slosilo 1.1.0 → 2.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 19532fb817cc0d993257331452fd6fc36be49da8
-  data.tar.gz: 63c9b867b4e125aff0e5680e21a9a31605629716
+SHA256:
+  metadata.gz: eee5855bf8948e460edebcc7e04399ad32ea9085f101860ddddb4687139a0bf8
+  data.tar.gz: 415fa1a618fbffda2ebf1dcb59abc42285d11d01afbc4697299708bbe3bd01fb
 SHA512:
-  metadata.gz: 799000b32ea19b4b5ca3fb63901007e16c659af8ea383f3d469ed4a91a1c23b10529eeffda3167b73e0bf67043258622c997b68fefd110cf5fb96cedc8b3769c
-  data.tar.gz: c017465fd76fd4aa9812924ead3c3342d66d3f87f222cd94c0f08c0eadd2dd66c7088e3bc5333ae6d4a83f165c2329456cc38158b2de5d17e76dd1fe0d098449
+  metadata.gz: '098214ef9bbb3ac810a28425e943fe81528573d54e7cdf85261c45cd1ab95fdc57a2387c629adc246339bc04488ff01a04d5655163bf8f423c2edacbb60f7a80'
+  data.tar.gz: 163a3a8097d4bafc592718d1bb37f1f2f8e25cbb5b637ba68c6478d787f131e08cc5d2a017f9d80bb5127c757d8f817b0a39c0e7c77557b45fc9e01206139305

data/.dockerignore

@@ -0,0 +1,2 @@
+/Gemfile.lock
+/spec/reports

data/.github/CODEOWNERS

@@ -0,0 +1,10 @@
+* @cyberark/conjur-core-team @conjurinc/conjur-core-team @conjurdemos/conjur-core-team
+
+# Changes to .trivyignore require Security Architect approval
+.trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects
+
+# Changes to .codeclimate.yml require Quality Architect approval
+.codeclimate.yml @cyberark/quality-architects @conjurinc/quality-architects @conjurdemos/quality-architects
+
+# Changes to SECURITY.md require Security Architect approval
+SECURITY.md @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects

data/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,21 @@
+### What does this PR do?
+- _What's changed? Why were these changes made?_
+- _How should the reviewer approach this PR, especially if manual tests are required?_
+- _Are there relevant screenshots you can add to the PR description?_
+
+### What ticket does this PR close?
+Connected to #[relevant GitHub issues, eg 76]
+
+### Checklists
+
+#### Change log
+- [ ] The CHANGELOG has been updated, or
+- [ ] This PR does not include user-facing changes and doesn't require a CHANGELOG update
+
+#### Test coverage
+- [ ] This PR includes new unit and integration tests to go with the code changes, or
+- [ ] The changes in this PR do not require tests
+
+#### Documentation
+- [ ] Docs (e.g. `README`s) were updated in this PR, and/or there is a follow-on issue to update docs, or
+- [ ] This PR does not require updating any documentation

data/.gitleaks.toml

@@ -0,0 +1,221 @@
+title = "Secretless Broker gitleaks config"
+
+# This is the config file for gitleaks. You can configure gitleaks what to search for and what to whitelist.
+# If GITLEAKS_CONFIG environment variable
+# is set, gitleaks will load configurations from that path. If option --config-path is set, gitleaks will load
+# configurations from that path. Gitleaks does not whitelist anything by default.
+# - https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04B-3_Meli_paper.pdf
+# - https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+[[rules]]
+description = "AWS Client ID"
+regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS Secret Key"
+regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS MWS key"
+regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
+tags = ["key", "AWS", "MWS"]
+
+[[rules]]
+description = "PKCS8"
+regex = '''-----BEGIN PRIVATE KEY-----'''
+tags = ["key", "PKCS8"]
+
+[[rules]]
+description = "RSA"
+regex = '''-----BEGIN RSA PRIVATE KEY-----'''
+tags = ["key", "RSA"]
+
+[[rules]]
+description = "SSH"
+regex = '''-----BEGIN OPENSSH PRIVATE KEY-----'''
+tags = ["key", "SSH"]
+
+[[rules]]
+description = "PGP"
+regex = '''-----BEGIN PGP PRIVATE KEY BLOCK-----'''
+tags = ["key", "PGP"]
+
+[[rules]]
+description = "Facebook Secret Key"
+regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Facebook Client ID"
+regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Facebook access token"
+regex = '''EAACEdEose0cBA[0-9A-Za-z]+'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Twitter Secret Key"
+regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]'''
+tags = ["key", "Twitter"]
+
+[[rules]]
+description = "Twitter Client ID"
+regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]'''
+tags = ["client", "Twitter"]
+
+[[rules]]
+description = "Github"
+regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]'''
+tags = ["key", "Github"]
+
+[[rules]]
+description = "LinkedIn Client ID"
+regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]'''
+tags = ["client", "Twitter"]
+
+[[rules]]
+description = "LinkedIn Secret Key"
+regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]'''
+tags = ["secret", "Twitter"]
+
+[[rules]]
+description = "Slack"
+regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
+tags = ["key", "Slack"]
+
+[[rules]]
+description = "EC"
+regex = '''-----BEGIN EC PRIVATE KEY-----'''
+tags = ["key", "EC"]
+
+[[rules]]
+description = "Generic API key"
+regex = '''(?i)(api_key|apikey)(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
+tags = ["key", "API", "generic"]
+
+[[rules]]
+description = "Generic Secret"
+regex = '''(?i)secret(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
+tags = ["key", "Secret", "generic"]
+
+[[rules]]
+description = "Google API key"
+regex = '''AIza[0-9A-Za-z\\-_]{35}'''
+tags = ["key", "Google"]
+
+[[rules]]
+description = "Google Cloud Platform API key"
+regex = '''(?i)(google|gcp|youtube|drive|yt)(.{0,20})?['\"][AIza[0-9a-z\\-_]{35}]['\"]'''
+tags = ["key", "Google", "GCP"]
+
+[[rules]]
+description = "Google OAuth"
+regex = '''(?i)(google|gcp|auth)(.{0,20})?['"][0-9]+-[0-9a-z_]{32}\.apps\.googleusercontent\.com['"]'''
+tags = ["key", "Google", "OAuth"]
+
+[[rules]]
+description = "Google OAuth access token"
+regex = '''ya29\.[0-9A-Za-z\-_]+'''
+tags = ["key", "Google", "OAuth"]
+
+[[rules]]
+description = "Heroku API key"
+regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]'''
+tags = ["key", "Heroku"]
+
+[[rules]]
+description = "MailChimp API key"
+regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]'''
+tags = ["key", "Mailchimp"]
+
+[[rules]]
+description = "Mailgun API key"
+regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]'''
+tags = ["key", "Mailgun"]
+
+[[rules]]
+description = "Password in URL"
+regex = '''[a-zA-Z]{3,10}:\/\/[^\/\s:@]{3,20}:[^\/\s:@]{3,20}@.{1,100}\/?.?'''
+tags = ["key", "URL", "generic"]
+
+[[rules]]
+description = "PayPal Braintree access token"
+regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
+tags = ["key", "Paypal"]
+
+[[rules]]
+description = "Picatic API key"
+regex = '''sk_live_[0-9a-z]{32}'''
+tags = ["key", "Picatic"]
+
+[[rules]]
+description = "Slack Webhook"
+regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'''
+tags = ["key", "slack"]
+
+[[rules]]
+description = "Stripe API key"
+regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_live_[0-9a-zA-Z]{24}'''
+tags = ["key", "Stripe"]
+
+[[rules]]
+description = "Square access token"
+regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
+tags = ["key", "square"]
+
+[[rules]]
+description = "Square OAuth secret"
+regex = '''sq0csp-[0-9A-Za-z\\-_]{43}'''
+tags = ["key", "square"]
+
+[[rules]]
+description = "Twilio API key"
+regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]'''
+tags = ["key", "twilio"]
+
+[whitelist]
+files = [
+  "(.*?)(jpg|gif|doc|pdf|bin)$",
+  ".gitleaks.toml"
+]
+regexes = [
+]
+commits = [
+  "3a496cef2d737f69038630f3c884a159f783bd06", # old commit to add test data
+  "047e58e40c87f9d19d68c21a533b706616ab1ef2", # old commit to add test data
+  "5345e49e7d63589fc637c2b0c7156bf97e9c72b8", # old commit to add test data
+  "9c31229cedceedd75e06c381fe7218571a03c26d" # old commit to add test data
+]
+
+# Additional Examples
+
+# [[rules]]
+# description = "Generic Key"
+# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
+# entropies = [
+#     "4.1-4.3",
+#     "5.5-6.3",
+# ]
+# entropyROI = "line"
+# filetypes = [".go", ".py", ".c"]
+# tags = ["key"]
+# severity = "8"
+#
+#
+# [[rules]]
+# description = "Generic Key"
+# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
+# entropies = ["4.1-4.3"]
+# filetypes = [".gee"]
+# entropyROI = "line"
+# tags = ["key"]
+# severity = "medium"
+
+# [[rules]]
+# description = "Any pem file"
+# filetypes = [".key"]
+# tags = ["pem"]
+# severity = "high"

data/CHANGELOG.md

@@ -0,0 +1,16 @@
+# v2.2.2
+
+* Add rake task `slosilo:recalculate_fingerprints` which rehashes the fingerprints in the keystore.
+**Note**: After migrating the slosilo keystore, run the above rake task to ensure the fingerprints are correctly hashed.
+
+# v2.2.1
+
+* Use SHA256 algorithm instead of MD5 for public key fingerprints.
+
+# v2.1.1
+
+* Add support for JWT-formatted tokens, with arbitrary expiration.
+
+# v2.0.1
+
+* Fixes a bug that occurs when signing tokens containing Unicode data

data/CONTRIBUTING.md

@@ -0,0 +1,16 @@
+# Contributing
+  
+For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community).
+
+## Contributing Workflow
+
+1. [Fork the project](https://help.github.com/en/github/getting-started-with-github/fork-a-repo)
+2. [Clone your fork](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/cloning-a-repository)
+3. Make local changes to your fork by editing files
+3. [Commit your changes](https://help.github.com/en/github/managing-files-in-a-repository/adding-a-file-to-a-repository-using-the-command-line)
+4. [Push your local changes to the remote server](https://help.github.com/en/github/using-git/pushing-commits-to-a-remote-repository)
+5. [Create new Pull Request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork)
+
+From here your pull request will be reviewed and once you've responded to all
+feedback it will be merged into the project. Congratulations, you're a
+contributor!

data/Jenkinsfile

@@ -0,0 +1,58 @@
+#!/usr/bin/env groovy
+
+pipeline {
+  agent { label 'executor-v2' }
+
+  options {
+    timestamps()
+    buildDiscarder(logRotator(daysToKeepStr: '30'))
+  }
+
+  stages {
+    stage('Test') {
+      steps {
+        sh './test.sh'
+
+        junit 'spec/reports/*.xml'
+        cobertura coberturaReportFile: 'spec/coverage/coverage.xml'
+        sh 'cp spec/coverage/coverage.xml cobertura.xml'
+        ccCoverage("cobertura", "github.com/cyberark/slosilo")
+      }
+    }
+
+    stage('Publish to RubyGems') {
+      agent { label 'executor-v2' }
+      when {
+        allOf {
+          branch 'master'
+          expression {
+            boolean publish = false
+
+            try {
+              timeout(time: 5, unit: 'MINUTES') {
+                input(message: 'Publish to RubyGems?')
+                publish = true
+              }
+            } catch (final ignore) {
+              publish = false
+            }
+
+            return publish
+          }
+        }
+      }
+
+      steps {
+        checkout scm
+        sh './publish-rubygem.sh'
+        deleteDir()
+      }
+    }
+  }
+
+  post {
+    always {
+      cleanupAndNotify(currentBuild.currentResult)
+    }
+  }
+}

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2012 Conjur Inc
+Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
 
 MIT License
 
@@ -19,4 +19,4 @@ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -2,7 +2,7 @@
 
 Slosilo is providing a ruby interface to some cryptographic primitives:
 - symmetric encryption,
-- a mixin for easy encryption of object attributes (WARNING: unauthenticated, see below),
+- a mixin for easy encryption of object attributes,
 - asymmetric encryption and signing,
 - a keystore in a postgres sequel db -- it allows easy storage and retrieval of keys,
 - a keystore in files.
@@ -17,6 +17,20 @@ And then execute:
 
     $ bundle
 
+## Compatibility
+
+Version 2.0 introduced new symmetric encryption scheme using AES-256-GCM
+for authenticated encryption. It allows you to provide AAD on all symmetric
+encryption primitives. It's also **NOT COMPATIBLE** with CBC used in version <2.
+
+This means you'll have to migrate all your existing data. There's no easy way to
+do this currently provided; it's recommended to create a database migration and
+put relevant code fragments in it directly. (This will also have the benefit of making
+the migration self-contained.)
+
+Since symmetric encryption is used in processing asymetrically encrypted messages,
+this incompatibility extends to those too.
+
 ## Usage
 
 ### Symmetric encryption
@@ -24,12 +38,14 @@ And then execute:
 ```ruby
 sym = Slosilo::Symmetric.new
 key = sym.random_key
-ciphertext = sym.encrypt "secret message", key: key
+# additional authenticated data
+message_id = "message 001"
+ciphertext = sym.encrypt "secret message", key: key, aad: message_id
 ```
 
 ```ruby
 sym = Slosilo::Symmetric.new
-message = sym.decrypt ciphertext, key: key
+message = sym.decrypt ciphertext, key: key, aad: message_id
 ```
 
 ### Encryption mixin
@@ -39,11 +55,15 @@ require 'slosilo'
 
 class Foo
   attr_accessor :foo
-  attr_encrypted :foo
+  attr_encrypted :foo, aad: :id
 
   def raw_foo
     @foo
   end
+
+  def id
+    "unique record id"
+  end
 end
 
 Slosilo::encryption_key = Slosilo::Symmetric.new.random_key
@@ -56,13 +76,6 @@ obj.foo # => "bar"
 
 You can safely use it in ie. ActiveRecord::Base or Sequel::Model subclasses.
 
-#### Warning
-
-The encrypted data is not authenticated; it's intended to prevent
-opportunistic access to secrets by a third party which gets hold of a database
-dump. *IT DOES NOT prevent tampering.* If your threat model includes an attacker
-which can modify the database, `attr_encrypted` by itself IS NOT SECURE.
-
 ### Asymmetric encryption and signing
 
 ```ruby
@@ -131,8 +144,6 @@ Slosilo.adapter = Slosilo::Adapters::SequelAdapter.new
 
 ## Contributing
 
-1. Fork it
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Added some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request
+We welcome contributions of all kinds to this repository. For instructions on
+how to get started and descriptions of our development workflows, please see our
+[contributing guide](CONTRIBUTING.md).