attr_keyring 0.7.0 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4a1335e867e0b79f0f8082b6cceaa30e40feeb7a9cb140dbb133989ad47af66f
-  data.tar.gz: fa5803034ce08ff55f515fc87e774eeb16b96597e229f55266bfdafd51225dd0
+  metadata.gz: 48738717eed1a26ac48bc94857c835d729794b22a5d79a55aaa41a0d6fe9d788
+  data.tar.gz: 37f7c705a1cb47d21a3bcab81c0f0d644eb572553c06e117b41e599fdaf14d10
 SHA512:
-  metadata.gz: 1d2bc02c88a3871191cc41e32707452f1df9c50040991a8b09394d06a7a06d83a84b3574ac2e1e291e41cb8525d190213e31066eb9922440bbbe3426271829eb
-  data.tar.gz: '00086d53fd3bd74cc0ab4a1e5b511b02ddb081dc01531df75999461200c15b5e87069e0b38eb62f5c353ed121cb8f4657ec1e130aebfc0d254528a9365896389'
+  metadata.gz: f03879a674680dde8cfddee663e7fee8a0b72132d79022a655635b9a8808a5e29c77515a8e3aeef4f4fe23343e5507191434b0520f357b49c4592155571843b0
+  data.tar.gz: 6bcb69b86dfd9a23389a703f370d62de3c71159faf85534916a97747cda3619cbc1c196cd17878636fc46f9fcdcf0c9872a64d773f4490dec730aa79c6a1e5c3

data/.github/workflows/tests.yml

@@ -14,11 +14,11 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby: ["2.7", "3.0", "3.1"]
+        ruby: ["3.0", "3.1", "3.2"]
         gemfile:
+          - gemfiles/7_1.gemfile
           - gemfiles/7_0.gemfile
           - gemfiles/6_1.gemfile
-          - gemfiles/6_0.gemfile
 
     services:
       postgres:
@@ -29,9 +29,9 @@ jobs:
           --health-retries 5
 
     steps:
-      - uses: actions/checkout@v3.0.2
+      - uses: actions/checkout@v4.1.7
 
-      - uses: actions/cache@v3.0.1
+      - uses: actions/cache@v4.0.2
         with:
           path: vendor/bundle
           key: >

data/.rubocop.yml

@@ -3,20 +3,14 @@ inherit_gem:
   rubocop-fnando: .rubocop.yml
 
 AllCops:
-  TargetRubyVersion: 2.5
+  TargetRubyVersion: 3.3
   Exclude:
     - vendor/**/*
     - gemfiles/**/*
 
-Metrics/AbcSize:
-  Enabled: false
-
 Layout/LineLength:
   Exclude:
     - test/**/*
 
-Metrics/MethodLength:
-  Enabled: false
-
-Metrics/ClassLength:
+Minitest/NoAssertions:
   Enabled: false

data/README.md

@@ -60,8 +60,8 @@ puts "✉️ #{decrypted}"
 
 #### Change encryption algorithm
 
-You can choose between `AES-128-CBC`, `AES-192-CBC` and `AES-256-CBC`. By
-default, `AES-128-CBC` will be used.
+You can choose between `AES-128-CBC`, `AES-192-CBC`, `AES-256-CBC`, and
+`AES-256-GCM`. By default, `AES-128-CBC` will be used.
 
 To specify the encryption algorithm, set the `encryption` option. The following
 example uses `AES-256-CBC`.
@@ -186,6 +186,7 @@ the size as half of it is used for HMAC computation.
 - `aes-128-cbc`: 16 bytes (encryption) + 16 bytes (HMAC).
 - `aes-192-cbc`: 24 bytes (encryption) + 24 bytes (HMAC).
 - `aes-256-cbc`: 32 bytes (encryption) + 32 bytes (HMAC).
+- `aes-256-gcm`: 32 bytes (encryption) + 32 bytes (HMAC).
 
 #### About the encrypted message
 

data/attr_keyring.gemspec

@@ -12,7 +12,7 @@ Gem::Specification.new do |spec|
   spec.description   = spec.summary
   spec.homepage      = "https://github.com/fnando/attr_keyring"
   spec.license       = "MIT"
-  spec.required_ruby_version = Gem::Requirement.new(">= 2.5.0")
+  spec.required_ruby_version = Gem::Requirement.new(">= 3.3.0")
 
   spec.files = Dir.chdir(File.expand_path(__dir__)) do
     `git ls-files -z`

data/gemfiles/7_0.gemfile

@@ -2,4 +2,4 @@
 
 source "https://rubygems.org"
 gemspec path: ".."
-gem "activerecord", "~> 7.0.0.rc1"
+gem "activerecord", "~> 7.0.0"

data/gemfiles/{6_0.gemfile → 7_1.gemfile}

@@ -2,4 +2,4 @@
 
 source "https://rubygems.org"
 gemspec path: ".."
-gem "activerecord", "~> 6.0.0"
+gem "activerecord", "~> 7.1.0"

data/lib/attr_keyring/active_record.rb

@@ -21,7 +21,7 @@ module AttrKeyring
           def reload(options = nil)
             instance = super
 
-            self.class.encrypted_attributes.each do |attribute, _options|
+            self.class.encrypted_attributes.each_key do |attribute|
               clear_decrypted_column_cache(attribute)
             end
 

data/lib/attr_keyring/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AttrKeyring
-  VERSION = "0.7.0"
+  VERSION = "0.8.0"
 end

data/lib/attr_keyring.rb

@@ -55,7 +55,7 @@ module AttrKeyring
     end
 
     def define_attr_encrypt_writer(attribute)
-      define_method("#{attribute}=") do |value|
+      define_method(:"#{attribute}=") do |value|
         attr_encrypt_column(attribute, value)
       end
     end
@@ -80,12 +80,12 @@ module AttrKeyring
       encrypted_value, keyring_id, digest =
         self.class.keyring.encrypt(value, previous_keyring_id)
 
-      public_send("#{self.class.keyring_column_name}=", keyring_id)
-      public_send("encrypted_#{attribute}=", encrypted_value)
+      public_send(:"#{self.class.keyring_column_name}=", keyring_id)
+      public_send(:"encrypted_#{attribute}=", encrypted_value)
 
-      return unless respond_to?("#{attribute}_digest=")
+      return unless respond_to?(:"#{attribute}_digest=")
 
-      public_send("#{attribute}_digest=", digest)
+      public_send(:"#{attribute}_digest=", digest)
     end
 
     private def attr_decrypt_column(attribute)
@@ -95,7 +95,7 @@ module AttrKeyring
         return instance_variable_get(cache_name)
       end
 
-      encrypted_value = public_send("encrypted_#{attribute}")
+      encrypted_value = public_send(:"encrypted_#{attribute}")
 
       return unless encrypted_value
 
@@ -119,9 +119,9 @@ module AttrKeyring
     end
 
     private def reset_encrypted_column(attribute)
-      public_send("encrypted_#{attribute}=", nil)
-      if respond_to?("#{attribute}_digest=")
-        public_send("#{attribute}_digest=", nil)
+      public_send(:"encrypted_#{attribute}=", nil)
+      if respond_to?(:"#{attribute}_digest=")
+        public_send(:"#{attribute}_digest=", nil)
       end
       nil
     end
@@ -140,14 +140,14 @@ module AttrKeyring
 
         encrypted_value, _, digest = self.class.keyring.encrypt(value)
 
-        public_send("encrypted_#{attribute}=", encrypted_value)
+        public_send(:"encrypted_#{attribute}=", encrypted_value)
 
-        if respond_to?("#{attribute}_digest")
-          public_send("#{attribute}_digest=", digest)
+        if respond_to?(:"#{attribute}_digest")
+          public_send(:"#{attribute}_digest=", digest)
         end
       end
 
-      public_send("#{self.class.keyring_column_name}=", keyring_id)
+      public_send(:"#{self.class.keyring_column_name}=", keyring_id)
     end
 
     private def encryptable_value?(value)

data/lib/keyring/encryptor/aes.rb

@@ -12,29 +12,35 @@ module Keyring
           @key_size ||= build_cipher.key_len
         end
 
+        def self.support_auth_data?
+          false
+        end
+
         def self.encrypt(key, message)
           cipher = build_cipher
           cipher.encrypt
           iv = cipher.random_iv
           cipher.iv  = iv
           cipher.key = key.encryption_key
+          cipher.auth_data = "" if support_auth_data?
           encrypted = cipher.update(message) + cipher.final
-          hmac = hmac_digest(key.signing_key, "#{iv}#{encrypted}")
+          auth_tag = ""
+          auth_tag = cipher.auth_tag if support_auth_data?
+          hmac = hmac_digest(key.signing_key, "#{auth_tag}#{iv}#{encrypted}")
 
-          Base64.strict_encode64("#{hmac}#{iv}#{encrypted}")
+          Base64.strict_encode64("#{hmac}#{auth_tag}#{iv}#{encrypted}")
         end
 
         def self.decrypt(key, message)
           cipher = build_cipher
+          iv_size = cipher.random_iv.size
           cipher.decrypt
 
           message = Base64.strict_decode64(message)
 
           hmac = message[0...32]
-          encrypted_payload = message[32..-1]
-          iv = encrypted_payload[0...16]
-          encrypted = encrypted_payload[16..-1]
 
+          encrypted_payload = message[32..-1]
           expected_hmac = hmac_digest(key.signing_key, encrypted_payload)
 
           unless verify_signature(expected_hmac, hmac)
@@ -44,8 +50,19 @@ module Keyring
                   "got #{Base64.strict_encode64(hmac)} instead"
           end
 
+          auth_tag = ""
+          auth_tag = encrypted_payload[0...16] if support_auth_data?
+          iv = encrypted_payload[auth_tag.size...(auth_tag.size + iv_size)]
+          encrypted = encrypted_payload[(auth_tag.size + iv_size)..-1]
+
           cipher.iv = iv
           cipher.key = key.encryption_key
+
+          if support_auth_data?
+            cipher.auth_data = ""
+            cipher.auth_tag = auth_tag
+          end
+
           cipher.update(encrypted) + cipher.final
         end
 
@@ -80,6 +97,16 @@ module Keyring
           "AES-256-CBC"
         end
       end
+
+      class AES256GCM < Base
+        def self.cipher_name
+          "AES-256-GCM"
+        end
+
+        def self.support_auth_data?
+          true
+        end
+      end
     end
   end
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: attr_keyring
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.8.0
 platform: ruby
 authors:
 - Nando Vieira
-autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-07-23 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -203,9 +202,9 @@ files:
 - examples/active_record_sample.rb
 - examples/keyring_sample.rb
 - examples/sequel_sample.rb
-- gemfiles/6_0.gemfile
 - gemfiles/6_1.gemfile
 - gemfiles/7_0.gemfile
+- gemfiles/7_1.gemfile
 - lib/attr_keyring.rb
 - lib/attr_keyring/active_record.rb
 - lib/attr_keyring/encoders/json_encoder.rb
@@ -218,7 +217,6 @@ homepage: https://github.com/fnando/attr_keyring
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -226,15 +224,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.5.0
+      version: 3.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
-signing_key:
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Simple encryption-at-rest plugin for ActiveRecord.
 test_files: []