vault-rails 0.3.1 → 0.7.0

data/lib/vault/rails.rb

@@ -6,7 +6,7 @@ require "json"
 require_relative "encrypted_model"
 require_relative "rails/configurable"
 require_relative "rails/errors"
-require_relative "rails/serializer"
+require_relative "rails/json_serializer"
 require_relative "rails/version"
 
 module Vault
@@ -26,6 +26,7 @@ module Vault
     # The warning string to print when running in development mode.
     DEV_WARNING = "[vault-rails] Using in-memory cipher - this is not secure " \
       "and should never be used in production-like environments!".freeze
+    DEV_PREFIX = "vault:dev:".freeze
 
     class << self
       # API client object based off the configured options in {Configurable}.
@@ -72,7 +73,7 @@ module Vault
       #
       # @return [String]
       #   the encrypted cipher text
-      def encrypt(path, key, plaintext, client = self.client)
+      def encrypt(path, key, plaintext, client: self.client, context: nil)
         if plaintext.blank?
           return plaintext
         end
@@ -82,9 +83,9 @@ module Vault
 
         with_retries do
           if self.enabled?
-            result = self.vault_encrypt(path, key, plaintext, client)
+            result = self.vault_encrypt(path, key, plaintext, client: client, context: context)
           else
-            result = self.memory_encrypt(path, key, plaintext, client)
+            result = self.memory_encrypt(path, key, plaintext, client: client, context: context)
           end
 
           return self.force_encoding(result)
@@ -104,7 +105,7 @@ module Vault
       #
       # @return [String]
       #   the decrypted plaintext text
-      def decrypt(path, key, ciphertext, client = self.client)
+      def decrypt(path, key, ciphertext, client: self.client, context: nil)
         if ciphertext.blank?
           return ciphertext
         end
@@ -114,9 +115,9 @@ module Vault
 
         with_retries do
           if self.enabled?
-            result = self.vault_decrypt(path, key, ciphertext, client)
+            result = self.vault_decrypt(path, key, ciphertext, client: client, context: context)
           else
-            result = self.memory_decrypt(path, key, ciphertext, client)
+            result = self.memory_decrypt(path, key, ciphertext, client: client, context: context)
           end
 
           return self.force_encoding(result)
@@ -140,58 +141,101 @@ module Vault
         end
       end
 
+      def transform_encode(plaintext, opts={})
+        return plaintext if plaintext&.empty?
+        request_opts = {}
+        request_opts[:value] = plaintext
+
+        if opts[:transformation]
+          request_opts[:transformation] = opts[:transformation]
+        end
+
+        role_name = transform_role_name(opts)
+        client.transform.encode(role_name: role_name, **request_opts)
+      end
+
+      def transform_decode(ciphertext, opts={})
+        return ciphertext if ciphertext&.empty?
+        request_opts = {}
+        request_opts[:value] = ciphertext
+
+        if opts[:transformation]
+          request_opts[:transformation] = opts[:transformation]
+        end
+
+        role_name = transform_role_name(opts)
+        puts request_opts
+        client.transform.decode(role_name: role_name, **request_opts)
+      end
+
+
       protected
 
       # Perform in-memory encryption. This is useful for testing and development.
-      def memory_encrypt(path, key, plaintext, client)
-        log_warning(DEV_WARNING)
+      def memory_encrypt(path, key, plaintext, client: , context: nil)
+        log_warning(DEV_WARNING) if self.in_memory_warnings_enabled?
 
         return nil if plaintext.nil?
 
         cipher = OpenSSL::Cipher::AES.new(128, :CBC)
         cipher.encrypt
-        cipher.key = memory_key_for(path, key)
-        return Base64.strict_encode64(cipher.update(plaintext) + cipher.final)
+        cipher.key = memory_key_for(path, key, context: context)
+        return DEV_PREFIX + Base64.strict_encode64(cipher.update(plaintext) + cipher.final)
       end
 
       # Perform in-memory decryption. This is useful for testing and development.
-      def memory_decrypt(path, key, ciphertext, client)
-        log_warning(DEV_WARNING)
+      def memory_decrypt(path, key, ciphertext, client: , context: nil)
+        log_warning(DEV_WARNING) if self.in_memory_warnings_enabled?
 
         return nil if ciphertext.nil?
 
+        raise Vault::Rails::InvalidCiphertext.new(ciphertext) if !ciphertext.start_with?(DEV_PREFIX)
+        data = ciphertext[DEV_PREFIX.length..-1]
+
         cipher = OpenSSL::Cipher::AES.new(128, :CBC)
         cipher.decrypt
-        cipher.key = memory_key_for(path, key)
-        return cipher.update(Base64.strict_decode64(ciphertext)) + cipher.final
+        cipher.key = memory_key_for(path, key, context: context)
+        return cipher.update(Base64.strict_decode64(data)) + cipher.final
+      end
+
+      # The symmetric key for the given params.
+      # @return [String]
+      def memory_key_for(path, key, context: nil)
+        md5 = OpenSSL::Digest::MD5.new
+        md5 << path
+        md5 << key
+        md5 << context if context
+        md5.digest
       end
 
       # Perform encryption using Vault. This will raise exceptions if Vault is
       # unavailable.
-      def vault_encrypt(path, key, plaintext, client)
+      def vault_encrypt(path, key, plaintext, client: , context: nil)
         return nil if plaintext.nil?
 
-        route  = File.join(path, "encrypt", key)
-        secret = client.logical.write(route,
-          plaintext: Base64.strict_encode64(plaintext),
-        )
+        route = File.join(path, "encrypt", key)
+
+        data = { plaintext: Base64.strict_encode64(plaintext) }
+        data[:context] = Base64.strict_encode64(context) if context
+
+        secret = client.logical.write(route, data)
+
         return secret.data[:ciphertext]
       end
 
       # Perform decryption using Vault. This will raise exceptions if Vault is
       # unavailable.
-      def vault_decrypt(path, key, ciphertext, client)
+      def vault_decrypt(path, key, ciphertext, client: , context: nil)
         return nil if ciphertext.nil?
 
-        route  = File.join(path, "decrypt", key)
-        secret = client.logical.write(route, ciphertext: ciphertext)
-        return Base64.strict_decode64(secret.data[:plaintext])
-      end
+        route = File.join(path, "decrypt", key)
 
-      # The symmetric key for the given params.
-      # @return [String]
-      def memory_key_for(path, key)
-        return Base64.strict_encode64("#{path}/#{key}".ljust(32, "x"))
+        data = { ciphertext: ciphertext }
+        data[:context] = Base64.strict_encode64(context) if context
+
+        secret = client.logical.write(route, data)
+
+        return Base64.strict_decode64(secret.data[:plaintext])
       end
 
       # Forces the encoding into the default Rails encoding and returns the
@@ -227,6 +271,10 @@ module Vault
           ::Rails.logger.warn { msg }
         end
       end
+
+      def transform_role_name(opts)
+        opts[:role] || self.default_role_name || self.application
+      end
     end
   end
 end

data/lib/vault/rails/configurable.rb

@@ -10,10 +10,13 @@ module Vault
       #
       # @return [String]
       def application
-        if !defined?(@application) || @application.nil?
-          raise RuntimeError, "Must set `Vault::Rails#application'!"
+        if defined?(@application) && !@application.nil?
+          return @application
         end
-        return @application
+        if ENV.has_key?("VAULT_RAILS_APPLICATION")
+          return ENV["VAULT_RAILS_APPLICATION"]
+        end
+        raise RuntimeError, "Must set `Vault::Rails#application'!"
       end
 
       # Set the name of the application.
@@ -25,15 +28,18 @@ module Vault
 
       # Whether the connection to Vault is enabled. The default value is `false`,
       # which means vault-rails will perform in-memory encryption/decryption and
-      # not attempt to talk to a reail Vault server. This is useful for
+      # not attempt to talk to a real Vault server. This is useful for
       # development and testing.
       #
       # @return [true, false]
       def enabled?
-        if !defined?(@enabled) || @enabled.nil?
-          return false
+        if defined?(@enabled) && !@enabled.nil?
+          return @enabled
+        end
+        if ENV.has_key?("VAULT_RAILS_ENABLED")
+          return (ENV["VAULT_RAILS_ENABLED"] == "true")
         end
-        return @enabled
+        return false
       end
 
       # Sets whether Vault is enabled. Users can set this in an initializer
@@ -49,6 +55,32 @@ module Vault
         @enabled = !!val
       end
 
+      # Whether warnings about in-memory ciphers are enabled. The default value
+      # is `true`, which means vault-rails will log a warning for every attempt
+      # to encrypt or decrypt using an in-memory cipher. This is useful for
+      # development and testing.
+      #
+      # @return [true, false]
+      def in_memory_warnings_enabled?
+        if !defined?(@in_memory_warnings_enabled) || @in_memory_warnings_enabled.nil?
+          return true
+        end
+        return @in_memory_warnings_enabled
+      end
+
+      # Sets whether warnings about in-memory ciphers are enabled. Users can set
+      # this in an initializer depending on their Rails environment.
+      #
+      # @example
+      #   Vault.configure do |vault|
+      #     vault.in_memory_warnings_enabled = !Rails.env.test?
+      #   end
+      #
+      # @return [true, false]
+      def in_memory_warnings_enabled=(val)
+        @in_memory_warnings_enabled = val
+      end
+
       # Gets the number of retry attempts.
       #
       # @return [Fixnum]
@@ -86,13 +118,27 @@ module Vault
         @retry_max_wait ||= Vault::Defaults::RETRY_MAX_WAIT
       end
 
-      # Sets the naximum amount of time for a single retry. Please see the Vault
+      # Sets the maximum amount of time for a single retry. Please see the Vault
       # documentation for more information.
       #
       # @param [Fixnum] val
       def retry_max_wait=(val)
         @retry_max_wait = val
       end
+
+      # Gets the default role name.
+      #
+      # @return [String]
+      def default_role_name
+        @default_role_name
+      end
+
+      # Sets the default role to use with various plugins.
+      #
+      # @param [String] val
+      def default_role_name=(val)
+        @default_role_name = val
+      end
     end
   end
 end

data/lib/vault/rails/errors.rb

@@ -14,6 +14,14 @@ module Vault
       end
     end
 
+    class InvalidCiphertext < VaultRailsError
+      def initialize(ciphertext)
+        super <<~EOH
+          Invalid ciphertext: `#{ciphertext}'.
+        EOH
+      end
+    end
+
     class ValidationFailedError < VaultRailsError; end
   end
 end

data/lib/vault/rails/{serializer.rb → json_serializer.rb}

@@ -7,17 +7,16 @@ module Vault
       }.freeze
 
       def self.encode(raw)
-        self._init!
-
-        raw = {} if raw.nil?
+        _init!
 
         JSON.fast_generate(raw)
       end
 
       def self.decode(raw)
-        self._init!
+        _init!
+
+        return nil if raw == nil || raw == ""
 
-        return {} if raw.nil? || raw.empty?
         JSON.parse(raw, DECODE_OPTIONS)
       end
 

data/lib/vault/rails/version.rb

@@ -1,5 +1,5 @@
 module Vault
   module Rails
-    VERSION = "0.3.1"
+    VERSION = "0.7.0"
   end
 end

data/spec/dummy/app/models/lazy_person.rb

@@ -25,4 +25,24 @@ class LazyPerson < ActiveRecord::Base
     decode: ->(raw) { raw && raw[3...-3] }
 
   vault_attribute :non_ascii
+
+  vault_attribute :default,
+    default: "abc123"
+
+  vault_attribute :default_with_serializer,
+    serialize: :json,
+    default: {}
+
+  vault_attribute :context_string,
+    context: "production"
+
+  vault_attribute :context_symbol,
+    context: :encryption_context
+
+  vault_attribute :context_proc,
+    context: ->(record) { record.encryption_context }
+
+  def encryption_context
+    "user_#{id}"
+  end
 end

data/spec/dummy/app/models/lazy_single_person.rb

@@ -0,0 +1,18 @@
+
+class LazySinglePerson < ActiveRecord::Base
+  include Vault::EncryptedModel
+
+  self.table_name = "people"
+
+  vault_lazy_decrypt!
+  vault_single_decrypt!
+
+  vault_attribute :ssn
+
+  vault_attribute :credit_card,
+    encrypted_column: :cc_encrypted
+
+  def encryption_context
+    "user_#{id}"
+  end
+end

data/spec/dummy/app/models/person.rb

@@ -21,5 +21,40 @@ class Person < ActiveRecord::Base
     decode: ->(raw) { raw && raw[3...-3] }
 
   vault_attribute :non_ascii
-end
 
+  vault_attribute :default,
+    default: "abc123"
+
+  vault_attribute :default_with_serializer,
+    serialize: :json,
+    default: {}
+
+  vault_attribute :context_string,
+    context: "production"
+
+  vault_attribute :context_symbol,
+    context: :encryption_context
+
+  vault_attribute :context_proc,
+    context: ->(record) { record.encryption_context }
+
+  vault_attribute :transform_ssn,
+    transform_secret: {
+      transformation: "social_sec"
+    }
+
+  vault_attribute :bad_transform,
+    transform_secret: {
+      transformation: "foobar_transformation"
+    }
+
+  vault_attribute :bad_role_transform,
+    transform_secret: {
+      transformation: "social_sec",
+      role: "foobar_role"
+    }
+
+  def encryption_context
+    "user_#{id}"
+  end
+end

data/spec/dummy/config/environments/development.rb

@@ -16,9 +16,6 @@ Rails.application.configure do
   # Don't care if the mailer can't send.
   config.action_mailer.raise_delivery_errors = false
 
-  # Print deprecation notices to the Rails logger.
-  config.active_support.deprecation = :log
-
   # Raise an error on page load if there are pending migrations.
   config.active_record.migration_error = :page_load
 
@@ -36,4 +33,9 @@ Rails.application.configure do
 
   # Raises error for missing translations
   # config.action_view.raise_on_missing_translations = true
+
+  # Use native SQLite integers as booleans in Rails 5.2+
+  if ActiveRecord.gem_version >= Gem::Version.new("5.2")
+    config.active_record.sqlite3.represent_boolean_as_integer = true
+  end
 end

data/spec/dummy/config/environments/test.rb

@@ -36,9 +36,11 @@ Rails.application.configure do
   # ActionMailer::Base.deliveries array.
   config.action_mailer.delivery_method = :test
 
-  # Print deprecation notices to the stderr.
-  config.active_support.deprecation = :stderr
-
   # Raises error for missing translations
   # config.action_view.raise_on_missing_translations = true
+
+  # Use native SQLite integers as booleans in Rails 5.2+
+  if ActiveRecord.gem_version >= Gem::Version.new("5.2")
+    config.active_record.sqlite3.represent_boolean_as_integer = true
+  end
 end