slosilo 3.0.0 → 3.0.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/Jenkinsfile +4 -1
- data/dev/Dockerfile.dev +7 -0
- data/dev/docker-compose.yml +8 -0
- data/lib/slosilo/symmetric.rb +26 -17
- data/lib/slosilo/version.rb +1 -1
- data/publish-rubygem.sh +2 -2
- data/spec/symmetric_spec.rb +23 -2
- metadata +4 -2
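--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 239f3678eb01bdaf97f3c7c243740ff3cf8c1b8507833ea07b150380d5a79ee2
+data.tar.gz: 2226342fa45964d0fb368712c6c181c3c587aa5a3e46bda6a780f19346cc4d0e
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2ace59188f2bcdf101d45cfc94d1924f469522d3d1e4d076e444d017804fee4ebd862163d7bb9e07358c289257a9d485ade42a28b4bbab4f7cbfd6b70e3612e2
+data.tar.gz: 061ade3a431b2a6073971343a2a15403ec93628a99aecd0150cfa7eb97c69382879a2c4ee45d5525053adfb2bf4b9ada5107d811eceeba4fe71280add15717a8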
data/CHANGELOG.md
CHANGED
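--- a/data/Jenkinsfile
+++ b/data/Jenkinsfile
@@ -3,6 +3,10 @@
 pipeline {
 agent { label 'executor-v2' }
 
+triggers {
+cron(getDailyCronString())
+}
+
 options {
 timestamps()
 buildDiscarder(logRotator(daysToKeepStr: '30'))
@@ -33,7 +37,6 @@ pipeline {
 agent { label 'executor-v2' }
 when {
 allOf {
-branch 'master'
 expression {
 boolean publish = false
 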
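Review bot: With `branch 'master'` dropped from the `allOf` in the second hunk, nothing visible in this `when` block restricts the stage to a release branch any more, and the first hunk adds a daily `cron(getDailyCronString())` trigger on top of that. The `expression { boolean publish = false … }` body continues outside the hunk, so the restriction may already be enforced there; if it is not, a feature-branch or timer-triggered build could reach a stage that, judging by the `publish` flag, runs with the gem-publishing credential. I would keep an explicit gate beside the expression, for example `anyOf { branch 'master'; buildingTag() }`, and exclude scheduled runs with `not { triggeredBy 'TimerTrigger' }`.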
data/dev/Dockerfile.dev
ADDED
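--- a/data/lib/slosilo/symmetric.rb
+++ b/data/lib/slosilo/symmetric.rb
@@ -5,6 +5,7 @@ module Slosilo
 
 def initialize
 @cipher = OpenSSL::Cipher.new 'aes-256-gcm' # NB: has to be lower case for whatever reason.
+@cipher_mutex = Mutex.new
 end
 
 # This lets us do a final sanity check in migrations from older encryption versions
@@ -13,14 +14,18 @@ module Slosilo
 end
 
 def encrypt plaintext, opts = {}
-
-
-@
-
-
-
-
-
+# All of these operations in OpenSSL must occur atomically, so we
+# synchronize their access to make this step thread-safe.
+@cipher_mutex.synchronize do
+@cipher.reset
+@cipher.encrypt
+@cipher.key = (opts[:key] or raise("missing :key option"))
+@cipher.iv = iv = random_iv
+@cipher.auth_data = opts[:aad] || "" # Nothing good happens if you set this to nil, or don't set it at all
+ctext = @cipher.update(plaintext) + @cipher.final
+tag = @cipher.auth_tag(TAG_LENGTH)
+"#{VERSION_MAGIC}#{tag}#{iv}#{ctext}"
+end
 end
 
 def decrypt ciphertext, opts = {}
@@ -28,19 +33,23 @@ module Slosilo
 
 raise "Invalid version magic: expected #{VERSION_MAGIC} but was #{version}" unless version == VERSION_MAGIC
 
-
-
-@
-
-
-
-
+# All of these operations in OpenSSL must occur atomically, so we
+# synchronize their access to make this step thread-safe.
+@cipher_mutex.synchronize do
+@cipher.reset
+@cipher.decrypt
+@cipher.key = opts[:key]
+@cipher.iv = iv
+@cipher.auth_tag = tag
+@cipher.auth_data = opts[:aad] || ""
+@cipher.update(ctext) + @cipher.final
+end
 end
-
+
 def random_iv
 @cipher.random_iv
 end
-
+
 def random_key
 @cipher.random_key
 end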
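Review bot: `random_iv` and `random_key` at the end of the last hunk still call `@cipher.random_iv` / `@cipher.random_key` without the new mutex, and in Ruby's OpenSSL binding both methods also assign the generated value to the cipher they are called on. A caller generating a key on one thread can therefore replace the key or IV of an `encrypt`/`decrypt` that is part-way through its synchronized block on another thread, which is the interleaving the mutex was added to prevent. Taking the mutex inside `random_iv` is not an option, because `encrypt` calls it while already holding the lock and Ruby's `Mutex` is not re-entrant; generating the bytes without touching the shared cipher avoids both problems: `OpenSSL::Random.random_bytes(@cipher.iv_len)` and `OpenSSL::Random.random_bytes(@cipher.key_len)`. The `#random_iv` spec that stubs `OpenSSL::Cipher#random_iv` would need updating, and the class body starts and ends outside these hunks, so the visibility of the two methods should be confirmed.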
data/lib/slosilo/version.rb
CHANGED
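--- a/data/publish-rubygem.sh
+++ b/data/publish-rubygem.sh
@@ -2,10 +2,10 @@
 
 docker pull registry.tld/conjurinc/publish-rubygem
 
-
+git clean -fxd
 
 summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
 docker run --rm --env-file @SUMMONENVFILE -v "$(pwd)":/opt/src \
 registry.tld/conjurinc/publish-rubygem slosilo
 
-
+git clean -fxd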
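--- a/data/spec/symmetric_spec.rb
+++ b/data/spec/symmetric_spec.rb
@@ -14,8 +14,29 @@ describe Slosilo::Symmetric do
 expect(subject.encrypt(plaintext, key: key, aad: auth_data)).to eq(ciphertext)
 end
 end
-
+
 describe '#decrypt' do
+
+it "doesn't fail when called by multiple threads" do
+threads = []
+
+begin
+# Verify we can successfuly decrypt using many threads without OpenSSL
+# errors.
+1000.times do
+threads << Thread.new do
+100.times do
+expect(
+subject.decrypt(ciphertext, key: key, aad: auth_data)
+).to eq(plaintext)
+end
+end
+end
+ensure
+threads.each(&:join)
+end
+end
+
 it "decrypts with AES-256-GCM" do
 expect(subject.decrypt(ciphertext, key: key, aad: auth_data)).to eq(plaintext)
 end
@@ -56,7 +77,7 @@ describe Slosilo::Symmetric do
 end
 end
 end
-
+
 describe '#random_iv' do
 it "generates a random iv" do
 expect_any_instance_of(OpenSSL::Cipher).to receive(:random_iv).and_return :iv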
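Review bot: The new thread test under `describe '#decrypt'` only ever runs `decrypt` concurrently, so the mutex added around `encrypt` and the interaction between the two modes on one shared cipher are not exercised. A regression that dropped the lock in `encrypt`, or let an encrypt and a decrypt interleave, would still pass this spec. Inside the same thread loop a round trip such as `expect(subject.decrypt(subject.encrypt(plaintext, key: key, aad: auth_data), key: key, aad: auth_data)).to eq(plaintext)` would cover both paths; 1000 threads of 100 iterations each is also heavier than needed to surface the race and could be reduced. The `describe` block continues outside the hunk.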
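--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: slosilo
 version: !ruby/object:Gem::Version
-version: 3.0.
+version: 3.0.1
 platform: ruby
 authors:
 - Rafał Rzepecki
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2023-02-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
@@ -157,6 +157,8 @@ files:
 - README.md
 - Rakefile
 - SECURITY.md
+- dev/Dockerfile.dev
+- dev/docker-compose.yml
 - lib/slosilo.rb
 - lib/slosilo/adapters/abstract_adapter.rb
 - lib/slosilo/adapters/file_adapter.rb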