symmetric-encryption 4.1.1 → 4.1.2

data/test/key_test.rb

@@ -1,81 +0,0 @@
-require_relative 'test_helper'
-
-class KeyTest < Minitest::Test
-  describe SymmetricEncryption::Key do
-    let :random_key do
-      SymmetricEncryption::Key.new
-    end
-
-    let :stored_key do
-      '1234567890ABCDEF1234567890ABCDEF'
-    end
-
-    let :stored_iv do
-      'ABCDEF1234567890'
-    end
-
-    let :key do
-      SymmetricEncryption::Key.new(key: stored_key, iv: stored_iv)
-    end
-
-    let :ssn do
-      '987654321'
-    end
-
-    let :encrypted_ssn do
-      essn = "cR\x9C,\x91\xA4{\b`\x9Fls\xA4\f\xD1\xBF"
-      essn.force_encoding('binary')
-      essn
-    end
-
-    describe 'encrypt' do
-      it 'empty string' do
-        assert_equal '', key.encrypt('')
-      end
-
-      it 'nil' do
-        assert_nil key.encrypt(nil)
-      end
-
-      it 'string' do
-        assert_equal encrypted_ssn, key.encrypt(ssn)
-      end
-    end
-
-    describe 'decrypt' do
-      it 'empty string' do
-        assert_equal '', key.decrypt('')
-      end
-
-      it 'nil' do
-        assert_nil key.decrypt(nil)
-      end
-
-      it 'string' do
-        assert_equal ssn, key.decrypt(encrypted_ssn)
-      end
-    end
-
-    describe 'key' do
-      it 'creates random key by default' do
-        assert key = random_key.key
-        refute_equal key, SymmetricEncryption::Key.new.key
-      end
-
-      it 'stores' do
-        assert_equal stored_key, key.key
-      end
-    end
-
-    describe 'iv' do
-      it 'creates random iv by default' do
-        assert iv = random_key.iv
-        refute_equal iv, SymmetricEncryption::Key.new.iv
-      end
-
-      it 'stores' do
-        assert_equal stored_iv, key.iv
-      end
-    end
-  end
-end

data/test/keystore/aws_test.rb

@@ -1,133 +0,0 @@
-require_relative '../test_helper'
-require 'stringio'
-
-module SymmetricEncryption
-  module Keystore
-    class AwsTest < Minitest::Test
-      describe SymmetricEncryption::Keystore::File do
-        before do
-          unless (ENV['AWS_ACCESS_KEY_ID'] && ENV['AWS_SECRET_ACCESS_KEY']) || ENV['AWS_CONFIG_FILE']
-            # For example: export AWS_CONFIG_FILE=~/.aws/credentials
-            skip 'Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, or AWS_CONFIG_FILE to run AWS KMS tests'
-          end
-        end
-
-        let :the_test_path do
-          path = 'tmp/keystore/aws_test'
-          FileUtils.makedirs(path) unless ::File.exist?(path)
-          path
-        end
-
-        after do
-          # Cleanup generated encryption key files.
-          `rm #{the_test_path}/* 2> /dev/null`
-        end
-
-        let :regions do
-          %w[us-east-1 us-east-2]
-        end
-
-        let :version do
-          10
-        end
-
-        let :key_config do
-          SymmetricEncryption::Keystore::Aws.generate_data_key(
-            regions:     regions,
-            key_path:    the_test_path,
-            cipher_name: 'aes-256-cbc',
-            app_name:    'tester',
-            environment: 'test',
-            version:     version
-          )
-        end
-
-        let :master_key_alias do
-          'alias/symmetric-encryption/test'
-        end
-
-        describe '.generate_data_key' do
-          it 'increments the version' do
-            assert_equal 11, key_config[:version]
-          end
-
-          describe 'with 255 version' do
-            let :version do
-              255
-            end
-
-            it 'handles version wrap' do
-              assert_equal 1, key_config[:version]
-            end
-          end
-
-          describe 'with 0 version' do
-            let :version do
-              0
-            end
-
-            it 'increments version' do
-              assert_equal 1, key_config[:version]
-            end
-          end
-
-          it 'creates encrypted key file for every region' do
-            assert key_files         = key_config[:key_files]
-            common_data_key          = nil
-            first_encrypted_data_key = nil
-
-            master_key_alias = 'alias/symmetric-encryption/tester/test'
-
-            key_files.each do |key_file|
-              assert region      = key_file[:region]
-              assert file_name   = key_file[:file_name]
-              expected_file_name = "#{the_test_path}/tester_test_#{region}_v11.encrypted_key"
-
-              assert_equal expected_file_name, file_name
-              assert ::File.exist?(file_name)
-
-              assert encoded_data_key = ::File.read(file_name)
-              encrypted_data_key      = Base64.strict_decode64(encoded_data_key)
-
-              aws             = SymmetricEncryption::Utils::Aws.new(region: region, master_key_alias: master_key_alias)
-              assert data_key = aws.decrypt(encrypted_data_key)
-
-              # Verify that the dek is the same in every region, but encrypted with the CMK for that region.
-              if common_data_key
-                refute_equal encrypted_data_key, first_encrypted_data_key, 'Must be encrypted with region specific CMK'
-                assert_equal common_data_key, data_key, 'All regions must have the same data key'
-              else
-                first_encrypted_data_key = encrypted_data_key
-                common_data_key          = data_key
-              end
-            end
-          end
-
-          it 'retains cipher_name' do
-            assert_equal 'aes-256-cbc', key_config[:cipher_name]
-          end
-
-          it 'is readable by Keystore.read_key' do
-            ENV['AWS_REGION'] = 'us-east-1'
-            assert SymmetricEncryption::Keystore.read_key(key_config)
-          end
-        end
-
-        describe '#write, #read' do
-          let :keystore do
-            SymmetricEncryption::Keystore::Aws.new(
-              region:           'us-east-1',
-              master_key_alias: master_key_alias,
-              key_files:        [{region: 'us-east-1', file_name: "#{the_test_path}/file_1"}]
-            )
-          end
-
-          it 'stores the key' do
-            keystore.write('TEST')
-            assert_equal 'TEST', keystore.read
-          end
-        end
-      end
-    end
-  end
-end

data/test/keystore/environment_test.rb

@@ -1,70 +0,0 @@
-require_relative '../test_helper'
-require 'stringio'
-
-module SymmetricEncryption
-  class EnvironmentTest < Minitest::Test
-    describe SymmetricEncryption::Keystore::Environment do
-      describe '.generate_data_key' do
-        let :version do
-          10
-        end
-
-        let :keystore_config do
-          SymmetricEncryption::Keystore::Environment.generate_data_key(
-            cipher_name: 'aes-256-cbc',
-            app_name:    'tester',
-            environment: 'test',
-            version:     version
-          )
-        end
-
-        it 'increments the version' do
-          assert_equal 11, keystore_config[:version]
-        end
-
-        describe 'with 255 version' do
-          let :version do
-            255
-          end
-
-          it 'handles version wrap' do
-            assert_equal 1, keystore_config[:version]
-          end
-        end
-
-        describe 'with 0 version' do
-          let :version do
-            0
-          end
-
-          it 'increments version' do
-            assert_equal 1, keystore_config[:version]
-          end
-        end
-
-        it 'retains the env var name' do
-          assert_equal 'TESTER_TEST_V11', keystore_config[:key_env_var]
-        end
-
-        it 'retains cipher_name' do
-          assert_equal 'aes-256-cbc', keystore_config[:cipher_name]
-        end
-      end
-
-      describe '#read' do
-        let :key do
-          SymmetricEncryption::Key.new
-        end
-
-        let :keystore do
-          SymmetricEncryption::Keystore::Environment.new(key_env_var: 'TESTER_ENV_VAR', key_encrypting_key: key)
-        end
-
-        it 'reads the key' do
-          ENV['TESTER_ENV_VAR'] = Base64.strict_encode64(key.encrypt('TEST'))
-          assert_equal 'TEST', keystore.read
-        end
-      end
-    end
-  end
-end

data/test/keystore/file_test.rb

@@ -1,85 +0,0 @@
-require_relative '../test_helper'
-require 'stringio'
-
-module SymmetricEncryption
-  class FileTest < Minitest::Test
-    describe SymmetricEncryption::Keystore::File do
-      let :the_test_path do
-        path = 'tmp/keystore/file_test'
-        FileUtils.makedirs(path) unless ::File.exist?(path)
-        path
-      end
-
-      after do
-        # Cleanup generated encryption key files.
-        `rm #{the_test_path}/* 2> /dev/null`
-      end
-
-      describe '.generate_data_key' do
-        let :version do
-          10
-        end
-
-        let :key_config do
-          SymmetricEncryption::Keystore::File.generate_data_key(
-            key_path:    the_test_path,
-            cipher_name: 'aes-256-cbc',
-            app_name:    'tester',
-            environment: 'test',
-            version:     version
-          )
-        end
-
-        it 'increments the version' do
-          assert_equal 11, key_config[:version]
-        end
-
-        describe 'with 255 version' do
-          let :version do
-            255
-          end
-
-          it 'handles version wrap' do
-            assert_equal 1, key_config[:version]
-          end
-        end
-
-        describe 'with 0 version' do
-          let :version do
-            0
-          end
-
-          it 'increments version' do
-            assert_equal 1, key_config[:version]
-          end
-        end
-
-        it 'creates the encrypted key file' do
-          file_name = "#{the_test_path}/tester_test_v11.encrypted_key"
-          assert_equal file_name, key_config[:key_filename]
-          assert File.exist?(file_name)
-        end
-
-        it 'retains cipher_name' do
-          assert_equal 'aes-256-cbc', key_config[:cipher_name]
-        end
-
-        it 'is readable by Key.from_config' do
-          key_config.delete(:version)
-          assert SymmetricEncryption::Keystore.read_key(key_config)
-        end
-      end
-
-      describe '#write, #read' do
-        let :keystore do
-          SymmetricEncryption::Keystore::File.new(key_filename: "#{the_test_path}/tester.key", key_encrypting_key: SymmetricEncryption::Key.new)
-        end
-
-        it 'stores the key' do
-          keystore.write('TEST')
-          assert_equal 'TEST', keystore.read
-        end
-      end
-    end
-  end
-end

data/test/keystore/heroku_test.rb

@@ -1,70 +0,0 @@
-require_relative '../test_helper'
-require 'stringio'
-
-module SymmetricEncryption
-  class HerokuTest < Minitest::Test
-    describe SymmetricEncryption::Keystore::Heroku do
-      describe '.generate_data_key' do
-        let :version do
-          10
-        end
-
-        let :keystore_config do
-          SymmetricEncryption::Keystore::Heroku.generate_data_key(
-            cipher_name: 'aes-256-cbc',
-            app_name:    'tester',
-            environment: 'test',
-            version:     version
-          )
-        end
-
-        it 'increments the version' do
-          assert_equal 11, keystore_config[:version]
-        end
-
-        describe 'with 255 version' do
-          let :version do
-            255
-          end
-
-          it 'handles version wrap' do
-            assert_equal 1, keystore_config[:version]
-          end
-        end
-
-        describe 'with 0 version' do
-          let :version do
-            0
-          end
-
-          it 'increments version' do
-            assert_equal 1, keystore_config[:version]
-          end
-        end
-
-        it 'retains the env var name' do
-          assert_equal 'TESTER_TEST_V11', keystore_config[:key_env_var]
-        end
-
-        it 'retains cipher_name' do
-          assert_equal 'aes-256-cbc', keystore_config[:cipher_name]
-        end
-      end
-
-      describe '#read' do
-        let :key do
-          SymmetricEncryption::Key.new
-        end
-
-        let :keystore do
-          SymmetricEncryption::Keystore::Heroku.new(key_env_var: 'TESTER_ENV_VAR', key_encrypting_key: key)
-        end
-
-        it 'reads the key' do
-          ENV['TESTER_ENV_VAR'] = Base64.strict_encode64(key.encrypt('TEST'))
-          assert_equal 'TEST', keystore.read
-        end
-      end
-    end
-  end
-end

data/test/keystore_test.rb

@@ -1,254 +0,0 @@
-require_relative 'test_helper'
-
-module SymmetricEncryption
-  class KeystoreTest < Minitest::Test
-    describe SymmetricEncryption::Keystore do
-      let :keystore do
-        SymmetricEncryption::Keystore::File.new(file_name: 'tmp/tester.key', key_encrypting_key: SymmetricEncryption::Key.new)
-      end
-
-      let :the_test_path do
-        path = 'tmp/keystore_test'
-        FileUtils.makedirs(path) unless ::File.exist?(path)
-        path
-      end
-
-      after do
-        # Cleanup generated encryption key files.
-        `rm #{the_test_path}/* 2> /dev/null`
-      end
-
-      let :random_key do
-        SymmetricEncryption::Key.new
-      end
-
-      let :stored_key do
-        '1234567890ABCDEF1234567890ABCDEF'
-      end
-
-      let :stored_iv do
-        'ABCDEF1234567890'
-      end
-
-      let :key do
-        SymmetricEncryption::Key.new(key: stored_key, iv: stored_iv)
-      end
-
-      let :stored_key2 do
-        'ABCDEF1234567890ABCDEF1234567890'
-      end
-
-      let :stored_iv2 do
-        '1234567890ABCDEF'
-      end
-
-      let :key2 do
-        SymmetricEncryption::Key.new(key: stored_key2, iv: stored_iv2)
-      end
-
-      let :stored_key3 do
-        'ABCDEF0123456789ABCDEF0123456789'
-      end
-
-      let :stored_iv3 do
-        '0123456789ABCDEF'
-      end
-
-      let :key3 do
-        SymmetricEncryption::Key.new(key: stored_key3, iv: stored_iv3)
-      end
-
-      describe '.generate_data_keys' do
-        let :environments do
-          %i[development test acceptance preprod production]
-        end
-
-        let :config do
-          SymmetricEncryption::Keystore.generate_data_keys(
-            keystore:     :file,
-            key_path:     the_test_path,
-            app_name:     'tester',
-            environments: environments,
-            cipher_name:  'aes-128-cbc'
-          )
-        end
-
-        it 'creates keys for each environment' do
-          assert_equal environments, config.keys, config
-        end
-
-        it 'use test config for development and test' do
-          assert_equal SymmetricEncryption::Keystore.dev_config, config[:test]
-          assert_equal SymmetricEncryption::Keystore.dev_config, config[:development]
-        end
-      end
-
-      describe '.rotate_keys' do
-        let :environments do
-          %i[development test acceptance preprod production]
-        end
-
-        let :config do
-          SymmetricEncryption::Keystore.generate_data_keys(
-            keystore:     :file,
-            key_path:     the_test_path,
-            app_name:     'tester',
-            environments: environments,
-            cipher_name:  'aes-128-cbc'
-          )
-        end
-
-        let :rolling_deploy do
-          false
-        end
-
-        let :key_rotation do
-          SymmetricEncryption::Keystore.rotate_keys!(
-            config,
-            environments:   environments,
-            app_name:       'tester',
-            rolling_deploy: rolling_deploy
-          )
-        end
-
-        it 'creates an encrypted key file for all non-test environments' do
-          (environments - %i[development test]).each do |env|
-            assert key_rotation
-            assert key_rotation[env.to_sym], key_rotation
-            assert key_rotation[env.to_sym][:ciphers]
-            assert ciphers = key_rotation[env.to_sym][:ciphers], "Environment #{env} is missing ciphers: #{key_rotation[env.to_sym].inspect}"
-            assert_equal 2, ciphers.size, "Environment #{env}: #{ciphers.inspect}"
-            assert new_config = ciphers.first
-            assert file_name  = new_config[:key_filename], "Environment #{env} is missing key_filename: #{ciphers.inspect}"
-            assert File.exist?(file_name)
-            assert_equal 2, new_config[:version]
-          end
-        end
-      end
-
-      describe '.read_key' do
-        let :config do
-          {key: stored_key, iv: stored_iv}
-        end
-
-        let :config_key do
-          SymmetricEncryption::Keystore.read_key(config)
-        end
-
-        let :dek_file_name do
-          "#{the_test_path}/dek_tester_dek.encrypted_key"
-        end
-
-        describe 'key' do
-          it 'key' do
-            assert_equal stored_key, config_key.key
-          end
-
-          it 'iv' do
-            assert_equal stored_iv, config_key.iv
-          end
-
-          it 'cipher_name' do
-            assert_equal 'aes-256-cbc', config_key.cipher_name
-          end
-        end
-
-        describe 'encrypted_key' do
-          let :config do
-            {encrypted_key: key2.encrypt(stored_key), iv: stored_iv, key_encrypting_key: {key: stored_key2, iv: stored_iv2}}
-          end
-
-          it 'key' do
-            assert_equal stored_key, config_key.key
-          end
-
-          it 'iv' do
-            assert_equal stored_iv, config_key.iv
-          end
-
-          it 'cipher_name' do
-            assert_equal 'aes-256-cbc', config_key.cipher_name
-          end
-        end
-
-        describe 'key_filename' do
-          let :config do
-            File.open(dek_file_name, 'wb') { |f| f.write(key2.encrypt(stored_key)) }
-            {key_filename: dek_file_name, iv: stored_iv, key_encrypting_key: {key: stored_key2, iv: stored_iv2}}
-          end
-
-          it 'key' do
-            assert_equal stored_key, config_key.key
-          end
-
-          it 'iv' do
-            assert_equal stored_iv, config_key.iv
-          end
-
-          it 'cipher_name' do
-            assert_equal 'aes-256-cbc', config_key.cipher_name
-          end
-        end
-
-        describe 'key_env_var' do
-          let :env_var do
-            'TEST_KEY'
-          end
-
-          let :config do
-            ENV[env_var] = ::Base64.strict_encode64(key2.encrypt(stored_key))
-            {key_env_var: env_var, iv: stored_iv, key_encrypting_key: {key: stored_key2, iv: stored_iv2}}
-          end
-
-          it 'key' do
-            assert_equal stored_key, config_key.key
-          end
-
-          it 'iv' do
-            assert_equal stored_iv, config_key.iv
-          end
-
-          it 'cipher_name' do
-            assert_equal 'aes-256-cbc', config_key.cipher_name
-          end
-        end
-
-        describe 'file store with kekek' do
-          let :kekek_file_name do
-            "#{the_test_path}/tester_kekek.key"
-          end
-
-          let :config do
-            File.open(dek_file_name, 'wb') { |f| f.write(key2.encrypt(stored_key)) }
-            encrypted_key = key3.encrypt(stored_key2)
-            File.open(kekek_file_name, 'wb') { |f| f.write(stored_key3) }
-            {
-              key_filename:       dek_file_name,
-              iv:                 stored_iv,
-              key_encrypting_key: {
-                encrypted_key:      encrypted_key,
-                iv:                 stored_iv2,
-                key_encrypting_key: {
-                  key_filename: kekek_file_name,
-                  iv:           stored_iv3
-                }
-              }
-            }
-          end
-
-          it 'key' do
-            assert_equal stored_key, config_key.key
-          end
-
-          it 'iv' do
-            assert_equal stored_iv, config_key.iv
-          end
-
-          it 'cipher_name' do
-            assert_equal 'aes-256-cbc', config_key.cipher_name
-          end
-        end
-      end
-    end
-  end
-end