padrino-framework | Padrino is a full-stack ruby framework built upon Sinatra | Firewall library
kandi X-RAY | padrino-framework Summary
Padrino is a full-stack ruby framework built upon Sinatra.
Top functions reviewed by kandi - BETA
- Creates a new Rack application.
- Requires that the given file has been loaded.
- Maps the routes to the router.
- Tries to load the file if it has not already been loaded.
- Renders a template.
- Returns an array of all the sources in the source_source.
- Initializes a new App instance.
- Adds a part to this part.
- Configures the shipping method.
Community Discussions
Trending Discussions on padrino-framework
QUESTION
I need to know that the plaintext/ciphertext being sent to Google CloudKMS, and the public/private key used to authenticate, are secure in transit, but I don't know how to prove that.
As per KMS docs, I created a service account, downloaded the JSON key file, and have hooked it up via the environment variable GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account-key.json.
I am using the google-api-client gem (at version 0.10.3, released 13 months ago, because I can't install mime-types >= 3.0 whilst using padrino-mailer: see this commit), have tested the Google::Apis::CloudkmsV1::CloudKMSService methods encrypt_crypto_key and decrypt_crypto_key, and they're working nicely.
I have tried reading through the source code of the google-api-client, googleauth, and signet gems. All I'm certain of is:
- The JSON key file is loaded and the private_key value is used to make OpenSSL::PKey::RSA.new here.
- Signet::OAuth2::Client is given the RSA key as signing_key in this file.
I would consider the security proven if the JSON key file is used to encrypt the string sent through encrypt_crypto_key on the calling server, and likewise to decrypt the string received by decrypt_crypto_key, and the CloudKMS server on the other end behaves similarly. This is what I'm assuming the library does (end-to-end encryption), but I must see it to believe it. I attempted to view the traffic in Wireshark but couldn't make any sense of it (maybe that fact proves it? I don't know).
Can anyone help me prove or disprove that this method of calling CloudKMS to encrypt/decrypt user data (using the google-api-client gem with a JSON key file downloaded as per the docs) is secure?
Related: for those of you who are interested, the CloudKMS API is on the roadmap to be included in the newer google-cloud gem.
...ANSWER
Answered 2018-May-01 at 14:24
The communications between your client and Google are secured via TLS. You can see in Wireshark that the communications are on port 443 and that a TLS connection is negotiated.
Your requests are authenticated using OAuth. In this case (using a service account from outside of GCP), this is done using the flow documented in Using OAuth 2.0 for Server to Server Applications:
- you are responsible for provisioning your off-GCP app with the private key issued to the service account you wish to assert;
- it then uses that private key to sign a JWT and submit it to Google's OAuth server;
- Google replies with an OAuth access token which is a bearer credential which identifies the service account in question;
- You then provide that access token with your requests to KMS to identify the entity making the requests as the service account and using its authority;
- KMS and GCP then use that identity to evaluate IAM access controls to determine whether particular operations are authorized.
This is secured end-to-end (the TLS connection is end-to-end security since the parties to the communication, your service and Google, are the TLS endpoints). Since your question seems to be "are these requests secure in transit, and how can I show this", I think it's sufficient to show that a TLS connection is being negotiated; Wireshark should be able to show you this. (Your connection library also needs to be doing a suitable PKI evaluation of the presented certificate; validating that this is taking place correctly is a little more involved, but it's a reasonable thing to trust is happening correctly if you investigate the tools you're using and their assertions around certificate validation.)
Best wishes and thanks for using GCP and Cloud KMS. Let us know if you have any further questions.
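The flow the answer describes, written out as an added example in plain Ruby (this is not code from the answer, the google-api-client/googleauth/signet gems, or the Padrino project). The service-account JSON is constructed inline with a locally generated RSA key so the example runs offline; the client_email and the key path are made-up names. It shows the two things the answer says matter: the private key only ever produces a signature over a JWT (it is never sent), and the resulting bearer token travels inside a TLS connection whose peer certificate is verified.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'net/http'
require 'uri'

# Constructed stand-in for the downloaded service-account key file. Field names
# match the real JSON key format; the RSA key is generated here so nothing real
# is embedded and the example runs offline. The email is an assumed name.
def constructed_service_account_json
  key = OpenSSL::PKey::RSA.new(2048)
  {
    'type' => 'service_account',
    'client_email' => 'kms-caller@example-project.iam.gserviceaccount.com',
    'private_key' => key.to_pem,
    'token_uri' => 'https://oauth2.googleapis.com/token'
  }.to_json
end

def base64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Client side: sign a JWT assertion with the service account's private key.
# Only header.claims.signature leaves the machine; the key itself does not.
def build_assertion(sa_json, scope, now: Time.now)
  sa = JSON.parse(sa_json)
  key = OpenSSL::PKey::RSA.new(sa.fetch('private_key'))
  header = { 'alg' => 'RS256', 'typ' => 'JWT' }
  claims = {
    'iss' => sa.fetch('client_email'),
    'scope' => scope,
    'aud' => sa.fetch('token_uri'),
    'iat' => now.to_i,
    'exp' => now.to_i + 3600
  }
  signing_input = "#{base64url(header.to_json)}.#{base64url(claims.to_json)}"
  signature = key.sign(OpenSSL::Digest::SHA256.new, signing_input)
  "#{signing_input}.#{base64url(signature)}"
end

# Server side (what the OAuth token endpoint must do before issuing a bearer
# token): check the RS256 signature against the account's public key, then the
# audience and expiry. Returns [ok, issuer_or_reason].
def verify_assertion(jwt, public_key_pem, expected_aud, now: Time.now)
  h64, c64, s64 = jwt.split('.')
  return [false, 'malformed'] unless h64 && c64 && s64
  header = JSON.parse(Base64.urlsafe_decode64(h64))
  return [false, 'alg'] unless header['alg'] == 'RS256'
  pub = OpenSSL::PKey::RSA.new(public_key_pem)
  sig = Base64.urlsafe_decode64(s64)
  begin
    valid = pub.verify(OpenSSL::Digest::SHA256.new, sig, "#{h64}.#{c64}")
  rescue OpenSSL::PKey::PKeyError
    valid = false
  end
  return [false, 'signature'] unless valid
  claims = JSON.parse(Base64.urlsafe_decode64(c64))
  return [false, 'aud'] unless claims['aud'] == expected_aud
  return [false, 'expired'] unless claims['exp'].to_i > now.to_i
  [true, claims['iss']]
end

# Client side again: the access token Google returns is a bearer credential,
# attached as an Authorization header on the KMS request. The request is built
# but not sent, so this runs offline; a caller would do http.request(req).
# URL and body follow the public v1 REST shape (cryptoKeys/*:encrypt, base64
# plaintext); VERIFY_PEER makes the library reject an unverifiable certificate.
def kms_encrypt_request(access_token, crypto_key_path, plaintext)
  uri = URI("https://cloudkms.googleapis.com/v1/#{crypto_key_path}:encrypt")
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  req = Net::HTTP::Post.new(uri)
  req['Authorization'] = "Bearer #{access_token}"
  req['Content-Type'] = 'application/json'
  req.body = { 'plaintext' => Base64.strict_encode64(plaintext) }.to_json
  [http, req]
end
```

Note what the example does not do: the plaintext handed to KMS is not encrypted by the service-account key on the client. It is protected in transit only by TLS, exactly as the answer says, and KMS performs the actual encryption with the named crypto key on Google's side.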
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install padrino-framework
On a UNIX-like operating system, using your system's package manager is easiest. However, the packaged Ruby version may not be the newest one. There is also an installer for Windows. Managers help you to switch between multiple Ruby versions on your system. Installers can be used to install a specific Ruby version or multiple Ruby versions. Please refer to ruby-lang.org for more information.