active_storage_encryption 0.2.2 → 0.3.0

data/lib/active_storage_encryption.rb

@@ -10,6 +10,7 @@ module ActiveStorageEncryption
   autoload :EncryptedDiskService, __dir__ + "/active_storage_encryption/encrypted_disk_service.rb"
   autoload :EncryptedMirrorService, __dir__ + "/active_storage_encryption/encrypted_mirror_service.rb"
   autoload :EncryptedS3Service, __dir__ + "/active_storage_encryption/encrypted_s3_service.rb"
+  autoload :EncryptedGCSService, __dir__ + "/active_storage_encryption/encrypted_gcs_service.rb"
   autoload :Overrides, __dir__ + "/active_storage_encryption/overrides.rb"
 
   class IncorrectEncryptionKey < ArgumentError

data/test/dummy/app/models/user.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class User < ApplicationRecord
+  has_one_attached :file, service: :encrypted_disk
+end

data/test/dummy/config/environments/test.rb

@@ -42,6 +42,8 @@ Rails.application.configure do
   # Tell Active Support which deprecation messages to disallow.
   config.active_support.disallowed_deprecation_warnings = []
 
+  config.active_storage.service = :test
+
   # Raises error for missing translations.
   # config.i18n.raise_on_missing_translations = true
 

data/test/dummy/config/storage.yml

@@ -19,3 +19,6 @@ encrypted_mirror:
     - encrypted_disk
   mirrors:
     - test
+
+encrypted_gcs_service:
+  service: EncryptedGCS

data/test/dummy/db/migrate/20250428093315_create_users.rb

@@ -0,0 +1,7 @@
+class CreateUsers < ActiveRecord::Migration[7.2]
+  def change
+    create_table :users do |t|
+      t.timestamps
+    end
+  end
+end

data/test/dummy/db/schema.rb

@@ -1,5 +1,3 @@
-# frozen_string_literal: true
-
 # This file is auto-generated from the current state of the database. Instead
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
@@ -12,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.2].define(version: 2025_03_04_023853) do
+ActiveRecord::Schema[7.2].define(version: 2025_04_28_093315) do
   create_table "active_storage_attachments", force: :cascade do |t|
     t.string "name", null: false
     t.string "record_type", null: false
@@ -42,6 +40,11 @@ ActiveRecord::Schema[7.2].define(version: 2025_03_04_023853) do
     t.index ["blob_id", "variation_digest"], name: "index_active_storage_variant_records_uniqueness", unique: true
   end
 
+  create_table "users", force: :cascade do |t|
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+  end
+
   add_foreign_key "active_storage_attachments", "active_storage_blobs", column: "blob_id"
   add_foreign_key "active_storage_variant_records", "active_storage_blobs", column: "blob_id"
 end

data/test/lib/encrypted_gcs_service_test.rb

@@ -0,0 +1,201 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+class ActiveStorageEncryption::EncryptedGCSServiceTest < ActiveSupport::TestCase
+  def config
+    {
+      project_id: "sandbox-ci-25b8",
+      bucket: "sandbox-ci-testing-secure-documents",
+      private_url_policy: "stream"
+    }
+  end
+
+  setup do
+    if ENV["GOOGLE_APPLICATION_CREDENTIALS"].blank?
+      skip "You need GOOGLE_APPLICATION_CREDENTIALS set in your env and it needs to point to the JSON keyfile for GCS"
+    end
+
+    @textfile = StringIO.new("Secure document that needs to be stored encrypted.")
+    @textfile2 = StringIO.new("While being neatly organized all in a days work aat the job.")
+    @service = ActiveStorageEncryption::EncryptedGCSService.new(**config)
+    @service.name = "encrypted_gcs_service"
+
+    @encryption_key = ActiveStorage::Blob.generate_random_encryption_key
+    @gcs_key_length_range = (0...ActiveStorageEncryption::EncryptedGCSService::GCS_ENCRYPTION_KEY_LENGTH_BYTES) # 32 bytes
+  end
+
+  def run_id
+    # We use a shared GCS bucket, and multiple runs of the test suite may write into it at the same time.
+    # To prevent clobbering and conflicts, assign a "test run ID" and mix it into the object keys. Keep that
+    # value stable across the test suite.
+    @test_suite_run_id ||= SecureRandom.base36(10)
+  end
+
+  def test_encrypted_question_method
+    assert @service.encrypted?
+  end
+
+  def test_forbids_private_urls_with_disabled_policy
+    @service.private_url_policy = :disable
+
+    rng = Random.new(Minitest.seed)
+    key = "#{run_id}-streamed-key-#{rng.hex(4)}"
+    encryption_key = Random.bytes(68)
+    plaintext_upload_bytes = rng.bytes(425)
+    @service.upload(key, StringIO.new(plaintext_upload_bytes), encryption_key:)
+
+    # ActiveStorage wraps the passed filename in a wrapper thingy
+    filename_with_sanitization = ActiveStorage::Filename.new("temp.bin")
+
+    assert_raises(ActiveStorageEncryption::StreamingDisabled) do
+      @service.url(key, filename: filename_with_sanitization, blob_byte_size: plaintext_upload_bytes.bytesize, content_type: "binary/octet-stream", disposition: "inline", encryption_key:, expires_in: 10.seconds)
+    end
+  end
+
+  def test_exists
+    rng = Random.new(Minitest.seed)
+
+    key = "#{run_id}-encrypted-exists-key-#{rng.hex(4)}"
+    encryption_key = rng.bytes(47) # Make it bigger than required, to ensure the service truncates it
+    plaintext_upload_bytes = rng.bytes(1024)
+
+    assert_nothing_raised { @service.upload(key, StringIO.new(plaintext_upload_bytes), encryption_key:) }
+    refute @service.exist?(key + "-definitely-not-present")
+    assert @service.exist?(key)
+  end
+
+  def test_generates_private_streaming_urls_with_streaming_policy
+    @service.private_url_policy = :stream
+
+    rng = Random.new(Minitest.seed)
+    key = "#{run_id}-streamed-key-#{rng.hex(4)}"
+    encryption_key = Random.bytes(68)
+    plaintext_upload_bytes = rng.bytes(425)
+    @service.upload(key, StringIO.new(plaintext_upload_bytes), encryption_key:)
+
+    # The streaming URL generation uses Rails routing, so it needs
+    # ActiveStorage::Current.url_options to be set
+    # We need to use a hostname for ActiveStorage which is in the Rails authorized hosts.
+    # see https://stackoverflow.com/a/60573259/153886
+    ActiveStorage::Current.url_options = {
+      host: "www.example.com",
+      protocol: "https"
+    }
+
+    # ActiveStorage wraps the passed filename in a wrapper thingy
+    filename_with_sanitization = ActiveStorage::Filename.new("temp.bin")
+    url = @service.url(key, blob_byte_size: plaintext_upload_bytes.bytesize,
+      filename: filename_with_sanitization, content_type: "binary/octet-stream",
+      disposition: "inline", encryption_key:, expires_in: 10.seconds)
+    assert url.include?("/active-storage-encryption/blob/")
+  end
+
+  def test_generates_private_urls_with_require_headers_policy
+    @service.private_url_policy = :require_headers
+
+    rng = Random.new(Minitest.seed)
+    key = "#{run_id}-streamed-key-#{rng.hex(4)}"
+    encryption_key = Random.bytes(68)
+    plaintext_upload_bytes = rng.bytes(425)
+    @service.upload(key, StringIO.new(plaintext_upload_bytes), encryption_key:)
+
+    # ActiveStorage wraps the passed filename in a wrapper thingy
+    filename_with_sanitization = ActiveStorage::Filename.new("temp.bin")
+    url = @service.url(key, blob_byte_size: plaintext_upload_bytes.bytesize,
+      filename: filename_with_sanitization, content_type: "binary/octet-stream",
+      disposition: "inline", encryption_key:, expires_in: 240.seconds)
+
+    query_params_hash = URI.decode_www_form(URI.parse(url).query).to_h
+
+    # Downcased header names for this test since that's what we get back from signing process.
+    expected_headers = ["x-goog-encryption-algorithm", "x-goog-encryption-key", "x-goog-encryption-key-sha256"]
+    signed_headers = query_params_hash["X-Goog-SignedHeaders"].split(";")
+    assert expected_headers.all? { |header| header.in?(signed_headers) }
+
+    uri = URI(url)
+    req = Net::HTTP::Get.new(uri)
+    res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") { |http|
+      http.request(req)
+    }
+    assert_equal "400", res.code
+
+    # TODO make this a headers_for_private_download like in the s3 service
+    download_headers = {
+      "content-type" => "binary/octet-stream",
+      "Content-Disposition" => "inline; filename=\"temp.bin\"; filename*=UTF-8''temp.bin",
+      "x-goog-encryption-algorithm" => "AES256",
+      "x-goog-encryption-key" => Base64.strict_encode64(encryption_key[@gcs_key_length_range]),
+      "x-goog-encryption-key-sha256" => Digest::SHA256.base64digest(encryption_key[@gcs_key_length_range])
+    }
+    download_headers.each_pair { |key, value| req[key] = value }
+
+    res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") { |http|
+      http.request(req)
+    }
+    assert_equal "200", res.code
+    assert_equal plaintext_upload_bytes, res.body
+  end
+
+  def test_basic_gcs_readback
+    rng = Random.new(Minitest.seed)
+
+    key = "#{run_id}-encrypted-key-#{rng.hex(4)}"
+    encryption_key = rng.bytes(47) # Make it bigger than required, to ensure the service truncates it
+    plaintext_upload_bytes = rng.bytes(1024)
+
+    assert_nothing_raised do
+      @service.upload(key, StringIO.new(plaintext_upload_bytes), encryption_key:)
+    end
+    readback = @service.download(key, encryption_key:)
+    assert_equal readback, plaintext_upload_bytes
+  end
+
+  def test_accepts_direct_upload_with_signature_and_headers
+    rng = Random.new(Minitest.seed)
+
+    key = "#{run_id}-encrypted-key-direct-upload-#{rng.hex(4)}"
+    encryption_key = rng.bytes(47) # Make it bigger than required, to ensure the service truncates it
+    plaintext_upload_bytes = rng.bytes(1024)
+
+    url = @service.url_for_direct_upload(key,
+      encryption_key:,
+      expires_in: 5.minutes.to_i,
+      content_type: "binary/octet-stream",
+      content_length: plaintext_upload_bytes.bytesize,
+      checksum: Digest::MD5.base64digest(plaintext_upload_bytes))
+
+    query_params_hash = URI.decode_www_form(URI.parse(url).query).to_h
+
+    # Downcased header names for this test since that's what we get back from signing process.
+    expected_headers = ["content-md5", "x-goog-encryption-algorithm", "x-goog-encryption-key", "x-goog-encryption-key-sha256"]
+    signed_headers = query_params_hash["X-Goog-SignedHeaders"].split(";")
+    assert expected_headers.all? { |header| header.in?(signed_headers) }
+
+    assert_equal "300", query_params_hash["X-Goog-Expires"]
+
+    should_be_headers = {
+      "Content-Type" => "binary/octet-stream",
+      "Content-MD5" => Digest::MD5.base64digest(plaintext_upload_bytes),
+      "x-goog-encryption-algorithm" => "AES256",
+      "x-goog-encryption-key" => Base64.strict_encode64(encryption_key[@gcs_key_length_range]),
+      "x-goog-encryption-key-sha256" => Digest::SHA256.base64digest(encryption_key[@gcs_key_length_range])
+    }
+
+    headers = @service.headers_for_direct_upload(key,
+      encryption_key:,
+      content_type: "binary/octet-stream",
+      content_length: plaintext_upload_bytes.bytesize,
+      checksum: Digest::MD5.base64digest(plaintext_upload_bytes))
+
+    assert_equal should_be_headers.sort, headers.sort
+
+    res = Net::HTTP.put(URI(url), plaintext_upload_bytes, headers)
+    assert_equal "200", res.code
+
+    assert_equal plaintext_upload_bytes, @service.download(key, encryption_key:)
+
+    @service.delete(key)
+    refute @service.exist?(key)
+  end
+end

data/test/lib/encrypted_s3_service_test.rb

@@ -235,7 +235,10 @@ class ActiveStorageEncryption::EncryptedS3ServiceTest < ActiveSupport::TestCase
   # Read the objects from something slow, so that threads may switch between one another
   class SnoozyStringIO < StringIO
     def read(n = nil, outbuf = nil)
-      sleep(rand((0.1..0.2)))
+      sleep_from = 0.1
+      sleep_to = 0.2
+      delay_s = rand(sleep_from..sleep_to)
+      sleep(delay_s)
       super
     end
   end

data/test/lib/overrides_test.rb

@@ -0,0 +1,349 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+class ActiveStorageEncryption::OverridesTest < ActiveSupport::TestCase
+  include ActiveJob::TestHelper
+
+  setup do
+    ActiveStorage::Current.url_options = {
+      host: "www.example.com",
+      protocol: "https"
+    }
+  end
+
+  def test_encryption_key_is_set_on_encrypted_service_before_saving
+    blob = ActiveStorage::Blob.create!(
+      key: "yoyo",
+      filename: "test.txt",
+      byte_size: 10,
+      checksum: "abab",
+      metadata: {"identified" => true},
+      content_type: "text/plain",
+      encryption_key: "blabla",
+      service_name: "encrypted_disk"
+    )
+
+    assert blob.valid?
+    blob.encryption_key = nil
+    refute blob.valid?
+    assert_equal ["Encryption key must be present for this service"], blob.errors.full_messages
+  end
+
+  def test_attach_download_and_destroy_with_encryption_works
+    user = User.create!
+    with_uploadable_random_file do |file|
+      user.file.attach(io: file, filename: "test.txt")
+    end
+    assert user.file.url.include?("/active-storage-encryption/blob/")
+    assert user.file.blob.encryption_key
+    with_uploadable_random_file do |file|
+      assert_equal file.size, user.file.blob.byte_size
+    end
+    with_uploadable_random_file do |file|
+      assert_equal file.read, user.file.download
+    end
+    user.file.destroy
+    user.reload
+    refute user.file.attached?
+  end
+
+  def test_generate_random_encryption_key_is_long_enough
+    key = ActiveStorage::Blob.generate_random_encryption_key
+    assert_equal 48, key.size
+    assert_equal Encoding::BINARY, key.encoding
+  end
+
+  def test_service_encrypted
+    blob = ActiveStorage::Blob.create!(service_name: :encrypted_disk, checksum: "yoyo", encryption_key: "haha", filename: "test", key: "hahahaha", byte_size: 50)
+    assert blob.service_encrypted?
+    blob_2 = ActiveStorage::Blob.create!(service_name: :test, checksum: "yoyo", filename: "test", key: "ok", byte_size: 50)
+    refute blob_2.service_encrypted?
+  end
+
+  def test_create_before_direct_upload_works_with_encryption_and_without
+    blob = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_before_direct_upload!(
+        filename: "test_upload",
+        byte_size: file.size,
+        checksum: "something",
+        metadata: {"identified" => true},
+        service_name: "encrypted_disk"
+      )
+    end
+    assert_raises ActiveStorage::FileNotFoundError do
+      blob.download
+    end
+
+    assert blob.service_encrypted?
+    assert blob.encryption_key
+
+    blob_2 = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_before_direct_upload!(
+        filename: "test_upload_2",
+        byte_size: file.size,
+        checksum: "something",
+        metadata: {"identified" => true},
+        service_name: "test"
+      )
+    end
+    refute blob_2.service_encrypted?
+    refute blob_2.encryption_key
+  end
+
+  def test_create_and_upload_works_with_encryption_and_without
+    encrypted_blob = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_and_upload!(
+        io: file,
+        filename: "test_upload",
+        metadata: {"identified" => true},
+        service_name: "encrypted_disk"
+      )
+    end
+
+    assert encrypted_blob.service_encrypted?
+    assert encrypted_blob.url.include?("/active-storage-encryption/blob/")
+    assert encrypted_blob.encryption_key
+    with_uploadable_random_file do |file|
+      assert_equal file.size, encrypted_blob.byte_size
+    end
+    with_uploadable_random_file do |file|
+      assert_equal file.read, encrypted_blob.download
+    end
+
+    unencrypted_blob = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_and_upload!(
+        io: file,
+        filename: "test_upload_2",
+        metadata: {"identified" => true},
+        service_name: "test"
+      )
+    end
+
+    refute unencrypted_blob.service_encrypted?
+    assert unencrypted_blob.url.include?("/rails/active_storage/disk/")
+    refute unencrypted_blob.encryption_key
+    with_uploadable_random_file do |file|
+      assert_equal file.size, unencrypted_blob.byte_size
+    end
+    with_uploadable_random_file do |file|
+      assert_equal file.read, unencrypted_blob.download
+    end
+  end
+
+  def test_open_temp_reads_the_content_of_the_blob_with_encryption_and_without
+    encrypted_blob = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_and_upload!(
+        io: file,
+        filename: "test_upload",
+        metadata: {"identified" => true},
+        service_name: "encrypted_disk"
+      )
+    end
+
+    with_uploadable_random_file do |file|
+      encrypted_blob.open do |b|
+        assert_equal file.read, b.read
+      end
+    end
+
+    unencrypted_blob = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_and_upload!(
+        io: file,
+        filename: "test_upload_2",
+        metadata: {"identified" => true},
+        service_name: "test"
+      )
+    end
+
+    with_uploadable_random_file do |file|
+      unencrypted_blob.open do |b|
+        assert_equal file.read, b.read
+      end
+    end
+  end
+
+  def test_can_download_a_chunk_with_encryption_and_without
+    encrypted_blob = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_and_upload!(
+        io: file,
+        filename: "test_upload",
+        metadata: {"identified" => true},
+        service_name: "encrypted_disk"
+      )
+    end
+
+    chunk = encrypted_blob.download_chunk(0..5.bytes)
+    with_uploadable_random_file do |file|
+      assert_equal chunk, file.read(6)
+    end
+
+    unencrypted_blob = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_and_upload!(
+        io: file,
+        filename: "test_upload_2",
+        metadata: {"identified" => true},
+        service_name: "test"
+      )
+    end
+
+    chunk = unencrypted_blob.download_chunk(0..5.bytes)
+    with_uploadable_random_file do |file|
+      assert_equal chunk, file.read(6)
+    end
+  end
+
+  def test_serializable_hash_works_with_encryption_and_without
+    encrypted_blob = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_and_upload!(
+        io: file,
+        filename: "test_upload",
+        metadata: {"identified" => true},
+        service_name: "encrypted_disk"
+      )
+    end
+    encrypted_blob_hash = {
+      "id" => encrypted_blob.id,
+      "key" => encrypted_blob.key,
+      "filename" => encrypted_blob.filename,
+      "content_type" => encrypted_blob.content_type,
+      "metadata" => encrypted_blob.metadata,
+      "service_name" => encrypted_blob.service_name,
+      "byte_size" => encrypted_blob.byte_size,
+      "checksum" => encrypted_blob.checksum,
+      "created_at" => encrypted_blob.created_at
+    }
+    assert_equal encrypted_blob_hash.sort, encrypted_blob.serializable_hash.sort
+
+    unencrypted_blob = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_and_upload!(
+        io: file,
+        filename: "test_upload_2",
+        metadata: {"identified" => true},
+        service_name: "encrypted_disk"
+      )
+    end
+    unencrypted_blob_hash = {
+      "id" => unencrypted_blob.id,
+      "key" => unencrypted_blob.key,
+      "filename" => unencrypted_blob.filename,
+      "content_type" => encrypted_blob.content_type,
+      "metadata" => unencrypted_blob.metadata,
+      "service_name" => unencrypted_blob.service_name,
+      "byte_size" => unencrypted_blob.byte_size,
+      "checksum" => unencrypted_blob.checksum,
+      "created_at" => unencrypted_blob.created_at
+    }
+    assert_equal unencrypted_blob_hash, unencrypted_blob.serializable_hash
+  end
+
+  def test_instance_compose_works_with_encryption_and_without
+    rng = Random.new(Minitest.seed)
+
+    encrypted_blob_1 = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_and_upload!(
+        io: file, filename: "test_upload", metadata: {"identified" => true},
+        service_name: "encrypted_disk"
+      )
+    end
+    encrypted_blob_2 = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_and_upload!(
+        io: file, filename: "test_upload_2", metadata: {"identified" => true},
+        service_name: "encrypted_disk"
+      )
+    end
+    new_encrypted_blob = ActiveStorage::Blob.create_before_direct_upload!(
+      key: "new_blob_key", filename: "combined_test_upload",
+      metadata: {"identified" => true}, content_type: "plain/text",
+      checksum: "okok",
+      byte_size: encrypted_blob_1.byte_size + encrypted_blob_2.byte_size,
+      encryption_key: rng.bytes(68),
+      service_name: "encrypted_disk"
+    )
+    new_encrypted_blob.compose([encrypted_blob_1.key, encrypted_blob_2.key], source_encryption_keys: [encrypted_blob_1.encryption_key, encrypted_blob_2.encryption_key])
+    with_uploadable_random_file do |file|
+      assert_equal file.read * 2, new_encrypted_blob.download
+    end
+
+    unencrypted_blob_1 = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_and_upload!(
+        io: file, filename: "test_upload_3", metadata: {"identified" => true},
+        service_name: "test"
+      )
+    end
+    unencrypted_blob_2 = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_and_upload!(
+        io: file, filename: "test_upload_4", metadata: {"identified" => true},
+        service_name: "test"
+      )
+    end
+    new_unencrypted_blob = ActiveStorage::Blob.create_before_direct_upload!(
+      key: "new_blob_key_2", filename: "combined_test_upload",
+      metadata: {"identified" => true}, content_type: "plain/text",
+      checksum: "okok",
+      byte_size: unencrypted_blob_1.byte_size + unencrypted_blob_2.byte_size
+    )
+    new_unencrypted_blob.compose([unencrypted_blob_1.key, unencrypted_blob_2.key])
+    with_uploadable_random_file do |file|
+      assert_equal file.read * 2, new_unencrypted_blob.download
+    end
+  end
+
+  def test_class_compose_works_with_and_without_encryption
+    rng = Random.new(Minitest.seed)
+
+    encrypted_blob_1 = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_and_upload!(
+        io: file, filename: "test_upload", metadata: {"identified" => true},
+        service_name: "encrypted_disk"
+      )
+    end
+    encrypted_blob_2 = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_and_upload!(
+        io: file, filename: "test_upload_2", metadata: {"identified" => true},
+        service_name: "encrypted_disk"
+      )
+    end
+    new_enc_blob = ActiveStorage::Blob.compose(
+      [encrypted_blob_1, encrypted_blob_2],
+      content_type: "text/plain",
+      filename: "composed_blob",
+      metadata: {"identified" => true},
+      key: "new_enc_blob",
+      service_name: "encrypted_disk",
+      encryption_key: rng.bytes(68)
+    )
+    with_uploadable_random_file do |file|
+      assert_equal file.read * 2, new_enc_blob.download
+    end
+
+    unencrypted_blob_1 = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_and_upload!(
+        io: file, filename: "test_upload_3", metadata: {"identified" => true},
+        service_name: "test"
+      )
+    end
+    unencrypted_blob_2 = with_uploadable_random_file do |file|
+      ActiveStorage::Blob.create_and_upload!(
+        io: file, filename: "test_upload_4", metadata: {"identified" => true},
+        service_name: "test"
+      )
+    end
+    new_unencrypted_blob = ActiveStorage::Blob.compose(
+      [unencrypted_blob_1, unencrypted_blob_2],
+      key: "new_unencblob_key_2", filename: "combined_test_upload_2",
+      metadata: {"identified" => true}, service_name: "test"
+    )
+    with_uploadable_random_file do |file|
+      assert_equal file.read * 2, new_unencrypted_blob.download
+    end
+  end
+
+  private
+
+  def with_uploadable_random_file(size = 128, &blk)
+    rng = Random.new(Minitest.seed)
+    plaintext_upload_bytes = rng.bytes(size)
+    StringIO.open(plaintext_upload_bytes, "rb", &blk)
+  end
+end