slosilo 0.1.2

data/.gitignore

@@ -0,0 +1,19 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+.rvmrc
+.project

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in slosilo.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2012 Rafał Rzepecki
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,32 @@
+# Slosilo
+
+Slosilo is a keystore in the database. (Currently only works with postgres.)
+It allows easy storage and retrieval of keys.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'slosilo'
+
+And then execute:
+
+    $ bundle
+
+Add a migration to create the necessary table:
+
+    require 'slosilo/adapters/sequel_adapter/migration'
+
+Remember to migrate your database
+
+    $ rake db:migrate
+
+## Usage
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,17 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+
+begin
+  require 'rspec/core/rake_task'
+  RSpec::Core::RakeTask.new(:spec)
+rescue LoadError
+  $stderr.puts "RSpec Rake tasks not available in environment #{ENV['RACK_ENV']}"
+end
+
+task :jenkins do
+  require 'ci/reporter/rake/rspec'
+  Rake::Task["ci:setup:rspec"].invoke
+  Rake::Task["spec"].invoke
+end
+
+task :default => :spec

data/lib/slosilo/adapters/abstract_adapter.rb

@@ -0,0 +1,19 @@
+require 'slosilo/attr_encrypted'
+
+module Slosilo
+  module Adapters
+    class AbstractAdapter
+      def get_key id
+        raise NotImplementedError
+      end
+      
+      def put_key id, key
+        raise NotImplementedError
+      end
+      
+      def each
+        raise NotImplementedError
+      end
+    end
+  end
+end

data/lib/slosilo/adapters/mock_adapter.rb

@@ -0,0 +1,8 @@
+module Slosilo
+  module Adapters
+    class MockAdapter < Hash
+      alias :put_key :[]=
+      alias :get_key :[]
+    end
+  end
+end

data/lib/slosilo/adapters/sequel_adapter/migration.rb

@@ -0,0 +1,49 @@
+require 'sequel'
+
+module Slosilo
+  module Adapters::SequelAdapter::Migration
+    # The default name of the table to hold the keys
+    DEFAULT_KEYSTORE_TABLE = :slosilo_keystore
+
+    # Sets up default keystore table name
+    def self.extended(db)
+      db.keystore_table ||= DEFAULT_KEYSTORE_TABLE
+    end
+    
+    # Keystore table name. If changing this do it immediately after loading the extension.
+    attr_accessor :keystore_table
+
+    # Create the table for holding keys
+    def create_keystore_table
+      create_table keystore_table do
+        String :id, primary_key: true
+        # Note: currently only postgres is supported
+        bytea :key, null: false
+      end
+    end
+    
+    # Drop the table
+    def drop_keystore_table
+      drop_table keystore_table
+    end
+  end
+  
+  module Extension
+    def slosilo_keystore
+      extend Slosilo::Adapters::SequelAdapter::Migration
+    end
+  end
+  
+  Sequel::Database.send :include, Extension
+end
+
+Sequel.migration do
+  up do
+    slosilo_keystore
+    create_keystore_table
+  end
+  down do
+    slosilo_keystore
+    drop_keystore_table
+  end
+end

data/lib/slosilo/adapters/sequel_adapter.rb

@@ -0,0 +1,34 @@
+require 'slosilo/adapters/abstract_adapter'
+
+module Slosilo
+  module Adapters
+    class SequelAdapter < AbstractAdapter
+      def model
+        @model ||= create_model
+      end
+      
+      def create_model
+        model = Sequel::Model(:slosilo_keystore)
+        model.unrestrict_primary_key
+        model.attr_encrypted :key
+        model
+      end
+      
+      def put_key id, value
+        model.create id: id, key: value
+      end
+      
+      def get_key id
+        stored = model[id]
+        return nil unless stored
+        stored.key
+      end
+      
+      def each
+        model.each do |m|
+          yield m.id, m.key
+        end
+      end
+    end
+  end
+end

data/lib/slosilo/attr_encrypted.rb

@@ -0,0 +1,59 @@
+require 'slosilo/symmetric'
+
+module Slosilo
+  # we don't trust the database to keep all backups safe from the prying eyes
+  # so we encrypt sensitive attributes before storing them
+  module EncryptedAttributes
+    module ClassMethods
+      def attr_encrypted *a
+        # push a module onto the inheritance hierarchy
+        # this allows calling super in classes
+        include(accessors = Module.new)
+        accessors.module_eval do 
+          a.each do |attr|
+            define_method "#{attr}=" do |value|
+              super(EncryptedAttributes.encrypt value)
+            end
+            define_method attr do
+              EncryptedAttributes.decrypt(super())
+            end
+          end
+        end
+      end
+    end
+    
+    def self.included base
+      base.extend ClassMethods
+    end
+
+    class << self
+      def encrypt value
+        return nil unless value
+        cipher.encrypt value, key: key
+      end
+      
+      def decrypt ctxt
+        return nil unless ctxt
+        cipher.decrypt ctxt, key: key
+      end
+
+      def key
+        Slosilo::encryption_key || (raise "Please set Slosilo::encryption_key")
+      end
+      
+      def cipher
+        @cipher ||= Slosilo::Symmetric.new
+      end
+    end
+  end
+  
+  class << self
+    attr_writer :encryption_key
+    
+    def encryption_key
+      @encryption_key
+    end
+  end
+end
+
+Object.send:include, Slosilo::EncryptedAttributes

data/lib/slosilo/http_request.rb

@@ -0,0 +1,59 @@
+module Slosilo
+  # A mixin module which simplifies generating signed and encrypted requests.
+  # It's designed to be mixed into a standard Net::HTTPRequest object
+  # and ensures the request is signed and optionally encrypted before execution.
+  # Requests prepared this way will be recognized by Slosilo::Rack::Middleware.
+  #
+  # As an example, you can use it with RestClient like so:
+  #   RestClient.add_before_execution_proc do |req, params|
+  #     require 'slosilo'
+  #     req.extend Slosilo::HTTPRequest
+  #     req.keyname = :somekey
+  #   end
+  #
+  # The request won't be encrypted unless you set the destination keyname.
+  
+  module HTTPRequest
+    # Encrypt the request with key named @keyname from Slosilo::Keystore. 
+    # If calling this manually, make sure to encrypt before signing.
+    def encrypt!
+      return unless @keyname
+      return unless body && !body.empty?
+      self.body, key = Slosilo[@keyname].encrypt body
+      self['X-Slosilo-Key'] = Base64::urlsafe_encode64 key
+    end
+    
+    # Sign the request with :own key from Slosilo::Keystore. 
+    # If calling this manually, make sure to encrypt before signing.
+    def sign!
+      token = Slosilo[:own].signed_token signed_data
+      self['Timestamp'] = token["timestamp"]
+      self['X-Slosilo-Signature'] = token["signature"]
+    end
+    
+    # Build the data hash to sign.
+    def signed_data
+      data = { "path" => path, "body" => [body].pack('m0') }
+      if key = self['X-Slosilo-Key']
+        data["key"] = key
+      end
+      if authz = self['Authorization']
+        data["authorization"] = authz
+      end
+      data
+    end
+    
+    # Encrypt, sign and execute the request.
+    def exec *a
+      # we need to hook here because the body might be set
+      # in several ways and here it's hopefully finalized
+      encrypt!
+      sign!
+      super *a
+    end
+    
+    # Name of the key used to encrypt the request. 
+    # Use it to establish the identity of the receiver.
+    attr_accessor :keyname
+  end
+end

data/lib/slosilo/key.rb

@@ -0,0 +1,95 @@
+require 'openssl'
+require 'json'
+require 'base64'
+require 'time'
+
+module Slosilo
+  class Key
+    def initialize raw_key = nil
+      @key = if raw_key.is_a? OpenSSL::PKey::RSA
+        raw_key
+      elsif !raw_key.nil?
+        OpenSSL::PKey.read raw_key
+      else
+        OpenSSL::PKey::RSA.new 2048
+      end
+    end
+    
+    attr_reader :key
+    
+    def cipher
+      @cipher ||= Slosilo::Symmetric.new
+    end
+    
+    def encrypt plaintext
+      key = cipher.random_key
+      ctxt = cipher.encrypt plaintext, key: key
+      key = @key.public_encrypt key
+      [ctxt, key]
+    end
+    
+    def decrypt ciphertext, skey
+      key = @key.private_decrypt skey
+      cipher.decrypt ciphertext, key: key
+    end
+    
+    def to_s
+      @key.public_key.to_pem
+    end
+    
+    def to_der
+      @key.to_der
+    end
+    
+    def sign value
+      sign_string(stringify value)
+    end
+    
+    SIGNATURE_LEN = 256
+    
+    def verify_signature data, signature
+      signature, salt = signature.unpack("a#{SIGNATURE_LEN}a*")
+      key.public_decrypt(signature) == hash_function.digest(salt + stringify(data))
+    rescue
+      false
+    end
+
+    # create a new timestamped and signed token carrying data
+    def signed_token data
+      token = { "data" => data, "timestamp" => Time.new.utc.to_s }
+      token["signature"] = Base64::urlsafe_encode64(sign token)
+      token
+    end
+    
+    def token_valid? token, expiry = 8 * 60
+      token = token.clone
+      signature = Base64::urlsafe_decode64(token.delete "signature")
+      (Time.parse(token["timestamp"]) + expiry > Time.now) && verify_signature(token, signature)
+    end
+    
+    def sign_string value
+      _salt = salt
+      key.private_encrypt(hash_function.digest(_salt + value)) + _salt
+    end
+    
+    private
+    def stringify value
+      case value
+      when Hash
+        value.to_a.sort.to_json
+      when String
+        value
+      else
+        value.to_json
+      end
+    end
+    
+    def salt
+      Slosilo::Random::salt
+    end
+    
+    def hash_function
+      @hash_function ||= OpenSSL::Digest::SHA256
+    end
+  end
+end

data/lib/slosilo/keystore.rb

@@ -0,0 +1,61 @@
+require 'slosilo/key'
+
+module Slosilo
+  class Keystore
+    def adapter 
+      Slosilo::adapter or raise "No Slosilo adapter is configured or available"
+    end
+    
+    def put id, key
+      adapter.put_key id.to_s, key.to_der
+    end
+    
+    def get id
+      key = adapter.get_key(id.to_s)
+      key && Key.new(key)
+    end
+    
+    def each(&block)
+      adapter.each(&block)
+    end
+    
+    def any? &block
+      catch :found do
+        adapter.each do |id, k|
+          throw :found if block.call(Key.new(k))
+        end
+        return false
+      end
+      true
+    end
+  end
+  
+  class << self
+    def []= id, value
+      keystore.put id, value
+    end
+    
+    def [] id
+      keystore.get id
+    end
+    
+    def each(&block)
+      keystore.each(&block)
+    end
+    
+    def sign object
+      self[:own].sign object
+    end
+    
+    def token_valid? token
+      keystore.any? { |k| k.token_valid? token }
+    end
+    
+    attr_accessor :adapter
+    
+    private
+    def keystore
+      @keystore ||= Keystore.new
+    end
+  end
+end

data/lib/slosilo/rack/middleware.rb

@@ -0,0 +1,123 @@
+module Slosilo
+  module Rack
+    # Con perform verification of request signature and decryption of request body.
+    #
+    # Signature verification and body decryption are enabled with constructor switches and are 
+    # therefore performed (or not) for all requests.
+    #
+    # When signature verification is performed, the following elements are included in the 
+    # signature string:
+    # 
+    # 1. Request path and query string
+    # 2. base64 encoded request body
+    # 3. Request timestamp from HTTP_TIMESTAMP
+    # 4. Body encryption key from HTTP_X_SLOSILO_KEY (if present)
+    # 
+    # When body decryption is performed, an encryption key for the message body is encrypted
+    # with this service's public key and placed in HTTP_X_SLOSILO_KEY. This middleware
+    # decryps the key using our :own private key, and then decrypts the body using the decrypted key.
+    class Middleware
+      class EncryptionError < SecurityError
+      end
+      class SignatureError < SecurityError
+      end
+
+      def initialize app, opts = {}
+        @app = app
+        @encryption_required = opts[:encryption_required] || false
+        @signature_required = opts[:signature_required] || false
+      end
+      
+      def call env
+        @env = env
+        @body = env['rack.input'].read rescue ""
+        
+        begin
+          verify
+          decrypt
+        rescue EncryptionError
+          return error 403, $!.message
+        rescue SignatureError
+          return error 401, $!.message
+        end
+        
+        @app.call env
+      end
+      
+      private
+      def verify
+        if signature
+          raise SignatureError, "Bad signature" unless Slosilo.token_valid?(token)
+        else
+          raise SignatureError, "Signature required" if signature_required?
+        end
+      end
+      
+      attr_reader :env
+      
+      def token
+        return nil unless signature
+        t = { "data" => { "path" => path, "body" => [body].pack('m0') }, "timestamp" => timestamp, "signature" => signature }
+        t["data"]["key"] = encoded_key if encoded_key
+        t['data']['authorization'] = env['HTTP_AUTHORIZATION'] if env['HTTP_AUTHORIZATION']
+        t
+      end
+      
+      def path
+        env['SCRIPT_NAME'] + env['PATH_INFO'] + query_string
+      end
+      
+      def query_string
+        if env['QUERY_STRING'].empty?
+          ''
+        else
+          '?' + env['QUERY_STRING']
+        end
+      end
+
+      attr_reader :body
+      
+      def timestamp
+        env['HTTP_TIMESTAMP']
+      end
+      
+      def signature
+        env['HTTP_X_SLOSILO_SIGNATURE']
+      end
+      
+      def encoded_key
+        env['HTTP_X_SLOSILO_KEY']
+      end
+      
+      def key
+        if encoded_key
+          Base64::urlsafe_decode64(encoded_key)
+        else
+          raise EncryptionError, "Encryption required" if encryption_required?
+        end
+      end
+      
+      def decrypt
+        return unless key
+        plaintext = Slosilo[:own].decrypt body, key
+        env['rack.input'] = StringIO.new plaintext
+      rescue EncryptionError
+        raise unless body.empty? || body.nil?
+      rescue Exception => e
+        raise EncryptionError, "Bad encryption", e.backtrace
+      end
+      
+      def error status, message
+        [status, { 'Content-Type' => 'text/plain', 'Content-Length' => message.length.to_s }, [message] ]
+      end
+      
+      def encryption_required?
+        @encryption_required
+      end
+      
+      def signature_required?
+        @signature_required
+      end
+    end
+  end
+end

data/lib/slosilo/random.rb

@@ -0,0 +1,11 @@
+require 'openssl'
+
+module Slosilo
+  module Random
+    class << self
+      def salt
+        OpenSSL::Random::random_bytes 32
+      end
+    end
+  end
+end

data/lib/slosilo/symmetric.rb

@@ -0,0 +1,33 @@
+module Slosilo
+  class Symmetric
+    def initialize
+      @cipher = OpenSSL::Cipher.new 'AES-256-CBC'
+    end
+    
+    def encrypt plaintext, opts = {}
+      @cipher.reset
+      @cipher.encrypt
+      @cipher.key = opts[:key]
+      @cipher.iv = iv = random_iv
+      ctxt = @cipher.update(plaintext)
+      iv + ctxt + @cipher.final
+    end
+    
+    def decrypt ciphertext, opts = {}
+      @cipher.reset
+      @cipher.decrypt
+      @cipher.key = opts[:key]
+      @cipher.iv, ctxt = ciphertext.unpack("a#{@cipher.iv_len}a*")
+      ptxt = @cipher.update(ctxt)
+      ptxt + @cipher.final
+    end
+    
+    def random_iv
+      @cipher.random_iv
+    end
+    
+    def random_key
+      @cipher.random_key
+    end
+  end
+end

data/lib/slosilo/version.rb

@@ -0,0 +1,3 @@
+module Slosilo
+  VERSION = "0.1.2"
+end

data/lib/slosilo.rb

@@ -0,0 +1,13 @@
+require "slosilo/version"
+require "slosilo/keystore"
+require "slosilo/symmetric"
+require "slosilo/attr_encrypted"
+require "slosilo/random"
+require "slosilo/rack/middleware"
+require "slosilo/http_request"
+
+if defined? Sequel
+  require 'slosilo/adapters/sequel_adapter'
+  Slosilo::adapter = Slosilo::Adapters::SequelAdapter.new
+end
+Dir[File.join(File.dirname(__FILE__), 'tasks/*.rake')].each { |ext| load ext } if defined?(Rake)