slosilo-migration 1.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 64909ad58a9ef1d6154c78e9a7d8d94cca09a483
+  data.tar.gz: 8a015d51699e3233bc34962f42ed8105afcc0cee
+SHA512:
+  metadata.gz: c39d164804f28689a233d8deec6cd1b15d50408d0148590b0e527a2dddaf666a9af0f48363bdc938609366bab83a4ce17fd42cb0912b3086fc5efc6ff7ba0cf9
+  data.tar.gz: 758450fff2bb16ca35fe30bac0d3ed56de6c6fcd4ba823b18c91afad627b93e5768c0b522846923530c715e88b27e2d28d2049e427d37bc27cac5409580cc750

data/.gitignore

@@ -0,0 +1,23 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log
+.idea

data/.project

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>slosilo-migration</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>com.aptana.ide.core.unifiedBuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>com.aptana.ruby.core.rubynature</nature>
+		<nature>com.aptana.projects.webnature</nature>
+	</natures>
+</projectDescription>

data/.rspec

@@ -0,0 +1,3 @@
+--format progress
+--format RspecJunitFormatter
+--out spec-results.xml

data/Gemfile

@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+
+#ruby=ruby-2.1.5
+#ruby-gemset=slosilo-migration
+
+# Specify your gem's dependencies in slosilo-migration.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Kevin Gilpin
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,30 @@
+# Slosilo::Migration
+
+Provides legacy `aes-256-cbc` encryption for purposes of migrating from
+[Slosilo](https://github.com/conjurinc/slosilo) 1.x to 2.x.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'slosilo-migration'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install slosilo-migration
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it ( https://github.com/[my-github-username]/slosilo-migration/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+

data/lib/slosilo/migration.rb

@@ -0,0 +1,17 @@
+module Slosilo
+  unless defined? LEGACY_WARNED
+    puts """
+      WARNING!! You are loading compatibility Slosilo code. It has known potential
+      security problems and is deprecated; this code is ONLY meant to be used in
+      migrations and tests.
+
+      First loaded from:
+    """
+    puts caller.map{|s| "\t\t#{s}"}
+    LEGACY_WARNED = true
+  end
+end
+
+require 'slosilo/migration/symmetric'
+require 'slosilo/migration/migrate_keys'
+require 'slosilo/migration/attr_encrypted'

data/lib/slosilo/migration/attr_encrypted.rb

@@ -0,0 +1,49 @@
+require 'slosilo/migration'
+
+module Slosilo::Migration
+  # we don't trust the database to keep all backups safe from the prying eyes
+  # so we encrypt sensitive attributes before storing them
+  module EncryptedAttributes
+    module ClassMethods
+      def attr_encrypted *a
+        # push a module onto the inheritance hierarchy
+        # this allows calling super in classes
+        include(accessors = Module.new)
+        accessors.module_eval do 
+          a.each do |attr|
+            define_method "#{attr}=" do |value|
+              super(EncryptedAttributes.encrypt value)
+            end
+            define_method attr do
+              EncryptedAttributes.decrypt(super())
+            end
+          end
+        end
+      end
+    end
+    
+    def self.included base
+      base.extend ClassMethods
+    end
+
+    class << self
+      def encrypt value
+        return nil unless value
+        cipher.encrypt value, key: key
+      end
+      
+      def decrypt ctxt
+        return nil unless ctxt
+        cipher.decrypt ctxt, key: key
+      end
+
+      def key
+        Slosilo::encryption_key || (raise "Please set Slosilo::encryption_key")
+      end
+      
+      def cipher
+        @cipher ||= Slosilo::Migration::Symmetric.new
+      end
+    end
+  end
+end

data/lib/slosilo/migration/migrate_keys.rb

@@ -0,0 +1,76 @@
+# Make sure we show the warning
+require 'slosilo/migration'
+
+module Slosilo
+  module Migration
+    module MigrateKeys
+      DEFAULT_KEYSTORE_TABLE = :slosilo_keystore
+
+      attr_writer :keystore_table
+
+      def keystore_table
+        @keystore_table ||= DEFAULT_KEYSTORE_TABLE
+      end
+
+      def upgrade! db
+        keystore = db[keystore_table]
+        return unless keystore.count > 0
+
+        key = Slosilo::encryption_key
+        if key.nil?
+          warn "Slosilo::encryption_key not set, assuming unencrypted key store"
+          return
+        end
+
+
+        old_cipher = Slosilo::Migration::Symmetric.new
+        new_cipher = Slosilo::Symmetric.new
+
+
+        progress = progress_bar keystore.count
+
+        keystore.each  do |row|
+          begin
+            # try to decrypt using new cipher
+            new_cipher.decrypt row[:key], key: key, aad: row[:id]
+            # it worked, no need to update
+          rescue OpenSSL::Cipher::CipherError
+            # otherwise, needs to be upgraded.
+            ptext = old_cipher.decrypt row[:key], key: key
+            ctext = new_cipher.encrypt ptext, key: key, aad: row[:id]
+            keystore.where(id: row[:id]).update(key: Sequel.blob(ctext))
+          end
+          progress.increment
+        end
+      end
+
+
+      def progress_bar count
+        begin
+          require 'ruby-progressbar'
+          ProgressBar.create total: count, output: $stderr, format: '%t |%w>%i| %e'
+        rescue LoadError
+          Object.new.tap do |o|
+            def o.increment; $stderr << '.' end
+          end
+        end
+      end
+
+    end
+  end
+end
+
+# Usage:
+# require 'slosilo/migration/migrate_keys'
+# Sequel.migration do
+#    up do
+#     extend Slosilo::Migration::MigrateKeys
+#     self.keystore_table = :some_custom_table
+#     upgrade! self
+#   end
+#
+#   down do
+#     raise "Irreversible!"
+#   end
+# end
+#

data/lib/slosilo/migration/symmetric.rb

@@ -0,0 +1,38 @@
+module Slosilo::Migration
+  class Symmetric
+    def initialize
+      @cipher = OpenSSL::Cipher.new 'AES-256-CBC'
+    end
+
+    # This lets us do a final sanity check in migrations from older encryption versions
+    def cipher_name
+      @cipher.name
+    end
+
+    def encrypt plaintext, opts = {}
+      @cipher.reset
+      @cipher.encrypt
+      @cipher.key = opts[:key]
+      @cipher.iv = iv = random_iv
+      ctxt = @cipher.update(plaintext)
+      iv + ctxt + @cipher.final
+    end
+    
+    def decrypt ciphertext, opts = {}
+      @cipher.reset
+      @cipher.decrypt
+      @cipher.key = opts[:key]
+      @cipher.iv, ctxt = ciphertext.unpack("a#{@cipher.iv_len}a*")
+      ptxt = @cipher.update(ctxt)
+      ptxt + @cipher.final
+    end
+    
+    def random_iv
+      @cipher.random_iv
+    end
+    
+    def random_key
+      @cipher.random_key
+    end
+  end
+end

data/lib/slosilo/migration/version.rb

@@ -0,0 +1,5 @@
+module Slosilo
+  module Migration
+    VERSION = "1.1.0"
+  end
+end

data/slosilo-migration.gemspec

@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'slosilo/migration/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "slosilo-migration"
+  spec.version       = Slosilo::Migration::VERSION
+  spec.authors       = ["Kevin Gilpin"]
+  spec.email         = ["kgilpin@gmail.com"]
+  spec.summary       = %q{Slosilo v1-compatible migration helper.}
+  spec.homepage      = "https://github.com/conjurinc/slosilo-migration"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "ruby-progressbar"
+
+  spec.add_development_dependency "bundler", "~> 1.6"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "slosilo"
+  spec.add_development_dependency 'rspec_junit_formatter'
+end

data/spec/migrate_keys_spec.rb

@@ -0,0 +1,35 @@
+require 'spec_helper'
+
+class Object
+  def metaclass
+    class << self; self; end
+  end
+end
+
+describe Slosilo::Migration::MigrateKeys do
+
+  subject { Class.new.extend(Slosilo::Migration::MigrateKeys) }
+
+  context 'for rows already encrypted properly' do
+
+    before(:each) { Slosilo::encryption_key = 'bed3033f87d71911a357cebe35ecb434' }
+
+    let (:row_id) { 'id' }
+    let (:db) {
+      encrypted_key = Slosilo::Symmetric.new.encrypt('foo', :key => Slosilo::encryption_key, :aad => row_id )
+      
+      # Match the shape of the keystore object expected by MigrateKeys#upgrade!
+      {
+        Slosilo::Migration::MigrateKeys::DEFAULT_KEYSTORE_TABLE => [
+          {:key => encrypted_key, :id => row_id }
+        ]
+      }
+    }
+  
+    it 'ignores them' do
+      expect { subject.upgrade!(db) }.not_to raise_exception
+    end
+
+  end
+  
+end

data/spec/spec_helper.rb

@@ -0,0 +1,3 @@
+require 'rspec'
+require 'slosilo'
+require 'slosilo/migration'

data/spec/symmetric_spec.rb

@@ -0,0 +1,51 @@
+require 'spec_helper'
+
+describe Slosilo::Migration::Symmetric do
+  # TODO transform it to class methods only?
+  let(:plaintext) { "quick brown fox jumped over the lazy dog" }
+  let(:key) { "^\xBAIv\xDB1\x0Fi\x04\x11\xFD\x14\xA7\xCD\xDFf\x93\xFE\x93}\v\x01\x11\x98\x14\xE0;\xC1\xE2 v\xA5".force_encoding("ASCII-8BIT") }
+  let(:iv) { "\xA1\xFA#z\x16\x80R\xCC|\x0Fyc\xB7j\x17\xED".force_encoding("ASCII-8BIT") }
+  let(:ciphertext) { "\xA1\xFA#z\x16\x80R\xCC|\x0Fyc\xB7j\x17\xED\x15\xC9r\xC9\xEE\xB9\xBC5\xB7\ni\x0F\f\xC8X\x80 h\a\xF4\xA6\xE3\x15\x9D\xF1-\xE5\bs\xF6\x02Z\x0F\xCD|S\x1A\xAA\x9At\xEFT\x17\xA5lT\x8C\xF3".force_encoding("ASCII-8BIT") }
+  describe '#encrypt' do
+    it "encrypts with AES-256-CBC" do
+      allow(subject).to receive(:random_iv).and_return(iv)
+      expect(subject.encrypt(plaintext, key: key)).to eql(ciphertext)
+    end
+  end
+  
+  describe '#decrypt' do
+    it "decrypts with AES-256-CBC" do
+      expect(subject.decrypt(ciphertext, key: key)).to eq(plaintext)
+    end
+    
+    context "when ciphertext happens to end in a zero" do
+      let(:ciphertext) { "\x7F\xD6\xEAb\xE56\a\xD3\xC5\xF2J\n\x8C\x8Fg\xB7-\\\x8A\fh\x18\xC8\x91\xB9 \x97\xC9\x12\xE6\xA6\xAE\xB1I\x1E\x80\xAB\xD8\xDC\xBD\xB6\xCD\x9A\xA3MH\xA8\xB0\xC7\xDA\x87\xA7c\xD75,\xD2A\xB8\x9E\xE3o\x04\x00" }
+      let(:key) { "4pSuk1rAQyuHA5uUYaj0X0BsiPCFb9Nc8J03XA6V5/Y" }
+      it "works correctly" do
+        expect(subject.decrypt(ciphertext, key: key)).to eq("R6KNTQ4aUivojbaqhgAqj1I4PaF8h/5/YcENy4uNbfk=")
+      end
+    end
+
+    context "when the iv ends in space" do
+      let(:ciphertext) { "\xC0\xDA#\xE9\xE1\xFD\xEDJ\xADs4P\xA9\xD6\x92 \xF7\xF8_M\xF6\x16\xC2i$\x8BT^\b\xA1\xB2L&\xE9\x80\x02[]6i\x9B\xD3\xC3\xED\xA9\xD1\x94\xE8\x15\xFD\xDA\xFEUj\xC5upH*\xBF\x82\x15le" }
+      let(:key) { "4pSuk1rAQyuHA5uUYaj0X0BsiPCFb9Nc8J03XA6V5/Y" }
+      it "works correctly" do
+        expect(subject.decrypt(ciphertext, key: key)).to eq("zGptmL3vd4obi1vqSiWHt/Ias2k+6qDtuq9vdow8jNA=")
+      end
+    end
+  end
+  
+  describe '#random_iv' do
+    it "generates a random iv" do
+      expect_any_instance_of(OpenSSL::Cipher).to receive(:random_iv).and_return :iv
+      expect(subject.random_iv).to eq(:iv)
+    end
+  end
+
+  describe '#random_key' do
+    it "generates a random key" do
+      expect_any_instance_of(OpenSSL::Cipher).to receive(:random_key).and_return :key
+      expect(subject.random_key).to eq(:key)
+    end
+  end
+end

metadata

@@ -0,0 +1,147 @@
+--- !ruby/object:Gem::Specification
+name: slosilo-migration
+version: !ruby/object:Gem::Version
+  version: 1.1.0
+platform: ruby
+authors:
+- Kevin Gilpin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-10-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: ruby-progressbar
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: slosilo
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec_junit_formatter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- kgilpin@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".project"
+- ".rspec"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/slosilo/migration.rb
+- lib/slosilo/migration/attr_encrypted.rb
+- lib/slosilo/migration/migrate_keys.rb
+- lib/slosilo/migration/symmetric.rb
+- lib/slosilo/migration/version.rb
+- slosilo-migration.gemspec
+- spec/migrate_keys_spec.rb
+- spec/spec_helper.rb
+- spec/symmetric_spec.rb
+homepage: https://github.com/conjurinc/slosilo-migration
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: Slosilo v1-compatible migration helper.
+test_files:
+- spec/migrate_keys_spec.rb
+- spec/spec_helper.rb
+- spec/symmetric_spec.rb