kms_rails 0.0.2 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b602331795e9377a4577ae33690327a6b0a3b546
-  data.tar.gz: e2a58ec4c0807ac4728ce504a8d2492e69061012
+  metadata.gz: 694a99855a3a64a2d64d52297d4c1e49e7413838
+  data.tar.gz: 9bfa2bd4692f9279c547eabb840d2ac8a6729f24
 SHA512:
-  metadata.gz: 8fc6ecc47f154b1e20ee6d39c34e55520885826412c209623889f53cd7503a45978015ed8a4564c84a595750b305d5aec36c53f75ae65205dd9d5342375a07fd
-  data.tar.gz: 36050027f42c27c57266073607a40b2e9455709ea7c57ba868daf785960342cd78f4885cf1ad0ef58cddcd4edad414a972b4c1632df2a1e07b9357c12f162d0c
+  metadata.gz: cac9396f4b113594de45748b63f18e7142dbffd628d5374b22f93d565ba15de9cf05c3ef32d743db423fff3231b5845001480b420d73a4817451a1f853594a81
+  data.tar.gz: 2c5239e05de81a8a5dd27cf778cc6e5df2f1e31b844e501a52cbb025788053c0a1082bfa455963357cf92602b2755e13d9189fb262297371f664246436335962

data/README.md

@@ -75,14 +75,11 @@ Encryption is done when the job is seralized into the data store and is stored a
 The encryption is automatically reversed when the job is deserialized.
 
 ##Additional Options
-You can add encryption contexts as strings, method calls, or procs to kms_attr and kms_arg/args. Default is none.
+You can add encryption contexts as strings or procs to kms_attr and kms_arg/args. Default is none.
 ```ruby
 kms_attr :my_attribute, key_id: 'my-aws-kms-key-id',
   context_key: 'my context key', context_value: 'my context value'
 
-kms_attr :my_attribute, key_id: 'my-aws-kms-key-id',
-  context_key: :model_method_context_key, context_value: :model_method_context_value
-
 kms_attr :my_attribute, key_id: 'my-aws-kms-key-id',
   context_key: Proc.new { }, context_value: Proc.new { }
 ```
@@ -108,6 +105,22 @@ KmsRails.configure do |config|
 end
 ```
 
+## Alias prefixes
+
+You can use the `alias_prefix` configuration option to automatically add a prefix to the key_ids that you specify. For example;
+
+```ruby
+KmsRails.configure do |config|
+  config.alias_prefix = Rails.env + '/'
+end
+
+kms_attr :my_attribute, key_id: 'my-key-alias'
+```
+
+Will resolve 'my-key-alias' to 'alias/production/my-key-alias' in the production environment, and 'alias/staging/my-key-alias' in staging.
+
+Directly specifying a key_id as a UUID or with the `alias/` prefix explicitly declared will prevent this behaviour from occurring.
+
 ## Other stuff
 
 ### Notes

data/lib/kms_rails/active_record.rb

@@ -42,7 +42,7 @@ module KmsRails
           hash = get_hash(field)
           return nil unless hash
 
-          if retain && plaintext = get_retained(field)
+          if retain && (plaintext = get_retained(field))
             plaintext
           else
             plaintext = enc.decrypt(hash)

data/lib/kms_rails/configuration.rb

@@ -8,11 +8,16 @@ module KmsRails
     yield(configuration)
   end
 
+  def self.reset_config
+    self.configuration = Configuration.new
+  end
+
   class Configuration
-    attr_accessor :fake_kms_api
+    attr_accessor :fake_kms_api, :alias_prefix
 
     def initialize
       @fake_kms_api = false
+      @alias_prefix = ''
     end
   end
 end

data/lib/kms_rails/core.rb

@@ -5,8 +5,10 @@ require 'kms_rails/configuration'
 
 module KmsRails
   class Core
+    attr_reader :context_key, :context_value
+
     def initialize(key_id:, context_key: nil, context_value: nil)
-      @key_id = set_key_id(key_id)
+      @base_key_id = key_id
       @context_key = context_key
       @context_value = context_value
     end
@@ -14,7 +16,7 @@ module KmsRails
     def encrypt(data)
       return nil if data.nil?
 
-      data_key = aws_generate_data_key(@key_id)
+      data_key = aws_generate_data_key(key_id)
       encrypted = encrypt_attr(data, data_key.plaintext)
 
       self.class.shred_string(data_key.plaintext)
@@ -43,6 +45,21 @@ module KmsRails
       decrypt( data_obj.map { |k,v| [k, Base64.strict_decode64(v)] }.to_h )
     end
 
+    def key_id
+      case @base_key_id
+      when Proc
+        @base_key_id.call
+      when String
+        if @base_key_id =~ /\A\w{8}-\w{4}-\w{4}-\w{4}-\w{12}\z/ || @base_key_id.start_with?('alias/') # if UUID or direct alias
+          @base_key_id 
+        else
+          'alias/' + KmsRails.configuration.alias_prefix + @base_key_id
+        end
+      else
+        raise RuntimeError, 'Only Proc and String arguments are supported'
+      end
+    end
+
     def self.shred_string(str)
       str.force_encoding('BINARY')
       str.tr!("\0-\xff".b, "\0".b)
@@ -60,14 +77,6 @@ module KmsRails
           value = value.call
         end
 
-        if key.is_a?(Symbol)
-          key = self.send(key)
-        end
-
-        if value.is_a?(Symbol)
-          value = self.send(value)
-        end
-
         if key.is_a?(String) && value.is_a?(String)
           args[:encryption_context] = {key => value}
         end
@@ -75,20 +84,6 @@ module KmsRails
       args
     end
 
-    def set_key_id(key_id)
-      if key_id.is_a?(Proc)
-        key_id = key_id.call
-      end
-
-      if key_id.is_a?(Symbol)
-        key_id = self.send(key_id)
-      end
-
-      if key_id.is_a?(String)
-        return key_id
-      end
-    end
-
     def decrypt_attr(data, key, iv)
       decipher = OpenSSL::Cipher.new('AES-256-CBC')
       decipher.decrypt

data/lib/kms_rails/version.rb

@@ -1,3 +1,3 @@
 module KmsRails
-  VERSION = "0.0.2"
+  VERSION = "0.0.3"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kms_rails
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.3
 platform: ruby
 authors:
 - Ash Tyndall
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-11-29 00:00:00.000000000 Z
+date: 2016-12-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord