snowden 0.9.0

data/.gitignore

@@ -0,0 +1,20 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+tags
+bundle
+bin

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format progress

data/Gemfile

@@ -0,0 +1,13 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in snowden.gemspec
+gemspec
+
+gem "rspec-expectations", :github => "rspec/rspec-expectations"
+gem "rspec-mocks", :github => "rspec/rspec-mocks"
+gem "rspec-core", :github => "rspec/rspec-core"
+gem "redis"
+gem "hiredis"
+gem "redis_gun"
+gem "simplecov"
+gem "yard"

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Cambridge Healthcare Ltd.
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,151 @@
+# Snowden
+
+Snowden is a gem for managing encrypted search indices. It can do fuzzy search
+on text indices and supports pluggable backends.
+
+**Snowden currently sits at version `0.9.0`, we want some feedback before
+making the API concrete. That said, we're pretty happy with this and using it
+in production. Please send issues/pull requests if you have problems.**
+
+The basic idea behind Snowden is captured in
+[this paper](http://www.cs.cityu.edu.hk/~congwang/papers/INFOCOM10-search.pdf).
+
+The search algorithm works by encrypting "wildcard strings" over the key in
+the index that you're trying to encrypt. When you search you construct a wildcard
+set over your search term. You encrypt the search wildcard set, and this
+will produce a matching encrypted value in the stored wildcard set if any
+of the wildcards overlap.
+
+An example of this can be seen below:
+
+```
+Store: "bacon"
+
+Wildcard set (size 1):
+
+["bacon", "*bacon", "b*acon", "ba*con", "bac*on", "baco*n", "bacon*", "*acon", "b*con", "ba*on", "bac*n", "baco*"]
+
+Search: "baco":
+
+Wildcard set (size 1):
+
+["baco", "*baco", "b*aco", "ba*co", "bac*o", "baco*", "*aco", "b*co", "ba*o", "bac*"]
+
+Matches:
+
+["baco*"]
+```
+
+The encryption we use for keys encrypts the same string as the same value
+so this match can happen without the values being decrypted.
+
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'snowden'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install snowden
+
+## Usage
+
+```ruby
+require 'snowden'
+
+# 256 bit aes with 128 bit block
+aes_key = "a"*(256/8)
+aes_iv  = "b"*(128/8)
+
+index    = Snowden.new_encrypted_index(aes_key, aes_iv, Snowden::Backends::HashBackend.new)
+searcher = Snowden.new_encrypted_searcher(aes_key, aes_iv, index)
+
+index.store("bacon", "bits")
+
+searcher.search("bac")
+# => ["bits"]
+```
+
+## Backends and namespacing
+
+Snowden supports multiple backends for storing your encrypted search indices,
+two backends are provided as part of the gem:
+
+* An in memory hash backend `Snowden::Backends::HashBackend`
+* A redis backend `Snowden::Backends::RedisBackend`
+
+Both support taking a namespace, which allows you to store multiple different
+encrypted indices in the same store. The redis backend also takes a
+`Redis` object from the [redis](https://github.com/redis/redis-rb) gem to serve
+as its connection to the redis server.
+
+An example of the use of the redis backend is:
+
+```ruby
+require "redis"
+
+redis = Redis.new(:driver => :hiredis)
+redis_backend = Snowden::Backends::RedisBackend.new("index_namespace", redis)
+
+aes_key = OpenSSL::Random.random_bytes(256/8)
+aes_iv = OpenSSL::Random.random_bytes(128/8)
+
+index = Snowden.new_encrypted_index(aes_key, aes_iv, redis_backend)
+#...
+```
+
+
+## Configuration
+
+Snowden has a core configuration object that allows you to change various
+aspects of the gem's operation.
+
+###Changing the cipher used by Snowden
+
+```ruby
+Snowden.configuration.cipher_spec = "RC4"
+
+#Sometime later:
+index = Snowden.new_encrypted_index(key, iv, Snowden::Backends::HashBackend.new)
+```
+
+For a complete list of possible ciphers you can use this snippet in `irb`
+
+```ruby
+OpenSSL::Cipher.ciphers.each do |c| p c end; nil
+```
+
+The default cipher in Snowden is `AES-256-CBC` which we believe to be secure
+enough for our purposes, your mileage may vary.
+
+32 bytes of random padding are added to the front of ciphertexts in Snowden to
+prevent the same value stored under many different index keys being
+diffentiable when encrypted under the same key and IV.
+
+##Implementing your own backends
+
+A Snowden backend is a ruby class that:
+
+* Can be constructed with a namespace
+* Responds to `#save(key, value)` which returns nil
+* Responds to `#find(key)` which returns all the values saved under that key
+
+The two backends built into Snowden (in `lib/snowden/backends`) serve as
+reference implementations of Snowden backends.
+
+## Contributing
+
+Please note: you need to have a redis server running on the default port to
+run the specs, this is for integration testing the `RedisBackend` class.
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/lib/snowden.rb

@@ -0,0 +1,76 @@
+require "snowden/backends/hash_backend"
+require "snowden/backends/redis_backend"
+require "snowden/configuration"
+require "snowden/crypto"
+require "snowden/wildcard_generator"
+require "snowden/encrypted_search_index"
+require "snowden/encrypted_searcher"
+
+module Snowden
+  # A handle to the Snowden configuration object used elsewhere in the gem
+  #
+  # @return [Snowden::Configuration] the configuration object
+  def self.configuration
+    @configuration ||= Snowden::Configuration.new
+  end
+
+  # Creates a new index that will encrypt keys and values stored within it
+  #
+  # @param key [String]
+  #   a bytestring key for the underlying encryption algorithm.
+  #
+  # @param iv  [String]
+  #   a bytestring iv for the underlying encryption algorithm.
+  #
+  # @param backend [Snowden::Backend]
+  #   an object that implements the snowden backend protocol.
+  #
+  # @return [Snowden::EncryptedSearchIndex]
+  #   a snowden index to store values in.
+  #
+  def self.new_encrypted_index(key, iv, backend)
+    EncryptedSearchIndex.new(
+      :crypto             => crypto_for(key, iv),
+      :backend            => backend,
+      :wildcard_generator => wildcard_generator,
+    )
+  end
+
+  # Creates a new searcher for a snowden index
+  #
+  # @param key [String]
+  #   a bytestring key for the underlying encryption algorithm.
+  #   Note: the key and iv must match the ones passed to create the index
+  #
+  # @param iv [String]
+  #   a bytestring iv for the underlying encryption algorithm.
+  #   Note: the key and iv must match the ones passed to create the index
+  #
+  # @param index [Snowden::EncryptedSearchIndex]
+  #   the index to search.
+  #
+  # @return [Snowden::EncryptedSearcher]
+  #   a searcher for the index.
+  def self.new_encrypted_searcher(key, iv, index)
+    EncryptedSearcher.new(
+      :crypto             => crypto_for(key, iv),
+      :index              => index,
+      :wildcard_generator => wildcard_generator,
+    )
+  end
+
+  private
+
+  def self.wildcard_generator
+    WildcardGenerator.new(:edit_distance => configuration.edit_distance)
+  end
+
+  def self.crypto_for(key, iv)
+    Crypto.new(
+      :key          => key,
+      :iv           => iv,
+      :cipher_spec  => configuration.cipher_spec,
+      :padding_size => configuration.padding_byte_size
+    )
+  end
+end

data/lib/snowden/backends/hash_backend.rb

@@ -0,0 +1,41 @@
+module Snowden
+  module Backends
+    #@api private
+    SNOWDEN_BACKEND_HASH = {}
+
+    class HashBackend
+      #Creates a new redis backend
+      #
+      # @param namespace [String] the string this backend is namespaced under.
+      # @param hash     [Hash] a Hash object instance to save values in.
+      def initialize(namespace="", hash=SNOWDEN_BACKEND_HASH)
+        @namespace = namespace
+        @hash      = hash
+      end
+
+      #Saves a value in this index
+      #
+      # @param key   [String] the string key to save the value under.
+      # @param value [String] the value to save.
+      def save(key, value)
+        @hash[namespaced_key(key)] ||= []
+        @hash[namespaced_key(key)] << value
+        nil
+      end
+
+      #Finds a value in this index
+      #
+      # @param key [String] the string key to search the index for.
+      # @return [ [String] ] a list of strings that matched the namespaced key.
+      def find(key)
+        @hash.fetch(namespaced_key(key), [])
+      end
+
+      private
+
+      def namespaced_key(key)
+        [@namespace, key]
+      end
+    end
+  end
+end

data/lib/snowden/backends/redis_backend.rb

@@ -0,0 +1,42 @@
+require "redis"
+
+module Snowden
+  module Backends
+    class RedisBackend
+      #Creates a new redis backend
+      #
+      # @param namespace [String] the string this backend is namespaced under.
+      # @param redis     [Redis] a Redis object instance to talk to a redis
+      #                          database.
+      def initialize(namespace="", redis=Redis.new(:driver => :hiredis))
+        @namespace = namespace
+        @redis     = redis
+      end
+
+      #Saves a value in this index
+      #
+      # @param key   [String] the string key to save the value under.
+      # @param value [String] the value to save.
+      def save(key, value)
+        redis.lpush(namespaced_key(key), value)
+        nil
+      end
+
+      #Finds a value in this index
+      #
+      # @param key [String] the string key to search the index for.
+      # @return [ [String] ] a list of strings that matched the namespaced key.
+      def find(key)
+        redis.lrange(namespaced_key(key), 0, -1)
+      end
+
+      private
+
+      def namespaced_key(key)
+        namespace + ":" + key
+      end
+
+      attr_reader :redis, :namespace
+    end
+  end
+end

data/lib/snowden/configuration.rb

@@ -0,0 +1,28 @@
+module Snowden
+  #The object that holds all the configuration details for Snowden
+  #@attr edit_distance [Integer] the size of the edit distance sets that
+  #                              are created when searching and
+  #                              storing strings.
+  #                              See an example at:
+  #                              https://gist.github.com/samphippen/6621771.
+  #                              Defaults to 3.
+  #
+  #@attr cipher_spec [String] an OpenSSL cipher spec to use with Snowden.
+  #                           Defaults to "AES-256-CBC".
+  #
+  #@attr padding_byte_size [Integer] the amount of random padding to add to
+  #                                  values stored in the index. Defaults to 32.
+  #                                  Change at your own risk.
+  #                                  Never set to lower than 2 blocks if you're
+  #                                  using a block cipher.
+  class Configuration
+    attr_accessor :edit_distance, :cipher_spec, :padding_byte_size, :backend
+
+    #Sets up the configuration object
+    def initialize
+      @edit_distance     = 3
+      @cipher_spec       = "AES-256-CBC"
+      @padding_byte_size = 32
+    end
+  end
+end

data/lib/snowden/crypto.rb

@@ -0,0 +1,46 @@
+require "openssl"
+
+module Snowden
+  #@api private
+  class Crypto
+    def initialize(args)
+      @key          = args.fetch(:key)
+      @iv           = args.fetch(:iv)
+      @cipher_spec  = args.fetch(:cipher_spec)
+      @padding_size = args.fetch(:padding_size)
+    end
+
+    def decrypt(data)
+      cipher(:decrypt, data)
+    end
+
+    def encrypt(data)
+      cipher(:encrypt, data)
+    end
+
+    def padded_encrypt(data)
+      encrypt(OpenSSL::Random.random_bytes(padding_size) + data)
+    end
+
+    def padded_decrypt(data)
+      decrypt(data)[padding_size..-1]
+    end
+
+    private
+
+    attr_reader :key, :iv, :cipher_spec, :padding_size
+
+    def cipher(mode, data)
+      c = symmetric_cipher
+      c.public_send(mode)
+      c.key = key
+      c.iv  = iv
+
+      c.update(data) + c.final
+    end
+
+    def symmetric_cipher
+      OpenSSL::Cipher::Cipher.new(cipher_spec)
+    end
+  end
+end

data/lib/snowden/encrypted_search_index.rb

@@ -0,0 +1,53 @@
+module Snowden
+  class EncryptedSearchIndex
+    #Creates a new search index
+    #
+    # @param args [Hash]
+    #   A hash that must contain the following keys:
+    #     * :crypto - an instance of Snowden::Crypto primed with some key and
+    #                 iv
+    #     * :backend - a Snowden::Backends compatible backend.
+    #     * :wildcard_generator - an instance of Snowden::WildcardGenerator
+    def initialize(args)
+      @crypto             = args.fetch(:crypto)
+      @backend            = args.fetch(:backend)
+      @wildcard_generator = args.fetch(:wildcard_generator)
+    end
+
+    #Stores a value under the key
+    #
+    # @param key [String] the key to store the value under
+    # @param value [String] the value to store in the key
+    #
+    # @return nil
+    def store(key, value)
+      wildcard_generator.wildcards(key).each do |wildcard|
+        backend.save(encrypt_key(wildcard), encrypt_value(value))
+      end
+      nil
+    end
+
+    # Looks up the key in the backend
+    #
+    # @api private
+    #
+    # @param key [String] the key to look up in the backend. Note: the key does
+    #                     not have wildcarding applied to it. Calling this
+    #                     method directly is probably a bad idea.
+    def search(key)
+      backend.find(key)
+    end
+
+    private
+
+    attr_reader :backend, :crypto, :wildcard_generator, :bytestream_generator
+
+    def encrypt_key(key)
+      crypto.encrypt(key)
+    end
+
+    def encrypt_value(value)
+      crypto.padded_encrypt(value)
+    end
+  end
+end

data/lib/snowden/encrypted_searcher.rb

@@ -0,0 +1,40 @@
+module Snowden
+  class EncryptedSearcher
+    #Creates a new search index
+    #
+    # @param args [Hash]
+    #   A hash that must contain the following keys:
+    #     * :crypto - an instance of Snowden::Crypto primed with some key and
+    #                 iv. Note: the key and iv this crypto uses must match the
+    #                 ones used by the index
+    #     * :index - a Snowden::EncryptedSearchIndex instance .
+    #     * :wildcard_generator - an instance of Snowden::WildcardGenerator
+    def initialize(args)
+      @crypto             = args.fetch(:crypto)
+      @index              = args.fetch(:index)
+      @wildcard_generator = args.fetch(:wildcard_generator)
+    end
+
+    # Looks up the search string in the index.
+    #
+    # @param search_string [String] the string to search the index for
+    #
+    # @return [ [String] ] a list of strings that were matched by the search
+    #                      string in the index.
+    def search(search_string)
+      wildcard_generator.wildcards(search_string).flat_map { |wildcard|
+        encrypted_values = encrypted_values_for_key(wildcard)
+        encrypted_values.map {|v| crypto.padded_decrypt(v) }
+      }.uniq
+    end
+
+    private
+
+    attr_reader :wildcard_generator, :crypto, :index, :padding_size
+
+    def encrypted_values_for_key(key)
+      encrypted_key = crypto.encrypt(key)
+      index.search(encrypted_key)
+    end
+  end
+end

data/lib/snowden/version.rb

@@ -0,0 +1,3 @@
+module Snowden
+  VERSION = "0.9.0"
+end

data/lib/snowden/wildcard_generator.rb

@@ -0,0 +1,39 @@
+module Snowden
+  class WildcardGenerator
+    def initialize(args)
+      @edit_distance = args.fetch(:edit_distance)
+    end
+
+    # @api private
+    def wildcards(string)
+      wildcards = [string]
+      edit_distance.times do
+        wildcards = add_wildcard_layer(wildcards)
+      end
+
+      wildcards = wildcards.uniq
+
+      wildcards.to_enum
+    end
+
+    private
+
+    attr_reader :edit_distance
+
+    def add_wildcard_layer(list_of_strings)
+      list_of_strings.map {|s| base_wildcards(s) }.flatten
+    end
+
+    def base_wildcards(string)
+      string_range = (0..string.length)
+
+      [string]
+        .concat(string_range.map { |i| string.dup.insert(i, wildcard_char) })
+        .concat(string_range.map { |i| string.dup.tap { |s| s[i] = wildcard_char } })
+    end
+
+    def wildcard_char
+      "*"
+    end
+  end
+end

data/snowden.gemspec

@@ -0,0 +1,26 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'snowden/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "snowden"
+  spec.version       = Snowden::VERSION
+  spec.authors       = ["Sam Phippen", "Stephen Best"]
+  spec.email         = ["samphippen@googlemail.com", "stephen@howareyou.com"]
+  spec.description   = %q{Fuzzy encrypted indexes in ruby}
+  spec.summary       = %q{Fuzzy encrypted indexes in ruby}
+  spec.homepage      = "http://github.com/cambridge-healthcare/snowden"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "redis"
+  spec.add_dependency "hiredis"
+
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rake"
+end

data/spec/readme_spec.rb

@@ -0,0 +1,47 @@
+require "spec_helper"
+require "redis"
+require 'snowden'
+
+describe "the examples from the readme" do
+  before do
+    Redis.new(:driver => :hiredis).flushdb
+  end
+
+  it "works for the example in the usage section" do
+    # 256 bit aes with 128 bit block
+    aes_key = "a"*(256/8)
+    aes_iv  = "b"*(128/8)
+
+    index    = Snowden.new_encrypted_index(aes_key, aes_iv, Snowden::Backends::HashBackend.new("",{}))
+    searcher = Snowden.new_encrypted_searcher(aes_key, aes_iv, index)
+
+    index.store("bacon", "bits")
+
+    # => ["bits"]
+    expect(searcher.search("bac")).to eq(["bits"])
+  end
+
+  it "works for the example in the redis section" do
+    redis = Redis.new(:driver => :hiredis)
+    redis_backend = Snowden::Backends::RedisBackend.new("index_namespace", redis)
+
+    aes_key = OpenSSL::Random.random_bytes(256/8)
+    aes_iv = OpenSSL::Random.random_bytes(128/8)
+
+    index = Snowden.new_encrypted_index(aes_key, aes_iv, redis_backend)
+    index.store("bacon", "bits")
+
+    searcher = Snowden.new_encrypted_searcher(aes_key, aes_iv, index)
+    expect(searcher.search("bac")).to eq(["bits"])
+  end
+
+  it "works for the cipher_spec example in the configuration section" do
+    Snowden.configuration.cipher_spec = "RC4"
+
+    aes_key = "a"*(256/8)
+    aes_iv  = "b"*(128/8)
+
+    #Sometime later:
+    index = Snowden.new_encrypted_index(aes_key, aes_iv, Snowden::Backends::HashBackend.new("",{}))
+  end
+end

data/spec/snowden/backends/hash_backend_spec.rb

@@ -0,0 +1,33 @@
+require "spec_helper"
+require "snowden"
+
+module Snowden::Backends
+  describe HashBackend do
+    subject(:backend) { HashBackend.new("nomspace", hash) }
+    let(:hash) { {} }
+
+    describe "#save" do
+      it "returns nil" do
+        expect(backend.save(:key, :value)).to be nil
+      end
+    end
+
+    describe "#find" do
+      let(:hash) { {["nomspace", :key2] => :value2} }
+
+      it "finds the value stored under the key in the hash" do
+        expect(backend.find(:key2)).to eq(:value2)
+      end
+    end
+
+    describe "saving and finding" do
+      let(:hash) { {} }
+
+      it "can find values it has saved" do
+        backend.save(:key, :value)
+        expect(backend.find(:key)).to eq([:value])
+      end
+    end
+  end
+end
+

data/spec/snowden/backends/redis_backend_spec.rb

@@ -0,0 +1,38 @@
+require "spec_helper"
+require "snowden"
+require "redis_gun"
+
+module Snowden::Backends
+  describe RedisBackend do
+    subject(:backend) { RedisBackend.new("namespace", redis_connection_helper) }
+    let(:redis_connection) { RedisGun::RedisServer.new.tap {|x| x.running? } }
+
+    describe "#save" do
+      it "returns nil" do
+        expect(backend.save("key", "value")).to be nil
+      end
+    end
+
+    describe "#find" do
+      it "finds the value stored under the key in redis" do
+        redis_connection_helper.lpush("namespace:bacon", "troll")
+        expect(backend.find("bacon")).to eq(["troll"])
+      end
+    end
+
+    describe "saving and finding" do
+      it "can find values it has saved" do
+        backend.save("key", "value")
+        expect(backend.find("key")).to eq(["value"])
+      end
+    end
+
+    def redis_connection_helper
+      Redis.new(:url => redis_connection.socket)
+    end
+
+    after do
+      redis_connection.stop
+    end
+  end
+end

data/spec/snowden/crypto_spec.rb

@@ -0,0 +1,29 @@
+require "spec_helper"
+require "snowden"
+
+module Snowden
+  describe Crypto do
+    subject(:crypto) {
+      Crypto.new(
+        :key          => key,
+        :iv           => iv,
+        :cipher_spec  => cipher_spec,
+        :padding_size => padding_size,
+      )
+    }
+
+    let(:key) { "a"*(256/8) }
+    let(:iv)  { "b"*(128/8) }
+
+    let(:cipher_spec)  { "AES-256-CBC" }
+    let(:padding_size) { double(:padding_size) }
+
+    it "can encrypt data" do
+      expect(crypto.encrypt("asdf")).not_to be == "asdf"
+    end
+
+    it "can decrypt data that it encrypts" do
+      expect(crypto.decrypt(crypto.encrypt("asdf"))).to be == "asdf"
+    end
+  end
+end

data/spec/snowden/encrypted_search_index_spec.rb

@@ -0,0 +1,43 @@
+require "spec_helper"
+require "snowden"
+
+module Snowden
+  describe EncryptedSearchIndex do
+    subject(:index) {
+      EncryptedSearchIndex.new(
+        :crypto             => crypto,
+        :backend            => backend,
+        :wildcard_generator => wildcard_generator,
+      )
+    }
+
+    let(:crypto)                 { double("crypto") }
+    let(:key)                    { double("key")   }
+    let(:value)                  { double("value") }
+    let(:wildcard_key)           { double("wildcard key") }
+    let(:encrypted_wildcard_key) { double("encrypted wildcard key") }
+    let(:encrypted_value)        { double("encrypted value") }
+    let(:backend)                { double("backend", :save => nil) }
+    let(:wildcard_generator)     { double("wildcard_generator") }
+
+
+    describe "#save" do
+      it "stores the wildcard and the encrypted value" do
+        allow(wildcard_generator).to receive(:wildcards).with(key).and_return([wildcard_key].to_enum)
+        allow(crypto).to receive(:encrypt).with(wildcard_key).and_return(encrypted_wildcard_key)
+        allow(crypto).to receive(:padded_encrypt).with(value).and_return(encrypted_value)
+
+        index.store(key, value)
+
+        expect(backend).to have_received(:save).with(encrypted_wildcard_key, encrypted_value)
+      end
+    end
+
+    describe "#search" do
+      it "retreives the value matching the passed encrypted value" do
+        allow(backend).to receive(:find).with(encrypted_wildcard_key).and_return(encrypted_value)
+        expect(index.search(encrypted_wildcard_key)).to be == encrypted_value
+      end
+    end
+  end
+end

data/spec/snowden/encrypted_searcher_spec.rb

@@ -0,0 +1,89 @@
+require "spec_helper"
+require "snowden"
+
+module Snowden
+  describe EncryptedSearcher do
+    subject(:searcher) {
+      EncryptedSearcher.new(
+        :crypto             => crypto,
+        :index              => index,
+        :wildcard_generator => wildcard_generator,
+      )
+    }
+
+    let(:crypto)             { double("crypto") }
+    let(:index)              { double("index")  }
+    let(:wildcard_generator) { double("wildcard generator") }
+
+    describe "#search" do
+      let(:search_string)                    { double(:search_string) }
+      let(:wildcard_search_string)           { double(:wildcard_search_string) }
+      let(:encrypted_wildcard_search_string) { double(:encrypted_wildcard_search_string) }
+      let(:encrypted_value)                  { double(:encrypted_value) }
+      let(:decrypted_value)                  { double(:decrypted_value) }
+
+      it "returns the decrypted first matching encrypted value" do
+        allow(wildcard_generator).to receive(:wildcards)
+          .and_return([wildcard_search_string].to_enum)
+
+        allow(crypto).to receive(:encrypt)
+          .with(wildcard_search_string).and_return(encrypted_wildcard_search_string)
+
+        allow(crypto).to receive(:padded_decrypt)
+          .with(encrypted_value).and_return(decrypted_value)
+
+        allow(index).to receive(:search)
+          .with(encrypted_wildcard_search_string).and_return([encrypted_value])
+
+        expect(searcher.search(search_string)).to eq([decrypted_value])
+      end
+
+      context "with two matching encrypted values" do
+        let(:encrypted_value1) { double(:encrypted_value1) }
+        let(:decrypted_value1) { double(:decrypted_value1) }
+        let(:encrypted_value2) { double(:encrypted_value2) }
+        let(:decrypted_value2) { double(:decrypted_value2) }
+
+        it "returns both decrypted values" do
+          allow(wildcard_generator).to receive(:wildcards)
+            .and_return([wildcard_search_string].to_enum)
+
+          allow(crypto).to receive(:encrypt)
+            .with(wildcard_search_string).and_return(encrypted_wildcard_search_string)
+
+          allow(crypto).to receive(:padded_decrypt)
+            .with(encrypted_value1).and_return(decrypted_value1)
+
+          allow(index).to receive(:search)
+            .with(encrypted_wildcard_search_string).and_return([encrypted_value1, encrypted_value2])
+
+          allow(crypto).to receive(:padded_decrypt)
+            .with(encrypted_value2).and_return(decrypted_value2)
+
+          expect(searcher.search(search_string)).to eq([decrypted_value1, decrypted_value2])
+        end
+
+        context "when the values are the same" do
+          let(:encrypted_value1) { double(:encrypted_value1) }
+          let(:decrypted_value1) { double(:decrypted_value1) }
+
+          it "returns both decrypted values" do
+            allow(wildcard_generator).to receive(:wildcards)
+              .and_return([wildcard_search_string].to_enum)
+
+            allow(crypto).to receive(:encrypt)
+              .with(wildcard_search_string).and_return(encrypted_wildcard_search_string)
+
+            allow(index).to receive(:search)
+              .with(encrypted_wildcard_search_string).and_return([encrypted_value1, encrypted_value1])
+
+            allow(crypto).to receive(:padded_decrypt)
+              .with(encrypted_value1).and_return(decrypted_value1).exactly(2).times
+
+            expect(searcher.search(search_string)).to eq([decrypted_value1])
+          end
+        end
+      end
+    end
+  end
+end

data/spec/snowden/wildcard_generator_spec.rb

@@ -0,0 +1,27 @@
+require "spec_helper"
+require "snowden"
+
+module Snowden
+  describe WildcardGenerator do
+    let(:wildcard_generator) { WildcardGenerator.new(:edit_distance => 2) }
+
+    let(:wildcards_fixture) { [
+      "a", "*a", "a*", "*", "**a", "*a*", "**", "a**"
+    ].sort }
+
+    describe "#each_wildcard" do
+      it "yields to the passed block" do
+        called = false
+        wildcard_generator.wildcards("a").each do
+          called = true
+        end
+
+        expect(called).to be true
+      end
+
+      it "gives back some wildcards" do
+        expect(wildcard_generator.wildcards("a").to_a.sort).to eq(wildcards_fixture)
+      end
+    end
+  end
+end

data/spec/snowden_spec.rb

@@ -0,0 +1,58 @@
+require "spec_helper"
+require "snowden"
+
+describe Snowden do
+  let(:key)     { "a"*(256/8) }
+  let(:iv)      { "b"*(128/8) }
+
+  describe ".new_encrypted_index" do
+    subject(:index) { Snowden.new_encrypted_index(
+        key,
+        iv,
+        Snowden::Backends::HashBackend.new({})
+      )
+    }
+
+    it "gives back an index" do
+      expect(index).to be_a_kind_of Snowden::EncryptedSearchIndex
+    end
+
+    it "builds an index that does crypto" do
+      subject.store("encrypt me", "please")
+
+      encrypted_value = index.search(encrypt_helper("encrypt me")).first
+      decrypted_value = padded_decrypt_helper(encrypted_value)
+
+      expect(decrypted_value).to eq("please")
+    end
+  end
+
+  describe ".new_encrypted_searcher" do
+    let(:index) { Snowden.new_encrypted_index(
+        key,
+        iv,
+        Snowden::Backends::HashBackend.new({})
+      )
+    }
+    subject(:searcher) { Snowden.new_encrypted_searcher(key, iv, index) }
+
+    it "gives back a searcher" do
+      expect(subject).to be_a_kind_of Snowden::EncryptedSearcher
+    end
+
+    it "builds a searcher that can find values in the index" do
+      index.store("sam", "12345")
+      index.store("gerhard", "pony")
+
+      expect(searcher.search("gerha")).to eq(["pony"])
+    end
+  end
+
+  def encrypt_helper(value)
+    Snowden.crypto_for(key, iv).encrypt(value)
+  end
+
+  def padded_decrypt_helper(value)
+    Snowden.crypto_for(key, iv).padded_decrypt(value)
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,24 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# Require this file using `require "spec_helper"` to ensure that it is only
+# loaded once.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+
+require 'simplecov'
+SimpleCov.start
+
+RSpec.configure do |config|
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  config.order = 'random'
+
+  config.mock_with :rspec do |configuration|
+    configuration.syntax = :expect
+  end
+
+  config.expect_with :rspec do |configuration|
+    configuration.syntax = :expect
+  end
+end

metadata

@@ -0,0 +1,153 @@
+--- !ruby/object:Gem::Specification
+name: snowden
+version: !ruby/object:Gem::Version
+  version: 0.9.0
+  prerelease: 
+platform: ruby
+authors:
+- Sam Phippen
+- Stephen Best
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-09-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: redis
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: hiredis
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Fuzzy encrypted indexes in ruby
+email:
+- samphippen@googlemail.com
+- stephen@howareyou.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/snowden.rb
+- lib/snowden/backends/hash_backend.rb
+- lib/snowden/backends/redis_backend.rb
+- lib/snowden/configuration.rb
+- lib/snowden/crypto.rb
+- lib/snowden/encrypted_search_index.rb
+- lib/snowden/encrypted_searcher.rb
+- lib/snowden/version.rb
+- lib/snowden/wildcard_generator.rb
+- snowden.gemspec
+- spec/readme_spec.rb
+- spec/snowden/backends/hash_backend_spec.rb
+- spec/snowden/backends/redis_backend_spec.rb
+- spec/snowden/crypto_spec.rb
+- spec/snowden/encrypted_search_index_spec.rb
+- spec/snowden/encrypted_searcher_spec.rb
+- spec/snowden/wildcard_generator_spec.rb
+- spec/snowden_spec.rb
+- spec/spec_helper.rb
+homepage: http://github.com/cambridge-healthcare/snowden
+licenses:
+- MIT
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: -3778383592789494811
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: -3778383592789494811
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.25
+signing_key: 
+specification_version: 3
+summary: Fuzzy encrypted indexes in ruby
+test_files:
+- spec/readme_spec.rb
+- spec/snowden/backends/hash_backend_spec.rb
+- spec/snowden/backends/redis_backend_spec.rb
+- spec/snowden/crypto_spec.rb
+- spec/snowden/encrypted_search_index_spec.rb
+- spec/snowden/encrypted_searcher_spec.rb
+- spec/snowden/wildcard_generator_spec.rb
+- spec/snowden_spec.rb
+- spec/spec_helper.rb
+has_rdoc: