Class: KmsEncrypted::Box

Inherits:

Object

• Object
• KmsEncrypted::Box

Defined in:

lib/kms_encrypted/box.rb

Instance Attribute Summary

• #key_id ⇒ Object readonly

  Returns the value of attribute key_id.

• #previous_versions ⇒ Object readonly

  Returns the value of attribute previous_versions.

• #version ⇒ Object readonly

  Returns the value of attribute version.

Instance Method Summary

• #decrypt(ciphertext, context: nil) ⇒ Object
• #encrypt(plaintext, context: nil) ⇒ Object
• #initialize(key_id: nil, version: nil, previous_versions: nil) ⇒ Box constructor

  A new instance of Box.

Constructor Details

#initialize(key_id: nil, version: nil, previous_versions: nil) ⇒ Box

Returns a new instance of Box.

# File 'lib/kms_encrypted/box.rb', line 5

def initialize(key_id: nil, version: nil, previous_versions: nil)
  @key_id = key_id || KmsEncrypted.key_id
  @version = version || 1
  @previous_versions = previous_versions || {}
end

Instance Attribute Details

#key_id ⇒ Object (readonly)

Returns the value of attribute key_id.

# File 'lib/kms_encrypted/box.rb', line 3

def key_id
  @key_id
end

#previous_versions ⇒ Object (readonly)

Returns the value of attribute previous_versions.

# File 'lib/kms_encrypted/box.rb', line 3

def previous_versions
  @previous_versions
end

#version ⇒ Object (readonly)

Returns the value of attribute version.

# File 'lib/kms_encrypted/box.rb', line 3

def version
  @version
end

Instance Method Details

#decrypt(ciphertext, context: nil) ⇒ Object

# File 'lib/kms_encrypted/box.rb', line 18

def decrypt(ciphertext, context: nil)
  m = /\Av(\d+):/.match(ciphertext)
  if m
    version = m[1].to_i
    ciphertext = ciphertext.sub("v#{version}:", "")
  else
    version = 1
    legacy_context = true

    # legacy
    if ciphertext.start_with?("$gc$")
      _, _, short_key_id, ciphertext = ciphertext.split("$", 4)

      # restore key, except for cryptoKeyVersion
      stored_key_id = decode64(short_key_id).split("/")[0..3]
      stored_key_id.insert(0, "projects")
      stored_key_id.insert(2, "locations")
      stored_key_id.insert(4, "keyRings")
      stored_key_id.insert(6, "cryptoKeys")
      key_id = stored_key_id.join("/")
    elsif ciphertext.start_with?("vault:")
      ciphertext = Base64.encode64(ciphertext)
    end
  end

  key_id ||= version_key_id(version)
  ciphertext = decode64(ciphertext)
  context = version_context(context, version)

  KmsEncrypted::Client.new(
    key_id: key_id,
    data_key: true,
    legacy_context: legacy_context
  ).decrypt(ciphertext, context: context)
end

#encrypt(plaintext, context: nil) ⇒ Object

# File 'lib/kms_encrypted/box.rb', line 11

def encrypt(plaintext, context: nil)
  context = version_context(context, version)
  key_id = version_key_id(version)
  ciphertext = KmsEncrypted::Client.new(key_id: key_id, data_key: true).encrypt(plaintext, context: context)
  "v#{version}:#{encode64(ciphertext)}"
end