RubyGems - ubiq-security - Versions diffs - 1.0.0 → 1.0.5 - Mend

ubiq-security 1.0.0 → 1.0.5

Files changed (12) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 20d4dacbe17d8162ab7d308069b82e2b54b89cf7a7253763919742ef350597e3
-  data.tar.gz: 370015b19528bc6a81678e3b0f7f270b0524b6309f23dc6087d04256edad1e27
+  metadata.gz: 729b8860bf9bec12fd7185973e265accb516232460ee85dcf862a556d7008c53
+  data.tar.gz: 1b93971fda83f73f28e74adda5ae631c86f7fc826ae31f786f5e716f726351aa
 SHA512:
-  metadata.gz: 7ed8203d50dbe828d649af7decc40f300f1b2b5d74e912db9119e84444c840dc45a8fcc1c8e0b3fa49a8d7a6ebf73fbb9ce935e7244c1669d9d072af61674c52
-  data.tar.gz: ddd4e2690d2d47a737fda60d53524d9b57eec456410f14f5e4a56cb61e447e632f6c7a70bc0cc2dfc5126b95191df739dd6484089e07e6126f2d848989b28841
+  metadata.gz: fd5b18aaf1ede170f03511a2352bf324a9cbe137507eca720c2fe0b00c8e25124a7dc963ba583621d16911a15bc42b988d2f650cf6edcbb252dc34aeb2b7a614
+  data.tar.gz: 3a083c6fe5d1e1f29102adf845a0356ef0f4951f592a49d627bf381c360789fd7d43c9f5dd819cd0e63ec21a271e8586e8100c9e1bb556772bb8780c59d310ad

data/CHANGELOG.md ADDED

@@ -0,0 +1,9 @@
+# Changelog
+## 1.0.5 - 2020-09-23
+* Remove dead code
+* Pass client library name and version to server
+* Added AAD information to ciphers for encrypt and decrypy
+## 1.0.1 - 2020-08-20
+* Initial Version

data/README.md CHANGED

@@ -7,7 +7,7 @@ to encrypt and decrypt data
 ## Documentation
-See the [Ruby API docs](https://ubiqsecurity.com/docs/api?lang=ruby).
+See the [Ruby API docs][apidocs].
@@ -31,8 +31,11 @@ To build and install directly from a clone of the gitlab repository source:
 ```sh
 git clone https://gitlab.com/ubiqsecurity/ubiq-ruby.git
 cd ubiq-ruby
-rake install:local
+bundle install
+gem build ubiq-security.gemspec
+gem install ./ubiq-security*.gem
 ```
+You may need to run the `gem install` commands above using sudo.
 ## Usage
@@ -78,12 +81,11 @@ credentials = Credentials(access_key_id = "...", secret_signing_key = "...", sec
 ### Encrypt a simple block of data
-Pass credentials and data into the encryption function.  The encrypted data
-will be returned.
+Pass credentials and data into the encryption function.  The encrypted data will be returned.
 ```ruby
-require "ubiq-security"
+require 'ubiq-security'
 include Ubiq
 encrypted_data = encrypt(credentials, plaintext_data)
@@ -92,11 +94,10 @@ encrypted_data = encrypt(credentials, plaintext_data)
 ### Decrypt a simple block of data
-Pass credentials and encrypted data into the decryption function.  The plaintext data
-will be returned.
+Pass credentials and encrypted data into the decryption function.  The plaintext data will be returned.
 ```ruby
-require "ubiq-security"
+require 'ubiq-security'
 include Ubiq
 plaintext_data = decrypt(credentials, encrypted_data)
@@ -113,7 +114,7 @@ plaintext_data = decrypt(credentials, encrypted_data)
 ```ruby
-require "ubiq-security"
+require 'ubiq-security'
 include Ubiq
 # Process 1 MiB of plaintext data at a time
@@ -129,7 +130,7 @@ BLOCK_SIZE = 1024 * 1024
    # Loop until the end of the input file is reached
     until infile.eof?
       chunk = infile.read BLOCK_SIZE
-      encrypted_data += encryption.update(chunk))
+      encrypted_data += encryption.update(chunk)
     end
     # Make sure any additional encrypted data is retrieved from encryption instance
     encrypted_data += encryption.end()
@@ -148,7 +149,7 @@ BLOCK_SIZE = 1024 * 1024
 ```ruby
-require "ubiq-security"
+require 'ubiq-security'
 include Ubiq
 # Process 1 MiB of encrypted data at a time
@@ -160,7 +161,7 @@ BLOCK_SIZE = 1024 * 1024
     decryption = Decryption(credentials)
     # Start the decryption and get any header information
-    plaintext_data = decryption.begin())
+    plaintext_data = decryption.begin()
     # Loop until the end of the input file is reached
     until infile.eof?
@@ -181,8 +182,8 @@ BLOCK_SIZE = 1024 * 1024
 [bundler]: https://bundler.io
 [rubygems]: https://rubygems.org
 [gem]: https://rubygems.org/gems/uniq-security
-[dashboard]:https://dev.ubiqsecurity.com/docs/dashboard
+[dashboard]:https://dashboard.ubiqsecurity.com/
 [credentials]:https://dev.ubiqsecurity.com/docs/how-to-create-api-keys
+[apidocs]:https://dev.ubiqsecurity.com/docs/api

data/lib/ubiq-security.rb CHANGED

@@ -13,10 +13,9 @@
 #
 #     https://ubiqsecurity.com/legal
-require "ubiq/version"
-require "ubiq/encrypt"
-require "ubiq/decrypt"
-require "ubiq/credentials"
+# frozen_string_literal: true
+require 'ubiq/version'
+require 'ubiq/encrypt'
+require 'ubiq/decrypt'
+require 'ubiq/credentials'

data/lib/ubiq/algo.rb CHANGED

@@ -14,56 +14,81 @@
 #     https://ubiqsecurity.com/legal
 #
-require "active_support/all"
+# frozen_string_literal: true
+require 'active_support/all'
 require 'openssl'
 module Ubiq
+  # Class to provide some basic information mapping between an
+  # encryption algorithm name and the cooresponding
+  # key size, initialization vector length, and tag
-class Algo
+  class Algo
-  def set_algo
-    @algorithm = {
-      "aes-256-gcm"=>{
-        id:0,
-        algorithm: OpenSSL::Cipher::AES256,
-        mode: OpenSSL::Cipher::AES256.new(:GCM),
-        key_length: 32,
-        iv_length: 12,
-        tag_length: 16
-      },
-    }
-  end
+    UBIQ_HEADER_V0_FLAG_AAD = 0b00000001
-  def get_algo(name)
-    set_algo[name]
-  end
+    def set_algo
+      @algorithm = {
+        'aes-256-gcm' => {
+          id: 0,
+          algorithm: OpenSSL::Cipher::AES256,
+          mode: OpenSSL::Cipher::AES256.new(:GCM),
+          key_length: 32,
+          iv_length: 12,
+          tag_length: 16
+        },
+        'aes-128-gcm' => {
+          id: 1,
+          algorithm: OpenSSL::Cipher::AES128,
+          mode: OpenSSL::Cipher::AES128.new(:GCM),
+          key_length: 16,
+          iv_length: 12,
+          tag_length: 16
+        }
+      }
+    end
-  def encryptor(obj,key, iv=nil)
-    # key : A byte string containing the key to be used with this encryption
-    # If the caller specifies the initialization vector, it must be
-    # the correct length and, if so, will be used. If it is not
-    # specified, the function will generate a new one
+    def find_alg(id)
+      set_algo.each do |k,v|
+        if v[:id] == id
+           return k
+         end
+      end
+      "unknown"
+    end
+    def get_algo(name)
+      set_algo[name]
+    end
-    cipher = obj[:mode]
-    raise RuntimeError, 'Invalid key length' if key.length != obj[:key_length]
+    def encryptor(obj, key, iv = nil)
+      # key : A byte string containing the key to be used with this encryption
+      # If the caller specifies the initialization vector, it must be
+      # the correct length and, if so, will be used. If it is not
+      # specified, the function will generate a new one
-    raise RuntimeError, 'Invalid initialization vector length' if (iv!= nil and iv.length != obj[:iv_length])
-    cipher.encrypt
-    cipher.key = key
-    iv = cipher.random_iv
-    return cipher, iv
-  end
+      raise RuntimeError, 'Invalid key length' if key.length != obj[:key_length]
-  def decryptor(obj, key, iv)
-    cipher = obj[:mode]
-    raise RuntimeError, 'Invalid key length' if key.length != obj[:key_length]
+      raise RuntimeError, 'Invalid initialization vector length' if !iv.nil? && iv.length != obj[:iv_length]
-    raise RuntimeError, 'Invalid initialization vector length' if (iv!= nil and iv.length != obj[:iv_length])
-    cipher = obj[:mode]
-    cipher.decrypt
-    cipher.key = key
-    cipher.iv = iv
-    return cipher
+      cipher = obj[:mode]
+      cipher.encrypt
+      cipher.key = key
+      iv = cipher.random_iv
+      return cipher, iv
+    end
+    def decryptor(obj, key, iv)
+      raise RuntimeError, 'Invalid key length' if key.length != obj[:key_length]
+      raise RuntimeError, 'Invalid initialization vector length' if !iv.nil? && iv.length != obj[:iv_length]
+      cipher = obj[:mode]
+      cipher.decrypt
+      cipher.key = key
+      cipher.iv = iv
+      return cipher
+    end
   end
 end
-end

data/lib/ubiq/auth.rb CHANGED

@@ -13,87 +13,93 @@
 #
 #     https://ubiqsecurity.com/legal
 #
-require "active_support/all"
-module Ubiq
+# frozen_string_literal: true
+require 'active_support/all'
-class Auth
+module Ubiq
   # HTTP Authentication for the Ubiq Platform
   # This module implements HTTP authentication for the Ubiq platform
   # via message signing as described by the IETF httpbis-message-signatures
   # draft specification.
-  def self.build_headers(papi, sapi, endpoint, query, host, http_method)
-    # This function calculates the signature for the message, adding the Signature header
-    # to contain the data. Certain HTTP headers are required for
-    # signature calculation and will be added by this code as
-    # necessary. The constructed headers object is returned
-    # the '(request-target)' is part of the signed data.
-    # it's value is 'http_method path?query'
-    reqt = "#{http_method} #{endpoint}"
-    # The time at which the signature was created expressed as the unix epoch
-    created = Time.now.to_i
-    # the Digest header is always included/overridden by
-    # this code. it is a hash of the body of the http message
-    # and is always present even if the body is empty
-    hash_sha512 = OpenSSL::Digest::SHA512.new
-    hash_sha512 << JSON.dump(query)
-    digest = 'SHA-512='+Base64.strict_encode64(hash_sha512.digest)
-    # Initialize the headers object to be returned via this method
-    all_headers = {}
-    # The content type of request
-    all_headers['content-type'] = 'application/json'
-    # The request target calculated above(reqt)
-    all_headers['(request-target)'] = reqt
-    # The date and time in GMT format
-    all_headers['date'] = get_date
-    # The host specified by the caller
-    all_headers['host'] = get_host(host)
-    all_headers['(created)'] = created
-    all_headers['digest'] = digest
-    headers = ['content-type', 'date', 'host', '(created)', '(request-target)', 'digest']
-    # include the specified headers in the hmac calculation. each
-    # header is of the form 'header_name: header value\n'
-    # included headers are also added to an ordered list of headers
-    # which is included in the message
-    hmac = OpenSSL::HMAC.new(sapi, OpenSSL::Digest::SHA512.new)
-    headers.each do |header|
-      if all_headers.key?(header)
-        hmac << "#{header}: #{all_headers[header]}\n"
+  class Auth
+    def self.build_headers(papi, sapi, endpoint, query, host, http_method)
+      # This function calculates the signature for the message, adding the Signature header
+      # to contain the data. Certain HTTP headers are required for
+      # signature calculation and will be added by this code as
+      # necessary. The constructed headers object is returned
+      # the '(request-target)' is part of the signed data.
+      # it's value is 'http_method path?query'
+      reqt = "#{http_method} #{endpoint}"
+      # The time at which the signature was created expressed as the unix epoch
+      created = Time.now.to_i
+      # the Digest header is always included/overridden by
+      # this code. it is a hash of the body of the http message
+      # and is always present even if the body is empty
+      hash_sha512 = OpenSSL::Digest::SHA512.new
+      hash_sha512 << JSON.dump(query)
+      digest = 'SHA-512=' + Base64.strict_encode64(hash_sha512.digest)
+      # Initialize the headers object to be returned via this method
+      all_headers = {}
+      all_headers['user-agent'] = 'ubiq-ruby/' + Ubiq::VERSION
+      # The content type of request
+      all_headers['content-type'] = 'application/json'
+      # The request target calculated above(reqt)
+      all_headers['(request-target)'] = reqt
+      # The date and time in GMT format
+      all_headers['date'] = get_date
+      # The host specified by the caller
+      all_headers['host'] = get_host(host)
+      all_headers['(created)'] = created
+      all_headers['digest'] = digest
+      headers = ['content-type', 'date', 'host', '(created)', '(request-target)', 'digest']
+      # include the specified headers in the hmac calculation. each
+      # header is of the form 'header_name: header value\n'
+      # included headers are also added to an ordered list of headers
+      # which is included in the message
+      hmac = OpenSSL::HMAC.new(sapi, OpenSSL::Digest::SHA512.new)
+      headers.each do |header|
+        if all_headers.key?(header)
+          hmac << "#{header}: #{all_headers[header]}\n"
+        end
       end
-    end
-    all_headers.delete('(created)')
-    all_headers.delete('(request-target)')
-    all_headers.delete('host')
-    # Build the Signature header itself
-    all_headers['signature']  = 'keyId="' + papi + '"'
-    all_headers['signature'] += ', algorithm="hmac-sha512"'
-    all_headers['signature'] += ', created=' + created.to_s
-    all_headers['signature'] += ', headers="' + headers.join(" ") + '"'
-    all_headers['signature'] += ', signature="'
-    all_headers['signature'] += Base64.strict_encode64(hmac.digest)
-    all_headers['signature'] += '"'
-    return all_headers
-  end
+      all_headers.delete('(created)')
+      all_headers.delete('(request-target)')
+      all_headers.delete('host')
+      # Build the Signature header itself
+      all_headers['signature']  = 'keyId="' + papi + '"'
+      all_headers['signature'] += ', algorithm="hmac-sha512"'
+      all_headers['signature'] += ', created=' + created.to_s
+      all_headers['signature'] += ', headers="' + headers.join(' ') + '"'
+      all_headers['signature'] += ', signature="'
+      all_headers['signature'] += Base64.strict_encode64(hmac.digest)
+      all_headers['signature'] += '"'
+      return all_headers
+    end
-  def self.get_host(host)
-    uri = URI(host)
-    return "#{uri.hostname}:#{uri.port}"
-  end
+    # Only want to return port in the URI if the
+    # host contained one, otherwise let gateway resolve it
+    def self.get_host(host)
+      uri = URI(host)
+      ret = uri.hostname.to_s
+      ret += ":#{uri.port}" if host.match(/:[0-9]+/)
+      ret
+    end
-  def self.get_date
-    DateTime.now.in_time_zone('GMT').strftime("%a, %d %b %Y") + " " + DateTime.now.in_time_zone('GMT').strftime("%H:%M:%S") + " GMT"
+    def self.get_date
+      DateTime.now.in_time_zone('GMT').strftime('%a, %d %b %Y') + ' ' +
+        DateTime.now.in_time_zone('GMT').strftime('%H:%M:%S') + ' GMT'
+    end
   end
-end
 end

data/lib/ubiq/credentials.rb CHANGED

@@ -13,93 +13,109 @@
 #
 #     https://ubiqsecurity.com/legal
 #
+# frozen_string_literal: true
 require 'configparser'
 require 'rb-readline'
 require 'byebug'
+require_relative './host.rb'
-module Ubiq
-class CredentialsInfo
-  def initialize(access_key_id, secret_signing_key, secret_crypto_access_key, host)
-    @access_key_id = access_key_id
-    @secret_signing_key = secret_signing_key
-    @secret_crypto_access_key = secret_crypto_access_key
-    @host = host
-  end
+module Ubiq
+  # Access Credentials used by the library to validate service calls
+  class CredentialsInfo
+    def initialize(access_key_id, secret_signing_key, secret_crypto_access_key, host)
+      @access_key_id = access_key_id
+      @secret_signing_key = secret_signing_key
+      @secret_crypto_access_key = secret_crypto_access_key
+      @host = host
+    end
-  def set_attributes
-    return OpenStruct.new(access_key_id: @access_key_id, secret_signing_key: @secret_signing_key, secret_crypto_access_key: @secret_crypto_access_key, host: @host)
+    def set_attributes
+      return OpenStruct.new(
+        access_key_id: @access_key_id,
+        secret_signing_key: @secret_signing_key,
+        secret_crypto_access_key: @secret_crypto_access_key,
+        host: @host
+        )
+    end
   end
-end
-class ConfigCredentials < CredentialsInfo
-  def initialize(config_file, profile)
-    # If config file is not found
-    if config_file != nil and !File.exists?(config_file)
-      raise RuntimeError, "Unable to open config file #{config_file} or contains missing values"
+  # Class to load a credentials file or the default
+  # and read the credentials from either a supplied
+  # profile or use the default
+  class ConfigCredentials < CredentialsInfo
+    def initialize(config_file, profile)
+      # If config file is not found
+      if !config_file.nil? && !File.exist?(config_file)
+        raise RuntimeError, "Unable to open config file #{config_file} or contains missing values"
+      end
+      if config_file.nil?
+        config_file = '~/.ubiq/credentials'
+      end
+      # If config file is found
+      if File.exist?(File.expand_path(config_file))
+        @creds = load_config_file(config_file, profile)
+      end
     end
-    if config_file == nil
-      config_file = "~/.ubiq/credentials"
+    def get_attributes
+      return @creds
     end
-    # If config file is found
-    if File.exists?(File.expand_path(config_file))
-      @creds = load_config_file(config_file, profile)
-    end
-  end
+    def load_config_file(file, profile)
+      config = ConfigParser.new(File.expand_path(file))
-  def get_attributes
-    return @creds
-  end
+      # Create empty dictionaries for the default and supplied profile
+      p = {}
+      d = {}
-  def load_config_file(file, profile)
-    config = ConfigParser.new(File.expand_path(file))
+      # get the default profile if there is one
+      if config['default'].present?
+        d = config['default']
+      end
-    # Create empty dictionaries for the default and supplied profile
-    p = {}
-    d = {}
+      if !d.key?('SERVER')
+        d['SERVER'] = Ubiq::UBIQ_HOST
+      end
-    # get the default profile if there is one
-    if config['default'].present?
-      d = config['default']
-    end
+      # get the supplied profile if there is one
+      if config[profile].present?
+        p = config[profile]
+      end
-    # get the supplied profile if there is one
-    if config[profile].present?
-      p = config[profile]
-    end
+      # Use given profile if it is available, otherwise use default.
+      access_key_id = p.key?('ACCESS_KEY_ID') ? p['ACCESS_KEY_ID'] : d['ACCESS_KEY_ID']
+      secret_signing_key = p.key?('SECRET_SIGNING_KEY') ? p['SECRET_SIGNING_KEY'] : d['SECRET_SIGNING_KEY']
+      secret_crypto_access_key = p.key?('SECRET_CRYPTO_ACCESS_KEY') ? p['SECRET_CRYPTO_ACCESS_KEY'] : d['SECRET_CRYPTO_ACCESS_KEY']
+      host = p.key?('SERVER') ? p['SERVER'] : d['SERVER']
-    # Use given profile if it is available, otherwise use default.
-    access_key_id = p.key?('ACCESS_KEY_ID') ? p['ACCESS_KEY_ID'] : d['ACCESS_KEY_ID']
-    secret_signing_key = p.key?('SECRET_SIGNING_KEY') ? p['SECRET_SIGNING_KEY'] : d['SECRET_SIGNING_KEY']
-    secret_crypto_access_key = p.key?('SECRET_CRYPTO_ACCESS_KEY') ? p['SECRET_CRYPTO_ACCESS_KEY'] : d['SECRET_CRYPTO_ACCESS_KEY']
-    host = p.key?('SERVER') ? p['SERVER'] : d['SERVER']
+      # If the provided host does not contain http protocol then add to it
+      if !host.include?('http://') && !host.include?('https://')
+        host = 'https://' + host
+      end
-    # If the provided host does not contain http protocol then add to it
-    if !host.include?('http://') and !host.include?('https://')
-      host = 'https://' + host
+      return CredentialsInfo.new(access_key_id, secret_signing_key, secret_crypto_access_key, host).set_attributes
     end
-    return CredentialsInfo.new(access_key_id, secret_signing_key, secret_crypto_access_key, host).set_attributes
   end
-end
-class Credentials < CredentialsInfo
-  def initialize(papi, sapi, srsa, host)
-    @access_key_id = papi.present? ? papi : ENV['UBIQ_ACCESS_KEY_ID']
-    @secret_signing_key = sapi.present? ? sapi : ENV['UBIQ_SECRET_SIGNING_KEY']
-    @secret_crypto_access_key = srsa.present? ? srsa : ENV['UBIQ_SECRET_CRYPTO_ACCESS_KEY']
-    @host = host.present? ? host : ENV['UBIQ_SERVER']
-  end
+  # Class where the credentials can be explicitly set or
+  # will use the Environment variables instead
+  class Credentials < CredentialsInfo
+    def initialize(papi, sapi, srsa, host)
+      @access_key_id = papi.present? ? papi : ENV['UBIQ_ACCESS_KEY_ID']
+      @secret_signing_key = sapi.present? ? sapi : ENV['UBIQ_SECRET_SIGNING_KEY']
+      @secret_crypto_access_key = srsa.present? ? srsa : ENV['UBIQ_SECRET_CRYPTO_ACCESS_KEY']
+      @host = host.present? ? host : ENV['UBIQ_SERVER']
+    end
-  @creds = CredentialsInfo.new(@access_key_id, @secret_signing_key, @secret_crypto_access_key, @host).set_attributes
+    @creds = CredentialsInfo.new(@access_key_id, @secret_signing_key, @secret_crypto_access_key, @host).set_attributes
-  def get_attributes
-    return @creds
+    def get_attributes
+      return @creds
+    end
   end
 end
-end