First release 0.0.1

Author: ghn

.gitignore

@@ -0,0 +1,5 @@
+*.pyc
+build/*
+dist/*
+*.egg-info/
+.eggs/*

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 digitalepidemiologylab
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,27 @@
+# Rails ActiveRecord encryption for python
+
+Rails 7 introduced a new option in ActiveRecord to encrypt data.
+
+This library aims at decrypting the data with a simple interface.
+
+## Usage
+
+1. Find your credentials `primary_key` and `key_derivation_salt` (those generated by Rails `bin/rails db:encryption:init` - see RoR docs linked below)
+1. Add the package `pip install git+ssh://git@github.com/digitalepidemiologylab/rails_ar_encryption.git`
+1. Use it
+
+```
+from rails_ar_encryption import derive_key, decrypt
+
+# step 1 - derive the encryption key
+key = derive_key(primary_key, key_derivation_salt)
+
+# step 2 - decrypt message (message is the full payload generated by Rails)
+clear_text = decrypt(message, key)
+```
+
+Have a look at a working [example](example.py).
+
+## Notes
+
+* [Rails active record encryption](https://edgeguides.rubyonrails.org/active_record_encryption.html)

example.py

@@ -0,0 +1,11 @@
+from rails_ar_encryption.base import derive_key, decrypt
+
+# RUN TEST
+password = "ptJvigCRrrlKX29kU4bx80FUmxmjUej0"
+salt = "dMoxVXAxoRrnOutfiPyeYqtfMiFICTva"
+message = {"p":"SY0Ky7wFH3i6s73Bi7LL2cI=","h":{"iv":"mr7kZJHH2DOYZDM6","at":"qlrSLDRNH0qpB9/ATlHbQg=="}}
+
+key = derive_key(password, salt)
+clear_text = decrypt(message, key)
+
+print("Decrypted data is => {}".format(clear_text))

rails_ar_encryption/__init__.py

@@ -0,0 +1 @@
+from .base import derive_key, decrypt

rails_ar_encryption/base.py

@@ -0,0 +1,27 @@
+from base64 import b64decode
+from Crypto.Cipher import AES
+from Crypto.Hash import SHA1
+from Crypto.Protocol.KDF import PBKDF2
+
+def decrypt(message, key):
+ """
+ Decrypt message just like it's done on Rails side, see:
+ https://github.com/rails/rails/blob/main/activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb
+ """
+ headers = message["h"]
+ 
+ ciphertext = b64decode(message["p"])
+ nonce = b64decode(headers["iv"])
+ tag = b64decode(headers["at"])
+
+ cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
+
+ return cipher.decrypt_and_verify(ciphertext, tag).decode()
+
+
+def derive_key(password, salt):
+ """"
+ Derive the key just like it's done on Rails side, see:
+ https://github.com/rails/rails/blob/main/activesupport/lib/active_support/key_generator.rb#L39
+ """
+ return PBKDF2(password, salt, 32, count=2**16, hmac_hash_module=SHA1)

setup.py

@@ -0,0 +1,20 @@
+from setuptools import setup, find_packages
+
+with open("README.md", "r", encoding = "utf-8") as fh:
+ long_description = fh.read()
+
+setup(
+ name="rails-ar-encryption",
+ version="0.0.1",
+ author="ghn",
+ description="Decrypts Rails payload.",
+ long_description = long_description,
+ long_description_content_type = "text/markdown",
+ packages=find_packages(),
+ include_package_data=True,
+ install_requires=["pycryptodome"],
+ classifiers=[
+ "Programming Language :: Python :: 3",
+ ],
+ python_requires='>=3.6'
+)