slosilo 0.0.0

Files changed (46) hide show
  1. checksums.yaml +7 -0
  2. data/.github/CODEOWNERS +10 -0
  3. data/.gitignore +21 -0
  4. data/.gitleaks.toml +221 -0
  5. data/.kateproject +4 -0
  6. data/CHANGELOG.md +50 -0
  7. data/CONTRIBUTING.md +16 -0
  8. data/Gemfile +4 -0
  9. data/Jenkinsfile +132 -0
  10. data/LICENSE +22 -0
  11. data/README.md +152 -0
  12. data/Rakefile +17 -0
  13. data/SECURITY.md +42 -0
  14. data/dev/Dockerfile.dev +7 -0
  15. data/dev/docker-compose.yml +8 -0
  16. data/lib/slosilo/adapters/abstract_adapter.rb +23 -0
  17. data/lib/slosilo/adapters/file_adapter.rb +42 -0
  18. data/lib/slosilo/adapters/memory_adapter.rb +31 -0
  19. data/lib/slosilo/adapters/mock_adapter.rb +21 -0
  20. data/lib/slosilo/adapters/sequel_adapter/migration.rb +52 -0
  21. data/lib/slosilo/adapters/sequel_adapter.rb +96 -0
  22. data/lib/slosilo/attr_encrypted.rb +85 -0
  23. data/lib/slosilo/errors.rb +15 -0
  24. data/lib/slosilo/jwt.rb +122 -0
  25. data/lib/slosilo/key.rb +218 -0
  26. data/lib/slosilo/keystore.rb +89 -0
  27. data/lib/slosilo/random.rb +11 -0
  28. data/lib/slosilo/symmetric.rb +63 -0
  29. data/lib/slosilo/version.rb +22 -0
  30. data/lib/slosilo.rb +13 -0
  31. data/lib/tasks/slosilo.rake +32 -0
  32. data/publish.sh +5 -0
  33. data/secrets.yml +1 -0
  34. data/slosilo.gemspec +38 -0
  35. data/spec/encrypted_attributes_spec.rb +114 -0
  36. data/spec/file_adapter_spec.rb +81 -0
  37. data/spec/jwt_spec.rb +102 -0
  38. data/spec/key_spec.rb +258 -0
  39. data/spec/keystore_spec.rb +26 -0
  40. data/spec/random_spec.rb +19 -0
  41. data/spec/sequel_adapter_spec.rb +171 -0
  42. data/spec/slosilo_spec.rb +124 -0
  43. data/spec/spec_helper.rb +84 -0
  44. data/spec/symmetric_spec.rb +94 -0
  45. data/test.sh +8 -0
  46. metadata +238 -0
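--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA256:
+metadata.gz: c502ebb0a07b26d44dc5761d60efe6e0287031c7705fea7d6b41e9958b1c8280
+data.tar.gz: e4b042d59298a7df94407881e319e35c62257ae705e9151b39f9664fd561f30e
+SHA512:
+metadata.gz: c21146818734f623efc4c81e283627e72a85ac5265b5a48f68e100881de30877ea23380ecdc16b67597f65ef7831afa6f0acaf310396415d5b03f7603c74f2ef
+data.tar.gz: 06311b28a0a5b35e021988c99881a13005cd5d6343f85ebeaa78805c7f91e51df1ca084254ebbd2c980be866572d31d237e46fa163a6bd16300cfd2789e02850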
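--- a/data/.github/CODEOWNERS
+++ b/data/.github/CODEOWNERS
@@ -0,0 +1,10 @@
+* @cyberark/conjur-core-team @conjurinc/conjur-core-team @conjurdemos/conjur-core-team @conjur-enterprise/community-and-integrations
+
+# Changes to .trivyignore require Security Architect approval
+.trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects @conjur-enterprise/conjur-security
+
+# Changes to .codeclimate.yml require Quality Architect approval
+.codeclimate.yml @cyberark/quality-architects @conjurinc/quality-architects @conjurdemos/quality-architects @conjur-enterprise/conjur-quality
+
+# Changes to SECURITY.md require Security Architect approval
+SECURITY.md @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects @conjur-enterprise/conjur-security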
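--- a/data/.gitignore
+++ b/data/.gitignore
@@ -0,0 +1,21 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+.rvmrc
+.project
+.kateproject.d
+.idea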
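--- a/data/.gitleaks.toml
+++ b/data/.gitleaks.toml
@@ -0,0 +1,221 @@
+title = "Secretless Broker gitleaks config"
+
+# This is the config file for gitleaks. You can configure gitleaks what to search for and what to whitelist.
+# If GITLEAKS_CONFIG environment variable
+# is set, gitleaks will load configurations from that path. If option --config-path is set, gitleaks will load
+# configurations from that path. Gitleaks does not whitelist anything by default.
+# - https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04B-3_Meli_paper.pdf
+# - https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+[[rules]]
+description = "AWS Client ID"
+regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS Secret Key"
+regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS MWS key"
+regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
+tags = ["key", "AWS", "MWS"]
+
+[[rules]]
+description = "PKCS8"
+regex = '''-----BEGIN PRIVATE KEY-----'''
+tags = ["key", "PKCS8"]
+
+[[rules]]
+description = "RSA"
+regex = '''-----BEGIN RSA PRIVATE KEY-----'''
+tags = ["key", "RSA"]
+
+[[rules]]
+description = "SSH"
+regex = '''-----BEGIN OPENSSH PRIVATE KEY-----'''
+tags = ["key", "SSH"]
+
+[[rules]]
+description = "PGP"
+regex = '''-----BEGIN PGP PRIVATE KEY BLOCK-----'''
+tags = ["key", "PGP"]
+
+[[rules]]
+description = "Facebook Secret Key"
+regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Facebook Client ID"
+regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Facebook access token"
+regex = '''EAACEdEose0cBA[0-9A-Za-z]+'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Twitter Secret Key"
+regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]'''
+tags = ["key", "Twitter"]
+
+[[rules]]
+description = "Twitter Client ID"
+regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]'''
+tags = ["client", "Twitter"]
+
+[[rules]]
+description = "Github"
+regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]'''
+tags = ["key", "Github"]
+
+[[rules]]
+description = "LinkedIn Client ID"
+regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]'''
+tags = ["client", "Twitter"]
+
+[[rules]]
+description = "LinkedIn Secret Key"
+regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]'''
+tags = ["secret", "Twitter"]
+
+[[rules]]
+description = "Slack"
+regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
+tags = ["key", "Slack"]
+
+[[rules]]
+description = "EC"
+regex = '''-----BEGIN EC PRIVATE KEY-----'''
+tags = ["key", "EC"]
+
+[[rules]]
+description = "Generic API key"
+regex = '''(?i)(api_key|apikey)(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
+tags = ["key", "API", "generic"]
+
+[[rules]]
+description = "Generic Secret"
+regex = '''(?i)secret(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
+tags = ["key", "Secret", "generic"]
+
+[[rules]]
+description = "Google API key"
+regex = '''AIza[0-9A-Za-z\\-_]{35}'''
+tags = ["key", "Google"]
+
+[[rules]]
+description = "Google Cloud Platform API key"
+regex = '''(?i)(google|gcp|youtube|drive|yt)(.{0,20})?['\"][AIza[0-9a-z\\-_]{35}]['\"]'''
+tags = ["key", "Google", "GCP"]
+
+[[rules]]
+description = "Google OAuth"
+regex = '''(?i)(google|gcp|auth)(.{0,20})?['"][0-9]+-[0-9a-z_]{32}\.apps\.googleusercontent\.com['"]'''
+tags = ["key", "Google", "OAuth"]
+
+[[rules]]
+description = "Google OAuth access token"
+regex = '''ya29\.[0-9A-Za-z\-_]+'''
+tags = ["key", "Google", "OAuth"]
+
+[[rules]]
+description = "Heroku API key"
+regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]'''
+tags = ["key", "Heroku"]
+
+[[rules]]
+description = "MailChimp API key"
+regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]'''
+tags = ["key", "Mailchimp"]
+
+[[rules]]
+description = "Mailgun API key"
+regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]'''
+tags = ["key", "Mailgun"]
+
+[[rules]]
+description = "Password in URL"
+regex = '''[a-zA-Z]{3,10}:\/\/[^\/\s:@]{3,20}:[^\/\s:@]{3,20}@.{1,100}\/?.?'''
+tags = ["key", "URL", "generic"]
+
+[[rules]]
+description = "PayPal Braintree access token"
+regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
+tags = ["key", "Paypal"]
+
+[[rules]]
+description = "Picatic API key"
+regex = '''sk_live_[0-9a-z]{32}'''
+tags = ["key", "Picatic"]
+
+[[rules]]
+description = "Slack Webhook"
+regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'''
+tags = ["key", "slack"]
+
+[[rules]]
+description = "Stripe API key"
+regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_live_[0-9a-zA-Z]{24}'''
+tags = ["key", "Stripe"]
+
+[[rules]]
+description = "Square access token"
+regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
+tags = ["key", "square"]
+
+[[rules]]
+description = "Square OAuth secret"
+regex = '''sq0csp-[0-9A-Za-z\\-_]{43}'''
+tags = ["key", "square"]
+
+[[rules]]
+description = "Twilio API key"
+regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]'''
+tags = ["key", "twilio"]
+
+[whitelist]
+files = [
+"(.*?)(jpg|gif|doc|pdf|bin)$",
+".gitleaks.toml"
+]
+regexes = [
+]
+commits = [
+"3a496cef2d737f69038630f3c884a159f783bd06", # old commit to add test data
+"047e58e40c87f9d19d68c21a533b706616ab1ef2", # old commit to add test data
+"5345e49e7d63589fc637c2b0c7156bf97e9c72b8", # old commit to add test data
+"9c31229cedceedd75e06c381fe7218571a03c26d" # old commit to add test data
+]
+
+# Additional Examples
+
+# [[rules]]
+# description = "Generic Key"
+# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
+# entropies = [
+# "4.1-4.3",
+# "5.5-6.3",
+# ]
+# entropyROI = "line"
+# filetypes = [".go", ".py", ".c"]
+# tags = ["key"]
+# severity = "8"
+#
+#
+# [[rules]]
+# description = "Generic Key"
+# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
+# entropies = ["4.1-4.3"]
+# filetypes = [".gee"]
+# entropyROI = "line"
+# tags = ["key"]
+# severity = "medium"
+
+# [[rules]]
+# description = "Any pem file"
+# filetypes = [".key"]
+# tags = ["pem"]
+# severity = "high"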
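Review bot: The "Google Cloud Platform API key" rule's regex `['\"][AIza[0-9a-z\\-_]{35}]['\"]` wraps the key pattern in square brackets, which RE2 appears to parse as one character class repeated 35 times followed by a literal `]`, so the rule cannot match a real `AIza…` key; the intended form is `['\"]AIza[0-9A-Za-z\\-_]{35}['\"]`. The "Stripe API key" rule has the same class-versus-group slip in `[sk|rk]_live_`, which should be `(sk|rk)_live_`, and the two generic rules quote with `['|"]`, a class that also accepts a literal pipe. The LinkedIn rules are tagged `"Twitter"` and `title` still reads "Secretless Broker gitleaks config", which suggests the file was copied from another project; the four whitelisted commits presumably belong to that project too and are inert here. A scanning config whose rules cannot match the keys they name gives false assurance, so these patterns are worth correcting before the scan is relied on.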
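--- a/data/.kateproject
+++ b/data/.kateproject
@@ -0,0 +1,4 @@
+{
+"name": "Slosilo"
+, "files": [ { "git": 1 } ]
+}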
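--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -0,0 +1,50 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+
+## [3.0.2] - 2023-11-14
+
+### Changed
+
+- Moved slosilo to Github Enterprise.
+- Updated to use Ruby 3+ and conjur-enterprise/release-tools' publish-rubygem.
+
+## [3.0.1] - 2023-02-10
+
+### Fixed
+
+- The symmetric cipher class now encrypts and decrypts in a thread-safe manner.
+[cyberark/slosilo#31](https://github.com/cyberark/slosilo/pull/31)
+
+## [3.0.0] - 2022-02-01
+
+### Changed
+
+- Transition to Ruby 3. Consuming projects based on Ruby 2 shall use slosilo V2.X.X.
+
+## [2.2.2] - 2014-01-01
+
+## Added
+
+- Add rake task `slosilo:recalculate_fingerprints` which rehashes the fingerprints in the keystore.
+**Note**: After migrating the slosilo keystore, run the above rake task to ensure the fingerprints are correctly hashed.
+
+## [2.2.1] - 2014-01-01
+
+### Changed
+
+- Use SHA256 algorithm instead of MD5 for public key fingerprints.
+
+## [2.1.1] - 2014-01-01
+
+### Added
+
+- Add support for JWT-formatted tokens, with arbitrary expiration.
+
+## [2.0.1] - 2014-01-01
+
+### Fixed
+
+- Fixes a bug that occurs when signing tokens containing Unicode data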
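--- a/data/CONTRIBUTING.md
+++ b/data/CONTRIBUTING.md
@@ -0,0 +1,16 @@
+# Contributing
+
+For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community).
+
+## Contributing Workflow
+
+1. [Fork the project](https://help.github.com/en/github/getting-started-with-github/fork-a-repo)
+2. [Clone your fork](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/cloning-a-repository)
+3. Make local changes to your fork by editing files
+3. [Commit your changes](https://help.github.com/en/github/managing-files-in-a-repository/adding-a-file-to-a-repository-using-the-command-line)
+4. [Push your local changes to the remote server](https://help.github.com/en/github/using-git/pushing-commits-to-a-remote-repository)
+5. [Create new Pull Request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork)
+
+From here your pull request will be reviewed and once you've responded to all
+feedback it will be merged into the project. Congratulations, you're a
+contributor!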
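--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in slosilo.gemspec
+gemspec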
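--- a/data/Jenkinsfile
+++ b/data/Jenkinsfile
@@ -0,0 +1,132 @@
+#!/usr/bin/env groovy
+@Library("product-pipelines-shared-library") _
+
+// Automated release, promotion and dependencies
+properties([
+// Include the automated release parameters for the build
+release.addParams(),
+// Dependencies of the project that should trigger builds
+dependencies([])
+])
+
+// Performs release promotion. No other stages will be run
+if (params.MODE == "PROMOTE") {
+release.promote(params.VERSION_TO_PROMOTE) { infrapool, sourceVersion, targetVersion, assetDirectory ->
+// Any assets from sourceVersion Github release are available in assetDirectory
+// Any version number updates from sourceVersion to targetVersion occur here
+// Any publishing of targetVersion artifacts occur here
+// Anything added to assetDirectory will be attached to the Github Release
+
+//Note: assetDirectory is on the infrapool agent, not the local Jenkins agent.
+
+// Publish container images to internal registry
+//INFRAPOOL_EXECUTORV2_AGENT_0.agentSh "summon --yaml 'RUBYGEMS_API_KEY: !var rubygems/api-key' ${toolsDirectory}/bin/publish-rubygem slosilo"
+
+INFRAPOOL_EXECUTORV2_AGENT_0.agentSh "./publish.sh"
+
+INFRAPOOL_EXECUTORV2_AGENT_0.agentSh "cp slosilo*.gem ${assetDirectory}"
+}
+release.copyEnterpriseRelease(params.VERSION_TO_PROMOTE)
+return
+}
+
+pipeline {
+agent { label 'conjur-enterprise-common-agent' }
+
+triggers {
+cron(getDailyCronString())
+}
+
+environment {
+// Sets the MODE to the specified or autocalculated value as appropriate
+MODE = release.canonicalizeMode()
+}
+
+options {
+timestamps()
+buildDiscarder(logRotator(daysToKeepStr: '30'))
+}
+
+stages {
+stage('Get InfraPool Agent') {
+steps {
+script {
+INFRAPOOL_EXECUTORV2_AGENT_0 = getInfraPoolAgent.connected(type: "ExecutorV2", quantity: 1, duration: 1)[0]
+INFRAPOOL_EXECUTORV2_RHEL_EE_AGENT_0 = getInfraPoolAgent.connected(type: "ExecutorV2RHELEE", quantity: 1, duration: 1)[0]
+}
+}
+}
+
+// Generates a VERSION file based on the current build number and latest version in CHANGELOG.md
+stage('Validate Changelog and set version') {
+steps {
+script {
+updateVersion(INFRAPOOL_EXECUTORV2_AGENT_0, "CHANGELOG.md", "${BUILD_NUMBER}")
+}
+}
+}
+
+stage('Test') {
+parallel {
+
+stage('Run tests on EE') {
+steps {
+script {
+INFRAPOOL_EXECUTORV2_RHEL_EE_AGENT_0.agentSh './test.sh'
+}
+}
+post { always {
+script {
+INFRAPOOL_EXECUTORV2_RHEL_EE_AGENT_0.agentStash name: 'eeTestResults', includes: 'spec/reports/*.xml', allowEmpty:true
+}
+}}
+}
+
+stage('Run tests') {
+steps {
+script {
+INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './test.sh'
+INFRAPOOL_EXECUTORV2_AGENT_0.agentStash name: 'TestResults', includes: 'spec/coverage/*.xml', allowEmpty:true
+}
+}
+}
+
+}
+}
+
+stage('Release') {
+when {
+expression {
+MODE == "RELEASE"
+}
+}
+
+steps {
+script {
+release(INFRAPOOL_EXECUTORV2_AGENT_0) { billOfMaterialsDirectory, assetDirectory, toolsDirectory ->
+// Publish release artifacts to all the appropriate locations
+// Copy any artifacts to assetDirectory to attach them to the Github release
+
+// Publish container images to internal registry
+INFRAPOOL_EXECUTORV2_AGENT_0.agentSh "summon ${toolsDirectory}/bin/publish-rubygem slosilo"
+
+INFRAPOOL_EXECUTORV2_AGENT_0.agentSh "cp slosilo*.gem ${assetDirectory}"
+}
+}
+}
+}
+}
+
+post {
+always {
+dir('ee-results'){
+unstash 'eeTestResults'
+}
+unstash 'TestResults'
+junit 'spec/reports/*.xml, ee-results/spec/reports/*.xml'
+cobertura coberturaReportFile: 'spec/coverage/coverage.xml'
+codacy action: 'reportCoverage', filePath: "spec/coverage/coverage.xml"
+releaseInfraPoolAgent(".infrapool/release_agents")
+}
+}
+}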
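Review bot: The comment `// Publish container images to internal registry` above both publish calls (in the PROMOTE branch and in the Release stage) describes the wrong artifact, since each command publishes the slosilo gem; `// Publish the slosilo gem via publish-rubygem` would match what the line does. The two publish paths also differ: the Release stage runs `summon ${toolsDirectory}/bin/publish-rubygem slosilo`, while the PROMOTE branch runs `./publish.sh` with the summon-based call left commented out, and publish.sh is not in this chunk, so how that script obtains the RubyGems credential cannot be confirmed from here and deserves a comment next to the call. Separately, the 'Run tests' stage stashes only `spec/coverage/*.xml`, yet the post block's `junit 'spec/reports/*.xml, ...'` appears to expect JUnit reports from that run as well; if the tests execute on the InfraPool agent, those reports presumably never reach the Jenkins workspace, so the stash likely needs `spec/reports/*.xml` too.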
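--- a/data/LICENSE
+++ b/data/LICENSE
@@ -0,0 +1,22 @@
+Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.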
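--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,152 @@
+# Slosilo
+
+Slosilo is providing a ruby interface to some cryptographic primitives:
+- symmetric encryption,
+- a mixin for easy encryption of object attributes,
+- asymmetric encryption and signing,
+- a keystore in a postgres sequel db -- it allows easy storage and retrieval of keys,
+- a keystore in files.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+gem 'slosilo'
+
+And then execute:
+
+$ bundle
+
+## Compatibility
+
+Version 3.0 introduced full transition to Ruby 3.
+Consumers who use slosilo in Ruby 2 projects, shall use slosilo V2.X.X.
+
+Version 2.0 introduced new symmetric encryption scheme using AES-256-GCM
+for authenticated encryption. It allows you to provide AAD on all symmetric
+encryption primitives. It's also **NOT COMPATIBLE** with CBC used in version <2.
+
+This means you'll have to migrate all your existing data. There's no easy way to
+do this currently provided; it's recommended to create a database migration and
+put relevant code fragments in it directly. (This will also have the benefit of making
+the migration self-contained.)
+
+Since symmetric encryption is used in processing asymetrically encrypted messages,
+this incompatibility extends to those too.
+
+## Usage
+
+### Symmetric encryption
+
+```ruby
+sym = Slosilo::Symmetric.new
+key = sym.random_key
+# additional authenticated data
+message_id = "message 001"
+ciphertext = sym.encrypt "secret message", key: key, aad: message_id
+```
+
+```ruby
+sym = Slosilo::Symmetric.new
+message = sym.decrypt ciphertext, key: key, aad: message_id
+```
+
+### Encryption mixin
+
+```ruby
+require 'slosilo'
+
+class Foo
+attr_accessor :foo
+attr_encrypted :foo, aad: :id
+
+def raw_foo
+@foo
+end
+
+def id
+"unique record id"
+end
+end
+
+Slosilo::encryption_key = Slosilo::Symmetric.new.random_key
+
+obj = Foo.new
+obj.foo = "bar"
+obj.raw_foo # => "\xC4\xEF\x87\xD3b\xEA\x12\xDF\xD0\xD4hk\xEDJ\v\x1Cr\xF2#\xA3\x11\xA4*k\xB7\x8F\x8F\xC2\xBD\xBB\xFF\xE3"
+obj.foo # => "bar"
+```
+
+You can safely use it in ie. ActiveRecord::Base or Sequel::Model subclasses.
+
+### Asymmetric encryption and signing
+
+```ruby
+private_key = Slosilo::Key.new
+public_key = private_key.public
+```
+
+#### Key dumping
+```ruby
+k = public_key.to_s # => "-----BEGIN PUBLIC KEY----- ...
+(Slosilo::Key.new k) == public_key # => true
+```
+
+#### Encryption
+
+```ruby
+encrypted = public_key.encrypt_message "eagle one sees many clouds"
+# => "\xA3\x1A\xD2\xFC\xB0 ...
+
+public_key.decrypt_message encrypted
+# => OpenSSL::PKey::RSAError: private key needed.
+
+private_key.decrypt_message encrypted
+# => "eagle one sees many clouds"
+```
+
+#### Signing
+
+```ruby
+token = private_key.signed_token "missile launch not authorized"
+# => {"data"=>"missile launch not authorized", "timestamp"=>"2014-10-13 12:41:25 UTC", "signature"=>"bSImk...DzV3o", "key"=>"455f7ac42d2d483f750b4c380761821d"}
+
+public_key.token_valid? token # => true
+
+token["data"] = "missile launch authorized"
+public_key.token_valid? token # => false
+```
+
+### Keystore
+
+```ruby
+Slosilo::encryption_key = ENV['SLOSILO_KEY']
+Slosilo.adapter = Slosilo::Adapters::FileAdapter.new "~/.keys"
+
+Slosilo[:own] = Slosilo::Key.new
+Slosilo[:their] = Slosilo::Key.new File.read("foo.pem")
+
+msg = Slosilo[:their].encrypt_message 'bar'
+p Slosilo[:own].signed_token msg
+```
+
+### Keystore in database
+
+Add a migration to create the necessary table:
+
+require 'slosilo/adapters/sequel_adapter/migration'
+
+Remember to migrate your database
+
+$ rake db:migrate
+
+Then
+```ruby
+Slosilo.adapter = Slosilo::Adapters::SequelAdapter.new
+```
+
+## Contributing
+
+We welcome contributions of all kinds to this repository. For instructions on
+how to get started and descriptions of our development workflows, please see our
+[contributing guide](CONTRIBUTING.md).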
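--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,17 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+
+begin
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec)
+rescue LoadError
+$stderr.puts "RSpec Rake tasks not available in environment #{ENV['RACK_ENV']}"
+end
+
+task :jenkins do
+require 'ci/reporter/rake/rspec'
+Rake::Task["ci:setup:rspec"].invoke
+Rake::Task["spec"].invoke
+end
+
+task :default => :spec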
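Review bot: The `:jenkins` task requires `ci/reporter/rake/rspec` and invokes `Rake::Task["spec"]` without the `LoadError` guard that protects the `spec` task definition above it, so in an environment where RSpec is missing the task fails on the task lookup after the rescue branch has already printed its message; guarding the require the same way, or at least `Rake::Task["spec"].invoke if Rake::Task.task_defined?("spec")`, would keep the two consistent. As a point of style, `$stderr.puts` can be `warn` and the hash-rocket `task :default => :spec` can be written `task default: :spec`.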