RubyGems - kstor - Versions diffs - 0.4.0 - Mend

kstor 0.4.0

Files changed (25) hide show

checksums.yaml +7 -0
data/README.md +7 -0
data/bin/kstor +286 -0
data/bin/kstor-srv +26 -0
data/lib/kstor/config.rb +66 -0
data/lib/kstor/controller/authentication.rb +79 -0
data/lib/kstor/controller/secret.rb +201 -0
data/lib/kstor/controller/users.rb +62 -0
data/lib/kstor/controller.rb +80 -0
data/lib/kstor/crypto/ascii_armor.rb +27 -0
data/lib/kstor/crypto/keys.rb +116 -0
data/lib/kstor/crypto.rb +240 -0
data/lib/kstor/error.rb +85 -0
data/lib/kstor/log.rb +56 -0
data/lib/kstor/message.rb +132 -0
data/lib/kstor/model.rb +437 -0
data/lib/kstor/server.rb +51 -0
data/lib/kstor/session.rb +80 -0
data/lib/kstor/socket_server.rb +113 -0
data/lib/kstor/sql_connection.rb +74 -0
data/lib/kstor/store.rb +383 -0
data/lib/kstor/systemd.rb +25 -0
data/lib/kstor/version.rb +5 -0
data/lib/kstor.rb +10 -0
metadata +141 -0

data/lib/kstor/controller/users.rb ADDED Viewed

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+require 'kstor/store'
+require 'kstor/model'
+require 'kstor/crypto'
+require 'kstor/log'
+module KStor
+  module Controller
+    # Handle user and group related requests.
+    class User
+      def initialize(store)
+        @store = store
+      end
+      def handle_request(user, req)
+        case req.type
+        when /^group-create$/ then handle_group_create(user, req)
+        end
+      end
+      private
+      def handle_group_create(user, req)
+        unless req.args['name']
+          raise Error.for_code('REQ/MISSINGARG', 'name', req.type)
+        end
+        group = group_create(user, req.args['name'])
+        @groups = nil
+        Response.new(
+          'group.created',
+          'group_id' => group.id,
+          'group_name' => group.name,
+          'group_pubk' => group.pubk
+        )
+      end
+      def group_create(user, name)
+        pubk, privk = Crypto.generate_key_pair
+        group_id = @store.group_create(name, pubk)
+        encrypted_privk = Crypto.encrypt_group_privk(
+          user.pubk, privk
+        )
+        Log.debug("encrypted_privk = #{encrypted_privk}")
+        keychain_item_create(user, group_id, pubk, encrypted_privk)
+        Model::Group.new(id: group_id, name:, pubk:)
+      end
+      def keychain_item_create(user, group_id, pubk, encrypted_privk)
+        item = Model::KeychainItem.new(
+          group_id:,
+          group_pubk: pubk,
+          encrypted_privk:
+        )
+        user.keychain[item.group_id] = item
+        @store.keychain_item_create(user.id, group_id, encrypted_privk)
+      end
+    end
+  end
+end

data/lib/kstor/controller.rb ADDED Viewed

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+require 'kstor/error'
+require 'kstor/log'
+require 'kstor/store'
+require 'kstor/message'
+require 'kstor/controller/authentication'
+require 'kstor/controller/secret'
+require 'kstor/controller/users'
+module KStor
+  # Error: user was not allowed to access application.
+  class UserNotAllowed < Error
+    error_code 'AUTH/FORBIDDEN'
+    error_message 'User %s not allowed.'
+  end
+  # Error: invalid session ID
+  class InvalidSession < Error
+    error_code 'AUTH/BADSESSION'
+    error_message 'Invalid session ID %s'
+  end
+  class MissingLoginPassword < Error
+    error_code 'AUTH/MISSING'
+    error_message 'Missing login and password'
+  end
+  # Error: unknown request type.
+  class UnknownRequestType < Error
+    error_code 'REQ/UNKNOWN'
+    error_message 'Unknown request type %s'
+  end
+  # Error: missing request argument.
+  class MissingArgument < Error
+    error_code 'REQ/MISSINGARG'
+    error_message 'Missing argument %s for request type %s'
+  end
+  module Controller
+    # Request handler.
+    class RequestHandler
+      def initialize(store, session_store)
+        @auth = Controller::Authentication.new(store, session_store)
+        @secret = Controller::Secret.new(store)
+        @user = Controller::User.new(store)
+        @store = store
+      end
+      def handle_request(req)
+        user, sid = @auth.authenticate(req)
+        controller = controller_from_request_type(req)
+        resp = @store.transaction { controller.handle_request(user, req) }
+        user.lock
+        resp.session_id = sid
+        resp
+      rescue RbNaClError => e
+        Log.exception(e)
+        Error.for_code('CRYPTO/UNSPECIFIED').response
+      rescue Error => e
+        Log.info(e.message)
+        e.response
+      end
+      private
+      def controller_from_request_type(req)
+        case req.type
+        when /^secret-(create|delete|search|unlock|update-(meta|value)?)$/
+          @secret
+        when /^group-create$/
+          @user
+        else
+          raise Error.for_code('REQ/UNKNOWN', req.type)
+        end
+      end
+    end
+  end
+end

data/lib/kstor/crypto/ascii_armor.rb ADDED Viewed

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+module KStor
+  # Cryptographic functions for KStor.
+  module Crypto
+    # Encode and decode binary data to ASCII.
+    module ASCIIArmor
+      class << self
+        # ASCII-armor a String of bytes.
+        #
+        # @param bytes [String] raw string
+        # @return [String] ASCII-armored string
+        def encode(bytes)
+          Base64.strict_encode64(bytes)
+        end
+        # Decode an ASCII-armored string back to raw data.
+        #
+        # @param str [String] ASCII-armored string
+        # @return [String] raw string
+        def decode(str)
+          Base64.strict_decode64(str)
+        end
+      end
+    end
+  end
+end

data/lib/kstor/crypto/keys.rb ADDED Viewed

@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+require 'kstor/crypto/ascii_armor'
+module KStor
+  module Crypto
+    # Holds together a secret key value and the KDF associated parameters.
+    class SecretKey
+      # The secret key as an ASCII-armored String
+      attr_reader :value
+      # KDF parameters as an ASCII-armored String
+      attr_reader :kdf_params
+      # Create a SecretKey instance.
+      #
+      # @param [String] value ASCII-armored secret key derived from passphrase
+      # @param [String] kdf_params ASCII-armored key derivation parameters
+      # @return [SecretKey] the SecretKey object
+      def initialize(value, kdf_params)
+        @value = value
+        @kdf_params = kdf_params
+      end
+    end
+    # Holds together a public and private key pair.
+    class KeyPair
+      # ASCII-armored public key
+      attr_reader :pubk
+      # ASCII-armored private key
+      attr_reader :privk
+      # Create a KeyPair instance.
+      #
+      # @param [String] pubk ASCII-armored public key
+      # @param [String] privk ASCII-armored private key
+      def initialize(pubk, privk)
+        @pubk = pubk
+        @privk = privk
+      end
+    end
+    # Wrapper class for an ASCII-armored value.
+    class ArmoredValue
+      def initialize(value)
+        @value = value
+      end
+      def to_ascii
+        @value
+      end
+      alias to_s to_ascii
+      def to_binary
+        ASCIIArmor.decode(@value)
+      end
+      def self.from_binary(bin_str)
+        new(ASCIIArmor.encode(bin_str))
+      end
+    end
+    # A Hash.
+    class ArmoredHash < ArmoredValue
+      def self.from_hash(hash)
+        from_binary(hash.to_json)
+      end
+      def to_hash
+        JSON.parse(to_binary)
+      end
+      def [](key)
+        to_hash[key]
+      end
+      def []=(key, val)
+        h = to_hash
+        h[key] = val
+        @value = ASCIIArmor.encode(h.to_json)
+      end
+    end
+    # KDF parameters.
+    class KDFParams < ArmoredHash
+      def self.from_hash(hash)
+        hash['salt'] = ASCIIArmor.encode(hash['salt'])
+        hash['opslimit'] = hash['opslimit'].to_s
+        hash['memlimit'] = hash['memlimit'].to_s
+        super(hash)
+      end
+      def to_hash
+        hash = super
+        hash['salt'] = ASCIIArmor.decode(hash['salt'])
+        hash['opslimit'] = hash['opslimit'].to_sym
+        hash['memlimit'] = hash['memlimit'].to_sym
+        hash
+      end
+    end
+    # A private key.
+    class PrivateKey < ArmoredValue
+      def to_rbnacl
+        RbNaCl::PrivateKey.new(to_binary)
+      end
+    end
+    # A public key.
+    class PublicKey < ArmoredValue
+      def to_rbnacl
+        RbNaCl::PublicKey.new(to_binary)
+      end
+    end
+  end
+end

data/lib/kstor/crypto.rb ADDED Viewed

@@ -0,0 +1,240 @@
+# frozen_string_literal: true
+require 'rbnacl'
+require 'json'
+require 'base64'
+require 'kstor/error'
+require 'kstor/crypto/ascii_armor'
+require 'kstor/crypto/keys'
+module KStor
+  # Generic crypto error.
+  class CryptoError < Error
+    error_code 'CRYPTO/UNSPECIFIED'
+    error_message 'Cryptographic error.'
+  end
+  # Error in key derivation.
+  class RbNaClError < Error
+    error_code 'CRYPTO/RBNACL'
+    error_message 'RbNaCl error: %s'
+  end
+  # Cryptographic functions for KStor.
+  #
+  # @version 1.0
+  module Crypto
+    VERSION = 1
+    class << self
+      # Derive a secret key suitable for symetric encryption from a passphrase.
+      #
+      # Key derivation function can use previously stored parameters (as an
+      # opaque String) or pass nil to generate random parameters.
+      #
+      # @param passphrase [String] user passphrase as clear text
+      # @param params [KDFParams, nil] KDF parameters;
+      #   if nil, use defaults.
+      # @return [SecretKey] secret key and KDF parameters
+      def key_derive(passphrase, params = nil)
+        params ||= key_derive_params_generate
+        Log.debug("crypto: kdf params = #{params.to_hash}")
+        data = RbNaCl::PasswordHash.argon2(
+          passphrase, params['salt'],
+          params['opslimit'], params['memlimit'], params['digest_size']
+        )
+        SecretKey.new(ArmoredValue.from_binary(data), params)
+      rescue RbNaCl::CryptoError => e
+        raise Error.for_code('CRYPTO/RBNACL', e.message)
+      end
+      # Check if KDF params match current code in this library.
+      #
+      # If it is obsolete, you should generate a new secret key from the user's
+      # passphrase, and re-encrypt everything that was encrypted with the old
+      # secret key.
+      #
+      # @param params [String] KDF params as an opaque string.
+      # @return [Boolean] false if parameters match current library version.
+      def kdf_params_obsolete?(params)
+        return true if params_str.nil?
+        params['_version'] != VERSION
+      rescue RbNaCl::CryptoError => e
+        raise Error.for_code('CRYPTO/RBNACL', e.message)
+      end
+      # Generate new key pair.
+      #
+      # @return [Array<PublicKey, PrivateKey>] new key pair
+      def generate_key_pair
+        privk = RbNaCl::PrivateKey.generate
+        pubk = privk.public_key
+        [PublicKey.from_binary(pubk.to_bytes),
+         PrivateKey.from_binary(privk.to_bytes)]
+      end
+      # Encrypt user private key.
+      #
+      # @param [SecretKey] secret_key secret key derived from passphrase
+      # @param [PrivateKey] privk private key
+      # @return [ArmoredValue] encrypted user private key
+      def encrypt_user_privk(secret_key, privk)
+        box_secret_encrypt(secret_key, privk.to_binary)
+      end
+      # Decrypt user private key.
+      #
+      # @param [SecretKey] secret_key secret key derived from passphrase
+      # @param [ArmoredValue] ciphertext encrypted private key
+      # @return [PrivateKey] user private key
+      def decrypt_user_privk(secret_key, ciphertext)
+        privk_data = box_secret_decrypt(secret_key, ciphertext)
+        PrivateKey.from_binary(privk_data)
+      end
+      # Encrypt and sign group private key.
+      #
+      # @param [PublicKey] owner_pubk user public key
+      # @param [PrivateKey] group_privk group private key
+      # @return [ArmoredValue] encrypted group private key
+      def encrypt_group_privk(owner_pubk, group_privk)
+        box_pair_encrypt(owner_pubk, group_privk, group_privk.to_binary)
+      end
+      # Decrypt and verify group private key.
+      #
+      # @param [PublicKey] group_pubk group public key to verify signature
+      # @param [PrivateKey] owner_privk user private key
+      # @param [ArmoredValue] encrypted_group_privk encrypted group private key
+      # @return [PrivateKey] group private key
+      def decrypt_group_privk(group_pubk, owner_privk, encrypted_group_privk)
+        PrivateKey.from_binary(
+          box_pair_decrypt(group_pubk, owner_privk, encrypted_group_privk)
+        )
+      end
+      # Encrypt and sign secret value.
+      #
+      # @param [PublicKey] group_pubk group public key
+      # @param [PrivateKey] author_privk user private key
+      # @param [String] value secret value
+      # @return [ArmoredValue] ASCII-armored encrypted secret value
+      def encrypt_secret_value(group_pubk, author_privk, value)
+        box_pair_encrypt(group_pubk, author_privk, value)
+      end
+      # Decrypt and verify secret value.
+      #
+      # @param [PublicKey] author_pubk user secret key
+      # @param [PrivateKey] group_privk group private key
+      # @param [ArmoredValue] val encrypted secret value
+      # @return [String] original secret value
+      def decrypt_secret_value(author_pubk, group_privk, val)
+        box_pair_decrypt(author_pubk, group_privk, val)
+      end
+      # Encrypt and sign secret metadata.
+      #
+      # @param [PublicKey] group_pubk group public key
+      # @param [PrivateKey] author_privk user private key
+      # @param [Hash] metadata_as_hash Hash of keys and values
+      # @return [ArmoredValue] encrypted secret metadata
+      def encrypt_secret_metadata(group_pubk, author_privk, metadata_as_hash)
+        meta = ArmoredHash.from_hash(metadata_as_hash)
+        encrypt_secret_value(group_pubk, author_privk, meta.to_binary)
+      end
+      # Decrypt and verify secret metadata.
+      #
+      # @param [PublicKey] author_pubk user public key
+      # @param [PrivateKey] group_privk group private key
+      # @param [ArmoredValue] val encrypted secret metadata
+      # @return [Hash] Hash of keys and values
+      def decrypt_secret_metadata(author_pubk, group_privk, val)
+        bytes = decrypt_secret_value(author_pubk, group_privk, val)
+        ArmoredHash.from_binary(bytes).to_hash
+      end
+      private
+      # Encrypt raw data with a secret key.
+      #
+      # @param [SecretKey] secret_key secret key
+      # @param [String] bytes raw data to encrypt
+      # @return [ArmoredValue] ciphertext
+      def box_secret_encrypt(secret_key, bytes)
+        ciphertext = make_secret_box(secret_key).encrypt(bytes)
+        ArmoredValue.from_binary(ciphertext)
+      rescue RbNaCl::CryptoError => e
+        raise Error.for_code('CRYPTO/RBNACL', e.message)
+      end
+      # Decrypt data with a secret key.
+      #
+      # @param [SecretKey] secret_key secret key
+      # @param [ArmoredValue] val ciphertext to decrypt
+      # @return [String] raw decrypted plaintext
+      def box_secret_decrypt(secret_key, val)
+        make_secret_box(secret_key).decrypt(val.to_binary)
+      rescue RbNaCl::CryptoError => e
+        raise Error.for_code('CRYPTO/RBNACL', e.message)
+      end
+      # Encrypt and authenticate data with public-key crypto.
+      #
+      # @param [PublicKey] pubk public key
+      # @param [PrivateKey] privk private key
+      # @param [String] bytes raw data to encrypt
+      # @return [ArmoredValue] ciphertext
+      def box_pair_encrypt(pubk, privk, bytes)
+        ArmoredValue.from_binary(make_pair_box(pubk, privk).encrypt(bytes))
+      rescue RbNaCl::CryptoError => e
+        raise Error.for_code('CRYPTO/RBNACL', e.message)
+      end
+      # Decrypt and authentify data with public-key crypto.
+      #
+      # @param [PublicKey] pubk public key
+      # @param [PrivateKey] privk private key
+      # @param [ArmoredValue] val ciphertext to decrypt
+      # @return [String] raw decrypted plaintext
+      def box_pair_decrypt(pubk, privk, val)
+        make_pair_box(pubk, privk).decrypt(val.to_binary)
+      rescue RbNaCl::CryptoError => e
+        raise Error.for_code('CRYPTO/RBNACL', e.message)
+      end
+      # Make a SimpleBox for symetric crypto.
+      #
+      # @param secret_key [SecretKey] secret_key secret key
+      # @return [RbNaCl::SimpleBox] the box
+      def make_secret_box(secret_key)
+        RbNaCl::SimpleBox.from_secret_key(secret_key.value.to_binary)
+      end
+      # Make a SimpleBox for asymetric cypto.
+      #
+      # @param [PublicKey] pubk public key
+      # @param [PrivateKey] privk private key
+      # @return [RbNaCl::SimpleBox] the box
+      def make_pair_box(pubk, privk)
+        RbNaCl::SimpleBox.from_keypair(pubk.to_binary, privk.to_binary)
+      end
+      # Generate new parameters for the Key Derivation Function.
+      #
+      # @return [KDFParams] newly generated KDF parameters
+      def key_derive_params_generate
+        salt = RbNaCl::Random.random_bytes(
+          RbNaCl::PasswordHash::Argon2::SALTBYTES
+        )
+        h = { '_version' => VERSION, 'salt' => salt,
+              'opslimit' => :moderate, 'memlimit' => :moderate,
+              'digest_size' => RbNaCl::SecretBox.key_bytes }
+        KDFParams.from_hash(h)
+      end
+    end
+  end
+end

data/lib/kstor/error.rb ADDED Viewed

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+require 'kstor/message'
+module KStor
+  # Base class of KStor errors.
+  #
+  # Each subclass declares a code and is stored in a global registry.
+  class Error < StandardError
+    class << self
+      attr_reader :code
+      attr_reader :message
+      attr_reader :registry
+      def error_code(str)
+        @code = str
+      end
+      def error_message(str)
+        @message = str
+      end
+      def for_code(code, *args)
+        @registry[code].new(*args)
+      end
+      def list
+        @registry.classes
+      end
+    end
+    def self.inherited(subclass)
+      super
+      Log.debug("#{subclass} inherits from Error")
+      @registry ||= ErrorRegistry.new
+      if @registry.key?(subclass.code)
+        code = subclass.code
+        klass = @registry[code]
+        raise "duplicate error code #{code} in #{subclass}, " \
+              "already defined in #{klass}"
+      end
+      @registry << subclass
+    end
+    def initialize(*args)
+      super(format("ERR/%s #{self.class.message}", self.class.code, *args))
+    end
+    def response
+      Response.new('error', 'code' => self.class.code, 'message' => message)
+    end
+  end
+  # @api private
+  class ErrorRegistry
+    def initialize
+      @error_classes = []
+      @index = nil
+    end
+    def classes
+      @error_classes.values
+    end
+    def <<(klass)
+      @error_classes << klass
+      @index = nil
+    end
+    def key?(code)
+      index.key?(code)
+    end
+    def [](code)
+      index[code]
+    end
+    private
+    def index
+      @index ||= @error_classes.to_h { |c| [c.code, c] }
+    end
+  end
+end

data/lib/kstor/log.rb ADDED Viewed

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+require 'journald/logger'
+module KStor
+  # Central logging to systemd-journald.
+  module Log
+    class << self
+      def exception(exc)
+        logger.exception(exc)
+      end
+      def debug(msg)
+        logger.debug(msg)
+      end
+      def info(msg)
+        logger.info(msg)
+      end
+      def notice(msg)
+        logger.notice(msg)
+      end
+      def warn(msg)
+        logger.warn(msg)
+      end
+      def error(msg)
+        logger.error(msg)
+      end
+      def critical(msg)
+        logger.critical(msg)
+      end
+      def alert(msg)
+        logger.alert(msg)
+      end
+      def emergency(msg)
+        logger.emergency(msg)
+      end
+      def reporting_level=(lvl)
+        logger.min_priority = lvl
+      end
+      private
+      def logger
+        @logger ||= Journald::Logger.new('kstor')
+      end
+    end
+  end
+end