symmetric-encryption 3.8.3 → 3.9.0

data/lib/symmetric_encryption/config.rb

@@ -59,7 +59,6 @@ module SymmetricEncryption
     #  environment:
     #    Which environments config to load. Usually: production, development, etc.
     def self.extract_ciphers(config)
-      # RSA key to decrypt key files
       private_rsa_key = config[:private_rsa_key]
 
       config[:ciphers].collect do |cipher_config|

data/lib/symmetric_encryption/encoder.rb

@@ -0,0 +1,79 @@
+module SymmetricEncryption
+  module Encoder
+    def self.[](encoding)
+      case encoding
+      when :base64
+        Base64.new
+      when :base64strict
+        Base64Strict.new
+      when :base16
+        Base16.new
+      when :none
+        None.new
+      else
+        raise(ArgumentError, "Unknown encoder: #{encoding.inspect}")
+      end
+    end
+
+    def self.encode(binary_string, encoding)
+      encoder(encoding).encode(binary_string)
+    end
+
+    def self.decode(encoded_string, encoding)
+      encoder(encoding).decode(encoded_string)
+    end
+
+    class None
+      def encode(binary_string)
+        binary_string
+      end
+
+      def decode(encoded_string)
+        encoded_string
+      end
+    end
+
+    class Base64
+      def encode(binary_string)
+        return binary_string if binary_string.nil? || (binary_string == '')
+        encoded_string = ::Base64.encode64(binary_string)
+        encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
+      end
+
+      def decode(encoded_string)
+        return encoded_string if encoded_string.nil? || (encoded_string == '')
+        decoded_string = ::Base64.decode64(encoded_string)
+        decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
+      end
+    end
+
+    class Base64Strict
+      def encode(binary_string)
+        return binary_string if binary_string.nil? || (binary_string == '')
+        encoded_string = ::Base64.strict_encode64(binary_string)
+        encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
+      end
+
+      def decode(encoded_string)
+        return encoded_string if encoded_string.nil? || (encoded_string == '')
+        decoded_string = ::Base64.decode64(encoded_string)
+        decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
+      end
+    end
+
+    class Base16
+      def encode(binary_string)
+        return binary_string if binary_string.nil? || (binary_string == '')
+        encoded_string = binary_string.to_s.unpack('H*').first
+        encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
+      end
+
+      def decode(encoded_string)
+        return encoded_string if encoded_string.nil? || (encoded_string == '')
+        decoded_string = [encoded_string].pack('H*')
+        decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
+      end
+    end
+  end
+end
+

data/lib/symmetric_encryption/extensions/active_record/base.rb

@@ -1,147 +1,107 @@
 module ActiveRecord #:nodoc:
   class Base
+    # Transparently encrypt and decrypt values stored via ActiveRecord.
+    #
+    # Parameters:
+    # * Symbolic names of each method to create which has a corresponding
+    #   method already defined in rails starting with: encrypted_
+    # * Followed by an optional hash:
+    #     :random_iv [true|false]
+    #       Whether the encrypted value should use a random IV every time the
+    #       field is encrypted.
+    #       It is recommended to set this to true where feasible. If the encrypted
+    #       value could be used as part of a SQL where clause, or as part
+    #       of any lookup, then it must be false.
+    #       Setting random_iv to true will result in a different encrypted output for
+    #       the same input string.
+    #       Note: Only set to true if the field will never be used as part of
+    #         the where clause in an SQL query.
+    #       Note: When random_iv is true it will add a 8 byte header, plus the bytes
+    #         to store the random IV in every returned encrypted string, prior to the
+    #         encoding if any.
+    #       Default: false
+    #       Highly Recommended where feasible: true
+    #
+    #     :type [Symbol]
+    #       The type for this field, #see SymmetricEncryption::COERCION_TYPES
+    #       Default: :string
+    #
+    #     :compress [true|false]
+    #       Whether to compress str before encryption
+    #       Should only be used for large strings since compression overhead and
+    #       the overhead of adding the 'magic' header may exceed any benefits of
+    #       compression
+    #       Note: Adds a 6 byte header prior to encoding, only if :random_iv is false
+    #       Default: false
+    def self.attr_encrypted(*params)
+      # Ensure ActiveRecord has created all its methods first
+      # Ignore failures since the table may not yet actually exist
+      define_attribute_methods rescue nil
 
-    class << self # Class methods
-      # Drop in replacement for attr_encrypted gem, except that it uses
-      # SymmetricEncryption for managing the encryption key
-      #
-      # Parameters:
-      # * Symbolic names of each method to create which has a corresponding
-      #   method already defined in rails starting with: encrypted_
-      # * Followed by an optional hash:
-      #     :random_iv [true|false]
-      #       Whether the encrypted value should use a random IV every time the
-      #       field is encrypted.
-      #       It is recommended to set this to true where feasible. If the encrypted
-      #       value could be used as part of a SQL where clause, or as part
-      #       of any lookup, then it must be false.
-      #       Setting random_iv to true will result in a different encrypted output for
-      #       the same input string.
-      #       Note: Only set to true if the field will never be used as part of
-      #         the where clause in an SQL query.
-      #       Note: When random_iv is true it will add a 8 byte header, plus the bytes
-      #         to store the random IV in every returned encrypted string, prior to the
-      #         encoding if any.
-      #       Default: false
-      #       Highly Recommended where feasible: true
-      #
-      #     :type [Symbol]
-      #       The type for this field, #see SymmetricEncryption::COERCION_TYPES
-      #       Default: :string
-      #
-      #     :compress [true|false]
-      #       Whether to compress str before encryption
-      #       Should only be used for large strings since compression overhead and
-      #       the overhead of adding the 'magic' header may exceed any benefits of
-      #       compression
-      #       Note: Adds a 6 byte header prior to encoding, only if :random_iv is false
-      #       Default: false
-      def attr_encrypted(*params)
-        # Ensure ActiveRecord has created all its methods first
-        # Ignore failures since the table may not yet actually exist
-        define_attribute_methods rescue nil
+      options = params.last.is_a?(Hash) ? params.pop.dup : {}
 
-        options = params.last.is_a?(Hash) ? params.pop.dup : {}
-
-        params.each do |attribute|
-          SymmetricEncryption::Generator.generate_decrypted_accessors(self, attribute, "encrypted_#{attribute}", options)
-          encrypted_attributes[attribute.to_sym] = "encrypted_#{attribute}".to_sym
-        end
-      end
-
-      # Contains a hash of encrypted attributes with virtual attribute names as keys and real attribute
-      # names as values
-      #
-      # Example
-      #
-      #   class User < ActiveRecord::Base
-      #     attr_encrypted :email
-      #   end
-      #
-      #   User.encrypted_attributes  =>  { email: encrypted_email }
-      def encrypted_attributes
-        @encrypted_attributes ||= superclass.respond_to?(:encrypted_attributes) ? superclass.encrypted_attributes.dup : {}
-      end
-
-      # Return the name of all encrypted virtual attributes as an Array of symbols
-      # Example: [:email, :password]
-      def encrypted_keys
-        @encrypted_keys ||= encrypted_attributes.keys
-      end
-
-      # Return the name of all encrypted columns as an Array of symbols
-      # Example: [:encrypted_email, :encrypted_password]
-      def encrypted_columns
-        @encrypted_columns ||= encrypted_attributes.values
+      params.each do |attribute|
+        SymmetricEncryption::Generator.generate_decrypted_accessors(self, attribute, "encrypted_#{attribute}", options)
+        encrypted_attributes[attribute.to_sym] = "encrypted_#{attribute}".to_sym
       end
+    end
 
-      # Returns whether an attribute has been configured to be encrypted
-      #
-      # Example
-      #
-      #   class User < ActiveRecord::Base
-      #     attr_accessor :name
-      #     attr_encrypted :email
-      #   end
-      #
-      #   User.encrypted_attribute?(:name) # false
-      #   User.encrypted_attribute?(:email) # true
-      def encrypted_attribute?(attribute)
-        encrypted_keys.include?(attribute)
-      end
+    # Contains a hash of encrypted attributes with virtual attribute names as keys and real attribute
+    # names as values
+    #
+    # Example
+    #
+    #   class User < ActiveRecord::Base
+    #     attr_encrypted :email
+    #   end
+    #
+    #   User.encrypted_attributes  =>  { email: encrypted_email }
+    def self.encrypted_attributes
+      @encrypted_attributes ||= superclass.respond_to?(:encrypted_attributes) ? superclass.encrypted_attributes.dup : {}
+    end
 
-      # Returns whether the attribute is the database column to hold the
-      # encrypted data for a matching encrypted attribute
-      #
-      # Example
-      #
-      #   class User < ActiveRecord::Base
-      #     attr_accessor :name
-      #     attr_encrypted :email
-      #   end
-      #
-      #   User.encrypted_column?(:encrypted_name) # false
-      #   User.encrypted_column?(:encrypted_email) # true
-      def encrypted_column?(attribute)
-        encrypted_columns.include?(attribute)
-      end
+    # Return the name of all encrypted virtual attributes as an Array of symbols
+    # Example: [:email, :password]
+    def self.encrypted_keys
+      @encrypted_keys ||= encrypted_attributes.keys
+    end
 
-      private
+    # Return the name of all encrypted columns as an Array of symbols
+    # Example: [:encrypted_email, :encrypted_password]
+    def self.encrypted_columns
+      @encrypted_columns ||= encrypted_attributes.values
+    end
 
-      # Allows you to use dynamic methods like <tt>find_by_email</tt> or <tt>scoped_by_email</tt> for
-      # encrypted attributes
-      #
-      # This is useful for encrypting fields like email addresses. Your user's email addresses
-      # are encrypted in the database, but you can still look up a user by email for logging in
-      #
-      # Example
-      #
-      #   class User < ActiveRecord::Base
-      #     attr_encrypted :email
-      #   end
-      #
-      #   User.find_by_email_and_password('test@example.com', 'testing')
-      #   # results in a call to
-      #   User.find_by_encrypted_email_and_password('the_encrypted_version_of_test@example.com', 'testing')
-      def method_missing_with_attr_encrypted(method, *args, &block)
-        if match = /^(find|scoped)_(all_by|by)_([_a-zA-Z]\w*)$/.match(method.to_s)
-          attribute_names = match.captures.last.split('_and_')
-          attribute_names.each_with_index do |attribute, index|
-            encrypted_name = "encrypted_#{attribute}"
-            if method_defined? encrypted_name.to_sym
-              args[index]            = ::SymmetricEncryption.encrypt(args[index])
-              attribute_names[index] = encrypted_name
-            end
-          end
-          method = "#{match.captures[0]}_#{match.captures[1]}_#{attribute_names.join('_and_')}".to_sym
-        end
-        method_missing_without_attr_encrypted(method, *args, &block)
-      end
+    # Returns whether an attribute has been configured to be encrypted
+    #
+    # Example
+    #
+    #   class User < ActiveRecord::Base
+    #     attr_accessor :name
+    #     attr_encrypted :email
+    #   end
+    #
+    #   User.encrypted_attribute?(:name) # false
+    #   User.encrypted_attribute?(:email) # true
+    def self.encrypted_attribute?(attribute)
+      encrypted_keys.include?(attribute)
+    end
 
-      # Dynamic finders dropped in Rails 4.1
-      if ActiveRecord::VERSION::STRING.to_f < 4.1
-        alias_method_chain :method_missing, :attr_encrypted
-      end
+    # Returns whether the attribute is the database column to hold the
+    # encrypted data for a matching encrypted attribute
+    #
+    # Example
+    #
+    #   class User < ActiveRecord::Base
+    #     attr_accessor :name
+    #     attr_encrypted :email
+    #   end
+    #
+    #   User.encrypted_column?(:encrypted_name) # false
+    #   User.encrypted_column?(:encrypted_email) # true
+    def self.encrypted_column?(attribute)
+      encrypted_columns.include?(attribute)
     end
+
   end
 end

data/lib/symmetric_encryption/extensions/mongo_mapper/plugins/encrypted_key.rb

@@ -1,4 +1,6 @@
-# Support Encryption and decryption of fields in MongoMapper
+#
+# DEPRECATED !!!
+#
 module MongoMapper
   module Plugins
     module EncryptedKey
@@ -17,94 +19,6 @@ module MongoMapper
       }
 
       module ClassMethods
-        # MongoMapper::Document.encrypted_key
-        #
-        # Support automatic encryption and decryption of fields in MongoMapper
-        #
-        # Example:
-        #
-        #  class Person
-        #    include MongoMapper::Document
-        #
-        #    key           :name,                   String
-        #    encrypted_key :social_security_number, String
-        #    key           :date_of_birth,          Date
-        #    encrypted_key :life_history,           String, encrypted: { compress: true, random_iv: true }
-        #
-        #    # Encrypted fields are _always_ stored in Mongo as a String
-        #    # By specifying a type other than String, Symmetric Encryption will
-        #    # perform the necessary conversions
-        #    #
-        #    # The following types are supported:
-        #    #   String
-        #    #   Integer
-        #    #   Float
-        #    #   BigDecimal
-        #    #   DateTime
-        #    #   Time
-        #    #   Date
-        #    #   Hash - (Stored as encrypted JSON in MongoDB)
-        #    encrypted_key :age,                    Integer, encrypted: { random_iv: true }
-        #  end
-        #
-        # The above document results in the following document in the Mongo collection 'persons':
-        # {
-        #   'name' : 'Joe',
-        #   'encrypted_social_security_number' : '...',
-        #   'age'  : 21
-        #   'encrypted_life_history' : '...',
-        # }
-        #
-        # Symmetric Encryption creates the getters and setters to be able to work with the field
-        # in it's decrypted form. For example
-        #
-        # Example:
-        #   person = Person.where(encrypted_social_security_number: '...').first
-        #
-        #   puts "Decrypted Social Security Number is: #{person.social_security_number}"
-        #
-        #   # Or is the same as
-        #   puts "Decrypted Social Security Number is: #{SymmetricEncryption.decrypt(person.encrypted_social_security_number)}"
-        #
-        #   # Sets the encrypted_social_security_number to encrypted version
-        #   person.social_security_number = '123456789'
-        #
-        #   # Or, is equivalent to:
-        #   person.encrypted_social_security_number = SymmetricEncryption.encrypt('123456789')
-        #
-        # Note: Only 'String' types are currently supported for encryption
-        #
-        # Note: Unlike attr_encrypted finders must use the encrypted field name
-        #   Invalid Example, does not work:
-        #     person = Person.where(social_security_number: '123456789').first
-        #
-        #   Valid Example:
-        #     person = Person.where(encrypted_social_security_number: SymmetricEncryption.encrypt('123456789')).first
-        #
-        # Defines all the fields that are accessible on the Document
-        # For each field that is defined, a getter and setter will be
-        # added as an instance method to the Document.
-        #
-        # @example Define an encrypted key
-        #   encrypted_key :social_security_number, String, encrypted: {compress: false, random_iv: false}
-        #   encrypted_key :sensitive_text,         String, encrypted: {compress: true, random_iv: true}
-        #
-        # @param [ Symbol ] name The name of the key.
-        # @param [ Object ] type The type of the key.
-        # @param [ Hash ] options The options to pass to the field, including any MongoMapper specific options
-        #
-        # @option options [ Hash ] :encrypted consists of:
-        #     @option options [ Boolean ] :random_iv  Whether the encrypted value should use a random IV every time the field is encrypted.
-        #     @option options [ Boolean ] :compress   Whether to compress this encrypted field
-        #     @option options [ Symbol ]  :encrypt_as Name of the encypted field in Mongo
-        #
-        #     Some of the other regular MongoMapper options:
-        #       :default, :alias, :field_name, :accessors, :abbr
-        #
-        # Note:
-        #   Use MongoMapper's built-in support for :field_name to specify a different
-        #   field name in MongoDB for the encrypted field from what is used via the model
-        #
         def encrypted_key(key_name, type, full_options={})
           full_options       = full_options.is_a?(Hash) ? full_options.dup : {}
           options            = full_options.delete(:encrypted) || {}

data/lib/symmetric_encryption/key_encryption_key.rb

@@ -0,0 +1,32 @@
+require 'openssl'
+module SymmetricEncryption
+  # Class that manages the key that is used to encrypt the encryption key.
+  # Currently uses RSA asymmetric encryption to secure the key.
+  #
+  # Note:
+  #   No encoding or decoding is performed.
+  class KeyEncryptionKey
+    # Returns [String] a new key encryption key.
+    def self.generate(options = {})
+      options = options.dup
+      size    = options.delete(:size) || 2048
+      OpenSSL::PKey::RSA.generate(size).to_s
+    end
+
+    def initialize(key_encryption_key)
+      @rsa = OpenSSL::PKey::RSA.new(key_encryption_key)
+    end
+
+    def encrypt(key)
+      rsa.public_encrypt(key)
+    end
+
+    def decrypt(encrypted_key)
+      rsa.private_decrypt(encrypted_key)
+    end
+
+    private
+
+    attr_reader :rsa
+  end
+end