ubiq-security 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 20d4dacbe17d8162ab7d308069b82e2b54b89cf7a7253763919742ef350597e3
+  data.tar.gz: 370015b19528bc6a81678e3b0f7f270b0524b6309f23dc6087d04256edad1e27
+SHA512:
+  metadata.gz: 7ed8203d50dbe828d649af7decc40f300f1b2b5d74e912db9119e84444c840dc45a8fcc1c8e0b3fa49a8d7a6ebf73fbb9ce935e7244c1669d9d072af61674c52
+  data.tar.gz: ddd4e2690d2d47a737fda60d53524d9b57eec456410f14f5e4a56cb61e447e632f6c7a70bc0cc2dfc5126b95191df739dd6484089e07e6126f2d848989b28841

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at support@ubiqsecurity.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [https://contributor-covenant.org/version/1/4][version]
+
+[homepage]: https://contributor-covenant.org
+[version]: https://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,10 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in ubiq.gemspec
+gemspec
+
+  gem "rake", "~> 12.0"
+  gem "rspec", "~> 3.0"
+  gem "rb-readline"
+  gem "httparty"
+

data/LICENSE.txt

@@ -0,0 +1,17 @@
+
+ Copyright 2020 Ubiq Security, Inc., Proprietary and All Rights Reserved.
+
+ NOTICE:  All information contained herein is, and remains the property
+ of Ubiq Security, Inc. The intellectual and technical concepts contained
+ herein are proprietary to Ubiq Security, Inc. and its suppliers and may be
+ covered by U.S. and Foreign Patents, patents in process, and are
+ protected by trade secret or copyright law. Dissemination of this
+ information or reproduction of this material is strictly forbidden
+ unless prior written permission is obtained from Ubiq Security, Inc.
+
+ Your use of the software is expressly conditioned upon the terms
+ and conditions available at:
+
+     https://ubiqsecurity.com/legal
+
+

data/README.md

@@ -0,0 +1,188 @@
+# Ubiq Security Ruby Library
+
+The Ubiq Security Ruby library provides convenient interaction with the
+Ubiq Security Platform API from applications written in the Ruby language.
+It includes a pre-defined set of classes that will provide simple interfaces
+to encrypt and decrypt data
+
+## Documentation
+
+See the [Ruby API docs](https://ubiqsecurity.com/docs/api?lang=ruby).
+
+
+
+## Installation
+
+
+To install using [Bundler][bundler] add the following to your project's Gemfile
+
+```ruby
+gem ubiq-security
+```
+
+To manually install `ubiq-security` via [Rubygems][rubygems] simply use gem to install it:
+
+```sh
+gem install ubiq-security
+```
+
+To build and install directly from a clone of the gitlab repository source:
+
+```sh
+git clone https://gitlab.com/ubiqsecurity/ubiq-ruby.git
+cd ubiq-ruby
+rake install:local
+```
+
+
+## Usage
+
+The library needs to be configured with your account credentials which is
+available in your [Ubiq Dashboard][dashboard] [Credentials][credentials].   The credentials can be 
+explicitly set, set using environment variables, loaded from an explicit file
+or read from the default location [~/.ubiq/credentials]
+
+```ruby
+require 'ubiq-security'
+include Ubiq
+```
+
+### Read credentials from a specific file and use a specific profile 
+```ruby
+credentials = ConfigCredentials.new( "some-credential-file", "some-profile").get_attributes
+```
+
+
+### Read credentials from ~/.ubiq/credentials and use the default profile
+```ruby
+credentials = ConfigCredentials.new().get_attributes
+```
+
+
+### Use the following environment variables to set the credential values
+UBIQ_ACCESS_KEY_ID  
+UBIQ_SECRET_SIGNING_KEY  
+UBIQ_SECRET_CRYPTO_ACCESS_KEY  
+```ruby
+credentials = Credentials()
+```
+
+
+### Explicitly set the credentials
+```ruby
+credentials = Credentials(access_key_id = "...", secret_signing_key = "...", secret_crypto_access_key = "...")
+```
+
+
+
+
+### Encrypt a simple block of data
+
+Pass credentials and data into the encryption function.  The encrypted data
+will be returned.
+
+
+```ruby
+require "ubiq-security"
+include Ubiq
+
+encrypted_data = encrypt(credentials, plaintext_data)
+```
+
+
+### Decrypt a simple block of data
+
+Pass credentials and encrypted data into the decryption function.  The plaintext data
+will be returned.
+
+```ruby
+require "ubiq-security"
+include Ubiq
+
+plaintext_data = decrypt(credentials, encrypted_data)
+```
+
+
+### Encrypt a large data element where data is loaded in chunks
+
+- Create an encryption object using the credentials.
+- Call the encryption instance begin method
+- Call the encryption instance update method repeatedly until all the data is processed
+- Call the encryption instance end method
+- Call the encryption instance close method
+
+
+```ruby
+require "ubiq-security"
+include Ubiq
+
+# Process 1 MiB of plaintext data at a time
+BLOCK_SIZE = 1024 * 1024
+
+# Rest of the program
+....
+   encryption = Encryption.new(credentials, 1)
+
+   # Write out the header information
+   encrypted_data = encryption.begin()
+    
+   # Loop until the end of the input file is reached
+    until infile.eof?
+      chunk = infile.read BLOCK_SIZE
+      encrypted_data += encryption.update(chunk))
+    end
+    # Make sure any additional encrypted data is retrieved from encryption instance
+    encrypted_data += encryption.end()
+   
+    # Make sure to release any resources used during the encryption process
+    encryption.close()
+```
+
+### Decrypt a large data element where data is loaded in chunks
+
+- Create an instance of the decryption object using the credentials.
+- Call the decryption instance begin method
+- Call the decryption instance update method repeatedly until all the data is processed
+- Call the decryption instance end method
+- Call the decryption instance close method
+
+
+```ruby
+require "ubiq-security"
+include Ubiq
+
+# Process 1 MiB of encrypted data at a time
+BLOCK_SIZE = 1024 * 1024
+
+# Rest of the program
+....
+
+    decryption = Decryption(credentials)
+
+    # Start the decryption and get any header information
+    plaintext_data = decryption.begin())
+
+    # Loop until the end of the input file is reached
+    until infile.eof?
+      chunk = infile.read BLOCK_SIZE
+      plaintext_data += decryption.update(chunk)
+    end
+    
+    # Make sure an additional plaintext data is retrieved from decryption instance
+    plaintext_data += decryption.end()
+    
+    # Make sure to release any resources used during the decryption process
+    decryption.close()
+```
+
+
+
+
+[bundler]: https://bundler.io
+[rubygems]: https://rubygems.org
+[gem]: https://rubygems.org/gems/uniq-security
+[dashboard]:https://dev.ubiqsecurity.com/docs/dashboard
+[credentials]:https://dev.ubiqsecurity.com/docs/how-to-create-api-keys
+
+
+

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/lib/ubiq-security.rb

@@ -0,0 +1,22 @@
+# Copyright 2020 Ubiq Security, Inc., Proprietary and All Rights Reserved.
+#
+# NOTICE:  All information contained herein is, and remains the property
+# of Ubiq Security, Inc. The intellectual and technical concepts contained
+# herein are proprietary to Ubiq Security, Inc. and its suppliers and may be
+# covered by U.S. and Foreign Patents, patents in process, and are
+# protected by trade secret or copyright law. Dissemination of this
+# information or reproduction of this material is strictly forbidden
+# unless prior written permission is obtained from Ubiq Security, Inc.
+#
+# Your use of the software is expressly conditioned upon the terms
+# and conditions available at:
+#
+#     https://ubiqsecurity.com/legal
+
+require "ubiq/version"
+require "ubiq/encrypt"
+require "ubiq/decrypt"
+require "ubiq/credentials"
+
+
+

data/lib/ubiq/algo.rb

@@ -0,0 +1,69 @@
+# Copyright 2020 Ubiq Security, Inc., Proprietary and All Rights Reserved.
+#
+# NOTICE:  All information contained herein is, and remains the property
+# of Ubiq Security, Inc. The intellectual and technical concepts contained
+# herein are proprietary to Ubiq Security, Inc. and its suppliers and may be
+# covered by U.S. and Foreign Patents, patents in process, and are
+# protected by trade secret or copyright law. Dissemination of this
+# information or reproduction of this material is strictly forbidden
+# unless prior written permission is obtained from Ubiq Security, Inc.
+#
+# Your use of the software is expressly conditioned upon the terms
+# and conditions available at:
+#
+#     https://ubiqsecurity.com/legal
+#
+
+require "active_support/all"
+require 'openssl'
+
+module Ubiq
+
+class Algo
+
+  def set_algo
+    @algorithm = {
+      "aes-256-gcm"=>{
+        id:0,
+        algorithm: OpenSSL::Cipher::AES256,
+        mode: OpenSSL::Cipher::AES256.new(:GCM),
+        key_length: 32,
+        iv_length: 12,
+        tag_length: 16
+      },
+    }
+  end
+
+  def get_algo(name)
+    set_algo[name]
+  end
+
+  def encryptor(obj,key, iv=nil)
+    # key : A byte string containing the key to be used with this encryption
+    # If the caller specifies the initialization vector, it must be
+    # the correct length and, if so, will be used. If it is not
+    # specified, the function will generate a new one
+
+    cipher = obj[:mode]
+    raise RuntimeError, 'Invalid key length' if key.length != obj[:key_length]
+
+    raise RuntimeError, 'Invalid initialization vector length' if (iv!= nil and iv.length != obj[:iv_length])
+    cipher.encrypt
+    cipher.key = key
+    iv = cipher.random_iv
+    return cipher, iv
+  end
+
+  def decryptor(obj, key, iv)
+    cipher = obj[:mode]
+    raise RuntimeError, 'Invalid key length' if key.length != obj[:key_length]
+
+    raise RuntimeError, 'Invalid initialization vector length' if (iv!= nil and iv.length != obj[:iv_length])
+    cipher = obj[:mode]
+    cipher.decrypt
+    cipher.key = key
+    cipher.iv = iv
+    return cipher
+  end
+end
+end

data/lib/ubiq/auth.rb

@@ -0,0 +1,99 @@
+# Copyright 2020 Ubiq Security, Inc., Proprietary and All Rights Reserved.
+#
+# NOTICE:  All information contained herein is, and remains the property
+# of Ubiq Security, Inc. The intellectual and technical concepts contained
+# herein are proprietary to Ubiq Security, Inc. and its suppliers and may be
+# covered by U.S. and Foreign Patents, patents in process, and are
+# protected by trade secret or copyright law. Dissemination of this
+# information or reproduction of this material is strictly forbidden
+# unless prior written permission is obtained from Ubiq Security, Inc.
+#
+# Your use of the software is expressly conditioned upon the terms
+# and conditions available at:
+#
+#     https://ubiqsecurity.com/legal
+#
+require "active_support/all"
+
+module Ubiq
+
+class Auth
+  # HTTP Authentication for the Ubiq Platform
+
+  # This module implements HTTP authentication for the Ubiq platform
+  # via message signing as described by the IETF httpbis-message-signatures
+  # draft specification.
+
+  def self.build_headers(papi, sapi, endpoint, query, host, http_method)
+
+    # This function calculates the signature for the message, adding the Signature header
+    # to contain the data. Certain HTTP headers are required for
+    # signature calculation and will be added by this code as
+    # necessary. The constructed headers object is returned
+
+    # the '(request-target)' is part of the signed data.
+    # it's value is 'http_method path?query'
+    reqt = "#{http_method} #{endpoint}"
+
+    # The time at which the signature was created expressed as the unix epoch
+    created = Time.now.to_i
+
+    # the Digest header is always included/overridden by
+    # this code. it is a hash of the body of the http message
+    # and is always present even if the body is empty
+    hash_sha512 = OpenSSL::Digest::SHA512.new
+    hash_sha512 << JSON.dump(query)
+    digest = 'SHA-512='+Base64.strict_encode64(hash_sha512.digest)
+
+    # Initialize the headers object to be returned via this method
+    all_headers = {}
+    # The content type of request
+    all_headers['content-type'] = 'application/json'
+    # The request target calculated above(reqt)
+    all_headers['(request-target)'] = reqt
+    # The date and time in GMT format
+    all_headers['date'] = get_date
+    # The host specified by the caller
+    all_headers['host'] = get_host(host)
+    all_headers['(created)'] = created
+    all_headers['digest'] = digest
+    headers = ['content-type', 'date', 'host', '(created)', '(request-target)', 'digest']
+
+    # include the specified headers in the hmac calculation. each
+    # header is of the form 'header_name: header value\n'
+    # included headers are also added to an ordered list of headers
+    # which is included in the message
+    hmac = OpenSSL::HMAC.new(sapi, OpenSSL::Digest::SHA512.new)
+    headers.each do |header|
+      if all_headers.key?(header)
+        hmac << "#{header}: #{all_headers[header]}\n"
+      end
+    end
+
+    all_headers.delete('(created)')
+    all_headers.delete('(request-target)')
+    all_headers.delete('host')
+
+    # Build the Signature header itself
+    all_headers['signature']  = 'keyId="' + papi + '"'
+    all_headers['signature'] += ', algorithm="hmac-sha512"'
+    all_headers['signature'] += ', created=' + created.to_s
+    all_headers['signature'] += ', headers="' + headers.join(" ") + '"'
+    all_headers['signature'] += ', signature="'
+    all_headers['signature'] += Base64.strict_encode64(hmac.digest)
+    all_headers['signature'] += '"'
+
+    return all_headers
+  end
+
+  def self.get_host(host)
+    uri = URI(host)
+    return "#{uri.hostname}:#{uri.port}"
+  end
+
+  def self.get_date
+    DateTime.now.in_time_zone('GMT').strftime("%a, %d %b %Y") + " " + DateTime.now.in_time_zone('GMT').strftime("%H:%M:%S") + " GMT"
+  end
+
+end
+end

data/lib/ubiq/credentials.rb

@@ -0,0 +1,105 @@
+# Copyright 2020 Ubiq Security, Inc., Proprietary and All Rights Reserved.
+#
+# NOTICE:  All information contained herein is, and remains the property
+# of Ubiq Security, Inc. The intellectual and technical concepts contained
+# herein are proprietary to Ubiq Security, Inc. and its suppliers and may be
+# covered by U.S. and Foreign Patents, patents in process, and are
+# protected by trade secret or copyright law. Dissemination of this
+# information or reproduction of this material is strictly forbidden
+# unless prior written permission is obtained from Ubiq Security, Inc.
+#
+# Your use of the software is expressly conditioned upon the terms
+# and conditions available at:
+#
+#     https://ubiqsecurity.com/legal
+#
+require 'configparser'
+require 'rb-readline'
+require 'byebug'
+
+module Ubiq
+
+class CredentialsInfo
+
+  def initialize(access_key_id, secret_signing_key, secret_crypto_access_key, host)
+    @access_key_id = access_key_id
+    @secret_signing_key = secret_signing_key
+    @secret_crypto_access_key = secret_crypto_access_key
+    @host = host
+  end
+
+  def set_attributes
+    return OpenStruct.new(access_key_id: @access_key_id, secret_signing_key: @secret_signing_key, secret_crypto_access_key: @secret_crypto_access_key, host: @host)    
+  end
+end
+
+
+class ConfigCredentials < CredentialsInfo
+  def initialize(config_file, profile)
+    # If config file is not found
+    if config_file != nil and !File.exists?(config_file)
+      raise RuntimeError, "Unable to open config file #{config_file} or contains missing values"
+    end
+
+    if config_file == nil
+      config_file = "~/.ubiq/credentials"
+    end
+
+    # If config file is found
+    if File.exists?(File.expand_path(config_file))
+      @creds = load_config_file(config_file, profile)
+    end
+  end
+
+  def get_attributes
+    return @creds
+  end
+
+  def load_config_file(file, profile)
+    config = ConfigParser.new(File.expand_path(file))
+
+    # Create empty dictionaries for the default and supplied profile
+    p = {}
+    d = {}
+
+    # get the default profile if there is one
+    if config['default'].present?
+      d = config['default']
+    end
+
+    # get the supplied profile if there is one
+    if config[profile].present?
+      p = config[profile]
+    end    
+
+    # Use given profile if it is available, otherwise use default.
+    access_key_id = p.key?('ACCESS_KEY_ID') ? p['ACCESS_KEY_ID'] : d['ACCESS_KEY_ID']
+    secret_signing_key = p.key?('SECRET_SIGNING_KEY') ? p['SECRET_SIGNING_KEY'] : d['SECRET_SIGNING_KEY']
+    secret_crypto_access_key = p.key?('SECRET_CRYPTO_ACCESS_KEY') ? p['SECRET_CRYPTO_ACCESS_KEY'] : d['SECRET_CRYPTO_ACCESS_KEY']
+    host = p.key?('SERVER') ? p['SERVER'] : d['SERVER']
+
+    # If the provided host does not contain http protocol then add to it
+    if !host.include?('http://') and !host.include?('https://')
+      host = 'https://' + host
+    end
+    
+    return CredentialsInfo.new(access_key_id, secret_signing_key, secret_crypto_access_key, host).set_attributes
+  end
+end
+
+class Credentials < CredentialsInfo
+
+  def initialize(papi, sapi, srsa, host)
+    @access_key_id = papi.present? ? papi : ENV['UBIQ_ACCESS_KEY_ID']
+    @secret_signing_key = sapi.present? ? sapi : ENV['UBIQ_SECRET_SIGNING_KEY']
+    @secret_crypto_access_key = srsa.present? ? srsa : ENV['UBIQ_SECRET_CRYPTO_ACCESS_KEY']
+    @host = host.present? ? host : ENV['UBIQ_SERVER']
+  end
+
+  @creds = CredentialsInfo.new(@access_key_id, @secret_signing_key, @secret_crypto_access_key, @host).set_attributes
+
+  def get_attributes
+    return @creds
+  end
+end
+end

data/lib/ubiq/decrypt.rb

@@ -0,0 +1,268 @@
+# Copyright 2020 Ubiq Security, Inc., Proprietary and All Rights Reserved.
+#
+# NOTICE:  All information contained herein is, and remains the property
+# of Ubiq Security, Inc. The intellectual and technical concepts contained
+# herein are proprietary to Ubiq Security, Inc. and its suppliers and may be
+# covered by U.S. and Foreign Patents, patents in process, and are
+# protected by trade secret or copyright law. Dissemination of this
+# information or reproduction of this material is strictly forbidden
+# unless prior written permission is obtained from Ubiq Security, Inc.
+#
+# Your use of the software is expressly conditioned upon the terms
+# and conditions available at:
+#
+#     https://ubiqsecurity.com/legal
+#
+require 'rb-readline'
+require 'byebug'
+require 'httparty'
+require "active_support/all"
+require_relative './auth.rb'
+require_relative './algo.rb'
+require_relative './encrypt.rb'
+require 'webrick'
+
+module Ubiq
+
+class Decryption
+  def initialize(creds)
+    # Initialize the decryption module object
+    # Set the credentials in instance varibales to be used among methods
+    # the server to which to make the request
+    raise RuntimeError, 'Some of your credentials are missing, please check!' if !validate_creds(creds)
+    @host = creds.host.blank? ? UBIQ_HOST : creds.host
+
+    # The client's public API key (used to identify the client to the server
+    @papi = creds.access_key_id
+
+    # The client's secret API key (used to authenticate HTTP requests)
+    @sapi = creds.secret_signing_key
+
+    # The client's secret RSA encryption key/password (used to decrypt the client's RSA key from the server). This key is not retained by this object.
+    @srsa = creds.secret_crypto_access_key
+
+    @decryption_ready = true
+    @decryption_started = false
+
+  end
+
+  def endpoint_base
+    @host + '/api/v0'
+  end
+
+  def endpoint
+    '/api/v0/decryption/key'
+  end
+
+  def begin
+    # Begin the decryption process
+
+    # This interface does not take any cipher text in its arguments
+    # in an attempt to maintain an API that corresponds to the
+    # encryption object. In doing so, the work that can take place
+    # in this function is limited. without any data, there is no
+    # way to determine which key is in use or decrypt any data.
+    #
+    # this function simply throws an error if starting an decryption
+    # while one is already in progress, and initializes the internal
+    # buffer    
+
+    raise RuntimeError, 'Decryption is not ready' if !@decryption_ready
+
+    raise RuntimeError, 'Decryption Already Started' if @decryption_started
+
+    raise RuntimeError, 'Decryption already in progress' if @key.present? and @key.key?("dec")
+    @decryption_started = true
+    @data = ''
+  end
+
+  def update(data)
+    # Decryption of cipher text is performed here
+    # Cipher text must be passed to this function in the order in which it was output from the encryption.update function.
+
+    # Each encryption has a header on it that identifies the algorithm
+    # used  and an encryption of the data key that was used to encrypt
+    # the original plain text. there is no guarantee how much of that
+    # data will be passed to this function or how many times this
+    # function will be called to process all of the data. to that end,
+    # this function buffers data internally, when it is unable to
+    # process it.
+    #
+    # The function buffers data internally until the entire header is
+    # received. once the header has been received, the encrypted data
+    # key is sent to the server for decryption. after the header has
+    # been successfully handled, this function always decrypts all of
+    # the data in its internal buffer *except* for however many bytes
+    # are specified by the algorithm's tag size. see the end() function
+    # for details.
+
+    raise RuntimeError, 'Decryption is not Started' if !@decryption_started
+
+    # Append the incoming data in the internal data buffer
+    @data  = @data + data
+
+    # if there is no key or 'dec' member of key, then the code is still trying to build a complete header
+    if !@key.present? or !@key.key?("dec")
+      struct_length = [1,1,1,1,1].pack('CCCCn').length
+      packed_struct = @data[0...struct_length]
+
+      # Does the buffer contain enough of the header to
+      # determine the lengths of the initialization vector
+      # and the key?
+      if @data.length > struct_length
+        # Unpack the values packed in encryption
+        version, flag_for_later, algorithm_id, iv_length, key_length = packed_struct.unpack('CCCCn')
+
+        # verify flag and version are 0
+        raise RuntimeError, 'invalid encryption header' if version != 0 or flag_for_later != 0
+
+        # Does the buffer contain the entire header?
+        if @data.length > struct_length + iv_length + key_length
+          # Extract the initialization vector
+          iv = @data[struct_length...iv_length + struct_length]
+          # Extract the encryped key
+          encrypted_key = @data[struct_length + iv_length...key_length + struct_length + iv_length]
+          # Remove the header from the buffer
+          @data = @data[struct_length + iv_length + key_length..-1]
+
+          # generate a local identifier for the key
+          hash_sha512 = OpenSSL::Digest::SHA512.new
+          hash_sha512 << encrypted_key
+          client_id = hash_sha512.digest
+
+          if @key.present?
+            if @key['client_id'] != client_id
+              close()
+            end
+          end
+
+          # IF key object not exists, request a new one from the server
+          if !@key.present?
+            url = endpoint_base + "/decryption/key"
+            query = {encrypted_data_key: Base64.strict_encode64(encrypted_key)}
+            headers = Auth.build_headers(@papi, @sapi, endpoint, query, @host, 'post')
+
+            response = HTTParty.post(
+              url,
+              body: query.to_json,
+              headers: headers
+            )
+
+            # Response status is 200 OK
+            if response.code == WEBrick::HTTPStatus::RC_OK
+              @key = {}
+              @key['finger_print'] = response['key_fingerprint']
+              @key['client_id'] = client_id
+              @key['session'] = response['encryption_session']
+
+              @key['algorithm'] = 'aes-256-gcm'
+
+              encrypted_private_key = response['encrypted_private_key']
+              # Decrypt the encryped private key using SRSA
+              private_key = OpenSSL::PKey::RSA.new(encrypted_private_key,@srsa)
+
+              wrapped_data_key = response['wrapped_data_key']
+              # Decode WDK from base64 format
+              wdk = Base64.strict_decode64(wrapped_data_key)
+              # Use private key to decrypt the wrapped data key
+              dk = private_key.private_decrypt(wdk,OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+
+              @key['raw'] = dk
+              @key['uses'] = 0
+            else
+              # Raise the error if response is not 200
+              raise RuntimeError, "HTTPError Response: Expected 201, got #{response.code}"
+            end
+          end
+
+          # If the key object exists, create a new decryptor
+          # with the initialization vector from the header and
+          # the decrypted key (which is either new from the
+          # server or cached from the previous decryption). in
+          # either case, increment the key usage
+
+          if @key.present?
+            @algo = Algo.new.get_algo(@key['algorithm'])
+            @key['dec'] = Algo.new.decryptor(@algo, @key['raw'], iv)
+            @key['uses'] += 1            
+          end
+        end
+      end
+    end
+
+    # if the object has a key and a decryptor, then decrypt whatever
+    # data is in the buffer, less any data that needs to be saved to
+    # serve as the tag.
+    plain_text = ''
+    if @key.present? and @key.key?("dec")
+      size = @data.length - @algo[:tag_length]
+      if size > 0
+        plain_text = @key['dec'].update(@data[0..size-1])
+        @data = @data[size..-1]
+      end
+      return plain_text
+    end
+
+  end
+
+  def end
+    raise RuntimeError, 'Decryption is not Started' if !@decryption_started
+    # The update function always maintains tag-size bytes in
+    # the buffer because this function provides no data parameter.
+    # by the time the caller calls this function, all data must
+    # have already been input to the decryption object.    
+    
+    sz = @data.length - @algo[:tag_length]
+
+    raise RuntimeError, 'Invalid Tag!' if sz < 0
+    if sz == 0
+      @key['dec'].auth_tag = @data
+      begin
+        pt = @key['dec'].final
+        # Delete the decryptor context
+        @key.delete('dec')
+        # Return the decrypted plain data
+        @decryption_started = false
+        return pt
+      rescue Exception => e
+        print 'Invalid cipher data or tag!'
+        return ''
+      end
+    end    
+  end
+
+  def close
+    raise RuntimeError, 'Decryption currently running' if @decryption_started
+    # Reset the internal state of the decryption object
+    if @key.present?
+      if @key['uses'] > 0
+        query_url = "#{endpoint}/#{@key['finger_print']}/#{@key['session']}"
+        url = "#{endpoint_base}/decryption/key/#{@key['finger_print']}/#{@key['session']}"
+        query = {uses: @key['uses']}
+        headers = Auth.build_headers(@papi, @sapi, query_url, query, @host, 'patch')
+        response = HTTParty.patch(
+          url,
+          body: query.to_json,
+          headers: headers
+        )
+        remove_instance_variable(:@data)
+        remove_instance_variable(:@key)
+      end
+    end
+  end
+
+end
+
+def decrypt(creds, data)
+  begin
+    dec = Decryption.new(creds)
+    res = dec.begin() + dec.update(data) + dec.end()
+    dec.close()
+  rescue
+    dec.close() if dec
+    raise 
+  end
+  return res
+
+end
+end

data/lib/ubiq/encrypt.rb

@@ -0,0 +1,207 @@
+# Copyright 2020 Ubiq Security, Inc., Proprietary and All Rights Reserved.
+#
+# NOTICE:  All information contained herein is, and remains the property
+# of Ubiq Security, Inc. The intellectual and technical concepts contained
+# herein are proprietary to Ubiq Security, Inc. and its suppliers and may be
+# covered by U.S. and Foreign Patents, patents in process, and are
+# protected by trade secret or copyright law. Dissemination of this
+# information or reproduction of this material is strictly forbidden
+# unless prior written permission is obtained from Ubiq Security, Inc.
+#
+# Your use of the software is expressly conditioned upon the terms
+# and conditions available at:
+#
+#     https://ubiqsecurity.com/legal
+#
+require 'rb-readline'
+require 'byebug'
+require 'httparty'
+require "active_support/all"
+require_relative './auth.rb'
+require_relative './algo.rb'
+require 'webrick'
+
+module Ubiq
+
+# Ubiq Encryption object
+# This object represents a single data encryption key and can be used to encrypt several  separate plain texts using the same key
+class Encryption  
+  def initialize(creds, uses)
+    
+    raise RuntimeError, 'Some of your credentials are missing, please check!' if !validate_creds(creds)
+
+    # Set host, either the default or the one given by caller
+    @host = creds.host.blank? ? UBIQ_HOST : creds.host
+
+    # Set the credentials in instance varibales to be used among methods
+    # The client's public API key (used to identify the client to the server
+    @papi = creds.access_key_id
+
+    # The client's secret API key (used to authenticate HTTP requests)
+    @sapi = creds.secret_signing_key
+
+    # The client's secret RSA encryption key/password (used to decrypt the client's RSA key from the server). This key is not retained by this object.
+    @srsa = creds.secret_crypto_access_key
+
+    # Build the endpoint URL
+    url = endpoint_base + '/encryption/key'
+
+    # Build the Request Body with the number of uses of key
+    query = {uses: uses}
+
+    # Retrieve the necessary headers to make the request using Auth Object
+    headers = Auth.build_headers(@papi, @sapi, endpoint, query, @host,'post')
+
+    @encryption_started = false
+    @encryption_ready = true
+
+    # Request a new encryption key from the server. if the request
+    # fails, the function raises a HTTPError indicating
+    # the status code returned by the server. this exception is
+    # propagated back to the caller
+
+    begin
+      response = HTTParty.post(
+        url,
+        body: query.to_json,
+        headers: headers
+      )
+    rescue HTTParty::Error
+      raise RuntimeError, 'Cant reach server'
+    end
+
+    # Response status is 201 Created
+    if response.code == WEBrick::HTTPStatus::RC_CREATED
+      # The code below largely assumes that the server returns
+      # a json object that contains the members and is formatted
+      # according to the Ubiq REST specification.
+
+      # Build the key object
+      @key = {}
+      @key['id'] = response['key_fingerprint']
+      @key['session'] = response['encryption_session']
+      @key['security_model'] = response['security_model']
+      @key['algorithm'] = response['security_model']['algorithm'].downcase
+      @key['max_uses'] = response['max_uses']
+      @key['uses'] = 0
+      @key['encrypted'] = Base64.strict_decode64(response['encrypted_data_key'])
+
+      # Get encrypted private key from response body
+      encrypted_private_key = response['encrypted_private_key']
+      # Get wrapped data key from response body
+      wrapped_data_key = response['wrapped_data_key']
+      # Decrypt the encryped private key using @srsa supplied
+      private_key = OpenSSL::PKey::RSA.new(encrypted_private_key,@srsa)
+      # Decode WDK from base64 format
+      wdk = Base64.strict_decode64(wrapped_data_key)
+      # Use private key to decrypt the wrapped data key
+      dk = private_key.private_decrypt(wdk,OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+      @key['raw'] = dk
+      # Build the algorithm object
+      @algo = Algo.new.get_algo(@key['algorithm'])
+    else
+      # Raise the error if response is not 201
+      raise RuntimeError, "HTTPError Response: Expected 201, got #{response.code}"
+    end
+
+  end
+
+  def begin
+    # Begin the encryption process
+
+    # When this function is called, the encryption object increments
+    # the number of uses of the key and creates a new internal context
+    # to be used to encrypt the data.
+    # If the encryption object is not yet ready to be used, throw an error
+    raise RuntimeError, 'Encryption not ready' if !@encryption_ready
+
+    # if Encryption cipher context already exists
+    raise RuntimeError, 'Encryption already in progress' if @encryption_started
+    # If max uses > uses  
+    raise RuntimeError, 'Maximum key uses exceeded' if @key['uses'] >= @key['max_uses']
+    @key['uses'] += 1
+    # create a new Encryption context and initialization vector
+    @enc , @iv = Algo.new.encryptor(@algo, @key['raw'])
+
+    # Pack the result into bytes to get a byte string
+    struct = [0, 0, @algo[:id], @iv.length, @key['encrypted'].length].pack('CCCCn')
+    @encryption_started = true
+    return struct + @iv + @key['encrypted']
+  end
+
+  def update(data)
+    raise RuntimeError, 'Encryption is not Started' if !@encryption_started
+    # Encryption of some plain text is perfomed here
+    # Any cipher text produced by the operation is returned
+    @enc.update(data)
+  end
+
+  def end
+    raise RuntimeError, 'Encryption is not Started' if !@encryption_started
+    # This function finalizes the encryption (producing the final
+    # cipher text for the encryption, if necessary) and adds any
+    # authentication information (if required by the algorithm).
+    # Any data produced is returned by the function.
+
+    # Finalize an encryption
+    res = @enc.final
+    if @algo[:tag_length] != 0
+      # Add the tag to the cipher text
+      res+= @enc.auth_tag
+    end
+    @encryption_started = false
+    # Return the encrypted result
+    return res
+  end
+
+  def close
+    raise RuntimeError, 'Encryption currently running' if @encryption_started
+    # If the key was used less times than was requested, send an update to the server
+    if @key['uses'] < @key['max_uses']
+      query_url = "#{endpoint}/#{@key['id']}/#{@key['session']}"
+        url = "#{endpoint_base}/encryption/key/#{@key['id']}/#{@key['session']}"
+        query = {actual: @key['uses'], requested: @key['max_uses']}
+        headers = Auth.build_headers(@papi, @sapi, query_url, query, @host, 'patch')
+        response = HTTParty.patch(
+          url,
+          body: query.to_json,
+          headers: headers
+        )
+        remove_instance_variable(:@key)
+      @encryption_ready = false;
+    end
+  end
+
+  def endpoint_base
+    @host + '/api/v0'
+  end
+
+  def endpoint
+    '/api/v0/encryption/key'
+  end
+
+  def validate_creds(credentials)
+    # This method checks for the presence of the credentials
+    !credentials.access_key_id.blank? and !credentials.secret_signing_key.blank? and !credentials.secret_crypto_access_key.blank?    
+  end
+
+end
+
+def validate_creds(credentials)
+  # This method checks for the presence of the credentials
+  !credentials.access_key_id.blank? and !credentials.secret_signing_key.blank? and !credentials.secret_crypto_access_key.blank?    
+end
+
+def encrypt(creds, data)
+  begin
+    enc = Encryption.new(creds, 1)
+    res = enc.begin() + enc.update(data) + enc.end()
+    enc.close()
+  rescue
+    enc.close() if enc
+    raise 
+  end
+  return res
+end
+
+end

data/lib/ubiq/host.rb

@@ -0,0 +1,18 @@
+# Copyright 2020 Ubiq Security, Inc., Proprietary and All Rights Reserved.
+#
+# NOTICE:  All information contained herein is, and remains the property
+# of Ubiq Security, Inc. The intellectual and technical concepts contained
+# herein are proprietary to Ubiq Security, Inc. and its suppliers and may be
+# covered by U.S. and Foreign Patents, patents in process, and are
+# protected by trade secret or copyright law. Dissemination of this
+# information or reproduction of this material is strictly forbidden
+# unless prior written permission is obtained from Ubiq Security, Inc.
+#
+# Your use of the software is expressly conditioned upon the terms
+# and conditions available at:
+#
+#     https://ubiqsecurity.com/legal
+#
+module Ubiq
+   UBIQ_HOST = 'api.ubiqsecurity.com:8811'
+end

data/lib/ubiq/version.rb

@@ -0,0 +1,22 @@
+# Copyright 2020 Ubiq Security, Inc., Proprietary and All Rights Reserved.
+#
+# NOTICE:  All information contained herein is, and remains the property
+# of Ubiq Security, Inc. The intellectual and technical concepts contained
+# herein are proprietary to Ubiq Security, Inc. and its suppliers and may be
+# covered by U.S. and Foreign Patents, patents in process, and are
+# protected by trade secret or copyright law. Dissemination of this
+# information or reproduction of this material is strictly forbidden
+# unless prior written permission is obtained from Ubiq Security, Inc.
+#
+# Your use of the software is expressly conditioned upon the terms
+# and conditions available at:
+#
+#     https://ubiqsecurity.com/legal
+#
+
+# frozen_string_literal: true
+
+module Ubiq
+  VERSION = "1.0.0"
+end
+

data/ubiq-security.gemspec

@@ -0,0 +1,30 @@
+require_relative 'lib/ubiq/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "ubiq-security"
+  spec.version       = Ubiq::VERSION
+  spec.authors       = ["Ubiq Security, Inc."]
+  spec.email         = ["support@ubiqsecurity.com"]
+
+  spec.summary       = %q{Ruby Client Library for accessing the Ubiq Platform}
+  spec.description   = "Provide data encryption to any application with a couple of API calls.  " \
+                       "See https://www.ubiqsecurity.com for details."
+  spec.homepage      = "https://dev.ubiqsecurity.com/docs/ruby-library"
+  spec.license       = "Nonstandard"
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://gitlab.com/ubiqsecurity/ubiq-ruby"
+  spec.metadata["changelog_uri"] = "https://gitlab.com/ubiqsecurity/ubiq-ruby/-/blob/master/README.md"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features|example)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+  spec.add_runtime_dependency 'rb-readline', '~> 0.2', '>= 0.2'
+  spec.add_runtime_dependency 'httparty', '~> 0.15', '>= 0.15'
+end

metadata

@@ -0,0 +1,101 @@
+--- !ruby/object:Gem::Specification
+name: ubiq-security
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Ubiq Security, Inc.
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2020-08-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rb-readline
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.2'
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.2'
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.15'
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.15'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.15'
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.15'
+description: Provide data encryption to any application with a couple of API calls.  See
+  https://www.ubiqsecurity.com for details.
+email:
+- support@ubiqsecurity.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CODE_OF_CONDUCT.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/ubiq-security.rb
+- lib/ubiq/algo.rb
+- lib/ubiq/auth.rb
+- lib/ubiq/credentials.rb
+- lib/ubiq/decrypt.rb
+- lib/ubiq/encrypt.rb
+- lib/ubiq/host.rb
+- lib/ubiq/version.rb
+- ubiq-security.gemspec
+homepage: https://dev.ubiqsecurity.com/docs/ruby-library
+licenses:
+- Nonstandard
+metadata:
+  homepage_uri: https://dev.ubiqsecurity.com/docs/ruby-library
+  source_code_uri: https://gitlab.com/ubiqsecurity/ubiq-ruby
+  changelog_uri: https://gitlab.com/ubiqsecurity/ubiq-ruby/-/blob/master/README.md
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: Ruby Client Library for accessing the Ubiq Platform
+test_files: []