pluginaweek-encrypted_strings 0.3.2

data/lib/encrypted_strings/cipher.rb

@@ -0,0 +1,17 @@
+module EncryptedStrings
+  # Represents the base class for all ciphers.  By default, all ciphers are
+  # assumed to be able to decrypt strings.  Note, however, that certain
+  # encryption algorithms do not allow decryption.
+  class Cipher
+    # Can this string be decrypted?  Default is true.
+    def can_decrypt?
+      true
+    end
+    
+    # Attempts to decrypt the given data using the current configuration.  By
+    # default, decryption is not implemented.
+    def decrypt(data)
+      raise NotImplementedError, "Decryption is not supported using a(n) #{self.class.name}"
+    end
+  end
+end

data/lib/encrypted_strings/extensions/string.rb

@@ -0,0 +1,205 @@
+module EncryptedStrings
+  module Extensions #:nodoc:
+    # Adds support for in-place encryption/decryption of strings
+    module String
+      def self.included(base) #:nodoc:
+        base.class_eval do
+          attr_accessor :cipher
+          
+          alias_method :equals_without_encryption, :==
+          alias_method :==, :equals_with_encryption
+        end
+      end
+      
+      # Encrypts the current string using the specified cipher.  The default
+      # cipher is sha.
+      # 
+      # Configuration options are cipher-specific.  See each individual cipher
+      # class to find out the options available.
+      # 
+      # == Example
+      # 
+      # The following uses an SHA cipher to encrypt the string:
+      # 
+      #   password = 'shhhh'
+      #   password.encrypt  # => "66c85d26dadde7e1db27e15a0776c921e27143bd"
+      # 
+      # == Custom encryption mode
+      # 
+      # The following uses Symmetric cipher (with a default password) to
+      # encrypt the string:
+      # 
+      #   EncryptedStrings::SymmetricCipher.default_password = 'secret'
+      #   password = 'shhhh'
+      #   password.encrypt(:symmetric)  # => "jDACXI5hMPI=\n"
+      # 
+      # == Custom encryption options
+      # 
+      # Some encryption modes also support additional configuration options
+      # that determine how to encrypt the string.  For example, SHA supports
+      # a salt which seeds the algorithm:
+      # 
+      #   password = 'shhhh'
+      #   password.encrypt(:sha, :salt => 'secret') # => "3b22cbe4acde873c3efc82681096f3ae69aff828"
+      def encrypt(*args)
+        cipher = cipher_from_args(*args)
+        encrypted_string = cipher.encrypt(self)
+        encrypted_string.cipher = cipher
+        
+        encrypted_string
+      end
+      
+      # Encrypts this string and replaces it with the encrypted value.  This
+      # takes the same parameters as #encrypt, but returns the same string
+      # instead of a different one.
+      # 
+      # == Example
+      # 
+      #   password = 'shhhh'
+      #   password.encrypt!(:symmetric, :password => 'secret')  # => "qSg8vOo6QfU=\n"
+      #   password                                              # => "qSg8vOo6QfU=\n"
+      def encrypt!(*args)
+        encrypted_string = encrypt(*args)
+        self.cipher = encrypted_string.cipher
+        
+        replace(encrypted_string)
+      end
+      
+      # Is this string encrypted?  This will return true if the string is the
+      # result of a call to #encrypt or #encrypt!.
+      # 
+      # == Example
+      # 
+      #   password = 'shhhh'
+      #   password.encrypted? # => false
+      #   password.encrypt!   # => "66c85d26dadde7e1db27e15a0776c921e27143bd"
+      #   password.encrypted? # => true
+      def encrypted?
+        !cipher.nil?
+      end
+      
+      # Decrypts this string.  If this is not a string that was previously
+      # encrypted, the cipher must be specified in the same way that it is
+      # when encrypting a string.
+      # 
+      # == Example
+      # 
+      # Without being previously encrypted:
+      # 
+      #   password = "qSg8vOo6QfU=\n"
+      #   password.decrypt(:symmetric, :password => 'secret')   # => "shhhh"
+      # 
+      # After being previously encrypted:
+      # 
+      #   password = 'shhhh'
+      #   password.encrypt!(:symmetric, :password => 'secret')  # => "qSg8vOo6QfU=\n"
+      #   password.decrypt                                      # => "shhhh"
+      def decrypt(*args)
+        raise ArgumentError, 'Cipher cannot be inferred: must specify it as an argument' if args.empty? && !encrypted?
+        
+        cipher = args.empty? && self.cipher || cipher_from_args(*args)
+        encrypted_string = cipher.decrypt(self)
+        encrypted_string.cipher = nil
+        
+        encrypted_string
+      end
+      
+      # Decrypts this string and replaces it with the decrypted value  This
+      # takes the same parameters as #decrypt, but returns the same string
+      # instead of a different one.
+      # 
+      # For example,
+      # 
+      #   password = "qSg8vOo6QfU=\n"
+      #   password.decrypt!(:symmetric, :password => 'secret')  # => "shhhh"
+      #   password                                              # => "shhhh"
+      def decrypt!(*args)
+        value = replace(decrypt(*args))
+        self.cipher = nil
+        value
+      end
+      
+      # Can this string be decrypted?  Strings can only be decrypted if they
+      # have previously been decrypted *and* the cipher supports decryption.
+      # To determine whether or not the cipher supports decryption, see the
+      # api for the cipher.
+      def can_decrypt?
+        encrypted? && cipher.can_decrypt?
+      end
+      
+      # Tests whether the other object is equal to this one.  Encrypted strings
+      # will be tested not only on their encrypted strings, but also by
+      # decrypting them and running tests against the decrypted value.
+      # 
+      # == Equality with strings
+      # 
+      #   password = 'shhhh'
+      #   password.encrypt!   # => "66c85d26dadde7e1db27e15a0776c921e27143bd"
+      #   password            # => "66c85d26dadde7e1db27e15a0776c921e27143bd"
+      #   password == "shhhh" # => true
+      # 
+      # == Equality with encrypted strings
+      # 
+      #   password = 'shhhh'
+      #   password.encrypt!             # => "66c85d26dadde7e1db27e15a0776c921e27143bd"
+      #   password                      # => "66c85d26dadde7e1db27e15a0776c921e27143bd"
+      #   password == 'shhhh'           # => true
+      #   
+      #   another_password = 'shhhh'
+      #   another_password.encrypt!     # => "66c85d26dadde7e1db27e15a0776c921e27143bd"
+      #   password == another_password  # => true
+      def equals_with_encryption(other)
+        if !(is_equal = equals_without_encryption(other)) && String === other
+          if encrypted?
+            if other.encrypted?
+              # We're both encrypted, so check if:
+              # (1) The other string is the encrypted value of this string
+              # (2) This string is the encrypted value of the other string
+              # (3) The other string is the encrypted value of this string, decrypted
+              # (4) This string is the encrypted value of the other string, decrypted
+              is_string_equal?(self, other) || is_string_equal?(other, self) || self.can_decrypt? && is_string_equal?(self.decrypt, other) || other.can_decrypt? && is_string_equal?(other.decrypt, self)
+            else
+              # Only we're encrypted
+              is_string_equal?(other, self)
+            end
+          else
+            if other.encrypted?
+              # Only the other string is encrypted
+              is_string_equal?(self, other)
+            else
+              # Neither are encrypted and equality test didn't work before, so
+              # they can't be equal
+              false
+            end
+          end
+        else
+          # The other value wasn't a string, so we can't check encryption equality
+          is_equal
+        end
+      end
+      
+      private
+        def is_string_equal?(value, encrypted_value) #:nodoc:
+          # If the encrypted value can be decrypted, then test against the decrypted value
+          if encrypted_value.can_decrypt?
+            encrypted_value.decrypt.equals_without_encryption(value)
+          else
+            # Otherwise encrypt this value based on the cipher used on the encrypted value
+            # and test the equality of those strings
+            encrypted_value.equals_without_encryption(encrypted_value.cipher.encrypt(value))
+          end
+        end
+        
+        # Builds the cipher to use from the given arguments
+        def cipher_from_args(*args) #:nodoc:
+          options = args.last.is_a?(Hash) ? args.pop : {}
+          name = (args.first || :sha).to_s.gsub(/(?:^|_)(.)/) {$1.upcase}
+          EncryptedStrings.const_get("#{name}Cipher").new(options)
+        end
+    end
+  end
+end
+
+::String.class_eval do
+  include EncryptedStrings::Extensions::String
+end

data/lib/encrypted_strings/sha_cipher.rb

@@ -0,0 +1,67 @@
+require 'digest/sha1'
+
+module EncryptedStrings
+  # Encrypts a string using a Secure Hash Algorithm (SHA), specifically SHA-1.
+  # 
+  # == Encrypting
+  # 
+  # To encrypt a string using an SHA cipher, the salt used to seed the
+  # algorithm must be specified.  You can define the default for this value
+  # like so:
+  # 
+  #   EncryptedStrings::ShaCipher.default_salt = 'secret'
+  # 
+  # If these configuration options are not passed in to #encrypt, then the
+  # default values will be used.  You can override the default values like so:
+  # 
+  #   password = 'shhhh'
+  #   password.encrypt(:sha, :salt => 'secret')  # => "ae645b35bb5dfea6c9133ac872e6adfa92a3c2bd"
+  # 
+  # == Decrypting
+  # 
+  # SHA-encrypted strings cannot be decrypted.  The only way to determine
+  # whether an unencrypted value is equal to an SHA-encrypted string is to
+  # encrypt the value with the same salt.  For example,
+  # 
+  #   password = 'shhhh'.encrypt(:sha, :salt => 'secret') # => "3b22cbe4acde873c3efc82681096f3ae69aff828"
+  #   input = 'shhhh'.encrypt(:sha, :salt => 'secret')    # => "3b22cbe4acde873c3efc82681096f3ae69aff828"
+  #   password == input                                   # => true
+  class ShaCipher < Cipher
+    class << self
+      # The default salt value to use during encryption
+      attr_accessor :default_salt
+    end
+    
+    # Set defaults
+    @default_salt = 'salt'
+    
+    # The salt value to use for encryption
+    attr_accessor :salt
+    
+    # Creates a new cipher that uses an SHA encryption strategy.
+    # 
+    # Configuration options:
+    # * <tt>:salt</tt> - Random bytes used as one of the inputs for generating
+    #   the encrypted string
+    def initialize(options = {})
+      invalid_options = options.keys - [:salt]
+      raise ArgumentError, "Unknown key(s): #{invalid_options.join(", ")}" unless invalid_options.empty?
+      
+      options = {:salt => ShaCipher.default_salt}.merge(options)
+      
+      self.salt = options[:salt].to_s
+      
+      super()
+    end
+    
+    # Decryption is not supported
+    def can_decrypt?
+      false
+    end
+    
+    # Returns the encrypted value of the data
+    def encrypt(data)
+      Digest::SHA1.hexdigest(data + salt)
+    end
+  end
+end

data/lib/encrypted_strings/symmetric_cipher.rb

@@ -0,0 +1,101 @@
+module EncryptedStrings
+  # Indicates no password was specified for the symmetric cipher
+  class NoPasswordError < StandardError
+  end
+  
+  # Symmetric encryption uses a specific algorithm and password to encrypt
+  # the string.  As long as the algorithm and password are known, the string
+  # can be decrypted.
+  # 
+  # Source: http://support.microsoft.com/kb/246071
+  # 
+  # == Encrypting 
+  # 
+  # To encrypt a string using a symmetric cipher, the algorithm and password
+  # must be specified.  You can define the defaults for these values like so:
+  # 
+  #   EncryptedStrings::SymmetricCipher.default_algorithm = 'des-ecb'
+  #   EncryptedStrings::SymmetricCipher.default_password = 'secret'
+  # 
+  # If these configuration options are not passed in to #encrypt, then the
+  # default values will be used.  You can override the default values like so:
+  # 
+  #   password = 'shhhh'
+  #   password.encrypt(:symmetric, :algorithm => 'des-ecb', :password => 'secret')  # => "S/sEkViX3v4=\n"
+  # 
+  # An exception will be raised if no password is specified.
+  # 
+  # == Decrypting
+  # 
+  # To decrypt a string using an symmetric cipher, the algorithm and password
+  # must be specified.  Defaults for these values can be defined as show above.
+  # 
+  # If these configuration options are not passed in to #decrypt, then the
+  # default values will be used.  You can override the default values like so:
+  # 
+  #   password = "S/sEkViX3v4=\n"
+  #   password.decrypt(:symmetric, :algorithm => 'des-ecb', :password => 'secret') # => "shhhh"
+  # 
+  # An exception will be raised if no password is specified.
+  class SymmetricCipher < Cipher
+    class << self
+      # The default algorithm to use for encryption.  Default is DES-EDE3-CBC.
+      attr_accessor :default_algorithm
+      
+      # The default password to use for generating the key and initialization
+      # vector.  Default is nil.
+      attr_accessor :default_password
+    end
+    
+    # Set default values
+    @default_algorithm = 'DES-EDE3-CBC'
+    
+    # The algorithm to use for encryption/decryption
+    attr_accessor :algorithm
+    
+    # The password that generates the key/initialization vector for the
+    # algorithm
+    attr_accessor :password
+    
+    # Creates a new cipher that uses a symmetric encryption strategy.
+    # 
+    # Configuration options:
+    # * <tt>:algorithm</tt> - The algorithm to use for generating the encrypted string
+    # * <tt>:password</tt> - The secret value to use for generating the
+    #   key/initialization vector for the algorithm
+    def initialize(options = {})
+      invalid_options = options.keys - [:algorithm, :password]
+      raise ArgumentError, "Unknown key(s): #{invalid_options.join(", ")}" unless invalid_options.empty?
+      
+      options = {
+        :algorithm => SymmetricCipher.default_algorithm,
+        :password => SymmetricCipher.default_password
+      }.merge(options)
+      
+      self.algorithm = options[:algorithm]
+      self.password = options[:password]
+      raise NoPasswordError if password.nil?
+      
+      super()
+    end
+    
+    # Decrypts the current string using the current key and algorithm specified
+    def decrypt(data)
+      cipher = build_cipher(:decrypt)
+      cipher.update(data.unpack('m')[0]) + cipher.final
+    end
+    
+    # Encrypts the current string using the current key and algorithm specified
+    def encrypt(data)
+      cipher = build_cipher(:encrypt)
+      [cipher.update(data) + cipher.final].pack('m')
+    end
+    
+    private
+      def build_cipher(type) #:nodoc:
+        cipher = OpenSSL::Cipher::Cipher.new(algorithm).send(type)
+        cipher.pkcs5_keyivgen(password)
+        cipher
+      end
+  end
+end

data/test/asymmetric_cipher_test.rb

@@ -0,0 +1,183 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class NoPrivateKeyErrorTest < Test::Unit::TestCase
+  def test_should_exist
+    assert_not_nil EncryptedStrings::NoPrivateKeyError
+  end
+end
+
+class NoPublicKeyErrorTest < Test::Unit::TestCase
+  def test_should_exist
+    assert_not_nil EncryptedStrings::NoPublicKeyError
+  end
+end
+
+class AsymmetricCipherByDefaultTest < Test::Unit::TestCase
+  def setup
+    @asymmetric_cipher = EncryptedStrings::AsymmetricCipher.new(:public_key_file => File.dirname(__FILE__) + '/keys/public')
+  end
+  
+  def test_should_raise_an_exception
+    assert_raise(ArgumentError) {EncryptedStrings::AsymmetricCipher.new}
+  end
+  
+  def test_should_not_have_a_public_key_file
+    @asymmetric_cipher = EncryptedStrings::AsymmetricCipher.new(:private_key_file => File.dirname(__FILE__) + '/keys/private')
+    assert_nil @asymmetric_cipher.public_key_file
+  end
+  
+  def test_should_not_have_a_private_key_file
+    assert_nil @asymmetric_cipher.private_key_file
+  end
+  
+  def test_should_not_have_an_algorithm
+    assert_nil @asymmetric_cipher.algorithm
+  end
+  
+  def test_should_not_have_a_password
+    assert_nil @asymmetric_cipher.password
+  end
+end
+
+class AsymmetricCipherWithCustomDefaultsTest < Test::Unit::TestCase
+  def setup
+    @original_default_public_key_file = EncryptedStrings::AsymmetricCipher.default_public_key_file
+    @original_default_private_key_file = EncryptedStrings::AsymmetricCipher.default_private_key_file
+    
+    EncryptedStrings::AsymmetricCipher.default_public_key_file = File.dirname(__FILE__) + '/keys/public'
+    EncryptedStrings::AsymmetricCipher.default_private_key_file = File.dirname(__FILE__) + '/keys/private'
+    
+    @asymmetric_cipher = EncryptedStrings::AsymmetricCipher.new
+  end
+  
+  def test_should_use_default_public_key_file
+    assert_equal File.dirname(__FILE__) + '/keys/public', @asymmetric_cipher.public_key_file
+  end
+  
+  def test_should_use_default_private_key_file
+    assert_equal File.dirname(__FILE__) + '/keys/private', @asymmetric_cipher.private_key_file
+  end
+  
+  def test_should_not_have_an_algorithm
+    assert_nil @asymmetric_cipher.algorithm
+  end
+  
+  def test_should_not_have_a_password
+    assert_nil @asymmetric_cipher.password
+  end
+  
+  def teardown
+    EncryptedStrings::AsymmetricCipher.default_public_key_file = @original_default_public_key_file
+    EncryptedStrings::AsymmetricCipher.default_private_key_file = @original_default_private_key_file
+  end
+end
+
+class AsymmetricCipherWithInvalidOptionsTest < Test::Unit::TestCase
+  def test_should_throw_an_exception
+    assert_raise(ArgumentError) {EncryptedStrings::AsymmetricCipher.new(:invalid => true)}
+  end
+end
+
+class AsymmetricCipherTest < Test::Unit::TestCase
+  def setup
+    @asymmetric_cipher = EncryptedStrings::AsymmetricCipher.new(:public_key_file => File.dirname(__FILE__) + '/keys/public')
+  end
+  
+  def test_should_be_able_to_decrypt
+    assert @asymmetric_cipher.can_decrypt?
+  end
+end
+
+class AsymmetricCipherWithoutPublicKeyTest < Test::Unit::TestCase
+  def setup
+    @asymmetric_cipher = EncryptedStrings::AsymmetricCipher.new(:public_key_file => nil, :private_key_file => File.dirname(__FILE__) + '/keys/private')
+  end
+  
+  def test_should_not_be_public
+    assert !@asymmetric_cipher.public?
+  end
+  
+  def test_should_not_be_able_to_encrypt
+    assert_raise(EncryptedStrings::NoPublicKeyError) {@asymmetric_cipher.encrypt('test')}
+  end
+end
+
+class AsymmetricCipherWithPublicKeyTest < Test::Unit::TestCase
+  def setup
+    @asymmetric_cipher = EncryptedStrings::AsymmetricCipher.new(:public_key_file => File.dirname(__FILE__) + '/keys/public')
+  end
+  
+  def test_should_be_public
+    assert @asymmetric_cipher.public?
+  end
+  
+  def test_should_not_be_private
+    assert !@asymmetric_cipher.private?
+  end
+  
+  def test_should_be_able_to_encrypt
+    assert_equal 90, @asymmetric_cipher.encrypt('test').length
+  end
+  
+  def test_should_not_be_able_to_decrypt
+    assert_raise(EncryptedStrings::NoPrivateKeyError) {@asymmetric_cipher.decrypt("HbEh0Hwri26S7SWYqO26DBbzfhR1h/0pXYLjSKUpxF5DOaOCtD9oRN748+Na\nrfNaVN5Eg7RUhbRFZE+UnNHo6Q==\n")}
+  end
+end
+
+class AsymmetricCipherWithoutPrivateKeyTest < Test::Unit::TestCase
+  def setup
+    @asymmetric_cipher = EncryptedStrings::AsymmetricCipher.new(:private_key_file => nil, :public_key_file => File.dirname(__FILE__) + '/keys/public')
+  end
+  
+  def test_should_not_be_private
+    assert !@asymmetric_cipher.private?
+  end
+  
+  def test_should_not_be_able_to_decrypt
+    assert_raise(EncryptedStrings::NoPrivateKeyError) {@asymmetric_cipher.decrypt("HbEh0Hwri26S7SWYqO26DBbzfhR1h/0pXYLjSKUpxF5DOaOCtD9oRN748+Na\nrfNaVN5Eg7RUhbRFZE+UnNHo6Q==\n")}
+  end
+end
+
+class AsymmetricCipherWithPrivateKeyTest < Test::Unit::TestCase
+  def setup
+    @asymmetric_cipher = EncryptedStrings::AsymmetricCipher.new(:private_key_file => File.dirname(__FILE__) + '/keys/private')
+  end
+  
+  def test_should_not_be_public
+    assert !@asymmetric_cipher.public?
+  end
+  
+  def test_should_be_private
+    assert @asymmetric_cipher.private?
+  end
+  
+  def test_not_should_be_able_to_encrypt
+    assert_raise(EncryptedStrings::NoPublicKeyError) {@asymmetric_cipher.encrypt('test')}
+  end
+  
+  def test_should_be_able_to_decrypt
+    assert_equal 'test', @asymmetric_cipher.decrypt("HbEh0Hwri26S7SWYqO26DBbzfhR1h/0pXYLjSKUpxF5DOaOCtD9oRN748+Na\nrfNaVN5Eg7RUhbRFZE+UnNHo6Q==\n")
+  end
+end
+
+class AsymmetricCipherWithEncryptedPrivateKeyTest < Test::Unit::TestCase
+  def setup
+    @asymmetric_cipher = EncryptedStrings::AsymmetricCipher.new(:private_key_file => File.dirname(__FILE__) + '/keys/encrypted_private', :algorithm => 'DES-EDE3-CBC', :password => 'secret')
+  end
+  
+  def test_should_not_be_public
+    assert !@asymmetric_cipher.public?
+  end
+  
+  def test_should_be_private
+    assert @asymmetric_cipher.private?
+  end
+  
+  def test_should_not_be_able_to_encrypt
+    assert_raise(EncryptedStrings::NoPublicKeyError) {@asymmetric_cipher.encrypt('test')}
+  end
+  
+  def test_should_be_able_to_decrypt
+    assert_equal 'test', @asymmetric_cipher.decrypt("HbEh0Hwri26S7SWYqO26DBbzfhR1h/0pXYLjSKUpxF5DOaOCtD9oRN748+Na\nrfNaVN5Eg7RUhbRFZE+UnNHo6Q==\n")
+  end
+end