slosilo 0.0.0 → 0.1.2

data/.gitignore

@@ -17,5 +17,3 @@ test/version_tmp
 tmp
 .rvmrc
 .project
-.kateproject.d
-.idea

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
+Copyright (c) 2012 Rafał Rzepecki
 
 MIT License
 
@@ -19,4 +19,4 @@ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -1,11 +1,7 @@
 # Slosilo
 
-Slosilo is providing a ruby interface to some cryptographic primitives:
-- symmetric encryption,
-- a mixin for easy encryption of object attributes,
-- asymmetric encryption and signing,
-- a keystore in a postgres sequel db -- it allows easy storage and retrieval of keys,
-- a keystore in files.
+Slosilo is a keystore in the database. (Currently only works with postgres.)
+It allows easy storage and retrieval of keys.
 
 ## Installation
 
@@ -17,121 +13,6 @@ And then execute:
 
     $ bundle
 
-## Compatibility
-
-Version 3.0 introduced full transition to Ruby 3.
-Consumers who use slosilo in Ruby 2 projects, shall use slosilo V2.X.X.
-
-Version 2.0 introduced new symmetric encryption scheme using AES-256-GCM
-for authenticated encryption. It allows you to provide AAD on all symmetric
-encryption primitives. It's also **NOT COMPATIBLE** with CBC used in version <2.
-
-This means you'll have to migrate all your existing data. There's no easy way to
-do this currently provided; it's recommended to create a database migration and
-put relevant code fragments in it directly. (This will also have the benefit of making
-the migration self-contained.)
-
-Since symmetric encryption is used in processing asymetrically encrypted messages,
-this incompatibility extends to those too.
-
-## Usage
-
-### Symmetric encryption
-
-```ruby
-sym = Slosilo::Symmetric.new
-key = sym.random_key
-# additional authenticated data
-message_id = "message 001"
-ciphertext = sym.encrypt "secret message", key: key, aad: message_id
-```
-
-```ruby
-sym = Slosilo::Symmetric.new
-message = sym.decrypt ciphertext, key: key, aad: message_id
-```
-
-### Encryption mixin
-
-```ruby
-require 'slosilo'
-
-class Foo
-  attr_accessor :foo
-  attr_encrypted :foo, aad: :id
-
-  def raw_foo
-    @foo
-  end
-
-  def id
-    "unique record id"
-  end
-end
-
-Slosilo::encryption_key = Slosilo::Symmetric.new.random_key
-
-obj = Foo.new
-obj.foo = "bar"
-obj.raw_foo # => "\xC4\xEF\x87\xD3b\xEA\x12\xDF\xD0\xD4hk\xEDJ\v\x1Cr\xF2#\xA3\x11\xA4*k\xB7\x8F\x8F\xC2\xBD\xBB\xFF\xE3"
-obj.foo # => "bar"
-```
-
-You can safely use it in ie. ActiveRecord::Base or Sequel::Model subclasses.
-
-### Asymmetric encryption and signing
-
-```ruby
-private_key = Slosilo::Key.new
-public_key = private_key.public
-```
-
-#### Key dumping
-```ruby
-k = public_key.to_s # => "-----BEGIN PUBLIC KEY----- ...
-(Slosilo::Key.new k) == public_key # => true
-```
-
-#### Encryption
-
-```ruby
-encrypted = public_key.encrypt_message "eagle one sees many clouds"
-# => "\xA3\x1A\xD2\xFC\xB0 ...
-
-public_key.decrypt_message encrypted
-# => OpenSSL::PKey::RSAError: private key needed.
-
-private_key.decrypt_message encrypted
-# => "eagle one sees many clouds"
-```
-
-#### Signing
-
-```ruby
-token = private_key.signed_token "missile launch not authorized"
-# => {"data"=>"missile launch not authorized", "timestamp"=>"2014-10-13 12:41:25 UTC", "signature"=>"bSImk...DzV3o", "key"=>"455f7ac42d2d483f750b4c380761821d"}
-
-public_key.token_valid? token # => true
-
-token["data"] = "missile launch authorized"
-public_key.token_valid? token # => false
-```
-
-### Keystore
-
-```ruby
-Slosilo::encryption_key = ENV['SLOSILO_KEY']
-Slosilo.adapter = Slosilo::Adapters::FileAdapter.new "~/.keys"
-
-Slosilo[:own] = Slosilo::Key.new
-Slosilo[:their] = Slosilo::Key.new File.read("foo.pem")
-
-msg = Slosilo[:their].encrypt_message 'bar'
-p Slosilo[:own].signed_token msg
-```
-
-### Keystore in database
-
 Add a migration to create the necessary table:
 
     require 'slosilo/adapters/sequel_adapter/migration'
@@ -140,13 +21,12 @@ Remember to migrate your database
 
     $ rake db:migrate
 
-Then
-```ruby
-Slosilo.adapter = Slosilo::Adapters::SequelAdapter.new
-```
+## Usage
 
 ## Contributing
 
-We welcome contributions of all kinds to this repository. For instructions on
-how to get started and descriptions of our development workflows, please see our
-[contributing guide](CONTRIBUTING.md).
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/lib/slosilo/adapters/abstract_adapter.rb

@@ -7,10 +7,6 @@ module Slosilo
         raise NotImplementedError
       end
       
-      def get_by_fingerprint fp
-        raise NotImplementedError
-      end
-
       def put_key id, key
         raise NotImplementedError
       end

data/lib/slosilo/adapters/mock_adapter.rb

@@ -1,21 +1,8 @@
 module Slosilo
   module Adapters
     class MockAdapter < Hash
-      def initialize
-        @fp = {}
-      end
-
-      def put_key id, key
-        @fp[key.fingerprint] = id
-        self[id] = key
-      end
-
+      alias :put_key :[]=
       alias :get_key :[]
-
-      def get_by_fingerprint fp
-        id = @fp[fp]
-        [self[id], id]
-      end
     end
   end
 end

data/lib/slosilo/adapters/sequel_adapter/migration.rb

@@ -15,13 +15,10 @@ module Slosilo
 
     # Create the table for holding keys
     def create_keystore_table
-      # docs say to not use create_table? in migration;
-      # but we really want this to be robust in case there are any previous installs
-      # and we can't use table_exists? because it rolls back
-      create_table? keystore_table do
+      create_table keystore_table do
         String :id, primary_key: true
+        # Note: currently only postgres is supported
         bytea :key, null: false
-        String :fingerprint, unique: true, null: false
       end
     end
     

data/lib/slosilo/adapters/sequel_adapter.rb

@@ -6,89 +6,27 @@ module Slosilo
       def model
         @model ||= create_model
       end
-
-      def secure?
-        !Slosilo.encryption_key.nil?
-      end
       
       def create_model
         model = Sequel::Model(:slosilo_keystore)
         model.unrestrict_primary_key
-        model.attr_encrypted(:key, aad: :id) if secure?
+        model.attr_encrypted :key
         model
       end
       
       def put_key id, value
-        fail Error::InsecureKeyStorage unless secure? || !value.private?
-
-        attrs = { id: id, key: value.to_der }
-        attrs[:fingerprint] = value.fingerprint if fingerprint_in_db?
-        model.create attrs
+        model.create id: id, key: value
       end
       
       def get_key id
         stored = model[id]
         return nil unless stored
-        Slosilo::Key.new stored.key
-      end
-
-      def get_by_fingerprint fp
-        if fingerprint_in_db?
-          stored = model[fingerprint: fp]
-          return nil unless stored
-          [Slosilo::Key.new(stored.key), stored.id]
-        else
-          warn "Please migrate to a new database schema using rake slosilo:migrate for efficient fingerprint lookups"
-          find_by_fingerprint fp
-        end
+        stored.key
       end
-
+      
       def each
         model.each do |m|
-          yield m.id, Slosilo::Key.new(m.key)
-        end
-      end
-
-      def recalculate_fingerprints
-        # Use a transaction to ensure that all fingerprints are updated together. If any update fails,
-        # we want to rollback all updates.
-        model.db.transaction do
-          model.each do |m|
-            m.update fingerprint: Slosilo::Key.new(m.key).fingerprint
-          end
-        end
-      end
-
-
-      def migrate!
-        unless fingerprint_in_db?
-          model.db.transaction do
-            model.db.alter_table :slosilo_keystore do
-              add_column :fingerprint, String
-            end
-
-            # reload the schema
-            model.set_dataset model.dataset
-
-            recalculate_fingerprints
-
-            model.db.alter_table :slosilo_keystore do
-              set_column_not_null :fingerprint
-              add_unique_constraint :fingerprint
-            end
-          end
-        end
-      end
-
-      private
-
-      def fingerprint_in_db?
-        model.columns.include? :fingerprint
-      end
-
-      def find_by_fingerprint fp
-        each do |id, k|
-          return [k, id] if k.fingerprint == fp
+          yield m.id, m.key
         end
       end
     end

data/lib/slosilo/attr_encrypted.rb

@@ -5,47 +5,21 @@ module Slosilo
   # so we encrypt sensitive attributes before storing them
   module EncryptedAttributes
     module ClassMethods
-
-      # @param options [Hash]
-      # @option :aad [#to_proc, #to_s]  Provide additional authenticated data for
-      #   encryption.  This should be something unique to the instance having
-      #   this attribute, such as a primary key; this will ensure that an attacker can't swap
-      #   values around -- trying to decrypt value with a different auth data will fail.
-      #   This means you have to be able to recover it in order to decrypt attributes.
-      #   The following values are accepted:
-      #
-      #   * Something proc-ish: will be called with self each time auth data is needed.
-      #   * Something stringish: will be to_s-d and used for all instances as auth data.
-      #     Note that this will only prevent swapping in data using another string.
-      #
-      #   The recommended way to use this option is to pass a proc-ish that identifies the record.
-      #   Note the proc-ish can be a simple method name; for example in case of a Sequel::Model:
-      #       attr_encrypted :secret, aad: :pk
       def attr_encrypted *a
-        options = a.last.is_a?(Hash) ? a.pop : {}
-        aad = options[:aad]
-        # note nil.to_s is "", which is exactly the right thing
-        auth_data = aad.respond_to?(:to_proc) ? aad.to_proc : proc{ |_| aad.to_s }
-
-        # In ruby 3 .arity for #proc returns both 1 and 2, depends on internal #proc
-        # This method is also being called with aad which is string, in such case the arity is 1
-        raise ":aad proc must take two arguments" unless (auth_data.arity.abs == 2 || auth_data.arity.abs == 1)
-
         # push a module onto the inheritance hierarchy
         # this allows calling super in classes
         include(accessors = Module.new)
         accessors.module_eval do 
           a.each do |attr|
             define_method "#{attr}=" do |value|
-              super(EncryptedAttributes.encrypt(value, aad: auth_data[self]))
+              super(EncryptedAttributes.encrypt value)
             end
             define_method attr do
-              EncryptedAttributes.decrypt(super(), aad: auth_data[self])
+              EncryptedAttributes.decrypt(super())
             end
           end
         end
       end
-
     end
     
     def self.included base
@@ -53,14 +27,14 @@ module Slosilo
     end
 
     class << self
-      def encrypt value, opts={}
+      def encrypt value
         return nil unless value
-        cipher.encrypt value, key: key, aad: opts[:aad]
+        cipher.encrypt value, key: key
       end
       
-      def decrypt ctxt, opts={}
+      def decrypt ctxt
         return nil unless ctxt
-        cipher.decrypt ctxt, key: key, aad: opts[:aad]
+        cipher.decrypt ctxt, key: key
       end
 
       def key
@@ -82,4 +56,4 @@ module Slosilo
   end
 end
 
-Object.send :include, Slosilo::EncryptedAttributes
+Object.send:include, Slosilo::EncryptedAttributes

data/lib/slosilo/http_request.rb

@@ -0,0 +1,59 @@
+module Slosilo
+  # A mixin module which simplifies generating signed and encrypted requests.
+  # It's designed to be mixed into a standard Net::HTTPRequest object
+  # and ensures the request is signed and optionally encrypted before execution.
+  # Requests prepared this way will be recognized by Slosilo::Rack::Middleware.
+  #
+  # As an example, you can use it with RestClient like so:
+  #   RestClient.add_before_execution_proc do |req, params|
+  #     require 'slosilo'
+  #     req.extend Slosilo::HTTPRequest
+  #     req.keyname = :somekey
+  #   end
+  #
+  # The request won't be encrypted unless you set the destination keyname.
+  
+  module HTTPRequest
+    # Encrypt the request with key named @keyname from Slosilo::Keystore. 
+    # If calling this manually, make sure to encrypt before signing.
+    def encrypt!
+      return unless @keyname
+      return unless body && !body.empty?
+      self.body, key = Slosilo[@keyname].encrypt body
+      self['X-Slosilo-Key'] = Base64::urlsafe_encode64 key
+    end
+    
+    # Sign the request with :own key from Slosilo::Keystore. 
+    # If calling this manually, make sure to encrypt before signing.
+    def sign!
+      token = Slosilo[:own].signed_token signed_data
+      self['Timestamp'] = token["timestamp"]
+      self['X-Slosilo-Signature'] = token["signature"]
+    end
+    
+    # Build the data hash to sign.
+    def signed_data
+      data = { "path" => path, "body" => [body].pack('m0') }
+      if key = self['X-Slosilo-Key']
+        data["key"] = key
+      end
+      if authz = self['Authorization']
+        data["authorization"] = authz
+      end
+      data
+    end
+    
+    # Encrypt, sign and execute the request.
+    def exec *a
+      # we need to hook here because the body might be set
+      # in several ways and here it's hopefully finalized
+      encrypt!
+      sign!
+      super *a
+    end
+    
+    # Name of the key used to encrypt the request. 
+    # Use it to establish the identity of the receiver.
+    attr_accessor :keyname
+  end
+end

data/lib/slosilo/key.rb

@@ -3,8 +3,6 @@ require 'json'
 require 'base64'
 require 'time'
 
-require 'slosilo/errors'
-
 module Slosilo
   class Key
     def initialize raw_key = nil
@@ -15,10 +13,6 @@ module Slosilo
       else
         OpenSSL::PKey::RSA.new 2048
       end
-    rescue OpenSSL::PKey::PKeyError => e
-      # old openssl versions used to report ArgumentError
-      # which arguably makes more sense here, so reraise as that
-      raise ArgumentError, e, e.backtrace
     end
     
     attr_reader :key
@@ -33,28 +27,18 @@ module Slosilo
       key = @key.public_encrypt key
       [ctxt, key]
     end
-
-    def encrypt_message plaintext
-      c, k = encrypt plaintext
-      k + c
-    end
     
     def decrypt ciphertext, skey
       key = @key.private_decrypt skey
       cipher.decrypt ciphertext, key: key
     end
-
-    def decrypt_message ciphertext
-      k, c = ciphertext.unpack("A256A*")
-      decrypt c, k
-    end
     
     def to_s
       @key.public_key.to_pem
     end
     
     def to_der
-      @to_der ||= @key.to_der
+      @key.to_der
     end
     
     def sign value
@@ -74,119 +58,23 @@ module Slosilo
     def signed_token data
       token = { "data" => data, "timestamp" => Time.new.utc.to_s }
       token["signature"] = Base64::urlsafe_encode64(sign token)
-      token["key"] = fingerprint
       token
     end
-
-    JWT_ALGORITHM = 'conjur.org/slosilo/v2'.freeze
-
-    # Issue a JWT with the given claims.
-    # `iat` (issued at) claim is automatically added.
-    # Other interesting claims you can give are:
-    # - `sub` - token subject, for example a user name;
-    # - `exp` - expiration time (absolute);
-    # - `cidr` (Conjur extension) - array of CIDR masks that are accepted to
-    #   make requests that bear this token
-    def issue_jwt claims
-      token = Slosilo::JWT.new claims
-      token.add_signature \
-          alg: JWT_ALGORITHM,
-          kid: fingerprint,
-          &method(:sign)
-      token.freeze
-    end
-
-    DEFAULT_EXPIRATION = 8 * 60
     
-    def token_valid? token, expiry = DEFAULT_EXPIRATION
-      return jwt_valid? token if token.respond_to? :header
+    def token_valid? token, expiry = 8 * 60
       token = token.clone
-      expected_key = token.delete "key"
-      return false if (expected_key and (expected_key != fingerprint))
       signature = Base64::urlsafe_decode64(token.delete "signature")
       (Time.parse(token["timestamp"]) + expiry > Time.now) && verify_signature(token, signature)
     end
-
-    # Validate a JWT.
-    #
-    # Convenience method calling #validate_jwt and returning false if an
-    # exception is raised.
-    #
-    # @param token [JWT] pre-parsed token to verify
-    # @return [Boolean]
-    def jwt_valid? token
-      validate_jwt token
-      true
-    rescue
-      false
-    end
-
-    # Validate a JWT.
-    #
-    # First checks whether algorithm is 'conjur.org/slosilo/v2' and the key id
-    # matches this key's fingerprint. Then verifies if the token is not expired,
-    # as indicated by the `exp` claim; in its absence tokens are assumed to
-    # expire in `iat` + 8 minutes.
-    #
-    # If those checks pass, finally the signature is verified.
-    #
-    # @raises TokenValidationError if any of the checks fail.
-    #
-    # @note It's the responsibility of the caller to examine other claims
-    # included in the token; consideration needs to be given to handling
-    # unrecognized claims.
-    #
-    # @param token [JWT] pre-parsed token to verify
-    def validate_jwt token
-      def err msg
-        raise Error::TokenValidationError, msg, caller
-      end
-
-      header = token.header
-      err 'unrecognized algorithm' unless header['alg'] == JWT_ALGORITHM
-      err 'mismatched key' if (kid = header['kid']) && kid != fingerprint
-      iat = Time.at token.claims['iat'] || err('unknown issuing time')
-      exp = Time.at token.claims['exp'] || (iat + DEFAULT_EXPIRATION)
-      err 'token expired' if exp <= Time.now
-      err 'invalid signature' unless verify_signature token.string_to_sign, token.signature
-      true
-    end
     
     def sign_string value
-      salt = shake_salt
-      key.private_encrypt(hash_function.digest(salt + value)) + salt
-    end
-    
-    def fingerprint
-      @fingerprint ||= OpenSSL::Digest::SHA256.hexdigest key.public_key.to_der
-    end
-
-    def == other
-      to_der == other.to_der
-    end
-
-    alias_method :eql?, :==
-
-    def hash
-      to_der.hash
-    end
-
-    # return a new key with just the public part of this
-    def public
-      Key.new(@key.public_key)
-    end
-
-    # checks if the keypair contains a private key
-    def private?
-      @key.private?
+      _salt = salt
+      key.private_encrypt(hash_function.digest(_salt + value)) + _salt
     end
     
     private
-    
-    # Note that this is currently somewhat shallow stringification -- 
-    # to implement originating tokens we may need to make it deeper.
     def stringify value
-      string = case value
+      case value
       when Hash
         value.to_a.sort.to_json
       when String
@@ -194,20 +82,9 @@ module Slosilo
       else
         value.to_json
       end
-
-      # Make sure that the string is ascii_8bit (i.e. raw bytes), and represents
-      # the utf-8 encoding of the string.  This accomplishes two things: it normalizes
-      # the representation of the string at the byte level (so we don't have an error if
-      # one username is submitted as ISO-whatever, and the next as UTF-16), and it prevents
-      # an incompatible encoding error when we concatenate it with the salt.
-      if string.encoding != Encoding::ASCII_8BIT
-        string.encode(Encoding::UTF_8).force_encoding(Encoding::ASCII_8BIT)
-      else
-        string
-      end
     end
     
-    def shake_salt
+    def salt
       Slosilo::Random::salt
     end