mastercard-client-encryption 1.0.3 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b9426fa736ec3824895a9bc3a03f71bc99fb3ad26b965203a35b404965428668
-  data.tar.gz: 1fb1aeda422b4536eb993767d2ae1ed6a8be4fe34eb821f76bc9baa3e69691fa
+  metadata.gz: b77cd2d8a1ded5e2456a290e91add5537e3de8ce397e02c049b58a23c4d93f79
+  data.tar.gz: 82350cf1e7aafc602f7efccdf94b271ef218b77fa26b90be3bd7baac18855c27
 SHA512:
-  metadata.gz: 478919fe88592526cb8172e47173411fe866c0b35bd885eb3a19842908ea0924d2314a0ec56e064d42ae1c8ccdfaa8aa1336ce5605bc705507a730b74d0ecccb
-  data.tar.gz: ddca20378a92bc44019a40abcf03ef548fe8278229c106161377aa3b52df21b5d2fa68631b8c618bfefd6ef64aa8ac2503f71519bbf14026934754cbd21f78f1
+  metadata.gz: a56bec98e3a1ed10af314ecf1c318abbf88b36a39dab24f3f888ed2a05d8767befde6fc807022a57ae1d33d6a50c163903bb436f52de480683be9d59f2044c43
+  data.tar.gz: cf09bf8da562269a9f481bea48662cf44c0381cdbfed88945436d627bea23cc8bb3b4fb63247042f7c3fbffc87ece128109ec128b832a868588f7db478a52012

data/lib/mcapi/encryption/crypto/crypto.rb

@@ -37,8 +37,8 @@ module McAPI
       #
       # Generate encryption parameters.
       #
-      # @param [String] iv IV to use instead to generate a random IV
-      # @param [String] secret_key Secret Key to use instead to generate a random key
+      # @param [String,nil] iv IV to use instead to generate a random IV
+      # @param [String,nil] secret_key Secret Key to use instead to generate a random key
       #
       # @return [Hash] hash with the generated encryption parameters
       #
@@ -70,8 +70,8 @@ module McAPI
       # If +iv+, +secret_key+, +encryption_params+ and +encoding+ are not provided, randoms will be generated.
       #
       # @param [String] data json string to encrypt
-      # @param [String] (optional) iv Initialization vector to use to create the cipher, if not provided generate a random one
-      # @param [String] (optional) encryption_params encryption parameters
+      # @param [String,nil] (optional) iv Initialization vector to use to create the cipher, if not provided generate a random one
+      # @param [String,nil] (optional) encryption_params encryption parameters
       # @param [String] encoding encoding to use for the encrypted bytes (hex or base64)
       #
       # @return [String] encrypted data
@@ -103,11 +103,12 @@ module McAPI
       # @param [String] iv Initialization vector to use to create the Decipher
       # @param [String] encrypted_key Encrypted key to use to decrypt the data
       #                 (the key is the decrypted using the provided PrivateKey)
+      # @param [String] oaep_hashing_alg OAEP Algorithm to use
       #
       # @return [String] Decrypted JSON object
       #
-      def decrypt_data(encrypted_data, iv, encrypted_key)
-        md = Utils.create_message_digest(@oaep_hashing_alg)
+      def decrypt_data(encrypted_data, iv, encrypted_key, oaep_hashing_alg)
+        md = Utils.create_message_digest(oaep_hashing_alg)
         decrypted_key = @private_key.private_decrypt_oaep(Utils.decode(encrypted_key, @encoding), '', md, md)
         aes = OpenSSL::Cipher::AES.new(decrypted_key.size * 8, :CBC)
         aes.decrypt
@@ -121,7 +122,7 @@ module McAPI
       #
       # Compute the fingerprint for the provided public key
       #
-      # @param [String] type: +certificate+ or +publickey+
+      # @param [Hash] type: +certificate+ or +publickey+
       #
       # @return [String] the computed fingerprint encoded using the configured encoding
       #

data/lib/mcapi/encryption/field_level_encryption.rb

@@ -13,7 +13,7 @@ module McAPI
       #
       # Create a new instance with the provided configuration
       #
-      # @param [Object] config Configuration object
+      # @param [Hash] config Configuration object
       #
       def initialize(config)
         @config = config
@@ -27,7 +27,7 @@ module McAPI
       # Encrypt parts of a HTTP request using the given config
       #
       # @param [String] endpoint HTTP URL for the current call
-      # @param [Object] header HTTP header
+      # @param [Object|nil] header HTTP header
       # @param [String,Hash] body HTTP body
       #
       # @return [Hash] Hash with two keys:
@@ -37,19 +37,20 @@ module McAPI
       def encrypt(endpoint, header, body)
         body = JSON.parse(body) if body.is_a?(String)
         config = config?(endpoint)
+        body_map = body
         if config
           if !@is_with_header
-            config['toEncrypt'].each do |v|
+            body_map = config['toEncrypt'].map do |v|
               encrypt_with_body(v, body)
             end
           else
             enc_params = @crypto.new_encryption_params
-            config['toEncrypt'].each do |v|
+            body_map = config['toEncrypt'].map do |v|
               body = encrypt_with_header(v, enc_params, header, body)
             end
           end
         end
-        { header: header, body: body.json }
+        { header: header, body: config ? compute_body(config['toEncrypt'], body_map) { body.json } : body.json }
       end
 
       #
@@ -62,9 +63,10 @@ module McAPI
       def decrypt(response)
         response = JSON.parse(response)
         config = config?(response['request']['url'])
+        body_map = response
         if config
           if !@is_with_header
-            config['toDecrypt'].each do |v|
+            body_map = config['toDecrypt'].map do |v|
               decrypt_with_body(v, response['body'])
             end
           else
@@ -74,6 +76,7 @@ module McAPI
             end
           end
         end
+        response['body'] = compute_body(config['toDecrypt'], body_map) { response['body'] } unless config.nil?
         JSON.generate(response)
       end
 
@@ -82,14 +85,19 @@ module McAPI
       def encrypt_with_body(path, body)
         elem = elem_from_path(path['element'], body)
         return unless elem && elem[:node]
+
         encrypted_data = @crypto.encrypt_data(data: JSON.generate(elem[:node]))
-        McAPI::Utils.mutate_obj_prop(path['obj'], encrypted_data, body)
-        McAPI::Utils.delete_node(path['element'], body) if path['element'] != "#{path['obj']}.#{@config['encryptedValueFieldName']}"
+        body = McAPI::Utils.mutate_obj_prop(path['obj'], encrypted_data, body)
+        unless json_root?(path['obj']) || path['element'] == "#{path['obj']}.#{@config['encryptedValueFieldName']}"
+          McAPI::Utils.delete_node(path['element'], body)
+        end
+        body
       end
 
       def encrypt_with_header(path, enc_params, header, body)
         elem = elem_from_path(path['element'], body)
         return unless elem && elem[:node]
+
         encrypted_data = @crypto.encrypt_data(data: JSON.generate(elem[:node]), encryption_params: enc_params)
         body = { path['obj'] => { @config['encryptedValueFieldName'] => encrypted_data[@config['encryptedValueFieldName']] } }
         set_header(header, enc_params)
@@ -99,9 +107,11 @@ module McAPI
       def decrypt_with_body(path, body)
         elem = elem_from_path(path['element'], body)
         return unless elem && elem[:node]
+
         decrypted = @crypto.decrypt_data(elem[:node][@config['encryptedValueFieldName']],
-                                 elem[:node][@config['ivFieldName']],
-                                 elem[:node][@config['encryptedKeyFieldName']])
+                                         elem[:node][@config['ivFieldName']],
+                                         elem[:node][@config['encryptedKeyFieldName']],
+                                         elem[:node][@config['oaepHashingAlgorithmFieldName']])
         begin
           decrypted = JSON.parse(decrypted)
         rescue JSON::ParserError
@@ -116,7 +126,8 @@ module McAPI
         response['body'].clear
         response['body'] = JSON.parse(@crypto.decrypt_data(encrypted_data,
                                                            response['headers'][@config['ivHeaderName']][0],
-                                                           response['headers'][@config['encryptedKeyHeaderName']][0]))
+                                                           response['headers'][@config['encryptedKeyHeaderName']][0],
+                                                           response['headers'][@config['oaepHashingAlgorithmHeaderName']][0]))
       end
 
       def elem_from_path(path, obj)
@@ -125,7 +136,7 @@ module McAPI
         if path && !paths.empty?
           paths.each do |e|
             parent = obj
-            obj = obj[e]
+            obj = json_root?(e) ? obj : obj[e]
           end
         end
         { node: obj, parent: parent }
@@ -147,6 +158,18 @@ module McAPI
         header[@config['oaepHashingAlgorithmHeaderName']] = params[:oaepHashingAlgorithm].sub('-', '')
         header[@config['publicKeyFingerprintHeaderName']] = params[:publicKeyFingerprint]
       end
+
+      def json_root?(elem)
+        elem == '$'
+      end
+
+      def compute_body(config_param, body_map)
+        encryption_param?(config_param, body_map) ? body_map[0] : yield
+      end
+
+      def encryption_param?(enc_param, body_map)
+        enc_param.length == 1 && body_map.length == 1
+      end
     end
   end
 end

data/lib/mcapi/encryption/openapi_interceptor.rb

@@ -15,7 +15,7 @@ module McAPI
         # adding encryption/decryption capabilities for the request/response payload.
         #
         # @param [Object] swagger_client OpenAPI service client (it can be generated by the swagger code generator)
-        # @param [Object] config configuration object describing which field to enable encryption/decryption
+        # @param [Hash] config configuration object describing which field to enable encryption/decryption
         #
         def install_field_level_encryption(swagger_client, config)
           fle = McAPI::Encryption::FieldLevelEncryption.new(config)
@@ -45,7 +45,7 @@ module McAPI
         def hook_deserialize(fle)
           self.class.send :define_method, :init_deserialize do |client|
             client.define_singleton_method(:deserialize) do |response, return_type|
-              if response && response.body
+              if response&.body
                 endpoint = response.request.base_url.sub client.config.base_url, ''
                 to_decrypt = { headers: McAPI::Utils.parse_header(response.options[:response_headers]),
                                request: { url: endpoint },

data/lib/mcapi/encryption/utils/openssl_rsa_oaep.rb

@@ -51,7 +51,7 @@ module OpenSSL
       em = str.bytes
       raise OpenSSL::PKey::RSAError if em.size < 2 * mdlen + 2
 
-      # Keep constant calculation even if the text is invaid in order to avoid attacks.
+      # Keep constant calculation even if the text is invalid in order to avoid attacks.
       good = secure_byte_is_zero(em[0])
       masked_seed = em[1...1 + mdlen].pack('C*')
       masked_db = em[1 + mdlen...em.size].pack('C*')

data/lib/mcapi/encryption/utils/utils.rb

@@ -66,22 +66,27 @@ module McAPI
     def self.mutate_obj_prop(path, value, obj, src_path = nil, properties = [])
       tmp = obj
       prev = nil
-      return unless path
+      return obj unless path
 
       delete_node(src_path, obj, properties) if src_path
       paths = path.split('.')
-      paths.each do |e|
-        tmp[e] = {} unless tmp[e]
-        prev = tmp
-        tmp = tmp[e]
+      unless path == '$'
+        paths.each do |e|
+          tmp[e] = {} unless tmp[e]
+          prev = tmp
+          tmp = tmp[e]
+        end
       end
       elem = path.split('.').pop
-      if value.is_a?(Hash) && !value.is_a?(Array)
+      if elem == '$'
+        obj = value # replace root
+      elsif value.is_a?(Hash) && !value.is_a?(Array)
         prev[elem] = {} unless prev[elem].is_a?(Hash)
         override_props(prev[elem], value)
       else
         prev[elem] = value
       end
+      obj
     end
 
     def self.override_props(target, obj)
@@ -105,6 +110,7 @@ module McAPI
         obj = obj[e]
         prev.delete(to_delete) if obj && index == paths.size - 1
       end
+      obj.keys.each { |e| obj.delete(e) } if paths.length == 1 && paths[0] == '$'
       properties.each { |e| obj.delete(e) } if paths.empty?
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mastercard-client-encryption
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 1.1.0
 platform: ruby
 authors:
 - Mastercard
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-11-18 00:00:00.000000000 Z
+date: 2021-09-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler