strongbox 0.4.2 → 0.4.3

data/.gitignore

@@ -0,0 +1,3 @@
+test/debug.log
+doc
+/strongbox-*.gem

data/Rakefile

@@ -24,22 +24,13 @@ Rake::RDocTask.new(:rdoc) do |rdoc|
   rdoc.rdoc_files.include('lib/**/*.rb')
 end
 
-spec = Gem::Specification.new do |s|
-  s.name = "strongbox"
-  s.version = Strongbox::VERSION
-  s.summary = "Secures ActiveRecord fields with public key encryption."
-  s.authors = ["Spike Ilacqua"]
-  s.email = "spike@stuff-things.net"
-  s.homepage = "http://stuff-things.net/strongbox"
-  s.files = FileList["[A-Z]*", "init.rb", "{lib,rails}/**/*"]
-  s.add_runtime_dependency 'activerecord'
-  s.add_development_dependency 'thoughtbot-shoulda'
-  s.add_development_dependency 'sqlite3'
-end
-
 desc "Generate a gemspec file for GitHub"
 task :gemspec do
-  File.open("#{spec.name}.gemspec", 'w') do |f|
-    f.write spec.to_yaml
-  end
+  $spec = eval(File.read('strongbox.gemspec'))
+  $spec.validate
+end
+
+desc "Build the gem"
+task :build  => :gemspec do
+  Gem::Builder.new($spec).build
 end

data/lib/strongbox.rb

@@ -5,7 +5,7 @@ require 'strongbox/lock'
 
 module Strongbox
 
-  VERSION = "0.4.2"
+  VERSION = "0.4.3"
 
   RSA_PKCS1_PADDING	= OpenSSL::PKey::RSA::PKCS1_PADDING
   RSA_SSLV23_PADDING	= OpenSSL::PKey::RSA::SSLV23_PADDING

data/strongbox.gemspec

@@ -0,0 +1,23 @@
+lib = File.expand_path('../lib/', __FILE__)
+$:.unshift lib unless $:.include?(lib)
+require 'strongbox'
+
+Gem::Specification.new do |s|
+  s.name = "strongbox"
+  s.version = Strongbox::VERSION
+  s.summary = "Secures ActiveRecord fields with public key encryption."
+  s.authors = ["Spike Ilacqua"]
+  s.email = "spike@stuff-things.net"
+  s.description = <<-EOF
+    Strongbox provides Public Key Encryption for ActiveRecord. By using a
+    public key sensitive information can be encrypted and stored automatically.
+    Once stored a password is required to access the information. dependencies
+    are specified in standard Ruby syntax.
+  EOF
+  s.homepage = "http://stuff-things.net/strongbox"
+  s.files = `git ls-files`.split("\n")
+  s.test_files = `git ls-files -- test/*`.split("\n")
+  s.add_runtime_dependency 'activerecord'
+  s.add_development_dependency 'thoughtbot-shoulda'
+  s.add_development_dependency 'sqlite3'
+end

data/test/database.yml

@@ -0,0 +1,4 @@
+test:
+  adapter: sqlite3
+  database: ":memory:"
+

data/test/fixtures/keypair.pem

@@ -0,0 +1,24 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,317921A00FB0882F
+
+f+GWBkcLJLsBUElOEKhqrtYgT1X4nixaZHD5x0VhmW2FrREz4vcqXrxwLTaRQJK/
+vHFJ/7IVmEHScwEognSfw/wX2HMIHczoQT3ugsa29Nt7t1VLGy9jvN1+1f+g90xe
+02jC7CYEKUJ3agZPox49i0/UN9OCIgdtKfecdDHYWyziob8yYTsUdDGyAXlPv0Kx
+0MPSCRDtEh4UJ2PIFyw2HowkYeNss6uIte9rxJGINI11D9vmXR0pH0XyCwHQn+2T
+ScHWg8BJ1rkBKydbKQ4vnfhGMjG+bZyrJXrJSoazXroseuhHu8QRUONm5Kl/zW1f
+GP1CjIfTCQQZECYIa2tXTFdL9y2ZOCn8xit57SwEpmJMvZC58PkQX5+/aHPcOXhl
+YrF+6FEfNpdBz9PUmv4Af2kTa88xZqm1Q3GtTOk7wsJpfeTMhU71KjA1pL9xNPrT
+DnKhtfLGvcgo8Z9BGOiLFe9uQvhhprX7isc1XdysbMigsVIWLvZp9RxRp/zAn7fy
+y56C6mc3tUwcq89RcxAn+bC75gwZO/hyVrnkhManOMfHTEiZXVybU9Ril3SZ+ry6
+8AxMid0ZWbbtCHdDc5rHfXsGeFhJZxBbg/WtMxBPGHNByqs8sWUM9Z8YoK8WMYxV
+GvC9RB4m0jgA4S3MEOMmKOXDuJxa7IgTgApVmLPl+sDOHGK3xAItYJJawJqOZQ1f
+r+x/8g19CuehuflCxDo+D4/RJMqkOEq+0FGUqI8lHv6vR6+YpkGdrQQXUohBy67f
+3Qym1ztZ8ygsttgJwnhwAfMh8FdIrVJc7NZ8pDiBZbg=
+-----END RSA PRIVATE KEY-----
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9F1ipsLL+V68bGSJFqFLQKgXq
+Glyyplx0s9KxgLbmbDICXpV7DceKaIBUkPZDx2DrlvjZmG+rG5ehdWNI7q/hupao
+NF0WzEiOp+30gISeyl81Z/NAmhcwcOnZpbS9nl4JLaWrN7iGC1geNBNDo+lVbsm1
+O2+Tlt8rjHsNjzgIzQIDAQAB
+-----END PUBLIC KEY-----

data/test/missing_attributes_test.rb

@@ -0,0 +1,77 @@
+require 'test/test_helper'
+
+class MissingAttribuesTest < Test::Unit::TestCase
+  context 'A Class with a secured field without a matching database column' do
+    setup do
+      ActiveRecord::Base.connection.create_table :dummies, :force => true do |table|
+        table.string :in_the_clear
+      end
+      rebuild_class {}
+    end
+
+    should 'raise' do
+      assert_raise(Strongbox::StrongboxError) do
+        Dummy.class_eval do
+          encrypt_with_public_key :secret, :key_pair =>
+            File.join(FIXTURES_DIR,'keypair.pem')
+        end
+        @dummy = Dummy.new
+        @dummy.secret = 'Shhhh'
+      end
+    end
+
+    teardown do
+      rebuild_model
+    end
+  end
+
+  context 'A Class with a secured field missing symmetric database columns' do
+    setup do
+      ActiveRecord::Base.connection.create_table :dummies, :force => true do |table|
+        table.string :in_the_clear
+        table.string :secret
+      end
+      rebuild_class {}
+    end
+
+    should 'raise' do
+      assert_raise(Strongbox::StrongboxError) do
+        Dummy.class_eval do
+          encrypt_with_public_key :secret, :key_pair =>
+            File.join(FIXTURES_DIR,'keypair.pem')
+        end
+        @dummy = Dummy.new
+        @dummy.secret = 'Shhhh'
+      end
+    end
+
+    teardown do
+      rebuild_model
+    end
+  end
+
+  context 'A Class with a secured field without a matching database column told not to check columns' do
+    setup do
+      ActiveRecord::Base.connection.create_table :dummies, :force => true do |table|
+        table.string :in_the_clear
+      end
+      rebuild_class {}
+    end
+
+    should 'not raise' do
+      assert_nothing_raised do
+        Dummy.class_eval do
+          encrypt_with_public_key(:secret,
+                                  :key_pair => File.join(FIXTURES_DIR,'keypair.pem'),
+                                  :ensure_required_columns => false)
+        end
+        @dummy = Dummy.new
+        @dummy.secret = 'Shhhh'
+      end
+    end
+
+    teardown do
+      rebuild_model
+    end
+  end
+end

data/test/strongbox_test.rb

@@ -0,0 +1,303 @@
+# -*- coding: utf-8 -*-
+require 'test/test_helper'
+
+class StrongboxTest < Test::Unit::TestCase
+  context 'A Class with a secured field' do
+    setup do
+      @password = 'boost facile'
+      rebuild_model :key_pair => File.join(FIXTURES_DIR,'keypair.pem')
+    end
+
+    should 'not error when trying to also create a secure field' do
+      assert_nothing_raised do
+        Dummy.class_eval do
+          encrypt_with_public_key :secret
+        end
+      end
+    end
+
+     context 'that is valid' do
+       setup do
+         @dummy = Dummy.new
+         @dummy.secret = 'Shhhh'
+         @dummy.in_the_clear = 'Hey you guys!'
+       end
+
+       should 'not change unencrypted fields' do
+         assert_equal 'Hey you guys!', @dummy.in_the_clear
+       end
+
+       should 'return "*encrypted*" when locked'  do
+         assert_equal '*encrypted*', @dummy.secret.decrypt
+       end
+
+       should 'return secret when unlocked'  do
+         assert_equal 'Shhhh', @dummy.secret.decrypt(@password)
+       end
+
+       should 'generate and store symmetric encryption key and IV' do
+         assert_not_nil @dummy.attributes['secret_key']
+         assert_not_nil @dummy.attributes['secret_iv']
+       end
+
+       should 'raise on bad password' do
+         assert_raises(OpenSSL::PKey::RSAError) do
+           @dummy.secret.decrypt('letmein')
+         end
+       end
+
+       context 'updating unencrypted fields' do
+         setup do
+           @dummy.in_the_clear = 'I see you...'
+           @dummy.save
+         end
+
+         should 'not effect the secret' do
+           assert_equal 'Shhhh', @dummy.secret.decrypt(@password)
+         end
+       end
+
+       context 'updating the secret' do
+         setup do
+           @dummy.secret = @new_secret = 'Don\'t tell'
+           @dummy.save
+         end
+
+         should 'update the secret' do
+           assert_equal @new_secret, @dummy.secret.decrypt(@password)
+         end
+       end
+
+       context 'with symmetric encryption disabled' do
+         setup do
+           rebuild_class(:key_pair => File.join(FIXTURES_DIR,'keypair.pem'),
+                         :symmetric => :never)
+           @dummy = Dummy.new
+           @dummy.secret = 'Shhhh'
+         end
+
+         should 'return "*encrypted*" when locked'  do
+           assert_equal '*encrypted*', @dummy.secret.decrypt
+         end
+
+         should 'return secret when unlocked'  do
+           assert_equal 'Shhhh', @dummy.secret.decrypt(@password)
+         end
+
+         should 'allow decryption of other strings encrypted with the same key' do
+           encrypted_text = File.read(File.join(FIXTURES_DIR,'encrypted'))
+           assert_equal 'Setec Astronomy', @dummy.secret.decrypt(@password, encrypted_text)
+         end
+
+         should 'not generate and store symmetric encryption key and IV' do
+           assert_nil @dummy.attributes['secret_key']
+           assert_nil @dummy.attributes['secret_iv']
+         end
+
+       end
+
+       context 'with Base64 encoding enabled' do
+         setup do
+           rebuild_class(:key_pair => File.join(FIXTURES_DIR,'keypair.pem'),
+                         :base64 => true)
+           @dummy = Dummy.new
+           @dummy.secret = 'Shhhh'
+         end
+
+         should 'Base64 encode the ciphertext' do
+           # Base64 encoded text is limited to the charaters A–Z, a–z, and 0–9,
+           # and is padded with 0 to 2 equal-signs
+           assert_match /^[0-9A-Za-z+\/]+={0,2}$/, @dummy.attributes['secret']
+           assert_match /^[0-9A-Za-z+\/]+={0,2}$/, @dummy.attributes['secret_key']
+           assert_match /^[0-9A-Za-z+\/]+={0,2}$/, @dummy.attributes['secret_iv']
+         end
+
+         should 'encrypt the data'  do
+           assert_not_equal @dummy.attributes['secret'], 'Shhhh'
+           assert_equal '*encrypted*', @dummy.secret.decrypt
+           assert_equal 'Shhhh', @dummy.secret.decrypt(@password)
+         end
+       end
+     end
+
+     context 'using blowfish cipher instead of AES' do
+       setup do
+         rebuild_class(:key_pair => File.join(FIXTURES_DIR,'keypair.pem'),
+                       :symmetric_cipher => 'bf-cbc')
+         @dummy = Dummy.new
+         @dummy.secret = 'Shhhh'
+       end
+
+       should 'encrypt the data'  do
+         assert_not_equal @dummy.attributes['secret'], 'Shhhh'
+         assert_equal '*encrypted*', @dummy.secret.decrypt
+         assert_equal 'Shhhh', @dummy.secret.decrypt(@password)
+       end
+     end
+  end
+
+  context 'when a public key is not provided' do
+    setup do
+      rebuild_class
+      @dummy = Dummy.new
+    end
+
+    should 'raise on encrypt' do
+      assert_raises(Strongbox::StrongboxError) do
+        @dummy.secret = 'Shhhh'
+      end
+    end
+  end
+
+  context 'when a private key is not provided' do
+     setup do
+      @password = 'boost facile'
+      rebuild_class(:public_key => File.join(FIXTURES_DIR,'keypair.pem'))
+      @dummy = Dummy.new(:secret => 'Shhhh')
+     end
+
+    should 'raise on decrypt with a password' do
+      assert_raises(Strongbox::StrongboxError) do
+        @dummy.secret.decrypt(@password)
+      end
+    end
+
+    should 'return "*encrypted*" when still locked' do
+      assert_equal '*encrypted*', @dummy.secret.decrypt
+    end
+  end
+
+  context "when an unencrypted public key is used" do
+     setup do
+      rebuild_class(:public_key => generate_key_pair.public_key)
+      @dummy = Dummy.new(:secret => 'Shhhh')
+     end
+
+    should "encrypt the data"  do
+      assert_not_equal @dummy.attributes['secret'], 'Shhhh'
+      assert_equal '*encrypted*', @dummy.secret.decrypt
+    end
+  end
+
+  context "when an unencrypted key pair is used" do
+     setup do
+      rebuild_class(:key_pair => generate_key_pair)
+      @dummy = Dummy.new(:secret => 'Shhhh')
+     end
+
+    should "encrypt the data"  do
+      assert_not_equal @dummy.attributes['secret'], 'Shhhh'
+      assert_equal "Shhhh", @dummy.secret.decrypt('')
+    end
+  end
+
+  context 'with validations' do
+    context 'using validates_presence_of' do
+      setup do
+        rebuild_class(:key_pair => File.join(FIXTURES_DIR,'keypair.pem'))
+        Dummy.send(:validates_presence_of, :secret)
+        @valid = Dummy.new(:secret => 'Shhhh')
+        @invalid = Dummy.new(:secret => nil)
+      end
+
+      should 'not have an error on the secret when valid' do
+        assert @valid.valid?
+        assert_does_not_have_errors_on(@valid,:secret)
+      end
+
+      should 'have an error on the secret when invalid' do
+        assert !@invalid.valid?
+        assert_has_errors_on(@invalid,:secret)
+      end
+    end
+
+    context 'using validates_length_of' do
+      setup do
+        rebuild_class(:key_pair => File.join(FIXTURES_DIR,'keypair.pem'))
+        Dummy.send(:validates_length_of,
+                   :secret,
+                   :in => 5..10,
+                   :allow_nil => true,
+                   :allow_blank => true
+                   )
+        @valid = Dummy.new(:secret => 'Shhhh')
+        @valid_nil = Dummy.new(:secret => nil)
+        @valid_blank = Dummy.new(:secret => '')
+        @invalid = Dummy.new(:secret => '1')
+      end
+
+      should 'not have an error on the secret when in range' do
+        assert @valid.valid?
+        assert_does_not_have_errors_on(@valid,:secret)
+      end
+
+      should 'not have an error on the secret when nil' do
+        assert @valid_nil.valid?
+        assert_does_not_have_errors_on(@valid_nil,:secret)
+      end
+
+      should 'not have an error on the secret when blank' do
+        assert @valid_blank.valid?
+        assert_does_not_have_errors_on(@valid_blank,:secret)
+      end
+
+      should 'have an error on the secret when invalid' do
+        assert !@invalid.valid?
+        assert_has_errors_on(@invalid,:secret)
+      end
+    end
+  end
+
+  context 'A Class with two secured fields' do
+    setup do
+      @password = 'boost facile'
+      key_pair = File.join(FIXTURES_DIR,'keypair.pem')
+      Dummy.class_eval do
+        encrypt_with_public_key :secret, :key_pair => key_pair
+        encrypt_with_public_key :segreto, :key_pair => key_pair,
+                                          :symmetric => :never
+      end
+    end
+
+    context 'that is valid' do
+      setup do
+        @dummy = Dummy.new
+        @dummy.secret = 'I have a secret...'
+        @dummy.segreto = 'Ho un segreto...'
+      end
+
+      should 'return "*encrypted*" when the record is locked'  do
+        assert_equal '*encrypted*', @dummy.secret.decrypt
+        assert_equal '*encrypted*', @dummy.segreto.decrypt
+      end
+
+       should 'return the secrets when unlocked'  do
+         assert_equal 'I have a secret...', @dummy.secret.decrypt(@password)
+         assert_equal 'Ho un segreto...', @dummy.segreto.decrypt(@password)
+       end
+
+    end
+  end
+
+  context 'Using strings for keys' do
+    setup do
+      @password = 'boost facile'
+      key_pair = File.read(File.join(FIXTURES_DIR,'keypair.pem'))
+      public_key = OpenSSL::PKey::RSA.new(key_pair,"")
+      private_key = OpenSSL::PKey::RSA.new(key_pair,@password)
+      Dummy.class_eval do
+        encrypt_with_public_key :secret, :public_key => public_key, :private_key => private_key
+      end
+      @dummy = Dummy.new
+      @dummy.secret = 'Shhhh'
+    end
+
+    should 'return "*encrypted*" when locked'  do
+      assert_equal '*encrypted*', @dummy.secret.decrypt
+    end
+
+    should 'return secret when unlocked'  do
+      assert_equal 'Shhhh', @dummy.secret.decrypt(@password)
+    end
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,73 @@
+ROOT       = File.join(File.dirname(__FILE__), '..')
+RAILS_ROOT = ROOT
+$LOAD_PATH << File.join(ROOT, 'lib')
+
+require 'rubygems'
+require 'test/unit'
+require 'sqlite3'
+require 'active_record'
+require 'logger'
+gem 'thoughtbot-shoulda', ">= 2.9.0"
+require 'shoulda'
+begin require 'redgreen'; rescue LoadError; end
+
+require 'strongbox'
+
+ENV['RAILS_ENV'] ||= 'test'
+
+FIXTURES_DIR = File.join(File.dirname(__FILE__), "fixtures") 
+config = YAML::load(IO.read(File.dirname(__FILE__) + '/database.yml'))
+ActiveRecord::Base.logger = Logger.new(File.dirname(__FILE__) + "/debug.log")
+ActiveRecord::Base.establish_connection(config['test'])
+
+
+# rebuild_model and rebuild_class are borrowed directly from the Paperclip gem
+#
+# http://thoughtbot.com/projects/paperclip
+
+# rebuild_model (re)creates a database table for our Dummy model.
+# Call this to initial create a model, or to reset the database.
+
+def rebuild_model options = {}
+  ActiveRecord::Base.connection.create_table :dummies, :force => true do |table|
+    table.string :in_the_clear
+    table.binary :secret
+    table.binary :secret_key
+    table.binary :secret_iv
+    table.binary :segreto
+  end
+  rebuild_class options
+end
+
+# rebuild_class creates or replaces the Dummy ActiveRecord Model.
+# Call this when changing the options to encrypt_with_public_key
+
+def rebuild_class options = {}
+  ActiveRecord::Base.send(:include, Strongbox)
+  Object.send(:remove_const, "Dummy") rescue nil
+  Object.const_set("Dummy", Class.new(ActiveRecord::Base))
+  Dummy.class_eval do
+    include Strongbox
+    encrypt_with_public_key :secret, options
+  end
+end
+
+def assert_has_errors_on(model,attribute)
+  # Rails 2.X && Rails 3.X
+  !model.errors[attribute].empty?
+end
+
+def assert_does_not_have_errors_on(model,attribute)
+  # Rails 2.X                     Rails 3.X
+  model.errors[attribute].nil? || model.errors[attribute].empty?
+end
+
+def generate_key_pair(password = nil,size = 2048)
+  rsa_key = OpenSSL::PKey::RSA.new(size)
+  # If no password is provided, don't encrypt the key
+  return rsa_key if password.blank?
+  cipher =  OpenSSL::Cipher::Cipher.new('des3')
+  key_pair = rsa_key.to_pem(cipher,password)
+  key_pair << rsa_key.public_key.to_pem
+  return key_pair
+end

metadata

@@ -1,7 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: strongbox
 version: !ruby/object:Gem::Version 
-  version: 0.4.2
+  hash: 9
+  prerelease: 
+  segments: 
+  - 0
+  - 4
+  - 3
+  version: 0.4.3
 platform: ruby
 authors: 
 - Spike Ilacqua
@@ -9,40 +15,52 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-01-17 00:00:00 -07:00
+date: 2011-02-21 00:00:00 -07:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: activerecord
-  type: :runtime
-  version_requirement: 
-  version_requirements: !ruby/object:Gem::Requirement 
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
         version: "0"
-    version: 
+  type: :runtime
+  version_requirements: *id001
 - !ruby/object:Gem::Dependency 
   name: thoughtbot-shoulda
-  type: :development
-  version_requirement: 
-  version_requirements: !ruby/object:Gem::Requirement 
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
         version: "0"
-    version: 
+  type: :development
+  version_requirements: *id002
 - !ruby/object:Gem::Dependency 
   name: sqlite3
-  type: :development
-  version_requirement: 
-  version_requirements: !ruby/object:Gem::Requirement 
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
         version: "0"
-    version: 
-description: 
+  type: :development
+  version_requirements: *id003
+description: "    Strongbox provides Public Key Encryption for ActiveRecord. By using a\n    public key sensitive information can be encrypted and stored automatically.\n    Once stored a password is required to access the information. dependencies\n    are specified in standard Ruby syntax.\n"
 email: spike@stuff-things.net
 executables: []
 
@@ -51,14 +69,21 @@ extensions: []
 extra_rdoc_files: []
 
 files: 
+- .gitignore
 - LICENSE
-- Rakefile
-- README.html
 - README.textile
+- Rakefile
 - init.rb
-- lib/strongbox/lock.rb
 - lib/strongbox.rb
+- lib/strongbox/lock.rb
 - rails/init.rb
+- strongbox.gemspec
+- test/database.yml
+- test/fixtures/encrypted
+- test/fixtures/keypair.pem
+- test/missing_attributes_test.rb
+- test/strongbox_test.rb
+- test/test_helper.rb
 has_rdoc: true
 homepage: http://stuff-things.net/strongbox
 licenses: []
@@ -69,23 +94,34 @@ rdoc_options: []
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
       version: "0"
-  version: 
 required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
       version: "0"
-  version: 
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.3.5
+rubygems_version: 1.5.2
 signing_key: 
 specification_version: 3
 summary: Secures ActiveRecord fields with public key encryption.
-test_files: []
-
+test_files: 
+- test/database.yml
+- test/fixtures/encrypted
+- test/fixtures/keypair.pem
+- test/missing_attributes_test.rb
+- test/strongbox_test.rb
+- test/test_helper.rb

data/README.html

@@ -1,88 +0,0 @@
-<h1>Strongbox</h1>
-<p>Strongbox provides Public Key Encryption for ActiveRecord. By using a public key sensitive information can be encrypted and stored automatically. Once stored a password is required to access the information.</p>
-<p>Because the largest amount of data that can practically be encrypted with a public key is 245 byte, by default Strongbox uses a two layer approach. First it encrypts the attribute using symmetric encryption with a randomly generated key and initialization vector (IV) (which can just be through to as a second key), then it encrypts those with the public key.</p>
-<p>Strongbox stores the encrypted attribute in a database column by the same name, i.e. if you tell Strongbox to encrypt &#8220;secret&#8221; then it will be store in &#8220;secret&#8221; in the database, just as the unencrypted attribute would be. If symmetric encryption is used (the default) two additional columns &#8220;secret_key&#8221; and &#8220;secret_iv&#8221; are needed as well.</p>
-<p>The attribute is automatically encrypted simply by setting it:</p>
-user.secret = &#8220;Shhhhhhh&#8230;&#8221;
-<p>and decrypted by calling the &#8220;decrypt&#8221; method with the private key password.</p>
-plain_text = user.secret.decrypt &#8216;letmein&#8217;
-<h2>Quick Start</h2>
-<p>In your model:</p>
-<pre><code>class User &lt; ActiveRecord::Base
-  encrypt_with_public_key :secret,
-    :key_pair =&gt; File.join(RAILS_ROOT,'config','keypair.pem')
-end</code></pre>
-<p>In your migrations:</p>
-<pre><code>class AddSecretColumnsToUser &lt; ActiveRecord::Migration
-  def self.up
-    add_column :users, :secret, :binary
-    add_column :users, :secret_key, :binary
-    add_column :users, :secret_iv, :binary
-  end
-  def self.down
-    remove_column :users, :secret
-    remove_column :users, :secret_key
-    remove_column :users, :secret_iv
-  end  
-end</code></pre>
-<p>Generate a key pair:</p>
-<p>(Choose a strong password.)</p>
-<pre><code>openssl genrsa -des3 -out config/private.pem 2048
-openssl rsa -in config/private.pem -out config/public.pem -outform PEM -pubout
-cat config/private.pem  config/public.pem &gt;&gt; config/keypair.pem</code></pre>
-<p>In your views and forms you don&#8217;t need to do anything special to encrypt data. To decrypt call:</p>
-<pre><code>user.secret.decrypt 'password'</code></pre>
-<h2>Gem installation (Rails 2.1+)</h2>
-<p>In config/environment.rb:</p>
-<pre><code>config.gem "strongbox"</code></pre>
-<h2>Usage</h2>
-<p><em>encrypt_with_public_key</em> sets up the attribute it&#8217;s called on for automatic encryption.  It&#8217;s simplest form is:</p>
-<pre><code>class User &lt; ActiveRecord::Base
-  encrypt_with_public_key :secret,
-    :key_pair =&gt; File.join(RAILS_ROOT,'config','keypair.pem')
-end</code></pre>
-<p>Which will encrypt the attribute &#8220;secret&#8221;. The attribute will be encrypted using symmetric encryption with an automatically generated key and IV encrypted using the public key. This requires three columns in the database &#8220;secret&#8221;, &#8220;secret_key&#8221;, and &#8220;secret_iv&#8221; (see below).</p>
-<p>Options to encrypt_with_public_key are:</p>
-<p>:public_key &#8211; Path to the public key file.  Overrides :keypair.</p>
-<p>:private_key &#8211; Path to the private key file.  Overrides :keypair.</p>
-<p>:keypair &#8211; Path to a file containing both the public and private keys.</p>
-<p>:symmetric :always/:never &#8211; Encrypt the date using symmetric encryption. The public key is used to encrypt an automatically generated key and IV. This allows for large amounts of data to be encrypted. The size of data that can be encrypted directly with the public is limit to key size (in bytes) &#8211; 11. So a 2048 key can encrypt <strong>245 bytes</strong>. Defaults to <strong>:always</strong>.</p>
-<p>:symmetric_cipher &#8211; Cipher to use for symmetric encryption.  Defaults to <strong>&#8216;aes-256-cbc&#8217;</strong>.  Other ciphers support by OpenSSL may be used.</p>
-<p>:base64 true/false &#8211; Use Base64 encoding to convert encrypted data to text. Use when binary save data storage is not available.  Defaults to <strong>false</strong>.</p>
-<p>:padding &#8211; Method used to pad data encrypted with the public key. Defaults to <strong>RSA_PKCS1_PADDING</strong>. The default should be fine unless you are dealing with legacy data.</p>
-<p>:ensure_required_columns &#8211; Make sure the required database columns exist.  Defaults to <strong>true</strong>, set to false if you want to encrypt/decrypt data stored outside of the database.</p>
-<p>For example, encrypting a small attribute, providing only the public key for extra security, and Base64 encoding the encrypted data:</p>
-<pre><code>class User &lt; ActiveRecord::Base
-  validates_length_of :pin_code, :is =&gt; 4
-  encrypt_with_public_key :pin_code, 
-    :symmetric =&gt; :never,
-    :base64 =&gt; true,
-    :public_key =&gt; File.join(RAILS_ROOT,'config','public.pem')
-end</code></pre>
-<h2>Key Generation</h2>
-<p>Generate a key pair:</p>
-<pre><code>openssl genrsa -des3 -out config/private.pem 2048
-Generating RSA private key, 2048 bit long modulus
-......+++
-.+++
-e is 65537 (0x10001)
-Enter pass phrase for config/private.pem:
-Verifying - Enter pass phrase for config/private.pem:</code></pre>
-<p>and extract the the public key:</p>
-<pre><code>openssl rsa -in config/private.pem -out config/public.pem -outform PEM -pubout
-Enter pass phrase for config/private.pem:
-writing RSA key</code></pre>
-<p>If you are going to leave the private key installed it&#8217;s easiest to create a single key pair file:</p>
-<pre><code>cat config/private.pem  config/public.pem &gt;&gt; config/keypair.pem</code></pre>
-<p>Or, for added security, store the private key file else where, leaving only the public key.</p>
-<h2>Table Creation</h2>
-<p>In it&#8217;s default configuration Strongbox requires three columns, one the encrypted data, one for the encrypted symmetric key, and one for the encrypted symmetric IV. If symmetric encryption is disabled then only the columns for the data being encrypted is needed.</p>
-<p>If your underlying database allows, use the <strong>binary</strong> column type. If you must store your data in text format be sure to enable Base64 encoding and to use the <strong>text</strong> column type. If you use a <em>string</em> column and encrypt anything greater than 186 bytes (245 bytes if you don&#8217;t enable Base64 encoding) <strong>your data will be lost</strong>.</p>
-<h2>Security Caveats</h2>
-<p>If you don&#8217;t encrypt your data, then an attacker only needs to steal that data to get your secrets.</p>
-<p>If encrypt your data using symmetric encrypts and a stored key, then the attacker needs the data and the key stored on the server.</p>
-<p>If you use public key encryption, the attacker needs the data, the private key, and the password. This means the attacker has to sniff the password somehow, so that&#8217;s what you need to protect against.</p>
-<h2>Authors</h2>
-<p>Spike Ilacqua</p>
-<h2>Thanks</h2>
-<p>Strongbox&#8217;s implementation drew inspiration from Thoughtbot&#8217;s Paperclip gem http://www.thoughtbot.com/projects/paperclip</p>