slosilo 0.0.0 → 0.1.2

data/lib/slosilo/keystore.rb

@@ -7,34 +7,26 @@ module Slosilo
     end
     
     def put id, key
-      id = id.to_s
-      fail ArgumentError, "id can't be empty" if id.empty?
-      adapter.put_key id, key
+      adapter.put_key id.to_s, key.to_der
     end
     
-    def get opts
-      id, fingerprint = opts.is_a?(Hash) ? [nil, opts[:fingerprint]] : [opts, nil]
-      if id
-        key = adapter.get_key(id.to_s)
-      elsif fingerprint
-        key, _ = get_by_fingerprint(fingerprint)
-      end
-      key
-    end
-
-    def get_by_fingerprint fingerprint
-      adapter.get_by_fingerprint fingerprint
+    def get id
+      key = adapter.get_key(id.to_s)
+      key && Key.new(key)
     end
     
-    def each &_
-      adapter.each { |k, v| yield k, v }
+    def each(&block)
+      adapter.each(&block)
     end
     
     def any? &block
-      each do |_, k|
-        return true if yield k
+      catch :found do
+        adapter.each do |id, k|
+          throw :found if block.call(Key.new(k))
+        end
+        return false
       end
-      return false
+      true
     end
   end
   
@@ -59,26 +51,6 @@ module Slosilo
       keystore.any? { |k| k.token_valid? token }
     end
     
-    # Looks up the signer by public key fingerprint and checks the validity
-    # of the signature. If the token is JWT, exp and/or iat claims are also
-    # verified; the caller is responsible for validating any other claims.
-    def token_signer token
-      begin
-        # see if maybe it's a JWT
-        token = JWT token
-        fingerprint = token.header['kid']
-      rescue ArgumentError
-        fingerprint = token['key']
-      end
-
-      key, id = keystore.get_by_fingerprint fingerprint
-      if key && key.token_valid?(token)
-        return id
-      else
-        return nil
-      end
-    end
-
     attr_accessor :adapter
     
     private

data/lib/slosilo/rack/middleware.rb

@@ -0,0 +1,123 @@
+module Slosilo
+  module Rack
+    # Con perform verification of request signature and decryption of request body.
+    #
+    # Signature verification and body decryption are enabled with constructor switches and are 
+    # therefore performed (or not) for all requests.
+    #
+    # When signature verification is performed, the following elements are included in the 
+    # signature string:
+    # 
+    # 1. Request path and query string
+    # 2. base64 encoded request body
+    # 3. Request timestamp from HTTP_TIMESTAMP
+    # 4. Body encryption key from HTTP_X_SLOSILO_KEY (if present)
+    # 
+    # When body decryption is performed, an encryption key for the message body is encrypted
+    # with this service's public key and placed in HTTP_X_SLOSILO_KEY. This middleware
+    # decryps the key using our :own private key, and then decrypts the body using the decrypted key.
+    class Middleware
+      class EncryptionError < SecurityError
+      end
+      class SignatureError < SecurityError
+      end
+
+      def initialize app, opts = {}
+        @app = app
+        @encryption_required = opts[:encryption_required] || false
+        @signature_required = opts[:signature_required] || false
+      end
+      
+      def call env
+        @env = env
+        @body = env['rack.input'].read rescue ""
+        
+        begin
+          verify
+          decrypt
+        rescue EncryptionError
+          return error 403, $!.message
+        rescue SignatureError
+          return error 401, $!.message
+        end
+        
+        @app.call env
+      end
+      
+      private
+      def verify
+        if signature
+          raise SignatureError, "Bad signature" unless Slosilo.token_valid?(token)
+        else
+          raise SignatureError, "Signature required" if signature_required?
+        end
+      end
+      
+      attr_reader :env
+      
+      def token
+        return nil unless signature
+        t = { "data" => { "path" => path, "body" => [body].pack('m0') }, "timestamp" => timestamp, "signature" => signature }
+        t["data"]["key"] = encoded_key if encoded_key
+        t['data']['authorization'] = env['HTTP_AUTHORIZATION'] if env['HTTP_AUTHORIZATION']
+        t
+      end
+      
+      def path
+        env['SCRIPT_NAME'] + env['PATH_INFO'] + query_string
+      end
+      
+      def query_string
+        if env['QUERY_STRING'].empty?
+          ''
+        else
+          '?' + env['QUERY_STRING']
+        end
+      end
+
+      attr_reader :body
+      
+      def timestamp
+        env['HTTP_TIMESTAMP']
+      end
+      
+      def signature
+        env['HTTP_X_SLOSILO_SIGNATURE']
+      end
+      
+      def encoded_key
+        env['HTTP_X_SLOSILO_KEY']
+      end
+      
+      def key
+        if encoded_key
+          Base64::urlsafe_decode64(encoded_key)
+        else
+          raise EncryptionError, "Encryption required" if encryption_required?
+        end
+      end
+      
+      def decrypt
+        return unless key
+        plaintext = Slosilo[:own].decrypt body, key
+        env['rack.input'] = StringIO.new plaintext
+      rescue EncryptionError
+        raise unless body.empty? || body.nil?
+      rescue Exception => e
+        raise EncryptionError, "Bad encryption", e.backtrace
+      end
+      
+      def error status, message
+        [status, { 'Content-Type' => 'text/plain', 'Content-Length' => message.length.to_s }, [message] ]
+      end
+      
+      def encryption_required?
+        @encryption_required
+      end
+      
+      def signature_required?
+        @signature_required
+      end
+    end
+  end
+end

data/lib/slosilo/symmetric.rb

@@ -1,63 +1,33 @@
 module Slosilo
   class Symmetric
-    VERSION_MAGIC = 'G'
-    TAG_LENGTH = 16
-
     def initialize
-      @cipher = OpenSSL::Cipher.new 'aes-256-gcm' # NB: has to be lower case for whatever reason.
-      @cipher_mutex = Mutex.new
+      @cipher = OpenSSL::Cipher.new 'AES-256-CBC'
     end
-
-    # This lets us do a final sanity check in migrations from older encryption versions
-    def cipher_name
-      @cipher.name
-    end
-
+    
     def encrypt plaintext, opts = {}
-      # All of these operations in OpenSSL must occur atomically, so we
-      # synchronize their access to make this step thread-safe.
-      @cipher_mutex.synchronize do
-        @cipher.reset
-        @cipher.encrypt
-        @cipher.key = (opts[:key] or raise("missing :key option"))
-        @cipher.iv = iv = random_iv
-        @cipher.auth_data = opts[:aad] || "" # Nothing good happens if you set this to nil, or don't set it at all
-        ctext = @cipher.update(plaintext) + @cipher.final
-        tag = @cipher.auth_tag(TAG_LENGTH)
-        "#{VERSION_MAGIC}#{tag}#{iv}#{ctext}"
-      end
+      @cipher.reset
+      @cipher.encrypt
+      @cipher.key = opts[:key]
+      @cipher.iv = iv = random_iv
+      ctxt = @cipher.update(plaintext)
+      iv + ctxt + @cipher.final
     end
-
+    
     def decrypt ciphertext, opts = {}
-      version, tag, iv, ctext = unpack ciphertext
-
-      raise "Invalid version magic: expected #{VERSION_MAGIC} but was #{version}" unless version == VERSION_MAGIC
-
-      # All of these operations in OpenSSL must occur atomically, so we
-      # synchronize their access to make this step thread-safe.
-      @cipher_mutex.synchronize do
-        @cipher.reset
-        @cipher.decrypt
-        @cipher.key = opts[:key]
-        @cipher.iv = iv
-        @cipher.auth_tag = tag
-        @cipher.auth_data = opts[:aad] || ""
-        @cipher.update(ctext) + @cipher.final
-      end
+      @cipher.reset
+      @cipher.decrypt
+      @cipher.key = opts[:key]
+      @cipher.iv, ctxt = ciphertext.unpack("a#{@cipher.iv_len}a*")
+      ptxt = @cipher.update(ctxt)
+      ptxt + @cipher.final
     end
-
+    
     def random_iv
       @cipher.random_iv
     end
-
+    
     def random_key
       @cipher.random_key
     end
-
-    private
-    # return tag, iv, ctext
-    def unpack msg
-      msg.unpack "aa#{TAG_LENGTH}a#{@cipher.iv_len}a*"
-    end
   end
 end

data/lib/slosilo/version.rb

@@ -1,22 +1,3 @@
-# Copyright 2013-2021 Conjur Inc.
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
 module Slosilo
-  VERSION = File.read(File.expand_path('../../VERSION', __dir__))
-end
+  VERSION = "0.1.2"
+end

data/lib/slosilo.rb

@@ -1,10 +1,10 @@
-require "slosilo/jwt"
 require "slosilo/version"
 require "slosilo/keystore"
 require "slosilo/symmetric"
 require "slosilo/attr_encrypted"
 require "slosilo/random"
-require "slosilo/errors"
+require "slosilo/rack/middleware"
+require "slosilo/http_request"
 
 if defined? Sequel
   require 'slosilo/adapters/sequel_adapter'

data/lib/tasks/slosilo.rake

@@ -19,14 +19,4 @@ namespace :slosilo do
     Slosilo[args[:name]] = key
     puts key
   end
-
-  desc "Migrate to a new database schema"
-  task :migrate => :environment do |t|
-    Slosilo.adapter.migrate!
-  end
-
-  desc "Recalculate fingerprints in keystore"
-  task :recalculate_fingerprints => :environment do |t|
-    Slosilo.adapter.recalculate_fingerprints
-  end
 end

data/slosilo.gemspec

@@ -1,20 +1,12 @@
 # -*- encoding: utf-8 -*-
-begin
-  require File.expand_path('lib/slosilo/version.rb', __FILE__)
-rescue LoadError
-  # so that bundle can be run without the app code
-  module Slosilo
-    VERSION = '0.0.0'
-  end
-end
+require File.expand_path('../lib/slosilo/version', __FILE__)
 
 Gem::Specification.new do |gem|
   gem.authors       = ["Rafa\305\202 Rzepecki"]
   gem.email         = ["divided.mind@gmail.com"]
   gem.description   = %q{This gem provides an easy way of storing and retrieving encryption keys in the database.}
   gem.summary       = %q{Store SSL keys in a database}
-  gem.homepage      = "https://github.cyberng.com/Conjur-Enterprise/slosilo/"
-  gem.license       = "MIT"
+  gem.homepage      = ""
 
   gem.files         = `git ls-files`.split($\)
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
@@ -22,17 +14,12 @@ Gem::Specification.new do |gem|
   gem.name          = "slosilo"
   gem.require_paths = ["lib"]
   gem.version       = Slosilo::VERSION
-  gem.required_ruby_version = '>= 3.0.0'
-
+  gem.required_ruby_version = '~> 1.9.3'
+  
   gem.add_development_dependency 'rake'
-  gem.add_development_dependency 'rspec', '~> 3.0'
-  gem.add_development_dependency 'ci_reporter_rspec'
+  gem.add_development_dependency 'rspec'
+  gem.add_development_dependency 'ci_reporter'
   gem.add_development_dependency 'simplecov'
-  gem.add_development_dependency 'simplecov-cobertura'
-  gem.add_development_dependency 'io-grab', '~> 0.0.1'
   gem.add_development_dependency 'sequel' # for sequel tests
   gem.add_development_dependency 'sqlite3' # for sequel tests
-  gem.add_development_dependency 'bigdecimal' # for activesupport
-  gem.add_development_dependency 'activesupport' # for convenience in specs
 end
-

data/spec/http_request_spec.rb

@@ -0,0 +1,107 @@
+require 'spec_helper'
+
+describe Slosilo::HTTPRequest do
+  let(:keyname) { :bacon }
+  let(:encrypt) { subject.encrypt! }
+  subject { Hash.new }
+  before do 
+    subject.extend Slosilo::HTTPRequest
+    subject.keyname = keyname
+  end
+  
+  describe "#sign!" do
+    let(:own_key) { double "own key" }
+    before { Slosilo.stub(:[]).with(:own).and_return own_key }
+    
+    let(:signed_data) { "this is the truest truth" }
+    before { subject.stub signed_data: signed_data }
+    let(:timestamp) { "long time ago" }
+    let(:signature) { "seal of approval" }
+    let(:token) { { "data" => signed_data, "timestamp" => timestamp, "signature" => signature } }
+    
+    it "makes a token out of the data to sign and inserts headers" do
+      own_key.stub(:signed_token).with(signed_data).and_return token
+      subject.should_receive(:[]=).with 'Timestamp', timestamp
+      subject.should_receive(:[]=).with 'X-Slosilo-Signature', signature
+      subject.sign!
+    end
+  end
+  
+  describe "#signed_data" do
+    before { subject.stub path: :path, body: 'body' }
+    context "when X-Slosilo-Key not present" do
+      its(:signed_data) { should == { "path" => :path, "body" => "Ym9keQ==" } }
+    end
+    
+    context "when X-Slosilo-Key is present" do
+      before { subject.merge! 'X-Slosilo-Key' => :key } 
+      its(:signed_data) { should == { "path" => :path, "body" => "Ym9keQ==", "key" => :key } }
+    end
+  end
+  
+  describe "#encrypt!" do
+    context "when key not set" do
+      before { subject.keyname = nil }
+      it "does nothing" do
+        subject.should_not_receive(:body=)
+        encrypt
+      end
+    end
+    
+    context "when requested key does not exist" do
+      before { Slosilo.stub(:[]).and_return nil }
+      it "raises error" do
+        expect{ encrypt }.to raise_error
+      end
+    end
+    
+    context "when the key exists" do
+      let(:key) { double "key" }
+      context "when the body is not empty" do
+        let(:plaintext) { "Keep your solutions close, and your problems closer." }
+        let(:ciphertext) { "And, when you want something, all the universe conspires in helping you to achieve it." }
+        let(:skey) { "make me sound like a fool instead" }
+        before do 
+          subject.stub body: plaintext
+          key.stub(:encrypt).with(plaintext).and_return([ciphertext, skey])
+          Slosilo.stub(:[]).with(keyname).and_return key
+        end
+        
+        it "encrypts the message body and adds the X-Slosilo-Key header" do
+          subject.should_receive(:body=).with ciphertext
+          subject.should_receive(:[]=).with 'X-Slosilo-Key', Base64::urlsafe_encode64(skey)
+          encrypt
+        end
+      end
+      
+      context "when the body is empty" do
+        before { subject.stub body: "" }
+        it "doesn't set the key header" do
+          subject.should_not_receive(:[]=).with 'X-Slosilo-Key'
+          encrypt
+        end
+      end
+    end
+  end
+  
+  describe "#exec" do
+    class Subject
+      def exec *a
+        "ok, got it"
+      end
+
+      def initialize keyname
+        extend Slosilo::HTTPRequest
+        self.keyname = keyname
+      end
+    end
+    
+    subject { Subject.new keyname }
+
+    it "encrypts, then signs and delegates to the superclass" do
+      subject.should_receive(:encrypt!).once.ordered
+      subject.should_receive(:sign!).once.ordered
+      subject.exec(:foo).should == "ok, got it"
+    end
+  end
+end

data/spec/http_stack_spec.rb

@@ -0,0 +1,44 @@
+require 'spec_helper'
+
+describe "http request stack" do
+  include_context "with example key"
+  include_context "with mock adapter"
+  before { Slosilo[:own] = key }
+
+  class MockRequest < Hash
+    def exec *a
+    end
+    
+    def [] name
+      name = name.sub(/^HTTP_/,'').gsub('_', '-').split(/(\W)/).map(&:capitalize).join
+      result = super name
+    end
+    
+    def initialize
+      extend Slosilo::HTTPRequest
+      self['Authorization'] = "Simon says it's fine"
+    end
+  end
+  
+  subject { MockRequest.new }
+  let(:path) { '/some/path' }
+
+  context "with authorization header" do
+    it "works" do
+      mw = Slosilo::Rack::Middleware.new lambda{|_|:ok}, signature_required: true
+      subject.stub path: path, body: ''
+      mw.stub path: path
+      subject.send :exec
+      mw.call(subject).should == :ok
+    end
+    
+    it "detects tampering" do
+      mw = Slosilo::Rack::Middleware.new lambda{|_|:ok}, signature_required: true
+      subject.stub path: path, body: ''
+      mw.stub path: path
+      subject.send :exec
+      subject['Authorization'] = "Simon changed his mind"
+      mw.call(subject).should_not == :ok
+    end
+  end
+end