portunus 0.3.0

data/lib/generators/templates/create_portunus.rb.erb

@@ -0,0 +1,28 @@
+class CreatePortunus < ActiveRecord::Migration<%= migration_version %>
+  def change
+    create_table :portunus_data_encryption_keys do |t|
+      t.string :encrypted_key, null: false
+      t.string :master_keyname, null: false
+      t.string :encryptable_type, null: false
+      t.integer :encryptable_id, null: false
+      t.datetime :last_dek_rotation
+      t.datetime :last_kek_rotation
+      t.timestamps
+    end
+
+    add_index(
+      :portunus_data_encryption_keys,
+      [:encryptable_id, :encryptable_type],
+      unique: true,
+      name: "portunus_dek_on_encryptable_id_and_encryptable_type"
+    )
+    add_index(
+      :portunus_data_encryption_keys,
+      :last_dek_rotation
+    )
+    add_index(
+      :portunus_data_encryption_keys,
+      :last_kek_rotation
+    )
+  end
+end

data/lib/portunus/configuration.rb

@@ -0,0 +1,49 @@
+module Portunus
+  class Configuration
+    attr_accessor :storage_adaptor, :encrypter, :max_key_duration
+
+    def initialize
+      @storage_adaptor = ::Portunus::StorageAdaptors::Credentials
+      @encrypter = ::Portunus::Encrypters::OpenSslAes
+      @keys_loaded = false
+      @master_key_names = []
+      @max_key_duration = 6.months
+    end
+
+    def load_keys
+      storage_adaptor.load
+      @keys_loaded = true
+    end
+
+    def add_key(key_name)
+      @master_key_names.push(key_name)
+      # we want to load all the names of the keys in the storage
+      # adaptor. Because we might need to search through an environment
+      # that has quite a few keys often for every key we want to load
+      # the valid keys
+    end
+
+    def keys_loaded?
+      @keys_loaded
+    end
+
+    def reset_master_keys
+      # Clear all master keys to empty, used for testing
+      @master_key_names = []
+      @keys_loaded = false
+    end
+
+    def reload_master_keys
+      # Perform a reload on the master keys. This is used in tests and to
+      # add new keys into the environment without rebooting the app.
+      @master_key_names = []
+      load_keys
+    end
+
+    def master_key_names
+      load_keys unless keys_loaded?
+
+      @master_key_names
+    end
+  end
+end

data/lib/portunus/data_encryption_key.rb

@@ -0,0 +1,25 @@
+module Portunus
+  class DataEncryptionKey < ::ActiveRecord::Base
+    belongs_to :encryptable, polymorphic: true
+
+    def key
+      ::Portunus.configuration.encrypter.decrypt(
+        key: master_encryption_key.value,
+        value: encrypted_key
+      )
+    end
+
+    def master_keyname=(new_key_value)
+      @_master_encryption_key = nil
+      super(new_key_value)
+    end
+
+    private
+
+    def master_encryption_key
+      @_master_encryption_key ||= Portunus.configuration.storage_adaptor.lookup(
+        master_keyname.to_sym
+      )
+    end
+  end
+end

data/lib/portunus/data_key_generator.rb

@@ -0,0 +1,55 @@
+module Portunus
+  class DataKeyGenerator
+    def self.generate(encrypted_object)
+      new(encrypted_object: encrypted_object).generate
+    end
+
+    def initialize(
+      encrypted_object:,
+      encrypter: ::Portunus.configuration.encrypter,
+      key_finder: Portunus.configuration.storage_adaptor
+    )
+      @encrypter = encrypter
+      @key_finder = key_finder
+      @encrypted_object = encrypted_object
+    end
+
+    def generate
+      dek = encrypted_object.build_data_encryption_key(
+        encrypted_key: new_encrypted_key,
+        master_keyname: master_keyname
+      )
+
+      if dek.key != new_plaintext_key
+        raise ::Portunus::Error.new(
+          "Dek Key creation failed: Decrypted key does not match the original"
+        )
+      end
+
+      dek
+    end
+
+    private
+
+    attr_reader :encrypted_object, :encrypter, :key_finder
+
+    def new_encrypted_key
+      @_new_encrypted_key ||= encrypter.encrypt(
+        key: master_encryption_key.value, value: new_plaintext_key
+      )
+    end
+
+    def new_plaintext_key
+      # this will be a base64 encoded key
+      @_new_key ||= encrypter.generate_key
+    end
+
+    def master_keyname
+      @_master_keyname ||= key_finder.list.sample
+    end
+
+    def master_encryption_key
+      @_master_encryption_key = key_finder.lookup(master_keyname)
+    end
+  end
+end

data/lib/portunus/encryptable.rb

@@ -0,0 +1,42 @@
+module Portunus
+  module Encryptable
+    extend ActiveSupport::Concern
+
+    class_methods do
+      def encrypted_fields_list
+        @_encrypted_fields_list ||= []
+      end
+
+      def encrypted_fields(*fields)
+        fields.map do |field|
+          ::Portunus::FieldConfigurer.for(self, field)
+        end
+      end
+    end
+
+    included do
+      before_validation :hash_encrypted_fields
+
+      has_one(
+        :data_encryption_key,
+        as: :encryptable,
+        class_name: "::Portunus::DataEncryptionKey"
+      )
+    end
+
+    private
+
+    def hash_encrypted_fields
+      self.class.encrypted_fields_list.each do |field|
+        hashed_field_name = "hashed_#{field}".to_sym
+
+        if respond_to?(hashed_field_name)
+          write_attribute(
+            hashed_field_name,
+            ::Portunus::Hasher.for(send(field.to_sym))
+          )
+        end
+      end
+    end
+  end
+end

data/lib/portunus/encrypters/open_ssl_aes.rb

@@ -0,0 +1,58 @@
+module Portunus
+  module Encrypters
+    class OpenSslAes
+      def self.encrypt(key:, value:)
+        new(key: key, value: value).encrypt
+      end
+
+      def self.generate_key
+        cipher = OpenSSL::Cipher::AES256.new :CBC
+        cipher.encrypt
+        Base64.strict_encode64(cipher.random_key)
+      end
+
+      def self.decrypt(key:, value:)
+        new(key: key, value: value).decrypt
+      end
+
+      def initialize(key:, value:)
+        @key = Base64.strict_decode64(key)
+        @value = value
+      end
+
+      def encrypt
+        cipher = OpenSSL::Cipher::AES256.new :CBC
+        cipher.encrypt
+        iv = cipher.random_iv
+
+        cipher.key = key
+        cipher.iv = iv
+
+        encrypted_output = cipher.update(value) + cipher.final
+
+        [
+          Base64.strict_encode64(iv),
+          Base64.strict_encode64(encrypted_output)
+        ].join("$")
+      end
+
+      def decrypt
+        iv, encrypted_text = value.split("$")
+
+        decipher = OpenSSL::Cipher::AES256.new :CBC
+        decipher.decrypt
+
+        decipher.iv = Base64.strict_decode64(iv) # previously saved
+        decipher.key = key
+
+        output = decipher.update(Base64.strict_decode64(encrypted_text)) + decipher.final
+
+        output
+      end
+
+      private
+
+      attr_reader :key, :value
+    end
+  end
+end

data/lib/portunus/encrypters/time.rb

@@ -0,0 +1 @@
+# DELETE ME, USE DATETIME AND NOT TIME CLASS

data/lib/portunus/field_configurer.rb

@@ -0,0 +1,157 @@
+module Portunus
+  class FieldConfigurer
+    def self.for(object, field)
+      new(object: object, field: field).setup
+    end
+
+    def initialize(object:, field:)
+      require "pry"
+      @object = object
+
+      if field.is_a?(Hash)
+        @field = field.keys.first.to_sym
+        @field_options = default_field_options.merge(field[field.keys.first])
+      else
+        @field = field
+        @field_options = default_field_options
+      end
+    end
+
+    def setup
+      # add the field to a configuration so we can easily determine if it's
+      # a field we need to attempt to encrypt and decrypt. We need this in
+      # the `field_before_typecast` method since the normal accessors are
+      # not used after a validation fail
+      register_field
+
+      # setup the methods on the model itself
+      define_instance_methods
+    end
+
+    private
+
+    attr_accessor :field, :field_options, :object
+
+    def default_field_options
+      {
+        type: :string
+      }
+    end
+
+    def instance_methods_for_model
+      [
+        :define_getter,
+        :define_setter,
+        :define_before_type_cast,
+        :define_association
+      ]
+    end
+
+    def define_instance_methods
+      instance_methods_for_model.map do |method|
+        send(method)
+      end
+    end
+
+    def define_setter
+      l_field_options = field_options
+
+      # Override the setter of the field to do the encryption
+      object.define_method "#{field}=" do |value, &block|
+        if value.present?
+          dek = data_encryption_key
+
+          encrypted_value = ::Portunus.
+            configuration.
+            encrypter.
+            encrypt(
+              value: Portunus::TypeCaster.cast(
+                value: value,
+                type: l_field_options[:type]
+              ),
+              key: dek.key
+            )
+        end
+
+        super(encrypted_value)
+      end
+    end
+
+    def define_getter
+      # This is required to force the proper scope in this context.
+      l_field = field
+      l_field_options = field_options
+
+      object.define_method(l_field.to_sym) do
+        value = read_attribute(l_field.to_sym)
+
+        if value.present?
+          dek = data_encryption_key
+
+          decrypted_value = ::Portunus.
+            configuration.
+            encrypter.
+            decrypt(value: value, key: dek.key)
+
+          Portunus::TypeCaster.uncast(
+            value: decrypted_value,
+            type: l_field_options[:type]
+          )
+        else
+          nil
+        end
+      end
+    end
+
+    def define_before_type_cast
+      l_field = field
+      l_field_options = field_options
+
+      object.define_method "#{l_field}_before_type_cast" do
+        value = super()
+        encrypted = self.class.encrypted_fields_list.include?(l_field.to_sym)
+
+        if encrypted && value.present?
+          dek = data_encryption_key
+          decrypted_value = ::Portunus.
+            configuration.
+            encrypter.
+            decrypt(value: value, key: dek.key)
+
+          value = ::Portunus::TypeCaster.uncast(
+            value: decrypted_value,
+            type: l_field_options[:type]
+          )
+        end
+
+        return value
+      end
+    end
+
+    def define_association
+      # setup a lazy instantiaion of the DEK so that we don't need to worry
+      # about building it for every type of model
+      object.define_method :data_encryption_key do
+        # this is to determine if a data encryption key is present
+        # if not it will lazily create one and fill out the attribute
+        # field on the model containing the key
+        result = super()
+
+        if result.blank?
+          # self here is the model including encryptable. We pass this
+          # so we can call the rails build_data_encryption_key on the
+          # model and set up polymorphic columns automatically
+          dek = ::Portunus::DataKeyGenerator.generate(self)
+          dek
+        else
+          result
+        end
+      end
+    end
+
+    def register_field
+      # Register the field so we can look it up later
+      object.encrypted_fields_list << field
+    end
+  end
+end

data/lib/portunus/hasher.rb

@@ -0,0 +1,9 @@
+module Portunus
+  class Hasher
+    def self.for(input)
+      return nil if input.blank?
+
+      Digest::SHA2.new(512).hexdigest(input)
+    end
+  end
+end

data/lib/portunus/master_key.rb

@@ -0,0 +1,15 @@
+module Portunus
+  class MasterKey
+    include ActiveModel::Model
+
+    attr_accessor :name, :value, :enabled, :created_at
+
+    def self.load
+      Portunus.configuration.storage_adaptor.load
+    end
+
+    def self.lookup(key_name)
+      Portunus.configuration.storage_adaptor.lookup(key_name)
+    end
+  end
+end

data/lib/portunus/railtie.rb

@@ -0,0 +1,14 @@
+# lib/railtie.rb
+require "portunus"
+require "rails"
+
+module Portunus
+  class Railtie < Rails::Railtie
+    railtie_name :portunus
+
+    rake_tasks do
+      path = File.expand_path(__dir__)
+      Dir.glob("#{path}/tasks/**/*.rake").each { |f| load f }
+    end
+  end
+end

data/lib/portunus/rotators/dek.rb

@@ -0,0 +1,69 @@
+module Portunus
+  module Rotators
+    class Dek
+      def self.for(data_encryption_key)
+        new(data_encryption_key).rotate
+      end
+
+      def initialize(data_encryption_key)
+        @data_encryption_key = data_encryption_key
+      end
+
+      def rotate
+        encryptable = data_encryption_key.encryptable
+
+        encryptable.class.encrypted_fields_list.map do |field_name|
+          field_value_map[field_name.to_sym] = encryptable.send(field_name.to_sym)
+        end
+
+        data_encryption_key.encrypted_key = new_encrypted_key
+
+        field_value_map.map do |field_name, value|
+          encryptable.send("#{field_name}=".to_sym, value)
+        end
+
+        ActiveRecord::Base.transaction do
+          encryptable.save
+          data_encryption_key.last_dek_rotation = DateTime.now
+          data_encryption_key.save
+        end
+
+        true
+      rescue StandardError => error
+        raise ::Portunus::Error.new(
+          "Rotating DEK failed: #{error.full_message}"
+        )
+      end
+
+      private
+
+      attr_reader :data_encryption_key
+
+      def storage_adaptor
+        ::Portunus.configuration.storage_adaptor
+      end
+
+      def encrypter
+        ::Portunus.configuration.encrypter
+      end
+
+      def field_value_map
+        @_field_value_map ||= {}
+      end
+
+      def master_key
+        storage_adaptor.lookup(data_encryption_key.master_keyname)
+      end
+
+      def new_plaintext_key
+        @_new_plaintext_key ||= encrypter.generate_key
+      end
+
+      def new_encrypted_key
+        encrypter.encrypt(
+          key: master_key.value, value: new_plaintext_key
+        )
+      end
+    end
+  end
+end

data/lib/portunus/rotators/kek.rb

@@ -0,0 +1,51 @@
+module Portunus
+  module Rotators
+    class Kek
+      def self.for(data_encryption_key)
+        new(data_encryption_key).rotate
+      end
+
+      def initialize(data_encryption_key)
+        @data_encryption_key = data_encryption_key
+        @unencrypted_dek = data_encryption_key.key
+      end
+
+      def rotate
+        data_encryption_key.master_keyname = new_master_key_name
+        data_encryption_key.encrypted_key = encrypted_dek_with_new_master
+        data_encryption_key.last_kek_rotation = DateTime.now
+        data_encryption_key.save!
+      end
+
+      private
+
+      attr_reader :data_encryption_key, :unencrypted_dek
+
+      def encrypted_dek_with_new_master
+        Portunus.configuration.encrypter.encrypt(
+          key: new_master_key.value,
+          value: unencrypted_dek
+        )
+      end
+
+      def new_master_key
+        @_new_master_key ||= ::Portunus.configuration.storage_adaptor.lookup(
+          new_master_key_name.to_sym
+        )
+      end
+
+      def wrapped_current_master_key
+        [data_encryption_key.master_keyname]
+      end
+
+      def master_keys
+        Portunus.configuration.storage_adaptor.list
+      end
+
+      def new_master_key_name
+        @_new_master_key_name ||= (master_keys - wrapped_current_master_key).
+          sample
+      end
+    end
+  end
+end

data/lib/portunus/storage_adaptors/credentials.rb

@@ -0,0 +1,48 @@
+module Portunus
+  module StorageAdaptors
+    class Credentials
+      def self.for(data_encryption_key)
+        self.lookup(data_encryption_key.master_keyname)
+      end
+
+      def self.load
+        key_names = Rails.application.credentials.portunus.keys
+
+        key_names.map do |key_name|
+          ::Portunus.configuration.add_key(key_name)
+        end
+      end
+
+      # Required method
+      def self.lookup(key_name)
+        master_key = Rails.application.credentials.portunus[key_name.to_sym]
+
+        MasterKey.new(
+          enabled: master_key[:enabled],
+          name: key_name,
+          value: master_key[:key],
+          created_at: master_key[:created_at]
+        )
+      rescue StandardError
+        raise ::Portunus::Error.new("Portunus: Master key not found")
+      end
+
+      # Required method
+      def self.list
+        key_names = Rails.application.credentials.portunus.keys
+        # reject any disabled keys so we no longer utilize them for new
+        # deks
+        key_names.reject! do |key_name|
+          Rails.application.credentials.portunus[key_name][:enabled] == false
+        end
+
+        if key_names.length == 0
+          raise ::Portunus::Error.new("No valid master keys configured")
+        end
+
+        key_names
+      end
+    end
+  end
+end
+

data/lib/portunus/storage_adaptors/environment.rb

@@ -0,0 +1,67 @@
+module Portunus
+  module StorageAdaptors
+    class Environment
+      def self.for(data_encryption_key)
+        self.lookup(data_encryption_key.master_keyname)
+      end
+
+      def self.key_map
+        @@key_map ||= {}
+      end
+
+      def self.reset_key_map
+        @@key_map = {}
+      end
+
+      def self.load
+        key_names = ENV.keys.select { |key| key.start_with?("PORTUNUS_") }
+
+        key_names.map do |name|
+          _portunus, key_name, key_type  = name.split("_")
+
+          if self.key_map[key_name.to_sym].blank?
+            self.key_map[key_name.to_sym] = {}
+          end
+
+          self.key_map[key_name.to_sym][key_type.to_sym] = ENV.fetch(name)
+        end
+
+        true
+      rescue StandardError => error
+        raise ::Portunus::Error.new(
+          "Portunus: Master keys failed to load: #{error.full_message}"
+        )
+      end
+
+      def self.lookup(key_name)
+        master_key = self.key_map[key_name.to_sym]
+
+        MasterKey.new(
+          enabled: master_key[:ENABLED],
+          name: key_name,
+          value: master_key[:KEY],
+          created_at: master_key[:CREATED]
+        )
+      rescue StandardError
+        raise ::Portunus::Error.new("Portunus: Master key not found")
+      end
+
+      def self.list
+        # Select only enabled keys
+        key_names = self.key_map.keys.map do |keyname|
+          keyname if self.key_map[keyname][:ENABLED] == "true"
+        end.compact
+
+        if key_names.length == 0
+          raise ::Portunus::Error.new("No valid master keys configured")
+        end
+
+        key_names
+      end
+
+      private
+
+      attr_reader :data_encryption_key
+    end
+  end
+end