Module: BlindIndex

Defined in:
lib/blind_index.rb,
lib/blind_index/model.rb,
lib/blind_index/mongoid.rb,
lib/blind_index/version.rb,
lib/blind_index/backfill.rb,
lib/blind_index/extensions.rb,
lib/blind_index/key_generator.rb

Defined Under Namespace

Modules: Extensions, Model, Mongoid Classes: Backfill, Error, KeyGenerator

Constant Summary collapse

VERSION =
"2.4.0"

Class Attribute Summary collapse

Class Method Summary collapse

Class Attribute Details

.default_optionsObject

Returns the value of attribute default_options.



18
19
20
# File 'lib/blind_index.rb', line 18

def default_options
  @default_options
end

.master_keyObject



23
24
25
# File 'lib/blind_index.rb', line 23

def self.master_key
  @master_key ||= ENV["BLIND_INDEX_MASTER_KEY"] || (defined?(Lockbox.master_key) && Lockbox.master_key)
end

Class Method Details

.backfill(relation, columns: nil, batch_size: 1000) ⇒ Object



134
135
136
# File 'lib/blind_index.rb', line 134

def self.backfill(relation, columns: nil, batch_size: 1000)
  Backfill.new(relation, columns: columns, batch_size: batch_size).perform
end

.decode_key(key, name: "Key") ⇒ Object

Raises:



122
123
124
125
126
127
128
129
130
131
132
# File 'lib/blind_index.rb', line 122

def self.decode_key(key, name: "Key")
  # decode hex key
  if key.encoding != Encoding::BINARY && key =~ /\A[0-9a-f]{64}\z/i
    key = [key].pack("H*")
  end

  raise BlindIndex::Error, "#{name} must be 32 bytes (64 hex digits)" if key.bytesize != 32
  raise BlindIndex::Error, "#{name} must use binary encoding" if key.encoding != Encoding::BINARY

  key
end

.generate_bidx(value, key:, **options) ⇒ Object



27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
# File 'lib/blind_index.rb', line 27

def self.generate_bidx(value, key:, **options)
  options = {
    encode: true
  }.merge(default_options).merge(options)

  # apply expression
  value = options[:expression].call(value) if options[:expression]

  unless value.nil?
    algorithm = (options[:algorithm] || (options[:legacy] ? :pbkdf2_sha256 : :argon2id)).to_sym
    algorithm = :pbkdf2_sha256 if algorithm == :pbkdf2_hmac
    algorithm = :argon2i if algorithm == :argon2

    key = key.call if key.respond_to?(:call)
    raise BlindIndex::Error, "Missing key for blind index" unless key

    key = key.to_s
    unless options[:insecure_key] && algorithm == :pbkdf2_sha256
      key = decode_key(key)
    end

    # gist to compare algorithm results
    # https://gist.github.com/ankane/fe3ac63fbf1c4550ee12554c664d2b8c
    cost_options = options[:cost] || {}

    # check size
    size = (options[:size] || 32).to_i
    raise BlindIndex::Error, "Size must be between 1 and 32" unless (1..32).include?(size)

    value = value.to_s

    value =
      case algorithm
      when :argon2id
        t = (cost_options[:t] || (options[:slow] ? 4 : 3)).to_i
        # use same bounds as rbnacl
        raise BlindIndex::Error, "t must be between 3 and 10" if t < 3 || t > 10

        # m is memory in kibibytes (1024 bytes)
        m = (cost_options[:m] || (options[:slow] ? 15 : 12)).to_i
        # use same bounds as rbnacl
        raise BlindIndex::Error, "m must be between 3 and 22" if m < 3 || m > 22

        Argon2::KDF.argon2id(value, salt: key, t: t, m: m, p: 1, length: size)
      when :pbkdf2_sha256
        iterations = cost_options[:iterations] || options[:iterations] || (options[:slow] ? 100000 : 10000)
        OpenSSL::PKCS5.pbkdf2_hmac(value, key, iterations, size, "sha256")
      when :argon2i
        t = (cost_options[:t] || 3).to_i
        # use same bounds as rbnacl
        raise BlindIndex::Error, "t must be between 3 and 10" if t < 3 || t > 10

        # m is memory in kibibytes (1024 bytes)
        m = (cost_options[:m] || 12).to_i
        # use same bounds as rbnacl
        raise BlindIndex::Error, "m must be between 3 and 22" if m < 3 || m > 22

        Argon2::KDF.argon2i(value, salt: key, t: t, m: m, p: 1, length: size)
      when :scrypt
        n = cost_options[:n] || 4096
        r = cost_options[:r] || 8
        cp = cost_options[:p] || 1
        SCrypt::Engine.scrypt(value, key, n, r, cp, size)
      else
        raise BlindIndex::Error, "Unknown algorithm"
      end

    encode = options[:encode]
    if encode
      if encode.respond_to?(:call)
        encode.call(value)
      else
        [value].pack(options[:legacy] ? "m" : "m0")
      end
    else
      value
    end
  end
end

.generate_keyObject



107
108
109
110
111
# File 'lib/blind_index.rb', line 107

def self.generate_key
  require "securerandom"
  # force encoding to make JRuby consistent with MRI
  SecureRandom.hex(32).force_encoding(Encoding::US_ASCII)
end

.index_key(table:, bidx_attribute:, master_key: nil, encode: true) ⇒ Object

Raises:



113
114
115
116
117
118
119
120
# File 'lib/blind_index.rb', line 113

def self.index_key(table:, bidx_attribute:, master_key: nil, encode: true)
  master_key ||= BlindIndex.master_key
  raise BlindIndex::Error, "Missing master key" unless master_key

  key = BlindIndex::KeyGenerator.new(master_key).index_key(table: table, bidx_attribute: bidx_attribute)
  key = key.unpack("H*").first if encode
  key
end