attr_encrypted 1.4.0 → 2.0.0

data/lib/attr_encrypted/adapters/active_record.rb

@@ -18,9 +18,7 @@ if defined?(ActiveRecord::Base)
             attr_encrypted_options[:encode] = true
 
             class << self
-              alias_method :attr_encryptor, :attr_encrypted
               alias_method_chain :method_missing, :attr_encrypted
-              alias_method :undefine_attribute_methods, :reset_column_information if ::ActiveRecord::VERSION::STRING < "3"
             end
 
             def perform_attribute_assignment(method, new_attributes, *args)
@@ -31,7 +29,7 @@ if defined?(ActiveRecord::Base)
             end
             private :perform_attribute_assignment
 
-            if ::ActiveRecord::VERSION::STRING < "3.0" || ::ActiveRecord::VERSION::STRING > "3.1"
+            if ::ActiveRecord::VERSION::STRING > "3.1"
               def assign_attributes_with_attr_encrypted(*args)
                 perform_attribute_assignment :assign_attributes_without_attr_encrypted, *args
               end
@@ -69,10 +67,10 @@ if defined?(ActiveRecord::Base)
             # We add accessor methods of the db columns to the list of instance
             # methods returned to let ActiveRecord define the accessor methods
             # for the db columns
-            
+
             # Use with_connection so the connection doesn't stay pinned to the thread.
             connected = ::ActiveRecord::Base.connection_pool.with_connection(&:active?) rescue false
-            
+
             if connected && table_exists?
               columns_hash.keys.inject(super) {|instance_methods, column_name| instance_methods.concat [column_name.to_sym, :"#{column_name}="]}
             else
@@ -85,13 +83,13 @@ if defined?(ActiveRecord::Base)
           #
           # NOTE: This only works when the <tt>:key</tt> option is specified as a string (see the README)
           #
-          # This is useful for encrypting fields like email addresses. Your user's email addresses 
+          # This is useful for encrypting fields like email addresses. Your user's email addresses
           # are encrypted in the database, but you can still look up a user by email for logging in
           #
           # Example
           #
           #   class User < ActiveRecord::Base
-          #     attr_encrypted :email, :key => 'secret key'
+          #     attr_encrypted :email, key: 'secret key'
           #   end
           #
           #   User.find_by_email_and_password('test@example.com', 'testing')
@@ -101,8 +99,9 @@ if defined?(ActiveRecord::Base)
             if match = /^(find|scoped)_(all_by|by)_([_a-zA-Z]\w*)$/.match(method.to_s)
               attribute_names = match.captures.last.split('_and_')
               attribute_names.each_with_index do |attribute, index|
-                if attr_encrypted?(attribute)
+                if attr_encrypted?(attribute) && encrypted_attributes[attribute.to_sym][:mode] == :single_iv_and_salt
                   args[index] = send("encrypt_#{attribute}", args[index])
+                  warn "DEPRECATION WARNING: This feature will be removed in the next major release."
                   attribute_names[index] = encrypted_attributes[attribute.to_sym][:attribute]
                 end
               end
@@ -114,5 +113,6 @@ if defined?(ActiveRecord::Base)
     end
   end
 
+  ActiveRecord::Base.extend AttrEncrypted
   ActiveRecord::Base.extend AttrEncrypted::Adapters::ActiveRecord
 end

data/lib/attr_encrypted/adapters/data_mapper.rb

@@ -11,6 +11,7 @@ if defined?(DataMapper)
 
         def included_with_attr_encrypted(base)
           included_without_attr_encrypted(base)
+          base.extend AttrEncrypted
           base.attr_encrypted_options[:encode] = true
         end
       end

data/lib/attr_encrypted/adapters/sequel.rb

@@ -9,5 +9,6 @@ if defined?(Sequel)
     end
   end
 
+  Sequel::Model.extend AttrEncrypted
   Sequel::Model.extend AttrEncrypted::Adapters::Sequel
 end

data/lib/attr_encrypted/version.rb

@@ -1,8 +1,8 @@
 module AttrEncrypted
   # Contains information about this gem's version
   module Version
-    MAJOR = 1
-    MINOR = 4
+    MAJOR = 2
+    MINOR = 0
     PATCH = 0
 
     # Returns a version string by joining <tt>MAJOR</tt>, <tt>MINOR</tt>, and <tt>PATCH</tt> with <tt>'.'</tt>

data/test/active_record_test.rb

@@ -1,4 +1,4 @@
-require File.expand_path('../test_helper', __FILE__)
+require_relative 'test_helper'
 
 ActiveRecord::Base.establish_connection :adapter => 'sqlite3', :database => ':memory:'
 
@@ -28,6 +28,12 @@ def create_tables
       create_table :prime_ministers do |t|
         t.string :encrypted_name
       end
+      create_table :addresses do |t|
+        t.binary :encrypted_street
+        t.binary :encrypted_street_iv
+        t.binary :encrypted_zipcode
+        t.string :mode
+      end
     end
   end
 end
@@ -36,7 +42,6 @@ end
 create_tables
 
 ActiveRecord::MissingAttributeError = ActiveModel::MissingAttributeError unless defined?(ActiveRecord::MissingAttributeError)
-ActiveRecord::Base.logger = Logger.new(nil) if ::ActiveRecord::VERSION::STRING < "3.0"
 
 if ::ActiveRecord::VERSION::STRING > "4.0"
   module Rack
@@ -51,15 +56,9 @@ end
 class Person < ActiveRecord::Base
   self.attr_encrypted_options[:mode] = :per_attribute_iv_and_salt
   attr_encrypted :email, :key => SECRET_KEY
-  attr_encrypted :credentials, :key => Proc.new { |user| Encryptor.encrypt(:value => user.salt, :key => SECRET_KEY) }, :marshal => true
+  attr_encrypted :credentials, :key => Proc.new { |user| Encryptor.encrypt(:value => user.salt, :key => SECRET_KEY, iv: SecureRandom.random_bytes(12)) }, :marshal => true
 
-  if ActiveRecord::VERSION::STRING < "3"
-    def after_initialize
-      initialize_salt_and_credentials
-    end
-  else
-    after_initialize :initialize_salt_and_credentials
-  end
+  after_initialize :initialize_salt_and_credentials
 
   protected
 
@@ -75,7 +74,7 @@ end
 
 class PersonWithProcMode < Person
   attr_encrypted :email,       :key => SECRET_KEY, :mode => Proc.new { :per_attribute_iv_and_salt }
-  attr_encrypted :credentials, :key => SECRET_KEY, :mode => Proc.new { :single_iv_and_salt }
+  attr_encrypted :credentials, :key => SECRET_KEY, :mode => Proc.new { :single_iv_and_salt }, insecure_mode: true
 end
 
 class Account < ActiveRecord::Base
@@ -85,23 +84,30 @@ end
 
 class PersonWithSerialization < ActiveRecord::Base
   self.table_name = 'people'
-  attr_encrypted :email, :key => 'a secret key'
+  attr_encrypted :email, :key => SECRET_KEY
   serialize :password
 end
 
 class UserWithProtectedAttribute < ActiveRecord::Base
   self.table_name = 'users'
-  attr_encrypted :password, :key => 'a secret key'
+  attr_encrypted :password, :key => SECRET_KEY
   attr_protected :is_admin if ::ActiveRecord::VERSION::STRING < "4.0"
 end
 
 class PersonUsingAlias < ActiveRecord::Base
   self.table_name = 'people'
-  attr_encryptor :email, :key => 'a secret key'
+  attr_encryptor :email, :key => SECRET_KEY
 end
 
 class PrimeMinister < ActiveRecord::Base
-  attr_encrypted :name, :marshal => true, :key => 'SECRET_KEY'
+  attr_encrypted :name, :marshal => true, :key => SECRET_KEY
+end
+
+class Address < ActiveRecord::Base
+  self.attr_encrypted_options[:marshal] = false
+  self.attr_encrypted_options[:encode] = false
+  attr_encrypted :street, encode_iv: false, key: SECRET_KEY
+  attr_encrypted :zipcode, key: SECRET_KEY, mode: Proc.new { |address| address.mode.to_sym }, insecure_mode: true
 end
 
 class ActiveRecordTest < Minitest::Test
@@ -116,14 +122,14 @@ class ActiveRecordTest < Minitest::Test
     @person = Person.create :email => 'test@example.com'
     refute_nil @person.encrypted_email
     refute_equal @person.email, @person.encrypted_email
-    assert_equal @person.email, Person.find(:first).email
+    assert_equal @person.email, Person.first.email
   end
 
   def test_should_marshal_and_encrypt_credentials
     @person = Person.create
     refute_nil @person.encrypted_credentials
     refute_equal @person.credentials, @person.encrypted_credentials
-    assert_equal @person.credentials, Person.find(:first).credentials
+    assert_equal @person.credentials, Person.first.credentials
   end
 
   def test_should_encode_by_default
@@ -155,6 +161,7 @@ class ActiveRecordTest < Minitest::Test
   end
 
   def test_should_set_attributes_regardless_of_arguments_order
+    # minitest does not implement `assert_nothing_raised` https://github.com/seattlerb/minitest/issues/112
     Account.new.attributes = { :password => "password" , :key => SECRET_KEY }
   end
 
@@ -263,7 +270,7 @@ class ActiveRecordTest < Minitest::Test
 
     refute_nil user.encrypted_email
     refute_equal user.email, user.encrypted_email
-    assert_equal user.email, PersonUsingAlias.find(:first).email
+    assert_equal user.email, PersonUsingAlias.first.email
   end
 
   # See https://github.com/attr-encrypted/attr_encrypted/issues/68
@@ -278,4 +285,19 @@ class ActiveRecordTest < Minitest::Test
     assert_equal pm, result
     assert_equal 'Winston Churchill', pm.name
   end
+
+  def test_should_save_encrypted_data_as_binary
+    street = '123 Elm'
+    address = Address.new(street: street)
+    address.save!
+    refute_equal address.encrypted_street, street
+    assert_equal Address.first.street, street
+  end
+
+  def test_should_evaluate_proc_based_mode
+    street = '123 Elm'
+    zipcode = '12345'
+    address = Address.new(street: street, zipcode: zipcode, mode: :single_iv_and_salt)
+    assert_nil address.encrypted_zipcode_iv
+  end
 end

data/test/attr_encrypted_test.rb

@@ -1,5 +1,5 @@
 # encoding: UTF-8
-require File.expand_path('../test_helper', __FILE__)
+require_relative 'test_helper'
 
 class SillyEncryptor
   def self.silly_encrypt(options)
@@ -12,6 +12,7 @@ class SillyEncryptor
 end
 
 class User
+  extend AttrEncrypted
   self.attr_encrypted_options[:key] = Proc.new { |user| SECRET_KEY } # default key
   self.attr_encrypted_options[:mode] = :per_attribute_iv_and_salt
 
@@ -33,7 +34,8 @@ class User
   attr_accessor :salt
   attr_accessor :should_encrypt
 
-  def initialize
+  def initialize(email: nil)
+    self.email = email
     self.salt = Time.now.to_i.to_s
     self.should_encrypt = true
   end
@@ -48,19 +50,40 @@ class Admin < User
 end
 
 class SomeOtherClass
+  extend AttrEncrypted
   def self.call(object)
     object.class
   end
 end
 
+class YetAnotherClass
+  extend AttrEncrypted
+  self.attr_encrypted_options[:encode_iv] = false
+
+  attr_encrypted :email, :key => SECRET_KEY
+  attr_encrypted :phone_number, :key => SECRET_KEY, mode: Proc.new { |thing| thing.mode }, encode_iv: Proc.new { |thing| thing.encode_iv }, encode_salt: Proc.new { |thing| thing.encode_salt }
+
+  def initialize(email: nil, encode_iv: 'm', encode_salt: 'm', mode: :per_attribute_iv_and_salt)
+    self.email = email
+    @encode_iv = encode_iv
+    @encode_salt = encode_salt
+    @mode = mode
+  end
+
+  attr_reader :encode_iv, :encode_salt, :mode
+end
+
 class AttrEncryptedTest < Minitest::Test
+  def setup
+    @iv = SecureRandom.random_bytes(12)
+  end
 
   def test_should_store_email_in_encrypted_attributes
     assert User.encrypted_attributes.include?(:email)
   end
 
   def test_should_not_store_salt_in_encrypted_attributes
-    assert !User.encrypted_attributes.include?(:salt)
+    refute User.encrypted_attributes.include?(:salt)
   end
 
   def test_attr_encrypted_should_return_true_for_email
@@ -88,16 +111,16 @@ class AttrEncryptedTest < Minitest::Test
   end
 
   def test_should_not_encrypt_nil_value
-    assert_nil User.encrypt_email(nil)
+    assert_nil User.encrypt_email(nil, iv: @iv)
   end
 
   def test_should_not_encrypt_empty_string
-    assert_equal '', User.encrypt_email('')
+    assert_equal '', User.encrypt_email('', iv: @iv)
   end
 
   def test_should_encrypt_email
-    refute_nil User.encrypt_email('test@example.com')
-    refute_equal 'test@example.com', User.encrypt_email('test@example.com')
+    refute_nil User.encrypt_email('test@example.com', iv: @iv)
+    refute_equal 'test@example.com', User.encrypt_email('test@example.com', iv: @iv)
   end
 
   def test_should_encrypt_email_when_modifying_the_attr_writer
@@ -105,48 +128,52 @@ class AttrEncryptedTest < Minitest::Test
     assert_nil @user.encrypted_email
     @user.email = 'test@example.com'
     refute_nil @user.encrypted_email
-    assert_equal User.encrypt_email('test@example.com'), @user.encrypted_email
+    iv = @user.encrypted_email_iv.unpack('m').first
+    salt = @user.encrypted_email_salt[1..-1].unpack('m').first
+    assert_equal User.encrypt_email('test@example.com', iv: iv, salt: salt), @user.encrypted_email
   end
 
   def test_should_not_decrypt_nil_value
-    assert_nil User.decrypt_email(nil)
+    assert_nil User.decrypt_email(nil, iv: @iv)
   end
 
   def test_should_not_decrypt_empty_string
-    assert_equal '', User.decrypt_email('')
+    assert_equal '', User.decrypt_email('', iv: @iv)
   end
 
   def test_should_decrypt_email
-    encrypted_email = User.encrypt_email('test@example.com')
+    encrypted_email = User.encrypt_email('test@example.com', iv: @iv)
     refute_equal 'test@test.com', encrypted_email
-    assert_equal 'test@example.com', User.decrypt_email(encrypted_email)
+    assert_equal 'test@example.com', User.decrypt_email(encrypted_email, iv: @iv)
   end
 
   def test_should_decrypt_email_when_reading
     @user = User.new
     assert_nil @user.email
-    @user.encrypted_email = User.encrypt_email('test@example.com')
+    iv = @user.encrypted_email_iv.unpack('m').first
+    salt = @user.encrypted_email_salt[1..-1].unpack('m').first
+    @user.encrypted_email = User.encrypt_email('test@example.com', iv: iv, salt: salt)
     assert_equal 'test@example.com', @user.email
   end
 
   def test_should_encrypt_with_encoding
-    assert_equal User.encrypt_with_encoding('test'), [User.encrypt_without_encoding('test')].pack('m')
+    assert_equal User.encrypt_with_encoding('test', iv: @iv), [User.encrypt_without_encoding('test', iv: @iv)].pack('m')
   end
 
   def test_should_decrypt_with_encoding
-    encrypted = User.encrypt_with_encoding('test')
-    assert_equal 'test', User.decrypt_with_encoding(encrypted)
-    assert_equal User.decrypt_with_encoding(encrypted), User.decrypt_without_encoding(encrypted.unpack('m').first)
+    encrypted = User.encrypt_with_encoding('test', iv: @iv)
+    assert_equal 'test', User.decrypt_with_encoding(encrypted, iv: @iv)
+    assert_equal User.decrypt_with_encoding(encrypted, iv: @iv), User.decrypt_without_encoding(encrypted.unpack('m').first, iv: @iv)
   end
 
   def test_should_encrypt_with_custom_encoding
-    assert_equal User.encrypt_with_encoding('test'), [User.encrypt_without_encoding('test')].pack('m')
+    assert_equal User.encrypt_with_encoding('test', iv: @iv), [User.encrypt_without_encoding('test', iv: @iv)].pack('m')
   end
 
   def test_should_decrypt_with_custom_encoding
-    encrypted = User.encrypt_with_encoding('test')
-    assert_equal 'test', User.decrypt_with_encoding(encrypted)
-    assert_equal User.decrypt_with_encoding(encrypted), User.decrypt_without_encoding(encrypted.unpack('m').first)
+    encrypted = User.encrypt_with_encoding('test', iv: @iv)
+    assert_equal 'test', User.decrypt_with_encoding(encrypted, iv: @iv)
+    assert_equal User.decrypt_with_encoding(encrypted, iv: @iv), User.decrypt_without_encoding(encrypted.unpack('m').first, iv: @iv)
   end
 
   def test_should_encrypt_with_marshaling
@@ -164,7 +191,7 @@ class AttrEncryptedTest < Minitest::Test
     assert_nil @user.ssn_encrypted
     @user.ssn = 'testing'
     refute_nil @user.ssn_encrypted
-    encrypted =  Encryptor.encrypt(:value => 'testing', :key => SECRET_KEY, :iv => @user.ssn_encrypted_iv.unpack("m").first, :salt => @user.ssn_encrypted_salt )
+    encrypted =  Encryptor.encrypt(:value => 'testing', :key => SECRET_KEY, :iv => @user.ssn_encrypted_iv.unpack("m").first, :salt => @user.ssn_encrypted_salt.unpack("m").first )
     assert_equal encrypted, @user.ssn_encrypted
   end
 
@@ -173,7 +200,7 @@ class AttrEncryptedTest < Minitest::Test
     assert_nil @user.crypted_password_test
     @user.password = 'testing'
     refute_nil @user.crypted_password_test
-    encrypted = Encryptor.encrypt(:value => 'testing', :key => SECRET_KEY, :iv => @user.crypted_password_test_iv.unpack("m").first, :salt =>  @user.crypted_password_test_salt)
+    encrypted = Encryptor.encrypt(:value => 'testing', :key => SECRET_KEY, :iv => @user.crypted_password_test_iv.unpack("m").first, :salt =>  @user.crypted_password_test_salt.unpack("m").first)
     assert_equal encrypted, @user.crypted_password_test
   end
 
@@ -182,7 +209,7 @@ class AttrEncryptedTest < Minitest::Test
     assert_nil @user.crypted_password_test
     @user.password = 'testing'
     refute_nil @user.crypted_password_test
-    encrypted = Encryptor.encrypt(:value => 'testing', :key => SECRET_KEY, :iv => @user.crypted_password_test_iv.unpack("m").first, :salt => @user.crypted_password_test_salt)
+    encrypted = Encryptor.encrypt(:value => 'testing', :key => SECRET_KEY, :iv => @user.crypted_password_test_iv.unpack("m").first, :salt => @user.crypted_password_test_salt.unpack("m").first)
     assert_equal encrypted, @user.crypted_password_test
   end
 
@@ -201,23 +228,24 @@ class AttrEncryptedTest < Minitest::Test
   end
 
   def test_should_evaluate_a_symbol_option
-    assert_equal Object, Object.new.send(:evaluate_attr_encrypted_option, :class)
+    assert_equal SomeOtherClass, SomeOtherClass.new.send(:evaluate_attr_encrypted_option, :class)
   end
 
   def test_should_evaluate_a_proc_option
-    assert_equal Object, Object.new.send(:evaluate_attr_encrypted_option, proc { |object| object.class })
+    assert_equal SomeOtherClass, SomeOtherClass.new.send(:evaluate_attr_encrypted_option, proc { |object| object.class })
   end
 
   def test_should_evaluate_a_lambda_option
-    assert_equal Object, Object.new.send(:evaluate_attr_encrypted_option, lambda { |object| object.class })
+    assert_equal SomeOtherClass, SomeOtherClass.new.send(:evaluate_attr_encrypted_option, lambda { |object| object.class })
   end
 
   def test_should_evaluate_a_method_option
-    assert_equal Object, Object.new.send(:evaluate_attr_encrypted_option, SomeOtherClass.method(:call))
+    assert_equal SomeOtherClass, SomeOtherClass.new.send(:evaluate_attr_encrypted_option, SomeOtherClass.method(:call))
   end
 
   def test_should_return_a_string_option
-    assert_equal 'Object', Object.new.send(:evaluate_attr_encrypted_option, 'Object')
+    class_string = 'SomeOtherClass'
+    assert_equal class_string, SomeOtherClass.new.send(:evaluate_attr_encrypted_option, class_string)
   end
 
   def test_should_encrypt_with_true_if
@@ -225,7 +253,7 @@ class AttrEncryptedTest < Minitest::Test
     assert_nil @user.encrypted_with_true_if
     @user.with_true_if = 'testing'
     refute_nil @user.encrypted_with_true_if
-    encrypted = Encryptor.encrypt(:value => 'testing', :key => SECRET_KEY, :iv => @user.encrypted_with_true_if_iv.unpack("m").first, :salt => @user.encrypted_with_true_if_salt)
+    encrypted = Encryptor.encrypt(:value => 'testing', :key => SECRET_KEY, :iv => @user.encrypted_with_true_if_iv.unpack("m").first, :salt => @user.encrypted_with_true_if_salt.unpack("m").first)
     assert_equal encrypted, @user.encrypted_with_true_if
   end
 
@@ -242,7 +270,7 @@ class AttrEncryptedTest < Minitest::Test
     assert_nil @user.encrypted_with_false_unless
     @user.with_false_unless = 'testing'
     refute_nil @user.encrypted_with_false_unless
-    encrypted = Encryptor.encrypt(:value => 'testing', :key => SECRET_KEY, :iv => @user.encrypted_with_false_unless_iv.unpack("m").first, :salt => @user.encrypted_with_false_unless_salt)
+    encrypted = Encryptor.encrypt(:value => 'testing', :key => SECRET_KEY, :iv => @user.encrypted_with_false_unless_iv.unpack("m").first, :salt => @user.encrypted_with_false_unless_salt.unpack("m").first)
     assert_equal encrypted,  @user.encrypted_with_false_unless
   end
 
@@ -261,11 +289,6 @@ class AttrEncryptedTest < Minitest::Test
   def test_should_always_reset_options
     @user = User.new
     @user.with_if_changed = "encrypt_stuff"
-    @user.stubs(:instance_variable_get).returns(nil)
-    @user.stubs(:instance_variable_set).raises("BadStuff")
-    assert_raises RuntimeError do
-      @user.with_if_changed
-    end
 
     @user = User.new
     @user.should_encrypt = false
@@ -275,9 +298,9 @@ class AttrEncryptedTest < Minitest::Test
   end
 
   def test_should_cast_values_as_strings_before_encrypting
-    string_encrypted_email = User.encrypt_email('3')
-    assert_equal string_encrypted_email, User.encrypt_email(3)
-    assert_equal '3', User.decrypt_email(string_encrypted_email)
+    string_encrypted_email = User.encrypt_email('3', iv: @iv)
+    assert_equal string_encrypted_email, User.encrypt_email(3, iv: @iv)
+    assert_equal '3', User.decrypt_email(string_encrypted_email, iv: @iv)
   end
 
   def test_should_create_query_accessor
@@ -296,12 +319,18 @@ class AttrEncryptedTest < Minitest::Test
     refute_equal @user.encrypted_email_iv, @user.crypted_password_test_iv
   end
 
+  def test_should_generate_iv_per_attribute_by_default
+    thing = YetAnotherClass.new(email: 'thing@thing.com')
+    refute_nil thing.encrypted_email_iv
+  end
+
   def test_should_vary_iv_per_instance
     @user1 = User.new
     @user1.email = 'email@example.com'
     @user2 = User.new
     @user2.email = 'email@example.com'
     refute_equal @user1.encrypted_email_iv, @user2.encrypted_email_iv
+    refute_equal @user1.encrypted_email, @user2.encrypted_email
   end
 
   def test_should_vary_salt_per_attribute
@@ -319,6 +348,11 @@ class AttrEncryptedTest < Minitest::Test
     refute_equal @user1.encrypted_email_salt, @user2.encrypted_email_salt
   end
 
+  def test_should_not_generate_salt_per_attribute_by_default
+    thing = YetAnotherClass.new(email: 'thing@thing.com')
+    assert_nil thing.encrypted_email_salt
+  end
+
   def test_should_decrypt_second_record
     @user1 = User.new
     @user1.email = 'test@example.com'
@@ -328,4 +362,32 @@ class AttrEncryptedTest < Minitest::Test
 
     assert_equal 'test@example.com', @user1.decrypt(:email, @user1.encrypted_email)
   end
+
+  def test_should_specify_the_default_algorithm
+    assert YetAnotherClass.encrypted_attributes[:email][:algorithm]
+    assert_equal YetAnotherClass.encrypted_attributes[:email][:algorithm], 'aes-256-gcm'
+  end
+
+  def test_should_not_encode_iv_when_encode_iv_is_false
+    email = 'thing@thing.com'
+    thing = YetAnotherClass.new(email: email)
+    refute thing.encrypted_email_iv =~ base64_encoding_regex
+    assert_equal thing.email, email
+  end
+
+  def test_should_base64_encode_iv_by_default
+    phone_number = '555-555-5555'
+    thing = YetAnotherClass.new
+    thing.phone_number = phone_number
+    assert thing.encrypted_phone_number_iv =~ base64_encoding_regex
+    assert_equal thing.phone_number, phone_number
+  end
+
+  def test_should_generate_unique_iv_for_every_encrypt_operation
+    user = User.new
+    user.email = 'initial_value@test.com'
+    original_iv = user.encrypted_email_iv
+    user.email = 'revised_value@test.com'
+    refute_equal original_iv, user.encrypted_email_iv
+  end
 end