porky_lib 0.1.5 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9ea558fc6faee130daa48e2d3c5bec7d0803773c
-  data.tar.gz: 0de735f7b91d041d9522cb37ff19f35df1cdbb3a
+  metadata.gz: 46e66e6a979326e1996e6e72466d805b81db819f
+  data.tar.gz: 357cec74b604085e0452a2b6ae9ecd94f07b288e
 SHA512:
-  metadata.gz: 61a58989c93c0ae920e22dd4c05f1ed8385d51c6702ae862450ae37da5f3c5d62f28ba5b133b078b44283810633e5c6f018e7f8fcc9a532fe1dfa078f1787a7d
-  data.tar.gz: 41e1b3b123a21340c2005e7183a487f47fe31a3b031095b18682cd342cefae2e71d8c9db07dde98f2da37c5f1f3509a0e2270447732c4ff7b88ee20689489292
+  metadata.gz: 3dd9de7ff39b6bba06957262223e244f221c0241ceb816cce9718a0a5d20cb4f5771a69564f563fb60ce5fa4a5cd06162f02f76803d80e8776e1792adad350a9
+  data.tar.gz: 3212f9cbd316bc2e4ff635ef357ebe77cca6c6a91989d2d1fc5dd196cb40b2c968a5499a1756084a697431f72ae203da1f8a06057e44e0fffd0ee9862bb7db74

data/Gemfile.lock

@@ -1,8 +1,9 @@
 PATH
   remote: .
   specs:
-    porky_lib (0.1.5)
+    porky_lib (0.2.0)
       aws-sdk-kms
+      aws-sdk-s3
       msgpack
       rbnacl-libsodium
 
@@ -11,14 +12,18 @@ GEM
   specs:
     ast (2.4.0)
     aws-eventstream (1.0.1)
-    aws-partitions (1.102.0)
-    aws-sdk-core (3.25.0)
+    aws-partitions (1.104.0)
+    aws-sdk-core (3.27.0)
       aws-eventstream (~> 1.0)
       aws-partitions (~> 1.0)
       aws-sigv4 (~> 1.0)
       jmespath (~> 1.0)
-    aws-sdk-kms (1.7.0)
-      aws-sdk-core (~> 3)
+    aws-sdk-kms (1.9.0)
+      aws-sdk-core (~> 3, >= 3.26.0)
+      aws-sigv4 (~> 1.0)
+    aws-sdk-s3 (1.19.0)
+      aws-sdk-core (~> 3, >= 3.26.0)
+      aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.0)
     aws-sigv4 (1.0.3)
     bundler-audit (0.6.0)
@@ -37,7 +42,7 @@ GEM
     json (2.1.0)
     msgpack (1.2.4)
     parallel (1.12.1)
-    parser (2.5.1.0)
+    parser (2.5.1.2)
       ast (~> 2.4.0)
     powerpack (0.1.2)
     rainbow (3.0.0)
@@ -46,35 +51,35 @@ GEM
       ffi
     rbnacl-libsodium (1.0.16)
       rbnacl (>= 3.0.1)
-    rspec (3.7.0)
-      rspec-core (~> 3.7.0)
-      rspec-expectations (~> 3.7.0)
-      rspec-mocks (~> 3.7.0)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
     rspec-collection_matchers (1.1.3)
       rspec-expectations (>= 2.99.0.beta1)
-    rspec-core (3.7.1)
-      rspec-support (~> 3.7.0)
-    rspec-expectations (3.7.0)
+    rspec-core (3.8.0)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-mocks (3.7.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-support (3.7.1)
+      rspec-support (~> 3.8.0)
+    rspec-support (3.8.0)
     rspec_junit_formatter (0.4.1)
       rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (0.57.2)
+    rubocop (0.59.1)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
-      parser (>= 2.5)
+      parser (>= 2.5, != 2.5.1.1)
       powerpack (~> 0.1)
       rainbow (>= 2.2.2, < 4.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (~> 1.0, >= 1.0.1)
-    rubocop-rspec (1.27.0)
-      rubocop (>= 0.56.0)
+    rubocop-rspec (1.29.1)
+      rubocop (>= 0.58.0)
     rubocop_runner (2.1.0)
-    ruby-progressbar (1.9.0)
+    ruby-progressbar (1.10.0)
     simplecov (0.16.1)
       docile (~> 1.1)
       json (>= 1.8, < 3)

data/README.md

@@ -116,6 +116,22 @@ To verify whether an alias exists or not:
 alias_exists = PorkyLib::Symmetric.instance.cmk_alias_exists?(key_alias) 
 ```
 
+### To Read From AWS S3
+```ruby
+# Where bucket_name is the name of the S3 bucket to read from
+# file_key is file identifier of the file/data that was written to S3.
+file_data = PorkyLib::FileService.read(bucket_name, file_key)
+```
+
+### To Write To AWS S3
+```ruby
+# Where file is the data to encrypt and upload to S3 (can be raw data or path to a file on disk)
+# bucket_name is the name of the S3 bucket to write to
+# key_id is the ID of the CMK to use to generate a data encryption key to encrypt the file data
+# options is an optional parameter for specifying optional metadata about the file
+file_key = PorkyLib::FileService.write(file, bucket_name, key_id, options)
+```
+
 ## Development
 
 Development on this project should occur on separate feature branches and pull requests should be submitted. When submitting a

data/lib/porky_lib.rb

@@ -2,6 +2,8 @@
 
 module PorkyLib
   require 'porky_lib/config'
+  require 'porky_lib/file_service'
   require 'porky_lib/symmetric'
   require 'porky_lib/version'
+  require 'porky_lib/aws/kms/client'
 end

data/lib/porky_lib/config.rb

@@ -5,12 +5,14 @@ class PorkyLib::Config
   @aws_key_id = ''
   @aws_key_secret = ''
   @aws_client_mock = false
+  @max_file_size = 0
 
   @config = {
     aws_region: @aws_region,
     aws_key_id: @aws_key_id,
     aws_key_secret: @aws_key_secret,
-    aws_client_mock: @aws_client_mock
+    aws_client_mock: @aws_client_mock,
+    max_file_size: @max_file_size
   }
 
   @allowed_config_keys = @config.keys

data/lib/porky_lib/file_service.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+require 'aws-sdk-s3'
+require 'singleton'
+
+class PorkyLib::FileService
+  include Singleton
+
+  class FileServiceError < StandardError; end
+  class FileSizeTooLargeError < StandardError; end
+
+  def read(bucket_name, file_key, options = {})
+    tempfile = Tempfile.new
+
+    begin
+      object = s3.bucket(bucket_name).object(file_key)
+      raise FileSizeTooLargeError, "File size is larger than maximum allowed size of #{max_file_size}" if object.content_length > max_size
+
+      object.download_file(tempfile.path, options)
+    rescue Aws::Errors::ServiceError => e
+      raise FileServiceError, "Attempt to download a file from S3 failed.\n#{e.message}"
+    end
+
+    decrypt_file_contents(tempfile)
+  end
+
+  def write(file, bucket_name, key_id, options = {})
+    raise FileServiceError, 'Invalid input. One or more input values is nil' if input_invalid?(file, bucket_name, key_id)
+    raise FileSizeTooLargeError, "File size is larger than maximum allowed size of #{max_file_size}" if file_size_invalid?(file)
+
+    data = file_data(file)
+    file_key = SecureRandom.uuid
+    tempfile = encrypt_file_contents(data, key_id, file_key)
+
+    begin
+      perform_upload(bucket_name, file_key, tempfile, options)
+    rescue Aws::Errors::ServiceError => e
+      raise FileServiceError, "Attempt to upload a file to S3 failed.\n#{e.message}"
+    end
+
+    # Remove tempfile from disk
+    tempfile.unlink
+    file_key
+  end
+
+  private
+
+  def input_invalid?(file, bucket_name, key_id)
+    file.nil? || bucket_name.nil? || key_id.nil?
+  end
+
+  def file_size_invalid?(file)
+    file.bytesize > max_size || (File.file?(file) && File.size(file) > max_size)
+  end
+
+  def file_data(file)
+    File.file?(file) ? File.read(file) : file
+  end
+
+  def max_size
+    PorkyLib::Config.config[:max_file_size]
+  end
+
+  def max_file_size
+    {
+      B: 1024,
+      KB: 1024 * 1024,
+      MB: 1024 * 1024 * 1024,
+      GB: 1024 * 1024 * 1024 * 1024
+    }.each_pair { |symbol, bytes| return "#{(max_size.to_f / (bytes / 1024)).round(2)}#{symbol}" if max_size < bytes }
+  end
+
+  def perform_upload(bucket_name, file_key, tempfile, options)
+    obj = s3.bucket(bucket_name).object(file_key)
+    if options.key?(:metadata)
+      obj.upload_file(tempfile.path, options[:metadata])
+    else
+      obj.upload_file(tempfile.path)
+    end
+  end
+
+  def decrypt_file_contents(tempfile)
+    file_contents = tempfile.read
+
+    # Remove tempfile from disk
+    tempfile.unlink
+
+    ciphertext_data = JSON.parse(file_contents, symbolize_names: true)
+    ciphertext_key = Base64.urlsafe_decode64(ciphertext_data[:key])
+    ciphertext = Base64.urlsafe_decode64(ciphertext_data[:data])
+    nonce = Base64.urlsafe_decode64(ciphertext_data[:nonce])
+
+    PorkyLib::Symmetric.instance.decrypt(ciphertext_key, ciphertext, nonce)
+  end
+
+  def encrypt_file_contents(file, key_id, file_key)
+    ciphertext_key, ciphertext, nonce = PorkyLib::Symmetric.instance.encrypt(file, key_id)
+
+    file_contents = {
+      key: Base64.urlsafe_encode64(ciphertext_key),
+      data: Base64.urlsafe_encode64(ciphertext),
+      nonce: Base64.urlsafe_encode64(nonce)
+    }.to_json
+
+    write_tempfile(file_contents, file_key)
+  end
+
+  def write_tempfile(file_contents, file_key)
+    tempfile = Tempfile.new(file_key)
+    tempfile << file_contents
+    tempfile.close
+
+    tempfile
+  end
+
+  def s3
+    @s3 ||= Aws::S3::Resource.new
+  end
+end

data/lib/porky_lib/symmetric.rb

@@ -56,6 +56,7 @@ class PorkyLib::Symmetric
 
   def decrypt_data_encryption_key(ciphertext_key, encryption_context = nil)
     return client.decrypt(ciphertext_blob: ciphertext_key, encryption_context: encryption_context).to_h[:plaintext] if encryption_context
+
     client.decrypt(ciphertext_blob: ciphertext_key).to_h[:plaintext]
   end
 
@@ -94,8 +95,7 @@ class PorkyLib::Symmetric
     # Securely delete the plaintext value from memory
     plaintext_key.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
 
-    result = secret_box.decrypt(nonce, ciphertext)
-    result
+    secret_box.decrypt(nonce, ciphertext)
   end
 
   def secure_delete_plaintext_key(length)

data/lib/porky_lib/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PorkyLib
-  VERSION = "0.1.5"
+  VERSION = "0.2.0"
 end

data/porky_lib.gemspec

@@ -36,6 +36,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'timecop'
 
   spec.add_dependency 'aws-sdk-kms'
+  spec.add_dependency 'aws-sdk-s3'
   spec.add_dependency 'msgpack'
   spec.add_dependency 'rbnacl-libsodium'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: porky_lib
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 0.2.0
 platform: ruby
 authors:
 - Greg Fletcher
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-08-30 00:00:00.000000000 Z
+date: 2018-09-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -220,6 +220,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-s3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: msgpack
   requirement: !ruby/object:Gem::Requirement
@@ -269,6 +283,7 @@ files:
 - lib/porky_lib.rb
 - lib/porky_lib/aws/kms/client.rb
 - lib/porky_lib/config.rb
+- lib/porky_lib/file_service.rb
 - lib/porky_lib/symmetric.rb
 - lib/porky_lib/version.rb
 - porky_lib.gemspec