portunus 0.3.2 → 0.3.7
- checksums.yaml +4 -4
- data/Gemfile.lock +4 -3
- data/README.md +19 -1
- data/lib/portunus/field_configurer.rb +0 -1
- data/lib/portunus/rotators/dek.rb +14 -10
- data/lib/portunus/tasks/rotate_keys.rake +13 -9
- data/lib/portunus/version.rb +1 -1
- metadata +3 -4
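--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 55b4d7fa50d9b1784676c0cafbf30617b9eefa4fc441c2a6eb6db96b64b5a953
+data.tar.gz: 647f2b1b543b9bd490d39e39d39d8178ab44a45f90a0b44aee1ffa7eacfa09ec
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b2bcd7c135f15758e05ebe0c94a3cd8b88b944db67440c0d2f535cb76af0aa8829ed89048e0b28fc9f354209b3235ffeb6679cf3ec4ede699a60861dd441934b
+data.tar.gz: 1b16cfedbe5fa06809416e4f439612216ec9e08c221f44ca9c8b4af80d0a3b5729536d77e54486c8e53afd8fe7861d09381ccec361949c7a65fa46e39922cc5d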
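--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
-portunus (0.3.
+portunus (0.3.5)
 openssl (>= 2.1.0)
 rails (>= 5.0.0)
 
@@ -79,7 +79,6 @@ GEM
 activesupport (>= 4.2.0)
 i18n (1.8.2)
 concurrent-ruby (~> 1.0)
-ipaddr (1.2.2)
 json (2.3.0)
 loofah (2.4.0)
 crass (~> 1.0.2)
@@ -97,7 +96,6 @@ GEM
 nokogiri (1.10.9)
 mini_portile2 (~> 2.4.0)
 openssl (2.1.2)
-ipaddr
 pry (0.12.2)
 coderay (~> 1.1.0)
 method_source (~> 0.9.0)
@@ -185,3 +183,6 @@ DEPENDENCIES
 rspec
 simplecov (~> 0.17.1)
 sqlite3
+
+BUNDLED WITH
+2.1.4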
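--- a/data/README.md
+++ b/data/README.md
@@ -54,13 +54,31 @@ include Portunus::Encryptable
 ```
 
 ### Set up your master keys
+
 Portunus comes with two adaptors for your master keys, "credentials" and
 "environment". This should cover the most common deploy scenarios. Before
 Portunus can function, enabled master keys need to be added. There is a
 generator to create the keys for you to then install in the proper
-location.
+location.
 
 $ bundle exec rake portunus:generate_master_keys
+
+If you are using the credentials adaptor (default), add the keys here.
+Make sure to generate keys for each environment.
+
+$ bundle exec rails credentials:edit --environment=development
+
+#### Spring / Postgres / OSX
+
+When using this combination a bug may arise that prompts a weird error message:
+
+$ objc[4182]: +[__NSPlaceholderDictionary initialize] may have been in progress in another thread when fork() was called.
+
+You can circumvent it by using the below command in High Sierra / Catalina. It
+might not work in Mojave but I believe this issue unrelated to Portunus.
+Alternatively just don't use spring.
+
+$ export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
 
 ### Additional devise notes
 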
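--- a/data/lib/portunus/rotators/dek.rb
+++ b/data/lib/portunus/rotators/dek.rb
@@ -12,20 +12,24 @@ module Portunus
 def rotate
 encryptable = data_encryption_key.encryptable
 
-
-
-
+Rails.logger.debug(
+"Rotating Encryptable: #{encryptable.class}, id: #{encryptable.id}"
+)
+
+ActiveRecord::Base.transaction do
+encryptable.class.encrypted_fields_list.map do |field_name|
+field_value_map[field_name.to_sym] = encryptable.send(field_name.to_sym)
+end
 
-
+data_encryption_key.update(encrypted_key: new_encrypted_key)
+encryptable.data_encryption_key.reload
 
-
-
-
+field_value_map.map do |field_name, value|
+encryptable.send("#{field_name}=".to_sym, value)
+end
 
-ActiveRecord::Base.transaction do
 encryptable.save
-data_encryption_key.last_dek_rotation
-data_encryption_key.save
+data_encryption_key.update(last_dek_rotation: DateTime.now)
 end
 
 true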
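Review bot: The return values of `encryptable.save` and both `data_encryption_key.update` calls inside the transaction are ignored, so a failed validation on the encryptable leaves the DEK row already pointing at `new_encrypted_key` while the record's ciphertext was produced under the old key, and the transaction still commits because no exception is raised; using the bang forms — `data_encryption_key.update!(encrypted_key: new_encrypted_key)`, `encryptable.save!` and `data_encryption_key.update!(last_dek_rotation: DateTime.now)` — makes any failure roll the whole rotation back instead of leaving key and ciphertext out of step. The two `.map` loops are used only for their side effects and read better as `each`. `field_value_map` and `new_encrypted_key` are defined outside the hunk, so it is not visible here whether the map is reset between calls, and the class enclosing `rotate` starts outside the hunk as well.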
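--- a/data/lib/portunus/tasks/rotate_keys.rake
+++ b/data/lib/portunus/tasks/rotate_keys.rake
@@ -1,12 +1,16 @@
 namespace :portunus do
 desc "Rotate KEK keys, reencrypt the deks"
 task rotate_keks: :environment do
-
-
-
-
-
-
+if ENV["FORCE"] == "true"
+scope = ::Portunus::DataEncryptionKey.all
+else
+scope = ::Portunus::DataEncryptionKey.
+where(
+"last_kek_rotation < ? or (created_at < ? and last_kek_rotation is null)",
+DateTime.now - ::Portunus.configuration.max_key_duration,
+DateTime.now - ::Portunus.configuration.max_key_duration
+)
+end
 
 scope.in_batches do |relation|
 relation.map do |encryption_key|
@@ -22,9 +26,9 @@ namespace :portunus do
 else
 scope = ::Portunus::DataEncryptionKey.
 where(
-"last_dek_rotation < ? or (created_at < ? and last_dek_rotation is null",
-::Portunus.configuration.max_key_duration,
-::Portunus.configuration.max_key_duration
+"last_dek_rotation < ? or (created_at < ? and last_dek_rotation is null)",
+DateTime.now - ::Portunus.configuration.max_key_duration,
+DateTime.now - ::Portunus.configuration.max_key_duration
 )
 end
 scope.in_batches do |relation|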
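Review bot: The rotation cutoff is computed twice with separate `DateTime.now` calls in the `where` clause of `rotate_keks`, and the same clause with `dek` in place of `kek` is repeated in the second hunk; binding one local `cutoff = DateTime.now - ::Portunus.configuration.max_key_duration` and passing `cutoff, cutoff` keeps both binds identical and makes the intent readable at a glance. The `?` binds keep the SQL parameterized, which is the right shape for this query. The `FORCE` override only triggers on the literal string `"true"`; a sentence in the `desc` saying so would save operators a surprise. Both task bodies continue past the hunk.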
data/lib/portunus/version.rb
CHANGED
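--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: portunus
 version: !ruby/object:Gem::Version
-version: 0.3.
+version: 0.3.7
 platform: ruby
 authors:
 - Colin Petruno
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-
+date: 2020-07-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rails
@@ -234,8 +234,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-
-rubygems_version: 2.7.6.2
+rubygems_version: 3.1.4
 signing_key:
 specification_version: 4
 summary: DEK and KEK Encryption for Rails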