sequel_vault 0.4 → 0.5

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 3049adb333bd60b77bf10308bd4b762c0fe5e074
4
- data.tar.gz: 942936b542ea08b4c968d85a000515da9cd1c4f0
3
+ metadata.gz: 5786aa527d01d7c5bd4df1a1782a5522337c27e2
4
+ data.tar.gz: dab2b2ca481ca80a15e670635f7267c29e76f931
5
5
  SHA512:
6
- metadata.gz: ffeab0fb22d2bdb46899ff54599574251b41a55080a8311e08571d7255dd671bed61193f34ce5fd94fceaccf2b962d6a8e597fa168fd6b287dca70338e88178b
7
- data.tar.gz: 1ee118a4925797d427da37de478e95e486ba1521f7b4ad06366127d4ecfe4c89e51222f16bccd70f97aaf1f7e3bd94b4bdba1c97e884c21b61b6387891dadfa5
6
+ metadata.gz: 922ebf91834853e1188f8973d8c655ef2e5d86352626701cd2406b439d45888183ab32c86cce2e41a0e5a71ff0705be0f15764896f8a25ceab1795ff87c3b658
7
+ data.tar.gz: 862f5d2cbe3ca630807e3cb444d35bbd1157e941130db4379067816fb0af770ed86401726d1c4e05b7ce60834088c1ca13a9fdd00cd481394c6401ce37b4becf
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- sequel_vault (0.3)
4
+ sequel_vault (0.4)
5
5
  fernet (~> 2.1, >= 2.1)
6
6
  sequel (~> 4.21, >= 4.21.0)
7
7
 
data/LICENSE ADDED
@@ -0,0 +1,22 @@
1
+ Copyright (c) 2014-2015 Timothée Peignier <timothee.peignier@tryphon.org>
2
+
3
+ MIT License
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining
6
+ a copy of this software and associated documentation files (the
7
+ "Software"), to deal in the Software without restriction, including
8
+ without limitation the rights to use, copy, modify, merge, publish,
9
+ distribute, sublicense, and/or sell copies of the Software, and to
10
+ permit persons to whom the Software is furnished to do so, subject to
11
+ the following conditions:
12
+
13
+ The above copyright notice and this permission notice shall be
14
+ included in all copies or substantial portions of the Software.
15
+
16
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
17
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
18
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
19
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
20
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
21
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
22
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
data/README.md CHANGED
@@ -1,13 +1,108 @@
1
1
  # Sequel-vault
2
2
 
3
- Use [fernet](https://github.com/fernet/fernet-rb) to encrypt columns values in your Sequel database
3
+ Use [fernet](https://github.com/fernet/fernet-rb) to encrypt columns values in your Sequel database.
4
+
5
+ ## Installation
6
+
7
+ Install it directly using gem:
8
+
9
+ ```
10
+ gem install sequel_vault
11
+ ```
12
+
13
+ Or adding it to your ``Gemfile``:
14
+
15
+ ```
16
+ gem "sequel_vault"
17
+ ```
4
18
 
5
19
  ## Usage
6
20
 
21
+ ## Configure
22
+
23
+ A straightforward example, passing keys and columns that will be encrypted
24
+ transparently:
25
+
26
+ ```ruby
27
+ class Credential < Sequel::Model
28
+ plugin :vault, ['9cLL4qVO+bkEqGQtcvQX4Cz4uJ1ni9Nb83ipU/9klsw='], :token
29
+ end
30
+ ```
31
+
32
+ Along with a typical migration for this setup:
33
+
34
+ ```ruby
35
+ Sequel.migration do
36
+ change do
37
+ alter_table(:credentials) do
38
+ add_column(:token, :bytea)
39
+ add_column(:token_digest, :bytea)
40
+ add_column(:key_id, :smallint)
41
+ end
42
+ end
43
+ end
44
+ ```
45
+
46
+ ### Keys
47
+
48
+ Vault use [fernet](https://github.com/fernet/fernet-rb) behind the scene, the
49
+ keys should be 32 bytes of random data, base64-encoded.
50
+
51
+ To generate one you can use:
52
+
53
+ ```console
54
+ $ dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64
55
+ ```
56
+
57
+ You can specify more than one key to be used. The last keys of the array will
58
+ be used as the default for encryption.
59
+
60
+ ### Keys migration
61
+
62
+ If a ``key_id`` column is present, vault will set its value to the length of
63
+ the keys array. You can check if a key is still in use using:
64
+
65
+ ```ruby
66
+ Credential.where(key_id: 1).empty?
67
+ ```
68
+
69
+ You should avoid removing a key when using ``key_id``, unless you proceed to
70
+ migrate its value.
71
+
72
+ Here is a migration example to add a ``key_id`` column:
73
+
74
+ ```ruby
75
+ Sequel.migration do
76
+ change do
77
+ alter_table(:credentials) do
78
+ add_column(:key_id, :smallint)
79
+ end
80
+ end
81
+ end
82
+ ```
83
+
84
+ ### Digest lookup
85
+
86
+ To allow lookup by a know secret, vault allow an optional digest column for each
87
+ encrypted attribute, using the ``_digest`` suffix:
88
+
7
89
  ```ruby
8
- class AWSCreds < Sequel::Model
9
- # attrs :access_key_id, ::access_key_id_digest, :secret_access_key, :secret_access_key_digest :region, :name
10
- plugin :vault
11
- vault_attributes ['Fernet key','...'], :access_key_id, :secret_access_key
90
+ Sequel.migration do
91
+ change do
92
+ alter_table(:credentials) do
93
+ add_column(:token_digest, :bytea)
94
+ end
95
+ end
12
96
  end
13
97
  ```
98
+
99
+ You can then lookup using the provided dataset lookup:
100
+
101
+ ```ruby
102
+ Credential.token_lookup('secret')
103
+ ```
104
+
105
+ ### Unencrypted data
106
+
107
+ Vault will return plain-text data if none of the keys can successfully decrypt
108
+ the stored value, effectively allowing encrypt on write migration.
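--- a/data/lib/sequel_vault.rb
+++ b/data/lib/sequel_vault.rb
@@ -4,8 +4,6 @@ require "sequel"
 module Sequel
 module Plugins
 module Vault
-class InvalidCiphertext < Exception; end
-
 def self.apply(model, keys = [], *attrs)
 model.instance_eval do
 @vault_attrs = attrs
@@ -75,16 +73,16 @@ module Sequel
 next unless verifier.valid?
 return verifier.message
 end
-raise InvalidCiphertext, "Could not decrypt field"
+cypher # Return cypher has it's probably just plain text
 end
 end
 
 module InstanceMethods
 def []=(attr, plain)
 if model.vault_attrs.include?(attr) && !plain.nil?
-send("#{attr}_digest=", self.class.digest(model.vault_keys, plain))
+send("#{attr}_digest=", self.class.digest(model.vault_keys, plain)) if model.columns.include?(:"#{attr}_digest")
+send("key_id=", model.vault_keys.length) if model.columns.include?(:key_id)
 value = self.class.encrypt(model.vault_keys, plain)
-super(:key_id, model.vault_keys.length) if model.columns.include?(:key_id)
 end
 super(attr, value || plain)
 end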
data/sequel_vault.gemspec CHANGED
@@ -13,7 +13,7 @@ Gem::Specification.new do |gem|
13
13
  gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
14
14
  gem.name = "sequel_vault"
15
15
  gem.require_paths = ["lib"]
16
- gem.version = '0.4'
16
+ gem.version = '0.5'
17
17
 
18
18
  gem.add_runtime_dependency 'sequel', '~> 4.21', '>= 4.21.0'
19
19
  gem.add_runtime_dependency 'fernet', '~> 2.1', '>= 2.1'
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sequel_vault
3
3
  version: !ruby/object:Gem::Version
4
- version: '0.4'
4
+ version: '0.5'
5
5
  platform: ruby
6
6
  authors:
7
7
  - Timothée Peignier
@@ -116,6 +116,7 @@ files:
116
116
  - ".travis.yml"
117
117
  - Gemfile
118
118
  - Gemfile.lock
119
+ - LICENSE
119
120
  - README.md
120
121
  - lib/sequel_vault.rb
121
122
  - sequel_vault.gemspec