sidekiq-field-encryptor 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.gitignore +18 -0
- data/.rspec +2 -0
- data/.travis.yml +4 -0
- data/Gemfile +4 -0
- data/LICENSE.md +22 -0
- data/README.md +32 -0
- data/Rakefile +4 -0
- data/lib/sidekiq-field-encryptor.rb +2 -0
- data/lib/sidekiq-field-encryptor/encryptor.rb +64 -0
- data/lib/sidekiq-field-encryptor/version.rb +3 -0
- data/sidekiq-field-encryptor.gemspec +28 -0
- data/spec/sidekiq-field-encryptor/encryptor_spec.rb +75 -0
- data/spec/spec_helper.rb +10 -0
- metadata +129 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 204c8e1c027462e1fd8b44117a1e2a7953f3f793
|
4
|
+
data.tar.gz: 5d0f753a7031408d647d9508def52146c4d8609a
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 86b140ff56fc6cb4d3baf1901fb42b8f34a2bc2f0955280b497b3956c83d6505ae00df0da5057aa8d75ff7dc32952cb8b09baa24317320e03744252d80f2762f
|
7
|
+
data.tar.gz: 9904d3395415ad5c0697e86c238273a17d85dda7717f7de28e53878edf59038960b7dfba9b9c7b954b3c6dffac054f7406c0887f39bcec344927bb79da3ce563
|
data/.gitignore
ADDED
data/.rspec
ADDED
data/.travis.yml
ADDED
data/Gemfile
ADDED
data/LICENSE.md
ADDED
@@ -0,0 +1,22 @@
|
|
1
|
+
Copyright (c) 2015 Aptible, Inc.
|
2
|
+
|
3
|
+
MIT License
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
6
|
+
a copy of this software and associated documentation files (the
|
7
|
+
"Software"), to deal in the Software without restriction, including
|
8
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
9
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
10
|
+
permit persons to whom the Software is furnished to do so, subject to
|
11
|
+
the following conditions:
|
12
|
+
|
13
|
+
The above copyright notice and this permission notice shall be
|
14
|
+
included in all copies or substantial portions of the Software.
|
15
|
+
|
16
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
17
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
18
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
19
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
20
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
21
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
22
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
ADDED
@@ -0,0 +1,32 @@
|
|
1
|
+
#  Sidekiq::Field::Encryptor
|
2
|
+
|
3
|
+
[](https://rubygems.org/gems/sidekiq-field-encryptor)
|
4
|
+
[](https://travis-ci.org/aptible/sidekiq-field-encryptor)
|
5
|
+
[](https://gemnasium.com/aptible/sidekiq-field-encryptor)
|
6
|
+
|
7
|
+
TODO: Add description.
|
8
|
+
|
9
|
+
## Installation
|
10
|
+
|
11
|
+
Add the following line to your application's Gemfile.
|
12
|
+
|
13
|
+
gem 'sidekiq-field-encryptor'
|
14
|
+
|
15
|
+
And then run `bundle install`.
|
16
|
+
|
17
|
+
## Usage
|
18
|
+
|
19
|
+
TODO: Add usage notes.
|
20
|
+
|
21
|
+
## Contributing
|
22
|
+
|
23
|
+
1. Fork the project.
|
24
|
+
1. Commit your changes, with specs.
|
25
|
+
1. Ensure that your code passes specs (`rake spec`) and meets Aptible's Ruby style guide (`rake rubocop`).
|
26
|
+
1. Create a new pull request on GitHub.
|
27
|
+
|
28
|
+
## Copyright and License
|
29
|
+
|
30
|
+
MIT License, see [LICENSE](LICENSE.md) for details.
|
31
|
+
|
32
|
+
Copyright (c) 2015 [Aptible](https://www.aptible.com), Blake Pettersson, and contributors.
|
data/Rakefile
ADDED
@@ -0,0 +1,64 @@
|
|
1
|
+
require 'base64'
|
2
|
+
require 'encryptor'
|
3
|
+
require 'sidekiq-field-encryptor/version'
|
4
|
+
|
5
|
+
module SidekiqFieldEncryptor
|
6
|
+
class Base
|
7
|
+
def initialize(options = {})
|
8
|
+
@encryption_key = options[:encryption_key]
|
9
|
+
@encrypted_fields = options[:encrypted_fields] || {}
|
10
|
+
end
|
11
|
+
|
12
|
+
def assert_key_configured
|
13
|
+
fail 'Encryption key not configured' if @encryption_key.nil?
|
14
|
+
end
|
15
|
+
|
16
|
+
def encrypt(value)
|
17
|
+
plaintext = Marshal.dump(value)
|
18
|
+
iv = OpenSSL::Cipher::Cipher.new('aes-256-cbc').random_iv
|
19
|
+
args = { key: @encryption_key, iv: iv }
|
20
|
+
ciphertext = ::Encryptor.encrypt(plaintext, **args)
|
21
|
+
[::Base64.encode64(ciphertext), ::Base64.encode64(iv)]
|
22
|
+
end
|
23
|
+
|
24
|
+
def decrypt(encrypted)
|
25
|
+
ciphertext, iv = encrypted.map { |value| ::Base64.decode64(value) }
|
26
|
+
args = { key: @encryption_key, iv: iv }
|
27
|
+
plaintext = ::Encryptor.decrypt(ciphertext, **args)
|
28
|
+
Marshal.load(plaintext)
|
29
|
+
end
|
30
|
+
|
31
|
+
def process_message(message)
|
32
|
+
fields = @encrypted_fields[message['class']]
|
33
|
+
return unless fields
|
34
|
+
assert_key_configured
|
35
|
+
message['args'].size.times.each do |arg_index|
|
36
|
+
to_encrypt = fields[arg_index]
|
37
|
+
next unless to_encrypt
|
38
|
+
raw_value = message['args'][arg_index]
|
39
|
+
if to_encrypt == true
|
40
|
+
message['args'][arg_index] = yield(raw_value)
|
41
|
+
elsif to_encrypt.is_a?(Array) && raw_value.is_a?(Hash)
|
42
|
+
message['args'][arg_index] = Hash[raw_value.map do |key, value|
|
43
|
+
value = yield(value) if to_encrypt.member?(key.to_s)
|
44
|
+
[key, value]
|
45
|
+
end]
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
49
|
+
end
|
50
|
+
|
51
|
+
class Client < Base
|
52
|
+
def call(_, message, _, _)
|
53
|
+
process_message(message) { |value| encrypt(value) }
|
54
|
+
yield
|
55
|
+
end
|
56
|
+
end
|
57
|
+
|
58
|
+
class Server < Base
|
59
|
+
def call(_, message, _)
|
60
|
+
process_message(message) { |value| decrypt(value) }
|
61
|
+
yield
|
62
|
+
end
|
63
|
+
end
|
64
|
+
end
|
@@ -0,0 +1,28 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
lib = File.expand_path('../lib', __FILE__)
|
3
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
4
|
+
|
5
|
+
require 'English'
|
6
|
+
require 'sidekiq-field-encryptor/version'
|
7
|
+
|
8
|
+
Gem::Specification.new do |spec|
|
9
|
+
spec.name = 'sidekiq-field-encryptor'
|
10
|
+
spec.version = SidekiqFieldEncryptor::VERSION
|
11
|
+
spec.authors = ['Blake Pettersson']
|
12
|
+
spec.email = ['blake@aptible.com']
|
13
|
+
spec.description = 'Selectively encrypt fields in Sidekiq'
|
14
|
+
spec.summary = 'Selectively encrypt fields sent into Sidekiq'
|
15
|
+
spec.homepage = 'https://github.com/aptible/sidekiq-field-encryptor'
|
16
|
+
spec.license = 'MIT'
|
17
|
+
|
18
|
+
spec.files = `git ls-files`.split($RS)
|
19
|
+
spec.test_files = spec.files.grep(%r{^spec/})
|
20
|
+
spec.require_paths = ['lib']
|
21
|
+
|
22
|
+
spec.add_dependency 'encryptor'
|
23
|
+
|
24
|
+
spec.add_development_dependency 'bundler'
|
25
|
+
spec.add_development_dependency 'aptible-tasks'
|
26
|
+
spec.add_development_dependency 'rake'
|
27
|
+
spec.add_development_dependency 'rspec'
|
28
|
+
end
|
@@ -0,0 +1,75 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe SidekiqFieldEncryptor::Client do
|
4
|
+
let(:key) { OpenSSL::Cipher::Cipher.new('aes-256-cbc').random_key }
|
5
|
+
let(:message) do
|
6
|
+
{ 'class' => 'FooJob', 'args' => [1, 2, { 'a' => 'A', 'b' => 'B' }] }
|
7
|
+
end
|
8
|
+
|
9
|
+
describe 'with no encryption key' do
|
10
|
+
it "doesn't fail when encryption isn't attempted" do
|
11
|
+
subject.call('FooJob', message, nil, nil) {}
|
12
|
+
end
|
13
|
+
it 'fails when encryption is attempted' do
|
14
|
+
client = SidekiqFieldEncryptor::Client.new(
|
15
|
+
encrypted_fields: { 'FooJob' => { 1 => true } })
|
16
|
+
expect { client.call('FooJob', message, nil, nil) {} }
|
17
|
+
.to raise_error('Encryption key not configured')
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
describe 'with an encryption key' do
|
22
|
+
subject do
|
23
|
+
SidekiqFieldEncryptor::Client.new(
|
24
|
+
encryption_key: key,
|
25
|
+
encrypted_fields: {
|
26
|
+
'FooJob' => { 1 => true, 2 => %w(b d) }
|
27
|
+
})
|
28
|
+
end
|
29
|
+
|
30
|
+
it 'encrypts only fields specified by the encryption config' do
|
31
|
+
subject.call('FooJob', message, nil, nil) {}
|
32
|
+
expect(message['args'][0]).to eq(1)
|
33
|
+
expect(subject.decrypt(message['args'][1])).to eq(2)
|
34
|
+
expect(message['args'][2]['a']).to eq('A')
|
35
|
+
expect(subject.decrypt(message['args'][2]['b'])).to eq('B')
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
39
|
+
|
40
|
+
describe SidekiqFieldEncryptor::Server do
|
41
|
+
let(:key) { OpenSSL::Cipher::Cipher.new('aes-256-cbc').random_key }
|
42
|
+
let(:message) do
|
43
|
+
{ 'class' => 'FooJob', 'args' => [1, 2, { 'a' => 'A', 'b' => 'B' }] }
|
44
|
+
end
|
45
|
+
|
46
|
+
describe 'with no encryption key' do
|
47
|
+
it "doesn't fail when decryption isn't attempted" do
|
48
|
+
subject.call('FooJob', message, nil) {}
|
49
|
+
end
|
50
|
+
it 'fails when decryption is attempted' do
|
51
|
+
server = SidekiqFieldEncryptor::Server.new(
|
52
|
+
encrypted_fields: { 'FooJob' => { 1 => true } })
|
53
|
+
expect { server.call('FooJob', message, nil) {} }
|
54
|
+
.to raise_error('Encryption key not configured')
|
55
|
+
end
|
56
|
+
end
|
57
|
+
|
58
|
+
describe 'with an encryption key' do
|
59
|
+
subject do
|
60
|
+
SidekiqFieldEncryptor::Server.new(
|
61
|
+
encryption_key: key,
|
62
|
+
encrypted_fields: {
|
63
|
+
'FooJob' => { 1 => true, 2 => %w(b d) }
|
64
|
+
})
|
65
|
+
end
|
66
|
+
|
67
|
+
it 'decrypts all fields specified by the encryption config' do
|
68
|
+
original_message = message.dup
|
69
|
+
message['args'][1] = subject.encrypt(message['args'][1])
|
70
|
+
message['args'][2]['b'] = subject.encrypt(message['args'][2]['b'])
|
71
|
+
subject.call('FooJob', message, nil) {}
|
72
|
+
expect(message).to eq(original_message)
|
73
|
+
end
|
74
|
+
end
|
75
|
+
end
|
data/spec/spec_helper.rb
ADDED
@@ -0,0 +1,10 @@
|
|
1
|
+
$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
|
2
|
+
$LOAD_PATH.unshift(File.dirname(__FILE__))
|
3
|
+
|
4
|
+
# Load shared spec files
|
5
|
+
Dir["#{File.dirname(__FILE__)}/shared/**/*.rb"].each do |file|
|
6
|
+
require file
|
7
|
+
end
|
8
|
+
|
9
|
+
# Require library up front
|
10
|
+
require 'sidekiq-field-encryptor/encryptor'
|
metadata
ADDED
@@ -0,0 +1,129 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: sidekiq-field-encryptor
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.1.0
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- Blake Pettersson
|
8
|
+
autorequire:
|
9
|
+
bindir: bin
|
10
|
+
cert_chain: []
|
11
|
+
date: 2015-09-01 00:00:00.000000000 Z
|
12
|
+
dependencies:
|
13
|
+
- !ruby/object:Gem::Dependency
|
14
|
+
name: encryptor
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
16
|
+
requirements:
|
17
|
+
- - '>='
|
18
|
+
- !ruby/object:Gem::Version
|
19
|
+
version: '0'
|
20
|
+
type: :runtime
|
21
|
+
prerelease: false
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
23
|
+
requirements:
|
24
|
+
- - '>='
|
25
|
+
- !ruby/object:Gem::Version
|
26
|
+
version: '0'
|
27
|
+
- !ruby/object:Gem::Dependency
|
28
|
+
name: bundler
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
30
|
+
requirements:
|
31
|
+
- - '>='
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: '0'
|
34
|
+
type: :development
|
35
|
+
prerelease: false
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
37
|
+
requirements:
|
38
|
+
- - '>='
|
39
|
+
- !ruby/object:Gem::Version
|
40
|
+
version: '0'
|
41
|
+
- !ruby/object:Gem::Dependency
|
42
|
+
name: aptible-tasks
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
44
|
+
requirements:
|
45
|
+
- - '>='
|
46
|
+
- !ruby/object:Gem::Version
|
47
|
+
version: '0'
|
48
|
+
type: :development
|
49
|
+
prerelease: false
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
51
|
+
requirements:
|
52
|
+
- - '>='
|
53
|
+
- !ruby/object:Gem::Version
|
54
|
+
version: '0'
|
55
|
+
- !ruby/object:Gem::Dependency
|
56
|
+
name: rake
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
58
|
+
requirements:
|
59
|
+
- - '>='
|
60
|
+
- !ruby/object:Gem::Version
|
61
|
+
version: '0'
|
62
|
+
type: :development
|
63
|
+
prerelease: false
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
65
|
+
requirements:
|
66
|
+
- - '>='
|
67
|
+
- !ruby/object:Gem::Version
|
68
|
+
version: '0'
|
69
|
+
- !ruby/object:Gem::Dependency
|
70
|
+
name: rspec
|
71
|
+
requirement: !ruby/object:Gem::Requirement
|
72
|
+
requirements:
|
73
|
+
- - '>='
|
74
|
+
- !ruby/object:Gem::Version
|
75
|
+
version: '0'
|
76
|
+
type: :development
|
77
|
+
prerelease: false
|
78
|
+
version_requirements: !ruby/object:Gem::Requirement
|
79
|
+
requirements:
|
80
|
+
- - '>='
|
81
|
+
- !ruby/object:Gem::Version
|
82
|
+
version: '0'
|
83
|
+
description: Selectively encrypt fields in Sidekiq
|
84
|
+
email:
|
85
|
+
- blake@aptible.com
|
86
|
+
executables: []
|
87
|
+
extensions: []
|
88
|
+
extra_rdoc_files: []
|
89
|
+
files:
|
90
|
+
- .gitignore
|
91
|
+
- .rspec
|
92
|
+
- .travis.yml
|
93
|
+
- Gemfile
|
94
|
+
- LICENSE.md
|
95
|
+
- README.md
|
96
|
+
- Rakefile
|
97
|
+
- lib/sidekiq-field-encryptor.rb
|
98
|
+
- lib/sidekiq-field-encryptor/encryptor.rb
|
99
|
+
- lib/sidekiq-field-encryptor/version.rb
|
100
|
+
- sidekiq-field-encryptor.gemspec
|
101
|
+
- spec/sidekiq-field-encryptor/encryptor_spec.rb
|
102
|
+
- spec/spec_helper.rb
|
103
|
+
homepage: https://github.com/aptible/sidekiq-field-encryptor
|
104
|
+
licenses:
|
105
|
+
- MIT
|
106
|
+
metadata: {}
|
107
|
+
post_install_message:
|
108
|
+
rdoc_options: []
|
109
|
+
require_paths:
|
110
|
+
- lib
|
111
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
112
|
+
requirements:
|
113
|
+
- - '>='
|
114
|
+
- !ruby/object:Gem::Version
|
115
|
+
version: '0'
|
116
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
117
|
+
requirements:
|
118
|
+
- - '>='
|
119
|
+
- !ruby/object:Gem::Version
|
120
|
+
version: '0'
|
121
|
+
requirements: []
|
122
|
+
rubyforge_project:
|
123
|
+
rubygems_version: 2.4.5
|
124
|
+
signing_key:
|
125
|
+
specification_version: 4
|
126
|
+
summary: Selectively encrypt fields sent into Sidekiq
|
127
|
+
test_files:
|
128
|
+
- spec/sidekiq-field-encryptor/encryptor_spec.rb
|
129
|
+
- spec/spec_helper.rb
|