RubyGems - sidekiq-field-encryptor - Versions diffs - 0.1.1 → 0.2.0 - Mend

sidekiq-field-encryptor 0.1.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +5 -5
data/lib/sidekiq-field-encryptor/encryptor.rb +44 -4
data/lib/sidekiq-field-encryptor/version.rb +1 -1
data/spec/sidekiq-field-encryptor/encryptor_spec.rb +36 -0
metadata +3 -3

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: d7b580f10f55bd99cc1b08a0d41157746562b155
-  data.tar.gz: d93bb7059b52325809a24f161c98ec4b705f9323
+SHA256:
+  metadata.gz: c11c669792764e011bd552df7369298eaa77961b1e83c55047c172db8bce861e
+  data.tar.gz: 2d3604aa814fc4baa6b2597a16231348de41b5bb36efe3946ee7b3b6cfe2cf47
 SHA512:
-  metadata.gz: 73208766812240af540b2fac93f98f4d585ffb0065dda731dbd47be7b01ee4d4b8eab048925c2254c465ce46ecaf0a775ffb6a6e010c1b52d429f04119992f02
-  data.tar.gz: 04f77a80f08b85d429c804a38b2244a4f5f564cd6a4a5e7704fb9727796261d7280a0fc47f80a4d3f593d9a6940be13f9b397c6d4f930a38eb294440012aa048
+  metadata.gz: 6d7468111be23b540a4a3e1ed44771097902bef7a591a3c67ae0ad9a6a609402567f299f575eff127f3862f35d191c7c959d8cd44c618bc33a116031cff5d224
+  data.tar.gz: fb7827f9988d5ec43d124fcc9f08481cb4ebda5bfd5ddf80836c03cbef64e7954ef1db6a3efb485c2cd18f1856d5866324fd06d0f2b2010c7ca6a3e121a8f7ce

data/lib/sidekiq-field-encryptor/encryptor.rb CHANGED

@@ -1,5 +1,6 @@
 require 'base64'
 require 'encryptor'
+require 'json'
 require 'sidekiq-field-encryptor/version'
 # This middleware configures encryption of any fields that can contain sensitive
@@ -21,30 +22,69 @@ require 'sidekiq-field-encryptor/version'
 # Will encrypt the values {'x' => 1} and 'b' when storing the job in Redis and
 # decrypt the values inside the client before the job is executed.
 module SidekiqFieldEncryptor
+  SERIALIZE_JSON = 'json'.freeze
+  SERIALIZE_MARHSALL = 'marshal'.freeze
   class Base
     def initialize(options = {})
       @encryption_key = options[:encryption_key]
       @encrypted_fields = options[:encrypted_fields] || {}
       @encryption_algorithm = options[:encryption_algorithm] || 'aes-256-gcm'
+      @serialization_method = options[:serialization_method] || SERIALIZE_JSON
+      @serialization_compat = options[:serialization_compat]
     end
     def assert_key_configured
       raise 'Encryption key not configured' if @encryption_key.nil?
     end
+    def serialize(value)
+      case @serialization_method
+      when SERIALIZE_JSON
+        JSON.generate(value, quirks_mode: true)
+      when SERIALIZE_MARHSALL
+        Marshal.dump(value)
+      else
+        raise "Invalid serialization_method: #{@serialization_method}"
+      end
+    end
+    def deserialize(method, value)
+      if !@serialization_compat && method != @serialization_method
+        raise "Invalid serialization_method received: #{method}"
+      end
+      case method
+      when SERIALIZE_JSON
+        JSON.parse(value, quirks_mode: true)
+      when SERIALIZE_MARHSALL, nil
+        # No method used to be Marshall, so we respect this here
+        Marshal.load(value)
+      else
+        raise "Invalid serialization_method: #{@serialization_method}"
+      end
+    end
     def encrypt(value)
-      plaintext = Marshal.dump(value)
+      plaintext = serialize(value)
       iv = OpenSSL::Cipher::Cipher.new(@encryption_algorithm).random_iv
       args = { key: @encryption_key, iv: iv, algorithm: @encryption_algorithm }
       ciphertext = ::Encryptor.encrypt(plaintext, **args)
-      [::Base64.encode64(ciphertext), ::Base64.encode64(iv)]
+      [
+        ::Base64.encode64(ciphertext),
+        ::Base64.encode64(iv),
+        @serialization_method
+      ]
     end
     def decrypt(encrypted)
-      ciphertext, iv = encrypted.map { |value| ::Base64.decode64(value) }
+      base64_ciphertext, base64_iv, serialization_method = encrypted
+      ciphertext = ::Base64.decode64(base64_ciphertext)
+      iv = ::Base64.decode64(base64_iv)
       args = { key: @encryption_key, iv: iv, algorithm: @encryption_algorithm }
       plaintext = ::Encryptor.decrypt(ciphertext, **args)
-      Marshal.load(plaintext)
+      deserialize(serialization_method, plaintext)
     end
     def process_message(message)

data/lib/sidekiq-field-encryptor/version.rb CHANGED

@@ -1,3 +1,3 @@
 module SidekiqFieldEncryptor
-  VERSION = '0.1.1'.freeze
+  VERSION = '0.2.0'.freeze
 end

data/spec/sidekiq-field-encryptor/encryptor_spec.rb CHANGED

@@ -117,5 +117,41 @@ describe SidekiqFieldEncryptor::Server do
       ok.call('FooJob', message, nil) {}
     end
+    it 'fails if the serialization methods are different' do
+      r = SidekiqFieldEncryptor::Server.new(
+        encryption_key: key,
+        encrypted_fields: { 'FooJob' => { 1 => true } },
+        serialization_method: SidekiqFieldEncryptor::SERIALIZE_JSON
+      )
+      e = SidekiqFieldEncryptor::Client.new(
+        encryption_key: key,
+        encrypted_fields: { 'FooJob' => { 1 => true } },
+        serialization_method: SidekiqFieldEncryptor::SERIALIZE_MARHSALL
+      )
+      message['args'][1] = e.encrypt(message['args'][1])
+      expect { r.call('FooJob', message, nil) {} }
+        .to raise_error(/invalid serialization_method/i)
+    end
+    it 'allows compat serialization' do
+      r = SidekiqFieldEncryptor::Server.new(
+        encryption_key: key,
+        encrypted_fields: { 'FooJob' => { 1 => true } },
+        serialization_method: SidekiqFieldEncryptor::SERIALIZE_JSON,
+        serialization_compat: true
+      )
+      e = SidekiqFieldEncryptor::Client.new(
+        encryption_key: key,
+        encrypted_fields: { 'FooJob' => { 1 => true } },
+        serialization_method: SidekiqFieldEncryptor::SERIALIZE_MARHSALL
+      )
+      message['args'][1] = e.encrypt(message['args'][1])
+      r.call('FooJob', message, nil) {}
+    end
   end
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sidekiq-field-encryptor
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Blake Pettersson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-12-02 00:00:00.000000000 Z
+date: 2018-07-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: encryptor
@@ -120,7 +120,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.4.5.1
+rubygems_version: 2.7.6
 signing_key:
 specification_version: 4
 summary: Selectively encrypt fields sent into Sidekiq