activerecord 7.0.8.7 → 7.1.5.1

data/lib/active_record/encryption/auto_filtered_parameters.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module ActiveRecord
+  module Encryption
+    class AutoFilteredParameters
+      def initialize(app)
+        @app = app
+        @attributes_by_class = Concurrent::Map.new
+        @collecting = true
+
+        install_collecting_hook
+      end
+
+      def enable
+        apply_collected_attributes
+        @collecting = false
+      end
+
+      private
+        attr_reader :app
+
+        def install_collecting_hook
+          ActiveRecord::Encryption.on_encrypted_attribute_declared do |klass, attribute|
+            attribute_was_declared(klass, attribute)
+          end
+        end
+
+        def attribute_was_declared(klass, attribute)
+          if collecting?
+            collect_for_later(klass, attribute)
+          else
+            apply_filter(klass, attribute)
+          end
+        end
+
+        def apply_collected_attributes
+          @attributes_by_class.each do |klass, attributes|
+            attributes.each do |attribute|
+              apply_filter(klass, attribute)
+            end
+          end
+        end
+
+        def collecting?
+          @collecting
+        end
+
+        def collect_for_later(klass, attribute)
+          @attributes_by_class[klass] ||= Concurrent::Array.new
+          @attributes_by_class[klass] << attribute
+        end
+
+        def apply_filter(klass, attribute)
+          filter = [("#{klass.model_name.element}" if klass.name), attribute.to_s].compact.join(".")
+          unless excluded_from_filter_parameters?(filter)
+            app.config.filter_parameters << filter unless app.config.filter_parameters.include?(filter)
+            klass.filter_attributes += [ attribute ]
+          end
+        end
+
+        def excluded_from_filter_parameters?(filter_parameter)
+          ActiveRecord::Encryption.config.excluded_from_filter_parameters.find { |excluded_filter| excluded_filter.to_s == filter_parameter }
+        end
+    end
+  end
+end

data/lib/active_record/encryption/cipher/aes256_gcm.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require "openssl"
-require "base64"
 
 module ActiveRecord
   module Encryption
@@ -80,6 +79,10 @@ module ActiveRecord
           raise ActiveRecord::Encryption::Errors::Decryption
         end
 
+        def inspect # :nodoc:
+          "#<#{self.class.name}:#{'%#016x' % (object_id << 1)}>"
+        end
+
         private
           def generate_iv(cipher, clear_text)
             if @deterministic

data/lib/active_record/encryption/config.rb

@@ -1,10 +1,12 @@
 # frozen_string_literal: true
 
+require "openssl"
+
 module ActiveRecord
   module Encryption
     # Container of configuration options
     class Config
-      attr_accessor :primary_key, :deterministic_key, :store_key_references, :key_derivation_salt,
+      attr_accessor :primary_key, :deterministic_key, :store_key_references, :key_derivation_salt, :hash_digest_class,
                     :support_unencrypted_data, :encrypt_fixtures, :validate_column_size, :add_to_filter_parameters,
                     :excluded_from_filter_parameters, :extend_queries, :previous_schemes, :forced_encoding_for_deterministic_encryption
 
@@ -21,6 +23,27 @@ module ActiveRecord
         end
       end
 
+      def support_sha1_for_non_deterministic_encryption=(value)
+        if value && has_primary_key?
+          sha1_key_generator = ActiveRecord::Encryption::KeyGenerator.new(hash_digest_class: OpenSSL::Digest::SHA1)
+          sha1_key_provider = ActiveRecord::Encryption::DerivedSecretKeyProvider.new(primary_key, key_generator: sha1_key_generator)
+          add_previous_scheme key_provider: sha1_key_provider
+        end
+      end
+
+      %w(key_derivation_salt primary_key deterministic_key).each do |key|
+        silence_redefinition_of_method "has_#{key}?"
+        define_method("has_#{key}?") do
+          instance_variable_get(:"@#{key}").presence
+        end
+
+        silence_redefinition_of_method key
+        define_method(key) do
+          public_send("has_#{key}?") or
+            raise Errors::Configuration, "Missing Active Record encryption credential: active_record_encryption.#{key}"
+        end
+      end
+
       private
         def set_defaults
           self.store_key_references = false
@@ -31,6 +54,7 @@ module ActiveRecord
           self.excluded_from_filter_parameters = []
           self.previous_schemes = []
           self.forced_encoding_for_deterministic_encryption = Encoding::UTF_8
+          self.hash_digest_class = OpenSSL::Digest::SHA1
 
           # TODO: Setting to false for now as the implementation is a bit experimental
           self.extend_queries = false

data/lib/active_record/encryption/configurable.rb

@@ -17,24 +17,29 @@ module ActiveRecord
           delegate name, to: :context
         end
 
-        def configure(primary_key:, deterministic_key:, key_derivation_salt:, **properties) # :nodoc:
+        def configure(primary_key: nil, deterministic_key: nil, key_derivation_salt: nil, **properties) # :nodoc:
           config.primary_key = primary_key
           config.deterministic_key = deterministic_key
           config.key_derivation_salt = key_derivation_salt
 
-          context.key_provider = ActiveRecord::Encryption::DerivedSecretKeyProvider.new(primary_key)
+          # Set the default for this property here instead of in +Config#set_defaults+ as this needs
+          # to happen *after* the keys have been set.
+          properties[:support_sha1_for_non_deterministic_encryption] = true if properties[:support_sha1_for_non_deterministic_encryption].nil?
 
           properties.each do |name, value|
-            [:context, :config].each do |configurable_object_name|
-              configurable_object = ActiveRecord::Encryption.send(configurable_object_name)
-              configurable_object.send "#{name}=", value if configurable_object.respond_to?("#{name}=")
-            end
+            ActiveRecord::Encryption.config.send "#{name}=", value if ActiveRecord::Encryption.config.respond_to?("#{name}=")
+          end
+
+          ActiveRecord::Encryption.reset_default_context
+
+          properties.each do |name, value|
+            ActiveRecord::Encryption.context.send "#{name}=", value if ActiveRecord::Encryption.context.respond_to?("#{name}=")
           end
         end
 
         # Register callback to be invoked when an encrypted attribute is declared.
         #
-        # === Example:
+        # === Example
         #
         #   ActiveRecord::Encryption.on_encrypted_attribute_declared do |klass, attribute_name|
         #     ...
@@ -49,18 +54,6 @@ module ActiveRecord
             block.call(klass, name)
           end
         end
-
-        def install_auto_filtered_parameters_hook(application) # :nodoc:
-          ActiveRecord::Encryption.on_encrypted_attribute_declared do |klass, encrypted_attribute_name|
-            filter_parameter = [("#{klass.model_name.element}" if klass.name), encrypted_attribute_name.to_s].compact.join(".")
-            application.config.filter_parameters << filter_parameter unless excluded_from_filter_parameters?(filter_parameter)
-          end
-        end
-
-        private
-          def excluded_from_filter_parameters?(filter_parameter)
-            ActiveRecord::Encryption.config.excluded_from_filter_parameters.find { |excluded_filter| excluded_filter.to_s == filter_parameter }
-          end
       end
     end
   end

data/lib/active_record/encryption/context.rb

@@ -12,9 +12,7 @@ module ActiveRecord
     class Context
       PROPERTIES = %i[ key_provider key_generator cipher message_serializer encryptor frozen_encryption ]
 
-      PROPERTIES.each do |name|
-        attr_accessor name
-      end
+      attr_accessor(*PROPERTIES)
 
       def initialize
         set_defaults
@@ -22,6 +20,11 @@ module ActiveRecord
 
       alias frozen_encryption? frozen_encryption
 
+      silence_redefinition_of_method :key_provider
+      def key_provider
+        @key_provider ||= build_default_key_provider
+      end
+
       private
         def set_defaults
           self.frozen_encryption = false
@@ -30,6 +33,10 @@ module ActiveRecord
           self.encryptor = ActiveRecord::Encryption::Encryptor.new
           self.message_serializer = ActiveRecord::Encryption::MessageSerializer.new
         end
+
+        def build_default_key_provider
+          ActiveRecord::Encryption::DerivedSecretKeyProvider.new(ActiveRecord::Encryption.config.primary_key)
+        end
     end
   end
 end

data/lib/active_record/encryption/contexts.rb

@@ -14,7 +14,7 @@ module ActiveRecord
       extend ActiveSupport::Concern
 
       included do
-        mattr_reader :default_context, default: Context.new
+        mattr_accessor :default_context, default: Context.new
         thread_mattr_accessor :custom_contexts
       end
 
@@ -66,6 +66,10 @@ module ActiveRecord
         def current_custom_context
           self.custom_contexts&.last
         end
+
+        def reset_default_context
+          self.default_context = Context.new
+        end
       end
     end
   end

data/lib/active_record/encryption/derived_secret_key_provider.rb

@@ -4,9 +4,15 @@ module ActiveRecord
   module Encryption
     # A KeyProvider that derives keys from passwords.
     class DerivedSecretKeyProvider < KeyProvider
-      def initialize(passwords)
-        super(Array(passwords).collect { |password| Key.derive_from(password) })
+      def initialize(passwords, key_generator: ActiveRecord::Encryption.key_generator)
+        super(Array(passwords).collect { |password| derive_key_from(password, using: key_generator) })
       end
+
+      private
+        def derive_key_from(password, using: key_generator)
+          secret = using.derive_key_from(password)
+          ActiveRecord::Encryption::Key.new(secret)
+        end
     end
   end
 end

data/lib/active_record/encryption/encryptable_record.rb

@@ -28,8 +28,12 @@ module ActiveRecord
         #   initialization vector based on the encrypted content. This means that the same content will generate
         #   the same ciphertexts. This enables querying encrypted text with Active Record. Deterministic encryption
         #   will use the oldest encryption scheme to encrypt new data by default. You can change this by setting
-        #   +deterministic: { fixed: false }+. That will make it use the newest encryption scheme for encrypting new
+        #   <tt>deterministic: { fixed: false }</tt>. That will make it use the newest encryption scheme for encrypting new
         #   data.
+        # * <tt>:support_unencrypted_data</tt> - If `config.active_record.encryption.support_unencrypted_data` is +true+,
+        #   you can set this to +false+ to opt out of unencrypted data support for this attribute. This is useful for
+        #   scenarios where you encrypt one column, and want to disable support for unencrypted data without having to tweak
+        #   the global setting.
         # * <tt>:downcase</tt> - When true, it converts the encrypted content to downcase automatically. This allows to
         #   effectively ignore case when querying data. Notice that the case is lost. Use +:ignore_case+ if you are interested
         #   in preserving it.
@@ -42,13 +46,11 @@ module ActiveRecord
         # * <tt>:previous</tt> - List of previous encryption schemes. When provided, they will be used in order when trying to read
         #   the attribute. Each entry of the list can contain the properties supported by #encrypts. Also, when deterministic
         #   encryption is used, they will be used to generate additional ciphertexts to check in the queries.
-        def encrypts(*names, key_provider: nil, key: nil, deterministic: false, downcase: false, ignore_case: false, previous: [], **context_properties)
+        def encrypts(*names, key_provider: nil, key: nil, deterministic: false, support_unencrypted_data: nil, downcase: false, ignore_case: false, previous: [], **context_properties)
           self.encrypted_attributes ||= Set.new # not using :default because the instance would be shared across classes
-          scheme = scheme_for key_provider: key_provider, key: key, deterministic: deterministic, downcase: downcase, \
-              ignore_case: ignore_case, previous: previous, **context_properties
 
           names.each do |name|
-            encrypt_attribute name, scheme
+            encrypt_attribute name, key_provider: key_provider, key: key, deterministic: deterministic, support_unencrypted_data: support_unencrypted_data, downcase: downcase, ignore_case: ignore_case, previous: previous, **context_properties
           end
         end
 
@@ -61,32 +63,35 @@ module ActiveRecord
 
         # Given a attribute name, it returns the name of the source attribute when it's a preserved one.
         def source_attribute_from_preserved_attribute(attribute_name)
-          attribute_name.to_s.sub(ORIGINAL_ATTRIBUTE_PREFIX, "") if /^#{ORIGINAL_ATTRIBUTE_PREFIX}/.match?(attribute_name)
+          attribute_name.to_s.sub(ORIGINAL_ATTRIBUTE_PREFIX, "") if attribute_name.start_with?(ORIGINAL_ATTRIBUTE_PREFIX)
         end
 
         private
-          def scheme_for(key_provider: nil, key: nil, deterministic: false, downcase: false, ignore_case: false, previous: [], **context_properties)
+          def scheme_for(key_provider: nil, key: nil, deterministic: false, support_unencrypted_data: nil, downcase: false, ignore_case: false, previous: [], **context_properties)
             ActiveRecord::Encryption::Scheme.new(key_provider: key_provider, key: key, deterministic: deterministic,
-                                                 downcase: downcase, ignore_case: ignore_case, **context_properties).tap do |scheme|
+              support_unencrypted_data: support_unencrypted_data, downcase: downcase, ignore_case: ignore_case, **context_properties).tap do |scheme|
               scheme.previous_schemes = global_previous_schemes_for(scheme) +
-                Array.wrap(previous).collect { |scheme_config| ActiveRecord::Encryption::Scheme.new(**scheme_config) }
+              Array.wrap(previous).collect { |scheme_config| ActiveRecord::Encryption::Scheme.new(**scheme_config) }
             end
           end
 
           def global_previous_schemes_for(scheme)
-            ActiveRecord::Encryption.config.previous_schemes.collect do |previous_scheme|
-              scheme.merge(previous_scheme)
+            ActiveRecord::Encryption.config.previous_schemes.filter_map do |previous_scheme|
+              scheme.merge(previous_scheme) if scheme.compatible_with?(previous_scheme)
             end
           end
 
-          def encrypt_attribute(name, attribute_scheme)
+          def encrypt_attribute(name, key_provider: nil, key: nil, deterministic: false, support_unencrypted_data: nil, downcase: false, ignore_case: false, previous: [], **context_properties)
             encrypted_attributes << name.to_sym
 
             attribute name do |cast_type|
-              ActiveRecord::Encryption::EncryptedAttributeType.new scheme: attribute_scheme, cast_type: cast_type
+              scheme = scheme_for key_provider: key_provider, key: key, deterministic: deterministic, support_unencrypted_data: support_unencrypted_data, \
+                downcase: downcase, ignore_case: ignore_case, previous: previous, **context_properties
+
+              ActiveRecord::Encryption::EncryptedAttributeType.new(scheme: scheme, cast_type: cast_type, default: columns_hash[name.to_s]&.default)
             end
 
-            preserve_original_encrypted(name) if attribute_scheme.ignore_case?
+            preserve_original_encrypted(name) if ignore_case
             ActiveRecord::Encryption.encrypted_attribute_was_declared(self, name)
           end
 
@@ -139,12 +144,22 @@ module ActiveRecord
 
       # Returns whether a given attribute is encrypted or not.
       def encrypted_attribute?(attribute_name)
-        ActiveRecord::Encryption.encryptor.encrypted? ciphertext_for(attribute_name)
+        name = attribute_name.to_s
+        name = self.class.attribute_aliases[name] || name
+
+        return false unless self.class.encrypted_attributes&.include? name.to_sym
+
+        type = type_for_attribute(name)
+        type.encrypted? read_attribute_before_type_cast(name)
       end
 
       # Returns the ciphertext for +attribute_name+.
       def ciphertext_for(attribute_name)
-        read_attribute_before_type_cast(attribute_name)
+        if encrypted_attribute?(attribute_name)
+          read_attribute_before_type_cast(attribute_name)
+        else
+          read_attribute_for_database(attribute_name)
+        end
       end
 
       # Encrypts all the encryptable attributes and saves the changes.
@@ -160,6 +175,15 @@ module ActiveRecord
       private
         ORIGINAL_ATTRIBUTE_PREFIX = "original_"
 
+        def _create_record(attribute_names = self.attribute_names)
+          if has_encrypted_attributes?
+            # Always persist encrypted attributes, because an attribute might be
+            # encrypting a column default value.
+            attribute_names |= self.class.encrypted_attributes.map(&:to_s)
+          end
+          super
+        end
+
         def encrypt_attributes
           validate_encryption_allowed
 
@@ -188,12 +212,12 @@ module ActiveRecord
         end
 
         def build_decrypt_attribute_assignments
-          Array(self.class.encrypted_attributes).collect do |attribute_name|
+          Array(self.class.encrypted_attributes).to_h do |attribute_name|
             type = type_for_attribute(attribute_name)
             encrypted_value = ciphertext_for(attribute_name)
             new_value = type.deserialize(encrypted_value)
             [attribute_name, new_value]
-          end.to_h
+          end
         end
 
         def cant_modify_encrypted_attributes_when_frozen

data/lib/active_record/encryption/encrypted_attribute_type.rb

@@ -20,11 +20,16 @@ module ActiveRecord
       # * <tt>:scheme</tt> - A +Scheme+ with the encryption properties for this attribute.
       # * <tt>:cast_type</tt> - A type that will be used to serialize (before encrypting) and deserialize
       #   (after decrypting). ActiveModel::Type::String by default.
-      def initialize(scheme:, cast_type: ActiveModel::Type::String.new, previous_type: false)
+      def initialize(scheme:, cast_type: ActiveModel::Type::String.new, previous_type: false, default: nil)
         super()
         @scheme = scheme
         @cast_type = cast_type
         @previous_type = previous_type
+        @default = default
+      end
+
+      def cast(value)
+        cast_type.cast(value)
       end
 
       def deserialize(value)
@@ -39,6 +44,10 @@ module ActiveRecord
         end
       end
 
+      def encrypted?(value)
+        with_context { encryptor.encrypted? value }
+      end
+
       def changed_in_place?(raw_old_value, new_value)
         old_value = raw_old_value.nil? ? nil : deserialize(raw_old_value)
         old_value != new_value
@@ -49,6 +58,10 @@ module ActiveRecord
         @previous_types[support_unencrypted_data?] ||= build_previous_types_for(previous_schemes_including_clean_text)
       end
 
+      def support_unencrypted_data?
+        ActiveRecord::Encryption.config.support_unencrypted_data && scheme.support_unencrypted_data? && !previous_type?
+      end
+
       private
         def previous_schemes_including_clean_text
           previous_schemes.including((clean_text_scheme if support_unencrypted_data?)).compact
@@ -70,7 +83,13 @@ module ActiveRecord
 
         def decrypt(value)
           with_context do
-            encryptor.decrypt(value, **decryption_options) unless value.nil?
+            unless value.nil?
+              if @default && @default == value
+                value
+              else
+                encryptor.decrypt(value, **decryption_options)
+              end
+            end
           end
         rescue ActiveRecord::Encryption::Errors::Base => error
           if previous_types_without_clean_text.blank?
@@ -120,16 +139,12 @@ module ActiveRecord
           ActiveRecord::Encryption.encryptor
         end
 
-        def support_unencrypted_data?
-          ActiveRecord::Encryption.config.support_unencrypted_data && !previous_type?
-        end
-
         def encryption_options
-          @encryption_options ||= { key_provider: key_provider, cipher_options: { deterministic: deterministic? } }.compact
+          { key_provider: key_provider, cipher_options: { deterministic: deterministic? } }.compact
         end
 
         def decryption_options
-          @decryption_options ||= { key_provider: key_provider }.compact
+          { key_provider: key_provider }.compact
         end
 
         def clean_text_scheme

data/lib/active_record/encryption/extended_deterministic_queries.rb

@@ -19,101 +19,112 @@ module ActiveRecord
     # * ActiveRecord::Base - Used in <tt>Contact.find_by_email_address(...)</tt>
     # * ActiveRecord::Relation - Used in <tt>Contact.internal.find_by_email_address(...)</tt>
     #
-    # ActiveRecord::Base relies on ActiveRecord::Relation (ActiveRecord::QueryMethods) but it does
-    # some prepared statements caching. That's why we need to intercept +ActiveRecord::Base+ as soon
-    # as it's invoked (so that the proper prepared statement is cached).
-    #
-    # When modifying this file run performance tests in +test/performance/extended_deterministic_queries_performance_test.rb+ to
-    #   make sure performance overhead is acceptable.
-    #
-    # We will extend this to support previous "encryption context" versions in future iterations
-    #
-    # @TODO Experimental. Support for every kind of query is pending
-    # @TODO It should not patch anything if not needed (no previous schemes or no support for previous encryption schemes)
+    # This module is included if `config.active_record.encryption.extend_queries` is `true`.
     module ExtendedDeterministicQueries
       def self.install_support
+        # ActiveRecord::Base relies on ActiveRecord::Relation (ActiveRecord::QueryMethods) but it does
+        # some prepared statements caching. That's why we need to intercept +ActiveRecord::Base+ as soon
+        # as it's invoked (so that the proper prepared statement is cached).
         ActiveRecord::Relation.prepend(RelationQueries)
         ActiveRecord::Base.include(CoreQueries)
         ActiveRecord::Encryption::EncryptedAttributeType.prepend(ExtendedEncryptableType)
-        Arel::Nodes::HomogeneousIn.prepend(InWithAdditionalValues)
       end
 
-      module EncryptedQueryArgumentProcessor
-        extend ActiveSupport::Concern
+      # When modifying this file run performance tests in
+      # +activerecord/test/cases/encryption/performance/extended_deterministic_queries_performance_test.rb+
+      # to make sure performance overhead is acceptable.
+      #
+      # @TODO We will extend this to support previous "encryption context" versions in future iterations
+      # @TODO Experimental. Support for every kind of query is pending
+      # @TODO It should not patch anything if not needed (no previous schemes or no support for previous encryption schemes)
+
+      module EncryptedQuery # :nodoc:
+        class << self
+          def process_arguments(owner, args, check_for_additional_values)
+            return args if owner.deterministic_encrypted_attributes&.empty?
 
-        private
-          def process_encrypted_query_arguments(args, check_for_additional_values)
             if args.is_a?(Array) && (options = args.first).is_a?(Hash)
-              self.deterministic_encrypted_attributes&.each do |attribute_name|
-                type = type_for_attribute(attribute_name)
+              options = options.transform_keys do |key|
+                if key.is_a?(Array)
+                  key.map(&:to_s)
+                else
+                  key.to_s
+                end
+              end
+              args[0] = options
+
+              owner.deterministic_encrypted_attributes&.each do |attribute_name|
+                attribute_name = attribute_name.to_s
+                type = owner.type_for_attribute(attribute_name)
                 if !type.previous_types.empty? && value = options[attribute_name]
                   options[attribute_name] = process_encrypted_query_argument(value, check_for_additional_values, type)
                 end
               end
             end
-          end
 
-          def process_encrypted_query_argument(value, check_for_additional_values, type)
-            return value if check_for_additional_values && value.is_a?(Array) && value.last.is_a?(AdditionalValue)
+            args
+          end
 
-            case value
-            when String, Array
-              list = Array(value)
-              list + list.flat_map do |each_value|
-                if check_for_additional_values && each_value.is_a?(AdditionalValue)
-                  each_value
-                else
-                  additional_values_for(each_value, type)
+          private
+            def process_encrypted_query_argument(value, check_for_additional_values, type)
+              return value if check_for_additional_values && value.is_a?(Array) && value.last.is_a?(AdditionalValue)
+
+              case value
+              when String, Array
+                list = Array(value)
+                list + list.flat_map do |each_value|
+                  if check_for_additional_values && each_value.is_a?(AdditionalValue)
+                    each_value
+                  else
+                    additional_values_for(each_value, type)
+                  end
                 end
+              else
+                value
               end
-            else
-              value
             end
-          end
 
-          def additional_values_for(value, type)
-            type.previous_types.collect do |additional_type|
-              AdditionalValue.new(value, additional_type)
+            def additional_values_for(value, type)
+              type.previous_types.collect do |additional_type|
+                AdditionalValue.new(value, additional_type)
+              end
             end
-          end
+        end
       end
 
       module RelationQueries
-        include EncryptedQueryArgumentProcessor
-
         def where(*args)
-          process_encrypted_query_arguments_if_needed(args)
-          super
+          super(*EncryptedQuery.process_arguments(self, args, true))
         end
 
         def exists?(*args)
-          process_encrypted_query_arguments_if_needed(args)
-          super
+          super(*EncryptedQuery.process_arguments(self, args, true))
         end
 
-        def find_or_create_by(attributes, &block)
-          find_by(attributes.dup) || create(attributes, &block)
-        end
+        def scope_for_create
+          return super unless klass.deterministic_encrypted_attributes&.any?
 
-        def find_or_create_by!(attributes, &block)
-          find_by(attributes.dup) || create!(attributes, &block)
-        end
+          scope_attributes = super
+          wheres = where_values_hash
 
-        private
-          def process_encrypted_query_arguments_if_needed(args)
-            process_encrypted_query_arguments(args, true) unless self.deterministic_encrypted_attributes&.empty?
+          klass.deterministic_encrypted_attributes.each do |attribute_name|
+            attribute_name = attribute_name.to_s
+            values = wheres[attribute_name]
+            if values.is_a?(Array) && values[1..].all?(AdditionalValue)
+              scope_attributes[attribute_name] = values.first
+            end
           end
+
+          scope_attributes
+        end
       end
 
       module CoreQueries
         extend ActiveSupport::Concern
 
         class_methods do
-          include EncryptedQueryArgumentProcessor
-
           def find_by(*args)
-            process_encrypted_query_arguments(args, false) unless self.deterministic_encrypted_attributes&.empty?
-            super
+            super(*EncryptedQuery.process_arguments(self, args, false))
           end
         end
       end
@@ -141,20 +152,6 @@ module ActiveRecord
           end
         end
       end
-
-      module InWithAdditionalValues
-        def proc_for_binds
-          -> value { ActiveModel::Attribute.with_cast_value(attribute.name, value, encryption_aware_type_caster) }
-        end
-
-        def encryption_aware_type_caster
-          if attribute.type_caster.is_a?(ActiveRecord::Encryption::EncryptedAttributeType)
-            attribute.type_caster.cast_type
-          else
-            attribute.type_caster
-          end
-        end
-      end
     end
   end
 end

data/lib/active_record/encryption/extended_deterministic_uniqueness_validator.rb

@@ -12,9 +12,9 @@ module ActiveRecord
           super(record, attribute, value)
 
           klass = record.class
-          klass.deterministic_encrypted_attributes&.each do |attribute_name|
-            encrypted_type = klass.type_for_attribute(attribute_name)
-            [ encrypted_type, *encrypted_type.previous_types ].each do |type|
+          if klass.deterministic_encrypted_attributes&.include?(attribute)
+            encrypted_type = klass.type_for_attribute(attribute)
+            encrypted_type.previous_types.each do |type|
               encrypted_value = type.serialize(value)
               ActiveRecord::Encryption.without_encryption do
                 super(record, attribute, encrypted_value)