kms_encrypted 1.2.2 → 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +16 -0
- data/LICENSE.txt +1 -1
- data/README.md +6 -14
- data/lib/kms_encrypted/clients/google.rb +28 -11
- data/lib/kms_encrypted/clients/vault.rb +3 -0
- data/lib/kms_encrypted/model.rb +1 -1
- data/lib/kms_encrypted/version.rb +1 -1
- data/lib/kms_encrypted.rb +18 -9
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 203e6f831854468ec07bc0aac59f0b51c68b9e767a20b5f94bb28e5437b93212
|
|
4
|
+
data.tar.gz: 226b05f2da94c4d6ddd5c67e92e7114f0f6e6b8c2cf9c0a67d9be519e3b987aa
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ce6cd1b82a6ed5a961b88e87fec1115fccd6e569db32de9e84ec83a9f42c1eb948ac2796a99cc931be380cce25fe65868bc20caf4685a2c388017330060ee85c
|
|
7
|
+
data.tar.gz: 4c9909081f55fba296c6d183e3d871d50979b05594ae8a7519ffd8d6c9d58121a3cdf3d6f72d13623f2ce996698f91dd10acda116962d48e64e76dff90ed4d3e
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,19 @@
|
|
|
1
|
+
## 1.4.0 (2022-01-10)
|
|
2
|
+
|
|
3
|
+
- Dropped support for Ruby < 2.6 and Rails < 5.2
|
|
4
|
+
|
|
5
|
+
## 1.3.0 (2021-10-10)
|
|
6
|
+
|
|
7
|
+
- Added support for `google-cloud-kms` gem
|
|
8
|
+
|
|
9
|
+
## 1.2.4 (2021-06-20)
|
|
10
|
+
|
|
11
|
+
- Fixed another argument error with Google Cloud KMS and Ruby 3
|
|
12
|
+
|
|
13
|
+
## 1.2.3 (2021-06-02)
|
|
14
|
+
|
|
15
|
+
- Fixed argument error with Google Cloud KMS and Ruby 3
|
|
16
|
+
|
|
1
17
|
## 1.2.2 (2021-05-17)
|
|
2
18
|
|
|
3
19
|
- Added `key_id` method
|
data/LICENSE.txt
CHANGED
data/README.md
CHANGED
|
@@ -48,7 +48,7 @@ gem 'aws-sdk-kms'
|
|
|
48
48
|
|
|
49
49
|
Create an [Amazon Web Services](https://aws.amazon.com/) account if you don’t have one. KMS works great whether or not you run your infrastructure on AWS.
|
|
50
50
|
|
|
51
|
-
Create a [KMS master key](https://console.aws.amazon.com/
|
|
51
|
+
Create a [KMS master key](https://console.aws.amazon.com/kms/home#/kms/keys) and set it in your environment along with your AWS credentials ([dotenv](https://github.com/bkeepers/dotenv) is great for this)
|
|
52
52
|
|
|
53
53
|
```sh
|
|
54
54
|
KMS_KEY_ID=arn:aws:kms:...
|
|
@@ -67,7 +67,7 @@ KMS_KEY_ID=alias/my-alias
|
|
|
67
67
|
Add this line to your application’s Gemfile:
|
|
68
68
|
|
|
69
69
|
```ruby
|
|
70
|
-
gem 'google-
|
|
70
|
+
gem 'google-cloud-kms'
|
|
71
71
|
```
|
|
72
72
|
|
|
73
73
|
Create a [Google Cloud Platform](https://cloud.google.com/) account if you don’t have one. KMS works great whether or not you run your infrastructure on GCP.
|
|
@@ -75,13 +75,7 @@ Create a [Google Cloud Platform](https://cloud.google.com/) account if you don
|
|
|
75
75
|
Create a [KMS key ring and key](https://console.cloud.google.com/iam-admin/kms) and set it in your environment along with your GCP credentials ([dotenv](https://github.com/bkeepers/dotenv) is great for this)
|
|
76
76
|
|
|
77
77
|
```sh
|
|
78
|
-
KMS_KEY_ID=projects
|
|
79
|
-
```
|
|
80
|
-
|
|
81
|
-
The Google API client logs requests by default. Be sure to turn off the logger in production or it will leak the plaintext.
|
|
82
|
-
|
|
83
|
-
```ruby
|
|
84
|
-
Google::Apis.logger = Logger.new(nil)
|
|
78
|
+
KMS_KEY_ID=projects/my-project/locations/global/keyRings/my-key-ring/cryptoKeys/my-key
|
|
85
79
|
```
|
|
86
80
|
|
|
87
81
|
### Vault
|
|
@@ -345,11 +339,9 @@ KmsEncrypted.key_id = Rails.env.test? ? "insecure-test-key" : ENV["KMS_KEY_ID"]
|
|
|
345
339
|
|
|
346
340
|
Key management services allow you to rotate the master key without any code changes.
|
|
347
341
|
|
|
348
|
-
AWS KMS
|
|
349
|
-
|
|
350
|
-
For
|
|
351
|
-
|
|
352
|
-
For Vault, use:
|
|
342
|
+
- For AWS KMS, you can use [automatic key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
|
|
343
|
+
- For Google Cloud, use the Google Cloud Console or API
|
|
344
|
+
- For Vault, use:
|
|
353
345
|
|
|
354
346
|
```sh
|
|
355
347
|
vault write -f transit/keys/my-key/rotate
|
|
@@ -11,12 +11,18 @@ module KmsEncrypted
|
|
|
11
11
|
|
|
12
12
|
# ensure namespace gets loaded
|
|
13
13
|
client = KmsEncrypted.google_client
|
|
14
|
-
request = ::Google::Apis::CloudkmsV1::EncryptRequest.new(options)
|
|
15
|
-
response = client.encrypt_crypto_key(key_id, request)
|
|
16
14
|
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
15
|
+
if defined?(::Google::Apis::CloudkmsV1::CloudKMSService) && KmsEncrypted.google_client.is_a?(::Google::Apis::CloudkmsV1::CloudKMSService)
|
|
16
|
+
request = ::Google::Apis::CloudkmsV1::EncryptRequest.new(**options)
|
|
17
|
+
response = client.encrypt_crypto_key(key_id, request)
|
|
18
|
+
@last_key_version = response.name
|
|
19
|
+
response.ciphertext
|
|
20
|
+
else
|
|
21
|
+
options[:name] = key_id
|
|
22
|
+
response = client.encrypt(**options)
|
|
23
|
+
@last_key_version = response.name
|
|
24
|
+
response.ciphertext
|
|
25
|
+
end
|
|
20
26
|
end
|
|
21
27
|
|
|
22
28
|
def decrypt(ciphertext, context: nil)
|
|
@@ -27,12 +33,23 @@ module KmsEncrypted
|
|
|
27
33
|
|
|
28
34
|
# ensure namespace gets loaded
|
|
29
35
|
client = KmsEncrypted.google_client
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
+
|
|
37
|
+
if defined?(::Google::Apis::CloudkmsV1::CloudKMSService) && KmsEncrypted.google_client.is_a?(::Google::Apis::CloudkmsV1::CloudKMSService)
|
|
38
|
+
request = ::Google::Apis::CloudkmsV1::DecryptRequest.new(**options)
|
|
39
|
+
begin
|
|
40
|
+
client.decrypt_crypto_key(key_id, request).plaintext
|
|
41
|
+
rescue ::Google::Apis::ClientError => e
|
|
42
|
+
decryption_failed! if e.message.include?("Decryption failed")
|
|
43
|
+
raise e
|
|
44
|
+
end
|
|
45
|
+
else
|
|
46
|
+
options[:name] = key_id
|
|
47
|
+
begin
|
|
48
|
+
client.decrypt(**options).plaintext
|
|
49
|
+
rescue ::Google::Cloud::InvalidArgumentError => e
|
|
50
|
+
decryption_failed! if e.message.include?("Decryption failed")
|
|
51
|
+
raise e
|
|
52
|
+
end
|
|
36
53
|
end
|
|
37
54
|
end
|
|
38
55
|
end
|
|
@@ -30,6 +30,9 @@ module KmsEncrypted
|
|
|
30
30
|
rescue ::Vault::HTTPClientError => e
|
|
31
31
|
decryption_failed! if e.message.include?("unable to decrypt")
|
|
32
32
|
raise e
|
|
33
|
+
rescue ::Vault::HTTPServerError => e
|
|
34
|
+
decryption_failed! if e.message.include?("message authentication failed")
|
|
35
|
+
raise e
|
|
33
36
|
rescue Encoding::UndefinedConversionError
|
|
34
37
|
decryption_failed!
|
|
35
38
|
end
|
data/lib/kms_encrypted/model.rb
CHANGED
|
@@ -123,7 +123,7 @@ module KmsEncrypted
|
|
|
123
123
|
|
|
124
124
|
# attr_encrypted
|
|
125
125
|
if self.class.respond_to?(:encrypted_attributes)
|
|
126
|
-
self.class.encrypted_attributes.each do |key, v|
|
|
126
|
+
self.class.encrypted_attributes.to_a.each do |key, v|
|
|
127
127
|
if v[:key] == key_method.to_sym
|
|
128
128
|
plaintext_attributes[key] = send(key)
|
|
129
129
|
elsif v[:key].respond_to?(:call)
|
data/lib/kms_encrypted.rb
CHANGED
|
@@ -39,15 +39,24 @@ module KmsEncrypted
|
|
|
39
39
|
|
|
40
40
|
def google_client
|
|
41
41
|
@google_client ||= begin
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
42
|
+
begin
|
|
43
|
+
require "google/apis/cloudkms_v1"
|
|
44
|
+
|
|
45
|
+
client = ::Google::Apis::CloudkmsV1::CloudKMSService.new
|
|
46
|
+
client.authorization = ::Google::Auth.get_application_default(
|
|
47
|
+
"https://www.googleapis.com/auth/cloud-platform"
|
|
48
|
+
)
|
|
49
|
+
client.client_options.log_http_requests = false
|
|
50
|
+
client.client_options.open_timeout_sec = 2
|
|
51
|
+
client.client_options.read_timeout_sec = 2
|
|
52
|
+
client
|
|
53
|
+
rescue LoadError
|
|
54
|
+
require "google/cloud/kms"
|
|
55
|
+
|
|
56
|
+
Google::Cloud::Kms.key_management_service do |config|
|
|
57
|
+
config.timeout = 2
|
|
58
|
+
end
|
|
59
|
+
end
|
|
51
60
|
end
|
|
52
61
|
end
|
|
53
62
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: kms_encrypted
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Andrew Kane
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-01-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - ">="
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: '5'
|
|
19
|
+
version: '5.2'
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - ">="
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: '5'
|
|
26
|
+
version: '5.2'
|
|
27
27
|
description:
|
|
28
28
|
email: andrew@ankane.org
|
|
29
29
|
executables: []
|
|
@@ -57,14 +57,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
57
57
|
requirements:
|
|
58
58
|
- - ">="
|
|
59
59
|
- !ruby/object:Gem::Version
|
|
60
|
-
version: '2.
|
|
60
|
+
version: '2.6'
|
|
61
61
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
62
62
|
requirements:
|
|
63
63
|
- - ">="
|
|
64
64
|
- !ruby/object:Gem::Version
|
|
65
65
|
version: '0'
|
|
66
66
|
requirements: []
|
|
67
|
-
rubygems_version: 3.
|
|
67
|
+
rubygems_version: 3.3.3
|
|
68
68
|
signing_key:
|
|
69
69
|
specification_version: 4
|
|
70
70
|
summary: Simple, secure key management for Lockbox and attr_encrypted
|