Ability to encrypt/decrypt array bodies (#5)

* Added ability to encrypt/decrypt array bodies + clean-up
* Fixed sonar scan not running on pull requests

Author: ech0s7r

.github/workflows/sonar.yml

@@ -9,7 +9,7 @@ name: Sonar
   schedule:
     - cron: 0 16 * * *
 jobs:
-  test:
+  sonarcloud:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
@@ -40,11 +40,6 @@ jobs:
           SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
         run: |
           sonar-scanner-3.3.0.1492/bin/sonar-scanner \
-            -Dsonar.projectName=client-encryption-ruby \
-            -Dsonar.projectKey=Mastercard_client-encryption-ruby \
-            -Dsonar.organization=mastercard \
             -Dsonar.sources=./lib \
             -Dsonar.tests=./test \
-            -Dsonar.ruby.coverage.reportPaths=coverage/.resultset.json \
-            -Dsonar.host.url=https://sonarcloud.io \
-            -Dsonar.login=$SONAR_TOKEN
+            -Dsonar.ruby.coverage.reportPaths=coverage/.resultset.json

lib/mcapi/encryption/crypto/crypto.rb

@@ -37,8 +37,8 @@ def initialize(config)
       #
       # Generate encryption parameters.
       #
-      # @param [String] iv IV to use instead to generate a random IV
-      # @param [String] secret_key Secret Key to use instead to generate a random key
+      # @param [String,nil] iv IV to use instead to generate a random IV
+      # @param [String,nil] secret_key Secret Key to use instead to generate a random key
       #
       # @return [Hash] hash with the generated encryption parameters
       #
@@ -70,8 +70,8 @@ def new_encryption_params(iv = nil, secret_key = nil)
       # If +iv+, +secret_key+, +encryption_params+ and +encoding+ are not provided, randoms will be generated.
       #
       # @param [String] data json string to encrypt
-      # @param [String] (optional) iv Initialization vector to use to create the cipher, if not provided generate a random one
-      # @param [String] (optional) encryption_params encryption parameters
+      # @param [String,nil] (optional) iv Initialization vector to use to create the cipher, if not provided generate a random one
+      # @param [String,nil] (optional) encryption_params encryption parameters
       # @param [String] encoding encoding to use for the encrypted bytes (hex or base64)
       #
       # @return [String] encrypted data
@@ -103,11 +103,12 @@ def encrypt_data(data:, iv: nil, secret_key: nil, encryption_params: nil, encodi
       # @param [String] iv Initialization vector to use to create the Decipher
       # @param [String] encrypted_key Encrypted key to use to decrypt the data
       #                 (the key is the decrypted using the provided PrivateKey)
+      # @param [String] oaep_hashing_alg OAEP Algorithm to use
       #
       # @return [String] Decrypted JSON object
       #
-      def decrypt_data(encrypted_data, iv, encrypted_key)
-        md = Utils.create_message_digest(@oaep_hashing_alg)
+      def decrypt_data(encrypted_data, iv, encrypted_key, oaep_hashing_alg)
+        md = Utils.create_message_digest(oaep_hashing_alg)
         decrypted_key = @private_key.private_decrypt_oaep(Utils.decode(encrypted_key, @encoding), '', md, md)
         aes = OpenSSL::Cipher::AES.new(decrypted_key.size * 8, :CBC)
         aes.decrypt
@@ -121,7 +122,7 @@ def decrypt_data(encrypted_data, iv, encrypted_key)
       #
       # Compute the fingerprint for the provided public key
       #
-      # @param [String] type: +certificate+ or +publickey+
+      # @param [Hash] type: +certificate+ or +publickey+
       #
       # @return [String] the computed fingerprint encoded using the configured encoding
       #

lib/mcapi/encryption/field_level_encryption.rb

@@ -13,7 +13,7 @@ class FieldLevelEncryption
       #
       # Create a new instance with the provided configuration
       #
-      # @param [Object] config Configuration object
+      # @param [Hash] config Configuration object
       #
       def initialize(config)
         @config = config
@@ -27,7 +27,7 @@ def initialize(config)
       # Encrypt parts of a HTTP request using the given config
       #
       # @param [String] endpoint HTTP URL for the current call
-      # @param [Object] header HTTP header
+      # @param [Object|nil] header HTTP header
       # @param [String,Hash] body HTTP body
       #
       # @return [Hash] Hash with two keys:
@@ -37,19 +37,20 @@ def initialize(config)
       def encrypt(endpoint, header, body)
         body = JSON.parse(body) if body.is_a?(String)
         config = config?(endpoint)
+        body_map = body
         if config
           if !@is_with_header
-            config['toEncrypt'].each do |v|
+            body_map = config['toEncrypt'].map do |v|
               encrypt_with_body(v, body)
             end
           else
             enc_params = @crypto.new_encryption_params
-            config['toEncrypt'].each do |v|
+            body_map = config['toEncrypt'].map do |v|
               body = encrypt_with_header(v, enc_params, header, body)
             end
           end
         end
-        { header: header, body: body.json }
+        { header: header, body: config ? compute_body(config['toEncrypt'], body_map) { body.json } : body.json }
       end
 
       #
@@ -62,9 +63,10 @@ def encrypt(endpoint, header, body)
       def decrypt(response)
         response = JSON.parse(response)
         config = config?(response['request']['url'])
+        body_map = response
         if config
           if !@is_with_header
-            config['toDecrypt'].each do |v|
+            body_map = config['toDecrypt'].map do |v|
               decrypt_with_body(v, response['body'])
             end
           else
@@ -74,6 +76,7 @@ def decrypt(response)
             end
           end
         end
+        response['body'] = compute_body(config['toDecrypt'], body_map) { response['body'] } unless config.nil?
         JSON.generate(response)
       end
 
@@ -82,14 +85,19 @@ def decrypt(response)
       def encrypt_with_body(path, body)
         elem = elem_from_path(path['element'], body)
         return unless elem && elem[:node]
+
         encrypted_data = @crypto.encrypt_data(data: JSON.generate(elem[:node]))
-        McAPI::Utils.mutate_obj_prop(path['obj'], encrypted_data, body)
-        McAPI::Utils.delete_node(path['element'], body) if path['element'] != "#{path['obj']}.#{@config['encryptedValueFieldName']}"
+        body = McAPI::Utils.mutate_obj_prop(path['obj'], encrypted_data, body)
+        unless json_root?(path['obj']) || path['element'] == "#{path['obj']}.#{@config['encryptedValueFieldName']}"
+          McAPI::Utils.delete_node(path['element'], body)
+        end
+        body
       end
 
       def encrypt_with_header(path, enc_params, header, body)
         elem = elem_from_path(path['element'], body)
         return unless elem && elem[:node]
+
         encrypted_data = @crypto.encrypt_data(data: JSON.generate(elem[:node]), encryption_params: enc_params)
         body = { path['obj'] => { @config['encryptedValueFieldName'] => encrypted_data[@config['encryptedValueFieldName']] } }
         set_header(header, enc_params)
@@ -99,9 +107,11 @@ def encrypt_with_header(path, enc_params, header, body)
       def decrypt_with_body(path, body)
         elem = elem_from_path(path['element'], body)
         return unless elem && elem[:node]
+
         decrypted = @crypto.decrypt_data(elem[:node][@config['encryptedValueFieldName']],
-                                 elem[:node][@config['ivFieldName']],
-                                 elem[:node][@config['encryptedKeyFieldName']])
+                                         elem[:node][@config['ivFieldName']],
+                                         elem[:node][@config['encryptedKeyFieldName']],
+                                         elem[:node][@config['oaepHashingAlgorithmFieldName']])
         begin
           decrypted = JSON.parse(decrypted)
         rescue JSON::ParserError
@@ -116,7 +126,8 @@ def decrypt_with_header(path, elem, response)
         response['body'].clear
         response['body'] = JSON.parse(@crypto.decrypt_data(encrypted_data,
                                                            response['headers'][@config['ivHeaderName']][0],
-                                                           response['headers'][@config['encryptedKeyHeaderName']][0]))
+                                                           response['headers'][@config['encryptedKeyHeaderName']][0],
+                                                           response['headers'][@config['oaepHashingAlgorithmHeaderName']][0]))
       end
 
       def elem_from_path(path, obj)
@@ -125,7 +136,7 @@ def elem_from_path(path, obj)
         if path && !paths.empty?
           paths.each do |e|
             parent = obj
-            obj = obj[e]
+            obj = json_root?(e) ? obj : obj[e]
           end
         end
         { node: obj, parent: parent }
@@ -147,6 +158,18 @@ def set_header(header, params)
         header[@config['oaepHashingAlgorithmHeaderName']] = params[:oaepHashingAlgorithm].sub('-', '')
         header[@config['publicKeyFingerprintHeaderName']] = params[:publicKeyFingerprint]
       end
+
+      def json_root?(elem)
+        elem == '$'
+      end
+
+      def compute_body(config_param, body_map)
+        encryption_param?(config_param, body_map) ? body_map[0] : yield
+      end
+
+      def encryption_param?(enc_param, body_map)
+        enc_param.length == 1 && body_map.length == 1
+      end
     end
   end
 end

lib/mcapi/encryption/openapi_interceptor.rb

@@ -15,7 +15,7 @@ class << self
         # adding encryption/decryption capabilities for the request/response payload.
         #
         # @param [Object] swagger_client OpenAPI service client (it can be generated by the swagger code generator)
-        # @param [Object] config configuration object describing which field to enable encryption/decryption
+        # @param [Hash] config configuration object describing which field to enable encryption/decryption
         #
         def install_field_level_encryption(swagger_client, config)
           fle = McAPI::Encryption::FieldLevelEncryption.new(config)
@@ -45,7 +45,7 @@ def hook_call_api(fle)
         def hook_deserialize(fle)
           self.class.send :define_method, :init_deserialize do |client|
             client.define_singleton_method(:deserialize) do |response, return_type|
-              if response && response.body
+              if response&.body
                 endpoint = response.request.base_url.sub client.config.base_url, ''
                 to_decrypt = { headers: McAPI::Utils.parse_header(response.options[:response_headers]),
                                request: { url: endpoint },

lib/mcapi/encryption/utils/openssl_rsa_oaep.rb

@@ -51,7 +51,7 @@ def check_oaep_mgf1(str, label = '', md = nil, mgf1md = nil)
       em = str.bytes
       raise OpenSSL::PKey::RSAError if em.size < 2 * mdlen + 2
 
-      # Keep constant calculation even if the text is invaid in order to avoid attacks.
+      # Keep constant calculation even if the text is invalid in order to avoid attacks.
       good = secure_byte_is_zero(em[0])
       masked_seed = em[1...1 + mdlen].pack('C*')
       masked_db = em[1 + mdlen...em.size].pack('C*')

lib/mcapi/encryption/utils/utils.rb

@@ -66,22 +66,27 @@ def self.contains(config, props)
     def self.mutate_obj_prop(path, value, obj, src_path = nil, properties = [])
       tmp = obj
       prev = nil
-      return unless path
+      return obj unless path
 
       delete_node(src_path, obj, properties) if src_path
       paths = path.split('.')
-      paths.each do |e|
-        tmp[e] = {} unless tmp[e]
-        prev = tmp
-        tmp = tmp[e]
+      unless path == '$'
+        paths.each do |e|
+          tmp[e] = {} unless tmp[e]
+          prev = tmp
+          tmp = tmp[e]
+        end
       end
       elem = path.split('.').pop
-      if value.is_a?(Hash) && !value.is_a?(Array)
+      if elem == '$'
+        obj = value # replace root
+      elsif value.is_a?(Hash) && !value.is_a?(Array)
         prev[elem] = {} unless prev[elem].is_a?(Hash)
         override_props(prev[elem], value)
       else
         prev[elem] = value
       end
+      obj
     end
 
     def self.override_props(target, obj)
@@ -105,6 +110,7 @@ def self.delete_node(path, obj, properties = [])
         obj = obj[e]
         prev.delete(to_delete) if obj && index == paths.size - 1
       end
+      obj.keys.each { |e| obj.delete(e) } if paths.length == 1 && paths[0] == '$'
       properties.each { |e| obj.delete(e) } if paths.empty?
     end
 

sonar-project.properties

@@ -0,0 +1,4 @@
+sonar.projectKey=Mastercard_client-encryption-ruby
+sonar.organization=mastercard
+sonar.projectName=client-encryption-ruby
+sonar.host.url=https://sonarcloud.io

test/mock/config.json

@@ -29,6 +29,36 @@
           "obj": "foo"
         }
       ]
+    },
+    {
+      "path": "/array-resp$",
+      "toEncrypt": [
+        {
+          "element": "$",
+          "obj": "$"
+        }
+      ],
+      "toDecrypt": [
+        {
+          "element": "$",
+          "obj": "$"
+        }
+      ]
+    },
+    {
+      "path": "/array-resp2",
+      "toEncrypt": [
+        {
+          "element": "$",
+          "obj": "$"
+        }
+      ],
+      "toDecrypt": [
+        {
+          "element": "$",
+          "obj": "path.to.foo"
+        }
+      ]
     }
   ],
   "oaepPaddingDigestAlgorithm": "SHA-512",

test/test_crypto_cryptography.rb

@@ -20,7 +20,8 @@ def test_encrypt_valid_obj_key_and_iv
   def test_decrypt_valid_obj
     resp = @crypto.decrypt_data('3590b63d1520a57bd4cd1414a7a75f47d65f99e1427d6cfe744d72ee60f2b232',
                                 '6f38f3ecd8b92c2fd2537a7235deb9a8',
-                                'e283a661efa235fbc5e7243b7b78914a7f33574eb66cc1854829f7debfce4163f3ce86ad2c3ed2c8fe97b2258ab8a158281147698b7fddf5e82544b0b637353d2c204798f014112a5e278db0b29ad852b1417dc761593fad3f0a1771797771796dc1e8ae916adaf3f4486aa79af9d4028bc8d17399d50c80667ea73a8a5d1341a9160f9422aaeb0b4667f345ea637ac993e80a452cb8341468483b7443f764967264aaebb2cad4513e4922d076a094afebcf1c71b53ba3cfedb736fa2ca5de5c1e2aa88b781d30c27debd28c2f5d83e89107d5214e3bb3fe186412d78cefe951e384f236e55cd3a67fb13c0d6950f097453f76e7679143bd4e62d986ce9dc770')
+                                'e283a661efa235fbc5e7243b7b78914a7f33574eb66cc1854829f7debfce4163f3ce86ad2c3ed2c8fe97b2258ab8a158281147698b7fddf5e82544b0b637353d2c204798f014112a5e278db0b29ad852b1417dc761593fad3f0a1771797771796dc1e8ae916adaf3f4486aa79af9d4028bc8d17399d50c80667ea73a8a5d1341a9160f9422aaeb0b4667f345ea637ac993e80a452cb8341468483b7443f764967264aaebb2cad4513e4922d076a094afebcf1c71b53ba3cfedb736fa2ca5de5c1e2aa88b781d30c27debd28c2f5d83e89107d5214e3bb3fe186412d78cefe951e384f236e55cd3a67fb13c0d6950f097453f76e7679143bd4e62d986ce9dc770',
+                                'SHA-512')
     assert_equal resp, '{"text":"message"}'
   end
 
@@ -37,7 +38,8 @@ def test_decrypt3_aes
       # iv
       'fb2057968fa06067b6ab4c732c32cbcd',
       # key
-      '7686c2472f8d53175074dd2830b4f875753343e59eec16a131f26e9e8026c3052993d8c9ad6eba04048f6a54b64160a13da28333816dfc178db2ed30068519d211c84fd7edc79838b58e97bb688b46215614308760e49d2fec95bfdf0570ce9fc5cdf814dca0dfface3d67b24b743d6003a072a882c1662ee24a9adf8b4d5825b5be74e6b73f9d08a8a2099a3fb875240ada002397c47be8a71c74e864bf8b1654365ddd2efe7b2ee44a75e08979993bfc1727cb8304607e295cab2e2dd8a8776e9678e8b9653b7e831d7b50a08d5ed1ac8c15f2933bcefef8d5b160d3a296bbdeac9d355879c0f8fc97860e17537465534095581374e9f29b1c10c7e860a638'
+      '7686c2472f8d53175074dd2830b4f875753343e59eec16a131f26e9e8026c3052993d8c9ad6eba04048f6a54b64160a13da28333816dfc178db2ed30068519d211c84fd7edc79838b58e97bb688b46215614308760e49d2fec95bfdf0570ce9fc5cdf814dca0dfface3d67b24b743d6003a072a882c1662ee24a9adf8b4d5825b5be74e6b73f9d08a8a2099a3fb875240ada002397c47be8a71c74e864bf8b1654365ddd2efe7b2ee44a75e08979993bfc1727cb8304607e295cab2e2dd8a8776e9678e8b9653b7e831d7b50a08d5ed1ac8c15f2933bcefef8d5b160d3a296bbdeac9d355879c0f8fc97860e17537465534095581374e9f29b1c10c7e860a638',
+      'SHA-256'
     )
     resp = JSON.parse(resp)
     assert !resp['mapping'].nil?