slosilo 3.0.0 → 3.0.1

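--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 81d8f2c013b6f88d01bd7dd4c44b39c7cf0ffaa9385afca3e7ea826dae0855c8
- data.tar.gz: acd627ef6ca45a404ce08c7bc680c8db7ea1ebdbe10d45b248ae09e59e804a02
+ metadata.gz: 239f3678eb01bdaf97f3c7c243740ff3cf8c1b8507833ea07b150380d5a79ee2
+ data.tar.gz: 2226342fa45964d0fb368712c6c181c3c587aa5a3e46bda6a780f19346cc4d0e
  SHA512:
- metadata.gz: '098a049570888513d10bf23edacfb8c566f605a08a9e918a2a06c15839d406b14696edaf76c49b84820d3c0fc1147b0f7f754c74fdad680a98f919d134cabcc7'
- data.tar.gz: 6cef96001fcc2932c23e106c732d9e7722afd2f6a8af11e99a023a49aa005bdc8ff9f3fa4ce278644b753acfe0e50953e14cf86114e78877368b95107a1126c0
+ metadata.gz: 2ace59188f2bcdf101d45cfc94d1924f469522d3d1e4d076e444d017804fee4ebd862163d7bb9e07358c289257a9d485ade42a28b4bbab4f7cbfd6b70e3612e2
+ data.tar.gz: 061ade3a431b2a6073971343a2a15403ec93628a99aecd0150cfa7eb97c69382879a2c4ee45d5525053adfb2bf4b9ada5107d811eceeba4fe71280add15717a8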
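--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,8 @@
+ # v3.0.1
+
+ * The symmetric cipher class now encrypts and decrypts in a thread-safe manner.
+ [cyberark/slosilo#31](https://github.com/cyberark/slosilo/pull/31)
+
  # v3.0.0
 
  * Transition to Ruby 3. Consuming projects based on Ruby 2 shall use slosilo V2.X.X.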
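--- a/data/Jenkinsfile
+++ b/data/Jenkinsfile
@@ -3,6 +3,10 @@
  pipeline {
  agent { label 'executor-v2' }
 
+ triggers {
+ cron(getDailyCronString())
+ }
+
  options {
  timestamps()
  buildDiscarder(logRotator(daysToKeepStr: '30'))
@@ -33,7 +37,6 @@ pipeline {
  agent { label 'executor-v2' }
  when {
  allOf {
- branch 'master'
  expression {
  boolean publish = false
 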
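Review bot: With `branch 'master'` dropped from the `allOf` in the second hunk, the gate on what appears to be the publish stage now rests entirely on the `expression` block, whose body continues outside the hunk. If that expression does not itself restrict which ref is being built, a build of any branch that satisfies it could reach the publish step and the RubyGems credential it uses. Either keep a ref condition next to the expression or record the intent in a comment above it, e.g. `// publish gate: <condition checked below>; replaces the former branch 'master' restriction`.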
@@ -0,0 +1,7 @@
1
+ FROM ruby
2
+
3
+ COPY ./ /src/
4
+
5
+ WORKDIR /src
6
+
7
+ RUN bundle
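Review bot: `FROM ruby` carries no tag or digest, so every build resolves to whatever the default tag points at on that day and the dev image is not reproducible. Pin it to the Ruby 3 release the gem is tested against, `FROM ruby:<version>` (placeholder), or to a digest. `COPY ./ /src/` also takes the whole build context, which the compose file sets to `..`; a `.dockerignore` would keep `.git` and any local credential files out of the image layers.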
@@ -0,0 +1,8 @@
1
+ version: '3'
2
+ services:
3
+ dev:
4
+ build:
5
+ context: ..
6
+ dockerfile: dev/Dockerfile.dev
7
+ volumes:
8
+ - ../:/src
@@ -5,6 +5,7 @@ module Slosilo
5
5
 
6
6
  def initialize
7
7
  @cipher = OpenSSL::Cipher.new 'aes-256-gcm' # NB: has to be lower case for whatever reason.
8
+ @cipher_mutex = Mutex.new
8
9
  end
9
10
 
10
11
  # This lets us do a final sanity check in migrations from older encryption versions
@@ -13,14 +14,18 @@ module Slosilo
13
14
  end
14
15
 
15
16
  def encrypt plaintext, opts = {}
16
- @cipher.reset
17
- @cipher.encrypt
18
- @cipher.key = (opts[:key] or raise("missing :key option"))
19
- @cipher.iv = iv = random_iv
20
- @cipher.auth_data = opts[:aad] || "" # Nothing good happens if you set this to nil, or don't set it at all
21
- ctext = @cipher.update(plaintext) + @cipher.final
22
- tag = @cipher.auth_tag(TAG_LENGTH)
23
- "#{VERSION_MAGIC}#{tag}#{iv}#{ctext}"
17
+ # All of these operations in OpenSSL must occur atomically, so we
18
+ # synchronize their access to make this step thread-safe.
19
+ @cipher_mutex.synchronize do
20
+ @cipher.reset
21
+ @cipher.encrypt
22
+ @cipher.key = (opts[:key] or raise("missing :key option"))
23
+ @cipher.iv = iv = random_iv
24
+ @cipher.auth_data = opts[:aad] || "" # Nothing good happens if you set this to nil, or don't set it at all
25
+ ctext = @cipher.update(plaintext) + @cipher.final
26
+ tag = @cipher.auth_tag(TAG_LENGTH)
27
+ "#{VERSION_MAGIC}#{tag}#{iv}#{ctext}"
28
+ end
24
29
  end
25
30
 
26
31
  def decrypt ciphertext, opts = {}
@@ -28,19 +33,23 @@ module Slosilo
28
33
 
29
34
  raise "Invalid version magic: expected #{VERSION_MAGIC} but was #{version}" unless version == VERSION_MAGIC
30
35
 
31
- @cipher.reset
32
- @cipher.decrypt
33
- @cipher.key = opts[:key]
34
- @cipher.iv = iv
35
- @cipher.auth_tag = tag
36
- @cipher.auth_data = opts[:aad] || ""
37
- @cipher.update(ctext) + @cipher.final
36
+ # All of these operations in OpenSSL must occur atomically, so we
37
+ # synchronize their access to make this step thread-safe.
38
+ @cipher_mutex.synchronize do
39
+ @cipher.reset
40
+ @cipher.decrypt
41
+ @cipher.key = opts[:key]
42
+ @cipher.iv = iv
43
+ @cipher.auth_tag = tag
44
+ @cipher.auth_data = opts[:aad] || ""
45
+ @cipher.update(ctext) + @cipher.final
46
+ end
38
47
  end
39
-
48
+
40
49
  def random_iv
41
50
  @cipher.random_iv
42
51
  end
43
-
52
+
44
53
  def random_key
45
54
  @cipher.random_key
46
55
  end
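Review bot: `random_iv` and `random_key` at the end of this section still call `@cipher.random_iv` and `@cipher.random_key` outside `@cipher_mutex`, and in Ruby's OpenSSL binding both methods set the generated value on the cipher object as well as returning it. A thread calling the public `random_key` or `random_iv` while another thread is between `@cipher.key =` and `@cipher.final` in `encrypt` or `decrypt` would replace the key or IV in the middle of that operation. Taking the mutex inside these two methods is not an option, because `encrypt` calls `random_iv` while already holding the non-reentrant lock. Generating the bytes without touching cipher state avoids both problems: `OpenSSL::Random.random_bytes(@cipher.iv_len)` and `OpenSSL::Random.random_bytes(@cipher.key_len)`; the `#random_iv` spec that stubs `OpenSSL::Cipher#random_iv` would need to follow. The start of `decrypt` lies outside the hunk, so how `tag` and `iv` are parsed and length-checked could not be reviewed.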
@@ -1,3 +1,3 @@
1
1
  module Slosilo
2
- VERSION = "3.0.0"
2
+ VERSION = "3.0.1"
3
3
  end
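--- a/data/publish-rubygem.sh
+++ b/data/publish-rubygem.sh
@@ -2,10 +2,10 @@
 
  docker pull registry.tld/conjurinc/publish-rubygem
 
- docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd
+ git clean -fxd
 
  summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
  docker run --rm --env-file @SUMMONENVFILE -v "$(pwd)":/opt/src \
  registry.tld/conjurinc/publish-rubygem slosilo
 
- docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd
+ git clean -fxd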
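Review bot: The exit status of the first `git clean -fxd` is not checked in the visible lines, and that command is what keeps untracked and ignored files out of the tree that is mounted at `/opt/src` and packaged. If line 1 of the script, which is outside the hunk, does not enable `-e`, a failed clean would still proceed to publish; `git clean -fxd || exit 1` makes the dependency explicit. Running the clean on the host also assumes the build agent has git installed and can delete everything in the workspace, including files a container may have written as another user. That last part is inferred, since the container's user is not shown.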
@@ -14,8 +14,29 @@ describe Slosilo::Symmetric do
14
14
  expect(subject.encrypt(plaintext, key: key, aad: auth_data)).to eq(ciphertext)
15
15
  end
16
16
  end
17
-
17
+
18
18
  describe '#decrypt' do
19
+
20
+ it "doesn't fail when called by multiple threads" do
21
+ threads = []
22
+
23
+ begin
24
+ # Verify we can successfuly decrypt using many threads without OpenSSL
25
+ # errors.
26
+ 1000.times do
27
+ threads << Thread.new do
28
+ 100.times do
29
+ expect(
30
+ subject.decrypt(ciphertext, key: key, aad: auth_data)
31
+ ).to eq(plaintext)
32
+ end
33
+ end
34
+ end
35
+ ensure
36
+ threads.each(&:join)
37
+ end
38
+ end
39
+
19
40
  it "decrypts with AES-256-GCM" do
20
41
  expect(subject.decrypt(ciphertext, key: key, aad: auth_data)).to eq(plaintext)
21
42
  end
@@ -56,7 +77,7 @@ describe Slosilo::Symmetric do
56
77
  end
57
78
  end
58
79
  end
59
-
80
+
60
81
  describe '#random_iv' do
61
82
  it "generates a random iv" do
62
83
  expect_any_instance_of(OpenSSL::Cipher).to receive(:random_iv).and_return :iv
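Review bot: The new thread test in `describe '#decrypt'` exercises only `decrypt`, while `encrypt` received the same mutex in this release and has no concurrent coverage. A race in `encrypt` would not necessarily raise an OpenSSL error; it could return ciphertext produced under another call's key, IV or AAD, so it needs a round-trip assertion rather than an absence-of-errors check. A test along the lines below, placed in a group that does not stub `random_iv` (the `#encrypt` group appears to, but its setup is outside the hunk), would cover it.

```ruby
it "round-trips when encrypt and decrypt run on multiple threads" do
  workers = Array.new(20) do
    Thread.new do
      50.times do
        sealed = subject.encrypt(plaintext, key: key, aad: auth_data)
        expect(subject.decrypt(sealed, key: key, aad: auth_data)).to eq(plaintext)
      end
    end
  end
  workers.each(&:join)
end
```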
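--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: slosilo
  version: !ruby/object:Gem::Version
- version: 3.0.0
+ version: 3.0.1
  platform: ruby
  authors:
  - Rafał Rzepecki
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-02-01 00:00:00.000000000 Z
+ date: 2023-02-10 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rake
@@ -157,6 +157,8 @@ files:
  - README.md
  - Rakefile
  - SECURITY.md
+ - dev/Dockerfile.dev
+ - dev/docker-compose.yml
  - lib/slosilo.rb
  - lib/slosilo/adapters/abstract_adapter.rb
  - lib/slosilo/adapters/file_adapter.rb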