Pull slosilo library to Conjur

.dockerignore

@@ -17,11 +17,14 @@ coverage
 demo
 dev
 docker
+gems/slosilo/Gemfile.lock
+gems/slosilo/spec/reports
 log
 package
 run
 spec/reports
 spec/reports-audit
+
 tmp
 
 # Ignore directories that are only relevant in gh

.gitignore

@@ -73,4 +73,24 @@ conjur_git_commit
 # AuthnOIDC V2 w/ Identity setup
 dev/policies/authenticators/authn-oidc/identity-users.yml
 
+gem/slosilo/*.gem
+gem/slosilo/*.rbc
+gem/slosilo/.bundle
+gem/slosilo/.yardoc
+gem/slosilo/InstalledFiles
+gem/slosilo/_yardoc
+gem/slosilo/coverage
+gem/slosilo/doc/
+gem/slosilo/lib/bundler/man
+gem/slosilo/pkg
+gem/slosilo/rdoc
+gem/slosilo/spec/reports
+gem/slosilo/test/tmp
+gem/slosilo/test/version_tmp
+gem/slosilo/tmp
+gem/slosilo/.rvmrc
+gem/slosilo/.project
+gem/slosilo/.kateproject.d
+gem/slosilo/.idea
+
 VERSION

Gemfile

@@ -36,7 +36,7 @@ gem 'bcrypt'
 gem 'gli', require: false
 gem 'listen'
 gem 'rexml', '~> 3.2'
-gem 'slosilo', '~> 3.0'
+gem 'slosilo',  path: 'gems/slosilo'
 
 # Explicitly required as there are vulnerabilities in older versions
 gem "ffi", ">= 1.9.24"

Gemfile.lock

@@ -13,6 +13,11 @@ PATH
       activesupport (>= 4.2)
       safe_yaml
 
+PATH
+  remote: gems/slosilo
+  specs:
+    slosilo (3.0.1)
+
 GEM
   remote: https://rubygems.org/
   specs:
@@ -445,7 +450,6 @@ GEM
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.12.3)
     simplecov_json_formatter (0.1.4)
-    slosilo (3.0.1)
     spring (2.1.0)
     spring-commands-cucumber (1.0.1)
       spring (>= 0.9.1)
@@ -568,7 +572,7 @@ DEPENDENCIES
   sequel-postgres-schemata
   sequel-rails
   simplecov
-  slosilo (~> 3.0)
+  slosilo!
   spring
   spring-commands-cucumber
   spring-commands-rspec

gems/slosilo/.kateproject

@@ -0,0 +1,4 @@
+{
+  "name": "Slosilo"
+, "files": [ { "git": 1 } ]
+}

gems/slosilo/CHANGELOG.md

@@ -0,0 +1,25 @@
+# v3.0.1
+
+ * The symmetric cipher class now encrypts and decrypts in a thread-safe manner.
+   [cyberark/slosilo#31](https://github.com/cyberark/slosilo/pull/31)
+
+# v3.0.0
+
+* Transition to Ruby 3. Consuming projects based on Ruby 2 shall use slosilo V2.X.X.
+
+# v2.2.2
+
+* Add rake task `slosilo:recalculate_fingerprints` which rehashes the fingerprints in the keystore.
+**Note**: After migrating the slosilo keystore, run the above rake task to ensure the fingerprints are correctly hashed.
+
+# v2.2.1
+
+* Use SHA256 algorithm instead of MD5 for public key fingerprints.
+
+# v2.1.1
+
+* Add support for JWT-formatted tokens, with arbitrary expiration.
+
+# v2.0.1
+
+* Fixes a bug that occurs when signing tokens containing Unicode data

gems/slosilo/CONTRIBUTING.md

@@ -0,0 +1,16 @@
+# Contributing
+
+For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community).
+
+## Contributing Workflow
+
+1. [Fork the project](https://help.github.com/en/github/getting-started-with-github/fork-a-repo)
+2. [Clone your fork](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/cloning-a-repository)
+3. Make local changes to your fork by editing files
+3. [Commit your changes](https://help.github.com/en/github/managing-files-in-a-repository/adding-a-file-to-a-repository-using-the-command-line)
+4. [Push your local changes to the remote server](https://help.github.com/en/github/using-git/pushing-commits-to-a-remote-repository)
+5. [Create new Pull Request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork)
+
+From here your pull request will be reviewed and once you've responded to all
+feedback it will be merged into the project. Congratulations, you're a
+contributor!

gems/slosilo/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in slosilo.gemspec
+gemspec

gems/slosilo/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

gems/slosilo/README.md

@@ -0,0 +1,152 @@
+# Slosilo
+
+Slosilo is providing a ruby interface to some cryptographic primitives:
+- symmetric encryption,
+- a mixin for easy encryption of object attributes,
+- asymmetric encryption and signing,
+- a keystore in a postgres sequel db -- it allows easy storage and retrieval of keys,
+- a keystore in files.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'slosilo'
+
+And then execute:
+
+    $ bundle
+
+## Compatibility
+
+Version 3.0 introduced full transition to Ruby 3.
+Consumers who use slosilo in Ruby 2 projects, shall use slosilo V2.X.X.
+
+Version 2.0 introduced new symmetric encryption scheme using AES-256-GCM
+for authenticated encryption. It allows you to provide AAD on all symmetric
+encryption primitives. It's also **NOT COMPATIBLE** with CBC used in version <2.
+
+This means you'll have to migrate all your existing data. There's no easy way to
+do this currently provided; it's recommended to create a database migration and
+put relevant code fragments in it directly. (This will also have the benefit of making
+the migration self-contained.)
+
+Since symmetric encryption is used in processing asymetrically encrypted messages,
+this incompatibility extends to those too.
+
+## Usage
+
+### Symmetric encryption
+
+```ruby
+sym = Slosilo::Symmetric.new
+key = sym.random_key
+# additional authenticated data
+message_id = "message 001"
+ciphertext = sym.encrypt "secret message", key: key, aad: message_id
+```
+
+```ruby
+sym = Slosilo::Symmetric.new
+message = sym.decrypt ciphertext, key: key, aad: message_id
+```
+
+### Encryption mixin
+
+```ruby
+require 'slosilo'
+
+class Foo
+  attr_accessor :foo
+  attr_encrypted :foo, aad: :id
+
+  def raw_foo
+    @foo
+  end
+
+  def id
+    "unique record id"
+  end
+end
+
+Slosilo::encryption_key = Slosilo::Symmetric.new.random_key
+
+obj = Foo.new
+obj.foo = "bar"
+obj.raw_foo # => "\xC4\xEF\x87\xD3b\xEA\x12\xDF\xD0\xD4hk\xEDJ\v\x1Cr\xF2#\xA3\x11\xA4*k\xB7\x8F\x8F\xC2\xBD\xBB\xFF\xE3"
+obj.foo # => "bar"
+```
+
+You can safely use it in ie. ActiveRecord::Base or Sequel::Model subclasses.
+
+### Asymmetric encryption and signing
+
+```ruby
+private_key = Slosilo::Key.new
+public_key = private_key.public
+```
+
+#### Key dumping
+```ruby
+k = public_key.to_s # => "-----BEGIN PUBLIC KEY----- ...
+(Slosilo::Key.new k) == public_key # => true
+```
+
+#### Encryption
+
+```ruby
+encrypted = public_key.encrypt_message "eagle one sees many clouds"
+# => "\xA3\x1A\xD2\xFC\xB0 ...
+
+public_key.decrypt_message encrypted
+# => OpenSSL::PKey::RSAError: private key needed.
+
+private_key.decrypt_message encrypted
+# => "eagle one sees many clouds"
+```
+
+#### Signing
+
+```ruby
+token = private_key.signed_token "missile launch not authorized"
+# => {"data"=>"missile launch not authorized", "timestamp"=>"2014-10-13 12:41:25 UTC", "signature"=>"bSImk...DzV3o", "key"=>"455f7ac42d2d483f750b4c380761821d"}
+
+public_key.token_valid? token # => true
+
+token["data"] = "missile launch authorized"
+public_key.token_valid? token # => false
+```
+
+### Keystore
+
+```ruby
+Slosilo::encryption_key = ENV['SLOSILO_KEY']
+Slosilo.adapter = Slosilo::Adapters::FileAdapter.new "~/.keys"
+
+Slosilo[:own] = Slosilo::Key.new
+Slosilo[:their] = Slosilo::Key.new File.read("foo.pem")
+
+msg = Slosilo[:their].encrypt_message 'bar'
+p Slosilo[:own].signed_token msg
+```
+
+### Keystore in database
+
+Add a migration to create the necessary table:
+
+    require 'slosilo/adapters/sequel_adapter/migration'
+
+Remember to migrate your database
+
+    $ rake db:migrate
+
+Then
+```ruby
+Slosilo.adapter = Slosilo::Adapters::SequelAdapter.new
+```
+
+## Contributing
+
+We welcome contributions of all kinds to this repository. For instructions on
+how to get started and descriptions of our development workflows, please see our
+[contributing guide](CONTRIBUTING.md).

gems/slosilo/Rakefile

@@ -0,0 +1,17 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+
+begin
+  require 'rspec/core/rake_task'
+  RSpec::Core::RakeTask.new(:spec)
+rescue LoadError
+  $stderr.puts "RSpec Rake tasks not available in environment #{ENV['RACK_ENV']}"
+end
+
+task :jenkins do
+  require 'ci/reporter/rake/rspec'
+  Rake::Task["ci:setup:rspec"].invoke
+  Rake::Task["spec"].invoke
+end
+
+task :default => :spec

gems/slosilo/SECURITY.md

@@ -0,0 +1,42 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the CyberArk Conjur
+suite of tools and products.
+
+  * [Reporting a Bug](#reporting-a-bug)
+  * [Disclosure Policy](#disclosure-policy)
+  * [Comments on this Policy](#comments-on-this-policy)
+
+## Reporting a Bug
+
+The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously.
+Thank you for improving the security of the Conjur suite. We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your
+contributions.
+
+Report security bugs by emailing the lead maintainers at [email protected].
+
+The maintainers will acknowledge your email within 2 business days. Subsequently, we will 
+send a more detailed response within 2 business days of our acknowledgement indicating
+the next steps in handling your report. After the initial reply to your report, the security
+team will endeavor to keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining
+the module.
+
+## Disclosure Policy
+
+When the security team receives a security bug report, they will assign it to a
+primary handler. This person will coordinate the fix and release process,
+involving the following steps:
+
+  * Confirm the problem and determine the affected versions.
+  * Audit code to find any potential similar problems.
+  * Prepare fixes for all releases still under maintenance. These fixes will be
+    released as fast as possible.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.

gems/slosilo/dev/Dockerfile.dev

@@ -0,0 +1,7 @@
+FROM ruby
+
+COPY ./ /src/
+
+WORKDIR /src
+
+RUN bundle

gems/slosilo/dev/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '3'
+services:
+  dev:
+    build:
+      context: ..
+      dockerfile: dev/Dockerfile.dev
+    volumes:
+      - ../:/src

gems/slosilo/lib/slosilo.rb

@@ -0,0 +1,13 @@
+require "slosilo/jwt"
+require "slosilo/version"
+require "slosilo/keystore"
+require "slosilo/symmetric"
+require "slosilo/attr_encrypted"
+require "slosilo/random"
+require "slosilo/errors"
+
+if defined? Sequel
+  require 'slosilo/adapters/sequel_adapter'
+  Slosilo::adapter = Slosilo::Adapters::SequelAdapter.new
+end
+Dir[File.join(File.dirname(__FILE__), 'tasks/*.rake')].each { |ext| load ext } if defined?(Rake)