activerecord-cipherstash-pg-adapter 0.4.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 434fd7249bd70c44846fa14a0d1ece70776c0ef79ee4632ca39f15b6036e49dd
-  data.tar.gz: b54aa489eb0053e8a065dc7d938cc35f7ced39b3c0cd06d41b13a55b7494c080
+  metadata.gz: f49b439e9bfe2874fc67bf0f4064ba66a3659a9e67b207e156ddb2b3cf8c5bb2
+  data.tar.gz: 02347f9e3efe1f15da8dd6c11e8745c424d7dd9f65b493640ea57f41370dd7b3
 SHA512:
-  metadata.gz: 7ad1fb8b78eb0ca2bf4796c1096dfbc58ab2efa4b435d9f5f70db0dbe0a7fbcf5399944ea969a75da2754d04116930061fbadb2e95afa61b014c622b26214e25
-  data.tar.gz: b8b577f348e757cb2c0da27096d3475f14dbe9d9a555d80d8e1e8e25fdd7238713509167abbeaaff4129d5b939dfc7df4d3f49cd5ab992a92975eea54e387646
+  metadata.gz: 703fb309bb186e2350856b0f5fabae1e373685e13552afb53cfb04fb2630866f271cbbf2efebe305e9a06bc5f62dbc3808379d2037286e4af42a9052bae8185a
+  data.tar.gz: 5885728f591239c6f6893dbd9f2b19bb75976bd01237fedb24a9fcf42804ce78315b5da1831af0cf35961ea6210c072fc28c520bfbc703157cd163dc369a9c60

data/CHANGELOG.md

@@ -1,5 +1,25 @@
 ## [Unreleased]
 
+## [0.6.0] - 2023-04-20
+
+### Changed
+
+- Updated the adapter name constant to be the same as the ActiveRecord PostgreSQL adapter.
+
+### Fixed
+
+- Logic around Rails credentials taking precedence over local env vars.
+
+## [0.5.0] - 2023-04-19
+
+### Added
+
+- Support for Rails credentials to set the required driver environment variables.
+
+### Fixed
+
+- Hide internal CipherStash columns.
+
 ## [0.4.0] - 2023-04-06
 
 ### Changed

data/lib/active_record/connection_adapters/6.1/postgres_cipherstash_adapter.rb

@@ -3,6 +3,7 @@
 require "active_support/core_ext/object/try"
 require "active_record/connection_adapters/abstract_adapter"
 require "active_record/connection_adapters/statement_pool"
+require "active_record/connection_adapters/cipherstash_column_mapper"
 
 require_relative "./cipherstash_pg/column"
 require_relative "./cipherstash_pg/database_statements"
@@ -52,7 +53,7 @@ module ActiveRecord
 
   module ConnectionAdapters
     class CipherStashPGAdapter < AbstractAdapter
-      ADAPTER_NAME = "CipherStash PostgreSQL"
+      ADAPTER_NAME = "PostgreSQL"
 
       class << self
         def new_client(conn_params)
@@ -805,19 +806,31 @@ module ActiveRecord
         # Query implementation notes:
         #  - format_type includes the column size constraint, e.g. varchar(50)
         #  - ::regclass is a function that gives the id for a table name
+        #
+        # NOTE: this method has been modified from the original version that was lifted
+        # from ActiveRecord's PostgreSQL adapter. The query is untouched, but
+        # `CipherStashColumnMapper` is custom. See the docs in `CipherStashColumnMapper`
+        # for details.
+        #
+        # Original source:
+        # https://github.com/rails/rails/blob/main/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb#L1009-L1041
         def column_definitions(table_name)
-          query(<<~SQL, "SCHEMA")
-              SELECT a.attname, format_type(a.atttypid, a.atttypmod),
-                     pg_get_expr(d.adbin, d.adrelid), a.attnotnull, a.atttypid, a.atttypmod,
-                     c.collname, col_description(a.attrelid, a.attnum) AS comment
-                FROM pg_attribute a
-                LEFT JOIN pg_attrdef d ON a.attrelid = d.adrelid AND a.attnum = d.adnum
-                LEFT JOIN pg_type t ON a.atttypid = t.oid
-                LEFT JOIN pg_collation c ON a.attcollation = c.oid AND a.attcollation <> t.typcollation
-               WHERE a.attrelid = #{quote(quote_table_name(table_name))}::regclass
-                 AND a.attnum > 0 AND NOT a.attisdropped
-               ORDER BY a.attnum
-          SQL
+          column_definitions =
+            query(<<~SQL, "SCHEMA")
+                SELECT a.attname, format_type(a.atttypid, a.atttypmod),
+                      pg_get_expr(d.adbin, d.adrelid), a.attnotnull, a.atttypid, a.atttypmod,
+                      c.collname, col_description(a.attrelid, a.attnum) AS comment,
+                      #{supports_virtual_columns? ? 'attgenerated' : quote('')} as attgenerated
+                  FROM pg_attribute a
+                  LEFT JOIN pg_attrdef d ON a.attrelid = d.adrelid AND a.attnum = d.adnum
+                  LEFT JOIN pg_type t ON a.atttypid = t.oid
+                  LEFT JOIN pg_collation c ON a.attcollation = c.oid AND a.attcollation <> t.typcollation
+                WHERE a.attrelid = #{quote(quote_table_name(table_name))}::regclass
+                  AND a.attnum > 0 AND NOT a.attisdropped
+                ORDER BY a.attnum
+            SQL
+
+          CipherStashColumnMapper.map_column_definitions(column_definitions)
         end
 
         def extract_table_ref_from_insert_sql(sql)

data/lib/active_record/connection_adapters/7.0/postgres_cipherstash_adapter.rb

@@ -3,6 +3,7 @@
 require "active_support/core_ext/object/try"
 require "active_record/connection_adapters/abstract_adapter"
 require "active_record/connection_adapters/statement_pool"
+require "active_record/connection_adapters/cipherstash_column_mapper"
 
 require_relative "./cipherstash_pg/column"
 require_relative "./cipherstash_pg/database_statements"
@@ -53,7 +54,7 @@ module ActiveRecord
 
   module ConnectionAdapters
     class CipherStashPGAdapter < AbstractAdapter
-      ADAPTER_NAME = "CipherStash PostgreSQL"
+      ADAPTER_NAME = "PostgreSQL"
 
       class << self
         def new_client(conn_params)
@@ -911,20 +912,31 @@ module ActiveRecord
         # Query implementation notes:
         #  - format_type includes the column size constraint, e.g. varchar(50)
         #  - ::regclass is a function that gives the id for a table name
+        #
+        # NOTE: this method has been modified from the original version that was lifted
+        # from ActiveRecord's PostgreSQL adapter. The query is untouched, but
+        # `CipherStashColumnMapper` is custom. See the docs in `CipherStashColumnMapper`
+        # for details.
+        #
+        # Original source:
+        # https://github.com/rails/rails/blob/main/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb#L1009-L1041
         def column_definitions(table_name)
-          query(<<~SQL, "SCHEMA")
-              SELECT a.attname, format_type(a.atttypid, a.atttypmod),
-                     pg_get_expr(d.adbin, d.adrelid), a.attnotnull, a.atttypid, a.atttypmod,
-                     c.collname, col_description(a.attrelid, a.attnum) AS comment,
-                     #{supports_virtual_columns? ? 'attgenerated' : quote('')} as attgenerated
-                FROM pg_attribute a
-                LEFT JOIN pg_attrdef d ON a.attrelid = d.adrelid AND a.attnum = d.adnum
-                LEFT JOIN pg_type t ON a.atttypid = t.oid
-                LEFT JOIN pg_collation c ON a.attcollation = c.oid AND a.attcollation <> t.typcollation
-               WHERE a.attrelid = #{quote(quote_table_name(table_name))}::regclass
-                 AND a.attnum > 0 AND NOT a.attisdropped
-               ORDER BY a.attnum
-          SQL
+          column_definitions =
+            query(<<~SQL, "SCHEMA")
+                SELECT a.attname, format_type(a.atttypid, a.atttypmod),
+                      pg_get_expr(d.adbin, d.adrelid), a.attnotnull, a.atttypid, a.atttypmod,
+                      c.collname, col_description(a.attrelid, a.attnum) AS comment,
+                      #{supports_virtual_columns? ? 'attgenerated' : quote('')} as attgenerated
+                  FROM pg_attribute a
+                  LEFT JOIN pg_attrdef d ON a.attrelid = d.adrelid AND a.attnum = d.adnum
+                  LEFT JOIN pg_type t ON a.atttypid = t.oid
+                  LEFT JOIN pg_collation c ON a.attcollation = c.oid AND a.attcollation <> t.typcollation
+                WHERE a.attrelid = #{quote(quote_table_name(table_name))}::regclass
+                  AND a.attnum > 0 AND NOT a.attisdropped
+                ORDER BY a.attnum
+            SQL
+
+          CipherStashColumnMapper.map_column_definitions(column_definitions)
         end
 
         def extract_table_ref_from_insert_sql(sql)

data/lib/active_record/connection_adapters/cipherstash_column_mapper.rb

@@ -0,0 +1,52 @@
+require "set"
+
+module ActiveRecord
+  module ConnectionAdapters
+    # A module for mapping CipherStash internal columns to columns that ActiveRecord can work with.
+    #
+    # @private
+    class CipherStashColumnMapper
+      ENCRYPTED_INDEX_COLUMN_REGEX = /^__.+_(match|ore|unique)$/
+      ENCRYPTED_SOURCE_COLUMN_REGEX = /^__(.+)_encrypted$/
+
+      class << self
+        # Maps the given column definitions by filtering out CipherStash internal columns. This method
+        # also adds in plaintext columns if necessary (for example, when using the driver in "encrypted"
+        # mode after the original plaintext columns have been dropped).
+        def map_column_definitions(column_definitions)
+          all_column_names = column_definitions.map(&:first).to_set
+
+          column_definitions
+            .reject { |column_definition| encrypted_index_column?(column_definition) }
+            .map { |column_definition| maybe_rename_source_column(column_definition, all_column_names) }
+            .reject { |column_definition| encrypted_source_column?(column_definition) }
+        end
+
+        private
+
+          def encrypted_index_column?(column_definition)
+            ENCRYPTED_INDEX_COLUMN_REGEX =~ column_name(column_definition)
+          end
+
+          def encrypted_source_column?(column_definition)
+            ENCRYPTED_SOURCE_COLUMN_REGEX =~ column_name(column_definition)
+          end
+
+          def column_name(column_definition)
+            column_definition.first
+          end
+
+          def maybe_rename_source_column(column_definition, all_column_names)
+            column_name, *rest = column_definition
+            match = column_name.match(ENCRYPTED_SOURCE_COLUMN_REGEX)
+
+            if match && !all_column_names.include?(match.captures.first)
+              [match.captures.first, *rest]
+            else
+              column_definition
+            end
+          end
+      end
+    end
+  end
+end

data/lib/active_record/connection_adapters/postgres_cipherstash_adapter.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 #
 # Why the funky filename
-# (lib/active_record/connection_adapters/cipherstash_pg_adapter.rb)
+# (lib/active_record/connection_adapters/postgres_cipherstash_adapter.rb)
 # that doesn't match the gem structure? It's to hook into Rails.
 #
 # See this chunk from:

data/lib/activerecord-cipherstash-pg-adapter.rb

@@ -11,6 +11,33 @@ module ActiveRecord
         rake_tasks do
           load "cipherstash_tasks.rake"
         end
+
+        initializer "postgres_cipherstash_adapter.configure" do
+          if defined?(Rails.application.credentials)
+            cs_credentials = Rails.application.credentials.try(:cipherstash)
+
+            client_id = cs_credentials&.fetch(:client_id, nil)
+            client_key = cs_credentials&.fetch(:client_key, nil)
+            workspace_id = cs_credentials&.fetch(:workspace_id, nil)
+            client_access_key = cs_credentials&.fetch(:client_access_key, nil)
+
+            unless client_id.nil?
+              ENV["CS_CLIENT_ID"] = client_id
+            end
+
+            unless client_key.nil?
+              ENV["CS_CLIENT_KEY"] = client_key
+            end
+
+            unless workspace_id.nil?
+              ENV["CS_WORKSPACE_ID"] = workspace_id
+            end
+
+            unless client_access_key.nil?
+              ENV["CS_CLIENT_ACCESS_KEY"] = client_access_key
+            end
+          end
+        end
       end
 
       # Method to install CipherStash custom ORE types

data/lib/version.rb

@@ -1,3 +1,3 @@
 module ActiveRecord
-  CIPHERSTASH_PG_ADAPTER_VERSION = "0.4.0"
+  CIPHERSTASH_PG_ADAPTER_VERSION = "0.6.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activerecord-cipherstash-pg-adapter
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.6.0
 platform: ruby
 authors:
 - Robin Howard
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-04-06 00:00:00.000000000 Z
+date: 2023-04-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -135,6 +135,7 @@ files:
 - lib/active_record/connection_adapters/7.0/cipherstash_pg/type_metadata.rb
 - lib/active_record/connection_adapters/7.0/cipherstash_pg/utils.rb
 - lib/active_record/connection_adapters/7.0/postgres_cipherstash_adapter.rb
+- lib/active_record/connection_adapters/cipherstash_column_mapper.rb
 - lib/active_record/connection_adapters/cipherstash_pg/database_extensions.rb
 - lib/active_record/connection_adapters/cipherstash_pg/database_tasks.rb
 - lib/active_record/connection_adapters/postgres_cipherstash_adapter.rb
@@ -148,7 +149,7 @@ metadata:
   homepage_uri: https://github.com/cipherstash/activerecord-cipherstash-pg-adapter
   source_code_uri: https://github.com/cipherstash/activerecord-cipherstash-pg-adapter.git
   changelog_uri: https://github.com/cipherstash/activerecord-cipherstash-pg-adapter/blob/main/CHANGELOG.md
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -164,7 +165,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.3.7
-signing_key: 
+signing_key:
 specification_version: 4
 summary: CipherStash PostgreSQL adapter for ActiveRecord.
 test_files: []