kms_encrypted 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 48601fd1b07d25fafe4a14a508511bd3237ef486
-  data.tar.gz: 74add3ece85f95c4e1a2b5483b772c2075def8c4
+  metadata.gz: 1e8f9ae8d4c6e01a94c6daa2ae422b57ce4bcec1
+  data.tar.gz: fe2ad3ac82398c643ae60c5a88830c6108864c1c
 SHA512:
-  metadata.gz: 1461f4cbdd77bb98eba915832ee402d1467f8ed5b3578295010ece703864da16418cc7925f78fc64ffc6ed1176e34c07cc5912556fea8b2f6726b872b669e56b
-  data.tar.gz: 6268c77a1f065ce79ebf1a2cf954a7d36265d96135b54be8aeabec96d5b72828b8929f69dcc2778bbee3eda8247f1735747af22ed6a814fdf2428fa5d5510673
+  metadata.gz: aee2523daea0e3cc176606d845d94ed98ba8ca8a2a51beb90227c638e7d0f84e888639846d78585d446f5dae7371b41c5e98b603b50330423232c0e1e5fe1976
+  data.tar.gz: 841ec21de2384e5d062c6e3f69d3f4a12cabe8cb99f21f169d1bbb931191f21f9b42964dbb1d8f98015b349df931e41dfc0dcf958fc3cb736913918478de429b

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 0.1.4
+
+- Added `kms_keys` method to models
+- Reset data keys when record is reloaded
+- Added `kms_client`
+- Added ActiveSupport notifications
+
 ## 0.1.3
 
 - Added test key

data/README.md

@@ -37,7 +37,7 @@ add_column :users, :encrypted_email_iv, :text
 add_column :users, :encrypted_kms_key, :text
 ```
 
-Create an [Amazon Web Services](https://aws.amazon.com/) account if you don’t have one. KMS works great whether or not you use other AWS services.
+Create an [Amazon Web Services](https://aws.amazon.com/) account if you don’t have one. KMS works great whether or not you run your infrastructure on AWS.
 
 Create a [KMS master key](https://console.aws.amazon.com/iam/home#/encryptionKeys) and set it in your environment ([dotenv](https://github.com/bkeepers/dotenv) is great for this)
 
@@ -203,10 +203,12 @@ To encrypt the data, use a policy with:
 }
 ```
 
-If a system can only encrypt, you must clear out existing data keys before updates.
+If a system can only encrypt, you must clear out existing data and data keys before updates.
 
 ```ruby
-user.encrypted_kms_key = nil # before user.save
+user.encrypted_email = nil
+user.encrypted_kms_key = nil
+# before user.save or user.update
 ```
 
 To decrypt the data, use a policy with:

data/lib/kms_encrypted/log_subscriber.rb

@@ -0,0 +1,17 @@
+module KmsEncrypted
+  class LogSubscriber < ActiveSupport::LogSubscriber
+    def decrypt_data_key(event)
+      return unless logger.debug?
+
+      name = "Decrypt Data Key (#{event.duration.round(1)}ms)"
+      debug "  #{color(name, YELLOW, true)}  Context: #{event.payload[:context].inspect}"
+    end
+
+    def generate_data_key(event)
+      return unless logger.debug?
+
+      name = "Generate Data Key (#{event.duration.round(1)}ms)"
+      debug "  #{color(name, YELLOW, true)}  Context: #{event.payload[:context].inspect}"
+    end
+  end
+end

data/lib/kms_encrypted/model.rb

@@ -0,0 +1,114 @@
+module KmsEncrypted
+  module Model
+    def has_kms_key(legacy_key_id = nil, name: nil, key_id: nil)
+      key_id ||= legacy_key_id || ENV["KMS_KEY_ID"]
+
+      key_method = name ? "kms_key_#{name}" : "kms_key"
+
+      class_eval do
+        class << self
+          def kms_keys
+            @kms_keys ||= {}
+          end unless respond_to?(:kms_keys)
+        end
+        kms_keys[key_method.to_sym] = {key_id: key_id}
+
+        # same pattern as attr_encrypted reload
+        if method_defined?(:reload) && kms_keys.size == 1
+          alias_method :reload_without_kms_encrypted, :reload
+          def reload(*args, &block)
+            result = reload_without_kms_encrypted(*args, &block)
+            self.class.kms_keys.keys.each do |key_method|
+              instance_variable_set("@#{key_method}", nil)
+            end
+            result
+          end
+        end
+
+        define_method(key_method) do
+          raise ArgumentError, "Missing key id" unless key_id
+
+          instance_var = "@#{key_method}"
+
+          unless instance_variable_get(instance_var)
+            key_column = "encrypted_#{key_method}"
+            context_method = name ? "kms_encryption_context_#{name}" : "kms_encryption_context"
+            context = respond_to?(context_method, true) ? send(context_method) : {}
+            default_encoding = "m"
+
+            unless send(key_column)
+              plaintext_key = nil
+              encrypted_key = nil
+
+              event = {
+                key_id: key_id,
+                context: context
+              }
+              ActiveSupport::Notifications.instrument("generate_data_key.kms_encrypted", event) do
+                if key_id == "insecure-test-key"
+                  encrypted_key = "insecure-data-key-#{rand(1_000_000_000_000)}"
+                  plaintext_key = "00000000000000000000000000000000"
+                else
+                  resp = KmsEncrypted.kms_client.generate_data_key(
+                    key_id: key_id,
+                    encryption_context: context,
+                    key_spec: "AES_256"
+                  )
+                  encrypted_key = [resp.ciphertext_blob].pack(default_encoding)
+                  plaintext_key = resp.plaintext
+                end
+              end
+
+              instance_variable_set(instance_var, plaintext_key)
+              self.send("#{key_column}=", encrypted_key)
+            end
+
+            unless instance_variable_get(instance_var)
+              encrypted_key = send(key_column)
+              plaintext_key = nil
+
+              event = {
+                key_id: key_id,
+                context: context
+              }
+              ActiveSupport::Notifications.instrument("decrypt_data_key.kms_encrypted", event) do
+                if key_id == "insecure-test-key"
+                  plaintext_key = "00000000000000000000000000000000"
+                else
+                  plaintext_key = KmsEncrypted.kms_client.decrypt(
+                    ciphertext_blob: encrypted_key.unpack(default_encoding).first,
+                    encryption_context: context
+                  ).plaintext
+                end
+              end
+
+              instance_variable_set(instance_var, plaintext_key)
+            end
+          end
+
+          instance_variable_get(instance_var)
+        end
+
+        define_method("rotate_#{key_method}!") do
+          # decrypt
+          plaintext_attributes = {}
+          self.class.encrypted_attributes.select { |_, v| v[:key] == key_method.to_sym }.keys.each do |key|
+            plaintext_attributes[key] = send(key)
+          end
+
+          # reset key
+          instance_variable_set("@#{key_method}", nil)
+          send("encrypted_#{key_method}=", nil)
+
+          # encrypt again
+          plaintext_attributes.each do |attr, value|
+            send("#{attr}=", value)
+          end
+
+          # update atomically
+          save!
+        end
+      end
+    end
+  end
+end

data/lib/kms_encrypted/version.rb

@@ -1,3 +1,3 @@
 module KmsEncrypted
-  VERSION = "0.1.3"
+  VERSION = "0.1.4"
 end

data/lib/kms_encrypted.rb

@@ -1,91 +1,41 @@
-require "kms_encrypted/version"
+# dependencies
 require "active_support"
 require "aws-sdk-kms"
 
+# modules
+require "kms_encrypted/log_subscriber"
+require "kms_encrypted/model"
+require "kms_encrypted/version"
+
 module KmsEncrypted
   class << self
-    attr_accessor :client_options
+    attr_writer :kms_client
+
+    def kms_client
+      @kms_client ||= Aws::KMS::Client.new(client_options)
+    end
+    alias_method :kms, :kms_client
+
+    # deprecated, use kms_client instead
+    attr_reader :client_options
+
+    # deprecated, use kms_client instead
+    def client_options=(value)
+      @client_options = value
+      @kms_client = nil
+    end
   end
+
+  # deprecated, use kms_client instead
   self.client_options = {
     retry_limit: 2,
     http_open_timeout: 2,
     http_read_timeout: 2
   }
-
-  def self.kms
-    @kms ||= Aws::KMS::Client.new(client_options)
-  end
-
-  module Model
-    def has_kms_key(legacy_key_id = nil, name: nil, key_id: nil)
-      key_id ||= legacy_key_id || ENV["KMS_KEY_ID"]
-
-      key_method = name ? "kms_key_#{name}" : "kms_key"
-
-      class_eval do
-        define_method(key_method) do
-          raise ArgumentError, "Missing key id" unless key_id
-
-          instance_var = "@#{key_method}"
-
-          unless instance_variable_get(instance_var)
-            if key_id == "insecure-test-key"
-              instance_variable_set(instance_var, "00000000000000000000000000000000")
-            else
-              key_column = "encrypted_#{key_method}"
-              context_method = name ? "kms_encryption_context_#{name}" : "kms_encryption_context"
-              context = respond_to?(context_method, true) ? send(context_method) : {}
-              default_encoding = "m"
-
-              unless send(key_column)
-                resp = KmsEncrypted.kms.generate_data_key(
-                  key_id: key_id,
-                  encryption_context: context,
-                  key_spec: "AES_256"
-                )
-                ciphertext = resp.ciphertext_blob
-                instance_variable_set(instance_var, resp.plaintext)
-                self.send("#{key_column}=", [resp.ciphertext_blob].pack(default_encoding))
-              end
-
-              unless instance_variable_get(instance_var)
-                ciphertext = send(key_column).unpack(default_encoding).first
-                resp = KmsEncrypted.kms.decrypt(
-                  ciphertext_blob: ciphertext,
-                  encryption_context: context
-                )
-                instance_variable_set(instance_var, resp.plaintext)
-              end
-            end
-          end
-
-          instance_variable_get(instance_var)
-        end
-
-        define_method("rotate_#{key_method}!") do
-          # decrypt
-          plaintext_attributes = {}
-          self.class.encrypted_attributes.select { |_, v| v[:key] == key_method.to_sym }.keys.each do |key|
-            plaintext_attributes[key] = send(key)
-          end
-
-          # reset key
-          instance_variable_set("@#{key_method}", nil)
-          send("encrypted_#{key_method}=", nil)
-
-          # encrypt again
-          plaintext_attributes.each do |attr, value|
-            send("#{attr}=", value)
-          end
-
-          # update atomically
-          save!
-        end
-      end
-    end
-  end
 end
 
 ActiveSupport.on_load(:active_record) do
   extend KmsEncrypted::Model
 end
+
+KmsEncrypted::LogSubscriber.attach_to :kms_encrypted

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kms_encrypted
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - Andrew Kane
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-12-02 00:00:00.000000000 Z
+date: 2017-12-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-kms
@@ -137,6 +137,8 @@ files:
 - Rakefile
 - kms_encrypted.gemspec
 - lib/kms_encrypted.rb
+- lib/kms_encrypted/log_subscriber.rb
+- lib/kms_encrypted/model.rb
 - lib/kms_encrypted/version.rb
 homepage: https://github.com/ankane/kms_encrypted
 licenses: []