activerecord 5.2.8 → 7.0.2
Potentially problematic release.
- checksums.yaml +4 -4
 - data/CHANGELOG.md +1393 -587
 - data/MIT-LICENSE +3 -1
 - data/README.rdoc +7 -5
 - data/examples/performance.rb +1 -1
 - data/lib/active_record/aggregations.rb +10 -9
 - data/lib/active_record/association_relation.rb +22 -12
 - data/lib/active_record/associations/alias_tracker.rb +19 -16
 - data/lib/active_record/associations/association.rb +122 -47
 - data/lib/active_record/associations/association_scope.rb +24 -24
 - data/lib/active_record/associations/belongs_to_association.rb +67 -49
 - data/lib/active_record/associations/belongs_to_polymorphic_association.rb +16 -7
 - data/lib/active_record/associations/builder/association.rb +52 -23
 - data/lib/active_record/associations/builder/belongs_to.rb +44 -61
 - data/lib/active_record/associations/builder/collection_association.rb +17 -19
 - data/lib/active_record/associations/builder/has_and_belongs_to_many.rb +17 -41
 - data/lib/active_record/associations/builder/has_many.rb +10 -3
 - data/lib/active_record/associations/builder/has_one.rb +35 -3
 - data/lib/active_record/associations/builder/singular_association.rb +5 -3
 - data/lib/active_record/associations/collection_association.rb +59 -50
 - data/lib/active_record/associations/collection_proxy.rb +32 -23
 - data/lib/active_record/associations/disable_joins_association_scope.rb +59 -0
 - data/lib/active_record/associations/foreign_association.rb +20 -0
 - data/lib/active_record/associations/has_many_association.rb +27 -14
 - data/lib/active_record/associations/has_many_through_association.rb +26 -19
 - data/lib/active_record/associations/has_one_association.rb +52 -37
 - data/lib/active_record/associations/has_one_through_association.rb +6 -6
 - data/lib/active_record/associations/join_dependency/join_association.rb +44 -22
 - data/lib/active_record/associations/join_dependency/join_part.rb +5 -5
 - data/lib/active_record/associations/join_dependency.rb +97 -62
 - data/lib/active_record/associations/preloader/association.rb +220 -60
 - data/lib/active_record/associations/preloader/batch.rb +48 -0
 - data/lib/active_record/associations/preloader/branch.rb +147 -0
 - data/lib/active_record/associations/preloader/through_association.rb +85 -40
 - data/lib/active_record/associations/preloader.rb +44 -105
 - data/lib/active_record/associations/singular_association.rb +9 -17
 - data/lib/active_record/associations/through_association.rb +4 -4
 - data/lib/active_record/associations.rb +207 -66
 - data/lib/active_record/asynchronous_queries_tracker.rb +60 -0
 - data/lib/active_record/attribute_assignment.rb +17 -19
 - data/lib/active_record/attribute_methods/before_type_cast.rb +19 -8
 - data/lib/active_record/attribute_methods/dirty.rb +141 -47
 - data/lib/active_record/attribute_methods/primary_key.rb +22 -27
 - data/lib/active_record/attribute_methods/query.rb +6 -10
 - data/lib/active_record/attribute_methods/read.rb +15 -55
 - data/lib/active_record/attribute_methods/serialization.rb +77 -18
 - data/lib/active_record/attribute_methods/time_zone_conversion.rb +16 -18
 - data/lib/active_record/attribute_methods/write.rb +18 -37
 - data/lib/active_record/attribute_methods.rb +90 -153
 - data/lib/active_record/attributes.rb +38 -12
 - data/lib/active_record/autosave_association.rb +50 -50
 - data/lib/active_record/base.rb +23 -18
 - data/lib/active_record/callbacks.rb +159 -44
 - data/lib/active_record/coders/yaml_column.rb +12 -3
 - data/lib/active_record/connection_adapters/abstract/connection_handler.rb +292 -0
 - data/lib/active_record/connection_adapters/abstract/connection_pool/queue.rb +209 -0
 - data/lib/active_record/connection_adapters/abstract/connection_pool/reaper.rb +76 -0
 - data/lib/active_record/connection_adapters/abstract/connection_pool.rb +92 -464
 - data/lib/active_record/connection_adapters/abstract/database_limits.rb +5 -51
 - data/lib/active_record/connection_adapters/abstract/database_statements.rb +209 -164
 - data/lib/active_record/connection_adapters/abstract/query_cache.rb +38 -22
 - data/lib/active_record/connection_adapters/abstract/quoting.rb +103 -82
 - data/lib/active_record/connection_adapters/abstract/savepoints.rb +3 -3
 - data/lib/active_record/connection_adapters/abstract/schema_creation.rb +140 -110
 - data/lib/active_record/connection_adapters/abstract/schema_definitions.rb +236 -94
 - data/lib/active_record/connection_adapters/abstract/schema_dumper.rb +16 -5
 - data/lib/active_record/connection_adapters/abstract/schema_statements.rb +456 -159
 - data/lib/active_record/connection_adapters/abstract/transaction.rb +169 -78
 - data/lib/active_record/connection_adapters/abstract_adapter.rb +367 -162
 - data/lib/active_record/connection_adapters/abstract_mysql_adapter.rb +311 -327
 - data/lib/active_record/connection_adapters/column.rb +33 -11
 - data/lib/active_record/connection_adapters/deduplicable.rb +29 -0
 - data/lib/active_record/connection_adapters/legacy_pool_manager.rb +35 -0
 - data/lib/active_record/connection_adapters/mysql/column.rb +1 -1
 - data/lib/active_record/connection_adapters/mysql/database_statements.rb +113 -45
 - data/lib/active_record/connection_adapters/mysql/explain_pretty_printer.rb +1 -2
 - data/lib/active_record/connection_adapters/mysql/quoting.rb +71 -5
 - data/lib/active_record/connection_adapters/mysql/schema_creation.rb +34 -10
 - data/lib/active_record/connection_adapters/mysql/schema_definitions.rb +48 -32
 - data/lib/active_record/connection_adapters/mysql/schema_dumper.rb +25 -8
 - data/lib/active_record/connection_adapters/mysql/schema_statements.rb +143 -19
 - data/lib/active_record/connection_adapters/mysql/type_metadata.rb +14 -9
 - data/lib/active_record/connection_adapters/mysql2_adapter.rb +63 -22
 - data/lib/active_record/connection_adapters/pool_config.rb +73 -0
 - data/lib/active_record/connection_adapters/pool_manager.rb +47 -0
 - data/lib/active_record/connection_adapters/postgresql/column.rb +53 -28
 - data/lib/active_record/connection_adapters/postgresql/database_statements.rb +56 -63
 - data/lib/active_record/connection_adapters/postgresql/oid/array.rb +1 -2
 - data/lib/active_record/connection_adapters/postgresql/oid/bit.rb +1 -4
 - data/lib/active_record/connection_adapters/postgresql/oid/cidr.rb +3 -5
 - data/lib/active_record/connection_adapters/postgresql/oid/date.rb +10 -2
 - data/lib/active_record/connection_adapters/postgresql/oid/date_time.rb +15 -2
 - data/lib/active_record/connection_adapters/postgresql/oid/enum.rb +0 -1
 - data/lib/active_record/connection_adapters/postgresql/oid/hstore.rb +54 -16
 - data/lib/active_record/connection_adapters/postgresql/oid/interval.rb +49 -0
 - data/lib/active_record/connection_adapters/postgresql/oid/legacy_point.rb +3 -4
 - data/lib/active_record/connection_adapters/postgresql/oid/macaddr.rb +25 -0
 - data/lib/active_record/connection_adapters/postgresql/oid/oid.rb +1 -1
 - data/lib/active_record/connection_adapters/postgresql/oid/point.rb +3 -4
 - data/lib/active_record/connection_adapters/postgresql/oid/range.rb +25 -7
 - data/lib/active_record/connection_adapters/postgresql/oid/specialized_string.rb +1 -1
 - data/lib/active_record/connection_adapters/postgresql/oid/timestamp.rb +15 -0
 - data/lib/active_record/connection_adapters/postgresql/oid/timestamp_with_time_zone.rb +30 -0
 - data/lib/active_record/connection_adapters/postgresql/oid/type_map_initializer.rb +26 -12
 - data/lib/active_record/connection_adapters/postgresql/oid/uuid.rb +15 -3
 - data/lib/active_record/connection_adapters/postgresql/oid.rb +4 -0
 - data/lib/active_record/connection_adapters/postgresql/quoting.rb +89 -52
 - data/lib/active_record/connection_adapters/postgresql/referential_integrity.rb +34 -2
 - data/lib/active_record/connection_adapters/postgresql/schema_creation.rb +39 -4
 - data/lib/active_record/connection_adapters/postgresql/schema_definitions.rb +128 -91
 - data/lib/active_record/connection_adapters/postgresql/schema_dumper.rb +25 -1
 - data/lib/active_record/connection_adapters/postgresql/schema_statements.rb +149 -113
 - data/lib/active_record/connection_adapters/postgresql/type_metadata.rb +31 -26
 - data/lib/active_record/connection_adapters/postgresql/utils.rb +0 -1
 - data/lib/active_record/connection_adapters/postgresql_adapter.rb +386 -182
 - data/lib/active_record/connection_adapters/schema_cache.rb +161 -22
 - data/lib/active_record/connection_adapters/sql_type_metadata.rb +17 -6
 - data/lib/active_record/connection_adapters/sqlite3/database_statements.rb +152 -0
 - data/lib/active_record/connection_adapters/sqlite3/quoting.rb +65 -18
 - data/lib/active_record/connection_adapters/sqlite3/schema_creation.rb +5 -1
 - data/lib/active_record/connection_adapters/sqlite3/schema_statements.rb +92 -26
 - data/lib/active_record/connection_adapters/sqlite3_adapter.rb +251 -204
 - data/lib/active_record/connection_adapters/statement_pool.rb +0 -1
 - data/lib/active_record/connection_adapters.rb +53 -0
 - data/lib/active_record/connection_handling.rb +292 -38
 - data/lib/active_record/core.rb +385 -158
 - data/lib/active_record/counter_cache.rb +8 -30
 - data/lib/active_record/database_configurations/connection_url_resolver.rb +100 -0
 - data/lib/active_record/database_configurations/database_config.rb +83 -0
 - data/lib/active_record/database_configurations/hash_config.rb +154 -0
 - data/lib/active_record/database_configurations/url_config.rb +53 -0
 - data/lib/active_record/database_configurations.rb +256 -0
 - data/lib/active_record/delegated_type.rb +250 -0
 - data/lib/active_record/destroy_association_async_job.rb +36 -0
 - data/lib/active_record/disable_joins_association_relation.rb +39 -0
 - data/lib/active_record/dynamic_matchers.rb +4 -5
 - data/lib/active_record/encryption/cipher/aes256_gcm.rb +98 -0
 - data/lib/active_record/encryption/cipher.rb +53 -0
 - data/lib/active_record/encryption/config.rb +44 -0
 - data/lib/active_record/encryption/configurable.rb +61 -0
 - data/lib/active_record/encryption/context.rb +35 -0
 - data/lib/active_record/encryption/contexts.rb +72 -0
 - data/lib/active_record/encryption/derived_secret_key_provider.rb +12 -0
 - data/lib/active_record/encryption/deterministic_key_provider.rb +14 -0
 - data/lib/active_record/encryption/encryptable_record.rb +208 -0
 - data/lib/active_record/encryption/encrypted_attribute_type.rb +140 -0
 - data/lib/active_record/encryption/encrypted_fixtures.rb +38 -0
 - data/lib/active_record/encryption/encrypting_only_encryptor.rb +12 -0
 - data/lib/active_record/encryption/encryptor.rb +155 -0
 - data/lib/active_record/encryption/envelope_encryption_key_provider.rb +55 -0
 - data/lib/active_record/encryption/errors.rb +15 -0
 - data/lib/active_record/encryption/extended_deterministic_queries.rb +160 -0
 - data/lib/active_record/encryption/extended_deterministic_uniqueness_validator.rb +28 -0
 - data/lib/active_record/encryption/key.rb +28 -0
 - data/lib/active_record/encryption/key_generator.rb +42 -0
 - data/lib/active_record/encryption/key_provider.rb +46 -0
 - data/lib/active_record/encryption/message.rb +33 -0
 - data/lib/active_record/encryption/message_serializer.rb +90 -0
 - data/lib/active_record/encryption/null_encryptor.rb +21 -0
 - data/lib/active_record/encryption/properties.rb +76 -0
 - data/lib/active_record/encryption/read_only_null_encryptor.rb +24 -0
 - data/lib/active_record/encryption/scheme.rb +99 -0
 - data/lib/active_record/encryption.rb +55 -0
 - data/lib/active_record/enum.rb +130 -51
 - data/lib/active_record/errors.rb +129 -23
 - data/lib/active_record/explain.rb +10 -6
 - data/lib/active_record/explain_registry.rb +11 -6
 - data/lib/active_record/explain_subscriber.rb +1 -1
 - data/lib/active_record/fixture_set/file.rb +22 -15
 - data/lib/active_record/fixture_set/model_metadata.rb +32 -0
 - data/lib/active_record/fixture_set/render_context.rb +17 -0
 - data/lib/active_record/fixture_set/table_row.rb +187 -0
 - data/lib/active_record/fixture_set/table_rows.rb +46 -0
 - data/lib/active_record/fixtures.rb +206 -490
 - data/lib/active_record/future_result.rb +139 -0
 - data/lib/active_record/gem_version.rb +3 -3
 - data/lib/active_record/inheritance.rb +104 -37
 - data/lib/active_record/insert_all.rb +278 -0
 - data/lib/active_record/integration.rb +69 -18
 - data/lib/active_record/internal_metadata.rb +24 -9
 - data/lib/active_record/legacy_yaml_adapter.rb +3 -36
 - data/lib/active_record/locking/optimistic.rb +41 -26
 - data/lib/active_record/locking/pessimistic.rb +18 -8
 - data/lib/active_record/log_subscriber.rb +46 -35
 - data/lib/active_record/middleware/database_selector/resolver/session.rb +48 -0
 - data/lib/active_record/middleware/database_selector/resolver.rb +88 -0
 - data/lib/active_record/middleware/database_selector.rb +82 -0
 - data/lib/active_record/middleware/shard_selector.rb +60 -0
 - data/lib/active_record/migration/command_recorder.rb +96 -44
 - data/lib/active_record/migration/compatibility.rb +246 -64
 - data/lib/active_record/migration/join_table.rb +1 -2
 - data/lib/active_record/migration.rb +266 -187
 - data/lib/active_record/model_schema.rb +165 -52
 - data/lib/active_record/nested_attributes.rb +17 -19
 - data/lib/active_record/no_touching.rb +11 -4
 - data/lib/active_record/null_relation.rb +2 -7
 - data/lib/active_record/persistence.rb +467 -92
 - data/lib/active_record/query_cache.rb +21 -4
 - data/lib/active_record/query_logs.rb +138 -0
 - data/lib/active_record/querying.rb +51 -24
 - data/lib/active_record/railtie.rb +224 -57
 - data/lib/active_record/railties/console_sandbox.rb +2 -4
 - data/lib/active_record/railties/controller_runtime.rb +31 -36
 - data/lib/active_record/railties/databases.rake +369 -101
 - data/lib/active_record/readonly_attributes.rb +15 -0
 - data/lib/active_record/reflection.rb +170 -137
 - data/lib/active_record/relation/batches/batch_enumerator.rb +44 -14
 - data/lib/active_record/relation/batches.rb +46 -37
 - data/lib/active_record/relation/calculations.rb +168 -96
 - data/lib/active_record/relation/delegation.rb +37 -52
 - data/lib/active_record/relation/finder_methods.rb +79 -58
 - data/lib/active_record/relation/from_clause.rb +5 -1
 - data/lib/active_record/relation/merger.rb +50 -51
 - data/lib/active_record/relation/predicate_builder/array_handler.rb +13 -13
 - data/lib/active_record/relation/predicate_builder/association_query_value.rb +5 -9
 - data/lib/active_record/relation/predicate_builder/basic_object_handler.rb +1 -2
 - data/lib/active_record/relation/predicate_builder/polymorphic_array_value.rb +11 -10
 - data/lib/active_record/relation/predicate_builder/range_handler.rb +3 -23
 - data/lib/active_record/relation/predicate_builder/relation_handler.rb +1 -1
 - data/lib/active_record/relation/predicate_builder.rb +58 -46
 - data/lib/active_record/relation/query_attribute.rb +9 -10
 - data/lib/active_record/relation/query_methods.rb +685 -208
 - data/lib/active_record/relation/record_fetch_warning.rb +9 -11
 - data/lib/active_record/relation/spawn_methods.rb +10 -10
 - data/lib/active_record/relation/where_clause.rb +108 -64
 - data/lib/active_record/relation.rb +515 -151
 - data/lib/active_record/result.rb +78 -42
 - data/lib/active_record/runtime_registry.rb +9 -13
 - data/lib/active_record/sanitization.rb +29 -44
 - data/lib/active_record/schema.rb +37 -31
 - data/lib/active_record/schema_dumper.rb +74 -23
 - data/lib/active_record/schema_migration.rb +7 -9
 - data/lib/active_record/scoping/default.rb +62 -17
 - data/lib/active_record/scoping/named.rb +17 -32
 - data/lib/active_record/scoping.rb +70 -41
 - data/lib/active_record/secure_token.rb +16 -8
 - data/lib/active_record/serialization.rb +6 -4
 - data/lib/active_record/signed_id.rb +116 -0
 - data/lib/active_record/statement_cache.rb +49 -6
 - data/lib/active_record/store.rb +88 -9
 - data/lib/active_record/suppressor.rb +13 -17
 - data/lib/active_record/table_metadata.rb +42 -43
 - data/lib/active_record/tasks/database_tasks.rb +352 -94
 - data/lib/active_record/tasks/mysql_database_tasks.rb +37 -39
 - data/lib/active_record/tasks/postgresql_database_tasks.rb +41 -39
 - data/lib/active_record/tasks/sqlite_database_tasks.rb +14 -17
 - data/lib/active_record/test_databases.rb +24 -0
 - data/lib/active_record/test_fixtures.rb +287 -0
 - data/lib/active_record/timestamp.rb +44 -34
 - data/lib/active_record/touch_later.rb +23 -22
 - data/lib/active_record/transactions.rb +67 -128
 - data/lib/active_record/translation.rb +3 -3
 - data/lib/active_record/type/adapter_specific_registry.rb +34 -19
 - data/lib/active_record/type/hash_lookup_type_map.rb +34 -2
 - data/lib/active_record/type/internal/timezone.rb +2 -2
 - data/lib/active_record/type/serialized.rb +7 -4
 - data/lib/active_record/type/time.rb +10 -0
 - data/lib/active_record/type/type_map.rb +17 -21
 - data/lib/active_record/type/unsigned_integer.rb +0 -1
 - data/lib/active_record/type.rb +9 -5
 - data/lib/active_record/type_caster/connection.rb +15 -15
 - data/lib/active_record/type_caster/map.rb +8 -8
 - data/lib/active_record/validations/associated.rb +2 -3
 - data/lib/active_record/validations/numericality.rb +35 -0
 - data/lib/active_record/validations/uniqueness.rb +39 -31
 - data/lib/active_record/validations.rb +4 -3
 - data/lib/active_record.rb +209 -32
 - data/lib/arel/alias_predication.rb +9 -0
 - data/lib/arel/attributes/attribute.rb +33 -0
 - data/lib/arel/collectors/bind.rb +29 -0
 - data/lib/arel/collectors/composite.rb +39 -0
 - data/lib/arel/collectors/plain_string.rb +20 -0
 - data/lib/arel/collectors/sql_string.rb +27 -0
 - data/lib/arel/collectors/substitute_binds.rb +35 -0
 - data/lib/arel/crud.rb +48 -0
 - data/lib/arel/delete_manager.rb +32 -0
 - data/lib/arel/errors.rb +9 -0
 - data/lib/arel/expressions.rb +29 -0
 - data/lib/arel/factory_methods.rb +49 -0
 - data/lib/arel/filter_predications.rb +9 -0
 - data/lib/arel/insert_manager.rb +48 -0
 - data/lib/arel/math.rb +45 -0
 - data/lib/arel/nodes/and.rb +32 -0
 - data/lib/arel/nodes/ascending.rb +23 -0
 - data/lib/arel/nodes/binary.rb +126 -0
 - data/lib/arel/nodes/bind_param.rb +44 -0
 - data/lib/arel/nodes/case.rb +55 -0
 - data/lib/arel/nodes/casted.rb +62 -0
 - data/lib/arel/nodes/comment.rb +29 -0
 - data/lib/arel/nodes/count.rb +12 -0
 - data/lib/arel/nodes/delete_statement.rb +44 -0
 - data/lib/arel/nodes/descending.rb +23 -0
 - data/lib/arel/nodes/equality.rb +15 -0
 - data/lib/arel/nodes/extract.rb +24 -0
 - data/lib/arel/nodes/false.rb +16 -0
 - data/lib/arel/nodes/filter.rb +10 -0
 - data/lib/arel/nodes/full_outer_join.rb +8 -0
 - data/lib/arel/nodes/function.rb +45 -0
 - data/lib/arel/nodes/grouping.rb +11 -0
 - data/lib/arel/nodes/homogeneous_in.rb +76 -0
 - data/lib/arel/nodes/in.rb +15 -0
 - data/lib/arel/nodes/infix_operation.rb +92 -0
 - data/lib/arel/nodes/inner_join.rb +8 -0
 - data/lib/arel/nodes/insert_statement.rb +37 -0
 - data/lib/arel/nodes/join_source.rb +20 -0
 - data/lib/arel/nodes/matches.rb +18 -0
 - data/lib/arel/nodes/named_function.rb +23 -0
 - data/lib/arel/nodes/node.rb +51 -0
 - data/lib/arel/nodes/node_expression.rb +13 -0
 - data/lib/arel/nodes/ordering.rb +27 -0
 - data/lib/arel/nodes/outer_join.rb +8 -0
 - data/lib/arel/nodes/over.rb +15 -0
 - data/lib/arel/nodes/regexp.rb +16 -0
 - data/lib/arel/nodes/right_outer_join.rb +8 -0
 - data/lib/arel/nodes/select_core.rb +67 -0
 - data/lib/arel/nodes/select_statement.rb +41 -0
 - data/lib/arel/nodes/sql_literal.rb +19 -0
 - data/lib/arel/nodes/string_join.rb +11 -0
 - data/lib/arel/nodes/table_alias.rb +31 -0
 - data/lib/arel/nodes/terminal.rb +16 -0
 - data/lib/arel/nodes/true.rb +16 -0
 - data/lib/arel/nodes/unary.rb +44 -0
 - data/lib/arel/nodes/unary_operation.rb +20 -0
 - data/lib/arel/nodes/unqualified_column.rb +22 -0
 - data/lib/arel/nodes/update_statement.rb +46 -0
 - data/lib/arel/nodes/values_list.rb +9 -0
 - data/lib/arel/nodes/window.rb +126 -0
 - data/lib/arel/nodes/with.rb +11 -0
 - data/lib/arel/nodes.rb +71 -0
 - data/lib/arel/order_predications.rb +13 -0
 - data/lib/arel/predications.rb +258 -0
 - data/lib/arel/select_manager.rb +276 -0
 - data/lib/arel/table.rb +117 -0
 - data/lib/arel/tree_manager.rb +60 -0
 - data/lib/arel/update_manager.rb +48 -0
 - data/lib/arel/visitors/dot.rb +298 -0
 - data/lib/arel/visitors/mysql.rb +99 -0
 - data/lib/arel/visitors/postgresql.rb +110 -0
 - data/lib/arel/visitors/sqlite.rb +38 -0
 - data/lib/arel/visitors/to_sql.rb +955 -0
 - data/lib/arel/visitors/visitor.rb +45 -0
 - data/lib/arel/visitors.rb +13 -0
 - data/lib/arel/window_predications.rb +9 -0
 - data/lib/arel.rb +55 -0
 - data/lib/rails/generators/active_record/application_record/application_record_generator.rb +0 -1
 - data/lib/rails/generators/active_record/application_record/templates/application_record.rb.tt +1 -1
 - data/lib/rails/generators/active_record/migration/migration_generator.rb +3 -5
 - data/lib/rails/generators/active_record/migration/templates/create_table_migration.rb.tt +3 -1
 - data/lib/rails/generators/active_record/migration/templates/migration.rb.tt +7 -5
 - data/lib/rails/generators/active_record/migration.rb +19 -2
 - data/lib/rails/generators/active_record/model/model_generator.rb +39 -2
 - data/lib/rails/generators/active_record/model/templates/abstract_base_class.rb.tt +7 -0
 - data/lib/rails/generators/active_record/model/templates/model.rb.tt +10 -1
 - data/lib/rails/generators/active_record/model/templates/module.rb.tt +2 -2
 - data/lib/rails/generators/active_record/multi_db/multi_db_generator.rb +16 -0
 - data/lib/rails/generators/active_record/multi_db/templates/multi_db.rb.tt +44 -0
 - metadata +162 -32
 - data/lib/active_record/attribute_decorators.rb +0 -90
 - data/lib/active_record/collection_cache_key.rb +0 -53
 - data/lib/active_record/connection_adapters/connection_specification.rb +0 -287
 - data/lib/active_record/connection_adapters/determine_if_preparable_visitor.rb +0 -33
 - data/lib/active_record/define_callbacks.rb +0 -22
 - data/lib/active_record/relation/predicate_builder/base_handler.rb +0 -19
 - data/lib/active_record/relation/where_clause_factory.rb +0 -34
 
| 
         @@ -0,0 +1,140 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            # frozen_string_literal: true
         
     | 
| 
      
 2 
     | 
    
         
            +
             
     | 
| 
      
 3 
     | 
    
         
            +
            module ActiveRecord
         
     | 
| 
      
 4 
     | 
    
         
            +
              module Encryption
         
     | 
| 
      
 5 
     | 
    
         
            +
                # An +ActiveModel::Type+ that encrypts/decrypts strings of text.
         
     | 
| 
      
 6 
     | 
    
         
            +
                #
         
     | 
| 
      
 7 
     | 
    
         
            +
                # This is the central piece that connects the encryption system with +encrypts+ declarations in the
         
     | 
| 
      
 8 
     | 
    
         
            +
                # model classes. Whenever you declare an attribute as encrypted, it configures an +EncryptedAttributeType+
         
     | 
| 
      
 9 
     | 
    
         
            +
                # for that attribute.
         
     | 
| 
      
 10 
     | 
    
         
            +
                class EncryptedAttributeType < ::ActiveRecord::Type::Text
         
     | 
| 
      
 11 
     | 
    
         
            +
                  include ActiveModel::Type::Helpers::Mutable
         
     | 
| 
      
 12 
     | 
    
         
            +
             
     | 
| 
      
 13 
     | 
    
         
            +
                  attr_reader :scheme, :cast_type
         
     | 
| 
      
 14 
     | 
    
         
            +
             
     | 
| 
      
 15 
     | 
    
         
            +
                  delegate :key_provider, :downcase?, :deterministic?, :previous_schemes, :with_context, :fixed?, to: :scheme
         
     | 
| 
      
 16 
     | 
    
         
            +
                  delegate :accessor, to: :cast_type
         
     | 
| 
      
 17 
     | 
    
         
            +
             
     | 
| 
      
 18 
     | 
    
         
            +
                  # === Options
         
     | 
| 
      
 19 
     | 
    
         
            +
                  #
         
     | 
| 
      
 20 
     | 
    
         
            +
                  # * <tt>:scheme</tt> - A +Scheme+ with the encryption properties for this attribute.
         
     | 
| 
      
 21 
     | 
    
         
            +
                  # * <tt>:cast_type</tt> - A type that will be used to serialize (before encrypting) and deserialize
         
     | 
| 
      
 22 
     | 
    
         
            +
                  #   (after decrypting). +ActiveModel::Type::String+ by default.
         
     | 
| 
      
 23 
     | 
    
         
            +
                  def initialize(scheme:, cast_type: ActiveModel::Type::String.new, previous_type: false)
         
     | 
| 
      
 24 
     | 
    
         
            +
                    super()
         
     | 
| 
      
 25 
     | 
    
         
            +
                    @scheme = scheme
         
     | 
| 
      
 26 
     | 
    
         
            +
                    @cast_type = cast_type
         
     | 
| 
      
 27 
     | 
    
         
            +
                    @previous_type = previous_type
         
     | 
| 
      
 28 
     | 
    
         
            +
                  end
         
     | 
| 
      
 29 
     | 
    
         
            +
             
     | 
| 
      
 30 
     | 
    
         
            +
                  def deserialize(value)
         
     | 
| 
      
 31 
     | 
    
         
            +
                    cast_type.deserialize decrypt(value)
         
     | 
| 
      
 32 
     | 
    
         
            +
                  end
         
     | 
| 
      
 33 
     | 
    
         
            +
             
     | 
| 
      
 34 
     | 
    
         
            +
                  def serialize(value)
         
     | 
| 
      
 35 
     | 
    
         
            +
                    if serialize_with_oldest?
         
     | 
| 
      
 36 
     | 
    
         
            +
                      serialize_with_oldest(value)
         
     | 
| 
      
 37 
     | 
    
         
            +
                    else
         
     | 
| 
      
 38 
     | 
    
         
            +
                      serialize_with_current(value)
         
     | 
| 
      
 39 
     | 
    
         
            +
                    end
         
     | 
| 
      
 40 
     | 
    
         
            +
                  end
         
     | 
| 
      
 41 
     | 
    
         
            +
             
     | 
| 
      
 42 
     | 
    
         
            +
                  def changed_in_place?(raw_old_value, new_value)
         
     | 
| 
      
 43 
     | 
    
         
            +
                    old_value = raw_old_value.nil? ? nil : deserialize(raw_old_value)
         
     | 
| 
      
 44 
     | 
    
         
            +
                    old_value != new_value
         
     | 
| 
      
 45 
     | 
    
         
            +
                  end
         
     | 
| 
      
 46 
     | 
    
         
            +
             
     | 
| 
      
 47 
     | 
    
         
            +
                  def previous_types # :nodoc:
         
     | 
| 
      
 48 
     | 
    
         
            +
                    @previous_types ||= {} # Memoizing on support_unencrypted_data so that we can tweak it during tests
         
     | 
| 
      
 49 
     | 
    
         
            +
                    @previous_types[support_unencrypted_data?] ||= build_previous_types_for(previous_schemes_including_clean_text)
         
     | 
| 
      
 50 
     | 
    
         
            +
                  end
         
     | 
| 
      
 51 
     | 
    
         
            +
             
     | 
| 
      
 52 
     | 
    
         
            +
                  private
         
     | 
| 
      
 53 
     | 
    
         
            +
                    def previous_schemes_including_clean_text
         
     | 
| 
      
 54 
     | 
    
         
            +
                      previous_schemes.including((clean_text_scheme if support_unencrypted_data?)).compact
         
     | 
| 
      
 55 
     | 
    
         
            +
                    end
         
     | 
| 
      
 56 
     | 
    
         
            +
             
     | 
| 
      
 57 
     | 
    
         
            +
                    def previous_types_without_clean_text
         
     | 
| 
      
 58 
     | 
    
         
            +
                      @previous_types_without_clean_text ||= build_previous_types_for(previous_schemes)
         
     | 
| 
      
 59 
     | 
    
         
            +
                    end
         
     | 
| 
      
 60 
     | 
    
         
            +
             
     | 
| 
      
 61 
     | 
    
         
            +
                    def build_previous_types_for(schemes)
         
     | 
| 
      
 62 
     | 
    
         
            +
                      schemes.collect do |scheme|
         
     | 
| 
      
 63 
     | 
    
         
            +
                        EncryptedAttributeType.new(scheme: scheme, previous_type: true)
         
     | 
| 
      
 64 
     | 
    
         
            +
                      end
         
     | 
| 
      
 65 
     | 
    
         
            +
                    end
         
     | 
| 
      
 66 
     | 
    
         
            +
             
     | 
| 
      
 67 
     | 
    
         
            +
                    def previous_type?
         
     | 
| 
      
 68 
     | 
    
         
            +
                      @previous_type
         
     | 
| 
      
 69 
     | 
    
         
            +
                    end
         
     | 
| 
      
 70 
     | 
    
         
            +
             
     | 
| 
      
 71 
     | 
    
         
            +
                    def decrypt(value)
         
     | 
| 
      
 72 
     | 
    
         
            +
                      with_context do
         
     | 
| 
      
 73 
     | 
    
         
            +
                        encryptor.decrypt(value, **decryption_options) unless value.nil?
         
     | 
| 
      
 74 
     | 
    
         
            +
                      end
         
     | 
| 
      
 75 
     | 
    
         
            +
                    rescue ActiveRecord::Encryption::Errors::Base => error
         
     | 
| 
      
 76 
     | 
    
         
            +
                      if previous_types_without_clean_text.blank?
         
     | 
| 
      
 77 
     | 
    
         
            +
                        handle_deserialize_error(error, value)
         
     | 
| 
      
 78 
     | 
    
         
            +
                      else
         
     | 
| 
      
 79 
     | 
    
         
            +
                        try_to_deserialize_with_previous_encrypted_types(value)
         
     | 
| 
      
 80 
     | 
    
         
            +
                      end
         
     | 
| 
      
 81 
     | 
    
         
            +
                    end
         
     | 
| 
      
 82 
     | 
    
         
            +
             
     | 
| 
      
 83 
     | 
    
         
            +
                    def try_to_deserialize_with_previous_encrypted_types(value)
         
     | 
| 
      
 84 
     | 
    
         
            +
                      previous_types.each.with_index do |type, index|
         
     | 
| 
      
 85 
     | 
    
         
            +
                        break type.deserialize(value)
         
     | 
| 
      
 86 
     | 
    
         
            +
                      rescue ActiveRecord::Encryption::Errors::Base => error
         
     | 
| 
      
 87 
     | 
    
         
            +
                        handle_deserialize_error(error, value) if index == previous_types.length - 1
         
     | 
| 
      
 88 
     | 
    
         
            +
                      end
         
     | 
| 
      
 89 
     | 
    
         
            +
                    end
         
     | 
| 
      
 90 
     | 
    
         
            +
             
     | 
| 
      
 91 
     | 
    
         
            +
                    def handle_deserialize_error(error, value)
         
     | 
| 
      
 92 
     | 
    
         
            +
                      if error.is_a?(Errors::Decryption) && support_unencrypted_data?
         
     | 
| 
      
 93 
     | 
    
         
            +
                        value
         
     | 
| 
      
 94 
     | 
    
         
            +
                      else
         
     | 
| 
      
 95 
     | 
    
         
            +
                        raise error
         
     | 
| 
      
 96 
     | 
    
         
            +
                      end
         
     | 
| 
      
 97 
     | 
    
         
            +
                    end
         
     | 
| 
      
 98 
     | 
    
         
            +
             
     | 
| 
      
 99 
     | 
    
         
            +
                    def serialize_with_oldest?
         
     | 
| 
      
 100 
     | 
    
         
            +
                      @serialize_with_oldest ||= fixed? && previous_types_without_clean_text.present?
         
     | 
| 
      
 101 
     | 
    
         
            +
                    end
         
     | 
| 
      
 102 
     | 
    
         
            +
             
     | 
| 
      
 103 
     | 
    
         
            +
                    def serialize_with_oldest(value)
         
     | 
| 
      
 104 
     | 
    
         
            +
                      previous_types.first.serialize(value)
         
     | 
| 
      
 105 
     | 
    
         
            +
                    end
         
     | 
| 
      
 106 
     | 
    
         
            +
             
     | 
| 
      
 107 
     | 
    
         
            +
                    def serialize_with_current(value)
         
     | 
| 
      
 108 
     | 
    
         
            +
                      casted_value = cast_type.serialize(value)
         
     | 
| 
      
 109 
     | 
    
         
            +
                      casted_value = casted_value&.downcase if downcase?
         
     | 
| 
      
 110 
     | 
    
         
            +
                      encrypt(casted_value.to_s) unless casted_value.nil?
         
     | 
| 
      
 111 
     | 
    
         
            +
                    end
         
     | 
| 
      
 112 
     | 
    
         
            +
             
     | 
| 
      
 113 
     | 
    
         
            +
                    def encrypt(value)
         
     | 
| 
      
 114 
     | 
    
         
            +
                      with_context do
         
     | 
| 
      
 115 
     | 
    
         
            +
                        encryptor.encrypt(value, **encryption_options)
         
     | 
| 
      
 116 
     | 
    
         
            +
                      end
         
     | 
| 
      
 117 
     | 
    
         
            +
                    end
         
     | 
| 
      
 118 
     | 
    
         
            +
             
     | 
| 
      
 119 
     | 
    
         
            +
                    def encryptor
         
     | 
| 
      
 120 
     | 
    
         
            +
                      ActiveRecord::Encryption.encryptor
         
     | 
| 
      
 121 
     | 
    
         
            +
                    end
         
     | 
| 
      
 122 
     | 
    
         
            +
             
     | 
| 
      
 123 
     | 
    
         
            +
                    def support_unencrypted_data?
         
     | 
| 
      
 124 
     | 
    
         
            +
                      ActiveRecord::Encryption.config.support_unencrypted_data && !previous_type?
         
     | 
| 
      
 125 
     | 
    
         
            +
                    end
         
     | 
| 
      
 126 
     | 
    
         
            +
             
     | 
| 
      
 127 
     | 
    
         
            +
                    def encryption_options
         
     | 
| 
      
 128 
     | 
    
         
            +
                      @encryption_options ||= { key_provider: key_provider, cipher_options: { deterministic: deterministic? } }.compact
         
     | 
| 
      
 129 
     | 
    
         
            +
                    end
         
     | 
| 
      
 130 
     | 
    
         
            +
             
     | 
| 
      
 131 
     | 
    
         
            +
                    def decryption_options
         
     | 
| 
      
 132 
     | 
    
         
            +
                      @decryption_options ||= { key_provider: key_provider }.compact
         
     | 
| 
      
 133 
     | 
    
         
            +
                    end
         
     | 
| 
      
 134 
     | 
    
         
            +
             
     | 
| 
      
 135 
     | 
    
         
            +
                    def clean_text_scheme
         
     | 
| 
      
 136 
     | 
    
         
            +
                      @clean_text_scheme ||= ActiveRecord::Encryption::Scheme.new(downcase: downcase?, encryptor: ActiveRecord::Encryption::NullEncryptor.new)
         
     | 
| 
      
 137 
     | 
    
         
            +
                    end
         
     | 
| 
      
 138 
     | 
    
         
            +
                end
         
     | 
| 
      
 139 
     | 
    
         
            +
              end
         
     | 
| 
      
 140 
     | 
    
         
            +
            end
         
     | 
| 
         @@ -0,0 +1,38 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            # frozen_string_literal: true
         
     | 
| 
      
 2 
     | 
    
         
            +
             
     | 
| 
      
 3 
     | 
    
         
            +
            module ActiveRecord
         
     | 
| 
      
 4 
     | 
    
         
            +
              module Encryption
         
     | 
| 
      
 5 
     | 
    
         
            +
                module EncryptedFixtures
         
     | 
| 
      
 6 
     | 
    
         
            +
                  def initialize(fixture, model_class)
         
     | 
| 
      
 7 
     | 
    
         
            +
                    @clean_values = {}
         
     | 
| 
      
 8 
     | 
    
         
            +
                    encrypt_fixture_data(fixture, model_class)
         
     | 
| 
      
 9 
     | 
    
         
            +
                    process_preserved_original_columns(fixture, model_class)
         
     | 
| 
      
 10 
     | 
    
         
            +
                    super
         
     | 
| 
      
 11 
     | 
    
         
            +
                  end
         
     | 
| 
      
 12 
     | 
    
         
            +
             
     | 
| 
      
 13 
     | 
    
         
            +
                  private
         
     | 
| 
      
 14 
     | 
    
         
            +
                    def encrypt_fixture_data(fixture, model_class)
         
     | 
| 
      
 15 
     | 
    
         
            +
                      model_class&.encrypted_attributes&.each do |attribute_name|
         
     | 
| 
      
 16 
     | 
    
         
            +
                        if clean_value = fixture[attribute_name.to_s]
         
     | 
| 
      
 17 
     | 
    
         
            +
                          @clean_values[attribute_name.to_s] = clean_value
         
     | 
| 
      
 18 
     | 
    
         
            +
             
     | 
| 
      
 19 
     | 
    
         
            +
                          type = model_class.type_for_attribute(attribute_name)
         
     | 
| 
      
 20 
     | 
    
         
            +
                          encrypted_value = type.serialize(clean_value)
         
     | 
| 
      
 21 
     | 
    
         
            +
                          fixture[attribute_name.to_s] = encrypted_value
         
     | 
| 
      
 22 
     | 
    
         
            +
                        end
         
     | 
| 
      
 23 
     | 
    
         
            +
                      end
         
     | 
| 
      
 24 
     | 
    
         
            +
                    end
         
     | 
| 
      
 25 
     | 
    
         
            +
             
     | 
| 
      
 26 
     | 
    
         
            +
                    def process_preserved_original_columns(fixture, model_class)
         
     | 
| 
      
 27 
     | 
    
         
            +
                      model_class&.encrypted_attributes&.each do |attribute_name|
         
     | 
| 
      
 28 
     | 
    
         
            +
                        if source_attribute_name = model_class.source_attribute_from_preserved_attribute(attribute_name)
         
     | 
| 
      
 29 
     | 
    
         
            +
                          clean_value = @clean_values[source_attribute_name.to_s]
         
     | 
| 
      
 30 
     | 
    
         
            +
                          type = model_class.type_for_attribute(attribute_name)
         
     | 
| 
      
 31 
     | 
    
         
            +
                          encrypted_value = type.serialize(clean_value)
         
     | 
| 
      
 32 
     | 
    
         
            +
                          fixture[attribute_name.to_s] = encrypted_value
         
     | 
| 
      
 33 
     | 
    
         
            +
                        end
         
     | 
| 
      
 34 
     | 
    
         
            +
                      end
         
     | 
| 
      
 35 
     | 
    
         
            +
                    end
         
     | 
| 
      
 36 
     | 
    
         
            +
                end
         
     | 
| 
      
 37 
     | 
    
         
            +
              end
         
     | 
| 
      
 38 
     | 
    
         
            +
            end
         
     | 
| 
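Review bot: In `process_preserved_original_columns`, `@clean_values[source_attribute_name.to_s]` is nil whenever the fixture did not set the source attribute, yet the result of `type.serialize(clean_value)` is still written to `fixture[attribute_name.to_s]`. That replaces whatever `encrypt_fixture_data` had just stored for that column, so a value given explicitly for the preserved column appears to be lost. A guard before the serialize call, such as `next unless @clean_values.key?(source_attribute_name.to_s)`, would leave those fixtures untouched. Also, `if clean_value = fixture[attribute_name.to_s]` tests truthiness, so a `false` value stays in the fixture unencrypted; `fixture.key?(attribute_name.to_s)` would state the intent, assuming `fixture` is hash-like. The module has no comment saying that `initialize` relies on `super`, which suggests it is meant to be prepended to the fixture class.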
         @@ -0,0 +1,12 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            # frozen_string_literal: true
         
     | 
| 
      
 2 
     | 
    
         
            +
             
     | 
| 
      
 3 
     | 
    
         
            +
            module ActiveRecord
         
     | 
| 
      
 4 
     | 
    
         
            +
              module Encryption
         
     | 
| 
      
 5 
     | 
    
         
            +
                # An encryptor that can encrypt data but can't decrypt it.
         
     | 
| 
      
 6 
     | 
    
         
            +
                class EncryptingOnlyEncryptor < Encryptor
         
     | 
| 
      
 7 
     | 
    
         
            +
                  def decrypt(encrypted_text, key_provider: nil, cipher_options: {})
         
     | 
| 
      
 8 
     | 
    
         
            +
                    encrypted_text
         
     | 
| 
      
 9 
     | 
    
         
            +
                  end
         
     | 
| 
      
 10 
     | 
    
         
            +
                end
         
     | 
| 
      
 11 
     | 
    
         
            +
              end
         
     | 
| 
      
 12 
     | 
    
         
            +
            end
         
     | 
| 
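Review bot: The class comment says this encryptor "can't decrypt it", but `decrypt` does not raise: it returns `encrypted_text` unchanged and ignores `key_provider` and `cipher_options`. A caller reading through it therefore gets ciphertext where other encryptors return clear text, and nothing in the signature or comment signals that. I would extend the comment along the lines of `# #decrypt is a pass-through: it returns the stored ciphertext as-is and never raises.` so the value is not logged, compared or re-encrypted as if it were plaintext.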
         @@ -0,0 +1,155 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            # frozen_string_literal: true
         
     | 
| 
      
 2 
     | 
    
         
            +
             
     | 
| 
      
 3 
     | 
    
         
            +
            require "openssl"
         
     | 
| 
      
 4 
     | 
    
         
            +
            require "zlib"
         
     | 
| 
      
 5 
     | 
    
         
            +
            require "active_support/core_ext/numeric"
         
     | 
| 
      
 6 
     | 
    
         
            +
             
     | 
| 
      
 7 
     | 
    
         
            +
            module ActiveRecord
         
     | 
| 
      
 8 
     | 
    
         
            +
              module Encryption
         
     | 
| 
      
 9 
     | 
    
         
            +
                # An encryptor exposes the encryption API that +ActiveRecord::Encryption::EncryptedAttributeType+
         
     | 
| 
      
 10 
     | 
    
         
            +
                # uses for encrypting and decrypting attribute values.
         
     | 
| 
      
 11 
     | 
    
         
            +
                #
         
     | 
| 
      
 12 
     | 
    
         
            +
                # It interacts with a +KeyProvider+ for getting the keys, and delegate to
         
     | 
| 
      
 13 
     | 
    
         
            +
                # +ActiveRecord::Encryption::Cipher+ the actual encryption algorithm.
         
     | 
| 
      
 14 
     | 
    
         
            +
                class Encryptor
         
     | 
| 
      
 15 
     | 
    
         
            +
                  # Encrypts +clean_text+ and returns the encrypted result
         
     | 
| 
      
 16 
     | 
    
         
            +
                  #
         
     | 
| 
      
 17 
     | 
    
         
            +
                  # Internally, it will:
         
     | 
| 
      
 18 
     | 
    
         
            +
                  #
         
     | 
| 
      
 19 
     | 
    
         
            +
                  # 1. Create a new +ActiveRecord::Encryption::Message+
         
     | 
| 
      
 20 
     | 
    
         
            +
                  # 2. Compress and encrypt +clean_text+ as the message payload
         
     | 
| 
      
 21 
     | 
    
         
            +
                  # 3. Serialize it with +ActiveRecord::Encryption.message_serializer+ (+ActiveRecord::Encryption::SafeMarshal+
         
     | 
| 
      
 22 
     | 
    
         
            +
                  #    by default)
         
     | 
| 
      
 23 
     | 
    
         
            +
                  # 4. Encode the result with Base 64
         
     | 
| 
      
 24 
     | 
    
         
            +
                  #
         
     | 
| 
      
 25 
     | 
    
         
            +
                  # === Options
         
     | 
| 
      
 26 
     | 
    
         
            +
                  #
         
     | 
| 
      
 27 
     | 
    
         
            +
                  # [:key_provider]
         
     | 
| 
      
 28 
     | 
    
         
            +
                  #   Key provider to use for the encryption operation. It will default to
         
     | 
| 
      
 29 
     | 
    
         
            +
                  #   +ActiveRecord::Encryption.key_provider+ when not provided
         
     | 
| 
      
 30 
     | 
    
         
            +
                  #
         
     | 
| 
      
 31 
     | 
    
         
            +
                  # [:cipher_options]
         
     | 
| 
      
 32 
     | 
    
         
            +
                  #   +Cipher+-specific options that will be passed to the Cipher configured in
         
     | 
| 
      
 33 
     | 
    
         
            +
                  #   +ActiveRecord::Encryption.cipher+
         
     | 
| 
      
 34 
     | 
    
         
            +
                  def encrypt(clear_text, key_provider: default_key_provider, cipher_options: {})
         
     | 
| 
      
 35 
     | 
    
         
            +
                    clear_text = force_encoding_if_needed(clear_text) if cipher_options[:deterministic]
         
     | 
| 
      
 36 
     | 
    
         
            +
             
     | 
| 
      
 37 
     | 
    
         
            +
                    validate_payload_type(clear_text)
         
     | 
| 
      
 38 
     | 
    
         
            +
                    serialize_message build_encrypted_message(clear_text, key_provider: key_provider, cipher_options: cipher_options)
         
     | 
| 
      
 39 
     | 
    
         
            +
                  end
         
     | 
| 
      
 40 
     | 
    
         
            +
             
     | 
| 
      
 41 
     | 
    
         
            +
                  # Decrypts a +clean_text+ and returns the result as clean text
         
     | 
| 
      
 42 
     | 
    
         
            +
                  #
         
     | 
| 
      
 43 
     | 
    
         
            +
                  # === Options
         
     | 
| 
      
 44 
     | 
    
         
            +
                  #
         
     | 
| 
      
 45 
     | 
    
         
            +
                  # [:key_provider]
         
     | 
| 
      
 46 
     | 
    
         
            +
                  #   Key provider to use for the encryption operation. It will default to
         
     | 
| 
      
 47 
     | 
    
         
            +
                  #   +ActiveRecord::Encryption.key_provider+ when not provided
         
     | 
| 
      
 48 
     | 
    
         
            +
                  #
         
     | 
| 
      
 49 
     | 
    
         
            +
                  # [:cipher_options]
         
     | 
| 
      
 50 
     | 
    
         
            +
                  #   +Cipher+-specific options that will be passed to the Cipher configured in
         
     | 
| 
      
 51 
     | 
    
         
            +
                  #   +ActiveRecord::Encryption.cipher+
         
     | 
| 
      
 52 
     | 
    
         
            +
                  def decrypt(encrypted_text, key_provider: default_key_provider, cipher_options: {})
         
     | 
| 
      
 53 
     | 
    
         
            +
                    message = deserialize_message(encrypted_text)
         
     | 
| 
      
 54 
     | 
    
         
            +
                    keys = key_provider.decryption_keys(message)
         
     | 
| 
      
 55 
     | 
    
         
            +
                    raise Errors::Decryption unless keys.present?
         
     | 
| 
      
 56 
     | 
    
         
            +
                    uncompress_if_needed(cipher.decrypt(message, key: keys.collect(&:secret), **cipher_options), message.headers.compressed)
         
     | 
| 
      
 57 
     | 
    
         
            +
                  rescue *(ENCODING_ERRORS + DECRYPT_ERRORS)
         
     | 
| 
      
 58 
     | 
    
         
            +
                    raise Errors::Decryption
         
     | 
| 
      
 59 
     | 
    
         
            +
                  end
         
     | 
| 
      
 60 
     | 
    
         
            +
             
     | 
| 
      
 61 
     | 
    
         
            +
                  # Returns whether the text is encrypted or not
         
     | 
| 
      
 62 
     | 
    
         
            +
                  def encrypted?(text)
         
     | 
| 
      
 63 
     | 
    
         
            +
                    deserialize_message(text)
         
     | 
| 
      
 64 
     | 
    
         
            +
                    true
         
     | 
| 
      
 65 
     | 
    
         
            +
                  rescue Errors::Encoding, *DECRYPT_ERRORS
         
     | 
| 
      
 66 
     | 
    
         
            +
                    false
         
     | 
| 
      
 67 
     | 
    
         
            +
                  end
         
     | 
| 
      
 68 
     | 
    
         
            +
             
     | 
| 
      
 69 
     | 
    
         
            +
                  private
         
     | 
| 
      
 70 
     | 
    
         
            +
                    DECRYPT_ERRORS = [OpenSSL::Cipher::CipherError, Errors::EncryptedContentIntegrity, Errors::Decryption]
         
     | 
| 
      
 71 
     | 
    
         
            +
                    ENCODING_ERRORS = [EncodingError, Errors::Encoding]
         
     | 
| 
      
 72 
     | 
    
         
            +
                    THRESHOLD_TO_JUSTIFY_COMPRESSION = 140.bytes
         
     | 
| 
      
 73 
     | 
    
         
            +
             
     | 
| 
      
 74 
     | 
    
         
            +
                    def default_key_provider
         
     | 
| 
      
 75 
     | 
    
         
            +
                      ActiveRecord::Encryption.key_provider
         
     | 
| 
      
 76 
     | 
    
         
            +
                    end
         
     | 
| 
      
 77 
     | 
    
         
            +
             
     | 
| 
      
 78 
     | 
    
         
            +
                    def validate_payload_type(clear_text)
         
     | 
| 
      
 79 
     | 
    
         
            +
                      unless clear_text.is_a?(String)
         
     | 
| 
      
 80 
     | 
    
         
            +
                        raise ActiveRecord::Encryption::Errors::ForbiddenClass, "The encryptor can only encrypt string values (#{clear_text.class})"
         
     | 
| 
      
 81 
     | 
    
         
            +
                      end
         
     | 
| 
      
 82 
     | 
    
         
            +
                    end
         
     | 
| 
      
 83 
     | 
    
         
            +
             
     | 
| 
      
 84 
     | 
    
         
            +
                    def cipher
         
     | 
| 
      
 85 
     | 
    
         
            +
                      ActiveRecord::Encryption.cipher
         
     | 
| 
      
 86 
     | 
    
         
            +
                    end
         
     | 
| 
      
 87 
     | 
    
         
            +
             
     | 
| 
      
 88 
     | 
    
         
            +
                    def build_encrypted_message(clear_text, key_provider:, cipher_options:)
         
     | 
| 
      
 89 
     | 
    
         
            +
                      key = key_provider.encryption_key
         
     | 
| 
      
 90 
     | 
    
         
            +
             
     | 
| 
      
 91 
     | 
    
         
            +
                      clear_text, was_compressed = compress_if_worth_it(clear_text)
         
     | 
| 
      
 92 
     | 
    
         
            +
                      cipher.encrypt(clear_text, key: key.secret, **cipher_options).tap do |message|
         
     | 
| 
      
 93 
     | 
    
         
            +
                        message.headers.add(key.public_tags)
         
     | 
| 
      
 94 
     | 
    
         
            +
                        message.headers.compressed = true if was_compressed
         
     | 
| 
      
 95 
     | 
    
         
            +
                      end
         
     | 
| 
      
 96 
     | 
    
         
            +
                    end
         
     | 
| 
      
 97 
     | 
    
         
            +
             
     | 
| 
      
 98 
     | 
    
         
            +
                    def serialize_message(message)
         
     | 
| 
      
 99 
     | 
    
         
            +
                      serializer.dump(message)
         
     | 
| 
      
 100 
     | 
    
         
            +
                    end
         
     | 
| 
      
 101 
     | 
    
         
            +
             
     | 
| 
      
 102 
     | 
    
         
            +
                    def deserialize_message(message)
         
     | 
| 
      
 103 
     | 
    
         
            +
                      raise Errors::Encoding unless message.is_a?(String)
         
     | 
| 
      
 104 
     | 
    
         
            +
                      serializer.load message
         
     | 
| 
      
 105 
     | 
    
         
            +
                    rescue ArgumentError, TypeError, Errors::ForbiddenClass
         
     | 
| 
      
 106 
     | 
    
         
            +
                      raise Errors::Encoding
         
     | 
| 
      
 107 
     | 
    
         
            +
                    end
         
     | 
| 
      
 108 
     | 
    
         
            +
             
     | 
| 
      
 109 
     | 
    
         
            +
                    def serializer
         
     | 
| 
      
 110 
     | 
    
         
            +
                      ActiveRecord::Encryption.message_serializer
         
     | 
| 
      
 111 
     | 
    
         
            +
                    end
         
     | 
| 
      
 112 
     | 
    
         
            +
             
     | 
| 
      
 113 
     | 
    
         
            +
                    # Under certain threshold, ZIP compression is actually worse that not compressing
         
     | 
| 
      
 114 
     | 
    
         
            +
                    def compress_if_worth_it(string)
         
     | 
| 
      
 115 
     | 
    
         
            +
                      if string.bytesize > THRESHOLD_TO_JUSTIFY_COMPRESSION
         
     | 
| 
      
 116 
     | 
    
         
            +
                        [compress(string), true]
         
     | 
| 
      
 117 
     | 
    
         
            +
                      else
         
     | 
| 
      
 118 
     | 
    
         
            +
                        [string, false]
         
     | 
| 
      
 119 
     | 
    
         
            +
                      end
         
     | 
| 
      
 120 
     | 
    
         
            +
                    end
         
     | 
| 
      
 121 
     | 
    
         
            +
             
     | 
| 
      
 122 
     | 
    
         
            +
                    def compress(data)
         
     | 
| 
      
 123 
     | 
    
         
            +
                      Zlib::Deflate.deflate(data).tap do |compressed_data|
         
     | 
| 
      
 124 
     | 
    
         
            +
                        compressed_data.force_encoding(data.encoding)
         
     | 
| 
      
 125 
     | 
    
         
            +
                      end
         
     | 
| 
      
 126 
     | 
    
         
            +
                    end
         
     | 
| 
      
 127 
     | 
    
         
            +
             
     | 
| 
      
 128 
     | 
    
         
            +
                    def uncompress_if_needed(data, compressed)
         
     | 
| 
      
 129 
     | 
    
         
            +
                      if compressed
         
     | 
| 
      
 130 
     | 
    
         
            +
                        uncompress(data)
         
     | 
| 
      
 131 
     | 
    
         
            +
                      else
         
     | 
| 
      
 132 
     | 
    
         
            +
                        data
         
     | 
| 
      
 133 
     | 
    
         
            +
                      end
         
     | 
| 
      
 134 
     | 
    
         
            +
                    end
         
     | 
| 
      
 135 
     | 
    
         
            +
             
     | 
| 
      
 136 
     | 
    
         
            +
                    def uncompress(data)
         
     | 
| 
      
 137 
     | 
    
         
            +
                      Zlib::Inflate.inflate(data).tap do |uncompressed_data|
         
     | 
| 
      
 138 
     | 
    
         
            +
                        uncompressed_data.force_encoding(data.encoding)
         
     | 
| 
      
 139 
     | 
    
         
            +
                      end
         
     | 
| 
      
 140 
     | 
    
         
            +
                    end
         
     | 
| 
      
 141 
     | 
    
         
            +
             
     | 
| 
      
 142 
     | 
    
         
            +
                    def force_encoding_if_needed(value)
         
     | 
| 
      
 143 
     | 
    
         
            +
                      if forced_encoding_for_deterministic_encryption && value && value.encoding != forced_encoding_for_deterministic_encryption
         
     | 
| 
      
 144 
     | 
    
         
            +
                        value.encode(forced_encoding_for_deterministic_encryption, invalid: :replace, undef: :replace)
         
     | 
| 
      
 145 
     | 
    
         
            +
                      else
         
     | 
| 
      
 146 
     | 
    
         
            +
                        value
         
     | 
| 
      
 147 
     | 
    
         
            +
                      end
         
     | 
| 
      
 148 
     | 
    
         
            +
                    end
         
     | 
| 
      
 149 
     | 
    
         
            +
             
     | 
| 
      
 150 
     | 
    
         
            +
                    def forced_encoding_for_deterministic_encryption
         
     | 
| 
      
 151 
     | 
    
         
            +
                      ActiveRecord::Encryption.config.forced_encoding_for_deterministic_encryption
         
     | 
| 
      
 152 
     | 
    
         
            +
                    end
         
     | 
| 
      
 153 
     | 
    
         
            +
                end
         
     | 
| 
      
 154 
     | 
    
         
            +
              end
         
     | 
| 
      
 155 
     | 
    
         
            +
            end
         
     | 
| 
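Review bot: `decrypt` rescues only `ENCODING_ERRORS + DECRYPT_ERRORS`, but it also calls `uncompress_if_needed`, and `Zlib::Inflate.inflate` in `uncompress` raises `Zlib::Error` subclasses that are in neither list. If `message.headers.compressed` is set on a payload that is not valid deflate data (whether headers are integrity-protected is not visible here), the error escapes as a raw Zlib exception instead of `Errors::Decryption`. The attribute type's `decrypt` earlier on this page rescues only `ActiveRecord::Encryption::Errors::Base`, so its previous-scheme and unencrypted-data fallbacks would be skipped. Suggested change: `rescue *(ENCODING_ERRORS + DECRYPT_ERRORS), Zlib::Error`. Separately, the comment above `decrypt` says it decrypts a `+clean_text+`, which should read `+encrypted_text+`, and `encrypted?` only checks that the text deserializes as a message, which its one-line comment could say.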
         @@ -0,0 +1,55 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            # frozen_string_literal: true
         
     | 
| 
      
 2 
     | 
    
         
            +
             
     | 
| 
      
 3 
     | 
    
         
            +
            module ActiveRecord
         
     | 
| 
      
 4 
     | 
    
         
            +
              module Encryption
         
     | 
| 
      
 5 
     | 
    
         
            +
                # Implements a simple envelope encryption approach where:
         
     | 
| 
      
 6 
     | 
    
         
            +
                #
         
     | 
| 
      
 7 
     | 
    
         
            +
                # * It generates a random data-encryption key for each encryption operation
         
     | 
| 
      
 8 
     | 
    
         
            +
                # * It stores the generated key along with the encrypted payload. It encrypts this key
         
     | 
| 
      
 9 
     | 
    
         
            +
                #   with the master key provided in the credential +active_record.encryption.master key+
         
     | 
| 
      
 10 
     | 
    
         
            +
                #
         
     | 
| 
      
 11 
     | 
    
         
            +
                # This provider can work with multiple master keys. It will use the last one for encrypting.
         
     | 
| 
      
 12 
     | 
    
         
            +
                #
         
     | 
| 
      
 13 
     | 
    
         
            +
                # When `config.store_key_references` is true, it will also store a reference to
         
     | 
| 
      
 14 
     | 
    
         
            +
                # the specific master key that was used to encrypt the data-encryption key. When not set,
         
     | 
| 
      
 15 
     | 
    
         
            +
                # it will try all the configured master keys looking for the right one, in order to
         
     | 
| 
      
 16 
     | 
    
         
            +
                # return the right decryption key.
         
     | 
| 
      
 17 
     | 
    
         
            +
                class EnvelopeEncryptionKeyProvider
         
     | 
| 
      
 18 
     | 
    
         
            +
                  def encryption_key
         
     | 
| 
      
 19 
     | 
    
         
            +
                    random_secret = generate_random_secret
         
     | 
| 
      
 20 
     | 
    
         
            +
                    ActiveRecord::Encryption::Key.new(random_secret).tap do |key|
         
     | 
| 
      
 21 
     | 
    
         
            +
                      key.public_tags.encrypted_data_key = encrypt_data_key(random_secret)
         
     | 
| 
      
 22 
     | 
    
         
            +
                      key.public_tags.encrypted_data_key_id = active_primary_key.id if ActiveRecord::Encryption.config.store_key_references
         
     | 
| 
      
 23 
     | 
    
         
            +
                    end
         
     | 
| 
      
 24 
     | 
    
         
            +
                  end
         
     | 
| 
      
 25 
     | 
    
         
            +
             
     | 
| 
      
 26 
     | 
    
         
            +
                  def decryption_keys(encrypted_message)
         
     | 
| 
      
 27 
     | 
    
         
            +
                    secret = decrypt_data_key(encrypted_message)
         
     | 
| 
      
 28 
     | 
    
         
            +
                    secret ? [ActiveRecord::Encryption::Key.new(secret)] : []
         
     | 
| 
      
 29 
     | 
    
         
            +
                  end
         
     | 
| 
      
 30 
     | 
    
         
            +
             
     | 
| 
      
 31 
     | 
    
         
            +
                  def active_primary_key
         
     | 
| 
      
 32 
     | 
    
         
            +
                    @active_primary_key ||= primary_key_provider.encryption_key
         
     | 
| 
      
 33 
     | 
    
         
            +
                  end
         
     | 
| 
      
 34 
     | 
    
         
            +
             
     | 
| 
      
 35 
     | 
    
         
            +
                  private
         
     | 
| 
      
 36 
     | 
    
         
            +
                    def encrypt_data_key(random_secret)
         
     | 
| 
      
 37 
     | 
    
         
            +
                      ActiveRecord::Encryption.cipher.encrypt(random_secret, key: active_primary_key.secret)
         
     | 
| 
      
 38 
     | 
    
         
            +
                    end
         
     | 
| 
      
 39 
     | 
    
         
            +
             
     | 
| 
      
 40 
     | 
    
         
            +
                    def decrypt_data_key(encrypted_message)
         
     | 
| 
      
 41 
     | 
    
         
            +
                      encrypted_data_key = encrypted_message.headers.encrypted_data_key
         
     | 
| 
      
 42 
     | 
    
         
            +
                      key = primary_key_provider.decryption_keys(encrypted_message)&.collect(&:secret)
         
     | 
| 
      
 43 
     | 
    
         
            +
                      ActiveRecord::Encryption.cipher.decrypt encrypted_data_key, key: key if key
         
     | 
| 
      
 44 
     | 
    
         
            +
                    end
         
     | 
| 
      
 45 
     | 
    
         
            +
             
     | 
| 
      
 46 
     | 
    
         
            +
                    def primary_key_provider
         
     | 
| 
      
 47 
     | 
    
         
            +
                      @primary_key_provider ||= DerivedSecretKeyProvider.new(ActiveRecord::Encryption.config.primary_key)
         
     | 
| 
      
 48 
     | 
    
         
            +
                    end
         
     | 
| 
      
 49 
     | 
    
         
            +
             
     | 
| 
      
 50 
     | 
    
         
            +
                    def generate_random_secret
         
     | 
| 
      
 51 
     | 
    
         
            +
                      ActiveRecord::Encryption.key_generator.generate_random_key
         
     | 
| 
      
 52 
     | 
    
         
            +
                    end
         
     | 
| 
      
 53 
     | 
    
         
            +
                end
         
     | 
| 
      
 54 
     | 
    
         
            +
              end
         
     | 
| 
      
 55 
     | 
    
         
            +
            end
         
     | 
| 
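Review bot: The `if key` guard in `decrypt_data_key` only skips the cipher call when `primary_key_provider.decryption_keys` returns nil; an empty array is truthy in Ruby, so an empty key list would still be handed to `cipher.decrypt`, and how the cipher behaves with no keys is not visible in this file. Stating the intent explicitly with `return if key.blank?` before the decrypt call keeps `decryption_keys` returning `[]` in that case instead of depending on the cipher. Separately, the class comment names the credential `active_record.encryption.master key`, while `primary_key_provider` reads `ActiveRecord::Encryption.config.primary_key`; the comment should use the name the code actually reads so operators configure the right setting.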
         @@ -0,0 +1,15 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            # frozen_string_literal: true
         
     | 
| 
      
 2 
     | 
    
         
            +
             
     | 
| 
      
 3 
     | 
    
         
            +
            module ActiveRecord
         
     | 
| 
      
 4 
     | 
    
         
            +
              module Encryption
         
     | 
| 
      
 5 
     | 
    
         
            +
                module Errors
         
     | 
| 
      
 6 
     | 
    
         
            +
                  class Base < StandardError; end
         
     | 
| 
      
 7 
     | 
    
         
            +
                  class Encoding < Base; end
         
     | 
| 
      
 8 
     | 
    
         
            +
                  class Decryption < Base; end
         
     | 
| 
      
 9 
     | 
    
         
            +
                  class Encryption < Base; end
         
     | 
| 
      
 10 
     | 
    
         
            +
                  class Configuration < Base; end
         
     | 
| 
      
 11 
     | 
    
         
            +
                  class ForbiddenClass < Base; end
         
     | 
| 
      
 12 
     | 
    
         
            +
                  class EncryptedContentIntegrity < Base; end
         
     | 
| 
      
 13 
     | 
    
         
            +
                end
         
     | 
| 
      
 14 
     | 
    
         
            +
              end
         
     | 
| 
      
 15 
     | 
    
         
            +
            end
         
     | 
| 
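Review bot: None of these error classes says when it is raised, and two of them, `Errors::Encoding` and `Errors::Encryption`, reuse the names of Ruby's `Encoding` class and of the enclosing `ActiveRecord::Encryption` module. Any code later written lexically inside `module Errors` would resolve those bare constants to the error classes rather than to the originals. A one-line comment per class stating the raising condition would help callers decide what to rescue and what is safe to show to a user, particularly for `ForbiddenClass` and `EncryptedContentIntegrity`, for example `# Raised when an encrypted payload does not pass validation` (wording to be confirmed against the raising code, which is outside this file).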
         @@ -0,0 +1,160 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            # frozen_string_literal: true
         
     | 
| 
      
 2 
     | 
    
         
            +
             
     | 
| 
      
 3 
     | 
    
         
            +
            module ActiveRecord
         
     | 
| 
      
 4 
     | 
    
         
            +
              module Encryption
         
     | 
| 
      
 5 
     | 
    
         
            +
                # Automatically expand encrypted arguments to support querying both encrypted and unencrypted data
         
     | 
| 
      
 6 
     | 
    
         
            +
                #
         
     | 
| 
      
 7 
     | 
    
         
            +
                # Active Record Encryption supports querying the db using deterministic attributes. For example:
         
     | 
| 
      
 8 
     | 
    
         
            +
                #
         
     | 
| 
      
 9 
     | 
    
         
            +
                #   Contact.find_by(email_address: "jorge@hey.com")
         
     | 
| 
      
 10 
     | 
    
         
            +
                #
         
     | 
| 
      
 11 
     | 
    
         
            +
                # The value "jorge@hey.com" will get encrypted automatically to perform the query. But there is
         
     | 
| 
      
 12 
     | 
    
         
            +
                # a problem while the data is being encrypted. This won't work. During that time, you need these
         
     | 
| 
      
 13 
     | 
    
         
            +
                # queries to be:
         
     | 
| 
      
 14 
     | 
    
         
            +
                #
         
     | 
| 
      
 15 
     | 
    
         
            +
                #   Contact.find_by(email_address: [ "jorge@hey.com", "<encrypted jorge@hey.com>" ])
         
     | 
| 
      
 16 
     | 
    
         
            +
                #
         
     | 
| 
      
 17 
     | 
    
         
            +
                # This patches ActiveRecord to support this automatically. It addresses both:
         
     | 
| 
      
 18 
     | 
    
         
            +
                #
         
     | 
| 
      
 19 
     | 
    
         
            +
                # * ActiveRecord::Base: Used in +Contact.find_by_email_address(...)+
         
     | 
| 
      
 20 
     | 
    
         
            +
                # * ActiveRecord::Relation: Used in +Contact.internal.find_by_email_address(...)+
         
     | 
| 
      
 21 
     | 
    
         
            +
                #
         
     | 
| 
      
 22 
     | 
    
         
            +
                # +ActiveRecord::Base+ relies on +ActiveRecord::Relation+ (+ActiveRecord::QueryMethods+) but it does
         
     | 
| 
      
 23 
     | 
    
         
            +
                # some prepared statements caching. That's why we need to intercept +ActiveRecord::Base+ as soon
         
     | 
| 
      
 24 
     | 
    
         
            +
                # as it's invoked (so that the proper prepared statement is cached).
         
     | 
| 
      
 25 
     | 
    
         
            +
                #
         
     | 
| 
      
 26 
     | 
    
         
            +
                # When modifying this file run performance tests in +test/performance/extended_deterministic_queries_performance_test.rb+ to
         
     | 
| 
      
 27 
     | 
    
         
            +
                #   make sure performance overhead is acceptable.
         
     | 
| 
      
 28 
     | 
    
         
            +
                #
         
     | 
| 
      
 29 
     | 
    
         
            +
                # We will extend this to support previous "encryption context" versions in future iterations
         
     | 
| 
      
 30 
     | 
    
         
            +
                #
         
     | 
| 
      
 31 
     | 
    
         
            +
                # @TODO Experimental. Support for every kind of query is pending
         
     | 
| 
      
 32 
     | 
    
         
            +
                # @TODO It should not patch anything if not needed (no previous schemes or no support for previous encryption schemes)
         
     | 
| 
      
 33 
     | 
    
         
            +
                module ExtendedDeterministicQueries
         
     | 
| 
      
 34 
     | 
    
         
            +
                  def self.install_support
         
     | 
| 
      
 35 
     | 
    
         
            +
                    ActiveRecord::Relation.prepend(RelationQueries)
         
     | 
| 
      
 36 
     | 
    
         
            +
                    ActiveRecord::Base.include(CoreQueries)
         
     | 
| 
      
 37 
     | 
    
         
            +
                    ActiveRecord::Encryption::EncryptedAttributeType.prepend(ExtendedEncryptableType)
         
     | 
| 
      
 38 
     | 
    
         
            +
                    Arel::Nodes::HomogeneousIn.prepend(InWithAdditionalValues)
         
     | 
| 
      
 39 
     | 
    
         
            +
                  end
         
     | 
| 
      
 40 
     | 
    
         
            +
             
     | 
| 
      
 41 
     | 
    
         
            +
                  module EncryptedQueryArgumentProcessor
         
     | 
| 
      
 42 
     | 
    
         
            +
                    extend ActiveSupport::Concern
         
     | 
| 
      
 43 
     | 
    
         
            +
             
     | 
| 
      
 44 
     | 
    
         
            +
                    private
         
     | 
| 
      
 45 
     | 
    
         
            +
                      def process_encrypted_query_arguments(args, check_for_additional_values)
         
     | 
| 
      
 46 
     | 
    
         
            +
                        if args.is_a?(Array) && (options = args.first).is_a?(Hash)
         
     | 
| 
      
 47 
     | 
    
         
            +
                          self.deterministic_encrypted_attributes&.each do |attribute_name|
         
     | 
| 
      
 48 
     | 
    
         
            +
                            type = type_for_attribute(attribute_name)
         
     | 
| 
      
 49 
     | 
    
         
            +
                            if !type.previous_types.empty? && value = options[attribute_name]
         
     | 
| 
      
 50 
     | 
    
         
            +
                              options[attribute_name] = process_encrypted_query_argument(value, check_for_additional_values, type)
         
     | 
| 
      
 51 
     | 
    
         
            +
                            end
         
     | 
| 
      
 52 
     | 
    
         
            +
                          end
         
     | 
| 
      
 53 
     | 
    
         
            +
                        end
         
     | 
| 
      
 54 
     | 
    
         
            +
                      end
         
     | 
| 
      
 55 
     | 
    
         
            +
             
     | 
| 
      
 56 
     | 
    
         
            +
                      def process_encrypted_query_argument(value, check_for_additional_values, type)
         
     | 
| 
      
 57 
     | 
    
         
            +
                        return value if check_for_additional_values && value.is_a?(Array) && value.last.is_a?(AdditionalValue)
         
     | 
| 
      
 58 
     | 
    
         
            +
             
     | 
| 
      
 59 
     | 
    
         
            +
                        case value
         
     | 
| 
      
 60 
     | 
    
         
            +
                        when String, Array
         
     | 
| 
      
 61 
     | 
    
         
            +
                          list = Array(value)
         
     | 
| 
      
 62 
     | 
    
         
            +
                          list + list.flat_map do |each_value|
         
     | 
| 
      
 63 
     | 
    
         
            +
                            if check_for_additional_values && each_value.is_a?(AdditionalValue)
         
     | 
| 
      
 64 
     | 
    
         
            +
                              each_value
         
     | 
| 
      
 65 
     | 
    
         
            +
                            else
         
     | 
| 
      
 66 
     | 
    
         
            +
                              additional_values_for(each_value, type)
         
     | 
| 
      
 67 
     | 
    
         
            +
                            end
         
     | 
| 
      
 68 
     | 
    
         
            +
                          end
         
     | 
| 
      
 69 
     | 
    
         
            +
                        else
         
     | 
| 
      
 70 
     | 
    
         
            +
                          value
         
     | 
| 
      
 71 
     | 
    
         
            +
                        end
         
     | 
| 
      
 72 
     | 
    
         
            +
                      end
         
     | 
| 
      
 73 
     | 
    
         
            +
             
     | 
| 
      
 74 
     | 
    
         
            +
                      def additional_values_for(value, type)
         
     | 
| 
      
 75 
     | 
    
         
            +
                        type.previous_types.collect do |additional_type|
         
     | 
| 
      
 76 
     | 
    
         
            +
                          AdditionalValue.new(value, additional_type)
         
     | 
| 
      
 77 
     | 
    
         
            +
                        end
         
     | 
| 
      
 78 
     | 
    
         
            +
                      end
         
     | 
| 
      
 79 
     | 
    
         
            +
                  end
         
     | 
| 
      
 80 
     | 
    
         
            +
             
     | 
| 
      
 81 
     | 
    
         
            +
                  module RelationQueries
         
     | 
| 
      
 82 
     | 
    
         
            +
                    include EncryptedQueryArgumentProcessor
         
     | 
| 
      
 83 
     | 
    
         
            +
             
     | 
| 
      
 84 
     | 
    
         
            +
                    def where(*args)
         
     | 
| 
      
 85 
     | 
    
         
            +
                      process_encrypted_query_arguments_if_needed(args)
         
     | 
| 
      
 86 
     | 
    
         
            +
                      super
         
     | 
| 
      
 87 
     | 
    
         
            +
                    end
         
     | 
| 
      
 88 
     | 
    
         
            +
             
     | 
| 
      
 89 
     | 
    
         
            +
                    def exists?(*args)
         
     | 
| 
      
 90 
     | 
    
         
            +
                      process_encrypted_query_arguments_if_needed(args)
         
     | 
| 
      
 91 
     | 
    
         
            +
                      super
         
     | 
| 
      
 92 
     | 
    
         
            +
                    end
         
     | 
| 
      
 93 
     | 
    
         
            +
             
     | 
| 
      
 94 
     | 
    
         
            +
                    def find_or_create_by(attributes, &block)
         
     | 
| 
      
 95 
     | 
    
         
            +
                      find_by(attributes.dup) || create(attributes, &block)
         
     | 
| 
      
 96 
     | 
    
         
            +
                    end
         
     | 
| 
      
 97 
     | 
    
         
            +
             
     | 
| 
      
 98 
     | 
    
         
            +
                    def find_or_create_by!(attributes, &block)
         
     | 
| 
      
 99 
     | 
    
         
            +
                      find_by(attributes.dup) || create!(attributes, &block)
         
     | 
| 
      
 100 
     | 
    
         
            +
                    end
         
     | 
| 
      
 101 
     | 
    
         
            +
             
     | 
| 
      
 102 
     | 
    
         
            +
                    private
         
     | 
| 
      
 103 
     | 
    
         
            +
                      def process_encrypted_query_arguments_if_needed(args)
         
     | 
| 
      
 104 
     | 
    
         
            +
                        process_encrypted_query_arguments(args, true) unless self.deterministic_encrypted_attributes&.empty?
         
     | 
| 
      
 105 
     | 
    
         
            +
                      end
         
     | 
| 
      
 106 
     | 
    
         
            +
                  end
         
     | 
| 
      
 107 
     | 
    
         
            +
             
     | 
| 
      
 108 
     | 
    
         
            +
                  module CoreQueries
         
     | 
| 
      
 109 
     | 
    
         
            +
                    extend ActiveSupport::Concern
         
     | 
| 
      
 110 
     | 
    
         
            +
             
     | 
| 
      
 111 
     | 
    
         
            +
                    class_methods do
         
     | 
| 
      
 112 
     | 
    
         
            +
                      include EncryptedQueryArgumentProcessor
         
     | 
| 
      
 113 
     | 
    
         
            +
             
     | 
| 
      
 114 
     | 
    
         
            +
                      def find_by(*args)
         
     | 
| 
      
 115 
     | 
    
         
            +
                        process_encrypted_query_arguments(args, false) unless self.deterministic_encrypted_attributes&.empty?
         
     | 
| 
      
 116 
     | 
    
         
            +
                        super
         
     | 
| 
      
 117 
     | 
    
         
            +
                      end
         
     | 
| 
      
 118 
     | 
    
         
            +
                    end
         
     | 
| 
      
 119 
     | 
    
         
            +
                  end
         
     | 
| 
      
 120 
     | 
    
         
            +
             
     | 
| 
      
 121 
     | 
    
         
            +
                  class AdditionalValue
         
     | 
| 
      
 122 
     | 
    
         
            +
                    attr_reader :value, :type
         
     | 
| 
      
 123 
     | 
    
         
            +
             
     | 
| 
      
 124 
     | 
    
         
            +
                    def initialize(value, type)
         
     | 
| 
      
 125 
     | 
    
         
            +
                      @type = type
         
     | 
| 
      
 126 
     | 
    
         
            +
                      @value = process(value)
         
     | 
| 
      
 127 
     | 
    
         
            +
                    end
         
     | 
| 
      
 128 
     | 
    
         
            +
             
     | 
| 
      
 129 
     | 
    
         
            +
                    private
         
     | 
| 
      
 130 
     | 
    
         
            +
                      def process(value)
         
     | 
| 
      
 131 
     | 
    
         
            +
                        type.serialize(value)
         
     | 
| 
      
 132 
     | 
    
         
            +
                      end
         
     | 
| 
      
 133 
     | 
    
         
            +
                  end
         
     | 
| 
      
 134 
     | 
    
         
            +
             
     | 
| 
      
 135 
     | 
    
         
            +
                  module ExtendedEncryptableType
         
     | 
| 
      
 136 
     | 
    
         
            +
                    def serialize(data)
         
     | 
| 
      
 137 
     | 
    
         
            +
                      if data.is_a?(AdditionalValue)
         
     | 
| 
      
 138 
     | 
    
         
            +
                        data.value
         
     | 
| 
      
 139 
     | 
    
         
            +
                      else
         
     | 
| 
      
 140 
     | 
    
         
            +
                        super
         
     | 
| 
      
 141 
     | 
    
         
            +
                      end
         
     | 
| 
      
 142 
     | 
    
         
            +
                    end
         
     | 
| 
      
 143 
     | 
    
         
            +
                  end
         
     | 
| 
      
 144 
     | 
    
         
            +
             
     | 
| 
      
 145 
     | 
    
         
            +
                  module InWithAdditionalValues
         
     | 
| 
      
 146 
     | 
    
         
            +
                    def proc_for_binds
         
     | 
| 
      
 147 
     | 
    
         
            +
                      -> value { ActiveModel::Attribute.with_cast_value(attribute.name, value, encryption_aware_type_caster) }
         
     | 
| 
      
 148 
     | 
    
         
            +
                    end
         
     | 
| 
      
 149 
     | 
    
         
            +
             
     | 
| 
      
 150 
     | 
    
         
            +
                    def encryption_aware_type_caster
         
     | 
| 
      
 151 
     | 
    
         
            +
                      if attribute.type_caster.is_a?(ActiveRecord::Encryption::EncryptedAttributeType)
         
     | 
| 
      
 152 
     | 
    
         
            +
                        attribute.type_caster.cast_type
         
     | 
| 
      
 153 
     | 
    
         
            +
                      else
         
     | 
| 
      
 154 
     | 
    
         
            +
                        attribute.type_caster
         
     | 
| 
      
 155 
     | 
    
         
            +
                      end
         
     | 
| 
      
 156 
     | 
    
         
            +
                    end
         
     | 
| 
      
 157 
     | 
    
         
            +
                  end
         
     | 
| 
      
 158 
     | 
    
         
            +
                end
         
     | 
| 
      
 159 
     | 
    
         
            +
              end
         
     | 
| 
      
 160 
     | 
    
         
            +
            end
         
     | 
| 
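Review bot: `process_encrypted_query_arguments` rewrites `options[attribute_name]` in place, and `options` is the same hash object the caller passed to `where`, `exists?` or `find_by`, so after the call the caller's hash holds an array containing `AdditionalValue` objects instead of the original value. `find_or_create_by` and `find_or_create_by!` already pass `attributes.dup` to avoid exactly this, but the three patched entry points do not protect their callers. Copying before the first write, e.g. `options = args[0] = options.dup` as the first statement inside the `if`, keeps the expansion local to the query; because `super` is called without arguments it forwards the updated `args`. The lookup `options[attribute_name]` also only matches keys in the same form as the entries of `deterministic_encrypted_attributes` (not visible here), so a conditions hash keyed the other way (string versus symbol) would skip the expansion silently and miss rows stored under a previous scheme.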
         @@ -0,0 +1,28 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            # frozen_string_literal: true
         
     | 
| 
      
 2 
     | 
    
         
            +
             
     | 
| 
      
 3 
     | 
    
         
            +
            module ActiveRecord
         
     | 
| 
      
 4 
     | 
    
         
            +
              module Encryption
         
     | 
| 
      
 5 
     | 
    
         
            +
                module ExtendedDeterministicUniquenessValidator
         
     | 
| 
      
 6 
     | 
    
         
            +
                  def self.install_support
         
     | 
| 
      
 7 
     | 
    
         
            +
                    ActiveRecord::Validations::UniquenessValidator.prepend(EncryptedUniquenessValidator)
         
     | 
| 
      
 8 
     | 
    
         
            +
                  end
         
     | 
| 
      
 9 
     | 
    
         
            +
             
     | 
| 
      
 10 
     | 
    
         
            +
                  module EncryptedUniquenessValidator
         
     | 
| 
      
 11 
     | 
    
         
            +
                    def validate_each(record, attribute, value)
         
     | 
| 
      
 12 
     | 
    
         
            +
                      super(record, attribute, value)
         
     | 
| 
      
 13 
     | 
    
         
            +
             
     | 
| 
      
 14 
     | 
    
         
            +
                      klass = record.class
         
     | 
| 
      
 15 
     | 
    
         
            +
                      klass.deterministic_encrypted_attributes&.each do |attribute_name|
         
     | 
| 
      
 16 
     | 
    
         
            +
                        encrypted_type = klass.type_for_attribute(attribute_name)
         
     | 
| 
      
 17 
     | 
    
         
            +
                        [ encrypted_type, *encrypted_type.previous_types ].each do |type|
         
     | 
| 
      
 18 
     | 
    
         
            +
                          encrypted_value = type.serialize(value)
         
     | 
| 
      
 19 
     | 
    
         
            +
                          ActiveRecord::Encryption.without_encryption do
         
     | 
| 
      
 20 
     | 
    
         
            +
                            super(record, attribute, encrypted_value)
         
     | 
| 
      
 21 
     | 
    
         
            +
                          end
         
     | 
| 
      
 22 
     | 
    
         
            +
                        end
         
     | 
| 
      
 23 
     | 
    
         
            +
                      end
         
     | 
| 
      
 24 
     | 
    
         
            +
                    end
         
     | 
| 
      
 25 
     | 
    
         
            +
                  end
         
     | 
| 
      
 26 
     | 
    
         
            +
                end
         
     | 
| 
      
 27 
     | 
    
         
            +
              end
         
     | 
| 
      
 28 
     | 
    
         
            +
            end
         
     | 
| 
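Review bot: The loop in `validate_each` runs for every entry of `klass.deterministic_encrypted_attributes` and uses `attribute_name` only to pick the type, while each `super` call still validates `attribute`. A uniqueness validation on any other attribute of the same model is therefore re-run with its value serialized by an unrelated attribute's encrypted types, and a validation on an encrypted attribute is repeated once per deterministic attribute, which can add the same error several times. Restricting the extra checks to the attribute under validation avoids both: `return unless klass.deterministic_encrypted_attributes&.include?(attribute)` after the first `super`, then `encrypted_type = klass.type_for_attribute(attribute)` in place of the outer loop. This assumes the list holds names in the same form as `attribute`, which is not visible in this file.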
         @@ -0,0 +1,28 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            # frozen_string_literal: true
         
     | 
| 
      
 2 
     | 
    
         
            +
             
     | 
| 
      
 3 
     | 
    
         
            +
            module ActiveRecord
         
     | 
| 
      
 4 
     | 
    
         
            +
              module Encryption
         
     | 
| 
      
 5 
     | 
    
         
            +
                # A key is a container for a given +secret+
         
     | 
| 
      
 6 
     | 
    
         
            +
                #
         
     | 
| 
      
 7 
     | 
    
         
            +
                # Optionally, it can include +public_tags+. These tags are meant to be stored
         
     | 
| 
      
 8 
     | 
    
         
            +
                # in clean (public) and can be used, for example, to include information that
         
     | 
| 
      
 9 
     | 
    
         
            +
                # references the key for a future retrieval operation.
         
     | 
| 
      
 10 
     | 
    
         
            +
                class Key
         
     | 
| 
      
 11 
     | 
    
         
            +
                  attr_reader :secret, :public_tags
         
     | 
| 
      
 12 
     | 
    
         
            +
             
     | 
| 
      
 13 
     | 
    
         
            +
                  def initialize(secret)
         
     | 
| 
      
 14 
     | 
    
         
            +
                    @secret = secret
         
     | 
| 
      
 15 
     | 
    
         
            +
                    @public_tags = Properties.new
         
     | 
| 
      
 16 
     | 
    
         
            +
                  end
         
     | 
| 
      
 17 
     | 
    
         
            +
             
     | 
| 
      
 18 
     | 
    
         
            +
                  def self.derive_from(password)
         
     | 
| 
      
 19 
     | 
    
         
            +
                    secret = ActiveRecord::Encryption.key_generator.derive_key_from(password)
         
     | 
| 
      
 20 
     | 
    
         
            +
                    ActiveRecord::Encryption::Key.new(secret)
         
     | 
| 
      
 21 
     | 
    
         
            +
                  end
         
     | 
| 
      
 22 
     | 
    
         
            +
             
     | 
| 
      
 23 
     | 
    
         
            +
                  def id
         
     | 
| 
      
 24 
     | 
    
         
            +
                    Digest::SHA1.hexdigest(secret).first(4)
         
     | 
| 
      
 25 
     | 
    
         
            +
                  end
         
     | 
| 
      
 26 
     | 
    
         
            +
                end
         
     | 
| 
      
 27 
     | 
    
         
            +
              end
         
     | 
| 
      
 28 
     | 
    
         
            +
            end
         
     | 
| 
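Review bot: `Key#id` is the first four hex characters of an unsalted SHA-1 of the secret, i.e. 16 bits, and the envelope provider earlier on this page writes it to `public_tags.encrypted_data_key_id`, which the class comment here says is stored in clear. That makes the id a non-unique hint rather than an identifier: two configured keys can share it, so whatever resolves a key from this reference has to tolerate collisions. Suggested comment above `id`: `# Short, non-unique reference derived from the secret; stored unencrypted with the payload, so lookups must handle collisions.` Changing the digest or its length would alter the ids already stored with existing payloads, so that would need a migration path rather than an in-place edit. The file also uses `Digest::SHA1` with no `require "digest"` in view, so it depends on another file having loaded it.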
         @@ -0,0 +1,42 @@ 
     | 
|
| 
      
 1 
     | 
    
         
            +
            # frozen_string_literal: true
         
     | 
| 
      
 2 
     | 
    
         
            +
             
     | 
| 
      
 3 
     | 
    
         
            +
            require "securerandom"
         
     | 
| 
      
 4 
     | 
    
         
            +
             
     | 
| 
      
 5 
     | 
    
         
            +
            module ActiveRecord
         
     | 
| 
      
 6 
     | 
    
         
            +
              module Encryption
         
     | 
| 
      
 7 
     | 
    
         
            +
                # Utility for generating and deriving random keys.
         
     | 
| 
      
 8 
     | 
    
         
            +
                class KeyGenerator
         
     | 
| 
      
 9 
     | 
    
         
            +
                  # Returns a random key. The key will have a size in bytes of +:length+ (configured +Cipher+'s length by default)
         
     | 
| 
      
 10 
     | 
    
         
            +
                  def generate_random_key(length: key_length)
         
     | 
| 
      
 11 
     | 
    
         
            +
                    SecureRandom.random_bytes(length)
         
     | 
| 
      
 12 
     | 
    
         
            +
                  end
         
     | 
| 
      
 13 
     | 
    
         
            +
             
     | 
| 
      
 14 
     | 
    
         
            +
                  # Returns a random key in hexadecimal format. The key will have a size in bytes of +:length+ (configured +Cipher+'s
         
     | 
| 
      
 15 
     | 
    
         
            +
                  # length by default)
         
     | 
| 
      
 16 
     | 
    
         
            +
                  #
         
     | 
| 
      
 17 
     | 
    
         
            +
                  # Hexadecimal format is handy for representing keys as printable text. To maximize the space of characters used, it is
         
     | 
| 
      
 18 
     | 
    
         
            +
                  # good practice including not printable characters. Hexadecimal format ensures that generated keys are representable with
         
     | 
| 
      
 19 
     | 
    
         
            +
                  # plain text
         
     | 
| 
      
 20 
     | 
    
         
            +
                  #
         
     | 
| 
      
 21 
     | 
    
         
            +
                  # To convert back to the original string with the desired length:
         
     | 
| 
      
 22 
     | 
    
         
            +
                  #
         
     | 
| 
      
 23 
     | 
    
         
            +
                  #   [ value ].pack("H*")
         
     | 
| 
      
 24 
     | 
    
         
            +
                  def generate_random_hex_key(length: key_length)
         
     | 
| 
      
 25 
     | 
    
         
            +
                    generate_random_key(length: length).unpack("H*")[0]
         
     | 
| 
      
 26 
     | 
    
         
            +
                  end
         
     | 
| 
      
 27 
     | 
    
         
            +
             
     | 
| 
      
 28 
     | 
    
         
            +
                  # Derives a key from the given password. The key will have a size in bytes of +:length+ (configured +Cipher+'s length
         
     | 
| 
      
 29 
     | 
    
         
            +
                  # by default)
         
     | 
| 
      
 30 
     | 
    
         
            +
                  #
         
     | 
| 
      
 31 
     | 
    
         
            +
                  # The generated key will be salted with the value of +ActiveRecord::Encryption.key_derivation_salt+
         
     | 
| 
      
 32 
     | 
    
         
            +
                  def derive_key_from(password, length: key_length)
         
     | 
| 
      
 33 
     | 
    
         
            +
                    ActiveSupport::KeyGenerator.new(password).generate_key(ActiveRecord::Encryption.config.key_derivation_salt, length)
         
     | 
| 
      
 34 
     | 
    
         
            +
                  end
         
     | 
| 
      
 35 
     | 
    
         
            +
             
     | 
| 
      
 36 
     | 
    
         
            +
                  private
         
     | 
| 
      
 37 
     | 
    
         
            +
                    def key_length
         
     | 
| 
      
 38 
     | 
    
         
            +
                      @key_length ||= ActiveRecord::Encryption.cipher.key_length
         
     | 
| 
      
 39 
     | 
    
         
            +
                    end
         
     | 
| 
      
 40 
     | 
    
         
            +
                end
         
     | 
| 
      
 41 
     | 
    
         
            +
              end
         
     | 
| 
      
 42 
     | 
    
         
            +
            end
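Review bot: `derive_key_from` (new-file lines 32-34) calls `ActiveSupport::KeyGenerator.new(password)` with no options, so the PBKDF2 iteration count and digest are whatever that class defaults to at call time rather than anything this file fixes. If an application later changes the process-wide digest on `ActiveSupport::KeyGenerator` (I believe 7.0 exposes `hash_digest_class` there), keys derived from the same password would change and previously encrypted data would presumably stop decrypting. Pinning the parameters at the call site, for example `ActiveSupport::KeyGenerator.new(password, hash_digest_class: OpenSSL::Digest::SHA256)`, or at least adding a comment that states the dependency, would make the coupling explicit. Separately, the doc comment on line 31 names `ActiveRecord::Encryption.key_derivation_salt`, while the code reads `ActiveRecord::Encryption.config.key_derivation_salt`; the comment should match.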
         
     |