legion-crypt 0.2.0 → 1.2.0

data/NOTICE.txt

@@ -0,0 +1,9 @@
+<Insert Project Name Here>
+Copyright 2020 Optum
+
+Project Description:
+====================
+<Short description of your project>
+
+Author(s):
+<List the names and GitHub IDs of the original project authors>

data/README.md

@@ -1,44 +1,56 @@
-# Legion::Crypt
+Legion::Crypt
+=====
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/legion/crypt`. To experiment with that code, run `bin/console` for an interactive prompt.
+Legion::Crypt is the class responsible for encryption, managing secrets and connecting with Vault
 
-TODO: Delete this and the text above, and describe your gem
+Supported Ruby versions and implementations
+------------------------------------------------
 
-## Installation
+Legion::Crypt should work identically on:
 
-Add this line to your application's Gemfile:
+* JRuby 9.2+
+* Ruby 2.4+
 
-```ruby
-gem 'legion-crypt'
-```
-
-And then execute:
-
-    $ bundle install
-
-Or install it yourself as:
-
-    $ gem install legion-crypt
 
-## Usage
+Installation and Usage
+------------------------
 
-Ciper class  
-1) check to see if connected to vault, if so, use that
-2) check to see if it was set via config
-3) request it from the cluster
-4) generate it
+You can verify your installation using this piece of code:
 
-## Development
-
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
-
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+```bash
+gem install legion-crypt
+```
 
-## Contributing
+```ruby
+require 'legion/crypt'
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/legion-crypt.
+Legion::Crypt.start
+Legion::Crypt.encrypt('this is my string')
+Legion::Crypt.decrypt(message)
+```
 
+Settings
+----------
+
+```json
+{
+  "vault": {
+    "enabled": false,
+    "protocol": "http",
+    "address": "localhost",
+    "port": 8200,
+    "token": null,
+    "connected": false
+  },
+  "cs_encrypt_ready": false,
+  "dynamic_keys": true,
+  "cluster_secret": null,
+  "save_private_key": false,
+  "read_private_key": false
+}
+```
 
-## License
+Authors
+----------
 
-The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+* [Matthew Iverson](https://github.com/Esity) - current maintainer

data/SECURITY.md

@@ -0,0 +1,9 @@
+# Security Policy
+
+## Supported Versions
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+To be added

data/attribution.txt

@@ -0,0 +1 @@
+Add attributions here.

data/legion-crypt.gemspec

@@ -3,37 +3,30 @@
 require_relative 'lib/legion/crypt/version'
 
 Gem::Specification.new do |spec|
-  spec.name          = 'legion-crypt'
+  spec.name = 'legion-crypt'
   spec.version       = Legion::Crypt::VERSION
   spec.authors       = ['Esity']
-  spec.email         = ['matthewdiverson@gmail.com']
-
-  spec.summary       = 'Legion::Vault is used to keep things safe'
-  spec.description   = 'Integrates with Hashicorps vault and other encryption type things'
-  spec.homepage      = 'https://bitbucket.org/legion-io/legion-vault/'
-  spec.license       = 'MIT'
-  spec.required_ruby_version = Gem::Requirement.new('>= 2.5.0')
-
-  spec.metadata['homepage_uri'] = spec.homepage
-  spec.metadata['source_code_uri'] = 'https://bitbucket.org/legion-io/legion/'
-  spec.metadata['changelog_uri'] = 'https://bitbucket.org/legion-io/legion/src/master/CHANGELOG.md'
-
-  spec.files = Dir.chdir(File.expand_path(__dir__)) do
-    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
-  end
-  spec.bindir        = 'exe'
-  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.email         = %w[matthewdiverson@gmail.com ruby@optum.com]
+  spec.summary       = 'Handles requests for encrypt, decrypting, connecting to Vault, among other things'
+  spec.description   = 'A gem used by the LegionIO framework for encryption'
+  spec.homepage      = 'https://github.com/Optum/legion-crypt'
+  spec.license       = 'Apache-2.0'
   spec.require_paths = ['lib']
+  spec.required_ruby_version = '>= 2.4'
+  spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.test_files        = spec.files.select { |p| p =~ %r{^test/.*_test.rb} }
+  spec.extra_rdoc_files  = %w[README.md LICENSE CHANGELOG.md]
+  spec.metadata = {
+    'bug_tracker_uri' => 'https://github.com/Optum/legion-crypt/issues',
+    'changelog_uri' => 'https://github.com/Optum/legion-crypt/src/main/CHANGELOG.md',
+    'documentation_uri' => 'https://github.com/Optum/legion-crypt',
+    'homepage_uri' => 'https://github.com/Optum/LegionIO',
+    'source_code_uri' => 'https://github.com/Optum/legion-crypt',
+    'wiki_uri' => 'https://github.com/Optum/legion-crypt/wiki'
+  }
 
-  spec.add_dependency 'rbnacl'
-  spec.add_dependency 'vault'
+  spec.add_dependency 'vault', '>= 0.15.0'
 
   spec.add_development_dependency 'legion-logging'
   spec.add_development_dependency 'legion-settings'
-  spec.add_development_dependency 'legion-transport'
-  # spec.add_development_dependency 'legionio'
-  spec.add_development_dependency 'rake'
-  spec.add_development_dependency 'rspec'
-  spec.add_development_dependency 'rubocop'
-  # spec.add_development_dependency 'simplecov', '< 0.18.0'
 end

data/lib/legion/crypt.rb

@@ -1,14 +1,8 @@
-# frozen_string_literal: true
-
 require 'openssl'
+require 'base64'
 require 'legion/crypt/version'
 require 'legion/crypt/settings'
-require 'rbnacl'
-require 'base64'
-
-require 'legion/crypt/box'
 require 'legion/crypt/cipher'
-require 'legion/crypt/vault'
 
 module Legion
   module Crypt
@@ -16,13 +10,25 @@ module Legion
       attr_reader :sessions
 
       include Legion::Crypt::Cipher
-      include Legion::Crypt::Vault if Legion::Settings[:crypt][:vault][:enabled]
+
+      unless Gem::Specification.find_by_name('vault').nil?
+        require 'legion/crypt/vault'
+        include Legion::Crypt::Vault
+      end
 
       def start
         Legion::Logging.debug 'Legion::Crypt is running start'
-        # load_keys if Dir.exist?('./settings') && File.exist?('./settings/private.key') && File.exist?('./settings/public.key')
+        ::File.write('./legionio.key', private_key) if settings[:save_private_key]
+
+        connect_vault unless settings[:vault][:token].nil?
+      end
 
-        # connect_vault unless Legion::Settings[:crypt][:vault][:token].nil?
+      def settings
+        if Legion.const_defined?('Settings')
+          Legion::Settings[:crypt]
+        else
+          Legion::Crypt::Settings.default
+        end
       end
 
       def shutdown

data/lib/legion/crypt/cipher.rb

@@ -1,8 +1,11 @@
 require 'securerandom'
+require 'legion/crypt/cluster_secret'
 
 module Legion
   module Crypt
     module Cipher
+      include Legion::Crypt::ClusterSecret
+
       def encrypt(message)
         cipher = OpenSSL::Cipher.new('aes-256-cbc')
         cipher.encrypt
@@ -40,50 +43,11 @@ module Legion
       end
 
       def private_key
-        @private_key ||= OpenSSL::PKey::RSA.new 2048
-      end
-
-      def cs
-        @cs ||= Digest::SHA256.digest fetch_cs
-      end
-
-      def fetch_cs # rubocop:disable Metrics/AbcSize
-        if Legion::Settings[:crypt][:vault][:read_cluster_secret] && Legion::Settings[:crypt][:vault][:connected] && Legion::Crypt.exist?('crypt') # rubocop:disable Layout/LineLength
-          Legion::Crypt.get('crypt')[:cluster_secret]
-        elsif Legion::Settings[:crypt][:cluster_secret].is_a? String
-          Legion::Settings[:crypt][:cluster_secret]
-        elsif Legion::Transport::Queue.new('node.crypt', passive: true).consumer_count.zero?
-          Legion::Settings[:crypt][:cluster_secret] = generate_secure_random
-        elsif Legion::Transport::Queue.new('node.crypt', passive: true).consumer_count.positive?
-          require 'legion/transport/messages/request_cluster_secret'
-          Legion::Logging.info 'Requesting cluster secret via public key'
-          start = Time.now
-          Legion::Transport::Messages::RequestClusterSecret.new.publish
-          sleep_time = 0.001
-          until !Legion::Settings[:crypt][:cluster_secret].nil? || (Time.now - start) > Legion::Settings[:crypt][:cluster_secret_timeout]
-            sleep(sleep_time)
-            sleep_time *= 2 unless sleep_time > 0.5
-          end
-          unless Legion::Settings[:crypt][:cluster_secret].nil?
-            Legion::Logging.info "Received cluster secret in #{((Time.new - start) * 1000.0).round}ms"
-          end
-          Legion::Logging.warn 'Cluster secret is still nil' if Legion::Settings[:crypt][:cluster_secret].nil?
-        else
-          Legion::Settings[:crypt][:cluster_secret] = generate_secure_random
-        end
-        Legion::Settings[:crypt][:cs_encrypt_ready] = true
-        Legion::Settings[:crypt][:cluster_secret]
-      rescue StandardError => e
-        Legion::Logging.error(e.message)
-        Legion::Logging.error(e.backtrace)
-
-        Legion::Settings[:crypt][:cluster_secret] = generate_secure_random
-        Legion::Settings[:crypt][:cs_encrypt_ready] = true
-        Legion::Settings[:crypt][:cluster_secret]
-      end
-
-      def generate_secure_random
-        SecureRandom.alphanumeric(32)
+        @private_key ||= if Legion::Settings[:crypt][:read_private_key] && File.exist?('./legionio.key')
+                           OpenSSL::PKey::RSA.new File.read './legionio.key'
+                         else
+                           OpenSSL::PKey::RSA.new 2048
+                         end
       end
     end
   end

data/lib/legion/crypt/cluster_secret.rb

@@ -0,0 +1,121 @@
+require 'securerandom'
+
+module Legion
+  module Crypt
+    module ClusterSecret
+      def find_cluster_secret
+        %i[from_settings from_vault from_transport generate_secure_random].each do |method|
+          result = send(method)
+          next if result.nil?
+
+          unless validate_hex(result)
+            Legion::Logging.warn("Legion::Crypt.#{method} gave a value but it isn't a valid hex")
+            next
+          end
+
+          set_cluster_secret(result, method != :from_vault)
+          return result
+        end
+        return unless only_member?
+
+        key = generate_secure_random
+        set_cluster_secret(key)
+        key
+      end
+
+      def from_vault
+        return nil unless method_defined? :get
+        return nil unless Legion::Settings[:crypt][:vault][:read_cluster_secret]
+        return nil unless Legion::Settings[:crypt][:vault][:connected]
+        return nil unless Legion::Crypt.exist?('crypt')
+
+        get('crypt')[:cluster_secret]
+      rescue StandardError
+        nil
+      end
+
+      def from_settings
+        Legion::Settings[:crypt][:cluster_secret]
+      end
+      alias cluster_secret from_settings
+
+      def from_transport # rubocop:disable Metrics/AbcSize
+        return nil unless Legion::Settings[:transport][:connected]
+
+        require 'legion/transport/messages/request_cluster_secret'
+        Legion::Logging.info 'Requesting cluster secret via public key'
+        Legion::Logging.warn 'cluster_secret already set but we are requesting a new value' unless from_settings.nil?
+        start = Time.now
+        Legion::Transport::Messages::RequestClusterSecret.new.publish
+        sleep_time = 0.001
+        until !Legion::Settings[:crypt][:cluster_secret].nil? || (Time.now - start) > cluster_secret_timeout
+          sleep(sleep_time)
+          sleep_time *= 2 unless sleep_time > 0.5
+        end
+
+        unless from_settings.nil?
+          Legion::Logging.info "Received cluster secret in #{((Time.new - start) * 1000.0).round}ms"
+          from_settings
+        end
+
+        Legion::Logging.error 'Cluster secret is still unknown!'
+      rescue StandardError => e
+        Legion::Logging.error e.message
+        Legion::Logging.error e.backtrace[0..10]
+      end
+
+      def force_cluster_secret
+        Legion::Settings[:crypt][:force_cluster_secret] || true
+      end
+
+      def settings_push_vault
+        Legion::Settings[:crypt][:vault][:push_cs_to_vault] || true
+      end
+
+      def only_member?
+        Legion::Transport::Queue.new('node.crypt', passive: true).consumer_count.zero?
+      rescue StandardError
+        nil
+      end
+
+      def set_cluster_secret(value, push_to_vault = true) # rubocop:disable Style/OptionalBooleanParameter
+        raise TypeError unless value.to_i(32).to_s(32) == value.downcase
+
+        Legion::Settings[:crypt][:cs_encrypt_ready] = true
+        push_cs_to_vault if push_to_vault && settings_push_vault
+
+        Legion::Settings[:crypt][:cluster_secret] = value
+      end
+
+      def push_cs_to_vault
+        return false unless Legion::Settings[:crypt][:vault][:connected] && Legion::Settings[:crypt][:cluster_secret]
+
+        Legion::Logging.info 'Pushing Cluster Secret to Vault'
+        Legion::Crypt.write('cluster', secret: Legion::Settings[:crypt][:cluster_secret])
+      end
+
+      def cluster_secret_timeout
+        Legion::Settings[:crypt][:cluster_secret_timeout] || 5
+      end
+
+      def secret_length
+        Legion::Settings[:crypt][:cluster_lenth] || 32
+      end
+
+      def generate_secure_random(length = secret_length)
+        SecureRandom.hex(length)
+      end
+
+      def cs
+        @cs ||= Digest::SHA256.digest(find_cluster_secret)
+      rescue StandardError => e
+        Legion::Logging.error e.message
+        Legion::Logging.error e.backtrace[0..10]
+      end
+
+      def validate_hex(value, length = secret_length)
+        value.to_i(length).to_s(length) == value.downcase
+      end
+    end
+  end
+end

data/lib/legion/crypt/settings.rb

@@ -3,28 +3,42 @@ module Legion
     module Settings
       def self.default
         {
-          vault:            vault,
+          vault: vault,
           cs_encrypt_ready: false,
-          dynamic_keys:     true
+          dynamic_keys: true,
+          cluster_secret: nil,
+          save_private_key: true,
+          read_private_key: true
         }
       end
 
       def self.vault
         {
-          enabled:             !Gem::Specification.find_by_name('vault').nil?,
-          protocol:            'http',
-          address:             'localhost',
-          port:                8200,
-          token:               ENV['VAULT_DEV_ROOT_TOKEN_ID'] || ENV['VAULT_TOKEN_ID'] || nil,
-          connected:           false,
-          renewer_time:        5,
-          renewer:             true,
+          enabled: !Gem::Specification.find_by_name('vault').nil?,
+          protocol: 'http',
+          address: 'localhost',
+          port: 8200,
+          token: ENV['VAULT_DEV_ROOT_TOKEN_ID'] || ENV['VAULT_TOKEN_ID'] || nil,
+          connected: false,
+          renewer_time: 5,
+          renewer: true,
           push_cluster_secret: true,
-          read_cluster_secret: true
+          read_cluster_secret: true,
+          kv_path: ENV['LEGION_VAULT_KV_PATH'] || 'legion'
         }
       end
     end
   end
 end
 
-Legion::Settings.merge_settings('crypt', Legion::Crypt::Settings.default) if Legion.const_defined?('Settings')
+begin
+  Legion::Settings.merge_settings('crypt', Legion::Crypt::Settings.default) if Legion.const_defined?('Settings')
+rescue StandardError => e
+  if Legion.const_defined?('Logging') && Legion::Logging.method_defined?(:fatal)
+    Legion::Logging.fatal(e.message)
+    Legion::Logging.fatal(e.backtrace)
+  else
+    puts e.message
+    puts e.backtrace
+  end
+end