kms_encrypted 1.3.0 → 1.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -0
- data/LICENSE.txt +1 -1
- data/README.md +10 -12
- data/lib/kms_encrypted/clients/vault.rb +1 -1
- data/lib/kms_encrypted/model.rb +8 -2
- data/lib/kms_encrypted/version.rb +1 -1
- data/lib/kms_encrypted.rb +11 -11
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c5e9d54c273ae3e76a7a1f7a531b72b06caf5e00379f38e0d163e26199a06e88
|
|
4
|
+
data.tar.gz: d52dfddfa8a212558a03a7471256f6eb9548f9d4f38c9cad94f4a3f9b83c8273
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 44ed5968f5922182764a922e8c915850e720b9909959ff0194c0f0451bb544986ea278b21380da539b30b203d8779304e01c8d4b04f407e67e623999c8456b1e
|
|
7
|
+
data.tar.gz: 4cf8569a4bae315bf269ae16dfb145cb5bf90f8680eeab7b886be9e486281e09b6426529d7254da93e0adb0060eee4be9f8674bc15ba0730105d20c4c1cc7423
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,12 @@
|
|
|
1
|
+
## 1.5.0 (2023-04-09)
|
|
2
|
+
|
|
3
|
+
- Added support for attr_encrypted 4
|
|
4
|
+
- Dropped support for Ruby < 3 and Rails < 6
|
|
5
|
+
|
|
6
|
+
## 1.4.0 (2022-01-10)
|
|
7
|
+
|
|
8
|
+
- Dropped support for Ruby < 2.6 and Rails < 5.2
|
|
9
|
+
|
|
1
10
|
## 1.3.0 (2021-10-10)
|
|
2
11
|
|
|
3
12
|
- Added support for `google-cloud-kms` gem
|
data/LICENSE.txt
CHANGED
data/README.md
CHANGED
|
@@ -29,7 +29,7 @@ To decrypt an attribute, we first decrypt the data key with the KMS. Once we hav
|
|
|
29
29
|
Add this line to your application’s Gemfile:
|
|
30
30
|
|
|
31
31
|
```ruby
|
|
32
|
-
gem
|
|
32
|
+
gem "kms_encrypted"
|
|
33
33
|
```
|
|
34
34
|
|
|
35
35
|
And follow the instructions for your key management service:
|
|
@@ -43,7 +43,7 @@ And follow the instructions for your key management service:
|
|
|
43
43
|
Add this line to your application’s Gemfile:
|
|
44
44
|
|
|
45
45
|
```ruby
|
|
46
|
-
gem
|
|
46
|
+
gem "aws-sdk-kms"
|
|
47
47
|
```
|
|
48
48
|
|
|
49
49
|
Create an [Amazon Web Services](https://aws.amazon.com/) account if you don’t have one. KMS works great whether or not you run your infrastructure on AWS.
|
|
@@ -67,7 +67,7 @@ KMS_KEY_ID=alias/my-alias
|
|
|
67
67
|
Add this line to your application’s Gemfile:
|
|
68
68
|
|
|
69
69
|
```ruby
|
|
70
|
-
gem
|
|
70
|
+
gem "google-cloud-kms"
|
|
71
71
|
```
|
|
72
72
|
|
|
73
73
|
Create a [Google Cloud Platform](https://cloud.google.com/) account if you don’t have one. KMS works great whether or not you run your infrastructure on GCP.
|
|
@@ -83,7 +83,7 @@ KMS_KEY_ID=projects/my-project/locations/global/keyRings/my-key-ring/cryptoKeys/
|
|
|
83
83
|
Add this line to your application’s Gemfile:
|
|
84
84
|
|
|
85
85
|
```ruby
|
|
86
|
-
gem
|
|
86
|
+
gem "vault"
|
|
87
87
|
```
|
|
88
88
|
|
|
89
89
|
Enable the [transit](https://www.vaultproject.io/docs/secrets/transit/index.html) secrets engine
|
|
@@ -121,7 +121,7 @@ class User < ApplicationRecord
|
|
|
121
121
|
has_kms_key
|
|
122
122
|
|
|
123
123
|
# Lockbox fields
|
|
124
|
-
|
|
124
|
+
has_encrypted :email, key: :kms_key
|
|
125
125
|
|
|
126
126
|
# Lockbox files
|
|
127
127
|
encrypts_attached :license, key: :kms_key
|
|
@@ -339,11 +339,9 @@ KmsEncrypted.key_id = Rails.env.test? ? "insecure-test-key" : ENV["KMS_KEY_ID"]
|
|
|
339
339
|
|
|
340
340
|
Key management services allow you to rotate the master key without any code changes.
|
|
341
341
|
|
|
342
|
-
AWS KMS
|
|
343
|
-
|
|
344
|
-
For
|
|
345
|
-
|
|
346
|
-
For Vault, use:
|
|
342
|
+
- For AWS KMS, you can use [automatic key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
|
|
343
|
+
- For Google Cloud, use the Google Cloud Console or API
|
|
344
|
+
- For Vault, use:
|
|
347
345
|
|
|
348
346
|
```sh
|
|
349
347
|
vault write -f transit/keys/my-key/rotate
|
|
@@ -431,8 +429,8 @@ class User < ApplicationRecord
|
|
|
431
429
|
has_kms_key name: :phone, key_id: "..."
|
|
432
430
|
|
|
433
431
|
# Lockbox
|
|
434
|
-
|
|
435
|
-
|
|
432
|
+
has_encrypted :email, key: :kms_key
|
|
433
|
+
has_encrypted :phone, key: :kms_key_phone
|
|
436
434
|
|
|
437
435
|
# attr_encrypted
|
|
438
436
|
attr_encrypted :email, key: :kms_key
|
|
@@ -28,7 +28,7 @@ module KmsEncrypted
|
|
|
28
28
|
options
|
|
29
29
|
)
|
|
30
30
|
rescue ::Vault::HTTPClientError => e
|
|
31
|
-
decryption_failed! if e.message.include?("unable to decrypt")
|
|
31
|
+
decryption_failed! if e.message.include?("unable to decrypt") || e.message.include?("message authentication failed")
|
|
32
32
|
raise e
|
|
33
33
|
rescue ::Vault::HTTPServerError => e
|
|
34
34
|
decryption_failed! if e.message.include?("message authentication failed")
|
data/lib/kms_encrypted/model.rb
CHANGED
|
@@ -122,8 +122,14 @@ module KmsEncrypted
|
|
|
122
122
|
plaintext_attributes = {}
|
|
123
123
|
|
|
124
124
|
# attr_encrypted
|
|
125
|
-
|
|
126
|
-
|
|
125
|
+
encrypted_attributes_method =
|
|
126
|
+
if defined?(AttrEncrypted::Version::MAJOR) && AttrEncrypted::Version::MAJOR >= 4
|
|
127
|
+
:attr_encrypted_encrypted_attributes
|
|
128
|
+
else
|
|
129
|
+
:encrypted_attributes
|
|
130
|
+
end
|
|
131
|
+
if self.class.respond_to?(encrypted_attributes_method)
|
|
132
|
+
self.class.send(encrypted_attributes_method).to_a.each do |key, v|
|
|
127
133
|
if v[:key] == key_method.to_sym
|
|
128
134
|
plaintext_attributes[key] = send(key)
|
|
129
135
|
elsif v[:key].respond_to?(:call)
|
data/lib/kms_encrypted.rb
CHANGED
|
@@ -5,19 +5,19 @@ require "json"
|
|
|
5
5
|
require "securerandom"
|
|
6
6
|
|
|
7
7
|
# modules
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
8
|
+
require_relative "kms_encrypted/box"
|
|
9
|
+
require_relative "kms_encrypted/database"
|
|
10
|
+
require_relative "kms_encrypted/log_subscriber"
|
|
11
|
+
require_relative "kms_encrypted/model"
|
|
12
|
+
require_relative "kms_encrypted/version"
|
|
13
13
|
|
|
14
14
|
# clients
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
15
|
+
require_relative "kms_encrypted/client"
|
|
16
|
+
require_relative "kms_encrypted/clients/base"
|
|
17
|
+
require_relative "kms_encrypted/clients/aws"
|
|
18
|
+
require_relative "kms_encrypted/clients/google"
|
|
19
|
+
require_relative "kms_encrypted/clients/test"
|
|
20
|
+
require_relative "kms_encrypted/clients/vault"
|
|
21
21
|
|
|
22
22
|
module KmsEncrypted
|
|
23
23
|
class Error < StandardError; end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: kms_encrypted
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Andrew Kane
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-04-09 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - ">="
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: '
|
|
19
|
+
version: '6'
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - ">="
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: '
|
|
26
|
+
version: '6'
|
|
27
27
|
description:
|
|
28
28
|
email: andrew@ankane.org
|
|
29
29
|
executables: []
|
|
@@ -57,14 +57,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
57
57
|
requirements:
|
|
58
58
|
- - ">="
|
|
59
59
|
- !ruby/object:Gem::Version
|
|
60
|
-
version: '
|
|
60
|
+
version: '3'
|
|
61
61
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
62
62
|
requirements:
|
|
63
63
|
- - ">="
|
|
64
64
|
- !ruby/object:Gem::Version
|
|
65
65
|
version: '0'
|
|
66
66
|
requirements: []
|
|
67
|
-
rubygems_version: 3.
|
|
67
|
+
rubygems_version: 3.4.10
|
|
68
68
|
signing_key:
|
|
69
69
|
specification_version: 4
|
|
70
70
|
summary: Simple, secure key management for Lockbox and attr_encrypted
|