vault-rails 0.6.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a77c9fca886e05e6f2d085f1d1c2108e3362a008d206064e5096a963ccf20e9f
-  data.tar.gz: 79c838d9af6fb2bbb490b86aa2653267162d00dd8adc9cb2219f4f55c24fb3de
+  metadata.gz: 60cc2b942cbd53163fc7effc3b0f47afc268f203ce079c444635ca9b4f14cc3a
+  data.tar.gz: d1c4e963e55205851a0e866eae50067f0a6c4839b53327ae6bb190d6ba98dd7f
 SHA512:
-  metadata.gz: 393da926db908ac314bef3ed19034634b0f7eef69f36cc4052e36990c03c7fc36194cafdc8eafce61acac758b12218cbdd77aca9f35f345509b918d44abdb68b
-  data.tar.gz: a57640064fa2aafc9193edd65bca73419e1e50cf53177914f27646accc4d8b24dda401e20b1ab3e2b2eab5fe8a8e0cafd963f8a89605c09a75c6d8657cddf773
+  metadata.gz: d08dbab43552537a3380e798efc70ba83694ac6e41bbd3e564c22ae0aead476c9080cf57685b9ac3a4e0719769ff91ce93a72c5bdd64b1a7593700a4306530a8
+  data.tar.gz: 594a5b3017457cee3369553b118ab67a105cabc42d7d6b52c4130953d954ec8063b4d52392088ce67f31a07ed6800134d1a5819c18378b312ede905ce9caea69

data/README.md

@@ -1,9 +1,11 @@
-Vault Rails [![Build Status](https://secure.travis-ci.org/hashicorp/vault-rails.svg?branch=master)](http://travis-ci.org/hashicorp/vault-rails)
+Vault Rails [![Build Status](https://circleci.com/gh/hashicorp/vault-rails.svg?style=shield)](https://circleci.com/gh/hashicorp/vault-rails)
 ===========
 
 Vault is the official Rails plugin for interacting with [Vault](https://vaultproject.io) by HashiCorp.
 
-**The documentation in this README corresponds to the master branch of the Vault Rails plugin. It may contain unreleased features or different APIs than the most recently released version. Please see the Git tag that corresponds to your version of the Vault Rails plugin for the proper documentation.**
+**If you're viewing this README from GitHub on the `master` branch, know that it may contain unreleased features or
+different APIs than the most recently released version. Please see the Git tag that corresponds to your version of the
+Vault Rails plugin for the proper documentation.**
 
 ## Table of Contents
 1. [Quick Start](#quick-start)
@@ -19,7 +21,7 @@ Quick Start
 1. Add to your Gemfile:
 
     ```ruby
-    gem "vault-rails", "~> 0.1", require: false
+    gem "vault-rails", require: false
     ```
 
     and then run the `bundle` command to install.
@@ -81,6 +83,7 @@ Quick Start
     person.save #=> true
     person.ssn_encrypted #=> "vault:v0:EE3EV8P5hyo9h..."
     ```
+- **Note** The unencrypted value will still be saved if the attribute referenced has a corresponding column. (i.e. `ssn` in the case above)
 
 
 Advanced Configuration

data/Rakefile

@@ -11,6 +11,9 @@ Bundler::GemHelper.install_tasks
 APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
 load "rails/tasks/engine.rake"
 
-require "rspec/core/rake_task"
-RSpec::Core::RakeTask.new(:spec)
 task default: :spec
+
+require "rspec/core/rake_task"
+RSpec::Core::RakeTask.new(:spec) do |t|
+  puts "\n==> Testing with Rails #{Rails::VERSION::STRING} and Ruby #{RUBY_VERSION} <==\n"
+end

data/lib/vault/encrypted_model.rb

@@ -41,31 +41,22 @@ module Vault
       #   a proc to encode the value with
       # @option options [Proc] :decode
       #   a proc to decode the value with
+      # @option options [Hash] :transform_secret
+      #   a hash providing details about the transformation to use,
+      #   this includes the name, and the role to use
       def vault_attribute(attribute, options = {})
-        encrypted_column = options[:encrypted_column] || "#{attribute}_encrypted"
-        path = options[:path] || "transit"
-        key = options[:key] || "#{Vault::Rails.application}_#{table_name}_#{attribute}"
-        context = options[:context]
-        default = options[:default]
-
         # Sanity check options!
         _vault_validate_options!(options)
 
-        # Get the serializer if one was given.
-        serializer = options[:serialize]
+        parsed_opts = if options[:transform_secret]
+                        parse_transform_secret_attributes(attribute, options)
+                      else
+                        parse_transit_attributes(attribute, options)
+                      end
+        parsed_opts[:encrypted_column] = options[:encrypted_column] || "#{attribute}_encrypted"
 
-        # Unless a class or module was given, construct our serializer. (Slass
-        # is a subset of Module).
-        if serializer && !serializer.is_a?(Module)
-          serializer = Vault::Rails.serializer_for(serializer)
-        end
-
-        # See if custom encoding or decoding options were given.
-        if options[:encode] && options[:decode]
-          serializer = Class.new
-          serializer.define_singleton_method(:encode, &options[:encode])
-          serializer.define_singleton_method(:decode, &options[:decode])
-        end
+        # Make a note of this attribute so we can use it in the future (maybe).
+        __vault_attributes[attribute.to_sym] = parsed_opts
 
         self.attribute attribute.to_s, ActiveRecord::Type::Value.new,
           default: nil
@@ -82,7 +73,7 @@ module Vault
 
           # We always set it as changed without comparing with the current value
           # because we allow our held values to be mutated, so we need to assume
-          # that if you call attr=, you want it send back regardless.
+          # that if you call attr=, you want it sent back regardless.
 
           attribute_will_change!("#{attribute}")
           instance_variable_set("@#{attribute}", value)
@@ -98,16 +89,6 @@ module Vault
           instance_variable_get("@#{attribute}").present?
         end
 
-        # Make a note of this attribute so we can use it in the future (maybe).
-        __vault_attributes[attribute.to_sym] = {
-          context: context,
-          default: default,
-          encrypted_column: encrypted_column,
-          key: key,
-          path: path,
-          serializer: serializer
-        }
-
         self
       end
 
@@ -126,6 +107,11 @@ module Vault
             raise Vault::Rails::ValidationFailedError, "Cannot use a " \
               "custom encoder/decoder if a `:serializer' is specified!"
           end
+
+          if options[:transform_secret]
+            raise Vault::Rails::ValidationFailedError, "Cannot use the " \
+              "transform secrets engine with a specified `:serializer'!"
+          end
         end
 
         if options[:encode] && !options[:decode]
@@ -144,6 +130,12 @@ module Vault
               "`:context' must take 1 argument!"
           end
         end
+        if transform_opts = options[:transform_secret]
+          if !transform_opts[:transformation]
+            raise Vault::Rails::VaildationFailedError, "Transform Secrets " \
+              "requires a transformation name!"
+          end
+        end
       end
 
       def vault_lazy_decrypt
@@ -161,6 +153,54 @@ module Vault
       def vault_single_decrypt!
         @vault_single_decrypt = true
       end
+
+      private
+
+      def parse_transform_secret_attributes(attribute, options)
+        opts = {}
+        opts[:transform_secret] = true
+
+        serializer = Class.new
+        serializer.define_singleton_method(:encode) do |raw|
+          return if raw.nil?
+          resp = Vault::Rails.transform_encode(raw, options[:transform_secret])
+          resp.dig(:data, :encoded_value)
+        end
+        serializer.define_singleton_method(:decode) do |raw|
+          return if raw.nil?
+          resp = Vault::Rails.transform_decode(raw, options[:transform_secret])
+          resp.dig(:data, :decoded_value)
+        end
+        opts[:serializer] = serializer
+        opts
+      end
+
+      def parse_transit_attributes(attribute, options)
+        opts = {}
+        opts[:path] = options[:path] || "transit"
+        opts[:key] = options[:key] || "#{Vault::Rails.application}_#{table_name}_#{attribute}"
+        opts[:context] = options[:context]
+        opts[:default] = options[:default]
+
+        # Get the serializer if one was given.
+        serializer = options[:serialize]
+
+        # Unless a class or module was given, construct our serializer. (Slass
+        # is a subset of Module).
+        if serializer && !serializer.is_a?(Module)
+          serializer = Vault::Rails.serializer_for(serializer)
+        end
+
+        # See if custom encoding or decoding options were given.
+        if options[:encode] && options[:decode]
+          serializer = Class.new
+          serializer.define_singleton_method(:encode, &options[:encode])
+          serializer.define_singleton_method(:decode, &options[:decode])
+        end
+
+        opts[:serializer] = serializer
+        opts
+      end
     end
 
     included do
@@ -176,6 +216,12 @@ module Vault
       # before theirs, resulting in attributes that are not persisted.
       after_save :__vault_persist_attributes!
 
+      # Before destroying a record, ensure that all vault attributes have been
+      # decrypted. Otherwise, attempting to read a lazily decrypted attribute
+      # after a destroy will result in a "Can't modify frozen Hash" error when
+      # vault-rails attempts to set the plain-text attribute.
+      before_destroy :__vault_load_attributes!, unless: -> { @__vault_loaded }
+
       # Decrypt all the attributes from Vault.
       # @return [true]
       def __vault_initialize_attributes!
@@ -196,7 +242,7 @@ module Vault
           self.__vault_load_attribute!(attribute, options)
         end
 
-        @__vault_loaded = self.class.__vault_attributes.all? { |attribute, __| instance_variable_get("@#{attribute}") }
+        @__vault_loaded = self.class.__vault_attributes.all? { |attribute, __| instance_variable_defined?("@#{attribute}") }
 
         return true
       end
@@ -209,6 +255,7 @@ module Vault
         column     = options[:encrypted_column]
         context    = options[:context]
         default    = options[:default]
+        transform  = options[:transform_secret]
 
         # Load the ciphertext
         ciphertext = read_attribute(column)
@@ -222,11 +269,18 @@ module Vault
         # Generate context if needed
         generated_context = __vault_generate_context(context)
 
-        # Load the plaintext value
-        plaintext = Vault::Rails.decrypt(
-          path, key, ciphertext,
-          context: generated_context
-        )
+        if transform
+          # If this is a secret encrypted with FPE, we do not need to decrypt with vault
+          # This prevents a double encryption via standard vault encryption and FPE.
+          # FPE is decrypted later as part of the serializer
+          plaintext = ciphertext
+        else
+          # Load the plaintext value
+          plaintext = Vault::Rails.decrypt(
+            path, key, ciphertext,
+            context: generated_context
+          )
+        end
 
         # Deserialize the plaintext value, if a serializer exists
         if serializer
@@ -273,6 +327,7 @@ module Vault
         serializer = options[:serializer]
         column     = options[:encrypted_column]
         context    = options[:context]
+        transform  = options[:transform_secret]
 
         # Only persist changed attributes to minimize requests - this helps
         # minimize the number of requests to Vault.
@@ -297,11 +352,18 @@ module Vault
         # Generate context if needed
         generated_context = __vault_generate_context(context)
 
-        # Generate the ciphertext and store it back as an attribute
-        ciphertext = Vault::Rails.encrypt(
-          path, key, plaintext,
-          context: generated_context
-        )
+        if transform
+          # If this is a secret encrypted with FPE, we should not encrypt it in vault
+          # This prevents a double encryption via standard vault encryption and FPE.
+          # FPE was performed earlier as part of the serialization process.
+          ciphertext = plaintext
+        else
+          # Generate the ciphertext and store it back as an attribute
+          ciphertext = Vault::Rails.encrypt(
+            path, key, plaintext,
+            context: generated_context
+          )
+        end
 
         # Write the attribute back, so that we don't have to reload the record
         # to get the ciphertext

data/lib/vault/rails.rb

@@ -141,6 +141,34 @@ module Vault
         end
       end
 
+      def transform_encode(plaintext, opts={})
+        return plaintext if plaintext&.empty?
+        request_opts = {}
+        request_opts[:value] = plaintext
+
+        if opts[:transformation]
+          request_opts[:transformation] = opts[:transformation]
+        end
+
+        role_name = transform_role_name(opts)
+        client.transform.encode(role_name: role_name, **request_opts)
+      end
+
+      def transform_decode(ciphertext, opts={})
+        return ciphertext if ciphertext&.empty?
+        request_opts = {}
+        request_opts[:value] = ciphertext
+
+        if opts[:transformation]
+          request_opts[:transformation] = opts[:transformation]
+        end
+
+        role_name = transform_role_name(opts)
+        puts request_opts
+        client.transform.decode(role_name: role_name, **request_opts)
+      end
+
+
       protected
 
       # Perform in-memory encryption. This is useful for testing and development.
@@ -243,6 +271,10 @@ module Vault
           ::Rails.logger.warn { msg }
         end
       end
+
+      def transform_role_name(opts)
+        opts[:role] || self.default_role_name || self.application
+      end
     end
   end
 end

data/lib/vault/rails/configurable.rb

@@ -125,6 +125,20 @@ module Vault
       def retry_max_wait=(val)
         @retry_max_wait = val
       end
+
+      # Gets the default role name.
+      #
+      # @return [String]
+      def default_role_name
+        @default_role_name
+      end
+
+      # Sets the default role to use with various plugins.
+      #
+      # @param [String] val
+      def default_role_name=(val)
+        @default_role_name = val
+      end
     end
   end
 end

data/lib/vault/rails/version.rb

@@ -1,5 +1,5 @@
 module Vault
   module Rails
-    VERSION = "0.6.0"
+    VERSION = "0.7.0"
   end
 end

data/spec/dummy/app/models/person.rb

@@ -38,6 +38,22 @@ class Person < ActiveRecord::Base
   vault_attribute :context_proc,
     context: ->(record) { record.encryption_context }
 
+  vault_attribute :transform_ssn,
+    transform_secret: {
+      transformation: "social_sec"
+    }
+
+  vault_attribute :bad_transform,
+    transform_secret: {
+      transformation: "foobar_transformation"
+    }
+
+  vault_attribute :bad_role_transform,
+    transform_secret: {
+      transformation: "social_sec",
+      role: "foobar_role"
+    }
+
   def encryption_context
     "user_#{id}"
   end

data/spec/dummy/config/environments/development.rb

@@ -16,9 +16,6 @@ Rails.application.configure do
   # Don't care if the mailer can't send.
   config.action_mailer.raise_delivery_errors = false
 
-  # Print deprecation notices to the Rails logger.
-  config.active_support.deprecation = :log
-
   # Raise an error on page load if there are pending migrations.
   config.active_record.migration_error = :page_load
 
@@ -36,4 +33,9 @@ Rails.application.configure do
 
   # Raises error for missing translations
   # config.action_view.raise_on_missing_translations = true
+
+  # Use native SQLite integers as booleans in Rails 5.2+
+  if ActiveRecord.gem_version >= Gem::Version.new("5.2")
+    config.active_record.sqlite3.represent_boolean_as_integer = true
+  end
 end

data/spec/dummy/config/environments/test.rb

@@ -36,9 +36,11 @@ Rails.application.configure do
   # ActionMailer::Base.deliveries array.
   config.action_mailer.delivery_method = :test
 
-  # Print deprecation notices to the stderr.
-  config.active_support.deprecation = :stderr
-
   # Raises error for missing translations
   # config.action_view.raise_on_missing_translations = true
+
+  # Use native SQLite integers as booleans in Rails 5.2+
+  if ActiveRecord.gem_version >= Gem::Version.new("5.2")
+    config.active_record.sqlite3.represent_boolean_as_integer = true
+  end
 end

data/spec/dummy/db/migrate/20150428220101_create_people.rb

@@ -13,6 +13,7 @@ class CreatePeople < ActiveRecord::Migration[4.2]
       t.string :context_string_encrypted
       t.string :context_symbol_encrypted
       t.string :context_proc_encrypted
+      t.string :transform_ssn_encrypted
 
       t.timestamps null: false
     end

data/spec/dummy/db/schema.rb

@@ -2,11 +2,11 @@
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
 #
-# Note that this schema.rb definition is the authoritative source for your
-# database schema. If you need to create the application database on another
-# system, you should be using db:schema:load, not running all the migrations
-# from scratch. The latter is a flawed and unsustainable approach (the more migrations
-# you'll amass, the slower it'll run and the greater likelihood for issues).
+# This file is the source Rails uses to define your schema when running `rails
+# db:schema:load`. When creating a new database, `rails db:schema:load` tends to
+# be faster and is potentially less error prone than running all of your
+# migrations from scratch. Old migrations may fail to apply correctly if those
+# migrations use external dependencies or application code.
 #
 # It's strongly recommended that you check this file into your version control system.
 
@@ -25,6 +25,7 @@ ActiveRecord::Schema.define(version: 2015_04_28_220101) do
     t.string "context_string_encrypted"
     t.string "context_symbol_encrypted"
     t.string "context_proc_encrypted"
+    t.string "transform_ssn_encrypted"
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
   end