request).plaintext
-        rescue ::Google::Apis::ClientError => e
-          decryption_failed! if e.message.include?("Decryption failed")
-          raise e
+        if defined?(::Google::Apis::CloudkmsV1::CloudKMSService) && KmsEncrypted.google_client.is_a?(::Google::Apis::CloudkmsV1::CloudKMSService)
+          request = ::Google::Apis::CloudkmsV1::DecryptRequest.new(**options)
+          begin
+            client.decrypt_crypto_key(key_id, request).plaintext
+          rescue ::Google::Apis::ClientError => e
+            decryption_failed! if e.message.include?("Decryption failed")
+            raise e
+          end
+        else
+          options[:name] = key_id
+          begin
+            client.decrypt(**options).plaintext
+          rescue ::Google::Cloud::InvalidArgumentError => e
+            decryption_failed! if e.message.include?("Decryption failed")
+            raise e
+          end
         end
       end
     end

data/lib/kms_encrypted/clients/test.rb CHANGED Viewed

@@ -12,6 +12,8 @@ module KmsEncrypted
       def decrypt(ciphertext, context: nil)
         prefix, plaintext, stored_context = ciphertext.split(":")
+        decryption_failed! if prefix != PREFIX
         context = generate_context(context) if context
         decryption_failed! if context != stored_context

data/lib/kms_encrypted/clients/vault.rb CHANGED Viewed

@@ -30,6 +30,9 @@ module KmsEncrypted
           rescue ::Vault::HTTPClientError => e
             decryption_failed! if e.message.include?("unable to decrypt")
             raise e
+          rescue ::Vault::HTTPServerError => e
+            decryption_failed! if e.message.include?("message authentication failed")
+            raise e
           rescue Encoding::UndefinedConversionError
             decryption_failed!
           end

data/lib/kms_encrypted/model.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 module KmsEncrypted
   module Model
     def has_kms_key(name: nil, key_id: nil, eager_encrypt: false, version: 1, previous_versions: nil, upgrade_context: false)
-      key_id ||= ENV["KMS_KEY_ID"]
+      key_id ||= KmsEncrypted.key_id
       key_method = name ? "kms_key_#{name}" : "kms_key"
       key_column = "encrypted_#{key_method}"

data/lib/kms_encrypted/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module KmsEncrypted
-  VERSION = "1.2.1"
+  VERSION = "1.3.0"
 end

data/lib/kms_encrypted.rb CHANGED Viewed

@@ -27,6 +27,7 @@ module KmsEncrypted
     attr_writer :aws_client
     attr_writer :google_client
     attr_writer :vault_client
+    attr_writer :key_id
     def aws_client
       @aws_client ||= Aws::KMS::Client.new(
@@ -38,15 +39,24 @@ module KmsEncrypted
     def google_client
       @google_client ||= begin
-        require "google/apis/cloudkms_v1"
-        client = ::Google::Apis::CloudkmsV1::CloudKMSService.new
-        client.authorization = ::Google::Auth.get_application_default(
-          "https://www.googleapis.com/auth/cloud-platform"
-        )
-        client.client_options.log_http_requests = false
-        client.client_options.open_timeout_sec = 2
-        client.client_options.read_timeout_sec = 2
-        client
+        begin
+          require "google/apis/cloudkms_v1"
+          client = ::Google::Apis::CloudkmsV1::CloudKMSService.new
+          client.authorization = ::Google::Auth.get_application_default(
+            "https://www.googleapis.com/auth/cloud-platform"
+          )
+          client.client_options.log_http_requests = false
+          client.client_options.open_timeout_sec = 2
+          client.client_options.read_timeout_sec = 2
+          client
+        rescue LoadError
+          require "google/cloud/kms"
+          Google::Cloud::Kms.key_management_service do |config|
+            config.timeout = 2
+          end
+        end
       end
     end
@@ -54,6 +64,10 @@ module KmsEncrypted
       @vault_client ||= ::Vault::Client.new
     end
+    def key_id
+      @key_id ||= ENV["KMS_KEY_ID"]
+    end
     # hash is independent of key, but specific to audit device
     def context_hash(context, path:)
       context = Base64.encode64(context.to_json)

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kms_encrypted
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 1.3.0
 platform: ruby
 authors:
 - Andrew Kane
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-09-28 00:00:00.000000000 Z
+date: 2021-10-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -24,162 +24,8 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '5'
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: minitest
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: sqlite3
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: activerecord
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: attr_encrypted
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: lockbox
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.4.7
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 0.4.7
-- !ruby/object:Gem::Dependency
-  name: aws-sdk-kms
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: google-api-client
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: vault
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: carrierwave
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-description:
-email: andrew@chartkick.com
+description:
+email: andrew@ankane.org
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -203,7 +49,7 @@ homepage: https://github.com/ankane/kms_encrypted
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -218,8 +64,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key:
+rubygems_version: 3.2.22
+signing_key:
 specification_version: 4
 summary: Simple, secure key management for Lockbox and attr_encrypted
 test_files: []