slosilo 0.0.0

data/SECURITY.md

@@ -0,0 +1,42 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the CyberArk Conjur
+suite of tools and products.
+
+  * [Reporting a Bug](#reporting-a-bug)
+  * [Disclosure Policy](#disclosure-policy)
+  * [Comments on this Policy](#comments-on-this-policy)
+
+## Reporting a Bug
+
+The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously.
+Thank you for improving the security of the Conjur suite. We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your
+contributions.
+
+Report security bugs by emailing the lead maintainers at security@conjur.org.
+
+The maintainers will acknowledge your email within 2 business days. Subsequently, we will 
+send a more detailed response within 2 business days of our acknowledgement indicating
+the next steps in handling your report. After the initial reply to your report, the security
+team will endeavor to keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining
+the module.
+
+## Disclosure Policy
+
+When the security team receives a security bug report, they will assign it to a
+primary handler. This person will coordinate the fix and release process,
+involving the following steps:
+
+  * Confirm the problem and determine the affected versions.
+  * Audit code to find any potential similar problems.
+  * Prepare fixes for all releases still under maintenance. These fixes will be
+    released as fast as possible.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.

data/dev/Dockerfile.dev

@@ -0,0 +1,7 @@
+FROM ruby
+
+COPY ./ /src/
+
+WORKDIR /src
+
+RUN bundle

data/dev/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '3'
+services:
+  dev:
+    build:
+      context: ..
+      dockerfile: dev/Dockerfile.dev
+    volumes:
+      - ../:/src

data/lib/slosilo/adapters/abstract_adapter.rb

@@ -0,0 +1,23 @@
+require 'slosilo/attr_encrypted'
+
+module Slosilo
+  module Adapters
+    class AbstractAdapter
+      def get_key id
+        raise NotImplementedError
+      end
+      
+      def get_by_fingerprint fp
+        raise NotImplementedError
+      end
+
+      def put_key id, key
+        raise NotImplementedError
+      end
+      
+      def each
+        raise NotImplementedError
+      end
+    end
+  end
+end

data/lib/slosilo/adapters/file_adapter.rb

@@ -0,0 +1,42 @@
+require 'slosilo/adapters/abstract_adapter'
+
+module Slosilo
+  module Adapters
+    class FileAdapter < AbstractAdapter
+      attr_reader :dir
+      
+      def initialize(dir)
+        @dir = dir
+        @keys = {}
+        @fingerprints = {}
+        Dir[File.join(@dir, "*.key")].each do |f|
+          key = Slosilo::EncryptedAttributes.decrypt File.read(f)
+          id = File.basename(f, '.key')
+          key = @keys[id] = Slosilo::Key.new(key)
+          @fingerprints[key.fingerprint] = id
+        end
+      end
+      
+      def put_key id, value
+        raise "id should not contain a period" if id.index('.')
+        fname = File.join(dir, "#{id}.key")
+        File.write(fname, Slosilo::EncryptedAttributes.encrypt(value.to_der))
+        File.chmod(0400, fname)
+        @keys[id] = value
+      end
+      
+      def get_key id
+        @keys[id]
+      end
+
+      def get_by_fingerprint fp
+        id = @fingerprints[fp]
+        [@keys[id], id]
+      end
+      
+      def each(&block)
+        @keys.each(&block)
+      end
+    end
+  end
+end

data/lib/slosilo/adapters/memory_adapter.rb

@@ -0,0 +1,31 @@
+require 'slosilo/adapters/abstract_adapter'
+
+module Slosilo
+  module Adapters
+    class MemoryAdapter < AbstractAdapter
+      def initialize
+        @keys = {}
+        @fingerprints = {}
+      end
+      
+      def put_key id, key
+        key = Slosilo::Key.new(key) if key.is_a?(String)
+        @keys[id] = key
+        @fingerprints[key.fingerprint] = id
+      end
+      
+      def get_key id
+        @keys[id]
+      end
+
+      def get_by_fingerprint fp
+        id = @fingerprints[fp]
+        [@keys[id], id]
+      end
+      
+      def each(&block)
+        @keys.each(&block)
+      end
+    end
+  end
+end

data/lib/slosilo/adapters/mock_adapter.rb

@@ -0,0 +1,21 @@
+module Slosilo
+  module Adapters
+    class MockAdapter < Hash
+      def initialize
+        @fp = {}
+      end
+
+      def put_key id, key
+        @fp[key.fingerprint] = id
+        self[id] = key
+      end
+
+      alias :get_key :[]
+
+      def get_by_fingerprint fp
+        id = @fp[fp]
+        [self[id], id]
+      end
+    end
+  end
+end

data/lib/slosilo/adapters/sequel_adapter/migration.rb

@@ -0,0 +1,52 @@
+require 'sequel'
+
+module Slosilo
+  module Adapters::SequelAdapter::Migration
+    # The default name of the table to hold the keys
+    DEFAULT_KEYSTORE_TABLE = :slosilo_keystore
+
+    # Sets up default keystore table name
+    def self.extended(db)
+      db.keystore_table ||= DEFAULT_KEYSTORE_TABLE
+    end
+    
+    # Keystore table name. If changing this do it immediately after loading the extension.
+    attr_accessor :keystore_table
+
+    # Create the table for holding keys
+    def create_keystore_table
+      # docs say to not use create_table? in migration;
+      # but we really want this to be robust in case there are any previous installs
+      # and we can't use table_exists? because it rolls back
+      create_table? keystore_table do
+        String :id, primary_key: true
+        bytea :key, null: false
+        String :fingerprint, unique: true, null: false
+      end
+    end
+    
+    # Drop the table
+    def drop_keystore_table
+      drop_table keystore_table
+    end
+  end
+  
+  module Extension
+    def slosilo_keystore
+      extend Slosilo::Adapters::SequelAdapter::Migration
+    end
+  end
+  
+  Sequel::Database.send :include, Extension
+end
+
+Sequel.migration do
+  up do
+    slosilo_keystore
+    create_keystore_table
+  end
+  down do
+    slosilo_keystore
+    drop_keystore_table
+  end
+end

data/lib/slosilo/adapters/sequel_adapter.rb

@@ -0,0 +1,96 @@
+require 'slosilo/adapters/abstract_adapter'
+
+module Slosilo
+  module Adapters
+    class SequelAdapter < AbstractAdapter
+      def model
+        @model ||= create_model
+      end
+
+      def secure?
+        !Slosilo.encryption_key.nil?
+      end
+      
+      def create_model
+        model = Sequel::Model(:slosilo_keystore)
+        model.unrestrict_primary_key
+        model.attr_encrypted(:key, aad: :id) if secure?
+        model
+      end
+      
+      def put_key id, value
+        fail Error::InsecureKeyStorage unless secure? || !value.private?
+
+        attrs = { id: id, key: value.to_der }
+        attrs[:fingerprint] = value.fingerprint if fingerprint_in_db?
+        model.create attrs
+      end
+      
+      def get_key id
+        stored = model[id]
+        return nil unless stored
+        Slosilo::Key.new stored.key
+      end
+
+      def get_by_fingerprint fp
+        if fingerprint_in_db?
+          stored = model[fingerprint: fp]
+          return nil unless stored
+          [Slosilo::Key.new(stored.key), stored.id]
+        else
+          warn "Please migrate to a new database schema using rake slosilo:migrate for efficient fingerprint lookups"
+          find_by_fingerprint fp
+        end
+      end
+
+      def each
+        model.each do |m|
+          yield m.id, Slosilo::Key.new(m.key)
+        end
+      end
+
+      def recalculate_fingerprints
+        # Use a transaction to ensure that all fingerprints are updated together. If any update fails,
+        # we want to rollback all updates.
+        model.db.transaction do
+          model.each do |m|
+            m.update fingerprint: Slosilo::Key.new(m.key).fingerprint
+          end
+        end
+      end
+
+
+      def migrate!
+        unless fingerprint_in_db?
+          model.db.transaction do
+            model.db.alter_table :slosilo_keystore do
+              add_column :fingerprint, String
+            end
+
+            # reload the schema
+            model.set_dataset model.dataset
+
+            recalculate_fingerprints
+
+            model.db.alter_table :slosilo_keystore do
+              set_column_not_null :fingerprint
+              add_unique_constraint :fingerprint
+            end
+          end
+        end
+      end
+
+      private
+
+      def fingerprint_in_db?
+        model.columns.include? :fingerprint
+      end
+
+      def find_by_fingerprint fp
+        each do |id, k|
+          return [k, id] if k.fingerprint == fp
+        end
+      end
+    end
+  end
+end

data/lib/slosilo/attr_encrypted.rb

@@ -0,0 +1,85 @@
+require 'slosilo/symmetric'
+
+module Slosilo
+  # we don't trust the database to keep all backups safe from the prying eyes
+  # so we encrypt sensitive attributes before storing them
+  module EncryptedAttributes
+    module ClassMethods
+
+      # @param options [Hash]
+      # @option :aad [#to_proc, #to_s]  Provide additional authenticated data for
+      #   encryption.  This should be something unique to the instance having
+      #   this attribute, such as a primary key; this will ensure that an attacker can't swap
+      #   values around -- trying to decrypt value with a different auth data will fail.
+      #   This means you have to be able to recover it in order to decrypt attributes.
+      #   The following values are accepted:
+      #
+      #   * Something proc-ish: will be called with self each time auth data is needed.
+      #   * Something stringish: will be to_s-d and used for all instances as auth data.
+      #     Note that this will only prevent swapping in data using another string.
+      #
+      #   The recommended way to use this option is to pass a proc-ish that identifies the record.
+      #   Note the proc-ish can be a simple method name; for example in case of a Sequel::Model:
+      #       attr_encrypted :secret, aad: :pk
+      def attr_encrypted *a
+        options = a.last.is_a?(Hash) ? a.pop : {}
+        aad = options[:aad]
+        # note nil.to_s is "", which is exactly the right thing
+        auth_data = aad.respond_to?(:to_proc) ? aad.to_proc : proc{ |_| aad.to_s }
+
+        # In ruby 3 .arity for #proc returns both 1 and 2, depends on internal #proc
+        # This method is also being called with aad which is string, in such case the arity is 1
+        raise ":aad proc must take two arguments" unless (auth_data.arity.abs == 2 || auth_data.arity.abs == 1)
+
+        # push a module onto the inheritance hierarchy
+        # this allows calling super in classes
+        include(accessors = Module.new)
+        accessors.module_eval do 
+          a.each do |attr|
+            define_method "#{attr}=" do |value|
+              super(EncryptedAttributes.encrypt(value, aad: auth_data[self]))
+            end
+            define_method attr do
+              EncryptedAttributes.decrypt(super(), aad: auth_data[self])
+            end
+          end
+        end
+      end
+
+    end
+    
+    def self.included base
+      base.extend ClassMethods
+    end
+
+    class << self
+      def encrypt value, opts={}
+        return nil unless value
+        cipher.encrypt value, key: key, aad: opts[:aad]
+      end
+      
+      def decrypt ctxt, opts={}
+        return nil unless ctxt
+        cipher.decrypt ctxt, key: key, aad: opts[:aad]
+      end
+
+      def key
+        Slosilo::encryption_key || (raise "Please set Slosilo::encryption_key")
+      end
+      
+      def cipher
+        @cipher ||= Slosilo::Symmetric.new
+      end
+    end
+  end
+  
+  class << self
+    attr_writer :encryption_key
+    
+    def encryption_key
+      @encryption_key
+    end
+  end
+end
+
+Object.send :include, Slosilo::EncryptedAttributes

data/lib/slosilo/errors.rb

@@ -0,0 +1,15 @@
+module Slosilo
+  class Error < RuntimeError
+    # An error thrown when attempting to store a private key in an unecrypted
+    # storage. Set Slosilo.encryption_key to secure the storage or make sure
+    # to store just the public keys (using Key#public).
+    class InsecureKeyStorage < Error
+      def initialize msg = "can't store a private key in a plaintext storage"
+        super
+      end
+    end
+
+    class TokenValidationError < Error
+    end
+  end
+end

data/lib/slosilo/jwt.rb

@@ -0,0 +1,122 @@
+require 'json'
+
+module Slosilo
+  # A JWT-formatted Slosilo token.
+  # @note This is not intended to be a general-purpose JWT implementation.
+  class JWT
+    # Create a new unsigned token with the given claims.
+    # @param claims [#to_h] claims to embed in this token.
+    def initialize claims = {}
+      @claims = JSONHash[claims]
+    end
+
+    # Parse a token in compact representation
+    def self.parse_compact raw
+      load *raw.split('.', 3).map(&Base64.method(:urlsafe_decode64))
+    end
+
+    # Parse a token in JSON representation.
+    # @note only single signature is currently supported.
+    def self.parse_json raw
+      raw = JSON.load raw unless raw.respond_to? :to_h
+      parts = raw.to_h.values_at(*%w(protected payload signature))
+      fail ArgumentError, "input not a complete JWT" unless parts.all?
+      load *parts.map(&Base64.method(:urlsafe_decode64))
+    end
+
+    # Add a signature.
+    # @note currently only a single signature is handled;
+    # the token will be frozen after this operation.
+    def add_signature header, &sign
+      @claims = canonicalize_claims.freeze
+      @header = JSONHash[header].freeze
+      @signature = sign[string_to_sign].freeze
+      freeze
+    end
+
+    def string_to_sign
+      [header, claims].map(&method(:encode)).join '.'
+    end
+
+    # Returns the JSON serialization of this JWT.
+    def to_json *a
+      {
+        protected: encode(header),
+        payload: encode(claims),
+        signature: encode(signature)
+      }.to_json *a
+    end
+
+    # Returns the compact serialization of this JWT.
+    def to_s
+      [header, claims, signature].map(&method(:encode)).join('.')
+    end
+
+    attr_accessor :claims, :header, :signature
+
+    private
+
+    # Create a JWT token object from existing header, payload, and signature strings.
+    # @param header [#to_s] URLbase64-encoded representation of the protected header
+    # @param payload [#to_s] URLbase64-encoded representation of the token payload
+    # @param signature [#to_s] URLbase64-encoded representation of the signature
+    def self.load header, payload, signature
+      self.new(JSONHash.load payload).tap do |token|
+        token.header = JSONHash.load header
+        token.signature = signature.to_s.freeze
+        token.freeze
+      end
+    end
+
+    def canonicalize_claims
+      claims[:iat] = Time.now unless claims.include? :iat
+      claims[:iat] = claims[:iat].to_time.to_i
+      claims[:exp] = claims[:exp].to_time.to_i if claims.include? :exp
+      JSONHash[claims.to_a]
+    end
+
+    # Convenience method to make the above code clearer.
+    # Converts to string and urlbase64-encodes.
+    def encode s
+      Base64.urlsafe_encode64 s.to_s
+    end
+
+    # a hash with a possibly frozen JSON stringification
+    class JSONHash < Hash
+      def to_s
+        @repr || to_json
+      end
+
+      def freeze
+        @repr = to_json.freeze
+        super
+      end
+
+      def self.load raw
+        self[JSON.load raw.to_s].tap do |h|
+          h.send :repr=, raw
+        end
+      end
+
+      private
+
+      def repr= raw
+        @repr = raw.freeze
+        freeze
+      end
+    end
+  end
+
+  # Try to convert by detecting token representation and parsing
+  def self.JWT raw
+    if raw.is_a? JWT
+      raw
+    elsif raw.respond_to?(:to_h) || raw =~ /\A\s*\{/
+      JWT.parse_json raw
+    else
+      JWT.parse_compact raw
+    end
+  rescue
+    raise ArgumentError, "invalid value for JWT(): #{raw.inspect}"
+  end
+end