kms_rails 0.0.7 → 0.0.8
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +5 -1
- data/lib/kms_rails/active_job.rb +5 -4
- data/lib/kms_rails/active_record.rb +1 -4
- data/lib/kms_rails/core.rb +9 -2
- data/lib/kms_rails/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ae0381169d042f13aa2ca831dd25119dacd0c997
|
|
4
|
+
data.tar.gz: 3712b105091faaa86de705e9b3f650ad6499e42f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c82db1ac70270f44ca500ccdf2ca6cbcc1951264acd8a1084881868fbaf5c1153b26e0a1cab3ad25bacaa0250ac16c49b50b118aa438ca6956f6d70446e671af
|
|
7
|
+
data.tar.gz: 1c7eb6c7afaa2241dde30efd65a43526ff396f00679a316ed3a31572db72dd55d3d2ce617616b69812770e5c3ed831e182c57622ec419d388ccbb9eb0a88b674
|
data/README.md
CHANGED
|
@@ -78,9 +78,13 @@ Encryption is done when the job is seralized into the data store and is stored a
|
|
|
78
78
|
|
|
79
79
|
The encryption is automatically reversed when the job is deserialized.
|
|
80
80
|
|
|
81
|
+
### Data Serialization
|
|
82
|
+
|
|
83
|
+
Like kms_attr above, by default your encrypted kms_args values are converted to and from strings. Similarly, you can set `msgpack: true` to enable msgpack serialization and deserialization for arguments instead.
|
|
84
|
+
|
|
81
85
|
### Already encrypted parameters
|
|
82
86
|
|
|
83
|
-
You also have the option of passing the value from your ActiveRecord encrypted field directly into the ActiveJob. If you do this, the value will not be encrypted twice. However, if you do this, you must ensure that the encryption key ID is the same for both the ActiveRecord attribute and ActiveJob parameter.
|
|
87
|
+
You also have the option of passing the value from your ActiveRecord encrypted field directly into the ActiveJob. If you do this, the value will not be encrypted twice. However, if you do this, you must ensure that the encryption key ID is the same for both the ActiveRecord attribute and ActiveJob parameter. It is also wise to use the same `msgpack: ` configuration options for both instances to ensure it is correctly decoded.
|
|
84
88
|
|
|
85
89
|
For instance, if you want to enqueue an encrypted value into a job on a node that cannot decrypt that value, you could do something like this;
|
|
86
90
|
|
data/lib/kms_rails/active_job.rb
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
require 'msgpack'
|
|
1
2
|
require 'active_job'
|
|
2
3
|
require 'kms_rails/core'
|
|
3
4
|
|
|
@@ -10,12 +11,12 @@ module KmsRails
|
|
|
10
11
|
end
|
|
11
12
|
|
|
12
13
|
module ClassMethods
|
|
13
|
-
def kms_arg(field_number, key_id:, context_key: nil, context_value: nil)
|
|
14
|
-
kms_args([field_number], key_id: key_id, context_key: context_key, context_value: context_value)
|
|
14
|
+
def kms_arg(field_number, key_id:, msgpack: false, context_key: nil, context_value: nil)
|
|
15
|
+
kms_args([field_number], key_id: key_id, msgpack: msgpack, context_key: context_key, context_value: context_value)
|
|
15
16
|
end
|
|
16
17
|
|
|
17
|
-
def kms_args(field_numbers, key_id:, context_key: nil, context_value: nil)
|
|
18
|
-
enc = Core.new(key_id: key_id, context_key: context_key, context_value: context_value)
|
|
18
|
+
def kms_args(field_numbers, key_id:, msgpack: false, context_key: nil, context_value: nil)
|
|
19
|
+
enc = Core.new(key_id: key_id, context_key: context_key, msgpack: msgpack, context_value: context_value)
|
|
19
20
|
|
|
20
21
|
define_method 'serialize_arguments' do |args|
|
|
21
22
|
args = args.dup
|
|
@@ -17,7 +17,7 @@ module KmsRails
|
|
|
17
17
|
raise RuntimeError, "Field '#{real_field}' must exist to store encrypted data" unless self.column_names.include?(real_field)
|
|
18
18
|
raise RuntimeError, "Field '#{field}' must not be a real column, '#{real_field}' is the real column" if self.column_names.include?(field)
|
|
19
19
|
|
|
20
|
-
enc = Core.new(key_id: key_id, context_key: context_key, context_value: context_value)
|
|
20
|
+
enc = Core.new(key_id: key_id, msgpack: msgpack, context_key: context_key, context_value: context_value)
|
|
21
21
|
|
|
22
22
|
define_method "#{field}=" do |data|
|
|
23
23
|
if data.nil? # Just set to nil if nil
|
|
@@ -27,8 +27,6 @@ module KmsRails
|
|
|
27
27
|
end
|
|
28
28
|
|
|
29
29
|
set_retained(field, data) if retain
|
|
30
|
-
data = data.to_msgpack if msgpack
|
|
31
|
-
|
|
32
30
|
encrypted_data = enc.encrypt(data)
|
|
33
31
|
data = nil
|
|
34
32
|
|
|
@@ -47,7 +45,6 @@ module KmsRails
|
|
|
47
45
|
plaintext
|
|
48
46
|
else
|
|
49
47
|
plaintext = enc.decrypt(hash)
|
|
50
|
-
plaintext = MessagePack.unpack(plaintext) if msgpack
|
|
51
48
|
set_retained(field, plaintext) if retain
|
|
52
49
|
plaintext
|
|
53
50
|
end
|
data/lib/kms_rails/core.rb
CHANGED
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
require 'base64'
|
|
2
2
|
require 'openssl'
|
|
3
|
+
require 'msgpack'
|
|
3
4
|
require 'aws-sdk'
|
|
4
5
|
require 'kms_rails/configuration'
|
|
5
6
|
|
|
@@ -7,16 +8,18 @@ module KmsRails
|
|
|
7
8
|
class Core
|
|
8
9
|
attr_reader :context_key, :context_value
|
|
9
10
|
|
|
10
|
-
def initialize(key_id:, context_key: nil, context_value: nil)
|
|
11
|
+
def initialize(key_id:, msgpack: false, context_key: nil, context_value: nil)
|
|
11
12
|
@base_key_id = key_id
|
|
12
13
|
@context_key = context_key
|
|
13
14
|
@context_value = context_value
|
|
15
|
+
@msgpack = msgpack
|
|
14
16
|
end
|
|
15
17
|
|
|
16
18
|
def encrypt(data)
|
|
17
19
|
return nil if data.nil?
|
|
18
20
|
|
|
19
21
|
data_key = aws_generate_data_key(key_id)
|
|
22
|
+
data = data.to_msgpack if @msgpack
|
|
20
23
|
encrypted = encrypt_attr(data, data_key.plaintext)
|
|
21
24
|
|
|
22
25
|
self.class.shred_string(data_key.plaintext)
|
|
@@ -36,11 +39,15 @@ module KmsRails
|
|
|
36
39
|
|
|
37
40
|
def decrypt(data_obj)
|
|
38
41
|
return nil if data_obj.nil?
|
|
39
|
-
|
|
42
|
+
|
|
43
|
+
decrypted = decrypt_attr(
|
|
40
44
|
data_obj['blob'],
|
|
41
45
|
aws_decrypt_key(data_obj['key']),
|
|
42
46
|
data_obj['iv']
|
|
43
47
|
)
|
|
48
|
+
|
|
49
|
+
decrypted = MessagePack.unpack(decrypted) if @msgpack
|
|
50
|
+
decrypted
|
|
44
51
|
end
|
|
45
52
|
|
|
46
53
|
def decrypt64(data_obj)
|
data/lib/kms_rails/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: kms_rails
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.8
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ash Tyndall
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: exe
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2016-12-
|
|
12
|
+
date: 2016-12-22 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: activerecord
|