activerecord 6.1.7.4 → 7.0.6

data/lib/active_record/encryption/encryptor.rb

@@ -0,0 +1,155 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "zlib"
+require "active_support/core_ext/numeric"
+
+module ActiveRecord
+  module Encryption
+    # An encryptor exposes the encryption API that ActiveRecord::Encryption::EncryptedAttributeType
+    # uses for encrypting and decrypting attribute values.
+    #
+    # It interacts with a KeyProvider for getting the keys, and delegate to
+    # ActiveRecord::Encryption::Cipher the actual encryption algorithm.
+    class Encryptor
+      # Encrypts +clean_text+ and returns the encrypted result
+      #
+      # Internally, it will:
+      #
+      # 1. Create a new ActiveRecord::Encryption::Message
+      # 2. Compress and encrypt +clean_text+ as the message payload
+      # 3. Serialize it with +ActiveRecord::Encryption.message_serializer+ (+ActiveRecord::Encryption::SafeMarshal+
+      #    by default)
+      # 4. Encode the result with Base 64
+      #
+      # === Options
+      #
+      # [:key_provider]
+      #   Key provider to use for the encryption operation. It will default to
+      #   +ActiveRecord::Encryption.key_provider+ when not provided.
+      #
+      # [:cipher_options]
+      #   Cipher-specific options that will be passed to the Cipher configured in
+      #   +ActiveRecord::Encryption.cipher+
+      def encrypt(clear_text, key_provider: default_key_provider, cipher_options: {})
+        clear_text = force_encoding_if_needed(clear_text) if cipher_options[:deterministic]
+
+        validate_payload_type(clear_text)
+        serialize_message build_encrypted_message(clear_text, key_provider: key_provider, cipher_options: cipher_options)
+      end
+
+      # Decrypts a +clean_text+ and returns the result as clean text
+      #
+      # === Options
+      #
+      # [:key_provider]
+      #   Key provider to use for the encryption operation. It will default to
+      #   +ActiveRecord::Encryption.key_provider+ when not provided
+      #
+      # [:cipher_options]
+      #   Cipher-specific options that will be passed to the Cipher configured in
+      #   +ActiveRecord::Encryption.cipher+
+      def decrypt(encrypted_text, key_provider: default_key_provider, cipher_options: {})
+        message = deserialize_message(encrypted_text)
+        keys = key_provider.decryption_keys(message)
+        raise Errors::Decryption unless keys.present?
+        uncompress_if_needed(cipher.decrypt(message, key: keys.collect(&:secret), **cipher_options), message.headers.compressed)
+      rescue *(ENCODING_ERRORS + DECRYPT_ERRORS)
+        raise Errors::Decryption
+      end
+
+      # Returns whether the text is encrypted or not
+      def encrypted?(text)
+        deserialize_message(text)
+        true
+      rescue Errors::Encoding, *DECRYPT_ERRORS
+        false
+      end
+
+      private
+        DECRYPT_ERRORS = [OpenSSL::Cipher::CipherError, Errors::EncryptedContentIntegrity, Errors::Decryption]
+        ENCODING_ERRORS = [EncodingError, Errors::Encoding]
+        THRESHOLD_TO_JUSTIFY_COMPRESSION = 140.bytes
+
+        def default_key_provider
+          ActiveRecord::Encryption.key_provider
+        end
+
+        def validate_payload_type(clear_text)
+          unless clear_text.is_a?(String)
+            raise ActiveRecord::Encryption::Errors::ForbiddenClass, "The encryptor can only encrypt string values (#{clear_text.class})"
+          end
+        end
+
+        def cipher
+          ActiveRecord::Encryption.cipher
+        end
+
+        def build_encrypted_message(clear_text, key_provider:, cipher_options:)
+          key = key_provider.encryption_key
+
+          clear_text, was_compressed = compress_if_worth_it(clear_text)
+          cipher.encrypt(clear_text, key: key.secret, **cipher_options).tap do |message|
+            message.headers.add(key.public_tags)
+            message.headers.compressed = true if was_compressed
+          end
+        end
+
+        def serialize_message(message)
+          serializer.dump(message)
+        end
+
+        def deserialize_message(message)
+          raise Errors::Encoding unless message.is_a?(String)
+          serializer.load message
+        rescue ArgumentError, TypeError, Errors::ForbiddenClass
+          raise Errors::Encoding
+        end
+
+        def serializer
+          ActiveRecord::Encryption.message_serializer
+        end
+
+        # Under certain threshold, ZIP compression is actually worse that not compressing
+        def compress_if_worth_it(string)
+          if string.bytesize > THRESHOLD_TO_JUSTIFY_COMPRESSION
+            [compress(string), true]
+          else
+            [string, false]
+          end
+        end
+
+        def compress(data)
+          Zlib::Deflate.deflate(data).tap do |compressed_data|
+            compressed_data.force_encoding(data.encoding)
+          end
+        end
+
+        def uncompress_if_needed(data, compressed)
+          if compressed
+            uncompress(data)
+          else
+            data
+          end
+        end
+
+        def uncompress(data)
+          Zlib::Inflate.inflate(data).tap do |uncompressed_data|
+            uncompressed_data.force_encoding(data.encoding)
+          end
+        end
+
+        def force_encoding_if_needed(value)
+          if forced_encoding_for_deterministic_encryption && value && value.encoding != forced_encoding_for_deterministic_encryption
+            value.encode(forced_encoding_for_deterministic_encryption, invalid: :replace, undef: :replace)
+          else
+            value
+          end
+        end
+
+        def forced_encoding_for_deterministic_encryption
+          ActiveRecord::Encryption.config.forced_encoding_for_deterministic_encryption
+        end
+    end
+  end
+end

data/lib/active_record/encryption/envelope_encryption_key_provider.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module ActiveRecord
+  module Encryption
+    # Implements a simple envelope encryption approach where:
+    #
+    # * It generates a random data-encryption key for each encryption operation.
+    # * It stores the generated key along with the encrypted payload. It encrypts this key
+    #   with the master key provided in the +active_record_encryption.primary_key+ credential.
+    #
+    # This provider can work with multiple master keys. It will use the last one for encrypting.
+    #
+    # When +config.active_record.encryption.store_key_references+ is true, it will also store a reference to
+    # the specific master key that was used to encrypt the data-encryption key. When not set,
+    # it will try all the configured master keys looking for the right one, in order to
+    # return the right decryption key.
+    class EnvelopeEncryptionKeyProvider
+      def encryption_key
+        random_secret = generate_random_secret
+        ActiveRecord::Encryption::Key.new(random_secret).tap do |key|
+          key.public_tags.encrypted_data_key = encrypt_data_key(random_secret)
+          key.public_tags.encrypted_data_key_id = active_primary_key.id if ActiveRecord::Encryption.config.store_key_references
+        end
+      end
+
+      def decryption_keys(encrypted_message)
+        secret = decrypt_data_key(encrypted_message)
+        secret ? [ActiveRecord::Encryption::Key.new(secret)] : []
+      end
+
+      def active_primary_key
+        @active_primary_key ||= primary_key_provider.encryption_key
+      end
+
+      private
+        def encrypt_data_key(random_secret)
+          ActiveRecord::Encryption.cipher.encrypt(random_secret, key: active_primary_key.secret)
+        end
+
+        def decrypt_data_key(encrypted_message)
+          encrypted_data_key = encrypted_message.headers.encrypted_data_key
+          key = primary_key_provider.decryption_keys(encrypted_message)&.collect(&:secret)
+          ActiveRecord::Encryption.cipher.decrypt encrypted_data_key, key: key if key
+        end
+
+        def primary_key_provider
+          @primary_key_provider ||= DerivedSecretKeyProvider.new(ActiveRecord::Encryption.config.primary_key)
+        end
+
+        def generate_random_secret
+          ActiveRecord::Encryption.key_generator.generate_random_key
+        end
+    end
+  end
+end

data/lib/active_record/encryption/errors.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module ActiveRecord
+  module Encryption
+    module Errors
+      class Base < StandardError; end
+      class Encoding < Base; end
+      class Decryption < Base; end
+      class Encryption < Base; end
+      class Configuration < Base; end
+      class ForbiddenClass < Base; end
+      class EncryptedContentIntegrity < Base; end
+    end
+  end
+end

data/lib/active_record/encryption/extended_deterministic_queries.rb

@@ -0,0 +1,160 @@
+# frozen_string_literal: true
+
+module ActiveRecord
+  module Encryption
+    # Automatically expand encrypted arguments to support querying both encrypted and unencrypted data
+    #
+    # Active Record \Encryption supports querying the db using deterministic attributes. For example:
+    #
+    #   Contact.find_by(email_address: "jorge@hey.com")
+    #
+    # The value "jorge@hey.com" will get encrypted automatically to perform the query. But there is
+    # a problem while the data is being encrypted. This won't work. During that time, you need these
+    # queries to be:
+    #
+    #   Contact.find_by(email_address: [ "jorge@hey.com", "<encrypted jorge@hey.com>" ])
+    #
+    # This patches ActiveRecord to support this automatically. It addresses both:
+    #
+    # * ActiveRecord::Base - Used in <tt>Contact.find_by_email_address(...)</tt>
+    # * ActiveRecord::Relation - Used in <tt>Contact.internal.find_by_email_address(...)</tt>
+    #
+    # ActiveRecord::Base relies on ActiveRecord::Relation (ActiveRecord::QueryMethods) but it does
+    # some prepared statements caching. That's why we need to intercept +ActiveRecord::Base+ as soon
+    # as it's invoked (so that the proper prepared statement is cached).
+    #
+    # When modifying this file run performance tests in +test/performance/extended_deterministic_queries_performance_test.rb+ to
+    #   make sure performance overhead is acceptable.
+    #
+    # We will extend this to support previous "encryption context" versions in future iterations
+    #
+    # @TODO Experimental. Support for every kind of query is pending
+    # @TODO It should not patch anything if not needed (no previous schemes or no support for previous encryption schemes)
+    module ExtendedDeterministicQueries
+      def self.install_support
+        ActiveRecord::Relation.prepend(RelationQueries)
+        ActiveRecord::Base.include(CoreQueries)
+        ActiveRecord::Encryption::EncryptedAttributeType.prepend(ExtendedEncryptableType)
+        Arel::Nodes::HomogeneousIn.prepend(InWithAdditionalValues)
+      end
+
+      module EncryptedQueryArgumentProcessor
+        extend ActiveSupport::Concern
+
+        private
+          def process_encrypted_query_arguments(args, check_for_additional_values)
+            if args.is_a?(Array) && (options = args.first).is_a?(Hash)
+              self.deterministic_encrypted_attributes&.each do |attribute_name|
+                type = type_for_attribute(attribute_name)
+                if !type.previous_types.empty? && value = options[attribute_name]
+                  options[attribute_name] = process_encrypted_query_argument(value, check_for_additional_values, type)
+                end
+              end
+            end
+          end
+
+          def process_encrypted_query_argument(value, check_for_additional_values, type)
+            return value if check_for_additional_values && value.is_a?(Array) && value.last.is_a?(AdditionalValue)
+
+            case value
+            when String, Array
+              list = Array(value)
+              list + list.flat_map do |each_value|
+                if check_for_additional_values && each_value.is_a?(AdditionalValue)
+                  each_value
+                else
+                  additional_values_for(each_value, type)
+                end
+              end
+            else
+              value
+            end
+          end
+
+          def additional_values_for(value, type)
+            type.previous_types.collect do |additional_type|
+              AdditionalValue.new(value, additional_type)
+            end
+          end
+      end
+
+      module RelationQueries
+        include EncryptedQueryArgumentProcessor
+
+        def where(*args)
+          process_encrypted_query_arguments_if_needed(args)
+          super
+        end
+
+        def exists?(*args)
+          process_encrypted_query_arguments_if_needed(args)
+          super
+        end
+
+        def find_or_create_by(attributes, &block)
+          find_by(attributes.dup) || create(attributes, &block)
+        end
+
+        def find_or_create_by!(attributes, &block)
+          find_by(attributes.dup) || create!(attributes, &block)
+        end
+
+        private
+          def process_encrypted_query_arguments_if_needed(args)
+            process_encrypted_query_arguments(args, true) unless self.deterministic_encrypted_attributes&.empty?
+          end
+      end
+
+      module CoreQueries
+        extend ActiveSupport::Concern
+
+        class_methods do
+          include EncryptedQueryArgumentProcessor
+
+          def find_by(*args)
+            process_encrypted_query_arguments(args, false) unless self.deterministic_encrypted_attributes&.empty?
+            super
+          end
+        end
+      end
+
+      class AdditionalValue
+        attr_reader :value, :type
+
+        def initialize(value, type)
+          @type = type
+          @value = process(value)
+        end
+
+        private
+          def process(value)
+            type.serialize(value)
+          end
+      end
+
+      module ExtendedEncryptableType
+        def serialize(data)
+          if data.is_a?(AdditionalValue)
+            data.value
+          else
+            super
+          end
+        end
+      end
+
+      module InWithAdditionalValues
+        def proc_for_binds
+          -> value { ActiveModel::Attribute.with_cast_value(attribute.name, value, encryption_aware_type_caster) }
+        end
+
+        def encryption_aware_type_caster
+          if attribute.type_caster.is_a?(ActiveRecord::Encryption::EncryptedAttributeType)
+            attribute.type_caster.cast_type
+          else
+            attribute.type_caster
+          end
+        end
+      end
+    end
+  end
+end

data/lib/active_record/encryption/extended_deterministic_uniqueness_validator.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module ActiveRecord
+  module Encryption
+    module ExtendedDeterministicUniquenessValidator
+      def self.install_support
+        ActiveRecord::Validations::UniquenessValidator.prepend(EncryptedUniquenessValidator)
+      end
+
+      module EncryptedUniquenessValidator
+        def validate_each(record, attribute, value)
+          super(record, attribute, value)
+
+          klass = record.class
+          klass.deterministic_encrypted_attributes&.each do |attribute_name|
+            encrypted_type = klass.type_for_attribute(attribute_name)
+            [ encrypted_type, *encrypted_type.previous_types ].each do |type|
+              encrypted_value = type.serialize(value)
+              ActiveRecord::Encryption.without_encryption do
+                super(record, attribute, encrypted_value)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/active_record/encryption/key.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module ActiveRecord
+  module Encryption
+    # A key is a container for a given +secret+
+    #
+    # Optionally, it can include +public_tags+. These tags are meant to be stored
+    # in clean (public) and can be used, for example, to include information that
+    # references the key for a future retrieval operation.
+    class Key
+      attr_reader :secret, :public_tags
+
+      def initialize(secret)
+        @secret = secret
+        @public_tags = Properties.new
+      end
+
+      def self.derive_from(password)
+        secret = ActiveRecord::Encryption.key_generator.derive_key_from(password)
+        ActiveRecord::Encryption::Key.new(secret)
+      end
+
+      def id
+        Digest::SHA1.hexdigest(secret).first(4)
+      end
+    end
+  end
+end

data/lib/active_record/encryption/key_generator.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require "securerandom"
+
+module ActiveRecord
+  module Encryption
+    # Utility for generating and deriving random keys.
+    class KeyGenerator
+      # Returns a random key. The key will have a size in bytes of +:length+ (configured +Cipher+'s length by default)
+      def generate_random_key(length: key_length)
+        SecureRandom.random_bytes(length)
+      end
+
+      # Returns a random key in hexadecimal format. The key will have a size in bytes of +:length+ (configured +Cipher+'s
+      # length by default)
+      #
+      # Hexadecimal format is handy for representing keys as printable text. To maximize the space of characters used, it is
+      # good practice including not printable characters. Hexadecimal format ensures that generated keys are representable with
+      # plain text
+      #
+      # To convert back to the original string with the desired length:
+      #
+      #   [ value ].pack("H*")
+      def generate_random_hex_key(length: key_length)
+        generate_random_key(length: length).unpack("H*")[0]
+      end
+
+      # Derives a key from the given password. The key will have a size in bytes of +:length+ (configured +Cipher+'s length
+      # by default)
+      #
+      # The generated key will be salted with the value of +ActiveRecord::Encryption.key_derivation_salt+
+      def derive_key_from(password, length: key_length)
+        ActiveSupport::KeyGenerator.new(password).generate_key(ActiveRecord::Encryption.config.key_derivation_salt, length)
+      end
+
+      private
+        def key_length
+          @key_length ||= ActiveRecord::Encryption.cipher.key_length
+        end
+    end
+  end
+end

data/lib/active_record/encryption/key_provider.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module ActiveRecord
+  module Encryption
+    # A +KeyProvider+ serves keys:
+    #
+    # * An encryption key
+    # * A list of potential decryption keys. Serving multiple decryption keys supports rotation-schemes
+    #   where new keys are added but old keys need to continue working
+    class KeyProvider
+      def initialize(keys)
+        @keys = Array(keys)
+      end
+
+      # Returns the first key in the list as the active key to perform encryptions
+      #
+      # When +ActiveRecord::Encryption.config.store_key_references+ is true, the key will include
+      # a public tag referencing the key itself. That key will be stored in the public
+      # headers of the encrypted message
+      def encryption_key
+        @encryption_key ||= @keys.last.tap do |key|
+          key.public_tags.encrypted_data_key_id = key.id if ActiveRecord::Encryption.config.store_key_references
+        end
+
+        @encryption_key
+      end
+
+      # Returns the list of decryption keys
+      #
+      # When the message holds a reference to its encryption key, it will return an array
+      # with that key. If not, it will return the list of keys.
+      def decryption_keys(encrypted_message)
+        if encrypted_message.headers.encrypted_data_key_id
+          keys_grouped_by_id[encrypted_message.headers.encrypted_data_key_id]
+        else
+          @keys
+        end
+      end
+
+      private
+        def keys_grouped_by_id
+          @keys_grouped_by_id ||= @keys.group_by(&:id)
+        end
+    end
+  end
+end

data/lib/active_record/encryption/message.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module ActiveRecord
+  module Encryption
+    # A message defines the structure of the data we store in encrypted attributes. It contains:
+    #
+    # * An encrypted payload
+    # * A list of unencrypted headers
+    #
+    # See Encryptor#encrypt
+    class Message
+      attr_accessor :payload, :headers
+
+      def initialize(payload: nil, headers: {})
+        validate_payload_type(payload)
+
+        @payload = payload
+        @headers = Properties.new(headers)
+      end
+
+      def ==(other_message)
+        payload == other_message.payload && headers == other_message.headers
+      end
+
+      private
+        def validate_payload_type(payload)
+          unless payload.is_a?(String) || payload.nil?
+            raise ActiveRecord::Encryption::Errors::ForbiddenClass, "Only string payloads allowed"
+          end
+        end
+    end
+  end
+end

data/lib/active_record/encryption/message_serializer.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+module ActiveRecord
+  module Encryption
+    # A message serializer that serializes +Messages+ with JSON.
+    #
+    # The generated structure is pretty simple:
+    #
+    #   {
+    #     p: <payload>,
+    #     h: {
+    #       header1: value1,
+    #       header2: value2,
+    #       ...
+    #     }
+    #   }
+    #
+    # Both the payload and the header values are encoded with Base64
+    # to prevent JSON parsing errors and encoding issues when
+    # storing the resulting serialized data.
+    class MessageSerializer
+      def load(serialized_content)
+        data = JSON.parse(serialized_content)
+        parse_message(data, 1)
+      rescue JSON::ParserError
+        raise ActiveRecord::Encryption::Errors::Encoding
+      end
+
+      def dump(message)
+        raise ActiveRecord::Encryption::Errors::ForbiddenClass unless message.is_a?(ActiveRecord::Encryption::Message)
+        JSON.dump message_to_json(message)
+      end
+
+      private
+        def parse_message(data, level)
+          validate_message_data_format(data, level)
+          ActiveRecord::Encryption::Message.new(payload: decode_if_needed(data["p"]), headers: parse_properties(data["h"], level))
+        end
+
+        def validate_message_data_format(data, level)
+          if level > 2
+            raise ActiveRecord::Encryption::Errors::Decryption, "More than one level of hash nesting in headers is not supported"
+          end
+
+          unless data.is_a?(Hash) && data.has_key?("p")
+            raise ActiveRecord::Encryption::Errors::Decryption, "Invalid data format: hash without payload"
+          end
+        end
+
+        def parse_properties(headers, level)
+          ActiveRecord::Encryption::Properties.new.tap do |properties|
+            headers&.each do |key, value|
+              properties[key] = value.is_a?(Hash) ? parse_message(value, level + 1) : decode_if_needed(value)
+            end
+          end
+        end
+
+        def message_to_json(message)
+          {
+            p: encode_if_needed(message.payload),
+            h: headers_to_json(message.headers)
+          }
+        end
+
+        def headers_to_json(headers)
+          headers.transform_values do |value|
+            value.is_a?(ActiveRecord::Encryption::Message) ? message_to_json(value) : encode_if_needed(value)
+          end
+        end
+
+        def encode_if_needed(value)
+          if value.is_a?(String)
+            ::Base64.strict_encode64 value
+          else
+            value
+          end
+        end
+
+        def decode_if_needed(value)
+          if value.is_a?(String)
+            ::Base64.strict_decode64(value)
+          else
+            value
+          end
+        rescue ArgumentError, TypeError
+          raise Errors::Encoding
+        end
+    end
+  end
+end

data/lib/active_record/encryption/null_encryptor.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module ActiveRecord
+  module Encryption
+    # An encryptor that won't decrypt or encrypt. It will just return the passed
+    # values
+    class NullEncryptor
+      def encrypt(clean_text, key_provider: nil, cipher_options: {})
+        clean_text
+      end
+
+      def decrypt(encrypted_text, key_provider: nil, cipher_options: {})
+        encrypted_text
+      end
+
+      def encrypted?(text)
+        false
+      end
+    end
+  end
+end