vault-rails 0.3.2 → 0.7.1

data/lib/vault/rails.rb

@@ -6,7 +6,7 @@ require "json"
 require_relative "encrypted_model"
 require_relative "rails/configurable"
 require_relative "rails/errors"
-require_relative "rails/serializer"
+require_relative "rails/json_serializer"
 require_relative "rails/version"
 
 module Vault
@@ -26,6 +26,7 @@ module Vault
     # The warning string to print when running in development mode.
     DEV_WARNING = "[vault-rails] Using in-memory cipher - this is not secure " \
       "and should never be used in production-like environments!".freeze
+    DEV_PREFIX = "vault:dev:".freeze
 
     class << self
       # API client object based off the configured options in {Configurable}.
@@ -72,7 +73,7 @@ module Vault
       #
       # @return [String]
       #   the encrypted cipher text
-      def encrypt(path, key, plaintext, client = self.client)
+      def encrypt(path, key, plaintext, client: self.client, context: nil)
         if plaintext.blank?
           return plaintext
         end
@@ -82,9 +83,9 @@ module Vault
 
         with_retries do
           if self.enabled?
-            result = self.vault_encrypt(path, key, plaintext, client)
+            result = self.vault_encrypt(path, key, plaintext, client: client, context: context)
           else
-            result = self.memory_encrypt(path, key, plaintext, client)
+            result = self.memory_encrypt(path, key, plaintext, client: client, context: context)
           end
 
           return self.force_encoding(result)
@@ -104,7 +105,7 @@ module Vault
       #
       # @return [String]
       #   the decrypted plaintext text
-      def decrypt(path, key, ciphertext, client = self.client)
+      def decrypt(path, key, ciphertext, client: self.client, context: nil)
         if ciphertext.blank?
           return ciphertext
         end
@@ -114,9 +115,9 @@ module Vault
 
         with_retries do
           if self.enabled?
-            result = self.vault_decrypt(path, key, ciphertext, client)
+            result = self.vault_decrypt(path, key, ciphertext, client: client, context: context)
           else
-            result = self.memory_decrypt(path, key, ciphertext, client)
+            result = self.memory_decrypt(path, key, ciphertext, client: client, context: context)
           end
 
           return self.force_encoding(result)
@@ -140,58 +141,101 @@ module Vault
         end
       end
 
+      def transform_encode(plaintext, opts={})
+        return plaintext if plaintext&.empty?
+        request_opts = {}
+        request_opts[:value] = plaintext
+
+        if opts[:transformation]
+          request_opts[:transformation] = opts[:transformation]
+        end
+
+        role_name = transform_role_name(opts)
+        client.transform.encode(role_name: role_name, **request_opts)
+      end
+
+      def transform_decode(ciphertext, opts={})
+        return ciphertext if ciphertext&.empty?
+        request_opts = {}
+        request_opts[:value] = ciphertext
+
+        if opts[:transformation]
+          request_opts[:transformation] = opts[:transformation]
+        end
+
+        role_name = transform_role_name(opts)
+        puts request_opts
+        client.transform.decode(role_name: role_name, **request_opts)
+      end
+
+
       protected
 
       # Perform in-memory encryption. This is useful for testing and development.
-      def memory_encrypt(path, key, plaintext, client)
+      def memory_encrypt(path, key, plaintext, client: , context: nil)
         log_warning(DEV_WARNING) if self.in_memory_warnings_enabled?
 
         return nil if plaintext.nil?
 
         cipher = OpenSSL::Cipher::AES.new(128, :CBC)
         cipher.encrypt
-        cipher.key = memory_key_for(path, key)
-        return Base64.strict_encode64(cipher.update(plaintext) + cipher.final)
+        cipher.key = memory_key_for(path, key, context: context)
+        return DEV_PREFIX + Base64.strict_encode64(cipher.update(plaintext) + cipher.final)
       end
 
       # Perform in-memory decryption. This is useful for testing and development.
-      def memory_decrypt(path, key, ciphertext, client)
+      def memory_decrypt(path, key, ciphertext, client: , context: nil)
         log_warning(DEV_WARNING) if self.in_memory_warnings_enabled?
 
         return nil if ciphertext.nil?
 
+        raise Vault::Rails::InvalidCiphertext.new(ciphertext) if !ciphertext.start_with?(DEV_PREFIX)
+        data = ciphertext[DEV_PREFIX.length..-1]
+
         cipher = OpenSSL::Cipher::AES.new(128, :CBC)
         cipher.decrypt
-        cipher.key = memory_key_for(path, key)
-        return cipher.update(Base64.strict_decode64(ciphertext)) + cipher.final
+        cipher.key = memory_key_for(path, key, context: context)
+        return cipher.update(Base64.strict_decode64(data)) + cipher.final
+      end
+
+      # The symmetric key for the given params.
+      # @return [String]
+      def memory_key_for(path, key, context: nil)
+        md5 = OpenSSL::Digest::MD5.new
+        md5 << path
+        md5 << key
+        md5 << context if context
+        md5.digest
       end
 
       # Perform encryption using Vault. This will raise exceptions if Vault is
       # unavailable.
-      def vault_encrypt(path, key, plaintext, client)
+      def vault_encrypt(path, key, plaintext, client: , context: nil)
         return nil if plaintext.nil?
 
-        route  = File.join(path, "encrypt", key)
-        secret = client.logical.write(route,
-          plaintext: Base64.strict_encode64(plaintext),
-        )
+        route = File.join(path, "encrypt", key)
+
+        data = { plaintext: Base64.strict_encode64(plaintext) }
+        data[:context] = Base64.strict_encode64(context) if context
+
+        secret = client.logical.write(route, data)
+
         return secret.data[:ciphertext]
       end
 
       # Perform decryption using Vault. This will raise exceptions if Vault is
       # unavailable.
-      def vault_decrypt(path, key, ciphertext, client)
+      def vault_decrypt(path, key, ciphertext, client: , context: nil)
         return nil if ciphertext.nil?
 
-        route  = File.join(path, "decrypt", key)
-        secret = client.logical.write(route, ciphertext: ciphertext)
-        return Base64.strict_decode64(secret.data[:plaintext])
-      end
+        route = File.join(path, "decrypt", key)
 
-      # The symmetric key for the given params.
-      # @return [String]
-      def memory_key_for(path, key)
-        return Base64.strict_encode64("#{path}/#{key}".ljust(32, "x"))
+        data = { ciphertext: ciphertext }
+        data[:context] = Base64.strict_encode64(context) if context
+
+        secret = client.logical.write(route, data)
+
+        return Base64.strict_decode64(secret.data[:plaintext])
       end
 
       # Forces the encoding into the default Rails encoding and returns the
@@ -227,6 +271,10 @@ module Vault
           ::Rails.logger.warn { msg }
         end
       end
+
+      def transform_role_name(opts)
+        opts[:role] || self.default_role_name || self.application
+      end
     end
   end
 end

data/lib/vault/rails/configurable.rb

@@ -10,10 +10,13 @@ module Vault
       #
       # @return [String]
       def application
-        if !defined?(@application) || @application.nil?
-          raise RuntimeError, "Must set `Vault::Rails#application'!"
+        if defined?(@application) && !@application.nil?
+          return @application
         end
-        return @application
+        if ENV.has_key?("VAULT_RAILS_APPLICATION")
+          return ENV["VAULT_RAILS_APPLICATION"]
+        end
+        raise RuntimeError, "Must set `Vault::Rails#application'!"
       end
 
       # Set the name of the application.
@@ -30,10 +33,13 @@ module Vault
       #
       # @return [true, false]
       def enabled?
-        if !defined?(@enabled) || @enabled.nil?
-          return false
+        if defined?(@enabled) && !@enabled.nil?
+          return @enabled
+        end
+        if ENV.has_key?("VAULT_RAILS_ENABLED")
+          return (ENV["VAULT_RAILS_ENABLED"] == "true")
         end
-        return @enabled
+        return false
       end
 
       # Sets whether Vault is enabled. Users can set this in an initializer
@@ -112,13 +118,27 @@ module Vault
         @retry_max_wait ||= Vault::Defaults::RETRY_MAX_WAIT
       end
 
-      # Sets the naximum amount of time for a single retry. Please see the Vault
+      # Sets the maximum amount of time for a single retry. Please see the Vault
       # documentation for more information.
       #
       # @param [Fixnum] val
       def retry_max_wait=(val)
         @retry_max_wait = val
       end
+
+      # Gets the default role name.
+      #
+      # @return [String]
+      def default_role_name
+        @default_role_name
+      end
+
+      # Sets the default role to use with various plugins.
+      #
+      # @param [String] val
+      def default_role_name=(val)
+        @default_role_name = val
+      end
     end
   end
 end

data/lib/vault/rails/errors.rb

@@ -14,6 +14,14 @@ module Vault
       end
     end
 
+    class InvalidCiphertext < VaultRailsError
+      def initialize(ciphertext)
+        super <<~EOH
+          Invalid ciphertext: `#{ciphertext}'.
+        EOH
+      end
+    end
+
     class ValidationFailedError < VaultRailsError; end
   end
 end

data/lib/vault/rails/{serializer.rb → json_serializer.rb}

@@ -7,17 +7,16 @@ module Vault
       }.freeze
 
       def self.encode(raw)
-        self._init!
-
-        raw = {} if raw.nil?
+        _init!
 
         JSON.fast_generate(raw)
       end
 
       def self.decode(raw)
-        self._init!
+        _init!
+
+        return nil if raw == nil || raw == ""
 
-        return {} if raw.nil? || raw.empty?
         JSON.parse(raw, DECODE_OPTIONS)
       end
 

data/lib/vault/rails/version.rb

@@ -1,5 +1,5 @@
 module Vault
   module Rails
-    VERSION = "0.3.2"
+    VERSION = "0.7.1"
   end
 end

data/spec/dummy/app/models/lazy_person.rb

@@ -25,4 +25,24 @@ class LazyPerson < ActiveRecord::Base
     decode: ->(raw) { raw && raw[3...-3] }
 
   vault_attribute :non_ascii
+
+  vault_attribute :default,
+    default: "abc123"
+
+  vault_attribute :default_with_serializer,
+    serialize: :json,
+    default: {}
+
+  vault_attribute :context_string,
+    context: "production"
+
+  vault_attribute :context_symbol,
+    context: :encryption_context
+
+  vault_attribute :context_proc,
+    context: ->(record) { record.encryption_context }
+
+  def encryption_context
+    "user_#{id}"
+  end
 end

data/spec/dummy/app/models/lazy_single_person.rb

@@ -0,0 +1,18 @@
+
+class LazySinglePerson < ActiveRecord::Base
+  include Vault::EncryptedModel
+
+  self.table_name = "people"
+
+  vault_lazy_decrypt!
+  vault_single_decrypt!
+
+  vault_attribute :ssn
+
+  vault_attribute :credit_card,
+    encrypted_column: :cc_encrypted
+
+  def encryption_context
+    "user_#{id}"
+  end
+end

data/spec/dummy/app/models/person.rb

@@ -21,5 +21,40 @@ class Person < ActiveRecord::Base
     decode: ->(raw) { raw && raw[3...-3] }
 
   vault_attribute :non_ascii
-end
 
+  vault_attribute :default,
+    default: "abc123"
+
+  vault_attribute :default_with_serializer,
+    serialize: :json,
+    default: {}
+
+  vault_attribute :context_string,
+    context: "production"
+
+  vault_attribute :context_symbol,
+    context: :encryption_context
+
+  vault_attribute :context_proc,
+    context: ->(record) { record.encryption_context }
+
+  vault_attribute :transform_ssn,
+    transform_secret: {
+      transformation: "social_sec"
+    }
+
+  vault_attribute :bad_transform,
+    transform_secret: {
+      transformation: "foobar_transformation"
+    }
+
+  vault_attribute :bad_role_transform,
+    transform_secret: {
+      transformation: "social_sec",
+      role: "foobar_role"
+    }
+
+  def encryption_context
+    "user_#{id}"
+  end
+end

data/spec/dummy/config/environments/development.rb

@@ -16,9 +16,6 @@ Rails.application.configure do
   # Don't care if the mailer can't send.
   config.action_mailer.raise_delivery_errors = false
 
-  # Print deprecation notices to the Rails logger.
-  config.active_support.deprecation = :log
-
   # Raise an error on page load if there are pending migrations.
   config.active_record.migration_error = :page_load
 
@@ -36,4 +33,9 @@ Rails.application.configure do
 
   # Raises error for missing translations
   # config.action_view.raise_on_missing_translations = true
+
+  # Use native SQLite integers as booleans in Rails 5.2+
+  if ActiveRecord.gem_version >= Gem::Version.new("5.2")
+    config.active_record.sqlite3.represent_boolean_as_integer = true
+  end
 end

data/spec/dummy/config/environments/test.rb

@@ -36,9 +36,11 @@ Rails.application.configure do
   # ActionMailer::Base.deliveries array.
   config.action_mailer.delivery_method = :test
 
-  # Print deprecation notices to the stderr.
-  config.active_support.deprecation = :stderr
-
   # Raises error for missing translations
   # config.action_view.raise_on_missing_translations = true
+
+  # Use native SQLite integers as booleans in Rails 5.2+
+  if ActiveRecord.gem_version >= Gem::Version.new("5.2")
+    config.active_record.sqlite3.represent_boolean_as_integer = true
+  end
 end

data/spec/dummy/db/migrate/20150428220101_create_people.rb

@@ -1,4 +1,4 @@
-class CreatePeople < ActiveRecord::Migration
+class CreatePeople < ActiveRecord::Migration[4.2]
   def change
     create_table :people do |t|
       t.string :name
@@ -8,6 +8,12 @@ class CreatePeople < ActiveRecord::Migration
       t.string :business_card_encrypted
       t.string :favorite_color_encrypted
       t.string :non_ascii_encrypted
+      t.string :default_encrypted
+      t.string :default_with_serializer_encrypted
+      t.string :context_string_encrypted
+      t.string :context_symbol_encrypted
+      t.string :context_proc_encrypted
+      t.string :transform_ssn_encrypted
 
       t.timestamps null: false
     end

data/spec/dummy/db/schema.rb

@@ -1,28 +1,33 @@
-# encoding: UTF-8
 # This file is auto-generated from the current state of the database. Instead
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
 #
-# Note that this schema.rb definition is the authoritative source for your
-# database schema. If you need to create the application database on another
-# system, you should be using db:schema:load, not running all the migrations
-# from scratch. The latter is a flawed and unsustainable approach (the more migrations
-# you'll amass, the slower it'll run and the greater likelihood for issues).
+# This file is the source Rails uses to define your schema when running `rails
+# db:schema:load`. When creating a new database, `rails db:schema:load` tends to
+# be faster and is potentially less error prone than running all of your
+# migrations from scratch. Old migrations may fail to apply correctly if those
+# migrations use external dependencies or application code.
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20150428220101) do
+ActiveRecord::Schema.define(version: 2015_04_28_220101) do
 
   create_table "people", force: :cascade do |t|
-    t.string   "name"
-    t.string   "ssn_encrypted"
-    t.string   "cc_encrypted"
-    t.string   "details_encrypted"
-    t.string   "business_card_encrypted"
-    t.string   "favorite_color_encrypted"
-    t.string   "non_ascii_encrypted"
-    t.datetime "created_at",               null: false
-    t.datetime "updated_at",               null: false
+    t.string "name"
+    t.string "ssn_encrypted"
+    t.string "cc_encrypted"
+    t.string "details_encrypted"
+    t.string "business_card_encrypted"
+    t.string "favorite_color_encrypted"
+    t.string "non_ascii_encrypted"
+    t.string "default_encrypted"
+    t.string "default_with_serializer_encrypted"
+    t.string "context_string_encrypted"
+    t.string "context_symbol_encrypted"
+    t.string "context_proc_encrypted"
+    t.string "transform_ssn_encrypted"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
   end
 
 end