sequel_vault 0.4 → 0.5
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/LICENSE +22 -0
- data/README.md +100 -5
- data/lib/sequel_vault.rb +3 -5
- data/sequel_vault.gemspec +1 -1
- metadata +2 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5786aa527d01d7c5bd4df1a1782a5522337c27e2
|
|
4
|
+
data.tar.gz: dab2b2ca481ca80a15e670635f7267c29e76f931
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 922ebf91834853e1188f8973d8c655ef2e5d86352626701cd2406b439d45888183ab32c86cce2e41a0e5a71ff0705be0f15764896f8a25ceab1795ff87c3b658
|
|
7
|
+
data.tar.gz: 862f5d2cbe3ca630807e3cb444d35bbd1157e941130db4379067816fb0af770ed86401726d1c4e05b7ce60834088c1ca13a9fdd00cd481394c6401ce37b4becf
|
data/Gemfile.lock
CHANGED
data/LICENSE
ADDED
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
Copyright (c) 2014-2015 Timothée Peignier <timothee.peignier@tryphon.org>
|
|
2
|
+
|
|
3
|
+
MIT License
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
|
6
|
+
a copy of this software and associated documentation files (the
|
|
7
|
+
"Software"), to deal in the Software without restriction, including
|
|
8
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
|
9
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
|
10
|
+
permit persons to whom the Software is furnished to do so, subject to
|
|
11
|
+
the following conditions:
|
|
12
|
+
|
|
13
|
+
The above copyright notice and this permission notice shall be
|
|
14
|
+
included in all copies or substantial portions of the Software.
|
|
15
|
+
|
|
16
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
17
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
18
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
19
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
20
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
21
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
22
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
CHANGED
|
@@ -1,13 +1,108 @@
|
|
|
1
1
|
# Sequel-vault
|
|
2
2
|
|
|
3
|
-
Use [fernet](https://github.com/fernet/fernet-rb) to encrypt columns values in your Sequel database
|
|
3
|
+
Use [fernet](https://github.com/fernet/fernet-rb) to encrypt columns values in your Sequel database.
|
|
4
|
+
|
|
5
|
+
## Installation
|
|
6
|
+
|
|
7
|
+
Install it directly using gem:
|
|
8
|
+
|
|
9
|
+
```
|
|
10
|
+
gem install sequel_vault
|
|
11
|
+
```
|
|
12
|
+
|
|
13
|
+
Or adding it to your ``Gemfile``:
|
|
14
|
+
|
|
15
|
+
```
|
|
16
|
+
gem "sequel_vault"
|
|
17
|
+
```
|
|
4
18
|
|
|
5
19
|
## Usage
|
|
6
20
|
|
|
21
|
+
## Configure
|
|
22
|
+
|
|
23
|
+
A straightforward example, passing keys and columns that will be encrypted
|
|
24
|
+
transparently:
|
|
25
|
+
|
|
26
|
+
```ruby
|
|
27
|
+
class Credential < Sequel::Model
|
|
28
|
+
plugin :vault, ['9cLL4qVO+bkEqGQtcvQX4Cz4uJ1ni9Nb83ipU/9klsw='], :token
|
|
29
|
+
end
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
Along with a typical migration for this setup:
|
|
33
|
+
|
|
34
|
+
```ruby
|
|
35
|
+
Sequel.migration do
|
|
36
|
+
change do
|
|
37
|
+
alter_table(:credentials) do
|
|
38
|
+
add_column(:token, :bytea)
|
|
39
|
+
add_column(:token_digest, :bytea)
|
|
40
|
+
add_column(:key_id, :smallint)
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
end
|
|
44
|
+
```
|
|
45
|
+
|
|
46
|
+
### Keys
|
|
47
|
+
|
|
48
|
+
Vault use [fernet](https://github.com/fernet/fernet-rb) behind the scene, the
|
|
49
|
+
keys should be 32 bytes of random data, base64-encoded.
|
|
50
|
+
|
|
51
|
+
To generate one you can use:
|
|
52
|
+
|
|
53
|
+
```console
|
|
54
|
+
$ dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
You can specify more than one key to be used. The last keys of the array will
|
|
58
|
+
be used as the default for encryption.
|
|
59
|
+
|
|
60
|
+
### Keys migration
|
|
61
|
+
|
|
62
|
+
If a ``key_id`` column is present, vault will set its value to the length of
|
|
63
|
+
the keys array. You can check if a key is still in use using:
|
|
64
|
+
|
|
65
|
+
```ruby
|
|
66
|
+
Credential.where(key_id: 1).empty?
|
|
67
|
+
```
|
|
68
|
+
|
|
69
|
+
You should avoid removing a key when using ``key_id``, unless you proceed to
|
|
70
|
+
migrate its value.
|
|
71
|
+
|
|
72
|
+
Here is a migration example to add a ``key_id`` column:
|
|
73
|
+
|
|
74
|
+
```ruby
|
|
75
|
+
Sequel.migration do
|
|
76
|
+
change do
|
|
77
|
+
alter_table(:credentials) do
|
|
78
|
+
add_column(:key_id, :smallint)
|
|
79
|
+
end
|
|
80
|
+
end
|
|
81
|
+
end
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
### Digest lookup
|
|
85
|
+
|
|
86
|
+
To allow lookup by a know secret, vault allow an optional digest column for each
|
|
87
|
+
encrypted attribute, using the ``_digest`` suffix:
|
|
88
|
+
|
|
7
89
|
```ruby
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
90
|
+
Sequel.migration do
|
|
91
|
+
change do
|
|
92
|
+
alter_table(:credentials) do
|
|
93
|
+
add_column(:token_digest, :bytea)
|
|
94
|
+
end
|
|
95
|
+
end
|
|
12
96
|
end
|
|
13
97
|
```
|
|
98
|
+
|
|
99
|
+
You can then lookup using the provided dataset lookup:
|
|
100
|
+
|
|
101
|
+
```ruby
|
|
102
|
+
Credential.token_lookup('secret')
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
### Unencrypted data
|
|
106
|
+
|
|
107
|
+
Vault will return plain-text data if none of the keys can successfully decrypt
|
|
108
|
+
the stored value, effectively allowing encrypt on write migration.
|
data/lib/sequel_vault.rb
CHANGED
|
@@ -4,8 +4,6 @@ require "sequel"
|
|
|
4
4
|
module Sequel
|
|
5
5
|
module Plugins
|
|
6
6
|
module Vault
|
|
7
|
-
class InvalidCiphertext < Exception; end
|
|
8
|
-
|
|
9
7
|
def self.apply(model, keys = [], *attrs)
|
|
10
8
|
model.instance_eval do
|
|
11
9
|
@vault_attrs = attrs
|
|
@@ -75,16 +73,16 @@ module Sequel
|
|
|
75
73
|
next unless verifier.valid?
|
|
76
74
|
return verifier.message
|
|
77
75
|
end
|
|
78
|
-
|
|
76
|
+
cypher # Return cypher has it's probably just plain text
|
|
79
77
|
end
|
|
80
78
|
end
|
|
81
79
|
|
|
82
80
|
module InstanceMethods
|
|
83
81
|
def []=(attr, plain)
|
|
84
82
|
if model.vault_attrs.include?(attr) && !plain.nil?
|
|
85
|
-
send("#{attr}_digest=", self.class.digest(model.vault_keys, plain))
|
|
83
|
+
send("#{attr}_digest=", self.class.digest(model.vault_keys, plain)) if model.columns.include?(:"#{attr}_digest")
|
|
84
|
+
send("key_id=", model.vault_keys.length) if model.columns.include?(:key_id)
|
|
86
85
|
value = self.class.encrypt(model.vault_keys, plain)
|
|
87
|
-
super(:key_id, model.vault_keys.length) if model.columns.include?(:key_id)
|
|
88
86
|
end
|
|
89
87
|
super(attr, value || plain)
|
|
90
88
|
end
|
data/sequel_vault.gemspec
CHANGED
|
@@ -13,7 +13,7 @@ Gem::Specification.new do |gem|
|
|
|
13
13
|
gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
|
|
14
14
|
gem.name = "sequel_vault"
|
|
15
15
|
gem.require_paths = ["lib"]
|
|
16
|
-
gem.version = '0.
|
|
16
|
+
gem.version = '0.5'
|
|
17
17
|
|
|
18
18
|
gem.add_runtime_dependency 'sequel', '~> 4.21', '>= 4.21.0'
|
|
19
19
|
gem.add_runtime_dependency 'fernet', '~> 2.1', '>= 2.1'
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: sequel_vault
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: '0.
|
|
4
|
+
version: '0.5'
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Timothée Peignier
|
|
@@ -116,6 +116,7 @@ files:
|
|
|
116
116
|
- ".travis.yml"
|
|
117
117
|
- Gemfile
|
|
118
118
|
- Gemfile.lock
|
|
119
|
+
- LICENSE
|
|
119
120
|
- README.md
|
|
120
121
|
- lib/sequel_vault.rb
|
|
121
122
|
- sequel_vault.gemspec
|