attr_encrypted 3.1.0 → 4.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: f602391484e3437daae62ddb60596f0b4cbc83e0
-  data.tar.gz: 5e407d7e299a43380057a2f0fe816da3a6ad1fca
+SHA256:
+  metadata.gz: 36ebe1f889eadcc15b60089547792d023a5b32e4877a17789da28bc2ca33b3c1
+  data.tar.gz: 54540410056e0b49d7cc6af2077af4e45cf06aef354e0780757b93ff4af1e134
 SHA512:
-  metadata.gz: 77b697d9e450d6baae65fb3ed339824b8bf730898296f172c2ae6b4e0bd7368add0da29c76596b9bbf71d298fccd038195f7ffb7d153ffaeaf2aabc7bfc60f9f
-  data.tar.gz: 211f1c52e7f0505d55eef59f06bb139f47fb1ae0158b39a643b5c7c5251865f13b871ab7b3194d44cd2fc6a128e86a5c6b9c8669bab6d2870a7914ed5dacb6c3
+  metadata.gz: 55a0639ffee8def55645e2444d063ab18df7030f74404289735b2e9329ff65461ac0af3dab29248c337f9b5344aeb7c78d72f3d9155edabde689997c519c88b2
+  data.tar.gz: 22af4440292a3950cb2ca1ab4ed795972626fb974b962d5dc86ebec5492fb7f3a83b691d2432d691d39de66df0a244bfce31576af0b58ab65881b8faf1db8323

data/.travis.yml

@@ -1,60 +1,22 @@
-sudo: false
 language: ruby
+dist: focal
+os: linux
 cache: bundler
 rvm:
-  - 2.0
-  - 2.1
-  - 2.2.2
-  - 2.3.0
-  - 2.4.0
-  - 2.5.0
-  - rbx
+  - 2.6.10
+  - 2.7.6
 env:
-  - ACTIVERECORD=3.0.0
-  - ACTIVERECORD=3.1.0
-  - ACTIVERECORD=3.2.0
-  - ACTIVERECORD=4.0.0
-  - ACTIVERECORD=4.1.0
-  - ACTIVERECORD=4.2.0
-  - ACTIVERECORD=5.0.0
   - ACTIVERECORD=5.1.1
-matrix:
+  - ACTIVERECORD=5.2.8
+  - ACTIVERECORD=6.0.6
+  - ACTIVERECORD=6.1.7
+  - ACTIVERECORD=7.0.4
+jobs:
+  fast_finish: false
   exclude:
-    - rvm: 2.0
-      env: ACTIVERECORD=5.0.0
-    - rvm: 2.0
-      env: ACTIVERECORD=5.1.1
-    - rvm: 2.1
-      env: ACTIVERECORD=5.0.0
-    - rvm: 2.1
-      env: ACTIVERECORD=5.1.1
-    - rvm: 2.4.0
-      env: ACTIVERECORD=3.0.0
-    - rvm: 2.4.0
-      env: ACTIVERECORD=3.1.0
-    - rvm: 2.4.0
-      env: ACTIVERECORD=3.2.0
-    - rvm: 2.4.0
-      env: ACTIVERECORD=4.0.0
-    - rvm: 2.4.0
-      env: ACTIVERECORD=4.1.0
-    - rvm: 2.5.0
-      env: ACTIVERECORD=3.0.0
-    - rvm: 2.5.0
-      env: ACTIVERECORD=3.1.0
-    - rvm: 2.5.0
-      env: ACTIVERECORD=3.2.0
-    - rvm: 2.5.0
-      env: ACTIVERECORD=4.0.0
-    - rvm: 2.5.0
-      env: ACTIVERECORD=4.1.0
-    - rvm: rbx
-      env: ACTIVERECORD=5.0.0
-    - rvm: rbx
-      env: ACTIVERECORD=5.1.1
-  allow_failures:
-    - rvm: rbx
-  fast_finish: true
+    - rvm: 2.6.10
+      env: ACTIVERECORD=7.0.4
+
 addons:
   code_climate:
     repo_token: a90435ed4954dd6e9f3697a20c5bc3754f67d94703f870e8fc7b00f69f5b2d06

data/CHANGELOG.md

@@ -1,6 +1,14 @@
-# attr_encrypted #
+# attr_encrypted
+
+## 4.0.0
+
+* Added: Support for Ruby >= 3.0.
+* Added: Rails 7 support.
+* Changed: Using `#encrypted_attributes` is no longer supported. Instead, use `#attr_encrypted_encrypted_attributes` to avoid
+  collision with Active Record 7 native encryption.
+
+## 3.1.0
 
-## 3.1.0 ##
 * Added: Abitilty to encrypt empty values. (@tamird)
 * Added: MIT license
 * Added: MRI 2.5.x support (@saghaulor)
@@ -11,23 +19,28 @@
 * Fixed: Only check empty on strings, allows for encrypting non-string type objects
 * Fixed: Fixed how accessors for db columns are defined in the ActiveRecord adapter, preventing premature definition. (@nagachika)
 
-## 3.0.3 ##
+## 3.0.3
+
 * Fixed: attr_was would decrypt the attribute upon every call. This is inefficient and introduces problems when the options change between decrypting an old value and encrypting a new value; for example, when rotating the encryption key. As such, the new approach caches the decrypted value of the old encrypted value such that the old options are no longer needed. (@johnny-lai) (@saghaulor)
 
-## 3.0.2 ##
+## 3.0.2
+
 * Changed: Removed alias_method_chain for compatibility with Rails v5.x (@grosser)
 * Changed: Updated Travis build matrix to include Rails 5. (@saghaulor) (@connorshea)
 * Changed: Removed `.silence_stream` from tests as it has been removed from Rails 5. (@sblackstone)
 
-## 3.0.1 ##
+## 3.0.1
+
 * Fixed: attr_was method no longer calls undefined methods. (@saghaulor)
 
-## 3.0.0 ##
+## 3.0.0
+
 * Changed: Updated gemspec to use Encryptor v3.0.0. (@saghaulor)
 * Changed: Updated README with instructions related to moving from v2.0.0 to v3.0.0. (@saghaulor)
 * Fixed: ActiveModel::Dirty methods in the ActiveRecord adapter. (@saghaulor)
 
-## 2.0.0 ##
+## 2.0.0
+
 * Added: Now using Encryptor v2.0.0 (@saghaulor)
 * Added: Options are copied to the instance. (@saghaulor)
 * Added: Operation option is set during encryption/decryption to allow options to be evaluated in the context of the current operation. (@saghaulor)
@@ -48,51 +61,62 @@
 * Removed: Support for Rails < 3.x (@saghaulor)
 * Removed: Unnecessary use of `alias_method` from ActiveRecord adapter. (@saghaulor)
 
-## 1.4.0 ##
+## 1.4.0
+
 * Added: ActiveModel::Dirty#attribute_was (@saghaulor)
 * Added: ActiveModel::Dirty#attribute_changed? (@mwean)
 
-## 1.3.5 ##
+## 1.3.5
+
 * Changed: Fixed gemspec to explicitly depend on Encryptor v1.3.0 (@saghaulor)
 * Fixed: Evaluate `:mode` option as a symbol or proc. (@cheynewallace)
 
-## 1.3.4 ##
+## 1.3.4
+
 * Added: ActiveRecord::Base.reload support. (@rcook)
 * Fixed: ActiveRecord adapter no longer forces attribute hashes to be string-keyed. (@tamird)
 * Fixed: Mass assignment protection in ActiveRecord 4. (@tamird)
 * Changed: Now using rubygems over https. (@tamird)
 * Changed: Let ActiveRecord define attribute methods. (@saghaulor)
 
-## 1.3.3 ##
+## 1.3.3
+
 * Added: Alias attr_encryptor and attr_encrpted. (@Billy Monk)
 
-## 1.3.2 ##
+## 1.3.2
+
 * Fixed: Bug regarding strong parameters. (@S. Brent Faulkner)
 * Fixed: Bug regarding loading per instance IV and salt. (@S. Brent Faulkner)
 * Fixed: Bug regarding assigning nil. (@S. Brent Faulkner)
 * Added: Support for protected attributes. (@S. Brent Faulkner)
 * Added: Support for ActiveRecord 4. (@S. Brent Faulkner)
 
-## 1.3.1 ##
+## 1.3.1
+
 * Added: Support for Rails 2.3.x and 3.1.x. (@S. Brent Faulkner)
 
-## 1.3.0 ##
+## 1.3.0
+
 * Fixed: Serialization bug. (@Billy Monk)
 * Added: Support for :per_attribute_iv_and_salt mode. (@rcook)
 * Fixed: Added dependencies to gemspec. (@jmazzi)
 
-## 1.2.1 ##
+## 1.2.1
+
 * Added: Force encoding when not marshaling. (@mosaicxm)
 * Fixed: Issue specifying multiple attributes on the same line. (@austintaylor)
 * Added: Typecasting to String before encryption (@shuber)
 * Added: `"#{attribute}?"` method. (@shuber)
 
-## 1.2.0 ##
+## 1.2.0
+
 * Changed: General code refactoring (@shuber)
 
-## 1.1.2 ##
+## 1.1.2
+
 * No significant changes
 
-## 1.1.1 ##
+## 1.1.1
+
 * Changled: Updated README. (@shuber)
 * Added: `before_type_cast` alias to ActiveRecord adapter. (@shuber)

data/README.md

@@ -1,4 +1,5 @@
 # attr_encrypted
+
 [![Build Status](https://secure.travis-ci.org/attr-encrypted/attr_encrypted.svg)](https://travis-ci.org/attr-encrypted/attr_encrypted) [![Test Coverage](https://codeclimate.com/github/attr-encrypted/attr_encrypted/badges/coverage.svg)](https://codeclimate.com/github/attr-encrypted/attr_encrypted/coverage) [![Code Climate](https://codeclimate.com/github/attr-encrypted/attr_encrypted/badges/gpa.svg)](https://codeclimate.com/github/attr-encrypted/attr_encrypted) [![Gem Version](https://badge.fury.io/rb/attr_encrypted.svg)](https://badge.fury.io/rb/attr_encrypted) [![security](https://hakiri.io/github/attr-encrypted/attr_encrypted/master.svg)](https://hakiri.io/github/attr-encrypted/attr_encrypted/master)
 
 Generates attr_accessors that transparently encrypt and decrypt attributes.
@@ -11,7 +12,7 @@ It works with ANY class, however, you get a few extra features when you're using
 Add attr_encrypted to your gemfile:
 
 ```ruby
-  gem "attr_encrypted", "~> 3.0.0"
+  gem "attr_encrypted"
 ```
 
 Then install the gem:
@@ -87,6 +88,12 @@ Create or modify the table that your model uses to add a column with the `encryp
 
 You can use a string or binary column type. (See the encode option section below for more info)
 
+If you use the same key for each record, add a unique index on the IV. Repeated IVs with AES-GCM (the default algorithm) allow an attacker to recover the key.
+
+```ruby
+  add_index :users, :encrypted_ssn_iv, unique: true
+```
+
 ### Specifying the encrypted attribute name
 
 By default, the encrypted attribute name is `encrypted_#{attribute}` (e.g. `attr_encrypted :email` would create an attribute named `encrypted_email`). So, if you're storing the encrypted attribute in the database, you need to make sure the `encrypted_#{attribute}` field exists in your table. You have a couple of options if you want to name your attribute or db column something else, see below for more details.
@@ -403,7 +410,7 @@ Then modify your models using attr\_encrypted to account for the changes in defa
 
 ## Upgrading from attr_encrypted v2.x to v3.x
 
-A bug was discovered in Encryptor v2.0.0 that inccorectly set the IV when using an AES-\*-GCM algorithm. Unfornately fixing this major security issue results in the inability to decrypt records encrypted using an AES-*-GCM algorithm from Encryptor v2.0.0. Please see [Upgrading to Encryptor v3.0.0](https://github.com/attr-encrypted/encryptor#upgrading-from-v200-to-v300) for more info.
+A bug was discovered in Encryptor v2.0.0 that incorrectly set the IV when using an AES-\*-GCM algorithm. Unfornately fixing this major security issue results in the inability to decrypt records encrypted using an AES-*-GCM algorithm from Encryptor v2.0.0. Please see [Upgrading to Encryptor v3.0.0](https://github.com/attr-encrypted/encryptor#upgrading-from-v200-to-v300) for more info.
 
 It is strongly advised that you re-encrypt your data encrypted with Encryptor v2.0.0. However, you'll have to take special care to re-encrypt. To decrypt data encrypted with Encryptor v2.0.0 using an AES-\*-GCM algorithm you can use the `:v2_gcm_iv` option.
 
@@ -414,7 +421,7 @@ It is recommended that you implement a strategy to insure that you do not mix th
     attr_encrypted :ssn, key: :encryption_key, v2_gcm_iv: is_decrypting?(:ssn)
 
     def is_decrypting?(attribute)
-      encrypted_attributes[attribute][:operation] == :decrypting
+      attr_encrypted_encrypted_attributes[attribute][:operation] == :decrypting
     end
   end
 
@@ -431,7 +438,7 @@ It is recommended that you implement a strategy to insure that you do not mix th
 While choosing to encrypt at the attribute level is the most secure solution, it is not without drawbacks. Namely, you cannot search the encrypted data, and because you can't search it, you can't index it either. You also can't use joins on the encrypted data. Data that is securely encrypted is effectively noise. So any operations that rely on the data not being noise will not work. If you need to do any of the aforementioned operations, please consider using database and file system encryption along with transport encryption as it moves through your stack.
 
 #### Data leaks
-Please also consider where your data leaks. If you're using attr_encrypted with Rails, it's highly likely that this data will enter your app as a request parameter. You'll want to be sure that you're filtering your request params from you logs or else your data is sitting in the clear in your logs. [Parameter Filtering in Rails](http://apidock.com/rails/ActionDispatch/Http/FilterParameters) Please also consider other possible leak points.
+Please also consider where your data leaks. If you're using attr_encrypted with Rails, it's highly likely that this data will enter your app as a request parameter. You'll want to be sure that you're filtering your request params from your logs or else your data is sitting in the clear in your logs. [Parameter Filtering in Rails](http://apidock.com/rails/ActionDispatch/Http/FilterParameters) Please also consider other possible leak points.
 
 #### Storage requirements
 When storing your encrypted data, please consider the length requirements of the db column that you're storing the cipher text in. Older versions of Mysql attempt to 'help' you by truncating strings that are too large for the column. When this happens, you will not be able to decrypt your data. [MySQL Strict Trans](http://www.davidpashley.com/2009/02/15/silently-truncated/)
@@ -440,7 +447,7 @@ When storing your encrypted data, please consider the length requirements of the
 It is advisable to also store metadata regarding the circumstances of your encrypted data. Namely, you should store information about the key used to encrypt your data, as well as the algorithm. Having this metadata with every record will make key rotation and migrating to a new algorithm signficantly easier. It will allow you to continue to decrypt old data using the information provided in the metadata and new data can be encrypted using your new key and algorithm of choice.
 
 #### Enforcing the IV as a nonce
-On a related note, most alorithms require that your IV be unique for every record and key combination. You can enforce this using composite unique indexes on your IV and encryption key name/id column. [RFC 5084](https://tools.ietf.org/html/rfc5084#section-1.5)
+On a related note, most algorithms require that your IV be unique for every record and key combination. You can enforce this using composite unique indexes on your IV and encryption key name/id column. [RFC 5084](https://tools.ietf.org/html/rfc5084#section-1.5)
 
 #### Unique key per record
 Lastly, while the `:per_attribute_iv_and_salt` mode is more secure than `:per_attribute_iv` mode because it uses a unique key per record, it uses a PBKDF function which introduces a huge performance hit (175x slower by my benchmarks). There are other ways of deriving a unique key per record that would be much faster.

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rake/testtask'
 require 'rdoc/task'
 require "bundler/gem_tasks"

data/attr_encrypted.gemspec

@@ -19,15 +19,12 @@ Gem::Specification.new do |s|
   s.homepage = 'http://github.com/attr-encrypted/attr_encrypted'
   s.license = 'MIT'
 
-  s.has_rdoc = false
-  s.rdoc_options = ['--line-numbers', '--inline-source', '--main', 'README.rdoc']
-
   s.require_paths = ['lib']
 
   s.files      = `git ls-files`.split("\n")
   s.test_files = `git ls-files -- test/*`.split("\n")
 
-  s.required_ruby_version = '>= 2.0.0'
+  s.required_ruby_version = '>= 2.6.0'
 
   s.add_dependency('encryptor', ['~> 3.0.0'])
   # support for testing with specific active record version
@@ -42,27 +39,18 @@ Gem::Specification.new do |s|
   s.add_development_dependency('rake')
   s.add_development_dependency('minitest')
   s.add_development_dependency('sequel')
-  if RUBY_VERSION < '2.1.0'
-    s.add_development_dependency('nokogiri', '< 1.7.0')
-    s.add_development_dependency('public_suffix', '< 3.0.0')
-  end
   if defined?(RUBY_ENGINE) && RUBY_ENGINE.to_sym == :jruby
     s.add_development_dependency('activerecord-jdbcsqlite3-adapter')
     s.add_development_dependency('jdbc-sqlite3', '< 3.8.7') # 3.8.7 is nice and broke
   else
-    s.add_development_dependency('sqlite3')
+    s.add_development_dependency('sqlite3', '= 1.5.4')
   end
   s.add_development_dependency('dm-sqlite-adapter')
+  s.add_development_dependency('pry')
   s.add_development_dependency('simplecov')
   s.add_development_dependency('simplecov-rcov')
-  s.add_development_dependency("codeclimate-test-reporter", '<= 0.6.0')
-
-  s.cert_chain  = ['certs/saghaulor.pem']
-  s.signing_key = File.expand_path("~/.ssh/gem-private_key.pem") if $0 =~ /gem\z/
 
-  s.post_install_message = "\n\n\nWARNING: Several insecure default options and features were deprecated in attr_encrypted v2.0.0.\n
-Additionally, there was a bug in Encryptor v2.0.0 that insecurely encrypted data when using an AES-*-GCM algorithm.\n
-This bug was fixed but introduced breaking changes between v2.x and v3.x.\n
-Please see the README for more information regarding upgrading to attr_encrypted v3.0.0.\n\n\n"
+  s.post_install_message = "\n\n\nWARNING: Using `#encrypted_attributes` is no longer supported. Instead, use `#attr_encrypted_encrypted_attributes` to avoid
+  collision with Active Record 7 native encryption.\n\n\n"
 
 end

data/checksum/attr_encrypted-3.1.0.gem.sha256

@@ -0,0 +1 @@
+4f0682604714ed4599cf00771ad27e82f0b51b0ed8644af51a43d21fbe129b59

data/checksum/attr_encrypted-3.1.0.gem.sha512

@@ -0,0 +1 @@
+dc757a50c53175dc05adbfccb25b536f7f1a060c7bd626bfc72ff577479c6fe28d3b65747033276bd4bce3dad741b67235f3e01ea61409f6c67959da65df445b

data/lib/attr_encrypted/adapters/active_record.rb

@@ -1,7 +1,11 @@
+# frozen_string_literal: true
+
 if defined?(ActiveRecord::Base)
   module AttrEncrypted
     module Adapters
       module ActiveRecord
+        RAILS_VERSION = Gem::Version.new(::ActiveRecord::VERSION::STRING).freeze
+
         def self.extended(base) # :nodoc:
           base.class_eval do
 
@@ -9,7 +13,7 @@ if defined?(ActiveRecord::Base)
             alias_method :reload_without_attr_encrypted, :reload
             def reload(*args, &block)
               result = reload_without_attr_encrypted(*args, &block)
-              self.class.encrypted_attributes.keys.each do |attribute_name|
+              self.class.attr_encrypted_encrypted_attributes.keys.each do |attribute_name|
                 instance_variable_set("@#{attribute_name}", nil)
               end
               result
@@ -25,12 +29,12 @@ if defined?(ActiveRecord::Base)
             def perform_attribute_assignment(method, new_attributes, *args)
               return if new_attributes.blank?
 
-              send method, new_attributes.reject { |k, _|  self.class.encrypted_attributes.key?(k.to_sym) }, *args
-              send method, new_attributes.reject { |k, _| !self.class.encrypted_attributes.key?(k.to_sym) }, *args
+              send method, new_attributes.reject { |k, _|  self.class.attr_encrypted_encrypted_attributes.key?(k.to_sym) }, *args
+              send method, new_attributes.reject { |k, _| !self.class.attr_encrypted_encrypted_attributes.key?(k.to_sym) }, *args
             end
             private :perform_attribute_assignment
 
-            if ::ActiveRecord::VERSION::STRING > "3.1"
+            if Gem::Requirement.new('> 3.1').satisfied_by?(RAILS_VERSION)
               alias_method :assign_attributes_without_attr_encrypted, :assign_attributes
               def assign_attributes(*args)
                 perform_attribute_assignment :assign_attributes_without_attr_encrypted, *args
@@ -51,21 +55,15 @@ if defined?(ActiveRecord::Base)
             super
             options = attrs.extract_options!
             attr = attrs.pop
-            attribute attr if ::ActiveRecord::VERSION::STRING >= "5.1.0"
-            options.merge! encrypted_attributes[attr]
+            attribute attr
+            options.merge! attr_encrypted_encrypted_attributes[attr]
 
             define_method("#{attr}_was") do
               attribute_was(attr)
             end
 
-            if ::ActiveRecord::VERSION::STRING >= "4.1"
-              define_method("#{attr}_changed?") do |options = {}|
-                attribute_changed?(attr, options)
-              end
-            else
-              define_method("#{attr}_changed?") do
-                  attribute_changed?(attr)
-              end
+            define_method("#{attr}_changed?") do |options = {}|
+              attribute_changed?(attr, **options)
             end
 
             define_method("#{attr}_change") do
@@ -73,6 +71,19 @@ if defined?(ActiveRecord::Base)
             end
 
             define_method("#{attr}_with_dirtiness=") do |value|
+              ## Source: https://github.com/priyankatapar/attr_encrypted/commit/7e8702bd5418c927a39d8dd72c0adbea522d5663
+              # In ActiveRecord 5.2+, due to changes to the way virtual
+              # attributes are handled, @attributes[attr].value is nil which
+              # breaks attribute_was. Setting it here returns us to the expected
+              # behavior.
+              if RAILS_VERSION >= Gem::Version.new(5.2)
+                # This is needed support attribute_was before a record has
+                # been saved
+                @attributes.write_cast_value(attr.to_s, __send__(attr)) if value != __send__(attr)
+                # This is needed to support attribute_was after a record has
+                # been saved
+                @attributes.write_from_user(attr.to_s, value) if value != __send__(attr)
+              end
               attribute_will_change!(attr) if value != __send__(attr)
               __send__("#{attr}_without_dirtiness=", value)
             end
@@ -120,10 +131,10 @@ if defined?(ActiveRecord::Base)
             if match = /^(find|scoped)_(all_by|by)_([_a-zA-Z]\w*)$/.match(method.to_s)
               attribute_names = match.captures.last.split('_and_')
               attribute_names.each_with_index do |attribute, index|
-                if attr_encrypted?(attribute) && encrypted_attributes[attribute.to_sym][:mode] == :single_iv_and_salt
+                if attr_encrypted?(attribute) && attr_encrypted_encrypted_attributes[attribute.to_sym][:mode] == :single_iv_and_salt
                   args[index] = send("encrypt_#{attribute}", args[index])
                   warn "DEPRECATION WARNING: This feature will be removed in the next major release."
-                  attribute_names[index] = encrypted_attributes[attribute.to_sym][:attribute]
+                  attribute_names[index] = attr_encrypted_encrypted_attributes[attribute.to_sym][:attribute]
                 end
               end
               method = "#{match.captures[0]}_#{match.captures[1]}_#{attribute_names.join('_and_')}".to_sym
@@ -134,6 +145,8 @@ if defined?(ActiveRecord::Base)
     end
   end
 
-  ActiveRecord::Base.extend AttrEncrypted
-  ActiveRecord::Base.extend AttrEncrypted::Adapters::ActiveRecord
+  ActiveSupport.on_load(:active_record) do
+    extend AttrEncrypted
+    extend AttrEncrypted::Adapters::ActiveRecord
+  end
 end

data/lib/attr_encrypted/adapters/data_mapper.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 if defined?(DataMapper)
   module AttrEncrypted
     module Adapters
@@ -19,4 +21,4 @@ if defined?(DataMapper)
   end
 
   DataMapper::Resource.extend AttrEncrypted::Adapters::DataMapper
-end
+end

data/lib/attr_encrypted/adapters/sequel.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 if defined?(Sequel)
   module AttrEncrypted
     module Adapters
@@ -11,4 +13,4 @@ if defined?(Sequel)
 
   Sequel::Model.extend AttrEncrypted
   Sequel::Model.extend AttrEncrypted::Adapters::Sequel
-end
+end

data/lib/attr_encrypted/version.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module AttrEncrypted
   # Contains information about this gem's version
   module Version
-    MAJOR = 3
-    MINOR = 1
+    MAJOR = 4
+    MINOR = 0
     PATCH = 0
 
     # Returns a version string by joining <tt>MAJOR</tt>, <tt>MINOR</tt>, and <tt>PATCH</tt> with <tt>'.'</tt>

data/lib/attr_encrypted.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'encryptor'
 
 # Adds attr_accessors that encrypt and decrypt an object's attributes
@@ -8,7 +10,7 @@ module AttrEncrypted
     base.class_eval do
       include InstanceMethods
       attr_writer :attr_encrypted_options
-      @attr_encrypted_options, @encrypted_attributes = {}, {}
+      @attr_encrypted_options, @attr_encrypted_encrypted_attributes = {}, {}
     end
   end
 
@@ -158,11 +160,11 @@ module AttrEncrypted
       end
 
       define_method(attribute) do
-        instance_variable_get("@#{attribute}") || instance_variable_set("@#{attribute}", decrypt(attribute, send(encrypted_attribute_name)))
+        instance_variable_get("@#{attribute}") || instance_variable_set("@#{attribute}", attr_encrypted_decrypt(attribute, send(encrypted_attribute_name)))
       end
 
       define_method("#{attribute}=") do |value|
-        send("#{encrypted_attribute_name}=", encrypt(attribute, value))
+        send("#{encrypted_attribute_name}=", attr_encrypted_encrypt(attribute, value))
         instance_variable_set("@#{attribute}", value)
       end
 
@@ -171,7 +173,7 @@ module AttrEncrypted
         value.respond_to?(:empty?) ? !value.empty? : !!value
       end
 
-      encrypted_attributes[attribute.to_sym] = options.merge(attribute: encrypted_attribute_name)
+      self.attr_encrypted_encrypted_attributes[attribute.to_sym] = options.merge(attribute: encrypted_attribute_name)
     end
   end
 
@@ -221,7 +223,7 @@ module AttrEncrypted
   #   User.attr_encrypted?(:name)  # false
   #   User.attr_encrypted?(:email) # true
   def attr_encrypted?(attribute)
-    encrypted_attributes.has_key?(attribute.to_sym)
+    attr_encrypted_encrypted_attributes.has_key?(attribute.to_sym)
   end
 
   # Decrypts a value for the attribute specified
@@ -232,9 +234,9 @@ module AttrEncrypted
   #     attr_encrypted :email
   #   end
   #
-  #   email = User.decrypt(:email, 'SOME_ENCRYPTED_EMAIL_STRING')
-  def decrypt(attribute, encrypted_value, options = {})
-    options = encrypted_attributes[attribute.to_sym].merge(options)
+  #   email = User.attr_encrypted_decrypt(:email, 'SOME_ENCRYPTED_EMAIL_STRING')
+  def attr_encrypted_decrypt(attribute, encrypted_value, options = {})
+    options = attr_encrypted_encrypted_attributes[attribute.to_sym].merge(options)
     if options[:if] && !options[:unless] && not_empty?(encrypted_value)
       encrypted_value = encrypted_value.unpack(options[:encode]).first if options[:encode]
       value = options[:encryptor].send(options[:decrypt_method], options.merge!(value: encrypted_value))
@@ -258,9 +260,9 @@ module AttrEncrypted
   #     attr_encrypted :email
   #   end
   #
-  #   encrypted_email = User.encrypt(:email, 'test@example.com')
-  def encrypt(attribute, value, options = {})
-    options = encrypted_attributes[attribute.to_sym].merge(options)
+  #   encrypted_email = User.attr_encrypted_encrypt(:email, 'test@example.com')
+  def attr_encrypted_encrypt(attribute, value, options = {})
+    options = attr_encrypted_encrypted_attributes[attribute.to_sym].merge(options)
     if options[:if] && !options[:unless] && (options[:allow_empty_value] || not_empty?(value))
       value = options[:marshal] ? options[:marshaler].send(options[:dump_method], value) : value.to_s
       encrypted_value = options[:encryptor].send(options[:encrypt_method], options.merge!(value: value))
@@ -284,9 +286,9 @@ module AttrEncrypted
   #     attr_encrypted :email, key: 'my secret key'
   #   end
   #
-  #   User.encrypted_attributes # { email: { attribute: 'encrypted_email', key: 'my secret key' } }
-  def encrypted_attributes
-    @encrypted_attributes ||= superclass.encrypted_attributes.dup
+  #   User.attr_encrypted_encrypted_attributes # { email: { attribute: 'encrypted_email', key: 'my secret key' } }
+  def attr_encrypted_encrypted_attributes
+    @attr_encrypted_encrypted_attributes ||= superclass.attr_encrypted_encrypted_attributes.dup
   end
 
   # Forwards calls to :encrypt_#{attribute} or :decrypt_#{attribute} to the corresponding encrypt or decrypt method
@@ -301,7 +303,7 @@ module AttrEncrypted
   #   User.encrypt_email('SOME_ENCRYPTED_EMAIL_STRING')
   def method_missing(method, *arguments, &block)
     if method.to_s =~ /^((en|de)crypt)_(.+)$/ && attr_encrypted?($3)
-      send($1, $3, *arguments)
+      send("attr_encrypted_#{$1}", $3, *arguments)
     else
       super
     end
@@ -323,10 +325,10 @@ module AttrEncrypted
     #
     #  @user = User.new('some-secret-key')
     #  @user.decrypt(:email, 'SOME_ENCRYPTED_EMAIL_STRING')
-    def decrypt(attribute, encrypted_value)
-      encrypted_attributes[attribute.to_sym][:operation] = :decrypting
-      encrypted_attributes[attribute.to_sym][:value_present] = self.class.not_empty?(encrypted_value)
-      self.class.decrypt(attribute, encrypted_value, evaluated_attr_encrypted_options_for(attribute))
+    def attr_encrypted_decrypt(attribute, encrypted_value)
+      attr_encrypted_encrypted_attributes[attribute.to_sym][:operation] = :decrypting
+      attr_encrypted_encrypted_attributes[attribute.to_sym][:value_present] = self.class.not_empty?(encrypted_value)
+      self.class.attr_encrypted_decrypt(attribute, encrypted_value, evaluated_attr_encrypted_options_for(attribute))
     end
 
     # Encrypts a value for the attribute specified using options evaluated in the current object's scope
@@ -343,18 +345,22 @@ module AttrEncrypted
     #  end
     #
     #  @user = User.new('some-secret-key')
-    #  @user.encrypt(:email, 'test@example.com')
-    def encrypt(attribute, value)
-      encrypted_attributes[attribute.to_sym][:operation] = :encrypting
-      encrypted_attributes[attribute.to_sym][:value_present] = self.class.not_empty?(value)
-      self.class.encrypt(attribute, value, evaluated_attr_encrypted_options_for(attribute))
+    #  @user.attr_encrypted_encrypt(:email, 'test@example.com')
+    def attr_encrypted_encrypt(attribute, value)
+      attr_encrypted_encrypted_attributes[attribute.to_sym][:operation] = :encrypting
+      attr_encrypted_encrypted_attributes[attribute.to_sym][:value_present] = self.class.not_empty?(value)
+      self.class.attr_encrypted_encrypt(attribute, value, evaluated_attr_encrypted_options_for(attribute))
     end
 
     # Copies the class level hash of encrypted attributes with virtual attribute names as keys
     # and their corresponding options as values to the instance
     #
-    def encrypted_attributes
-      @encrypted_attributes ||= self.class.encrypted_attributes.dup
+    def attr_encrypted_encrypted_attributes
+      @attr_encrypted_encrypted_attributes ||= begin
+        duplicated= {}
+        self.class.attr_encrypted_encrypted_attributes.map { |key, value| duplicated[key] = value.dup }
+        duplicated
+      end
     end
 
     protected
@@ -362,15 +368,21 @@ module AttrEncrypted
       # Returns attr_encrypted options evaluated in the current object's scope for the attribute specified
       def evaluated_attr_encrypted_options_for(attribute)
         evaluated_options = Hash.new
-        attribute_option_value = encrypted_attributes[attribute.to_sym][:attribute]
-        encrypted_attributes[attribute.to_sym].map do |option, value|
-          evaluated_options[option] = evaluate_attr_encrypted_option(value)
+        attributes = attr_encrypted_encrypted_attributes[attribute.to_sym]
+        attribute_option_value = attributes[:attribute]
+
+        [:if, :unless, :value_present, :allow_empty_value].each do |option|
+          evaluated_options[option] = evaluate_attr_encrypted_option(attributes[option])
         end
 
         evaluated_options[:attribute] = attribute_option_value
 
         evaluated_options.tap do |options|
           if options[:if] && !options[:unless] && options[:value_present] || options[:allow_empty_value]
+            (attributes.keys - evaluated_options.keys).each do |option|
+              options[option] = evaluate_attr_encrypted_option(attributes[option])
+            end
+
             unless options[:mode] == :single_iv_and_salt
               load_iv_for_attribute(attribute, options)
             end