Module: Legate::Auth::Encryption

Defined in:
lib/legate/auth/encryption.rb

Overview

Provides encryption and decryption utilities for sensitive authentication data. Uses the rbnacl gem (libsodium bindings) for authenticated encryption, so a ciphertext that has been modified is rejected on decryption rather than decrypted to garbage. Keys are handled as strict-Base64 strings: generate_key produces a random 32-byte key (RbNaCl::SecretBox.key_bytes) and returns it Base64-encoded, and encrypt returns the ENCRYPTION_HEADER prefix followed by the strict-Base64 ciphertext. The private helpers require_rbnacl, get_encryption_key and create_box that these methods call are not shown on this page.

Constant Summary

ENV_KEY_NAME = 'LEGATE_AUTH_ENCRYPTION_KEY'

Environment variable name for the encryption key; it is read when no key argument is passed, and holds a Base64 key such as the one generate_key returns.

ENCRYPTION_HEADER = 'LGTAUTH'

Header prefixed to encrypted data for identification. It is a format marker only: decrypt strips it before decoding and it is not covered by the authentication tag.

Class Method Summary

  • .decrypt(encrypted_data, key = nil) ⇒ String
  • .encrypt(data, key = nil) ⇒ String
  • .encrypted?(data) ⇒ Boolean
  • .generate_key ⇒ String

Class Method Details

.decrypt(encrypted_data, key = nil) ⇒ String

Decrypts data produced by encrypt. The ENCRYPTION_HEADER prefix is checked and stripped, the remainder is strict-Base64 decoded, and the authenticated ciphertext is opened. If the ciphertext was modified or the key is wrong, the authentication check fails and an ArgumentError is raised; no partially decrypted data is returned.

Parameters:

  • encrypted_data (String)

    The encrypted data to decrypt

  • key (String, nil) (defaults to: nil)

    The encryption key (defaults to the key from environment)

Returns:

  • (String)

    The decrypted data

Raises:

  • (LoadError)

    If the rbnacl gem is not available

  • (ArgumentError)

    If the data is not in the expected format or the key is invalid



# File 'lib/legate/auth/encryption.rb', line 38

def decrypt(encrypted_data, key = nil)
  require_rbnacl
  encryption_key = key || get_encryption_key

  # Check format and remove header
  raise ArgumentError, 'Invalid encrypted data format' unless encrypted_data.to_s.start_with?(ENCRYPTION_HEADER)

  encoded = encrypted_data.to_s[ENCRYPTION_HEADER.length..-1]
  require 'base64'
  # Only the Base64 step is wrapped here; a blanket rescue of ArgumentError
  # would relabel the header check and a missing-key error as Base64 failures
  begin
    encrypted = Base64.strict_decode64(encoded)
  rescue ArgumentError => e
    raise ArgumentError, "Invalid Base64 encoding: #{e.message}"
  end

  box = create_box(encryption_key)
  # The authentication tag is verified before any plaintext is returned
  box.decrypt(encrypted)
rescue RbNaCl::CryptoError => e
  raise ArgumentError, "Decryption failed: #{e.message}"
end

.encrypt(data, key = nil) ⇒ String

Encrypts data with authenticated encryption. The value is converted with to_s before encryption, and the result is ENCRYPTION_HEADER followed by the strict-Base64 ciphertext, which is the only format decrypt accepts.

Parameters:

  • data (String)

    The data to encrypt

  • key (String, nil) (defaults to: nil)

    The encryption key (defaults to the key from environment)

Returns:

  • (String)

    The encrypted data in Base64 format with header

Raises:

  • (LoadError)

    If the rbnacl gem is not available

  • (ArgumentError)

    If the encryption key is not available



# File 'lib/legate/auth/encryption.rb', line 22

def encrypt(data, key = nil)
  require_rbnacl
  encryption_key = key || get_encryption_key

  require 'base64'
  box = create_box(encryption_key)
  # Non-String values (including nil) are coerced with to_s before encryption
  encrypted = box.encrypt(data.to_s)
  # The header lets decrypt and encrypted? recognise the format; it is not authenticated
  "#{ENCRYPTION_HEADER}#{Base64.strict_encode64(encrypted)}"
end

.encrypted?(data) ⇒ Boolean

Checks whether the data carries the ENCRYPTION_HEADER prefix. This is a format check only: it does not decode the Base64 payload and does not verify the authentication tag, so a true result does not guarantee that decrypt will succeed.

Parameters:

  • data (String)

    The data to check (converted with to_s)

Returns:

  • (Boolean)

    True if the data starts with ENCRYPTION_HEADER



# File 'lib/legate/auth/encryption.rb', line 70

def encrypted?(data)
  data.to_s.start_with?(ENCRYPTION_HEADER)
end

.generate_key ⇒ String

Generates a new random encryption key of RbNaCl::SecretBox.key_bytes (32) bytes using RbNaCl::Random and returns it strict-Base64 encoded, in the form expected in LEGATE_AUTH_ENCRYPTION_KEY

Returns:

  • (String)

    A new 32-byte encryption key, strict-Base64 encoded

Raises:

  • (LoadError)

    If the rbnacl gem is not available



# File 'lib/legate/auth/encryption.rb', line 60

def generate_key
  require_rbnacl
  require 'base64'
  raw_key = RbNaCl::Random.random_bytes(RbNaCl::SecretBox.key_bytes)
  Base64.strict_encode64(raw_key)
end
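
The checks a practitioner would run before trusting a key taken from LEGATE_AUTH_ENCRYPTION_KEY (it must be strict Base64 and decode to the 32 bytes generate_key produces), together with a demonstration that encrypted? is a format check and not an integrity check: a ciphertext with one flipped bit still carries the header, but decrypt must reject it. This is an added example written for this page, not code from the Legate project. The LegateKeyCheck module name, the require path legate/auth/encryption, and the assumption that encrypt and decrypt accept the Base64 key string generate_key returns are assumptions of the example; everything except round_trip needs only the Ruby standard library, and round_trip reports :skipped when the legate or rbnacl gems are not installed.

```ruby
# Added example (not part of the Legate project): pre-flight checks for the
# value of LEGATE_AUTH_ENCRYPTION_KEY and a tamper helper showing that
# encrypted? is only a format check. Needs only the Ruby standard library;
# round_trip additionally uses the legate and rbnacl gems when installed.
require 'base64'

module LegateKeyCheck
  ENV_KEY_NAME = 'LEGATE_AUTH_ENCRYPTION_KEY'
  ENCRYPTION_HEADER = 'LGTAUTH'
  KEY_BYTES = 32 # RbNaCl::SecretBox.key_bytes, the size generate_key produces

  module_function

  # Decodes a key in the format generate_key returns (strict Base64 of 32 bytes)
  # and names the specific defect instead of a generic decode error.
  def decode_key(encoded)
    raise ArgumentError, 'key is empty' if encoded.nil? || encoded.empty?
    raw = begin
      Base64.strict_decode64(encoded)
    rescue ArgumentError
      raise ArgumentError, 'key is not strict Base64 (newline, space or missing padding?)'
    end
    return raw if raw.bytesize == KEY_BYTES
    raise ArgumentError, "key decodes to #{raw.bytesize} bytes, expected #{KEY_BYTES}"
  end

  def valid_key?(encoded)
    decode_key(encoded)
    true
  rescue ArgumentError
    false
  end

  # Same test as Encryption.encrypted?: a prefix match, nothing more.
  def looks_encrypted?(data)
    data.to_s.start_with?(ENCRYPTION_HEADER)
  end

  # Raw ciphertext bytes of an envelope (header stripped, Base64 decoded),
  # or nil when the header or the Base64 payload is malformed.
  def payload(envelope)
    s = envelope.to_s
    return nil unless s.start_with?(ENCRYPTION_HEADER)
    Base64.strict_decode64(s[ENCRYPTION_HEADER.length..-1])
  rescue ArgumentError
    nil
  end

  # Flips one bit of the ciphertext and re-wraps it. The result still passes
  # looks_encrypted?, but decrypt must reject it because the authentication
  # tag no longer matches.
  def tamper(envelope, byte_index = 0)
    raw = payload(envelope)
    raise ArgumentError, 'not a Legate envelope' if raw.nil? || raw.empty?
    bytes = raw.bytes
    bytes[byte_index % bytes.length] ^= 0x01
    "#{ENCRYPTION_HEADER}#{Base64.strict_encode64(bytes.pack('C*'))}"
  end

  # Round trip through the real module; :skipped when the gems are absent.
  # Assumes lib/ is on the load path (require path is an assumption) and that
  # encrypt/decrypt accept the Base64 key string generate_key returns.
  def round_trip(plaintext)
    require 'legate/auth/encryption'
    enc = Legate::Auth::Encryption
    key = enc.generate_key
    envelope = enc.encrypt(plaintext, key)
    return :mismatch unless enc.decrypt(envelope, key) == plaintext
    begin
      enc.decrypt(tamper(envelope), key)
      :tamper_not_detected
    rescue ArgumentError
      :ok
    end
  rescue LoadError
    :skipped
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: 32 zero bytes, never a real key.
  sample = Base64.strict_encode64("\x00" * 32)
  puts "sample key valid: #{LegateKeyCheck.valid_key?(sample)}"
  puts "env key valid:    #{LegateKeyCheck.valid_key?(ENV[LegateKeyCheck::ENV_KEY_NAME])}"
  puts "round trip:       #{LegateKeyCheck.round_trip('session-token')}"
end
```

Run this once in the deployment environment: a false from valid_key? on the environment value means decrypt will fail on every call with the module's own 'Invalid Base64 encoding' or key error, which is easier to diagnose before the first request than after it. The tamper helper decodes, flips a bit and re-encodes rather than editing the Base64 text directly, so the tampered envelope is still well-formed and reaches the authentication check, which is the property being demonstrated.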