Merge pull request #10 from evervault/deirdre/pro-800-add-outbound-to-ruby-sdk

Adding outbound interception

Author: DeirdreCleary

lib/evervault/client.rb

@@ -1,4 +1,6 @@
 require_relative "http/request"
+require_relative "http/request_handler"
+require_relative "http/request_intercept"
 require_relative "crypto/client"
 require_relative "models/cage_list"
 
@@ -9,30 +11,30 @@ class Client
     def initialize(
       api_key:,
       base_url: "https://api.evervault.com/",
-      cage_run_url: "https://cage.run/",
+      cage_run_url: "https://run.evervault.com/",
+      relay_url: "https://relay.evervault.com:8443",
+      ca_host: "https://ca.evervault.com",
       request_timeout: 30,
-      curve: 'secp256k1'
+      curve: 'prime256v1'
     )
-      @api_key = api_key
-      @base_url = base_url
-      @cage_run_url = cage_run_url
-      @curve = curve
-      @request =
-        Evervault::Http::Request.new(
-          api_key: api_key,
-          timeout: request_timeout,
-          base_url: base_url,
-          cage_run_url: cage_run_url
+      @request = Evervault::Http::Request.new(timeout: request_timeout, api_key: api_key)
+      @intercept = Evervault::Http::RequestIntercept.new(
+        request: @request, ca_host: ca_host, api_key: api_key, relay_url: relay_url
+      )
+      @request_handler =
+        Evervault::Http::RequestHandler.new(
+          request: @request, base_url: base_url, cage_run_url: cage_run_url, cert: @intercept
         )
-      @crypto_client = Evervault::Crypto::Client.new(request: @request, curve: @curve)
+      @crypto_client = Evervault::Crypto::Client.new(request_handler: @request_handler, curve: curve)
+      @intercept.setup()
     end
 
     def encrypt(data)
       @crypto_client.encrypt(data)
     end
 
     def run(cage_name, encrypted_data, options = {})
-      @request.post(cage_name, encrypted_data, options: options, cage_run: true)
+      @request_handler.post(cage_name, encrypted_data, options: options, cage_run: true)
     end
 
     def encrypt_and_run(cage_name, data, options = {})
@@ -45,8 +47,12 @@ def cages
     end
 
     def cage_list
-      cages = @request.get("cages")
+      cages = @request_handler.get("cages")
       @cage_list ||= Evervault::Models::CageList.new(cages: cages["cages"], request: @request)
     end
+
+    def relay(decryption_domains=[])
+      @intercept.setup_domains(decryption_domains)
+    end
   end
 end

lib/evervault/crypto/client.rb

@@ -9,14 +9,14 @@
 module Evervault
   module Crypto
     class Client
-      attr_reader :request
-      def initialize(request:, curve:)
+      attr_reader :request_handler
+      def initialize(request_handler:, curve:)
         @curve = curve
         @p256 = Evervault::Crypto::Curves::P256.new()
         @ev_version = base_64_remove_padding(
             Base64.strict_encode64(EV_VERSION[curve])
         )
-        response = request.get("cages/key")
+        response = request_handler.get("cages/key")
         key = @curve == 'secp256k1' ? 'ecdhKey' : 'ecdhP256Key'
         @team_key = response[key]
       end
@@ -25,6 +25,10 @@ def encrypt(data)
         raise Evervault::Errors::UndefinedDataError.new(
           "Data is required for encryption"
         ) if data.nil? || (data.instance_of?(String) && data.empty?)
+
+        raise Evervault::Errors::UnsupportedEncryptType.new(
+          "Encryption is not supported for #{data.class}"
+        ) if !(encryptable_data?(data) || data.instance_of?(Hash) || data.instance_of?(Array))
 
         traverse_and_encrypt(data)
       end
@@ -59,6 +63,10 @@ def encrypt(data)
         elsif data.instance_of?(Array)
           encrypted_data = data.map { |value| traverse_and_encrypt(value) }
           return encrypted_data
+        else
+          raise Evervault::Errors::UnsupportedEncryptType.new(
+            "Encryption is not supported for #{data.class}"
+          )
         end
         data
       end

lib/evervault/errors/error_map.rb

@@ -3,7 +3,7 @@
 module Evervault
   module Errors
     class ErrorMap
-      def self.raise_errors_on_failure(status_code, body)
+      def self.raise_errors_on_failure(status_code, body, headers)
         return if status_code < 400
         case status_code
         when 404
@@ -13,7 +13,11 @@ def self.raise_errors_on_failure(status_code, body)
         when 401
           raise AuthenticationError.new("Unauthorized")
         when 403
-          raise AuthenticationError.new("Forbidden")
+          if (headers.include? "x-evervault-error-code") && (headers["x-evervault-error-code"] == "forbidden-ip-error")
+            raise ForbiddenIPError.new("IP is not present in Cage whitelist")
+          else
+            raise AuthenticationError.new("Forbidden")
+          end
         when 500
           raise ServerError.new("Server Error")
         when 502

lib/evervault/errors/errors.rb

@@ -23,5 +23,11 @@ class UndefinedDataError < EvervaultError; end
     class InvalidPublicKeyError < EvervaultError; end
 
     class UnexpectedError < EvervaultError; end
+
+    class CertDownloadError < EvervaultError; end
+
+    class UnsupportedEncryptType < EvervaultError; end
+
+    class ForbiddenIPError < EvervaultError; end
   end
 end

lib/evervault/http/request.rb

@@ -6,41 +6,24 @@
 module Evervault
   module Http
     class Request
-      def initialize(api_key:, base_url:, cage_run_url:, timeout:)
-        @api_key = api_key
+      def initialize(timeout:, api_key:)
         @timeout = timeout
-        @base_url = base_url
-        @cage_run_url = cage_run_url
-      end
-
-      def get(path, params = nil)
-        execute(:get, build_url(path), params)
-      end
-
-      def put(path, params)
-        execute(:put, build_url(path), params)
-      end
-
-      def delete(path, params)
-        execute(:delete, build_url(path), params)
-      end
-
-      def post(path, params, options: {}, cage_run: false)
-        execute(:post, build_url(path, cage_run), params, build_cage_run_headers(options, cage_run))
-      end
-
-      private def build_url(path, cage_run = false)
-        return "#{@base_url}#{path}" unless cage_run
-        "#{@cage_run_url}#{path}"
+        @api_key = api_key
       end
 
-      def execute(method, url, params, optional_headers = {})
+      def execute(method, url, params, optional_headers = {}, is_ca = false)
         resp = Faraday.send(method, url) do |req|
             req.body = params.nil? || params.empty? ? nil : params.to_json
             req.headers = build_headers(optional_headers)
+            req.options.timeout = @timeout
         end
-        return JSON.parse(resp.body) if resp.status >= 200 && resp.status <= 300
-        Evervault::Errors::ErrorMap.raise_errors_on_failure(resp.status, resp.body)
+        if resp.status >= 200 && resp.status <= 300
+          if is_ca
+            return resp.body
+          end
+          return JSON.parse(resp.body)
+        end
+        Evervault::Errors::ErrorMap.raise_errors_on_failure(resp.status, resp.body, resp.headers)
       end
 
       private def build_headers(optional_headers)
@@ -49,27 +32,9 @@ def execute(method, url, params, optional_headers = {})
           "Accept": "application/json",
           "Content-Type": "application/json",
           "User-Agent": "evervault-ruby/#{VERSION}",
-          "Api-Key": @api_key
+          "Api-Key": @api_key,
         })
       end
-
-      private def build_cage_run_headers(options, cage_run = false)
-        optional_headers = {}
-        return optional_headers unless cage_run
-        if options.key?(:async)
-          if options[:async]
-            optional_headers["x-async"] = "true"
-          end
-          options.delete(:async)
-        end
-        if options.key?(:version)
-          if options[:version].is_a? Integer
-            optional_headers["x-version-id"] = options[:version].to_s
-          end
-          options.delete(:version)
-        end
-        optional_headers.merge(options)
-      end
     end
   end
 end

lib/evervault/http/request_handler.rb

@@ -0,0 +1,68 @@
+require "faraday"
+require "json"
+require_relative "../version"
+require_relative "../errors/error_map"
+
+module Evervault
+  module Http
+    class RequestHandler
+      def initialize(request:, base_url:, cage_run_url:, cert:)
+        @request = request
+        @base_url = base_url
+        @cage_run_url = cage_run_url
+        @cert = cert
+      end
+
+      def get(path, params = nil)
+        if @cert.is_certificate_expired()
+          @cert.setup()
+        end
+        @request.execute(:get, build_url(path), params)
+      end
+
+      def put(path, params)
+        if @cert.is_certificate_expired()
+          @cert.setup()
+        end
+        @request.execute(:put, build_url(path), params)
+      end
+
+      def delete(path, params)
+        if @cert.is_certificate_expired()
+          @cert.setup()
+        end
+        @request.execute(:delete, build_url(path), params)
+      end
+
+      def post(path, params, options: {}, cage_run: false)
+        if @cert.is_certificate_expired()
+          @cert.setup()
+        end
+        @request.execute(:post, build_url(path, cage_run), params, build_cage_run_headers(options, cage_run))
+      end
+
+      private def build_url(path, cage_run = false)
+        return "#{@base_url}#{path}" unless cage_run
+        "#{@cage_run_url}#{path}"
+      end
+
+      private def build_cage_run_headers(options, cage_run = false)
+        optional_headers = {}
+        return optional_headers unless cage_run
+        if options.key?(:async)
+          if options[:async]
+            optional_headers["x-async"] = "true"
+          end
+          options.delete(:async)
+        end
+        if options.key?(:version)
+          if options[:version].is_a? Integer
+            optional_headers["x-version-id"] = options[:version].to_s
+          end
+          options.delete(:version)
+        end
+        optional_headers.merge(options)
+      end
+    end
+  end
+end