RubyGems - symmetric-encryption - Versions diffs - 4.0.1 → 4.1.0.beta1 - Mend

symmetric-encryption 4.0.1 → 4.1.0.beta1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

checksums.yaml +4 -4
data/README.md +0 -7
data/lib/symmetric_encryption.rb +1 -1
data/lib/symmetric_encryption/cipher.rb +2 -2
data/lib/symmetric_encryption/cli.rb +27 -23
data/lib/symmetric_encryption/key.rb +0 -62
data/lib/symmetric_encryption/keystore.rb +143 -27
data/lib/symmetric_encryption/keystore/aws.rb +172 -0
data/lib/symmetric_encryption/keystore/environment.rb +5 -29
data/lib/symmetric_encryption/keystore/file.rb +7 -29
data/lib/symmetric_encryption/keystore/heroku.rb +22 -0
data/lib/symmetric_encryption/keystore/memory.rb +3 -2
data/lib/symmetric_encryption/railtie.rb +2 -2
data/lib/symmetric_encryption/utils/aws.rb +139 -0
data/lib/symmetric_encryption/utils/re_encrypt_files.rb +10 -3
data/lib/symmetric_encryption/version.rb +1 -1
data/test/key_test.rb +0 -157
data/test/keystore/aws_test.rb +133 -0
data/test/keystore/environment_test.rb +3 -51
data/test/keystore/file_test.rb +13 -52
data/test/keystore/heroku_test.rb +70 -0
data/test/keystore_test.rb +199 -3
data/test/test_db.sqlite3 +0 -0
data/test/test_helper.rb +1 -0
data/test/utils/aws_test.rb +75 -0
metadata +13 -4

data/lib/symmetric_encryption/keystore/environment.rb CHANGED

@@ -4,32 +4,10 @@ module SymmetricEncryption
     class Environment < Memory
       attr_accessor :key_env_var, :encoding
-      # Returns [Hash] initial configuration for heroku.
-      # Displays the keys that need to be added to the heroku environment.
-      def self.new_config(app_name: 'symmetric-encryption',
-                          environments: %i[development test release production],
-                          cipher_name: 'aes-256-cbc')
-        configs = {}
-        environments.each do |environment|
-          environment          = environment.to_sym
-          configs[environment] =
-            if %i[development test].include?(environment)
-              Keystore.dev_config
-            else
-              cfg = new_key_config(cipher_name: cipher_name, app_name: app_name, environment: environment)
-              {
-                ciphers: [cfg]
-              }
-            end
-        end
-        configs
-      end
-      # Returns [Hash] a new cipher, and writes its encrypted key file.
+      # Returns [Hash] a new keystore configuration after generating the data key.
       #
       # Increments the supplied version number by 1.
-      def self.new_key_config(cipher_name:, app_name:, environment:, version: 0, dek: nil)
+      def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil)
         version >= 255 ? (version = 1) : (version += 1)
         kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
@@ -39,6 +17,7 @@ module SymmetricEncryption
         new(key_env_var: key_env_var, key_encrypting_key: kek).write(dek.key)
         {
+          keystore:           :environment,
           cipher_name:        dek.cipher_name,
           version:            version,
           key_env_var:        key_env_var,
@@ -70,11 +49,8 @@ module SymmetricEncryption
       def write(key)
         encrypted_key = key_encrypting_key.encrypt(key)
         puts "\n\n********************************************************************************"
-        puts "Add the environment key to Heroku:\n\n"
-        puts "  heroku config:add #{key_env_var}=#{encoder.encode(encrypted_key)}"
-        puts
-        puts "Or, if using environment variables on another system set the environment variable as follows:\n\n"
-        puts "  export #{key_env_var}=\"#{encoder.encode(encrypted_key)}\"\n\n"
+        puts "Set the environment variable as follows:"
+        puts "  export #{key_env_var}=\"#{encoder.encode(encrypted_key)}\""
         puts '********************************************************************************'
       end

data/lib/symmetric_encryption/keystore/file.rb CHANGED

@@ -3,33 +3,10 @@ module SymmetricEncryption
     class File
       attr_accessor :file_name, :key_encrypting_key
-      # Returns [Hash] initial configuration.
-      # Generates the encrypted key file for every environment except development and test.
-      def self.new_config(key_path: '/etc/symmetric-encryption',
-                          app_name: 'symmetric-encryption',
-                          environments: %i[development test release production],
-                          cipher_name: 'aes-256-cbc')
-        configs = {}
-        environments.each do |environment|
-          environment          = environment.to_sym
-          configs[environment] =
-            if %i[development test].include?(environment)
-              Keystore.dev_config
-            else
-              cfg = new_key_config(key_path: key_path, cipher_name: cipher_name, app_name: app_name, environment: environment)
-              {
-                ciphers: [cfg]
-              }
-            end
-        end
-        configs
-      end
-      # Returns [Hash] a new cipher, and writes its encrypted key file.
+      # Returns [Hash] a new keystore configuration after generating the data key.
       #
       # Increments the supplied version number by 1.
-      def self.new_key_config(key_path:, cipher_name:, app_name:, environment:, version: 0, dek: nil)
+      def self.generate_data_key(key_path:, cipher_name:, app_name:, environment:, version: 0, dek: nil)
         version >= 255 ? (version = 1) : (version += 1)
         dek   ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
@@ -37,12 +14,13 @@ module SymmetricEncryption
         kekek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
         dek_file_name = ::File.join(key_path, "#{app_name}_#{environment}_v#{version}.encrypted_key")
-        new(file_name: dek_file_name, key_encrypting_key: kek).write(dek.key)
+        new(key_filename: dek_file_name, key_encrypting_key: kek).write(dek.key)
         kekek_file_name = ::File.join(key_path, "#{app_name}_#{environment}_v#{version}.kekek")
-        new(file_name: kekek_file_name).write(kekek.key)
+        new(key_filename: kekek_file_name).write(kekek.key)
         {
+          keystore:           :file,
           cipher_name:        dek.cipher_name,
           version:            version,
           key_filename:       dek_file_name,
@@ -60,8 +38,8 @@ module SymmetricEncryption
       # Stores the Encryption key in a file.
       # Secures the Encryption key by encrypting it with a key encryption key.
-      def initialize(file_name:, key_encrypting_key: nil)
-        @file_name          = file_name
+      def initialize(key_filename:, key_encrypting_key: nil)
+        @file_name          = key_filename
         @key_encrypting_key = key_encrypting_key
       end

data/lib/symmetric_encryption/keystore/heroku.rb ADDED

@@ -0,0 +1,22 @@
+module SymmetricEncryption
+  module Keystore
+    # Heroku uses environment variables too.
+    class Heroku < Environment
+      # Returns [Hash] a new keystore configuration after generating the data key.
+      def self.generate_data_key(**args)
+        config            = super(**args)
+        config[:keystore] = :heroku
+        config
+      end
+      # Write the encrypted Encryption key to `encrypted_key` attribute.
+      def write(key)
+        encrypted_key = key_encrypting_key.encrypt(key)
+        puts "\n\n********************************************************************************"
+        puts "Add the environment key to Heroku:\n\n"
+        puts "  heroku config:add #{key_env_var}=#{encoder.encode(encrypted_key)}"
+        puts '********************************************************************************'
+      end
+    end
+  end
+end

data/lib/symmetric_encryption/keystore/memory.rb CHANGED

@@ -5,14 +5,14 @@ module SymmetricEncryption
       attr_accessor :key_encrypting_key
       attr_reader :encrypted_key
-      # Returns [Hash] a new cipher, and writes its encrypted key file.
+      # Returns [Hash] a new keystore configuration after generating the data key.
       #
       # Increments the supplied version number by 1.
       #
       # Notes:
       # * For development and testing purposes only!!
       # * Never store the encrypted encryption key in the source code / config file.
-      def self.new_key_config(cipher_name:, app_name:, environment:, version: 0, dek: nil)
+      def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil)
         version >= 255 ? (version = 1) : (version += 1)
         kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
@@ -21,6 +21,7 @@ module SymmetricEncryption
         encrypted_key = new(key_encrypting_key: kek).write(dek.key)
         {
+          keystore:           :memory,
           cipher_name:        cipher_name,
           version:            version,
           encrypted_key:      encrypted_key,

data/lib/symmetric_encryption/railtie.rb CHANGED

@@ -37,12 +37,12 @@ module SymmetricEncryption #:nodoc:
           rescue ArgumentError => exc
             puts "\nSymmetric Encryption not able to read keys."
             puts "#{exc.class.name} #{exc.message}"
-            puts "To generate a new config file and key files: symmetric-encryption --generate --key-path /etc/#{app_name} --app-name #{app_name}\n\n"
+            puts "To generate a new config file and key files: symmetric-encryption --generate --app-name #{app_name}\n\n"
             raise(exc)
           end
         else
           puts "\nSymmetric Encryption config not found."
-          puts "To generate a new config file and key files: symmetric-encryption --generate --key-path /etc/#{app_name} --app-name #{app_name}\n\n"
+          puts "To generate a new config file and key files: symmetric-encryption --generate --app-name #{app_name}\n\n"
         end
       end
     end

data/lib/symmetric_encryption/utils/aws.rb ADDED

@@ -0,0 +1,139 @@
+require 'base64'
+require 'aws-sdk-kms'
+module SymmetricEncryption
+  module Utils
+    # Wrap the AWS KMS client so that it automatically creates the Customer Master Key,
+    # if one does not already exist.
+    #
+    # Map OpenSSL cipher names to AWS KMS key specs.
+    class Aws
+      attr_reader :master_key_alias, :client
+      AWS_US_REGIONS = %w[us-east-1 us-east-2 us-west-1 us-west-2].freeze
+      # TODO: Map to OpenSSL ciphers
+      AWS_KEY_SPEC_MAP = {
+        'aes-256-cbc' => 'AES_256',
+        'aes-128-cbc' => 'AES_128'
+      }
+      # TODO: Move to Keystore::Aws
+      # Rotate the Customer Master key in each of the supplied regions.
+      # After the master key has been rotated, use `.write_key_files` to generate
+      # a new DEK and re-encrypt with the new CMK in each region.
+      # def self.rotate_master_key(master_key_alias:, cipher_name:, regions: AWS_US_REGIONS)
+      #   Array(regions).collect do |region|
+      #     key_manager = new(region: region, master_key_alias: master_key_alias, cipher_name: cipher_name)
+      #     key_id      = key_manager.create_master_key
+      #     key_manager.create_alias(key_id)
+      #   end
+      # end
+      def initialize(region:, master_key_alias:)
+        # Can region be read from environment?
+        # Region is required for filename / env var name
+        @client           = ::Aws::KMS::Client.new(region: region)
+        @master_key_alias = master_key_alias
+      end
+      # Returns a new DEK encrypted using the CMK
+      def generate_encrypted_data_key(cipher_name)
+        auto_create_master_key do
+          client.generate_data_key_without_plaintext(key_id: master_key_alias, key_spec: key_spec(cipher_name)).ciphertext_blob
+        end
+      end
+      # Returns a new DEK in the clear
+      def generate_data_key(cipher_name)
+        auto_create_master_key do
+          client.generate_data_key(key_id: master_key_alias, key_spec: key_spec(cipher_name)).plaintext
+        end
+      end
+      # Decrypt data previously encrypted using the cmk
+      def decrypt(encrypted_data)
+        auto_create_master_key do
+          client.decrypt(ciphertext_blob: encrypted_data).plaintext
+        end
+      end
+      # Decrypt data previously encrypted using the cmk
+      def encrypt(data)
+        auto_create_master_key do
+          client.encrypt(key_id: master_key_alias, plaintext: data).ciphertext_blob
+        end
+      end
+      # Returns the AWS KMS key spec that matches the supplied OpenSSL cipher name
+      def key_spec(cipher_name)
+        key_spec = AWS_KEY_SPEC_MAP[cipher_name]
+        raise("OpenSSL Cipher: #{cipher_name} has not yet been mapped to an AWS key spec.") unless key_spec
+        key_spec
+      end
+      # Creates a new master key along with an alias that points to it.
+      # Returns [String] the new master key id that was created.
+      def create_master_key
+        key_id = create_new_master_key
+        create_alias(key_id)
+        key_id
+      end
+      # Deletes the current master key and its alias.
+      #
+      # retention_days: Number of days to keep the CMK before completely destroying it.
+      #
+      # NOTE:
+      #   Use with caution, only intended for testing purposes !!!
+      def delete_master_key(retention_days: 30)
+        key_info = client.describe_key(key_id: master_key_alias)
+        ap key_info
+        resp = client.schedule_key_deletion(key_id: key_info.key_metadata.key_id, pending_window_in_days: retention_days)
+        ap client.delete_alias(alias_name: master_key_alias)
+        resp.deletion_date
+      rescue ::Aws::KMS::Errors::NotFoundException
+        nil
+      end
+      private
+      attr_reader :client
+      def whoami
+        @whoami ||= `whoami`.strip
+      rescue StandardError
+        @whoami = 'unknown'
+      end
+      # Creates a new Customer Master Key for Symmetric Encryption use.
+      def create_new_master_key
+        # TODO: Add error handling and retry
+        resp = client.create_key(
+          description: 'Symmetric Encryption for Ruby Customer Masker Key',
+          tags:        [
+                         {tag_key: 'CreatedAt', tag_value: Time.now.to_s},
+                         {tag_key: 'CreatedBy', tag_value: whoami}
+                       ]
+        )
+        resp.key_metadata.key_id
+      end
+      def create_alias(key_id)
+        # TODO: Add error handling and retry
+        # TODO: Move existing alias if any
+        client.create_alias(alias_name: master_key_alias, target_key_id: key_id)
+      end
+      def auto_create_master_key
+        attempt = 1
+        yield
+      rescue ::Aws::KMS::Errors::NotFoundException
+        raise if attempt >= 2
+        create_master_key
+        attempt += 1
+        retry
+      end
+    end
+  end
+end

data/lib/symmetric_encryption/utils/re_encrypt_files.rb CHANGED

@@ -52,8 +52,16 @@ module SymmetricEncryption
       def re_encrypt_contents(file_name)
         return 0 if File.size(file_name) > 256 * 1024
+        lines              = File.read(file_name)
+        hits, output_lines = re_encrypt_lines(lines)
+        File.open(file_name, 'wb') { |file| file.write(output_lines) } if hits.positive?
+        hits
+      end
+      # Replaces instances of encrypted data within lines of text with re-encrypted values
+      def re_encrypt_lines(lines)
         hits         = 0
-        lines        = File.read(file_name)
         output_lines = ''
         r            = regexp
         lines.each_line do |line|
@@ -72,8 +80,7 @@ module SymmetricEncryption
               line
             end
         end
-        File.open(file_name, 'wb') { |file| file.write(output_lines) } if hits.positive?
-        hits
+        [hits, output_lines]
       end
       # Re Encrypt an entire file

data/lib/symmetric_encryption/version.rb CHANGED

@@ -1,3 +1,3 @@
 module SymmetricEncryption
-  VERSION = '4.0.1'.freeze
+  VERSION = '4.1.0.beta1'.freeze
 end

data/test/key_test.rb CHANGED

@@ -2,15 +2,6 @@ require_relative 'test_helper'
 class KeyTest < Minitest::Test
   describe SymmetricEncryption::Key do
-    before do
-      Dir.mkdir('tmp') unless Dir.exist?('tmp')
-    end
-    after do
-      # Cleanup generated encryption key files.
-      `rm tmp/dek_tester* 2> /dev/null`
-    end
     let :random_key do
       SymmetricEncryption::Key.new
     end
@@ -27,30 +18,6 @@ class KeyTest < Minitest::Test
       SymmetricEncryption::Key.new(key: stored_key, iv: stored_iv)
     end
-    let :stored_key2 do
-      'ABCDEF1234567890ABCDEF1234567890'
-    end
-    let :stored_iv2 do
-      '1234567890ABCDEF'
-    end
-    let :key2 do
-      SymmetricEncryption::Key.new(key: stored_key2, iv: stored_iv2)
-    end
-    let :stored_key3 do
-      'ABCDEF0123456789ABCDEF0123456789'
-    end
-    let :stored_iv3 do
-      '0123456789ABCDEF'
-    end
-    let :key3 do
-      SymmetricEncryption::Key.new(key: stored_key3, iv: stored_iv3)
-    end
     let :ssn do
       '987654321'
     end
@@ -110,129 +77,5 @@ class KeyTest < Minitest::Test
         assert_equal stored_iv, key.iv
       end
     end
-    describe '.from_config' do
-      let :config do
-        {key: stored_key, iv: stored_iv}
-      end
-      let :config_key do
-        SymmetricEncryption::Key.from_config(config)
-      end
-      let :dek_file_name do
-        'tmp/dek_tester_dek.encrypted_key'
-      end
-      describe 'key' do
-        it 'key' do
-          assert_equal stored_key, config_key.key
-        end
-        it 'iv' do
-          assert_equal stored_iv, config_key.iv
-        end
-        it 'cipher_name' do
-          assert_equal 'aes-256-cbc', config_key.cipher_name
-        end
-      end
-      describe 'encrypted_key' do
-        let :config do
-          {encrypted_key: key2.encrypt(stored_key), iv: stored_iv, key_encrypting_key: {key: stored_key2, iv: stored_iv2}}
-        end
-        it 'key' do
-          assert_equal stored_key, config_key.key
-        end
-        it 'iv' do
-          assert_equal stored_iv, config_key.iv
-        end
-        it 'cipher_name' do
-          assert_equal 'aes-256-cbc', config_key.cipher_name
-        end
-      end
-      describe 'key_filename' do
-        let :config do
-          File.open(dek_file_name, 'wb') { |f| f.write(key2.encrypt(stored_key)) }
-          {key_filename: dek_file_name, iv: stored_iv, key_encrypting_key: {key: stored_key2, iv: stored_iv2}}
-        end
-        it 'key' do
-          assert_equal stored_key, config_key.key
-        end
-        it 'iv' do
-          assert_equal stored_iv, config_key.iv
-        end
-        it 'cipher_name' do
-          assert_equal 'aes-256-cbc', config_key.cipher_name
-        end
-      end
-      describe 'key_env_var' do
-        let :env_var do
-          'TEST_KEY'
-        end
-        let :config do
-          ENV[env_var] = ::Base64.encode64(key2.encrypt(stored_key))
-          {key_env_var: env_var, iv: stored_iv, key_encrypting_key: {key: stored_key2, iv: stored_iv2}}
-        end
-        it 'key' do
-          assert_equal stored_key, config_key.key
-        end
-        it 'iv' do
-          assert_equal stored_iv, config_key.iv
-        end
-        it 'cipher_name' do
-          assert_equal 'aes-256-cbc', config_key.cipher_name
-        end
-      end
-      describe 'file store with kekek' do
-        let :kekek_file_name do
-          'tmp/tester_kekek.key'
-        end
-        let :config do
-          File.open(dek_file_name, 'wb') { |f| f.write(key2.encrypt(stored_key)) }
-          encrypted_key = key3.encrypt(stored_key2)
-          File.open(kekek_file_name, 'wb') { |f| f.write(stored_key3) }
-          {
-            key_filename:       dek_file_name,
-            iv:                 stored_iv,
-            key_encrypting_key: {
-              encrypted_key:      encrypted_key,
-              iv:                 stored_iv2,
-              key_encrypting_key: {
-                key_filename: kekek_file_name,
-                iv:           stored_iv3
-              }
-            }
-          }
-        end
-        it 'key' do
-          assert_equal stored_key, config_key.key
-        end
-        it 'iv' do
-          assert_equal stored_iv, config_key.iv
-        end
-        it 'cipher_name' do
-          assert_equal 'aes-256-cbc', config_key.cipher_name
-        end
-      end
-    end
   end
 end