zuora_connect 3.1.0 → 3.1.1.pre.c

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 689c9d74cda46ebd41a5d98dba982700dd365fa3746378276ceb0da4f5d0c493
-  data.tar.gz: 719e7beb03b156986160f8fa881960a7b7231b706c9a6bcd50af1788d622a125
+  metadata.gz: ef73a28bd87609cedef16023f75320765d7b38b3e3417be5b5000be410596127
+  data.tar.gz: 62440f4e6e5ae219f40d9dc5b927b896cd26214cb9693191629929594c9f349a
 SHA512:
-  metadata.gz: 4f905b5518a0b7e556d3cf4a45e73e86b149a4b95d111a315e46a2f91e9a07b43b2e9b77f0bd1c34e6fbf5848d321b64615ec612fc907b7f3fb9fd2f56944be3
-  data.tar.gz: a61a9c662b80a4d8af8a98f6eeef2be56b79cc9bc0853ae36a57ce22a59dde8bae5a7ab1b175aedec703743b6ccae8e81f2e565b028a23cdda9b7dce7544eb1a
+  metadata.gz: fe0dc6bf317c0ff0e76d069db2abd158175527cd5b971065b6c84d79412971c4fbab8ad5141bd4525497d41e38ca2b99c0760f662791a920955770692e278ef5
+  data.tar.gz: f15d374ed1aaa037ca1764d71f468eac6019b6515ac0a41f20835e732adc0dc9651b893f8f5f18b2a494e2e54f083be7dda77b9a6863dbd53a1d39f13e7cb221

data/app/models/zuora_connect/app_instance_base.rb

@@ -187,7 +187,7 @@ module ZuoraConnect
           raise ZuoraConnect::Exceptions::HoldingPattern if holding_pattern && !self.mark_for_refresh
           self.refresh(session: session)
 
-        elsif session["#{self.id}::task_data"].blank?
+        elsif session["#{self.id}::task_data"].blank? && !ZuoraConnect.configuration.local_task_data
           self.new_session_message = "REFRESHING - Task Data Blank"
           ZuoraConnect.logger.debug(self.new_session_message)
           raise ZuoraConnect::Exceptions::HoldingPattern if holding_pattern && !self.mark_for_refresh
@@ -353,8 +353,10 @@ module ZuoraConnect
     end
 
     def fetch_connect_data(session: {})
+      refresh_count ||= 0
       self.check_oauth_state
-      response = HTTParty.get(ZuoraConnect.configuration.url + "/api/#{self.api_version}/tools/tasks/#{self.id}.json",:body => {:access_token => self.access_token})
+      request_url = ZuoraConnect.configuration.url + "/api/#{self.api_version}/tools/tasks/#{self.id}.json"
+      response = HTTParty.get(request_url,:body => {:access_token => self.access_token})
 
       if response.code == 200
         begin
@@ -367,45 +369,43 @@ module ZuoraConnect
         self.set_backup_creds
         self.save(validate: false) if self.changed?
       else
-        raise ZuoraConnect::Exceptions::ConnectCommunicationError.new("Error Communicating with Connect", response.body, response.code)
+        raise ZuoraConnect::Exceptions::ConnectCommunicationError.new("Error communicating with Connect for '#{request_url}' with #{response.code}", response.body, response.code)
+      end
+    rescue *(ZuoraAPI::Login::CONNECTION_EXCEPTIONS + ZuoraAPI::Login::CONNECTION_READ_EXCEPTIONS) => ex
+      refresh_count += 1
+      if refresh_count < 3
+        sleep(10)
+        ZuoraConnect.logger.debug("REFRESH TASK - Connection Failure Retrying(#{refresh_count})", ex, self.default_ougai_items)
+        retry
+      else
+        ZuoraConnect.logger.fatal("REFRESH TASK - Connection Failed", ex)
+        raise
+      end
+    rescue ZuoraConnect::Exceptions::ConnectCommunicationError => ex
+      refresh_count += 1
+      if refresh_count < 3
+        ZuoraConnect.logger.debug("REFRESH TASK - Communication Failure Retrying(#{refresh_count})", ex, self.default_ougai_items)
+        self.refresh_oauth if ex.code == 401
+        retry
+      else
+        ZuoraConnect.logger.fatal("REFRESH TASK - Communication Failed #{ex.code}", ex, self.default_ougai_items)
+        raise
       end
     end
 
-
     def refresh(session: {})
       refresh_count ||= 0
       skip_connect ||= ZuoraConnect.configuration.skip_connect
-      begin
-        #Check how app was deployed
-        if !self.auto_deployed? && (!skip_connect || self['zuora_logins'].blank?)
-          self.fetch_connect_data(session: session)
-        else
-          self.build_task(task_data: self.zuora_logins, session: session)
-        end
-        self.last_refresh = Time.now.to_i
-        self.cache_app_instance
-        self.reset_mark_for_refresh
-      rescue *(ZuoraAPI::Login::CONNECTION_EXCEPTIONS + ZuoraAPI::Login::CONNECTION_READ_EXCEPTIONS) => ex
-        refresh_count += 1
-        if refresh_count < 3
-          sleep(10)
-          ZuoraConnect.logger.debug("REFRESH TASK - Connection Failure Retrying(#{refresh_count})", ex, self.default_ougai_items)
-          retry
-        else
-          ZuoraConnect.logger.fatal("REFRESH TASK - Connection Failed", ex)
-          raise
-        end
-      rescue ZuoraConnect::Exceptions::ConnectCommunicationError => ex
-        refresh_count += 1
-        if refresh_count < 3
-          ZuoraConnect.logger.debug("REFRESH TASK - Communication Failure Retrying(#{refresh_count})", ex, self.default_ougai_items)
-          self.refresh_oauth if ex.code == 401
-          retry
-        else
-          ZuoraConnect.logger.fatal("REFRESH TASK - Communication Failed #{ex.code}", ex, self.default_ougai_items)
-          raise
-        end
+      #Check how app was deployed
+      if !self.auto_deployed? && (!skip_connect || self['zuora_logins'].blank?)
+        self.fetch_connect_data(session: session)
+      else
+        self.build_task(task_data: self.zuora_logins, session: session)
       end
+      self.last_refresh = Time.now.to_i
+      self.cache_app_instance
+      self.reset_mark_for_refresh
+     
     rescue => ex
       refresh_count += 1
       if self['zuora_logins'].present? && refresh_count < 3
@@ -416,10 +416,6 @@ module ZuoraConnect
       raise
     end
 
-    def aws_secrets
-      (Rails.application.secrets.aws || {}).transform_keys { |key| key.to_s }
-    end
-
     #### START KMS ENCRYPTION Methods ####
       def set_backup_creds
         if self.kms_key.present? && self.kms_key.match(/^arn:aws:.*/) && self.task_data.present?
@@ -435,14 +431,105 @@ module ZuoraConnect
 
       def zuora_logins
         raise  ZuoraConnect::Exceptions::ConnectCommunicationError.new("Zuora Logins is blank, cannot decrypt.") if super.blank?
-        return JSON.parse(kms_decrypt(super))
+        return JSON.parse(kms_decrypt(super, field_name: :zuora_logins))
+      end
+
+      def kms_client
+        @kms_client ||= Aws::KMS::Client.new({region: aws_secrets['AWS_REGION'], credentials: self.aws_auth_client}.delete_if { |k, v| v.blank? })
+        return @kms_client
+      end
+
+      def decrypted_data_key
+        $cleartextkey ||= kms_client.decrypt(ciphertext_blob: Base64.strict_decode64(encrypted_data_key)).plaintext
+        return $cleartextkey
+      end
+
+      def aws_secrets
+        (Rails.application.secrets.aws || {}).transform_keys { |key| key.to_s }
+      end
+
+      def connect_secrets
+        (Rails.application.secrets.connect || {}).transform_keys { |key| key.to_s }
+      end
+
+      def kms_key(raise_on_blank: false)
+        kms_value = ENV['AWS_KMS_ARN'] || aws_secrets['AWS_KMS_ARN']
+        raise ZuoraConnect::Exceptions::Error.new("Missing KMS key") if raise_on_blank && kms_value.blank?
+        return kms_value
       end
 
-      def kms_decrypt(value)
+      def iv_key
+        iv_key_value = ENV['IV_KEY'] || connect_secrets['IV_KEY']
+        #Create new one 'Base64.strict_encode64(OpenSSL::Cipher.new('AES-256-CBC').random_iv)'
+        raise ZuoraConnect::Exceptions::Error.new("Missing IV cipher key") if iv_key_value.blank?
+        return iv_key_value
+      end
+
+      def encrypted_data_key
+        #Base64.strict_encode64(kms_client.generate_data_key(key_id: kms_key, key_spec: 'AES_256').ciphertext_blob)
+        encrypted_data_key_value = ENV['ENCRYPTED_DATA_KEY'] || connect_secrets['ENCRYPTED_DATA_KEY']
+        raise ZuoraConnect::Exceptions::Error.new("Missing encrypted data key 'ENCRYPTED_DATA_KEY'.") if encrypted_data_key_value.blank?
+        return encrypted_data_key_value
+      end 
+
+      def aws_auth_client
+        if Rails.env.to_s == 'development'
+          return Aws::Credentials.new(aws_secrets['AWS_ACCESS_KEY_ID'], aws_secrets['AWS_SECRET_ACCESS_KEY'])
+        else
+          return nil
+        end
+      end
+
+      def fetch_cipher(type)
+        raise "Type must be set to 'encrypt' or 'decrypt'" if !['decrypt','encrypt'].include?(type)
+        cipher = OpenSSL::Cipher.new('AES-256-CBC')
+        cipher.send(type)
+        cipher.key = self.decrypted_data_key
+        cipher.iv = Base64.strict_decode64(self.iv_key)
+        return cipher
+      end
+
+      def kms_decrypt(value, field_name: nil, encryption_type: ZuoraConnect.configuration.encryption_type)
         kms_tries ||= 0
-        kms_client = Aws::KMS::Client.new({region: aws_secrets['AWS_REGION'], credentials: self.aws_auth_client}.delete_if { |k, v| v.blank? })
-        resp = kms_client.decrypt({ciphertext_blob: [value].pack("H*") })
-        return resp.plaintext
+        original_encryption_type ||= encryption_type.dup
+      
+        case encryption_type
+        when :direct
+          result = kms_client.decrypt(ciphertext_blob: [value].pack("H*") ).plaintext 
+          #Update original encryption
+          if original_encryption_type != encryption_type && field_name.present?
+            ZuoraConnect.logger.debug("Updating encryption to '#{original_encryption_type}', from '#{encryption_type}' for field '#{field_name}'", self.default_ougai_items)
+            self.update_column(field_name, self.kms_encrypt(result, encryption_type: original_encryption_type))
+          end
+
+          return result
+        when :envelope
+          cipher = fetch_cipher('decrypt') 
+          result = cipher.update(Base64.strict_decode64(value)) + cipher.final
+
+          #Update original encryption
+          if original_encryption_type != encryption_type && field_name.present?
+            ZuoraConnect.logger.debug("Updating encryption to '#{original_encryption_type}', from '#{encryption_type}' for field '#{field_name}'", self.default_ougai_items)
+            self.update_column(field_name, self.kms_encrypt(result, encryption_type: original_encryption_type))
+          end
+          return result
+        else
+          ZuoraConnect::Exceptions::Error.new("Invalid encryption method '#{encryption_type}'.")
+        end
+      rescue ArgumentError => ex
+        if ex.message == 'invalid base64' && encryption_type == :envelope && (kms_tries += 1) < 3
+          ZuoraConnect.logger.warn("Fallback to encryption 'direct', from '#{encryption_type}'", ex, self.default_ougai_items)
+          encryption_type = :direct 
+          retry
+        end
+        raise#Add protection when decrypting
+      rescue Aws::KMS::Errors::InvalidCiphertextException => ex
+        if encryption_type == :direct && (kms_tries += 1) < 3
+          ZuoraConnect.logger.warn("Fallback to encryption 'envelope', from '#{encryption_type}'", ex, self.default_ougai_items)
+          encryption_type = :envelope 
+          retry
+        end
+        raise
       rescue *AWS_AUTH_ERRORS => ex
         if (kms_tries += 1) < 3
           Rails.logger.warn(AWS_AUTH_ERRORS_MSG, ex)
@@ -453,12 +540,20 @@ module ZuoraConnect
         end
       end
 
-      def kms_encrypt(value)
+      def kms_encrypt(value, encryption_type: ZuoraConnect.configuration.encryption_type)
         kms_tries ||= 0
-        kms_client = Aws::KMS::Client.new({region: aws_secrets['AWS_REGION'], credentials: self.aws_auth_client}.delete_if {|k,v| v.blank? })
-
-        resp = kms_client.encrypt({key_id: kms_key, plaintext: value})
-        return resp.ciphertext_blob.unpack('H*').first
+        case encryption_type
+        when :direct
+          resp = kms_client.encrypt({key_id: kms_key(raise_on_blank: true), plaintext: value})
+          return resp.ciphertext_blob.unpack('H*').first
+        when :envelope
+          cipher = fetch_cipher('encrypt')
+          value = cipher.update(value.to_s)
+          value << cipher.final
+          return Base64.strict_encode64(value)
+        else
+          ZuoraConnect::Exceptions::Error.new("Invalid encryption method '#{encryption_type}'.")
+        end
       rescue *AWS_AUTH_ERRORS => ex
         if (kms_tries += 1) < 3
           Rails.logger.warn(AWS_AUTH_ERRORS_MSG, ex)
@@ -468,18 +563,6 @@ module ZuoraConnect
           raise
         end
       end
-
-      def kms_key
-        return ENV['AWS_KMS_ARN'] || aws_secrets['AWS_KMS_ARN']
-      end
-
-      def aws_auth_client
-        if Rails.env.to_s == 'development'
-          return Aws::Credentials.new(aws_secrets['AWS_ACCESS_KEY_ID'], aws_secrets['AWS_SECRET_ACCESS_KEY'])
-        else
-          return nil
-        end
-      end
     #### END KMS ENCRYPTION Methods ####
 
     #### START Metrics Methods ####
@@ -505,9 +588,13 @@ module ZuoraConnect
       def build_task(task_data: {}, session: {})
         session = {} if session.blank?
         self.task_data = task_data
+        if self.task_data.blank? &&  ZuoraConnect.configuration.local_task_data
+          self.task_data = self.zuora_logins
+        end
+       
         self.mode = self.task_data["mode"]
 
-        if task_data['id'].to_s != self.id.to_s
+        if self.task_data['id'].to_s != self.id.to_s
           raise ZuoraConnect::Exceptions::MissMatch.new("Wrong Instance Identifier/Lookup")
         end
 
@@ -545,7 +632,7 @@ module ZuoraConnect
         raise
       rescue => ex
         ZuoraConnect.logger.error("Build Task Error", ex)
-        ZuoraConnect.logger.error("Task Data: #{task_data}") if task_data.present?
+        ZuoraConnect.logger.error("Task Data: #{self.task_data}") if self.task_data.present?
         if session.present?
           ZuoraConnect.logger.error("Task Session: #{session.to_h}")  if session.methods.include?(:to_h)
           ZuoraConnect.logger.error("Task Session: #{session.to_hash}") if session.methods.include?(:to_hash)
@@ -796,19 +883,19 @@ module ZuoraConnect
           if login.tenant_type == "Zuora"
             if login.available_entities.size > 1 && Rails.application.config.session_store != ActionDispatch::Session::CookieStore
               login.available_entities.each do |entity_key|
-                session["#{self.id}::#{key}::#{entity_key}:current_session"]            = login.client(entity_key).current_session            if login.client.respond_to?(:current_session)
-                session["#{self.id}::#{key}::#{entity_key}:bearer_token"]               = login.client(entity_key).bearer_token               if login.client.respond_to?(:bearer_token)
-                session["#{self.id}::#{key}::#{entity_key}:oauth_session_expires_at"]   = login.client(entity_key).oauth_session_expires_at   if login.client.respond_to?(:oauth_session_expires_at)
+                session["#{self.id}::#{key}::#{entity_key}:current_session"]            = login.client(entity_key).current_session            if login.client.respond_to?(:current_session) && login.client(entity_key).current_session.present?
+                session["#{self.id}::#{key}::#{entity_key}:bearer_token"]               = login.client(entity_key).bearer_token               if login.client.respond_to?(:bearer_token) && login.client(entity_key).bearer_token.present?
+                session["#{self.id}::#{key}::#{entity_key}:oauth_session_expires_at"]   = login.client(entity_key).oauth_session_expires_at   if login.client.respond_to?(:oauth_session_expires_at) && login.client(entity_key).oauth_session_expires_at.present?
               end
             else
-              session["#{self.id}::#{key}:current_session"]             = login.client.current_session            if login.client.respond_to?(:current_session)
-              session["#{self.id}::#{key}:bearer_token"]                = login.client.bearer_token               if login.client.respond_to?(:bearer_token)
-              session["#{self.id}::#{key}:oauth_session_expires_at"]    = login.client.oauth_session_expires_at   if login.client.respond_to?(:oauth_session_expires_at)
+              session["#{self.id}::#{key}:current_session"]             = login.client.current_session            if login.client.respond_to?(:current_session) && login.client.current_session.present?
+              session["#{self.id}::#{key}:bearer_token"]                = login.client.bearer_token               if login.client.respond_to?(:bearer_token) && login.client.bearer_token.present?
+              session["#{self.id}::#{key}:oauth_session_expires_at"]    = login.client.oauth_session_expires_at   if login.client.respond_to?(:oauth_session_expires_at) && login.client.oauth_session_expires_at.present?
             end
           end
         end
 
-        session["#{self.id}::task_data"] = self.task_data
+        session["#{self.id}::task_data"] = self.task_data if !ZuoraConnect.configuration.local_task_data
 
         #Redis is not defined strip out old data
         if !defined?(Redis.current)
@@ -848,6 +935,9 @@ module ZuoraConnect
         else
           begin
             return JSON.parse(encryptor.decrypt_and_verify(CGI::unescape(data)))
+          rescue ActiveSupport::MessageEncryptor::InvalidMessage => ex
+            Rails.logger.error('Error Decrypting', ex, self.default_ougai_items) if log_fatal && !Rails.env.test?
+            return JSON.parse(encryptor.decrypt_and_verify(data))
           rescue ActiveSupport::MessageVerifier::InvalidSignature => ex
             ZuoraConnect.logger.error("Error Decrypting", ex, self.default_ougai_items) if log_fatal
             return rescue_return

data/config/initializers/redis.rb

@@ -11,6 +11,15 @@ class RedisFlash
   end
 end
 
+class Redis
+  def self.current
+    @current ||= Redis.new()
+  end
+  def self.current=(redis)
+    @current = redis
+  end
+end
+
 if defined?(Redis.current)
   Redis.current = Redis.new(:id => "#{ZuoraObservability::Env.full_process_name(process_name: 'Redis')}", :url => redis_url, :timeout => 6, :reconnect_attempts => 2)
   browser_urls['Redis'] = { "url" => redis_url }

data/db/migrate/20190520232224_add_environment_fields.rb

@@ -9,5 +9,8 @@ class AddEnvironmentFields < ActiveRecord::Migration[5.0]
     if column_exists? :zuora_connect_app_instances, :organizations
       change_column :zuora_connect_app_instances, :organizations, :jsonb, default: [] 
     end
+    unless column_exists? :zuora_connect_app_instances, :zuora_global_tenant_id
+      add_column :zuora_connect_app_instances, :zuora_global_tenant_id, :text, default: ""
+    end
   end
 end

data/lib/tasks/zuora_connect_tasks.rake

@@ -1,24 +1,16 @@
-# desc "Explaining what the task does"
-# task :connect do
-#   # Task goes here
-# end
-
 namespace :db do
   desc 'Also create shared_extensions Schema'
   task :extensions => :environment  do
     # Create Schema
-    ActiveRecord::Base.connection.execute 'CREATE SCHEMA IF NOT EXISTS shared_extensions;'
-    # Enable Hstore
-    ActiveRecord::Base.connection.execute 'CREATE EXTENSION IF NOT EXISTS HSTORE SCHEMA shared_extensions;'
-    # Enable UUID-OSSP
-    ActiveRecord::Base.connection.execute 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp" SCHEMA shared_extensions;'
+    at_exit {
+      ActiveRecord::Base.connection.execute 'CREATE SCHEMA IF NOT EXISTS shared_extensions;'
+      # Enable Hstore
+      ActiveRecord::Base.connection.execute 'CREATE EXTENSION IF NOT EXISTS HSTORE SCHEMA shared_extensions;'
+      # Enable UUID-OSSP
+      ActiveRecord::Base.connection.execute 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp" SCHEMA shared_extensions;'
+    } 
   end
 end
 
-Rake::Task["db:create"].enhance do
-  Rake::Task["db:extensions"].invoke
-end
-
-Rake::Task["db:test:purge"].enhance do
-  Rake::Task["db:extensions"].invoke
-end
+Rake::Task["db:create"].enhance [:extensions]
+Rake::Task["db:test:purge"].enhance  [:extensions]

data/lib/zuora_connect/configuration.rb

@@ -7,7 +7,7 @@ module ZuoraConnect
 
     attr_accessor :oauth_client_id, :oauth_client_secret, :oauth_client_redirect_uri
 
-    attr_accessor :dev_mode_logins, :dev_mode_options, :dev_mode_mode, :dev_mode_appinstance, :dev_mode_user, :dev_mode_pass, :dev_mode_admin, :dev_mode_secret_access_key,:dev_mode_access_key_id,:aws_region, :s3_bucket_name, :s3_folder_name, :insert_migrations, :skip_connect
+    attr_accessor :dev_mode_logins, :dev_mode_options, :dev_mode_mode, :dev_mode_appinstance, :dev_mode_user, :dev_mode_pass, :dev_mode_admin, :dev_mode_secret_access_key,:dev_mode_access_key_id,:aws_region, :s3_bucket_name, :s3_folder_name, :insert_migrations, :skip_connect, :encryption_type, :local_task_data
 
     def initialize
       @default_locale = :en
@@ -21,6 +21,8 @@ module ZuoraConnect
       @blpop_queue = false
       @insert_migrations = true
       @skip_connect = false
+      @encryption_type = :direct
+      @local_task_data = false
 
       # Setting the app name for telegraf write
       @enable_metrics = false

data/lib/zuora_connect/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ZuoraConnect
-  VERSION = "3.1.0"
+  VERSION = "3.1.1-c"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: zuora_connect
 version: !ruby/object:Gem::Version
-  version: 3.1.0
+  version: 3.1.1.pre.c
 platform: ruby
 authors:
 - Connect Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-06-23 00:00:00.000000000 Z
+date: 2022-07-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: apartment
@@ -452,9 +452,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubygems_version: 3.3.7
 signing_key: