attr_encrypted 1.4.0 → 2.0.0

data/test/sequel_test.rb

@@ -1,4 +1,4 @@
-require File.expand_path('../test_helper', __FILE__)
+require_relative 'test_helper'
 
 DB.create_table :humans do
   primary_key :id

data/test/test_helper.rb

@@ -1,35 +1,42 @@
-if RUBY_VERSION >= '1.9.3'
-  require 'simplecov'
-  require 'simplecov-rcov'
+require 'simplecov'
+require 'simplecov-rcov'
+require "codeclimate-test-reporter"
 
-  SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter[
+SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter.new(
+  [
     SimpleCov::Formatter::HTMLFormatter,
     SimpleCov::Formatter::RcovFormatter,
+    CodeClimate::TestReporter::Formatter
   ]
+)
 
-  SimpleCov.start do
-    add_filter 'test'
-  end
+SimpleCov.start do
+  add_filter 'test'
 end
 
+CodeClimate::TestReporter.start
+
 require 'minitest/autorun'
-require 'digest/sha2'
-require 'rubygems'
-gem 'activerecord', ENV['ACTIVE_RECORD_VERSION'] if ENV['ACTIVE_RECORD_VERSION']
+
+# Rails 4.0.x pins to an old minitest
+unless defined?(MiniTest::Test)
+  MiniTest::Test = MiniTest::Unit::TestCase
+end
+
 require 'active_record'
 require 'data_mapper'
+require 'digest/sha2'
 require 'sequel'
-require 'mocha/test_unit'
 
 $:.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $:.unshift(File.dirname(__FILE__))
 require 'attr_encrypted'
 
-puts "\nTesting with ActiveRecord #{ActiveRecord::VERSION::STRING rescue ENV['ACTIVE_RECORD_VERSION']}"
-
-Minitest::Test = Minitest::Unit::TestCase if ActiveRecord::VERSION::STRING >= '4.0.0'
-
-DB = Sequel.sqlite
+DB = if defined?(RUBY_ENGINE) && RUBY_ENGINE.to_sym == :jruby
+  Sequel.jdbc('jdbc:sqlite::memory:')
+else
+  Sequel.sqlite
+end
 
 # The :after_initialize hook was removed in Sequel 4.0
 # and had been deprecated for a while before that:
@@ -37,5 +44,8 @@ DB = Sequel.sqlite
 # This plugin re-enables it.
 Sequel::Model.plugin :after_initialize
 
-SECRET_KEY = 4.times.map { Digest::SHA256.hexdigest((Time.now.to_i * rand(5)).to_s) }.join
+SECRET_KEY = SecureRandom.random_bytes(32)
 
+def base64_encoding_regex
+  /^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: attr_encrypted
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Sean Huber
@@ -10,7 +10,29 @@ authors:
 - Stephen Aghaulor
 autorequire: 
 bindir: bin
-cert_chain: []
+cert_chain:
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIDdDCCAlygAwIBAgIBATANBgkqhkiG9w0BAQUFADBAMRIwEAYDVQQDDAlzYWdo
+  YXVsb3IxFTATBgoJkiaJk/IsZAEZFgVnbWFpbDETMBEGCgmSJomT8ixkARkWA2Nv
+  bTAeFw0xNjAxMTEyMjQyMDFaFw0xNzAxMTAyMjQyMDFaMEAxEjAQBgNVBAMMCXNh
+  Z2hhdWxvcjEVMBMGCgmSJomT8ixkARkWBWdtYWlsMRMwEQYKCZImiZPyLGQBGRYD
+  Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx0xdQYk2GwCpQ1n/
+  n2mPVYHLYqU5TAn/82t5kbqBUWjbcj8tHAi41tJ19+fT/hH0dog8JHvho1zmOr71
+  ZIqreJQo60TqP6oE9a5HncUpjqbRp7tOmHo9E+mOW1yT4NiXqFf1YINExQKy2XND
+  WPQ+T50ZNUsGMfHFWB4NAymejRWXlOEY3bvKW0UHFeNmouP5he51TjoP8uCc9536
+  4AIWVP/zzzjwrFtC7av7nRw4Y+gX2bQjrkK2k2JS0ejiGzKBIEMJejcI2B+t79zT
+  kUQq9SFwp2BrKSIy+4kh4CiF20RT/Hfc1MbvTxSIl/bbIxCYEOhmtHExHi0CoCWs
+  YCGCXQIDAQABo3kwdzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIEsDAdBgNVHQ4EFgQU
+  SCpVzSBvYbO6B3oT3n3RCZmurG8wHgYDVR0RBBcwFYETc2FnaGF1bG9yQGdtYWls
+  LmNvbTAeBgNVHRIEFzAVgRNzYWdoYXVsb3JAZ21haWwuY29tMA0GCSqGSIb3DQEB
+  BQUAA4IBAQAeiGdC3e0WiZpm0cF/b7JC6hJYXC9Yv9VsRAWD9ROsLjFKwOhmonnc
+  +l/QrmoTjMakYXBCai/Ca3L+k5eRrKilgyITILsmmFxK8sqPJXUw2Jmwk/dAky6x
+  hHKVZAofT1OrOOPJ2USoZyhR/VI8epLaD5wUmkVDNqtZWviW+dtRa55aPYjRw5Pj
+  wuj9nybhZr+BbEbmZE//2nbfkM4hCuMtxxxilPrJ22aYNmeWU0wsPpDyhPYxOUgU
+  ZjeLmnSDiwL6doiP5IiwALH/dcHU67ck3NGf6XyqNwQrrmtPY0mv1WVVL4Uh+vYE
+  kHoFzE2no0BfBg78Re8fY69P5yES5ncC
+  -----END CERTIFICATE-----
 date: 2016-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -19,14 +41,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.0
+        version: 2.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.0
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
@@ -42,19 +64,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 2.0.0
 - !ruby/object:Gem::Dependency
-  name: minitest
+  name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: datamapper
   requirement: !ruby/object:Gem::Requirement
@@ -70,33 +92,33 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: addressable
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.3.7
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.3.7
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: mocha
+  name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: sequel
   requirement: !ruby/object:Gem::Requirement
@@ -140,21 +162,21 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 0.9.2.2
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 0.9.2.2
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: simplecov
+  name: simplecov-rcov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -168,7 +190,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: simplecov-rcov
+  name: codeclimate-test-reporter
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -183,7 +205,7 @@ dependencies:
         version: '0'
 description: Generates attr_accessors that encrypt and decrypt attributes transparently
 email:
-- shuber@huberry.com
+- seah@shuber.io
 - sbfaulkner@gmail.com
 - billy.monk@gmail.com
 - saghaulor@gmail.com
@@ -191,9 +213,15 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".gitignore"
+- ".travis.yml"
+- CHANGELOG.md
+- Gemfile
 - MIT-LICENSE
-- README.rdoc
+- README.md
 - Rakefile
+- attr_encrypted.gemspec
+- certs/saghaulor.pem
 - lib/attr_encrypted.rb
 - lib/attr_encrypted/adapters/active_record.rb
 - lib/attr_encrypted/adapters/data_mapper.rb
@@ -214,7 +242,13 @@ files:
 homepage: http://github.com/attr-encrypted/attr_encrypted
 licenses: []
 metadata: {}
-post_install_message: 
+post_install_message: |2+
+
+
+
+  WARNING: Several insecure default options and features have been deprecated in attr_encrypted v2.0.0. Please see the README for more details.
+
+
 rdoc_options:
 - "--line-numbers"
 - "--inline-source"
@@ -226,7 +260,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="

metadata.gz.sig

@@ -0,0 +1,2 @@
+�7$	��nK4��닊x��W���h�ꘑ���88��h�1a��F�D.�X��$~b؛�
+2/.J�ڐ\�H�;F]��	���_����JkpQ�

data/README.rdoc

@@ -1,344 +0,0 @@
-= attr_encrypted {<img src="https://travis-ci.org/attr-encrypted/attr_encrypted.png" />}[https://travis-ci.org/attr-encrypted/attr_encrypted]
-
-Generates attr_accessors that encrypt and decrypt attributes transparently
-
-It works with ANY class, however, you get a few extra features when you're using it with <tt>ActiveRecord</tt>, <tt>DataMapper</tt>, or <tt>Sequel</tt>
-
-
-== Installation
-
-  gem install attr_encrypted
-
-
-== Usage
-
-=== Basic
-
-Encrypting attributes has never been easier:
-
-  class User
-    attr_accessor :name
-    attr_encrypted :ssn, :key => 'a secret key'
-  
-    def load
-      # loads the stored data
-    end
-  
-    def save
-      # saves the :name and :encrypted_ssn attributes somewhere (e.g. filesystem, database, etc)
-    end
-  end
-  
-  @user = User.new
-  @user.ssn = '123-45-6789'
-  @user.encrypted_ssn # returns the encrypted version of :ssn
-  @user.save
-  
-  @user = User.load
-  @user.ssn # decrypts :encrypted_ssn and returns '123-45-6789'
-
-The <tt>attr_encrypted</tt> method is also aliased as <tt>attr_encryptor</tt> to conform to Ruby's <tt>attr_</tt> naming conventions. I should have called this project <tt>attr_encryptor</tt> but it was too late when I realized it ='(.
-
-=== Adding required columns via database migration
-
-By default, <tt>attr_encrypted</tt> uses the <tt>:single_iv_and_salt</tt>
-encryption mode for compatibility with previous versions of the gem. This mode
-uses a single IV and salt for each encrypted column. Create or modify your model
-to add a column with the <tt>encrypted_</tt> prefix (which can be modified, see
-below), e.g. <tt>encrypted_ssn</tt> via a migration like the following:
-
-  create_table :users do |t|
-    t.string :name
-    t.string :encrypted_ssn
-    t.timestamps
-  end
-
-For enhanced security, you can use the <tt>:per_attribute_iv_and_salt</tt> mode.
-This requires additional <tt>_salt</tt> and <tt>_iv</tt> columns with the
-<tt>encrypted_</tt> prefix as follows and generates a unique salt and IV per
-attribute:
-
-  create_table :users do |t|
-    t.string :name
-    t.string :encrypted_ssn
-    t.string :encrypted_ssn_salt
-    t.string :encrypted_ssn_iv
-    t.string :domain
-    t.timestamps
-  end
-
-This mode is enabled by specifying a value of <tt>:per_attribute_iv_and_salt</tt>
-via the <tt>:mode</tt> option as follows:
-
-  class User
-    attr_accessor :name
-    attr_encrypted :ssn, :key => 'a secret key', :mode => :per_attribute_iv_and_salt
-  end
-
-Note that there are alternatives to storing the IV and salt in separate columns:
-for example, see here[https://github.com/attr-encrypted/attr_encrypted/issues/118#issuecomment-45806629].
-Note that migration from the old encryption scheme to the new is nontrivial. One
-approach is described here[http://jjasonclark.com/switching_from_attr_encrypted_to_attr_encryptor],
-though these instructions describe the now-defunct <tt>attr_encryptor</tt> gem
-whose functionality has been merged into this project.
-
-=== Specifying the encrypted attribute name
-
-By default, the encrypted attribute name is <tt>encrypted_#{attribute}</tt> (e.g. <tt>attr_encrypted :email</tt> would create an attribute named <tt>encrypted_email</tt>). So, if you're storing the encrypted attribute in the database, you need to make sure the <tt>encrypted_#{attribute}</tt> field exists in your table. You have a couple of options if you want to name your attribute something else.
-
-
-==== The <tt>:attribute</tt> option
-
-You can simply pass the name of the encrypted attribute as the <tt>:attribute</tt> option:
-
-  class User
-    attr_encrypted :email, :key => 'a secret key', :attribute => 'email_encrypted'
-  end
-
-This would generate an attribute named <tt>email_encrypted</tt>
-
-
-==== The <tt>:prefix</tt> and <tt>:suffix</tt> options
-
-If you're planning on encrypting a few different attributes and you don't like the <tt>encrypted_#{attribute}</tt> naming convention then you can specify your own:
-
-  class User
-    attr_encrypted :email, :credit_card, :ssn, :key => 'a secret key', :prefix => 'secret_', :suffix => '_crypted'
-  end
-
-This would generate the following attributes: <tt>secret_email_crypted</tt>, <tt>secret_credit_card_crypted</tt>, and <tt>secret_ssn_crypted</tt>.
-
-
-=== Encryption keys
-
-Although a <tt>:key</tt> option may not be required (see custom encryptor below), it has a few special features
-
-
-==== Unique keys for each attribute
-
-You can specify unique keys for each attribute if you'd like:
-
-  class User
-    attr_encrypted :email, :key => 'a secret key'
-    attr_encrypted :ssn, :key => 'a different secret key'
-  end
-
-
-==== Symbols representing instance methods as keys
-
-If your class has an instance method that determines the encryption key to use, simply pass a symbol representing it like so:
-
-  class User
-    attr_encrypted :email, :key => :encryption_key
-  
-    def encryption_key
-      # does some fancy logic and returns an encryption key
-    end
-  end
-
-
-==== Procs as keys
-
-You can pass a proc/lambda object as the <tt>:key</tt> option as well:
-
-  class User
-    attr_encrypted :email, :key => proc { |user| user.key }
-  end
-
-This can be used to create asymmetrical encryption by requiring users to provide their own encryption keys.
-
-
-=== Conditional encrypting
-
-There may be times that you want to only encrypt when certain conditions are met. For example maybe you're using rails and you don't want to encrypt 
-attributes when you're in development mode. You can specify conditions like this:
-
-  class User < ActiveRecord::Base
-    attr_encrypted :email, :key => 'a secret key', :unless => Rails.env.development?
-  end
-
-You can specify both <tt>:if</tt> and <tt>:unless</tt> options. If you pass a symbol representing an instance method then the result of the method will be evaluated. Any objects that respond to <tt>:call</tt> are evaluated as well.
-
-
-=== Custom encryptor
-
-The <tt>Encryptor</tt> (see http://github.com/shuber/encryptor) class is used by default. You may use your own custom encryptor by specifying
-the <tt>:encryptor</tt>, <tt>:encrypt_method</tt>, and <tt>:decrypt_method</tt> options
-
-Lets suppose you'd like to use this custom encryptor class:
-
-  class SillyEncryptor
-    def self.silly_encrypt(options)
-      (options[:value] + options[:secret_key]).reverse
-    end
-  
-    def self.silly_decrypt(options)
-      options[:value].reverse.gsub(/#{options[:secret_key]}$/, '')
-    end
-  end
-
-Simply set up your class like so:
-
-  class User
-    attr_encrypted :email, :secret_key => 'a secret key', :encryptor => SillyEncryptor, :encrypt_method => :silly_encrypt, :decrypt_method => :silly_decrypt
-  end
-
-Any options that you pass to <tt>attr_encrypted</tt> will be passed to the encryptor along with the <tt>:value</tt> option which contains the string to encrypt/decrypt. Notice it uses <tt>:secret_key</tt> instead of <tt>:key</tt>.
-
-
-=== Custom algorithms
-
-The default <tt>Encryptor</tt> uses the standard ruby OpenSSL library. It's default algorithm is <tt>aes-256-cbc</tt>. You can modify this by passing the <tt>:algorithm</tt> option to the <tt>attr_encrypted</tt> call like so:
-
-  class User
-    attr_encrypted :email, :key => 'a secret key', :algorithm => 'bf'
-  end
-
-Run <tt>openssl list-cipher-commands</tt> to view a list of algorithms supported on your platform. See http://github.com/shuber/encryptor for more information.
-
-  aes-128-cbc
-  aes-128-ecb
-  aes-192-cbc
-  aes-192-ecb
-  aes-256-cbc
-  aes-256-ecb
-  base64
-  bf
-  bf-cbc
-  bf-cfb
-  bf-ecb
-  bf-ofb
-  cast
-  cast-cbc
-  cast5-cbc
-  cast5-cfb
-  cast5-ecb
-  cast5-ofb
-  des
-  des-cbc
-  des-cfb
-  des-ecb
-  des-ede
-  des-ede-cbc
-  des-ede-cfb
-  des-ede-ofb
-  des-ede3
-  des-ede3-cbc
-  des-ede3-cfb
-  des-ede3-ofb
-  des-ofb
-  des3
-  desx
-  idea
-  idea-cbc
-  idea-cfb
-  idea-ecb
-  idea-ofb
-  rc2
-  rc2-40-cbc
-  rc2-64-cbc
-  rc2-cbc
-  rc2-cfb
-  rc2-ecb
-  rc2-ofb
-  rc4
-  rc4-40
-
-
-=== Default options
-
-Let's imagine that you have a few attributes that you want to encrypt with different keys, but you don't like the <tt>encrypted_#{attribute}</tt> naming convention. Instead of having to define your class like this:
-
-  class User
-    attr_encrypted :email, :key => 'a secret key', :prefix => '', :suffix => '_crypted'
-    attr_encrypted :ssn, :key => 'a different secret key', :prefix => '', :suffix => '_crypted'
-    attr_encrypted :credit_card, :key => 'another secret key', :prefix => '', :suffix => '_crypted'
-  end
-
-You can simply define some default options like so:
-
-  class User
-    attr_encrypted_options.merge!(:prefix => '', :suffix => '_crypted')
-    attr_encrypted :email, :key => 'a secret key'
-    attr_encrypted :ssn, :key => 'a different secret key'
-    attr_encrypted :credit_card, :key => 'another secret key'
-  end
-
-This should help keep your classes clean and DRY.
-
-
-=== Encoding
-
-You're probably going to be storing your encrypted attributes somehow (e.g. filesystem, database, etc) and may run into some issues trying to store a weird
-encrypted string. I've had this problem myself using MySQL. You can simply pass the <tt>:encode</tt> option to automatically encode/decode when encrypting/decrypting.
-
-  class User
-    attr_encrypted :email, :key => 'some secret key', :encode => true
-  end
-
-The default encoding is <tt>m*</tt> (base64). You can change this by setting <tt>:encode => 'some encoding'</tt>. See the <tt>Array#pack</tt> method at http://www.ruby-doc.org/core/classes/Array.html#M002245 for more encoding options.
-
-
-=== Marshaling
-
-You may want to encrypt objects other than strings (e.g. hashes, arrays, etc). If this is the case, simply pass the <tt>:marshal</tt> option to automatically marshal when encrypting/decrypting.
-
-  class User
-    attr_encrypted :credentials, :key => 'some secret key', :marshal => true
-  end
-
-You may also optionally specify <tt>:marshaler</tt>, <tt>:dump_method</tt>, and <tt>:load_method</tt> if you want to use something other than the default <tt>Marshal</tt> object.
-
-
-=== Encrypt/decrypt attribute methods
-
-If you use the same key to encrypt every record (per attribute) like this:
-
-  class User
-    attr_encrypted :email, :key => 'a secret key'
-  end
-
-Then you'll have these two class methods available for each attribute: <tt>User.encrypt_email(email_to_encrypt)</tt> and <tt>User.decrypt_email(email_to_decrypt)</tt>. This can be useful when you're using <tt>ActiveRecord</tt> (see below).
-
-
-=== ActiveRecord
-
-If you're using this gem with <tt>ActiveRecord</tt>, you get a few extra features:
-
-
-==== Default options
-
-For your convenience, the <tt>:encode</tt> option is set to true by default since you'll be storing everything in a database.
-
-
-==== Dynamic find_by_ and scoped_by_ methods
-
-Let's say you'd like to encrypt your user's email addresses, but you also need a way for them to login. Simply set up your class like so:
-
-  class User < ActiveRecord::Base
-    attr_encrypted :email, :key => 'a secret key'
-    attr_encrypted :password, :key => 'some other secret key'
-  end
-
-You can now lookup and login users like so:
-
-  User.find_by_email_and_password('test@example.com', 'testing')
-
-The call to <tt>find_by_email_and_password</tt> is intercepted and modified to <tt>find_by_encrypted_email_and_encrypted_password('ENCRYPTED EMAIL', 'ENCRYPTED PASSWORD')</tt>. The dynamic scope methods like <tt>scoped_by_email_and_password</tt> work the same way.
-
-NOTE: This only works if all records are encrypted with the same encryption key (per attribute).
-
-
-=== DataMapper and Sequel
-
-Just like the default options for <tt>ActiveRecord</tt>, the <tt>:encode</tt> option is set to true by default since you'll be storing everything in a database.
-
-
-== Note on Patches/Pull Requests
-
-* Fork the project.
-* Make your feature addition or bug fix.
-* Add tests for it. This is important so I don't break it in a
-  future version unintentionally.
-* Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
-* Send me a pull request. Bonus points for topic branches.