symmetric-encryption 4.0.0 → 4.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 1e1b5ae57f5d8cdffd7543b690a8dc1c56e3d3d2
-  data.tar.gz: 8243a0f27600f82f27b098199292938b36c64f34
+SHA256:
+  metadata.gz: a8b4f45cc7b6dca91b1eb5d8eb5df044485d0a484f93472ce38fee62559453e8
+  data.tar.gz: 973376b8363032b2a71aaf840a3012cf7485d7f6b16f2ea1ebf20f622eaf56f0
 SHA512:
-  metadata.gz: 51199eae1a22f24db637e403b774ac501c9e5f10635cabde7fb65e42517dace89c6badbe7de2649c6fc9ea8fec4f0f7f9544892b288000c31aa3a73ef0908b12
-  data.tar.gz: 8a912faebf87253678af05880029114dfe433edff0168207d200d9aefbffff9c3c1807d290904c1d1e22c9417ca0200849b77122bec26efc011dd82837753800
+  metadata.gz: ae3695e636ea98bcbfe489187e26244dee6116257afdf4383a234359c201974024d3180d1ea1851edbc1798343ce1ab862fea20691a01f8eb7993b58a7206921
+  data.tar.gz: cbe308f3287c77c32996551b8f4ace32fd803e123e32f906ed21d65bf6d3823b19ce5459623a445a4ffd4bb1b33a0377558ad6604e98d61ae17b206d4cef1892

data/Rakefile

@@ -9,7 +9,7 @@ task :gem do
   system 'gem build symmetric-encryption.gemspec'
 end
 
-task :publish => :gem do
+task publish: :gem do
   system "git tag -a v#{SymmetricEncryption::VERSION} -m 'Tagging #{SymmetricEncryption::VERSION}'"
   system 'git push --tags'
   system "gem push symmetric-encryption-#{SymmetricEncryption::VERSION}.gem"
@@ -23,7 +23,7 @@ Rake::TestTask.new(:test) do |t|
 end
 
 # By default run tests against all appraisals
-if !ENV["APPRAISAL_INITIALIZED"] && !ENV["TRAVIS"]
+if !ENV['APPRAISAL_INITIALIZED'] && !ENV['TRAVIS']
   require 'appraisal'
   task default: :appraisal
 else

data/bin/symmetric-encryption

@@ -2,4 +2,4 @@
 
 require 'symmetric_encryption'
 
-SymmetricEncryption::CLI.run!(ARGV)
+SymmetricEncryption::CLI.run!(ARGV)

data/lib/symmetric-encryption.rb

@@ -1 +1 @@
-require 'symmetric_encryption'
+require 'symmetric_encryption'

data/lib/symmetric_encryption.rb

@@ -8,7 +8,7 @@ require 'symmetric_encryption/cipher'
 require 'symmetric_encryption/symmetric_encryption'
 require 'symmetric_encryption/exception'
 
-#@formatter:off
+# @formatter:off
 module SymmetricEncryption
   autoload :Coerce,                 'symmetric_encryption/coerce'
   autoload :Config,                 'symmetric_encryption/config'
@@ -26,7 +26,7 @@ module SymmetricEncryption
     autoload :ReEncryptFiles,       'symmetric_encryption/utils/re_encrypt_files'
   end
 end
-#@formatter:on
+# @formatter:on
 
 # Add support for other libraries only if they have already been loaded
 require 'symmetric_encryption/railtie' if defined?(Rails)

data/lib/symmetric_encryption/cipher.rb

@@ -13,10 +13,10 @@ module SymmetricEncryption
 
     # Returns [Cipher] from a cipher config instance.
     def self.from_config(cipher_name: 'aes-256-cbc',
-      version: 0,
-      always_add_header: true,
-      encoding: :base64strict,
-      **config)
+                         version: 0,
+                         always_add_header: true,
+                         encoding: :base64strict,
+                         **config)
 
       Key.migrate_config!(config)
       key = Key.from_config(cipher_name: cipher_name, **config)
@@ -84,7 +84,7 @@ module SymmetricEncryption
       @version           = version.to_i
       @always_add_header = always_add_header
 
-      raise(ArgumentError, "Cipher version has a valid range of 0 to 255. #{@version} is too high, or negative") if (@version > 255) || (@version < 0)
+      raise(ArgumentError, "Cipher version has a valid range of 0 to 255. #{@version} is too high, or negative") if (@version > 255) || @version.negative?
     end
 
     # Change the encoding
@@ -136,7 +136,7 @@ module SymmetricEncryption
       str = str.to_s
       return str if str.empty?
       encrypted = binary_encrypt(str, random_iv: random_iv, compress: compress, header: header)
-      self.encode(encrypted)
+      encode(encrypted)
     end
 
     # Decode and Decrypt string
@@ -157,16 +157,14 @@ module SymmetricEncryption
     # is thread-safe and can be called concurrently by multiple threads with
     # the same instance of Cipher
     def decrypt(str)
-      decoded = self.decode(str)
+      decoded = decode(str)
       return unless decoded
 
       return decoded if decoded.empty?
       decrypted = binary_decrypt(decoded)
 
       # Try to force result to UTF-8 encoding, but if it is not valid, force it back to Binary
-      unless decrypted.force_encoding(SymmetricEncryption::UTF8_ENCODING).valid_encoding?
-        decrypted.force_encoding(SymmetricEncryption::BINARY_ENCODING)
-      end
+      decrypted.force_encoding(SymmetricEncryption::BINARY_ENCODING) unless decrypted.force_encoding(SymmetricEncryption::UTF8_ENCODING).valid_encoding?
 
       decrypted
     end
@@ -249,7 +247,7 @@ module SymmetricEncryption
       return string if string.empty?
 
       # Header required when adding a random_iv or compressing
-      header = Header.new(version: version, compress: compress) if (header == true) || random_iv || compress
+      header = Header.new(version: version, compress: compress) if header || random_iv || compress
 
       # Creates a new OpenSSL::Cipher with every call so that this call is thread-safe.
       openssl_cipher = ::OpenSSL::Cipher.new(cipher_name)
@@ -260,8 +258,8 @@ module SymmetricEncryption
         if header
           if random_iv
             openssl_cipher.iv = header.iv = openssl_cipher.random_iv
-          elsif self.iv
-            openssl_cipher.iv = self.iv
+          elsif iv
+            openssl_cipher.iv = iv
           end
           header.to_s + openssl_cipher.update(compress ? Zlib::Deflate.deflate(string) : string)
         else
@@ -307,12 +305,12 @@ module SymmetricEncryption
       return str if str.empty?
 
       offset = header.parse(str)
-      data   = offset > 0 ? str[offset..-1] : str
+      data   = offset.positive? ? str[offset..-1] : str
 
       openssl_cipher = ::OpenSSL::Cipher.new(header.cipher_name || cipher_name)
       openssl_cipher.decrypt
       openssl_cipher.key = header.key || @key
-      if iv = (header.iv || @iv)
+      if (iv = header.iv || @iv)
         openssl_cipher.iv = iv
       end
       result = openssl_cipher.update(data)
@@ -322,12 +320,12 @@ module SymmetricEncryption
 
     # Returns the magic header after applying the encoding in this cipher
     def encoded_magic_header
-      @encoded_magic_header ||= encoder.encode(SymmetricEncryption::Header::MAGIC_HEADER).gsub('=', '').strip
+      @encoded_magic_header ||= encoder.encode(SymmetricEncryption::Header::MAGIC_HEADER).delete('=').strip
     end
 
     # Returns [String] object represented as a string, filtering out the key
     def inspect
-      "#<#{self.class}:0x#{self.__id__.to_s(16)} @key=\"[FILTERED]\" @iv=#{iv.inspect} @cipher_name=#{cipher_name.inspect}, @version=#{version.inspect}, @encoding=#{encoding.inspect}, @always_add_header=#{always_add_header.inspect}>"
+      "#<#{self.class}:0x#{__id__.to_s(16)} @key=\"[FILTERED]\" @iv=#{iv.inspect} @cipher_name=#{cipher_name.inspect}, @version=#{version.inspect}, @encoding=#{encoding.inspect}, @always_add_header=#{always_add_header.inspect}>"
     end
 
     # DEPRECATED
@@ -350,6 +348,5 @@ module SymmetricEncryption
     private
 
     attr_reader :key
-
   end
 end

data/lib/symmetric_encryption/cli.rb

@@ -8,7 +8,7 @@ module SymmetricEncryption
                 :environments, :cipher_name, :rolling_deploy, :rotate_keys, :rotate_kek, :prompt, :show_version,
                 :cleanup_keys, :activate_key, :migrate
 
-    KEYSTORES = [:heroku, :environment, :file]
+    KEYSTORES = %i[heroku environment file].freeze
 
     def self.run!(argv)
       new(argv).run!
@@ -16,7 +16,7 @@ module SymmetricEncryption
 
     def initialize(argv)
       @version          = current_version
-      @environment      = ENV['RACK_ENV'] || ENV['RAILS_ENV'] || 'development'
+      @environment      = ENV['SYMMETRIC_ENCRYPTION_ENV'] || ENV['RACK_ENV'] || ENV['RAILS_ENV'] || 'development'
       @config_file_path = File.expand_path(ENV['SYMMETRIC_ENCRYPTION_CONFIG'] || 'config/symmetric-encryption.yml')
       @app_name         = 'symmetric-encryption'
       @key_path         = '/etc/symmetric-encryption'
@@ -28,7 +28,7 @@ module SymmetricEncryption
 
       if argv.empty?
         puts parser
-        exit -10
+        exit(-10)
       end
       parser.parse!(argv)
     end
@@ -71,17 +71,17 @@ module SymmetricEncryption
 
     def parser
       @parser ||= OptionParser.new do |opts|
-        opts.banner = <<BANNER
-Symmetric Encryption v#{VERSION}
+        opts.banner = <<~BANNER
+          Symmetric Encryption v#{VERSION}
 
-  For more information, see: https://rocketjob.github.io/symmetric-encryption/
+            For more information, see: https://rocketjob.github.io/symmetric-encryption/
 
-  Note: 
-    It is recommended to backup the current configuration file, or place it in version control before running
-    the configuration manipulation commands below.
+            Note:
+              It is recommended to backup the current configuration file, or place it in version control before running
+              the configuration manipulation commands below.
 
-symmetric-encryption [options]
-BANNER
+          symmetric-encryption [options]
+        BANNER
 
         opts.on '-e', '--encrypt [FILE_NAME]', 'Encrypt a file, or read from stdin if no file name is supplied.' do |file_name|
           @encrypt = file_name || STDIN
@@ -103,7 +103,7 @@ BANNER
           @compress = true
         end
 
-        opts.on '-E', '--env ENVIRONMENT', "Environment to use in the config file. Default: RACK_ENV || RAILS_ENV || 'development'" do |environment|
+        opts.on '-E', '--env ENVIRONMENT', "Environment to use in the config file. Default: SYMMETRIC_ENCRYPTION_ENV || RACK_ENV || RAILS_ENV || 'development'" do |environment|
           @environment = environment
         end
 
@@ -116,7 +116,7 @@ BANNER
         end
 
         opts.on '-r', '--re-encrypt [PATTERN]', 'ReEncrypt all files matching the pattern. Default:  "**/*.{yml,rb}"' do |pattern|
-          @re_encrypt = pattern || "**/*.{yml,rb}"
+          @re_encrypt = pattern || '**/*.{yml,rb}'
         end
 
         opts.on '-n', '--new-password [SIZE]', 'Generate a new random password using only characters that are URL-safe base64. Default size is 22.' do |size|
@@ -139,11 +139,11 @@ BANNER
           @app_name = name
         end
 
-        opts.on '-S', '--environments ENVIRONMENTS', "Comma separated list of environments for which to generate the config file. Default: development,test,release,production" do |environments|
+        opts.on '-S', '--environments ENVIRONMENTS', 'Comma separated list of environments for which to generate the config file. Default: development,test,release,production' do |environments|
           @environments = environments.split(',').collect(&:strip).collect(&:to_sym)
         end
 
-        opts.on '-C', '--cipher-name NAME', "Name of the cipher to use when generating a new config file, or when rotating keys. Default: aes-256-cbc" do |name|
+        opts.on '-C', '--cipher-name NAME', 'Name of the cipher to use when generating a new config file, or when rotating keys. Default: aes-256-cbc' do |name|
           @cipher_name = name
         end
 
@@ -167,7 +167,7 @@ BANNER
           @cleanup_keys = true
         end
 
-        opts.on '-V', '--key-version NUMBER', "Encryption key version to use when encrypting or re-encrypting. Default: (Current global version)." do |number|
+        opts.on '-V', '--key-version NUMBER', 'Encryption key version to use when encrypting or re-encrypting. Default: (Current global version).' do |number|
           @version = number.to_i
         end
 
@@ -185,7 +185,6 @@ BANNER
           puts opts
           exit
         end
-
       end
     end
 
@@ -199,8 +198,8 @@ BANNER
 
     def generate_new_config
       config_file_does_not_exist!
-      self.environments ||= %i(development test release production)
-      cfg          =
+      self.environments ||= %i[development test release production]
+      cfg               =
         if keystore == :file
           SymmetricEncryption::Keystore::File.new_config(
             key_path:     key_path,
@@ -208,7 +207,7 @@ BANNER
             environments: environments,
             cipher_name:  cipher_name
           )
-        elsif [:heroku, :environment].include?(keystore)
+        elsif %i[heroku environment].include?(keystore)
           SymmetricEncryption::Keystore::Environment.new_config(
             app_name:     app_name,
             environments: environments,
@@ -216,7 +215,7 @@ BANNER
           )
         else
           puts "Invalid keystore option: #{keystore}, must be one of #{KEYSTORES.join(', ')}"
-          exit -3
+          exit(-3)
         end
       Config.write_file(config_file_path, cfg)
       puts "New configuration file created at: #{config_file_path}"
@@ -246,11 +245,10 @@ BANNER
       config = Config.read_file(config_file_path)
       config.each_pair do |env, cfg|
         next if environments && !environments.include?(env.to_sym)
-        if ciphers = cfg[:ciphers]
-          highest = ciphers.max_by { |i| i[:version] }
-          ciphers.clear
-          ciphers << highest
-        end
+        next unless ciphers = cfg[:ciphers]
+        highest = ciphers.max_by { |i| i[:version] }
+        ciphers.clear
+        ciphers << highest
       end
 
       Config.write_file(config_file_path, config)
@@ -261,11 +259,10 @@ BANNER
       config = Config.read_file(config_file_path)
       config.each_pair do |env, cfg|
         next if environments && !environments.include?(env.to_sym)
-        if ciphers = cfg[:ciphers]
-          highest = ciphers.max_by { |i| i[:version] }
-          ciphers.delete(highest)
-          ciphers.unshift(highest)
-        end
+        next unless ciphers = cfg[:ciphers]
+        highest = ciphers.max_by { |i| i[:version] }
+        ciphers.delete(highest)
+        ciphers.unshift(highest)
       end
 
       Config.write_file(config_file_path, config)
@@ -309,9 +306,7 @@ BANNER
         value1 = HighLine.new.ask('Enter the value to encrypt:') { |q| q.echo = '*' }
         value2 = HighLine.new.ask('Re-enter the value to encrypt:') { |q| q.echo = '*' }
 
-        if value1 != value2
-          puts('Values do not match, please try again')
-        end
+        puts('Values do not match, please try again') if value1 != value2
       end
 
       encrypted = SymmetricEncryption.cipher(version).encrypt(value1, compress: compress)
@@ -336,8 +331,7 @@ BANNER
     def config_file_does_not_exist!
       return unless File.exist?(config_file_path)
       puts "\nConfiguration file already exists, please move or rename: #{config_file_path}\n\n"
-      exit -1
+      exit(-1)
     end
-
   end
 end

data/lib/symmetric_encryption/coerce.rb

@@ -9,7 +9,7 @@ module SymmetricEncryption
       datetime: DateTime,
       time:     Time,
       date:     Date
-    }
+    }.freeze
 
     # Coerce given value into given type
     # Does not coerce json or yaml values
@@ -42,7 +42,7 @@ module SymmetricEncryption
       when :yaml
         YAML.load(value)
       else
-        self.coerce(value, type, String)
+        coerce(value, type, String)
       end
     end
 
@@ -60,7 +60,7 @@ module SymmetricEncryption
       when :yaml
         value.to_yaml
       else
-        self.coerce(value, :string, coercion_type(type, value))
+        coerce(value, :string, coercion_type(type, value))
       end
     end
 
@@ -72,6 +72,5 @@ module SymmetricEncryption
         TYPE_MAP[symbol]
       end
     end
-
   end
 end

data/lib/symmetric_encryption/config.rb

@@ -29,7 +29,7 @@ module SymmetricEncryption
     def self.read_file(file_name)
       config = YAML.load(ERB.new(File.new(file_name).read).result)
       config = deep_symbolize_keys(config)
-      config.each_pair { |env, cfg| SymmetricEncryption::Config.send(:migrate_old_formats!, cfg) }
+      config.each_pair { |_env, cfg| SymmetricEncryption::Config.send(:migrate_old_formats!, cfg) }
       config
     end
 
@@ -50,14 +50,12 @@ module SymmetricEncryption
     #
     # See: `.load!` for parameters.
     def initialize(file_name: nil, env: nil)
-      unless env
-        env = defined?(Rails) ? Rails.env : ENV['RACK_ENV'] || ENV['RAILS_ENV'] || 'development'
-      end
+      env ||= defined?(Rails) ? Rails.env : ENV['RACK_ENV'] || ENV['RAILS_ENV'] || 'development'
 
       unless file_name
         root      = defined?(Rails) ? Rails.root : '.'
         file_name =
-          if env_var = ENV['SYMMETRIC_ENCRYPTION_CONFIG']
+          if (env_var = ENV['SYMMETRIC_ENCRYPTION_CONFIG'])
             File.expand_path(env_var)
           else
             File.join(root, 'config', 'symmetric-encryption.yml')
@@ -73,11 +71,12 @@ module SymmetricEncryption
     def config
       @config ||= begin
         raise(ConfigError, "Cannot find config file: #{file_name}") unless File.exist?(file_name)
-        unless env_config = YAML.load(ERB.new(File.new(file_name).read).result)[env]
-          raise(ConfigError, "Cannot find environment: #{env} in config file: #{file_name}")
-        end
-        env_config = self.class.deep_symbolize_keys(env_config)
-        self.class.migrate_old_formats!(env_config)
+
+        env_config = YAML.load(ERB.new(File.new(file_name).read).result)[env]
+        raise(ConfigError, "Cannot find environment: #{env} in config file: #{file_name}") unless env_config
+
+        env_config = self.class.send(:deep_symbolize_keys, env_config)
+        self.class.send(:migrate_old_formats!, env_config)
       end
     end
 
@@ -86,49 +85,49 @@ module SymmetricEncryption
       @ciphers ||= config[:ciphers].collect { |cipher_config| Cipher.from_config(cipher_config) }
     end
 
-    private
-
     # Iterate through the Hash symbolizing all keys.
-    def self.deep_symbolize_keys(x)
-      case x
+    def self.deep_symbolize_keys(object)
+      case object
       when Hash
         result = {}
-        x.each_pair do |key, value|
+        object.each_pair do |key, value|
           key         = key.to_sym if key.is_a?(String)
           result[key] = deep_symbolize_keys(value)
         end
         result
       when Array
-        x.collect { |i| deep_symbolize_keys(i) }
+        object.collect { |i| deep_symbolize_keys(i) }
       else
-        x
+        object
       end
     end
+    private_class_method :deep_symbolize_keys
 
     # Iterate through the Hash symbolizing all keys.
-    def self.deep_stringify_keys(x)
-      case x
+    def self.deep_stringify_keys(object)
+      case object
       when Hash
         result = {}
-        x.each_pair do |key, value|
+        object.each_pair do |key, value|
           key         = key.to_s if key.is_a?(Symbol)
           result[key] = deep_stringify_keys(value)
         end
         result
       when Array
-        x.collect { |i| deep_stringify_keys(i) }
+        object.collect { |i| deep_stringify_keys(i) }
       else
-        x
+        object
       end
     end
+    private_class_method :deep_stringify_keys
 
     # Migrate old configuration format for this environment
     def self.migrate_old_formats!(config)
       # Inline single cipher before :ciphers
-      unless config.has_key?(:ciphers)
-        cipher = {}
-        config.keys.each { |key| cipher[key] = config.delete(key) }
-        config[:ciphers] = [cipher]
+      unless config.key?(:ciphers)
+        inline_cipher = {}
+        config.keys.each { |key| inline_cipher[key] = config.delete(key) }
+        config[:ciphers] = [inline_cipher]
       end
 
       # Copy Old :private_rsa_key into each ciphers config
@@ -140,26 +139,23 @@ module SymmetricEncryption
 
       # Old :cipher_name
       config[:ciphers].each do |cipher|
-        if old_key_name_cipher = cipher.delete(:cipher)
+        if (old_key_name_cipher = cipher.delete(:cipher))
           cipher[:cipher_name] = old_key_name_cipher
         end
 
         # Only temporarily used during v4 Beta process
-        if cipher[:key_encrypting_key].is_a?(String)
-          cipher[:private_rsa_key] = cipher.delete(:key_encrypting_key)
-        end
+        cipher[:private_rsa_key] = cipher.delete(:key_encrypting_key) if cipher[:key_encrypting_key].is_a?(String)
 
         # Check for a prior env var in encrypted key
         # Example:
         #   encrypted_key: <%= ENV['VAR'] %>
-        if cipher.has_key?(:encrypted_key) && cipher[:encrypted_key].nil?
+        if cipher.key?(:encrypted_key) && cipher[:encrypted_key].nil?
           cipher[:key_env_var] = :placeholder
-          puts "WARNING: :encrypted_key resolved to nil. Please see the migrated config file for the new option :key_env_var."
+          puts 'WARNING: :encrypted_key resolved to nil. Please see the migrated config file for the new option :key_env_var.'
         end
-
       end
       config
     end
-
+    private_class_method :migrate_old_formats!
   end
 end