sequel_vault 0.4 → 0.5

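--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 3049adb333bd60b77bf10308bd4b762c0fe5e074
-data.tar.gz: 942936b542ea08b4c968d85a000515da9cd1c4f0
+metadata.gz: 5786aa527d01d7c5bd4df1a1782a5522337c27e2
+data.tar.gz: dab2b2ca481ca80a15e670635f7267c29e76f931
 SHA512:
-metadata.gz: ffeab0fb22d2bdb46899ff54599574251b41a55080a8311e08571d7255dd671bed61193f34ce5fd94fceaccf2b962d6a8e597fa168fd6b287dca70338e88178b
-data.tar.gz: 1ee118a4925797d427da37de478e95e486ba1521f7b4ad06366127d4ecfe4c89e51222f16bccd70f97aaf1f7e3bd94b4bdba1c97e884c21b61b6387891dadfa5
+metadata.gz: 922ebf91834853e1188f8973d8c655ef2e5d86352626701cd2406b439d45888183ab32c86cce2e41a0e5a71ff0705be0f15764896f8a25ceab1795ff87c3b658
+data.tar.gz: 862f5d2cbe3ca630807e3cb444d35bbd1157e941130db4379067816fb0af770ed86401726d1c4e05b7ce60834088c1ca13a9fdd00cd481394c6401ce37b4becf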
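--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
-sequel_vault (0.3)
+sequel_vault (0.4)
 fernet (~> 2.1, >= 2.1)
 sequel (~> 4.21, >= 4.21.0)
 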
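--- a/data/LICENSE
+++ b/data/LICENSE
@@ -0,0 +1,22 @@
+Copyright (c) 2014-2015 Timothée Peignier <timothee.peignier@tryphon.org>
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.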
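--- a/data/README.md
+++ b/data/README.md
@@ -1,13 +1,108 @@
 # Sequel-vault
 
-Use [fernet](https://github.com/fernet/fernet-rb) to encrypt columns values in your Sequel database
+Use [fernet](https://github.com/fernet/fernet-rb) to encrypt columns values in your Sequel database.
+
+## Installation
+
+Install it directly using gem:
+
+```
+gem install sequel_vault
+```
+
+Or adding it to your ``Gemfile``:
+
+```
+gem "sequel_vault"
+```
 
 ## Usage
 
+## Configure
+
+A straightforward example, passing keys and columns that will be encrypted
+transparently:
+
+```ruby
+class Credential < Sequel::Model
+plugin :vault, ['9cLL4qVO+bkEqGQtcvQX4Cz4uJ1ni9Nb83ipU/9klsw='], :token
+end
+```
+
+Along with a typical migration for this setup:
+
+```ruby
+Sequel.migration do
+change do
+alter_table(:credentials) do
+add_column(:token, :bytea)
+add_column(:token_digest, :bytea)
+add_column(:key_id, :smallint)
+end
+end
+end
+```
+
+### Keys
+
+Vault use [fernet](https://github.com/fernet/fernet-rb) behind the scene, the
+keys should be 32 bytes of random data, base64-encoded.
+
+To generate one you can use:
+
+```console
+$ dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64
+```
+
+You can specify more than one key to be used. The last keys of the array will
+be used as the default for encryption.
+
+### Keys migration
+
+If a ``key_id`` column is present, vault will set its value to the length of
+the keys array. You can check if a key is still in use using:
+
+```ruby
+Credential.where(key_id: 1).empty?
+```
+
+You should avoid removing a key when using ``key_id``, unless you proceed to
+migrate its value.
+
+Here is a migration example to add a ``key_id`` column:
+
+```ruby
+Sequel.migration do
+change do
+alter_table(:credentials) do
+add_column(:key_id, :smallint)
+end
+end
+end
+```
+
+### Digest lookup
+
+To allow lookup by a know secret, vault allow an optional digest column for each
+encrypted attribute, using the ``_digest`` suffix:
+
 ```ruby
-class AWSCreds < Sequel::Model
-# attrs :access_key_id, ::access_key_id_digest, :secret_access_key, :secret_access_key_digest :region, :name
-plugin :vault
-vault_attributes ['Fernet key','...'], :access_key_id, :secret_access_key
+Sequel.migration do
+change do
+alter_table(:credentials) do
+add_column(:token_digest, :bytea)
+end
+end
 end
 ```
+
+You can then lookup using the provided dataset lookup:
+
+```ruby
+Credential.token_lookup('secret')
+```
+
+### Unencrypted data
+
+Vault will return plain-text data if none of the keys can successfully decrypt
+the stored value, effectively allowing encrypt on write migration.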
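--- a/data/lib/sequel_vault.rb
+++ b/data/lib/sequel_vault.rb
@@ -4,8 +4,6 @@ require "sequel"
 module Sequel
 module Plugins
 module Vault
-class InvalidCiphertext < Exception; end
-
 def self.apply(model, keys = [], *attrs)
 model.instance_eval do
 @vault_attrs = attrs
@@ -75,16 +73,16 @@ module Sequel
 next unless verifier.valid?
 return verifier.message
 end
-raise InvalidCiphertext, "Could not decrypt field"
+cypher # Return cypher has it's probably just plain text
 end
 end
 
 module InstanceMethods
 def []=(attr, plain)
 if model.vault_attrs.include?(attr) && !plain.nil?
-send("#{attr}_digest=", self.class.digest(model.vault_keys, plain))
+send("#{attr}_digest=", self.class.digest(model.vault_keys, plain)) if model.columns.include?(:"#{attr}_digest")
+send("key_id=", model.vault_keys.length) if model.columns.include?(:key_id)
 value = self.class.encrypt(model.vault_keys, plain)
-super(:key_id, model.vault_keys.length) if model.columns.include?(:key_id)
 end
 super(attr, value || plain)
 end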
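Review bot: The new `cypher` return after the key loop makes decryption fail open: any stored value that no configured key verifies — a tampered or truncated token, a value written under a key since dropped from the array, or data belonging to a different key set — is now handed back verbatim as the attribute's plaintext, so the `verifier.valid?` rejection never surfaces to the caller and corruption or tampering is indistinguishable from a legitimately unencrypted row. Since the README presents this fallback as a migration aid, it would be safer to keep the raise as the default and make the passthrough an explicit opt-in, or at least return the raw value only when it does not look like a Fernet token at all and still raise when a token is present but fails verification, e.g. `raise InvalidCiphertext, "Could not decrypt field" unless allow_plaintext` (the enclosing decrypt method starts outside the hunk, so where such a flag would be read from is not visible here). Removing the `InvalidCiphertext` constant in the first hunk is also a breaking change for callers that rescue it; if it is reinstated it should inherit from `StandardError` rather than `Exception`. The trailing comment reads `has it's probably just plain text`; `as it's` is presumably intended.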
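--- a/data/sequel_vault.gemspec
+++ b/data/sequel_vault.gemspec
@@ -13,7 +13,7 @@ Gem::Specification.new do |gem|
 gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
 gem.name = "sequel_vault"
 gem.require_paths = ["lib"]
-gem.version = '0.4'
+gem.version = '0.5'
 
 gem.add_runtime_dependency 'sequel', '~> 4.21', '>= 4.21.0'
 gem.add_runtime_dependency 'fernet', '~> 2.1', '>= 2.1'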
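--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sequel_vault
 version: !ruby/object:Gem::Version
-version: '0.4'
+version: '0.5'
 platform: ruby
 authors:
 - Timothée Peignier
@@ -116,6 +116,7 @@ files:
 - ".travis.yml"
 - Gemfile
 - Gemfile.lock
+- LICENSE
 - README.md
 - lib/sequel_vault.rb
 - sequel_vault.gemspec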