symmetric-encryption 4.3.0 → 4.4.0

data/lib/symmetric_encryption/config.rb

@@ -1,5 +1,5 @@
-require 'erb'
-require 'yaml'
+require "erb"
+require "yaml"
 module SymmetricEncryption
   class Config
     attr_reader :file_name, :env
@@ -38,12 +38,12 @@ module SymmetricEncryption
       config = deep_stringify_keys(config)
 
       FileUtils.mkdir_p(File.dirname(file_name))
-      File.open(file_name, 'w') do |f|
-        f.puts '# This file was auto generated by symmetric-encryption.'
-        f.puts '# Recommend using symmetric-encryption to make changes.'
-        f.puts '# For more info, run:'
-        f.puts '#   symmetric-encryption --help'
-        f.puts '#'
+      File.open(file_name, "w") do |f|
+        f.puts "# This file was auto generated by symmetric-encryption."
+        f.puts "# Recommend using symmetric-encryption to make changes."
+        f.puts "# For more info, run:"
+        f.puts "#   symmetric-encryption --help"
+        f.puts "#"
         f.write(config.to_yaml)
       end
     end
@@ -52,15 +52,15 @@ module SymmetricEncryption
     #
     # See: `.load!` for parameters.
     def initialize(file_name: nil, env: nil)
-      env ||= defined?(Rails) ? Rails.env : ENV['RACK_ENV'] || ENV['RAILS_ENV'] || 'development'
+      env ||= defined?(Rails) ? Rails.env : ENV["RACK_ENV"] || ENV["RAILS_ENV"] || "development"
 
       unless file_name
-        root          = defined?(Rails) ? Rails.root : '.'
-        file_name     =
-          if (env_var = ENV['SYMMETRIC_ENCRYPTION_CONFIG'])
+        root      = defined?(Rails) ? Rails.root : "."
+        file_name =
+          if (env_var = ENV["SYMMETRIC_ENCRYPTION_CONFIG"])
             File.expand_path(env_var)
           else
-            File.join(root, 'config', 'symmetric-encryption.yml')
+            File.join(root, "config", "symmetric-encryption.yml")
           end
         raise(ConfigError, "Cannot find config file: #{file_name}") unless File.exist?(file_name)
       end
@@ -71,20 +71,21 @@ module SymmetricEncryption
 
     # Returns [Hash] the configuration for the supplied environment.
     def config
-      @config ||= begin
-        raise(ConfigError, "Cannot find config file: #{file_name}") unless File.exist?(file_name)
+      @config ||=
+        begin
+          raise(ConfigError, "Cannot find config file: #{file_name}") unless File.exist?(file_name)
 
-        env_config = YAML.load(ERB.new(File.new(file_name).read).result)[env]
-        raise(ConfigError, "Cannot find environment: #{env} in config file: #{file_name}") unless env_config
+          env_config = YAML.load(ERB.new(File.new(file_name).read).result)[env]
+          raise(ConfigError, "Cannot find environment: #{env} in config file: #{file_name}") unless env_config
 
-        env_config = self.class.send(:deep_symbolize_keys, env_config)
-        self.class.send(:migrate_old_formats!, env_config)
-      end
+          env_config = self.class.send(:deep_symbolize_keys, env_config)
+          self.class.send(:migrate_old_formats!, env_config)
+        end
     end
 
-    # Returns [Array(SymmetricEncrytion::Cipher)] ciphers specified in the configuration file.
+    # Returns [Array(SymmetricEncryption::Cipher)] ciphers specified in the configuration file.
     def ciphers
-      @ciphers ||= config[:ciphers].collect { |cipher_config| Cipher.from_config(cipher_config) }
+      @ciphers ||= config[:ciphers].collect { |cipher_config| Cipher.from_config(**cipher_config) }
     end
 
     # Iterate through the Hash symbolizing all keys.
@@ -129,22 +130,22 @@ module SymmetricEncryption
     def self.migrate_old_formats!(config)
       # Inline single cipher before :ciphers
       unless config.key?(:ciphers)
-        inline_cipher                               = {}
+        inline_cipher = {}
         config.keys.each { |key| inline_cipher[key] = config.delete(key) }
-        config[:ciphers]                            = [inline_cipher]
+        config[:ciphers] = [inline_cipher]
       end
 
       # Copy Old :private_rsa_key into each ciphers config
       # Cipher.from_config replaces it with the RSA Kek
       if config[:private_rsa_key]
-        private_rsa_key                                           = config.delete(:private_rsa_key)
+        private_rsa_key = config.delete(:private_rsa_key)
         config[:ciphers].each { |cipher| cipher[:private_rsa_key] = private_rsa_key }
       end
 
       # Old :cipher_name
       config[:ciphers].each do |cipher|
         if (old_key_name_cipher = cipher.delete(:cipher))
-          cipher[:cipher_name]  = old_key_name_cipher
+          cipher[:cipher_name] = old_key_name_cipher
         end
 
         # Only temporarily used during v4 Beta process
@@ -155,7 +156,7 @@ module SymmetricEncryption
         #   encrypted_key: <%= ENV['VAR'] %>
         if cipher.key?(:encrypted_key) && cipher[:encrypted_key].nil?
           cipher[:key_env_var] = :placeholder
-          puts 'WARNING: :encrypted_key resolved to nil. Please see the migrated config file for the new option :key_env_var.'
+          puts "WARNING: :encrypted_key resolved to nil. Please see the migrated config file for the new option :key_env_var."
         end
       end
       config

data/lib/symmetric_encryption/core.rb

@@ -1,34 +1,35 @@
 # Used for compression
-require 'zlib'
+require "zlib"
 # Used to coerce data types between string and their actual types
-require 'coercible'
+require "coercible"
 
-require 'symmetric_encryption/version'
-require 'symmetric_encryption/cipher'
-require 'symmetric_encryption/symmetric_encryption'
-require 'symmetric_encryption/exception'
+require "symmetric_encryption/version"
+require "symmetric_encryption/cipher"
+require "symmetric_encryption/symmetric_encryption"
+require "symmetric_encryption/exception"
 
 # @formatter:off
 module SymmetricEncryption
-  autoload :Coerce,                 'symmetric_encryption/coerce'
-  autoload :Config,                 'symmetric_encryption/config'
-  autoload :Encoder,                'symmetric_encryption/encoder'
-  autoload :EncryptedStringType,    'symmetric_encryption/types/encrypted_string_type'
-  autoload :Generator,              'symmetric_encryption/generator'
-  autoload :Header,                 'symmetric_encryption/header'
-  autoload :Key,                    'symmetric_encryption/key'
-  autoload :Reader,                 'symmetric_encryption/reader'
-  autoload :RSAKey,                 'symmetric_encryption/rsa_key'
-  autoload :Writer,                 'symmetric_encryption/writer'
-  autoload :CLI,                    'symmetric_encryption/cli'
-  autoload :Keystore,               'symmetric_encryption/keystore'
+  autoload :Coerce,                 "symmetric_encryption/coerce"
+  autoload :Config,                 "symmetric_encryption/config"
+  autoload :Encoder,                "symmetric_encryption/encoder"
+  autoload :EncryptedStringType,    "symmetric_encryption/types/encrypted_string_type"
+  autoload :Generator,              "symmetric_encryption/generator"
+  autoload :Header,                 "symmetric_encryption/header"
+  autoload :Key,                    "symmetric_encryption/key"
+  autoload :Reader,                 "symmetric_encryption/reader"
+  autoload :RSAKey,                 "symmetric_encryption/rsa_key"
+  autoload :Writer,                 "symmetric_encryption/writer"
+  autoload :CLI,                    "symmetric_encryption/cli"
+  autoload :Keystore,               "symmetric_encryption/keystore"
   module ActiveRecord
-    autoload :EncryptedAttribute,   'symmetric_encryption/active_record/encrypted_attribute'
+    autoload :EncryptedAttribute,   "symmetric_encryption/active_record/encrypted_attribute"
   end
+
   module Utils
-    autoload :Aws,                  'symmetric_encryption/utils/aws'
-    autoload :Files,                'symmetric_encryption/utils/files'
-    autoload :ReEncryptFiles,       'symmetric_encryption/utils/re_encrypt_files'
+    autoload :Aws,                  "symmetric_encryption/utils/aws"
+    autoload :Files,                "symmetric_encryption/utils/files"
+    autoload :ReEncryptFiles,       "symmetric_encryption/utils/re_encrypt_files"
   end
 end
 # @formatter:on

data/lib/symmetric_encryption/encoder.rb

@@ -6,6 +6,8 @@ module SymmetricEncryption
         Base64.new
       when :base64strict
         Base64Strict.new
+      when :base64urlsafe
+        Base64UrlSafe.new
       when :base16
         Base16.new
       when :none
@@ -35,14 +37,14 @@ module SymmetricEncryption
 
     class Base64
       def encode(binary_string)
-        return binary_string if binary_string.nil? || (binary_string == '')
+        return binary_string if binary_string.nil? || (binary_string == "")
 
         encoded_string = ::Base64.encode64(binary_string)
         encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
       end
 
       def decode(encoded_string)
-        return encoded_string if encoded_string.nil? || (encoded_string == '')
+        return encoded_string if encoded_string.nil? || (encoded_string == "")
 
         decoded_string = ::Base64.decode64(encoded_string)
         decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
@@ -51,32 +53,48 @@ module SymmetricEncryption
 
     class Base64Strict
       def encode(binary_string)
-        return binary_string if binary_string.nil? || (binary_string == '')
+        return binary_string if binary_string.nil? || (binary_string == "")
 
         encoded_string = ::Base64.strict_encode64(binary_string)
         encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
       end
 
       def decode(encoded_string)
-        return encoded_string if encoded_string.nil? || (encoded_string == '')
+        return encoded_string if encoded_string.nil? || (encoded_string == "")
 
         decoded_string = ::Base64.decode64(encoded_string)
         decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
       end
     end
 
+    class Base64UrlSafe
+      def encode(binary_string)
+        return binary_string if binary_string.nil? || (binary_string == "")
+
+        encoded_string = ::Base64.urlsafe_encode64(binary_string)
+        encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
+      end
+
+      def decode(encoded_string)
+        return encoded_string if encoded_string.nil? || (encoded_string == "")
+
+        decoded_string = ::Base64.urlsafe_decode64(encoded_string)
+        decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
+      end
+    end
+
     class Base16
       def encode(binary_string)
-        return binary_string if binary_string.nil? || (binary_string == '')
+        return binary_string if binary_string.nil? || (binary_string == "")
 
-        encoded_string = binary_string.to_s.unpack('H*').first
+        encoded_string = binary_string.to_s.unpack("H*").first
         encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
       end
 
       def decode(encoded_string)
-        return encoded_string if encoded_string.nil? || (encoded_string == '')
+        return encoded_string if encoded_string.nil? || (encoded_string == "")
 
-        decoded_string = [encoded_string].pack('H*')
+        decoded_string = [encoded_string].pack("H*")
         decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
       end
     end

data/lib/symmetric_encryption/generator.rb

@@ -8,11 +8,15 @@ module SymmetricEncryption
       compress  = options.delete(:compress) || false
       type      = options.delete(:type) || :string
 
-      raise(ArgumentError, "SymmetricEncryption Invalid options #{options.inspect} when encrypting '#{decrypted_name}'") unless options.empty?
-      raise(ArgumentError, "Invalid type: #{type.inspect}. Valid types: #{SymmetricEncryption::COERCION_TYPES.inspect}") unless SymmetricEncryption::COERCION_TYPES.include?(type)
+      unless options.empty?
+        raise(ArgumentError, "SymmetricEncryption Invalid options #{options.inspect} when encrypting '#{decrypted_name}'")
+      end
+      unless SymmetricEncryption::COERCION_TYPES.include?(type)
+        raise(ArgumentError, "Invalid type: #{type.inspect}. Valid types: #{SymmetricEncryption::COERCION_TYPES.inspect}")
+      end
 
       if model.const_defined?(:EncryptedAttributes, _search_ancestors = false)
-        mod                                                           = model.const_get(:EncryptedAttributes)
+        mod = model.const_get(:EncryptedAttributes)
       else
         mod = model.const_set(:EncryptedAttributes, Module.new)
         model.send(:include, mod)

data/lib/symmetric_encryption/header.rb

@@ -8,7 +8,7 @@ module SymmetricEncryption
   class Header
     # Encrypted data includes this header prior to encoding when
     # `always_add_header` is true.
-    MAGIC_HEADER      = '@EnC'.force_encoding(SymmetricEncryption::BINARY_ENCODING)
+    MAGIC_HEADER      = "@EnC".force_encoding(SymmetricEncryption::BINARY_ENCODING)
     MAGIC_HEADER_SIZE = MAGIC_HEADER.size
 
     # [true|false] Whether to compress the data before encryption.
@@ -37,7 +37,7 @@ module SymmetricEncryption
     # Returns whether the supplied buffer starts with a symmetric_encryption header
     # Note: The encoding of the supplied buffer is forced to binary if not already binary
     def self.present?(buffer)
-      return false if buffer.nil? || (buffer == '')
+      return false if buffer.nil? || (buffer == "")
 
       buffer.force_encoding(SymmetricEncryption::BINARY_ENCODING)
       buffer.start_with?(MAGIC_HEADER)
@@ -122,7 +122,7 @@ module SymmetricEncryption
     #
     # Returns 0 if no header is present
     def parse(buffer, offset = 0)
-      return 0 if buffer.nil? || (buffer == '') || (buffer.length <= MAGIC_HEADER_SIZE + 2)
+      return 0 if buffer.nil? || (buffer == "") || (buffer.length <= MAGIC_HEADER_SIZE + 2)
 
       # Symmetric Encryption Header
       #
@@ -153,7 +153,7 @@ module SymmetricEncryption
 
       # Remove header and extract flags
       self.version = buffer.getbyte(offset)
-      offset      += 1
+      offset += 1
 
       unless cipher
         raise(
@@ -162,34 +162,34 @@ module SymmetricEncryption
         )
       end
 
-      flags   = buffer.getbyte(offset)
+      flags = buffer.getbyte(offset)
       offset += 1
 
       self.compress = (flags & FLAG_COMPRESSED) != 0
 
-      if (flags & FLAG_IV) != 0
-        self.iv, offset = read_string(buffer, offset)
-      else
+      if (flags & FLAG_IV).zero?
         self.iv = nil
+      else
+        self.iv, offset = read_string(buffer, offset)
       end
 
-      if (flags & FLAG_KEY) != 0
+      if (flags & FLAG_KEY).zero?
+        self.key = nil
+      else
         encrypted_key, offset = read_string(buffer, offset)
         self.key              = cipher.binary_decrypt(encrypted_key)
-      else
-        self.key = nil
       end
 
-      if (flags & FLAG_CIPHER_NAME) != 0
-        self.cipher_name, offset = read_string(buffer, offset)
-      else
+      if (flags & FLAG_CIPHER_NAME).zero?
         self.cipher_name = nil
+      else
+        self.cipher_name, offset = read_string(buffer, offset)
       end
 
-      if (flags & FLAG_AUTH_TAG) != 0
-        self.auth_tag, offset = read_string(buffer, offset)
-      else
+      if (flags & FLAG_AUTH_TAG).zero?
         self.auth_tag = nil
+      else
+        self.auth_tag, offset = read_string(buffer, offset)
       end
 
       offset
@@ -197,7 +197,7 @@ module SymmetricEncryption
 
     # Returns [String] this header as a string
     def to_s
-      flags  = 0
+      flags = 0
       flags |= FLAG_COMPRESSED if compressed?
       flags |= FLAG_IV if iv
       flags |= FLAG_KEY if key
@@ -207,23 +207,23 @@ module SymmetricEncryption
       header = "#{MAGIC_HEADER}#{version.chr(SymmetricEncryption::BINARY_ENCODING)}#{flags.chr(SymmetricEncryption::BINARY_ENCODING)}"
 
       if iv
-        header << [iv.length].pack('v')
+        header << [iv.length].pack("v")
         header << iv
       end
 
       if key
         encrypted = cipher.binary_encrypt(key, header: false)
-        header << [encrypted.length].pack('v')
+        header << [encrypted.length].pack("v")
         header << encrypted
       end
 
       if cipher_name
-        header << [cipher_name.length].pack('v')
+        header << [cipher_name.length].pack("v")
         header << cipher_name
       end
 
       if auth_tag
-        header << [auth_tag.length].pack('v')
+        header << [auth_tag.length].pack("v")
         header << auth_tag
       end
 
@@ -258,9 +258,9 @@ module SymmetricEncryption
       #   Exception when
       #   - offset exceeds length of buffer
       #   byteslice truncates when too long, but returns nil when start is beyond end of buffer
-      len     = buffer.byteslice(offset, 2).unpack('v').first
+      len = buffer.byteslice(offset, 2).unpack("v").first
       offset += 2
-      out     = buffer.byteslice(offset, len)
+      out = buffer.byteslice(offset, len)
       [out, offset + len]
     end
   end

data/lib/symmetric_encryption/key.rb

@@ -3,7 +3,7 @@ module SymmetricEncryption
   class Key
     attr_reader :key, :iv, :cipher_name
 
-    def initialize(key: :random, iv: :random, cipher_name: 'aes-256-cbc')
+    def initialize(key: :random, iv: :random, cipher_name: "aes-256-cbc")
       @key         = key == :random ? ::OpenSSL::Cipher.new(cipher_name).random_key : key
       @iv          = iv == :random ? ::OpenSSL::Cipher.new(cipher_name).random_iv : iv
       @cipher_name = cipher_name

data/lib/symmetric_encryption/keystore/aws.rb

@@ -1,4 +1,4 @@
-require 'aws-sdk-kms'
+require "aws-sdk-kms"
 module SymmetricEncryption
   module Keystore
     # Support AWS Key Management Service (KMS)
@@ -70,24 +70,20 @@ module SymmetricEncryption
       #                ],
       #   iv:          'T80pYzD0E6e/bJCdjZ6TiQ=='
       # }
-      def self.generate_data_key(version: 0,
+      def self.generate_data_key(cipher_name:, app_name:, environment:, key_path:, version: 0,
                                  regions: Utils::Aws::AWS_US_REGIONS,
                                  dek: nil,
-                                 cipher_name:,
-                                 app_name:,
-                                 environment:,
-                                 key_path:,
-                                 **args)
+                                 **_args)
 
         # TODO: Also support generating environment variables instead of files.
 
         version >= 255 ? (version = 1) : (version += 1)
-        regions                   = Array(regions).dup
+        regions = Array(regions).dup
 
         master_key_alias = master_key_alias(app_name, environment)
 
         # File per region for holding the encrypted data key
-        key_files   = regions.collect do |region|
+        key_files = regions.collect do |region|
           file_name = "#{app_name}_#{environment}_#{region}_v#{version}.encrypted_key"
           {region: region, file_name: ::File.join(key_path, file_name)}
         end
@@ -116,12 +112,13 @@ module SymmetricEncryption
 
       # Stores the Encryption key in a file.
       # Secures the Encryption key by encrypting it with a key encryption key.
-      def initialize(region: nil, key_files:, master_key_alias:, key_encrypting_key: nil)
+      def initialize(key_files:, master_key_alias:, region: nil, key_encrypting_key: nil)
         @key_files        = key_files
         @master_key_alias = master_key_alias
-        @region           = region || ENV['AWS_REGION'] || ENV['AWS_DEFAULT_REGION'] || ::Aws.config[:region]
+        @region           = region || ENV["AWS_REGION"] || ENV["AWS_DEFAULT_REGION"] || ::Aws.config[:region]
         if key_encrypting_key
-          raise(SymmetricEncryption::ConfigError, 'AWS KMS keystore encrypts the key itself, so does not support supplying a key_encrypting_key')
+          raise(SymmetricEncryption::ConfigError,
+                "AWS KMS keystore encrypts the key itself, so does not support supplying a key_encrypting_key")
         end
       end
 
@@ -143,7 +140,7 @@ module SymmetricEncryption
           region    = key_file[:region]
           file_name = key_file[:file_name]
 
-          raise(ArgumentError, 'region and file_name are mandatory for each key_file entry') unless region && file_name
+          raise(ArgumentError, "region and file_name are mandatory for each key_file entry") unless region && file_name
 
           encrypted_data_key = aws(region).encrypt(data_key)
           write_encoded_to_file(file_name, encrypted_data_key)

data/lib/symmetric_encryption/keystore/environment.rb

@@ -7,13 +7,13 @@ module SymmetricEncryption
       # Returns [Hash] a new keystore configuration after generating the data key.
       #
       # Increments the supplied version number by 1.
-      def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil, **args)
+      def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil, **_args)
         version >= 255 ? (version = 1) : (version += 1)
 
-        kek   = SymmetricEncryption::Key.new(cipher_name: cipher_name)
+        kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
         dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
 
-        key_env_var = "#{app_name}_#{environment}_v#{version}".upcase.tr('-', '_')
+        key_env_var = "#{app_name}_#{environment}_v#{version}".upcase.tr("-", "_")
         new(key_env_var: key_env_var, key_encrypting_key: kek).write(dek.key)
 
         {
@@ -50,9 +50,9 @@ module SymmetricEncryption
       def write(key)
         encrypted_key = key_encrypting_key.encrypt(key)
         puts "\n\n********************************************************************************"
-        puts 'Set the environment variable as follows:'
+        puts "Set the environment variable as follows:"
         puts "  export #{key_env_var}=\"#{encoder.encode(encrypted_key)}\""
-        puts '********************************************************************************'
+        puts "********************************************************************************"
       end
 
       private

data/lib/symmetric_encryption/keystore/file.rb

@@ -2,17 +2,18 @@ module SymmetricEncryption
   module Keystore
     class File
       include Utils::Files
+      ALLOWED_PERMISSIONS = %w[100600 100400].freeze
 
       attr_accessor :file_name, :key_encrypting_key
 
       # Returns [Hash] a new keystore configuration after generating the data key.
       #
       # Increments the supplied version number by 1.
-      def self.generate_data_key(key_path:, cipher_name:, app_name:, environment:, version: 0, dek: nil, **args)
+      def self.generate_data_key(key_path:, cipher_name:, app_name:, environment:, version: 0, dek: nil, **_args)
         version >= 255 ? (version = 1) : (version += 1)
 
         dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
-        kek   = SymmetricEncryption::Key.new(cipher_name: cipher_name)
+        kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
         kekek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
 
         dek_file_name = ::File.join(key_path, "#{app_name}_#{environment}_v#{version}.encrypted_key")
@@ -47,11 +48,22 @@ module SymmetricEncryption
 
       # Returns the Encryption key in the clear.
       def read
-        raise(SymmetricEncryption::ConfigError,
-              "Symmetric Encryption key file: '#{file_name}' not found") unless ::File.exists?(file_name)
-        raise(SymmetricEncryption::ConfigError,
-              "Symmetric Encryption key file '#{file_name}' has the wrong "\
-              "permissions: #{::File.stat(file_name).mode.to_s(8)}. Expected 100600 or 100400.") unless correct_permissions?
+        unless ::File.exist?(file_name)
+          raise(SymmetricEncryption::ConfigError,
+                "Symmetric Encryption key file: '#{file_name}' not found")
+        end
+        unless correct_permissions?
+          raise(SymmetricEncryption::ConfigError,
+                "Symmetric Encryption key file '#{file_name}' has the wrong "\
+                "permissions: #{::File.stat(file_name).mode.to_s(8)}. Expected 100600 or 100400.")
+        end
+        unless owned?
+          raise(SymmetricEncryption::ConfigError,
+                "Symmetric Encryption key file '#{file_name}' has the wrong "\
+                "owner (#{stat.uid}) or group (#{stat.gid}). "\
+                "Expected it to be owned by current user "\
+                "#{ENV['USER'] || ENV['USERNAME']}.")
+        end
 
         data = read_from_file(file_name)
         key_encrypting_key ? key_encrypting_key.decrypt(data) : data
@@ -69,9 +81,15 @@ module SymmetricEncryption
       # has the correct mode - readable and writable by its owner and no one
       # else, much like the keys one has in ~/.ssh
       def correct_permissions?
-        stat = ::File.stat(file_name)
+        ALLOWED_PERMISSIONS.include?(stat.mode.to_s(8))
+      end
+
+      def owned?
+        stat.owned?
+      end
 
-        stat.owned? && %w(100600 100400).include?(stat.mode.to_s(8))
+      def stat
+        ::File.stat(file_name)
       end
     end
   end

data/lib/symmetric_encryption/keystore/gcp.rb

@@ -5,12 +5,12 @@ module SymmetricEncryption
     class Gcp
       include Utils::Files
 
-      def self.generate_data_key(version: 0, cipher_name:, app_name:, environment:, key_path:)
+      def self.generate_data_key(cipher_name:, app_name:, environment:, key_path:, version: 0)
         version >= 255 ? (version = 1) : (version += 1)
 
-        dek      = SymmetricEncryption::Key.new(cipher_name: cipher_name)
+        dek       = SymmetricEncryption::Key.new(cipher_name: cipher_name)
         file_name = "#{key_path}/#{app_name}_#{environment}_v#{version}.encrypted_key"
-        keystore = new(
+        keystore  = new(
           key_file:    file_name,
           app_name:    app_name,
           environment: environment
@@ -18,21 +18,21 @@ module SymmetricEncryption
         keystore.write(dek.key)
 
         {
-          keystore:         :gcp,
-          cipher_name:      dek.cipher_name,
-          version:          version,
-          key_file:         file_name,
-          iv:               dek.iv,
-          crypto_key:       keystore.crypto_key
+          keystore:    :gcp,
+          cipher_name: dek.cipher_name,
+          version:     version,
+          key_file:    file_name,
+          iv:          dek.iv,
+          crypto_key:  keystore.crypto_key
         }
       end
 
       def initialize(key_file:, app_name: nil, environment: nil, key_encrypting_key: nil, crypto_key: nil, project_id: nil, credentials: nil, location_id: nil)
-        @crypto_key = crypto_key
-        @app_name = app_name
+        @crypto_key  = crypto_key
+        @app_name    = app_name
         @environment = environment
-        @file_name = key_file
-        @project_id = project_id
+        @file_name   = key_file
+        @project_id  = project_id
         @credentials = credentials
         @location_id = location_id
       end
@@ -46,7 +46,8 @@ module SymmetricEncryption
       end
 
       def crypto_key
-        @crypto_key ||= self.class::KMS::KeyManagementServiceClient.crypto_key_path(project_id, location_id, app_name, environment.to_s)
+        @crypto_key ||= self.class::KMS::KeyManagementServiceClient.crypto_key_path(project_id, location_id, app_name,
+                                                                                    environment.to_s)
       end
 
       private
@@ -69,18 +70,20 @@ module SymmetricEncryption
 
       def project_id
         @project_id ||= ENV["GOOGLE_CLOUD_PROJECT"]
-        raise 'GOOGLE_CLOUD_PROJECT must be set' if @project_id.nil?
+        raise "GOOGLE_CLOUD_PROJECT must be set" if @project_id.nil?
+
         @project_id
       end
 
       def credentials
-        @credentials ||= ENV['GOOGLE_CLOUD_KEYFILE']
-        raise 'GOOGLE_CLOUD_KEYFILE must be set' if @credentials.nil?
+        @credentials ||= ENV["GOOGLE_CLOUD_KEYFILE"]
+        raise "GOOGLE_CLOUD_KEYFILE must be set" if @credentials.nil?
+
         @credentials
       end
 
       def location_id
-        @location_id ||= ENV["GOOGLE_CLOUD_LOCATION"] || 'global'
+        @location_id ||= ENV["GOOGLE_CLOUD_LOCATION"] || "global"
       end
     end
   end