slosilo 2.2.2 → 3.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eee5855bf8948e460edebcc7e04399ad32ea9085f101860ddddb4687139a0bf8
-  data.tar.gz: 415fa1a618fbffda2ebf1dcb59abc42285d11d01afbc4697299708bbe3bd01fb
+  metadata.gz: 239f3678eb01bdaf97f3c7c243740ff3cf8c1b8507833ea07b150380d5a79ee2
+  data.tar.gz: 2226342fa45964d0fb368712c6c181c3c587aa5a3e46bda6a780f19346cc4d0e
 SHA512:
-  metadata.gz: '098214ef9bbb3ac810a28425e943fe81528573d54e7cdf85261c45cd1ab95fdc57a2387c629adc246339bc04488ff01a04d5655163bf8f423c2edacbb60f7a80'
-  data.tar.gz: 163a3a8097d4bafc592718d1bb37f1f2f8e25cbb5b637ba68c6478d787f131e08cc5d2a017f9d80bb5127c757d8f817b0a39c0e7c77557b45fc9e01206139305
+  metadata.gz: 2ace59188f2bcdf101d45cfc94d1924f469522d3d1e4d076e444d017804fee4ebd862163d7bb9e07358c289257a9d485ade42a28b4bbab4f7cbfd6b70e3612e2
+  data.tar.gz: 061ade3a431b2a6073971343a2a15403ec93628a99aecd0150cfa7eb97c69382879a2c4ee45d5525053adfb2bf4b9ada5107d811eceeba4fe71280add15717a8

data/CHANGELOG.md

@@ -1,3 +1,12 @@
+# v3.0.1
+
+ * The symmetric cipher class now encrypts and decrypts in a thread-safe manner.
+   [cyberark/slosilo#31](https://github.com/cyberark/slosilo/pull/31)
+
+# v3.0.0
+
+* Transition to Ruby 3. Consuming projects based on Ruby 2 shall use slosilo V2.X.X.
+
 # v2.2.2
 
 * Add rake task `slosilo:recalculate_fingerprints` which rehashes the fingerprints in the keystore.

data/Jenkinsfile

@@ -3,6 +3,10 @@
 pipeline {
   agent { label 'executor-v2' }
 
+  triggers {
+    cron(getDailyCronString())
+  }
+
   options {
     timestamps()
     buildDiscarder(logRotator(daysToKeepStr: '30'))
@@ -10,13 +14,22 @@ pipeline {
 
   stages {
     stage('Test') {
-      steps {
-        sh './test.sh'
+      parallel {
+        stage('Run tests on EE') {
+          agent { label 'executor-v2-rhel-ee' }
+          steps {
+            sh './test.sh'
+          }
+          post { always {
+            stash name: 'eeTestResults', includes: 'spec/reports/*.xml', allowEmpty:true
+          }}
+        }
 
-        junit 'spec/reports/*.xml'
-        cobertura coberturaReportFile: 'spec/coverage/coverage.xml'
-        sh 'cp spec/coverage/coverage.xml cobertura.xml'
-        ccCoverage("cobertura", "github.com/cyberark/slosilo")
+        stage('Run tests') {
+          steps {
+            sh './test.sh'
+          }
+        }
       }
     }
 
@@ -24,7 +37,6 @@ pipeline {
       agent { label 'executor-v2' }
       when {
         allOf {
-          branch 'master'
           expression {
             boolean publish = false
 
@@ -52,6 +64,14 @@ pipeline {
 
   post {
     always {
+      dir('ee-results'){
+        unstash 'eeTestResults'
+      }
+      junit 'spec/reports/*.xml, ee-results/spec/reports/*.xml'
+      cobertura coberturaReportFile: 'spec/coverage/coverage.xml'
+      sh 'cp spec/coverage/coverage.xml cobertura.xml'
+      ccCoverage("cobertura", "github.com/cyberark/slosilo")
+
       cleanupAndNotify(currentBuild.currentResult)
     }
   }

data/README.md

@@ -19,6 +19,9 @@ And then execute:
 
 ## Compatibility
 
+Version 3.0 introduced full transition to Ruby 3.
+Consumers who use slosilo in Ruby 2 projects, shall use slosilo V2.X.X.
+
 Version 2.0 introduced new symmetric encryption scheme using AES-256-GCM
 for authenticated encryption. It allows you to provide AAD on all symmetric
 encryption primitives. It's also **NOT COMPATIBLE** with CBC used in version <2.

data/dev/Dockerfile.dev

@@ -0,0 +1,7 @@
+FROM ruby
+
+COPY ./ /src/
+
+WORKDIR /src
+
+RUN bundle

data/dev/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '3'
+services:
+  dev:
+    build:
+      context: ..
+      dockerfile: dev/Dockerfile.dev
+    volumes:
+      - ../:/src

data/lib/slosilo/attr_encrypted.rb

@@ -26,7 +26,10 @@ module Slosilo
         aad = options[:aad]
         # note nil.to_s is "", which is exactly the right thing
         auth_data = aad.respond_to?(:to_proc) ? aad.to_proc : proc{ |_| aad.to_s }
-        raise ":aad proc must take one argument" unless auth_data.arity.abs == 1 # take abs to allow *args arity, -1
+
+        # In ruby 3 .arity for #proc returns both 1 and 2, depends on internal #proc
+        # This method is also being called with aad which is string, in such case the arity is 1
+        raise ":aad proc must take two arguments" unless (auth_data.arity.abs == 2 || auth_data.arity.abs == 1)
 
         # push a module onto the inheritance hierarchy
         # this allows calling super in classes

data/lib/slosilo/symmetric.rb

@@ -5,6 +5,7 @@ module Slosilo
 
     def initialize
       @cipher = OpenSSL::Cipher.new 'aes-256-gcm' # NB: has to be lower case for whatever reason.
+      @cipher_mutex = Mutex.new
     end
 
     # This lets us do a final sanity check in migrations from older encryption versions
@@ -13,14 +14,18 @@ module Slosilo
     end
 
     def encrypt plaintext, opts = {}
-      @cipher.reset
-      @cipher.encrypt
-      @cipher.key = (opts[:key] or raise("missing :key option"))
-      @cipher.iv = iv = random_iv
-      @cipher.auth_data = opts[:aad] || "" # Nothing good happens if you set this to nil, or don't set it at all
-      ctext = @cipher.update(plaintext) + @cipher.final
-      tag = @cipher.auth_tag(TAG_LENGTH)
-      "#{VERSION_MAGIC}#{tag}#{iv}#{ctext}"
+      # All of these operations in OpenSSL must occur atomically, so we
+      # synchronize their access to make this step thread-safe.
+      @cipher_mutex.synchronize do
+        @cipher.reset
+        @cipher.encrypt
+        @cipher.key = (opts[:key] or raise("missing :key option"))
+        @cipher.iv = iv = random_iv
+        @cipher.auth_data = opts[:aad] || "" # Nothing good happens if you set this to nil, or don't set it at all
+        ctext = @cipher.update(plaintext) + @cipher.final
+        tag = @cipher.auth_tag(TAG_LENGTH)
+        "#{VERSION_MAGIC}#{tag}#{iv}#{ctext}"
+      end
     end
 
     def decrypt ciphertext, opts = {}
@@ -28,19 +33,23 @@ module Slosilo
 
       raise "Invalid version magic: expected #{VERSION_MAGIC} but was #{version}" unless version == VERSION_MAGIC
 
-      @cipher.reset
-      @cipher.decrypt
-      @cipher.key = opts[:key]
-      @cipher.iv = iv
-      @cipher.auth_tag = tag
-      @cipher.auth_data = opts[:aad] || ""
-      @cipher.update(ctext) + @cipher.final
+      # All of these operations in OpenSSL must occur atomically, so we
+      # synchronize their access to make this step thread-safe.
+      @cipher_mutex.synchronize do
+        @cipher.reset
+        @cipher.decrypt
+        @cipher.key = opts[:key]
+        @cipher.iv = iv
+        @cipher.auth_tag = tag
+        @cipher.auth_data = opts[:aad] || ""
+        @cipher.update(ctext) + @cipher.final
+      end
     end
-    
+
     def random_iv
       @cipher.random_iv
     end
-    
+
     def random_key
       @cipher.random_key
     end

data/lib/slosilo/version.rb

@@ -1,3 +1,3 @@
 module Slosilo
-  VERSION = "2.2.2"
+  VERSION = "3.0.1"
 end

data/publish-rubygem.sh

@@ -2,10 +2,10 @@
 
 docker pull registry.tld/conjurinc/publish-rubygem
 
-docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd
+git clean -fxd
 
 summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
   docker run --rm --env-file @SUMMONENVFILE -v "$(pwd)":/opt/src \
   registry.tld/conjurinc/publish-rubygem slosilo
 
-docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd
+git clean -fxd

data/slosilo.gemspec

@@ -22,7 +22,7 @@ Gem::Specification.new do |gem|
   gem.name          = "slosilo"
   gem.require_paths = ["lib"]
   gem.version       = Slosilo::VERSION
-  gem.required_ruby_version = '>= 1.9.3'
+  gem.required_ruby_version = '>= 3.0.0'
 
   gem.add_development_dependency 'rake'
   gem.add_development_dependency 'rspec', '~> 3.0'

data/spec/sequel_adapter_spec.rb

@@ -30,13 +30,13 @@ describe Slosilo::Adapters::SequelAdapter do
   describe "#put_key" do
     let(:id) { "id" }
     it "creates the key" do
-      expect(model).to receive(:create).with id: id, key: key.to_der
+      expect(model).to receive(:create).with(hash_including(:id => id, :key => key.to_der))
       allow(model).to receive_messages columns: [:id, :key]
       subject.put_key id, key
     end
 
     it "adds the fingerprint if feasible" do
-      expect(model).to receive(:create).with id: id, key: key.to_der, fingerprint: key.fingerprint
+      expect(model).to receive(:create).with(hash_including(:id => id, :key => key.to_der, :fingerprint => key.fingerprint))
       allow(model).to receive_messages columns: [:id, :key, :fingerprint]
       subject.put_key id, key
     end

data/spec/symmetric_spec.rb

@@ -14,8 +14,29 @@ describe Slosilo::Symmetric do
       expect(subject.encrypt(plaintext, key: key, aad: auth_data)).to eq(ciphertext)
     end
   end
-  
+
   describe '#decrypt' do
+
+    it "doesn't fail when called by multiple threads" do
+      threads = []
+
+      begin
+        # Verify we can successfuly decrypt using many threads without OpenSSL
+        # errors.
+        1000.times do
+          threads << Thread.new do
+            100.times do
+              expect(
+                subject.decrypt(ciphertext, key: key, aad: auth_data)
+              ).to eq(plaintext)
+            end
+          end
+        end
+      ensure
+        threads.each(&:join)
+      end
+    end
+
     it "decrypts with AES-256-GCM" do
       expect(subject.decrypt(ciphertext, key: key, aad: auth_data)).to eq(plaintext)
     end
@@ -56,7 +77,7 @@ describe Slosilo::Symmetric do
       end
     end
   end
-  
+
   describe '#random_iv' do
     it "generates a random iv" do
       expect_any_instance_of(OpenSSL::Cipher).to receive(:random_iv).and_return :iv

data/test.sh

@@ -3,7 +3,7 @@
 iid=slosilo-test-$(date +%s)
 
 docker build -t $iid -f - . << EOF
-  FROM ruby
+  FROM ruby:3.0
   WORKDIR /app
   COPY Gemfile slosilo.gemspec ./
   RUN bundle

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: slosilo
 version: !ruby/object:Gem::Version
-  version: 2.2.2
+  version: 3.0.1
 platform: ruby
 authors:
 - Rafał Rzepecki
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-26 00:00:00.000000000 Z
+date: 2023-02-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -146,7 +146,6 @@ extra_rdoc_files: []
 files:
 - ".dockerignore"
 - ".github/CODEOWNERS"
-- ".github/PULL_REQUEST_TEMPLATE.md"
 - ".gitignore"
 - ".gitleaks.toml"
 - ".kateproject"
@@ -158,6 +157,8 @@ files:
 - README.md
 - Rakefile
 - SECURITY.md
+- dev/Dockerfile.dev
+- dev/docker-compose.yml
 - lib/slosilo.rb
 - lib/slosilo/adapters/abstract_adapter.rb
 - lib/slosilo/adapters/file_adapter.rb
@@ -199,14 +200,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 1.9.3
+      version: 3.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: Store SSL keys in a database

data/.github/PULL_REQUEST_TEMPLATE.md

@@ -1,21 +0,0 @@
-### What does this PR do?
-- _What's changed? Why were these changes made?_
-- _How should the reviewer approach this PR, especially if manual tests are required?_
-- _Are there relevant screenshots you can add to the PR description?_
-
-### What ticket does this PR close?
-Connected to #[relevant GitHub issues, eg 76]
-
-### Checklists
-
-#### Change log
-- [ ] The CHANGELOG has been updated, or
-- [ ] This PR does not include user-facing changes and doesn't require a CHANGELOG update
-
-#### Test coverage
-- [ ] This PR includes new unit and integration tests to go with the code changes, or
-- [ ] The changes in this PR do not require tests
-
-#### Documentation
-- [ ] Docs (e.g. `README`s) were updated in this PR, and/or there is a follow-on issue to update docs, or
-- [ ] This PR does not require updating any documentation