legion-crypt 0.3.0 → 1.2.0

data/NOTICE.txt

@@ -0,0 +1,9 @@
+<Insert Project Name Here>
+Copyright 2020 Optum
+
+Project Description:
+====================
+<Short description of your project>
+
+Author(s):
+<List the names and GitHub IDs of the original project authors>

data/README.md

@@ -1,3 +1,56 @@
-# Legion::Crypt
+Legion::Crypt
+=====
 
-The Legion encryption module
+Legion::Crypt is the class responsible for encryption, managing secrets and connecting with Vault
+
+Supported Ruby versions and implementations
+------------------------------------------------
+
+Legion::Crypt should work identically on:
+
+* JRuby 9.2+
+* Ruby 2.4+
+
+
+Installation and Usage
+------------------------
+
+You can verify your installation using this piece of code:
+
+```bash
+gem install legion-crypt
+```
+
+```ruby
+require 'legion/crypt'
+
+Legion::Crypt.start
+Legion::Crypt.encrypt('this is my string')
+Legion::Crypt.decrypt(message)
+```
+
+Settings
+----------
+
+```json
+{
+  "vault": {
+    "enabled": false,
+    "protocol": "http",
+    "address": "localhost",
+    "port": 8200,
+    "token": null,
+    "connected": false
+  },
+  "cs_encrypt_ready": false,
+  "dynamic_keys": true,
+  "cluster_secret": null,
+  "save_private_key": false,
+  "read_private_key": false
+}
+```
+
+Authors
+----------
+
+* [Matthew Iverson](https://github.com/Esity) - current maintainer

data/SECURITY.md

@@ -0,0 +1,9 @@
+# Security Policy
+
+## Supported Versions
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+To be added

data/attribution.txt

@@ -0,0 +1 @@
+Add attributions here.

data/legion-crypt.gemspec

@@ -3,37 +3,30 @@
 require_relative 'lib/legion/crypt/version'
 
 Gem::Specification.new do |spec|
-  spec.name          = 'legion-crypt'
+  spec.name = 'legion-crypt'
   spec.version       = Legion::Crypt::VERSION
   spec.authors       = ['Esity']
-  spec.email         = ['matthewdiverson@gmail.com']
-
-  spec.summary       = 'Legion::Vault is used to keep things safe'
-  spec.description   = 'Integrates with Hashicorps vault and other encryption type things'
-  spec.homepage      = 'https://bitbucket.org/legion-io/legion-vault/'
-  spec.license       = 'MIT'
-  spec.required_ruby_version = Gem::Requirement.new('>= 2.5.0')
-
-  spec.metadata['homepage_uri'] = spec.homepage
-  spec.metadata['source_code_uri'] = 'https://bitbucket.org/legion-io/legion/'
-  spec.metadata['changelog_uri'] = 'https://bitbucket.org/legion-io/legion/src/master/CHANGELOG.md'
-  spec.metadata['wiki_uri'] = 'https://bitbucket.org/legion-io/legion-crypt/wiki'
-  spec.metadata['bug_tracker_uri'] = 'https://bitbucket.org/legion-io/legion-crypt/issues'
-
-  spec.files = Dir.chdir(File.expand_path(__dir__)) do
-    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
-  end
+  spec.email         = %w[matthewdiverson@gmail.com ruby@optum.com]
+  spec.summary       = 'Handles requests for encrypt, decrypting, connecting to Vault, among other things'
+  spec.description   = 'A gem used by the LegionIO framework for encryption'
+  spec.homepage      = 'https://github.com/Optum/legion-crypt'
+  spec.license       = 'Apache-2.0'
   spec.require_paths = ['lib']
+  spec.required_ruby_version = '>= 2.4'
+  spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.test_files        = spec.files.select { |p| p =~ %r{^test/.*_test.rb} }
+  spec.extra_rdoc_files  = %w[README.md LICENSE CHANGELOG.md]
+  spec.metadata = {
+    'bug_tracker_uri' => 'https://github.com/Optum/legion-crypt/issues',
+    'changelog_uri' => 'https://github.com/Optum/legion-crypt/src/main/CHANGELOG.md',
+    'documentation_uri' => 'https://github.com/Optum/legion-crypt',
+    'homepage_uri' => 'https://github.com/Optum/LegionIO',
+    'source_code_uri' => 'https://github.com/Optum/legion-crypt',
+    'wiki_uri' => 'https://github.com/Optum/legion-crypt/wiki'
+  }
 
   spec.add_dependency 'vault', '>= 0.15.0'
 
-  spec.add_development_dependency 'legionio'
   spec.add_development_dependency 'legion-logging'
   spec.add_development_dependency 'legion-settings'
-  spec.add_development_dependency 'legion-transport'
-  spec.add_development_dependency 'rspec'
-  spec.add_development_dependency 'rspec_junit_formatter'
-  spec.add_development_dependency 'rubocop'
-  spec.add_development_dependency 'simplecov', '< 0.18.0'
-  spec.add_development_dependency 'simplecov_json_formatter'
 end

data/lib/legion/crypt.rb

@@ -1,10 +1,7 @@
-# frozen_string_literal: true
-
 require 'openssl'
 require 'base64'
 require 'legion/crypt/version'
 require 'legion/crypt/settings'
-
 require 'legion/crypt/cipher'
 
 module Legion

data/lib/legion/crypt/cipher.rb

@@ -1,8 +1,11 @@
 require 'securerandom'
+require 'legion/crypt/cluster_secret'
 
 module Legion
   module Crypt
     module Cipher
+      include Legion::Crypt::ClusterSecret
+
       def encrypt(message)
         cipher = OpenSSL::Cipher.new('aes-256-cbc')
         cipher.encrypt
@@ -46,58 +49,6 @@ module Legion
                            OpenSSL::PKey::RSA.new 2048
                          end
       end
-
-      def cs
-        @cs ||= Digest::SHA256.digest(fetch_cs)
-      end
-
-      def fetch_cs # rubocop:disable Metrics/AbcSize,Metrics/PerceivedComplexity,Metrics/CyclomaticComplexity
-        if Legion::Settings[:crypt][:vault][:read_cluster_secret] && Legion::Settings[:crypt][:vault][:connected] && Legion::Crypt.exist?('crypt') # rubocop:disable Layout/LineLength
-          Legion::Crypt.get('crypt')[:cluster_secret]
-        elsif Legion::Settings[:crypt][:cluster_secret].is_a? String
-          Legion::Settings[:crypt][:cluster_secret]
-        elsif Legion::Transport::Queue.new('node.crypt', passive: true).consumer_count.zero?
-          Legion::Settings[:crypt][:cluster_secret] = generate_secure_random
-        elsif Legion::Transport::Queue.new('node.crypt', passive: true).consumer_count.positive?
-          require 'legion/transport/messages/request_cluster_secret'
-          Legion::Logging.info 'Requesting cluster secret via public key'
-          start = Time.now
-          Legion::Transport::Messages::RequestClusterSecret.new.publish
-          sleep_time = 0.001
-          until !Legion::Settings[:crypt][:cluster_secret].nil? || (Time.now - start) > Legion::Settings[:crypt][:cluster_secret_timeout]
-            sleep(sleep_time)
-            sleep_time *= 2 unless sleep_time > 0.5
-          end
-
-          if Legion::Settings[:crypt][:cluster_secret].nil?
-            Legion::Logging.warn 'Cluster secret is still nil'
-          else
-            Legion::Logging.info "Received cluster secret in #{((Time.new - start) * 1000.0).round}ms"
-          end
-        end
-      rescue StandardError => e
-        Legion::Logging.error(e.message)
-        Legion::Logging.error(e.backtrace)
-      ensure
-        Legion::Settings[:crypt][:cluster_secret] = generate_secure_random unless Legion::Settings[:crypt].key? :cluster_secret
-        nil if Legion::Settings[:crypt][:cluster_secret].nil?
-
-        Legion::Settings[:crypt][:cs_encrypt_ready] = true
-        push_cs_to_vault if Legion::Settings[:crypt][:vault][:push_cs_to_vault]
-
-        return Legion::Settings[:crypt][:cluster_secret] # rubocop:disable Lint/EnsureReturn
-      end
-
-      def push_cs_to_vault
-        return false unless Legion::Settings[:crypt][:vault][:connected] && Legion::Settings[:crypt][:cluster_secret]
-
-        Legion::Logging.info 'Pushing Cluster Secret to Vault'
-        Legion::Crypt.write('cluster', secret: Legion::Settings[:crypt][:cluster_secret])
-      end
-
-      def generate_secure_random
-        SecureRandom.uuid
-      end
     end
   end
 end

data/lib/legion/crypt/cluster_secret.rb

@@ -0,0 +1,121 @@
+require 'securerandom'
+
+module Legion
+  module Crypt
+    module ClusterSecret
+      def find_cluster_secret
+        %i[from_settings from_vault from_transport generate_secure_random].each do |method|
+          result = send(method)
+          next if result.nil?
+
+          unless validate_hex(result)
+            Legion::Logging.warn("Legion::Crypt.#{method} gave a value but it isn't a valid hex")
+            next
+          end
+
+          set_cluster_secret(result, method != :from_vault)
+          return result
+        end
+        return unless only_member?
+
+        key = generate_secure_random
+        set_cluster_secret(key)
+        key
+      end
+
+      def from_vault
+        return nil unless method_defined? :get
+        return nil unless Legion::Settings[:crypt][:vault][:read_cluster_secret]
+        return nil unless Legion::Settings[:crypt][:vault][:connected]
+        return nil unless Legion::Crypt.exist?('crypt')
+
+        get('crypt')[:cluster_secret]
+      rescue StandardError
+        nil
+      end
+
+      def from_settings
+        Legion::Settings[:crypt][:cluster_secret]
+      end
+      alias cluster_secret from_settings
+
+      def from_transport # rubocop:disable Metrics/AbcSize
+        return nil unless Legion::Settings[:transport][:connected]
+
+        require 'legion/transport/messages/request_cluster_secret'
+        Legion::Logging.info 'Requesting cluster secret via public key'
+        Legion::Logging.warn 'cluster_secret already set but we are requesting a new value' unless from_settings.nil?
+        start = Time.now
+        Legion::Transport::Messages::RequestClusterSecret.new.publish
+        sleep_time = 0.001
+        until !Legion::Settings[:crypt][:cluster_secret].nil? || (Time.now - start) > cluster_secret_timeout
+          sleep(sleep_time)
+          sleep_time *= 2 unless sleep_time > 0.5
+        end
+
+        unless from_settings.nil?
+          Legion::Logging.info "Received cluster secret in #{((Time.new - start) * 1000.0).round}ms"
+          from_settings
+        end
+
+        Legion::Logging.error 'Cluster secret is still unknown!'
+      rescue StandardError => e
+        Legion::Logging.error e.message
+        Legion::Logging.error e.backtrace[0..10]
+      end
+
+      def force_cluster_secret
+        Legion::Settings[:crypt][:force_cluster_secret] || true
+      end
+
+      def settings_push_vault
+        Legion::Settings[:crypt][:vault][:push_cs_to_vault] || true
+      end
+
+      def only_member?
+        Legion::Transport::Queue.new('node.crypt', passive: true).consumer_count.zero?
+      rescue StandardError
+        nil
+      end
+
+      def set_cluster_secret(value, push_to_vault = true) # rubocop:disable Style/OptionalBooleanParameter
+        raise TypeError unless value.to_i(32).to_s(32) == value.downcase
+
+        Legion::Settings[:crypt][:cs_encrypt_ready] = true
+        push_cs_to_vault if push_to_vault && settings_push_vault
+
+        Legion::Settings[:crypt][:cluster_secret] = value
+      end
+
+      def push_cs_to_vault
+        return false unless Legion::Settings[:crypt][:vault][:connected] && Legion::Settings[:crypt][:cluster_secret]
+
+        Legion::Logging.info 'Pushing Cluster Secret to Vault'
+        Legion::Crypt.write('cluster', secret: Legion::Settings[:crypt][:cluster_secret])
+      end
+
+      def cluster_secret_timeout
+        Legion::Settings[:crypt][:cluster_secret_timeout] || 5
+      end
+
+      def secret_length
+        Legion::Settings[:crypt][:cluster_lenth] || 32
+      end
+
+      def generate_secure_random(length = secret_length)
+        SecureRandom.hex(length)
+      end
+
+      def cs
+        @cs ||= Digest::SHA256.digest(find_cluster_secret)
+      rescue StandardError => e
+        Legion::Logging.error e.message
+        Legion::Logging.error e.backtrace[0..10]
+      end
+
+      def validate_hex(value, length = secret_length)
+        value.to_i(length).to_s(length) == value.downcase
+      end
+    end
+  end
+end

data/lib/legion/crypt/version.rb

@@ -2,6 +2,6 @@
 
 module Legion
   module Crypt
-    VERSION = '0.3.0'
+    VERSION = '1.2.0'
   end
 end

data/sourcehawk.yml

@@ -0,0 +1,4 @@
+
+config-locations:
+  - https://raw.githubusercontent.com/optum/.github/main/sourcehawk.yml
+  

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: legion-crypt
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 1.2.0
 platform: ruby
 authors:
 - Esity
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-03 00:00:00.000000000 Z
+date: 2021-06-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: vault
@@ -24,20 +24,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.15.0
-- !ruby/object:Gem::Dependency
-  name: legionio
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: legion-logging
   requirement: !ruby/object:Gem::Requirement
@@ -66,125 +52,51 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: legion-transport
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: rspec_junit_formatter
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: rubocop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: simplecov
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 0.18.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 0.18.0
-- !ruby/object:Gem::Dependency
-  name: simplecov_json_formatter
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-description: Integrates with Hashicorps vault and other encryption type things
+description: A gem used by the LegionIO framework for encryption
 email:
 - matthewdiverson@gmail.com
+- ruby@optum.com
 executables: []
 extensions: []
-extra_rdoc_files: []
+extra_rdoc_files:
+- README.md
+- LICENSE
+- CHANGELOG.md
 files:
-- ".circleci/config.yml"
+- ".github/workflows/rubocop-analysis.yml"
+- ".github/workflows/sourcehawk-scan.yml"
 - ".gitignore"
-- ".rspec"
 - ".rubocop.yml"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
 - Gemfile
-- Gemfile.lock
-- LICENSE.txt
+- INDIVIDUAL_CONTRIBUTOR_LICENSE.md
+- LICENSE
+- NOTICE.txt
 - README.md
-- Rakefile
-- bitbucket-pipelines.yml
+- SECURITY.md
+- attribution.txt
 - legion-crypt.gemspec
 - lib/legion/crypt.rb
 - lib/legion/crypt/cipher.rb
+- lib/legion/crypt/cluster_secret.rb
 - lib/legion/crypt/settings.rb
 - lib/legion/crypt/vault.rb
 - lib/legion/crypt/vault_renewer.rb
 - lib/legion/crypt/version.rb
-- settings/transport.json
 - sonar-project.properties
-homepage: https://bitbucket.org/legion-io/legion-vault/
+- sourcehawk.yml
+homepage: https://github.com/Optum/legion-crypt
 licenses:
-- MIT
+- Apache-2.0
 metadata:
-  homepage_uri: https://bitbucket.org/legion-io/legion-vault/
-  source_code_uri: https://bitbucket.org/legion-io/legion/
-  changelog_uri: https://bitbucket.org/legion-io/legion/src/master/CHANGELOG.md
-  wiki_uri: https://bitbucket.org/legion-io/legion-crypt/wiki
-  bug_tracker_uri: https://bitbucket.org/legion-io/legion-crypt/issues
+  bug_tracker_uri: https://github.com/Optum/legion-crypt/issues
+  changelog_uri: https://github.com/Optum/legion-crypt/src/main/CHANGELOG.md
+  documentation_uri: https://github.com/Optum/legion-crypt
+  homepage_uri: https://github.com/Optum/LegionIO
+  source_code_uri: https://github.com/Optum/legion-crypt
+  wiki_uri: https://github.com/Optum/legion-crypt/wiki
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -193,15 +105,16 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.5.0
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.6
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
-summary: Legion::Vault is used to keep things safe
+summary: Handles requests for encrypt, decrypting, connecting to Vault, among other
+  things
 test_files: []