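defmodule Cloak.Vault do
  @moduledoc """
  Encrypts and decrypts data, using a configured cipher.

  ## Create Your Vault

  Define a module in your application that uses `Cloak.Vault`.

      defmodule MyApp.Vault do
        use Cloak.Vault, otp_app: :my_app
      end

  ## Configuration

  The `:otp_app` option should point to an OTP application that has the vault
  configuration.

  For example, the vault:

      defmodule MyApp.Vault do
        use Cloak.Vault, otp_app: :my_app
      end

  Could be configured with Mix configuration like so:

      config :my_app, MyApp.Vault,
        json_library: Jason,
        ciphers: [
          default: {Cloak.Ciphers.AES.GCM, tag: "AES.GCM.V1", key: <<...>>}
        ]

  The configuration options are:

  - `:json_library`: Used to convert data types like lists and maps into
    binary so that they can be encrypted. (Default: `Jason`)

  - `:ciphers`: a list of `Cloak.Cipher` modules in the following format:

          {:label, {CipherModule, opts}}

    **The first configured cipher in the list is the default for encrypting
    all new data, regardless of its label.** This behaviour can be overridden
    on a field-by-field basis.

    The `opts` are specific to each cipher module. Check their
    documentation for what each cipher requires.

    - `Cloak.Ciphers.AES.GCM`
    - `Cloak.Ciphers.AES.CTR`

  ### Runtime Configuration

  Because Vaults are GenServers, they can be configured at runtime using the
  `init/1` callback. This allows you to easily fetch values like environment
  variables in a reliable way.

  The configuration from the `:otp_app` is passed as the first argument to the
  callback, allowing you to append to or change it at will.

      defmodule MyApp.Vault do
        use Cloak.Vault, otp_app: :my_app

        @impl GenServer
        def init(config) do
          config =
            Keyword.put(config, :ciphers, [
              default: {Cloak.Ciphers.AES.GCM, tag: "AES.GCM.V1", key: decode_env!("CLOAK_KEY")}
            ])

          {:ok, config}
        end

        defp decode_env!(var) do
          var
          |> System.get_env()
          |> Base.decode64!()
        end
      end

  If `CLOAK_KEY` is unset or is not valid Base64, `decode_env!/1` raises, so
  the vault fails to start instead of running without a key.

  You can also pass configuration to vaults via `start_link/1`:

      MyApp.Vault.start_link(ciphers: [
        default: {Cloak.Ciphers.AES.GCM, tag: "AES.GCM.V1", key: key}
      ])

  ## Supervision

  Because Vaults are `GenServer`s, you'll need to add your vault to your
  supervision tree in `application.ex` or whichever supervisor you prefer.

      children = [
        MyApp.Vault
      ]

  If you want to pass in configuration values at runtime, you can do so:

      children = [
        {MyApp.Vault, ciphers: [...]}
      ]

  ## Usage

  You can use the vault directly by calling its functions.

      MyApp.Vault.encrypt("plaintext")
      # => {:ok, <<...>>}

      MyApp.Vault.decrypt(ciphertext)
      # => {:ok, "plaintext"}

  See the documented callbacks below for the functions you can call.

  ### Performance Notes

  Vaults are not bottlenecks. They simply store configuration in an ETS table
  named after the Vault, e.g. `MyApp.Vault.Config`. All encryption and
  decryption is performed in your local process, reading configuration from
  the vault's ETS table.

  That table is a named, `:protected` ETS table, so every process on the node
  can read the stored configuration, including the cipher keys. Treat access
  to the node (remote shells, distribution) as access to the keys.
  """

  @type plaintext :: binary
  @type ciphertext :: binary
  @type label :: atom

  @doc """
  Encrypts a binary using the first configured cipher in the vault's
  configured `:ciphers` list.
  """
  @callback encrypt(plaintext) :: {:ok, ciphertext} | {:error, Exception.t()}

  @doc """
  Like `encrypt/1`, but raises any errors.
  """
  @callback encrypt!(plaintext) :: ciphertext | no_return

  @doc """
  Encrypts a binary using the vault's configured cipher with the
  corresponding label.
  """
  @callback encrypt(plaintext, label) :: {:ok, ciphertext} | {:error, Exception.t()}

  @doc """
  Like `encrypt/2`, but raises any errors.
  """
  @callback encrypt!(plaintext, label) :: ciphertext | no_return

  @doc """
  Decrypts a binary with the configured cipher that generated the binary.
  Automatically detects which cipher to use, based on the ciphertext.
  """
  @callback decrypt(ciphertext) :: {:ok, plaintext} | {:error, Exception.t()}

  @doc """
  Like `decrypt/1`, but raises any errors.
  """
  @callback decrypt!(ciphertext) :: plaintext | no_return

  @doc """
  The JSON library the vault uses to convert maps and lists into
  JSON binaries before encryption.
  """
  @callback json_library :: module

  # Injects a GenServer-backed vault into the using module. `:otp_app` is
  # required; `Keyword.fetch!/2` fails at compile time when it is missing.
  defmacro __using__(opts) do
    otp_app = Keyword.fetch!(opts, :otp_app)

    quote location: :keep do
      use GenServer

      @behaviour Cloak.Vault
      @otp_app unquote(otp_app)
      @table_name :"#{__MODULE__}.Config"

      ###
      # GenServer
      ###

      def start_link(config \\ []) do
        # Merge passed in configuration with otp_app configuration;
        # explicitly passed values win over the application environment.
        app_config = Application.get_env(@otp_app, __MODULE__, [])
        config = Keyword.merge(app_config, config)

        case GenServer.start_link(__MODULE__, config, name: __MODULE__) do
          {:ok, pid} ->
            # Ensure that the configuration is saved before callers can use
            # the vault; the call blocks until the ETS table is populated.
            GenServer.call(pid, :save_config, 10_000)

            # Return the pid
            {:ok, pid}

          other ->
            other
        end
      end

      # Users can override init/1 to customize the configuration
      # of the vault during startup
      @impl GenServer
      def init(config) do
        {:ok, config}
      end

      # Cache the results of the `init` configuration callback in
      # the vault's ETS table.
      @impl GenServer
      def handle_call(:save_config, _from, config) do
        Cloak.Vault.save_config(@table_name, config)
        {:reply, :ok, config}
      end

      # If a hot upgrade occurs, rerun the `init` callback to
      # refresh the configuration in case it changed.
      #
      # init/1 returns a tagged tuple, so it must be unwrapped: caching the
      # whole `{:ok, config}` tuple would replace the keyword list that
      # encrypt/decrypt read with a tuple they cannot use.
      @impl GenServer
      def code_change(_vsn, config, _extra) do
        case init(config) do
          {:ok, new_config} ->
            Cloak.Vault.save_config(@table_name, new_config)
            {:ok, new_config}

          # An overridden init/1 may add a timeout, :hibernate or a
          # {:continue, term} as a third element; only the config is kept.
          {:ok, new_config, _init_option} ->
            Cloak.Vault.save_config(@table_name, new_config)
            {:ok, new_config}

          other ->
            # Leave the cached configuration untouched and report the failure.
            {:error, {:bad_return_from_init, other}}
        end
      end

      ###
      # Encrypt/Decrypt functions
      ###

      @impl Cloak.Vault
      def encrypt(plaintext) do
        with {:ok, config} <- Cloak.Vault.read_config(@table_name) do
          Cloak.Vault.encrypt(config, plaintext)
        end
      end

      @impl Cloak.Vault
      def encrypt!(plaintext) do
        case Cloak.Vault.read_config(@table_name) do
          {:ok, config} ->
            Cloak.Vault.encrypt!(config, plaintext)

          {:error, error} ->
            raise error
        end
      end

      @impl Cloak.Vault
      def encrypt(plaintext, label) do
        with {:ok, config} <- Cloak.Vault.read_config(@table_name) do
          Cloak.Vault.encrypt(config, plaintext, label)
        end
      end

      @impl Cloak.Vault
      def encrypt!(plaintext, label) do
        case Cloak.Vault.read_config(@table_name) do
          {:ok, config} ->
            Cloak.Vault.encrypt!(config, plaintext, label)

          {:error, error} ->
            raise error
        end
      end

      @impl Cloak.Vault
      def decrypt(ciphertext) do
        with {:ok, config} <- Cloak.Vault.read_config(@table_name) do
          Cloak.Vault.decrypt(config, ciphertext)
        end
      end

      @impl Cloak.Vault
      def decrypt!(ciphertext) do
        case Cloak.Vault.read_config(@table_name) do
          {:ok, config} ->
            Cloak.Vault.decrypt!(config, ciphertext)

          {:error, error} ->
            raise error
        end
      end

      # NOTE(review): when the vault is not started this returns the
      # `{:error, exception}` tuple from read_config/1 rather than a module,
      # which the `json_library` callback type does not describe.
      @impl Cloak.Vault
      def json_library do
        with {:ok, config} <- Cloak.Vault.read_config(@table_name) do
          Keyword.get(config, :json_library, Jason)
        end
      end

      defoverridable(Module.definitions_in(__MODULE__))
    end
  end

  # Stores `config` under the `:config` key of the named ETS table, creating
  # the table on first use.
  #
  # The table is `:protected`: only its owner (the process that created it)
  # can write, but any process on the node can read it. `config` holds the
  # cipher options, keys included, so the keys are readable node-wide.
  @doc false
  def save_config(table_name, config) do
    if :ets.info(table_name) == :undefined do
      :ets.new(table_name, [:named_table, :protected])
    end

    :ets.insert(table_name, {:config, config})
  end

  # Reads the cached configuration. Returns `{:ok, config}`, or
  # `{:error, %Cloak.VaultNotStarted{}}` when the table does not exist yet
  # (`:ets.lookup/2` raises ArgumentError) or exists but has no `:config`
  # row yet (created but not populated).
  @doc false
  def read_config(table_name) do
    case :ets.lookup(table_name, :config) do
      [{:config, config} | _] ->
        {:ok, config}

      [] ->
        {:error, Cloak.VaultNotStarted.exception(table_name)}
    end
  rescue
    ArgumentError ->
      {:error, Cloak.VaultNotStarted.exception(table_name)}
  end

  # Encrypts with the first cipher in `config[:ciphers]`, whatever its label.
  @doc false
  def encrypt(config, plaintext) do
    case config[:ciphers] do
      [{_label, {module, opts}} | _ciphers] ->
        module.encrypt(plaintext, opts)

      _ ->
        # Missing, empty or malformed cipher list: refuse to encrypt rather
        # than fall back to anything else.
        {:error, Cloak.InvalidConfig.exception("could not encrypt due to missing configuration")}
    end
  end

  # Like encrypt/2, but returns the ciphertext or raises the error.
  @doc false
  def encrypt!(config, plaintext) do
    case encrypt(config, plaintext) do
      {:ok, ciphertext} ->
        ciphertext

      {:error, error} ->
        raise error
    end
  end

  # Encrypts with the cipher registered under `label`; an unknown label (or a
  # missing cipher list) yields a `Cloak.MissingCipher` error.
  @doc false
  def encrypt(config, plaintext, label) do
    case config[:ciphers][label] do
      nil ->
        {:error, Cloak.MissingCipher.exception(vault: config[:vault], label: label)}

      {module, opts} ->
        module.encrypt(plaintext, opts)
    end
  end

  # Like encrypt/3, but returns the ciphertext or raises the error.
  @doc false
  def encrypt!(config, plaintext, label) do
    case encrypt(config, plaintext, label) do
      {:ok, ciphertext} ->
        ciphertext

      {:error, error} ->
        raise error
    end
  end

  # Decrypts with the first configured cipher whose `can_decrypt?/2` accepts
  # the ciphertext; returns a `Cloak.MissingCipher` error when none does.
  @doc false
  def decrypt(config, ciphertext) do
    case find_module_to_decrypt(config, ciphertext) do
      nil ->
        {:error, Cloak.MissingCipher.exception(vault: config[:vault], ciphertext: ciphertext)}

      {_label, {module, opts}} ->
        module.decrypt(ciphertext, opts)
    end
  end

  # Like decrypt/2, but returns the plaintext or raises the error.
  @doc false
  def decrypt!(config, ciphertext) do
    case decrypt(config, ciphertext) do
      {:ok, plaintext} ->
        plaintext

      {:error, error} ->
        raise error
    end
  end

  # Every configured cipher is a decryption candidate, not just the first, so
  # a retired key must stay in the list for as long as data encrypted under
  # it still exists. A missing `:ciphers` entry is treated as an empty list so
  # that decrypt/2 returns an error tuple instead of crashing in Enum.find/2.
  defp find_module_to_decrypt(config, ciphertext) do
    Enum.find(config[:ciphers] || [], fn {_label, {module, opts}} ->
      module.can_decrypt?(ciphertext, opts)
    end)
  end
end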