slosilo 1.1.0 → 2.2.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/.dockerignore +2 -0
- data/.github/CODEOWNERS +10 -0
- data/.github/PULL_REQUEST_TEMPLATE.md +21 -0
- data/.gitleaks.toml +221 -0
- data/CHANGELOG.md +16 -0
- data/CONTRIBUTING.md +16 -0
- data/Jenkinsfile +58 -0
- data/LICENSE +2 -2
- data/README.md +27 -16
- data/SECURITY.md +42 -0
- data/lib/slosilo.rb +1 -0
- data/lib/slosilo/adapters/sequel_adapter.rb +13 -4
- data/lib/slosilo/attr_encrypted.rb +29 -6
- data/lib/slosilo/errors.rb +3 -0
- data/lib/slosilo/jwt.rb +122 -0
- data/lib/slosilo/key.rb +86 -3
- data/lib/slosilo/keystore.rb +13 -2
- data/lib/slosilo/symmetric.rb +30 -9
- data/lib/slosilo/version.rb +1 -1
- data/lib/tasks/slosilo.rake +5 -0
- data/publish-rubygem.sh +11 -0
- data/slosilo.gemspec +11 -2
- data/spec/encrypted_attributes_spec.rb +114 -0
- data/spec/file_adapter_spec.rb +1 -1
- data/spec/jwt_spec.rb +102 -0
- data/spec/key_spec.rb +63 -4
- data/spec/sequel_adapter_spec.rb +1 -1
- data/spec/slosilo_spec.rb +32 -0
- data/spec/spec_helper.rb +5 -2
- data/spec/symmetric_spec.rb +39 -17
- data/test.sh +27 -0
- metadata +64 -23
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: eee5855bf8948e460edebcc7e04399ad32ea9085f101860ddddb4687139a0bf8
|
4
|
+
data.tar.gz: 415fa1a618fbffda2ebf1dcb59abc42285d11d01afbc4697299708bbe3bd01fb
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: '098214ef9bbb3ac810a28425e943fe81528573d54e7cdf85261c45cd1ab95fdc57a2387c629adc246339bc04488ff01a04d5655163bf8f423c2edacbb60f7a80'
|
7
|
+
data.tar.gz: 163a3a8097d4bafc592718d1bb37f1f2f8e25cbb5b637ba68c6478d787f131e08cc5d2a017f9d80bb5127c757d8f817b0a39c0e7c77557b45fc9e01206139305
|
data/.dockerignore
ADDED
data/.github/CODEOWNERS
ADDED
@@ -0,0 +1,10 @@
|
|
1
|
+
* @cyberark/conjur-core-team @conjurinc/conjur-core-team @conjurdemos/conjur-core-team
|
2
|
+
|
3
|
+
# Changes to .trivyignore require Security Architect approval
|
4
|
+
.trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects
|
5
|
+
|
6
|
+
# Changes to .codeclimate.yml require Quality Architect approval
|
7
|
+
.codeclimate.yml @cyberark/quality-architects @conjurinc/quality-architects @conjurdemos/quality-architects
|
8
|
+
|
9
|
+
# Changes to SECURITY.md require Security Architect approval
|
10
|
+
SECURITY.md @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects
|
@@ -0,0 +1,21 @@
|
|
1
|
+
### What does this PR do?
|
2
|
+
- _What's changed? Why were these changes made?_
|
3
|
+
- _How should the reviewer approach this PR, especially if manual tests are required?_
|
4
|
+
- _Are there relevant screenshots you can add to the PR description?_
|
5
|
+
|
6
|
+
### What ticket does this PR close?
|
7
|
+
Connected to #[relevant GitHub issues, eg 76]
|
8
|
+
|
9
|
+
### Checklists
|
10
|
+
|
11
|
+
#### Change log
|
12
|
+
- [ ] The CHANGELOG has been updated, or
|
13
|
+
- [ ] This PR does not include user-facing changes and doesn't require a CHANGELOG update
|
14
|
+
|
15
|
+
#### Test coverage
|
16
|
+
- [ ] This PR includes new unit and integration tests to go with the code changes, or
|
17
|
+
- [ ] The changes in this PR do not require tests
|
18
|
+
|
19
|
+
#### Documentation
|
20
|
+
- [ ] Docs (e.g. `README`s) were updated in this PR, and/or there is a follow-on issue to update docs, or
|
21
|
+
- [ ] This PR does not require updating any documentation
|
data/.gitleaks.toml
ADDED
@@ -0,0 +1,221 @@
|
|
1
|
+
title = "Secretless Broker gitleaks config"
|
2
|
+
|
3
|
+
# This is the config file for gitleaks. You can configure gitleaks what to search for and what to whitelist.
|
4
|
+
# If GITLEAKS_CONFIG environment variable
|
5
|
+
# is set, gitleaks will load configurations from that path. If option --config-path is set, gitleaks will load
|
6
|
+
# configurations from that path. Gitleaks does not whitelist anything by default.
|
7
|
+
# - https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04B-3_Meli_paper.pdf
|
8
|
+
# - https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
|
9
|
+
[[rules]]
|
10
|
+
description = "AWS Client ID"
|
11
|
+
regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
|
12
|
+
tags = ["key", "AWS"]
|
13
|
+
|
14
|
+
[[rules]]
|
15
|
+
description = "AWS Secret Key"
|
16
|
+
regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]'''
|
17
|
+
tags = ["key", "AWS"]
|
18
|
+
|
19
|
+
[[rules]]
|
20
|
+
description = "AWS MWS key"
|
21
|
+
regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
|
22
|
+
tags = ["key", "AWS", "MWS"]
|
23
|
+
|
24
|
+
[[rules]]
|
25
|
+
description = "PKCS8"
|
26
|
+
regex = '''-----BEGIN PRIVATE KEY-----'''
|
27
|
+
tags = ["key", "PKCS8"]
|
28
|
+
|
29
|
+
[[rules]]
|
30
|
+
description = "RSA"
|
31
|
+
regex = '''-----BEGIN RSA PRIVATE KEY-----'''
|
32
|
+
tags = ["key", "RSA"]
|
33
|
+
|
34
|
+
[[rules]]
|
35
|
+
description = "SSH"
|
36
|
+
regex = '''-----BEGIN OPENSSH PRIVATE KEY-----'''
|
37
|
+
tags = ["key", "SSH"]
|
38
|
+
|
39
|
+
[[rules]]
|
40
|
+
description = "PGP"
|
41
|
+
regex = '''-----BEGIN PGP PRIVATE KEY BLOCK-----'''
|
42
|
+
tags = ["key", "PGP"]
|
43
|
+
|
44
|
+
[[rules]]
|
45
|
+
description = "Facebook Secret Key"
|
46
|
+
regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]'''
|
47
|
+
tags = ["key", "Facebook"]
|
48
|
+
|
49
|
+
[[rules]]
|
50
|
+
description = "Facebook Client ID"
|
51
|
+
regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]'''
|
52
|
+
tags = ["key", "Facebook"]
|
53
|
+
|
54
|
+
[[rules]]
|
55
|
+
description = "Facebook access token"
|
56
|
+
regex = '''EAACEdEose0cBA[0-9A-Za-z]+'''
|
57
|
+
tags = ["key", "Facebook"]
|
58
|
+
|
59
|
+
[[rules]]
|
60
|
+
description = "Twitter Secret Key"
|
61
|
+
regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]'''
|
62
|
+
tags = ["key", "Twitter"]
|
63
|
+
|
64
|
+
[[rules]]
|
65
|
+
description = "Twitter Client ID"
|
66
|
+
regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]'''
|
67
|
+
tags = ["client", "Twitter"]
|
68
|
+
|
69
|
+
[[rules]]
|
70
|
+
description = "Github"
|
71
|
+
regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]'''
|
72
|
+
tags = ["key", "Github"]
|
73
|
+
|
74
|
+
[[rules]]
|
75
|
+
description = "LinkedIn Client ID"
|
76
|
+
regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]'''
|
77
|
+
tags = ["client", "Twitter"]
|
78
|
+
|
79
|
+
[[rules]]
|
80
|
+
description = "LinkedIn Secret Key"
|
81
|
+
regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]'''
|
82
|
+
tags = ["secret", "Twitter"]
|
83
|
+
|
84
|
+
[[rules]]
|
85
|
+
description = "Slack"
|
86
|
+
regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
|
87
|
+
tags = ["key", "Slack"]
|
88
|
+
|
89
|
+
[[rules]]
|
90
|
+
description = "EC"
|
91
|
+
regex = '''-----BEGIN EC PRIVATE KEY-----'''
|
92
|
+
tags = ["key", "EC"]
|
93
|
+
|
94
|
+
[[rules]]
|
95
|
+
description = "Generic API key"
|
96
|
+
regex = '''(?i)(api_key|apikey)(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
|
97
|
+
tags = ["key", "API", "generic"]
|
98
|
+
|
99
|
+
[[rules]]
|
100
|
+
description = "Generic Secret"
|
101
|
+
regex = '''(?i)secret(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
|
102
|
+
tags = ["key", "Secret", "generic"]
|
103
|
+
|
104
|
+
[[rules]]
|
105
|
+
description = "Google API key"
|
106
|
+
regex = '''AIza[0-9A-Za-z\\-_]{35}'''
|
107
|
+
tags = ["key", "Google"]
|
108
|
+
|
109
|
+
[[rules]]
|
110
|
+
description = "Google Cloud Platform API key"
|
111
|
+
regex = '''(?i)(google|gcp|youtube|drive|yt)(.{0,20})?['\"][AIza[0-9a-z\\-_]{35}]['\"]'''
|
112
|
+
tags = ["key", "Google", "GCP"]
|
113
|
+
|
114
|
+
[[rules]]
|
115
|
+
description = "Google OAuth"
|
116
|
+
regex = '''(?i)(google|gcp|auth)(.{0,20})?['"][0-9]+-[0-9a-z_]{32}\.apps\.googleusercontent\.com['"]'''
|
117
|
+
tags = ["key", "Google", "OAuth"]
|
118
|
+
|
119
|
+
[[rules]]
|
120
|
+
description = "Google OAuth access token"
|
121
|
+
regex = '''ya29\.[0-9A-Za-z\-_]+'''
|
122
|
+
tags = ["key", "Google", "OAuth"]
|
123
|
+
|
124
|
+
[[rules]]
|
125
|
+
description = "Heroku API key"
|
126
|
+
regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]'''
|
127
|
+
tags = ["key", "Heroku"]
|
128
|
+
|
129
|
+
[[rules]]
|
130
|
+
description = "MailChimp API key"
|
131
|
+
regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]'''
|
132
|
+
tags = ["key", "Mailchimp"]
|
133
|
+
|
134
|
+
[[rules]]
|
135
|
+
description = "Mailgun API key"
|
136
|
+
regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]'''
|
137
|
+
tags = ["key", "Mailgun"]
|
138
|
+
|
139
|
+
[[rules]]
|
140
|
+
description = "Password in URL"
|
141
|
+
regex = '''[a-zA-Z]{3,10}:\/\/[^\/\s:@]{3,20}:[^\/\s:@]{3,20}@.{1,100}\/?.?'''
|
142
|
+
tags = ["key", "URL", "generic"]
|
143
|
+
|
144
|
+
[[rules]]
|
145
|
+
description = "PayPal Braintree access token"
|
146
|
+
regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
|
147
|
+
tags = ["key", "Paypal"]
|
148
|
+
|
149
|
+
[[rules]]
|
150
|
+
description = "Picatic API key"
|
151
|
+
regex = '''sk_live_[0-9a-z]{32}'''
|
152
|
+
tags = ["key", "Picatic"]
|
153
|
+
|
154
|
+
[[rules]]
|
155
|
+
description = "Slack Webhook"
|
156
|
+
regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'''
|
157
|
+
tags = ["key", "slack"]
|
158
|
+
|
159
|
+
[[rules]]
|
160
|
+
description = "Stripe API key"
|
161
|
+
regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_live_[0-9a-zA-Z]{24}'''
|
162
|
+
tags = ["key", "Stripe"]
|
163
|
+
|
164
|
+
[[rules]]
|
165
|
+
description = "Square access token"
|
166
|
+
regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
|
167
|
+
tags = ["key", "square"]
|
168
|
+
|
169
|
+
[[rules]]
|
170
|
+
description = "Square OAuth secret"
|
171
|
+
regex = '''sq0csp-[0-9A-Za-z\\-_]{43}'''
|
172
|
+
tags = ["key", "square"]
|
173
|
+
|
174
|
+
[[rules]]
|
175
|
+
description = "Twilio API key"
|
176
|
+
regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]'''
|
177
|
+
tags = ["key", "twilio"]
|
178
|
+
|
179
|
+
[whitelist]
|
180
|
+
files = [
|
181
|
+
"(.*?)(jpg|gif|doc|pdf|bin)$",
|
182
|
+
".gitleaks.toml"
|
183
|
+
]
|
184
|
+
regexes = [
|
185
|
+
]
|
186
|
+
commits = [
|
187
|
+
"3a496cef2d737f69038630f3c884a159f783bd06", # old commit to add test data
|
188
|
+
"047e58e40c87f9d19d68c21a533b706616ab1ef2", # old commit to add test data
|
189
|
+
"5345e49e7d63589fc637c2b0c7156bf97e9c72b8", # old commit to add test data
|
190
|
+
"9c31229cedceedd75e06c381fe7218571a03c26d" # old commit to add test data
|
191
|
+
]
|
192
|
+
|
193
|
+
# Additional Examples
|
194
|
+
|
195
|
+
# [[rules]]
|
196
|
+
# description = "Generic Key"
|
197
|
+
# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
|
198
|
+
# entropies = [
|
199
|
+
# "4.1-4.3",
|
200
|
+
# "5.5-6.3",
|
201
|
+
# ]
|
202
|
+
# entropyROI = "line"
|
203
|
+
# filetypes = [".go", ".py", ".c"]
|
204
|
+
# tags = ["key"]
|
205
|
+
# severity = "8"
|
206
|
+
#
|
207
|
+
#
|
208
|
+
# [[rules]]
|
209
|
+
# description = "Generic Key"
|
210
|
+
# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
|
211
|
+
# entropies = ["4.1-4.3"]
|
212
|
+
# filetypes = [".gee"]
|
213
|
+
# entropyROI = "line"
|
214
|
+
# tags = ["key"]
|
215
|
+
# severity = "medium"
|
216
|
+
|
217
|
+
# [[rules]]
|
218
|
+
# description = "Any pem file"
|
219
|
+
# filetypes = [".key"]
|
220
|
+
# tags = ["pem"]
|
221
|
+
# severity = "high"
|
data/CHANGELOG.md
ADDED
@@ -0,0 +1,16 @@
|
|
1
|
+
# v2.2.2
|
2
|
+
|
3
|
+
* Add rake task `slosilo:recalculate_fingerprints` which rehashes the fingerprints in the keystore.
|
4
|
+
**Note**: After migrating the slosilo keystore, run the above rake task to ensure the fingerprints are correctly hashed.
|
5
|
+
|
6
|
+
# v2.2.1
|
7
|
+
|
8
|
+
* Use SHA256 algorithm instead of MD5 for public key fingerprints.
|
9
|
+
|
10
|
+
# v2.1.1
|
11
|
+
|
12
|
+
* Add support for JWT-formatted tokens, with arbitrary expiration.
|
13
|
+
|
14
|
+
# v2.0.1
|
15
|
+
|
16
|
+
* Fixes a bug that occurs when signing tokens containing Unicode data
|
data/CONTRIBUTING.md
ADDED
@@ -0,0 +1,16 @@
|
|
1
|
+
# Contributing
|
2
|
+
|
3
|
+
For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community).
|
4
|
+
|
5
|
+
## Contributing Workflow
|
6
|
+
|
7
|
+
1. [Fork the project](https://help.github.com/en/github/getting-started-with-github/fork-a-repo)
|
8
|
+
2. [Clone your fork](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/cloning-a-repository)
|
9
|
+
3. Make local changes to your fork by editing files
|
10
|
+
3. [Commit your changes](https://help.github.com/en/github/managing-files-in-a-repository/adding-a-file-to-a-repository-using-the-command-line)
|
11
|
+
4. [Push your local changes to the remote server](https://help.github.com/en/github/using-git/pushing-commits-to-a-remote-repository)
|
12
|
+
5. [Create new Pull Request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork)
|
13
|
+
|
14
|
+
From here your pull request will be reviewed and once you've responded to all
|
15
|
+
feedback it will be merged into the project. Congratulations, you're a
|
16
|
+
contributor!
|
data/Jenkinsfile
ADDED
@@ -0,0 +1,58 @@
|
|
1
|
+
#!/usr/bin/env groovy
|
2
|
+
|
3
|
+
pipeline {
|
4
|
+
agent { label 'executor-v2' }
|
5
|
+
|
6
|
+
options {
|
7
|
+
timestamps()
|
8
|
+
buildDiscarder(logRotator(daysToKeepStr: '30'))
|
9
|
+
}
|
10
|
+
|
11
|
+
stages {
|
12
|
+
stage('Test') {
|
13
|
+
steps {
|
14
|
+
sh './test.sh'
|
15
|
+
|
16
|
+
junit 'spec/reports/*.xml'
|
17
|
+
cobertura coberturaReportFile: 'spec/coverage/coverage.xml'
|
18
|
+
sh 'cp spec/coverage/coverage.xml cobertura.xml'
|
19
|
+
ccCoverage("cobertura", "github.com/cyberark/slosilo")
|
20
|
+
}
|
21
|
+
}
|
22
|
+
|
23
|
+
stage('Publish to RubyGems') {
|
24
|
+
agent { label 'executor-v2' }
|
25
|
+
when {
|
26
|
+
allOf {
|
27
|
+
branch 'master'
|
28
|
+
expression {
|
29
|
+
boolean publish = false
|
30
|
+
|
31
|
+
try {
|
32
|
+
timeout(time: 5, unit: 'MINUTES') {
|
33
|
+
input(message: 'Publish to RubyGems?')
|
34
|
+
publish = true
|
35
|
+
}
|
36
|
+
} catch (final ignore) {
|
37
|
+
publish = false
|
38
|
+
}
|
39
|
+
|
40
|
+
return publish
|
41
|
+
}
|
42
|
+
}
|
43
|
+
}
|
44
|
+
|
45
|
+
steps {
|
46
|
+
checkout scm
|
47
|
+
sh './publish-rubygem.sh'
|
48
|
+
deleteDir()
|
49
|
+
}
|
50
|
+
}
|
51
|
+
}
|
52
|
+
|
53
|
+
post {
|
54
|
+
always {
|
55
|
+
cleanupAndNotify(currentBuild.currentResult)
|
56
|
+
}
|
57
|
+
}
|
58
|
+
}
|
data/LICENSE
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
Copyright (c)
|
1
|
+
Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
|
2
2
|
|
3
3
|
MIT License
|
4
4
|
|
@@ -19,4 +19,4 @@ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
19
19
|
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
20
20
|
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
21
21
|
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
22
|
-
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
22
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
CHANGED
@@ -2,7 +2,7 @@
|
|
2
2
|
|
3
3
|
Slosilo is providing a ruby interface to some cryptographic primitives:
|
4
4
|
- symmetric encryption,
|
5
|
-
- a mixin for easy encryption of object attributes
|
5
|
+
- a mixin for easy encryption of object attributes,
|
6
6
|
- asymmetric encryption and signing,
|
7
7
|
- a keystore in a postgres sequel db -- it allows easy storage and retrieval of keys,
|
8
8
|
- a keystore in files.
|
@@ -17,6 +17,20 @@ And then execute:
|
|
17
17
|
|
18
18
|
$ bundle
|
19
19
|
|
20
|
+
## Compatibility
|
21
|
+
|
22
|
+
Version 2.0 introduced new symmetric encryption scheme using AES-256-GCM
|
23
|
+
for authenticated encryption. It allows you to provide AAD on all symmetric
|
24
|
+
encryption primitives. It's also **NOT COMPATIBLE** with CBC used in version <2.
|
25
|
+
|
26
|
+
This means you'll have to migrate all your existing data. There's no easy way to
|
27
|
+
do this currently provided; it's recommended to create a database migration and
|
28
|
+
put relevant code fragments in it directly. (This will also have the benefit of making
|
29
|
+
the migration self-contained.)
|
30
|
+
|
31
|
+
Since symmetric encryption is used in processing asymetrically encrypted messages,
|
32
|
+
this incompatibility extends to those too.
|
33
|
+
|
20
34
|
## Usage
|
21
35
|
|
22
36
|
### Symmetric encryption
|
@@ -24,12 +38,14 @@ And then execute:
|
|
24
38
|
```ruby
|
25
39
|
sym = Slosilo::Symmetric.new
|
26
40
|
key = sym.random_key
|
27
|
-
|
41
|
+
# additional authenticated data
|
42
|
+
message_id = "message 001"
|
43
|
+
ciphertext = sym.encrypt "secret message", key: key, aad: message_id
|
28
44
|
```
|
29
45
|
|
30
46
|
```ruby
|
31
47
|
sym = Slosilo::Symmetric.new
|
32
|
-
message = sym.decrypt ciphertext, key: key
|
48
|
+
message = sym.decrypt ciphertext, key: key, aad: message_id
|
33
49
|
```
|
34
50
|
|
35
51
|
### Encryption mixin
|
@@ -39,11 +55,15 @@ require 'slosilo'
|
|
39
55
|
|
40
56
|
class Foo
|
41
57
|
attr_accessor :foo
|
42
|
-
attr_encrypted :foo
|
58
|
+
attr_encrypted :foo, aad: :id
|
43
59
|
|
44
60
|
def raw_foo
|
45
61
|
@foo
|
46
62
|
end
|
63
|
+
|
64
|
+
def id
|
65
|
+
"unique record id"
|
66
|
+
end
|
47
67
|
end
|
48
68
|
|
49
69
|
Slosilo::encryption_key = Slosilo::Symmetric.new.random_key
|
@@ -56,13 +76,6 @@ obj.foo # => "bar"
|
|
56
76
|
|
57
77
|
You can safely use it in ie. ActiveRecord::Base or Sequel::Model subclasses.
|
58
78
|
|
59
|
-
#### Warning
|
60
|
-
|
61
|
-
The encrypted data is not authenticated; it's intended to prevent
|
62
|
-
opportunistic access to secrets by a third party which gets hold of a database
|
63
|
-
dump. *IT DOES NOT prevent tampering.* If your threat model includes an attacker
|
64
|
-
which can modify the database, `attr_encrypted` by itself IS NOT SECURE.
|
65
|
-
|
66
79
|
### Asymmetric encryption and signing
|
67
80
|
|
68
81
|
```ruby
|
@@ -131,8 +144,6 @@ Slosilo.adapter = Slosilo::Adapters::SequelAdapter.new
|
|
131
144
|
|
132
145
|
## Contributing
|
133
146
|
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
4. Push to the branch (`git push origin my-new-feature`)
|
138
|
-
5. Create new Pull Request
|
147
|
+
We welcome contributions of all kinds to this repository. For instructions on
|
148
|
+
how to get started and descriptions of our development workflows, please see our
|
149
|
+
[contributing guide](CONTRIBUTING.md).
|