mastercard-client-encryption 1.0.2 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6ee1474b23b7bec011ba28254f5771a3ed89dd5995e4eed541d8382833d97429
-  data.tar.gz: 6fd5ef2ca4c9094744175dcdf4e297ea4f4cfd9ff4b22f32c6dffda8ebd46c37
+  metadata.gz: 498fe9a62ff880357316d0dd97d78d27dae85bca253702d905e2769087579ba2
+  data.tar.gz: 22a35a9afebde5f8f746067154c339ced42edd4b0d4ec0d6fa920963f1de5abd
 SHA512:
-  metadata.gz: 32064f9cf37511cc6d25e9922f25683ed522f472830ba1570212cc42c1e1cfb72c97f405114937b124d83ad8717eca828d4933089ab2ec266b411e6ba9816a71
-  data.tar.gz: aba8ffdc24a32e4af8cef5c9c3417b94e72922ce10a290cc026e4e9275a7e7ea92ed3787279cda55e966f956d1e1e157559f7142bdf4c5f6b5592986b1367254
+  metadata.gz: 3fe63908d6249e94fc6db683aefe97a82622ee4c8c59eca8e8a7cd21f7d79a96c0476f6efb6bc9362d2903eed8afc0a0d04a37b2b8a44ed438989560c5b47034
+  data.tar.gz: 879b24f693402374293b543d7a5bbacd4b05b12b23f4586a85ee2c078a3631fa16159051cc2acac2f07820fa48ddfdf6f1205dcd3419cf9cd2d6851af0ebb383

data/lib/mcapi/encryption/crypto/crypto.rb

@@ -20,11 +20,11 @@ module McAPI
       def initialize(config)
         valid_config?(config)
         @encoding = config['dataEncoding']
-        @cert = OpenSSL::X509::Certificate.new(File.read(config['encryptionCertificate']))
+        @cert = OpenSSL::X509::Certificate.new(IO.binread(config['encryptionCertificate']))
         if config['privateKey']
-          @private_key = OpenSSL::PKey.read(File.new(config['privateKey']))
+          @private_key = OpenSSL::PKey.read(IO.binread(config['privateKey']))
         elsif config['keyStore']
-          @private_key = OpenSSL::PKCS12.new(File.read(config['keyStore']), config['keyStorePassword']).key
+          @private_key = OpenSSL::PKCS12.new(IO.binread(config['keyStore']), config['keyStorePassword']).key
         end
         @oaep_hashing_alg = config['oaepPaddingDigestAlgorithm']
         @encrypted_value_field_name = config['encryptedValueFieldName']
@@ -37,8 +37,8 @@ module McAPI
       #
       # Generate encryption parameters.
       #
-      # @param [String] iv IV to use instead to generate a random IV
-      # @param [String] secret_key Secret Key to use instead to generate a random key
+      # @param [String,nil] iv IV to use instead to generate a random IV
+      # @param [String,nil] secret_key Secret Key to use instead to generate a random key
       #
       # @return [Hash] hash with the generated encryption parameters
       #
@@ -70,8 +70,8 @@ module McAPI
       # If +iv+, +secret_key+, +encryption_params+ and +encoding+ are not provided, randoms will be generated.
       #
       # @param [String] data json string to encrypt
-      # @param [String] (optional) iv Initialization vector to use to create the cipher, if not provided generate a random one
-      # @param [String] (optional) encryption_params encryption parameters
+      # @param [String,nil] (optional) iv Initialization vector to use to create the cipher, if not provided generate a random one
+      # @param [String,nil] (optional) encryption_params encryption parameters
       # @param [String] encoding encoding to use for the encrypted bytes (hex or base64)
       #
       # @return [String] encrypted data
@@ -103,11 +103,12 @@ module McAPI
       # @param [String] iv Initialization vector to use to create the Decipher
       # @param [String] encrypted_key Encrypted key to use to decrypt the data
       #                 (the key is the decrypted using the provided PrivateKey)
+      # @param [String] oaep_hashing_alg OAEP Algorithm to use
       #
       # @return [String] Decrypted JSON object
       #
-      def decrypt_data(encrypted_data, iv, encrypted_key)
-        md = Utils.create_message_digest(@oaep_hashing_alg)
+      def decrypt_data(encrypted_data, iv, encrypted_key, oaep_hashing_alg)
+        md = Utils.create_message_digest(oaep_hashing_alg)
         decrypted_key = @private_key.private_decrypt_oaep(Utils.decode(encrypted_key, @encoding), '', md, md)
         aes = OpenSSL::Cipher::AES.new(decrypted_key.size * 8, :CBC)
         aes.decrypt
@@ -121,7 +122,7 @@ module McAPI
       #
       # Compute the fingerprint for the provided public key
       #
-      # @param [String] type: +certificate+ or +publickey+
+      # @param [Hash] type: +certificate+ or +publickey+
       #
       # @return [String] the computed fingerprint encoded using the configured encoding
       #

data/lib/mcapi/encryption/crypto/jwe-crypto.rb

@@ -0,0 +1,175 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'openssl'
+require 'base64'
+require 'securerandom'
+require_relative '../utils/utils'
+require_relative '../utils/openssl_rsa_oaep'
+
+module McAPI
+  module Encryption
+    #
+    # JWE Crypto class provide RSA/AES encrypt/decrypt methods
+    #
+    class JweCrypto
+      #
+      # Create a new instance with the provided config
+      #
+      # @param [Hash] config configuration object
+      #
+      def initialize(config)
+        @encoding = config['dataEncoding']
+        @cert = OpenSSL::X509::Certificate.new(IO.binread(config['encryptionCertificate']))
+        if config['privateKey']
+          @private_key = OpenSSL::PKey.read(IO.binread(config['privateKey']))
+        elsif config['keyStore']
+          @private_key = OpenSSL::PKCS12.new(IO.binread(config['keyStore']), config['keyStorePassword']).key
+        end
+        @encrypted_value_field_name = config['encryptedValueFieldName'] || 'encryptedData'
+        @public_key_fingerprint = compute_public_fingerprint
+      end
+
+      #
+      # Perform data encryption:
+      #
+      # @param [String] data json string to encrypt
+      #
+      # @return [Hash] encrypted data
+      #
+      def encrypt_data(data:)
+        cek = SecureRandom.random_bytes(32)
+        iv = SecureRandom.random_bytes(12)
+
+        md = OpenSSL::Digest::SHA256
+        encrypted_key = @cert.public_key.public_encrypt_oaep(cek, '', md, md)
+
+        header = generate_header('RSA-OAEP-256', 'A256GCM')
+        json_hdr = header.to_json
+        auth_data = jwe_encode(json_hdr)
+
+        cipher = OpenSSL::Cipher.new('aes-256-gcm')
+        cipher.encrypt
+        cipher.key = cek
+        cipher.iv = iv
+        cipher.padding = 0
+        cipher.auth_data = auth_data
+        cipher_text = cipher.update(data) + cipher.final
+
+        payload = generate_serialization(json_hdr, encrypted_key, cipher_text, iv, cipher.auth_tag)
+        {
+          @encrypted_value_field_name => payload
+        }
+      end
+
+      #
+      # Perform data decryption
+      #
+      # @param [String] encrypted_data encrypted data to decrypt
+      #
+      # @return [String] Decrypted JSON object
+      #
+      def decrypt_data(encrypted_data:)
+        parts = encrypted_data.split('.')
+        encrypted_header, encrypted_key, initialization_vector, cipher_text, authentication_tag = parts
+
+        jwe_header = jwe_decode(encrypted_header)
+        encrypted_key = jwe_decode(encrypted_key)
+        iv = jwe_decode(initialization_vector)
+        cipher_text = jwe_decode(cipher_text)
+        cipher_tag = jwe_decode(authentication_tag)
+
+        md = OpenSSL::Digest::SHA256
+        cek = @private_key.private_decrypt_oaep(encrypted_key, '', md, md)
+
+        enc_method = JSON.parse(jwe_header)['enc']
+
+        if enc_method == "A256GCM"
+          enc_string = "aes-256-gcm"
+        elsif enc_method == "A128CBC-HS256"
+          cek = cek.byteslice(16, cek.length)
+          enc_string = "aes-128-cbc"
+        else
+          raise Exception, "Encryption method '#{enc_method}' not supported."
+        end
+
+        cipher = OpenSSL::Cipher.new(enc_string)
+        cipher.decrypt
+        cipher.key = cek
+        cipher.iv = iv
+        cipher.padding = 0
+        if enc_method == "A256GCM"
+          cipher.auth_data = encrypted_header
+          cipher.auth_tag = cipher_tag
+        end
+
+        cipher.update(cipher_text) + cipher.final
+      end
+
+      private
+
+      #
+      # Compute the fingerprint for the provided public key
+      #
+      # @return [String] the computed fingerprint encoded using the configured encoding
+      #
+      def compute_public_fingerprint
+        OpenSSL::Digest::SHA256.new(@cert.public_key.to_der).to_s
+      end
+
+      #
+      # Generate the JWE header for the provided encryption algorithm and encryption method
+      #
+      # @param [String] alg the cryptographic algorithm used to encrypt the value of the CEK
+      # @param [String] enc the content encryption algorithm used to perform authenticated encryption on the plaintext
+      #
+      # @return [Hash] the JWE header
+      #
+      def generate_header(alg, enc)
+        { alg: alg, enc: enc, kid: @public_key_fingerprint, cty: 'application/json' }
+      end
+
+      #
+      # URL safe Base64 encode the provided value
+      #
+      # @param [String] value to be encoded
+      #
+      # @return [String] URL safe Base64 encoded value
+      #
+      def jwe_encode(value)
+        ::Base64.urlsafe_encode64(value).delete('=')
+      end
+
+      #
+      # URL safe Base64 decode the provided value
+      #
+      # @param [String] value to be decoded
+      #
+      # @return [String] URL safe Base64 decoded value
+      #
+      def jwe_decode(value)
+        padlen = 4 - (value.length % 4)
+        if padlen < 4
+          pad = '=' * padlen
+          value += pad
+        end
+        ::Base64.urlsafe_decode64(value)
+      end
+
+      #
+      # Generate JWE compact payload from the provided values
+      #
+      # @param [String] hdr JWE header
+      # @param [String] cek content encryption key
+      # @param [String] content cipher text
+      # @param [String] iv initialization vector
+      # @param [String] tag cipher auth tag
+      #
+      # @return [String] URL safe Base64 decoded value
+      #
+      def generate_serialization(hdr, cek, content, iv, tag)
+        [hdr, cek, iv, content, tag].map { |piece| jwe_encode(piece) }.join '.'
+      end
+    end
+  end
+end

data/lib/mcapi/encryption/field_level_encryption.rb

@@ -2,6 +2,7 @@
 
 require_relative 'crypto/crypto'
 require_relative 'utils/hash.ext'
+require_relative 'utils/utils'
 require 'json'
 
 module McAPI
@@ -13,7 +14,7 @@ module McAPI
       #
       # Create a new instance with the provided configuration
       #
-      # @param [Object] config Configuration object
+      # @param [Hash] config Configuration object
       #
       def initialize(config)
         @config = config
@@ -27,7 +28,7 @@ module McAPI
       # Encrypt parts of a HTTP request using the given config
       #
       # @param [String] endpoint HTTP URL for the current call
-      # @param [Object] header HTTP header
+      # @param [Object|nil] header HTTP header
       # @param [String,Hash] body HTTP body
       #
       # @return [Hash] Hash with two keys:
@@ -36,20 +37,21 @@ module McAPI
       #
       def encrypt(endpoint, header, body)
         body = JSON.parse(body) if body.is_a?(String)
-        config = config?(endpoint)
+        config = McAPI::Utils.config?(endpoint, @config)
+        body_map = body
         if config
           if !@is_with_header
-            config['toEncrypt'].each do |v|
+            body_map = config['toEncrypt'].map do |v|
               encrypt_with_body(v, body)
             end
           else
             enc_params = @crypto.new_encryption_params
-            config['toEncrypt'].each do |v|
+            body_map = config['toEncrypt'].map do |v|
               body = encrypt_with_header(v, enc_params, header, body)
             end
           end
         end
-        { header: header, body: body.json }
+        { header: header, body: config ? McAPI::Utils.compute_body(config['toEncrypt'], body_map) { body.json } : body.json }
       end
 
       #
@@ -61,35 +63,42 @@ module McAPI
       #
       def decrypt(response)
         response = JSON.parse(response)
-        config = config?(response['request']['url'])
+        config = McAPI::Utils.config?(response['request']['url'], @config)
+        body_map = response
         if config
           if !@is_with_header
-            config['toDecrypt'].each do |v|
+            body_map = config['toDecrypt'].map do |v|
               decrypt_with_body(v, response['body'])
             end
           else
             config['toDecrypt'].each do |v|
-              elem = elem_from_path(v['obj'], response['body'])
+              elem = McAPI::Utils.elem_from_path(v['obj'], response['body'])
               decrypt_with_header(v, elem, response) if elem[:node][v['element']]
             end
           end
         end
+        response['body'] = McAPI::Utils.compute_body(config['toDecrypt'], body_map) { response['body'] } unless config.nil?
         JSON.generate(response)
       end
 
       private
 
       def encrypt_with_body(path, body)
-        elem = elem_from_path(path['element'], body)
+        elem = McAPI::Utils.elem_from_path(path['element'], body)
         return unless elem && elem[:node]
+
         encrypted_data = @crypto.encrypt_data(data: JSON.generate(elem[:node]))
-        McAPI::Utils.mutate_obj_prop(path['obj'], encrypted_data, body)
-        McAPI::Utils.delete_node(path['element'], body) if path['element'] != "#{path['obj']}.#{@config['encryptedValueFieldName']}"
+        body = McAPI::Utils.mutate_obj_prop(path['obj'], encrypted_data, body)
+        unless McAPI::Utils.json_root?(path['obj']) || path['element'] == "#{path['obj']}.#{@config['encryptedValueFieldName']}"
+          McAPI::Utils.delete_node(path['element'], body)
+        end
+        body
       end
 
       def encrypt_with_header(path, enc_params, header, body)
-        elem = elem_from_path(path['element'], body)
+        elem = McAPI::Utils.elem_from_path(path['element'], body)
         return unless elem && elem[:node]
+
         encrypted_data = @crypto.encrypt_data(data: JSON.generate(elem[:node]), encryption_params: enc_params)
         body = { path['obj'] => { @config['encryptedValueFieldName'] => encrypted_data[@config['encryptedValueFieldName']] } }
         set_header(header, enc_params)
@@ -97,11 +106,13 @@ module McAPI
       end
 
       def decrypt_with_body(path, body)
-        elem = elem_from_path(path['element'], body)
+        elem = McAPI::Utils.elem_from_path(path['element'], body)
         return unless elem && elem[:node]
+
         decrypted = @crypto.decrypt_data(elem[:node][@config['encryptedValueFieldName']],
-                                 elem[:node][@config['ivFieldName']],
-                                 elem[:node][@config['encryptedKeyFieldName']])
+                                         elem[:node][@config['ivFieldName']],
+                                         elem[:node][@config['encryptedKeyFieldName']],
+                                         elem[:node][@config['oaepHashingAlgorithmFieldName']])
         begin
           decrypted = JSON.parse(decrypted)
         rescue JSON::ParserError
@@ -116,29 +127,8 @@ module McAPI
         response['body'].clear
         response['body'] = JSON.parse(@crypto.decrypt_data(encrypted_data,
                                                            response['headers'][@config['ivHeaderName']][0],
-                                                           response['headers'][@config['encryptedKeyHeaderName']][0]))
-      end
-
-      def elem_from_path(path, obj)
-        parent = nil
-        paths = path.split('.')
-        if path && !paths.empty?
-          paths.each do |e|
-            parent = obj
-            obj = obj[e]
-          end
-        end
-        { node: obj, parent: parent }
-      rescue StandardError
-        nil
-      end
-
-      def config?(endpoint)
-        return unless endpoint
-
-        endpoint = endpoint.split('?').shift
-        conf = @config['paths'].select { |e| endpoint.match(e['path']) }
-        conf.empty? ? nil : conf[0]
+                                                           response['headers'][@config['encryptedKeyHeaderName']][0],
+                                                           response['headers'][@config['oaepHashingAlgorithmHeaderName']][0]))
       end
 
       def set_header(header, params)

data/lib/mcapi/encryption/jwe_encryption.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require_relative 'crypto/jwe-crypto'
+require_relative 'utils/hash.ext'
+require 'json'
+
+module McAPI
+  module Encryption
+    #
+    # Performs JWE encryption on HTTP payloads.
+    #
+    class JweEncryption
+      #
+      # Create a new instance with the provided configuration
+      #
+      # @param [Hash] config Configuration object
+      #
+      def initialize(config)
+        @config = config
+        @crypto = McAPI::Encryption::JweCrypto.new(config)
+      end
+
+      #
+      # Encrypt parts of a HTTP request using the given config
+      #
+      # @param [String] endpoint HTTP URL for the current call
+      # @param [Object|nil] header HTTP header
+      # @param [String,Hash] body HTTP body
+      #
+      # @return [Hash] Hash with two keys:
+      # * :header header with encrypted value (if configured with header)
+      # * :body encrypted body
+      #
+      def encrypt(endpoint, body)
+        body = JSON.parse(body) if body.is_a?(String)
+        config = McAPI::Utils.config?(endpoint, @config)
+        body_map = body
+        if config
+          body_map = config['toEncrypt'].map do |v|
+            encrypt_with_body(v, body)
+          end
+        end
+        { body: config ? McAPI::Utils.compute_body(config['toEncrypt'], body_map) { body.json } : body.json }
+      end
+
+      #
+      # Decrypt part of the HTTP response using the given config
+      #
+      # @param [Object] response object as obtained from the http client
+      #
+      # @return [Object] response object with decrypted fields
+      #
+      def decrypt(response)
+        response = JSON.parse(response)
+        config = McAPI::Utils.config?(response['request']['url'], @config)
+        body_map = response
+        if config
+          body_map = config['toDecrypt'].map do |v|
+            decrypt_with_body(v, response['body'])
+          end
+        end
+        response['body'] = McAPI::Utils.compute_body(config['toDecrypt'], body_map) { response['body'] } unless config.nil?
+        JSON.generate(response)
+      end
+
+      private
+
+      def encrypt_with_body(path, body)
+        elem = McAPI::Utils.elem_from_path(path['element'], body)
+        return unless elem && elem[:node]
+
+        encrypted_data = @crypto.encrypt_data(data: JSON.generate(elem[:node]))
+        body = McAPI::Utils.mutate_obj_prop(path['obj'], encrypted_data, body)
+        unless McAPI::Utils.json_root?(path['obj']) || path['element'] == "#{path['obj']}.#{@config['encryptedValueFieldName']}"
+          McAPI::Utils.delete_node(path['element'], body)
+        end
+        body
+      end
+
+      def decrypt_with_body(path, body)
+        elem = McAPI::Utils.elem_from_path(path['element'], body)
+        return unless elem && elem[:node]
+
+        decrypted = @crypto.decrypt_data(encrypted_data: elem[:node][@config['encryptedValueFieldName']])
+        begin
+          decrypted = JSON.parse(decrypted)
+        rescue JSON::ParserError
+          # ignored
+        end
+
+        McAPI::Utils.mutate_obj_prop(path['obj'], decrypted, body, path['element'], @encryption_response_properties)
+      end
+    end
+  end
+end

data/lib/mcapi/encryption/openapi_interceptor.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require_relative 'field_level_encryption'
+require_relative 'jwe_encryption'
 require_relative 'utils/utils'
 
 module McAPI
@@ -15,7 +16,7 @@ module McAPI
         # adding encryption/decryption capabilities for the request/response payload.
         #
         # @param [Object] swagger_client OpenAPI service client (it can be generated by the swagger code generator)
-        # @param [Object] config configuration object describing which field to enable encryption/decryption
+        # @param [Hash] config configuration object describing which field to enable encryption/decryption
         #
         def install_field_level_encryption(swagger_client, config)
           fle = McAPI::Encryption::FieldLevelEncryption.new(config)
@@ -27,14 +28,36 @@ module McAPI
           McAPI::Encryption::OpenAPIInterceptor.init_deserialize swagger_client
         end
 
+        #
+        # Install the JWE encryption in the OpenAPI HTTP client
+        # adding encryption/decryption capabilities for the request/response payload.
+        #
+        # @param [Object] swagger_client OpenAPI service client (it can be generated by the swagger code generator)
+        # @param [Hash] config configuration object describing which field to enable encryption/decryption
+        #
+        def install_jwe_encryption(swagger_client, config)
+          jwe = McAPI::Encryption::JweEncryption.new(config)
+          # Hooking ApiClient#call_api
+          hook_call_api jwe
+          # Hooking ApiClient#deserialize
+          hook_deserialize jwe
+          McAPI::Encryption::OpenAPIInterceptor.init_call_api swagger_client
+          McAPI::Encryption::OpenAPIInterceptor.init_deserialize swagger_client
+        end
+
         private
 
-        def hook_call_api(fle)
+        def hook_call_api(enc)
           self.class.send :define_method, :init_call_api do |client|
             client.define_singleton_method(:call_api) do |http_method, path, opts|
               if opts && opts[:body]
-                encrypted = fle.encrypt(path, opts[:header_params], opts[:body])
-                opts[:body] = JSON.generate(encrypted[:body])
+                if enc.instance_of? McAPI::Encryption::FieldLevelEncryption
+                  encrypted = enc.encrypt(path, opts[:header_params], opts[:body])
+                  opts[:body] = JSON.generate(encrypted[:body])
+                else
+                  encrypted = enc.encrypt(path, opts[:body])
+                  opts[:body] = JSON.generate(encrypted[:body])
+                end
               end
               # noinspection RubySuperCallWithoutSuperclassInspection
               super(http_method, path, opts)
@@ -42,15 +65,20 @@ module McAPI
           end
         end
 
-        def hook_deserialize(fle)
+        def hook_deserialize(enc)
           self.class.send :define_method, :init_deserialize do |client|
             client.define_singleton_method(:deserialize) do |response, return_type|
-              if response && response.body
+              if response&.body
                 endpoint = response.request.base_url.sub client.config.base_url, ''
-                to_decrypt = { headers: McAPI::Utils.parse_header(response.options[:response_headers]),
-                               request: { url: endpoint },
-                               body: JSON.parse(response.body) }
-                decrypted = fle.decrypt(JSON.generate(to_decrypt, symbolize_names: false))
+                if enc.instance_of? McAPI::Encryption::FieldLevelEncryption
+                  to_decrypt = { headers: McAPI::Utils.parse_header(response.options[:response_headers]),
+                                 request: { url: endpoint },
+                                 body: JSON.parse(response.body) }
+                else
+                  to_decrypt = { request: { url: endpoint },
+                                 body: JSON.parse(response.body) }
+                end
+                decrypted = enc.decrypt(JSON.generate(to_decrypt, symbolize_names: false))
                 body = JSON.generate(JSON.parse(decrypted)['body'])
                 response.options[:response_body] = JSON.generate(JSON.parse(body))
               end

data/lib/mcapi/encryption/utils/openssl_rsa_oaep.rb

@@ -51,7 +51,7 @@ module OpenSSL
       em = str.bytes
       raise OpenSSL::PKey::RSAError if em.size < 2 * mdlen + 2
 
-      # Keep constant calculation even if the text is invaid in order to avoid attacks.
+      # Keep constant calculation even if the text is invalid in order to avoid attacks.
       good = secure_byte_is_zero(em[0])
       masked_seed = em[1...1 + mdlen].pack('C*')
       masked_db = em[1 + mdlen...em.size].pack('C*')

data/lib/mcapi/encryption/utils/utils.rb

@@ -66,22 +66,27 @@ module McAPI
     def self.mutate_obj_prop(path, value, obj, src_path = nil, properties = [])
       tmp = obj
       prev = nil
-      return unless path
+      return obj unless path
 
       delete_node(src_path, obj, properties) if src_path
       paths = path.split('.')
-      paths.each do |e|
-        tmp[e] = {} unless tmp[e]
-        prev = tmp
-        tmp = tmp[e]
+      unless path == '$'
+        paths.each do |e|
+          tmp[e] = {} unless tmp[e]
+          prev = tmp
+          tmp = tmp[e]
+        end
       end
       elem = path.split('.').pop
-      if value.is_a?(Hash) && !value.is_a?(Array)
+      if elem == '$'
+        obj = value # replace root
+      elsif value.is_a?(Hash) && !value.is_a?(Array)
         prev[elem] = {} unless prev[elem].is_a?(Hash)
         override_props(prev[elem], value)
       else
         prev[elem] = value
       end
+      obj
     end
 
     def self.override_props(target, obj)
@@ -105,6 +110,7 @@ module McAPI
         obj = obj[e]
         prev.delete(to_delete) if obj && index == paths.size - 1
       end
+      obj.keys.each { |e| obj.delete(e) } if paths.length == 1 && paths[0] == '$'
       properties.each { |e| obj.delete(e) } if paths.empty?
     end
 
@@ -140,5 +146,45 @@ module McAPI
       end
       header
     end
+
+    #
+    # Get an element from the JSON path
+    #
+    def self.elem_from_path(path, obj)
+      parent = nil
+      paths = path.split('.')
+      if path && !paths.empty?
+        paths.each do |e|
+          parent = obj
+          obj = json_root?(e) ? obj : obj[e]
+        end
+      end
+      { node: obj, parent: parent }
+    rescue StandardError
+      nil
+    end
+
+    #
+    # Check whether the encryption/decryption path refers to the root element
+    #
+    def self.json_root?(elem)
+      elem == '$'
+    end
+
+    def self.config?(endpoint, config)
+      return unless endpoint
+
+      endpoint = endpoint.split('?').shift
+      conf = config['paths'].select { |e| endpoint.match(e['path']) }
+      conf.empty? ? nil : conf[0]
+    end
+
+    def self.compute_body(config_param, body_map)
+      encryption_param?(config_param, body_map) ? body_map[0] : yield
+    end
+
+    def self.encryption_param?(enc_param, body_map)
+      enc_param.length == 1 && body_map.length == 1
+    end
   end
 end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: mastercard-client-encryption
 version: !ruby/object:Gem::Version
-  version: 1.0.2
+  version: 1.2.0
 platform: ruby
 authors:
 - Mastercard
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-08-13 00:00:00.000000000 Z
+date: 2022-07-21 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: hamster
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -42,16 +56,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -73,7 +87,9 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/mcapi/encryption/crypto/crypto.rb
+- lib/mcapi/encryption/crypto/jwe-crypto.rb
 - lib/mcapi/encryption/field_level_encryption.rb
+- lib/mcapi/encryption/jwe_encryption.rb
 - lib/mcapi/encryption/openapi_interceptor.rb
 - lib/mcapi/encryption/utils/hash.ext.rb
 - lib/mcapi/encryption/utils/openssl_rsa_oaep.rb