symmetric-encryption 4.0.1 → 4.1.0.beta1

data/test/keystore/aws_test.rb

@@ -0,0 +1,133 @@
+require_relative '../test_helper'
+require 'stringio'
+
+module SymmetricEncryption
+  module Keystore
+    class AwsTest < Minitest::Test
+      describe SymmetricEncryption::Keystore::File do
+        before do
+          unless (ENV['AWS_ACCESS_KEY_ID'] && ENV['AWS_SECRET_ACCESS_KEY']) || ENV['AWS_CONFIG_FILE']
+            # For example: export AWS_CONFIG_FILE=~/.aws/credentials
+            skip 'Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, or AWS_CONFIG_FILE to run AWS KMS tests'
+          end
+        end
+
+        let :the_test_path do
+          path = "tmp/keystore/aws_test"
+          FileUtils.makedirs(path) unless ::File.exist?(path)
+          path
+        end
+
+        after do
+          # Cleanup generated encryption key files.
+          `rm #{the_test_path}/* 2> /dev/null`
+        end
+
+        let :regions do
+          %w[us-east-1 us-east-2]
+        end
+
+        let :version do
+          10
+        end
+
+        let :key_config do
+          SymmetricEncryption::Keystore::Aws.generate_data_key(
+            regions:     regions,
+            key_path:    the_test_path,
+            cipher_name: 'aes-256-cbc',
+            app_name:    'tester',
+            environment: 'test',
+            version:     version
+          )
+        end
+
+        let :master_key_alias do
+          'alias/symmetric-encryption/test'
+        end
+
+        describe '.generate_data_key' do
+          it 'increments the version' do
+            assert_equal 11, key_config[:version]
+          end
+
+          describe 'with 255 version' do
+            let :version do
+              255
+            end
+
+            it 'handles version wrap' do
+              assert_equal 1, key_config[:version]
+            end
+          end
+
+          describe 'with 0 version' do
+            let :version do
+              0
+            end
+
+            it 'increments version' do
+              assert_equal 1, key_config[:version]
+            end
+          end
+
+          it 'creates encrypted key file for every region' do
+            assert key_files = key_config[:key_files]
+            common_data_key          = nil
+            first_encrypted_data_key = nil
+
+            master_key_alias = "alias/symmetric-encryption/tester/test"
+
+            key_files.each do |key_file|
+              assert region = key_file[:region]
+              assert file_name = key_file[:file_name]
+              expected_file_name = "#{the_test_path}/tester_test_#{region}_v11.encrypted_key"
+
+              assert_equal expected_file_name, file_name
+              assert ::File.exist?(file_name)
+
+              assert encoded_data_key = ::File.read(file_name)
+              encrypted_data_key = Base64.strict_decode64(encoded_data_key)
+
+              aws = SymmetricEncryption::Utils::Aws.new(region: region, master_key_alias: master_key_alias)
+              assert data_key = aws.decrypt(encrypted_data_key)
+
+              # Verify that the dek is the same in every region, but encrypted with the CMK for that region.
+              if common_data_key
+                refute_equal encrypted_data_key, first_encrypted_data_key, 'Must be encrypted with region specific CMK'
+                assert_equal common_data_key, data_key, 'All regions must have the same data key'
+              else
+                first_encrypted_data_key = encrypted_data_key
+                common_data_key          = data_key
+              end
+            end
+          end
+
+          it 'retains cipher_name' do
+            assert_equal 'aes-256-cbc', key_config[:cipher_name]
+          end
+
+          it 'is readable by Keystore.read_key' do
+            ENV['AWS_REGION'] = 'us-east-1'
+            assert SymmetricEncryption::Keystore.read_key(key_config)
+          end
+        end
+
+        describe '#write, #read' do
+          let :keystore do
+            SymmetricEncryption::Keystore::Aws.new(
+              region:           'us-east-1',
+              master_key_alias: master_key_alias,
+              key_files:        [{region: 'us-east-1', file_name: "#{the_test_path}/file_1"}]
+            )
+          end
+
+          it 'stores the key' do
+            keystore.write('TEST')
+            assert_equal 'TEST', keystore.read
+          end
+        end
+      end
+    end
+  end
+end

data/test/keystore/environment_test.rb

@@ -2,20 +2,15 @@ require_relative '../test_helper'
 require 'stringio'
 
 module SymmetricEncryption
-  class FileTest < Minitest::Test
+  class EnvironmentTest < Minitest::Test
     describe SymmetricEncryption::Keystore::Environment do
-      after do
-        # Cleanup generated encryption key files.
-        `rm tmp/tester* 2> /dev/null`
-      end
-
-      describe '.new_key_config' do
+      describe '.generate_data_key' do
         let :version do
           10
         end
 
         let :keystore_config do
-          SymmetricEncryption::Keystore::Environment.new_key_config(
+          SymmetricEncryption::Keystore::Environment.generate_data_key(
             cipher_name: 'aes-256-cbc',
             app_name:    'tester',
             environment: 'test',
@@ -56,49 +51,6 @@ module SymmetricEncryption
         end
       end
 
-      describe '.new_config' do
-        let :environments do
-          %i[development test acceptance preprod production]
-        end
-
-        let :config do
-          SymmetricEncryption::Keystore::Environment.new_config(
-            app_name:     'tester',
-            environments: environments,
-            cipher_name:  'aes-128-cbc'
-          )
-        end
-
-        it 'creates keys for each environment' do
-          assert_equal environments, config.keys, config
-        end
-
-        it 'use test config for development and test' do
-          assert_equal SymmetricEncryption::Keystore.dev_config, config[:test]
-          assert_equal SymmetricEncryption::Keystore.dev_config, config[:development]
-        end
-
-        it 'each non test environment has a key encryption key' do
-          (environments - %i[development test]).each do |env|
-            assert config[env][:ciphers].first[:key_encrypting_key], "Environment #{env} is missing the key encryption key"
-          end
-        end
-
-        it 'every environment has ciphers' do
-          environments.each do |env|
-            assert ciphers = config[env][:ciphers], "Environment #{env} is missing ciphers: #{config[env].inspect}"
-            assert_equal 1, ciphers.size
-          end
-        end
-
-        it 'creates an encrypted key file for all non-test environments' do
-          (environments - %i[development test]).each do |env|
-            assert ciphers = config[env][:ciphers], "Environment #{env} is missing ciphers: #{config[env].inspect}"
-            assert ciphers.first[:key_env_var], "Environment #{env} is missing key_env_var: #{ciphers.inspect}"
-          end
-        end
-      end
-
       describe '#read' do
         let :key do
           SymmetricEncryption::Key.new

data/test/keystore/file_test.rb

@@ -4,19 +4,25 @@ require 'stringio'
 module SymmetricEncryption
   class FileTest < Minitest::Test
     describe SymmetricEncryption::Keystore::File do
+      let :the_test_path do
+        path = "tmp/keystore/file_test"
+        FileUtils.makedirs(path) unless ::File.exist?(path)
+        path
+      end
+
       after do
         # Cleanup generated encryption key files.
-        `rm tmp/tester* 2> /dev/null`
+        `rm #{the_test_path}/* 2> /dev/null`
       end
 
-      describe '.new_key_config' do
+      describe '.generate_data_key' do
         let :version do
           10
         end
 
         let :key_config do
-          SymmetricEncryption::Keystore::File.new_key_config(
-            key_path:    'tmp',
+          SymmetricEncryption::Keystore::File.generate_data_key(
+            key_path:    the_test_path,
             cipher_name: 'aes-256-cbc',
             app_name:    'tester',
             environment: 'test',
@@ -49,7 +55,7 @@ module SymmetricEncryption
         end
 
         it 'creates the encrypted key file' do
-          file_name = 'tmp/tester_test_v11.encrypted_key'
+          file_name = "#{the_test_path}/tester_test_v11.encrypted_key"
           assert_equal file_name, key_config[:key_filename]
           assert File.exist?(file_name)
         end
@@ -60,58 +66,13 @@ module SymmetricEncryption
 
         it 'is readable by Key.from_config' do
           key_config.delete(:version)
-          assert SymmetricEncryption::Key.from_config(key_config)
-        end
-      end
-
-      describe '.new_config' do
-        let :environments do
-          %i[development test acceptance preprod production]
-        end
-
-        let :config do
-          SymmetricEncryption::Keystore::File.new_config(
-            key_path:     'tmp',
-            app_name:     'tester',
-            environments: environments,
-            cipher_name:  'aes-128-cbc'
-          )
-        end
-
-        it 'creates keys for each environment' do
-          assert_equal environments, config.keys, config
-        end
-
-        it 'use test config for development and test' do
-          assert_equal SymmetricEncryption::Keystore.dev_config, config[:test]
-          assert_equal SymmetricEncryption::Keystore.dev_config, config[:development]
-        end
-
-        it 'each non test environment has a key encryption key' do
-          (environments - %i[development test]).each do |env|
-            assert config[env][:ciphers].first[:key_encrypting_key], "Environment #{env} is missing the key encryption key"
-          end
-        end
-
-        it 'every environment has ciphers' do
-          environments.each do |env|
-            assert ciphers = config[env][:ciphers], "Environment #{env} is missing ciphers: #{config[env].inspect}"
-            assert_equal 1, ciphers.size
-          end
-        end
-
-        it 'creates an encrypted key file for all non-test environments' do
-          (environments - %i[development test]).each do |env|
-            assert ciphers = config[env][:ciphers], "Environment #{env} is missing ciphers: #{config[env].inspect}"
-            assert file_name = ciphers.first[:key_filename], "Environment #{env} is missing key_filename: #{ciphers.inspect}"
-            assert File.exist?(file_name)
-          end
+          assert SymmetricEncryption::Keystore.read_key(key_config)
         end
       end
 
       describe '#write, #read' do
         let :keystore do
-          SymmetricEncryption::Keystore::File.new(file_name: 'tmp/tester.key', key_encrypting_key: SymmetricEncryption::Key.new)
+          SymmetricEncryption::Keystore::File.new(key_filename: "#{the_test_path}/tester.key", key_encrypting_key: SymmetricEncryption::Key.new)
         end
 
         it 'stores the key' do

data/test/keystore/heroku_test.rb

@@ -0,0 +1,70 @@
+require_relative '../test_helper'
+require 'stringio'
+
+module SymmetricEncryption
+  class HerokuTest < Minitest::Test
+    describe SymmetricEncryption::Keystore::Heroku do
+      describe '.generate_data_key' do
+        let :version do
+          10
+        end
+
+        let :keystore_config do
+          SymmetricEncryption::Keystore::Heroku.generate_data_key(
+            cipher_name: 'aes-256-cbc',
+            app_name:    'tester',
+            environment: 'test',
+            version:     version
+          )
+        end
+
+        it 'increments the version' do
+          assert_equal 11, keystore_config[:version]
+        end
+
+        describe 'with 255 version' do
+          let :version do
+            255
+          end
+
+          it 'handles version wrap' do
+            assert_equal 1, keystore_config[:version]
+          end
+        end
+
+        describe 'with 0 version' do
+          let :version do
+            0
+          end
+
+          it 'increments version' do
+            assert_equal 1, keystore_config[:version]
+          end
+        end
+
+        it 'retains the env var name' do
+          assert_equal 'TESTER_TEST_V11', keystore_config[:key_env_var]
+        end
+
+        it 'retains cipher_name' do
+          assert_equal 'aes-256-cbc', keystore_config[:cipher_name]
+        end
+      end
+
+      describe '#read' do
+        let :key do
+          SymmetricEncryption::Key.new
+        end
+
+        let :keystore do
+          SymmetricEncryption::Keystore::Heroku.new(key_env_var: 'TESTER_ENV_VAR', key_encrypting_key: key)
+        end
+
+        it 'reads the key' do
+          ENV['TESTER_ENV_VAR'] = Base64.strict_encode64(key.encrypt('TEST'))
+          assert_equal 'TEST', keystore.read
+        end
+      end
+    end
+  end
+end

data/test/keystore_test.rb

@@ -7,9 +7,80 @@ module SymmetricEncryption
         SymmetricEncryption::Keystore::File.new(file_name: 'tmp/tester.key', key_encrypting_key: SymmetricEncryption::Key.new)
       end
 
+      let :the_test_path do
+        path = "tmp/keystore_test"
+        FileUtils.makedirs(path) unless ::File.exist?(path)
+        path
+      end
+
       after do
         # Cleanup generated encryption key files.
-        `rm tmp/tester* 2>/dev/null`
+        `rm #{the_test_path}/* 2> /dev/null`
+      end
+
+      let :random_key do
+        SymmetricEncryption::Key.new
+      end
+
+      let :stored_key do
+        '1234567890ABCDEF1234567890ABCDEF'
+      end
+
+      let :stored_iv do
+        'ABCDEF1234567890'
+      end
+
+      let :key do
+        SymmetricEncryption::Key.new(key: stored_key, iv: stored_iv)
+      end
+
+      let :stored_key2 do
+        'ABCDEF1234567890ABCDEF1234567890'
+      end
+
+      let :stored_iv2 do
+        '1234567890ABCDEF'
+      end
+
+      let :key2 do
+        SymmetricEncryption::Key.new(key: stored_key2, iv: stored_iv2)
+      end
+
+      let :stored_key3 do
+        'ABCDEF0123456789ABCDEF0123456789'
+      end
+
+      let :stored_iv3 do
+        '0123456789ABCDEF'
+      end
+
+      let :key3 do
+        SymmetricEncryption::Key.new(key: stored_key3, iv: stored_iv3)
+      end
+
+      describe '.generate_data_keys' do
+        let :environments do
+          %i[development test acceptance preprod production]
+        end
+
+        let :config do
+          SymmetricEncryption::Keystore.generate_data_keys(
+            keystore:     :file,
+            key_path:     the_test_path,
+            app_name:     'tester',
+            environments: environments,
+            cipher_name:  'aes-128-cbc'
+          )
+        end
+
+        it 'creates keys for each environment' do
+          assert_equal environments, config.keys, config
+        end
+
+        it 'use test config for development and test' do
+          assert_equal SymmetricEncryption::Keystore.dev_config, config[:test]
+          assert_equal SymmetricEncryption::Keystore.dev_config, config[:development]
+        end
       end
 
       describe '.rotate_keys' do
@@ -18,8 +89,9 @@ module SymmetricEncryption
         end
 
         let :config do
-          SymmetricEncryption::Keystore::File.new_config(
-            key_path:     'tmp',
+          SymmetricEncryption::Keystore.generate_data_keys(
+            keystore:     :file,
+            key_path:     the_test_path,
             app_name:     'tester',
             environments: environments,
             cipher_name:  'aes-128-cbc'
@@ -53,6 +125,130 @@ module SymmetricEncryption
           end
         end
       end
+
+      describe '.read_key' do
+        let :config do
+          {key: stored_key, iv: stored_iv}
+        end
+
+        let :config_key do
+          SymmetricEncryption::Keystore.read_key(config)
+        end
+
+        let :dek_file_name do
+          "#{the_test_path}/dek_tester_dek.encrypted_key"
+        end
+
+        describe 'key' do
+          it 'key' do
+            assert_equal stored_key, config_key.key
+          end
+
+          it 'iv' do
+            assert_equal stored_iv, config_key.iv
+          end
+
+          it 'cipher_name' do
+            assert_equal 'aes-256-cbc', config_key.cipher_name
+          end
+        end
+
+        describe 'encrypted_key' do
+          let :config do
+            {encrypted_key: key2.encrypt(stored_key), iv: stored_iv, key_encrypting_key: {key: stored_key2, iv: stored_iv2}}
+          end
+
+          it 'key' do
+            assert_equal stored_key, config_key.key
+          end
+
+          it 'iv' do
+            assert_equal stored_iv, config_key.iv
+          end
+
+          it 'cipher_name' do
+            assert_equal 'aes-256-cbc', config_key.cipher_name
+          end
+        end
+
+        describe 'key_filename' do
+          let :config do
+            File.open(dek_file_name, 'wb') { |f| f.write(key2.encrypt(stored_key)) }
+            {key_filename: dek_file_name, iv: stored_iv, key_encrypting_key: {key: stored_key2, iv: stored_iv2}}
+          end
+
+          it 'key' do
+            assert_equal stored_key, config_key.key
+          end
+
+          it 'iv' do
+            assert_equal stored_iv, config_key.iv
+          end
+
+          it 'cipher_name' do
+            assert_equal 'aes-256-cbc', config_key.cipher_name
+          end
+        end
+
+        describe 'key_env_var' do
+          let :env_var do
+            'TEST_KEY'
+          end
+
+          let :config do
+            ENV[env_var] = ::Base64.strict_encode64(key2.encrypt(stored_key))
+            {key_env_var: env_var, iv: stored_iv, key_encrypting_key: {key: stored_key2, iv: stored_iv2}}
+          end
+
+          it 'key' do
+            assert_equal stored_key, config_key.key
+          end
+
+          it 'iv' do
+            assert_equal stored_iv, config_key.iv
+          end
+
+          it 'cipher_name' do
+            assert_equal 'aes-256-cbc', config_key.cipher_name
+          end
+        end
+
+        describe 'file store with kekek' do
+          let :kekek_file_name do
+            "#{the_test_path}/tester_kekek.key"
+          end
+
+          let :config do
+            File.open(dek_file_name, 'wb') { |f| f.write(key2.encrypt(stored_key)) }
+            encrypted_key = key3.encrypt(stored_key2)
+            File.open(kekek_file_name, 'wb') { |f| f.write(stored_key3) }
+            {
+              key_filename:       dek_file_name,
+              iv:                 stored_iv,
+              key_encrypting_key: {
+                encrypted_key:      encrypted_key,
+                iv:                 stored_iv2,
+                key_encrypting_key: {
+                  key_filename: kekek_file_name,
+                  iv:           stored_iv3
+                }
+              }
+            }
+          end
+
+          it 'key' do
+            assert_equal stored_key, config_key.key
+          end
+
+          it 'iv' do
+            assert_equal stored_iv, config_key.iv
+          end
+
+          it 'cipher_name' do
+            assert_equal 'aes-256-cbc', config_key.cipher_name
+          end
+        end
+      end
     end
   end
 end