slosilo 0.0.0

data/lib/slosilo/key.rb

@@ -0,0 +1,218 @@
+require 'openssl'
+require 'json'
+require 'base64'
+require 'time'
+
+require 'slosilo/errors'
+
+module Slosilo
+  class Key
+    def initialize raw_key = nil
+      @key = if raw_key.is_a? OpenSSL::PKey::RSA
+        raw_key
+      elsif !raw_key.nil?
+        OpenSSL::PKey.read raw_key
+      else
+        OpenSSL::PKey::RSA.new 2048
+      end
+    rescue OpenSSL::PKey::PKeyError => e
+      # old openssl versions used to report ArgumentError
+      # which arguably makes more sense here, so reraise as that
+      raise ArgumentError, e, e.backtrace
+    end
+    
+    attr_reader :key
+    
+    def cipher
+      @cipher ||= Slosilo::Symmetric.new
+    end
+    
+    def encrypt plaintext
+      key = cipher.random_key
+      ctxt = cipher.encrypt plaintext, key: key
+      key = @key.public_encrypt key
+      [ctxt, key]
+    end
+
+    def encrypt_message plaintext
+      c, k = encrypt plaintext
+      k + c
+    end
+    
+    def decrypt ciphertext, skey
+      key = @key.private_decrypt skey
+      cipher.decrypt ciphertext, key: key
+    end
+
+    def decrypt_message ciphertext
+      k, c = ciphertext.unpack("A256A*")
+      decrypt c, k
+    end
+    
+    def to_s
+      @key.public_key.to_pem
+    end
+    
+    def to_der
+      @to_der ||= @key.to_der
+    end
+    
+    def sign value
+      sign_string(stringify value)
+    end
+    
+    SIGNATURE_LEN = 256
+    
+    def verify_signature data, signature
+      signature, salt = signature.unpack("a#{SIGNATURE_LEN}a*")
+      key.public_decrypt(signature) == hash_function.digest(salt + stringify(data))
+    rescue
+      false
+    end
+
+    # create a new timestamped and signed token carrying data
+    def signed_token data
+      token = { "data" => data, "timestamp" => Time.new.utc.to_s }
+      token["signature"] = Base64::urlsafe_encode64(sign token)
+      token["key"] = fingerprint
+      token
+    end
+
+    JWT_ALGORITHM = 'conjur.org/slosilo/v2'.freeze
+
+    # Issue a JWT with the given claims.
+    # `iat` (issued at) claim is automatically added.
+    # Other interesting claims you can give are:
+    # - `sub` - token subject, for example a user name;
+    # - `exp` - expiration time (absolute);
+    # - `cidr` (Conjur extension) - array of CIDR masks that are accepted to
+    #   make requests that bear this token
+    def issue_jwt claims
+      token = Slosilo::JWT.new claims
+      token.add_signature \
+          alg: JWT_ALGORITHM,
+          kid: fingerprint,
+          &method(:sign)
+      token.freeze
+    end
+
+    DEFAULT_EXPIRATION = 8 * 60
+    
+    def token_valid? token, expiry = DEFAULT_EXPIRATION
+      return jwt_valid? token if token.respond_to? :header
+      token = token.clone
+      expected_key = token.delete "key"
+      return false if (expected_key and (expected_key != fingerprint))
+      signature = Base64::urlsafe_decode64(token.delete "signature")
+      (Time.parse(token["timestamp"]) + expiry > Time.now) && verify_signature(token, signature)
+    end
+
+    # Validate a JWT.
+    #
+    # Convenience method calling #validate_jwt and returning false if an
+    # exception is raised.
+    #
+    # @param token [JWT] pre-parsed token to verify
+    # @return [Boolean]
+    def jwt_valid? token
+      validate_jwt token
+      true
+    rescue
+      false
+    end
+
+    # Validate a JWT.
+    #
+    # First checks whether algorithm is 'conjur.org/slosilo/v2' and the key id
+    # matches this key's fingerprint. Then verifies if the token is not expired,
+    # as indicated by the `exp` claim; in its absence tokens are assumed to
+    # expire in `iat` + 8 minutes.
+    #
+    # If those checks pass, finally the signature is verified.
+    #
+    # @raises TokenValidationError if any of the checks fail.
+    #
+    # @note It's the responsibility of the caller to examine other claims
+    # included in the token; consideration needs to be given to handling
+    # unrecognized claims.
+    #
+    # @param token [JWT] pre-parsed token to verify
+    def validate_jwt token
+      def err msg
+        raise Error::TokenValidationError, msg, caller
+      end
+
+      header = token.header
+      err 'unrecognized algorithm' unless header['alg'] == JWT_ALGORITHM
+      err 'mismatched key' if (kid = header['kid']) && kid != fingerprint
+      iat = Time.at token.claims['iat'] || err('unknown issuing time')
+      exp = Time.at token.claims['exp'] || (iat + DEFAULT_EXPIRATION)
+      err 'token expired' if exp <= Time.now
+      err 'invalid signature' unless verify_signature token.string_to_sign, token.signature
+      true
+    end
+    
+    def sign_string value
+      salt = shake_salt
+      key.private_encrypt(hash_function.digest(salt + value)) + salt
+    end
+    
+    def fingerprint
+      @fingerprint ||= OpenSSL::Digest::SHA256.hexdigest key.public_key.to_der
+    end
+
+    def == other
+      to_der == other.to_der
+    end
+
+    alias_method :eql?, :==
+
+    def hash
+      to_der.hash
+    end
+
+    # return a new key with just the public part of this
+    def public
+      Key.new(@key.public_key)
+    end
+
+    # checks if the keypair contains a private key
+    def private?
+      @key.private?
+    end
+    
+    private
+    
+    # Note that this is currently somewhat shallow stringification -- 
+    # to implement originating tokens we may need to make it deeper.
+    def stringify value
+      string = case value
+      when Hash
+        value.to_a.sort.to_json
+      when String
+        value
+      else
+        value.to_json
+      end
+
+      # Make sure that the string is ascii_8bit (i.e. raw bytes), and represents
+      # the utf-8 encoding of the string.  This accomplishes two things: it normalizes
+      # the representation of the string at the byte level (so we don't have an error if
+      # one username is submitted as ISO-whatever, and the next as UTF-16), and it prevents
+      # an incompatible encoding error when we concatenate it with the salt.
+      if string.encoding != Encoding::ASCII_8BIT
+        string.encode(Encoding::UTF_8).force_encoding(Encoding::ASCII_8BIT)
+      else
+        string
+      end
+    end
+    
+    def shake_salt
+      Slosilo::Random::salt
+    end
+    
+    def hash_function
+      @hash_function ||= OpenSSL::Digest::SHA256
+    end
+  end
+end

data/lib/slosilo/keystore.rb

@@ -0,0 +1,89 @@
+require 'slosilo/key'
+
+module Slosilo
+  class Keystore
+    def adapter 
+      Slosilo::adapter or raise "No Slosilo adapter is configured or available"
+    end
+    
+    def put id, key
+      id = id.to_s
+      fail ArgumentError, "id can't be empty" if id.empty?
+      adapter.put_key id, key
+    end
+    
+    def get opts
+      id, fingerprint = opts.is_a?(Hash) ? [nil, opts[:fingerprint]] : [opts, nil]
+      if id
+        key = adapter.get_key(id.to_s)
+      elsif fingerprint
+        key, _ = get_by_fingerprint(fingerprint)
+      end
+      key
+    end
+
+    def get_by_fingerprint fingerprint
+      adapter.get_by_fingerprint fingerprint
+    end
+    
+    def each &_
+      adapter.each { |k, v| yield k, v }
+    end
+    
+    def any? &block
+      each do |_, k|
+        return true if yield k
+      end
+      return false
+    end
+  end
+  
+  class << self
+    def []= id, value
+      keystore.put id, value
+    end
+    
+    def [] id
+      keystore.get id
+    end
+    
+    def each(&block)
+      keystore.each(&block)
+    end
+    
+    def sign object
+      self[:own].sign object
+    end
+    
+    def token_valid? token
+      keystore.any? { |k| k.token_valid? token }
+    end
+    
+    # Looks up the signer by public key fingerprint and checks the validity
+    # of the signature. If the token is JWT, exp and/or iat claims are also
+    # verified; the caller is responsible for validating any other claims.
+    def token_signer token
+      begin
+        # see if maybe it's a JWT
+        token = JWT token
+        fingerprint = token.header['kid']
+      rescue ArgumentError
+        fingerprint = token['key']
+      end
+
+      key, id = keystore.get_by_fingerprint fingerprint
+      if key && key.token_valid?(token)
+        return id
+      else
+        return nil
+      end
+    end
+
+    attr_accessor :adapter
+    
+    private
+    def keystore
+      @keystore ||= Keystore.new
+    end
+  end
+end

data/lib/slosilo/random.rb

@@ -0,0 +1,11 @@
+require 'openssl'
+
+module Slosilo
+  module Random
+    class << self
+      def salt
+        OpenSSL::Random::random_bytes 32
+      end
+    end
+  end
+end

data/lib/slosilo/symmetric.rb

@@ -0,0 +1,63 @@
+module Slosilo
+  class Symmetric
+    VERSION_MAGIC = 'G'
+    TAG_LENGTH = 16
+
+    def initialize
+      @cipher = OpenSSL::Cipher.new 'aes-256-gcm' # NB: has to be lower case for whatever reason.
+      @cipher_mutex = Mutex.new
+    end
+
+    # This lets us do a final sanity check in migrations from older encryption versions
+    def cipher_name
+      @cipher.name
+    end
+
+    def encrypt plaintext, opts = {}
+      # All of these operations in OpenSSL must occur atomically, so we
+      # synchronize their access to make this step thread-safe.
+      @cipher_mutex.synchronize do
+        @cipher.reset
+        @cipher.encrypt
+        @cipher.key = (opts[:key] or raise("missing :key option"))
+        @cipher.iv = iv = random_iv
+        @cipher.auth_data = opts[:aad] || "" # Nothing good happens if you set this to nil, or don't set it at all
+        ctext = @cipher.update(plaintext) + @cipher.final
+        tag = @cipher.auth_tag(TAG_LENGTH)
+        "#{VERSION_MAGIC}#{tag}#{iv}#{ctext}"
+      end
+    end
+
+    def decrypt ciphertext, opts = {}
+      version, tag, iv, ctext = unpack ciphertext
+
+      raise "Invalid version magic: expected #{VERSION_MAGIC} but was #{version}" unless version == VERSION_MAGIC
+
+      # All of these operations in OpenSSL must occur atomically, so we
+      # synchronize their access to make this step thread-safe.
+      @cipher_mutex.synchronize do
+        @cipher.reset
+        @cipher.decrypt
+        @cipher.key = opts[:key]
+        @cipher.iv = iv
+        @cipher.auth_tag = tag
+        @cipher.auth_data = opts[:aad] || ""
+        @cipher.update(ctext) + @cipher.final
+      end
+    end
+
+    def random_iv
+      @cipher.random_iv
+    end
+
+    def random_key
+      @cipher.random_key
+    end
+
+    private
+    # return tag, iv, ctext
+    def unpack msg
+      msg.unpack "aa#{TAG_LENGTH}a#{@cipher.iv_len}a*"
+    end
+  end
+end

data/lib/slosilo/version.rb

@@ -0,0 +1,22 @@
+# Copyright 2013-2021 Conjur Inc.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+module Slosilo
+  VERSION = File.read(File.expand_path('../../VERSION', __dir__))
+end

data/lib/slosilo.rb

@@ -0,0 +1,13 @@
+require "slosilo/jwt"
+require "slosilo/version"
+require "slosilo/keystore"
+require "slosilo/symmetric"
+require "slosilo/attr_encrypted"
+require "slosilo/random"
+require "slosilo/errors"
+
+if defined? Sequel
+  require 'slosilo/adapters/sequel_adapter'
+  Slosilo::adapter = Slosilo::Adapters::SequelAdapter.new
+end
+Dir[File.join(File.dirname(__FILE__), 'tasks/*.rake')].each { |ext| load ext } if defined?(Rake)

data/lib/tasks/slosilo.rake

@@ -0,0 +1,32 @@
+namespace :slosilo do
+  desc "Dump a public key"
+  task :dump, [:name] => :environment do |t, args|
+    args.with_defaults(:name => :own)
+    puts Slosilo[args[:name]]
+  end
+  
+  desc "Enroll a key"
+  task :enroll, [:name] => :environment do |t, args|
+    key = Slosilo::Key.new STDIN.read
+    Slosilo[args[:name]] = key
+    puts key
+  end
+
+  desc "Generate a key pair"
+  task :generate, [:name] => :environment do |t, args|
+    args.with_defaults(:name => :own)
+    key = Slosilo::Key.new
+    Slosilo[args[:name]] = key
+    puts key
+  end
+
+  desc "Migrate to a new database schema"
+  task :migrate => :environment do |t|
+    Slosilo.adapter.migrate!
+  end
+
+  desc "Recalculate fingerprints in keystore"
+  task :recalculate_fingerprints => :environment do |t|
+    Slosilo.adapter.recalculate_fingerprints
+  end
+end

data/publish.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -e
+
+summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
+  publish-rubygem slosilo

data/secrets.yml

@@ -0,0 +1 @@
+RUBYGEMS_API_KEY: !var rubygems/api-key

data/slosilo.gemspec

@@ -0,0 +1,38 @@
+# -*- encoding: utf-8 -*-
+begin
+  require File.expand_path('lib/slosilo/version.rb', __FILE__)
+rescue LoadError
+  # so that bundle can be run without the app code
+  module Slosilo
+    VERSION = '0.0.0'
+  end
+end
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Rafa\305\202 Rzepecki"]
+  gem.email         = ["divided.mind@gmail.com"]
+  gem.description   = %q{This gem provides an easy way of storing and retrieving encryption keys in the database.}
+  gem.summary       = %q{Store SSL keys in a database}
+  gem.homepage      = "https://github.cyberng.com/Conjur-Enterprise/slosilo/"
+  gem.license       = "MIT"
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "slosilo"
+  gem.require_paths = ["lib"]
+  gem.version       = Slosilo::VERSION
+  gem.required_ruby_version = '>= 3.0.0'
+
+  gem.add_development_dependency 'rake'
+  gem.add_development_dependency 'rspec', '~> 3.0'
+  gem.add_development_dependency 'ci_reporter_rspec'
+  gem.add_development_dependency 'simplecov'
+  gem.add_development_dependency 'simplecov-cobertura'
+  gem.add_development_dependency 'io-grab', '~> 0.0.1'
+  gem.add_development_dependency 'sequel' # for sequel tests
+  gem.add_development_dependency 'sqlite3' # for sequel tests
+  gem.add_development_dependency 'bigdecimal' # for activesupport
+  gem.add_development_dependency 'activesupport' # for convenience in specs
+end
+

data/spec/encrypted_attributes_spec.rb

@@ -0,0 +1,114 @@
+require 'spec_helper'
+require 'slosilo/attr_encrypted'
+
+describe Slosilo::EncryptedAttributes do
+  before(:all) do
+    Slosilo::encryption_key = OpenSSL::Cipher.new("aes-256-gcm").random_key
+  end
+
+  let(:aad) { proc{ |_| "hithere" } }
+
+  let(:base){
+    Class.new do
+      attr_accessor :normal_ivar,:with_aad
+      def stupid_ivar
+        side_effect!
+        @_explicit
+      end
+      def stupid_ivar= e
+        side_effect!
+        @_explicit = e
+      end
+      def side_effect!
+
+      end
+    end
+  }
+
+  let(:sub){
+    Class.new(base) do
+      attr_encrypted :normal_ivar, :stupid_ivar
+    end
+  }
+
+  subject{ sub.new  }
+
+  context "when setting a normal ivar" do
+    let(:value){ "some value" }
+    it "stores an encrypted value in the ivar" do
+      subject.normal_ivar = value
+      expect(subject.instance_variable_get(:"@normal_ivar")).to_not eq(value)
+    end
+
+    it "recovers the value set" do
+      subject.normal_ivar = value
+      expect(subject.normal_ivar).to eq(value)
+    end
+  end
+
+  context "when setting an attribute with an implementation" do
+    it "calls the base class method" do
+      expect(subject).to receive_messages(:side_effect! => nil)
+      subject.stupid_ivar = "hi"
+      expect(subject.stupid_ivar).to eq("hi")
+    end
+  end
+
+  context "when given an :aad option" do
+
+    let(:cipher){ Slosilo::EncryptedAttributes.cipher }
+    let(:key){ Slosilo::EncryptedAttributes.key}
+    context "that is a string" do
+      let(:aad){ "hello there" }
+      before{ sub.attr_encrypted :with_aad, aad: aad }
+      it "encrypts the value with the given string  for auth data" do
+        expect(cipher).to receive(:encrypt).with("hello", key: key, aad: aad)
+        subject.with_aad = "hello"
+      end
+
+      it "decrypts the encrypted value" do
+        subject.with_aad = "foo"
+        expect(subject.with_aad).to eq("foo")
+      end
+    end
+
+    context "that is nil" do
+      let(:aad){ nil }
+      before{ sub.attr_encrypted :with_aad, aad: aad }
+      it "encrypts the value with an empty string for auth data" do
+        expect(cipher).to receive(:encrypt).with("hello",key: key, aad: "").and_call_original
+        subject.with_aad = "hello"
+      end
+
+      it "decrypts the encrypted value" do
+        subject.with_aad = "hello"
+        expect(subject.with_aad).to eq("hello")
+      end
+    end
+
+    context "that is a proc" do
+      let(:aad){
+        proc{ |o| "x" }
+      }
+
+      before{ sub.attr_encrypted :with_aad, aad: aad }
+
+      it "calls the proc with the object being encrypted" do
+        expect(aad).to receive(:[]).with(subject).and_call_original
+        subject.with_aad = "hi"
+      end
+
+      it "encrypts the value with the string returned for auth data" do
+        expect(cipher).to receive(:encrypt).with("hello", key: key, aad: aad[subject]).and_call_original
+        subject.with_aad = "hello"
+      end
+      it "decrypts the encrypted value" do
+        subject.with_aad = "hello"
+        expect(subject.with_aad).to eq("hello")
+      end
+    end
+
+  end
+
+
+end

data/spec/file_adapter_spec.rb

@@ -0,0 +1,81 @@
+require 'spec_helper'
+require 'tmpdir'
+
+require 'slosilo/adapters/file_adapter'
+
+describe Slosilo::Adapters::FileAdapter do
+  include_context "with example key"
+
+  let(:dir) { Dir.mktmpdir }
+  let(:adapter) { Slosilo::Adapters::FileAdapter.new dir }
+  subject { adapter }
+  
+  describe "#get_key" do
+    context "when given key does not exist" do
+      it "returns nil" do
+        expect(subject.get_key(:whatever)).not_to be
+      end
+    end
+  end
+  
+  describe "#put_key" do
+    context "unacceptable id" do
+      let(:id) { "foo.bar" }
+      it "isn't accepted" do
+        expect { subject.put_key id, key }.to raise_error /id should not contain a period/
+      end    
+    end
+    context "acceptable id" do
+      let(:id) { "id" }
+      let(:key_encrypted) { "encrypted key" }
+      let(:fname) { "#{dir}/#{id}.key" }
+      it "creates the key" do
+        expect(Slosilo::EncryptedAttributes).to receive(:encrypt).with(key.to_der).and_return key_encrypted
+        expect(File).to receive(:write).with(fname, key_encrypted)
+        expect(File).to receive(:chmod).with(0400, fname)
+        subject.put_key id, key
+        expect(subject.instance_variable_get("@keys")[id]).to eq(key)
+      end    
+    end
+  end
+  
+  describe "#each" do
+    before { adapter.instance_variable_set("@keys", one: :onek, two: :twok) }
+    
+    it "iterates over each key" do
+      results = []
+      adapter.each { |id,k| results << { id => k } }
+      expect(results).to eq([ { one: :onek}, {two: :twok } ])
+    end
+  end
+
+  context 'with real key store' do
+    let(:id) { 'some id' }
+
+    before do
+      Slosilo::encryption_key = Slosilo::Symmetric.new.random_key
+      pre_adapter = Slosilo::Adapters::FileAdapter.new dir
+      pre_adapter.put_key(id, key)
+    end
+
+    describe '#get_key' do
+      it "loads and decrypts the key" do
+        expect(adapter.get_key(id)).to eq(key)
+      end
+    end
+
+    describe '#get_by_fingerprint' do
+      it "can look up a key by a fingerprint" do
+        expect(adapter.get_by_fingerprint(key_fingerprint)).to eq([key, id])
+      end
+    end
+    
+    describe '#each' do
+      it "enumerates the keys" do
+        results = []
+        adapter.each { |id,k| results << { id => k } }
+        expect(results).to eq([ { id => key } ])
+      end
+    end
+  end
+end