active_encryption 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 3e69b6310ad07f84103d31671cdea752e0bd85a396f92a3505d2f2b99b8c7a7f
+  data.tar.gz: 5241fcd166545fe26cf890d6bd65a39ff980f8d827a2b9a1c69f4ad92710c920
+SHA512:
+  metadata.gz: 721cdb68e2a9f525d77874da1bca8912d128a119d900c68a3aec87bfcfd373b544a75453f439707dda956490cb93512527c45419b5b7d838386822d0611167aa
+  data.tar.gz: 62d23edf54e20fc6e30ee8fe4974e3436076d31a3e63a59d37c765792082f722edeaf0b2b3731da20a2a48e00f49449ff06b57c30eeb713b097c3d88ea67b24c

checksums.yaml.gz.sig

@@ -0,0 +1,3 @@
+����o�^0�otʜ8��9"����"���n�$8��rkމ�Q�Y߹��
+دK_%��;xe�(gm�2���?BVP|����V�e��"1��hi!F�z@d�+���|M�n��E-��&y��,�����|=[�F@�z+��j�0���N�6f�,�mk��~������!������\�f����M�bV�~h�H֓�]�
+ѭt`�h���I0���Y6�#���	/���a3�/#ya�l��{e��0��vk��]��a�a�ȍ��Z���

data/.editorconfig

@@ -0,0 +1,10 @@
+# see http://editorconfig.org/
+
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+insert_final_newline = true

data/.gitignore

@@ -0,0 +1,13 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/active_encryption-*.gem
+/Gemfile.lock
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,4 @@
+require:
+  - rubocop-rspec
+Metrics/BlockLength:
+  ExcludedMethods: ['describe', 'context'] # Rspec DSL has long blocks

data/.travis.yml

@@ -0,0 +1,21 @@
+---
+env:
+  global:
+    - CC_TEST_REPORTER_ID=84bb987517388fd3f106f685b088598f34db2dced78783e4c12963f1a475f3ae
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.6
+  - 2.5
+  - 2.4
+  - 2.3
+before_install: gem install bundler -v 2.0.2
+before_script:
+  - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
+  - chmod +x ./cc-test-reporter
+  - ./cc-test-reporter before-build
+script:
+  - bundle exec rspec
+after_script:
+  - ./cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT

data/CHANGELOG.md

@@ -0,0 +1,20 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+
+
+## 0.1.0 2019-07-19
+
+- Add signature to gem releases
+- Add Rails generator to create default initializer and encryption_settings.yml
+- Add ActiveRecord adapter
+- Add ActiveEncryption::Encryptable concern to (en|de)crypt object attributes
+- Add ActiveEncryption::Encryptor to abstract ActiveSupport::MessageEncryptor
+- Add DSL to configure the gem
+- Add encryption setting records and YAML-based store to persist them
+- Basic gem skeleton

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+  advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at community@zircode.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2019 Zircode Ltd.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,208 @@
+# ActiveEncryption
+
+ActiveEncryption transparently encrypt (and decrypt!) attributes. It works with any class, but it's primarly intended to be used with ActiveRecord models. Under the hood, it doesn't reinvent the wheel and uses the tried and tested ActiveSupport::MessageEncryptor.
+
+[![Build Status](https://travis-ci.com/Zircode/active_encryption.svg?branch=master)](https://travis-ci.com/Zircode/active_encryption) [![Test Coverage](https://api.codeclimate.com/v1/badges/08c66b215b98a395a0b8/test_coverage)](https://codeclimate.com/github/Zircode/active_encryption/test_coverage) [![Maintainability](https://api.codeclimate.com/v1/badges/08c66b215b98a395a0b8/maintainability)](https://codeclimate.com/github/Zircode/active_encryption/maintainability) [![security](https://hakiri.io/github/Zircode/active_encryption/master.svg)](https://hakiri.io/github/Zircode/active_encryption/master)
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'active_encryption'
+```
+
+And then execute:
+
+```shell
+bundle
+```
+
+Or install it yourself as:
+
+```shell
+gem install active_encryption
+```
+
+### Security
+
+ActiveEncryption is cryptographically signed. To be sure the gem you install
+hasn’t been tampered with:
+
+Add my public key (if you haven’t already) as a trusted certificate
+
+```shell
+gem cert --add <(curl -Ls https://raw.github.com/Zircode/active_encryption/master/certs/garnu.pem)
+gem install active_encryption -P MediumSecurity
+```
+
+The ``MediumSecurity`` trust profile will verify signed gems, but allow the
+installation of unsigned dependencies.
+
+This is necessary because not all of dependencies are signed, so we cannot use
+``HighSecurity``.
+
+### Rails
+
+ActiveEncryption works with Ruby on Rails 5.0 or higher.
+
+Run the generator:
+
+```shell
+rails generate active_encryption:install
+```
+
+The generator creates two files:
+
+ - an initializer: ``config/initializers/active_encryption.rb``
+ - a encryption setting YAML file: ``config/encryption_settings.yml``
+
+## Usage
+
+```ruby
+class User
+  encrypted_attr :ssn
+end
+```
+
+Or if you're using ActiveRecord:
+
+```ruby
+class User < ApplicationRecord
+  encrypted_attr :ssn
+end
+```
+
+In this example, ActiveEncryption assumes that you have an attribute
+``ssn_encrypted``.
+Therefore, you might need a database migration:
+
+```ruby
+class CreateUsers < ActiveRecord::Migration[5.0]
+  def change
+    create_table :users do |t|
+      t.string :ssn_encrypted
+
+      t.timestamps
+    end
+  end
+end
+```
+
+When storing your encrypted data, please consider the length requirements
+of the database column where you're storing the encrypted data.
+
+## Configuration
+
+If you're using Rails, the generator created an initializer
+``config/initializers/active_encryption.rb``, otherwise you need to create
+similar file to configure ActiveEncryption:
+
+```ruby
+# frozen_string_literal: true
+
+ActiveEncryption.configure do |config|
+  # Store containing the encryption settings
+  # Use "config/encryption_settings.yml" to store the settings:
+  config.encryption_setting_store =
+    ActiveEncryption::EncryptionSetting::YamlStore.new(
+      '/path/encryption_settings.yml' # CHANGE ME
+    )
+
+  # ID of the encryption setting to use by default:
+  config.default_encryption_setting_id = :default
+end
+```
+
+You also need a ``encryption_settings.yml`` file:
+
+```yaml
+# WARNING: Changing these encryption settings prevents the decryption
+# of already encrypted data.
+
+# Default encryption setting
+default:
+  # secret: must be a cryptographically random string.
+  # The secret is hashed with PBKDF2 to generate the encryption key.
+  #
+  # You can generate one with:
+  # - "rails secret"
+  # - SecureRandom.hex(64)
+  # - or, SecureRandom.urlsafe_base64(64)
+  #
+  ## WARNING ##
+  # The secret value should NOT be stored in this file directly.
+  # You should instead refer to where the secret value is stored
+  # e.g. refer to Rails credentials/secrets, an environment variable or
+  # a KMS/HSM, etc.
+  secret: <%= ENV['SECRET_KEY'] %>
+  # Salt used to generate the encryption key based on the secret
+  secret_salt: 'ActiveEncryption salt: RANDOM_SALT' # CHANGE ME
+  # Number of iterations for PBKDF2 on the secret.
+  secret_iterations: 65536
+  # Cipher to use. Can be any cipher returned by OpenSSL::Cipher.ciphers.
+  cipher: aes-256-gcm
+  # Digest to use to sign. Default is SHA1. Recommended is SHA256.
+  # Ignored when using an AEAD cipher like 'aes-256-gcm'.
+  digest: SHA256
+```
+
+### Attribute options
+
+``encrypted_attr`` accepts options to override the settings in
+``encryption_settings.yml``.
+
+For example, you can override the ``secret`` and ``cipher`` with options:
+
+```ruby
+encrypted_attr :ssn, secret: 'some secret', cipher: 'aes-128-gcm'
+```
+
+### Encryption setting
+
+The following attributes are configurable in an encryption setting:
+
+| Attribute       | Description | Default value |
+|-----------------|-------------|---------------|
+| ``cipher``      | String with the encryption cipher to use. Can be any cipher returned by OpenSSL::Cipher.ciphers. | 'aes-256-gcm' |
+| ``digest``      | String with the digest to use to sign. Ignored when using an AEAD cipher like 'aes-256-gcm'. | 'SHA1' |
+| ``id``          | Unique ID to identify an encryption setting. It can be an Integer, String, or Symbol. | nil |
+| ``key``         | Cryptographicaly random binary string of the exact size required by the cipher. E.g. 'aes-256-gcm' requires 32 bytes (256 bits). Can be generated with ``SecureRandom.bytes(32)``. It is STRONGLY recommended NOT to set this directly but to use a secret for key derivation. | nil |
+| ``purpose``     | Confines the encrypted attribute to a specific purpose. See https://api.rubyonrails.org/classes/ActiveSupport/MessageEncryptor.html#method-i-encrypt_and_sign | nil |
+| ``secret``      | String used to derive an encryption key with PBKDF2. Can be generated with ``SecureRandom.hex(64)`` or ``SecureRandom.urlsafe_base64(64)``. | nil |
+| ``secret_iterations`` | Number of iterations of PBKDF2 to derive the key from the secret. See https://api.rubyonrails.org/classes/ActiveSupport/KeyGenerator.html | 65536 |
+| ``secret_salt`` | Salt for PBKDF2 to derive the key from the secret. | 'ActiveEncryption default key salt' |
+| ``serializer``  | Object serializer to use. E.g.: 'YAML'. | Marshal |
+
+Keys or secrets must NEVER be stored in version control (e.g. git) or in the
+database in an unencrypted form.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run
+`rake spec` to run the tests. You can also run `bin/console` for an interactive
+prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`.
+To release a new version, update the version number in `version.rb`, and then run
+`bundle exec rake release`, which will create a git tag for the version, push git
+commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on
+[GitHub](https://github.com/Zircode/active_encryption). This project is intended
+to be a safe, welcoming space for collaboration, and contributors are expected
+to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of
+conduct.
+
+## License
+
+The gem is available as open source under the terms of the
+[MIT License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the ActiveEncryption project’s codebases, issue trackers,
+chat rooms and mailing lists is expected to follow the
+[code of conduct](https://github.com/Zircode/active_encryption/blob/master/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/active_encryption.gemspec

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'active_encryption/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'active_encryption'
+  spec.version       = ActiveEncryption::VERSION
+  spec.authors       = ['Arnaud Germis']
+  spec.email         = ['hello@zircode.com', 'arnaud@zircode.com']
+
+  spec.summary       = <<~SUMMARY
+    ActiveEncryption transparently encrypt (and decrypt!) attributes with\
+    ActiveSupport::MessageEncryptor
+  SUMMARY
+  spec.homepage      = 'https://github.com/Zircode/active_encryption'
+  spec.license       = 'MIT'
+
+  spec.metadata['homepage_uri']    = spec.homepage
+  spec.metadata['source_code_uri'] = 'https://github.com/Zircode/active_encryption'
+  spec.metadata['changelog_uri']   = 'https://github.com/Zircode/active_encryption/CHANGELOG.md'
+  spec.metadata['bug_tracker_uri'] = 'https://github.com/Zircode/active_encryption/issues'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added
+  # into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0")
+                     .reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+  spec.cert_chain    = ['certs/garnu.pem']
+  if $PROGRAM_NAME =~ /gem\z/
+    spec.signing_key = File.expand_path('~/.ssh/gem-private_key.pem')
+  end
+  spec.required_ruby_version = '>= 2.3'
+
+  spec.add_dependency 'activesupport', '>= 5.0.0', '<= 6.1'
+  spec.add_dependency 'railties', '>= 5.0.0', '<= 6.1'
+
+  spec.add_development_dependency 'bundler', '~> 2.0'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'reek', '~> 5.4.0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rubocop', '~> 0.72.0'
+  spec.add_development_dependency 'rubocop-rspec', '~> 1.33.0'
+  spec.add_development_dependency 'simplecov', '~> 0.17.0'
+end

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'active_encryption'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require 'pry'
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/certs/garnu.pem

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEODCCAqCgAwIBAgIBATANBgkqhkiG9w0BAQsFADAjMSEwHwYDVQQDDBhhcm5h
+dWQvREM9emlyY29kZS9EQz1jb20wHhcNMTkwNzE4MTQ0OTE4WhcNMjAwNzE3MTQ0
+OTE4WjAjMSEwHwYDVQQDDBhhcm5hdWQvREM9emlyY29kZS9EQz1jb20wggGiMA0G
+CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDltdBv6MnjmokVZEkhubGk0NfEiU4C
+WZZLNgN+FpyK5VNDvGvs8+OTusYCw07HFkhKVF2T+3A1XlYZKOXozCFBoQtL5ted
+Nxy8yo874kcF5M6EV22np8/SefOJrpk4Wgvz4xdwT24LjZpmLHWFPXuVuqI4LZ7Q
+Eh6sjVfG1h0SBSF8RjCCmEXONsz+ceDWvBKdBUSYfVt0HGmDSXYJByF4I8onkeUc
+xxmLCu8VxZvnHrEw94BRPiEI1oUJ+3etNu2MYcK3pnLc+p9zYQ/NjS0Bsa423fmZ
+5K0Z4qiN550vccPZxRoMk9eiZHL8dN+ZgxG4+2o+ouCYRkLnkCyDR4rr7zLIcojo
+53iJqFF8cJtkectMOhNOO9jh/FMsJZnKWBzJ4/J3xHSLz4gD4/47WSwjAJ4tLHGC
+4VpzfD53vdr3i5RvB7bv3QiePUR2vV5AUap2S7TKJ+ojQVoh7TfJP3N5nwVspQkh
+C3goXVkz5Op9TkLN3oUGqnveL9nC4y6e180CAwEAAaN3MHUwCQYDVR0TBAIwADAL
+BgNVHQ8EBAMCBLAwHQYDVR0OBBYEFBNAzBaMirBd5+1xszQeddjvuLdCMB0GA1Ud
+EQQWMBSBEmFybmF1ZEB6aXJjb2RlLmNvbTAdBgNVHRIEFjAUgRJhcm5hdWRAemly
+Y29kZS5jb20wDQYJKoZIhvcNAQELBQADggGBAGvmnHTVKwGAlqB93/QZ19MBUrFm
+vIxkoWYi/GlZnJGsApFwZtOsNaAFxYIVfAR7fZjQtCB7B6ZyERZF+m8J3tC23eTG
+PadrSjz3SPbFJlCIqJ0NllSvx5E+98b9pq9tIyaeFbYnII1qoy+SIiWOurVS4dWr
+dkmUsJvxyNJ+3yoVt568UFSf/YZ88GaabEAL5JFwXIpv/cxaej9M2bALPkP7HUm/
+rgSmTctYicJomzzQ5LSLhdVSV+z5w2L5roIu5bPEQJyWIj6pZCthACPMR/emsLQ2
+T9JFyENPrM2CUtwBaLQacRInp5zRWueDKIf0I+vNjRKu5PwEeePVn2VlkcQTuhUT
+Vgg0CeGsGrJdcSohxH13t3gx4QXH0SA+4HPW7uqEeIQLwmBA56nCi6jAgTGAZhjX
+UsJ7gUgNcBEuCAwgXmVzhEQ50pTMVRAL2cQKqnFkqehpRJ+78n+psW480iLqmjq3
+GzWvrPCkKt17EBe3MSjjMsq80n5C1eaKRQA9Vw==
+-----END CERTIFICATE-----

data/lib/active_encryption.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'active_encryption/version'
+require 'active_encryption/configuration'
+require 'active_encryption/adapters'
+
+# The top-level ActiveEncryption module isolates the gem from the host
+# application.
+module ActiveEncryption
+  include Configuration
+  # The ActiveEncryption::Error is the base class for ActiveEncryption errors.
+  class Error < StandardError; end
+end

data/lib/active_encryption/adapters.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require 'active_encryption/encryptable'
+require 'active_encryption/adapters/active_record'

data/lib/active_encryption/adapters/active_record.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module ActiveEncryption
+  module Adapters
+    # Encapsulates the ActiveRecord adapter
+    class ActiveRecord
+      def initialize
+        ActiveSupport.on_load(:active_record) do
+          extend ActiveEncryption::Encryptable
+        end
+      end
+    end
+  end
+end
+
+ActiveEncryption::Adapters::ActiveRecord.new

data/lib/active_encryption/configuration.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'active_encryption/configuration/store'
+
+module ActiveEncryption
+  # The ActiveEncryption::Configuration module contains classes and methods
+  # to configure the gem.
+  #
+  # Usage:
+  #  ActiveEncryption.configure |config|
+  #    config.option_1 = true
+  #    config.option_2 = false
+  #  end
+  #
+  module Configuration
+    def self.included(klass)
+      klass.extend ClassMethods
+    end
+
+    # ClassMethods contains the class methods to extend when the module
+    # is included in ActiveEncryption.
+    module ClassMethods
+      def config
+        @config ||= Store.new
+      end
+
+      def configure
+        yield config
+      end
+    end
+  end
+end

data/lib/active_encryption/configuration/store.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'active_encryption/encryption_setting/yaml_store'
+
+module ActiveEncryption
+  module Configuration
+    # The ActiveEncryption::Configuration::Store class stores the gem
+    # configuration.
+    class Store
+      DEFAULTS = {
+        encryption_setting_store: nil,
+        default_encryption_setting_id: :default
+      }.freeze
+
+      attr_accessor(*DEFAULTS.keys)
+
+      def initialize
+        reset
+      end
+
+      def reset
+        DEFAULTS.each do |key, value|
+          public_send("#{key}=", value)
+        end
+      end
+    end
+  end
+end

data/lib/active_encryption/encryptable.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'active_encryption/encryptable/instance_methods_on_activation'
+
+module ActiveEncryption
+  # The ActiveEncryption::Encryptable encapsulates methods and classes to
+  # make a model attribute encryptable.
+  #
+  # Usage:
+  #
+  #  class MyModel
+  #    extend ActiveEncryption::Encryptable
+  #    encrypted_attr :my_attribute
+  #  end
+  #
+  module Encryptable
+    def encrypted_attr(attribute_name, options = {})
+      include InstanceMethodsOnActivation.new(attribute_name, options)
+    end
+
+    # :reek:UtilityFunction should be ok for ClassMethod modules?
+    def encryption_setting
+      config = ActiveEncryption.config
+      store  = config.encryption_setting_store
+      id     = config.default_encryption_setting_id
+      store.find(id)
+    end
+  end
+end

data/lib/active_encryption/encryptable/instance_methods_on_activation.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+require 'active_encryption/encryptor'
+
+module ActiveEncryption
+  module Encryptable
+    # InstanceMethodsOnActivation adds instance methods for the attribute
+    # "attribute_name" to the including class.
+    class InstanceMethodsOnActivation < Module
+      def initialize(attribute_name, options)
+        define_generic_methods
+        define_attribute_accessors(attribute_name, options)
+      end
+
+      def define_generic_methods
+        define_encrypt
+        define_decrypt
+      end
+
+      def define_encrypt
+        define_method('encrypt') do |attribute_name, unencrypted_value|
+          setting = send("#{attribute_name}_encryption_setting")
+          encryptor = send("#{attribute_name}_encryptor")
+          encrypted_value = encryptor.encrypt(
+            unencrypted_value,
+            purpose: setting.purpose
+          )
+          send("#{attribute_name}_encrypted=", encrypted_value)
+        end
+      end
+
+      def define_decrypt
+        define_method('decrypt') do |attribute_name|
+          encrypted_value = send("#{attribute_name}_encrypted")
+          return nil unless encrypted_value
+
+          setting = send("#{attribute_name}_encryption_setting")
+          send("#{attribute_name}_encryptor")
+            .decrypt(encrypted_value, purpose: setting.purpose)
+        end
+      end
+
+      def define_attribute_accessors(attribute_name, options = {})
+        define_attribute_encryption_setting(attribute_name, options)
+        define_attribute_encryptor(attribute_name)
+        define_attribute_setter(attribute_name)
+        define_attribute_getter(attribute_name)
+      end
+
+      def define_attribute_encryption_setting(attribute_name, options = {})
+        define_method("#{attribute_name}_encryption_setting") do
+          instance_variable_name = "@#{attribute_name}_encryption_setting"
+          instance_variable = instance_variable_get(instance_variable_name)
+          return instance_variable if instance_variable
+
+          instance_variable_set(
+            instance_variable_name,
+            EncryptionSetting::Record.merge(self.class.encryption_setting,
+                                            options)
+          )
+        end
+      end
+
+      def define_attribute_encryptor(attribute_name)
+        define_method("#{attribute_name}_encryptor") do
+          instance_variable_name = "@#{attribute_name}_encryptor"
+          instance_variable_get(instance_variable_name) ||
+            instance_variable_set(
+              instance_variable_name,
+              Encryptor.new(
+                send("#{attribute_name}_encryption_setting")
+              )
+            )
+        end
+      end
+
+      def define_attribute_setter(attribute_name)
+        define_method("#{attribute_name}=") do |unencrypted_value|
+          # Save unencrypted value in instance variable to not have to
+          # decrypt a freshly encrypted value.
+          instance_variable_set("@#{attribute_name}", unencrypted_value)
+          unless unencrypted_value
+            return send("#{attribute_name}_encrypted=", nil)
+          end
+
+          encrypt(attribute_name, unencrypted_value)
+          unencrypted_value
+        end
+      end
+
+      def define_attribute_getter(attribute_name)
+        define_method(attribute_name) do
+          # Check if an instance variable with the decrypted value already
+          # exist to save decryption time. Otherwise, call the generic
+          # #decrypt method.
+          instance_variable = instance_variable_get("@#{attribute_name}")
+          return instance_variable if instance_variable
+
+          decrypted_value = decrypt(attribute_name)
+          # Save the result to not have to decrypt it again.
+          instance_variable_set("@#{attribute_name}", decrypted_value)
+        end
+      end
+    end
+  end
+end

data/lib/active_encryption/encryption_setting/key.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'active_support/key_generator'
+require 'active_support/message_encryptor'
+
+module ActiveEncryption
+  module EncryptionSetting
+    # The ActiveEncryption::EncryptionSetting::Key class wraps around
+    # ActiveSupport::KeyGenerator
+    class Key
+      DEFAULT_SALT = 'ActiveEncryption default key salt'
+
+      attr_reader :salt, :iterations
+
+      def initialize(secret, salt: nil, cipher: nil, iterations: nil)
+        salt ||= DEFAULT_SALT
+        @salt       = salt
+        @cipher     = cipher
+        @iterations = iterations
+        @generator  = ActiveSupport::KeyGenerator.new(
+          secret,
+          iterations: iterations
+        )
+      end
+
+      def value
+        @generator.generate_key(salt, length)
+      end
+
+      def cipher
+        @cipher ||= ActiveSupport::MessageEncryptor.default_cipher
+      end
+
+      def length
+        ActiveSupport::MessageEncryptor.key_len(cipher)
+      end
+    end
+  end
+end

data/lib/active_encryption/encryption_setting/record.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'active_encryption/encryption_setting/key'
+
+module ActiveEncryption
+  module EncryptionSetting
+    # The ActiveEncryption::EncryptionSetting::Record contains the required
+    # settings for encrypting and decrypting content.
+    class Record
+      ATTRIBUTES = %i[cipher digest id key purpose secret
+                      secret_iterations secret_salt serializer].freeze
+
+      attr_reader(*ATTRIBUTES)
+
+      def self.to_h(record)
+        if record.is_a?(Hash)
+          record.slice(*ATTRIBUTES)
+        else
+          ATTRIBUTES.each_with_object({}) do |name, attributes|
+            attributes[name] = record.public_send(name)
+          end
+        end
+      end
+
+      def self.merge(base_record, higher_priority_record)
+        new(
+          to_h(base_record)
+            .merge(key: nil) # reset the computed key
+            .merge(
+              to_h(higher_priority_record)
+            )
+        )
+      end
+
+      def initialize(attributes)
+        ATTRIBUTES.each do |name|
+          instance_variable_set("@#{name}", attributes[name])
+        end
+
+        @serializer = Object.const_get(@serializer) if @serializer.is_a?(String)
+      end
+
+      def key
+        @key ||= Key.new(
+          secret,
+          cipher: cipher,
+          salt: secret_salt,
+          iterations: secret_iterations
+        ).value
+      end
+
+      def to_h
+        self.class.to_h(self)
+      end
+    end
+  end
+end

data/lib/active_encryption/encryption_setting/yaml_store.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'erb'
+require 'yaml'
+require 'active_encryption/encryption_setting/record'
+require 'active_support/core_ext/hash'
+
+module ActiveEncryption
+  module EncryptionSetting
+    # The ActiveEncryption::EncryptionSetting::YamlStore class retrieve
+    # ActiveEncryption::EncryptionSetting::Record from a YAML file.
+    class YamlStore
+      attr_reader :file_path
+
+      def initialize(file_path)
+        @file_path = file_path
+      end
+
+      def find(id)
+        id = id.to_sym
+        attributes = content[id]
+        return nil unless attributes
+
+        attributes[:id] = id
+        Record.new(attributes)
+      end
+
+      def content
+        @content ||= parse_file.deep_symbolize_keys
+      end
+
+      private
+
+      def parse_file
+        YAML.safe_load(ERB.new(File.read(file_path)).result)
+      end
+    end
+  end
+end

data/lib/active_encryption/encryptor.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'active_support/message_encryptor'
+
+module ActiveEncryption
+  # The ActiveEncryption::Encryptor is an abstraction class around
+  # ActiveSupport::MessageEncryptor
+  #
+  # Usage:
+  #
+  # encryptor = ActiveEncryption::Encryptor.new(encryption_setting)
+  # encrypted_data = encryptor.encrypt(data)
+  # data = encryptor.decrypt(encrypted_data)
+  #
+  class Encryptor
+    attr_reader :encryption_setting
+
+    def initialize(encryption_setting, service = nil)
+      @encryption_setting = encryption_setting
+      @service = service
+    end
+
+    # :reek:LongParameterList is required to map to encrypt_and_sign
+    def encrypt(data, expires_at: nil, expires_in: nil, purpose: nil)
+      return nil unless data
+
+      service.encrypt_and_sign(
+        data,
+        expires_at: expires_at,
+        expires_in: expires_in,
+        purpose: purpose
+      )
+    end
+
+    def decrypt(data, purpose: nil)
+      return nil unless data
+
+      service.decrypt_and_verify(
+        data,
+        purpose: purpose
+      )
+    end
+
+    private
+
+    def service
+      @service ||= ActiveSupport::MessageEncryptor.new(
+        encryption_setting.key,
+        cipher: encryption_setting.cipher,
+        digest: encryption_setting.digest,
+        serializer: encryption_setting.serializer
+      )
+    end
+  end
+end

data/lib/active_encryption/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module ActiveEncryption
+  VERSION = '0.1.0'
+end

data/lib/generators/active_encryption/install_generator.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'rails/generators/base'
+
+module ActiveEncryption
+  module Generators
+    # Generator to install ActiveEncryption in a Rails application.
+    #
+    # Usage:
+    #
+    #  ``rails generate active_encryption:install``
+    #
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path('../templates', __dir__)
+
+      desc <<~DESCRIPTION
+        Creates a ActiveEncryption initializer and copy\
+        encryption_settings.yml file to your application.
+      DESCRIPTION
+
+      def copy_initializer
+        copy_file(
+          'active_encryption.rb',
+          Rails.root.join('config', 'initializers', 'active_encryption.rb')
+        )
+      end
+
+      def copy_encryption_settings
+        file_path = Rails.root.join('config', 'encryption_settings.yml')
+        copy_file 'encryption_settings.yml', file_path
+        gsub_file file_path,
+                  '*RANDOM_SALT*',
+                  SecureRandom.urlsafe_base64(4)
+      end
+    end
+  end
+end

data/lib/generators/templates/active_encryption.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+# Be sure to restart your server when you modify this file.
+
+ActiveEncryption.configure do |config|
+  # Store containing the encryption settings
+  # Use "config/encryption_settings.yml" to store the settings:
+  config.encryption_setting_store =
+    ActiveEncryption::EncryptionSetting::YamlStore.new(
+      Rails.root.join('config', 'encryption_settings.yml')
+    )
+
+  # ID of the encryption setting to use by default:
+  # config.default_encryption_setting_id = :default
+end

data/lib/generators/templates/encryption_settings.yml

@@ -0,0 +1,34 @@
+# WARNING: Changing these encryption settings prevents the decryption
+# of already encrypted data.
+
+# Default encryption setting
+default:
+  # secret: must be a cryptographically random string.
+  # The secret is hashed with PBKDF2 to generate the encryption key.
+  #
+  # You can generate one with:
+  # - "rails secret"
+  # - SecureRandom.hex(64)
+  # - or, SecureRandom.urlsafe_base64(64)
+  #
+  ## WARNING ##
+  # The secret value should NOT be stored in this file directly.
+  # You should instead refer to where the secret value is stored
+  # e.g. refer to Rails credentials/secrets, an environment variable or
+  # a KMS/HSM, etc.
+  secret: <%= Rails.application.credentials.secret_key_base %>
+  # Salt used to generate the encryption key based on the secret
+  secret_salt: 'ActiveEncryption salt: *RANDOM_SALT*'
+  # Number of iterations for PBKDF2 on the secret.
+  secret_iterations: <%= Rails.env.test? ? 1 : 2**16 %>
+  # Cipher to use. Can be any cipher returned by OpenSSL::Cipher.ciphers.
+  cipher: aes-256-gcm
+  # Digest to use to sign. Default is SHA1. Recommended is SHA256.
+  # Ignored when using an AEAD cipher like 'aes-256-gcm'.
+  # digest: SHA256
+
+# my_other_setting:
+#   secret: <%= Rails.application.credentials.active_encryption_key1 %>
+#   secret_salt: 'ActiveEncryption salt: *RANDOM_SALT*'
+#   secret_iterations: <%= Rails.env.test? ? 1 : 2**16 %>
+#   cipher: aes-128-gcm

metadata

@@ -0,0 +1,242 @@
+--- !ruby/object:Gem::Specification
+name: active_encryption
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Arnaud Germis
+autorequire: 
+bindir: exe
+cert_chain:
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIEODCCAqCgAwIBAgIBATANBgkqhkiG9w0BAQsFADAjMSEwHwYDVQQDDBhhcm5h
+  dWQvREM9emlyY29kZS9EQz1jb20wHhcNMTkwNzE4MTQ0OTE4WhcNMjAwNzE3MTQ0
+  OTE4WjAjMSEwHwYDVQQDDBhhcm5hdWQvREM9emlyY29kZS9EQz1jb20wggGiMA0G
+  CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDltdBv6MnjmokVZEkhubGk0NfEiU4C
+  WZZLNgN+FpyK5VNDvGvs8+OTusYCw07HFkhKVF2T+3A1XlYZKOXozCFBoQtL5ted
+  Nxy8yo874kcF5M6EV22np8/SefOJrpk4Wgvz4xdwT24LjZpmLHWFPXuVuqI4LZ7Q
+  Eh6sjVfG1h0SBSF8RjCCmEXONsz+ceDWvBKdBUSYfVt0HGmDSXYJByF4I8onkeUc
+  xxmLCu8VxZvnHrEw94BRPiEI1oUJ+3etNu2MYcK3pnLc+p9zYQ/NjS0Bsa423fmZ
+  5K0Z4qiN550vccPZxRoMk9eiZHL8dN+ZgxG4+2o+ouCYRkLnkCyDR4rr7zLIcojo
+  53iJqFF8cJtkectMOhNOO9jh/FMsJZnKWBzJ4/J3xHSLz4gD4/47WSwjAJ4tLHGC
+  4VpzfD53vdr3i5RvB7bv3QiePUR2vV5AUap2S7TKJ+ojQVoh7TfJP3N5nwVspQkh
+  C3goXVkz5Op9TkLN3oUGqnveL9nC4y6e180CAwEAAaN3MHUwCQYDVR0TBAIwADAL
+  BgNVHQ8EBAMCBLAwHQYDVR0OBBYEFBNAzBaMirBd5+1xszQeddjvuLdCMB0GA1Ud
+  EQQWMBSBEmFybmF1ZEB6aXJjb2RlLmNvbTAdBgNVHRIEFjAUgRJhcm5hdWRAemly
+  Y29kZS5jb20wDQYJKoZIhvcNAQELBQADggGBAGvmnHTVKwGAlqB93/QZ19MBUrFm
+  vIxkoWYi/GlZnJGsApFwZtOsNaAFxYIVfAR7fZjQtCB7B6ZyERZF+m8J3tC23eTG
+  PadrSjz3SPbFJlCIqJ0NllSvx5E+98b9pq9tIyaeFbYnII1qoy+SIiWOurVS4dWr
+  dkmUsJvxyNJ+3yoVt568UFSf/YZ88GaabEAL5JFwXIpv/cxaej9M2bALPkP7HUm/
+  rgSmTctYicJomzzQ5LSLhdVSV+z5w2L5roIu5bPEQJyWIj6pZCthACPMR/emsLQ2
+  T9JFyENPrM2CUtwBaLQacRInp5zRWueDKIf0I+vNjRKu5PwEeePVn2VlkcQTuhUT
+  Vgg0CeGsGrJdcSohxH13t3gx4QXH0SA+4HPW7uqEeIQLwmBA56nCi6jAgTGAZhjX
+  UsJ7gUgNcBEuCAwgXmVzhEQ50pTMVRAL2cQKqnFkqehpRJ+78n+psW480iLqmjq3
+  GzWvrPCkKt17EBe3MSjjMsq80n5C1eaKRQA9Vw==
+  -----END CERTIFICATE-----
+date: 2019-07-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.0
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '6.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.0
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '6.1'
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.0
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '6.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.0
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '6.1'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: reek
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.4.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.4.0
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.72.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.72.0
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.33.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.33.0
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.17.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.17.0
+description: 
+email:
+- hello@zircode.com
+- arnaud@zircode.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".editorconfig"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".travis.yml"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- active_encryption.gemspec
+- bin/console
+- bin/setup
+- certs/garnu.pem
+- lib/active_encryption.rb
+- lib/active_encryption/adapters.rb
+- lib/active_encryption/adapters/active_record.rb
+- lib/active_encryption/configuration.rb
+- lib/active_encryption/configuration/store.rb
+- lib/active_encryption/encryptable.rb
+- lib/active_encryption/encryptable/instance_methods_on_activation.rb
+- lib/active_encryption/encryption_setting/key.rb
+- lib/active_encryption/encryption_setting/record.rb
+- lib/active_encryption/encryption_setting/yaml_store.rb
+- lib/active_encryption/encryptor.rb
+- lib/active_encryption/version.rb
+- lib/generators/active_encryption/install_generator.rb
+- lib/generators/templates/active_encryption.rb
+- lib/generators/templates/encryption_settings.yml
+homepage: https://github.com/Zircode/active_encryption
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/Zircode/active_encryption
+  source_code_uri: https://github.com/Zircode/active_encryption
+  changelog_uri: https://github.com/Zircode/active_encryption/CHANGELOG.md
+  bug_tracker_uri: https://github.com/Zircode/active_encryption/issues
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.3'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: ActiveEncryption transparently encrypt (and decrypt!) attributes with    ActiveSupport::MessageEncryptor
+test_files: []