From e2d6cbb86a27fcbf42a7cb88119be9302cdf957f Mon Sep 17 00:00:00 2001
From: Jonathan Hooper
Date: Tue, 24 Jul 2018 10:46:37 -0500
Subject: [PATCH] Write 2L KMS encrypted sessions

**Why**: We are moving away from the user access keys in favor of 2L-KMS which involves aes encrypted ciphertexts wrapped by KMS
---
 .../encryptors/session_encryptor.rb | 6 +++-
 .../encryptors/session_encryptor_spec.rb | 29 +++++++++----------
 2 files changed, 19 insertions(+), 16 deletions(-)

diff --git a/app/services/encryption/encryptors/session_encryptor.rb b/app/services/encryption/encryptors/session_encryptor.rb
index df9b39b73ec..496871d8b3f 100644
--- a/app/services/encryption/encryptors/session_encryptor.rb
+++ b/app/services/encryption/encryptors/session_encryptor.rb
@@ -3,7 +3,11 @@ module Encryptors
 class SessionEncryptor
 include Encodable

- delegate :encrypt, to: :deprecated_encryptor
+ def encrypt(plaintext)
+ aes_ciphertext = AesEncryptor.new.encrypt(plaintext, aes_encryption_key)
+ kms_ciphertext = KmsClient.new.encrypt(aes_ciphertext)
+ encode(kms_ciphertext)
+ end

 def decrypt(ciphertext)
 return deprecated_encryptor.decrypt(ciphertext) if legacy?(ciphertext)
diff --git a/spec/services/encryption/encryptors/session_encryptor_spec.rb b/spec/services/encryption/encryptors/session_encryptor_spec.rb
index 95efbf641aa..6d5cd79fd4e 100644
--- a/spec/services/encryption/encryptors/session_encryptor_spec.rb
+++ b/spec/services/encryption/encryptors/session_encryptor_spec.rb
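Review bot: The new `encrypt` hands the entire AES ciphertext to `KmsClient.new.encrypt`, so every session write now depends on that call accepting a payload as large as the session. KmsClient is not shown here; if it forwards to a single AWS KMS Encrypt request, inputs above that API's 4096-byte plaintext limit would be rejected and a large session would fail to save. Confirm that KmsClient chunks its input, or add a spec that encrypts a plaintext well over 4 KB. The method also deserves a short comment on the layering, for example `# Returns Base64(KMS(AES(plaintext))); decrypt sends anything legacy?(ciphertext) matches to the deprecated encryptor`. The class body continues outside the hunk, so `aes_encryption_key` and `legacy?` are not visible.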
@@ -4,15 +4,19 @@
 let(:plaintext) { '{ "foo": "bar" }' }

 describe '#encrypt' do
- it 'returns ciphertext created by the deprecated session encryptor' do
- expected_ciphertext = '123abc'
-
- deprecated_encryptor = Encryption::Encryptors::DeprecatedSessionEncryptor.new
- expect(deprecated_encryptor).to receive(:encrypt).
- with(plaintext).
- and_return(expected_ciphertext)
- expect(Encryption::Encryptors::DeprecatedSessionEncryptor).to receive(:new).
- and_return(deprecated_encryptor)
+ it 'returns a KMS wrapped AES encrypted ciphertext' do
+ aes_encryptor = instance_double(Encryption::Encryptors::AesEncryptor)
+ kms_client = instance_double(Encryption::KmsClient)
+ allow(aes_encryptor).to receive(:encrypt).
+ with(plaintext, Figaro.env.session_encryption_key[0...32]).
+ and_return('aes output')
+ allow(kms_client).to receive(:encrypt).
+ with('aes output').
+ and_return('kms output')
+ allow(Encryption::Encryptors::AesEncryptor).to receive(:new).and_return(aes_encryptor)
+ allow(Encryption::KmsClient).to receive(:new).and_return(kms_client)
+
+ expected_ciphertext = Base64.strict_encode64('kms output')

 ciphertext = subject.encrypt(plaintext)

@@ -30,12 +34,7 @@
 end

 context 'with a 2L-KMS ciphertext' do
- let(:ciphertext) do
- key = Figaro.env.session_encryption_key[0...32]
- aes_ciphertext = Encryption::Encryptors::AesEncryptor.new.encrypt(plaintext, key)
- kms_ciphertext = Encryption::KmsClient.new.encrypt(aes_ciphertext)
- Base64.strict_encode64(kms_ciphertext)
- end
+ let(:ciphertext) { Encryption::Encryptors::SessionEncryptor.new.encrypt(plaintext) }

 it 'decrypts the ciphertext' do
 expect(subject.decrypt(ciphertext)).to eq(plaintext)
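Review bot: The stub on `aes_encryptor` pins the AES key as `Figaro.env.session_encryption_key[0...32]`, the first 32 characters of a configured string, and nothing in this spec checks that the setting is long enough or in the expected format. Slicing a shorter value returns fewer than 32 characters without raising, and if the setting is hex or Base64 text, 32 characters carry less than 256 bits of key material. How AesEncryptor reacts to either case is not visible here. I would guard the point where the key is derived, for example `raise ArgumentError, 'session_encryption_key must be at least 32 characters' if key.length < 32` (with `key` standing for the configured value), and add an example here that covers it. The `describe '#encrypt'` block continues past the hunk.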