attr_encrypted 2.0.0 → 3.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3a0be3a350e84025ea0cb74994429572c39a46e6
-  data.tar.gz: 9b0fe0406c35007117ed1c0cabca0157410dcc41
+  metadata.gz: 4f35a7b7559ac43fbc20bf110b06c48457195c35
+  data.tar.gz: a99c8beb7a082c64d21f123aeb5c342dffbb80c2
 SHA512:
-  metadata.gz: 7a6cce9239ecf6143d2280c2a2f2e43b37b0a7c99341934984e80eaedc100b0d0d317b9b87be073d1bfd953e3fb997010f9eb16520d1880f2b3ea161c952829e
-  data.tar.gz: a4aa866eb7607d56b5de2ef238163310ac6fd34e0b3595dd99b6e7a18734d7e4c9addd562fbbcc134d38fab255408fd68d7f0a5bc6f8525e241d68e8bcb35edd
+  metadata.gz: 25d196cdd13c8c8f0b677583e734cd85e5eea7cf148c33c9317d9bc966481dd549a5513d1f89ac598e53086a4913ba2873184830d57dbc5b740413464397e89e
+  data.tar.gz: 344729a1eb162560e4519b851e0a736f81dddaad4c652338b1af568549d7ba5036c1a7f935b01a7805a1da4972aeb054ffa7b3980e571213ca10a08b75227e8b

data/.travis.yml

@@ -4,7 +4,7 @@ cache: bundler
 rvm:
   - 2.0
   - 2.1
-  - 2.2
+  - 2.2.2
   - 2.3.0
   - rbx
 env:
@@ -14,8 +14,15 @@ env:
   - ACTIVERECORD=4.0.0
   - ACTIVERECORD=4.1.0
   - ACTIVERECORD=4.2.0
+  - ACTIVERECORD=5.0.0
 matrix:
   exclude:
+    - rvm: 2.0
+      env: ACTIVERECORD=5.0.0
+    - rvm: 2.1
+      env: ACTIVERECORD=5.0.0
+    - rvm: rbx
+      env: ACTIVERECORD=5.0.0
   allow_failures:
     - rvm: rbx
   fast_finish: true

data/CHANGELOG.md

@@ -1,5 +1,18 @@
 # attr_encrypted #
 
+## 3.0.2 ##
+* Changed: Removed alias_method_chain for compatibility with Rails v5.x (@grosser)
+* Changed: Updated Travis build matrix to include Rails 5. (@saghaulor) (@connorshea)
+* Changed: Removed `.silence_stream` from tests as it has been removed from Rails 5. (@sblackstone)
+
+## 3.0.1 ##
+* Fixed: attr_was method no longer calls undefined methods. (@saghaulor)
+
+## 3.0.0 ##
+* Changed: Updated gemspec to use Encryptor v3.0.0. (@saghaulor)
+* Changed: Updated README with instructions related to moving from v2.0.0 to v3.0.0. (@saghaulor)
+* Fixed: ActiveModel::Dirty methods in the ActiveRecord adapter. (@saghaulor)
+
 ## 2.0.0 ##
 * Added: Now using Encryptor v2.0.0 (@saghaulor)
 * Added: Options are copied to the instance. (@saghaulor)

data/README.md

@@ -11,7 +11,7 @@ It works with ANY class, however, you get a few extra features when you're using
 Add attr_encrypted to your gemfile:
 
 ```ruby
-  gem attr_encrypted, "~> 2.0.0"
+  gem "attr_encrypted", "~> 3.0.0"
 ```
 
 Then install the gem:
@@ -37,22 +37,22 @@ If you're using a PORO, you have to do a little bit more work by extending the c
     extend AttrEncrypted
     attr_accessor :name
     attr_encrypted :ssn, key: 'This is a key that is 256 bits!!'
-  
+
     def load
       # loads the stored data
     end
-  
+
     def save
       # saves the :name and :encrypted_ssn attributes somewhere (e.g. filesystem, database, etc)
     end
   end
-  
+
   user = User.new
   user.ssn = '123-45-6789'
   user.ssn # returns the unencrypted object ie. '123-45-6789'
   user.encrypted_ssn # returns the encrypted version of :ssn
   user.save
-  
+
   user = User.load
   user.ssn # decrypts :encrypted_ssn and returns '123-45-6789'
 ```
@@ -242,7 +242,7 @@ Lets suppose you'd like to use this custom encryptor class:
     def self.silly_encrypt(options)
       (options[:value] + options[:secret_key]).reverse
     end
-  
+
     def self.silly_decrypt(options)
       options[:value].reverse.gsub(/#{options[:secret_key]}$/, '')
     end
@@ -374,12 +374,12 @@ Backwards compatibility is supported by providing a special option that is passe
 The `:insecure_mode` option will allow encryptor to ignore the new security requirements. It is strongly advised that if you use this older insecure behavior that you migrate to the newer more secure behavior.
 
 
-## Upgrading from attr_encrypted v1.x to v2.x
+## Upgrading from attr_encrypted v1.x to v3.x
 
 Modify your gemfile to include the new version of attr_encrypted:
 
 ```ruby
-  gem attr_encrypted, "~> 2.0.0"
+  gem attr_encrypted, "~> 3.0.0"
 ```
 
 The update attr_encrypted:
@@ -390,6 +390,30 @@ The update attr_encrypted:
 
 Then modify your models using attr\_encrypted to account for the changes in default options. Specifically, pass in the `:mode` and `:algorithm` options that you were using if you had not previously done so. If your key is insufficient length relative to the algorithm that you use, you should also pass in `insecure_mode: true`; this will prevent Encryptor from raising an exception regarding insufficient key length. Please see the Deprecations sections for more details including an example of how to specify your model with default options from attr_encrypted v1.x.
 
+## Upgrading from attr_encrypted v2.x to v3.x
+
+A bug was discovered in Encryptor v2.0.0 that inccorectly set the IV when using an AES-\*-GCM algorithm. Unfornately fixing this major security issue results in the inability to decrypt records encrypted using an AES-*-GCM algorithm from Encryptor v2.0.0. Please see [Upgrading to Encryptor v3.0.0](https://github.com/attr-encrypted/encryptor#upgrading-from-v200-to-v300) for more info.
+
+It is strongly advised that you re-encrypt your data encrypted with Encryptor v2.0.0. However, you'll have to take special care to re-encrypt. To decrypt data encrypted with Encryptor v2.0.0 using an AES-\*-GCM algorithm you can use the `:v2_gcm_iv` option.
+
+It is recommended that you implement a strategy to insure that you do not mix the encryption implementations of Encryptor. One way to do this is to re-encrypt everything while your application is offline.Another way is to add a column that keeps track of what implementation was used. The path that you choose will depend on your situtation. Below is an example of how you might go about re-encrypting your data.
+
+```ruby
+  class User
+    attr_encrypted :ssn, key: :encryption_key, v2_gcm_iv: :is_decrypting?(:ssn)
+
+    def is_decrypting?(attribute)
+      encrypted_attributes[attribute][:operation] == :decrypting
+    end
+  end
+
+  User.all.each do |user|
+    old_ssn = user.ssn
+    user.ssn= old_ssn
+    user.save
+  end
+```
+
 ## Things to consider before using attr_encrypted
 
 #### Searching, joining, etc

data/attr_encrypted.gemspec

@@ -28,7 +28,7 @@ Gem::Specification.new do |s|
 
   s.required_ruby_version = '>= 2.0.0'
 
-  s.add_dependency('encryptor', ['~> 2.0.0'])
+  s.add_dependency('encryptor', ['~> 3.0.0'])
   # support for testing with specific active record version
   activerecord_version = if ENV.key?('ACTIVERECORD')
     "~> #{ENV['ACTIVERECORD']}"
@@ -55,6 +55,9 @@ Gem::Specification.new do |s|
   s.cert_chain  = ['certs/saghaulor.pem']
   s.signing_key = File.expand_path("~/.ssh/gem-private_key.pem") if $0 =~ /gem\z/
 
-  s.post_install_message = "\n\n\nWARNING: Several insecure default options and features have been deprecated in attr_encrypted v2.0.0. Please see the README for more details.\n\n\n"
+  s.post_install_message = "\n\n\nWARNING: Several insecure default options and features were deprecated in attr_encrypted v2.0.0.\n
+Additionally, there was a bug in Encryptor v2.0.0 that insecurely encrypted data when using an AES-*-GCM algorithm.\n
+This bug was fixed but introduced breaking changes between v2.x and v3.x.\n
+Please see the README for more information regarding upgrading to attr_encrypted v3.0.0.\n\n\n"
 
 end

data/checksum/attr_encrypted-3.0.0.gem.sha256

@@ -0,0 +1 @@
+845fc3cb09a19c3ac76192aba443788f92c880744617bca99b16fd31ce843e07

data/checksum/attr_encrypted-3.0.0.gem.sha512

@@ -0,0 +1 @@
+81a065442258cc3702aab62c7b2307a48ed3e0deb803600d11a7480cce0db7c43fd9929acd2755081042f8989236553fd694b6cb62776bbfc53f9165a22cbca1

data/checksum/attr_encrypted-3.0.1.gem.sha256

@@ -0,0 +1 @@
+33140af4b223177db7a19efb2fa38472a299a745b29ca1c5ba9d3fa947390b77

data/checksum/attr_encrypted-3.0.1.gem.sha512

@@ -0,0 +1 @@
+0c467cab98b9b2eb331f9818323a90ae01392d6cb03cf1f32faccc954d0fc54be65f0fc7bf751b0fce57925eef1c9e2af90181bc40d81ad93e21d15a001c53c6

data/lib/attr_encrypted/adapters/active_record.rb

@@ -6,19 +6,20 @@ if defined?(ActiveRecord::Base)
           base.class_eval do
 
             # https://github.com/attr-encrypted/attr_encrypted/issues/68
-            def reload_with_attr_encrypted(*args, &block)
+            alias_method :reload_without_attr_encrypted, :reload
+            def reload(*args, &block)
               result = reload_without_attr_encrypted(*args, &block)
               self.class.encrypted_attributes.keys.each do |attribute_name|
                 instance_variable_set("@#{attribute_name}", nil)
               end
               result
             end
-            alias_method_chain :reload, :attr_encrypted
 
             attr_encrypted_options[:encode] = true
 
             class << self
-              alias_method_chain :method_missing, :attr_encrypted
+              alias_method :method_missing_without_attr_encrypted, :method_missing
+              alias_method :method_missing, :method_missing_with_attr_encrypted
             end
 
             def perform_attribute_assignment(method, new_attributes, *args)
@@ -30,16 +31,16 @@ if defined?(ActiveRecord::Base)
             private :perform_attribute_assignment
 
             if ::ActiveRecord::VERSION::STRING > "3.1"
-              def assign_attributes_with_attr_encrypted(*args)
+              alias_method :assign_attributes_without_attr_encrypted, :assign_attributes
+              def assign_attributes(*args)
                 perform_attribute_assignment :assign_attributes_without_attr_encrypted, *args
               end
-              alias_method_chain :assign_attributes, :attr_encrypted
             end
 
-            def attributes_with_attr_encrypted=(*args)
+            alias_method :attributes_without_attr_encrypted=, :attributes=
+            def attributes=(*args)
               perform_attribute_assignment :attributes_without_attr_encrypted=, *args
             end
-            alias_method_chain :attributes=, :attr_encrypted
           end
         end
 
@@ -53,11 +54,19 @@ if defined?(ActiveRecord::Base)
             options.merge! encrypted_attributes[attr]
 
             define_method("#{attr}_changed?") do
-              send(attr) != decrypt(attr, send("#{options[:attribute]}_was"))
+              if send("#{options[:attribute]}_changed?")
+                send(attr) != send("#{attr}_was")
+              end
             end
 
             define_method("#{attr}_was") do
-              decrypt(attr, send("#{options[:attribute]}_was")) if send("#{attr}_changed?")
+              attr_was_options = { operation: :decrypting }
+              attr_was_options[:iv]= send("#{options[:attribute]}_iv_was") if respond_to?("#{options[:attribute]}_iv_was")
+              attr_was_options[:salt]= send("#{options[:attribute]}_salt_was") if respond_to?("#{options[:attribute]}_salt_was")
+              encrypted_attributes[attr].merge!(attr_was_options)
+              evaluated_options = evaluated_attr_encrypted_options_for(attr)
+              [:iv, :salt, :operation].each { |key| encrypted_attributes[attr].delete(key) }
+              self.class.decrypt(attr, send("#{options[:attribute]}_was"), evaluated_options)
             end
 
             alias_method "#{attr}_before_type_cast", attr

data/lib/attr_encrypted/version.rb

@@ -1,9 +1,9 @@
 module AttrEncrypted
   # Contains information about this gem's version
   module Version
-    MAJOR = 2
+    MAJOR = 3
     MINOR = 0
-    PATCH = 0
+    PATCH = 2
 
     # Returns a version string by joining <tt>MAJOR</tt>, <tt>MINOR</tt>, and <tt>PATCH</tt> with <tt>'.'</tt>
     #

data/lib/attr_encrypted.rb

@@ -350,7 +350,7 @@ module AttrEncrypted
       def evaluated_attr_encrypted_options_for(attribute)
         evaluated_options = Hash.new
         attribute_option_value = encrypted_attributes[attribute.to_sym][:attribute]
-        self.class.encrypted_attributes[attribute.to_sym].map do |option, value|
+        encrypted_attributes[attribute.to_sym].map do |option, value|
           evaluated_options[option] = evaluate_attr_encrypted_option(value)
         end
 
@@ -383,7 +383,7 @@ module AttrEncrypted
       def load_iv_for_attribute(attribute, options)
         encrypted_attribute_name = options[:attribute]
         encode_iv = options[:encode_iv]
-        iv = send("#{encrypted_attribute_name}_iv")
+        iv = options[:iv] || send("#{encrypted_attribute_name}_iv")
         if options[:operation] == :encrypting
           begin
             iv = generate_iv(options[:algorithm])
@@ -407,7 +407,7 @@ module AttrEncrypted
       def load_salt_for_attribute(attribute, options)
         encrypted_attribute_name = options[:attribute]
         encode_salt = options[:encode_salt]
-        salt = send("#{encrypted_attribute_name}_salt")
+        salt = options[:salt] || send("#{encrypted_attribute_name}_salt")
         if (salt == nil)
           salt = SecureRandom.random_bytes
           salt = prefix_and_encode_salt(salt, encode_salt) if encode_salt

data/test/active_record_test.rb

@@ -1,39 +1,40 @@
 require_relative 'test_helper'
 
-ActiveRecord::Base.establish_connection :adapter => 'sqlite3', :database => ':memory:'
+ActiveRecord::Base.establish_connection(adapter: 'sqlite3', database: ':memory:')
 
 def create_tables
-  silence_stream(STDOUT) do
-    ActiveRecord::Schema.define(:version => 1) do
-      create_table :people do |t|
-        t.string   :encrypted_email
-        t.string   :password
-        t.string   :encrypted_credentials
-        t.binary   :salt
-        t.string   :encrypted_email_salt
-        t.string   :encrypted_credentials_salt
-        t.string   :encrypted_email_iv
-        t.string   :encrypted_credentials_iv
-      end
-      create_table :accounts do |t|
-        t.string :encrypted_password
-        t.string :encrypted_password_iv
-        t.string :encrypted_password_salt
-      end
-      create_table :users do |t|
-        t.string :login
-        t.string :encrypted_password
-        t.boolean :is_admin
-      end
-      create_table :prime_ministers do |t|
-        t.string :encrypted_name
-      end
-      create_table :addresses do |t|
-        t.binary :encrypted_street
-        t.binary :encrypted_street_iv
-        t.binary :encrypted_zipcode
-        t.string :mode
-      end
+  ActiveRecord::Schema.define(version: 1) do
+    create_table :people do |t|
+      t.string   :encrypted_email
+      t.string   :password
+      t.string   :encrypted_credentials
+      t.binary   :salt
+      t.binary   :key_iv
+      t.string   :encrypted_email_salt
+      t.string   :encrypted_credentials_salt
+      t.string   :encrypted_email_iv
+      t.string   :encrypted_credentials_iv
+    end
+    create_table :accounts do |t|
+      t.string :encrypted_password
+      t.string :encrypted_password_iv
+      t.string :encrypted_password_salt
+    end
+    create_table :users do |t|
+      t.string :login
+      t.string :encrypted_password
+      t.string :encrypted_password_iv
+      t.boolean :is_admin
+    end
+    create_table :prime_ministers do |t|
+      t.string :encrypted_name
+      t.string :encrypted_name_iv
+    end
+    create_table :addresses do |t|
+      t.binary :encrypted_street
+      t.binary :encrypted_street_iv
+      t.binary :encrypted_zipcode
+      t.string :mode
     end
   end
 end
@@ -55,16 +56,17 @@ end
 
 class Person < ActiveRecord::Base
   self.attr_encrypted_options[:mode] = :per_attribute_iv_and_salt
-  attr_encrypted :email, :key => SECRET_KEY
-  attr_encrypted :credentials, :key => Proc.new { |user| Encryptor.encrypt(:value => user.salt, :key => SECRET_KEY, iv: SecureRandom.random_bytes(12)) }, :marshal => true
+  attr_encrypted :email, key: SECRET_KEY
+  attr_encrypted :credentials, key: Proc.new { |user| Encryptor.encrypt(value: user.salt, key: SECRET_KEY, iv: user.key_iv) }, marshal: true
 
   after_initialize :initialize_salt_and_credentials
 
   protected
 
   def initialize_salt_and_credentials
+    self.key_iv ||= SecureRandom.random_bytes(12)
     self.salt ||= Digest::SHA256.hexdigest((Time.now.to_i * rand(1000)).to_s)[0..15]
-    self.credentials ||= { :username => 'example', :password => 'test' }
+    self.credentials ||= { username: 'example', password: 'test' }
   end
 end
 
@@ -73,34 +75,34 @@ class PersonWithValidation < Person
 end
 
 class PersonWithProcMode < Person
-  attr_encrypted :email,       :key => SECRET_KEY, :mode => Proc.new { :per_attribute_iv_and_salt }
-  attr_encrypted :credentials, :key => SECRET_KEY, :mode => Proc.new { :single_iv_and_salt }, insecure_mode: true
+  attr_encrypted :email,       key: SECRET_KEY, mode: Proc.new { :per_attribute_iv_and_salt }
+  attr_encrypted :credentials, key: SECRET_KEY, mode: Proc.new { :single_iv_and_salt }, insecure_mode: true
 end
 
 class Account < ActiveRecord::Base
   attr_accessor :key
-  attr_encrypted :password, :key => Proc.new {|account| account.key}
+  attr_encrypted :password, key: Proc.new {|account| account.key}
 end
 
 class PersonWithSerialization < ActiveRecord::Base
   self.table_name = 'people'
-  attr_encrypted :email, :key => SECRET_KEY
+  attr_encrypted :email, key: SECRET_KEY
   serialize :password
 end
 
 class UserWithProtectedAttribute < ActiveRecord::Base
   self.table_name = 'users'
-  attr_encrypted :password, :key => SECRET_KEY
+  attr_encrypted :password, key: SECRET_KEY
   attr_protected :is_admin if ::ActiveRecord::VERSION::STRING < "4.0"
 end
 
 class PersonUsingAlias < ActiveRecord::Base
   self.table_name = 'people'
-  attr_encryptor :email, :key => SECRET_KEY
+  attr_encryptor :email, key: SECRET_KEY
 end
 
 class PrimeMinister < ActiveRecord::Base
-  attr_encrypted :name, :marshal => true, :key => SECRET_KEY
+  attr_encrypted :name, marshal: true, key: SECRET_KEY
 end
 
 class Address < ActiveRecord::Base
@@ -115,11 +117,11 @@ class ActiveRecordTest < Minitest::Test
   def setup
     ActiveRecord::Base.connection.tables.each { |table| ActiveRecord::Base.connection.drop_table(table) }
     create_tables
-    Account.create!(:key => SECRET_KEY, :password => "password")
+    Account.create!(key: SECRET_KEY, password: "password")
   end
 
   def test_should_encrypt_email
-    @person = Person.create :email => 'test@example.com'
+    @person = Person.create(email: 'test@example.com')
     refute_nil @person.encrypted_email
     refute_equal @person.email, @person.encrypted_email
     assert_equal @person.email, Person.first.email
@@ -143,93 +145,103 @@ class ActiveRecordTest < Minitest::Test
   end
 
   def test_should_encrypt_decrypt_with_iv
-    @person = Person.create :email => 'test@example.com'
+    @person = Person.create(email: 'test@example.com')
     @person2 = Person.find(@person.id)
     refute_nil @person2.encrypted_email_iv
     assert_equal 'test@example.com', @person2.email
   end
 
   def test_should_ensure_attributes_can_be_deserialized
-    @person = PersonWithSerialization.new :email => 'test@example.com', :password => %w(an array of strings)
+    @person = PersonWithSerialization.new(email: 'test@example.com', password: %w(an array of strings))
     @person.save
     assert_equal @person.password, %w(an array of strings)
   end
 
   def test_should_create_an_account_regardless_of_arguments_order
-    Account.create!(:key => SECRET_KEY, :password => "password")
-    Account.create!(:password => "password" , :key => SECRET_KEY)
+    Account.create!(key: SECRET_KEY, password: "password")
+    Account.create!(password: "password" , key: SECRET_KEY)
   end
 
   def test_should_set_attributes_regardless_of_arguments_order
     # minitest does not implement `assert_nothing_raised` https://github.com/seattlerb/minitest/issues/112
-    Account.new.attributes = { :password => "password" , :key => SECRET_KEY }
+    Account.new.attributes = { password: "password", key: SECRET_KEY }
   end
 
   def test_should_preserve_hash_key_type
-    hash = { :foo => 'bar' }
-    account = Account.create!(:key => hash)
+    hash = { foo: 'bar' }
+    account = Account.create!(key: hash)
     assert_equal account.key, hash
   end
 
   def test_should_create_changed_predicate
-    person = Person.create!(:email => 'test@example.com')
-    assert !person.email_changed?
+    person = Person.create!(email: 'test@example.com')
+    refute person.email_changed?
+    person.email = 'test@example.com'
+    refute person.email_changed?
+    person.email = nil
+    assert person.email_changed?
     person.email = 'test2@example.com'
     assert person.email_changed?
   end
 
   def test_should_create_was_predicate
     original_email = 'test@example.com'
-    person = Person.create!(:email => original_email)
-    assert !person.email_was
+    person = Person.create!(email: original_email)
+    assert_equal original_email, person.email_was
     person.email = 'test2@example.com'
-    assert_equal person.email_was, original_email
+    assert_equal original_email, person.email_was
+    old_pm_name = "Winston Churchill"
+    pm = PrimeMinister.create!(name: old_pm_name)
+    assert_equal old_pm_name, pm.name_was
+    old_zipcode = "90210"
+    address = Address.create!(zipcode: old_zipcode, mode: "single_iv_and_salt")
+    assert_equal old_zipcode, address.zipcode_was
   end
 
   if ::ActiveRecord::VERSION::STRING > "4.0"
     def test_should_assign_attributes
-      @user = UserWithProtectedAttribute.new :login => 'login', :is_admin => false
-      @user.attributes = ActionController::Parameters.new(:login => 'modified', :is_admin => true).permit(:login)
+      @user = UserWithProtectedAttribute.new(login: 'login', is_admin: false)
+      @user.attributes = ActionController::Parameters.new(login: 'modified', is_admin: true).permit(:login)
       assert_equal 'modified', @user.login
     end
 
     def test_should_not_assign_protected_attributes
-      @user = UserWithProtectedAttribute.new :login => 'login', :is_admin => false
-      @user.attributes = ActionController::Parameters.new(:login => 'modified', :is_admin => true).permit(:login)
+      @user = UserWithProtectedAttribute.new(login: 'login', is_admin: false)
+      @user.attributes = ActionController::Parameters.new(login: 'modified', is_admin: true).permit(:login)
       assert !@user.is_admin?
     end
 
     def test_should_raise_exception_if_not_permitted
-      @user = UserWithProtectedAttribute.new :login => 'login', :is_admin => false
+      @user = UserWithProtectedAttribute.new(login: 'login', is_admin: false)
       assert_raises ActiveModel::ForbiddenAttributesError do
-        @user.attributes = ActionController::Parameters.new(:login => 'modified', :is_admin => true)
+        @user.attributes = ActionController::Parameters.new(login: 'modified', is_admin: true)
       end
     end
 
     def test_should_raise_exception_on_init_if_not_permitted
       assert_raises ActiveModel::ForbiddenAttributesError do
-        @user = UserWithProtectedAttribute.new ActionController::Parameters.new(:login => 'modified', :is_admin => true)
+        @user = UserWithProtectedAttribute.new ActionController::Parameters.new(login: 'modified', is_admin: true)
       end
     end
   else
     def test_should_assign_attributes
-      @user = UserWithProtectedAttribute.new :login => 'login', :is_admin => false
-      @user.attributes = {:login => 'modified', :is_admin => true}
+      @user = UserWithProtectedAttribute.new(login: 'login', is_admin: false)
+      @user.attributes = { login: 'modified', is_admin: true }
       assert_equal 'modified', @user.login
     end
 
     def test_should_not_assign_protected_attributes
-      @user = UserWithProtectedAttribute.new :login => 'login', :is_admin => false
-      @user.attributes = {:login => 'modified', :is_admin => true}
+      @user = UserWithProtectedAttribute.new(login: 'login', is_admin: false)
+      @user.attributes = { login: 'modified', is_admin: true }
       assert !@user.is_admin?
     end
 
     def test_should_assign_protected_attributes
-      @user = UserWithProtectedAttribute.new :login => 'login', :is_admin => false
+      @user = UserWithProtectedAttribute.new(login: 'login', is_admin: false)
       if ::ActiveRecord::VERSION::STRING > "3.1"
-        @user.send :assign_attributes, {:login => 'modified', :is_admin => true}, :without_protection => true
+        @user.send(:assign_attributes, { login: 'modified', is_admin: true }, without_protection: true)
       else
-        @user.send :attributes=, {:login => 'modified', :is_admin => true}, false
+        @user.send(:attributes=, { login: 'modified', is_admin: true }, false)
       end
       assert @user.is_admin?
     end
@@ -241,7 +253,7 @@ class ActiveRecordTest < Minitest::Test
   end
 
   def test_should_allow_proc_based_mode
-    @person = PersonWithProcMode.create :email => 'test@example.com', :credentials => 'password123'
+    @person = PersonWithProcMode.create(email: 'test@example.com', credentials: 'password123')
 
     # Email is :per_attribute_iv_and_salt
     assert_equal @person.class.encrypted_attributes[:email][:mode].class, Proc
@@ -275,21 +287,21 @@ class ActiveRecordTest < Minitest::Test
 
   # See https://github.com/attr-encrypted/attr_encrypted/issues/68
   def test_should_invalidate_virtual_attributes_on_reload
-    pm = PrimeMinister.new(:name => 'Winston Churchill')
-    pm.save!
-    assert_equal 'Winston Churchill', pm.name
-    pm.name = 'Neville Chamberlain'
-    assert_equal 'Neville Chamberlain', pm.name
+    old_pm_name = 'Winston Churchill'
+    new_pm_name = 'Neville Chamberlain'
+    pm = PrimeMinister.create!(name: old_pm_name)
+    assert_equal old_pm_name, pm.name
+    pm.name = new_pm_name
+    assert_equal new_pm_name, pm.name
 
     result = pm.reload
     assert_equal pm, result
-    assert_equal 'Winston Churchill', pm.name
+    assert_equal old_pm_name, pm.name
   end
 
   def test_should_save_encrypted_data_as_binary
     street = '123 Elm'
-    address = Address.new(street: street)
-    address.save!
+    address = Address.create!(street: street)
     refute_equal address.encrypted_street, street
     assert_equal Address.first.street, street
   end

data/test/compatibility_test.rb

@@ -81,26 +81,24 @@ class CompatibilityTest < Minitest::Test
   private
 
   def create_tables
-    silence_stream(STDOUT) do
-      ActiveRecord::Schema.define(:version => 1) do
-        create_table :nonmarshalling_pets do |t|
-          t.string :name
-          t.string :encrypted_nickname
-          t.string :encrypted_nickname_iv
-          t.string :encrypted_nickname_salt
-          t.string :encrypted_birthdate
-          t.string :encrypted_birthdate_iv
-          t.string :encrypted_birthdate_salt
-        end
-        create_table :marshalling_pets do |t|
-          t.string :name
-          t.string :encrypted_nickname
-          t.string :encrypted_nickname_iv
-          t.string :encrypted_nickname_salt
-          t.string :encrypted_birthdate
-          t.string :encrypted_birthdate_iv
-          t.string :encrypted_birthdate_salt
-        end
+    ActiveRecord::Schema.define(:version => 1) do
+      create_table :nonmarshalling_pets do |t|
+        t.string :name
+        t.string :encrypted_nickname
+        t.string :encrypted_nickname_iv
+        t.string :encrypted_nickname_salt
+        t.string :encrypted_birthdate
+        t.string :encrypted_birthdate_iv
+        t.string :encrypted_birthdate_salt
+      end
+      create_table :marshalling_pets do |t|
+        t.string :name
+        t.string :encrypted_nickname
+        t.string :encrypted_nickname_iv
+        t.string :encrypted_nickname_salt
+        t.string :encrypted_birthdate
+        t.string :encrypted_birthdate_iv
+        t.string :encrypted_birthdate_salt
       end
     end
   end

data/test/legacy_active_record_test.rb

@@ -4,14 +4,12 @@ require_relative 'test_helper'
 ActiveRecord::Base.establish_connection :adapter => 'sqlite3', :database => ':memory:'
 
 def create_people_table
-  silence_stream(STDOUT) do
-    ActiveRecord::Schema.define(:version => 1) do
-      create_table :legacy_people do |t|
-        t.string   :encrypted_email
-        t.string   :password
-        t.string   :encrypted_credentials
-        t.string   :salt
-      end
+  ActiveRecord::Schema.define(:version => 1) do
+    create_table :legacy_people do |t|
+      t.string   :encrypted_email
+      t.string   :password
+      t.string   :encrypted_credentials
+      t.string   :salt
     end
   end
 end

data/test/legacy_compatibility_test.rb

@@ -73,20 +73,18 @@ class LegacyCompatibilityTest < Minitest::Test
   private
 
   def create_tables
-    silence_stream(STDOUT) do
-      ActiveRecord::Schema.define(:version => 1) do
-        create_table :legacy_nonmarshalling_pets do |t|
-          t.string :name
-          t.string :encrypted_nickname
-          t.string :encrypted_birthdate
-          t.string :salt
-        end
-        create_table :legacy_marshalling_pets do |t|
-          t.string :name
-          t.string :encrypted_nickname
-          t.string :encrypted_birthdate
-          t.string :salt
-        end
+    ActiveRecord::Schema.define(:version => 1) do
+      create_table :legacy_nonmarshalling_pets do |t|
+        t.string :name
+        t.string :encrypted_nickname
+        t.string :encrypted_birthdate
+        t.string :salt
+      end
+      create_table :legacy_marshalling_pets do |t|
+        t.string :name
+        t.string :encrypted_nickname
+        t.string :encrypted_birthdate
+        t.string :salt
       end
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: attr_encrypted
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 3.0.2
 platform: ruby
 authors:
 - Sean Huber
@@ -33,7 +33,7 @@ cert_chain:
   ZjeLmnSDiwL6doiP5IiwALH/dcHU67ck3NGf6XyqNwQrrmtPY0mv1WVVL4Uh+vYE
   kHoFzE2no0BfBg78Re8fY69P5yES5ncC
   -----END CERTIFICATE-----
-date: 2016-02-23 00:00:00.000000000 Z
+date: 2016-07-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: encryptor
@@ -41,14 +41,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: 3.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: 3.0.0
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
@@ -222,6 +222,10 @@ files:
 - Rakefile
 - attr_encrypted.gemspec
 - certs/saghaulor.pem
+- checksum/attr_encrypted-3.0.0.gem.sha256
+- checksum/attr_encrypted-3.0.0.gem.sha512
+- checksum/attr_encrypted-3.0.1.gem.sha256
+- checksum/attr_encrypted-3.0.1.gem.sha512
 - lib/attr_encrypted.rb
 - lib/attr_encrypted/adapters/active_record.rb
 - lib/attr_encrypted/adapters/data_mapper.rb
@@ -246,7 +250,13 @@ post_install_message: |2+
 
 
 
-  WARNING: Several insecure default options and features have been deprecated in attr_encrypted v2.0.0. Please see the README for more details.
+  WARNING: Several insecure default options and features were deprecated in attr_encrypted v2.0.0.
+
+  Additionally, there was a bug in Encryptor v2.0.0 that insecurely encrypted data when using an AES-*-GCM algorithm.
+
+  This bug was fixed but introduced breaking changes between v2.x and v3.x.
+
+  Please see the README for more information regarding upgrading to attr_encrypted v3.0.0.
 
 
 rdoc_options:

metadata.gz.sig

@@ -1,2 +1,2 @@
-�7$	��nK4��닊x��W���h�ꘑ���88��h�1a��F�D.�X��$~b؛�
-2/.J�ڐ\�H�;F]��	���_����JkpQ�
+.��m�,~1�R��$�ޯ�z��,�\y���.�ή9��\˵XK_M�*)ÄLv��(�~%��s?�2!�:�v�%��f��૖�ƌ!���#ѻ`�{Op�
��;�ɇq�f��e�7��Q�9H��ySs���W���k/e��[a��V���h/�6dz���>r3�GHnU��309�%=<J�
+3
�ai`�yQN�7�CKn���〞�7��B@Sg�yY\�@&�ݴ��e�