vault-rails 0.1.2 → 0.2.0

data/lib/vault/rails.rb

@@ -3,29 +3,58 @@ require "vault"
 require "base64"
 require "json"
 
+require_relative "encrypted_model"
+require_relative "rails/configurable"
+require_relative "rails/errors"
+require_relative "rails/serializer"
+require_relative "rails/version"
+
 module Vault
-  class << self
-    # The name of this application.
+  module Rails
+    extend Vault::Rails::Configurable
+
+    # The list of serializers.
     #
-    # @return [String]
-    attr_writer :application
+    # @return [Hash<Symbol, Module>]
+    SERIALIZERS = {
+      json: Vault::Rails::JSONSerializer,
+    }.freeze
 
-    # The name of the application. This must be set or an error will be
-    # returned.
+    # The default encoding.
     #
     # @return [String]
-    def application
-      if !defined?(@application) || @application.nil?
-        raise RuntimeError, "Must set `Vault.application'!"
+    DEFAULT_ENCODING = "utf-8".freeze
+
+    # The warning string to print when running in development mode.
+    DEV_WARNING = "[vault-rails] Using in-memory cipher - this is not secure " \
+      "and should never be used in production-like environments!".freeze
+
+    # API client object based off the configured options in
+    # {Vault::Configurable}.
+    #
+    # @return [Vault::Client]
+    def self.client
+      if !defined?(@client) || !@client.same_options?(options)
+        @client = Vault::Client.new(options)
       end
+      return @client
+    end
 
-      return @application
+    # Delegate all methods to the client object, essentially making the module
+    # object behave like a {Vault::Client}.
+    def self.method_missing(m, *args, &block)
+      if client.respond_to?(m)
+        client.public_send(m, *args, &block)
+      else
+        super
+      end
     end
-  end
 
-  autoload :EncryptedModel, "vault/encrypted_model"
+    # Delegating `respond_to` to the {Vault::Client}.
+    def self.respond_to_missing?(m, include_private = false)
+      client.respond_to?(m) || super
+    end
 
-  module Rails
     # Encrypt the given plaintext data using the provided mount and key.
     #
     # @param [String] path
@@ -34,15 +63,28 @@ module Vault
     #   the key to encrypt at
     # @param [String] plaintext
     #   the plaintext to encrypt
+    # @param [Vault::Client] client
+    #   the Vault client to use
     #
     # @return [String]
     #   the encrypted cipher text
-    def self.encrypt(path, key, plaintext)
-      route  = File.join(path, "encrypt", key)
-      secret = Vault.logical.write(route,
-        plaintext: Base64.strict_encode64(plaintext),
-      )
-      return secret.data[:ciphertext]
+    def self.encrypt(path, key, plaintext, client = self.client)
+      if plaintext.blank?
+        return plaintext
+      end
+
+      path = path.to_s if !path.is_a?(String)
+      key  = key.to_s if !key.is_a?(String)
+
+      with_retries do
+        if self.enabled?
+          result = self.vault_encrypt(path, key, plaintext, client)
+        else
+          result = self.memory_encrypt(path, key, plaintext, client)
+        end
+
+        return self.force_encoding(result)
+      end
     end
 
     # Decrypt the given ciphertext data using the provided mount and key.
@@ -53,13 +95,133 @@ module Vault
     #   the key to decrypt at
     # @param [String] ciphertext
     #   the ciphertext to decrypt
+    # @param [Vault::Client] client
+    #   the Vault client to use
     #
     # @return [String]
     #   the decrypted plaintext text
-    def self.decrypt(path, key, ciphertext)
+    def self.decrypt(path, key, ciphertext, client = self.client)
+      if ciphertext.blank?
+        return ciphertext
+      end
+
+      path = path.to_s if !path.is_a?(String)
+      key  = key.to_s if !key.is_a?(String)
+
+      with_retries do
+        if self.enabled?
+          result = self.vault_decrypt(path, key, ciphertext, client)
+        else
+          result = self.memory_decrypt(path, key, ciphertext, client)
+        end
+
+        return self.force_encoding(result)
+      end
+    end
+
+    # Get the serializer that corresponds to the given key. If the key does not
+    # correspond to a known serializer, an exception will be raised.
+    #
+    # @param [#to_sym] key
+    #   the name of the serializer
+    #
+    # @return [~Serializer]
+    def self.serializer_for(key)
+      key = key.to_sym if !key.is_a?(Symbol)
+
+      if serializer = SERIALIZERS[key]
+        return serializer
+      else
+        raise Vault::Rails::UnknownSerializerError.new(key)
+      end
+    end
+
+    private
+
+    # Perform in-memory encryption. This is useful for testing and development.
+    def self.memory_encrypt(path, key, plaintext, client)
+      log_warning(DEV_WARNING)
+
+      return nil if plaintext.nil?
+
+      cipher = OpenSSL::Cipher::AES.new(128, :CBC)
+      cipher.encrypt
+      cipher.key = memory_key_for(path, key)
+      return Base64.strict_encode64(cipher.update(plaintext) + cipher.final)
+    end
+
+    # Perform in-memory decryption. This is useful for testing and development.
+    def self.memory_decrypt(path, key, ciphertext, client)
+      log_warning(DEV_WARNING)
+
+      return nil if ciphertext.nil?
+
+      cipher = OpenSSL::Cipher::AES.new(128, :CBC)
+      cipher.decrypt
+      cipher.key = memory_key_for(path, key)
+      return cipher.update(Base64.strict_decode64(ciphertext)) + cipher.final
+    end
+
+    # Perform encryption using Vault. This will raise exceptions if Vault is
+    # unavailable.
+    def self.vault_encrypt(path, key, plaintext, client)
+      return nil if plaintext.nil?
+
+      route  = File.join(path, "encrypt", key)
+      secret = client.logical.write(route,
+        plaintext: Base64.strict_encode64(plaintext),
+      )
+      return secret.data[:ciphertext]
+    end
+
+    # Perform decryption using Vault. This will raise exceptions if Vault is
+    # unavailable.
+    def self.vault_decrypt(path, key, ciphertext, client)
+      return nil if ciphertext.nil?
+
       route  = File.join(path, "decrypt", key)
-      secret = Vault.logical.write(route, ciphertext: ciphertext)
+      secret = client.logical.write(route, ciphertext: ciphertext)
       return Base64.strict_decode64(secret.data[:plaintext])
     end
+
+    # The symmetric key for the given params.
+    # @return [String]
+    def self.memory_key_for(path, key)
+      return Base64.strict_encode64("#{path}/#{key}".ljust(32, "x"))
+    end
+
+    # Forces the encoding into the default Rails encoding and returns the
+    # newly encoded string.
+    # @return [String]
+    def self.force_encoding(str)
+      encoding = ::Rails.application.config.encoding || DEFAULT_ENCODING
+      str.force_encoding(encoding).encode(encoding)
+    end
+
+    private
+
+    def self.with_retries(client = self.client, &block)
+      exceptions = [Vault::HTTPConnectionError, Vault::HTTPServerError]
+      options = {
+        attempts: self.retry_attempts,
+        base:     self.retry_base,
+        max_wait: self.retry_max_wait,
+      }
+
+      client.with_retries(exceptions, options) do |i, e|
+        if !e.nil?
+          log_warning "[vault-rails] (#{i}) An error occurred when trying to " \
+            "communicate with Vault: #{e.message}"
+        end
+
+        yield
+      end
+    end
+
+    def self.log_warning(msg)
+      if defined?(::Rails) && ::Rails.logger != nil
+        ::Rails.logger.warn { msg }
+      end
+    end
   end
 end

data/lib/vault/rails/configurable.rb

@@ -0,0 +1,98 @@
+module Vault
+  module Rails
+    module Configurable
+      include Vault::Configurable
+
+      # The name of the Vault::Rails application.
+      #
+      # @raise [RuntimeError]
+      #   if the application has not been set
+      #
+      # @return [String]
+      def application
+        if !defined?(@application) || @application.nil?
+          raise RuntimeError, "Must set `Vault::Rails#application'!"
+        end
+        return @application
+      end
+
+      # Set the name of the application.
+      #
+      # @param [String] val
+      def application=(val)
+        @application = val
+      end
+
+      # Whether the connection to Vault is enabled. The default value is `false`,
+      # which means vault-rails will perform in-memory encryption/decryption and
+      # not attempt to talk to a reail Vault server. This is useful for
+      # development and testing.
+      #
+      # @return [true, false]
+      def enabled?
+        if !defined?(@enabled) || @enabled.nil?
+          return false
+        end
+        return @enabled
+      end
+
+      # Sets whether Vault is enabled. Users can set this in an initializer
+      # depending on their Rails environment.
+      #
+      # @example
+      #   Vault.configure do |vault|
+      #     vault.enabled = Rails.env.production?
+      #   end
+      #
+      # @return [true, false]
+      def enabled=(val)
+        @enabled = !!val
+      end
+
+      # Gets the number of retry attempts.
+      #
+      # @return [Fixnum]
+      def retry_attempts
+        @retry_attempts ||= 0
+      end
+
+      # Sets the number of retry attempts. Please see the Vault documentation
+      # for more information.
+      #
+      # @param [Fixnum] val
+      def retry_attempts=(val)
+        @retry_attempts = val
+      end
+
+      # Gets the number of retry attempts.
+      #
+      # @return [Fixnum]
+      def retry_base
+        @retry_base ||= Vault::Defaults::RETRY_BASE
+      end
+
+      # Sets the retry interval. Please see the Vault documentation for more
+      # information.
+      #
+      # @param [Fixnum] val
+      def retry_base=(val)
+        @retry_base = val
+      end
+
+      # Gets the retry maximum wait.
+      #
+      # @return [Fixnum]
+      def retry_max_wait
+        @retry_max_wait ||= Vault::Defaults::RETRY_MAX_WAIT
+      end
+
+      # Sets the naximum amount of time for a single retry. Please see the Vault
+      # documentation for more information.
+      #
+      # @param [Fixnum] val
+      def retry_max_wait=(val)
+        @retry_max_wait = val
+      end
+    end
+  end
+end

data/lib/vault/rails/errors.rb

@@ -0,0 +1,19 @@
+module Vault
+  module Rails
+    class VaultRailsError < RuntimeError; end
+
+    class UnknownSerializerError < VaultRailsError
+      def initialize(key)
+        super <<-EOH
+  Unknown Vault serializer `:#{key}'. Valid serializers are:
+
+      #{SERIALIZERS.keys.sort.map(&:inspect).join(", ")}
+
+  Please refer to the documentation for more examples.
+  EOH
+      end
+    end
+
+    class ValidationFailedError < VaultRailsError; end
+  end
+end

data/lib/vault/rails/serializer.rb

@@ -0,0 +1,33 @@
+module Vault
+  module Rails
+    module JSONSerializer
+      DECODE_OPTIONS = {
+        max_nested:       false,
+        create_additions: false,
+      }.freeze
+
+      def self.encode(raw)
+        self._init!
+
+        raw = {} if raw.nil?
+
+        JSON.fast_generate(raw)
+      end
+
+      def self.decode(raw)
+        self._init!
+
+        return {} if raw.nil? || raw.empty?
+        JSON.parse(raw, DECODE_OPTIONS)
+      end
+
+      protected
+
+      def self._init!
+        return if defined?(@_init)
+        require "json"
+        @_init = true
+      end
+    end
+  end
+end

data/lib/vault/rails/version.rb

@@ -1,5 +1,5 @@
 module Vault
   module Rails
-    VERSION = "0.1.2"
+    VERSION = "0.2.0"
   end
 end

data/spec/dummy/app/models/person.rb

@@ -1,8 +1,24 @@
+require "binary_serializer"
+
 class Person < ActiveRecord::Base
   include Vault::EncryptedModel
+
   vault_attribute :ssn
+
   vault_attribute :credit_card,
     encrypted_column: :cc_encrypted,
     path: "credit-secrets",
     key: "people_credit_cards"
+
+  vault_attribute :details,
+    serialize: :json
+
+  vault_attribute :business_card,
+    serialize: BinarySerializer
+
+  vault_attribute :favorite_color,
+    encode: ->(raw) { "xxx#{raw}xxx" },
+    decode: ->(raw) { raw && raw[3...-3] }
+
+  vault_attribute :non_ascii
 end

data/spec/dummy/config/initializers/vault.rb

@@ -2,8 +2,9 @@ require "vault/rails"
 
 require_relative "../../../support/vault_server"
 
-Vault.configure do |vault|
+Vault::Rails.configure do |vault|
   vault.application = "dummy"
   vault.address     = RSpec::VaultServer.address
   vault.token       = RSpec::VaultServer.token
+  vault.enabled     = true
 end

data/spec/dummy/db/migrate/20150428220101_create_people.rb

@@ -4,6 +4,10 @@ class CreatePeople < ActiveRecord::Migration
       t.string :name
       t.string :ssn_encrypted
       t.string :cc_encrypted
+      t.string :details_encrypted
+      t.string :business_card_encrypted
+      t.string :favorite_color_encrypted
+      t.string :non_ascii_encrypted
 
       t.timestamps null: false
     end