RubyGems - zuora_connect - Versions diffs - 3.1.0 → 3.1.1.pre.a - Mend

zuora_connect 3.1.0 → 3.1.1.pre.a

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/app/models/zuora_connect/app_instance_base.rb +129 -38
data/config/initializers/redis.rb +9 -0
data/db/migrate/20190520232224_add_environment_fields.rb +3 -0
data/lib/tasks/zuora_connect_tasks.rake +9 -17
data/lib/zuora_connect/configuration.rb +3 -1
data/lib/zuora_connect/version.rb +1 -1
metadata +4 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 689c9d74cda46ebd41a5d98dba982700dd365fa3746378276ceb0da4f5d0c493
-  data.tar.gz: 719e7beb03b156986160f8fa881960a7b7231b706c9a6bcd50af1788d622a125
+  metadata.gz: 575850a90d1e2c6aaca6a638ce4c353f337c617d3ff1460731b48a208d8942c1
+  data.tar.gz: 5e2a26d1ff920f57243bca6cd1de689158d0c996bb31b6c3793c9d004572d248
 SHA512:
-  metadata.gz: 4f905b5518a0b7e556d3cf4a45e73e86b149a4b95d111a315e46a2f91e9a07b43b2e9b77f0bd1c34e6fbf5848d321b64615ec612fc907b7f3fb9fd2f56944be3
-  data.tar.gz: a61a9c662b80a4d8af8a98f6eeef2be56b79cc9bc0853ae36a57ce22a59dde8bae5a7ab1b175aedec703743b6ccae8e81f2e565b028a23cdda9b7dce7544eb1a
+  metadata.gz: e5592409632f985f3db6c42c2cc4c28e86ad7daed2f359ef08e4cb503efdef0095388a62f48832a1498f9ce7d7f8bdccc0155af1a4d68dc32412ae061dec45c4
+  data.tar.gz: 12c7cdb0591645a712ee19ead68473d8a67763c8b88dcb02e9b2195112577b898636079c681a164ea6e3bbd1d03a37c0af5c7941caa93946ef391fbf7ba69ef1

data/app/models/zuora_connect/app_instance_base.rb CHANGED Viewed

@@ -187,7 +187,7 @@ module ZuoraConnect
           raise ZuoraConnect::Exceptions::HoldingPattern if holding_pattern && !self.mark_for_refresh
           self.refresh(session: session)
-        elsif session["#{self.id}::task_data"].blank?
+        elsif session["#{self.id}::task_data"].blank? && !ZuoraConnect.configuration.local_task_data
           self.new_session_message = "REFRESHING - Task Data Blank"
           ZuoraConnect.logger.debug(self.new_session_message)
           raise ZuoraConnect::Exceptions::HoldingPattern if holding_pattern && !self.mark_for_refresh
@@ -354,7 +354,8 @@ module ZuoraConnect
     def fetch_connect_data(session: {})
       self.check_oauth_state
-      response = HTTParty.get(ZuoraConnect.configuration.url + "/api/#{self.api_version}/tools/tasks/#{self.id}.json",:body => {:access_token => self.access_token})
+      request_url = ZuoraConnect.configuration.url + "/api/#{self.api_version}/tools/tasks/#{self.id}.json"
+      response = HTTParty.get(request_url,:body => {:access_token => self.access_token})
       if response.code == 200
         begin
@@ -367,7 +368,7 @@ module ZuoraConnect
         self.set_backup_creds
         self.save(validate: false) if self.changed?
       else
-        raise ZuoraConnect::Exceptions::ConnectCommunicationError.new("Error Communicating with Connect", response.body, response.code)
+        raise ZuoraConnect::Exceptions::ConnectCommunicationError.new("Error communicating with Connect for '#{request_url}' with #{response.code}", response.body, response.code)
       end
     end
@@ -416,10 +417,6 @@ module ZuoraConnect
       raise
     end
-    def aws_secrets
-      (Rails.application.secrets.aws || {}).transform_keys { |key| key.to_s }
-    end
     #### START KMS ENCRYPTION Methods ####
       def set_backup_creds
         if self.kms_key.present? && self.kms_key.match(/^arn:aws:.*/) && self.task_data.present?
@@ -435,14 +432,105 @@ module ZuoraConnect
       def zuora_logins
         raise  ZuoraConnect::Exceptions::ConnectCommunicationError.new("Zuora Logins is blank, cannot decrypt.") if super.blank?
-        return JSON.parse(kms_decrypt(super))
+        return JSON.parse(kms_decrypt(super, field_name: :zuora_logins))
+      end
+      def kms_client
+        @kms_client ||= Aws::KMS::Client.new({region: aws_secrets['AWS_REGION'], credentials: self.aws_auth_client}.delete_if { |k, v| v.blank? })
+        return @kms_client
+      end
+      def decrypted_data_key
+        $cleartextkey ||= kms_client.decrypt(ciphertext_blob: Base64.strict_decode64(encrypted_data_key)).plaintext
+        return $cleartextkey
+      end
+      def aws_secrets
+        (Rails.application.secrets.aws || {}).transform_keys { |key| key.to_s }
+      end
+      def connect_secrets
+        (Rails.application.secrets.connect || {}).transform_keys { |key| key.to_s }
+      end
+      def kms_key(raise_on_blank: false)
+        kms_value = ENV['AWS_KMS_ARN'] || aws_secrets['AWS_KMS_ARN']
+        raise ZuoraConnect::Exceptions::Error.new("Missing KMS key") if raise_on_blank && kms_value.blank?
+        return kms_value
+      end
+      def iv_key
+        iv_key_value = ENV['IV_KEY'] || connect_secrets['IV_KEY']
+        #Create new one 'Base64.strict_encode64(OpenSSL::Cipher.new('AES-256-CBC').random_iv)'
+        raise ZuoraConnect::Exceptions::Error.new("Missing IV cipher key") if iv_key_value.blank?
+        return iv_key_value
+      end
+      def encrypted_data_key
+        #Base64.strict_encode64(kms_client.generate_data_key(key_id: kms_key, key_spec: 'AES_256').ciphertext_blob)
+        encrypted_data_key_value = ENV['ENCRYPTED_DATA_KEY'] || connect_secrets['ENCRYPTED_DATA_KEY']
+        raise ZuoraConnect::Exceptions::Error.new("Missing encrypted data key 'ENCRYPTED_DATA_KEY'.") if encrypted_data_key_value.blank?
+        return encrypted_data_key_value
+      end
+      def aws_auth_client
+        if Rails.env.to_s == 'development'
+          return Aws::Credentials.new(aws_secrets['AWS_ACCESS_KEY_ID'], aws_secrets['AWS_SECRET_ACCESS_KEY'])
+        else
+          return nil
+        end
+      end
+      def fetch_cipher(type)
+        raise "Type must be set to 'encrypt' or 'decrypt'" if !['decrypt','encrypt'].include?(type)
+        cipher = OpenSSL::Cipher.new('AES-256-CBC')
+        cipher.send(type)
+        cipher.key = self.decrypted_data_key
+        cipher.iv = Base64.strict_decode64(self.iv_key)
+        return cipher
       end
-      def kms_decrypt(value)
+      def kms_decrypt(value, field_name: nil, encryption_type: ZuoraConnect.configuration.encryption_type)
         kms_tries ||= 0
-        kms_client = Aws::KMS::Client.new({region: aws_secrets['AWS_REGION'], credentials: self.aws_auth_client}.delete_if { |k, v| v.blank? })
-        resp = kms_client.decrypt({ciphertext_blob: [value].pack("H*") })
-        return resp.plaintext
+        original_encryption_type ||= encryption_type.dup
+        case encryption_type
+        when :direct
+          result = kms_client.decrypt(ciphertext_blob: [value].pack("H*") ).plaintext
+          #Update original encryption
+          if original_encryption_type != encryption_type && field_name.present?
+            ZuoraConnect.logger.debug("Updating encryption to '#{original_encryption_type}', from '#{encryption_type}' for field '#{field_name}'", self.default_ougai_items)
+            self.update_column(field_name, self.kms_encrypt(result, encryption_type: original_encryption_type))
+          end
+          return result
+        when :envelope
+          cipher = fetch_cipher('decrypt')
+          result = cipher.update(Base64.strict_decode64(value)) + cipher.final
+          #Update original encryption
+          if original_encryption_type != encryption_type && field_name.present?
+            ZuoraConnect.logger.debug("Updating encryption to '#{original_encryption_type}', from '#{encryption_type}' for field '#{field_name}'", self.default_ougai_items)
+            self.update_column(field_name, self.kms_encrypt(result, encryption_type: original_encryption_type))
+          end
+          return result
+        else
+          ZuoraConnect::Exceptions::Error.new("Invalid encryption method '#{encryption_type}'.")
+        end
+      rescue ArgumentError => ex
+        if ex.message == 'invalid base64' && encryption_type == :envelope && (kms_tries += 1) < 3
+          ZuoraConnect.logger.warn("Fallback to encryption 'direct', from '#{encryption_type}'", ex, self.default_ougai_items)
+          encryption_type = :direct
+          retry
+        end
+        raise#Add protection when decrypting
+      rescue Aws::KMS::Errors::InvalidCiphertextException => ex
+        if encryption_type == :direct && (kms_tries += 1) < 3
+          ZuoraConnect.logger.warn("Fallback to encryption 'envelope', from '#{encryption_type}'", ex, self.default_ougai_items)
+          encryption_type = :envelope
+          retry
+        end
+        raise
       rescue *AWS_AUTH_ERRORS => ex
         if (kms_tries += 1) < 3
           Rails.logger.warn(AWS_AUTH_ERRORS_MSG, ex)
@@ -453,12 +541,20 @@ module ZuoraConnect
         end
       end
-      def kms_encrypt(value)
+      def kms_encrypt(value, encryption_type: ZuoraConnect.configuration.encryption_type)
         kms_tries ||= 0
-        kms_client = Aws::KMS::Client.new({region: aws_secrets['AWS_REGION'], credentials: self.aws_auth_client}.delete_if {|k,v| v.blank? })
-        resp = kms_client.encrypt({key_id: kms_key, plaintext: value})
-        return resp.ciphertext_blob.unpack('H*').first
+        case encryption_type
+        when :direct
+          resp = kms_client.encrypt({key_id: kms_key(raise_on_blank: true), plaintext: value})
+          return resp.ciphertext_blob.unpack('H*').first
+        when :envelope
+          cipher = fetch_cipher('encrypt')
+          value = cipher.update(value.to_s)
+          value << cipher.final
+          return Base64.strict_encode64(value)
+        else
+          ZuoraConnect::Exceptions::Error.new("Invalid encryption method '#{encryption_type}'.")
+        end
       rescue *AWS_AUTH_ERRORS => ex
         if (kms_tries += 1) < 3
           Rails.logger.warn(AWS_AUTH_ERRORS_MSG, ex)
@@ -468,18 +564,6 @@ module ZuoraConnect
           raise
         end
       end
-      def kms_key
-        return ENV['AWS_KMS_ARN'] || aws_secrets['AWS_KMS_ARN']
-      end
-      def aws_auth_client
-        if Rails.env.to_s == 'development'
-          return Aws::Credentials.new(aws_secrets['AWS_ACCESS_KEY_ID'], aws_secrets['AWS_SECRET_ACCESS_KEY'])
-        else
-          return nil
-        end
-      end
     #### END KMS ENCRYPTION Methods ####
     #### START Metrics Methods ####
@@ -505,9 +589,13 @@ module ZuoraConnect
       def build_task(task_data: {}, session: {})
         session = {} if session.blank?
         self.task_data = task_data
+        if self.task_data.blank? &&  ZuoraConnect.configuration.local_task_data
+          self.task_data = self.zuora_logins
+        end
         self.mode = self.task_data["mode"]
-        if task_data['id'].to_s != self.id.to_s
+        if self.task_data['id'].to_s != self.id.to_s
           raise ZuoraConnect::Exceptions::MissMatch.new("Wrong Instance Identifier/Lookup")
         end
@@ -545,7 +633,7 @@ module ZuoraConnect
         raise
       rescue => ex
         ZuoraConnect.logger.error("Build Task Error", ex)
-        ZuoraConnect.logger.error("Task Data: #{task_data}") if task_data.present?
+        ZuoraConnect.logger.error("Task Data: #{self.task_data}") if self.task_data.present?
         if session.present?
           ZuoraConnect.logger.error("Task Session: #{session.to_h}")  if session.methods.include?(:to_h)
           ZuoraConnect.logger.error("Task Session: #{session.to_hash}") if session.methods.include?(:to_hash)
@@ -796,19 +884,19 @@ module ZuoraConnect
           if login.tenant_type == "Zuora"
             if login.available_entities.size > 1 && Rails.application.config.session_store != ActionDispatch::Session::CookieStore
               login.available_entities.each do |entity_key|
-                session["#{self.id}::#{key}::#{entity_key}:current_session"]            = login.client(entity_key).current_session            if login.client.respond_to?(:current_session)
-                session["#{self.id}::#{key}::#{entity_key}:bearer_token"]               = login.client(entity_key).bearer_token               if login.client.respond_to?(:bearer_token)
-                session["#{self.id}::#{key}::#{entity_key}:oauth_session_expires_at"]   = login.client(entity_key).oauth_session_expires_at   if login.client.respond_to?(:oauth_session_expires_at)
+                session["#{self.id}::#{key}::#{entity_key}:current_session"]            = login.client(entity_key).current_session            if login.client.respond_to?(:current_session) && login.client(entity_key).current_session.present?
+                session["#{self.id}::#{key}::#{entity_key}:bearer_token"]               = login.client(entity_key).bearer_token               if login.client.respond_to?(:bearer_token) && login.client(entity_key).bearer_token.present?
+                session["#{self.id}::#{key}::#{entity_key}:oauth_session_expires_at"]   = login.client(entity_key).oauth_session_expires_at   if login.client.respond_to?(:oauth_session_expires_at) && login.client(entity_key).oauth_session_expires_at.present?
               end
             else
-              session["#{self.id}::#{key}:current_session"]             = login.client.current_session            if login.client.respond_to?(:current_session)
-              session["#{self.id}::#{key}:bearer_token"]                = login.client.bearer_token               if login.client.respond_to?(:bearer_token)
-              session["#{self.id}::#{key}:oauth_session_expires_at"]    = login.client.oauth_session_expires_at   if login.client.respond_to?(:oauth_session_expires_at)
+              session["#{self.id}::#{key}:current_session"]             = login.client.current_session            if login.client.respond_to?(:current_session) && login.client.current_session.present?
+              session["#{self.id}::#{key}:bearer_token"]                = login.client.bearer_token               if login.client.respond_to?(:bearer_token) && login.client.bearer_token.present?
+              session["#{self.id}::#{key}:oauth_session_expires_at"]    = login.client.oauth_session_expires_at   if login.client.respond_to?(:oauth_session_expires_at) && login.client.oauth_session_expires_at.present?
             end
           end
         end
-        session["#{self.id}::task_data"] = self.task_data
+        session["#{self.id}::task_data"] = self.task_data if !ZuoraConnect.configuration.local_task_data
         #Redis is not defined strip out old data
         if !defined?(Redis.current)
@@ -848,6 +936,9 @@ module ZuoraConnect
         else
           begin
             return JSON.parse(encryptor.decrypt_and_verify(CGI::unescape(data)))
+          rescue ActiveSupport::MessageEncryptor::InvalidMessage => ex
+            Rails.logger.error('Error Decrypting', ex, self.default_ougai_items) if log_fatal && !Rails.env.test?
+            return JSON.parse(encryptor.decrypt_and_verify(data))
           rescue ActiveSupport::MessageVerifier::InvalidSignature => ex
             ZuoraConnect.logger.error("Error Decrypting", ex, self.default_ougai_items) if log_fatal
             return rescue_return

data/config/initializers/redis.rb CHANGED Viewed

@@ -11,6 +11,15 @@ class RedisFlash
   end
 end
+class Redis
+  def self.current
+    @current ||= Redis.new()
+  end
+  def self.current=(redis)
+    @current = redis
+  end
+end
 if defined?(Redis.current)
   Redis.current = Redis.new(:id => "#{ZuoraObservability::Env.full_process_name(process_name: 'Redis')}", :url => redis_url, :timeout => 6, :reconnect_attempts => 2)
   browser_urls['Redis'] = { "url" => redis_url }

data/db/migrate/20190520232224_add_environment_fields.rb CHANGED Viewed

@@ -9,5 +9,8 @@ class AddEnvironmentFields < ActiveRecord::Migration[5.0]
     if column_exists? :zuora_connect_app_instances, :organizations
       change_column :zuora_connect_app_instances, :organizations, :jsonb, default: []
     end
+    unless column_exists? :zuora_connect_app_instances, :zuora_global_tenant_id
+      add_column :zuora_connect_app_instances, :zuora_global_tenant_id, :text, default: ""
+    end
   end
 end

data/lib/tasks/zuora_connect_tasks.rake CHANGED Viewed

@@ -1,24 +1,16 @@
-# desc "Explaining what the task does"
-# task :connect do
-#   # Task goes here
-# end
 namespace :db do
   desc 'Also create shared_extensions Schema'
   task :extensions => :environment  do
     # Create Schema
-    ActiveRecord::Base.connection.execute 'CREATE SCHEMA IF NOT EXISTS shared_extensions;'
-    # Enable Hstore
-    ActiveRecord::Base.connection.execute 'CREATE EXTENSION IF NOT EXISTS HSTORE SCHEMA shared_extensions;'
-    # Enable UUID-OSSP
-    ActiveRecord::Base.connection.execute 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp" SCHEMA shared_extensions;'
+    at_exit {
+      ActiveRecord::Base.connection.execute 'CREATE SCHEMA IF NOT EXISTS shared_extensions;'
+      # Enable Hstore
+      ActiveRecord::Base.connection.execute 'CREATE EXTENSION IF NOT EXISTS HSTORE SCHEMA shared_extensions;'
+      # Enable UUID-OSSP
+      ActiveRecord::Base.connection.execute 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp" SCHEMA shared_extensions;'
+    }
   end
 end
-Rake::Task["db:create"].enhance do
-  Rake::Task["db:extensions"].invoke
-end
-Rake::Task["db:test:purge"].enhance do
-  Rake::Task["db:extensions"].invoke
-end
+Rake::Task["db:create"].enhance [:extensions]
+Rake::Task["db:test:purge"].enhance  [:extensions]

data/lib/zuora_connect/configuration.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module ZuoraConnect
     attr_accessor :oauth_client_id, :oauth_client_secret, :oauth_client_redirect_uri
-    attr_accessor :dev_mode_logins, :dev_mode_options, :dev_mode_mode, :dev_mode_appinstance, :dev_mode_user, :dev_mode_pass, :dev_mode_admin, :dev_mode_secret_access_key,:dev_mode_access_key_id,:aws_region, :s3_bucket_name, :s3_folder_name, :insert_migrations, :skip_connect
+    attr_accessor :dev_mode_logins, :dev_mode_options, :dev_mode_mode, :dev_mode_appinstance, :dev_mode_user, :dev_mode_pass, :dev_mode_admin, :dev_mode_secret_access_key,:dev_mode_access_key_id,:aws_region, :s3_bucket_name, :s3_folder_name, :insert_migrations, :skip_connect, :encryption_type, :local_task_data
     def initialize
       @default_locale = :en
@@ -21,6 +21,8 @@ module ZuoraConnect
       @blpop_queue = false
       @insert_migrations = true
       @skip_connect = false
+      @encryption_type = :direct
+      @local_task_data = false
       # Setting the app name for telegraf write
       @enable_metrics = false

data/lib/zuora_connect/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module ZuoraConnect
-  VERSION = "3.1.0"
+  VERSION = "3.1.1-a"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: zuora_connect
 version: !ruby/object:Gem::Version
-  version: 3.1.0
+  version: 3.1.1.pre.a
 platform: ruby
 authors:
 - Connect Team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-06-23 00:00:00.000000000 Z
+date: 2022-07-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: apartment
@@ -452,9 +452,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubygems_version: 3.3.7
 signing_key: