kms_encrypted 1.2.2 → 1.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +16 -0
- data/LICENSE.txt +1 -1
- data/README.md +6 -14
- data/lib/kms_encrypted/clients/google.rb +28 -11
- data/lib/kms_encrypted/clients/vault.rb +3 -0
- data/lib/kms_encrypted/model.rb +1 -1
- data/lib/kms_encrypted/version.rb +1 -1
- data/lib/kms_encrypted.rb +18 -9
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 203e6f831854468ec07bc0aac59f0b51c68b9e767a20b5f94bb28e5437b93212
|
|
4
|
+
data.tar.gz: 226b05f2da94c4d6ddd5c67e92e7114f0f6e6b8c2cf9c0a67d9be519e3b987aa
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ce6cd1b82a6ed5a961b88e87fec1115fccd6e569db32de9e84ec83a9f42c1eb948ac2796a99cc931be380cce25fe65868bc20caf4685a2c388017330060ee85c
|
|
7
|
+
data.tar.gz: 4c9909081f55fba296c6d183e3d871d50979b05594ae8a7519ffd8d6c9d58121a3cdf3d6f72d13623f2ce996698f91dd10acda116962d48e64e76dff90ed4d3e
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,19 @@
|
|
|
1
|
+
## 1.4.0 (2022-01-10)
|
|
2
|
+
|
|
3
|
+
- Dropped support for Ruby < 2.6 and Rails < 5.2
|
|
4
|
+
|
|
5
|
+
## 1.3.0 (2021-10-10)
|
|
6
|
+
|
|
7
|
+
- Added support for `google-cloud-kms` gem
|
|
8
|
+
|
|
9
|
+
## 1.2.4 (2021-06-20)
|
|
10
|
+
|
|
11
|
+
- Fixed another argument error with Google Cloud KMS and Ruby 3
|
|
12
|
+
|
|
13
|
+
## 1.2.3 (2021-06-02)
|
|
14
|
+
|
|
15
|
+
- Fixed argument error with Google Cloud KMS and Ruby 3
|
|
16
|
+
|
|
1
17
|
## 1.2.2 (2021-05-17)
|
|
2
18
|
|
|
3
19
|
- Added `key_id` method
|
data/LICENSE.txt
CHANGED
data/README.md
CHANGED
|
@@ -48,7 +48,7 @@ gem 'aws-sdk-kms'
|
|
|
48
48
|
|
|
49
49
|
Create an [Amazon Web Services](https://aws.amazon.com/) account if you don’t have one. KMS works great whether or not you run your infrastructure on AWS.
|
|
50
50
|
|
|
51
|
-
Create a [KMS master key](https://console.aws.amazon.com/
|
|
51
|
+
Create a [KMS master key](https://console.aws.amazon.com/kms/home#/kms/keys) and set it in your environment along with your AWS credentials ([dotenv](https://github.com/bkeepers/dotenv) is great for this)
|
|
52
52
|
|
|
53
53
|
```sh
|
|
54
54
|
KMS_KEY_ID=arn:aws:kms:...
|
|
@@ -67,7 +67,7 @@ KMS_KEY_ID=alias/my-alias
|
|
|
67
67
|
Add this line to your application’s Gemfile:
|
|
68
68
|
|
|
69
69
|
```ruby
|
|
70
|
-
gem 'google-
|
|
70
|
+
gem 'google-cloud-kms'
|
|
71
71
|
```
|
|
72
72
|
|
|
73
73
|
Create a [Google Cloud Platform](https://cloud.google.com/) account if you don’t have one. KMS works great whether or not you run your infrastructure on GCP.
|
|
@@ -75,13 +75,7 @@ Create a [Google Cloud Platform](https://cloud.google.com/) account if you don
|
|
|
75
75
|
Create a [KMS key ring and key](https://console.cloud.google.com/iam-admin/kms) and set it in your environment along with your GCP credentials ([dotenv](https://github.com/bkeepers/dotenv) is great for this)
|
|
76
76
|
|
|
77
77
|
```sh
|
|
78
|
-
KMS_KEY_ID=projects
|
|
79
|
-
```
|
|
80
|
-
|
|
81
|
-
The Google API client logs requests by default. Be sure to turn off the logger in production or it will leak the plaintext.
|
|
82
|
-
|
|
83
|
-
```ruby
|
|
84
|
-
Google::Apis.logger = Logger.new(nil)
|
|
78
|
+
KMS_KEY_ID=projects/my-project/locations/global/keyRings/my-key-ring/cryptoKeys/my-key
|
|
85
79
|
```
|
|
86
80
|
|
|
87
81
|
### Vault
|
|
@@ -345,11 +339,9 @@ KmsEncrypted.key_id = Rails.env.test? ? "insecure-test-key" : ENV["KMS_KEY_ID"]
|
|
|
345
339
|
|
|
346
340
|
Key management services allow you to rotate the master key without any code changes.
|
|
347
341
|
|
|
348
|
-
AWS KMS
|
|
349
|
-
|
|
350
|
-
For
|
|
351
|
-
|
|
352
|
-
For Vault, use:
|
|
342
|
+
- For AWS KMS, you can use [automatic key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
|
|
343
|
+
- For Google Cloud, use the Google Cloud Console or API
|
|
344
|
+
- For Vault, use:
|
|
353
345
|
|
|
354
346
|
```sh
|
|
355
347
|
vault write -f transit/keys/my-key/rotate
|
|
@@ -11,12 +11,18 @@ module KmsEncrypted
|
|
|
11
11
|
|
|
12
12
|
# ensure namespace gets loaded
|
|
13
13
|
client = KmsEncrypted.google_client
|
|
14
|
-
request = ::Google::Apis::CloudkmsV1::EncryptRequest.new(options)
|
|
15
|
-
response = client.encrypt_crypto_key(key_id, request)
|
|
16
14
|
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
15
|
+
if defined?(::Google::Apis::CloudkmsV1::CloudKMSService) && KmsEncrypted.google_client.is_a?(::Google::Apis::CloudkmsV1::CloudKMSService)
|
|
16
|
+
request = ::Google::Apis::CloudkmsV1::EncryptRequest.new(**options)
|
|
17
|
+
response = client.encrypt_crypto_key(key_id, request)
|
|
18
|
+
@last_key_version = response.name
|
|
19
|
+
response.ciphertext
|
|
20
|
+
else
|
|
21
|
+
options[:name] = key_id
|
|
22
|
+
response = client.encrypt(**options)
|
|
23
|
+
@last_key_version = response.name
|
|
24
|
+
response.ciphertext
|
|
25
|
+
end
|
|
20
26
|
end
|
|
21
27
|
|
|
22
28
|
def decrypt(ciphertext, context: nil)
|
|
@@ -27,12 +33,23 @@ module KmsEncrypted
|
|
|
27
33
|
|
|
28
34
|
# ensure namespace gets loaded
|
|
29
35
|
client = KmsEncrypted.google_client
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
+
|
|
37
|
+
if defined?(::Google::Apis::CloudkmsV1::CloudKMSService) && KmsEncrypted.google_client.is_a?(::Google::Apis::CloudkmsV1::CloudKMSService)
|
|
38
|
+
request = ::Google::Apis::CloudkmsV1::DecryptRequest.new(**options)
|
|
39
|
+
begin
|
|
40
|
+
client.decrypt_crypto_key(key_id, request).plaintext
|
|
41
|
+
rescue ::Google::Apis::ClientError => e
|
|
42
|
+
decryption_failed! if e.message.include?("Decryption failed")
|
|
43
|
+
raise e
|
|
44
|
+
end
|
|
45
|
+
else
|
|
46
|
+
options[:name] = key_id
|
|
47
|
+
begin
|
|
48
|
+
client.decrypt(**options).plaintext
|
|
49
|
+
rescue ::Google::Cloud::InvalidArgumentError => e
|
|
50
|
+
decryption_failed! if e.message.include?("Decryption failed")
|
|
51
|
+
raise e
|
|
52
|
+
end
|
|
36
53
|
end
|
|
37
54
|
end
|
|
38
55
|
end
|
|
@@ -30,6 +30,9 @@ module KmsEncrypted
|
|
|
30
30
|
rescue ::Vault::HTTPClientError => e
|
|
31
31
|
decryption_failed! if e.message.include?("unable to decrypt")
|
|
32
32
|
raise e
|
|
33
|
+
rescue ::Vault::HTTPServerError => e
|
|
34
|
+
decryption_failed! if e.message.include?("message authentication failed")
|
|
35
|
+
raise e
|
|
33
36
|
rescue Encoding::UndefinedConversionError
|
|
34
37
|
decryption_failed!
|
|
35
38
|
end
|
data/lib/kms_encrypted/model.rb
CHANGED
|
@@ -123,7 +123,7 @@ module KmsEncrypted
|
|
|
123
123
|
|
|
124
124
|
# attr_encrypted
|
|
125
125
|
if self.class.respond_to?(:encrypted_attributes)
|
|
126
|
-
self.class.encrypted_attributes.each do |key, v|
|
|
126
|
+
self.class.encrypted_attributes.to_a.each do |key, v|
|
|
127
127
|
if v[:key] == key_method.to_sym
|
|
128
128
|
plaintext_attributes[key] = send(key)
|
|
129
129
|
elsif v[:key].respond_to?(:call)
|
data/lib/kms_encrypted.rb
CHANGED
|
@@ -39,15 +39,24 @@ module KmsEncrypted
|
|
|
39
39
|
|
|
40
40
|
def google_client
|
|
41
41
|
@google_client ||= begin
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
42
|
+
begin
|
|
43
|
+
require "google/apis/cloudkms_v1"
|
|
44
|
+
|
|
45
|
+
client = ::Google::Apis::CloudkmsV1::CloudKMSService.new
|
|
46
|
+
client.authorization = ::Google::Auth.get_application_default(
|
|
47
|
+
"https://www.googleapis.com/auth/cloud-platform"
|
|
48
|
+
)
|
|
49
|
+
client.client_options.log_http_requests = false
|
|
50
|
+
client.client_options.open_timeout_sec = 2
|
|
51
|
+
client.client_options.read_timeout_sec = 2
|
|
52
|
+
client
|
|
53
|
+
rescue LoadError
|
|
54
|
+
require "google/cloud/kms"
|
|
55
|
+
|
|
56
|
+
Google::Cloud::Kms.key_management_service do |config|
|
|
57
|
+
config.timeout = 2
|
|
58
|
+
end
|
|
59
|
+
end
|
|
51
60
|
end
|
|
52
61
|
end
|
|
53
62
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: kms_encrypted
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Andrew Kane
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-01-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - ">="
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: '5'
|
|
19
|
+
version: '5.2'
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - ">="
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: '5'
|
|
26
|
+
version: '5.2'
|
|
27
27
|
description:
|
|
28
28
|
email: andrew@ankane.org
|
|
29
29
|
executables: []
|
|
@@ -57,14 +57,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
57
57
|
requirements:
|
|
58
58
|
- - ">="
|
|
59
59
|
- !ruby/object:Gem::Version
|
|
60
|
-
version: '2.
|
|
60
|
+
version: '2.6'
|
|
61
61
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
62
62
|
requirements:
|
|
63
63
|
- - ">="
|
|
64
64
|
- !ruby/object:Gem::Version
|
|
65
65
|
version: '0'
|
|
66
66
|
requirements: []
|
|
67
|
-
rubygems_version: 3.
|
|
67
|
+
rubygems_version: 3.3.3
|
|
68
68
|
signing_key:
|
|
69
69
|
specification_version: 4
|
|
70
70
|
summary: Simple, secure key management for Lockbox and attr_encrypted
|