kms_rails 0.0.9 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: c32a6946896948a35897141c29535c1138a5a788
-  data.tar.gz: 72b96ea275fc245e92b9a0ad2c18bb332e669689
+SHA256:
+  metadata.gz: 14388d5d9417cf639e4e2f0eea57d9a9f55dc5f6a4b6dcbf897444b07656ee83
+  data.tar.gz: 7d478fc20e396a995d8abc6affeb160b981eb397e4a5ec52e454323d961919c3
 SHA512:
-  metadata.gz: f6708eb1f9ef4d19312eee938c41367d55d1e6cc5239dcac3912f696166c6d4c4e08fcfe374fabe47b41623965692b49755479fd5c06dc2114a3322e2d8de889
-  data.tar.gz: 8632b1a8e2d59e4b62768a823a409eb2cfff9914fadc8013fa078009c30c17e34b3b9551da1a2c6d90d2ac8275149526e1f858fd044bc7e7b95fbee858888c08
+  metadata.gz: f3744365abe582e7b0420a692f3f893a14c461c51cdf61e779df2cdf4f5e37902e3c3d44fbd1a68d22d60edb4e1a67a6c600a77fd2541a0f3b6769e36eb45e93
+  data.tar.gz: 7b5b2038b49bcffdb35bfc9c600c06bde9de2ca83ca44438d2f60f7c353059225ba15a6e5f9d01af2e80b6704c7af173d2a3c5830799712a5f54a987c15eb25e

data/.travis.yml

@@ -1,17 +1,18 @@
+env:
+  global:
+    - CC_TEST_REPORTER_ID=156fab7dad33afa6dd4b24ab5721a01e5bbb41c3f07c380195695102b7363e0a
+
 language: ruby
 rvm:
-  - 2.1
-  - 2.2
-  - 2.3
-  - 2.4
   - 2.5
-  
-addons:
-  code_climate:
-    repo_token: 156fab7dad33afa6dd4b24ab5721a01e5bbb41c3f07c380195695102b7363e0a
+  - 2.6
+  - 2.7
 
-script: bundle exec rspec spec
-before_install:
- - gem update bundler
-after_success:
-  - bundle exec codeclimate-test-reporter
+before_script:
+  - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
+  - chmod +x ./cc-test-reporter
+  - ./cc-test-reporter before-build
+script:
+  - bundle exec rspec spec
+after_script:
+  - ./cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT

data/README.md

@@ -117,7 +117,7 @@ or by using the documented AWS environmental variables.
 
 ## Test Mode
 
-A basic fake implementation of `Aws::KMS::Client` has been written, allowing kms_rails functionality to be used in test environments without making any web requests. The fake implementation emulates the functionality of the two API calls kms_rails issues to AWS and performs fake encryption (the key is 'encrypted' by reversing it). At this time, the fake implementation does not support contexts.
+A basic fake implementation of `Aws::KMS::Client` has been written, allowing kms_rails functionality to be used in test environments without making any web requests. The fake implementation emulates the functionality of the two API calls kms_rails issues to AWS and performs fake encryption (the key is 'encrypted' by reversing it).
 
 You can enable it in your Rails initializers with the following
 ```ruby
@@ -142,10 +142,28 @@ Will resolve 'my-key-alias' to 'alias/production/my-key-alias' in the production
 
 Directly specifying a key_id as a UUID or with the `alias/` prefix explicitly declared will prevent this behaviour from occurring.
 
+## ARN prefixes
+
+You can use the `arn_prefix` configuration option to specify that the keys you're referencing are located in a different AWS account or region than the default. For example;
+
+```ruby
+KmsRails.configure do |config|
+  config.arn_prefix = 'arn:aws:kms:ap-southeast-1:11111111111:'
+end
+
+kms_attr :my_attribute, key_id: 'my-key-alias'
+```
+
+Will resolve 'my-key-alias' to 'arn:aws:kms:ap-southeast-1:11111111111:alias/my-key-alias', which may be a key in a different region or AWS account.
+
+This works for aliases and UUID keys, but Proc based key_ids will not have the ARN prefixed.
+
+You can use this in combination with alias prefixes. A prefix like 'foo/' would result in a final key of 'arn:aws:kms:ap-southeast-1:11111111111:alias/foo/my-key-alias'.
+
 ## Other stuff
 
 ### Notes
-This gem has been developed against Ruby 2.3.1, Rails 4.2, and AWS SDK v2. Credit where credit is due, strongbox by spikex was used as an inspiration and guide when creating this. https://github.com/spikex/strongbox
+This gem has been developed against Ruby 2.3.1, Rails 4.2, and AWS SDK v3. Credit where credit is due, strongbox by spikex was used as an inspiration and guide when creating this. https://github.com/spikex/strongbox
 
 ### Disclaimer
 No claims are made about enhanced security when using this gem.

data/kms_rails.gemspec

@@ -4,35 +4,34 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'kms_rails/version'
 
 Gem::Specification.new do |spec|
-  spec.name          = "kms_rails"
+  spec.name          = 'kms_rails'
   spec.version       = KmsRails::VERSION
-  spec.authors       = ["Ash Tyndall", "Justin Ouellette"]
-  spec.email         = ["ash@appbot.co"]
+  spec.authors       = ['Ash Tyndall', 'Justin Ouellette']
+  spec.email         = ['ash@appbot.co']
 
   spec.summary       = %q{AWS KMS encryption for ActiveRecord & ActiveJob.}
   spec.description   = %q{Quickly add KMS encryption and decryption to your ActiveRecord model attributes and ActiveJob parameters. Improves upon kms_attrs with ActiveJob support, more efficient binary serialization and a test suite.}
-  spec.homepage      = "https://github.com/appbot/kms_rails"
-  spec.license       = "GPLv3"
+  spec.homepage      = 'https://github.com/appbot/kms_rails'
+  spec.license       = 'GPLv3'
 
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
-  spec.bindir        = "exe"
+  spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
-  spec.require_paths = ["lib"]
-  spec.required_ruby_version = '>= 2.1'
+  spec.require_paths = ['lib']
+  spec.required_ruby_version = '>= 2.5'
 
-  spec.add_runtime_dependency "activerecord", ">= 4"
-  spec.add_runtime_dependency "activejob", ">= 4"
-  spec.add_runtime_dependency "aws-sdk", "~> 2"
-  spec.add_runtime_dependency "msgpack"
+  spec.add_runtime_dependency 'activerecord', '>= 4'
+  spec.add_runtime_dependency 'activejob', '>= 4'
+  spec.add_runtime_dependency 'aws-sdk-kms', '~> 1'
+  spec.add_runtime_dependency 'msgpack'
 
-  spec.add_development_dependency "bundler", "~> 1.12"
-  spec.add_development_dependency "rake", "~> 10.0"
-  spec.add_development_dependency "rspec"
-  spec.add_development_dependency "rspec-mocks"
-  spec.add_development_dependency "simplecov"
-  spec.add_development_dependency "codeclimate-test-reporter"
-  spec.add_development_dependency "with_model"
-  spec.add_development_dependency "byebug"
-  spec.add_development_dependency "sqlite3"
-  spec.add_development_dependency "database_cleaner"
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake', '>= 12.3.3'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rspec-mocks'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'with_model'
+  spec.add_development_dependency 'byebug'
+  spec.add_development_dependency 'sqlite3'
+  spec.add_development_dependency 'database_cleaner'
 end

data/lib/kms_rails/active_record.rb

@@ -14,11 +14,10 @@ module KmsRails
         include InstanceMethods
 
         real_field = "#{field}_enc"
-        raise RuntimeError, "Field '#{field}' must not be a real column, '#{real_field}' is the real column" if self.column_names.include?(field.to_s)
-        
-        enc = Core.new(key_id: key_id, msgpack: msgpack, context_key: context_key, context_value: context_value)
+        enc        = Core.new(key_id: key_id, msgpack: msgpack, context_key: context_key, context_value: context_value)
 
         define_method "#{field}=" do |data|
+          raise RuntimeError, "Field '#{field}' must not be a real column, '#{real_field}' is the real column" if self.class.column_names.include?(field.to_s)
           raise RuntimeError, "Field '#{real_field}' must exist to store encrypted data" unless self.class.column_names.include?(real_field)
 
           if data.blank? # Just set to nil if nil
@@ -35,11 +34,13 @@ module KmsRails
         end
 
         define_method "#{real_field}" do
+          raise RuntimeError, "Field '#{field}' must not be a real column, '#{real_field}' is the real column" if self.class.column_names.include?(field.to_s)
           raise RuntimeError, "Field '#{real_field}' must exist to retrieve encrypted data" unless self.class.column_names.include?(real_field)
           Core.to64( get_hash(field) )
         end
 
         define_method "#{field}" do
+          raise RuntimeError, "Field '#{field}' must not be a real column, '#{real_field}' is the real column" if self.class.column_names.include?(field.to_s)
           raise RuntimeError, "Field '#{real_field}' must exist to retrieve decrypted data" unless self.class.column_names.include?(real_field)
 
           hash = get_hash(field)

data/lib/kms_rails/configuration.rb

@@ -3,11 +3,12 @@ module KmsRails
     attr_writer :configuration
 
     class Configuration
-      attr_accessor :fake_kms_api, :alias_prefix
+      attr_accessor :fake_kms_api, :alias_prefix, :arn_prefix
 
       def initialize
         @fake_kms_api = false
         @alias_prefix = ''
+        @arn_prefix   = ''
       end
     end
 

data/lib/kms_rails/core.rb

@@ -1,7 +1,7 @@
 require 'base64'
 require 'openssl'
 require 'msgpack'
-require 'aws-sdk'
+require 'aws-sdk-kms'
 require 'kms_rails/configuration'
 
 module KmsRails
@@ -41,15 +41,15 @@ module KmsRails
       return nil if data_obj.nil?
 
       decrypted = decrypt_attr(
-        data_obj['blob'], 
+        data_obj['blob'],
         aws_decrypt_key(data_obj['key']),
         data_obj['iv']
       )
-      
+
       decrypted = MessagePack.unpack(decrypted) if @msgpack
       decrypted
     end
-    
+
     def decrypt64(data_obj)
       return nil if data_obj.nil?
       decrypt( self.class.from64(data_obj) )
@@ -61,9 +61,9 @@ module KmsRails
         @base_key_id.call
       when String
         if @base_key_id =~ /\A\w{8}-\w{4}-\w{4}-\w{4}-\w{12}\z/ || @base_key_id.start_with?('alias/') # if UUID or direct alias
-          @base_key_id 
+          KmsRails.configuration.arn_prefix + @base_key_id
         else
-          'alias/' + KmsRails.configuration.alias_prefix + @base_key_id
+          KmsRails.configuration.arn_prefix + 'alias/' + KmsRails.configuration.alias_prefix + @base_key_id
         end
       else
         raise RuntimeError, 'Only Proc and String arguments are supported'
@@ -85,7 +85,7 @@ module KmsRails
       data_obj.map { |k,v| [k, Base64.strict_decode64(v)] }.to_h
     end
 
-    private 
+    private
 
     def apply_context(args, key, value)
       if key && value
@@ -123,7 +123,7 @@ module KmsRails
 
     def aws_decrypt_key(key)
       args = {ciphertext_blob: key}
-      aws_kms.decrypt(apply_context(args, @context_key, @context_value)).plaintext
+      aws_kms.decrypt(**apply_context(args, @context_key, @context_value)).plaintext
     end
 
     def aws_kms
@@ -133,7 +133,7 @@ module KmsRails
 
     def aws_generate_data_key(key_id)
       args = {key_id: key_id, key_spec: 'AES_256'}
-      aws_kms.generate_data_key(apply_context(args, @context_key, @context_value))
+      aws_kms.generate_data_key(**apply_context(args, @context_key, @context_value))
     end
   end
-end
+end

data/lib/kms_rails/kms_client_mock.rb

@@ -1,4 +1,4 @@
-require 'aws-sdk'
+require 'aws-sdk-kms'
 require 'msgpack'
 
 module KmsRails

data/lib/kms_rails/version.rb

@@ -1,3 +1,3 @@
 module KmsRails
-  VERSION = "0.0.9"
+  VERSION = "0.3.0"
 end

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: kms_rails
 version: !ruby/object:Gem::Version
-  version: 0.0.9
+  version: 0.3.0
 platform: ruby
 authors:
 - Ash Tyndall
 - Justin Ouellette
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2018-01-30 00:00:00.000000000 Z
+date: 2021-07-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -40,19 +40,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '4'
 - !ruby/object:Gem::Dependency
-  name: aws-sdk
+  name: aws-sdk-kms
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '1'
 - !ruby/object:Gem::Dependency
   name: msgpack
   requirement: !ruby/object:Gem::Requirement
@@ -71,30 +71,30 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.12'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.12'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -137,20 +137,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: codeclimate-test-reporter
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: with_model
   requirement: !ruby/object:Gem::Requirement
@@ -238,7 +224,7 @@ homepage: https://github.com/appbot/kms_rails
 licenses:
 - GPLv3
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -246,16 +232,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.1'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.1
-signing_key: 
+rubygems_version: 3.0.3
+signing_key:
 specification_version: 4
 summary: AWS KMS encryption for ActiveRecord & ActiveJob.
 test_files: []