attr_keyring 0.5.4 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2af6cd51b5b53137780ac69ddf709a3e0b6f31c4381e0425be63579fce0be85d
-  data.tar.gz: 6c3ac6b0b56ecceeecce9e098d8424f5659d8c5d75d26201f87cc669accfe478
+  metadata.gz: 4a1335e867e0b79f0f8082b6cceaa30e40feeb7a9cb140dbb133989ad47af66f
+  data.tar.gz: fa5803034ce08ff55f515fc87e774eeb16b96597e229f55266bfdafd51225dd0
 SHA512:
-  metadata.gz: 151441f7e84eb4145206b96635b07b2e55f83eabe7f855fe03a0e880d65030c9165a5bf09646066ecfd6ef28e0de6b90be8449831858893cf325b6d8b2068027
-  data.tar.gz: 4b7bb84692b69a794ac42ca1e5674f6c00659de1c77dcfa0f00111f6d6537719e9cf2ed93122562b79d8f9b8a47ff572b0330410c724065c4d5cfab22d8efa28
+  metadata.gz: 1d2bc02c88a3871191cc41e32707452f1df9c50040991a8b09394d06a7a06d83a84b3574ac2e1e291e41cb8525d190213e31066eb9922440bbbe3426271829eb
+  data.tar.gz: '00086d53fd3bd74cc0ab4a1e5b511b02ddb081dc01531df75999461200c15b5e87069e0b38eb62f5c353ed121cb8f4657ec1e130aebfc0d254528a9365896389'

data/.github/FUNDING.yml

@@ -0,0 +1,3 @@
+---
+github: [fnando]
+custom: ["https://www.paypal.me/nandovieira/🍕"]

data/.github/dependabot.yml

@@ -0,0 +1,15 @@
+---
+# Documentation:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: bundler
+    directory: "/"
+    schedule:
+      interval: "daily"

data/.github/workflows/tests.yml

@@ -0,0 +1,68 @@
+---
+name: Tests
+
+on:
+  pull_request:
+  push:
+  workflow_dispatch:
+    inputs: {}
+
+jobs:
+  build:
+    name: Tests with Ruby ${{ matrix.ruby }} with ${{ matrix.gemfile }}
+    runs-on: "ubuntu-latest"
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ["2.7", "3.0", "3.1"]
+        gemfile:
+          - gemfiles/7_0.gemfile
+          - gemfiles/6_1.gemfile
+          - gemfiles/6_0.gemfile
+
+    services:
+      postgres:
+        image: postgres:11.5
+        ports: ["5432:5432"]
+        options:
+          --health-cmd pg_isready --health-interval 10s --health-timeout 5s
+          --health-retries 5
+
+    steps:
+      - uses: actions/checkout@v3.0.2
+
+      - uses: actions/cache@v3.0.1
+        with:
+          path: vendor/bundle
+          key: >
+            ${{ runner.os }}-${{ matrix.ruby }}-gems-${{
+            hashFiles('**/attr_keyring.gemspec') }}
+          restore-keys: >
+            ${{ runner.os }}-${{ matrix.ruby }}-gems-${{
+            hashFiles('**/attr_keyring.gemspec') }}
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+
+      - name: Install PostgreSQL 11 client
+        run: |
+          sudo apt-get -yqq install libpq-dev
+
+      - name: Install gem dependencies
+        env:
+          BUNDLE_GEMFILE: ${{ matrix.gemfile }}
+        run: |
+          gem install bundler
+          bundle config path vendor/bundle
+          bundle update --jobs 4 --retry 3
+
+      - name: Run Tests
+        env:
+          PGHOST: localhost
+          PGUSER: postgres
+          BUNDLE_GEMFILE: ${{ matrix.gemfile }}
+        run: |
+          psql -U postgres -c "create database test"
+          bundle exec rake

data/.rubocop.yml

@@ -3,12 +3,15 @@ inherit_gem:
   rubocop-fnando: .rubocop.yml
 
 AllCops:
-  TargetRubyVersion: 2.6
+  TargetRubyVersion: 2.5
+  Exclude:
+    - vendor/**/*
+    - gemfiles/**/*
 
 Metrics/AbcSize:
   Enabled: false
 
-Metrics/LineLength:
+Layout/LineLength:
   Exclude:
     - test/**/*
 

data/README.md

@@ -1,16 +1,21 @@
-![attr_keyring: Simple encryption-at-rest with key rotation support for Ruby.](https://raw.githubusercontent.com/fnando/attr_keyring/master/attr_keyring.png)
+![attr_keyring: Simple encryption-at-rest with key rotation support for Ruby.](https://raw.githubusercontent.com/fnando/attr_keyring/main/attr_keyring.png)
 
 <p align="center">
-  <a href="https://travis-ci.org/fnando/attr_keyring"><img src="https://travis-ci.org/fnando/attr_keyring.svg" alt="Travis-CI"></a>
+  <a href="https://github.com/fnando/attr_keyring/actions?query=workflow%3ATests"><img src="https://github.com/fnando/attr_keyring/workflows/Tests/badge.svg" alt="Tests"></a>
   <a href="https://codeclimate.com/github/fnando/attr_keyring"><img src="https://codeclimate.com/github/fnando/attr_keyring/badges/gpa.svg" alt="Code Climate"></a>
-  <a href="https://codeclimate.com/github/fnando/attr_keyring/coverage"><img src="https://codeclimate.com/github/fnando/attr_keyring/badges/coverage.svg" alt="Test Coverage"></a>
   <a href="https://rubygems.org/gems/attr_keyring"><img src="https://img.shields.io/gem/v/attr_keyring.svg" alt="Gem"></a>
   <a href="https://rubygems.org/gems/attr_keyring"><img src="https://img.shields.io/gem/dt/attr_keyring.svg" alt="Gem"></a>
 </p>
 
-N.B.: attr_keyring is *not* for encrypting passwords--for that, you should use something like [bcrypt](https://github.com/codahale/bcrypt-ruby). It's meant for encrypting sensitive data you will need to access in plain text (e.g. storing OAuth token from users). Passwords do not fall in that category.
+N.B.: attr_keyring is not for encrypting passwords--for that, you should use
+something like [bcrypt](https://github.com/codahale/bcrypt-ruby). It's meant for
+encrypting sensitive data you will need to access in plain text (e.g. storing
+OAuth token from users). Passwords do not fall in that category.
 
-This library is heavily inspired by [attr_vault](https://github.com/uhoh-itsmaciek/attr_vault), and can read encrypted messages if you encode them in base64 (e.g. `Base64.strict_encode64(encrypted_by_attr_vault)`).
+This library is heavily inspired by
+[attr_vault](https://github.com/uhoh-itsmaciek/attr_vault), and can read
+encrypted messages if you encode them in base64 (e.g.
+`Base64.strict_encode64(encrypted_by_attr_vault)`).
 
 ## Installation
 
@@ -36,7 +41,10 @@ Or install it yourself as:
 gem "attr_keyring"
 require "keyring"
 
-keyring = Keyring.new("1" => "uDiMcWVNTuz//naQ88sOcN+E40CyBRGzGTT7OkoBS6M=")
+keyring = Keyring.new(
+  {"1" => "uDiMcWVNTuz//naQ88sOcN+E40CyBRGzGTT7OkoBS6M="},
+  digest_salt: "<custom salt>"
+)
 
 # STEP 1: Encrypt message using latest encryption key.
 encrypted, keyring_id, digest = keyring.encrypt("super secret")
@@ -52,30 +60,37 @@ puts "✉️ #{decrypted}"
 
 #### Change encryption algorithm
 
-You can choose between `AES-128-CBC`, `AES-192-CBC` and `AES-256-CBC`. By default, `AES-128-CBC` will be used.
-
-To specify the encryption algorithm, set the `encryption` option. The following example uses `AES-256-CBC`.
+You can choose between `AES-128-CBC`, `AES-192-CBC` and `AES-256-CBC`. By
+default, `AES-128-CBC` will be used.
 
-```js
-import { keyring } from "@fnando/keyring";
+To specify the encryption algorithm, set the `encryption` option. The following
+example uses `AES-256-CBC`.
 
-const keys = {"1": "uDiMcWVNTuz//naQ88sOcN+E40CyBRGzGTT7OkoBS6M="};
-const encryptor = keyring(keys, {encryption: "aes-256-cbc"});
+```ruby
+keyring = Keyring.new(
+  "1" => "uDiMcWVNTuz//naQ88sOcN+E40CyBRGzGTT7OkoBS6M=",
+  encryptor: Keyring::Encryptor::AES::AES256CBC,
+  digest_salt: "<custom salt>"
+)
 ```
 
 ### Configuration
 
 As far as database schema goes:
 
-1. You'll need a column to track the key that was used for encryption; by default it's called `keyring_id`.
-2. Every encrypted columns must follow the name `encrypted_<column name>`.
-3. Optionally, you can also have a `<column name>_digest` to help with searching (see Lookup section below).
+1. You'll need a column to track the key that was used for encryption; by
+   default it's called `keyring_id`.
+2. Every encrypted column must follow the name `encrypted_<column name>`.
+3. Optionally, you can also have a `<column name>_digest` to help with searching
+   (see Lookup section below).
 
-As far as model configuration goes, they're pretty similar, as you can see below:
+As far as model configuration goes, they're pretty similar, as you can see
+below:
 
 #### ActiveRecord
 
-From Rails 5+, ActiveRecord models now inherit from `ApplicationRecord` instead. This is how you set it up:
+From Rails 5+, ActiveRecord models now inherit from `ApplicationRecord` instead.
+This is how you set it up:
 
 ```ruby
 class ApplicationRecord < ActiveRecord::Base
@@ -86,7 +101,8 @@ end
 
 #### Sequel
 
-Sequel doesn't have an abstract model class (but it could), so you can set up the model class directly like the following:
+Sequel doesn't have an abstract model class (but it could), so you can set up
+the model class directly like the following:
 
 ```ruby
 class User < Sequel::Model
@@ -96,16 +112,20 @@ end
 
 ### Defining encrypted attributes
 
-To set up your model, you have to define the keyring (set of encryption keys) and the attributes that will be encrypted. Both ActiveRecord and Sequel have the same API, so the examples below work for both ORMs.
+To set up your model, you have to define the keyring (set of encryption keys)
+and the attributes that will be encrypted. Both ActiveRecord and Sequel have the
+same API, so the examples below work for both ORMs.
 
 ```ruby
 class User < ApplicationRecord
-  attr_keyring ENV["USER_KEYRING"]
+  attr_keyring ENV["USER_KEYRING"],
+               digest_salt: "<custom salt>"
   attr_encrypt :twitter_oauth_token, :social_security_number
 end
 ```
 
-The code above will encrypt your columns with the current key. If you're updating a record, then the column will be migrated to the latest key available.
+The code above will encrypt your columns with the current key. If you're
+updating a record, then the column will be migrated to the latest key available.
 
 You can use the model as you would normally do.
 
@@ -124,22 +144,44 @@ user.encrypted_email
 #=> WG8Epo0ABz0Z1X5gX7kttc98w9Ei59B5uXGK36Zin9G0VqbxX3naOWOm4RI6w6Uu
 ```
 
+If you want to store a hash, you can use the `encoder:` option.
+
+```ruby
+class User < ApplicationRecord
+  attr_keyring ENV["USER_KEYRING"],
+               digest_salt: "<custom salt>"
+
+  attr_encrypt :data, encoder: JSON
+end
+```
+
+An encoder is just an object that responds to the methods `dump(data)` and
+`parse(data)`, just like the `JSON` interface. Alternatively, you can use
+`AttrKeyring::Encoders::JSON`, which returns hashes with symbolized keys.
+
 ### Encryption
 
-By default, AES-128-CBC is the algorithm used for encryption. This algorithm uses 16 bytes keys, but you're required to use a key that's double the size because half of that keys will be used to generate the HMAC. The first 16 bytes will be used as the encryption key, and the last 16 bytes will be used to generate the HMAC.
+By default, AES-128-CBC is the algorithm used for encryption. This algorithm
+uses 16 bytes keys, but you're required to use a key that's double the size
+because half of that keys will be used to generate the HMAC. The first 16 bytes
+will be used as the encryption key, and the last 16 bytes will be used to
+generate the HMAC.
 
-Using random data base64-encoded is the recommended way. You can easily generate keys by using the following command:
+Using random data base64-encoded is the recommended way. You can easily generate
+keys by using the following command:
 
 ```console
 $ dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64 -A
 qUjOJFgZsZbTICsN0TMkKqUvSgObYxnkHDsazTqE5tM=
 ```
 
-Include the result of this command in the `value` section of the key description in the keyring. Half this key is used for encryption, and half for the HMAC.
+Include the result of this command in the `value` section of the key description
+in the keyring. Half this key is used for encryption, and half for the HMAC.
 
 #### Key size
 
-The key size depends on the algorithm being used. The key size should be double the size as half of it is used for HMAC computation.
+The key size depends on the algorithm being used. The key size should be double
+the size as half of it is used for HMAC computation.
 
 - `aes-128-cbc`: 16 bytes (encryption) + 16 bytes (HMAC).
 - `aes-192-cbc`: 24 bytes (encryption) + 24 bytes (HMAC).
@@ -147,13 +189,25 @@ The key size depends on the algorithm being used. The key size should be double
 
 #### About the encrypted message
 
-Initialization vectors (IV) should be unpredictable and unique; ideally, they will be cryptographically random. They do not have to be secret: IVs are typically just added to ciphertext messages unencrypted. It may sound contradictory that something has to be unpredictable and unique, but does not have to be secret; it is important to remember that an attacker must not be able to predict ahead of time what a given IV will be.
+Initialization vectors (IV) should be unpredictable and unique; ideally, they
+will be cryptographically random. They do not have to be secret: IVs are
+typically just added to ciphertext messages unencrypted. It may sound
+contradictory that something has to be unpredictable and unique, but does not
+have to be secret; it is important to remember that an attacker must not be able
+to predict ahead of time what a given IV will be.
 
-With that in mind, _attr_keyring_ uses `base64(hmac(unencrypted iv + encrypted message) + unencrypted iv + encrypted message)` as the final message. If you're planning to migrate from other encryption mechanisms or read encrypted values from the database without using _attr_keyring_, make sure you account for this. The HMAC is 32-bytes long and the IV is 16-bytes long.
+With that in mind, _attr_keyring_ uses
+`base64(hmac(unencrypted iv + encrypted message) + unencrypted iv + encrypted message)`
+as the final message. If you're planning to migrate from other encryption
+mechanisms or read encrypted values from the database without using
+_attr_keyring_, make sure you account for this. The HMAC is 32-bytes long and
+the IV is 16-bytes long.
 
 ### Keyring
 
-Keys are managed through a keyring--a short JSON document describing your encryption keys. The keyring must be a JSON object mapping numeric ids of the keys to the key values. A keyring must have at least one key. For example:
+Keys are managed through a keyring--a short JSON document describing your
+encryption keys. The keyring must be a JSON object mapping numeric ids of the
+keys to the key values. A keyring must have at least one key. For example:
 
 ```json
 {
@@ -162,24 +216,30 @@ Keys are managed through a keyring--a short JSON document describing your encryp
 }
 ```
 
-The `id` is used to track which key encrypted which piece of data; a key with a larger id is assumed to be newer. The value is the actual bytes of the encryption key.
+The `id` is used to track which key encrypted which piece of data; a key with a
+larger id is assumed to be newer. The value is the actual bytes of the
+encryption key.
 
 #### Dynamically loading keyring
 
-If you're using Rails 5.2+, you can use credentials to define your keyring. Your `credentials.yml` must be define like the following:
+If you're using Rails 5.2+, you can use credentials to define your keyring. Your
+`credentials.yml` must be define like the following:
 
 ```yaml
+---
 user_keyring:
-  1: "QSXyoiRDPoJmfkJUZ4hJeQ=="
-  2: "r6AfOeilPDJomFsiOXLdfQ=="
+  "1": "QSXyoiRDPoJmfkJUZ4hJeQ=="
+  "2": "r6AfOeilPDJomFsiOXLdfQ=="
 ```
 
-Then you can setup your model by using `attr_keyring Rails.application.credentials.user_keyring`.
+Then you can setup your model by using
+`attr_keyring Rails.application.credentials.user_keyring`.
 
-Other possibilities (e.g. the keyring file is provided by configuration management):
+Other possibilities (e.g. the keyring file is provided by configuration
+management):
 
-- `attr_keyring YAML.load_file(keyring_file)`
-- `attr_keyring JSON.parse(File.read(keyring_file))`.
+- `attr_keyring YAML.load_file(keyring_file), digest_salt: "<custom salt>"`
+- `attr_keyring JSON.parse(File.read(keyring_file)), digest_salt: "<custom salt>"`.
 
 ### Lookup
 
@@ -189,17 +249,25 @@ One tricky aspect of encryption is looking up records by known secret. E.g.,
 User.where(email: "john@example.com")
 ```
 
-is trivial with plain text fields, but impossible with the model defined as above.
+is trivial with plain text fields, but impossible with the model defined as
+above.
 
-If a column `<attribute>_digest` exists, then a SHA1 digest from the value will be saved. This will allow you to lookup by that value instead and add unique indexes.
+If a column `<attribute>_digest` exists, then a SHA1 digest from the value will
+be saved. This will allow you to lookup by that value instead and add unique
+indexes. You don't have to use a hashing salt, but it's highly recommended; this
+way you can avoid leaking your users' info via rainbow tables.
 
 ```ruby
-User.where(email: Digest::SHA1.hexdigest("john@example.com"))
+User.where(email: User.keyring.digest("john@example.com")).first
 ```
 
 ### Key Rotation
 
-Because attr_keyring uses a keyring, with access to multiple keys at once, key rotation is fairly straightforward: if you add a key to the keyring with a higher id than any other key, that key will automatically be used for encryption when records are either created or updated. Any keys that are no longer in use can be safely removed from the keyring.
+Because attr_keyring uses a keyring, with access to multiple keys at once, key
+rotation is fairly straightforward: if you add a key to the keyring with a
+higher id than any other key, that key will automatically be used for encryption
+when records are either created or updated. Any keys that are no longer in use
+can be safely removed from the keyring.
 
 To check if an existing key with id `123` is still in use, run:
 
@@ -208,7 +276,8 @@ To check if an existing key with id `123` is still in use, run:
 User.where(keyring_id: 123).empty?
 ```
 
-You may not want to wait for records to be updated (e.g. key leaking). In that case, you can rollout a key rotation:
+You may not want to wait for records to be updated (e.g. key leaking). In that
+case, you can rollout a key rotation:
 
 ```ruby
 User.where(keyring_id: 1234).find_each do |user|
@@ -218,12 +287,18 @@ end
 
 ### What if I don't use ActiveRecord/Sequel?
 
-You can also leverage the encryption mechanism of `attr_keyring` totally decoupled from ActiveRecord/Sequel. First, make sure you load `keyring` instead. Then you can create a keyring to encrypt/decrypt strings, without even touching the database.
+You can also leverage the encryption mechanism of `attr_keyring` totally
+decoupled from ActiveRecord/Sequel. First, make sure you load `keyring` instead.
+Then you can create a keyring to encrypt/decrypt strings, without even touching
+the database.
 
 ```ruby
 require "keyring"
 
-keyring = Keyring.new("1" => "QSXyoiRDPoJmfkJUZ4hJeQ==")
+keyring = Keyring.new(
+  {"1" => "QSXyoiRDPoJmfkJUZ4hJeQ=="},
+  digest_salt: "<custom salt>"
+)
 
 encrypted, keyring_id, digest = keyring.encrypt("super secret")
 
@@ -244,26 +319,41 @@ puts decrypted
 
 ### Exchange data with Node.js
 
-If you use Node.js, you may be interested in <https://github.com/fnando/keyring-node>, which is able to read and write messages using the same format.
+If you use Node.js, you may be interested in
+<https://github.com/fnando/keyring-node>, which is able to read and write
+messages using the same format.
 
 ## Development
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+After checking out the repo, run `bin/setup` to install dependencies. Then, run
+`rake test` to run the tests. You can also run `bin/console` for an interactive
+prompt that will allow you to experiment.
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+To install this gem onto your local machine, run `bundle exec rake install`. To
+release a new version, update the version number in `version.rb`, and then run
+`bundle exec rake release`, which will create a git tag for the version, push
+git commits and tags, and push the `.gem` file to
+[rubygems.org](https://rubygems.org).
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/fnando/attr_keyring. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+Bug reports and pull requests are welcome on GitHub at
+https://github.com/fnando/attr_keyring. This project is intended to be a safe,
+welcoming space for collaboration, and contributors are expected to adhere to
+the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
 
 ## License
 
-The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+The gem is available as open source under the terms of the
+[MIT License](https://opensource.org/licenses/MIT).
 
 ## Icon
 
-Icon made by [Icongeek26](https://www.flaticon.com/authors/icongeek26) from [Flaticon](https://www.flaticon.com/) is licensed by Creative Commons BY 3.0.
+Icon made by [Icongeek26](https://www.flaticon.com/authors/icongeek26) from
+[Flaticon](https://www.flaticon.com/) is licensed by Creative Commons BY 3.0.
 
 ## Code of Conduct
 
-Everyone interacting in the attr_keyring project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/fnando/attr_keyring/blob/master/CODE_OF_CONDUCT.md).
+Everyone interacting in the attr_keyring project’s codebases, issue trackers,
+chat rooms and mailing lists is expected to follow the
+[code of conduct](https://github.com/fnando/attr_keyring/blob/main/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -16,4 +16,4 @@ task(:rubocop) do
   RuboCop::CLI.new.run(["--config", File.join(__dir__, ".rubocop.yml")])
 end
 
-task :default => [:test, :rubocop] # rubocop:disable Style/HashSyntax, Style/SymbolArray
+task default: %i[test rubocop]

data/attr_keyring.gemspec

@@ -12,15 +12,14 @@ Gem::Specification.new do |spec|
   spec.description   = spec.summary
   spec.homepage      = "https://github.com/fnando/attr_keyring"
   spec.license       = "MIT"
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.5.0")
 
-  # Specify which files should be added to the gem when it is released.
-  # The `git ls-files -z` loads the files in the RubyGem that have been added
-  # into git.
-  spec.files         = Dir.chdir(File.expand_path(__dir__)) do
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
     `git ls-files -z`
       .split("\x0")
       .reject {|f| f.match(%r{^(test|spec|features)/}) }
   end
+
   spec.bindir        = "exe"
   spec.executables   = spec.files.grep(%r{^exe/}) {|f| File.basename(f) }
   spec.require_paths = ["lib"]

data/gemfiles/{5_2.gemfile → 6_1.gemfile}

@@ -2,4 +2,4 @@
 
 source "https://rubygems.org"
 gemspec path: ".."
-gem "activerecord", "~> 5.2.0"
+gem "activerecord", "~> 6.1.0"

data/gemfiles/7_0.gemfile

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+gemspec path: ".."
+gem "activerecord", "~> 7.0.0.rc1"

data/lib/attr_keyring/active_record.rb

@@ -21,7 +21,7 @@ module AttrKeyring
           def reload(options = nil)
             instance = super
 
-            self.class.encrypted_attributes.each do |attribute|
+            self.class.encrypted_attributes.each do |attribute, _options|
               clear_decrypted_column_cache(attribute)
             end
 

data/lib/attr_keyring/encoders/json_encoder.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module AttrKeyring
+  module Encoders
+    module JSONEncoder
+      def self.dump(data)
+        ::JSON.dump(data)
+      end
+
+      def self.parse(data)
+        ::JSON.parse(data, symbolize_names: true)
+      end
+    end
+  end
+end

data/lib/attr_keyring/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AttrKeyring
-  VERSION = "0.5.4"
+  VERSION = "0.7.0"
 end

data/lib/attr_keyring.rb

@@ -3,6 +3,7 @@
 module AttrKeyring
   require "attr_keyring/version"
   require "keyring"
+  require "attr_keyring/encoders/json_encoder"
 
   def self.active_record
     require "attr_keyring/active_record"
@@ -20,13 +21,11 @@ module AttrKeyring
       include InstanceMethods
 
       class << self
-        attr_accessor :encrypted_attributes
-        attr_accessor :keyring
-        attr_accessor :keyring_column_name
+        attr_accessor :encrypted_attributes, :keyring, :keyring_column_name
       end
 
-      self.encrypted_attributes = []
-      self.keyring = Keyring.new({})
+      self.encrypted_attributes = {}
+      self.keyring = Keyring.new({}, digest_salt: "")
       self.keyring_column_name = :keyring_id
     end
   end
@@ -40,15 +39,16 @@ module AttrKeyring
       subclass.keyring_column_name = keyring_column_name
     end
 
-    def attr_keyring(keyring, encryptor: Keyring::Encryptor::AES::AES128CBC)
-      self.keyring = Keyring.new(keyring, encryptor)
+    def attr_keyring(keyring, options = {})
+      self.keyring = Keyring.new(keyring, options)
     end
 
-    def attr_encrypt(*attributes)
-      self.encrypted_attributes ||= []
-      encrypted_attributes.push(*attributes)
+    def attr_encrypt(*attributes, encoder: nil)
+      self.encrypted_attributes ||= {}
 
       attributes.each do |attribute|
+        encrypted_attributes[attribute.to_sym] = {encoder: encoder}
+
         define_attr_encrypt_writer(attribute)
         define_attr_encrypt_reader(attribute)
       end
@@ -72,6 +72,8 @@ module AttrKeyring
       clear_decrypted_column_cache(attribute)
       return reset_encrypted_column(attribute) unless encryptable_value?(value)
 
+      encoder = self.class.encrypted_attributes[attribute][:encoder]
+      value = encoder.dump(value) if encoder
       value = value.to_s
 
       previous_keyring_id = public_send(self.class.keyring_column_name)
@@ -88,6 +90,7 @@ module AttrKeyring
 
     private def attr_decrypt_column(attribute)
       cache_name = :"@#{attribute}"
+
       if instance_variable_defined?(cache_name)
         return instance_variable_get(cache_name)
       end
@@ -101,6 +104,9 @@ module AttrKeyring
         public_send(self.class.keyring_column_name)
       )
 
+      encoder = self.class.encrypted_attributes[attribute][:encoder]
+      decrypted_value = encoder.parse(decrypted_value) if encoder
+
       instance_variable_set(cache_name, decrypted_value)
     end
 
@@ -125,10 +131,13 @@ module AttrKeyring
 
       keyring_id = self.class.keyring.current_key.id
 
-      self.class.encrypted_attributes.each do |attribute|
+      self.class.encrypted_attributes.each do |attribute, options|
         value = public_send(attribute)
         next unless encryptable_value?(value)
 
+        encoder = options[:encoder]
+        value = encoder.dump(value) if encoder
+
         encrypted_value, _, digest = self.class.keyring.encrypt(value)
 
         public_send("encrypted_#{attribute}=", encrypted_value)

data/lib/keyring/encryptor/aes.rb

@@ -38,7 +38,10 @@ module Keyring
           expected_hmac = hmac_digest(key.signing_key, encrypted_payload)
 
           unless verify_signature(expected_hmac, hmac)
-            raise InvalidAuthentication, "Expected HMAC to be #{Base64.strict_encode64(expected_hmac)}; got #{Base64.strict_encode64(hmac)} instead" # rubocop:disable Metrics/LineLength
+            raise InvalidAuthentication,
+                  "Expected HMAC to be " \
+                  "#{Base64.strict_encode64(expected_hmac)}; " \
+                  "got #{Base64.strict_encode64(hmac)} instead"
           end
 
           cipher.iv = iv

data/lib/keyring/key.rb

@@ -5,7 +5,7 @@ module Keyring
     attr_reader :id, :signing_key, :encryption_key
 
     def initialize(id, key, key_size)
-      @id = Integer(id)
+      @id = Integer(id.to_s)
       @key_size = key_size
       @encryption_key, @signing_key = parse_key(key)
     end
@@ -20,7 +20,7 @@ module Keyring
       secret = decode_key(key, expected_key_size)
 
       unless secret.bytesize == expected_key_size
-        raise InvalidSecret, "Secret must be #{expected_key_size} bytes, instead got #{secret.bytesize}" # rubocop:disable Metrics/LineLength
+        raise InvalidSecret, "Secret must be #{expected_key_size} bytes, instead got #{secret.bytesize}" # rubocop:disable Layout/LineLength
       end
 
       signing_key = secret[0...@key_size]

data/lib/keyring.rb

@@ -12,10 +12,19 @@ module Keyring
   InvalidSecret = Class.new(StandardError)
   EmptyKeyring = Class.new(StandardError)
   InvalidAuthentication = Class.new(StandardError)
+  MissingDigestSalt = Class.new(StandardError) do
+    def message
+      %w[
+        Please provide :digest_salt;
+        you can disable this error by explicitly passing an empty string.
+      ].join(" ")
+    end
+  end
 
   class Base
-    def initialize(keyring, encryptor)
-      @encryptor = encryptor
+    def initialize(keyring, options)
+      @encryptor = options[:encryptor]
+      @digest_salt = options[:digest_salt]
       @keyring = keyring.map do |id, value|
         Key.new(id, value, @encryptor.key_size)
       end
@@ -44,13 +53,12 @@ module Keyring
 
     def encrypt(message, keyring_id = nil)
       keyring_id ||= current_key&.id
-      digest = Digest::SHA1.hexdigest(message)
       key = self[keyring_id]
 
       [
         @encryptor.encrypt(key, message),
         keyring_id,
-        digest
+        digest(message)
       ]
     end
 
@@ -58,9 +66,19 @@ module Keyring
       key = self[keyring_id]
       @encryptor.decrypt(key, message)
     end
+
+    def digest(message)
+      Digest::SHA1.hexdigest("#{message}#{@digest_salt}")
+    end
   end
 
-  def self.new(keyring, encryptor = Encryptor::AES::AES128CBC)
-    Base.new(keyring, encryptor)
+  def self.new(keyring, options = {})
+    options = {
+      encryptor: Encryptor::AES::AES128CBC
+    }.merge(options)
+
+    raise MissingDigestSalt if options[:digest_salt].nil?
+
+    Base.new(keyring, options)
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: attr_keyring
 version: !ruby/object:Gem::Version
-  version: 0.5.4
+  version: 0.7.0
 platform: ruby
 authors:
 - Nando Vieira
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-11-27 00:00:00.000000000 Z
+date: 2022-07-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -185,9 +185,11 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/FUNDING.yml"
+- ".github/dependabot.yml"
+- ".github/workflows/tests.yml"
 - ".gitignore"
 - ".rubocop.yml"
-- ".travis.yml"
 - CODE_OF_CONDUCT.md
 - Gemfile
 - LICENSE.txt
@@ -201,10 +203,12 @@ files:
 - examples/active_record_sample.rb
 - examples/keyring_sample.rb
 - examples/sequel_sample.rb
-- gemfiles/5_2.gemfile
 - gemfiles/6_0.gemfile
+- gemfiles/6_1.gemfile
+- gemfiles/7_0.gemfile
 - lib/attr_keyring.rb
 - lib/attr_keyring/active_record.rb
+- lib/attr_keyring/encoders/json_encoder.rb
 - lib/attr_keyring/sequel.rb
 - lib/attr_keyring/version.rb
 - lib/keyring.rb
@@ -214,7 +218,7 @@ homepage: https://github.com/fnando/attr_keyring
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -222,15 +226,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.3.7
+signing_key:
 specification_version: 4
 summary: Simple encryption-at-rest plugin for ActiveRecord.
 test_files: []

data/.travis.yml

@@ -1,25 +0,0 @@
----
-
-language: ruby
-cache: bundler
-sudo: false
-notifications:
-  email: false
-rvm:
-  - 2.6.5
-  - 2.5.7
-services:
-  - postgresql
-gemfiles:
-  - gemfiles/6_0.gemfile
-  - gemfiles/5_2.gemfile
-before_script:
-  - createdb test
-  - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
-  - chmod +x ./cc-test-reporter
-  - "./cc-test-reporter before-build"
-after_script:
-  - "./cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT"
-env:
-  global:
-    secure: c0y7opFgX78UQL0dVq2gciMr3Ca4y4Aw4cSbQMnUwGecwuzOPUhjV98yy4b6EpQ0bLVbVcSPtx/PCVV750nxJPQsz9tWS0yGxQPBXuh2w0AX+ErYJVYaF6+hTjovEiHB86Q9g8YCD29CIMLZs2yeUrB+ORJWQcuAn8fw475Zskk8d8BWqR8CDdonFKlwS0Bx6rOqkyVy0JiNbOM4+trV/RzrNC+dc1geqOo45ceTYiGzkkMU1XANjNhzl/v0DYtCWLF/Dj1s8da96btqU6msZDfsBM73zKWtu0KJMnzqa8Ba4Tjc39kd2ro6Zb22cELBdXOFBvNCAEjbmZIaJ2OC45fES1OGZnB66SjAScdVdxKy2jOWjlFvrRiHu3Zrbl5tFTEaJ/PMHueQn4AzneK1wU2kzjq5iCwBZtMp/iJtCvz0V6qBt77qJe65YuENhcj26cDMqQkhKd0QBTWNs8r02KY3HFKcprgM+2TXxVSvfDu2cbiMInvc3K+uFNnEbu/1piTyStKWGd64WHixV6CEFpHxLU04IUNB62mSvUZtZ6V782X9kawoRyUg6lWvXmnGUUvczdJdpSR5/3gVXOWHireYy/qA6Zqoup27PPoaNgnKCa/fWvN/aJDvrGJb9OWpiK8DGi6T35V5gtDF+vd8mVzyPnYJznlWLgA5m7FSzLg=