symmetric-encryption 4.0.1 → 4.1.0.beta1

data/lib/symmetric_encryption/keystore/environment.rb

@@ -4,32 +4,10 @@ module SymmetricEncryption
     class Environment < Memory
       attr_accessor :key_env_var, :encoding
 
-      # Returns [Hash] initial configuration for heroku.
-      # Displays the keys that need to be added to the heroku environment.
-      def self.new_config(app_name: 'symmetric-encryption',
-                          environments: %i[development test release production],
-                          cipher_name: 'aes-256-cbc')
-
-        configs = {}
-        environments.each do |environment|
-          environment          = environment.to_sym
-          configs[environment] =
-            if %i[development test].include?(environment)
-              Keystore.dev_config
-            else
-              cfg = new_key_config(cipher_name: cipher_name, app_name: app_name, environment: environment)
-              {
-                ciphers: [cfg]
-              }
-            end
-        end
-        configs
-      end
-
-      # Returns [Hash] a new cipher, and writes its encrypted key file.
+      # Returns [Hash] a new keystore configuration after generating the data key.
       #
       # Increments the supplied version number by 1.
-      def self.new_key_config(cipher_name:, app_name:, environment:, version: 0, dek: nil)
+      def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil)
         version >= 255 ? (version = 1) : (version += 1)
 
         kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
@@ -39,6 +17,7 @@ module SymmetricEncryption
         new(key_env_var: key_env_var, key_encrypting_key: kek).write(dek.key)
 
         {
+          keystore:           :environment,
           cipher_name:        dek.cipher_name,
           version:            version,
           key_env_var:        key_env_var,
@@ -70,11 +49,8 @@ module SymmetricEncryption
       def write(key)
         encrypted_key = key_encrypting_key.encrypt(key)
         puts "\n\n********************************************************************************"
-        puts "Add the environment key to Heroku:\n\n"
-        puts "  heroku config:add #{key_env_var}=#{encoder.encode(encrypted_key)}"
-        puts
-        puts "Or, if using environment variables on another system set the environment variable as follows:\n\n"
-        puts "  export #{key_env_var}=\"#{encoder.encode(encrypted_key)}\"\n\n"
+        puts "Set the environment variable as follows:"
+        puts "  export #{key_env_var}=\"#{encoder.encode(encrypted_key)}\""
         puts '********************************************************************************'
       end
 

data/lib/symmetric_encryption/keystore/file.rb

@@ -3,33 +3,10 @@ module SymmetricEncryption
     class File
       attr_accessor :file_name, :key_encrypting_key
 
-      # Returns [Hash] initial configuration.
-      # Generates the encrypted key file for every environment except development and test.
-      def self.new_config(key_path: '/etc/symmetric-encryption',
-                          app_name: 'symmetric-encryption',
-                          environments: %i[development test release production],
-                          cipher_name: 'aes-256-cbc')
-
-        configs = {}
-        environments.each do |environment|
-          environment          = environment.to_sym
-          configs[environment] =
-            if %i[development test].include?(environment)
-              Keystore.dev_config
-            else
-              cfg = new_key_config(key_path: key_path, cipher_name: cipher_name, app_name: app_name, environment: environment)
-              {
-                ciphers: [cfg]
-              }
-            end
-        end
-        configs
-      end
-
-      # Returns [Hash] a new cipher, and writes its encrypted key file.
+      # Returns [Hash] a new keystore configuration after generating the data key.
       #
       # Increments the supplied version number by 1.
-      def self.new_key_config(key_path:, cipher_name:, app_name:, environment:, version: 0, dek: nil)
+      def self.generate_data_key(key_path:, cipher_name:, app_name:, environment:, version: 0, dek: nil)
         version >= 255 ? (version = 1) : (version += 1)
 
         dek   ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
@@ -37,12 +14,13 @@ module SymmetricEncryption
         kekek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
 
         dek_file_name = ::File.join(key_path, "#{app_name}_#{environment}_v#{version}.encrypted_key")
-        new(file_name: dek_file_name, key_encrypting_key: kek).write(dek.key)
+        new(key_filename: dek_file_name, key_encrypting_key: kek).write(dek.key)
 
         kekek_file_name = ::File.join(key_path, "#{app_name}_#{environment}_v#{version}.kekek")
-        new(file_name: kekek_file_name).write(kekek.key)
+        new(key_filename: kekek_file_name).write(kekek.key)
 
         {
+          keystore:           :file,
           cipher_name:        dek.cipher_name,
           version:            version,
           key_filename:       dek_file_name,
@@ -60,8 +38,8 @@ module SymmetricEncryption
 
       # Stores the Encryption key in a file.
       # Secures the Encryption key by encrypting it with a key encryption key.
-      def initialize(file_name:, key_encrypting_key: nil)
-        @file_name          = file_name
+      def initialize(key_filename:, key_encrypting_key: nil)
+        @file_name          = key_filename
         @key_encrypting_key = key_encrypting_key
       end
 

data/lib/symmetric_encryption/keystore/heroku.rb

@@ -0,0 +1,22 @@
+module SymmetricEncryption
+  module Keystore
+    # Heroku uses environment variables too.
+    class Heroku < Environment
+      # Returns [Hash] a new keystore configuration after generating the data key.
+      def self.generate_data_key(**args)
+        config            = super(**args)
+        config[:keystore] = :heroku
+        config
+      end
+
+      # Write the encrypted Encryption key to `encrypted_key` attribute.
+      def write(key)
+        encrypted_key = key_encrypting_key.encrypt(key)
+        puts "\n\n********************************************************************************"
+        puts "Add the environment key to Heroku:\n\n"
+        puts "  heroku config:add #{key_env_var}=#{encoder.encode(encrypted_key)}"
+        puts '********************************************************************************'
+      end
+    end
+  end
+end

data/lib/symmetric_encryption/keystore/memory.rb

@@ -5,14 +5,14 @@ module SymmetricEncryption
       attr_accessor :key_encrypting_key
       attr_reader :encrypted_key
 
-      # Returns [Hash] a new cipher, and writes its encrypted key file.
+      # Returns [Hash] a new keystore configuration after generating the data key.
       #
       # Increments the supplied version number by 1.
       #
       # Notes:
       # * For development and testing purposes only!!
       # * Never store the encrypted encryption key in the source code / config file.
-      def self.new_key_config(cipher_name:, app_name:, environment:, version: 0, dek: nil)
+      def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil)
         version >= 255 ? (version = 1) : (version += 1)
 
         kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
@@ -21,6 +21,7 @@ module SymmetricEncryption
         encrypted_key = new(key_encrypting_key: kek).write(dek.key)
 
         {
+          keystore:           :memory,
           cipher_name:        cipher_name,
           version:            version,
           encrypted_key:      encrypted_key,

data/lib/symmetric_encryption/railtie.rb

@@ -37,12 +37,12 @@ module SymmetricEncryption #:nodoc:
           rescue ArgumentError => exc
             puts "\nSymmetric Encryption not able to read keys."
             puts "#{exc.class.name} #{exc.message}"
-            puts "To generate a new config file and key files: symmetric-encryption --generate --key-path /etc/#{app_name} --app-name #{app_name}\n\n"
+            puts "To generate a new config file and key files: symmetric-encryption --generate --app-name #{app_name}\n\n"
             raise(exc)
           end
         else
           puts "\nSymmetric Encryption config not found."
-          puts "To generate a new config file and key files: symmetric-encryption --generate --key-path /etc/#{app_name} --app-name #{app_name}\n\n"
+          puts "To generate a new config file and key files: symmetric-encryption --generate --app-name #{app_name}\n\n"
         end
       end
     end

data/lib/symmetric_encryption/utils/aws.rb

@@ -0,0 +1,139 @@
+require 'base64'
+require 'aws-sdk-kms'
+module SymmetricEncryption
+  module Utils
+    # Wrap the AWS KMS client so that it automatically creates the Customer Master Key,
+    # if one does not already exist.
+    #
+    # Map OpenSSL cipher names to AWS KMS key specs.
+    class Aws
+      attr_reader :master_key_alias, :client
+
+      AWS_US_REGIONS = %w[us-east-1 us-east-2 us-west-1 us-west-2].freeze
+
+      # TODO: Map to OpenSSL ciphers
+      AWS_KEY_SPEC_MAP = {
+        'aes-256-cbc' => 'AES_256',
+        'aes-128-cbc' => 'AES_128'
+      }
+
+      # TODO: Move to Keystore::Aws
+      # Rotate the Customer Master key in each of the supplied regions.
+      # After the master key has been rotated, use `.write_key_files` to generate
+      # a new DEK and re-encrypt with the new CMK in each region.
+      # def self.rotate_master_key(master_key_alias:, cipher_name:, regions: AWS_US_REGIONS)
+      #   Array(regions).collect do |region|
+      #     key_manager = new(region: region, master_key_alias: master_key_alias, cipher_name: cipher_name)
+      #     key_id      = key_manager.create_master_key
+      #     key_manager.create_alias(key_id)
+      #   end
+      # end
+
+      def initialize(region:, master_key_alias:)
+        # Can region be read from environment?
+        # Region is required for filename / env var name
+        @client           = ::Aws::KMS::Client.new(region: region)
+        @master_key_alias = master_key_alias
+      end
+
+      # Returns a new DEK encrypted using the CMK
+      def generate_encrypted_data_key(cipher_name)
+        auto_create_master_key do
+          client.generate_data_key_without_plaintext(key_id: master_key_alias, key_spec: key_spec(cipher_name)).ciphertext_blob
+        end
+      end
+
+      # Returns a new DEK in the clear
+      def generate_data_key(cipher_name)
+        auto_create_master_key do
+          client.generate_data_key(key_id: master_key_alias, key_spec: key_spec(cipher_name)).plaintext
+        end
+      end
+
+      # Decrypt data previously encrypted using the cmk
+      def decrypt(encrypted_data)
+        auto_create_master_key do
+          client.decrypt(ciphertext_blob: encrypted_data).plaintext
+        end
+      end
+
+      # Decrypt data previously encrypted using the cmk
+      def encrypt(data)
+        auto_create_master_key do
+          client.encrypt(key_id: master_key_alias, plaintext: data).ciphertext_blob
+        end
+      end
+
+      # Returns the AWS KMS key spec that matches the supplied OpenSSL cipher name
+      def key_spec(cipher_name)
+        key_spec = AWS_KEY_SPEC_MAP[cipher_name]
+        raise("OpenSSL Cipher: #{cipher_name} has not yet been mapped to an AWS key spec.") unless key_spec
+        key_spec
+      end
+
+      # Creates a new master key along with an alias that points to it.
+      # Returns [String] the new master key id that was created.
+      def create_master_key
+        key_id = create_new_master_key
+        create_alias(key_id)
+        key_id
+      end
+
+      # Deletes the current master key and its alias.
+      #
+      # retention_days: Number of days to keep the CMK before completely destroying it.
+      #
+      # NOTE:
+      #   Use with caution, only intended for testing purposes !!!
+      def delete_master_key(retention_days: 30)
+        key_info = client.describe_key(key_id: master_key_alias)
+        ap key_info
+        resp = client.schedule_key_deletion(key_id: key_info.key_metadata.key_id, pending_window_in_days: retention_days)
+        ap client.delete_alias(alias_name: master_key_alias)
+        resp.deletion_date
+      rescue ::Aws::KMS::Errors::NotFoundException
+        nil
+      end
+
+      private
+
+      attr_reader :client
+
+      def whoami
+        @whoami ||= `whoami`.strip
+      rescue StandardError
+        @whoami = 'unknown'
+      end
+
+      # Creates a new Customer Master Key for Symmetric Encryption use.
+      def create_new_master_key
+        # TODO: Add error handling and retry
+
+        resp = client.create_key(
+          description: 'Symmetric Encryption for Ruby Customer Masker Key',
+          tags:        [
+                         {tag_key: 'CreatedAt', tag_value: Time.now.to_s},
+                         {tag_key: 'CreatedBy', tag_value: whoami}
+                       ]
+        )
+        resp.key_metadata.key_id
+      end
+
+      def create_alias(key_id)
+        # TODO: Add error handling and retry
+        # TODO: Move existing alias if any
+        client.create_alias(alias_name: master_key_alias, target_key_id: key_id)
+      end
+
+      def auto_create_master_key
+        attempt = 1
+        yield
+      rescue ::Aws::KMS::Errors::NotFoundException
+        raise if attempt >= 2
+        create_master_key
+        attempt += 1
+        retry
+      end
+    end
+  end
+end

data/lib/symmetric_encryption/utils/re_encrypt_files.rb

@@ -52,8 +52,16 @@ module SymmetricEncryption
       def re_encrypt_contents(file_name)
         return 0 if File.size(file_name) > 256 * 1024
 
+        lines              = File.read(file_name)
+        hits, output_lines = re_encrypt_lines(lines)
+
+        File.open(file_name, 'wb') { |file| file.write(output_lines) } if hits.positive?
+        hits
+      end
+
+      # Replaces instances of encrypted data within lines of text with re-encrypted values
+      def re_encrypt_lines(lines)
         hits         = 0
-        lines        = File.read(file_name)
         output_lines = ''
         r            = regexp
         lines.each_line do |line|
@@ -72,8 +80,7 @@ module SymmetricEncryption
               line
             end
         end
-        File.open(file_name, 'wb') { |file| file.write(output_lines) } if hits.positive?
-        hits
+        [hits, output_lines]
       end
 
       # Re Encrypt an entire file

data/lib/symmetric_encryption/version.rb

@@ -1,3 +1,3 @@
 module SymmetricEncryption
-  VERSION = '4.0.1'.freeze
+  VERSION = '4.1.0.beta1'.freeze
 end

data/test/key_test.rb

@@ -2,15 +2,6 @@ require_relative 'test_helper'
 
 class KeyTest < Minitest::Test
   describe SymmetricEncryption::Key do
-    before do
-      Dir.mkdir('tmp') unless Dir.exist?('tmp')
-    end
-
-    after do
-      # Cleanup generated encryption key files.
-      `rm tmp/dek_tester* 2> /dev/null`
-    end
-
     let :random_key do
       SymmetricEncryption::Key.new
     end
@@ -27,30 +18,6 @@ class KeyTest < Minitest::Test
       SymmetricEncryption::Key.new(key: stored_key, iv: stored_iv)
     end
 
-    let :stored_key2 do
-      'ABCDEF1234567890ABCDEF1234567890'
-    end
-
-    let :stored_iv2 do
-      '1234567890ABCDEF'
-    end
-
-    let :key2 do
-      SymmetricEncryption::Key.new(key: stored_key2, iv: stored_iv2)
-    end
-
-    let :stored_key3 do
-      'ABCDEF0123456789ABCDEF0123456789'
-    end
-
-    let :stored_iv3 do
-      '0123456789ABCDEF'
-    end
-
-    let :key3 do
-      SymmetricEncryption::Key.new(key: stored_key3, iv: stored_iv3)
-    end
-
     let :ssn do
       '987654321'
     end
@@ -110,129 +77,5 @@ class KeyTest < Minitest::Test
         assert_equal stored_iv, key.iv
       end
     end
-
-    describe '.from_config' do
-      let :config do
-        {key: stored_key, iv: stored_iv}
-      end
-
-      let :config_key do
-        SymmetricEncryption::Key.from_config(config)
-      end
-
-      let :dek_file_name do
-        'tmp/dek_tester_dek.encrypted_key'
-      end
-
-      describe 'key' do
-        it 'key' do
-          assert_equal stored_key, config_key.key
-        end
-
-        it 'iv' do
-          assert_equal stored_iv, config_key.iv
-        end
-
-        it 'cipher_name' do
-          assert_equal 'aes-256-cbc', config_key.cipher_name
-        end
-      end
-
-      describe 'encrypted_key' do
-        let :config do
-          {encrypted_key: key2.encrypt(stored_key), iv: stored_iv, key_encrypting_key: {key: stored_key2, iv: stored_iv2}}
-        end
-
-        it 'key' do
-          assert_equal stored_key, config_key.key
-        end
-
-        it 'iv' do
-          assert_equal stored_iv, config_key.iv
-        end
-
-        it 'cipher_name' do
-          assert_equal 'aes-256-cbc', config_key.cipher_name
-        end
-      end
-
-      describe 'key_filename' do
-        let :config do
-          File.open(dek_file_name, 'wb') { |f| f.write(key2.encrypt(stored_key)) }
-          {key_filename: dek_file_name, iv: stored_iv, key_encrypting_key: {key: stored_key2, iv: stored_iv2}}
-        end
-
-        it 'key' do
-          assert_equal stored_key, config_key.key
-        end
-
-        it 'iv' do
-          assert_equal stored_iv, config_key.iv
-        end
-
-        it 'cipher_name' do
-          assert_equal 'aes-256-cbc', config_key.cipher_name
-        end
-      end
-
-      describe 'key_env_var' do
-        let :env_var do
-          'TEST_KEY'
-        end
-
-        let :config do
-          ENV[env_var] = ::Base64.encode64(key2.encrypt(stored_key))
-          {key_env_var: env_var, iv: stored_iv, key_encrypting_key: {key: stored_key2, iv: stored_iv2}}
-        end
-
-        it 'key' do
-          assert_equal stored_key, config_key.key
-        end
-
-        it 'iv' do
-          assert_equal stored_iv, config_key.iv
-        end
-
-        it 'cipher_name' do
-          assert_equal 'aes-256-cbc', config_key.cipher_name
-        end
-      end
-
-      describe 'file store with kekek' do
-        let :kekek_file_name do
-          'tmp/tester_kekek.key'
-        end
-
-        let :config do
-          File.open(dek_file_name, 'wb') { |f| f.write(key2.encrypt(stored_key)) }
-          encrypted_key = key3.encrypt(stored_key2)
-          File.open(kekek_file_name, 'wb') { |f| f.write(stored_key3) }
-          {
-            key_filename:       dek_file_name,
-            iv:                 stored_iv,
-            key_encrypting_key: {
-              encrypted_key:      encrypted_key,
-              iv:                 stored_iv2,
-              key_encrypting_key: {
-                key_filename: kekek_file_name,
-                iv:           stored_iv3
-              }
-            }
-          }
-        end
-
-        it 'key' do
-          assert_equal stored_key, config_key.key
-        end
-
-        it 'iv' do
-          assert_equal stored_iv, config_key.iv
-        end
-
-        it 'cipher_name' do
-          assert_equal 'aes-256-cbc', config_key.cipher_name
-        end
-      end
-    end
   end
 end