symmetric-encryption 3.3 → 3.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 37b9132a3f23db50841774bccd1d0ea48db0a325
-  data.tar.gz: 66808f69ba790855acac29dcd2ca59b59ec5a611
+  metadata.gz: 6c78c33fe68704b26ebd996fd8ea8785d73c6fa1
+  data.tar.gz: 5f1534c06fae8c76cfc0dccf5a2612ce45fbf683
 SHA512:
-  metadata.gz: 33ba910830b6f113ccefe74d029e2ec5d68f3ea15234bae0234c7de335d9d9e29f13edbc248398f6d766e02277ee22535f8d274cae10b48bcc9b8f388de81af5
-  data.tar.gz: c0dbfec5a29239451d18cd4ec8eef68f891100267a1b670e4b9224861b3cf9321ae7f525fc08ca7927aca260c72ec6696da40cca57af243d343bf288b28c40be
+  metadata.gz: 1fdf134465788b41776a086b5f86d0e2c43778899263bb9c3c702124779b5cad0d61466c1af15a11338959f76b7f6435598be7cb0f80d2c92a8d50727c21d372
+  data.tar.gz: 99a8de3d8d8aa73832f9541b7ab1b448685cd99739a59c600e543f4b27ef55b7c7025b3aaa62d2a0ae91c086aea30e9d9ac08209c2bfb1df7b4bf45ae8ac28eb

data/README.md

@@ -417,6 +417,8 @@ Install the Gem with bundler
 
 ## Rails Configuration
 
+If deploying to Heroku skip to the section "Rails Configuration for a Heroku deployment" below
+
 ### Creating the configuration file
 
 The configuration file contains the path to the production encryption key files.
@@ -484,6 +486,27 @@ environment must run the same encryption keys.
 
 Note: The generate step above must only be run once in each environment
 
+## Rails Configuration for a Heroku deployment
+
+Deploying to Heroku requires the encrypted key to be stored in an environment
+variable rather than as a file on disk.
+
+Generate the configuration file:
+
+    rails g symmetric_encryption:heroku_config
+
+Note: Ignore the warning about "Symmetric Encryption config not found" since it is
+being generated.
+
+Note: The encrypted keys for the release and production environments are displayed on
+screen and must be entered manually as environment variables into Heroku so that the
+application can find them when it starts.
+
+#### Save to version control
+
+This configuration file should be checked into the source code control system.
+It does Not include the Symmetric Encryption keys.
+
 ## Using in non-Rails environments
 
 SymmetricEncryption can also be used in non-Rails environment.
@@ -681,6 +704,7 @@ Contributors
 ------------
 
 [M. Scott Ford](https://github.com/mscottford)
+[Adam St. John](https://github.com/astjohn)
 
 License
 -------

data/lib/rails/generators/symmetric_encryption/heroku_config/heroku_config_generator.rb

@@ -0,0 +1,20 @@
+module SymmetricEncryption
+  module Generators
+    class HerokuConfigGenerator < Rails::Generators::Base
+      desc "Creates a SymmetricEncryption configuration file at config/symmetric-encryption.yml for use in heroku"
+
+      def self.source_root
+        @_symmetric_encryption_source_root ||= File.expand_path("../templates", __FILE__)
+      end
+
+      def app_name
+        Rails::Application.subclasses.first.parent.to_s.underscore
+      end
+
+      def create_config_file
+        template 'symmetric-encryption.yml', File.join('config', "symmetric-encryption.yml")
+      end
+
+    end
+  end
+end

data/lib/rails/generators/symmetric_encryption/heroku_config/templates/symmetric-encryption.yml

@@ -0,0 +1,75 @@
+#
+# Symmetric Encryption for Ruby
+#
+---
+# For the development and test environments the test symmetric encryption keys
+# can be placed directly in the source code.
+# And therefore no RSA private key is required
+development:   &development_defaults
+  key:         1234567890ABCDEF1234567890ABCDEF
+  iv:          1234567890ABCDEF
+  cipher_name: aes-128-cbc
+  encoding:    :base64strict
+
+test:
+  <<: *development_defaults
+
+<%
+cipher_name   = 'aes-256-cbc'
+rsa_key       = OpenSSL::PKey::RSA.generate(2048)
+key_pair      = SymmetricEncryption::Cipher.random_key_pair(cipher_name)
+iv            = ::Base64.strict_encode64(key_pair[:iv])
+encrypted_key = ::Base64.strict_encode64(rsa_key.public_encrypt(key_pair[:key]))
+
+puts "\n\n********************************************************************************"
+puts "Add the release environment key to Heroku: (Optional)\n\n"
+puts "  heroku config:add RELEASE_KEY1:#{encrypted_key}\n\n"
+-%>
+release:
+  # Since the key to encrypt and decrypt with must NOT be stored along with the
+  # source code, we only hold a RSA key that is used to unlock the file
+  # containing the actual symmetric encryption key
+  private_rsa_key: |
+<%= rsa_key.to_s.each_line.collect { |line| "    #{line}" }.join('') %>
+
+  # List Symmetric Key files in the order of current / latest first
+  ciphers:
+    -
+      # Filename containing Symmetric Encryption Key encrypted using the
+      # RSA public key derived from the private key above
+      encrypted_key: "<%= '<' + "%= ENV['RELEASE_KEY1'] %" + '>' %>"
+      iv:            "<%=  iv %>"
+      cipher_name:   <%=  cipher_name %>
+      # Base64 encode encrypted data without newlines
+      encoding:      :base64strict
+      version:       1
+
+<%
+cipher_name   = 'aes-256-cbc'
+rsa_key       = OpenSSL::PKey::RSA.generate(2048)
+key_pair      = SymmetricEncryption::Cipher.random_key_pair(cipher_name)
+iv            = ::Base64.strict_encode64(key_pair[:iv])
+encrypted_key = ::Base64.strict_encode64(rsa_key.public_encrypt(key_pair[:key]))
+
+puts "Add the production key to Heroku:\n\n"
+puts "  heroku config:add PRODUCTION_KEY1:#{encrypted_key}\n\n"
+puts "********************************************************************************\n\n\n"
+-%>
+production:
+  # Since the key to encrypt and decrypt with must NOT be stored along with the
+  # source code, we only hold a RSA key that is used to unlock the file
+  # containing the actual symmetric encryption key
+  private_rsa_key: |
+<%= rsa_key.to_s.each_line.collect { |line| "    #{line}" }.join('') %>
+
+  # List Symmetric Key files in the order of current / latest first
+  ciphers:
+    -
+      # Filename containing Symmetric Encryption Key encrypted using the
+      # RSA public key derived from the private key above
+      encrypted_key: "<%= '<' + "%= ENV['PRODUCTION_KEY1'] %" + '>' %>"
+      iv:            "<%=  iv %>"
+      cipher_name:   <%=  cipher_name %>
+      # Base64 encode encrypted data without newlines
+      encoding:      :base64strict
+      version:       1

data/lib/symmetric_encryption/extensions/active_record/base.rb

@@ -81,8 +81,9 @@ module ActiveRecord #:nodoc:
             # Set the un-encrypted attribute
             # Also updates the encrypted field with the encrypted value
             def #{attribute}=(value)
-              self.encrypted_#{attribute} = @stored_encrypted_#{attribute} = ::SymmetricEncryption.encrypt(value,#{random_iv},#{compress},:#{type})
-              @#{attribute} = value.freeze
+              v = SymmetricEncryption::coerce(value, :#{type})
+              self.encrypted_#{attribute} = @stored_encrypted_#{attribute} = ::SymmetricEncryption.encrypt(v,#{random_iv},#{compress},:#{type})
+              @#{attribute} = v.freeze
             end
           UNENCRYPTED
 

data/lib/symmetric_encryption/mongoid.rb

@@ -95,7 +95,9 @@ Mongoid::Fields.option :encrypted do |model, field, options|
     decrypted_field_name = options.delete(:decrypt_as)
     if decrypted_field_name.nil? && encrypted_field_name.to_s.start_with?('encrypted_')
       decrypted_field_name = encrypted_field_name.to_s['encrypted_'.length..-1]
-    else
+    end
+
+    if decrypted_field_name.nil?
       raise "SymmetricEncryption for Mongoid. Encryption enabled for field #{encrypted_field_name}. It must either start with 'encrypted_' or the option :decrypt_as must be supplied"
     end
 
@@ -119,8 +121,9 @@ Mongoid::Fields.option :encrypted do |model, field, options|
       # Also updates the encrypted field with the encrypted value
       # Freeze the decrypted field value so that it is not modified directly
       def #{decrypted_field_name}=(value)
-        self.#{encrypted_field_name} = @stored_#{encrypted_field_name} = ::SymmetricEncryption.encrypt(value,#{random_iv},#{compress},:#{type})
-        @#{decrypted_field_name} = value.freeze
+        v = SymmetricEncryption::coerce(value, :#{type})
+        self.#{encrypted_field_name} = @stored_#{encrypted_field_name} = ::SymmetricEncryption.encrypt(v,#{random_iv},#{compress},:#{type})
+        @#{decrypted_field_name} = v.freeze
       end
 
       # Returns the decrypted value for the encrypted field

data/lib/symmetric_encryption/symmetric_encryption.rb

@@ -387,12 +387,14 @@ module SymmetricEncryption
   #
   #     :encrypted_key
   #       Symmetric key encrypted using the public key from the private_rsa_key
+  #       and then Base64 encoded
   #
   #     :iv
   #       Optional: The actual iv to use for encryption/decryption purposes
   #
   #     :encrypted_iv
   #       Initialization vector encrypted using the public key from the private_rsa_key
+  #       and then Base64 encoded
   #
   #     :iv_filename
   #       Optional: Name of file containing symmetric key initialization vector
@@ -455,6 +457,23 @@ module SymmetricEncryption
     Cipher.new(config)
   end
 
+  # Coerce given value into given type
+  # Does not coerce json or yaml values
+  def self.coerce(value, type, from_type=nil)
+    return if value.nil?
+
+    from_type ||= value.class
+    case type
+    when :json
+      value
+    when :yaml
+      value
+    else
+      coercer = Coercible::Coercer.new
+      coercer[from_type].send("to_#{type}".to_sym, value)
+    end
+  end
+
   # Uses coercible gem to coerce values from strings into the target type
   # Note: if the type is :string, then the value is returned as is, and the
   #   coercible gem is not used at all.
@@ -468,9 +487,7 @@ module SymmetricEncryption
     when :yaml
       YAML.load(value)
     else
-      coercer = Coercible::Coercer.new
-      coercion_method = "to_#{type}".to_sym
-      coercer[String].send(coercion_method, value)
+      self.coerce(value, type, String)
     end
   end
 
@@ -488,8 +505,7 @@ module SymmetricEncryption
     when :yaml
       value.to_yaml
     else
-      coercer = Coercible::Coercer.new
-      coercer[coercion_type(type, value)].to_string(value)
+      self.coerce(value, :string, coercion_type(type, value))
     end
   end
 

data/lib/symmetric_encryption/version.rb

@@ -1,3 +1,3 @@
 module SymmetricEncryption #:nodoc
-  VERSION = "3.3"
+  VERSION = "3.4.0"
 end

data/test/attr_encrypted_test.rb

@@ -231,6 +231,8 @@ class AttrEncryptedTest < Test::Unit::TestCase
       assert_equal true, @user.valid?
     end
 
+
+
     context "with saved user" do
       setup do
         @user.save!
@@ -240,6 +242,12 @@ class AttrEncryptedTest < Test::Unit::TestCase
         @user.destroy
       end
 
+      should "return correct data type before save" do
+        u = User.new(:integer_value => "5")
+        assert_equal 5, u.integer_value
+        assert u.integer_value.kind_of?(Integer)
+      end
+
       should "handle gsub! for non-encrypted_field" do
         @user.name.gsub!('a', 'v')
         new_name = @name.gsub('a', 'v')
@@ -290,6 +298,12 @@ class AttrEncryptedTest < Test::Unit::TestCase
             assert @user.clone.integer_value.kind_of?(Integer)
           end
 
+          should "coerce data type before save" do
+            u = User.new(:integer_value => "5")
+            assert_equal 5, u.integer_value
+            assert u.integer_value.kind_of?(Integer)
+          end
+
           should "permit replacing value with nil" do
             @user_clone.integer_value = nil
             @user_clone.save!
@@ -315,6 +329,12 @@ class AttrEncryptedTest < Test::Unit::TestCase
             assert @user.clone.float_value.kind_of?(Float)
           end
 
+          should "coerce data type before save" do
+            u = User.new(:float_value => "5.6")
+            assert_equal 5.6, u.float_value
+            assert u.float_value.kind_of?(Float)
+          end
+
           should "permit replacing value with nil" do
             @user_clone.float_value = nil
             @user_clone.save!
@@ -340,6 +360,12 @@ class AttrEncryptedTest < Test::Unit::TestCase
             assert @user.clone.decimal_value.kind_of?(BigDecimal)
           end
 
+          should "coerce data type before save" do
+            u = User.new(:decimal_value => "99.95")
+            assert_equal BigDecimal.new("99.95"), u.decimal_value
+            assert u.decimal_value.kind_of?(BigDecimal)
+          end
+
           should "permit replacing value with nil" do
             @user_clone.decimal_value = nil
             @user_clone.save!
@@ -365,6 +391,13 @@ class AttrEncryptedTest < Test::Unit::TestCase
             assert @user.clone.datetime_value.kind_of?(DateTime)
           end
 
+          should "coerce data type before save" do
+            now = Time.now
+            u = User.new(:datetime_value => now)
+            assert_equal now, u.datetime_value
+            assert u.datetime_value.kind_of?(DateTime)
+          end
+
           should "permit replacing value with nil" do
             @user_clone.datetime_value = nil
             @user_clone.save!
@@ -390,6 +423,13 @@ class AttrEncryptedTest < Test::Unit::TestCase
             assert @user.clone.time_value.kind_of?(Time)
           end
 
+          should "coerce data type before save" do
+            now = Time.now
+            u = User.new(:time_value => now)
+            assert_equal now, u.time_value
+            assert u.time_value.kind_of?(Time)
+          end
+
           should "permit replacing value with nil" do
             @user_clone.time_value = nil
             @user_clone.save!
@@ -415,6 +455,13 @@ class AttrEncryptedTest < Test::Unit::TestCase
             assert @user.clone.date_value.kind_of?(Date)
           end
 
+          should "coerce data type before save" do
+            now = Time.now
+            u = User.new(:date_value => now)
+            assert_equal now.to_date, u.date_value
+            assert u.date_value.kind_of?(Date)
+          end
+
           should "permit replacing value with nil" do
             @user_clone.date_value = nil
             @user_clone.save!
@@ -440,6 +487,12 @@ class AttrEncryptedTest < Test::Unit::TestCase
             assert @user.clone.true_value.kind_of?(TrueClass)
           end
 
+          should "coerce data type before save" do
+            u = User.new(:true_value => "1")
+            assert_equal true, u.true_value
+            assert u.true_value.kind_of?(TrueClass)
+          end
+
           should "permit replacing value with nil" do
             @user_clone.true_value = nil
             @user_clone.save!
@@ -465,6 +518,12 @@ class AttrEncryptedTest < Test::Unit::TestCase
             assert @user.clone.false_value.kind_of?(FalseClass)
           end
 
+          should "coerce data type before save" do
+            u = User.new(:false_value => "0")
+            assert_equal false, u.false_value
+            assert u.false_value.kind_of?(FalseClass)
+          end
+
           should "permit replacing value with nil" do
             @user_clone.false_value = nil
             @user_clone.save!
@@ -499,6 +558,12 @@ class AttrEncryptedTest < Test::Unit::TestCase
             assert @user.clone.data_json.kind_of?(Hash)
           end
 
+          should "not coerce data type (leaves as hash) before save" do
+            u = User.new(:data_json => @h)
+            assert_equal @h, u.data_json
+            assert u.data_json.kind_of?(Hash)
+          end
+
           should "permit replacing value with nil" do
             @user_clone.data_json = nil
             @user_clone.save!
@@ -525,6 +590,12 @@ class AttrEncryptedTest < Test::Unit::TestCase
             assert @user.clone.data_yaml.kind_of?(Hash)
           end
 
+          should "not coerce data type (leaves as hash) before save" do
+            u = User.new(:data_yaml => @h)
+            assert_equal @h, u.data_yaml
+            assert u.data_yaml.kind_of?(Hash)
+          end
+
           should "permit replacing value with nil" do
             @user_clone.data_yaml = nil
             @user_clone.save!

data/test/field_encrypted_test.rb

@@ -14,6 +14,7 @@ class MongoidUser
   field :encrypted_long_string,            :type => String,  :encrypted => {:random_iv => true, :compress => true}
 
   field :encrypted_integer_value,  :type => String, :encrypted => {:type => :integer}
+  field :aiv,                      :type => String, :encrypted => {:type => :integer, decrypt_as: :aliased_integer_value}
   field :encrypted_float_value,    :type => String, :encrypted => {:type => :float}
   field :encrypted_decimal_value,  :type => String, :encrypted => {:type => :decimal}
   field :encrypted_datetime_value, :type => String, :encrypted => {:type => :datetime}
@@ -70,6 +71,7 @@ class FieldEncryptedTest < Test::Unit::TestCase
         :name                             => "Joe Bloggs",
         # data type specific fields
         :integer_value          => @integer_value,
+        :aliased_integer_value  => @integer_value,
         :float_value            => @float_value,
         :decimal_value          => @decimal_value,
         :datetime_value         => @datetime_value,
@@ -110,6 +112,11 @@ class FieldEncryptedTest < Test::Unit::TestCase
       assert_equal true, @user.respond_to?(:name=)
     end
 
+    should "support aliased fields" do
+      assert_equal true, @user.respond_to?(:aliased_integer_value=)
+      assert_equal true, @user.respond_to?(:aliased_integer_value)
+    end
+
     should "have unencrypted values" do
       assert_equal @bank_account_number, @user.bank_account_number
       assert_equal @social_security_number, @user.social_security_number
@@ -194,12 +201,25 @@ class FieldEncryptedTest < Test::Unit::TestCase
         @user_clone = MongoidUser.find(@user.id)
       end
 
+      context "aliased fields" do
+        should "return correct data type" do
+          @user_clone.aliased_integer_value = "5"
+          assert_equal 5, @user_clone.aliased_integer_value
+        end
+      end
+
       context "integer values" do
         should "return correct data type" do
           assert_equal @integer_value, @user_clone.integer_value
           assert @user.clone.integer_value.kind_of?(Integer)
         end
 
+        should "coerce data type before save" do
+          u = MongoidUser.new(:integer_value => "5")
+          assert_equal 5, u.integer_value
+          assert u.integer_value.kind_of?(Integer)
+        end
+
         should "permit replacing value with nil" do
           @user_clone.integer_value = nil
           @user_clone.save!
@@ -225,6 +245,12 @@ class FieldEncryptedTest < Test::Unit::TestCase
           assert @user.clone.float_value.kind_of?(Float)
         end
 
+        should "coerce data type before save" do
+          u = MongoidUser.new(:float_value => "5.6")
+          assert_equal 5.6, u.float_value
+          assert u.float_value.kind_of?(Float)
+        end
+
         should "permit replacing value with nil" do
           @user_clone.float_value = nil
           @user_clone.save!
@@ -250,6 +276,12 @@ class FieldEncryptedTest < Test::Unit::TestCase
           assert @user.clone.decimal_value.kind_of?(BigDecimal)
         end
 
+        should "coerce data type before save" do
+          u = MongoidUser.new(:decimal_value => "99.95")
+          assert_equal BigDecimal.new("99.95"), u.decimal_value
+          assert u.decimal_value.kind_of?(BigDecimal)
+        end
+
         should "permit replacing value with nil" do
           @user_clone.decimal_value = nil
           @user_clone.save!
@@ -275,6 +307,13 @@ class FieldEncryptedTest < Test::Unit::TestCase
           assert @user.clone.datetime_value.kind_of?(DateTime)
         end
 
+        should "coerce data type before save" do
+          now = Time.now
+          u = MongoidUser.new(:datetime_value => now)
+          assert_equal now, u.datetime_value
+          assert u.datetime_value.kind_of?(DateTime)
+        end
+
         should "permit replacing value with nil" do
           @user_clone.datetime_value = nil
           @user_clone.save!
@@ -300,6 +339,13 @@ class FieldEncryptedTest < Test::Unit::TestCase
           assert @user.clone.time_value.kind_of?(Time)
         end
 
+        should "coerce data type before save" do
+          now = Time.now
+          u = MongoidUser.new(:time_value => now)
+          assert_equal now, u.time_value
+          assert u.time_value.kind_of?(Time)
+        end
+
         should "permit replacing value with nil" do
           @user_clone.time_value = nil
           @user_clone.save!
@@ -325,6 +371,13 @@ class FieldEncryptedTest < Test::Unit::TestCase
           assert @user.clone.date_value.kind_of?(Date)
         end
 
+        should "coerce data type before save" do
+          now = Time.now
+          u = MongoidUser.new(:date_value => now)
+          assert_equal now.to_date, u.date_value
+          assert u.date_value.kind_of?(Date)
+        end
+
         should "permit replacing value with nil" do
           @user_clone.date_value = nil
           @user_clone.save!
@@ -350,6 +403,12 @@ class FieldEncryptedTest < Test::Unit::TestCase
           assert @user.clone.true_value.kind_of?(TrueClass)
         end
 
+        should "coerce data type before save" do
+          u = MongoidUser.new(:true_value => "1")
+          assert_equal true, u.true_value
+          assert u.true_value.kind_of?(TrueClass)
+        end
+
         should "permit replacing value with nil" do
           @user_clone.true_value = nil
           @user_clone.save!
@@ -375,6 +434,12 @@ class FieldEncryptedTest < Test::Unit::TestCase
           assert @user.clone.false_value.kind_of?(FalseClass)
         end
 
+        should "coerce data type before save" do
+          u = MongoidUser.new(:false_value => "0")
+          assert_equal false, u.false_value
+          assert u.false_value.kind_of?(FalseClass)
+        end
+
         should "permit replacing value with nil" do
           @user_clone.false_value = nil
           @user_clone.save!
@@ -409,6 +474,12 @@ class FieldEncryptedTest < Test::Unit::TestCase
           assert @user.clone.data_json.kind_of?(Hash)
         end
 
+        should "not coerce data type (leaves as hash) before save" do
+          u = MongoidUser.new(:data_json => @h)
+          assert_equal @h, u.data_json
+          assert u.data_json.kind_of?(Hash)
+        end
+
         should "permit replacing value with nil" do
           @user_clone.data_json = nil
           @user_clone.save!
@@ -435,6 +506,12 @@ class FieldEncryptedTest < Test::Unit::TestCase
           assert @user.clone.data_yaml.kind_of?(Hash)
         end
 
+        should "not coerce data type (leaves as hash) before save" do
+          u = MongoidUser.new(:data_yaml => @h)
+          assert_equal @h, u.data_yaml
+          assert u.data_yaml.kind_of?(Hash)
+        end
+
         should "permit replacing value with nil" do
           @user_clone.data_yaml = nil
           @user_clone.save!
@@ -454,6 +531,7 @@ class FieldEncryptedTest < Test::Unit::TestCase
           assert_equal new_value, @user.data_yaml
         end
       end
+
     end
 
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: symmetric-encryption
 version: !ruby/object:Gem::Version
-  version: '3.3'
+  version: 3.4.0
 platform: ruby
 authors:
 - Reid Morrison
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-01-11 00:00:00.000000000 Z
+date: 2014-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: coercible
@@ -39,6 +39,8 @@ files:
 - examples/symmetric-encryption.yml
 - lib/rails/generators/symmetric_encryption/config/config_generator.rb
 - lib/rails/generators/symmetric_encryption/config/templates/symmetric-encryption.yml
+- lib/rails/generators/symmetric_encryption/heroku_config/heroku_config_generator.rb
+- lib/rails/generators/symmetric_encryption/heroku_config/templates/symmetric-encryption.yml
 - lib/rails/generators/symmetric_encryption/new_keys/new_keys_generator.rb
 - lib/symmetric-encryption.rb
 - lib/symmetric_encryption.rb