tanker-core 2.4.0.alpha.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 57f44d6be8d76f8ff69da88a526b3c8c072f4e808e47a285a87ed55f2e875b59
+  data.tar.gz: e516030ca9398dc735fd7761a35cad49c48d9b21a9e17e552868d723eb822baf
+SHA512:
+  metadata.gz: 1750b63a90e38b18cc85640e04e6eb6393c7cf199b29cb05f6d4d90c7df2d5ac07c0b061be2361079d49f1aab0f9bdf8e450936f1a0c883134d7c8274a2a9e30
+  data.tar.gz: a030e6c1572f5c9afa10132e19bbb43f9f80ab7f040a19ab6e10ceaa1256b760ee4fd7c434bfe48b932b0ddda1294979e4725215befe68068bff9eada75a90a0

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright 2020 Kontrol SAS
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.rst

@@ -0,0 +1,30 @@
+.. image:: https://img.shields.io/badge/License-Apache%202.0-blue.svg
+  :target: https://opensource.org/licenses/Apache-2.0
+
+Tanker Ruby SDK
+=================
+
+Overview
+--------
+
+The `Tanker SDK <https://tanker.io>`_ provides an easy-to-use SDK allowing you to protect your users'
+data.
+
+This repository only contains Ruby bindings. The core library can be found in the `TankerHQ/sdk-native GitHub project <https://github.com/TankerHQ/sdk-native>`_.
+
+Contributing
+------------
+
+We are actively working to allow external developers to build and test this project
+from source. That being said, we welcome feedback of any kind. Feel free to
+open issues on the GitHub bug tracker.
+
+Running the tests: `bundle exec rake spec`
+
+Checking vulnerabilities in the dependencies: `bundle exec bundle-audit check --update`
+
+Documentation
+-------------
+
+See the `API documentation <https://tankerhq.github.io/sdk-ruby>`_.
+

data/lib/tanker-core.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require_relative 'tanker/core'

data/lib/tanker/admin.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'ffi'
+require_relative 'admin/c_admin'
+require_relative 'admin/c_admin/c_app_descriptor'
+require_relative 'admin/app'
+
+module Tanker
+  class Admin
+    def initialize(admin_url, id_token, api_url)
+      @admin_url = admin_url
+      @id_token = id_token
+      @api_url = api_url
+    end
+
+    # Authenticate to the Tanker admin server API
+    # This must be called before doing any other operation
+    def connect
+      @cadmin = CAdmin.tanker_admin_connect(@admin_url, @id_token).get
+      cadmin_addr = @cadmin.address
+      ObjectSpace.define_finalizer(@cadmin) do |_|
+        CAdmin.tanker_admin_destroy(FFI::Pointer.new(:void, cadmin_addr)).get
+      end
+    end
+
+    def create_app(name)
+      assert_connected
+      descriptor_ptr = CAdmin.tanker_admin_create_app(@cadmin, name).get
+      descriptor = CAdmin::CAppDescriptor.new(descriptor_ptr)
+      App.new(@api_url, descriptor[:id], descriptor[:auth_token], descriptor[:private_key])
+    end
+
+    def delete_app(app_id)
+      assert_connected
+      CAdmin.tanker_admin_delete_app(@cadmin, app_id).get
+    end
+
+    def app_update(app_id, oidc_client_id, oidc_client_provider)
+      assert_connected
+      CAdmin.tanker_admin_app_update(@cadmin, app_id, oidc_client_id, oidc_client_provider).get
+    end
+
+    private
+
+    def assert_connected
+      raise 'You need to connect() before using the admin API!' if @cadmin.nil?
+    end
+  end
+
+  private_constant :Admin
+end

data/lib/tanker/admin/app.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Tanker
+  class Admin
+    # Information from the Admin SDK concerning a Tanker application
+    class App
+      attr_reader :url, :id, :auth_token, :private_key
+
+      def initialize(url, id, auth_token, private_key)
+        @url = url
+        @id = id
+        @auth_token = auth_token
+        @private_key = private_key
+      end
+
+      def get_verification_code(email)
+        CAdmin.tanker_get_verification_code(@url, @id, @auth_token, email).get_string
+      end
+    end
+  end
+end

data/lib/tanker/admin/c_admin.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'ffi'
+require 'tanker/c_tanker/c_future'
+
+module Tanker
+  class Admin
+    module CAdmin
+      extend FFI::Library
+
+      ffi_lib "#{__dir__}/../../../vendor/libctanker/linux64/tanker/lib/libtanker_admin-c.so"
+
+      typedef :pointer, :admin_pointer
+
+      # Note: We use those CFutures with the tanker_future_* functions exposed by CTanker,
+      # this is safe because we only do simple synchronous blocking calls, without using tanker_future_then.
+
+      attach_function :tanker_admin_connect, [:string, :string], CTanker::CFuture
+      attach_function :tanker_admin_create_app, [:admin_pointer, :string], CTanker::CFuture
+      attach_function :tanker_admin_delete_app, [:admin_pointer, :string], CTanker::CFuture
+      attach_function :tanker_admin_destroy, [:admin_pointer], CTanker::CFuture
+      attach_function :tanker_admin_app_descriptor_free, [:pointer], :void
+      attach_function :tanker_admin_app_update, [:admin_pointer, :string, :string, :string], CTanker::CFuture
+      attach_function :tanker_get_verification_code, [:string, :string, :string, :string], CTanker::CFuture
+    end
+
+    private_constant :CAdmin
+  end
+end

data/lib/tanker/admin/c_admin/c_app_descriptor.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'ffi'
+
+module Tanker
+  class Admin
+    class CAdmin::CAppDescriptor < FFI::ManagedStruct
+      layout :name, :string,
+             :id, :string,
+             :auth_token, :string,
+             :private_key, :string,
+             :public_key, :string
+
+      def get_verification_code(email)
+        CTanker.tanker_get_verification_code(email).get
+      end
+
+      def self.release(ptr)
+        CAdmin.tanker_admin_app_descriptor_free ptr
+      end
+    end
+  end
+end

data/lib/tanker/c_tanker.rb

@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+
+require 'ffi'
+require_relative 'core/options'
+require_relative 'sharing_options'
+require_relative 'c_tanker/c_future'
+require_relative 'c_tanker/c_verification'
+require_relative 'c_tanker/c_verification_method'
+require_relative 'c_tanker/c_log_record'
+require_relative 'c_tanker/c_event'
+require_relative 'c_tanker/c_device_info'
+
+module FFI::Library
+  # Marking a function blocking releases the global Ruby lock.
+  # This is required for every function that could invoke a callback (including log handler) in another thread
+  def blocking_attach_function(func, args, returns = nil)
+    attach_function func, args, returns, blocking: true
+  end
+end
+
+module Tanker
+  module CTanker
+    extend FFI::Library
+
+    ffi_lib "#{__dir__}/../../vendor/libctanker/linux64/tanker/lib/libctanker.so"
+
+    typedef :pointer, :session_pointer
+    typedef :pointer, :enc_sess_pointer
+    typedef :pointer, :stream_pointer
+    typedef :pointer, :read_operation_pointer
+
+    callback :log_handler_callback, [CLogRecord.by_ref], :void
+    callback :event_callback, [:pointer], :void
+    callback :stream_input_source_callback, [:pointer, :int64, :read_operation_pointer, :pointer], :void
+
+    blocking_attach_function :tanker_init, [], :void
+    blocking_attach_function :tanker_version_string, [], :string
+    blocking_attach_function :tanker_create, [Tanker::Core::Options], CFuture
+    blocking_attach_function :tanker_destroy, [:session_pointer], CFuture
+    blocking_attach_function :tanker_start, [:session_pointer, :string], CFuture
+    blocking_attach_function :tanker_register_identity, [:session_pointer, CVerification], CFuture
+    blocking_attach_function :tanker_verify_identity, [:session_pointer, CVerification], CFuture
+    blocking_attach_function :tanker_get_verification_methods, [:session_pointer], CFuture
+    blocking_attach_function :tanker_set_verification_method, [:session_pointer, CVerification], CFuture
+    blocking_attach_function :tanker_stop, [:session_pointer], CFuture
+    blocking_attach_function :tanker_status, [:session_pointer], :uint32
+    blocking_attach_function :tanker_generate_verification_key, [:session_pointer], CFuture
+    blocking_attach_function :tanker_device_id, [:session_pointer], CFuture
+    blocking_attach_function :tanker_revoke_device, [:session_pointer, :string], CFuture
+    blocking_attach_function :tanker_get_device_list, [:session_pointer], CFuture
+
+    blocking_attach_function :tanker_attach_provisional_identity, [:session_pointer, :string], CFuture
+    blocking_attach_function :tanker_verify_provisional_identity, [:session_pointer, CVerification], CFuture
+
+    blocking_attach_function :tanker_encrypted_size, [:uint64], :uint64
+    blocking_attach_function :tanker_decrypted_size, [:pointer, :uint64], CFuture
+    blocking_attach_function :tanker_get_resource_id, [:pointer, :uint64], CFuture
+
+    blocking_attach_function :tanker_encrypt, [:session_pointer, :pointer, :pointer, :uint64,
+                                               Tanker::EncryptionOptions], CFuture
+    blocking_attach_function :tanker_decrypt, [:session_pointer, :pointer, :pointer, :uint64], CFuture
+    blocking_attach_function :tanker_share, [:session_pointer, :pointer, :uint64, :pointer, :uint64,
+                                             :pointer, :uint64], CFuture
+
+    blocking_attach_function :tanker_future_wait, [CFuture], :void
+    blocking_attach_function :tanker_future_has_error, [CFuture], :bool
+    blocking_attach_function :tanker_future_get_error, [CFuture], CTankerError.by_ref
+    blocking_attach_function :tanker_future_get_voidptr, [CFuture], :pointer
+    blocking_attach_function :tanker_future_destroy, [CFuture], :void
+
+    blocking_attach_function :tanker_create_group, [:session_pointer, :pointer, :uint64], CFuture
+    blocking_attach_function :tanker_update_group_members, [:session_pointer, :string,
+                                                            :pointer, :uint64], CFuture
+
+    blocking_attach_function :tanker_encryption_session_open, [:session_pointer, :pointer, :uint64,
+                                                               :pointer, :uint64], CFuture
+    blocking_attach_function :tanker_encryption_session_close, [:enc_sess_pointer], CFuture
+    blocking_attach_function :tanker_encryption_session_encrypted_size, [:uint64], :uint64
+    blocking_attach_function :tanker_encryption_session_get_resource_id, [:enc_sess_pointer], CFuture
+    blocking_attach_function :tanker_encryption_session_encrypt, [:enc_sess_pointer, :pointer,
+                                                                  :pointer, :uint64], CFuture
+    blocking_attach_function :tanker_encryption_session_stream_encrypt, [:enc_sess_pointer,
+                                                                         :stream_input_source_callback, :pointer],
+                             CFuture
+
+    blocking_attach_function :tanker_stream_encrypt, [:session_pointer, :stream_input_source_callback,
+                                                      :pointer, Tanker::EncryptionOptions], CFuture
+    blocking_attach_function :tanker_stream_decrypt, [:session_pointer, :stream_input_source_callback,
+                                                      :pointer], CFuture
+    blocking_attach_function :tanker_stream_read_operation_finish, [:read_operation_pointer, :int64], :void
+    blocking_attach_function :tanker_stream_read, [:stream_pointer, :pointer, :int64], CFuture
+
+    blocking_attach_function :tanker_stream_get_resource_id, [:stream_pointer], CFuture
+    blocking_attach_function :tanker_stream_close, [:stream_pointer], CFuture
+
+    blocking_attach_function :tanker_set_log_handler, [:log_handler_callback], :void
+    blocking_attach_function :tanker_event_connect, [:session_pointer, :uint32, :event_callback, :pointer], CFuture
+
+    blocking_attach_function :tanker_prehash_password, [:string], CFuture
+
+    blocking_attach_function :tanker_free_buffer, [:pointer], :void
+    blocking_attach_function :tanker_free_verification_method_list, [:pointer], :void
+    blocking_attach_function :tanker_free_device_list, [:pointer], :void
+  end
+
+  private_constant :CTanker
+end

data/lib/tanker/c_tanker/c_device_info.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'ffi'
+
+module Tanker
+  module CTanker
+    class CDeviceInfo < FFI::Struct
+      layout :device_id, :string,
+             :is_revoked, :bool
+
+      attr_reader :device_id
+
+      def initialize(pointer)
+        super pointer
+        @device_id = self[:device_id]
+        @is_revoked = self[:is_revoked]
+      end
+
+      def revoked?
+        @is_revoked
+      end
+    end
+  end
+end

data/lib/tanker/c_tanker/c_event.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require 'ffi'
+
+module Tanker::CTanker
+  # Tanker events for which handlers can be attached
+  module CTankerEvent
+    SESSION_CLOSED = 0
+    DEVICE_REVOKED = 1
+  end
+end

data/lib/tanker/c_tanker/c_future.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'ffi'
+require 'tanker/error'
+require_relative 'c_tanker_error'
+
+module Tanker
+  module CTanker
+    extend FFI::Library
+
+    ffi_lib "#{__dir__}/../../../vendor/libctanker/linux64/tanker/lib/libctanker.so"
+
+    class CFuture < FFI::AutoPointer
+      def initialize(ptr, proc = nil, &block)
+        super
+        @cfuture = ptr
+      end
+
+      def self.release(ptr)
+        CTanker.tanker_future_destroy ptr
+      end
+
+      def get
+        CTanker.tanker_future_wait @cfuture
+        if CTanker.tanker_future_has_error @cfuture
+          cerr = CTanker.tanker_future_get_error @cfuture
+          raise Error, cerr
+        else
+          CTanker.tanker_future_get_voidptr @cfuture
+        end
+      end
+
+      def get_string # rubocop:disable Naming/AccessorMethodName (this is not a getter)
+        str_ptr = get
+        str = str_ptr.get_string(0).force_encoding(Encoding::UTF_8)
+        CTanker.tanker_free_buffer str_ptr
+        str
+      end
+    end
+  end
+end

data/lib/tanker/c_tanker/c_log_record.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'ffi'
+
+# Log record of the log handler callback
+class CLogRecord < FFI::Struct
+  layout :category, :string,
+         :level, :uint32,
+         :file, :string,
+         :line, :uint32,
+         :message, :string
+end

data/lib/tanker/c_tanker/c_string.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'ffi'
+
+module Tanker::CTanker
+  # Fun fact: Strings in structs with the FFI lib are read-only,
+  # you can't just assign a string literal to a cstring.
+  # They'd rather not handle allocations transparently (lifetimes are tricky),
+  # so we have to take care of allocations and lifetimes ourselves.
+  def self.new_cstring(str_or_nil, manual = false)
+    return nil if str_or_nil.nil?
+
+    cstr = FFI::MemoryPointer.from_string(str_or_nil)
+    cstr.autorelease = !manual
+    cstr
+  end
+
+  def self.new_cstring_array(strings)
+    cstrings = FFI::MemoryPointer.new(:pointer, strings.length)
+    cstrings.write_array_of_pointer(strings.map { |id| new_cstring id })
+    cstrings
+  end
+
+  def self.free_manual_cstring(cstr_or_nil)
+    cstr_or_nil&.free
+  end
+end

data/lib/tanker/c_tanker/c_tanker_error.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require 'ffi'
+
+module Tanker::CTanker
+  # Errors returned by native tanker futures
+  class CTankerError < FFI::Struct
+    layout :error_code, :int,
+           :error_message, :string
+  end
+end

data/lib/tanker/c_tanker/c_verification.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'ffi'
+require 'tanker/core/verification'
+require 'tanker/c_tanker/c_string'
+
+module Tanker
+  module CTanker
+    class CEmailVerification < FFI::Struct
+      layout :version, :uint8,
+             :email, :pointer,
+             :verification_code, :pointer
+
+      def initialize(email, verification_code)
+        # Note: Instance variables are required to keep the CStrings alive
+        @email = CTanker.new_cstring email
+        @verification_code = CTanker.new_cstring verification_code
+
+        self[:version] = 1
+        self[:email] = @email
+        self[:verification_code] = @verification_code
+      end
+    end
+
+    class CVerification < FFI::Struct
+      layout :version, :uint8,
+             :type, :uint8,
+             :verification_key, :pointer,
+             :email_verification, CEmailVerification,
+             :passphrase, :pointer,
+             :oidc_id_token, :pointer
+
+      TYPE_EMAIL = 1
+      TYPE_PASSPHRASE = 2
+      TYPE_VERIFICATION_KEY = 3
+      TYPE_OIDC_ID_TOKEN = 4
+
+      def initialize(verification)
+        unless verification.is_a? Tanker::Verification
+          raise TypeError, 'Verification argument is not a Tanker::Verification'
+        end
+
+        # Note: Instance variables are required to keep the CStrings alive
+        case verification
+        when Tanker::EmailVerification
+          self[:type] = TYPE_EMAIL
+          self[:email_verification] = CEmailVerification.new verification.email, verification.verification_code
+        when Tanker::PassphraseVerification
+          @passphrase = CTanker.new_cstring verification.passphrase
+          self[:type] = TYPE_PASSPHRASE
+          self[:passphrase] = @passphrase
+        when Tanker::VerificationKeyVerification
+          @verification_key = CTanker.new_cstring verification.verification_key
+          self[:type] = TYPE_VERIFICATION_KEY
+          self[:verification_key] = @verification_key
+        when Tanker::OIDCIDTokenVerification
+          @oidc_id_token = CTanker.new_cstring verification.oidc_id_token
+          self[:type] = TYPE_OIDC_ID_TOKEN
+          self[:oidc_id_token] = @oidc_id_token
+        else
+          raise ArgumentError, 'Unknown Tanker::Verification type!'
+        end
+
+        self[:version] = 3
+      end
+    end
+  end
+end