symmetric-encryption 3.9.1 → 4.0.0.beta3

data/lib/symmetric_encryption/cli.rb

@@ -0,0 +1,343 @@
+require 'optparse'
+require 'fileutils'
+module SymmetricEncryption
+  class CLI
+    attr_reader :key_path, :app_name, :encrypt, :config_file_path,
+                :decrypt, :random_password, :new_keys, :generate, :environment,
+                :keystore, :re_encrypt, :version, :output_file_name, :compress,
+                :environments, :cipher_name, :rolling_deploy, :rotate_keys, :rotate_kek, :prompt, :show_version,
+                :cleanup_keys, :activate_key, :migrate
+
+    KEYSTORES = [:heroku, :environment, :file]
+
+    def self.run!(argv)
+      new(argv).run!
+    end
+
+    def initialize(argv)
+      @version          = current_version
+      @environment      = ENV['RACK_ENV'] || ENV['RAILS_ENV'] || 'development'
+      @config_file_path = File.expand_path(ENV['SYMMETRIC_ENCRYPTION_CONFIG'] || 'config/symmetric-encryption.yml')
+      @app_name         = 'symmetric-encryption'
+      @key_path         = '/etc/symmetric-encryption'
+      @cipher_name      = 'aes-256-cbc'
+      @rolling_deploy   = false
+      @prompt           = false
+      @show_version     = false
+      @keystore         = :file
+
+      if argv.empty?
+        puts parser
+        exit -10
+      end
+      parser.parse!(argv)
+    end
+
+    def run!
+      raise(ArgumentError, 'Cannot cleanup keys and rotate keys at the same time') if cleanup_keys && rotate_keys
+
+      if show_version
+        puts "Symmetric Encryption v#{VERSION}"
+        puts "OpenSSL v#{OpenSSL::VERSION}"
+        puts "Environment: #{environment}"
+      elsif encrypt
+        load_config
+        prompt ? encrypt_string : encrypt_file(encrypt)
+      elsif decrypt
+        load_config
+        prompt ? decrypt_string : decrypt_file(decrypt)
+      elsif random_password
+        load_config
+        gen_random_password(random_password)
+      elsif migrate
+        run_migrate
+      elsif re_encrypt
+        load_config
+        SymmetricEncryption::Utils::ReEncryptFiles.new(version: version).process_directory(re_encrypt)
+      elsif activate_key
+        run_activate_key
+      elsif rotate_kek
+        run_rotate_kek
+      elsif rotate_keys
+        run_rotate_keys
+      elsif cleanup_keys
+        run_cleanup_keys
+      elsif generate
+        generate_new_config
+      else
+        puts parser
+      end
+    end
+
+    def parser
+      @parser ||= OptionParser.new do |opts|
+        opts.banner = <<BANNER
+Symmetric Encryption v#{VERSION}
+
+  For more information, see: https://rocketjob.github.io/symmetric-encryption/
+
+  Note: 
+    It is recommended to backup the current configuration file, or place it in version control before running
+    the configuration manipulation commands below.
+
+symmetric-encryption [options]
+BANNER
+
+        opts.on '-e', '--encrypt [FILE_NAME]', 'Encrypt a file, or read from stdin if no file name is supplied.' do |file_name|
+          @encrypt = file_name || STDIN
+        end
+
+        opts.on '-d', '--decrypt [FILE_NAME]', 'Decrypt a file, or read from stdin if no file name is supplied.' do |file_name|
+          @decrypt = file_name || STDIN
+        end
+
+        opts.on '-o', '--output FILE_NAME', 'Write encrypted or decrypted file to this file, otherwise output goes to stdout.' do |file_name|
+          @output_file_name = file_name
+        end
+
+        opts.on '-P', '--prompt', 'When encrypting or decrypting, prompt for a string encrypt or decrypt.' do
+          @prompt = true
+        end
+
+        opts.on '-z', '--compress', 'Compress encrypted output file.' do
+          @compress = true
+        end
+
+        opts.on '-E', '--env ENVIRONMENT', "Environment to use in the config file. Default: RACK_ENV || RAILS_ENV || 'development'" do |environment|
+          @environment = environment
+        end
+
+        opts.on '-c', '--config CONFIG_FILE_PATH', 'File name & path to the Symmetric Encryption configuration file. Default: config/symmetric-encryption.yml or Env var: `SYMMETRIC_ENCRYPTION_CONFIG`' do |path|
+          @config_file_path = path
+        end
+
+        opts.on '-m', '--migrate', 'Migrate configuration file to new format.' do
+          @migrate = true
+        end
+
+        opts.on '-r', '--re-encrypt [PATTERN]', 'ReEncrypt all files matching the pattern. Default:  "**/*.{yml,rb}"' do |pattern|
+          @re_encrypt = pattern || "**/*.{yml,rb}"
+        end
+
+        opts.on '-n', '--new-password [SIZE]', 'Generate a new random password using only characters that are URL-safe base64. Default size is 22.' do |size|
+          @random_password = (size || 22).to_i
+        end
+
+        opts.on '-g', '--generate', 'Generate a new configuration file and encryption keys for every environment.' do |config|
+          @generate = config
+        end
+
+        opts.on '-s', '--keystore heroku|environment|file', 'Generate a new configuration file and encryption keys for every environment.' do |keystore|
+          @keystore = (keystore || 'file').downcase.to_sym
+        end
+
+        opts.on '-K', '--key-path KEY_PATH', 'Output path in which to write generated key files. Default: /etc/symmetric-encryption' do |path|
+          @key_path = path
+        end
+
+        opts.on '-a', '--app-name NAME', 'Application name to use when generating a new configuration. Default: symmetric-encryption' do |name|
+          @app_name = name
+        end
+
+        opts.on '-S', '--environments ENVIRONMENTS', "Comma separated list of environments for which to generate the config file. Default: development,test,release,production" do |environments|
+          @environments = environments.split(',').collect(&:strip).collect(&:to_sym)
+        end
+
+        opts.on '-C', '--cipher-name NAME', "Name of the cipher to use when generating a new config file, or when rotating keys. Default: aes-256-cbc" do |name|
+          @cipher_name = name
+        end
+
+        opts.on '-R', '--rotate-keys', 'Generates a new encryption key version, encryption key files, and updates the configuration file.' do
+          @rotate_keys = true
+        end
+
+        opts.on '-U', '--rotate-kek', 'Replace the existing key encrypting keys only, the data encryption key is not changed, and updates the configuration file.' do
+          @rotate_kek = true
+        end
+
+        opts.on '-D', '--rolling-deploy', 'During key rotation, support a rolling deploy by placing the new key second in the list so that it is not activated yet.' do
+          @rolling_deploy = true
+        end
+
+        opts.on '-A', '--activate-key', 'Activates the key by moving the key with the highest version to the top.' do
+          @activate_key = true
+        end
+
+        opts.on '-X', '--cleanup-keys', 'Removes all encryption keys, except the one with the highest version from the configuration file.' do
+          @cleanup_keys = true
+        end
+
+        opts.on '-V', '--key-version NUMBER', "Encryption key version to use when encrypting or re-encrypting. Default: (Current global version)." do |number|
+          @version = number.to_i
+        end
+
+        opts.on '-L', '--ciphers', 'List available OpenSSL ciphers.' do
+          puts "OpenSSL v#{OpenSSL::VERSION}. Available Ciphers:"
+          puts OpenSSL::Cipher.ciphers.join("\n")
+          exit
+        end
+
+        opts.on '-v', '--version', 'Display Symmetric Encryption version.' do
+          @show_version = true
+        end
+
+        opts.on('-h', '--help', 'Prints this help.') do
+          puts opts
+          exit
+        end
+
+      end
+    end
+
+    private
+
+    attr_writer :environments
+
+    def load_config
+      Config.load!(file_name: config_file_path, env: environment)
+    end
+
+    def generate_new_config
+      config_file_does_not_exist!
+      self.environments ||= %i(development test release production)
+      cfg          =
+        if keystore == :file
+          SymmetricEncryption::Keystore::File.new_config(
+            key_path:     key_path,
+            app_name:     app_name,
+            environments: environments,
+            cipher_name:  cipher_name
+          )
+        elsif [:heroku, :environment].include?(keystore)
+          SymmetricEncryption::Keystore::Environment.new_config(
+            app_name:     app_name,
+            environments: environments,
+            cipher_name:  cipher_name
+          )
+        else
+          puts "Invalid keystore option: #{keystore}, must be one of #{KEYSTORES.join(', ')}"
+          exit -3
+        end
+      Config.write_file(config_file_path, cfg)
+      puts "New configuration file created at: #{config_file_path}"
+    end
+
+    def run_migrate
+      config = Config.read_file(config_file_path)
+      Config.write_file(config_file_path, config)
+      puts "Existing configuration file successfully migrated to the new format: #{config_file_path}"
+    end
+
+    def run_rotate_keys
+      config = Config.read_file(config_file_path)
+      SymmetricEncryption::Keystore.rotate_keys!(config, environments: environments || [], app_name: app_name, rolling_deploy: rolling_deploy)
+      Config.write_file(config_file_path, config)
+      puts "Existing configuration file updated with new keys: #{config_file_path}"
+    end
+
+    def run_rotate_kek
+      config = Config.read_file(config_file_path)
+      SymmetricEncryption::Keystore.rotate_key_encrypting_keys!(config, environments: environments || [], app_name: app_name)
+      Config.write_file(config_file_path, config)
+      puts "Existing configuration file updated with new key encrypting keys: #{config_file_path}"
+    end
+
+    def run_cleanup_keys
+      config = Config.read_file(config_file_path)
+      config.each_pair do |env, cfg|
+        next if environments && !environments.include?(env.to_sym)
+        if ciphers = cfg[:ciphers]
+          highest = ciphers.max_by { |i| i[:version] }
+          ciphers.clear
+          ciphers << highest
+        end
+      end
+
+      Config.write_file(config_file_path, config)
+      puts "Removed all but the key with the highest version in: #{config_file_path}"
+    end
+
+    def run_activate_key
+      config = Config.read_file(config_file_path)
+      config.each_pair do |env, cfg|
+        next if environments && !environments.include?(env.to_sym)
+        if ciphers = cfg[:ciphers]
+          highest = ciphers.max_by { |i| i[:version] }
+          ciphers.delete(highest)
+          ciphers.unshift(highest)
+        end
+      end
+
+      Config.write_file(config_file_path, config)
+      puts "Activated the keys with the highest versions in: #{config_file_path}"
+    end
+
+    def encrypt_file(input_file_name)
+      SymmetricEncryption::Writer.encrypt(source: input_file_name, target: output_file_name || STDOUT, compress: compress, version: version)
+    end
+
+    def decrypt_file(input_file_name)
+      SymmetricEncryption::Reader.decrypt(source: input_file_name, target: output_file_name || STDOUT, version: version)
+    end
+
+    def decrypt_string
+      begin
+        require 'highline'
+      rescue LoadError
+        puts("\nPlease install gem highline before using the command line task to decrypt an entered string.\n   gem install \"highline\"\n\n")
+        exit -2
+      end
+
+      encrypted = HighLine.new.ask('Enter the value to decrypt:')
+      text      = SymmetricEncryption.cipher(version).decrypt(encrypted)
+
+      puts("\n\nEncrypted: #{encrypted}")
+      output_file_name ? File.open(output_file_name, 'wb') { |f| f << text } : puts("Decrypted: #{text}\n\n")
+    end
+
+    def encrypt_string
+      begin
+        require 'highline'
+      rescue LoadError
+        puts("\nPlease install gem highline before using the command line task to encrypt an entered string.\n   gem install \"highline\"\n\n")
+        exit -2
+      end
+      value1 = nil
+      value2 = 0
+
+      while value1 != value2
+        value1 = HighLine.new.ask('Enter the value to encrypt:') { |q| q.echo = '*' }
+        value2 = HighLine.new.ask('Re-enter the value to encrypt:') { |q| q.echo = '*' }
+
+        if value1 != value2
+          puts('Values do not match, please try again')
+        end
+      end
+
+      encrypted = SymmetricEncryption.cipher(version).encrypt(value1, compress: compress)
+      output_file_name ? File.open(output_file_name, 'wb') { |f| f << encrypted } : puts("\n\nEncrypted: #{encrypted}\n\n")
+    end
+
+    def gen_random_password(size)
+      p = SymmetricEncryption.random_password(size)
+      puts("\nGenerated Password: #{p}")
+      encrypted = SymmetricEncryption.encrypt(p)
+      puts("Encrypted: #{encrypted}\n\n")
+      File.open(output_file_name, 'wb') { |f| f << encrypted } if output_file_name
+    end
+
+    def current_version
+      SymmetricEncryption.cipher.version
+    rescue SymmetricEncryption::ConfigError
+      nil
+    end
+
+    # Ensure that the config file does not already exist before generating a new one.
+    def config_file_does_not_exist!
+      return unless File.exist?(config_file_path)
+      puts "\nConfiguration file already exists, please move or rename: #{config_file_path}\n\n"
+      exit -1
+    end
+
+  end
+end

data/lib/symmetric_encryption/coerce.rb

@@ -13,8 +13,8 @@ module SymmetricEncryption
 
     # Coerce given value into given type
     # Does not coerce json or yaml values
-    def self.coerce(value, type, from_type=nil)
-      return if blank?(value)
+    def self.coerce(value, type, from_type = nil)
+      return value if value.nil? || (value == '')
 
       from_type ||= value.class
       case type
@@ -32,7 +32,8 @@ module SymmetricEncryption
     # Note: if the type is :string, then the value is returned as is, and the
     #   coercible gem is not used at all.
     def self.coerce_from_string(value, type)
-      return if value.nil?
+      return value if value.nil? || (value == '')
+
       case type
       when :string
         value
@@ -49,7 +50,7 @@ module SymmetricEncryption
     # Note: if the type is :string, and value is not nil, then #to_s is called
     #   on the value and the coercible gem is not used at all.
     def self.coerce_to_string(value, type)
-      return if value.nil?
+      return value if value.nil? || (value == '')
 
       case type
       when :string
@@ -72,21 +73,5 @@ module SymmetricEncryption
       end
     end
 
-    private
-
-    BLANK_RE = /\A[[:space:]]*\z/
-
-    # Returns [true|false] whether the supplied value is blank?
-    def self.blank?(value)
-      return true if value.nil?
-      if value.is_a?(String)
-        return true if value.empty?
-        # When Binary data is supplied that cannot convert to UTF-8 it is clearly not blank
-        return false unless value.dup.force_encoding(SymmetricEncryption::UTF8_ENCODING).valid_encoding?
-        (value =~ BLANK_RE) == 0
-      else
-        false
-      end
-    end
   end
 end

data/lib/symmetric_encryption/config.rb

@@ -1,72 +1,94 @@
+require 'erb'
+require 'yaml'
 module SymmetricEncryption
-  module Config
-    # Load the Encryption Configuration from a YAML file
-    #  filename:
-    #    Name of file to read.
-    #        Mandatory for non-Rails apps
-    #        Default: Rails.root/config/symmetric-encryption.yml
-    #  environment:
-    #    Which environments config to load. Usually: production, development, etc.
-    #    Default: Rails.env
-    def self.load!(filename=nil, environment=nil)
-      config  = read_config(filename, environment)
-      ciphers = extract_ciphers(config)
+  class Config
+    attr_reader :file_name, :env
 
+    # Load the Encryption Configuration from a YAML file.
+    #
+    #  file_name:
+    #    Name of configuration file.
+    #    Default: "#{Rails.root}/config/symmetric-encryption.yml"
+    #    Note:
+    #      The Symmetric Encryption config file name can also be set using the `SYMMETRIC_ENCRYPTION_CONFIG`
+    #      environment variable.
+    #
+    #  env:
+    #    Which environments config to load. Usually: production, development, etc.
+    #    Non-Rails apps can set env vars: RAILS_ENV, or RACK_ENV
+    #    Default: Rails.env || ENV['RACK_ENV'] || ENV['RAILS_ENV'] || 'development'
+    def self.load!(file_name: nil, env: nil)
+      config                                = new(file_name: file_name, env: env)
+      ciphers                               = config.ciphers
       SymmetricEncryption.cipher            = ciphers.shift
       SymmetricEncryption.secondary_ciphers = ciphers
       true
     end
 
-    private
+    # Reads the entire configuration for all environments from the supplied file name.
+    def self.read_file(file_name)
+      config = YAML.load(ERB.new(File.new(file_name).read).result)
+      config = deep_symbolize_keys(config)
+      config.each_pair { |env, cfg| SymmetricEncryption::Config.send(:migrate_old_formats!, cfg) }
+      config
+    end
 
-    # Returns [Hash] the configuration for the supplied environment
-    def self.read_config(filename=nil, environment=nil)
-      config_filename = filename || File.join(Rails.root, 'config', 'symmetric-encryption.yml')
-      cfg             = YAML.load(ERB.new(File.new(config_filename).read).result)[environment || Rails.env]
-      extract_config(cfg)
+    # Write the entire configuration for all environments to the supplied file name.
+    def self.write_file(file_name, config)
+      config = deep_stringify_keys(config)
+      File.open(file_name, 'w') do |f|
+        f.puts '# This file was auto generated by symmetric-encryption.'
+        f.puts '# Recommend using symmetric-encryption to make changes.'
+        f.puts '# For more info, run:'
+        f.puts '#   symmetric-encryption --help'
+        f.puts '#'
+        f.write(config.to_yaml)
+      end
     end
 
-    # Returns [ private_rsa_key, ciphers ] config
-    def self.extract_config(config)
-      config = deep_symbolize_keys(config)
+    # Load the Encryption Configuration from a YAML file.
+    #
+    # See: `.load!` for parameters.
+    def initialize(file_name: nil, env: nil)
+      unless env
+        env = defined?(Rails) ? Rails.env : ENV['RACK_ENV'] || ENV['RAILS_ENV'] || 'development'
+      end
 
-      # Old format?
-      unless config.has_key?(:ciphers)
-        config = {
-          private_rsa_key: config.delete(:private_rsa_key),
-          ciphers:         [config]
-        }
+      unless file_name
+        root      = defined?(Rails) ? Rails.root : '.'
+        file_name =
+          if env_var = ENV['SYMMETRIC_ENCRYPTION_CONFIG']
+            File.expand_path(env_var)
+          else
+            File.join(root, 'config', 'symmetric-encryption.yml')
+          end
+        raise(ConfigError, "Cannot find config file: #{file_name}") unless File.exist?(file_name)
       end
 
-      # Old format cipher name?
-      config[:ciphers] = config[:ciphers].collect do |cipher|
-        if old_key_name_cipher = cipher.delete(:cipher)
-          cipher[:cipher_name] = old_key_name_cipher
+      @env       = env
+      @file_name = file_name
+    end
+
+    # Returns [Hash] the configuration for the supplied environment.
+    def config
+      @config ||= begin
+        raise(ConfigError, "Cannot find config file: #{file_name}") unless File.exist?(file_name)
+        unless env_config = YAML.load(ERB.new(File.new(file_name).read).result)[env]
+          raise(ConfigError, "Cannot find environment: #{env} in config file: #{file_name}")
         end
-        cipher
+        env_config = self.class.deep_symbolize_keys(env_config)
+        self.class.migrate_old_formats!(env_config)
       end
-      config
     end
 
-    # Returns [Array(SymmetricEncrytion::Cipher)] ciphers specified in the configuration file
-    #
-    # Read the configuration from the YAML file and return in the latest format
-    #
-    #  filename:
-    #    Name of file to read.
-    #        Mandatory for non-Rails apps
-    #        Default: Rails.root/config/symmetric-encryption.yml
-    #  environment:
-    #    Which environments config to load. Usually: production, development, etc.
-    def self.extract_ciphers(config)
-      private_rsa_key = config[:private_rsa_key]
-
-      config[:ciphers].collect do |cipher_config|
-        Cipher.new({private_rsa_key: private_rsa_key}.merge(cipher_config))
-      end
+    # Returns [Array(SymmetricEncrytion::Cipher)] ciphers specified in the configuration file.
+    def ciphers
+      @ciphers ||= config[:ciphers].collect { |cipher_config| Cipher.from_config(cipher_config) }
     end
 
-    # Iterate through the Hash symbolizing all keys
+    private
+
+    # Iterate through the Hash symbolizing all keys.
     def self.deep_symbolize_keys(x)
       case x
       when Hash
@@ -83,5 +105,61 @@ module SymmetricEncryption
       end
     end
 
+    # Iterate through the Hash symbolizing all keys.
+    def self.deep_stringify_keys(x)
+      case x
+      when Hash
+        result = {}
+        x.each_pair do |key, value|
+          key         = key.to_s if key.is_a?(Symbol)
+          result[key] = deep_stringify_keys(value)
+        end
+        result
+      when Array
+        x.collect { |i| deep_stringify_keys(i) }
+      else
+        x
+      end
+    end
+
+    # Migrate old configuration format for this environment
+    def self.migrate_old_formats!(config)
+      # Inline single cipher before :ciphers
+      unless config.has_key?(:ciphers)
+        cipher = {}
+        config.keys.each { |key| cipher[key] = config.delete(key) }
+        config[:ciphers] = [cipher]
+      end
+
+      # Copy Old :private_rsa_key into each ciphers config
+      # Cipher.from_config replaces it with the RSA Kek
+      if config[:private_rsa_key]
+        private_rsa_key = config.delete(:private_rsa_key)
+        config[:ciphers].each { |cipher| cipher[:private_rsa_key] = private_rsa_key }
+      end
+
+      # Old :cipher_name
+      config[:ciphers].each do |cipher|
+        if old_key_name_cipher = cipher.delete(:cipher)
+          cipher[:cipher_name] = old_key_name_cipher
+        end
+
+        # Only temporarily used during v4 Beta process
+        if cipher[:key_encrypting_key].is_a?(String)
+          cipher[:private_rsa_key] = cipher.delete(:key_encrypting_key)
+        end
+
+        # Check for a prior env var in encrypted key
+        # Example:
+        #   encrypted_key: <%= ENV['VAR'] %>
+        if cipher.has_key?(:encrypted_key) && cipher[:encrypted_key].nil?
+          cipher[:key_env_var] = :placeholder
+          puts "WARNING: :encrypted_key resolved to nil. Please see the migrated config file for the new option :key_env_var."
+        end
+
+      end
+      config
+    end
+
   end
 end

data/lib/symmetric_encryption/extensions/mongo_mapper/plugins/encrypted_key.rb

@@ -20,8 +20,8 @@ module MongoMapper
 
       module ClassMethods
         def encrypted_key(key_name, type, full_options={})
-          full_options       = full_options.is_a?(Hash) ? full_options.dup : {}
-          options            = full_options.delete(:encrypted) || {}
+          full_options = full_options.is_a?(Hash) ? full_options.dup : {}
+          options      = full_options.delete(:encrypted) || {}
           # Support overriding the name of the decrypted attribute
           encrypted_key_name = options.delete(:encrypt_as) || "encrypted_#{key_name}"
           options[:type]     = COERCION_MAP[type] unless [:yaml, :json].include?(options[:type])

data/lib/symmetric_encryption/generator.rb

@@ -25,7 +25,8 @@ module SymmetricEncryption
         # Freeze the decrypted field value so that it is not modified directly
         def #{decrypted_name}=(value)
           v = SymmetricEncryption::Coerce.coerce(value, :#{type})
-          self.#{encrypted_name} = @stored_#{encrypted_name} = ::SymmetricEncryption.encrypt(v, #{random_iv}, #{compress}, :#{type})
+          return if (@#{decrypted_name} == v) && !v.nil? && !(v == '')
+          self.#{encrypted_name} = @stored_#{encrypted_name} = ::SymmetricEncryption.encrypt(v, random_iv: #{random_iv}, compress: #{compress}, type: :#{type})
           @#{decrypted_name} = v.freeze
         end
 
@@ -34,7 +35,7 @@ module SymmetricEncryption
         # If this method is not called, then the encrypted value is never decrypted
         def #{decrypted_name}
           if !defined?(@stored_#{encrypted_name}) || (@stored_#{encrypted_name} != self.#{encrypted_name})
-            @#{decrypted_name} = ::SymmetricEncryption.decrypt(self.#{encrypted_name}, nil, :#{type}).freeze
+            @#{decrypted_name} = ::SymmetricEncryption.decrypt(self.#{encrypted_name}, type: :#{type}).freeze
             @stored_#{encrypted_name} = self.#{encrypted_name}
           end
           @#{decrypted_name}