slosilo 1.0.0 → 2.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: d243023c094f7eaec65752017e2550d57030d13a
-  data.tar.gz: f99b144884f5f3bf351fe4190e06c99f076b961f
+SHA256:
+  metadata.gz: 8723a6eff81a1e81b1e8f8a3b4998c202b4a36b042d2c3b33d830232f800e45e
+  data.tar.gz: 22abadf8b5edca4b2ad971be894e54a906e9b84f166098a95fbfa8cf8401a046
 SHA512:
-  metadata.gz: 3b2b0a71040bedaf6e15da8c6fdf6bca34fec490fe41f8834c72ba170ab22cbe7bd8d1d1b93dcfd24855acbf4ad634aa342cdb0374d562277ac9d4df493c6e7a
-  data.tar.gz: 8f4741e1f0f4a00cb0b466e6776445830efc11f66947cac7533fc2d65d0060a0116f7b0239c130ff3866e24e628323170bf684ee2285dc1020e21e2a36106663
+  metadata.gz: 937190eaf606924682f14850313aeedf6b852f7cc0e88669451d6b0d147fcd61a485d4089ccdce35bb188fc057a750c82f01bd43118da104735efc264386caa7
+  data.tar.gz: 6e3b22a70e85c036932bb15b309e45d28d4b9f2eeaa59cdd2aa9f3db5b580b9d23e3844eaf71a59667acc99706b55e2100d1e4a1f6f0b70bafae117459babff3

data/.dockerignore

@@ -0,0 +1,2 @@
+/Gemfile.lock
+/spec/reports

data/.gitleaks.toml

@@ -0,0 +1,221 @@
+title = "Secretless Broker gitleaks config"
+
+# This is the config file for gitleaks. You can configure gitleaks what to search for and what to whitelist.
+# If GITLEAKS_CONFIG environment variable
+# is set, gitleaks will load configurations from that path. If option --config-path is set, gitleaks will load
+# configurations from that path. Gitleaks does not whitelist anything by default.
+# - https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04B-3_Meli_paper.pdf
+# - https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+[[rules]]
+description = "AWS Client ID"
+regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS Secret Key"
+regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS MWS key"
+regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
+tags = ["key", "AWS", "MWS"]
+
+[[rules]]
+description = "PKCS8"
+regex = '''-----BEGIN PRIVATE KEY-----'''
+tags = ["key", "PKCS8"]
+
+[[rules]]
+description = "RSA"
+regex = '''-----BEGIN RSA PRIVATE KEY-----'''
+tags = ["key", "RSA"]
+
+[[rules]]
+description = "SSH"
+regex = '''-----BEGIN OPENSSH PRIVATE KEY-----'''
+tags = ["key", "SSH"]
+
+[[rules]]
+description = "PGP"
+regex = '''-----BEGIN PGP PRIVATE KEY BLOCK-----'''
+tags = ["key", "PGP"]
+
+[[rules]]
+description = "Facebook Secret Key"
+regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Facebook Client ID"
+regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Facebook access token"
+regex = '''EAACEdEose0cBA[0-9A-Za-z]+'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Twitter Secret Key"
+regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]'''
+tags = ["key", "Twitter"]
+
+[[rules]]
+description = "Twitter Client ID"
+regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]'''
+tags = ["client", "Twitter"]
+
+[[rules]]
+description = "Github"
+regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]'''
+tags = ["key", "Github"]
+
+[[rules]]
+description = "LinkedIn Client ID"
+regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]'''
+tags = ["client", "Twitter"]
+
+[[rules]]
+description = "LinkedIn Secret Key"
+regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]'''
+tags = ["secret", "Twitter"]
+
+[[rules]]
+description = "Slack"
+regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
+tags = ["key", "Slack"]
+
+[[rules]]
+description = "EC"
+regex = '''-----BEGIN EC PRIVATE KEY-----'''
+tags = ["key", "EC"]
+
+[[rules]]
+description = "Generic API key"
+regex = '''(?i)(api_key|apikey)(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
+tags = ["key", "API", "generic"]
+
+[[rules]]
+description = "Generic Secret"
+regex = '''(?i)secret(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
+tags = ["key", "Secret", "generic"]
+
+[[rules]]
+description = "Google API key"
+regex = '''AIza[0-9A-Za-z\\-_]{35}'''
+tags = ["key", "Google"]
+
+[[rules]]
+description = "Google Cloud Platform API key"
+regex = '''(?i)(google|gcp|youtube|drive|yt)(.{0,20})?['\"][AIza[0-9a-z\\-_]{35}]['\"]'''
+tags = ["key", "Google", "GCP"]
+
+[[rules]]
+description = "Google OAuth"
+regex = '''(?i)(google|gcp|auth)(.{0,20})?['"][0-9]+-[0-9a-z_]{32}\.apps\.googleusercontent\.com['"]'''
+tags = ["key", "Google", "OAuth"]
+
+[[rules]]
+description = "Google OAuth access token"
+regex = '''ya29\.[0-9A-Za-z\-_]+'''
+tags = ["key", "Google", "OAuth"]
+
+[[rules]]
+description = "Heroku API key"
+regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]'''
+tags = ["key", "Heroku"]
+
+[[rules]]
+description = "MailChimp API key"
+regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]'''
+tags = ["key", "Mailchimp"]
+
+[[rules]]
+description = "Mailgun API key"
+regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]'''
+tags = ["key", "Mailgun"]
+
+[[rules]]
+description = "Password in URL"
+regex = '''[a-zA-Z]{3,10}:\/\/[^\/\s:@]{3,20}:[^\/\s:@]{3,20}@.{1,100}\/?.?'''
+tags = ["key", "URL", "generic"]
+
+[[rules]]
+description = "PayPal Braintree access token"
+regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
+tags = ["key", "Paypal"]
+
+[[rules]]
+description = "Picatic API key"
+regex = '''sk_live_[0-9a-z]{32}'''
+tags = ["key", "Picatic"]
+
+[[rules]]
+description = "Slack Webhook"
+regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'''
+tags = ["key", "slack"]
+
+[[rules]]
+description = "Stripe API key"
+regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_live_[0-9a-zA-Z]{24}'''
+tags = ["key", "Stripe"]
+
+[[rules]]
+description = "Square access token"
+regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
+tags = ["key", "square"]
+
+[[rules]]
+description = "Square OAuth secret"
+regex = '''sq0csp-[0-9A-Za-z\\-_]{43}'''
+tags = ["key", "square"]
+
+[[rules]]
+description = "Twilio API key"
+regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]'''
+tags = ["key", "twilio"]
+
+[whitelist]
+files = [
+  "(.*?)(jpg|gif|doc|pdf|bin)$",
+  ".gitleaks.toml"
+]
+regexes = [
+]
+commits = [
+  "3a496cef2d737f69038630f3c884a159f783bd06", # old commit to add test data
+  "047e58e40c87f9d19d68c21a533b706616ab1ef2", # old commit to add test data
+  "5345e49e7d63589fc637c2b0c7156bf97e9c72b8", # old commit to add test data
+  "9c31229cedceedd75e06c381fe7218571a03c26d" # old commit to add test data
+]
+
+# Additional Examples
+
+# [[rules]]
+# description = "Generic Key"
+# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
+# entropies = [
+#     "4.1-4.3",
+#     "5.5-6.3",
+# ]
+# entropyROI = "line"
+# filetypes = [".go", ".py", ".c"]
+# tags = ["key"]
+# severity = "8"
+#
+#
+# [[rules]]
+# description = "Generic Key"
+# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
+# entropies = ["4.1-4.3"]
+# filetypes = [".gee"]
+# entropyROI = "line"
+# tags = ["key"]
+# severity = "medium"
+
+# [[rules]]
+# description = "Any pem file"
+# filetypes = [".key"]
+# tags = ["pem"]
+# severity = "high"

data/CHANGELOG.md

@@ -0,0 +1,11 @@
+# v2.2.1
+
+* Use SHA256 algorithm instead of MD5 for public key fingerprints.
+
+# v2.1.1
+
+* Add support for JWT-formatted tokens, with arbitrary expiration.
+
+# v2.0.1
+
+* Fixes a bug that occurs when signing tokens containing Unicode data

data/CONTRIBUTING.md

@@ -0,0 +1,16 @@
+# Contributing
+  
+For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community).
+
+## Contributing Workflow
+
+1. [Fork the project](https://help.github.com/en/github/getting-started-with-github/fork-a-repo)
+2. [Clone your fork](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/cloning-a-repository)
+3. Make local changes to your fork by editing files
+3. [Commit your changes](https://help.github.com/en/github/managing-files-in-a-repository/adding-a-file-to-a-repository-using-the-command-line)
+4. [Push your local changes to the remote server](https://help.github.com/en/github/using-git/pushing-commits-to-a-remote-repository)
+5. [Create new Pull Request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork)
+
+From here your pull request will be reviewed and once you've responded to all
+feedback it will be merged into the project. Congratulations, you're a
+contributor!

data/Jenkinsfile

@@ -0,0 +1,55 @@
+#!/usr/bin/env groovy
+
+pipeline {
+  agent { label 'executor-v2' }
+
+  options {
+    timestamps()
+    buildDiscarder(logRotator(daysToKeepStr: '30'))
+  }
+
+  stages {
+    stage('Test') {
+      steps {
+        sh './test.sh'
+
+        junit 'spec/reports/*.xml'
+      }
+    }
+
+    stage('Publish to RubyGems') {
+      agent { label 'releaser-v2' }
+      when {
+        allOf {
+          branch 'master'
+          expression {
+            boolean publish = false
+
+            try {
+              timeout(time: 5, unit: 'MINUTES') {
+                input(message: 'Publish to RubyGems?')
+                publish = true
+              }
+            } catch (final ignore) {
+              publish = false
+            }
+
+            return publish
+          }
+        }
+      }
+
+      steps {
+        checkout scm
+        sh './publish-rubygem.sh'
+        deleteDir()
+      }
+    }
+  }
+
+  post {
+    always {
+      cleanupAndNotify(currentBuild.currentResult)
+    }
+  }
+}

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2012 Conjur Inc
+Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
 
 MIT License
 
@@ -19,4 +19,4 @@ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -1,7 +1,11 @@
 # Slosilo
 
-Slosilo is a keystore in the database. (Currently only works with postgres.)
-It allows easy storage and retrieval of keys.
+Slosilo is providing a ruby interface to some cryptographic primitives:
+- symmetric encryption,
+- a mixin for easy encryption of object attributes,
+- asymmetric encryption and signing,
+- a keystore in a postgres sequel db -- it allows easy storage and retrieval of keys,
+- a keystore in files.
 
 ## Installation
 
@@ -13,6 +17,118 @@ And then execute:
 
     $ bundle
 
+## Compatibility
+
+Version 2.0 introduced new symmetric encryption scheme using AES-256-GCM
+for authenticated encryption. It allows you to provide AAD on all symmetric
+encryption primitives. It's also **NOT COMPATIBLE** with CBC used in version <2.
+
+This means you'll have to migrate all your existing data. There's no easy way to
+do this currently provided; it's recommended to create a database migration and
+put relevant code fragments in it directly. (This will also have the benefit of making
+the migration self-contained.)
+
+Since symmetric encryption is used in processing asymetrically encrypted messages,
+this incompatibility extends to those too.
+
+## Usage
+
+### Symmetric encryption
+
+```ruby
+sym = Slosilo::Symmetric.new
+key = sym.random_key
+# additional authenticated data
+message_id = "message 001"
+ciphertext = sym.encrypt "secret message", key: key, aad: message_id
+```
+
+```ruby
+sym = Slosilo::Symmetric.new
+message = sym.decrypt ciphertext, key: key, aad: message_id
+```
+
+### Encryption mixin
+
+```ruby
+require 'slosilo'
+
+class Foo
+  attr_accessor :foo
+  attr_encrypted :foo, aad: :id
+
+  def raw_foo
+    @foo
+  end
+
+  def id
+    "unique record id"
+  end
+end
+
+Slosilo::encryption_key = Slosilo::Symmetric.new.random_key
+
+obj = Foo.new
+obj.foo = "bar"
+obj.raw_foo # => "\xC4\xEF\x87\xD3b\xEA\x12\xDF\xD0\xD4hk\xEDJ\v\x1Cr\xF2#\xA3\x11\xA4*k\xB7\x8F\x8F\xC2\xBD\xBB\xFF\xE3"
+obj.foo # => "bar"
+```
+
+You can safely use it in ie. ActiveRecord::Base or Sequel::Model subclasses.
+
+### Asymmetric encryption and signing
+
+```ruby
+private_key = Slosilo::Key.new
+public_key = private_key.public
+```
+
+#### Key dumping
+```ruby
+k = public_key.to_s # => "-----BEGIN PUBLIC KEY----- ...
+(Slosilo::Key.new k) == public_key # => true
+```
+
+#### Encryption
+
+```ruby
+encrypted = public_key.encrypt_message "eagle one sees many clouds"
+# => "\xA3\x1A\xD2\xFC\xB0 ...
+
+public_key.decrypt_message encrypted
+# => OpenSSL::PKey::RSAError: private key needed.
+
+private_key.decrypt_message encrypted
+# => "eagle one sees many clouds"
+```
+
+#### Signing
+
+```ruby
+token = private_key.signed_token "missile launch not authorized"
+# => {"data"=>"missile launch not authorized", "timestamp"=>"2014-10-13 12:41:25 UTC", "signature"=>"bSImk...DzV3o", "key"=>"455f7ac42d2d483f750b4c380761821d"}
+
+public_key.token_valid? token # => true
+
+token["data"] = "missile launch authorized"
+public_key.token_valid? token # => false
+```
+
+### Keystore
+
+```ruby
+Slosilo::encryption_key = ENV['SLOSILO_KEY']
+Slosilo.adapter = Slosilo::Adapters::FileAdapter.new "~/.keys"
+
+Slosilo[:own] = Slosilo::Key.new
+Slosilo[:their] = Slosilo::Key.new File.read("foo.pem")
+
+msg = Slosilo[:their].encrypt_message 'bar'
+p Slosilo[:own].signed_token msg
+```
+
+### Keystore in database
+
 Add a migration to create the necessary table:
 
     require 'slosilo/adapters/sequel_adapter/migration'
@@ -21,12 +137,13 @@ Remember to migrate your database
 
     $ rake db:migrate
 
-## Usage
+Then
+```ruby
+Slosilo.adapter = Slosilo::Adapters::SequelAdapter.new
+```
 
 ## Contributing
 
-1. Fork it
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Added some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request
+We welcome contributions of all kinds to this repository. For instructions on
+how to get started and descriptions of our development workflows, please see our
+[contributing guide](CONTRIBUTING.md).