active_cipher_storage 1.0.2 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +34 -6
- data/CONTRIBUTING.md +0 -1
- data/README.md +185 -187
- data/lib/active_cipher_storage/adapters/s3_adapter.rb +11 -7
- data/lib/active_cipher_storage/blob_metadata.rb +16 -47
- data/lib/active_cipher_storage/configuration.rb +59 -26
- data/lib/active_cipher_storage/engine.rb +1 -17
- data/lib/active_cipher_storage/errors.rb +2 -2
- data/lib/active_cipher_storage/multipart_upload.rb +12 -10
- data/lib/active_cipher_storage/providers/aws_kms_provider.rb +22 -38
- data/lib/active_cipher_storage/providers/base.rb +2 -13
- data/lib/active_cipher_storage/providers/env_provider.rb +11 -34
- data/lib/active_cipher_storage/stream_cipher.rb +5 -2
- data/lib/active_cipher_storage/version.rb +1 -1
- data/lib/active_cipher_storage.rb +0 -2
- data/lib/active_storage/service/active_cipher_storage_service.rb +181 -4
- metadata +2 -4
- data/lib/active_cipher_storage/adapters/active_storage_service.rb +0 -140
- data/lib/active_cipher_storage/key_rotation.rb +0 -121
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a7be8276c5d35fdb04507dc28393359978c61f96c02d34e68241e7850f890d03
|
|
4
|
+
data.tar.gz: d2989e928d470c23443ec09e9d09a731a240fe177c38e18ee80c5439a94d4cc0
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 201051afeef8762eb3f8562224de9f0b76f74acf61a51b195d2a8eaf458d78cf716c8b1fa99c662479113061140bd4d6867ad25400dd6f7248ccd9df51375d5f
|
|
7
|
+
data.tar.gz: b919b79931e8f8162646e7e291909c6e6ccc35d7681b4a42788d028e206078154cd00ec05cf73419ffd7d80b598dbf1b203b117f11d05219a63e346988cbc13d
|
data/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,37 @@ and this project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.ht
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [2.0.0] - 2026-06-01
|
|
11
|
+
|
|
12
|
+
### Added
|
|
13
|
+
|
|
14
|
+
- **`Configuration#provider_options`**: keyword options for built-in providers are forwarded to **`EnvProvider.new`** / **`AwsKmsProvider.new`** (`Hash`/`OrderedOptions`, no separate `aws_kms` / `env_provider` accessors).
|
|
15
|
+
- **Breaking:** **`EnvProvider`** now accepts **`encryption_key:`** directly; pass **`provider_options[:encryption_key] = ENV.fetch("ACTIVE_CIPHER_MASTER_KEY")`** instead of configuring an env-var name.
|
|
16
|
+
- Provider **`String`** aliases **`"aws:kms"`**, **`"env"`**, and related spellings (see **`Configuration`**).
|
|
17
|
+
- **`AwsKmsProvider`** accepts **`endpoint`**, **`access_key_id`**, **`secret_access_key`**, builds **`Aws::KMS::Client`** internally; **`key_id:`** is required (configure via **`provider_options`** or pass a custom instance).
|
|
18
|
+
|
|
19
|
+
### Changed
|
|
20
|
+
|
|
21
|
+
- **Breaking:** Global **`Configuration#chunk_size`** removed — pass **`chunk_size`** into **`StreamCipher`**, **`S3Adapter`**, **`EncryptedMultipartUpload`**, and the **`ActiveCipherStorage`** Active Storage service (`storage.yml`).
|
|
22
|
+
- **Breaking:** Built-in provider config is **`provider_options`** only (removed **`#aws_kms`** / **`#env_provider`**). **`AwsKmsProvider`** no longer reads **`ENV`** for KMS settings; set **`provider_options`** from your app.
|
|
23
|
+
- **Blob metadata:** Rescue **`StandardError`** only; re-raise in **`Rails.env.development?`** so misconfiguration surfaces during development.
|
|
24
|
+
- **Engine:** Remove global **`ActiveSupport::LogSubscriber.logger`** assignment (host apps use **`Rails.logger`** / **`ActiveStorage.logger`**).
|
|
25
|
+
- **Engine:** Load **`ActiveStorage::Service::ActiveCipherStorageService`** directly from the Rails Active Storage hook.
|
|
26
|
+
- **`ActiveCipherStorageService`:** Raise **`NotImplementedError`** for **`path_for`** when the inner service does not implement it (e.g. S3).
|
|
27
|
+
|
|
28
|
+
### Removed
|
|
29
|
+
|
|
30
|
+
- **`ActiveCipherStorage::KeyRotation`** and related rotation orchestration.
|
|
31
|
+
- **Breaking:** Legacy **`ActiveCipherStorage::Adapters::ActiveStorageService`** alias and **`active_cipher_storage/active_storage_integration`** shim.
|
|
32
|
+
- **`ActiveCipherStorageService#rekey`**, **`BlobMetadata.blobs_for`**, **`BlobMetadata.update_after_rotation`**.
|
|
33
|
+
- Provider methods **`wrap_data_key`** and **`rotate_data_key`** from **`Providers::Base`**, **`EnvProvider`**, and **`AwsKmsProvider`**. Key or provider changes are left to the application (e.g. AWS KMS, custom jobs).
|
|
34
|
+
|
|
35
|
+
## [1.0.3] - 2026-04-25
|
|
36
|
+
|
|
37
|
+
### Changed
|
|
38
|
+
|
|
39
|
+
- Update the README with clearer usage guidance and improved readability.
|
|
40
|
+
|
|
10
41
|
## [1.0.2] - 2026-04-25
|
|
11
42
|
|
|
12
43
|
### Changed
|
|
@@ -19,11 +50,6 @@ and this project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.ht
|
|
|
19
50
|
|
|
20
51
|
- Back gem configuration with Rails-style ActiveSupport options while preserving the existing public configuration API.
|
|
21
52
|
- Document the Active Storage upload encryption flag and plaintext read compatibility behavior.
|
|
22
|
-
|
|
23
|
-
### Fixed
|
|
24
|
-
|
|
25
|
-
- Reject reordered streaming frames and trailing bytes after the final encrypted frame.
|
|
26
|
-
- Validate S3 multipart chunk sizes before upload so invalid part sizes fail early.
|
|
27
53
|
- Mark plaintext Active Storage uploads explicitly when encryption is disabled.
|
|
28
54
|
|
|
29
55
|
## [1.0.0] - 2026-04-25
|
|
@@ -39,7 +65,9 @@ and this project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.ht
|
|
|
39
65
|
- Header-only key rotation for re-wrapping encrypted DEKs.
|
|
40
66
|
- Unit and integration coverage for crypto, providers, Active Storage, S3, multipart upload, streaming, metadata, and key rotation.
|
|
41
67
|
|
|
42
|
-
[Unreleased]: https://github.com/codebyjass/active-cipher-storage/compare/
|
|
68
|
+
[Unreleased]: https://github.com/codebyjass/active-cipher-storage/compare/v2.0.0...HEAD
|
|
69
|
+
[2.0.0]: https://github.com/codebyjass/active-cipher-storage/compare/v1.0.3...v2.0.0
|
|
70
|
+
[1.0.3]: https://github.com/codebyjass/active-cipher-storage/compare/v1.0.2...v1.0.3
|
|
43
71
|
[1.0.2]: https://github.com/codebyjass/active-cipher-storage/compare/v1.0.1...v1.0.2
|
|
44
72
|
[1.0.1]: https://github.com/codebyjass/active-cipher-storage/compare/v1.0.0...v1.0.1
|
|
45
73
|
[1.0.0]: https://github.com/codebyjass/active-cipher-storage/releases/tag/v1.0.0
|
data/CONTRIBUTING.md
CHANGED
|
@@ -33,7 +33,6 @@ Use focused tests for:
|
|
|
33
33
|
- Active Storage legacy plaintext fallback.
|
|
34
34
|
- S3 multipart and streaming behavior.
|
|
35
35
|
- Provider error handling.
|
|
36
|
-
- Key rotation behavior.
|
|
37
36
|
|
|
38
37
|
Security-sensitive fixes should include a regression test that fails without the fix.
|
|
39
38
|
|