symmetric-encryption 3.9.1 → 4.0.0.beta3

data/test/keystore/environment_test.rb

@@ -0,0 +1,119 @@
+require_relative '../test_helper'
+require 'stringio'
+
+module SymmetricEncryption
+  class FileTest < Minitest::Test
+    describe SymmetricEncryption::Keystore::Environment do
+      after do
+        # Cleanup generated encryption key files.
+        `rm tmp/tester* 2> /dev/null`
+      end
+
+      describe '.new_key_config' do
+        let :version do
+          10
+        end
+
+        let :keystore_config do
+          SymmetricEncryption::Keystore::Environment.new_key_config(
+            cipher_name:        'aes-256-cbc',
+            app_name:           'tester',
+            environment:        'test',
+            version:            version
+          )
+        end
+
+        it 'increments the version' do
+          assert_equal 11, keystore_config[:version]
+        end
+
+        describe 'with 255 version' do
+          let :version do
+            255
+          end
+
+          it 'handles version wrap' do
+            assert_equal 1, keystore_config[:version]
+          end
+        end
+
+        describe 'with 0 version' do
+          let :version do
+            0
+          end
+
+          it 'increments version' do
+            assert_equal 1, keystore_config[:version]
+          end
+        end
+
+        it 'retains the env var name' do
+          assert_equal "TESTER_TEST_V11", keystore_config[:key_env_var]
+        end
+
+        it 'retains cipher_name' do
+          assert_equal 'aes-256-cbc', keystore_config[:cipher_name]
+        end
+      end
+
+      describe '.new_config' do
+        let :environments do
+          %i(development test acceptance preprod production)
+        end
+
+        let :config do
+          SymmetricEncryption::Keystore::Environment.new_config(
+            app_name:     'tester',
+            environments: environments,
+            cipher_name:  'aes-128-cbc'
+          )
+        end
+
+        it 'creates keys for each environment' do
+          assert_equal environments, config.keys, config
+        end
+
+        it 'use test config for development and test' do
+          assert_equal SymmetricEncryption::Keystore.dev_config, config[:test]
+          assert_equal SymmetricEncryption::Keystore.dev_config, config[:development]
+        end
+
+        it 'each non test environment has a key encryption key' do
+          (environments - %i(development test)).each do |env|
+            assert config[env][:ciphers].first[:key_encrypting_key], "Environment #{env} is missing the key encryption key"
+          end
+        end
+
+        it 'every environment has ciphers' do
+          environments.each do |env|
+            assert ciphers = config[env][:ciphers], "Environment #{env} is missing ciphers: #{config[env].inspect}"
+            assert_equal 1, ciphers.size
+          end
+        end
+
+        it 'creates an encrypted key file for all non-test environments' do
+          (environments - %i(development test)).each do |env|
+            assert ciphers = config[env][:ciphers], "Environment #{env} is missing ciphers: #{config[env].inspect}"
+            assert file_name = ciphers.first[:key_env_var], "Environment #{env} is missing key_env_var: #{ciphers.inspect}"
+          end
+        end
+      end
+
+      describe '#read' do
+        let :key do
+          SymmetricEncryption::Key.new
+        end
+
+        let :keystore do
+          SymmetricEncryption::Keystore::Environment.new(key_env_var: 'TESTER_ENV_VAR', key_encrypting_key: key)
+        end
+
+        it 'reads the key' do
+          ENV["TESTER_ENV_VAR"] = Base64.strict_encode64(key.encrypt('TEST'))
+          assert_equal 'TEST', keystore.read
+        end
+      end
+
+    end
+  end
+end

data/test/keystore/file_test.rb

@@ -0,0 +1,125 @@
+require_relative '../test_helper'
+require 'stringio'
+
+module SymmetricEncryption
+  class FileTest < Minitest::Test
+    describe SymmetricEncryption::Keystore::File do
+      after do
+        # Cleanup generated encryption key files.
+        `rm tmp/tester* 2> /dev/null`
+      end
+
+      describe '.new_key_config' do
+        let :version do
+          10
+        end
+
+        let :key_config do
+          SymmetricEncryption::Keystore::File.new_key_config(
+            key_path:           'tmp',
+            cipher_name:        'aes-256-cbc',
+            app_name:           'tester',
+            environment:        'test',
+            version:            version
+          )
+        end
+
+        it 'increments the version' do
+          assert_equal 11, key_config[:version]
+        end
+
+        describe 'with 255 version' do
+          let :version do
+            255
+          end
+
+          it 'handles version wrap' do
+            assert_equal 1, key_config[:version]
+          end
+        end
+
+        describe 'with 0 version' do
+          let :version do
+            0
+          end
+
+          it 'increments version' do
+            assert_equal 1, key_config[:version]
+          end
+        end
+
+        it 'creates the encrypted key file' do
+          file_name = 'tmp/tester_test_v11.encrypted_key'
+          assert_equal file_name, key_config[:key_filename]
+          assert File.exist?(file_name)
+        end
+
+        it 'retains cipher_name' do
+          assert_equal 'aes-256-cbc', key_config[:cipher_name]
+        end
+
+        it 'is readable by Key.from_config' do
+          key_config.delete(:version)
+          assert key = SymmetricEncryption::Key.from_config(key_config)
+        end
+      end
+
+      describe '.new_config' do
+        let :environments do
+          %i(development test acceptance preprod production)
+        end
+
+        let :config do
+          SymmetricEncryption::Keystore::File.new_config(
+            key_path:     'tmp',
+            app_name:     'tester',
+            environments: environments,
+            cipher_name:  'aes-128-cbc'
+          )
+        end
+
+        it 'creates keys for each environment' do
+          assert_equal environments, config.keys, config
+        end
+
+        it 'use test config for development and test' do
+          assert_equal SymmetricEncryption::Keystore.dev_config, config[:test]
+          assert_equal SymmetricEncryption::Keystore.dev_config, config[:development]
+        end
+
+        it 'each non test environment has a key encryption key' do
+          (environments - %i(development test)).each do |env|
+            assert config[env][:ciphers].first[:key_encrypting_key], "Environment #{env} is missing the key encryption key"
+          end
+        end
+
+        it 'every environment has ciphers' do
+          environments.each do |env|
+            assert ciphers = config[env][:ciphers], "Environment #{env} is missing ciphers: #{config[env].inspect}"
+            assert_equal 1, ciphers.size
+          end
+        end
+
+        it 'creates an encrypted key file for all non-test environments' do
+          (environments - %i(development test)).each do |env|
+            assert ciphers = config[env][:ciphers], "Environment #{env} is missing ciphers: #{config[env].inspect}"
+            assert file_name = ciphers.first[:key_filename], "Environment #{env} is missing key_filename: #{ciphers.inspect}"
+            assert File.exist?(file_name)
+          end
+        end
+      end
+
+      describe '#write, #read' do
+        let :keystore do
+          SymmetricEncryption::Keystore::File.new(file_name: 'tmp/tester.key', key_encrypting_key: SymmetricEncryption::Key.new)
+        end
+
+        it 'stores the key' do
+          keystore.write('TEST')
+          assert_equal 'TEST', keystore.read
+        end
+      end
+
+    end
+  end
+end

data/test/keystore_test.rb

@@ -0,0 +1,59 @@
+require_relative 'test_helper'
+
+module SymmetricEncryption
+  class KeystoreTest < Minitest::Test
+    describe SymmetricEncryption::Keystore do
+      let :keystore do
+        SymmetricEncryption::Keystore::File.new(file_name: 'tmp/tester.key', key_encrypting_key: SymmetricEncryption::Key.new)
+      end
+
+      after do
+        # Cleanup generated encryption key files.
+        `rm tmp/tester* 2>/dev/null`
+      end
+
+      describe '.rotate_keys' do
+        let :environments do
+          %i(development test acceptance preprod production)
+        end
+
+        let :config do
+          SymmetricEncryption::Keystore::File.new_config(
+            key_path:     'tmp',
+            app_name:     'tester',
+            environments: environments,
+            cipher_name:  'aes-128-cbc'
+          )
+        end
+
+        let :rolling_deploy do
+          false
+        end
+
+        let :key_rotation do
+          SymmetricEncryption::Keystore.rotate_keys!(
+            config,
+            environments:   environments,
+            app_name:       'tester',
+            rolling_deploy: rolling_deploy
+          )
+        end
+
+        it 'creates an encrypted key file for all non-test environments' do
+          (environments - %i(development test)).each do |env|
+            assert key_rotation
+            assert key_rotation[env.to_sym], key_rotation
+            assert key_rotation[env.to_sym][:ciphers]
+            assert ciphers = key_rotation[env.to_sym][:ciphers], "Environment #{env} is missing ciphers: #{key_rotation[env.to_sym].inspect}"
+            assert_equal 2, ciphers.size, "Environment #{env}: #{ciphers.inspect}"
+            assert new_config = ciphers.first
+            assert file_name = new_config[:key_filename], "Environment #{env} is missing key_filename: #{ciphers.inspect}"
+            assert File.exist?(file_name)
+            assert_equal 2, new_config[:version]
+          end
+        end
+      end
+
+    end
+  end
+end

data/test/mongoid_test.rb

@@ -85,17 +85,17 @@ begin
           encrypted_social_security_number: @social_security_number_encrypted,
           name:                             'Joe Bloggs',
           # data type specific fields
-          integer_value:                    @integer_value,
-          aliased_integer_value:            @integer_value,
-          float_value:                      @float_value,
-          decimal_value:                    @decimal_value,
-          datetime_value:                   @datetime_value,
-          time_value:                       @time_value,
-          date_value:                       @date_value,
-          true_value:                       true,
-          false_value:                      false,
-          data_yaml:                        @h.dup,
-          data_json:                        @h.dup
+          integer_value:         @integer_value,
+          aliased_integer_value: @integer_value,
+          float_value:           @float_value,
+          decimal_value:         @decimal_value,
+          datetime_value:        @datetime_value,
+          time_value:            @time_value,
+          date_value:            @date_value,
+          true_value:            true,
+          false_value:           false,
+          data_yaml:             @h.dup,
+          data_json:             @h.dup
         )
       end
 
@@ -153,9 +153,9 @@ begin
       it 'support a random iv' do
         @user.string = @string
         assert first_value = @user.encrypted_string
-        # Assign the same value
+        @user.string = 'blah'
         @user.string = @string.dup
-        assert_equal true, first_value != @user.encrypted_string
+        refute_equal first_value, @user.encrypted_string
       end
 
       it 'support a random iv and compress' do

data/test/reader_test.rb

@@ -6,25 +6,24 @@ require 'stringio'
 class ReaderTest < Minitest::Test
   describe SymmetricEncryption::Reader do
     before do
-      @data                          = [
+      @data     = [
         "Hello World\n",
         "Keep this secret\n",
         'And keep going even further and further...'
       ]
-      @data_str                      = @data.inject('') { |sum, str| sum << str }
-      @data_len                      = @data_str.length
+      @data_str = @data.inject('') { |sum, str| sum << str }
+      @data_len = @data_str.length
       # Use Cipher 0 since it does not always include a header
       @cipher                        = SymmetricEncryption.cipher(0)
-      @data_encrypted_without_header = @cipher.binary_encrypt(@data_str)
-
-      @data_encrypted_with_header = SymmetricEncryption::Cipher.build_header(
-        @cipher.version,
-        false,
-        @cipher.send(:iv),
-        @cipher.send(:key),
-        @cipher.cipher_name
+      @data_encrypted_without_header = @cipher.binary_encrypt(@data_str, header: false)
+
+      header                      = SymmetricEncryption::Header.new(
+        version:     @cipher.version,
+        iv:          @cipher.iv,
+        key:         @cipher.send(:key),
+        cipher_name: @cipher.cipher_name
       )
-      @data_encrypted_with_header << @cipher.binary_encrypt(@data_str)
+      @data_encrypted_with_header = @cipher.binary_encrypt(@data_str, header: header)
 
       # Verify regular decrypt can decrypt this string
       @cipher.binary_decrypt(@data_encrypted_without_header)
@@ -39,14 +38,14 @@ class ReaderTest < Minitest::Test
         end
 
         it "#read()" do
-          stream    = StringIO.new(@data_encrypted)
+          stream = StringIO.new(@data_encrypted)
           # Version 0 supplied if the file/stream does not have a header
           decrypted = SymmetricEncryption::Reader.open(stream, version: 0) { |file| file.read }
           assert_equal @data_str, decrypted
         end
 
         it "#read(size) followed by #read()" do
-          stream    = StringIO.new(@data_encrypted)
+          stream = StringIO.new(@data_encrypted)
           # Version 0 supplied if the file/stream does not have a header
           decrypted = SymmetricEncryption::Reader.open(stream, version: 0) do |file|
             file.read(10)
@@ -56,8 +55,8 @@ class ReaderTest < Minitest::Test
         end
 
         it "#each_line" do
-          stream    = StringIO.new(@data_encrypted)
-          i         = 0
+          stream = StringIO.new(@data_encrypted)
+          i      = 0
           # Version 0 supplied if the file/stream does not have a header
           SymmetricEncryption::Reader.open(stream, version: 0) do |file|
             file.each_line do |line|
@@ -68,7 +67,7 @@ class ReaderTest < Minitest::Test
         end
 
         it "#read(size)" do
-          stream    = StringIO.new(@data_encrypted)
+          stream = StringIO.new(@data_encrypted)
           # Version 0 supplied if the file/stream does not have a header
           SymmetricEncryption::Reader.open(stream, version: 0) do |file|
             index = 0
@@ -110,26 +109,26 @@ class ReaderTest < Minitest::Test
             case usecase
             when :data
               # Create encrypted file
-              @eof      = false
-              @filename = '_test'
-              @header   = (options[:header] != false)
-              SymmetricEncryption::Writer.open(@filename, options) do |file|
+              @eof       = false
+              @file_name = '_test'
+              @header    = (options[:header] != false)
+              SymmetricEncryption::Writer.open(@file_name, options) do |file|
                 @data.inject(0) { |sum, str| sum + file.write(str) }
               end
             when :empty
-              @data_str = ''
-              @eof      = true
-              @filename = '_test_empty'
-              @header   = (options[:header] != false)
-              SymmetricEncryption::Writer.open(@filename, options) do |file|
+              @data_str  = ''
+              @eof       = true
+              @file_name = '_test_empty'
+              @header    = (options[:header] != false)
+              SymmetricEncryption::Writer.open(@file_name, options) do |file|
                 # Leave data portion empty
               end
             when :blank
-              @data_str = ''
-              @eof      = true
-              @filename = File.join(File.dirname(__FILE__), 'config/empty.csv')
-              @header   = false
-              assert_equal 0, File.size(@filename)
+              @data_str  = ''
+              @eof       = true
+              @file_name = File.join(File.dirname(__FILE__), 'config/empty.csv')
+              @header    = false
+              assert_equal 0, File.size(@file_name)
             else
               raise "Unhandled usecase: #{usecase}"
             end
@@ -137,25 +136,25 @@ class ReaderTest < Minitest::Test
           end
 
           after do
-            File.delete(@filename) if File.exist?(@filename) && !@filename.end_with?('empty.csv')
+            File.delete(@file_name) if File.exist?(@file_name) && !@file_name.end_with?('empty.csv')
           end
 
           it '.empty?' do
-            assert_equal (@data_size==0), SymmetricEncryption::Reader.empty?(@filename)
+            assert_equal (@data_size==0), SymmetricEncryption::Reader.empty?(@file_name)
             assert_raises Errno::ENOENT do
               SymmetricEncryption::Reader.empty?('missing_file')
             end
           end
 
           it '.header_present?' do
-            assert_equal @header, SymmetricEncryption::Reader.header_present?(@filename)
+            assert_equal @header, SymmetricEncryption::Reader.header_present?(@file_name)
             assert_raises Errno::ENOENT do
               SymmetricEncryption::Reader.header_present?('missing_file')
             end
           end
 
           it '.open return Zlib::GzipReader when compressed' do
-            file = SymmetricEncryption::Reader.open(@filename)
+            file = SymmetricEncryption::Reader.open(@file_name)
             #assert_equal (@header && (options[:compress]||false)), file.is_a?(Zlib::GzipReader)
             file.close
           end
@@ -163,7 +162,7 @@ class ReaderTest < Minitest::Test
           it '#read' do
             data   = nil
             eof    = nil
-            result = SymmetricEncryption::Reader.open(@filename) do |file|
+            result = SymmetricEncryption::Reader.open(@file_name) do |file|
               eof  = file.eof?
               data = file.read
             end
@@ -173,7 +172,7 @@ class ReaderTest < Minitest::Test
           end
 
           it '#read(size)' do
-            file = SymmetricEncryption::Reader.open(@filename)
+            file = SymmetricEncryption::Reader.open(@file_name)
             eof  = file.eof?
             data = file.read(4096)
             file.close
@@ -188,7 +187,7 @@ class ReaderTest < Minitest::Test
           end
 
           it '#each_line' do
-            SymmetricEncryption::Reader.open(@filename) do |file|
+            SymmetricEncryption::Reader.open(@file_name) do |file|
               i = 0
               file.each_line do |line|
                 assert_equal @data[i], line
@@ -198,7 +197,7 @@ class ReaderTest < Minitest::Test
           end
 
           it '#rewind' do
-            decrypted = SymmetricEncryption::Reader.open(@filename) do |file|
+            decrypted = SymmetricEncryption::Reader.open(@file_name) do |file|
               file.read
               file.rewind
               file.read
@@ -207,7 +206,7 @@ class ReaderTest < Minitest::Test
           end
 
           it '#gets(nil,size)' do
-            file = SymmetricEncryption::Reader.open(@filename)
+            file = SymmetricEncryption::Reader.open(@file_name)
             eof  = file.eof?
             data = file.gets(nil, 4096)
             file.close
@@ -227,7 +226,7 @@ class ReaderTest < Minitest::Test
           end
 
           it '#gets(delim)' do
-            SymmetricEncryption::Reader.open(@filename) do |file|
+            SymmetricEncryption::Reader.open(@file_name) do |file|
               i = 0
               while line = file.gets("\n")
                 assert_equal @data[i], line
@@ -238,7 +237,7 @@ class ReaderTest < Minitest::Test
           end
 
           it '#gets(delim,size)' do
-            SymmetricEncryption::Reader.open(@filename) do |file|
+            SymmetricEncryption::Reader.open(@file_name) do |file|
               i = 0
               while file.gets("\n", 128)
                 i += 1
@@ -253,24 +252,24 @@ class ReaderTest < Minitest::Test
 
     describe 'reading from files with previous keys' do
       before do
-        @filename = '_test'
+        @file_name = '_test'
         # Create encrypted file with old encryption key
-        SymmetricEncryption::Writer.open(@filename, version: 0) do |file|
+        SymmetricEncryption::Writer.open(@file_name, version: 0) do |file|
           @data.inject(0) { |sum, str| sum + file.write(str) }
         end
       end
 
       after do
-        File.delete(@filename) if File.exist?(@filename)
+        File.delete(@file_name) if File.exist?(@file_name)
       end
 
       it 'decrypt from file in a single read' do
-        decrypted = SymmetricEncryption::Reader.open(@filename) { |file| file.read }
+        decrypted = SymmetricEncryption::Reader.open(@file_name) { |file| file.read }
         assert_equal @data_str, decrypted
       end
 
       it 'decrypt from file a line at a time' do
-        SymmetricEncryption::Reader.open(@filename) do |file|
+        SymmetricEncryption::Reader.open(@file_name) do |file|
           i = 0
           file.each_line do |line|
             assert_equal @data[i], line
@@ -280,7 +279,7 @@ class ReaderTest < Minitest::Test
       end
 
       it 'support rewind' do
-        decrypted = SymmetricEncryption::Reader.open(@filename) do |file|
+        decrypted = SymmetricEncryption::Reader.open(@file_name) do |file|
           file.read
           file.rewind
           file.read
@@ -291,30 +290,30 @@ class ReaderTest < Minitest::Test
 
     describe 'reading from files with previous keys without a header' do
       before do
-        @filename = '_test'
+        @file_name = '_test'
         # Create encrypted file with old encryption key
-        SymmetricEncryption::Writer.open(@filename, version: 0, header: false, random_key: false) do |file|
+        SymmetricEncryption::Writer.open(@file_name, version: 0, header: false, random_key: false, random_iv: false) do |file|
           @data.inject(0) { |sum, str| sum + file.write(str) }
         end
       end
 
       after do
         begin
-          File.delete(@filename) if File.exist?(@filename)
+          File.delete(@file_name) if File.exist?(@file_name)
         rescue Errno::EACCES
           # Required for Windows
         end
       end
 
       it 'decrypt from file in a single read' do
-        decrypted = SymmetricEncryption::Reader.open(@filename, version: 0) { |file| file.read }
+        decrypted = SymmetricEncryption::Reader.open(@file_name, version: 0) { |file| file.read }
         assert_equal @data_str, decrypted
       end
 
       it 'decrypt from file in a single read with different version' do
         # Should fail since file was encrypted using version 0 key
         assert_raises OpenSSL::Cipher::CipherError do
-          SymmetricEncryption::Reader.open(@filename, version: 2) { |file| file.read }
+          SymmetricEncryption::Reader.read(@file_name, version: 1)
         end
       end
     end