sidekiq-encryptor 0.0.1 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fbf6216993306970a0046e788f4b033a8565db1e
-  data.tar.gz: db90b1555b00991e53aca580cb923872b5c5e99c
+  metadata.gz: cc401443775158ce8894d1474e2e68d9f72e0e3d
+  data.tar.gz: ad006a7f9a3b5969b524ac67e13b8e5b3657290f
 SHA512:
-  metadata.gz: 5dc4b9b01365ad77d9c833bedc238c64c7a5a4a7e6e25d4ba0660f573f891f8082bedc1991b8da88ac1a92ae95f37211d7c8e94f3486c439ffb091ead339853c
-  data.tar.gz: f7dc81e8b26fcd47c5d244a6fca04f23ae0ae34155140acbdf1a3e12a0a050af09142ce5d3beaad5670757a9791bbae6bcdedc85421d283409a9aa1ce500adff
+  metadata.gz: 6d8c9e5439e8223dc1c03ab4b7565520cad982f2707f8971dff14de3c0e748efa0874571c611a2381f1c66c124697ec499c85b432467837a6ffdc24c2a46397f
+  data.tar.gz: 1516b7eb16752e7526f4298ba6250cd104033ad777e1cb9edf7b92e8c8fa9d897319a5c8163269c3a3dbb2a665cb020dd166310e59c11986e6666a016d64f81c

data/.pryrc

@@ -4,7 +4,7 @@
 
 require 'pathname'
 $LOAD_PATH.unshift(Pathname.getwd.join('lib').to_s)
-require 'sidekiq/throttler'
+require 'sidekiq/encryptor'
 
 def reload!
   Dir["#{Dir.pwd}/lib/**/*.rb"].each { |f| load f }

data/.travis.yml

@@ -8,9 +8,7 @@ branches:
   only:
     - master
 notifications:
-  email:
-    recipients:
-      - gabe@ga.be
+  email: false
 matrix:
   allow_failures:
     - rvm: jruby-19mode

data/CHANGELOG.md

@@ -0,0 +1,28 @@
+# sidekiq-encryptor changelog
+
+## 0.1.0
+
+Backwards incompatible changes:
+
+* Protocol version change from 0 to 1. Jobs encrypted by previous
+  versions cannot be decrypted by this version.
+
+Changes:
+
+* Switch to Fernet 2.0
+* Use a distinct protocol version number
+* Support binary, hexadecimal, and base64 keys. Note that many ASCII
+  keys will be detected as base64. Base64 assumes RFC 2045.
+* Enforce 256 bit key length
+* Recommend 32 byte keys in README
+* Allow an optional `adapter` to be passed in. The adapter must follow
+  the following standards:
+  * Define a `encrypt` and `decrypt` class methods that accept two
+    arguments: `String key, String data`. `key` will always have length
+    32, `data` will be of arbitrary length.
+  * `encrypt` must return a String.
+  * `decrypt` must return a String or nil if the decryption fails.
+
+## 0.0.1
+
+Initial release

data/README.md

@@ -48,9 +48,18 @@ Sidekiq.configure_client do |config|
 end
 ```
 
+You should also set `SIDEKIQ_ENCRYPTION_KEY` to something sufficiently
+random. The `openssl` tool is a good choice for this:
+
+```sh
+echo SIDEKIQ_ENCRYPTION_KEY=$(openssl rand -base64 32) >>.env
+heroku config:set SIDEKIQ_ENCRYPTION_KEY=$(openssl rand -base64 32)
+```
+
 ## Contributing
 
-Pull requests gladly accepted. Please write tests for any code changes.
+Pull requests gladly accepted. Please write tests for any code changes,
+though I'll admit my test coverage is completely awful right now.
 
 ## License
 

data/lib/sidekiq/encryptor/version.rb

@@ -3,11 +3,13 @@ module Sidekiq
 
     module Version
       MAJOR = 0
-      MINOR = 0
-      PATCH = 1
+      MINOR = 1
+      PATCH = 0
       SUFFIX = ""
     end
 
+    PROTOCOL_VERSION = 1
+
     VERSION = "#{Version::MAJOR}.#{Version::MINOR}.#{Version::PATCH}#{Version::SUFFIX}"
 
   end

data/lib/sidekiq/encryptor.rb

@@ -1,7 +1,11 @@
+# stdlib
+require 'base64'
+
+# gems
 require 'sidekiq'
-require 'active_support/message_encryptor'
-require 'active_support/message_verifier'
+require 'fernet'
 
+# local files
 require 'sidekiq/encryptor/version'
 
 module Sidekiq
@@ -11,35 +15,125 @@ module Sidekiq
     DecryptionError = Class.new(Error)
     VersionChangeError = Class.new(DecryptionError)
 
+    module FernetAdapter
+      def self.encrypt(key, data)
+        Fernet.generate(Base64.urlsafe_encode64(key), data)
+      end
+
+      def self.decrypt(key, data)
+        verifier = Fernet::Verifier.new(
+          token: data,
+          secret: Base64.urlsafe_encode64(key),
+          enforce_ttl: false)
+        verifier.valid? ? verifier.message : nil
+      rescue OpenSSL::Cipher::CipherError
+        nil
+      end
+    end
+
     class Base
       def initialize(options = {})
-        @key = options[:key]
-        @encryptor = ActiveSupport::MessageEncryptor.new(@key) if @key
+        @key = validate_key(compact_key(options[:key]))
+        @adapter = options[:adapter] || FernetAdapter
+      end
+
+      def inspect
+        "#<#{self.class.inspect}> @key=[masked] @adapter=#{@adapter.inspect}>"
+      end
+      alias to_s inspect
+
+      def enabled?
+        !@key.nil?
+      end
+
+    private
+
+      def compact_key(key)
+        flat_key = key.to_s.delete("\r\n")
+        case flat_key
+        # empty
+        when ""
+          nil
+        # hexadecimal
+        when /^[\da-f]+$/i
+          [flat_key].pack('H*')
+        # base64
+        when /^[A-Za-z\d\+\/=]+$/
+          key.unpack('m*').first
+        # assume binary otherwise
+        else
+          key
+        end
       end
+
+      def validate_key(key)
+        if key.nil?
+          $stderr.puts '[sidekiq-encryptor] ERROR: no key provided, encryption disabled'
+        elsif key.length < 32
+          $stderr.puts '[sidekiq-encryptor] ERROR: key length less than 256 bits, encryption disabled'
+        else
+          key[0,32]
+        end
+      end
+
     end
 
     class Client < Base
       def call(worker, msg, queue)
-        return yield unless @key
-        msg['args'] = ['Sidekiq::Encryptor', Sidekiq::Encryptor::Version::MAJOR, @encryptor.encrypt_and_sign(Sidekiq.dump_json(msg['args']))]
+        return yield unless enabled?
+        msg['args'] = payload(msg['args'])
         yield
       end
+
+    private
+
+      def payload(input)
+        [
+          'Sidekiq::Encryptor',
+          Sidekiq::Encryptor::PROTOCOL_VERSION,
+          encrypt(input)
+        ]
+      end
+
+      def encrypt(input)
+        @adapter.encrypt(@key, Sidekiq.dump_json(input))
+      end
+
     end
 
     class Server < Base
       def call(worker, msg, queue)
-        return yield unless @key
-        if msg['args'][0] == 'Sidekiq::Encryptor'
-          if msg['args'][1] != Sidekiq::Encryptor::Version::MAJOR
+        return yield unless enabled?
+        msg['args'] = validate_and_decrypt(msg['args'])
+        yield
+      end
+
+    private
+
+      def validate_and_decrypt(payload)
+        if encrypted?(payload)
+          if version_changed?(payload)
             raise VersionChangeError, 'incompatible change detected'
           else
-            msg['args'] = Sidekiq.load_json(@encryptor.decrypt_and_verify(msg['args'][2]))
+            data = decrypt(payload) or
+              raise DecryptionError, 'key not identical or data was corrupted'
+            Sidekiq.load_json(data)
           end
         end
-        yield
-      rescue ActiveSupport::MessageVerifier::InvalidSignature, ActiveSupport::MessageEncryptor::InvalidMessage
-        raise DecryptionError, 'key not identical or data was corrupted'
       end
+
+      def encrypted?(input)
+        input.is_a?(Array) && input.size == 3 && input.first == 'Sidekiq::Encryptor'
+      end
+
+      def version_changed?(input)
+        input[1] != Sidekiq::Encryptor::PROTOCOL_VERSION
+      end
+
+      def decrypt(input)
+        @adapter.decrypt(@key, input[2])
+      end
+
     end
 
   end # Encryptor

data/sidekiq-encryptor.gemspec

@@ -11,13 +11,14 @@ Gem::Specification.new do |gem|
   gem.description   = %q{Sidekiq middleware that encrypts your job data into and out of Redis.}
   gem.summary       = %q{Sidekiq::Encryptor is a middleware for Sidekiq that keeps your information safe by using 2-way encryption when storing and retrieving jobs from Redis.}
   gem.homepage      = 'https://github.com/wuputah/sidekiq-encryptor'
+  gem.license       = 'MIT'
 
   gem.files         = `git ls-files`.split($/)
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ['lib']
 
-  gem.add_dependency 'activesupport'
+  gem.add_dependency 'fernet', '>= 2.0rc1', '< 3.0'
   gem.add_dependency 'sidekiq', '>= 2.5', '< 3.0'
 
   gem.add_development_dependency 'rake'

data/spec/sidekiq/encryptor_spec.rb

@@ -1,31 +1,59 @@
 require 'spec_helper'
+require 'securerandom'
 
 [Sidekiq::Encryptor::Client, Sidekiq::Encryptor::Server].each do |klass|
 
   describe klass do
 
-    subject(:middleware) do
-      described_class.new
-    end
+    raw_key = SecureRandom.random_bytes(32)
 
-    let(:worker) do
-      RegularWorker.new
-    end
+    {
+      'base64' => [raw_key].pack('m*'),
+      'hex' => raw_key.unpack('H*').first,
+      'binary' => raw_key
+    }.each_pair do |key_type, key|
 
-    let(:message) do
-      {
-        args: 'Clint Eastwood'
-      }
-    end
+      describe "with #{key_type} key" do
 
-    let(:queue) do
-      'default'
-    end
+        subject(:middleware) do
+          described_class.new(key: key)
+        end
+
+        let(:worker) do
+          RegularWorker.new
+        end
+
+        let(:data) do
+          ['Clint Eastwood']
+        end
+
+        let(:args) do
+          {
+            Sidekiq::Encryptor::Client => data,
+            Sidekiq::Encryptor::Server => [
+              'Sidekiq::Encryptor',
+              1,
+              Fernet.generate(Base64.urlsafe_encode64(raw_key), JSON.dump(data))
+            ]
+          }
+        end
+
+        let(:message) do
+          { 'args' => args[klass] }
+        end
+
+        let(:queue) do
+          'default'
+        end
+
+        it { should be_enabled }
 
-    describe '#call' do
+        describe '#call' do
 
-      it 'yields' do
-        expect { |b| middleware.call(worker, message, queue, &b) }.to yield_with_no_args
+          it 'yields' do
+            expect { |b| middleware.call(worker, message, queue, &b) }.to yield_with_no_args
+          end
+        end
       end
     end
   end

data/spec/spec_helper.rb

@@ -19,7 +19,7 @@ require 'sidekiq/encryptor'
 # Autoload every worker for the test suite that sits in spec/app/workers
 Dir[File.join(WORKERS, '*.rb')].sort.each do |file|
   name = File.basename(file, '.rb')
-  autoload name.camelize.to_sym, name
+  require name
 end
 
 RSpec.configure do |config|

metadata

@@ -1,29 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: sidekiq-encryptor
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.1.0
 platform: ruby
 authors:
 - Jonathan Dance
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-08-20 00:00:00.000000000 Z
+date: 2013-08-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: activesupport
+  name: fernet
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.0rc1
+    - - <
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.0rc1
+    - - <
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: sidekiq
   requirement: !ruby/object:Gem::Requirement
@@ -265,6 +271,7 @@ files:
 - .pryrc
 - .travis.yml
 - .yardopts
+- CHANGELOG.md
 - Gemfile
 - Guardfile
 - LICENSE.txt
@@ -280,7 +287,8 @@ files:
 - spec/spec_helper.rb
 - spec/support/sidekiq.rb
 homepage: https://github.com/wuputah/sidekiq-encryptor
-licenses: []
+licenses:
+- MIT
 metadata: {}
 post_install_message: 
 rdoc_options: []