vault-rails 0.0.11 → 0.1.0

data/Rakefile

@@ -1,2 +1,18 @@
-require "bundler"
-Bundler::GemHelper.install_tasks
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test

data/lib/vault/encrypted_model.rb

@@ -0,0 +1,112 @@
+module Vault
+  module EncryptedModel
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      # Creates an attribute that is read and written using Vault.
+      #
+      # @example
+      #
+      #   class Person < ActiveRecord::Base
+      #     include Vault::EncryptedModel
+      #     vault_attribute :ssn
+      #   end
+      #
+      #   person = Person.new
+      #   person.ssn = "123-45-6789"
+      #   person.save
+      #   person.encrypted_ssn #=> "vault:v0:6hdPkhvyL6..."
+      #
+      # @param [Symbol] column
+      #   the column that is encrypted
+      # @param [Hash] options
+      #
+      # @option options [Symbol] :encrypted_column
+      #   the name of the encrypted column (default: +#{column}_encrypted+)
+      # @option options [String] :path
+      #   the path to the transit backend (default: +transit+)
+      # @option options [String] :key
+      #   the name of the encryption key (default: +#{app}_#{table}_#{column}+)
+      def vault_attribute(column, options = {})
+        encrypted_column = options[:encrypted_column] || "#{column}_encrypted"
+        path = options[:path] || "transit"
+        key = options[:key] || "#{Vault.application}_#{table_name}_#{column}"
+
+        class_eval <<-EOH, __FILE__, __LINE__ + 1
+          def #{column}
+            value = instance_variable_get(:@#{column})
+            return value if !value.nil?
+
+            encrypted = read_attribute(:#{encrypted_column})
+            return nil if encrypted.nil?
+
+            path = File.join("v1", "#{path}", "decrypt", "#{key}")
+            response = Vault.put(path, JSON.fast_generate(
+              ciphertext: encrypted,
+            ))
+            secret = Vault::Secret.decode(response)
+            plaintext = Base64.decode64(secret.data[:plaintext])
+
+            instance_variable_set(:@#{column}, plaintext)
+          end
+
+          def #{column}=(value)
+            path = File.join("v1", "#{path}", "encrypt", "#{key}")
+            response = Vault.put(path, JSON.fast_generate(
+              plaintext: Base64.encode64(value),
+            ))
+            secret = Vault::Secret.decode(response)
+            ciphertext = secret.data[:ciphertext]
+
+            write_attribute(:#{encrypted_column}, ciphertext)
+            instance_variable_set(:@#{column}, value)
+          end
+
+          def #{column}?
+            read_attribute(:#{encrypted_column}).present?
+          end
+        EOH
+
+        _vault_ensure_mounted!(path)
+        _vault_ensure_key!(path, key)
+        _vault_attributes.store(column.to_sym, true)
+
+        self
+      end
+
+      # The list of Vault attributes.
+      #
+      # @return [Hash]
+      def _vault_attributes
+        @vault_attributes ||= {}
+      end
+
+      # Ensure the proper transit backend is mounted at the given path.
+      #
+      # @return [true]
+      def _vault_ensure_mounted!(path)
+        mounts = Vault.sys.mounts
+        return true if mounts[path.to_s.chomp("/").to_sym]
+
+        Vault.sys.mount(path, :transit)
+        return true
+      end
+
+      # Ensure a key exists for the transit backend at the given path.
+      #
+      # @return [true]
+      def _vault_ensure_key!(path, key)
+        key_path = File.join("v1", path, "keys", key)
+
+        begin
+          Vault.get(key_path)
+        rescue => e
+          raise if e.code != 404
+          Vault.post(key_path, nil)
+        end
+
+        return true
+      end
+    end
+  end
+end

data/lib/vault/rails.rb

@@ -0,0 +1,30 @@
+require "vault"
+
+require "base64"
+require "json"
+
+module Vault
+  class << self
+    # The name of this application.
+    #
+    # @return [String]
+    attr_writer :application
+
+    # The name of the application. This must be set or an error will be
+    # returned.
+    #
+    # @return [String]
+    def application
+      if !defined?(@application) || @application.nil?
+        raise RuntimeError, "Must set `Vault.application'!"
+      end
+
+      return @application
+    end
+  end
+
+  autoload :EncryptedModel, "vault/encrypted_model"
+
+  module Rails
+  end
+end

data/lib/vault/rails/version.rb

@@ -1,5 +1,5 @@
 module Vault
   module Rails
-    VERSION = "0.0.11"
+    VERSION = "0.1.0"
   end
 end

data/spec/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Rails.application.load_tasks

data/spec/dummy/app/models/person.rb

@@ -0,0 +1,8 @@
+class Person < ActiveRecord::Base
+  include Vault::EncryptedModel
+  vault_attribute :ssn
+  vault_attribute :credit_card,
+    encrypted_column: :cc_encrypted,
+    path: "credit-secrets",
+    key: "people_credit_cards"
+end

data/spec/dummy/bin/bundle

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+load Gem.bin_path('bundler', 'bundle')

data/spec/dummy/bin/rails

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+APP_PATH = File.expand_path('../../config/application',  __FILE__)
+require_relative '../config/boot'
+require 'rails/commands'

data/spec/dummy/bin/rake

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require_relative '../config/boot'
+require 'rake'
+Rake.application.run

data/spec/dummy/config.ru

@@ -0,0 +1,4 @@
+# This file is used by Rack-based servers to start the application.
+
+require ::File.expand_path('../config/environment',  __FILE__)
+run Rails.application

data/spec/dummy/config/application.rb

@@ -0,0 +1,29 @@
+require File.expand_path('../boot', __FILE__)
+
+# Pick the frameworks you want:
+require "active_record/railtie"
+require "action_controller/railtie"
+require "action_mailer/railtie"
+# require "action_view/railtie"
+# require "sprockets/railtie"
+require "rails/test_unit/railtie"
+
+Bundler.require(*Rails.groups)
+require "vault"
+
+module Dummy
+  class Application < Rails::Application
+    # Settings in config/environments/* take precedence over those specified here.
+    # Application configuration should go into files in config/initializers
+    # -- all .rb files in that directory are automatically loaded.
+
+    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
+    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+    # config.time_zone = 'Central Time (US & Canada)'
+
+    # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
+    # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
+    # config.i18n.default_locale = :de
+  end
+end
+

data/spec/dummy/config/boot.rb

@@ -0,0 +1,5 @@
+# Set up gems listed in the Gemfile.
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../../../Gemfile', __FILE__)
+
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])
+$LOAD_PATH.unshift File.expand_path('../../../../lib', __FILE__)

data/spec/dummy/config/database.yml

@@ -0,0 +1,12 @@
+default: &default
+  adapter: sqlite3
+  pool: 5
+  timeout: 5000
+
+development:
+  <<: *default
+  database: db/development.sqlite3
+
+test:
+  <<: *default
+  database: db/test.sqlite3

data/spec/dummy/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the Rails application.
+require File.expand_path('../application', __FILE__)
+
+# Initialize the Rails application.
+Rails.application.initialize!

data/spec/dummy/config/environments/development.rb

@@ -0,0 +1,37 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # In the development environment your application's code is reloaded on
+  # every request. This slows down response time but is perfect for development
+  # since you don't have to restart the web server when you make code changes.
+  config.cache_classes = false
+
+  # Do not eager load code on boot.
+  config.eager_load = false
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Don't care if the mailer can't send.
+  config.action_mailer.raise_delivery_errors = false
+
+  # Print deprecation notices to the Rails logger.
+  config.active_support.deprecation = :log
+
+  # Raise an error on page load if there are pending migrations.
+  config.active_record.migration_error = :page_load
+
+  # Debug mode disables concatenation and preprocessing of assets.
+  # This option may cause significant delays in view rendering with a large
+  # number of complex assets.
+  config.assets.debug = true
+
+  # Adds additional error checking when serving assets at runtime.
+  # Checks for improperly declared sprockets dependencies.
+  # Raises helpful error messages.
+  config.assets.raise_runtime_errors = true
+
+  # Raises error for missing translations
+  # config.action_view.raise_on_missing_translations = true
+end

data/spec/dummy/config/environments/test.rb

@@ -0,0 +1,39 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # The test environment is used exclusively to run your application's
+  # test suite. You never need to work with it otherwise. Remember that
+  # your test database is "scratch space" for the test suite and is wiped
+  # and recreated between test runs. Don't rely on the data there!
+  config.cache_classes = true
+
+  # Do not eager load code on boot. This avoids loading your whole application
+  # just for the purpose of running a single test. If you are using a tool that
+  # preloads Rails for running tests, you may have to set it to true.
+  config.eager_load = false
+
+  # Configure static asset server for tests with Cache-Control for performance.
+  config.serve_static_assets  = true
+  config.static_cache_control = 'public, max-age=3600'
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Raise exceptions instead of rendering exception templates.
+  config.action_dispatch.show_exceptions = false
+
+  # Disable request forgery protection in test environment.
+  config.action_controller.allow_forgery_protection = false
+
+  # Tell Action Mailer not to deliver emails to the real world.
+  # The :test delivery method accumulates sent emails in the
+  # ActionMailer::Base.deliveries array.
+  config.action_mailer.delivery_method = :test
+
+  # Print deprecation notices to the stderr.
+  config.active_support.deprecation = :stderr
+
+  # Raises error for missing translations
+  # config.action_view.raise_on_missing_translations = true
+end

data/spec/dummy/config/initializers/assets.rb

@@ -0,0 +1,8 @@
+# Be sure to restart your server when you modify this file.
+
+# Version of your assets, change this if you want to expire all your assets.
+Rails.application.config.assets.version = '1.0'
+
+# Precompile additional assets.
+# application.js, application.css, and all non-JS/CSS in app/assets folder are already added.
+# Rails.application.config.assets.precompile += %w( search.js )

data/spec/dummy/config/initializers/backtrace_silencers.rb

@@ -0,0 +1,7 @@
+# Be sure to restart your server when you modify this file.
+
+# You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
+# Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ }
+
+# You can also remove all the silencers if you're trying to debug a problem that might stem from framework code.
+# Rails.backtrace_cleaner.remove_silencers!

data/spec/dummy/config/initializers/cookies_serializer.rb

@@ -0,0 +1,3 @@
+# Be sure to restart your server when you modify this file.
+
+Rails.application.config.action_dispatch.cookies_serializer = :json

data/spec/dummy/config/initializers/filter_parameter_logging.rb

@@ -0,0 +1,4 @@
+# Be sure to restart your server when you modify this file.
+
+# Configure sensitive parameters which will be filtered from the log file.
+Rails.application.config.filter_parameters += [:password]

data/spec/dummy/config/initializers/inflections.rb

@@ -0,0 +1,16 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new inflection rules using the following format. Inflections
+# are locale specific, and you may define rules for as many different
+# locales as you wish. All of these examples are active by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.plural /^(ox)$/i, '\1en'
+#   inflect.singular /^(ox)en/i, '\1'
+#   inflect.irregular 'person', 'people'
+#   inflect.uncountable %w( fish sheep )
+# end
+
+# These inflection rules are supported but not enabled by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.acronym 'RESTful'
+# end

data/spec/dummy/config/initializers/mime_types.rb

@@ -0,0 +1,4 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new mime types for use in respond_to blocks:
+# Mime::Type.register "text/richtext", :rtf

data/spec/dummy/config/initializers/session_store.rb

@@ -0,0 +1,3 @@
+# Be sure to restart your server when you modify this file.
+
+Rails.application.config.session_store :cookie_store, key: '_dummy_session'

data/spec/dummy/config/initializers/vault.rb

@@ -0,0 +1,9 @@
+require "vault/rails"
+
+require_relative "../../../support/vault_server"
+
+Vault.configure do |vault|
+  vault.application = "dummy"
+  vault.address     = RSpec::VaultServer.address
+  vault.token       = RSpec::VaultServer.token
+end

data/spec/dummy/config/initializers/wrap_parameters.rb

@@ -0,0 +1,14 @@
+# Be sure to restart your server when you modify this file.
+
+# This file contains settings for ActionController::ParamsWrapper which
+# is enabled by default.
+
+# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
+ActiveSupport.on_load(:action_controller) do
+  wrap_parameters format: [:json] if respond_to?(:wrap_parameters)
+end
+
+# To enable root element in JSON for ActiveRecord objects.
+# ActiveSupport.on_load(:active_record) do
+#  self.include_root_in_json = true
+# end

data/spec/dummy/config/locales/en.yml

@@ -0,0 +1,23 @@
+# Files in the config/locales directory are used for internationalization
+# and are automatically loaded by Rails. If you want to use locales other
+# than English, add the necessary files in this directory.
+#
+# To use the locales, use `I18n.t`:
+#
+#     I18n.t 'hello'
+#
+# In views, this is aliased to just `t`:
+#
+#     <%= t('hello') %>
+#
+# To use a different locale, set it with `I18n.locale`:
+#
+#     I18n.locale = :es
+#
+# This would use the information in config/locales/es.yml.
+#
+# To learn more, please read the Rails Internationalization guide
+# available at http://guides.rubyonrails.org/i18n.html.
+
+en:
+  hello: "Hello world"