Encrypted source URLs suport

DarthSim · DarthSim · commit 8392acd21cd8 · 2022-09-13T16:56:50.000+06:00
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -29,6 +29,9 @@ Style/DoubleNegation:
 Layout/LineLength:
   Max: 100
 
+Metrics/ClassLength:
+  Max: 120
+
 Metrics/BlockLength:
   Exclude:
     - spec/**/*
diff --git a/README.md b/README.md
@@ -98,6 +98,9 @@ end
 - **use_short_options** (`IMGPROXY_USE_SHORT_OPTIONS`) - Use short processing options names (`rs` for `resize`, `g` for `gravity`, etc). Default: true.
 - **base64_encode_urls** (`IMGPROXY_BASE64_ENCODE_URLS`) - Encode source URLs to base64. Default: false.
 - **always_escape_plain_urls** (`IMGPROXY_ALWAYS_ESCAPE_PLAIN_URLS`) - Always escape plain source URLs even when ones don't need to be escaped. Default: false.
+- **source_url_encryption_key** (`IMGPROXY_SOURCE_URL_ENCRYPTION_KEY`) - Hex-encoded source URL encryption key. Default: `nil`.
+- **raw_source_url_encryption_key** (`IMGPROXY_RAW_SOURCE_URL_ENCRYPTION_KEY`) - Raw (not hex-encoded) source URL encryption key. Default: `nil`.
+- **always_encrypt_source_urls** (`IMGPROXY_ALWAYS_ENCRYPT_SOURCE_URLS`) - Always encrypt source URLs. Default: false.
 - **use_s3_urls** (`IMGPROXY_USE_S3_URLS`) - Use `s3://...` source URLs for Active Storage and Shrine attachments stored in Amazon S3. Default: false.
 - **use_gcs_urls** (`IMGPROXY_USE_GCS_URLS`) - Use `gs://...` source URLs for Active Storage and Shrine attachments stored in Google Cloud Storage. Default: false.
 - **gcs_bucket** (`IMGPROXY_GCS_BUCKET`) - Google Cloud Storage bucket name. Default: `nil`.
@@ -328,6 +331,8 @@ Imgproxy.url_for(
 - `base64_encode_url` — per-call redefinition of `base64_encode_urls` config.
 - `escape_plain_url` — per-call redefinition of `always_escape_plain_urls` config.
 - `use_short_options` — per-call redefinition of `use_short_options` config.
+- `encrypt_source_url` - per-call redefinition of `always_encrypt_source_urls` config.
+- `source_url_encryption_iv` - an initialization vector (IV) to be used for the source URL encryption if encryption is needed. If not specified, a random IV is used.
 
 ## Getting the image info
 
@@ -392,6 +397,8 @@ Imgproxy.configure do |config|
     pro.endpoint = "https://pro.imgproxy.com/"
     pro.key = ENV["IMGPROXY_PRO_KEY"]
     pro.salt = ENV["IMGPROXY_PRO_SALT"]
+    pro.source_url_encryption_key = ENV["IMGPROXY_PRO_ENCRYPTION_KEY"]
+    pro.always_encrypt_source_urls = true
   end
 end
 ```
@@ -405,9 +412,11 @@ services:
     endpoint: "https://pro.imgproxy.com/"
     key: <%= ENV["IMGPROXY_PRO_KEY"] %>
     salt: <%= ENV["IMGPROXY_PRO_SALT"] %>
+    source_url_encryption_key: ENV["IMGPROXY_PRO_ENCRYPTION_KEY"]
+    always_encrypt_source_urls: true
 ```
 
-If you don't specify `key`, `salt`, `endpoint`, or `signature_size`, they are inherited from the global configuration.
+If you don't specify `key`, `salt`, `endpoint`, `signature_size`, `source_url_encryption_key`, or `always_encrypt_source_urls`, they are inherited from the global configuration.
 
 Pass the `service` option to `url_for` and `info_url_for`:
 
diff --git a/lib/imgproxy.rb b/lib/imgproxy.rb
@@ -105,6 +105,8 @@ def configure
     # @option options [Boolean] :use_short_options
     # @option options [Boolean] :base64_encode_urls
     # @option options [Boolean] :escape_plain_url
+    # @option options [Boolean] :encrypt_source_url
+    # @option options [Boolean] :source_url_encryption_iv
     # @see https://docs.imgproxy.net/generating_the_url_advanced?id=processing-options
     #   Available imgproxy URL processing options and their arguments
     def url_for(image, options = {})
diff --git a/lib/imgproxy/builder.rb b/lib/imgproxy/builder.rb
@@ -19,6 +19,7 @@ module Imgproxy
   #   builder.url_for("http://images.example.com/images/image2.jpg")
   class Builder
     class UnknownServiceError < StandardError; end
+    class InvalidEncryptionKeyError < StandardError; end
 
     # @param [Hash] options Processing options
     # @see Imgproxy.url_for
@@ -62,15 +63,21 @@ def info_url_for(image)
     attr_reader :service
 
     NEED_ESCAPE_RE = /[@?% ]|[^\p{Ascii}]/.freeze
+    AES_SIZES = { 32 => 256, 24 => 196, 16 => 128 }.freeze
 
+    # rubocop: disable Metrics/AbcSize
     def extract_builder_options(options)
       @service = options.delete(:service)&.to_sym || :default
 
       @use_short_options = not_nil_or(options.delete(:use_short_options), config.use_short_options)
       @base64_encode_url = not_nil_or(options.delete(:base64_encode_url), config.base64_encode_urls)
       @escape_plain_url =
         not_nil_or(options.delete(:escape_plain_url), config.always_escape_plain_urls)
+      @encrypt_source_url =
+        not_nil_or(options.delete(:encrypt_source_url), service_config.always_encrypt_source_urls)
+      @source_url_encryption_iv = options.delete(:source_url_encryption_iv)
     end
+    # rubocop: enable Metrics/AbcSize
 
     def processing_options
       @processing_options ||= @options.map do |key, value|
@@ -81,7 +88,9 @@ def processing_options
     def url(image, ext: nil)
       url = config.url_adapters.url_of(image)
 
-      @base64_encode_url ? base64_url_for(url, ext: ext) : plain_url_for(url, ext: ext)
+      return encrypted_url_for(url, ext: ext) if @encrypt_source_url
+      return base64_url_for(url, ext: ext) if @base64_encode_url
+      plain_url_for(url, ext: ext)
     end
 
     def plain_url_for(url, ext: nil)
@@ -96,10 +105,33 @@ def base64_url_for(url, ext: nil)
       ext ? "#{encoded_url}.#{ext}" : encoded_url
     end
 
+    def encrypted_url_for(url, ext: nil)
+      cipher = build_cipher
+
+      iv = @source_url_encryption_iv || cipher.random_iv
+      cipher.iv = iv
+
+      "enc/#{base64_url_for(iv + cipher.update(url) + cipher.final, ext: ext)}"
+    end
+
     def need_escape_url?(url)
       @escape_plain_url || url.match?(NEED_ESCAPE_RE)
     end
 
+    def build_cipher
+      key = encryption_key.to_s
+
+      aes_size = AES_SIZES.fetch(key.length) do
+        raise InvalidEncryptionKeyError,
+              "Encryption key should be 16/24/32 bytes long, now - #{key.length}"
+      end
+
+      OpenSSL::Cipher::AES.new(aes_size, :CBC).tap do |cipher|
+        cipher.encrypt
+        cipher.key = key
+      end
+    end
+
     def option_alias(name)
       return name unless @use_short_options
 
@@ -135,6 +167,10 @@ def signature_size
       service_config.signature_size
     end
 
+    def encryption_key
+      service_config.raw_source_url_encryption_key
+    end
+
     def not_nil_or(value, fallback)
       value.nil? ? fallback : value
     end
diff --git a/lib/imgproxy/config.rb b/lib/imgproxy/config.rb
@@ -99,6 +99,30 @@ def signature_size=(value)
       service(:default).signature_size = value
     end
 
+    def source_url_encryption_key
+      service(:default).source_url_encryption_key
+    end
+
+    def source_url_encryption_key=(value)
+      service(:default).source_url_encryption_key = value
+    end
+
+    def raw_source_url_encryption_key
+      service(:default).raw_source_url_encryption_key
+    end
+
+    def raw_source_url_encryption_key=(value)
+      service(:default).raw_source_url_encryption_key = value
+    end
+
+    def always_encrypt_source_urls
+      service(:default).always_encrypt_source_urls
+    end
+
+    def always_encrypt_source_urls=(value)
+      service(:default).always_encrypt_source_urls = value
+    end
+
     def service(name)
       services[name.to_sym] ||= services[:default].dup
 
diff --git a/lib/imgproxy/service_config.rb b/lib/imgproxy/service_config.rb
@@ -21,6 +21,15 @@ module Imgproxy
   # @!attribute signature_size
   #   imgproxy signature size. Defaults to 32
   #   @return [String]
+  # @!attribute source_url_encryption_key
+  #   imgproxy hex-encoded source URL encryption key
+  #   @return [String]
+  # @!attribute raw_source_url_encryption_key
+  #   Decoded source URL encryption key
+  #   @return [String]
+  # @!attribute always_encrypt_source_urls
+  #   Always encrypt source URLs. Defaults to false
+  #   @return [String]
   #
   # @see Imgproxy::Config
   class ServiceConfig < Anyway::Config
@@ -33,21 +42,31 @@ class ServiceConfig < Anyway::Config
       :salt,
       :raw_key,
       :raw_salt,
+      :source_url_encryption_key,
+      :raw_source_url_encryption_key,
       signature_size: 32,
+      always_encrypt_source_urls: false,
     )
 
     coerce_types endpoint: :string,
                  key: :string,
                  salt: :string,
                  raw_key: :string,
                  raw_salt: :string,
-                 signature_size: :integer
+                 signature_size: :integer,
+                 source_url_encryption_key: :string,
+                 raw_source_url_encryption_key: :string,
+                 always_encrypt_source_urls: :boolean
 
     alias_method :set_key, :key=
     alias_method :set_raw_key, :raw_key=
     alias_method :set_salt, :salt=
     alias_method :set_raw_salt, :raw_salt=
-    private :set_key, :set_raw_key, :set_salt, :set_raw_salt
+    alias_method :set_source_url_encryption_key, :source_url_encryption_key=
+    alias_method :set_raw_source_url_encryption_key, :raw_source_url_encryption_key=
+
+    private :set_key, :set_raw_key, :set_salt, :set_raw_salt,
+            :set_source_url_encryption_key, :set_raw_source_url_encryption_key
 
     def key=(value)
       value = value&.to_s
@@ -72,5 +91,17 @@ def raw_salt=(value)
       super(value)
       set_salt(value&.unpack("H*")&.first)
     end
+
+    def source_url_encryption_key=(value)
+      value = value&.to_s
+      super(value)
+      set_raw_source_url_encryption_key(value && [value].pack("H*"))
+    end
+
+    def raw_source_url_encryption_key=(value)
+      value = value&.to_s
+      super(value)
+      set_source_url_encryption_key(value&.unpack("H*")&.first)
+    end
   end
 end
diff --git a/spec/imgproxy_spec.rb b/spec/imgproxy_spec.rb
@@ -122,6 +122,7 @@
         format: :webp,
         return_attachment: true,
         expires: Time.at(4810374983),
+        source_url_encryption_iv: "1234567890123456",
       }
     end
 
@@ -595,6 +596,72 @@
         end
       end
     end
+
+    context "when always_encrypt_source_urls config is true" do
+      before do
+        described_class.config.source_url_encryption_key =
+          "1eb5b0e971ad7f45324c1bb15c947cb207c43152fa5c6c7f35c4f36e0c18e0f1"
+        described_class.config.always_encrypt_source_urls = true
+      end
+
+      it "encrypts source URL" do
+        expect(url).to end_with(
+          "/enc/MTIzNDU2Nzg5MDEy/MzQ1Np6L0YlR92XD/i3aaVA5KINDMHKXf/LUaQ1N0ae5N7JjBZ.webp",
+        )
+      end
+
+      context "without encryption key specified" do
+        before { described_class.config.source_url_encryption_key = nil }
+
+        it "rises an error" do
+          expect { url }.to raise_error(Imgproxy::Builder::InvalidEncryptionKeyError)
+        end
+      end
+
+      context "with encryption key of invalid length" do
+        before do
+          described_class.config.source_url_encryption_key =
+            "1eb5b0e971ad7f45324c1bb15c947cb207c43152fa5c6c7f35c4f36e0c18"
+        end
+
+        it "rises an error" do
+          expect { url }.to raise_error(Imgproxy::Builder::InvalidEncryptionKeyError)
+        end
+      end
+    end
+
+    context "when encrypt_source_url option is true" do
+      before do
+        described_class.config.source_url_encryption_key =
+          "1eb5b0e971ad7f45324c1bb15c947cb207c43152fa5c6c7f35c4f36e0c18e0f1"
+        options[:encrypt_source_url] = true
+      end
+
+      it "encrypts source URL" do
+        expect(url).to end_with(
+          "/enc/MTIzNDU2Nzg5MDEy/MzQ1Np6L0YlR92XD/i3aaVA5KINDMHKXf/LUaQ1N0ae5N7JjBZ.webp",
+        )
+      end
+
+      context "without encryption key specified" do
+        before { described_class.config.source_url_encryption_key = nil }
+
+        it "rises an error" do
+          expect { url }.to raise_error(Imgproxy::Builder::InvalidEncryptionKeyError)
+        end
+      end
+
+      context "with encryption key of invalid length" do
+        before do
+          described_class.config.source_url_encryption_key =
+            "1eb5b0e971ad7f45324c1bb15c947cb207c43152fa5c6c7f35c4f36e0c18"
+        end
+
+        it "rises an error" do
+          expect { url }.to raise_error(Imgproxy::Builder::InvalidEncryptionKeyError)
+        end
+      end
+    end
   end
 
   describe ".info_url_for" do
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -41,6 +41,8 @@
       c.use_gcs_urls = false
       c.gcs_bucket = nil
       c.shrine_host = nil
+      c.source_url_encryption_key = nil
+      c.always_encrypt_source_urls = false
 
       c.url_adapters.clear!
     end
