RubyGems - tanker-identity - Versions diffs - 2.16.0 → 3.0.0 - Mend

tanker-identity 2.16.0 → 3.0.0

Files changed (6) hide show

checksums.yaml +4 -4
data/README.md +3 -3
data/lib/tanker/crypto.rb +15 -0
data/lib/tanker/identity.rb +58 -40
data/lib/tanker/identity/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eaf24a9b2ca81ada5f0aff245b7ea9f0ca23a2d1a88ed8c3a0d218a6dc5e6117
-  data.tar.gz: 44760ddbaeb52ad9f0abea1e59b59a40798a4eccd357a7f86d0320a66c288266
+  metadata.gz: 538f757e41dcface55b1025098af3e75bb52303547e5665ae8ad118f80d447eb
+  data.tar.gz: ab2746f68ae1ecc15e8c0900ec382b49a01508270dfc5e7217503221c19cb168
 SHA512:
-  metadata.gz: b89085b6da9ca29614a65461cdfa266170742b24bb1039304719a6afc60691b6b7b84dd9258924e4940852c59012fbce9d03e2d964b570c78dbfe81a105bde89
-  data.tar.gz: 0f7e2d82bbca7cae450f0b041dd860ba1bbae351f3ac15b55f4e0d6e6ef014ae4f193ddbcf0f454ca58b44c347d5777d66bb84176863df3419edd9a671a03bd3
+  metadata.gz: 9b1cbeae3ffc99ab33c8f65602a1d40c72d31108a273e98e403652f95e5596cce27f778c33154372f77e764fbc879008c497969ab52f3cde19ece5139e97c57a
+  data.tar.gz: 76881380c77649b73eb2d9f3d68f28e21ecc6055da620155c20ad67e9181de55380be53b5f44b9eb60c22a6d4469cd123fa5faf53e92803f1639618544f2f010

data/README.md CHANGED Viewed

@@ -10,7 +10,7 @@ Identity generation in Ruby for the [Tanker SDK](https://docs.tanker.io/latest/)
 This gem requires Ruby v2.5 or greater (transitive requirement from [rbnacl](https://github.com/crypto-rb/rbnacl)).
-If still on an older version of Ruby, use `tanker-identity` with the [`603b35f8` commit ref](https://github.com/TankerHQ/identity-ruby/tree/603b35f8e1ca889c4862e8f9c1e54632a38b32b6).
+Older Ruby versions are not supported.
 ## Installation
@@ -21,7 +21,7 @@ Before going further, please follow [instructions to install libsodium](https://
 Then, add this line to your application's Gemfile:
 ```ruby
-gem 'tanker-identity', git: 'https://github.com/TankerHQ/identity-ruby' #, ref: '<commit>'
+gem 'tanker-identity', 'X.Y.Z'
 ```
 Finally, execute:
@@ -48,7 +48,7 @@ The unique ID of a user in your application.
 <br><br>
 ```ruby
-Tanker::Identity.create_provisional_identity(app_id, email)
+Tanker::Identity.create_provisional_identity(app_id, 'email', email)
 ```
 Create a Tanker provisional identity. It allows you to share a resource with a user who does not have an account in your application yet.

data/lib/tanker/crypto.rb CHANGED Viewed

@@ -7,12 +7,27 @@ module Tanker
     class InvalidSignature < StandardError; end
     HASH_MIN_SIZE = RbNaCl::Hash::Blake2b::BYTES_MIN # 16
+    BLOCK_HASH_SIZE = 32
     def self.generichash(input, size)
       binary_input = input.dup.force_encoding(Encoding::ASCII_8BIT)
       RbNaCl::Hash.blake2b(binary_input, digest_size: size)
     end
+    def self.hash_user_id(app_id, user_id)
+      binary_user_id = user_id.dup.force_encoding(Encoding::ASCII_8BIT)
+      Crypto.generichash(binary_user_id + app_id, BLOCK_HASH_SIZE)
+    end
+    def self.hashed_provisional_email(email)
+      Base64.strict_encode64(Crypto.generichash(email, BLOCK_HASH_SIZE))
+    end
+    def self.hashed_provisional_value(value, private_signature_key)
+      secret_salt = Crypto.generichash(Base64.strict_decode64(private_signature_key), BLOCK_HASH_SIZE)
+      Base64.strict_encode64(Crypto.generichash(secret_salt + value, BLOCK_HASH_SIZE))
+    end
     # We need this static method since a RbNaCl::SigningKey instance can't be
     # directly initialized with a given private_signature_key
     def self.sign_detached(message, private_signature_key)

data/lib/tanker/identity.rb CHANGED Viewed

@@ -9,16 +9,10 @@ module Tanker
     APP_SECRET_SIZE = 64
     APP_PUBLIC_KEY_SIZE = 32
     AUTHOR_SIZE = 32
-    BLOCK_HASH_SIZE = 32
     USER_SECRET_SIZE = 32
     private
-    def self.hash_user_id(app_id, user_id)
-      binary_user_id = user_id.dup.force_encoding(Encoding::ASCII_8BIT)
-      Crypto.generichash(binary_user_id + app_id, BLOCK_HASH_SIZE)
-    end
     def self.user_secret(hashed_user_id)
       random_bytes = Crypto.random_bytes(USER_SECRET_SIZE - 1)
       check = Crypto.generichash(random_bytes + hashed_user_id, Crypto::HASH_MIN_SIZE)
@@ -27,9 +21,7 @@ module Tanker
     def self.assert_string_values(hash)
       hash.each_pair do |key, value|
-        unless value.is_a?(String)
-          raise TypeError.new("expected #{key} to be a String but was a #{value.class}")
-        end
+        raise TypeError, "expected #{key} to be a String but was a #{value.class}" unless value.is_a?(String)
       end
     end
@@ -37,7 +29,7 @@ module Tanker
       block_nature = APP_CREATION_NATURE.chr(Encoding::ASCII_8BIT)
       none_author = 0.chr(Encoding::ASCII_8BIT) * AUTHOR_SIZE
       app_public_key = app_secret[-APP_PUBLIC_KEY_SIZE..-1]
-      Crypto.generichash(block_nature + none_author + app_public_key, BLOCK_HASH_SIZE)
+      Crypto.generichash(block_nature + none_author + app_public_key, Crypto::BLOCK_HASH_SIZE)
     end
     public
@@ -52,55 +44,61 @@ module Tanker
     def self.create_identity(b64_app_id, b64_app_secret, user_id)
       assert_string_values({
-        app_id: b64_app_id,
-        app_secret: b64_app_secret,
-        user_id: user_id
-      })
+                             app_id: b64_app_id,
+                             app_secret: b64_app_secret,
+                             user_id: user_id
+                           })
       app_id = Base64.strict_decode64(b64_app_id)
       app_secret = Base64.strict_decode64(b64_app_secret)
-      raise ArgumentError.new("Invalid app_id") if app_id.bytesize != BLOCK_HASH_SIZE
-      raise ArgumentError.new("Invalid app_secret") if app_secret.bytesize != APP_SECRET_SIZE
-      raise ArgumentError.new("Invalid (app_id, app_secret) combination") if app_id != generate_app_id(app_secret)
+      raise ArgumentError, "Invalid app_id" if app_id.bytesize != Crypto::BLOCK_HASH_SIZE
+      raise ArgumentError, "Invalid app_secret" if app_secret.bytesize != APP_SECRET_SIZE
+      raise ArgumentError, "Invalid (app_id, app_secret) combination" if app_id != generate_app_id(app_secret)
-      hashed_user_id = hash_user_id(app_id, user_id)
+      hashed_user_id = Crypto.hash_user_id(app_id, user_id)
       signature_keypair = Crypto.generate_signature_keypair
       message = signature_keypair[:public_key] + hashed_user_id
       signature = Crypto.sign_detached(message, app_secret)
       serialize({
-        trustchain_id: Base64.strict_encode64(app_id),
-        target: 'user',
-        value: Base64.strict_encode64(hashed_user_id),
-        delegation_signature: Base64.strict_encode64(signature),
-        ephemeral_public_signature_key: Base64.strict_encode64(signature_keypair[:public_key]),
-        ephemeral_private_signature_key: Base64.strict_encode64(signature_keypair[:private_key]),
-        user_secret: Base64.strict_encode64(user_secret(hashed_user_id))
-      })
+                  trustchain_id: Base64.strict_encode64(app_id),
+                  target: 'user',
+                  value: Base64.strict_encode64(hashed_user_id),
+                  delegation_signature: Base64.strict_encode64(signature),
+                  ephemeral_public_signature_key: Base64.strict_encode64(signature_keypair[:public_key]),
+                  ephemeral_private_signature_key: Base64.strict_encode64(signature_keypair[:private_key]),
+                  user_secret: Base64.strict_encode64(user_secret(hashed_user_id))
+                })
     end
-    def self.create_provisional_identity(b64_app_id, email)
+    def self.create_provisional_identity(b64_app_id, target, value)
       assert_string_values({
-        app_id: b64_app_id,
-        email: email
-      })
+                             app_id: b64_app_id,
+                             target: target,
+                             value: value
+                           })
+      valid_targets = %w[email phone_number]
+      unless valid_targets.include? target
+        raise ArgumentError, "expected #{target} to be one of #{valid_targets.join(', ')}"
+      end
       app_id = Base64.strict_decode64(b64_app_id)
-      raise ArgumentError.new("Invalid app_id") if app_id.bytesize != BLOCK_HASH_SIZE
+      raise ArgumentError, "Invalid app_id" if app_id.bytesize != Crypto::BLOCK_HASH_SIZE
       encryption_keypair = Crypto.generate_encryption_keypair
       signature_keypair = Crypto.generate_signature_keypair
       serialize({
-        trustchain_id: b64_app_id,
-        target: 'email',
-        value: email,
-        public_encryption_key: Base64.strict_encode64(encryption_keypair[:public_key]),
-        private_encryption_key: Base64.strict_encode64(encryption_keypair[:private_key]),
-        public_signature_key: Base64.strict_encode64(signature_keypair[:public_key]),
-        private_signature_key: Base64.strict_encode64(signature_keypair[:private_key])
-      })
+                  trustchain_id: b64_app_id,
+                  target: target,
+                  value: value,
+                  public_encryption_key: Base64.strict_encode64(encryption_keypair[:public_key]),
+                  private_encryption_key: Base64.strict_encode64(encryption_keypair[:private_key]),
+                  public_signature_key: Base64.strict_encode64(signature_keypair[:public_key]),
+                  private_signature_key: Base64.strict_encode64(signature_keypair[:private_key])
+                })
     end
     def self.get_public_identity(serialized_identity)
@@ -117,9 +115,29 @@ module Tanker
       public_identity = {}
       public_keys.each { |key| public_identity[key] = identity.fetch(key) }
+      if identity['target'] == 'email'
+        public_identity['target'] = 'hashed_email'
+        public_identity['value'] = Crypto.hashed_provisional_email(public_identity['value'])
+      elsif identity['target'] != 'user'
+        public_identity['target'] = 'hashed_' + public_identity['target']
+        public_identity['value'] = Crypto.hashed_provisional_value(public_identity['value'],
+                                                                   identity['private_signature_key'])
+      end
       serialize(public_identity)
     rescue KeyError # failed fetch
-      raise ArgumentError.new('Not a valid Tanker identity')
+      raise ArgumentError, 'Not a valid Tanker identity'
+    end
+    def self.upgrade_identity(serialized_identity)
+      assert_string_values({ identity: serialized_identity })
+      identity = deserialize(serialized_identity)
+      if identity['target'] == 'email' && !identity.key?('private_encryption_key')
+        identity['target'] = 'hashed_email'
+        identity['value'] = Crypto.hashed_provisional_email(identity['value'])
+      end
+      serialize(identity)
     end
   end
 end

data/lib/tanker/identity/version.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 module Tanker
   module Identity
-    VERSION = '2.16.0'
+    VERSION = '3.0.0'
   end
   def self.const_missing(name)

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tanker-identity
 version: !ruby/object:Gem::Version
-  version: 2.16.0
+  version: 3.0.0
 platform: ruby
 authors:
 - Tanker Team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-06-21 00:00:00.000000000 Z
+date: 2021-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rbnacl