attr_encrypted 3.0.2 → 3.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4f35a7b7559ac43fbc20bf110b06c48457195c35
-  data.tar.gz: a99c8beb7a082c64d21f123aeb5c342dffbb80c2
+  metadata.gz: 5c1a2bcf5e2b7fc8937e96cb0fcd99926bd98d1e
+  data.tar.gz: 40112aef07bda5ba8145b2fb634a9bdbfea34d7a
 SHA512:
-  metadata.gz: 25d196cdd13c8c8f0b677583e734cd85e5eea7cf148c33c9317d9bc966481dd549a5513d1f89ac598e53086a4913ba2873184830d57dbc5b740413464397e89e
-  data.tar.gz: 344729a1eb162560e4519b851e0a736f81dddaad4c652338b1af568549d7ba5036c1a7f935b01a7805a1da4972aeb054ffa7b3980e571213ca10a08b75227e8b
+  metadata.gz: cbb4fb1d4fa7e22f791139ab1b9a96324cbb8e07f7e8472561a3dd0ce1fcb0a7c048c0ba413b5bccb876dade09f9528ccc7d23caa4378de3da8ef2c540ba76ad
+  data.tar.gz: ef6b487235f2f92ccdf73de3c806b3b3f9161c2ebcd78b2102e1975edc3150cda28a7b458136a051100e939a271b2e92ca690cd38360ec5c43c9c33db22dc1f4

data/CHANGELOG.md

@@ -1,5 +1,8 @@
 # attr_encrypted #
 
+## 3.0.3 ##
+* Fixed: attr_was would decrypt the attribute upon every call. This is inefficient and introduces problems when the options change between decrypting an old value and encrypting a new value; for example, when rotating the encryption key. As such, the new approach caches the decrypted value of the old encrypted value such that the old options are no longer needed. (@johnny-lai) (@saghaulor)
+
 ## 3.0.2 ##
 * Changed: Removed alias_method_chain for compatibility with Rails v5.x (@grosser)
 * Changed: Updated Travis build matrix to include Rails 5. (@saghaulor) (@connorshea)

data/checksum/attr_encrypted-3.0.2.gem.sha256

@@ -0,0 +1 @@
+c1256b459336d4a2012a0d0c70ce5cd3dac46acb5e78da6f77f6f104cb1e8b7b

data/checksum/attr_encrypted-3.0.2.gem.sha512

@@ -0,0 +1 @@
+dca0c8a729974c0e26fde4cd4216c7d0f66d9eca9f6cf0ccca64999f5180a00bf7c05b630c1d420ec1673141a2923946e8bd28b12e711faf64a4cd42c7a3ac9e

data/lib/attr_encrypted/adapters/active_record.rb

@@ -53,22 +53,32 @@ if defined?(ActiveRecord::Base)
             attr = attrs.pop
             options.merge! encrypted_attributes[attr]
 
-            define_method("#{attr}_changed?") do
-              if send("#{options[:attribute]}_changed?")
-                send(attr) != send("#{attr}_was")
+            define_method("#{attr}_was") do
+              attribute_was(attr)
+            end
+
+            if ::ActiveRecord::VERSION::STRING >= "4.1"
+              define_method("#{attr}_changed?") do |options = {}|
+                attribute_changed?(attr, options)
+              end
+            else
+              define_method("#{attr}_changed?") do
+                  attribute_changed?(attr)
               end
             end
 
-            define_method("#{attr}_was") do
-              attr_was_options = { operation: :decrypting }
-              attr_was_options[:iv]= send("#{options[:attribute]}_iv_was") if respond_to?("#{options[:attribute]}_iv_was")
-              attr_was_options[:salt]= send("#{options[:attribute]}_salt_was") if respond_to?("#{options[:attribute]}_salt_was")
-              encrypted_attributes[attr].merge!(attr_was_options)
-              evaluated_options = evaluated_attr_encrypted_options_for(attr)
-              [:iv, :salt, :operation].each { |key| encrypted_attributes[attr].delete(key) }
-              self.class.decrypt(attr, send("#{options[:attribute]}_was"), evaluated_options)
+            define_method("#{attr}_change") do
+              attribute_change(attr)
+            end
+
+            define_method("#{attr}_with_dirtiness=") do |value|
+              attribute_will_change!(attr) if value != __send__(attr)
+              __send__("#{attr}_without_dirtiness=", value)
             end
 
+            alias_method "#{attr}_without_dirtiness=", "#{attr}="
+            alias_method "#{attr}=", "#{attr}_with_dirtiness="
+
             alias_method "#{attr}_before_type_cast", attr
           end
 

data/lib/attr_encrypted/version.rb

@@ -3,7 +3,7 @@ module AttrEncrypted
   module Version
     MAJOR = 3
     MINOR = 0
-    PATCH = 2
+    PATCH = 3
 
     # Returns a version string by joining <tt>MAJOR</tt>, <tt>MINOR</tt>, and <tt>PATCH</tt> with <tt>'.'</tt>
     #

data/test/active_record_test.rb

@@ -19,6 +19,7 @@ def create_tables
       t.string :encrypted_password
       t.string :encrypted_password_iv
       t.string :encrypted_password_salt
+      t.binary :key
     end
     create_table :users do |t|
       t.string :login
@@ -80,8 +81,20 @@ class PersonWithProcMode < Person
 end
 
 class Account < ActiveRecord::Base
-  attr_accessor :key
-  attr_encrypted :password, key: Proc.new {|account| account.key}
+  ACCOUNT_ENCRYPTION_KEY = SecureRandom.base64(32)
+  attr_encrypted :password, key: :password_encryption_key
+
+  def encrypting?(attr)
+    encrypted_attributes[attr][:operation] == :encrypting
+  end
+
+  def password_encryption_key
+    if encrypting?(:password)
+      self.key = ACCOUNT_ENCRYPTION_KEY
+    else
+      self.key
+    end
+  end
 end
 
 class PersonWithSerialization < ActiveRecord::Base
@@ -117,7 +130,6 @@ class ActiveRecordTest < Minitest::Test
   def setup
     ActiveRecord::Base.connection.tables.each { |table| ActiveRecord::Base.connection.drop_table(table) }
     create_tables
-    Account.create!(key: SECRET_KEY, password: "password")
   end
 
   def test_should_encrypt_email
@@ -167,12 +179,6 @@ class ActiveRecordTest < Minitest::Test
     Account.new.attributes = { password: "password", key: SECRET_KEY }
   end
 
-  def test_should_preserve_hash_key_type
-    hash = { foo: 'bar' }
-    account = Account.create!(key: hash)
-    assert_equal account.key, hash
-  end
-
   def test_should_create_changed_predicate
     person = Person.create!(email: 'test@example.com')
     refute person.email_changed?
@@ -198,6 +204,23 @@ class ActiveRecordTest < Minitest::Test
     assert_equal old_zipcode, address.zipcode_was
   end
 
+  def test_attribute_was_works_when_options_for_old_encrypted_value_are_different_than_options_for_new_encrypted_value
+    pw = 'password'
+    crypto_key = SecureRandom.base64(32)
+    old_iv = SecureRandom.random_bytes(12)
+    account = Account.create
+    encrypted_value = Encryptor.encrypt(value: pw, iv: old_iv, key: crypto_key)
+    Account.where(id: account.id).update_all(key: crypto_key, encrypted_password_iv: [old_iv].pack('m'), encrypted_password: [encrypted_value].pack('m'))
+    account = Account.find(account.id)
+    assert_equal pw, account.password
+    account.password = pw.reverse
+    assert_equal pw, account.password_was
+    account.save
+    account.reload
+    assert_equal Account::ACCOUNT_ENCRYPTION_KEY, account.key
+    assert_equal pw.reverse, account.password
+  end
+
   if ::ActiveRecord::VERSION::STRING > "4.0"
     def test_should_assign_attributes
       @user = UserWithProtectedAttribute.new(login: 'login', is_admin: false)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: attr_encrypted
 version: !ruby/object:Gem::Version
-  version: 3.0.2
+  version: 3.0.3
 platform: ruby
 authors:
 - Sean Huber
@@ -33,7 +33,7 @@ cert_chain:
   ZjeLmnSDiwL6doiP5IiwALH/dcHU67ck3NGf6XyqNwQrrmtPY0mv1WVVL4Uh+vYE
   kHoFzE2no0BfBg78Re8fY69P5yES5ncC
   -----END CERTIFICATE-----
-date: 2016-07-15 00:00:00.000000000 Z
+date: 2016-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: encryptor
@@ -226,6 +226,8 @@ files:
 - checksum/attr_encrypted-3.0.0.gem.sha512
 - checksum/attr_encrypted-3.0.1.gem.sha256
 - checksum/attr_encrypted-3.0.1.gem.sha512
+- checksum/attr_encrypted-3.0.2.gem.sha256
+- checksum/attr_encrypted-3.0.2.gem.sha512
 - lib/attr_encrypted.rb
 - lib/attr_encrypted/adapters/active_record.rb
 - lib/attr_encrypted/adapters/data_mapper.rb