slosilo 2.0.1 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: b2f977e53f906393dcac0918f5fb5b2b2b41563b
-  data.tar.gz: 967b35f4ed8f91c24dfab09245ff0cb798b585ed
+SHA256:
+  metadata.gz: 81d8f2c013b6f88d01bd7dd4c44b39c7cf0ffaa9385afca3e7ea826dae0855c8
+  data.tar.gz: acd627ef6ca45a404ce08c7bc680c8db7ea1ebdbe10d45b248ae09e59e804a02
 SHA512:
-  metadata.gz: fd31b09380e3f9411aca6a7ee9244d727e0962954da29c18adffa68b81b58265607205b5a519de8d211da07f412600788c1b5579fc0a604e06328e5bb86e62a8
-  data.tar.gz: 3454255c91a0a62c59bedf5b425e5b5a9fdb1ba29283d85ae0e5be7ca9b5cd2b1fa44b4fa280d65d37441d802e634309a928373848ad4cf199c9e5ac58d074cd
+  metadata.gz: '098a049570888513d10bf23edacfb8c566f605a08a9e918a2a06c15839d406b14696edaf76c49b84820d3c0fc1147b0f7f754c74fdad680a98f919d134cabcc7'
+  data.tar.gz: 6cef96001fcc2932c23e106c732d9e7722afd2f6a8af11e99a023a49aa005bdc8ff9f3fa4ce278644b753acfe0e50953e14cf86114e78877368b95107a1126c0

data/.dockerignore

@@ -0,0 +1,2 @@
+/Gemfile.lock
+/spec/reports

data/.github/CODEOWNERS

@@ -0,0 +1,10 @@
+* @cyberark/conjur-core-team @conjurinc/conjur-core-team @conjurdemos/conjur-core-team
+
+# Changes to .trivyignore require Security Architect approval
+.trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects
+
+# Changes to .codeclimate.yml require Quality Architect approval
+.codeclimate.yml @cyberark/quality-architects @conjurinc/quality-architects @conjurdemos/quality-architects
+
+# Changes to SECURITY.md require Security Architect approval
+SECURITY.md @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects

data/.gitleaks.toml

@@ -0,0 +1,221 @@
+title = "Secretless Broker gitleaks config"
+
+# This is the config file for gitleaks. You can configure gitleaks what to search for and what to whitelist.
+# If GITLEAKS_CONFIG environment variable
+# is set, gitleaks will load configurations from that path. If option --config-path is set, gitleaks will load
+# configurations from that path. Gitleaks does not whitelist anything by default.
+# - https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04B-3_Meli_paper.pdf
+# - https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+[[rules]]
+description = "AWS Client ID"
+regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS Secret Key"
+regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS MWS key"
+regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
+tags = ["key", "AWS", "MWS"]
+
+[[rules]]
+description = "PKCS8"
+regex = '''-----BEGIN PRIVATE KEY-----'''
+tags = ["key", "PKCS8"]
+
+[[rules]]
+description = "RSA"
+regex = '''-----BEGIN RSA PRIVATE KEY-----'''
+tags = ["key", "RSA"]
+
+[[rules]]
+description = "SSH"
+regex = '''-----BEGIN OPENSSH PRIVATE KEY-----'''
+tags = ["key", "SSH"]
+
+[[rules]]
+description = "PGP"
+regex = '''-----BEGIN PGP PRIVATE KEY BLOCK-----'''
+tags = ["key", "PGP"]
+
+[[rules]]
+description = "Facebook Secret Key"
+regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Facebook Client ID"
+regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Facebook access token"
+regex = '''EAACEdEose0cBA[0-9A-Za-z]+'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Twitter Secret Key"
+regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]'''
+tags = ["key", "Twitter"]
+
+[[rules]]
+description = "Twitter Client ID"
+regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]'''
+tags = ["client", "Twitter"]
+
+[[rules]]
+description = "Github"
+regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]'''
+tags = ["key", "Github"]
+
+[[rules]]
+description = "LinkedIn Client ID"
+regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]'''
+tags = ["client", "Twitter"]
+
+[[rules]]
+description = "LinkedIn Secret Key"
+regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]'''
+tags = ["secret", "Twitter"]
+
+[[rules]]
+description = "Slack"
+regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
+tags = ["key", "Slack"]
+
+[[rules]]
+description = "EC"
+regex = '''-----BEGIN EC PRIVATE KEY-----'''
+tags = ["key", "EC"]
+
+[[rules]]
+description = "Generic API key"
+regex = '''(?i)(api_key|apikey)(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
+tags = ["key", "API", "generic"]
+
+[[rules]]
+description = "Generic Secret"
+regex = '''(?i)secret(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
+tags = ["key", "Secret", "generic"]
+
+[[rules]]
+description = "Google API key"
+regex = '''AIza[0-9A-Za-z\\-_]{35}'''
+tags = ["key", "Google"]
+
+[[rules]]
+description = "Google Cloud Platform API key"
+regex = '''(?i)(google|gcp|youtube|drive|yt)(.{0,20})?['\"][AIza[0-9a-z\\-_]{35}]['\"]'''
+tags = ["key", "Google", "GCP"]
+
+[[rules]]
+description = "Google OAuth"
+regex = '''(?i)(google|gcp|auth)(.{0,20})?['"][0-9]+-[0-9a-z_]{32}\.apps\.googleusercontent\.com['"]'''
+tags = ["key", "Google", "OAuth"]
+
+[[rules]]
+description = "Google OAuth access token"
+regex = '''ya29\.[0-9A-Za-z\-_]+'''
+tags = ["key", "Google", "OAuth"]
+
+[[rules]]
+description = "Heroku API key"
+regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]'''
+tags = ["key", "Heroku"]
+
+[[rules]]
+description = "MailChimp API key"
+regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]'''
+tags = ["key", "Mailchimp"]
+
+[[rules]]
+description = "Mailgun API key"
+regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]'''
+tags = ["key", "Mailgun"]
+
+[[rules]]
+description = "Password in URL"
+regex = '''[a-zA-Z]{3,10}:\/\/[^\/\s:@]{3,20}:[^\/\s:@]{3,20}@.{1,100}\/?.?'''
+tags = ["key", "URL", "generic"]
+
+[[rules]]
+description = "PayPal Braintree access token"
+regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
+tags = ["key", "Paypal"]
+
+[[rules]]
+description = "Picatic API key"
+regex = '''sk_live_[0-9a-z]{32}'''
+tags = ["key", "Picatic"]
+
+[[rules]]
+description = "Slack Webhook"
+regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'''
+tags = ["key", "slack"]
+
+[[rules]]
+description = "Stripe API key"
+regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_live_[0-9a-zA-Z]{24}'''
+tags = ["key", "Stripe"]
+
+[[rules]]
+description = "Square access token"
+regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
+tags = ["key", "square"]
+
+[[rules]]
+description = "Square OAuth secret"
+regex = '''sq0csp-[0-9A-Za-z\\-_]{43}'''
+tags = ["key", "square"]
+
+[[rules]]
+description = "Twilio API key"
+regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]'''
+tags = ["key", "twilio"]
+
+[whitelist]
+files = [
+  "(.*?)(jpg|gif|doc|pdf|bin)$",
+  ".gitleaks.toml"
+]
+regexes = [
+]
+commits = [
+  "3a496cef2d737f69038630f3c884a159f783bd06", # old commit to add test data
+  "047e58e40c87f9d19d68c21a533b706616ab1ef2", # old commit to add test data
+  "5345e49e7d63589fc637c2b0c7156bf97e9c72b8", # old commit to add test data
+  "9c31229cedceedd75e06c381fe7218571a03c26d" # old commit to add test data
+]
+
+# Additional Examples
+
+# [[rules]]
+# description = "Generic Key"
+# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
+# entropies = [
+#     "4.1-4.3",
+#     "5.5-6.3",
+# ]
+# entropyROI = "line"
+# filetypes = [".go", ".py", ".c"]
+# tags = ["key"]
+# severity = "8"
+#
+#
+# [[rules]]
+# description = "Generic Key"
+# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
+# entropies = ["4.1-4.3"]
+# filetypes = [".gee"]
+# entropyROI = "line"
+# tags = ["key"]
+# severity = "medium"
+
+# [[rules]]
+# description = "Any pem file"
+# filetypes = [".key"]
+# tags = ["pem"]
+# severity = "high"

data/CHANGELOG.md

@@ -1,4 +1,20 @@
+# v3.0.0
+
+* Transition to Ruby 3. Consuming projects based on Ruby 2 shall use slosilo V2.X.X.
+
+# v2.2.2
+
+* Add rake task `slosilo:recalculate_fingerprints` which rehashes the fingerprints in the keystore.
+**Note**: After migrating the slosilo keystore, run the above rake task to ensure the fingerprints are correctly hashed.
+
+# v2.2.1
+
+* Use SHA256 algorithm instead of MD5 for public key fingerprints.
+
+# v2.1.1
+
+* Add support for JWT-formatted tokens, with arbitrary expiration.
+
 # v2.0.1
 
 * Fixes a bug that occurs when signing tokens containing Unicode data
-

data/CONTRIBUTING.md

@@ -0,0 +1,16 @@
+# Contributing
+  
+For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community).
+
+## Contributing Workflow
+
+1. [Fork the project](https://help.github.com/en/github/getting-started-with-github/fork-a-repo)
+2. [Clone your fork](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/cloning-a-repository)
+3. Make local changes to your fork by editing files
+3. [Commit your changes](https://help.github.com/en/github/managing-files-in-a-repository/adding-a-file-to-a-repository-using-the-command-line)
+4. [Push your local changes to the remote server](https://help.github.com/en/github/using-git/pushing-commits-to-a-remote-repository)
+5. [Create new Pull Request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork)
+
+From here your pull request will be reviewed and once you've responded to all
+feedback it will be merged into the project. Congratulations, you're a
+contributor!

data/Jenkinsfile

@@ -0,0 +1,75 @@
+#!/usr/bin/env groovy
+
+pipeline {
+  agent { label 'executor-v2' }
+
+  options {
+    timestamps()
+    buildDiscarder(logRotator(daysToKeepStr: '30'))
+  }
+
+  stages {
+    stage('Test') {
+      parallel {
+        stage('Run tests on EE') {
+          agent { label 'executor-v2-rhel-ee' }
+          steps {
+            sh './test.sh'
+          }
+          post { always {
+            stash name: 'eeTestResults', includes: 'spec/reports/*.xml', allowEmpty:true
+          }}
+        }
+
+        stage('Run tests') {
+          steps {
+            sh './test.sh'
+          }
+        }
+      }
+    }
+
+    stage('Publish to RubyGems') {
+      agent { label 'executor-v2' }
+      when {
+        allOf {
+          branch 'master'
+          expression {
+            boolean publish = false
+
+            try {
+              timeout(time: 5, unit: 'MINUTES') {
+                input(message: 'Publish to RubyGems?')
+                publish = true
+              }
+            } catch (final ignore) {
+              publish = false
+            }
+
+            return publish
+          }
+        }
+      }
+
+      steps {
+        checkout scm
+        sh './publish-rubygem.sh'
+        deleteDir()
+      }
+    }
+  }
+
+  post {
+    always {
+      dir('ee-results'){
+        unstash 'eeTestResults'
+      }
+      junit 'spec/reports/*.xml, ee-results/spec/reports/*.xml'
+      cobertura coberturaReportFile: 'spec/coverage/coverage.xml'
+      sh 'cp spec/coverage/coverage.xml cobertura.xml'
+      ccCoverage("cobertura", "github.com/cyberark/slosilo")
+
+      cleanupAndNotify(currentBuild.currentResult)
+    }
+  }
+}

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2012 Conjur Inc
+Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
 
 MIT License
 
@@ -19,4 +19,4 @@ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -19,6 +19,9 @@ And then execute:
 
 ## Compatibility
 
+Version 3.0 introduced full transition to Ruby 3.
+Consumers who use slosilo in Ruby 2 projects, shall use slosilo V2.X.X.
+
 Version 2.0 introduced new symmetric encryption scheme using AES-256-GCM
 for authenticated encryption. It allows you to provide AAD on all symmetric
 encryption primitives. It's also **NOT COMPATIBLE** with CBC used in version <2.
@@ -144,8 +147,6 @@ Slosilo.adapter = Slosilo::Adapters::SequelAdapter.new
 
 ## Contributing
 
-1. Fork it
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Added some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request
+We welcome contributions of all kinds to this repository. For instructions on
+how to get started and descriptions of our development workflows, please see our
+[contributing guide](CONTRIBUTING.md).

data/SECURITY.md

@@ -0,0 +1,42 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the CyberArk Conjur
+suite of tools and products.
+
+  * [Reporting a Bug](#reporting-a-bug)
+  * [Disclosure Policy](#disclosure-policy)
+  * [Comments on this Policy](#comments-on-this-policy)
+
+## Reporting a Bug
+
+The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously.
+Thank you for improving the security of the Conjur suite. We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your
+contributions.
+
+Report security bugs by emailing the lead maintainers at security@conjur.org.
+
+The maintainers will acknowledge your email within 2 business days. Subsequently, we will 
+send a more detailed response within 2 business days of our acknowledgement indicating
+the next steps in handling your report. After the initial reply to your report, the security
+team will endeavor to keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining
+the module.
+
+## Disclosure Policy
+
+When the security team receives a security bug report, they will assign it to a
+primary handler. This person will coordinate the fix and release process,
+involving the following steps:
+
+  * Confirm the problem and determine the affected versions.
+  * Audit code to find any potential similar problems.
+  * Prepare fixes for all releases still under maintenance. These fixes will be
+    released as fast as possible.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.

data/lib/slosilo/adapters/sequel_adapter.rb

@@ -49,6 +49,17 @@ module Slosilo
         end
       end
 
+      def recalculate_fingerprints
+        # Use a transaction to ensure that all fingerprints are updated together. If any update fails,
+        # we want to rollback all updates.
+        model.db.transaction do
+          model.each do |m|
+            m.update fingerprint: Slosilo::Key.new(m.key).fingerprint
+          end
+        end
+      end
+
+
       def migrate!
         unless fingerprint_in_db?
           model.db.transaction do
@@ -59,9 +70,7 @@ module Slosilo
             # reload the schema
             model.set_dataset model.dataset
 
-            model.each do |m|
-              m.update fingerprint: Slosilo::Key.new(m.key).fingerprint
-            end
+            recalculate_fingerprints
 
             model.db.alter_table :slosilo_keystore do
               set_column_not_null :fingerprint

data/lib/slosilo/attr_encrypted.rb

@@ -26,7 +26,10 @@ module Slosilo
         aad = options[:aad]
         # note nil.to_s is "", which is exactly the right thing
         auth_data = aad.respond_to?(:to_proc) ? aad.to_proc : proc{ |_| aad.to_s }
-        raise ":aad proc must take one argument" unless auth_data.arity.abs == 1 # take abs to allow *args arity, -1
+
+        # In ruby 3 .arity for #proc returns both 1 and 2, depends on internal #proc
+        # This method is also being called with aad which is string, in such case the arity is 1
+        raise ":aad proc must take two arguments" unless (auth_data.arity.abs == 2 || auth_data.arity.abs == 1)
 
         # push a module onto the inheritance hierarchy
         # this allows calling super in classes

data/lib/slosilo/errors.rb

@@ -8,5 +8,8 @@ module Slosilo
         super
       end
     end
+
+    class TokenValidationError < Error
+    end
   end
 end

data/lib/slosilo/jwt.rb

@@ -0,0 +1,122 @@
+require 'json'
+
+module Slosilo
+  # A JWT-formatted Slosilo token.
+  # @note This is not intended to be a general-purpose JWT implementation.
+  class JWT
+    # Create a new unsigned token with the given claims.
+    # @param claims [#to_h] claims to embed in this token.
+    def initialize claims = {}
+      @claims = JSONHash[claims]
+    end
+
+    # Parse a token in compact representation
+    def self.parse_compact raw
+      load *raw.split('.', 3).map(&Base64.method(:urlsafe_decode64))
+    end
+
+    # Parse a token in JSON representation.
+    # @note only single signature is currently supported.
+    def self.parse_json raw
+      raw = JSON.load raw unless raw.respond_to? :to_h
+      parts = raw.to_h.values_at(*%w(protected payload signature))
+      fail ArgumentError, "input not a complete JWT" unless parts.all?
+      load *parts.map(&Base64.method(:urlsafe_decode64))
+    end
+
+    # Add a signature.
+    # @note currently only a single signature is handled;
+    # the token will be frozen after this operation.
+    def add_signature header, &sign
+      @claims = canonicalize_claims.freeze
+      @header = JSONHash[header].freeze
+      @signature = sign[string_to_sign].freeze
+      freeze
+    end
+
+    def string_to_sign
+      [header, claims].map(&method(:encode)).join '.'
+    end
+
+    # Returns the JSON serialization of this JWT.
+    def to_json *a
+      {
+        protected: encode(header),
+        payload: encode(claims),
+        signature: encode(signature)
+      }.to_json *a
+    end
+
+    # Returns the compact serialization of this JWT.
+    def to_s
+      [header, claims, signature].map(&method(:encode)).join('.')
+    end
+
+    attr_accessor :claims, :header, :signature
+
+    private
+
+    # Create a JWT token object from existing header, payload, and signature strings.
+    # @param header [#to_s] URLbase64-encoded representation of the protected header
+    # @param payload [#to_s] URLbase64-encoded representation of the token payload
+    # @param signature [#to_s] URLbase64-encoded representation of the signature
+    def self.load header, payload, signature
+      self.new(JSONHash.load payload).tap do |token|
+        token.header = JSONHash.load header
+        token.signature = signature.to_s.freeze
+        token.freeze
+      end
+    end
+
+    def canonicalize_claims
+      claims[:iat] = Time.now unless claims.include? :iat
+      claims[:iat] = claims[:iat].to_time.to_i
+      claims[:exp] = claims[:exp].to_time.to_i if claims.include? :exp
+      JSONHash[claims.to_a]
+    end
+
+    # Convenience method to make the above code clearer.
+    # Converts to string and urlbase64-encodes.
+    def encode s
+      Base64.urlsafe_encode64 s.to_s
+    end
+
+    # a hash with a possibly frozen JSON stringification
+    class JSONHash < Hash
+      def to_s
+        @repr || to_json
+      end
+
+      def freeze
+        @repr = to_json.freeze
+        super
+      end
+
+      def self.load raw
+        self[JSON.load raw.to_s].tap do |h|
+          h.send :repr=, raw
+        end
+      end
+
+      private
+
+      def repr= raw
+        @repr = raw.freeze
+        freeze
+      end
+    end
+  end
+
+  # Try to convert by detecting token representation and parsing
+  def self.JWT raw
+    if raw.is_a? JWT
+      raw
+    elsif raw.respond_to?(:to_h) || raw =~ /\A\s*\{/
+      JWT.parse_json raw
+    else
+      JWT.parse_compact raw
+    end
+  rescue
+    raise ArgumentError, "invalid value for JWT(): #{raw.inspect}"
+  end
+end