attr_encrypted 3.0.0 → 4.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 7818979e143dc8810acdc45dfe6ae67273be455d
-  data.tar.gz: 734c97e4b7d4109b40f4f6bdf7c34aace6e3be3b
+SHA256:
+  metadata.gz: 36ebe1f889eadcc15b60089547792d023a5b32e4877a17789da28bc2ca33b3c1
+  data.tar.gz: 54540410056e0b49d7cc6af2077af4e45cf06aef354e0780757b93ff4af1e134
 SHA512:
-  metadata.gz: 6d8458d63ccd20fbeb9ae4d79689e0a90d3007bd0a212c428c9b95b44d20f39c5e038215bac1e5c7af1138f2517faf7a96973167b213be289a6b5fc7c1b75918
-  data.tar.gz: 57201322d4c3dcbf30bf5c74f931b47bf6478626e925620497fc842d87c393aeb507d277c92f524ff233d515acafad1d367ecb3427250ace7d125a9e3ecb1ab8
+  metadata.gz: 55a0639ffee8def55645e2444d063ab18df7030f74404289735b2e9329ff65461ac0af3dab29248c337f9b5344aeb7c78d72f3d9155edabde689997c519c88b2
+  data.tar.gz: 22af4440292a3950cb2ca1ab4ed795972626fb974b962d5dc86ebec5492fb7f3a83b691d2432d691d39de66df0a244bfce31576af0b58ab65881b8faf1db8323

data/.travis.yml

@@ -1,24 +1,22 @@
-sudo: false
 language: ruby
+dist: focal
+os: linux
 cache: bundler
 rvm:
-  - 2.0
-  - 2.1
-  - 2.2
-  - 2.3.0
-  - rbx
+  - 2.6.10
+  - 2.7.6
 env:
-  - ACTIVERECORD=3.0.0
-  - ACTIVERECORD=3.1.0
-  - ACTIVERECORD=3.2.0
-  - ACTIVERECORD=4.0.0
-  - ACTIVERECORD=4.1.0
-  - ACTIVERECORD=4.2.0
-matrix:
+  - ACTIVERECORD=5.1.1
+  - ACTIVERECORD=5.2.8
+  - ACTIVERECORD=6.0.6
+  - ACTIVERECORD=6.1.7
+  - ACTIVERECORD=7.0.4
+jobs:
+  fast_finish: false
   exclude:
-  allow_failures:
-    - rvm: rbx
-  fast_finish: true
+    - rvm: 2.6.10
+      env: ACTIVERECORD=7.0.4
+
 addons:
   code_climate:
     repo_token: a90435ed4954dd6e9f3697a20c5bc3754f67d94703f870e8fc7b00f69f5b2d06

data/CHANGELOG.md

@@ -1,11 +1,46 @@
-# attr_encrypted #
+# attr_encrypted
+
+## 4.0.0
+
+* Added: Support for Ruby >= 3.0.
+* Added: Rails 7 support.
+* Changed: Using `#encrypted_attributes` is no longer supported. Instead, use `#attr_encrypted_encrypted_attributes` to avoid
+  collision with Active Record 7 native encryption.
+
+## 3.1.0
+
+* Added: Abitilty to encrypt empty values. (@tamird)
+* Added: MIT license
+* Added: MRI 2.5.x support (@saghaulor)
+* Fixed: No long generate IV and salt if value is empty, unless :allow_empty_value options is passed. (@saghaulor)
+* Fixed: Only generate IV and salt when :if and :unless options evaluate such that encryption should be performed. (@saghaulor)
+* Fixed: Private methods are correctly evaluated as options. (@saghaulor)
+* Fixed: Mark virtual attributes for Rails 5.x compatibility (@grosser)
+* Fixed: Only check empty on strings, allows for encrypting non-string type objects
+* Fixed: Fixed how accessors for db columns are defined in the ActiveRecord adapter, preventing premature definition. (@nagachika)
+
+## 3.0.3
+
+* Fixed: attr_was would decrypt the attribute upon every call. This is inefficient and introduces problems when the options change between decrypting an old value and encrypting a new value; for example, when rotating the encryption key. As such, the new approach caches the decrypted value of the old encrypted value such that the old options are no longer needed. (@johnny-lai) (@saghaulor)
+
+## 3.0.2
+
+* Changed: Removed alias_method_chain for compatibility with Rails v5.x (@grosser)
+* Changed: Updated Travis build matrix to include Rails 5. (@saghaulor) (@connorshea)
+* Changed: Removed `.silence_stream` from tests as it has been removed from Rails 5. (@sblackstone)
+
+## 3.0.1
+
+* Fixed: attr_was method no longer calls undefined methods. (@saghaulor)
+
+## 3.0.0
 
-## 3.0.0 ##
 * Changed: Updated gemspec to use Encryptor v3.0.0. (@saghaulor)
 * Changed: Updated README with instructions related to moving from v2.0.0 to v3.0.0. (@saghaulor)
 * Fixed: ActiveModel::Dirty methods in the ActiveRecord adapter. (@saghaulor)
 
-## 2.0.0 ##
+## 2.0.0
+
 * Added: Now using Encryptor v2.0.0 (@saghaulor)
 * Added: Options are copied to the instance. (@saghaulor)
 * Added: Operation option is set during encryption/decryption to allow options to be evaluated in the context of the current operation. (@saghaulor)
@@ -26,51 +61,62 @@
 * Removed: Support for Rails < 3.x (@saghaulor)
 * Removed: Unnecessary use of `alias_method` from ActiveRecord adapter. (@saghaulor)
 
-## 1.4.0 ##
+## 1.4.0
+
 * Added: ActiveModel::Dirty#attribute_was (@saghaulor)
 * Added: ActiveModel::Dirty#attribute_changed? (@mwean)
 
-## 1.3.5 ##
+## 1.3.5
+
 * Changed: Fixed gemspec to explicitly depend on Encryptor v1.3.0 (@saghaulor)
 * Fixed: Evaluate `:mode` option as a symbol or proc. (@cheynewallace)
 
-## 1.3.4 ##
+## 1.3.4
+
 * Added: ActiveRecord::Base.reload support. (@rcook)
 * Fixed: ActiveRecord adapter no longer forces attribute hashes to be string-keyed. (@tamird)
 * Fixed: Mass assignment protection in ActiveRecord 4. (@tamird)
 * Changed: Now using rubygems over https. (@tamird)
 * Changed: Let ActiveRecord define attribute methods. (@saghaulor)
 
-## 1.3.3 ##
+## 1.3.3
+
 * Added: Alias attr_encryptor and attr_encrpted. (@Billy Monk)
 
-## 1.3.2 ##
+## 1.3.2
+
 * Fixed: Bug regarding strong parameters. (@S. Brent Faulkner)
 * Fixed: Bug regarding loading per instance IV and salt. (@S. Brent Faulkner)
 * Fixed: Bug regarding assigning nil. (@S. Brent Faulkner)
 * Added: Support for protected attributes. (@S. Brent Faulkner)
 * Added: Support for ActiveRecord 4. (@S. Brent Faulkner)
 
-## 1.3.1 ##
+## 1.3.1
+
 * Added: Support for Rails 2.3.x and 3.1.x. (@S. Brent Faulkner)
 
-## 1.3.0 ##
+## 1.3.0
+
 * Fixed: Serialization bug. (@Billy Monk)
 * Added: Support for :per_attribute_iv_and_salt mode. (@rcook)
 * Fixed: Added dependencies to gemspec. (@jmazzi)
 
-## 1.2.1 ##
+## 1.2.1
+
 * Added: Force encoding when not marshaling. (@mosaicxm)
 * Fixed: Issue specifying multiple attributes on the same line. (@austintaylor)
 * Added: Typecasting to String before encryption (@shuber)
 * Added: `"#{attribute}?"` method. (@shuber)
 
-## 1.2.0 ##
+## 1.2.0
+
 * Changed: General code refactoring (@shuber)
 
-## 1.1.2 ##
+## 1.1.2
+
 * No significant changes
 
-## 1.1.1 ##
+## 1.1.1
+
 * Changled: Updated README. (@shuber)
 * Added: `before_type_cast` alias to ActiveRecord adapter. (@shuber)

data/README.md

@@ -1,4 +1,5 @@
 # attr_encrypted
+
 [![Build Status](https://secure.travis-ci.org/attr-encrypted/attr_encrypted.svg)](https://travis-ci.org/attr-encrypted/attr_encrypted) [![Test Coverage](https://codeclimate.com/github/attr-encrypted/attr_encrypted/badges/coverage.svg)](https://codeclimate.com/github/attr-encrypted/attr_encrypted/coverage) [![Code Climate](https://codeclimate.com/github/attr-encrypted/attr_encrypted/badges/gpa.svg)](https://codeclimate.com/github/attr-encrypted/attr_encrypted) [![Gem Version](https://badge.fury.io/rb/attr_encrypted.svg)](https://badge.fury.io/rb/attr_encrypted) [![security](https://hakiri.io/github/attr-encrypted/attr_encrypted/master.svg)](https://hakiri.io/github/attr-encrypted/attr_encrypted/master)
 
 Generates attr_accessors that transparently encrypt and decrypt attributes.
@@ -11,7 +12,7 @@ It works with ANY class, however, you get a few extra features when you're using
 Add attr_encrypted to your gemfile:
 
 ```ruby
-  gem "attr_encrypted", "~> 3.0.0"
+  gem "attr_encrypted"
 ```
 
 Then install the gem:
@@ -72,7 +73,7 @@ The `attr_encrypted` class method is also aliased as `attr_encryptor` to conform
 
 ### attr_encrypted with database persistence
 
-By default, `attr_encrypted` uses the `:per_attribute_iv` encryption mode. This mode requires a column to store your cipher text and a column to store your IV.
+By default, `attr_encrypted` uses the `:per_attribute_iv` encryption mode. This mode requires a column to store your cipher text and a column to store your IV (initialization vector).
 
 Create or modify the table that your model uses to add a column with the `encrypted_` prefix (which can be modified, see below), e.g. `encrypted_ssn` via a migration like the following:
 
@@ -87,6 +88,12 @@ Create or modify the table that your model uses to add a column with the `encryp
 
 You can use a string or binary column type. (See the encode option section below for more info)
 
+If you use the same key for each record, add a unique index on the IV. Repeated IVs with AES-GCM (the default algorithm) allow an attacker to recover the key.
+
+```ruby
+  add_index :users, :encrypted_ssn_iv, unique: true
+```
+
 ### Specifying the encrypted attribute name
 
 By default, the encrypted attribute name is `encrypted_#{attribute}` (e.g. `attr_encrypted :email` would create an attribute named `encrypted_email`). So, if you're storing the encrypted attribute in the database, you need to make sure the `encrypted_#{attribute}` field exists in your table. You have a couple of options if you want to name your attribute or db column something else, see below for more details.
@@ -145,6 +152,7 @@ The following are the default options used by `attr_encrypted`:
   decrypt_method:    'decrypt',
   mode:              :per_attribute_iv,
   algorithm:         'aes-256-gcm',
+  allow_empty_value: false
 ```
 
 All of the aforementioned options are explained in depth below.
@@ -195,7 +203,7 @@ If you don't like the `encrypted_#{attribute}` naming convention then you can sp
   end
 ```
 
-This would generate the following attributes: `secret_email_crypted`, `secret_credit_card_crypted`, and `secret_ssn_crypted`.
+This would generate the following attribute: `secret_email_crypted`.
 
 
 ### The `:key` option
@@ -296,7 +304,7 @@ You're probably going to be storing your encrypted attributes somehow (e.g. file
   end
 ```
 
-The default encoding is `m` (base64). You can change this by setting `encode: 'some encoding'`. See [`Arrary#pack`](http://ruby-doc.org/core-2.3.0/Array.html#method-i-pack) for more encoding options.
+The default encoding is `m` (base64). You can change this by setting `encode: 'some encoding'`. See [`Array#pack`](http://ruby-doc.org/core-2.3.0/Array.html#method-i-pack) for more encoding options.
 
 
 ### The `:marshal`, `:dump_method`, and `:load_method` options
@@ -311,6 +319,16 @@ You may want to encrypt objects other than strings (e.g. hashes, arrays, etc). I
 
 You may also optionally specify `:marshaler`, `:dump_method`, and `:load_method` if you want to use something other than the default `Marshal` object.
 
+### The `:allow_empty_value` option
+
+You may want to encrypt empty strings or nil so as to not reveal which records are populated and which records are not.
+
+```ruby
+  class User
+    attr_encrypted :credentials, key: 'some secret key', marshal: true, allow_empty_value: true
+  end
+```
+
 
 ## ORMs
 
@@ -392,7 +410,7 @@ Then modify your models using attr\_encrypted to account for the changes in defa
 
 ## Upgrading from attr_encrypted v2.x to v3.x
 
-A bug was discovered in Encryptor v2.0.0 that inccorectly set the IV when using an AES-\*-GCM algorithm. Unfornately fixing this major security issue results in the inability to decrypt records encrypted using an AES-*-GCM algorithm from Encryptor v2.0.0. Please see [Upgrading to Encryptor v3.0.0](https://github.com/attr-encrypted/encryptor#upgrading-from-v200-to-v300) for more info.
+A bug was discovered in Encryptor v2.0.0 that incorrectly set the IV when using an AES-\*-GCM algorithm. Unfornately fixing this major security issue results in the inability to decrypt records encrypted using an AES-*-GCM algorithm from Encryptor v2.0.0. Please see [Upgrading to Encryptor v3.0.0](https://github.com/attr-encrypted/encryptor#upgrading-from-v200-to-v300) for more info.
 
 It is strongly advised that you re-encrypt your data encrypted with Encryptor v2.0.0. However, you'll have to take special care to re-encrypt. To decrypt data encrypted with Encryptor v2.0.0 using an AES-\*-GCM algorithm you can use the `:v2_gcm_iv` option.
 
@@ -400,10 +418,10 @@ It is recommended that you implement a strategy to insure that you do not mix th
 
 ```ruby
   class User
-    attr_encrypted :ssn, key: :encryption_key, v2_gcm_iv: :is_decrypting?(:ssn)
+    attr_encrypted :ssn, key: :encryption_key, v2_gcm_iv: is_decrypting?(:ssn)
 
     def is_decrypting?(attribute)
-      encrypted_atributes[attribute][operation] == :decrypting
+      attr_encrypted_encrypted_attributes[attribute][:operation] == :decrypting
     end
   end
 
@@ -420,7 +438,7 @@ It is recommended that you implement a strategy to insure that you do not mix th
 While choosing to encrypt at the attribute level is the most secure solution, it is not without drawbacks. Namely, you cannot search the encrypted data, and because you can't search it, you can't index it either. You also can't use joins on the encrypted data. Data that is securely encrypted is effectively noise. So any operations that rely on the data not being noise will not work. If you need to do any of the aforementioned operations, please consider using database and file system encryption along with transport encryption as it moves through your stack.
 
 #### Data leaks
-Please also consider where your data leaks. If you're using attr_encrypted with Rails, it's highly likely that this data will enter your app as a request parameter. You'll want to be sure that you're filtering your request params from you logs or else your data is sitting in the clear in your logs. [Parameter Filtering in Rails](http://apidock.com/rails/ActionDispatch/Http/FilterParameters) Please also consider other possible leak points.
+Please also consider where your data leaks. If you're using attr_encrypted with Rails, it's highly likely that this data will enter your app as a request parameter. You'll want to be sure that you're filtering your request params from your logs or else your data is sitting in the clear in your logs. [Parameter Filtering in Rails](http://apidock.com/rails/ActionDispatch/Http/FilterParameters) Please also consider other possible leak points.
 
 #### Storage requirements
 When storing your encrypted data, please consider the length requirements of the db column that you're storing the cipher text in. Older versions of Mysql attempt to 'help' you by truncating strings that are too large for the column. When this happens, you will not be able to decrypt your data. [MySQL Strict Trans](http://www.davidpashley.com/2009/02/15/silently-truncated/)
@@ -429,7 +447,7 @@ When storing your encrypted data, please consider the length requirements of the
 It is advisable to also store metadata regarding the circumstances of your encrypted data. Namely, you should store information about the key used to encrypt your data, as well as the algorithm. Having this metadata with every record will make key rotation and migrating to a new algorithm signficantly easier. It will allow you to continue to decrypt old data using the information provided in the metadata and new data can be encrypted using your new key and algorithm of choice.
 
 #### Enforcing the IV as a nonce
-On a related note, most alorithms require that your IV be unique for every record and key combination. You can enforce this using composite unique indexes on your IV and encryption key name/id column. [RFC 5084](https://tools.ietf.org/html/rfc5084#section-1.5)
+On a related note, most algorithms require that your IV be unique for every record and key combination. You can enforce this using composite unique indexes on your IV and encryption key name/id column. [RFC 5084](https://tools.ietf.org/html/rfc5084#section-1.5)
 
 #### Unique key per record
 Lastly, while the `:per_attribute_iv_and_salt` mode is more secure than `:per_attribute_iv` mode because it uses a unique key per record, it uses a PBKDF function which introduces a huge performance hit (175x slower by my benchmarks). There are other ways of deriving a unique key per record that would be much faster.

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rake/testtask'
 require 'rdoc/task'
 require "bundler/gem_tasks"
@@ -6,6 +8,7 @@ desc 'Test the attr_encrypted gem.'
 Rake::TestTask.new(:test) do |t|
   t.libs << 'lib'
   t.pattern = 'test/**/*_test.rb'
+  t.warning = false
   t.verbose = true
 end
 

data/attr_encrypted.gemspec

@@ -17,16 +17,14 @@ Gem::Specification.new do |s|
   s.authors   = ['Sean Huber', 'S. Brent Faulkner', 'William Monk', 'Stephen Aghaulor']
   s.email    = ['seah@shuber.io', 'sbfaulkner@gmail.com', 'billy.monk@gmail.com', 'saghaulor@gmail.com']
   s.homepage = 'http://github.com/attr-encrypted/attr_encrypted'
-
-  s.has_rdoc = false
-  s.rdoc_options = ['--line-numbers', '--inline-source', '--main', 'README.rdoc']
+  s.license = 'MIT'
 
   s.require_paths = ['lib']
 
   s.files      = `git ls-files`.split("\n")
   s.test_files = `git ls-files -- test/*`.split("\n")
 
-  s.required_ruby_version = '>= 2.0.0'
+  s.required_ruby_version = '>= 2.6.0'
 
   s.add_dependency('encryptor', ['~> 3.0.0'])
   # support for testing with specific active record version
@@ -45,19 +43,14 @@ Gem::Specification.new do |s|
     s.add_development_dependency('activerecord-jdbcsqlite3-adapter')
     s.add_development_dependency('jdbc-sqlite3', '< 3.8.7') # 3.8.7 is nice and broke
   else
-    s.add_development_dependency('sqlite3')
+    s.add_development_dependency('sqlite3', '= 1.5.4')
   end
   s.add_development_dependency('dm-sqlite-adapter')
+  s.add_development_dependency('pry')
   s.add_development_dependency('simplecov')
   s.add_development_dependency('simplecov-rcov')
-  s.add_development_dependency("codeclimate-test-reporter")
-
-  s.cert_chain  = ['certs/saghaulor.pem']
-  s.signing_key = File.expand_path("~/.ssh/gem-private_key.pem") if $0 =~ /gem\z/
 
-  s.post_install_message = "\n\n\nWARNING: Several insecure default options and features were deprecated in attr_encrypted v2.0.0.\n
-Additionally, there was a bug in Encryptor v2.0.0 that insecurely encrypted data when using an AES-*-GCM algorithm.\n
-This bug was fixed but introduced breaking changes between v2.x and v3.x.\n
-Please see the README for more information regarding upgrading to attr_encrypted v3.0.0.\n\n\n"
+  s.post_install_message = "\n\n\nWARNING: Using `#encrypted_attributes` is no longer supported. Instead, use `#attr_encrypted_encrypted_attributes` to avoid
+  collision with Active Record 7 native encryption.\n\n\n"
 
 end

data/checksum/attr_encrypted-3.0.0.gem.sha256

@@ -0,0 +1 @@
+845fc3cb09a19c3ac76192aba443788f92c880744617bca99b16fd31ce843e07

data/checksum/attr_encrypted-3.0.0.gem.sha512

@@ -0,0 +1 @@
+81a065442258cc3702aab62c7b2307a48ed3e0deb803600d11a7480cce0db7c43fd9929acd2755081042f8989236553fd694b6cb62776bbfc53f9165a22cbca1

data/checksum/attr_encrypted-3.0.1.gem.sha256

@@ -0,0 +1 @@
+33140af4b223177db7a19efb2fa38472a299a745b29ca1c5ba9d3fa947390b77

data/checksum/attr_encrypted-3.0.1.gem.sha512

@@ -0,0 +1 @@
+0c467cab98b9b2eb331f9818323a90ae01392d6cb03cf1f32faccc954d0fc54be65f0fc7bf751b0fce57925eef1c9e2af90181bc40d81ad93e21d15a001c53c6

data/checksum/attr_encrypted-3.0.2.gem.sha256

@@ -0,0 +1 @@
+c1256b459336d4a2012a0d0c70ce5cd3dac46acb5e78da6f77f6f104cb1e8b7b

data/checksum/attr_encrypted-3.0.2.gem.sha512

@@ -0,0 +1 @@
+dca0c8a729974c0e26fde4cd4216c7d0f66d9eca9f6cf0ccca64999f5180a00bf7c05b630c1d420ec1673141a2923946e8bd28b12e711faf64a4cd42c7a3ac9e

data/checksum/attr_encrypted-3.0.3.gem.sha256

@@ -0,0 +1 @@
+6d84c64852c4bbc0926b92fe7a93295671a9e69cb2939b96fb1e4b5e8a5b33b6

data/checksum/attr_encrypted-3.0.3.gem.sha512

@@ -0,0 +1 @@
+0f960e8a2f63c747c273241f7395dcceb0dd8a6f79349bee453db741fc7ea5ceb4342d7d5908e540e3b5acea2216ff38bef8c743e6e7c8559bacb4a731ab27c4

data/checksum/attr_encrypted-3.1.0.gem.sha256

@@ -0,0 +1 @@
+4f0682604714ed4599cf00771ad27e82f0b51b0ed8644af51a43d21fbe129b59

data/checksum/attr_encrypted-3.1.0.gem.sha512

@@ -0,0 +1 @@
+dc757a50c53175dc05adbfccb25b536f7f1a060c7bd626bfc72ff577479c6fe28d3b65747033276bd4bce3dad741b67235f3e01ea61409f6c67959da65df445b

data/lib/attr_encrypted/adapters/active_record.rb

@@ -1,45 +1,50 @@
+# frozen_string_literal: true
+
 if defined?(ActiveRecord::Base)
   module AttrEncrypted
     module Adapters
       module ActiveRecord
+        RAILS_VERSION = Gem::Version.new(::ActiveRecord::VERSION::STRING).freeze
+
         def self.extended(base) # :nodoc:
           base.class_eval do
 
             # https://github.com/attr-encrypted/attr_encrypted/issues/68
-            def reload_with_attr_encrypted(*args, &block)
+            alias_method :reload_without_attr_encrypted, :reload
+            def reload(*args, &block)
               result = reload_without_attr_encrypted(*args, &block)
-              self.class.encrypted_attributes.keys.each do |attribute_name|
+              self.class.attr_encrypted_encrypted_attributes.keys.each do |attribute_name|
                 instance_variable_set("@#{attribute_name}", nil)
               end
               result
             end
-            alias_method_chain :reload, :attr_encrypted
 
             attr_encrypted_options[:encode] = true
 
             class << self
-              alias_method_chain :method_missing, :attr_encrypted
+              alias_method :method_missing_without_attr_encrypted, :method_missing
+              alias_method :method_missing, :method_missing_with_attr_encrypted
             end
 
             def perform_attribute_assignment(method, new_attributes, *args)
               return if new_attributes.blank?
 
-              send method, new_attributes.reject { |k, _|  self.class.encrypted_attributes.key?(k.to_sym) }, *args
-              send method, new_attributes.reject { |k, _| !self.class.encrypted_attributes.key?(k.to_sym) }, *args
+              send method, new_attributes.reject { |k, _|  self.class.attr_encrypted_encrypted_attributes.key?(k.to_sym) }, *args
+              send method, new_attributes.reject { |k, _| !self.class.attr_encrypted_encrypted_attributes.key?(k.to_sym) }, *args
             end
             private :perform_attribute_assignment
 
-            if ::ActiveRecord::VERSION::STRING > "3.1"
-              def assign_attributes_with_attr_encrypted(*args)
+            if Gem::Requirement.new('> 3.1').satisfied_by?(RAILS_VERSION)
+              alias_method :assign_attributes_without_attr_encrypted, :assign_attributes
+              def assign_attributes(*args)
                 perform_attribute_assignment :assign_attributes_without_attr_encrypted, *args
               end
-              alias_method_chain :assign_attributes, :attr_encrypted
             end
 
-            def attributes_with_attr_encrypted=(*args)
+            alias_method :attributes_without_attr_encrypted=, :attributes=
+            def attributes=(*args)
               perform_attribute_assignment :attributes_without_attr_encrypted=, *args
             end
-            alias_method_chain :attributes=, :attr_encrypted
           end
         end
 
@@ -50,22 +55,42 @@ if defined?(ActiveRecord::Base)
             super
             options = attrs.extract_options!
             attr = attrs.pop
-            options.merge! encrypted_attributes[attr]
+            attribute attr
+            options.merge! attr_encrypted_encrypted_attributes[attr]
 
-            define_method("#{attr}_changed?") do
-              if send("#{options[:attribute]}_changed?")
-                send(attr) != send("#{attr}_was")
-              end
+            define_method("#{attr}_was") do
+              attribute_was(attr)
             end
 
-            define_method("#{attr}_was") do
-              iv_and_salt = { iv: send("#{options[:attribute]}_iv_was"), salt: send("#{options[:attribute]}_salt_was"), operation: :decrypting }
-              encrypted_attributes[attr].merge!(iv_and_salt)
-              evaluated_options = evaluated_attr_encrypted_options_for(attr)
-              [:iv, :salt, :operation].each { |key| encrypted_attributes[attr].delete(key) }
-              self.class.decrypt(attr, send("#{options[:attribute]}_was"), evaluated_options)
+            define_method("#{attr}_changed?") do |options = {}|
+              attribute_changed?(attr, **options)
+            end
+
+            define_method("#{attr}_change") do
+              attribute_change(attr)
             end
 
+            define_method("#{attr}_with_dirtiness=") do |value|
+              ## Source: https://github.com/priyankatapar/attr_encrypted/commit/7e8702bd5418c927a39d8dd72c0adbea522d5663
+              # In ActiveRecord 5.2+, due to changes to the way virtual
+              # attributes are handled, @attributes[attr].value is nil which
+              # breaks attribute_was. Setting it here returns us to the expected
+              # behavior.
+              if RAILS_VERSION >= Gem::Version.new(5.2)
+                # This is needed support attribute_was before a record has
+                # been saved
+                @attributes.write_cast_value(attr.to_s, __send__(attr)) if value != __send__(attr)
+                # This is needed to support attribute_was after a record has
+                # been saved
+                @attributes.write_from_user(attr.to_s, value) if value != __send__(attr)
+              end
+              attribute_will_change!(attr) if value != __send__(attr)
+              __send__("#{attr}_without_dirtiness=", value)
+            end
+
+            alias_method "#{attr}_without_dirtiness=", "#{attr}="
+            alias_method "#{attr}=", "#{attr}_with_dirtiness="
+
             alias_method "#{attr}_before_type_cast", attr
           end
 
@@ -74,16 +99,17 @@ if defined?(ActiveRecord::Base)
             # methods returned to let ActiveRecord define the accessor methods
             # for the db columns
 
-            # Use with_connection so the connection doesn't stay pinned to the thread.
-            connected = ::ActiveRecord::Base.connection_pool.with_connection(&:active?) rescue false
-
-            if connected && table_exists?
+            if connected? && table_exists?
               columns_hash.keys.inject(super) {|instance_methods, column_name| instance_methods.concat [column_name.to_sym, :"#{column_name}="]}
             else
               super
             end
           end
 
+          def attribute_instance_methods_as_symbols_available?
+            connected? && table_exists?
+          end
+
           # Allows you to use dynamic methods like <tt>find_by_email</tt> or <tt>scoped_by_email</tt> for
           # encrypted attributes
           #
@@ -105,10 +131,10 @@ if defined?(ActiveRecord::Base)
             if match = /^(find|scoped)_(all_by|by)_([_a-zA-Z]\w*)$/.match(method.to_s)
               attribute_names = match.captures.last.split('_and_')
               attribute_names.each_with_index do |attribute, index|
-                if attr_encrypted?(attribute) && encrypted_attributes[attribute.to_sym][:mode] == :single_iv_and_salt
+                if attr_encrypted?(attribute) && attr_encrypted_encrypted_attributes[attribute.to_sym][:mode] == :single_iv_and_salt
                   args[index] = send("encrypt_#{attribute}", args[index])
                   warn "DEPRECATION WARNING: This feature will be removed in the next major release."
-                  attribute_names[index] = encrypted_attributes[attribute.to_sym][:attribute]
+                  attribute_names[index] = attr_encrypted_encrypted_attributes[attribute.to_sym][:attribute]
                 end
               end
               method = "#{match.captures[0]}_#{match.captures[1]}_#{attribute_names.join('_and_')}".to_sym
@@ -119,6 +145,8 @@ if defined?(ActiveRecord::Base)
     end
   end
 
-  ActiveRecord::Base.extend AttrEncrypted
-  ActiveRecord::Base.extend AttrEncrypted::Adapters::ActiveRecord
+  ActiveSupport.on_load(:active_record) do
+    extend AttrEncrypted
+    extend AttrEncrypted::Adapters::ActiveRecord
+  end
 end

data/lib/attr_encrypted/adapters/data_mapper.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 if defined?(DataMapper)
   module AttrEncrypted
     module Adapters
@@ -19,4 +21,4 @@ if defined?(DataMapper)
   end
 
   DataMapper::Resource.extend AttrEncrypted::Adapters::DataMapper
-end
+end

data/lib/attr_encrypted/adapters/sequel.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 if defined?(Sequel)
   module AttrEncrypted
     module Adapters
@@ -11,4 +13,4 @@ if defined?(Sequel)
 
   Sequel::Model.extend AttrEncrypted
   Sequel::Model.extend AttrEncrypted::Adapters::Sequel
-end
+end

data/lib/attr_encrypted/version.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 module AttrEncrypted
   # Contains information about this gem's version
   module Version
-    MAJOR = 3
+    MAJOR = 4
     MINOR = 0
     PATCH = 0