ripple-encryption 0.0.3

data/Gemfile

@@ -0,0 +1,13 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in ripple-contrib.gemspec
+gemspec
+
+gem 'riak-client', '~> 1.1.1'
+gem 'ripple', :git => 'git://github.com/basho/ripple.git', :ref => '913806aa2942db5a3b61d1432d2c9be200338f50'
+
+group :development, :test do
+  gem 'linecache19', :git => 'git://github.com/mark-moseley/linecache'
+  gem 'ruby-debug-base19x', '~> 0.11.30.pre4'
+  gem "ruby-debug19", "0.11.6"
+end

data/Gemfile.lock

@@ -0,0 +1,80 @@
+GIT
+  remote: git://github.com/basho/ripple.git
+  revision: 913806aa2942db5a3b61d1432d2c9be200338f50
+  ref: 913806aa2942db5a3b61d1432d2c9be200338f50
+  specs:
+    ripple (1.0.0.beta2)
+      activemodel (>= 3.0.0, < 3.3.0)
+      activesupport (>= 3.0.0, < 3.3.0)
+      riak-client (~> 1.1.0)
+      tzinfo
+
+GIT
+  remote: git://github.com/mark-moseley/linecache
+  revision: 869c6a65155068415925067e480741bd0a71527e
+  specs:
+    linecache19 (0.5.12)
+      ruby_core_source (>= 0.1.4)
+
+PATH
+  remote: .
+  specs:
+    ripple-encryption (0.0.3)
+      riak-client
+      ripple
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activemodel (3.2.12)
+      activesupport (= 3.2.12)
+      builder (~> 3.0.0)
+    activesupport (3.2.12)
+      i18n (~> 0.6)
+      multi_json (~> 1.0)
+    archive-tar-minitar (0.5.2)
+    beefcake (0.3.7)
+    builder (3.0.4)
+    columnize (0.3.6)
+    i18n (0.6.4)
+    innertube (1.0.2)
+    mini_shoulda (0.5.0)
+      minitest (> 2.1.0)
+    minitest (3.3.0)
+    multi_json (1.6.1)
+    rake (0.9.2.2)
+    riak-client (1.1.1)
+      beefcake (~> 0.3.7)
+      builder (>= 2.1.2)
+      i18n (>= 0.4.0)
+      innertube (~> 1.0.2)
+      multi_json (~> 1.0)
+    ruby-debug-base19 (0.11.25)
+      columnize (>= 0.3.1)
+      linecache19 (>= 0.5.11)
+      ruby_core_source (>= 0.1.4)
+    ruby-debug-base19x (0.11.30.pre10)
+      columnize (>= 0.3.1)
+      linecache19 (>= 0.5.11)
+      rake (>= 0.8.1)
+      ruby_core_source (>= 0.1.4)
+    ruby-debug19 (0.11.6)
+      columnize (>= 0.3.1)
+      linecache19 (>= 0.5.11)
+      ruby-debug-base19 (>= 0.11.19)
+    ruby_core_source (0.1.5)
+      archive-tar-minitar (>= 0.5.2)
+    tzinfo (0.3.35)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  linecache19!
+  mini_shoulda
+  rake
+  riak-client (~> 1.1.1)
+  ripple!
+  ripple-encryption!
+  ruby-debug-base19x (~> 0.11.30.pre4)
+  ruby-debug19 (= 0.11.6)

data/LICENSE

@@ -0,0 +1,16 @@
+Copyright (c) 2012 Basho Technologies, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+All of the files in this project are under the project-wide license
+unless they are otherwise marked.

data/README.md

@@ -0,0 +1,67 @@
+# Ripple::Encryption
+
+The ripple-encryption gem provides encryption and decryption for Ripple documents.
+[riak-ruby](https://github.com/basho/riak-ruby-client) [ripple](https://github.com/basho/ripple)
+
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'ripple-encryption'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install ripple-encryption
+
+## Overview
+
+You call the activation, which initializes a global serializer within
+Ripple.  Any object that gets saved with content-type 'application/x-json-encrypted'
+then goes through the Encryption::Serializer, which loads or unloads the
+data from Riak through the JsonDocument and EncryptedJsonDocument,
+respectively.  Both of these have a dependency on Encryption::Encrypter,
+which makes the actual calls to OpenSSL.
+
+JsonDocument stores the encrypted data wrapped in JSON encapsulation so
+that you can still introspect the Riak object and see which version of
+this gem was used to encrypt it.
+
+There is also a Rake file to convert between encrypted and decrypted
+JSON objects.
+
+## Usage
+
+Include the gem in your Gemfile.  Activate it somewhere in your
+application initialization by pointing it to your encryption config file
+like so:
+
+    Ripple::Encryption.activate PATH_TO_CONFIG_FILE
+
+Then include the Ripple::Encryption module in your document class:
+
+    class SomeDocument
+      include Ripple::Document
+      include Ripple::Encryption
+      property :message, String
+    end
+
+These documents will now be stored encrypted.
+
+## Running the Tests
+
+Adjust the 'test/fixtures/ripple.yml' to point to a test riak database.
+
+    bundle exec rake
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,32 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+
+require 'rake'
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.test_files = FileList['test/**/test_*.rb']
+  t.verbose = true
+end
+
+namespace :test do
+  desc "Test everything"
+  task :all => [:test]
+end
+
+task :default => :test
+
+# Connect to Riak and test the client connection.
+
+namespace :migrate do
+  desc "Read in all unencrypted files, and save them to encrypted encoding."
+  task :encrypt do
+    Ripple::Encrytion::Migrate.new.convert(:encrypt)
+  end
+
+  desc "Read in all encrypted files, and save them unencrypted."
+  task :decrypt do
+    Ripple::Encrytion::Migrate.new.convert(:decrypt)
+  end
+end

data/config/encryption.yml.example

@@ -0,0 +1,20 @@
+# AES-256-CBC requires a 32-byte key and 16 byte iv
+
+# remove iv if a random generated iv is desired
+
+development:
+  cipher: AES-256-CBC
+  key: fantasticobscurekeygoesherenowty
+  iv: !binary |
+    ABYLnUHWE/fIwE2gKYC6hg==
+
+test:
+  cipher: AES-256-CBC
+  key: fantasticobscurekeygoesherenowty
+  iv: !binary |
+    ABYLnUHWE/fIwE2gKYC6hg==
+
+prod:
+  cipher: AES-256-CBC
+  key: fantasticobscurekeygoesherenowty
+  base64: true

data/config/ripple.yml.example

@@ -0,0 +1,9 @@
+development:
+  host: 127.0.0.1
+  http_port: 8098
+  namespace: local_ns~
+
+test:
+  host: 127.0.0.1
+  http_port: 9000
+  namespace: test_ns~

data/lib/rake/migrate.rb

@@ -0,0 +1,82 @@
+module Ripple
+  module Encryption
+    class Migration
+      # create log files in the tmp dir
+      def initialize
+        relative_root = File.expand_path(File.join('..','..','..'),__FILE__)
+        require File.join(relative_root,'lib','ripple-encryption.rb')
+        tmp_dir = File.join(relative_root,'tmp')
+        output_dir = File.join(tmp_dir,Time.now.strftime("%m-%d-%Y-%I%M%p"))
+        Dir.mkdir(tmp_dir) unless File.exists?(tmp_dir)
+        Dir.mkdir(output_dir) unless File.exists?(output_dir)
+        @fetched_file = File.open(File.join(output_dir,'fetched.log'),'w')
+        @stored_file  = File.open(File.join(output_dir,'stored.log'),'w')
+        @error_file   = File.open(File.join(output_dir,'error.log'),'w')
+      end
+
+      # finde only the encryptable models
+      def models
+        Objects.constants.map{|c| "#{c}".constantize}.select{|c| c.include?(Ripple::Encryption)}
+      end
+
+      # cycle through all objects and save them
+      def convert(type)
+        # the difference between encryption or decryption is
+        # simply changing the content-type of the object so
+        # that ripple knows what way to serialize it
+        case type
+        when :encrypt
+          content_type = 'application/x-json-encrypted'
+        when :decrypt
+          content_type = 'application/json'
+        end
+
+        # we don't need no stinking warnings :-)
+        Riak.disable_list_keys_warnings = true
+
+        # cycle through each key in the database and
+        # read it, then save it
+        print 'Processing buckets: '
+        models.each do |model|
+          success = nil
+          count = 0
+          bucket_name = model.bucket_name
+          model.bucket.keys do |streaming_keys|
+            streaming_keys.each do |key|
+              begin
+                object = model.find key
+                log :fetched, "/buckets/#{bucket_name}/keys/#{key}"
+                object.robject.content_type = content_type
+                object.save!
+                log :stored, "/buckets/#{bucket_name}/keys/#{key}"
+                count += 1
+              rescue => e
+                log :error, "/buckets/#{bucket_name}/keys/#{key} #{e}".force_encoding('UTF-8')
+                success = 'E, '
+              end
+            end
+          end
+          print success || "#{count}, "
+        end
+        puts ' Done.'
+
+        # warn us. please. :-)
+        Riak.disable_list_keys_warnings = false
+      end
+
+      # log the object action
+      def log(type, object, error=nil)
+        case type
+        when :fetched
+          @fetched_file.puts object
+        when :stored
+          @stored_file.puts object
+        when :error
+          @error_file.write object
+          @error_file.write error
+          @error_file.write "\n"
+        end
+      end
+    end
+  end
+end

data/lib/ripple-encryption.rb

@@ -0,0 +1,10 @@
+require 'openssl'
+require 'ripple'
+
+module Ripple
+  module Encryption
+  end
+end
+
+# Include all of the support files.
+FileList[File.expand_path(File.join('..','ripple-encryption','*.rb'),__FILE__)].each{|f| require f}

data/lib/ripple-encryption/activation.rb

@@ -0,0 +1,75 @@
+require 'openssl'
+require 'ripple'
+
+module Ripple
+  module Encryption
+
+    # When mixed into a Ripple::Document class, this will encrypt the
+    # serialized form before it is stored in Riak.  You must register
+    # a serializer that will perform the encryption.
+    # @see Serializer
+      extend ActiveSupport::Concern
+
+      @@is_activated = false
+
+      included do
+        @@encrypted_content_type = self.encrypted_content_type = 'application/x-json-encrypted'
+      end
+
+      module ClassMethods
+        # @return [String] the content type to be used to indicate the
+        #     proper encryption scheme. Defaults to 'application/x-json-encrypted'
+        attr_accessor :encrypted_content_type
+      end
+
+      # Overrides the internal method to set the content-type to be
+      # encrypted.
+      def update_robject
+        super
+        if @@is_activated
+          robject.content_type = @@encrypted_content_type
+        end
+      end
+
+      def self.activate(path)
+        encryptor = nil
+        unless Riak::Serializers['application/x-json-encrypted']
+          begin
+            config = YAML.load_file(path)[ENV['RACK_ENV']]
+            encryptor = Ripple::Encryption::Serializer.new(OpenSSL::Cipher.new(config['cipher']), 'application/x-json-encrypted', path)
+          rescue Exception => e
+            handle_invalid_encryption_config(e.message, e.backtrace)
+          end
+          encryptor.key = config['key'] if config['key']
+          encryptor.iv = config['iv'] if config['iv']
+          Riak::Serializers['application/x-json-encrypted'] = encryptor
+          @@is_activated = true
+        end
+        encryptor
+      end
+
+      def self.activated
+        @@is_activated
+      end
+
+  end
+end
+
+def handle_invalid_encryption_config(msg, trace)
+  puts <<eos
+
+    The file "config/encryption.yml" is missing or incorrect. You will
+    need to create this file and populate it with a valid cipher,
+    initialization vector and secret key.
+
+    An example is provided in "config/encryption.yml.example".
+eos
+
+  puts "Error Message: " + msg
+  puts "Error Trace:"
+  trace.each do |line|
+    puts line
+  end
+
+  exit 1
+end

data/lib/ripple-encryption/config.rb

@@ -0,0 +1,43 @@
+require 'openssl'
+
+module Ripple
+  module Encryption
+    # Generic error class for Config
+    class ConfigError < StandardError; end
+
+    # Handles the configuration information for the Encryptor.
+    #
+    # Example usage:
+    #     Ripple::Encryption::Config.defaults
+    #     Ripple::Encryption::Config.new(:iv => "SOMEIV").to_h
+    class Config
+      # Initializes the config from our yml file.
+      # @param [String] path to yml file
+      def initialize(path)
+        validate_path(path)
+        @config = YAML.load_file(path)[ENV['RACK_ENV']]
+      end
+
+      # Return the options in the hash expected by Encryptor.
+      def to_h
+        @config
+      end
+
+      # Return either the default initialization vector, or create a new one.
+      def activate
+        @config['iv'] ||= OpenSSL::Random.random_bytes(16)
+      end
+
+      def validate_path(path)
+        if !File.exists? path
+          raise Ripple::Encryption::ConfigError, <<MISSINGFILE
+The file "config/encryption.yml" is missing or incorrect. You will
+need to create this file and populate it with a valid cipher,
+initialization vector and secret key.  An example is provided in 
+"config/encryption.yml.example".
+MISSINGFILE
+        end
+      end
+    end
+  end
+end

data/lib/ripple-encryption/encrypted_json_document.rb

@@ -0,0 +1,29 @@
+module Ripple
+  module Encryption
+    # Generic error class for Encryptor
+    class EncryptedJsonDocumentError < StandardError; end
+
+    # Interprets a encapsulation in JSON for encrypted Ripple documents.
+    #
+    # Example usage:
+    #     Ripple::Encryption::JsonDocument.new(@document).encrypt
+    class EncryptedJsonDocument
+      # Creates an object that is prepared to decrypt its contents.
+      # @param [String] data json string that was stored in Riak
+      def initialize(config, data)
+        @config = config.to_h.clone
+        @json = JSON.parse data
+        raise(EncryptedJsonDocumentError, "Missing 'iv' for decryption") unless @json['iv']
+        iv = Base64.decode64 @json['iv']
+        @config.merge!('iv' => iv)
+
+        @decryptor = Ripple::Encryption::Encryptor.new @config
+      end
+
+      # Returns the original data from the stored encrypted format
+      def decrypt
+        JSON.load @decryptor.decrypt Base64.decode64 @json['data']
+      end
+    end
+  end
+end

data/lib/ripple-encryption/encryptor.rb

@@ -0,0 +1,48 @@
+module Ripple
+  module Encryption
+    # Generic error class for Encryptor
+    class EncryptorConfigError < StandardError; end
+
+    # Implements a simple object that can either encrypt or decrypt arbitrary data.
+    #
+    # Example usage:
+    #     encryptor = Ripple::Encryption::Encryptor.new Ripple::Encryption::Config.defaults
+    #     encryptor.encrypt stuff
+    #     encryptor.decrypt stuff
+    class Encryptor
+      # Creates an Encryptor that is prepared to encrypt/decrypt a blob.
+      # @param [Hash] config the key/cipher/iv needed to initialize OpenSSL
+      def initialize(config)
+        # ensure that we have the required configuration keys
+        %w(cipher key iv).each do |option|
+          raise(Ripple::Encryption::EncryptorConfigError, "Missing configuration option '#{option}'.") if config[option].nil?
+        end
+        @config = config
+        @cipher = OpenSSL::Cipher.new(@config['cipher'])
+      end
+
+      # Encrypt stuff.
+      # @param [Object] blob the data to encrypt
+      def encrypt(blob)
+        initialize_cipher_for :encrypt
+        "#{@cipher.update blob}#{@cipher.final}"
+      end
+
+      # Decrypt stuff.
+      # @param [Object] blob the encrypted data to decrypt
+      def decrypt(blob)
+        initialize_cipher_for :decrypt
+        "#{@cipher.update blob}#{@cipher.final}"
+      end
+
+      private
+      # This sets the mode so OpenSSL knows to encrypt or decrypt, etc.
+      # @param [Symbol] mode either :encrypt or :decrypt
+      def initialize_cipher_for(mode)
+        @cipher.send mode
+        @cipher.key = @config['key']
+        @cipher.iv  = @config['iv']
+      end
+    end
+  end
+end

data/lib/ripple-encryption/json_document.rb

@@ -0,0 +1,24 @@
+module Ripple
+  module Encryption
+    # Implements an encapsulation in JSON for encrypted Ripple documents.
+    #
+    # Example usage:
+    #     Ripple::Encryption::JsonDocument.new(@document).encrypt
+    class JsonDocument
+      # Creates an object that is prepared to encrypt its contents.
+      # @param [String] data object to store
+      def initialize(config, data)
+        config.activate
+        @config = config.to_h
+        @data = JSON.dump(data)
+        @encryptor = Ripple::Encryption::Encryptor.new @config
+      end
+
+      # Converts the data into the encrypted format
+      def encrypt
+        encrypted_data = @encryptor.encrypt @data
+        JSON.dump({:version => Ripple::Encryption::VERSION, :iv => Base64.encode64(@config['iv']), :data => Base64.encode64(encrypted_data)})
+      end
+    end
+  end
+end

data/lib/ripple-encryption/serializer.rb

@@ -0,0 +1,117 @@
+module Ripple
+  module Encryption
+    # Implements the {Riak::Serializer} API for the purpose of
+    # encrypting/decrypting Ripple documents.
+    #
+    # Example usage:
+    #     ::Riak::Serializers['application/x-json-encrypted'] = EncryptedSerializer.new(OpenSSL::Cipher.new("AES-256"))
+    #     class MyDocument
+    #       include Ripple::Document
+    #       include Riak::Encryption
+    #     end
+    #
+    # @see Encryption
+    class Serializer
+      # @return [String] The Content-Type of the internal format,
+      #      generally "application/json"
+      attr_accessor :content_type
+
+      # @return [OpenSSL::Cipher, OpenSSL::PKey::*] the cipher used to encrypt the object
+      attr_accessor :cipher
+
+      # Cipher-specific settings
+      # @see OpenSSL::Cipher
+      attr_accessor :key, :iv, :key_length, :padding
+
+      # Serialization Options
+      # @return [true, false] Is the encrypted text also base64 encoded?
+      attr_accessor :base64
+
+      # Creates a serializer using the provided cipher and internal
+      # content type. Be sure to set the {#key}, {#iv}, {#key_length},
+      # {#padding} as appropriate for the cipher before attempting
+      # (de-)serialization.
+      # @param [OpenSSL::Cipher] cipher the desired
+      #     encryption/decryption algorithm
+      # @param [String] content_type the Content-Type of the
+      #     unencrypted contents
+      def initialize(cipher, content_type='application/json', path)
+        @cipher, @content_type = cipher, content_type
+        @config = Ripple::Encryption::Config.new(path)
+      end
+
+      # Serializes and encrypts the Ruby object using the assigned
+      # cipher and Content-Type.
+      # @param [Object] object the Ruby object to serialize/encrypt
+      # @return [String] the serialized, encrypted form of the object
+      def dump(object)
+        JsonDocument.new(@config, object).encrypt
+      end
+
+      # Decrypts and deserializes the blob using the assigned cipher
+      # and Content-Type.
+      # @param [String] blob the original content from Riak
+      # @return [Object] the decrypted and deserialized object
+      def load(object)
+        # try the v1 way first
+        begin
+          internal = decrypt(object)
+          return ::Riak::Serializers.deserialize('application/json', internal)
+        # if that doesn't work, try the v2 way
+        rescue OpenSSL::Cipher::CipherError, MultiJson::DecodeError
+          return EncryptedJsonDocument.new(@config, object).decrypt
+        end
+      end
+
+      private
+
+      # generates a new iv each call unless a static (less secure)
+      # iv is used.
+      def encrypt(object)
+        old_version = '0.0.1'
+        result = ''
+        if cipher.respond_to?(:iv=) and @iv == nil
+          iv = OpenSSL::Random.random_bytes(cipher.iv_len)
+          cipher.iv = iv
+          result << old_version << iv
+        end
+
+        if cipher.respond_to?(:public_encrypt)
+          result << cipher.public_encrypt(object)
+        else
+          cipher_setup :encrypt
+          result << cipher.update(object) << cipher.final
+          cipher.reset
+        end
+        return result
+      end
+
+      def decrypt(cipher_text)
+        old_version = '0.0.1'
+
+        if cipher.respond_to?(:iv=) and @iv == nil
+          version = cipher_text.slice(0, old_version.length)
+          cipher.iv = cipher_text.slice(old_version.length, cipher.iv_len)
+          cipher_text = cipher_text.slice(old_version.length + cipher.iv_len, cipher_text.length)
+        end
+
+        if cipher.respond_to?(:private_decrypt)
+          cipher.private_decrypt(cipher_text)
+        else
+          cipher_setup :decrypt
+          result = cipher.update(cipher_text) << cipher.final
+          cipher.reset
+          result
+        end
+      end
+
+      def cipher_setup(mode)
+        cipher.send mode
+        cipher.key        = key        if key
+        cipher.iv         = iv         if iv
+        cipher.key_length = key_length if key_length
+        cipher.padding    = padding    if padding
+      end
+    end
+  end
+end

data/lib/ripple-encryption/version.rb

@@ -0,0 +1,5 @@
+module Ripple
+  module Encryption
+    VERSION = "0.0.3"
+  end
+end

data/ripple-encryption.gemspec

@@ -0,0 +1,24 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/ripple-encryption/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Randy Secrist", "Casey Rosenthal"]
+  gem.email         = ["rsecrist@basho.com", "casey@basho.com"]
+  gem.description   = %q{Easily encrypt data at rest with minimal changes to existing ripple models.}
+  gem.summary       = %q{A simple encryption library for objects stored in riak.}
+  gem.homepage      = "http://github.com/basho/ripple-encryption"
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "ripple-encryption"
+  gem.require_paths = ["lib"]
+  gem.version       = Ripple::Encryption::VERSION
+
+  gem.add_dependency 'riak-client'
+  gem.add_dependency 'ripple'
+
+  # Test Dependencies
+  gem.add_development_dependency 'rake'
+  gem.add_development_dependency 'mini_shoulda'
+end

data/test/fixtures/encryption.yml

@@ -0,0 +1,5 @@
+test:
+  cipher: AES-256-CBC
+  key: fantasticobscurekeygoesherenowty
+  iv: !binary |
+    ABYLnUHWE/fIwE2gKYC6hg==

data/test/fixtures/encryption_no_iv.yml

@@ -0,0 +1,3 @@
+test:
+  cipher: AES-256-CBC
+  key: fantasticobscurekeygoesherenowty

data/test/fixtures/ripple.yml

@@ -0,0 +1,4 @@
+test:
+  host: 127.0.0.1
+  http_port: 8098
+  namespace: test_ns~

data/test/fixtures/test_document/some_data.unencrypted.riak

@@ -0,0 +1 @@
+{"message":"this is unencrypted data", "_type":"TestDocument"}

data/test/fixtures/test_document/some_other_data.encrypted.riak

@@ -0,0 +1 @@
+{"version":"0.0.3","iv":"ABYLnUHWE/fIwE2gKYC6hg==\n","data":"KYtsnoDZ85AMR/eZAVBtEXe88gB/UNagMpl4oV7FLxUgtqw5BvPCbLChrmdg\nsRQas2VZ8/FkIx5CiMeJYoi9Ag==\n"}

data/test/fixtures/test_document/v0_doc.riak

@@ -0,0 +1 @@
+{"message":"this is unencrypted data", "_type":"TestDocument"}

data/test/fixtures/test_document/v1_doc.riak

@@ -0,0 +1 @@
+0��d�>^��

data/test/fixtures/test_document/v2_doc.riak

@@ -0,0 +1 @@
+{"version":"0.0.2","iv":"ABYLnUHWE/fIwE2gKYC6hg==\n","data":"MK0LuGThPhde4t0NfKSbhAvPjTuFmykhWVGNxPG++40=\n"}

data/test/helper.rb

@@ -0,0 +1,53 @@
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+
+require 'minitest/autorun'
+require 'mini_shoulda'
+
+require 'ripple-encryption'
+
+ENV['RACK_ENV']   = 'test'
+ENV['RIPPLE']     = File.expand_path(File.join('..','fixtures','ripple.yml'),__FILE__)
+ENV['ENCRYPTION'] = File.expand_path(File.join('..','fixtures','encryption.yml'),__FILE__)
+
+# connect to a local Riak test node
+begin
+  Ripple.load_configuration ENV['RIPPLE'], ['test']
+  riak_config = Hash[YAML.load_file(ENV['RIPPLE'])['test'].map{|k,v| [k.to_sym, v]}]
+  client = Riak::Client.new(:nodes => [riak_config])
+  bucket = client.bucket("#{riak_config[:namespace].to_s}test") 
+  object = bucket.get_or_new("test") 
+rescue RuntimeError
+  raise RuntimeError, "Could not connect to the Riak test node."
+end
+# define test Ripple Documents
+Ripple::Encryption.activate ENV['ENCRYPTION']
+class TestDocument
+  include Ripple::Document
+  include Ripple::Encryption
+  property :message, String
+
+  def self.bucket_name
+    "#{Ripple.config[:namespace]}#{super}"
+  end
+end
+
+TestDocument.bucket.get_index('$bucket', '_').each {|k| TestDocument.bucket.delete(k)}
+
+# load Riak fixtures
+FileList[File.expand_path(File.join('..','fixtures','*'),__FILE__)].each do |f|
+  if Dir.exists? f
+    fixture_type = File.basename(f)
+    begin
+      klass = fixture_type.classify.constantize
+    rescue NameError
+      raise NameError, "Is a Ripple Document of type '#{fixture_type.classify}' defined for that fixture file?"
+    end
+    FileList[File.join(f,'*.riak')].each do |r|
+      key = File.basename(r,'.riak')
+      content_type = (key == 'v0_doc' ? 'application/json' : 'application/x-json-encrypted')
+      `curl -s -H 'content-type: #{content_type}' -XPUT http://#{Ripple.config[:host]}:#{Ripple.config[:http_port]}/buckets/#{Ripple.config[:namespace]}#{fixture_type.pluralize}/keys/#{key} --data-binary @#{r}`
+    end
+  end
+end
+

data/test/test_config.rb

@@ -0,0 +1,11 @@
+require 'helper'
+
+class TestConfig < MiniTest::Spec
+  context "Ripple::Encryption::Config" do
+    should "raise heck if the config file isn't found" do
+      assert_raises Ripple::Encryption::ConfigError do
+        config = Ripple::Encryption::Config.new('nowhere')
+      end
+    end
+  end
+end

data/test/test_encryptor.rb

@@ -0,0 +1,42 @@
+require 'helper'
+
+class TestEncryptor < MiniTest::Spec
+  context "Ripple::Encryption::Encryptor" do
+    setup do
+      config     = Ripple::Encryption::Config.new ENV['ENCRYPTION']
+      @encryptor = Ripple::Encryption::Encryptor.new config.to_h
+      # example text
+      @text      = "This is some nifty text."
+      # this is the example text encrypted
+      @blob      = "Vfn\xC3\xF1a\xB9\x89\x16\xCA\xD4w\xC4\xAF\x16\xA0c\xF7\xD0\x88\xA3;d\xC8Y\x91\xA8\x05W+)\xC8"
+    end
+
+    should "convert text to an encrypted blob" do
+      assert_equal @blob, @encryptor.encrypt(@text), "Encryption failed."
+    end
+
+    should "convert encrypted blob to text" do
+      assert_equal @text, @encryptor.decrypt(@blob), "Decryption failed."
+    end
+  end
+
+  context "Ripple::Encryption::Encryptor with missing parameter" do
+    should "raise an error if key is missing" do
+      assert_raises Ripple::Encryption::EncryptorConfigError do
+        Ripple::Encryption::Encryptor.new(:iv => 'iv', :cipher => 'AES-256-CBC')
+      end
+    end
+
+    should "raise an error if iv is missing" do
+      assert_raises Ripple::Encryption::EncryptorConfigError do
+        Ripple::Encryption::Encryptor.new(:key => 'key', :cipher => 'AES-256-CBC')
+      end
+    end
+
+    should "raise an error if cipher is missing" do
+      assert_raises Ripple::Encryption::EncryptorConfigError do
+        Ripple::Encryption::Encryptor.new(:key => 'key', :iv => 'iv')
+      end
+    end
+  end
+end

data/test/test_json_document.rb

@@ -0,0 +1,42 @@
+require 'helper'
+
+class TestJsonDocument < MiniTest::Spec
+  context "Ripple::Encryption::JsonDocument" do
+    setup do
+      # get some encryption going
+      @config    = Ripple::Encryption::Config.new ENV['ENCRYPTION']
+      encryptor = Ripple::Encryption::Encryptor.new @config.to_h
+
+      # this is the data package that we want
+      @document = {'some' => 'data goes here'}
+
+      # this is how we want that data package to actually be stored
+      encrypted_value = encryptor.encrypt JSON.dump @document
+      @encrypted_document = JSON.dump({:version => Ripple::Encryption::VERSION, :iv => Base64.encode64(@config.to_h['iv']), :data => Base64.encode64(encrypted_value)})
+    end
+
+    should "convert a document to our desired JSON format" do
+      assert_equal @encrypted_document, Ripple::Encryption::JsonDocument.new(@config, @document).encrypt, 'Did not get the JSON format expected.'
+    end
+
+    should "interpret our JSON format into a document" do
+      assert_equal @document, Ripple::Encryption::EncryptedJsonDocument.new(@config, @encrypted_document).decrypt, 'Did not get the JSON format expected.'
+    end
+  end
+
+  context "Ripple::Encryption::JsonDocument with no initialization vector" do
+    setup do
+      # this is the data package that we want
+      @document = {'some' => 'data goes here'}
+
+      # rig a JsonDocument without an iv
+      @config        = Ripple::Encryption::Config.new File.expand_path(File.join('..','fixtures','encryption_no_iv.yml'),__FILE__)
+      @json_document = Ripple::Encryption::JsonDocument.new(@config, @document)
+    end
+
+    should "convert a document to our desired JSON format and back again" do
+      encrypted_document = @json_document.encrypt
+      assert_equal @document, Ripple::Encryption::EncryptedJsonDocument.new(@config, encrypted_document).decrypt, 'Did not get the JSON format expected.'
+    end
+  end
+end

data/test/test_ripple.rb

@@ -0,0 +1,27 @@
+require 'helper'
+
+class TestRipple < MiniTest::Spec
+  context "TestDocument" do
+    should "write the ripple document" do
+      document = TestDocument.new
+      document.message = 'here is some new data'
+      document.save
+      same_document = TestDocument.find(document.key)
+      assert_equal document.message, same_document.message
+
+      # read the document back out
+      read_doc = TestDocument.find(document.key)
+      assert_equal 'here is some new data', read_doc.message
+    end
+
+    should "write the ripple document raw confirmation" do
+      document = TestDocument.new
+      document.message = 'here is some new data'
+      document.save
+      expected_data = 'VpQTfX23xKdMK4Kprp/xgwDh4UFFSYC8q4OeOhK2zPn0l5huFO+vsoBrq8pT\nd5Z3EdgPx3k8VpL0QNH1FM6m4g==\n'
+      expected_doc_data = "{\"version\":\"#{Ripple::Encryption::VERSION}\",\"iv\":\"ABYLnUHWE/fIwE2gKYC6hg==\\n\",\"data\":\"#{expected_data}\"}"
+      raw_data = `curl -s http://#{Ripple.config[:host]}:#{Ripple.config[:http_port]}/buckets/#{TestDocument.bucket_name}/keys/#{document.key}`
+      assert_equal expected_doc_data, raw_data
+    end
+  end
+end

data/test/test_unencrypted_document.rb

@@ -0,0 +1,24 @@
+require 'helper'
+
+class TestMigrationV1ToV2 < MiniTest::Spec
+  context "unencrypted GenericModel" do
+    setup do
+    end
+
+    should "read unencrypted document type" do
+      assert v0 = TestDocument.find('v0_doc')
+      assert_equal 'this is unencrypted data', v0.message
+    end
+
+    should "write unencrypted document type when content-type is plain" do
+      document = TestDocument.new
+      document.message = 'here is some new data'
+      Ripple::Encryption.class_variable_set(:@@is_activated, false)
+      document.robject.content_type = 'application/json'
+      document.save
+      expected_v2_data = '{"message":"here is some new data","_type":"TestDocument"}'
+      raw_data = `curl -s -XGET http://#{Ripple.config[:host]}:#{Ripple.config[:http_port]}/buckets/#{TestDocument.bucket_name}/keys/#{document.key}`
+      assert_equal expected_v2_data, raw_data
+    end
+  end
+end

metadata

@@ -0,0 +1,156 @@
+--- !ruby/object:Gem::Specification
+name: ripple-encryption
+version: !ruby/object:Gem::Version
+  version: 0.0.3
+  prerelease: 
+platform: ruby
+authors:
+- Randy Secrist
+- Casey Rosenthal
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-03-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: riak-client
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ripple
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mini_shoulda
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Easily encrypt data at rest with minimal changes to existing ripple models.
+email:
+- rsecrist@basho.com
+- casey@basho.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- config/encryption.yml.example
+- config/ripple.yml.example
+- lib/rake/migrate.rb
+- lib/ripple-encryption.rb
+- lib/ripple-encryption/activation.rb
+- lib/ripple-encryption/config.rb
+- lib/ripple-encryption/encrypted_json_document.rb
+- lib/ripple-encryption/encryptor.rb
+- lib/ripple-encryption/json_document.rb
+- lib/ripple-encryption/serializer.rb
+- lib/ripple-encryption/version.rb
+- ripple-encryption.gemspec
+- test/fixtures/encryption.yml
+- test/fixtures/encryption_no_iv.yml
+- test/fixtures/ripple.yml
+- test/fixtures/test_document/some_data.unencrypted.riak
+- test/fixtures/test_document/some_other_data.encrypted.riak
+- test/fixtures/test_document/v0_doc.riak
+- test/fixtures/test_document/v1_doc.riak
+- test/fixtures/test_document/v2_doc.riak
+- test/helper.rb
+- test/test_config.rb
+- test/test_encryptor.rb
+- test/test_json_document.rb
+- test/test_ripple.rb
+- test/test_unencrypted_document.rb
+homepage: http://github.com/basho/ripple-encryption
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: A simple encryption library for objects stored in riak.
+test_files:
+- test/fixtures/encryption.yml
+- test/fixtures/encryption_no_iv.yml
+- test/fixtures/ripple.yml
+- test/fixtures/test_document/some_data.unencrypted.riak
+- test/fixtures/test_document/some_other_data.encrypted.riak
+- test/fixtures/test_document/v0_doc.riak
+- test/fixtures/test_document/v1_doc.riak
+- test/fixtures/test_document/v2_doc.riak
+- test/helper.rb
+- test/test_config.rb
+- test/test_encryptor.rb
+- test/test_json_document.rb
+- test/test_ripple.rb
+- test/test_unencrypted_document.rb