slosilo 3.0.0 → 3.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 81d8f2c013b6f88d01bd7dd4c44b39c7cf0ffaa9385afca3e7ea826dae0855c8
4
- data.tar.gz: acd627ef6ca45a404ce08c7bc680c8db7ea1ebdbe10d45b248ae09e59e804a02
3
+ metadata.gz: 239f3678eb01bdaf97f3c7c243740ff3cf8c1b8507833ea07b150380d5a79ee2
4
+ data.tar.gz: 2226342fa45964d0fb368712c6c181c3c587aa5a3e46bda6a780f19346cc4d0e
5
5
  SHA512:
6
- metadata.gz: '098a049570888513d10bf23edacfb8c566f605a08a9e918a2a06c15839d406b14696edaf76c49b84820d3c0fc1147b0f7f754c74fdad680a98f919d134cabcc7'
7
- data.tar.gz: 6cef96001fcc2932c23e106c732d9e7722afd2f6a8af11e99a023a49aa005bdc8ff9f3fa4ce278644b753acfe0e50953e14cf86114e78877368b95107a1126c0
6
+ metadata.gz: 2ace59188f2bcdf101d45cfc94d1924f469522d3d1e4d076e444d017804fee4ebd862163d7bb9e07358c289257a9d485ade42a28b4bbab4f7cbfd6b70e3612e2
7
+ data.tar.gz: 061ade3a431b2a6073971343a2a15403ec93628a99aecd0150cfa7eb97c69382879a2c4ee45d5525053adfb2bf4b9ada5107d811eceeba4fe71280add15717a8
data/CHANGELOG.md CHANGED
@@ -1,3 +1,8 @@
1
+ # v3.0.1
2
+
3
+ * The symmetric cipher class now encrypts and decrypts in a thread-safe manner.
4
+ [cyberark/slosilo#31](https://github.com/cyberark/slosilo/pull/31)
5
+
1
6
  # v3.0.0
2
7
 
3
8
  * Transition to Ruby 3. Consuming projects based on Ruby 2 shall use slosilo V2.X.X.
data/Jenkinsfile CHANGED
@@ -3,6 +3,10 @@
3
3
  pipeline {
4
4
  agent { label 'executor-v2' }
5
5
 
6
+ triggers {
7
+ cron(getDailyCronString())
8
+ }
9
+
6
10
  options {
7
11
  timestamps()
8
12
  buildDiscarder(logRotator(daysToKeepStr: '30'))
@@ -33,7 +37,6 @@ pipeline {
33
37
  agent { label 'executor-v2' }
34
38
  when {
35
39
  allOf {
36
- branch 'master'
37
40
  expression {
38
41
  boolean publish = false
39
42
 
@@ -0,0 +1,7 @@
1
+ FROM ruby
2
+
3
+ COPY ./ /src/
4
+
5
+ WORKDIR /src
6
+
7
+ RUN bundle
@@ -0,0 +1,8 @@
1
+ version: '3'
2
+ services:
3
+ dev:
4
+ build:
5
+ context: ..
6
+ dockerfile: dev/Dockerfile.dev
7
+ volumes:
8
+ - ../:/src
@@ -5,6 +5,7 @@ module Slosilo
5
5
 
6
6
  def initialize
7
7
  @cipher = OpenSSL::Cipher.new 'aes-256-gcm' # NB: has to be lower case for whatever reason.
8
+ @cipher_mutex = Mutex.new
8
9
  end
9
10
 
10
11
  # This lets us do a final sanity check in migrations from older encryption versions
@@ -13,14 +14,18 @@ module Slosilo
13
14
  end
14
15
 
15
16
  def encrypt plaintext, opts = {}
16
- @cipher.reset
17
- @cipher.encrypt
18
- @cipher.key = (opts[:key] or raise("missing :key option"))
19
- @cipher.iv = iv = random_iv
20
- @cipher.auth_data = opts[:aad] || "" # Nothing good happens if you set this to nil, or don't set it at all
21
- ctext = @cipher.update(plaintext) + @cipher.final
22
- tag = @cipher.auth_tag(TAG_LENGTH)
23
- "#{VERSION_MAGIC}#{tag}#{iv}#{ctext}"
17
+ # All of these operations in OpenSSL must occur atomically, so we
18
+ # synchronize their access to make this step thread-safe.
19
+ @cipher_mutex.synchronize do
20
+ @cipher.reset
21
+ @cipher.encrypt
22
+ @cipher.key = (opts[:key] or raise("missing :key option"))
23
+ @cipher.iv = iv = random_iv
24
+ @cipher.auth_data = opts[:aad] || "" # Nothing good happens if you set this to nil, or don't set it at all
25
+ ctext = @cipher.update(plaintext) + @cipher.final
26
+ tag = @cipher.auth_tag(TAG_LENGTH)
27
+ "#{VERSION_MAGIC}#{tag}#{iv}#{ctext}"
28
+ end
24
29
  end
25
30
 
26
31
  def decrypt ciphertext, opts = {}
@@ -28,19 +33,23 @@ module Slosilo
28
33
 
29
34
  raise "Invalid version magic: expected #{VERSION_MAGIC} but was #{version}" unless version == VERSION_MAGIC
30
35
 
31
- @cipher.reset
32
- @cipher.decrypt
33
- @cipher.key = opts[:key]
34
- @cipher.iv = iv
35
- @cipher.auth_tag = tag
36
- @cipher.auth_data = opts[:aad] || ""
37
- @cipher.update(ctext) + @cipher.final
36
+ # All of these operations in OpenSSL must occur atomically, so we
37
+ # synchronize their access to make this step thread-safe.
38
+ @cipher_mutex.synchronize do
39
+ @cipher.reset
40
+ @cipher.decrypt
41
+ @cipher.key = opts[:key]
42
+ @cipher.iv = iv
43
+ @cipher.auth_tag = tag
44
+ @cipher.auth_data = opts[:aad] || ""
45
+ @cipher.update(ctext) + @cipher.final
46
+ end
38
47
  end
39
-
48
+
40
49
  def random_iv
41
50
  @cipher.random_iv
42
51
  end
43
-
52
+
44
53
  def random_key
45
54
  @cipher.random_key
46
55
  end
@@ -1,3 +1,3 @@
1
1
  module Slosilo
2
- VERSION = "3.0.0"
2
+ VERSION = "3.0.1"
3
3
  end
data/publish-rubygem.sh CHANGED
@@ -2,10 +2,10 @@
2
2
 
3
3
  docker pull registry.tld/conjurinc/publish-rubygem
4
4
 
5
- docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd
5
+ git clean -fxd
6
6
 
7
7
  summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
8
8
  docker run --rm --env-file @SUMMONENVFILE -v "$(pwd)":/opt/src \
9
9
  registry.tld/conjurinc/publish-rubygem slosilo
10
10
 
11
- docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd
11
+ git clean -fxd
@@ -14,8 +14,29 @@ describe Slosilo::Symmetric do
14
14
  expect(subject.encrypt(plaintext, key: key, aad: auth_data)).to eq(ciphertext)
15
15
  end
16
16
  end
17
-
17
+
18
18
  describe '#decrypt' do
19
+
20
+ it "doesn't fail when called by multiple threads" do
21
+ threads = []
22
+
23
+ begin
24
+ # Verify we can successfuly decrypt using many threads without OpenSSL
25
+ # errors.
26
+ 1000.times do
27
+ threads << Thread.new do
28
+ 100.times do
29
+ expect(
30
+ subject.decrypt(ciphertext, key: key, aad: auth_data)
31
+ ).to eq(plaintext)
32
+ end
33
+ end
34
+ end
35
+ ensure
36
+ threads.each(&:join)
37
+ end
38
+ end
39
+
19
40
  it "decrypts with AES-256-GCM" do
20
41
  expect(subject.decrypt(ciphertext, key: key, aad: auth_data)).to eq(plaintext)
21
42
  end
@@ -56,7 +77,7 @@ describe Slosilo::Symmetric do
56
77
  end
57
78
  end
58
79
  end
59
-
80
+
60
81
  describe '#random_iv' do
61
82
  it "generates a random iv" do
62
83
  expect_any_instance_of(OpenSSL::Cipher).to receive(:random_iv).and_return :iv
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: slosilo
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.0.0
4
+ version: 3.0.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Rafał Rzepecki
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-02-01 00:00:00.000000000 Z
11
+ date: 2023-02-10 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -157,6 +157,8 @@ files:
157
157
  - README.md
158
158
  - Rakefile
159
159
  - SECURITY.md
160
+ - dev/Dockerfile.dev
161
+ - dev/docker-compose.yml
160
162
  - lib/slosilo.rb
161
163
  - lib/slosilo/adapters/abstract_adapter.rb
162
164
  - lib/slosilo/adapters/file_adapter.rb