symmetric-encryption 0.1.2 → 0.2.0

data/README.md

@@ -3,7 +3,7 @@ symmetric-encryption
 
 * http://github.com/ClarityServices/symmetric-encryption
 
-### Introduction
+## Introduction
 
 Any project that wants to meet PCI compliance has to ensure that the data is encrypted
 whilst in flight and at rest. Amongst many other other requirements all passwords
@@ -12,24 +12,288 @@ in configuration files have to be encrypted
 This Gem helps achieve compliance by supporting encryption of data in a simple
 and consistent way
 
-### Features
+## Security
+
+Many solutions that encrypt data require the encryption keys to be stored in the
+applications source code or leave it up to the developer to secure the keys on
+the application servers. symmetric-encryption takes care of securing the
+symmetric encryption keys.
+
+The following steps are used to secure the symmetric encryption keys using symmetric-encryption:
+
+* Symmetric Encryption keys are stored in files that are not part of the application,
+its source code, or even stored in its source control system. These files can be
+created, managed and further secured by System Administrators. This prevents
+developers having or needing to have access to the symmetric encryption keys
+* The Operating System security features limit access to the Symmetric Encryption
+key files to System Administrators and the userid under which the Rails application runs.
+* The files in which the Symmetric Encryption keys are stored are futher
+encrypted using RSA 2048 bit encryption
+
+In order for anyone to decrypt the data being encrypted in the database, they
+would need access to ALL of the following:
+* A copy of the files containing the Symmetric Encryption Keys which are secured
+by the Operating System
+* The application source code containing the RSA private key to decrypt the above files
+* The userid and password for the database to copy the encrypted data itself,
+or an unsecured copy or export of the database contents
+
+## Features
 
 * Encryption of passwords in configuration files
-* attr_encrypted replacement
+* Encryption of ActiveRecord model attributes by prefixing attributes / column
+names with encrypted_
 * Externalization of symmetric encryption keys so that they are not in the
-  source code
+  source code, or the source code control system
+* Drop in replacement for attr_encrypted. Just remove the attr_encrypted gem
+* Compatible with the default Encryption algorithm in attr_encrypted
+* More efficient replacement for attr_encrypted since only ActiveRecord Models
+are extended with encrypted_ behavior, rather than every object in the system
+* Custom validator for ActiveRecord Models
+
+## Examples
+
+### Encryption Example
+
+    Symmetric::Encryption.encrypt "Sensitive data"
+
+### Decryption Example
+
+    Symmetric::Encryption.decrypt "JqLJOi6dNjWI9kX9lSL1XQ==\n"
+
+### Validation Example
+
+    class MyModel < ActiveRecord::Base
+      validates :encrypted_ssn, :symmetric_encrypted => true
+    end
+
+    m = MyModel.new
+    m.valid?
+    #  => false
+    m.encrypted_ssn = Symmetric::Encryption.encrypt('123456789')
+    m.valid?
+    #  => true
+
+### Encrypting Passwords in configuration files
+
+Passwords can be encrypted in any YAML configuration file.
+
+For example config/database.yml
+
+    production:
+      adapter:  mysql
+      host:     db1w
+      database: myapp_production
+      username: admin
+      password: <%= Symmetric::Encryption.try_decrypt "JqLJOi6dNjWI9kX9lSL1XQ==\n" %>
+
+Note: Use Symmetric::Encryption.try_decrypt method which will return nil if it
+  fails to decrypt the value, which is essential when the encryption keys differ
+  between environments
+
+Note: In order for the above technique to work in other YAML configuration files
+  the YAML file must be processed using ERB prior to passing to YAML. For example
 
-### Install
+    config_file = Rails.root.join('config', 'redis.yml')
+    raise "redis config not found. Create a config file at: config/redis.yml" unless config_file.file?
+
+    cfg = YAML.load(ERB.new(File.new(config_file).read).result)[Rails.env]
+    raise("Environment #{Rails.env} not defined in redis.yml") unless cfg
+
+### Generating encrypted passwords
+
+The following rake task can be used to generate encrypted passwords for the
+specified environment
+
+Note: Passwords must be encrypted in the environment in which they will be used.
+  Since each environment should have its own symmetric encryption keys
+
+## Install
 
   gem install symmetric-encryption
 
+## Configuration
+
+### Generating the RSA Private key
+
+To protect the files holding the Symmetric Encryption keys, symmetric-encryption uses 2048 bit RSA
+encryption.
+
+Generate the RSA Private key as follows
+
+    openssl genrsa 2048
+
+Paste the output into the configuration created below
+
+### Creating the configuration file
+
+Create a configuration file in config/symmetric-encryption.yml per the following example:
+
+    #
+    # Symmetric Encryption for Ruby
+    #
+    ---
+    # Just use test symmetric encryption keys in the development environment
+    # No private key required since we are not reading the keys from a file
+    development: &development_defaults
+      cipher: aes-256-cbc
+      symmetric_key: 1234567890ABCDEF1234567890ABCDEF
+      symmetric_iv: 1234567890ABCDEF
+
+    test:
+      <<: *development_defaults
+
+    release: &release_defaults
+      # Since the key to encrypt and decrypt with must NOT be stored along with the
+      # source code, we only hold a RSA key that is used to unlock the file
+      # containing the actual symmetric encryption key
+      #
+      # To generate a new RSA private key:
+      #    openssl genrsa 2048
+      private_rsa_key: |
+        -----BEGIN RSA PRIVATE KEY-----
+           ...
+           paste RSA key generated above here
+           ...
+        -----END RSA PRIVATE KEY-----
+
+      # Filename containing Symmetric Encryption Key
+      # Note: The file contents must be RSA 2048 bit encrypted
+      #       with the public key derived from the private key above
+      symmetric_key_filename: /etc/rails/.rails.key
+      symmetric_iv_filename: /etc/rails/.rails.iv
+
+      # Use aes-256-cbc encryption
+      cipher: aes-256-cbc
+
+    hotfix:
+      <<: *release_defaults
+
+    production:
+      <<: *release_defaults
+
+This configuration file should be checked into the source code control system.
+It does Not include the Symmetric Encryption keys. They will be generated in the
+next step.
+
+### Generating and securing the Symmetric Encryption keys
+
+The symmetric encryption key consists of the key itself and an optional
+initialization vector.
+
+To generate the keys run the following Rake task in each environment:
+
+    RAILS_ENV=release rake symmetric_encryption:generate_symmetric_keys
+
+Replace 'release' as necessary for each environment.
+
+Make sure that the current user has read and write access to the folder listed
+in the configuration option symmetric_key_filename above.
+
+Once the Symmetric Encryption keys have been generated, secure them further by
+making the files read-only to the Rails user and not readable by any other user
+
+    chmod ...
+
+When running multiple Rails servers in a particular environment copy the same
+key files to every server in that environment. I.e. All Rails servers in each
+environment must run the same encryption keys.
+
+Note: The generate step above must only be run once in each environment
+
+## Using in non-Rails environments
+
+symmetric-encryption can also be used in non-Rails environment. At application
+startup, run the code below to initialize symmetric-encryption prior to
+attempting to encrypt or decrypt any data
+
+    require 'symmetric-encryption'
+    Symmetric::Encryption.load!('config/symmetric-encryption.yml', 'production')
+
+Parameters:
+* Filename of the configuration file created above
+* Name of the environment to load the configuration for
+
+To manually generate the symmetric encryption keys, run the code below
+
+    require 'symmetric-encryption'
+    Symmetric::Encryption.generate_symmetric_key_files('config/symmetric-encryption.yml', 'production')
+
+Parameters:
+* Filename of the configuration file created above
+* Name of the environment to load the configuration for
+
+## Supporting Multiple Encryption Keys
+
+For complete PCI compliance it is necessary to change the Symmetric Encryption
+keys every year. During the transition period of moving from one encryption
+key to another symmetric-encryption supports multiple Symmetric Encryption keys.
+If decryption with the current key fails, any previous keys will also be tried
+automatically.
+
+By default the latest key is used for encrypting data. Another key can be specified
+for encryption so that old data can be looked in queries, etc.
+
+Since just the Symmetric Encryption keys are being changed, we can still continue to
+use the same RSA Private key for gaining access to the Symmetric Encryption Keys
+
+### Configuring multiple Symmetric Encryption keys
+
+
+
+Create a configuration file in config/symmetric-encryption.yml per the following example:
+
+    #
+    # Symmetric Encryption for Ruby
+    #
+    ---
+    # Just use test symmetric encryption keys in the development environment
+    # No private key required since we are not reading the keys from a file
+    development: &development_defaults
+      cipher: aes-256-cbc
+      symmetric_key: 1234567890ABCDEF1234567890ABCDEF
+      symmetric_iv: 1234567890ABCDEF
+
+    test:
+      <<: *development_defaults
+
+    release: &release_defaults
+      # Since the key to encrypt and decrypt with must NOT be stored along with the
+      # source code, we only hold a RSA key that is used to unlock the file
+      # containing the actual symmetric encryption key
+      #
+      # To generate a new RSA private key:
+      #    openssl genrsa 2048
+      private_rsa_key: |
+        -----BEGIN RSA PRIVATE KEY-----
+           ...
+           paste RSA key generated above here
+           ...
+        -----END RSA PRIVATE KEY-----
+
+      # Filename containing Symmetric Encryption Key
+      # Note: The file contents must be RSA 2048 bit encrypted
+      #       with the public key derived from the private key above
+      symmetric_key_filename: /etc/rails/.rails.key
+      symmetric_iv_filename: /etc/rails/.rails.iv
+
+      # Use aes-256-cbc encryption
+      cipher: aes-256-cbc
+
+    hotfix:
+      <<: *release_defaults
+
+    production:
+      <<: *release_defaults
+
+
+
 Meta
 ----
 
 * Code: `git clone git://github.com/ClarityServices/symmetric-encryption.git`
 * Home: <https://github.com/ClarityServices/symmetric-encryption>
-* Docs: TODO <http://ClarityServices.github.com/symmetric-encryption/>
-* Bugs: <http://github.com/reidmorrison/symmetric-encryption/issues>
+* Bugs: <http://github.com/ClarityServices/symmetric-encryption/issues>
 * Gems: <http://rubygems.org/gems/symmetric-encryption>
 
 This project uses [Semantic Versioning](http://semver.org/).
@@ -55,3 +319,10 @@ distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
+
+Compliance
+----------
+
+Although this library has assisted Clarity in meeting PCI Compliance it in no
+way guarantees that PCI Compliance will be met by anyone using this library
+for encryption purposes.

data/examples/symmetric-encryption.yml

@@ -0,0 +1,66 @@
+#
+# Symmetric Encryption for Ruby
+#
+---
+# Just use test symmetric encryption keys in the development environment
+# No private key required since we are not reading the keys from a file
+development: &development_defaults
+  cipher: aes-256-cbc
+  symmetric_key: 1234567890ABCDEF1234567890ABCDEF
+  symmetric_iv: 1234567890ABCDEF
+
+test:
+  <<: *development_defaults
+
+release: &release_defaults
+  # Since the key to encrypt and decrypt with must NOT be stored along with the
+  # source code, we only hold a RSA key that is used to unlock the file
+  # containing the actual symmetric encryption key
+  #
+  # To generate a new RSA private key:
+  #    openssl genrsa 2048
+
+  # Sample RSA Key, do not use this one as is, generate a new one
+  private_rsa_key: |
+    -----BEGIN RSA PRIVATE KEY-----
+    MIIEpAIBAAKCAQEAxIL9H/jYUGpA38v6PowRSRJEo3aNVXULNM/QNRpx2DTf++KH
+    6DcuFTFcNSSSxG9n4y7tKi755be8N0uwCCuOzvXqfWmXYjbLwK3Ib2vm0btpHyvA
+    qxgqeJOOCxKdW/cUFLWn0tACUcEjVCNfWEGaFyvkOUuR7Ub9KfhbW9cZO3BxZMUf
+    IPGlHl/gWyf484sXygd+S7cpDTRRzo9RjG74DwfE0MFGf9a1fTkxnSgeOJ6asTOy
+    fp9tEToUlbglKaYGpOGHYQ9TV5ZsyJ9jRUyb4SP5wK2eK6dHTxTcHvT03kD90Hv4
+    WeKIXv3WOjkwNEyMdpnJJfSDb5oquQvCNi7ZSQIDAQABAoIBAQCbzR7TUoBugU+e
+    ICLvpC2wOYOh9kRoFLwlyv3QnH7WZFWRZzFJszYeJ1xr5etXQtyjCnmOkGAg+WOI
+    k8GlOKOpAuA/PpB/leJFiYL4lBwU/PmDdTT0cdx6bMKZlNCeMW8CXGQKiFDOcMqJ
+    0uGtH5YD+RChPIEeFsJxnC8SyZ9/t2ra7XnMGiCZvRXIUDSEIIsRx/mOymJ7bL+h
+    Lbp46IfXf6ZuIzwzoIk0JReV/r+wdmkAVDkrrMkCmVS4/X1wN/Tiik9/yvbsh/CL
+    ztC55eSIEjATkWxnXfPASZN6oUfQPEveGH3HzNjdncjH/Ho8FaNMIAfFpBhhLPi9
+    nG5sbH+BAoGBAOdoUyVoAA/QUa3/FkQaa7Ajjehe5MR5k6VtaGtcxrLiBjrNR7x+
+    nqlZlGvWDMiCz49dgj+G1Qk1bbYrZLRX/Hjeqy5dZOGLMfgf9eKUmS1rDwAzBMcj
+    M9jnnJEBx8HIlNzaR6wzp3GMd0rrccs660A8URvzkgo9qNbvMLq9vyUtAoGBANll
+    SY1Iv9uaIz8klTXU9YzYtsfUmgXzw7K8StPdbEbo8F1J3JPJB4D7QHF0ObIaSWuf
+    suZqLsvWlYGuJeyX2ntlBN82ORfvUdOrdrbDlmPyj4PfFVl0AK3U3Ai374DNrjKR
+    hF6YFm4TLDaJhUjeV5C43kbE1N2FAMS9LYtPJ44NAoGAFDGHZ/E+aCLerddfwwun
+    MBS6MnftcLPHTZ1RimTrNfsBXipBw1ItWEvn5s0kCm9X24PmdNK4TnhqHYaF4DL5
+    ZjbQK1idEA2Mi8GGPIKJJ2x7P6I0HYiV4qy7fe/w1ZlCXE90B7PuPbtrQY9wO7Ll
+    ipJ45X6I1PnyfOcckn8yafUCgYACtPAlgjJhWZn2v03cTbqA9nHQKyV/zXkyUIXd
+    /XPLrjrP7ouAi5A8WuSChR/yx8ECRgrEM65Be3qBEtoGCB4AS1G0NcigM6qhKBFi
+    VS0aMXr3+V8argcUIwJaWW/x+p2go48yXlJpLHPweeXe8mXEt4iM+QZte6p2yKQ4
+    h9PGQQKBgQCqSydmXBnXGIVTp2sH/2GnpxLYnDBpcJE0tM8bJ42HEQQgRThIChsn
+    PnGA91G9MVikYapgI0VYBHQOTsz8rTIUzsKwXG+TIaK+W84nxH5y6jUkjqwxZmAz
+    r1URaMAun2PfAB4g2N/kEZTExgeOGqXjFhvvjdzl97ux2cTyZhaTXg==
+    -----END RSA PRIVATE KEY-----
+
+  # Filename containing Symmetric Encryption Key
+  # Note: The file contents must be RSA 2048 bit encrypted
+  #       with the public key derived from the private key above
+  symmetric_key_filename: /etc/rails/.rails.key
+  symmetric_iv_filename: /etc/rails/.rails.iv
+
+  # Use aes-256-cbc encryption
+  cipher: aes-256-cbc
+
+hotfix:
+  <<: *release_defaults
+
+production:
+  <<: *release_defaults

data/lib/symmetric-encryption.rb

@@ -2,5 +2,8 @@ require 'symmetric/version'
 require 'symmetric/encryption'
 if defined?(Rails)
   require 'symmetric/railtie'
-  require "symmetric/extensions/active_record/base"
+end
+if defined?(ActiveRecord::Base)
+  require 'symmetric/extensions/active_record/base'
+  require 'symmetric/railties/symmetric_encrypted_validator'
 end

data/lib/symmetric/encryption.rb

@@ -1,6 +1,7 @@
 require 'base64'
 require 'openssl'
 require 'zlib'
+require 'yaml'
 
 module Symmetric
 
@@ -16,6 +17,27 @@ module Symmetric
       MAGIC_HEADER_SIZE = MAGIC_HEADER.size
     end
 
+    # The minimum length for an encrypted string
+    def self.min_encrypted_length
+      @@min_encrypted_length ||= encrypt('1').length
+    end
+
+    # Returns [true|false] a best effort determination as to whether the supplied
+    # string is encrypted or not, without incurring the penalty of actually
+    # decrypting the supplied data
+    #   Parameters:
+    #     encrypted_data: Encrypted string
+    def self.encrypted?(encrypted_data)
+      # Simple checks first
+      return false if (encrypted_data.length < min_encrypted_length) || (!encrypted_data.end_with?("\n"))
+      # For now have to decrypt it fully
+      begin
+        decrypt(encrypted_data) ? true : false
+      rescue
+        false
+      end
+    end
+
     # Set the Symmetric Cipher to be used
     def self.cipher=(cipher)
       @@cipher = cipher
@@ -55,8 +77,9 @@ module Symmetric
         self.key = symmetric_key
         self.iv = symmetric_iv
       else
-        self.load_keys(config['symmetric_key_filename'], config['symmetric_iv_filename'], config['private_rsa_key'])
+        load_keys(config['symmetric_key_filename'], config['symmetric_iv_filename'], config['private_rsa_key'])
       end
+      true
     end
 
     # Load the symmetric key to use for encrypting and decrypting data

data/lib/symmetric/railtie.rb

@@ -28,7 +28,7 @@ module Symmetric #:nodoc:
     #
     # Loaded before Active Record initializes since database.yml can have encrypted
     # passwords in it
-    initializer "load symmetry encryption keys" , :before=>"active_record.initialize_database" do
+    initializer "load symmetric encryption keys" , :before=>"active_record.initialize_database" do
       config_file = Rails.root.join("config", "symmetric-encryption.yml")
       if config_file.file?
         ::Symmetric::Encryption.load!(config_file, Rails.env)

data/lib/symmetric/railties/symmetric_encrypted_validator.rb

@@ -0,0 +1,18 @@
+# Add an ActiveModel Validator
+#
+# Example:
+#  class MyModel < ActiveRecord::Base
+#    validates :encrypted_ssn, :symmetric_encrypted => true
+#  end
+#
+#  m = MyModel.new
+#  m.valid?
+#  #  => false
+#  m.encrypted_ssn = Symmetric::Encryption.encrypt('123456789')
+#  m.valid?
+#  #  => true
+class SymmetricEncryptedValidator < ActiveModel::EachValidator
+  def validate_each(record, attribute, value)
+    record.errors.add(attribute, "must be a value encrypted using Symmetric::Encryption.encrypt") unless Symmetric::Encryption.encrypted?(value)
+  end
+end

data/lib/symmetric/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module Symmetric #:nodoc
-  VERSION = "0.1.2"
+  VERSION = "0.2.0"
 end

data/test/attr_encrypted_test.rb

@@ -0,0 +1,156 @@
+# Allow examples to be run in-place without requiring a gem install
+$LOAD_PATH.unshift File.dirname(__FILE__) + '/../lib'
+
+require 'rubygems'
+require 'logger'
+require 'erb'
+require 'test/unit'
+require 'shoulda'
+require 'active_record'
+require 'symmetric-encryption'
+
+# #TODO Need to supply the model and migrations for this test
+# Adding to existing AR model User
+# Unit Test for Symmetric::Encryption
+#
+
+#ROOT = File.join(File.dirname(__FILE__), '..')
+
+#['/lib', '/db'].each do |folder|
+#  $:.unshift File.join(ROOT, folder)
+#end
+
+ActiveRecord::Base.logger = Logger.new($stderr)
+ActiveRecord::Base.configurations = YAML::load(ERB.new(IO.read('test/config/database.yml')).result)
+ActiveRecord::Base.establish_connection('test')
+
+#ActiveRecord::Base.connection.create_database 'symmetric_encryption_test', :charset => :utf8
+#require 'db/schema'
+
+#The file db/schema.rb contains, for example:
+
+ActiveRecord::Schema.define :version => 0 do
+  create_table :users, :force => true do |t|
+    t.string :encrypted_bank_account_number
+    t.string :encrypted_social_security_number
+  end
+end
+
+class User < ActiveRecord::Base
+  attr_encrypted :bank_account_number
+  attr_encrypted :social_security_number
+
+  validates :encrypted_bank_account_number, :symmetric_encrypted => true
+  validates :encrypted_social_security_number, :symmetric_encrypted => true
+end
+
+class AttrEncryptedTest < Test::Unit::TestCase
+  context 'initialized' do
+
+    setup do
+      Symmetric::Encryption.load!(File.join(File.dirname(__FILE__), 'config', 'symmetric-encryption.yml'), 'test')
+    end
+
+    context 'an ActiveRecord environment' do
+      setup do
+        config_file = File.join(File.dirname(__FILE__), 'config', 'database.yml')
+        raise "database config not found. Create a config file at: test/config/database.yml" unless File.exists? config_file
+
+        cfg = YAML.load(ERB.new(File.new(config_file).read).result)['test']
+        raise("Environment 'test' not defined in test/config/database.yml") unless cfg
+
+        User.establish_connection(cfg)
+      end
+
+      context 'the Symmetric::Encryption Library' do
+
+        setup do
+          @bank_account_number = "1234567890"
+          @bank_account_number_encrypted = "QUxoUU8O/mi0o9ykgXNBFg==\n"
+
+          @social_security_number = "987654321"
+          @social_security_number_encrypted = "Jj7dKb3B0aUCnqH/YKGvKw==\n"
+
+          @user = User.new(
+            # Encrypted Attribute
+            :bank_account_number              => @bank_account_number,
+            # Encrypted Attribute
+            :social_security_number           => @social_security_number
+          )
+        end
+
+        should "have encrypted methods" do
+          assert_equal true, @user.respond_to?(:encrypted_bank_account_number)
+          assert_equal true, @user.respond_to?(:bank_account_number)
+          assert_equal true, @user.respond_to?(:encrypted_social_security_number)
+          assert_equal true, @user.respond_to?(:social_security_number)
+          assert_equal false, @user.respond_to?(:encrypted_name)
+        end
+
+        should "have unencrypted values" do
+          assert_equal @bank_account_number, @user.bank_account_number
+          assert_equal @social_security_number, @user.social_security_number
+        end
+
+        should "have encrypted values" do
+          assert_equal @bank_account_number_encrypted, @user.encrypted_bank_account_number
+          assert_equal @social_security_number_encrypted, @user.encrypted_social_security_number
+        end
+
+        should "encrypt" do
+          user = User.new
+          user.bank_account_number = @bank_account_number
+          assert_equal @bank_account_number, user.bank_account_number
+          assert_equal @bank_account_number_encrypted, user.encrypted_bank_account_number
+        end
+
+        should "allow lookups using unencrypted or encrypted column name" do
+          @user.save!
+
+          inq = User.find_by_bank_account_number(@bank_account_number)
+          assert_equal @bank_account_number, inq.bank_account_number
+          assert_equal @bank_account_number_encrypted, inq.encrypted_bank_account_number
+
+          @user.delete
+        end
+
+        should "return encrypted attributes for the class" do
+          expect = {:social_security_number=>:encrypted_social_security_number, :bank_account_number=>:encrypted_bank_account_number}
+          result = User.encrypted_attributes
+          expect.each_pair {|k,v| assert_equal expect[k], result[k]}
+        end
+
+        should "return encrypted keys for the class" do
+          expect = [:social_security_number, :bank_account_number]
+          result = User.encrypted_keys
+          expect.each {|val| assert_equal true, result.include?(val)}
+
+          # Also check encrypted_attribute?
+          expect.each {|val| assert_equal true, User.encrypted_attribute?(val)}
+        end
+
+        should "return encrypted columns for the class" do
+          expect = [:encrypted_social_security_number, :encrypted_bank_account_number]
+          result = User.encrypted_columns
+          expect.each {|val| assert_equal true, result.include?(val)}
+
+          # Also check encrypted_column?
+          expect.each {|val| assert_equal true, User.encrypted_column?(val)}
+        end
+
+        should "validate encrypted data" do
+          assert_equal true, @user.valid?
+          @user.encrypted_bank_account_number = '123'
+          assert_equal false, @user.valid?
+          assert_equal ["must be a value encrypted using Symmetric::Encryption.encrypt"], @user.errors[:encrypted_bank_account_number]
+          @user.encrypted_bank_account_number = Symmetric::Encryption.encrypt('123')
+          assert_equal true, @user.valid?
+          @user.bank_account_number = '123'
+          assert_equal true, @user.valid?
+        end
+
+      end
+
+    end
+  end
+end

data/test/config/database.yml

@@ -0,0 +1,7 @@
+test:
+  database: symmetric_encryption_test
+  username: root
+  password:
+  encoding: utf8
+  adapter:  mysql
+  host:     127.0.0.1

data/test/config/symmetric-encryption.yml

@@ -0,0 +1,43 @@
+#
+# Test Config
+#
+---
+test:
+  # Sample RSA Key, do not use this one as is, generate a new one
+  private_rsa_key: |
+    -----BEGIN RSA PRIVATE KEY-----
+    MIIEpAIBAAKCAQEAxIL9H/jYUGpA38v6PowRSRJEo3aNVXULNM/QNRpx2DTf++KH
+    6DcuFTFcNSSSxG9n4y7tKi755be8N0uwCCuOzvXqfWmXYjbLwK3Ib2vm0btpHyvA
+    qxgqeJOOCxKdW/cUFLWn0tACUcEjVCNfWEGaFyvkOUuR7Ub9KfhbW9cZO3BxZMUf
+    IPGlHl/gWyf484sXygd+S7cpDTRRzo9RjG74DwfE0MFGf9a1fTkxnSgeOJ6asTOy
+    fp9tEToUlbglKaYGpOGHYQ9TV5ZsyJ9jRUyb4SP5wK2eK6dHTxTcHvT03kD90Hv4
+    WeKIXv3WOjkwNEyMdpnJJfSDb5oquQvCNi7ZSQIDAQABAoIBAQCbzR7TUoBugU+e
+    ICLvpC2wOYOh9kRoFLwlyv3QnH7WZFWRZzFJszYeJ1xr5etXQtyjCnmOkGAg+WOI
+    k8GlOKOpAuA/PpB/leJFiYL4lBwU/PmDdTT0cdx6bMKZlNCeMW8CXGQKiFDOcMqJ
+    0uGtH5YD+RChPIEeFsJxnC8SyZ9/t2ra7XnMGiCZvRXIUDSEIIsRx/mOymJ7bL+h
+    Lbp46IfXf6ZuIzwzoIk0JReV/r+wdmkAVDkrrMkCmVS4/X1wN/Tiik9/yvbsh/CL
+    ztC55eSIEjATkWxnXfPASZN6oUfQPEveGH3HzNjdncjH/Ho8FaNMIAfFpBhhLPi9
+    nG5sbH+BAoGBAOdoUyVoAA/QUa3/FkQaa7Ajjehe5MR5k6VtaGtcxrLiBjrNR7x+
+    nqlZlGvWDMiCz49dgj+G1Qk1bbYrZLRX/Hjeqy5dZOGLMfgf9eKUmS1rDwAzBMcj
+    M9jnnJEBx8HIlNzaR6wzp3GMd0rrccs660A8URvzkgo9qNbvMLq9vyUtAoGBANll
+    SY1Iv9uaIz8klTXU9YzYtsfUmgXzw7K8StPdbEbo8F1J3JPJB4D7QHF0ObIaSWuf
+    suZqLsvWlYGuJeyX2ntlBN82ORfvUdOrdrbDlmPyj4PfFVl0AK3U3Ai374DNrjKR
+    hF6YFm4TLDaJhUjeV5C43kbE1N2FAMS9LYtPJ44NAoGAFDGHZ/E+aCLerddfwwun
+    MBS6MnftcLPHTZ1RimTrNfsBXipBw1ItWEvn5s0kCm9X24PmdNK4TnhqHYaF4DL5
+    ZjbQK1idEA2Mi8GGPIKJJ2x7P6I0HYiV4qy7fe/w1ZlCXE90B7PuPbtrQY9wO7Ll
+    ipJ45X6I1PnyfOcckn8yafUCgYACtPAlgjJhWZn2v03cTbqA9nHQKyV/zXkyUIXd
+    /XPLrjrP7ouAi5A8WuSChR/yx8ECRgrEM65Be3qBEtoGCB4AS1G0NcigM6qhKBFi
+    VS0aMXr3+V8argcUIwJaWW/x+p2go48yXlJpLHPweeXe8mXEt4iM+QZte6p2yKQ4
+    h9PGQQKBgQCqSydmXBnXGIVTp2sH/2GnpxLYnDBpcJE0tM8bJ42HEQQgRThIChsn
+    PnGA91G9MVikYapgI0VYBHQOTsz8rTIUzsKwXG+TIaK+W84nxH5y6jUkjqwxZmAz
+    r1URaMAun2PfAB4g2N/kEZTExgeOGqXjFhvvjdzl97ux2cTyZhaTXg==
+    -----END RSA PRIVATE KEY-----
+
+  # Filename containing Symmetric Encryption Key
+  # Note: The file contents must be RSA 2048 bit encrypted
+  #       with the public key derived from the private key above
+  symmetric_key_filename: test/config/test.key
+  symmetric_iv_filename:  test/config/test.iv
+
+  # Use aes-256-cbc encryption
+  cipher: aes-256-cbc

data/test/config/test.iv

@@ -0,0 +1,4 @@
+��i��pmX�Q"`
+�6;�Y	$X<�b��K׶md��Qa�ق�T�(�3�--�/F��w�8�Q�y9�ax�2/i��˹#3E���wX�&J
+�3��l�*�4�t���`�/K�w�(�F����S���qR3b�Т��_މ��f!.�㹐m�����/�����ZܻeX���"�_Z)��R�E�]P@p�"c���/"H�χm�!&��ڜv�v�G�X��#�����ɍ���S>�T?'�L��ȫ����
+�P

data/test/config/test.key

@@ -0,0 +1,2 @@
+e@	���D/�t4��k��"z��Qmg
+m��r��Ն��۪�ӃqE-�}��]��=���8�WzVܮ+�R�nt���R2����.��Iu�l

data/test/encryption_test.rb

@@ -4,99 +4,38 @@ $LOAD_PATH.unshift File.dirname(__FILE__) + '/../lib'
 require 'rubygems'
 require 'test/unit'
 require 'shoulda'
-require 'symmetric-encryption'
-require 'yaml'
-
-# #TODO Need to supply the model and migrations for this test
-class User
-  attr_encrypted :bank_account_number
-  attr_encrypted :social_security_number
-end
 
 # Unit Test for Symmetric::Encryption
 #
-class EncryptionTest <  ActiveSupport::TestCase
-  context 'the Symmetric::Encryption Library' do
+class EncryptionTest < Test::Unit::TestCase
+  context 'initialized' do
 
     setup do
-      @bank_account_number = "1234567890"
-      @bank_account_number_encrypted = "V8Dg6zeeIpDg4+qrn2mjlA==\n"
-
-      @social_security_number = "987654321"
-      @social_security_number_encrypted = "Qd0qzN6oVuATJQBTf8X6tg==\n"
-
-      @user = User.new(
-        # Encrypted Attribute
-        :bank_account_number              => @bank_account_number,
-        # Encrypted Attribute
-        :social_security_number           => @social_security_number
-      )
-    end
-
-    should "encrypt simple string" do
-      assert_equal @social_security_number_encrypted, Symmetric::Encryption.encrypt(@social_security_number)
-    end
-
-    should "decrypt string" do
-      assert_equal @social_security_number, Symmetric::Encryption.decrypt(@social_security_number_encrypted)
-    end
-
-    should "have encrypted methods" do
-      assert_equal true, @user.respond_to?(:encrypted_bank_account_number)
-      assert_equal true, @user.respond_to?(:encrypted_social_security_number)
-      assert_equal false, @user.respond_to?(:encrypted_name)
-    end
-
-    should "have unencrypted values" do
-      assert_equal @bank_account_number, @user.bank_account_number
-      assert_equal @social_security_number, @user.social_security_number
+      Symmetric::Encryption.load!(File.join(File.dirname(__FILE__), 'config', 'symmetric-encryption.yml'), 'test')
     end
 
-    should "have encrypted values" do
-      assert_equal @bank_account_number_encrypted, @user.encrypted_bank_account_number
-      assert_equal @social_security_number_encrypted, @user.encrypted_social_security_number
-    end
-
-    should "encrypt" do
-      user = User.new
-      user.bank_account_number = @bank_account_number
-      assert_equal @bank_account_number, user.bank_account_number
-      assert_equal @bank_account_number_encrypted, user.encrypted_bank_account_number
-    end
-
-    should "allow lookups using unencrypted or encrypted column name" do
-      user_id = @user.save!
-
-      inq = User.find_by_bank_account_number(@bank_account_number)
-      assert_equal @bank_account_number, inq.bank_account_number
-      assert_equal @bank_account_number_encrypted, inq.encrypted_bank_account_number
-
-      User.delete(user_id)
-    end
-
-    should "return encrypted attributes for the class" do
-      expect = {:social_security_number=>:encrypted_social_security_number, :bank_account_number=>:encrypted_bank_account_number, :check_bank_account_number=>:encrypted_check_bank_account_number}
-      result = User.encrypted_attributes
-      expect.each_pair {|k,v| assert_equal expect[k], result[k]}
-    end
+    context 'Symmetric::Encryption tests' do
+      setup do
+        @bank_account_number = "1234567890"
+        @bank_account_number_encrypted = "QUxoUU8O/mi0o9ykgXNBFg==\n"
 
-    should "return encrypted keys for the class" do
-      expect = [:social_security_number, :bank_account_number, :check_bank_account_number]
-      result = User.encrypted_keys
-      expect.each {|val| assert_equal true, result.include?(val)}
+        @social_security_number = "987654321"
+        @social_security_number_encrypted = "Jj7dKb3B0aUCnqH/YKGvKw==\n"
+      end
 
-      # Also check encrypted_attribute?
-      expect.each {|val| assert_equal true, User.encrypted_attribute?(val)}
-    end
+      should "encrypt simple string" do
+        assert_equal @social_security_number_encrypted, Symmetric::Encryption.encrypt(@social_security_number)
+      end
 
-    should "return encrypted columns for the class" do
-      expect = [:encrypted_social_security_number, :encrypted_bank_account_number, :encrypted_check_bank_account_number]
-      result = User.encrypted_columns
-      expect.each {|val| assert_equal true, result.include?(val)}
+      should "decrypt string" do
+        assert_equal @social_security_number, Symmetric::Encryption.decrypt(@social_security_number_encrypted)
+      end
 
-      # Also check encrypted_column?
-      expect.each {|val| assert_equal true, User.encrypted_column?(val)}
+      should "determine if string is encrypted" do
+        assert_equal true, Symmetric::Encryption.encrypted?(@social_security_number_encrypted)
+        assert_equal false, Symmetric::Encryption.encrypted?(@social_security_number)
+      end
     end
-
   end
+
 end

metadata

@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
   prerelease: false
   segments: 
   - 0
-  - 1
   - 2
-  version: 0.1.2
+  - 0
+  version: 0.2.0
 platform: ruby
 authors: 
 - Reid Morrison
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-01-24 00:00:00 -05:00
+date: 2012-03-14 00:00:00 -04:00
 default_executable: 
 dependencies: []
 
@@ -28,9 +28,11 @@ extensions: []
 extra_rdoc_files: []
 
 files: 
+- examples/symmetric-encryption.yml
 - lib/symmetric/encryption.rb
 - lib/symmetric/extensions/active_record/base.rb
 - lib/symmetric/railtie.rb
+- lib/symmetric/railties/symmetric_encrypted_validator.rb
 - lib/symmetric/railties/symmetric_encryption.rake
 - lib/symmetric/version.rb
 - lib/symmetric-encryption.rb
@@ -43,8 +45,12 @@ files:
 - nbproject/project.xml
 - Rakefile
 - README.md
-- symmetric-encryption-0.1.0.gem
-- symmetric-encryption-0.1.1.gem
+- symmetric-encryption-0.1.2.gem
+- test/attr_encrypted_test.rb
+- test/config/database.yml
+- test/config/symmetric-encryption.yml
+- test/config/test.iv
+- test/config/test.key
 - test/encryption_test.rb
 has_rdoc: true
 homepage: https://github.com/ClarityServices/symmetric-encryption