symmetric-encryption 3.8.3 → 3.9.0

data/lib/symmetric_encryption/railtie.rb

@@ -8,7 +8,7 @@ module SymmetricEncryption #:nodoc:
     #   module MyApplication
     #     class Application < Rails::Application
     #       config.symmetric_encryption.cipher = SymmetricEncryption::Cipher.new(
-    #         key:    '1234567890ABCDEF1234567890ABCDEF',
+    #         key:    '1234567890ABCDEF',
     #         iv:     '1234567890ABCDEF',
     #         cipher_name: 'aes-128-cbc'
     #       )
@@ -26,8 +26,8 @@ module SymmetricEncryption #:nodoc:
     # @example symmetric-encryption.yml
     #
     #   development:
-    #     cipher_name: aes-256-cbc
-    #     key:         1234567890ABCDEF1234567890ABCDEF
+    #     cipher_name: aes-128-cbc
+    #     key:         1234567890ABCDEF
     #     iv:          1234567890ABCDEF
     #
     # Loaded before Active Record initializes since database.yml can have encrypted

data/lib/symmetric_encryption/symmetric_encryption.rb

@@ -33,7 +33,7 @@ module SymmetricEncryption
   # Example: For testing purposes the following test cipher can be used:
   #
   #   SymmetricEncryption.cipher = SymmetricEncryption::Cipher.new(
-  #     key:    '1234567890ABCDEF1234567890ABCDEF',
+  #     key:    '1234567890ABCDEF',
   #     iv:     '1234567890ABCDEF',
   #     cipher: 'aes-128-cbc'
   #   )
@@ -253,7 +253,7 @@ module SymmetricEncryption
   #  environment:
   #    Which environments config to load. Usually: production, development, etc.
   #    Default: Rails.env
-  def self.load!(filename=nil, environment=nil)
+  def self.load!(filename = nil, environment = nil)
     Config.load!(filename, environment)
   end
 
@@ -261,18 +261,51 @@ module SymmetricEncryption
   #
   # Note: Only the current Encryption key settings are used
   #
-  # Creates Symmetric Key .key
-  #   and initialization vector .iv
-  #       which is encrypted with the above Public key
+  # Creates Symmetric Key .key and initialization vector .iv
+  # which is encrypted with the key encryption key.
   #
   # Existing key files will be renamed if present
-  def self.generate_symmetric_key_files(filename=nil, environment=nil)
+  def self.generate_symmetric_key_files(filename = nil, environment = nil)
     config        = Config.read_config(filename, environment)
 
     # Only regenerating the first configured cipher
     cipher_config = config[:ciphers].first
-    key_config    = {environment: environment, private_rsa_key: config[:private_rsa_key]}
-    Cipher.generate_random_keys(key_config.merge(cipher_config))
+
+    # Delete unused config keys to generate new random keys
+    [:version, :always_add_header].each do |key|
+      cipher_config.delete(key)
+    end
+
+    key_config    = {private_rsa_key: config[:private_rsa_key]}
+    cipher_cfg    = Cipher.generate_random_keys(key_config.merge(cipher_config))
+
+    puts
+    if encoded_encrypted_key = cipher_cfg[:encrypted_key]
+      puts 'If running in Heroku, add the environment specific key:'
+      puts "heroku config:add #{environment.upcase}_KEY1=#{encoded_encrypted_key}\n"
+    end
+
+    if encoded_encrypted_iv = cipher_cfg[:encrypted_iv]
+      puts 'If running in Heroku, add the environment specific key:'
+      puts "heroku config:add #{environment.upcase}_IV1=#{encoded_encrypted_iv}"
+    end
+
+    if key = cipher_cfg[:key]
+      puts "Please add the key: #{key} to your config file"
+    end
+
+    if iv = cipher_cfg[:iv]
+      puts "Please add the iv: #{iv} to your config file"
+    end
+
+    if file_name = cipher_cfg[:key_filename]
+      puts("Please copy #{file_name} to the other servers in #{environment}.")
+    end
+
+    if file_name = cipher_cfg[:iv_filename]
+      puts("Please copy #{file_name} to the other servers in #{environment}.")
+    end
+    cipher_cfg
   end
 
   # Generate a 22 character random password

data/lib/symmetric_encryption/utils/re_encrypt_config_files.rb

@@ -0,0 +1,82 @@
+# Used for re-encrypting encrypted passwords stored in configuration files.
+#
+# Search for `SymmetricEncryption.try_decrypt` in config files and replace the
+# encrypted value with one encrypted using the new encryption key.
+#
+# Example:
+#   re_encrypt = SymmetricEncryption::Utils::ReEncryptConfigFiles.new(version: 4)
+#   re_encrypt.process_directory('../../**/*.yml')
+module SymmetricEncryption
+  module Utils
+    class ReEncryptConfigFiles
+      DEFAULT_REGEXP = /\A(.*)SymmetricEncryption.try_decrypt[\s\(\"\'].([\w@=+\/\\]+)[\'\"](.*)\Z/
+
+      attr_accessor :cipher, :path, :search_regexp
+
+      # Parameters:
+      #   version: [Integer]
+      #     Version of the encryption key to use when re-encrypting the value.
+      #     Default: Default cipher ( first in the list of configured ciphers )
+      def initialize(params={})
+        params         = params.dup
+        version        = params.delete(:version)
+        @path          = params.delete(:path)
+        @search_regexp = params.delete(:search_regexp) || DEFAULT_REGEXP
+        @cipher        = SymmetricEncryption.cipher(version)
+        raise(ArgumentError, "Undefined encryption key version: #{version}") if @cipher.nil?
+        raise(ArgumentError, "Unknown parameters: #{params.inspect}") if params.size > 0
+      end
+
+      # Re-encrypt the supplied enctrypted value with the new cipher
+      def re_encrypt(encrypted)
+        if unencrypted = SymmetricEncryption.try_decrypt(encrypted)
+          cipher.encrypt(unencrypted)
+        else
+          encrypted
+        end
+      end
+
+      # Process a single file.
+      #
+      # Returns [true|false] whether the file was modified
+      def process_file(file_name)
+        match        = false
+        lines        = File.read(file_name)
+        output_lines = ''
+        lines.each_line do |line|
+          if result = line.match(search_regexp)
+            before_str = result[1]
+            encrypted  = result[2]
+            after_str  = result[3]
+            after_str  = after_str[1..-1] if after_str.starts_with?(')')
+            new_value  = re_encrypt(encrypted)
+            if new_value != encrypted
+              match = true
+              output_lines << "#{before_str}SymmetricEncryption.try_decrypt('#{new_value}')#{after_str}\n"
+            else
+              output_lines << line
+            end
+          else
+            output_lines << line
+          end
+        end
+        if match
+          File.open(file_name, 'wb') { |file| file.write(output_lines) }
+        end
+        match
+      end
+
+      # Process a directory of files.
+      #
+      # Parameters:
+      #   path: [String]
+      #     Search path to look for files in.
+      #     Example: '../../**/*.yml'
+      def process_directory(path)
+        Dir[path].each do |file_name|
+          process_file(file_name)
+        end
+      end
+    end
+  end
+end

data/lib/symmetric_encryption/version.rb

@@ -1,3 +1,3 @@
 module SymmetricEncryption #:nodoc
-  VERSION = '3.8.3'
+  VERSION = '3.9.0'
 end

data/test/active_record_test.rb

@@ -1,6 +1,5 @@
 require_relative 'test_helper'
 
-ActiveRecord::Base.logger         = SemanticLogger[ActiveRecord]
 ActiveRecord::Base.configurations = YAML::load(ERB.new(IO.read('test/config/database.yml')).result)
 ActiveRecord::Base.establish_connection(:test)
 
@@ -138,7 +137,7 @@ class ActiveRecordTest < Minitest::Test
       )
     end
 
-    it 'have encrypted methods' do
+    it 'has encrypted methods' do
       assert_equal true, @user.respond_to?(:encrypted_bank_account_number)
       assert_equal true, @user.respond_to?(:bank_account_number)
       assert_equal true, @user.respond_to?(:encrypted_social_security_number)
@@ -150,153 +149,155 @@ class ActiveRecordTest < Minitest::Test
       assert_equal true, @user.respond_to?(:bank_account_number_changed?)
     end
 
-    it 'have unencrypted values' do
+    it 'has unencrypted values' do
       assert_equal @bank_account_number, @user.bank_account_number
       assert_equal @social_security_number, @user.social_security_number
     end
 
-    it 'have encrypted values' do
+    it 'has encrypted values' do
       assert_equal @bank_account_number_encrypted, @user.encrypted_bank_account_number
       assert_equal @social_security_number_encrypted, @user.encrypted_social_security_number
     end
 
-    it 'support same iv' do
-      @user.social_security_number = @social_security_number
-      assert first_value = @user.social_security_number
-      # Assign the same value
-      @user.social_security_number = @social_security_number
-      assert_equal first_value, @user.social_security_number
-    end
-
-    it 'support a random iv' do
-      @user.string_value = STRING_VALUE
-      assert first_value = @user.encrypted_string_value
-      # Assign the same value
-      @user.string_value = STRING_VALUE.dup
-      assert first_value != @user.encrypted_string_value
-    end
+    describe ':random_iv' do
+      it 'false' do
+        @user.social_security_number = @social_security_number
+        assert first_value = @user.social_security_number
+        # Assign the same value
+        @user.social_security_number = @social_security_number
+        assert_equal first_value, @user.social_security_number
+      end
 
-    it 'support a random iv and compress' do
-      @user.string_value      = STRING_VALUE
-      @user.long_string_value = STRING_VALUE
+      it 'true' do
+        @user.string_value = STRING_VALUE
+        assert first_value = @user.encrypted_string_value
+        # Assign the same value
+        @user.string_value = STRING_VALUE.dup
+        assert first_value != @user.encrypted_string_value
+      end
 
-      refute_equal @user.encrypted_long_string_value, @user.encrypted_string_value
-    end
+      it 'true and compress: true' do
+        @user.string_value      = STRING_VALUE
+        @user.long_string_value = STRING_VALUE
 
-    it 'encrypt' do
-      user                     = User.new
-      user.bank_account_number = @bank_account_number
-      assert_equal @bank_account_number, user.bank_account_number
-      assert_equal @bank_account_number_encrypted, user.encrypted_bank_account_number
+        refute_equal @user.encrypted_long_string_value, @user.encrypted_string_value
+      end
     end
 
-    it 'allow lookups using unencrypted or encrypted column name' do
-      if ActiveRecord::VERSION::STRING.to_f < 4.1
-        @user.save!
-
-        inq = User.find_by_bank_account_number(@bank_account_number)
-        assert_equal @bank_account_number, inq.bank_account_number
-        assert_equal @bank_account_number_encrypted, inq.encrypted_bank_account_number
-
-        @user.delete
+    describe 'attribute=' do
+      it 'encrypt' do
+        user                     = User.new
+        user.bank_account_number = @bank_account_number
+        assert_equal @bank_account_number, user.bank_account_number
+        assert_equal @bank_account_number_encrypted, user.encrypted_bank_account_number
       end
-    end
 
-    it 'all paths it lead to the same result' do
-      assert_equal @bank_account_number_encrypted, (@user.encrypted_social_security_number = @bank_account_number_encrypted)
-      assert_equal @bank_account_number, @user.social_security_number
-      assert_equal @bank_account_number_encrypted, @user.encrypted_social_security_number
-    end
+      it 'all paths it lead to the same result' do
+        assert_equal @bank_account_number_encrypted, (@user.encrypted_social_security_number = @bank_account_number_encrypted)
+        assert_equal @bank_account_number, @user.social_security_number
+        assert_equal @bank_account_number_encrypted, @user.encrypted_social_security_number
+      end
 
-    it 'all paths it lead to the same result 2' do
-      assert_equal @bank_account_number, (@user.social_security_number = @bank_account_number)
-      assert_equal @bank_account_number_encrypted, @user.encrypted_social_security_number
-      assert_equal @bank_account_number, @user.social_security_number
-    end
+      it 'all paths it lead to the same result 2' do
+        assert_equal @bank_account_number, (@user.social_security_number = @bank_account_number)
+        assert_equal @bank_account_number_encrypted, @user.encrypted_social_security_number
+        assert_equal @bank_account_number, @user.social_security_number
+      end
 
-    it 'all paths it lead to the same result, check uninitialized' do
-      user = User.new
-      assert_equal nil, user.social_security_number
-      assert_equal @bank_account_number, (user.social_security_number = @bank_account_number)
-      assert_equal @bank_account_number, user.social_security_number
-      assert_equal @bank_account_number_encrypted, user.encrypted_social_security_number
+      it 'all paths it lead to the same result, check uninitialized' do
+        user = User.new
+        assert_nil user.social_security_number
+        assert_equal @bank_account_number, (user.social_security_number = @bank_account_number)
+        assert_equal @bank_account_number, user.social_security_number
+        assert_equal @bank_account_number_encrypted, user.encrypted_social_security_number
 
-      assert_equal nil, (user.social_security_number = nil)
-      assert_equal nil, user.social_security_number
-      assert_equal nil, user.encrypted_social_security_number
+        assert_nil (user.social_security_number = nil)
+        assert_nil user.social_security_number
+        assert_nil user.encrypted_social_security_number
+      end
     end
 
-    it 'allow unencrypted values to be passed to the constructor' do
-      user = User.new(bank_account_number: @bank_account_number, social_security_number: @social_security_number)
-      assert_equal @bank_account_number, user.bank_account_number
-      assert_equal @social_security_number, user.social_security_number
-      assert_equal @bank_account_number_encrypted, user.encrypted_bank_account_number
-      assert_equal @social_security_number_encrypted, user.encrypted_social_security_number
+    describe '.new' do
+      it 'allows unencrypted values to be passed to the constructor' do
+        user = User.new(bank_account_number: @bank_account_number, social_security_number: @social_security_number)
+        assert_equal @bank_account_number, user.bank_account_number
+        assert_equal @social_security_number, user.social_security_number
+        assert_equal @bank_account_number_encrypted, user.encrypted_bank_account_number
+        assert_equal @social_security_number_encrypted, user.encrypted_social_security_number
+      end
     end
 
-    it 'return encrypted attributes for the class' do
-      expect = {social_security_number: :encrypted_social_security_number, bank_account_number: :encrypted_bank_account_number}
-      result = User.encrypted_attributes
-      expect.each_pair { |k, v| assert_equal expect[k], result[k] }
+    describe '.encrypted_attributes' do
+      it 'returns encrypted attributes for the class' do
+        expect = {social_security_number: :encrypted_social_security_number, bank_account_number: :encrypted_bank_account_number}
+        result = User.encrypted_attributes
+        expect.each_pair { |k, v| assert_equal expect[k], result[k] }
+      end
     end
 
-    it 'return encrypted keys for the class' do
-      expect = [:social_security_number, :bank_account_number]
-      result = User.encrypted_keys
-      expect.each { |val| assert result.include?(val) }
+    describe '.encrypted_keys' do
+      it 'return encrypted keys for the class' do
+        expect = [:social_security_number, :bank_account_number]
+        result = User.encrypted_keys
+        expect.each { |val| assert result.include?(val) }
 
-      # Also check encrypted_attribute?
-      expect.each { |val| assert User.encrypted_attribute?(val) }
+        # Also check encrypted_attribute?
+        expect.each { |val| assert User.encrypted_attribute?(val) }
+      end
     end
 
-    it 'return encrypted columns for the class' do
-      expect = [:encrypted_social_security_number, :encrypted_bank_account_number]
-      result = User.encrypted_columns
-      expect.each { |val| assert result.include?(val) }
+    describe '.encrypted_columns' do
+      it 'return encrypted columns for the class' do
+        expect = [:encrypted_social_security_number, :encrypted_bank_account_number]
+        result = User.encrypted_columns
+        expect.each { |val| assert result.include?(val) }
 
-      # Also check encrypted_column?
-      expect.each { |val| assert User.encrypted_column?(val) }
+        # Also check encrypted_column?
+        expect.each { |val| assert User.encrypted_column?(val) }
+      end
     end
 
-    it 'validate encrypted data' do
-      assert @user.valid?
-      @user.encrypted_bank_account_number = '123'
-      assert_equal false, @user.valid?
-      assert_equal ['must be a value encrypted using SymmetricEncryption.encrypt'], @user.errors[:encrypted_bank_account_number]
-      @user.encrypted_bank_account_number = SymmetricEncryption.encrypt('123')
-      assert @user.valid?
-      @user.bank_account_number = '123'
-      assert @user.valid?
-    end
+    describe '#valid?' do
+      it 'validate encrypted data' do
+        assert @user.valid?
+        @user.encrypted_bank_account_number = '123'
+        assert_equal false, @user.valid?
+        assert_equal ['must be a value encrypted using SymmetricEncryption.encrypt'], @user.errors[:encrypted_bank_account_number]
+        @user.encrypted_bank_account_number = SymmetricEncryption.encrypt('123')
+        assert @user.valid?
+        @user.bank_account_number = '123'
+        assert @user.valid?
+      end
 
-    it 'validate un-encrypted string data' do
-      assert @user.valid?
-      @user.text = '123'
-      assert_equal false, @user.valid?
-      assert_equal ['only allows letters'], @user.errors[:text]
-      @user.text = nil
-      assert_equal false, @user.valid?
-      assert_equal ['only allows letters', "can't be blank"], @user.errors[:text]
-      @user.text = ''
-      assert_equal false, @user.valid?
-      assert_equal ['only allows letters', "can't be blank"], @user.errors[:text]
-    end
+      it 'validate un-encrypted string data' do
+        assert @user.valid?
+        @user.text = '123'
+        assert_equal false, @user.valid?
+        assert_equal ['only allows letters'], @user.errors[:text]
+        @user.text = nil
+        assert_equal false, @user.valid?
+        assert_equal ['only allows letters', "can't be blank"], @user.errors[:text]
+        @user.text = ''
+        assert_equal false, @user.valid?
+        assert_equal ['only allows letters', "can't be blank"], @user.errors[:text]
+      end
 
-    it 'validate un-encrypted integer data with coercion' do
-      assert @user.valid?
-      @user.number = '123'
-      assert @user.valid?
-      assert_equal 123, @user.number
-      assert @user.valid?
-      @user.number = ''
-      assert_equal false, @user.valid?
-      assert_equal nil, @user.number
-      assert_equal ["can't be blank"], @user.errors[:number]
-      @user.number = nil
-      assert_equal nil, @user.number
-      assert_equal nil, @user.encrypted_number
-      assert_equal false, @user.valid?
-      assert_equal ["can't be blank"], @user.errors[:number]
+      it 'validate un-encrypted integer data with coercion' do
+        assert @user.valid?
+        @user.number = '123'
+        assert @user.valid?
+        assert_equal 123, @user.number
+        assert @user.valid?
+        @user.number = ''
+        assert_equal false, @user.valid?
+        assert_nil @user.number
+        assert_equal ["can't be blank"], @user.errors[:number]
+        @user.number = nil
+        assert_nil @user.number
+        assert_nil @user.encrypted_number
+        assert_equal false, @user.valid?
+        assert_equal ["can't be blank"], @user.errors[:number]
+      end
     end
 
     describe 'with saved user' do
@@ -329,28 +330,30 @@ class ActiveRecordTest < Minitest::Test
         end
       end
 
-      it 'revert changes on reload' do
-        new_bank_account_number   = '444444444'
-        @user.bank_account_number = new_bank_account_number
-        assert_equal new_bank_account_number, @user.bank_account_number
-
-        # Reload User model from the database
-        @user.reload
-        assert_equal @bank_account_number_encrypted, @user.encrypted_bank_account_number
-        assert_equal @bank_account_number, @user.bank_account_number
-      end
+      describe '#reload' do
+        it 'reverts changes' do
+          new_bank_account_number   = '444444444'
+          @user.bank_account_number = new_bank_account_number
+          assert_equal new_bank_account_number, @user.bank_account_number
 
-      it 'revert changes to encrypted field on reload' do
-        new_bank_account_number             = '111111111'
-        new_encrypted_bank_account_number   = SymmetricEncryption.encrypt(new_bank_account_number)
-        @user.encrypted_bank_account_number = new_encrypted_bank_account_number
-        assert_equal new_encrypted_bank_account_number, @user.encrypted_bank_account_number
-        assert_equal new_bank_account_number, @user.bank_account_number
+          # Reload User model from the database
+          @user.reload
+          assert_equal @bank_account_number_encrypted, @user.encrypted_bank_account_number
+          assert_equal @bank_account_number, @user.bank_account_number
+        end
 
-        # Reload User model from the database
-        @user.reload
-        assert_equal @bank_account_number_encrypted, @user.encrypted_bank_account_number
-        assert_equal @bank_account_number, @user.bank_account_number
+        it 'reverts changes to encrypted field' do
+          new_bank_account_number             = '111111111'
+          new_encrypted_bank_account_number   = SymmetricEncryption.encrypt(new_bank_account_number)
+          @user.encrypted_bank_account_number = new_encrypted_bank_account_number
+          assert_equal new_encrypted_bank_account_number, @user.encrypted_bank_account_number
+          assert_equal new_bank_account_number, @user.bank_account_number
+
+          # Reload User model from the database
+          @user.reload
+          assert_equal @bank_account_number_encrypted, @user.encrypted_bank_account_number
+          assert_equal @bank_account_number, @user.bank_account_number
+        end
       end
 
       describe 'data types' do
@@ -383,8 +386,11 @@ class ActiveRecordTest < Minitest::Test
             end
 
             it 'return correct data type' do
-              assert_equal @value, @user_clone.send(@attribute), @user_clone.attributes.ai
-              assert @user.clone.send(@attribute).kind_of?(@klass)
+              val = @user_clone.send(@attribute)
+              # Need to dup since minitest attempts to modify the decrypted value which is frozen
+              val = val.dup if val.duplicable?
+              assert_equal @value, val, @user_clone.attributes.ai
+              assert @user.send(@attribute).kind_of?(@klass)
             end
 
             it 'coerce data type before save' do
@@ -425,7 +431,10 @@ class ActiveRecordTest < Minitest::Test
               @user_clone.save!
 
               @user.reload
-              assert_equal @new_value, @user.send(@attribute)
+              val = @user.send(@attribute)
+              # Need to dup since minitest attempts to modify the decrypted value which is frozen
+              val = val.dup if val.duplicable?
+              assert_equal @new_value, val
             end
           end
         end