portunus 0.3.2 → 0.3.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile.lock +4 -3
- data/README.md +19 -1
- data/lib/portunus/field_configurer.rb +0 -1
- data/lib/portunus/rotators/dek.rb +14 -10
- data/lib/portunus/tasks/rotate_keys.rake +13 -9
- data/lib/portunus/version.rb +1 -1
- metadata +3 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 55b4d7fa50d9b1784676c0cafbf30617b9eefa4fc441c2a6eb6db96b64b5a953
|
|
4
|
+
data.tar.gz: 647f2b1b543b9bd490d39e39d39d8178ab44a45f90a0b44aee1ffa7eacfa09ec
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b2bcd7c135f15758e05ebe0c94a3cd8b88b944db67440c0d2f535cb76af0aa8829ed89048e0b28fc9f354209b3235ffeb6679cf3ec4ede699a60861dd441934b
|
|
7
|
+
data.tar.gz: 1b16cfedbe5fa06809416e4f439612216ec9e08c221f44ca9c8b4af80d0a3b5729536d77e54486c8e53afd8fe7861d09381ccec361949c7a65fa46e39922cc5d
|
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
portunus (0.3.
|
|
4
|
+
portunus (0.3.5)
|
|
5
5
|
openssl (>= 2.1.0)
|
|
6
6
|
rails (>= 5.0.0)
|
|
7
7
|
|
|
@@ -79,7 +79,6 @@ GEM
|
|
|
79
79
|
activesupport (>= 4.2.0)
|
|
80
80
|
i18n (1.8.2)
|
|
81
81
|
concurrent-ruby (~> 1.0)
|
|
82
|
-
ipaddr (1.2.2)
|
|
83
82
|
json (2.3.0)
|
|
84
83
|
loofah (2.4.0)
|
|
85
84
|
crass (~> 1.0.2)
|
|
@@ -97,7 +96,6 @@ GEM
|
|
|
97
96
|
nokogiri (1.10.9)
|
|
98
97
|
mini_portile2 (~> 2.4.0)
|
|
99
98
|
openssl (2.1.2)
|
|
100
|
-
ipaddr
|
|
101
99
|
pry (0.12.2)
|
|
102
100
|
coderay (~> 1.1.0)
|
|
103
101
|
method_source (~> 0.9.0)
|
|
@@ -185,3 +183,6 @@ DEPENDENCIES
|
|
|
185
183
|
rspec
|
|
186
184
|
simplecov (~> 0.17.1)
|
|
187
185
|
sqlite3
|
|
186
|
+
|
|
187
|
+
BUNDLED WITH
|
|
188
|
+
2.1.4
|
data/README.md
CHANGED
|
@@ -54,13 +54,31 @@ include Portunus::Encryptable
|
|
|
54
54
|
```
|
|
55
55
|
|
|
56
56
|
### Set up your master keys
|
|
57
|
+
|
|
57
58
|
Portunus comes with two adaptors for your master keys, "credentials" and
|
|
58
59
|
"environment". This should cover the most common deploy scenarios. Before
|
|
59
60
|
Portunus can function, enabled master keys need to be added. There is a
|
|
60
61
|
generator to create the keys for you to then install in the proper
|
|
61
|
-
location.
|
|
62
|
+
location.
|
|
62
63
|
|
|
63
64
|
$ bundle exec rake portunus:generate_master_keys
|
|
65
|
+
|
|
66
|
+
If you are using the credentials adaptor (default), add the keys here.
|
|
67
|
+
Make sure to generate keys for each environment.
|
|
68
|
+
|
|
69
|
+
$ bundle exec rails credentials:edit --environment=development
|
|
70
|
+
|
|
71
|
+
#### Spring / Postgres / OSX
|
|
72
|
+
|
|
73
|
+
When using this combination a bug may arise that prompts a weird error message:
|
|
74
|
+
|
|
75
|
+
$ objc[4182]: +[__NSPlaceholderDictionary initialize] may have been in progress in another thread when fork() was called.
|
|
76
|
+
|
|
77
|
+
You can circumvent it by using the below command in High Sierra / Catalina. It
|
|
78
|
+
might not work in Mojave but I believe this issue unrelated to Portunus.
|
|
79
|
+
Alternatively just don't use spring.
|
|
80
|
+
|
|
81
|
+
$ export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
|
|
64
82
|
|
|
65
83
|
### Additional devise notes
|
|
66
84
|
|
|
@@ -12,20 +12,24 @@ module Portunus
|
|
|
12
12
|
def rotate
|
|
13
13
|
encryptable = data_encryption_key.encryptable
|
|
14
14
|
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
15
|
+
Rails.logger.debug(
|
|
16
|
+
"Rotating Encryptable: #{encryptable.class}, id: #{encryptable.id}"
|
|
17
|
+
)
|
|
18
|
+
|
|
19
|
+
ActiveRecord::Base.transaction do
|
|
20
|
+
encryptable.class.encrypted_fields_list.map do |field_name|
|
|
21
|
+
field_value_map[field_name.to_sym] = encryptable.send(field_name.to_sym)
|
|
22
|
+
end
|
|
18
23
|
|
|
19
|
-
|
|
24
|
+
data_encryption_key.update(encrypted_key: new_encrypted_key)
|
|
25
|
+
encryptable.data_encryption_key.reload
|
|
20
26
|
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
27
|
+
field_value_map.map do |field_name, value|
|
|
28
|
+
encryptable.send("#{field_name}=".to_sym, value)
|
|
29
|
+
end
|
|
24
30
|
|
|
25
|
-
ActiveRecord::Base.transaction do
|
|
26
31
|
encryptable.save
|
|
27
|
-
data_encryption_key.last_dek_rotation
|
|
28
|
-
data_encryption_key.save
|
|
32
|
+
data_encryption_key.update(last_dek_rotation: DateTime.now)
|
|
29
33
|
end
|
|
30
34
|
|
|
31
35
|
true
|
|
@@ -1,12 +1,16 @@
|
|
|
1
1
|
namespace :portunus do
|
|
2
2
|
desc "Rotate KEK keys, reencrypt the deks"
|
|
3
3
|
task rotate_keks: :environment do
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
4
|
+
if ENV["FORCE"] == "true"
|
|
5
|
+
scope = ::Portunus::DataEncryptionKey.all
|
|
6
|
+
else
|
|
7
|
+
scope = ::Portunus::DataEncryptionKey.
|
|
8
|
+
where(
|
|
9
|
+
"last_kek_rotation < ? or (created_at < ? and last_kek_rotation is null)",
|
|
10
|
+
DateTime.now - ::Portunus.configuration.max_key_duration,
|
|
11
|
+
DateTime.now - ::Portunus.configuration.max_key_duration
|
|
12
|
+
)
|
|
13
|
+
end
|
|
10
14
|
|
|
11
15
|
scope.in_batches do |relation|
|
|
12
16
|
relation.map do |encryption_key|
|
|
@@ -22,9 +26,9 @@ namespace :portunus do
|
|
|
22
26
|
else
|
|
23
27
|
scope = ::Portunus::DataEncryptionKey.
|
|
24
28
|
where(
|
|
25
|
-
"last_dek_rotation < ? or (created_at < ? and last_dek_rotation is null",
|
|
26
|
-
::Portunus.configuration.max_key_duration,
|
|
27
|
-
::Portunus.configuration.max_key_duration
|
|
29
|
+
"last_dek_rotation < ? or (created_at < ? and last_dek_rotation is null)",
|
|
30
|
+
DateTime.now - ::Portunus.configuration.max_key_duration,
|
|
31
|
+
DateTime.now - ::Portunus.configuration.max_key_duration
|
|
28
32
|
)
|
|
29
33
|
end
|
|
30
34
|
scope.in_batches do |relation|
|
data/lib/portunus/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: portunus
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Colin Petruno
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-07-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rails
|
|
@@ -234,8 +234,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
234
234
|
- !ruby/object:Gem::Version
|
|
235
235
|
version: '0'
|
|
236
236
|
requirements: []
|
|
237
|
-
|
|
238
|
-
rubygems_version: 2.7.6.2
|
|
237
|
+
rubygems_version: 3.1.4
|
|
239
238
|
signing_key:
|
|
240
239
|
specification_version: 4
|
|
241
240
|
summary: DEK and KEK Encryption for Rails
|