lockbox 0.4.9 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5ad5a754772ecb9d5f0a480cab88a63de9ed2fcfd973eef25f286fcf13da7694
-  data.tar.gz: d38646c9d1aedee2bf12419a24064fa5b01e4ef4cb619e8cb48903c343ec67b1
+  metadata.gz: '00428f366a284e5e69806c18ef64a7bb66cdc0b2c1cb3e19528aa6bca99becea'
+  data.tar.gz: b5235c68771e0cb39653780dd4e08bdb27218f914b3889cecf959bc02efec3a8
 SHA512:
-  metadata.gz: 5f6e78e05cb6788ad8188314694846f70c438e3e43f48bdf1e8e6356ac94e64226a3790ebaab6369121d1083d551a7203281979731443cfdb1c611d52a617493
-  data.tar.gz: 30fc406d323dda8abdc0d5138880dc32b862abdd479e623180cf99c2531b466ef5a3be10620c975d0f2aee4b10e17b413cdc1cf21e03aa49ef5c6f0a7757cd82
+  metadata.gz: cd44c7b55ea270aa02fa5a4eda5aa38bde97eca39ce54093b6fc4907abe90e946827b4c12a8f5f43f21b6503ea9d1c713f505a86c9a6ea4075b1407b5630aeca
+  data.tar.gz: 0eba333d509de09a92cd1af74427cce30eca35d7eab41abddada5718227c5a1f3f013b3ad031f8015ca5e13c4b47f5aebe75c09d83f6bd91926ad7d55db6a1e4

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 0.5.0 (2020-11-22)
+
+- Improved error messages for hybrid cryptography
+- Changed warning to error when no attributes specified
+- Fixed issue with `pluck` when migrating
+- Fixed error with `key_table` and `key_attribute` options with `previous_versions`
+
 ## 0.4.9 (2020-10-01)
 
 - Added `key_table` and `key_attribute` options to `previous_versions`

data/README.md

@@ -1,14 +1,15 @@
 # Lockbox
 
-:package: Modern encryption for Rails
+:package: Modern encryption for Ruby and Rails
 
 - Works with database fields, files, and strings
 - Maximizes compatibility with existing code and libraries
 - Makes migrating existing data and key rotation easy
+- Has zero dependencies and many integrations
 
 Learn [the principles behind it](https://ankane.org/modern-encryption-rails), [how to secure emails with Devise](https://ankane.org/securing-user-emails-lockbox), and [how to secure sensitive data in Rails](https://ankane.org/sensitive-data-rails).
 
-[![Build Status](https://travis-ci.org/ankane/lockbox.svg?branch=master)](https://travis-ci.org/ankane/lockbox)
+[![Build Status](https://github.com/ankane/lockbox/workflows/build/badge.svg?branch=master)](https://github.com/ankane/lockbox/actions)
 
 ## Installation
 
@@ -413,44 +414,58 @@ Finally, delete the unencrypted files and drop the column for the original uploa
 
 ## Shrine
 
-Generate a key
+#### Models
+
+Include the attachment as normal:
 
 ```ruby
-key = Lockbox.generate_key
+class User < ApplicationRecord
+  include LicenseUploader::Attachment(:license)
+end
 ```
 
-Create a lockbox
+And encrypt in a controller (or background job, etc) with:
 
 ```ruby
-lockbox = Lockbox.new(key: key)
+license = params.require(:user).fetch(:license)
+lockbox = Lockbox.new(key: Lockbox.attribute_key(table: "users", attribute: "license"))
+user.license = lockbox.encrypt_io(license)
 ```
 
-Encrypt files before passing them to Shrine
+To serve encrypted files, use a controller action.
 
 ```ruby
-LicenseUploader.upload(lockbox.encrypt_io(file), :store)
+def license
+  user = User.find(params[:id])
+  lockbox = Lockbox.new(key: Lockbox.attribute_key(table: "users", attribute: "license"))
+  send_data lockbox.decrypt(user.license.read), type: user.license.mime_type
+end
 ```
 
-And decrypt them after reading
+#### Non-Models
+
+Generate a key
 
 ```ruby
-lockbox.decrypt(uploaded_file.read)
+key = Lockbox.generate_key
 ```
 
-For models, encrypt with:
+Create a lockbox
 
 ```ruby
-license = params.require(:user).fetch(:license)
-user.license = lockbox.encrypt_io(license)
+lockbox = Lockbox.new(key: key)
 ```
 
-To serve encrypted files, use a controller action.
+Encrypt files before passing them to Shrine
 
 ```ruby
-def license
-  user = User.find(params[:id])
-  send_data lockbox.decrypt(user.license.read), type: user.license.mime_type
-end
+LicenseUploader.upload(lockbox.encrypt_io(file), :store)
+```
+
+And decrypt them after reading
+
+```ruby
+lockbox.decrypt(uploaded_file.read)
 ```
 
 ## Local Files
@@ -655,6 +670,8 @@ This is the default algorithm. It’s:
 - an IETF standard
 - fast thanks to a [dedicated instruction set](https://en.wikipedia.org/wiki/AES_instruction_set)
 
+Lockbox uses 256-bit keys.
+
 **For users who do a lot of encryptions:** You should rotate an individual key after 2 billion encryptions to minimize the chance of a [nonce collision](https://www.cryptologie.net/article/402/is-symmetric-security-solved/), which will expose the key. Each database field and file uploader use a different key (derived from the master key) to extend this window.
 
 ### XSalsa20
@@ -708,6 +725,22 @@ For Ubuntu 16.04, use:
 sudo apt-get install libsodium18
 ```
 
+##### GitHub Actions
+
+For Ubuntu 20.04 and 18.04, use:
+
+```yml
+    - name: Install Libsodium
+      run: sudo apt-get install libsodium23
+```
+
+For Ubuntu 16.04, use:
+
+```yml
+    - name: Install Libsodium
+      run: sudo apt-get install libsodium18
+```
+
 ##### Travis CI
 
 On Bionic, add to `.travis.yml`:
@@ -735,8 +768,7 @@ Add a step to `.circleci/config.yml`:
 ```yml
 - run:
     name: install Libsodium
-    command: |
-      sudo apt-get install -y libsodium18
+    command: sudo apt-get install -y libsodium18
 ```
 
 ## Hybrid Cryptography

data/lib/lockbox.rb

@@ -4,6 +4,7 @@ require "openssl"
 require "securerandom"
 
 # modules
+require "lockbox/aes_gcm"
 require "lockbox/box"
 require "lockbox/calculations"
 require "lockbox/encryptor"

data/lib/lockbox/aes_gcm.rb

@@ -43,11 +43,10 @@ module Lockbox
       cipher.auth_data = associated_data || ""
 
       begin
-        if ciphertext.to_s.empty?
-          cipher.final
-        else
-          cipher.update(ciphertext) + cipher.final
-        end
+        message = String.new
+        message << cipher.update(ciphertext) unless ciphertext.to_s.empty?
+        message << cipher.final
+        message
       rescue OpenSSL::Cipher::CipherError
         fail_decryption
       end

data/lib/lockbox/box.rb

@@ -1,7 +1,7 @@
 module Lockbox
   class Box
     def initialize(key: nil, algorithm: nil, encryption_key: nil, decryption_key: nil, padding: false)
-      raise ArgumentError, "Cannot pass both key and public/private key" if key && (encryption_key || decryption_key)
+      raise ArgumentError, "Cannot pass both key and encryption/decryption key" if key && (encryption_key || decryption_key)
 
       key = Lockbox::Utils.decode_key(key) if key
       encryption_key = Lockbox::Utils.decode_key(encryption_key, size: 64) if encryption_key
@@ -12,7 +12,6 @@ module Lockbox
       case algorithm
       when "aes-gcm"
         raise ArgumentError, "Missing key" unless key
-        require "lockbox/aes_gcm"
         @box = AES_GCM.new(key)
       when "xchacha20"
         raise ArgumentError, "Missing key" unless key
@@ -39,7 +38,7 @@ module Lockbox
       message = Lockbox.pad(message, size: @padding) if @padding
       case @algorithm
       when "hybrid"
-        raise ArgumentError, "No public key set" unless @encryption_box
+        raise ArgumentError, "No encryption key set" unless defined?(@encryption_box)
         raise ArgumentError, "Associated data not supported with this algorithm" if associated_data
         nonce = generate_nonce(@encryption_box)
         ciphertext = @encryption_box.encrypt(nonce, message)
@@ -58,7 +57,7 @@ module Lockbox
       message =
         case @algorithm
         when "hybrid"
-          raise ArgumentError, "No private key set" unless @decryption_box
+          raise ArgumentError, "No decryption key set" unless defined?(@decryption_box)
           raise ArgumentError, "Associated data not supported with this algorithm" if associated_data
           nonce, ciphertext = extract_nonce(@decryption_box, ciphertext)
           @decryption_box.decrypt(nonce, ciphertext)

data/lib/lockbox/calculations.rb

@@ -3,7 +3,8 @@ module Lockbox
     def pluck(*column_names)
       return super unless model.respond_to?(:lockbox_attributes)
 
-      lockbox_columns = column_names.map.with_index { |c, i| [model.lockbox_attributes[c.to_sym], i] }.select(&:first)
+      lockbox_columns = column_names.map.with_index { |c, i| [model.lockbox_attributes[c.to_sym], i] }.select { |la, _i| la && !la[:migrating] }
+
       return super unless lockbox_columns.any?
 
       # replace column with ciphertext column

data/lib/lockbox/model.rb

@@ -27,8 +27,7 @@ module Lockbox
       activerecord = defined?(ActiveRecord::Base) && self < ActiveRecord::Base
       raise ArgumentError, "Type not supported yet with Mongoid" if options[:type] && !activerecord
 
-      # TODO raise ArgumentError in 0.5.0
-      warn "[lockbox] WARNING: No attributes specified" if attributes.empty?
+      raise ArgumentError, "No attributes specified" if attributes.empty?
 
       raise ArgumentError, "Cannot use key_attribute with multiple attributes" if options[:key_attribute] && attributes.size > 1
 
@@ -353,7 +352,7 @@ module Lockbox
             table = activerecord ? table_name : collection_name.to_s
 
             unless message.nil?
-              # TODO use attribute type class in 0.5.0
+              # TODO use attribute type class in 0.6.0
               case options[:type]
               when :boolean
                 message = ActiveRecord::Type::Boolean.new.serialize(message)
@@ -408,7 +407,7 @@ module Lockbox
               end
 
             unless message.nil?
-              # TODO use attribute type class in 0.5.0
+              # TODO use attribute type class in 0.6.0
               case options[:type]
               when :boolean
                 message = message == "t"

data/lib/lockbox/utils.rb

@@ -1,6 +1,7 @@
 module Lockbox
   class Utils
     def self.build_box(context, options, table, attribute)
+      # dup options (with except) since keys are sometimes changed or deleted
       options = options.except(:attribute, :encrypted_attribute, :migrating, :attached, :type)
       options[:encode] = false unless options.key?(:encode)
       options.each do |k, v|
@@ -26,9 +27,11 @@ module Lockbox
       end
 
       if options[:previous_versions].is_a?(Array)
-        options[:previous_versions] = options[:previous_versions].dup
+        # dup previous versions array (with map) since elements are updated
+        # dup each version (with dup) since keys are sometimes deleted
+        options[:previous_versions] = options[:previous_versions].map(&:dup)
         options[:previous_versions].each_with_index do |version, i|
-          if !(version[:key] || version[:encryption_key] || version[:decryption_key]) && version[:master_key]
+          if !(version[:key] || version[:encryption_key] || version[:decryption_key]) && (version[:master_key] || version[:key_table] || version[:key_attribute])
             # could also use key_table and key_attribute from options
             # when specified, but keep simple for now
             # also, this change isn't backward compatible
@@ -56,7 +59,7 @@ module Lockbox
         key = [key].pack("H*")
       end
 
-      raise Lockbox::Error, "#{name} must be 32 bytes (64 hex digits)" if key.bytesize != size
+      raise Lockbox::Error, "#{name} must be #{size} bytes (#{size * 2} hex digits)" if key.bytesize != size
       raise Lockbox::Error, "#{name} must use binary encoding" if key.encoding != Encoding::BINARY
 
       key
@@ -86,8 +89,7 @@ module Lockbox
           attachable = attachable.dup
           attachable[:io] = box.encrypt_io(io)
         else
-          # TODO raise ArgumentError
-          raise NotImplementedError, "Could not find or build blob: expected attachable, got #{attachable.inspect}"
+          raise ArgumentError, "Could not find or build blob: expected attachable, got #{attachable.inspect}"
         end
 
         # don't analyze encrypted data

data/lib/lockbox/version.rb

@@ -1,3 +1,3 @@
 module Lockbox
-  VERSION = "0.4.9"
+  VERSION = "0.5.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lockbox
 version: !ruby/object:Gem::Version
-  version: 0.4.9
+  version: 0.5.0
 platform: ruby
 authors:
 - Andrew Kane
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-10-02 00:00:00.000000000 Z
+date: 2020-11-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -150,6 +150,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: shrine
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: shrine-mongoid
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: benchmark-ips
   requirement: !ruby/object:Gem::Requirement
@@ -164,7 +192,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: 
+description:
 email: andrew@chartkick.com
 executables: []
 extensions: []
@@ -197,7 +225,7 @@ homepage: https://github.com/ankane/lockbox
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -212,8 +240,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
-summary: Modern encryption for Rails
+summary: Modern encryption for Ruby and Rails
 test_files: []