RubyGems - attr_keyring - Versions diffs - 0.3.1 → 0.4.0 - Mend

attr_keyring 0.3.1 → 0.4.0

Files changed (22) hide show

checksums.yaml +4 -4
data/.rubocop.yml +3 -0
data/.travis.yml +1 -0
data/Gemfile.lock +14 -8
data/README.md +64 -50
data/Rakefile +1 -0
data/attr_keyring.gemspec +4 -2
data/examples/active_record_sample.rb +85 -0
data/examples/keyring_sample.rb +18 -0
data/examples/sequel_sample.rb +83 -0
data/lib/attr_keyring.rb +106 -25
data/lib/attr_keyring/active_record.rb +18 -75
data/lib/attr_keyring/sequel.rb +21 -0
data/lib/attr_keyring/version.rb +1 -1
data/lib/keyring.rb +61 -0
data/lib/keyring/encryptor/aes.rb +57 -0
data/lib/{attr_keyring → keyring}/key.rb +1 -1
metadata +40 -10
data/lib/attr_keyring/encryptor/aes.rb +0 -32
data/lib/attr_keyring/encryptor/aes_128_cbc.rb +0 -9
data/lib/attr_keyring/encryptor/aes_256_cbc.rb +0 -9
data/lib/attr_keyring/keyring.rb +0 -37

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 74bd2df52ec8dcaf0295310f9755c36ff64a9185b6ef80a45470173de5a3bd19
-  data.tar.gz: 3471acffc4bcc55ef81ee715e8c4363d00c95f6b81cb559fb123d4f28cbb13f0
+  metadata.gz: 1b5e38839a79e65282d4964fefb09e9c9c53cf1cf4d85852c0a8405d89928074
+  data.tar.gz: 9a667ea4f855d5affb9f4612dbfdaa40d8330f4803d59fc9004c61062fce84cd
 SHA512:
-  metadata.gz: 06277ed16d197dc8910b40960b85784072bf6fc4c544b95e59c13044a7cc02c514eec014aea016004039cbfbbfaa87adece295eb0b81e36ecf83de593ee05e01
-  data.tar.gz: 00a790ac4d5d5bae7fa76c4a6023281fcf58b71839b22efb173e1d3fbe7ac65aa630ff2f8b877baead2e24c394584ec4e799f877e461e7e9ca8bc04ccd5bcb39
+  metadata.gz: 23229cced01974f35114c55a2d725b9e112f2021c0d3ddffe59cd8d64b25ffc84bf56131276941a879fe7970e414704d6ce4af5f2f5407205603fdb5cef596fd
+  data.tar.gz: 372331b1209502523de2e3282d6af0b0ff888f514c11762f4c0a270ff4b057a4aca952b7f2e8507a6fef04bd8cb24edc420a7f46a73f183afaaae1be1fbf7026

data/.rubocop.yml CHANGED Viewed

@@ -68,3 +68,6 @@ Style/AccessModifierDeclarations:
 Style/Alias:
   EnforcedStyle: prefer_alias_method
+Style/TrailingUnderscoreVariable:
+  Enabled: false

data/.travis.yml CHANGED Viewed

@@ -6,6 +6,7 @@ notifications:
 rvm:
 - 2.5.3
 before_script:
+- createdb test
 - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
 - chmod +x ./cc-test-reporter
 - "./cc-test-reporter before-build"

data/Gemfile.lock CHANGED Viewed

@@ -1,8 +1,7 @@
 PATH
   remote: .
   specs:
-    attr_keyring (0.3.1)
-      activerecord
+    attr_keyring (0.4.0)
 GEM
   remote: https://rubygems.org/
@@ -23,19 +22,23 @@ GEM
     awesome_print (1.8.0)
     byebug (10.0.2)
     coderay (1.1.2)
-    concurrent-ruby (1.1.3)
+    concurrent-ruby (1.1.4)
     docile (1.3.1)
-    i18n (1.1.1)
+    i18n (1.2.0)
       concurrent-ruby (~> 1.0)
     jaro_winkler (1.5.1)
     json (2.1.0)
+    metaclass (0.0.4)
     method_source (0.9.2)
     minitest (5.11.3)
     minitest-utils (0.4.4)
       minitest
+    mocha (1.7.0)
+      metaclass (~> 0.0.1)
     parallel (1.12.1)
     parser (2.5.3.0)
       ast (~> 2.4.0)
+    pg (1.1.3)
     powerpack (0.1.2)
     pry (0.12.2)
       coderay (~> 1.1.0)
@@ -52,8 +55,8 @@ GEM
       pry (~> 0.9)
       slop (~> 3.0)
     rainbow (3.0.0)
-    rake (12.3.1)
-    rubocop (0.60.0)
+    rake (12.3.2)
+    rubocop (0.61.1)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
       parser (>= 2.5, != 2.5.1.1)
@@ -62,13 +65,13 @@ GEM
       ruby-progressbar (~> 1.7)
       unicode-display_width (~> 1.4.0)
     ruby-progressbar (1.10.0)
+    sequel (5.15.0)
     simplecov (0.16.1)
       docile (~> 1.1)
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
     slop (3.6.0)
-    sqlite3 (1.3.13)
     thread_safe (0.3.6)
     tzinfo (1.2.5)
       thread_safe (~> 0.1)
@@ -78,14 +81,17 @@ PLATFORMS
   ruby
 DEPENDENCIES
+  activerecord
   attr_keyring!
   bundler
   minitest-utils
+  mocha
+  pg
   pry-meta
   rake
   rubocop
+  sequel
   simplecov
-  sqlite3
 BUNDLED WITH
    1.17.1

data/README.md CHANGED Viewed

@@ -1,4 +1,4 @@
-![attr_keyring: Simple encryption-at-rest with key rotation support for ActiveRecord.](https://raw.githubusercontent.com/fnando/attr_keyring/master/attr_keyring.png)
+![attr_keyring: Simple encryption-at-rest with key rotation support for Ruby.](https://raw.githubusercontent.com/fnando/attr_keyring/master/attr_keyring.png)
 <p align="center">
   <a href="https://travis-ci.org/fnando/attr_keyring"><img src="https://travis-ci.org/fnando/attr_keyring.svg" alt="Travis-CI"></a>
@@ -30,45 +30,42 @@ Or install it yourself as:
 ## Usage
-### Model Configuration
+### Configuration
-#### Migration
+As far as database schema goes:
 1. You'll need a column to track the key that was used for encryption; by default it's called `keyring_id`.
 2. Every encrypted columns must follow the name `encrypted_<column name>`.
 3. Optionally, you can also have a `<column name>_digest` to help with searching (see Lookup section below).
-The following example shows how to create a column `twitter_oauth_token` without the digest, and another one called `social_security_number` with the digest column.
-```ruby
-class CreateUsers < ActiveRecord::Migration[5.2]
-  def change
-    create_table :users do |t|
-      t.citext :email, null: false
-      t.timestamps
-      # The following columns are used for encryption.
-      t.binary :encrypted_twitter_oauth_token
-      t.binary :encrypted_social_security_number
-      t.text :social_security_number_digest
-      t.integer :keyring_id
-    end
-    add_index :users, :email, unique: true
-    add_index :users, :social_security_number_digest, unique: true
-  end
-end
-```
+As far as model configuration goes, they're pretty similar, as you can see below:
 #### ActiveRecord
+From Rails 5+, ActiveRecord models now inherit from `ApplicationRecord` instead. This is how you set it up:
 ```ruby
 class ApplicationRecord < ActiveRecord::Base
   self.abstract_class = true
+  include AttrKeyring.active_record
+end
+```
+#### Sequel
-  include AttrKeyring
+Sequel doesn't have an abstract model class (but it could), so you can set up the model class directly like the following:
+```ruby
+class User < Sequel::Model
+  include AttrKeyring.sequel
 end
+```
+### Defining encrypted attributes
+To set up your model, you have to define the keyring (set of encryption keys) and the attributes that will be encrypted. Both ActiveRecord and Sequel have the same API, so the examples below work for both ORMs.
+```ruby
 class User < ApplicationRecord
   attr_keyring ENV["USER_KEYRING"]
   attr_encrypt :twitter_oauth_token, :social_security_number
@@ -81,30 +78,17 @@ You can use the model as you would normally do.
 ```ruby
 user = User.create(
-  email: "john@example.com",
-  twitter_oauth_token: "TOKEN",
-  social_security_number: "SSN"
+  email: "john@example.com"
 )
-user.twitter_oauth_token
-#=> TOKEN
+user.email
+#=> john@example.com
 user.keyring_id
 #=> 1
-user.encrypted_twitter_oauth_token
-#=> "\xF0\xFD\xE3\x98\x98\xBBBp\xCCV45\x17\xA8\xF2r\x99\xC8W\xB2i\xD0;\xC2>7[\xF0R\xAC\x00s\x8F\x82QW{\x0F\x01\x88\x86\x03w\x0E\xCBJ\xC6q"
-```
-You may want to store a Base64 version instead of binary data (e.g. `jsonb` column with `store_accessor`). In this case, you may specify the option `encode: true`.
-```ruby
-class User < ApplicationRecord
-  store_accessor :meta, :twitter_oauth_token
-  attr_keyring ENV["USER_KEYRING"]
-  attr_encrypt :twitter_oauth_token, encode: true
-end
+user.encrypted_email
+#=> WG8Epo0ABz0Z1X5gX7kttc98w9Ei59B5uXGK36Zin9G0VqbxX3naOWOm4RI6w6Uu
 ```
 ### Encryption
@@ -126,11 +110,11 @@ class User < ApplicationRecord
 end
 ```
-To generate keys, use `bs=32` instead.
+#### Key size
-```console
-$ dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64
-```
+- `aes-128-cbc`: 16 bytes.
+- `aes-192-cbc`: 24 bytes.
+- `aes-256-cbc`: 32 bytes.
 #### About the encrypted message
@@ -173,15 +157,15 @@ Other possibilities (e.g. the keyring file is provided by configuration manageme
 One tricky aspect of encryption is looking up records by known secret. E.g.,
 ```ruby
-User.where(twitter_oauth_token: "241F596D-79FF-4C08-921A-A19E533B4F52")
+User.where(email: "john@example.com")
 ```
 is trivial with plain text fields, but impossible with the model defined as above.
-If add a column `<attribute>_digest` exists, then a SHA1 digest from the value will be saved. This will allow you to lookup by that value instead and add unique indexes.
+If a column `<attribute>_digest` exists, then a SHA1 digest from the value will be saved. This will allow you to lookup by that value instead and add unique indexes.
 ```ruby
-User.where(twitter_oauth_token_digest: Digest::SHA1.hexdigest("241F596D-79FF-4C08-921A-A19E533B4F52"))
+User.where(email: Digest::SHA1.hexdigest("john@example.com"))
 ```
 ### Key Rotation
@@ -203,6 +187,36 @@ User.where(keyring_id: 1234).find_each do |user|
 end
 ```
+### What if I don't use ActiveRecord/Sequel?
+You can also leverage the encryption mechanism of `attr_keyring` totally decoupled from ActiveRecord/Sequel. First, make sure you load `keyring` instead. Then you can create a keyring to encrypt/decrypt strings, without even touching the database.
+```ruby
+require "keyring"
+keyring = Keyring.new("1" => "QSXyoiRDPoJmfkJUZ4hJeQ==")
+encrypted, keyring_id, digest = keyring.encrypt("super secret")
+puts encrypted
+#=> encrypted: +mOWmIWKMV01nCm076OBnzgPGhWAZqNs8Etaad/0s3I=
+puts keyring_id
+#=> 1
+puts digest
+#=> e24fe0dea7f9abe8cbb192702578715079689a3e
+decrypted = keyring.decrypt(encrypted, keyring_id)
+puts decrypted
+#=> super secret
+```
+### Exchange data with Node.js
+If you use Node.js, you may be interested in <https://github.com/fnando/keyring-node>, which is able to read and write messages using the same format.
 ## Development
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/Rakefile CHANGED Viewed

@@ -5,6 +5,7 @@ Rake::TestTask.new(:test) do |t|
   t.libs << "test"
   t.libs << "lib"
   t.test_files = FileList["test/**/*_test.rb"]
+  t.warning = false
 end
 desc "Run rubocop"

data/attr_keyring.gemspec CHANGED Viewed

@@ -20,12 +20,14 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) {|f| File.basename(f) }
   spec.require_paths = ["lib"]
-  spec.add_dependency "activerecord"
+  spec.add_development_dependency "activerecord"
   spec.add_development_dependency "bundler"
   spec.add_development_dependency "minitest-utils"
+  spec.add_development_dependency "mocha"
+  spec.add_development_dependency "pg"
   spec.add_development_dependency "pry-meta"
   spec.add_development_dependency "rake"
   spec.add_development_dependency "rubocop"
+  spec.add_development_dependency "sequel"
   spec.add_development_dependency "simplecov"
-  spec.add_development_dependency "sqlite3"
 end

data/examples/active_record_sample.rb ADDED Viewed

@@ -0,0 +1,85 @@
+require "bundler/inline"
+require "stringio"
+gemfile do
+  source "https://rubygems.org"
+  gem "sqlite3"
+  gem "activerecord", require: "active_record"
+  gem "attr_keyring",
+      path: File.expand_path("..", __dir__)
+end
+ActiveRecord::Base.establish_connection "sqlite3::memory:"
+begin
+  previous_stdout = $stdout
+  $stdout = StringIO.new
+  ActiveRecord::Schema.define(version: 0) do
+    create_table :users do |t|
+      t.binary :encrypted_email, null: false
+      t.text :email_digest, null: false
+      t.integer :keyring_id, null: false
+    end
+    add_index :users, :email_digest, unique: true
+  end
+ensure
+  $stdout = previous_stdout
+end
+class ApplicationRecord < ActiveRecord::Base
+  self.abstract_class = true
+  include AttrKeyring.active_record
+end
+class User < ApplicationRecord
+  attr_keyring "1" => "QSXyoiRDPoJmfkJUZ4hJeQ=="
+  attr_encrypt :email
+  validates_uniqueness_of :email_digest
+end
+john = User.create(email: "john@example.com")
+puts "👱‍ attributes"
+puts john.email
+puts john.email_digest
+puts john.encrypted_email
+puts john.keyring_id
+puts
+puts "🔁 rotate key"
+User.keyring["2"] = "r6AfOeilPDJomFsiOXLdfQ=="
+puts john.keyring_rotate!
+puts
+puts "👱‍ attributes (after key rotation)"
+puts john.email
+puts john.email_digest
+puts john.encrypted_email
+puts john.keyring_id
+puts
+puts "👨 assign new email"
+puts john.update(email: "jdoe@example.com")
+puts john.email
+puts john.email_digest
+puts john.encrypted_email
+puts john.keyring_id
+puts
+puts "🔎 search by email digest"
+user = User.find_by_email_digest(Digest::SHA1.hexdigest("jdoe@example.com"))
+puts user.email
+puts user == john
+puts
+puts "❌ duplicated email address"
+copycat = User.create(email: john.email)
+p copycat.errors.to_h
+puts
+puts "🔑 retrieve latest key from keyring"
+puts User.keyring.current_key

data/examples/keyring_sample.rb ADDED Viewed

@@ -0,0 +1,18 @@
+require "bundler/inline"
+gemfile do
+  gem "attr_keyring",
+      require: "keyring",
+      path: File.expand_path("..", __dir__)
+end
+keyring = Keyring.new("1" => "QSXyoiRDPoJmfkJUZ4hJeQ==")
+encrypted, keyring_id, digest = keyring.encrypt("super secret")
+puts encrypted
+puts keyring_id
+puts digest
+decrypted = keyring.decrypt(encrypted, keyring_id)
+puts decrypted

data/examples/sequel_sample.rb ADDED Viewed

@@ -0,0 +1,83 @@
+require "bundler/inline"
+require "stringio"
+gemfile do
+  source "https://rubygems.org"
+  gem "sqlite3"
+  gem "sequel"
+  gem "pry-meta"
+  gem "attr_keyring",
+      path: File.expand_path("..", __dir__)
+end
+Sequel.extension :migration
+DB = Sequel.sqlite
+Sequel.migration do
+  up do
+    create_table(:users) do
+      primary_key :id
+      String :encrypted_email, null: false
+      String :email_digest, null: false
+      Integer :keyring_id, null: false
+    end
+  end
+end.apply(DB, :up)
+class User < Sequel::Model
+  include AttrKeyring.sequel
+  plugin :validation_helpers
+  attr_keyring "1" => "QSXyoiRDPoJmfkJUZ4hJeQ=="
+  attr_encrypt :email
+  def validate
+    super
+    validates_unique :email_digest
+  end
+end
+john = User.create(email: "john@example.com")
+puts "👱‍ attributes"
+puts john.email
+puts john.email_digest
+puts john.encrypted_email
+puts john.keyring_id
+puts
+puts "🔁 rotate key"
+User.keyring["2"] = "r6AfOeilPDJomFsiOXLdfQ=="
+puts john.keyring_rotate!
+puts
+puts "👱‍ attributes (after key rotation)"
+puts john.email
+puts john.email_digest
+puts john.encrypted_email
+puts john.keyring_id
+puts
+puts "👨 assign new email"
+puts john.update(email: "jdoe@example.com")
+puts john.email
+puts john.email_digest
+puts john.encrypted_email
+puts john.keyring_id
+puts
+puts "🔎 search by email digest"
+user = User.first(email_digest: Digest::SHA1.hexdigest("jdoe@example.com"))
+puts user.email
+puts user == john
+puts
+puts "❌ duplicated email address"
+copycat = User.new(email: john.email)
+puts copycat.valid?
+p copycat.errors.to_h
+puts
+puts "🔑 retrieve latest key from keyring"
+puts User.keyring.current_key

data/lib/attr_keyring.rb CHANGED Viewed

@@ -1,41 +1,122 @@
 module AttrKeyring
-  require "active_record"
-  require "openssl"
-  require "digest/sha1"
   require "attr_keyring/version"
-  require "attr_keyring/active_record"
-  require "attr_keyring/keyring"
-  require "attr_keyring/key"
-  require "attr_keyring/encryptor/aes"
-  require "attr_keyring/encryptor/aes_128_cbc"
-  require "attr_keyring/encryptor/aes_256_cbc"
+  require "keyring"
+  def self.active_record
+    require "attr_keyring/active_record"
+    ::AttrKeyring::ActiveRecord
+  end
-  UnknownKey = Class.new(StandardError)
-  InvalidSecret = Class.new(StandardError)
+  def self.sequel
+    require "attr_keyring/sequel"
+    ::AttrKeyring::Sequel
+  end
-  def self.included(target)
+  def self.setup(target)
     target.class_eval do
-      extend AttrKeyring::ActiveRecord::ClassMethods
-      include AttrKeyring::ActiveRecord::InstanceMethods
+      extend ClassMethods
+      include InstanceMethods
       class << self
-        attr_accessor :keyring_attrs
+        attr_accessor :encrypted_attributes
         attr_accessor :keyring
+        attr_accessor :keyring_column_name
+      end
-        def inherited(subclass)
-          super
+      self.encrypted_attributes = []
+      self.keyring = Keyring.new({})
+      self.keyring_column_name = :keyring_id
+    end
+  end
+  module ClassMethods
+    def inherited(subclass)
+      super
+      subclass.encrypted_attributes = encrypted_attributes.dup
+      subclass.keyring = keyring
+      subclass.keyring_column_name = keyring_column_name
+    end
-          subclass.keyring_attrs = {}
-          subclass.keyring = Keyring.new({})
-        end
+    def attr_keyring(keyring, encryptor: Keyring::Encryptor::AES::AES128CBC)
+      self.keyring = Keyring.new(keyring, encryptor)
+    end
+    def attr_encrypt(*attributes)
+      self.encrypted_attributes ||= []
+      encrypted_attributes.push(*attributes)
+      attributes.each do |attribute|
+        define_attr_encrypt_writer(attribute)
+        define_attr_encrypt_reader(attribute)
       end
+    end
-      cattr_accessor :keyring_column_name, default: "keyring_id"
-      self.keyring_attrs = {}
-      self.keyring = Keyring.new({})
+    def define_attr_encrypt_writer(attribute)
+      define_method("#{attribute}=") do |value|
+        attr_encrypt_column(attribute, value)
+      end
+    end
+    def define_attr_encrypt_reader(attribute)
+      define_method(attribute) do
+        attr_decrypt_column(attribute)
+      end
+    end
+  end
+  module InstanceMethods
+    private def attr_encrypt_column(attribute, value)
+      clear_decrypted_column_cache(attribute)
+      return reset_encrypted_column(attribute) unless value
+      value = value.to_s
+      previous_keyring_id = public_send(self.class.keyring_column_name)
+      encrypted_value, keyring_id, digest = self.class.keyring.encrypt(value, previous_keyring_id)
+      public_send("#{self.class.keyring_column_name}=", keyring_id)
+      public_send("encrypted_#{attribute}=", encrypted_value)
+      public_send("#{attribute}_digest=", digest) if respond_to?("#{attribute}_digest=")
+    end
+    private def attr_decrypt_column(attribute)
+      cache_name = :"@#{attribute}"
+      return instance_variable_get(cache_name) if instance_variable_defined?(cache_name)
+      encrypted_value = public_send("encrypted_#{attribute}")
+      return unless encrypted_value
+      decrypted_value = self.class.keyring.decrypt(encrypted_value, public_send(self.class.keyring_column_name))
+      instance_variable_set(cache_name, decrypted_value)
+    end
+    private def clear_decrypted_column_cache(attribute)
+      cache_name = :"@#{attribute}"
+      remove_instance_variable(cache_name) if instance_variable_defined?(cache_name)
+    end
+    private def reset_encrypted_column(attribute)
+      public_send("encrypted_#{attribute}=", nil)
+      public_send("#{attribute}_digest=", nil) if respond_to?("#{attribute}_digest=")
+      nil
+    end
+    private def migrate_to_latest_encryption_key
+      keyring_id = self.class.keyring.current_key.id
+      self.class.encrypted_attributes.each do |attribute|
+        value = public_send(attribute)
+        next if value.nil?
+        encrypted_value, _, digest = self.class.keyring.encrypt(value)
+        public_send("encrypted_#{attribute}=", encrypted_value)
+        public_send("#{attribute}_digest=", digest) if respond_to?("#{attribute}_digest")
+      end
-      before_save :migrate_to_latest_encryption_key
+      public_send("#{self.class.keyring_column_name}=", keyring_id)
     end
   end
 end

data/lib/attr_keyring/active_record.rb CHANGED Viewed

@@ -1,87 +1,30 @@
+require "active_record"
 module AttrKeyring
   module ActiveRecord
-    module ClassMethods
-      def attr_keyring(keyring, encryptor: Encryptor::AES128CBC)
-        self.keyring = Keyring.new(keyring, encryptor)
-      end
+    def self.included(target)
+      AttrKeyring.setup(target)
-      def attr_encrypt(*attributes, encode: true)
-        self.keyring_attrs ||= {}
-        attributes.each do |attribute|
-          keyring_attrs[attribute.to_sym] = {encode: encode}
-        end
+      target.class_eval do
+        before_save :migrate_to_latest_encryption_key
-        attributes.each do |attribute|
-          define_attr_encrypt_writer(attribute)
-          define_attr_encrypt_reader(attribute)
+        def keyring_rotate!
+          migrate_to_latest_encryption_key
+          save!
         end
       end
-      def define_attr_encrypt_writer(attribute)
-        define_method("#{attribute}=") do |value|
-          return attr_reset_column(attribute) if value.nil?
+      target.prepend(
+        Module.new do
+          def reload(options = nil)
+            super
-          options = self.class.keyring_attrs.fetch(attribute)
-          stored_keyring_id = public_send(keyring_column_name)
-          keyring_id = stored_keyring_id || self.class.keyring.current_key&.id
-          encrypted_value = self.class.keyring.encrypt(value, keyring_id)
-          encrypted_value = Base64.strict_encode64(encrypted_value) if options[:encode]
-          public_send("#{keyring_column_name}=", keyring_id) unless stored_keyring_id
-          public_send("encrypted_#{attribute}=", encrypted_value)
-          attr_encrypt_digest(attribute, value)
+            self.class.encrypted_attributes.each do |attribute|
+              clear_decrypted_column_cache(attribute)
+            end
+          end
         end
-      end
-      def define_attr_encrypt_reader(attribute)
-        define_method(attribute) do
-          encrypted_value = public_send("encrypted_#{attribute}")
-          return unless encrypted_value
-          options = self.class.keyring_attrs.fetch(attribute)
-          encrypted_value = Base64.strict_decode64(encrypted_value) if options[:encode]
-          keyring_id = public_send(keyring_column_name)
-          value = self.class.keyring.decrypt(encrypted_value, keyring_id)
-          value
-        end
-      end
-    end
-    module InstanceMethods
-      private def attr_reset_column(attribute)
-        public_send("encrypted_#{attribute}=", nil)
-        public_send("#{attribute}_digest=", nil) if respond_to?("#{attribute}_digest=")
-        nil
-      end
-      private def attr_encrypt_digest(attribute, value)
-        digest_column = "#{attribute}_digest"
-        public_send("#{digest_column}=", Digest::SHA1.hexdigest(value)) if respond_to?(digest_column)
-      end
-      private def migrate_to_latest_encryption_key
-        keyring_id = self.class.keyring.current_key.id
-        self.class.keyring_attrs.each do |attribute, options|
-          value = public_send(attribute)
-          next if value.nil?
-          encrypted_value = self.class.keyring.encrypt(value, keyring_id)
-          encrypted_value = Base64.strict_encode64(encrypted_value) if options[:encode]
-          public_send("encrypted_#{attribute}=", encrypted_value)
-          attr_encrypt_digest(attribute, value)
-        end
-        public_send("#{keyring_column_name}=", keyring_id)
-      end
-      def keyring_rotate!
-        migrate_to_latest_encryption_key
-        save! if changed?
-      end
+      )
     end
   end
 end

data/lib/attr_keyring/sequel.rb ADDED Viewed

@@ -0,0 +1,21 @@
+require "sequel"
+module AttrKeyring
+  module Sequel
+    def self.included(target)
+      AttrKeyring.setup(target)
+      target.class_eval do
+        def before_save
+          super
+          migrate_to_latest_encryption_key
+        end
+        def keyring_rotate!
+          migrate_to_latest_encryption_key
+          save
+        end
+      end
+    end
+  end
+end

data/lib/attr_keyring/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module AttrKeyring
-  VERSION = "0.3.1".freeze
+  VERSION = "0.4.0".freeze
 end

data/lib/keyring.rb ADDED Viewed

@@ -0,0 +1,61 @@
+module Keyring
+  require "openssl"
+  require "base64"
+  require "digest/sha1"
+  require "keyring/key"
+  require "keyring/encryptor/aes"
+  UnknownKey = Class.new(StandardError)
+  InvalidSecret = Class.new(StandardError)
+  EmptyKeyring = Class.new(StandardError)
+  class Base
+    def initialize(keyring, encryptor)
+      @encryptor = encryptor
+      @keyring = keyring.map do |id, value|
+        Key.new(id, value, @encryptor.key_size)
+      end
+    end
+    def current_key
+      @keyring.max_by(&:id)
+    end
+    def [](id)
+      raise EmptyKeyring, "keyring doesn't have any keys" if @keyring.empty?
+      key = @keyring.find {|k| k.id == id.to_i }
+      return key if key
+      raise UnknownKey, "key=#{id} is not available on keyring"
+    end
+    def []=(id, value)
+      @keyring << Key.new(id, value, @encryptor.key_size)
+    end
+    def clear
+      @keyring.clear
+    end
+    def encrypt(message, keyring_id = nil)
+      keyring_id ||= current_key&.id
+      digest = Digest::SHA1.hexdigest(message)
+      [
+        @encryptor.encrypt(self[keyring_id].value, message),
+        keyring_id,
+        digest
+      ]
+    end
+    def decrypt(message, keyring_id)
+      @encryptor.decrypt(self[keyring_id].value, message)
+    end
+  end
+  def self.new(keyring, encryptor = Encryptor::AES::AES128CBC)
+    Base.new(keyring, encryptor)
+  end
+end

data/lib/keyring/encryptor/aes.rb ADDED Viewed

@@ -0,0 +1,57 @@
+module Keyring
+  module Encryptor
+    module AES
+      class Base
+        def self.build_cipher
+          OpenSSL::Cipher.new(cipher_name)
+        end
+        def self.key_size
+          @key_size ||= build_cipher.key_len
+        end
+        def self.encrypt(key, message)
+          cipher = build_cipher
+          cipher.encrypt
+          iv = cipher.random_iv
+          cipher.iv  = iv
+          cipher.key = key
+          encrypted = cipher.update(message) + cipher.final
+          Base64.strict_encode64("#{iv}#{encrypted}")
+        end
+        def self.decrypt(key, message)
+          cipher = build_cipher
+          cipher.decrypt
+          message = Base64.strict_decode64(message)
+          iv = message[0...cipher.iv_len]
+          encrypted = message[cipher.iv_len..-1]
+          cipher.iv = iv
+          cipher.key = key
+          cipher.update(encrypted) + cipher.final
+        end
+      end
+      class AES128CBC < Base
+        def self.cipher_name
+          "AES-128-CBC"
+        end
+      end
+      class AES192CBC < Base
+        def self.cipher_name
+          "AES-192-CBC"
+        end
+      end
+      class AES256CBC < Base
+        def self.cipher_name
+          "AES-256-CBC"
+        end
+      end
+    end
+  end
+end

data/lib/{attr_keyring → keyring}/key.rb RENAMED Viewed

@@ -1,4 +1,4 @@
-module AttrKeyring
+module Keyring
   class Key
     attr_reader :id, :value

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: attr_keyring
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Nando Vieira
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2018-12-09 00:00:00.000000000 Z
+date: 2018-12-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -17,7 +17,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  type: :runtime
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
@@ -52,6 +52,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pg
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: pry-meta
   requirement: !ruby/object:Gem::Requirement
@@ -95,7 +123,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: simplecov
+  name: sequel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -109,7 +137,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: sqlite3
+  name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -143,14 +171,16 @@ files:
 - attr_keyring.svg
 - bin/console
 - bin/setup
+- examples/active_record_sample.rb
+- examples/keyring_sample.rb
+- examples/sequel_sample.rb
 - lib/attr_keyring.rb
 - lib/attr_keyring/active_record.rb
-- lib/attr_keyring/encryptor/aes.rb
-- lib/attr_keyring/encryptor/aes_128_cbc.rb
-- lib/attr_keyring/encryptor/aes_256_cbc.rb
-- lib/attr_keyring/key.rb
-- lib/attr_keyring/keyring.rb
+- lib/attr_keyring/sequel.rb
 - lib/attr_keyring/version.rb
+- lib/keyring.rb
+- lib/keyring/encryptor/aes.rb
+- lib/keyring/key.rb
 homepage: https://github.com/fnando/attr_keyring
 licenses:
 - MIT

data/lib/attr_keyring/encryptor/aes.rb DELETED Viewed

@@ -1,32 +0,0 @@
-module AttrKeyring
-  module Encryptor
-    class AES
-      def self.build_cipher
-        OpenSSL::Cipher.new(cipher_name)
-      end
-      def self.key_size
-        @key_size ||= build_cipher.key_len
-      end
-      def self.encrypt(key, message)
-        cipher = build_cipher
-        cipher.encrypt
-        iv = cipher.random_iv
-        cipher.iv  = iv
-        cipher.key = key
-        iv + cipher.update(message) + cipher.final
-      end
-      def self.decrypt(key, message)
-        cipher = build_cipher
-        cipher.decrypt
-        iv = message[0...cipher.iv_len]
-        encrypted = message[cipher.iv_len..-1]
-        cipher.iv = iv
-        cipher.key = key
-        cipher.update(encrypted) + cipher.final
-      end
-    end
-  end
-end

data/lib/attr_keyring/encryptor/aes_128_cbc.rb DELETED Viewed

@@ -1,9 +0,0 @@
-module AttrKeyring
-  module Encryptor
-    class AES128CBC < AES
-      def self.cipher_name
-        "AES-128-CBC"
-      end
-    end
-  end
-end

data/lib/attr_keyring/encryptor/aes_256_cbc.rb DELETED Viewed

@@ -1,9 +0,0 @@
-module AttrKeyring
-  module Encryptor
-    class AES256CBC < AES
-      def self.cipher_name
-        "AES-256-CBC"
-      end
-    end
-  end
-end

data/lib/attr_keyring/keyring.rb DELETED Viewed

@@ -1,37 +0,0 @@
-module AttrKeyring
-  class Keyring
-    def initialize(keyring, encryptor = Encryptor::AES128CBC)
-      @encryptor = encryptor
-      @keyring = keyring.map do |id, value|
-        Key.new(id, value, @encryptor.key_size)
-      end
-    end
-    def current_key
-      @keyring.max_by(&:id)
-    end
-    def [](id)
-      key = @keyring.find {|k| k.id == id.to_i }
-      return key if key
-      raise UnknownKey, "key=#{id} is not available on keyring"
-    end
-    def []=(id, value)
-      @keyring << Key.new(id, value, @encryptor.key_size)
-    end
-    def clear
-      @keyring.clear
-    end
-    def encrypt(message, keyring_id = current_key.id)
-      @encryptor.encrypt(self[keyring_id].value, message)
-    end
-    def decrypt(message, keyring_id)
-      @encryptor.decrypt(self[keyring_id].value, message)
-    end
-  end
-end