kms_rails 0.0.2 → 0.0.3
- checksums.yaml +4 -4
- data/README.md +17 -4
- data/lib/kms_rails/active_record.rb +1 -1
- data/lib/kms_rails/configuration.rb +6 -1
- data/lib/kms_rails/core.rb +19 -24
- data/lib/kms_rails/version.rb +1 -1
- metadata +2 -2
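--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 694a99855a3a64a2d64d52297d4c1e49e7413838
+data.tar.gz: 9bfa2bd4692f9279c547eabb840d2ac8a6729f24
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: cac9396f4b113594de45748b63f18e7142dbffd628d5374b22f93d565ba15de9cf05c3ef32d743db423fff3231b5845001480b420d73a4817451a1f853594a81
+data.tar.gz: 2c5239e05de81a8a5dd27cf778cc6e5df2f1e31b844e501a52cbb025788053c0a1082bfa455963357cf92602b2755e13d9189fb262297371f664246436335962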
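--- a/data/README.md
+++ b/data/README.md
@@ -75,14 +75,11 @@ Encryption is done when the job is seralized into the data store and is stored a
 The encryption is automatically reversed when the job is deserialized.
 
 ##Additional Options
-You can add encryption contexts as strings
+You can add encryption contexts as strings or procs to kms_attr and kms_arg/args. Default is none.
 ```ruby
 kms_attr :my_attribute, key_id: 'my-aws-kms-key-id',
 context_key: 'my context key', context_value: 'my context value'
 
-kms_attr :my_attribute, key_id: 'my-aws-kms-key-id',
-context_key: :model_method_context_key, context_value: :model_method_context_value
-
 kms_attr :my_attribute, key_id: 'my-aws-kms-key-id',
 context_key: Proc.new { }, context_value: Proc.new { }
 ```
@@ -108,6 +105,22 @@ KmsRails.configure do |config|
 end
 ```
 
+## Alias prefixes
+
+You can use the `alias_prefix` configuration option to automatically add a prefix to the key_ids that you specify. For example;
+
+```ruby
+KmsRails.configure do |config|
+config.alias_prefix = Rails.env + '/'
+end
+
+kms_attr :my_attribute, key_id: 'my-key-alias'
+```
+
+Will resolve 'my-key-alias' to 'alias/production/my-key-alias' in the production environment, and 'alias/staging/my-key-alias' in staging.
+
+Directly specifying a key_id as a UUID or with the `alias/` prefix explicitly declared will prevent this behaviour from occurring.
+
 ## Other stuff
 
 ### Notes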
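--- a/data/lib/kms_rails/configuration.rb
+++ b/data/lib/kms_rails/configuration.rb
@@ -8,11 +8,16 @@ module KmsRails
 yield(configuration)
 end
 
+def self.reset_config
+self.configuration = Configuration.new
+end
+
 class Configuration
-attr_accessor :fake_kms_api
+attr_accessor :fake_kms_api, :alias_prefix
 
 def initialize
 @fake_kms_api = false
+@alias_prefix = ''
 end
 end
 end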
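Review bot: `reset_config` (new lines 11–13) carries no comment marking it as a test hook, yet it is a public module method that replaces the live configuration: after a call `alias_prefix` is `''` again, so every `kms_attr` declared with a bare alias resolves to `alias/<name>` instead of `alias/<prefix><name>` on its next encrypt (per `Core#key_id` in this release), and `fake_kms_api` is back to `false`. A one-line comment would fix the intent: `# Test helper: discards the current configuration (fake_kms_api, alias_prefix); not meant to be called at runtime`. It also depends on a `configuration=` writer on `KmsRails`, which would be defined above this hunk and is not visible here. `alias_prefix` deserves a comment that `Core#key_id` concatenates it verbatim, so any separator such as `'/'` must be part of the value, as the README example does.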
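--- a/data/lib/kms_rails/core.rb
+++ b/data/lib/kms_rails/core.rb
@@ -5,8 +5,10 @@ require 'kms_rails/configuration'
 
 module KmsRails
 class Core
+attr_reader :context_key, :context_value
+
 def initialize(key_id:, context_key: nil, context_value: nil)
-@
+@base_key_id = key_id
 @context_key = context_key
 @context_value = context_value
 end
@@ -14,7 +16,7 @@ module KmsRails
 def encrypt(data)
 return nil if data.nil?
 
-data_key = aws_generate_data_key(
+data_key = aws_generate_data_key(key_id)
 encrypted = encrypt_attr(data, data_key.plaintext)
 
 self.class.shred_string(data_key.plaintext)
@@ -43,6 +45,21 @@ module KmsRails
 decrypt( data_obj.map { |k,v| [k, Base64.strict_decode64(v)] }.to_h )
 end
 
+def key_id
+case @base_key_id
+when Proc
+@base_key_id.call
+when String
+if @base_key_id =~ /\A\w{8}-\w{4}-\w{4}-\w{4}-\w{12}\z/ || @base_key_id.start_with?('alias/') # if UUID or direct alias
+@base_key_id
+else
+'alias/' + KmsRails.configuration.alias_prefix + @base_key_id
+end
+else
+raise RuntimeError, 'Only Proc and String arguments are supported'
+end
+end
+
 def self.shred_string(str)
 str.force_encoding('BINARY')
 str.tr!("\0-\xff".b, "\0".b)
@@ -60,14 +77,6 @@ module KmsRails
 value = value.call
 end
 
-if key.is_a?(Symbol)
-key = self.send(key)
-end
-
-if value.is_a?(Symbol)
-value = self.send(value)
-end
-
 if key.is_a?(String) && value.is_a?(String)
 args[:encryption_context] = {key => value}
 end
@@ -75,20 +84,6 @@ module KmsRails
 args
 end
 
-def set_key_id(key_id)
-if key_id.is_a?(Proc)
-key_id = key_id.call
-end
-
-if key_id.is_a?(Symbol)
-key_id = self.send(key_id)
-end
-
-if key_id.is_a?(String)
-return key_id
-end
-end
-
 def decrypt_attr(data, key, iv)
 decipher = OpenSSL::Cipher.new('AES-256-CBC')
 decipher.decrypt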
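Review bot: With the Symbol branches removed, the context guard in `apply_context` (new lines 80–82; the method's head is above the hunk) now silently discards a `context_key`/`context_value` that does not resolve to a String: the `is_a?(String)` test just skips `args[:encryption_context]`, so a model still passing symbols — the form the 0.0.2 README documented — is encrypted with no encryption context and nothing reports it. That should fail loudly the way `key_id` does: `return args if key.nil? && value.nil?`, then `raise RuntimeError, 'context_key and context_value must both resolve to Strings' unless key.is_a?(String) && value.is_a?(String)`, then the unconditional assignment (assuming `key`/`value` are the resolved context pair set earlier in the method, which is not visible here). The new `key_id` (lines 48–61) has a related gap: a Proc result is returned with no String check and never receives the alias prefix, and a key or alias ARN (`arn:aws:kms:…`), which KMS accepts as a KeyId, is rewritten to `alias/<prefix>arn:…`; resolving the Proc first and then applying the String rules, with `start_with?('alias/', 'arn:')` as the pass-through test, closes both. `\w` in the UUID pattern also admits underscores and non-hex letters; `\h` is the class intended.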
data/lib/kms_rails/version.rb
CHANGED
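--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kms_rails
 version: !ruby/object:Gem::Version
-version: 0.0.
+version: 0.0.3
 platform: ruby
 authors:
 - Ash Tyndall
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-
+date: 2016-12-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activerecord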