attr_secure 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a9f970443168e1a32a5bdb022ef5e74acedc5803
-  data.tar.gz: a247cfc9a807256e6f8003346d28c08ffb4c4b5a
+  metadata.gz: 3e6810f8e6b2500a0fd71a8d2cd2755bbab0759f
+  data.tar.gz: b9d9017ec05194584f60af544a3564ba1f26cfc1
 SHA512:
-  metadata.gz: 7b204d25fcbab4c785c7993d8fb65dade0369d73b10c27cbfbf39020a97020ac3809800148b2039bd586d268c9bac113ee26c755648763728dad23a6279eb438
-  data.tar.gz: e9c3c0dbb2a835e38ea9e970e0d561ecb41964f8d418522de45469c38e51193c81b3e464b42c9c495fb29d2feb96df23cb76cd6cc693cce81cc46259d74e989f
+  metadata.gz: df04a6247b167ff02122d97de4498cf2c89d2b3277799382985bab5e5a97f920a7b4847fb5ff789513da857a56252b5137145f548affed24fa7afcf1516d011f
+  data.tar.gz: 05418d708166a33ee050a171cdbe422373f54c1130e4f17334c12d5d93dc3fba9291a4052151136617e99457d6cefb5ebc4faddde5ec0b10c92ac0d483b1e49b

data/README.md

@@ -38,16 +38,22 @@ Or install it yourself as:
 
 ## Usage
 
-To make an model attribute secure, first create a key:
+To make an model attribute secure, first you need a secure key:
 
     dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64
 
-and add it to your environment as `ATTR_SECURE_SECRET`.
-Then mark an attribute as secure:
+There's a number of ways of setting a key for a given attribute.  The easiest is to default the key via the environment.  
+Setting the environment variable `ATTR_SECURE_SECRET` to a secret value will secure all attributes with the same key.
 
-    attr_secure :my_attribute
+Alternatively, if you want to use different keys for different attributes you can do this too:
 
-and read and write as normal (see above example)
+    attr_secure :my_attribute, :secret => "EKq88AMFeRLqEx5knUcoJ4LOnrv52d7hfAFgEKMoDKzqNei4m7kbu"
+    
+If you would like your key dependent on something else, a lambda is OK too:
+
+    attr_secure :my_attribute, :secret => lambda {|record| record.user.secret }
+    
+Remember kids, it's not a good idea to hard-code secrets.
 
 Note: You will want to set your table columns for encrypted values to :text or
 similar.  Encrypted values are long.

data/lib/attr_secure.rb

@@ -1,38 +1,53 @@
 require "attr_secure/version"
-require 'fernet'
+require 'attr_secure/secure'
+require 'attr_secure/secret'
 
 require 'attr_secure/adapters/ruby'
 require 'attr_secure/adapters/active_record'
 require 'attr_secure/adapters/sequel'
 
-Fernet::Configuration.run do |config|
-  config.enforce_ttl = false
-end
-
 module AttrSecure
   #
   # All the available adapters.
   # The order in this list matters, as only the first valid adapter will be used
   #
   ADAPTERS = [
-    AttrSecure::Adapters::Sequel,
     AttrSecure::Adapters::ActiveRecord,
+    AttrSecure::Adapters::Sequel,
     AttrSecure::Adapters::Ruby
   ]
 
-  def attr_secure(attribute, encryption_class = Secure.new)
+  # Generates attr_accessors that encrypt and decrypt attributes transparently
+  def attr_secure(*attributes)
+    options = {
+      :encryption_class => Secure,
+      :secret_class     => Secret,
+      :env              => ENV
+    }.merge!(attributes.last.is_a?(Hash) ? attributes.pop : {})
+
+    attribute = attributes.first
+
     define_method("#{attribute}=") do |value|
-      encrypted_value = encryption_class.encrypt(value.nil? ? nil : value)
-      self.class.attr_secure_adapter.write_attribute self, attribute, encrypted_value
+      adapter = self.class.attr_secure_adapter
+      secret  = options[:secret_class].new(options).call(self)
+      crypter = options[:encryption_class].new(secret)
+      value   = crypter.encrypt(value)
+
+      adapter.write_attribute self, attribute, value
     end
 
     define_method("#{attribute}") do
-      encrypted_value = self.class.attr_secure_adapter.read_attribute(self, attribute)
-      encryption_class.decrypt encrypted_value
+      adapter = self.class.attr_secure_adapter
+      secret  = options[:secret_class].new(options).call(self)
+      crypter = options[:encryption_class].new(secret)
+      value   = adapter.read_attribute(self, attribute)
+
+      crypter.decrypt value
     end
   end
 
   def attr_secure_adapter
     ADAPTERS.find {|a| a.valid?(self) }
   end
+
 end

data/lib/attr_secure/adapters/active_record.rb

@@ -1,5 +1,3 @@
-require 'attr_secure/secure'
-
 module AttrSecure
   module Adapters
     module ActiveRecord

data/lib/attr_secure/adapters/ruby.rb

@@ -1,5 +1,3 @@
-require 'attr_secure/secure'
-
 module AttrSecure
   module Adapters
     module Ruby

data/lib/attr_secure/adapters/sequel.rb

@@ -1,5 +1,3 @@
-require 'attr_secure/secure'
-
 module AttrSecure
   module Adapters
     module Sequel
@@ -9,11 +7,11 @@ module AttrSecure
       end
 
       def self.write_attribute(object, attribute, value)
-        object[attribute] = value
+        object[attribute.to_sym] = value
       end
 
       def self.read_attribute(object, attribute)
-        object[attribute]
+        object[attribute.to_sym]
       end
     end
   end

data/lib/attr_secure/secret.rb

@@ -0,0 +1,23 @@
+module AttrSecure
+  class Secret
+
+    def initialize(options)
+      @secret, @env = options.values_at(:secret, :env)
+    end
+
+    def call(object=nil)
+      if secret.respond_to?(:call)
+        secret.call(object)
+      else
+        secret || env!('ATTR_SECURE_SECRET')
+      end
+    end
+
+    private
+    attr_reader :secret, :env
+
+    def env!(key)
+      env.fetch(key) { raise("Missing ENV(#{key})") }
+    end
+  end
+end

data/lib/attr_secure/secure.rb

@@ -1,30 +1,27 @@
+require 'fernet'
+
+Fernet::Configuration.run do |config|
+  config.enforce_ttl = false
+end
+
 module AttrSecure
   class Secure
-    attr_reader :env
+    attr_reader :secret
 
-    def initialize(env=ENV)
-      @env = env
+    def initialize(secret)
+      @secret = secret
     end
 
     def encrypt(value)
-      Fernet.generate(attr_secure_secret) do |generator|
+      Fernet.generate(secret) do |generator|
         generator.data = { value: value }
       end
     end
 
     def decrypt(value)
       return nil if value.nil?
-      verifier = Fernet.verifier(attr_secure_secret, value)
+      verifier = Fernet.verifier(secret, value)
       verifier.data['value'] if verifier.valid?
     end
-
-    private
-    def env!(key)
-      env.fetch(key) { raise("Missing ENV(#{key})") }
-    end
-
-    def attr_secure_secret
-      env!('ATTR_SECURE_SECRET')
-    end
   end
 end

data/lib/attr_secure/version.rb

@@ -1,3 +1,3 @@
 module AttrSecure
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/spec/adapters/active_record_spec.rb

@@ -1,30 +1,34 @@
 require 'spec_helper'
 
 describe AttrSecure::Adapters::ActiveRecord do
-  let(:described)   { Class.new(ActiveRecord::Base) }
-  subject           { described.new }
-  let(:secure_mock) { double(AttrSecure::Secure) }
+  let(:described) { Class.new(ActiveRecord::Base) }
+  subject         { described.new }
 
   before do
     described.table_name = 'fake_database'
-    described.extend(AttrSecure)
-    described.attr_secure :title, secure_mock
   end
 
-  it 'has active record as it\'s adapter' do
-    expect(described.attr_secure_adapter).to eq(AttrSecure::Adapters::ActiveRecord)
+  describe "valid?" do
+    it "should be valid" do
+      expect(described_class.valid?(described)).to be_true
+    end
+
+    it "should not be valid" do
+      expect(described_class.valid?(String)).to be_false
+    end
   end
 
-  it 'encrypts' do
-    secure_mock.should_receive(:encrypt).with('hello').and_return('encrypted')
-    subject.title = 'hello'
-    expect(subject.attributes['title']).to eq('encrypted')
+  describe "write attribute" do
+    it "should write an attribute" do
+      described_class.write_attribute(subject, 'title', 'hello')
+      expect(subject.title).to eq('hello')
+    end
   end
 
-  it 'decrypts' do
-    secure_mock.should_receive(:encrypt).with('hello').and_return('encrypted')
-    subject.title = 'hello'
-    secure_mock.should_receive(:decrypt).with('encrypted').and_return('decrypted')
-    expect(subject.title).to eq('decrypted')
+  describe "read attribute" do
+    it "should read an instance variable" do
+      subject.title = 'world'
+      expect(described_class.read_attribute(subject, 'title')).to eq('world')
+    end
   end
 end

data/spec/adapters/ruby_spec.rb

@@ -1,29 +1,25 @@
 require 'spec_helper'
 
 describe AttrSecure::Adapters::Ruby do
-  let(:described)   { Class.new }
-  subject           { described.new }
-  let(:secure_mock) { double(AttrSecure::Secure) }
+  subject { Class.new }
 
-  before do
-    described.extend(AttrSecure)
-    described.attr_secure :foo, secure_mock
+  describe "valid?" do
+    it "should be valid all the time" do
+      expect(described_class.valid?(String)).to be_true
+    end
   end
 
-  it 'has ruby as it\'s adapter' do
-    expect(described.attr_secure_adapter).to eq(AttrSecure::Adapters::Ruby)
+  describe "write attribute" do
+    it "should set the instance variable" do
+      described_class.write_attribute(subject, 'secure', 'hello')
+      expect(subject.instance_variable_get("@secure")).to eql('hello')
+    end
   end
 
-  it 'encrypts' do
-    secure_mock.should_receive(:encrypt).with('hello').and_return('encrypted')
-    subject.foo = 'hello'
-    expect(subject.instance_variable_get(:@foo)).to eq('encrypted')
-  end
-
-  it 'decrypts' do
-    secure_mock.should_receive(:encrypt).with('hello').and_return('encrypted')
-    subject.foo = 'hello'
-    secure_mock.should_receive(:decrypt).with('encrypted').and_return('decrypted')
-    expect(subject.foo).to eq('decrypted')
+  describe "read attribute" do
+    it "should read an instance variable" do
+      subject.instance_variable_set("@secure", 'world')
+      expect(described_class.read_attribute(subject, 'secure')).to eq('world')
+    end
   end
 end

data/spec/adapters/sequel_spec.rb

@@ -1,30 +1,34 @@
 require 'spec_helper'
 
 describe AttrSecure::Adapters::Sequel do
-  let(:described)   { Class.new(Sequel::Model) }
-  subject           { described.new }
-  let(:secure_mock) { double(AttrSecure::Secure) }
+  let(:described) { Class.new(Sequel::Model) }
+  subject         { described.new }
 
   before do
     described.set_dataset(:fake_database)
-    described.extend(AttrSecure)
-    described.attr_secure :title, secure_mock
   end
 
-  it 'has sequel as it\'s adapter' do
-    expect(described.attr_secure_adapter).to eq(AttrSecure::Adapters::Sequel)
+  describe "valid?" do
+    it "should be valid" do
+      expect(described_class.valid?(described)).to be_true
+    end
+
+    it "should not be valid" do
+      expect(described_class.valid?(String)).to be_false
+    end
   end
 
-  it 'encrypts' do
-    secure_mock.should_receive(:encrypt).with('hello').and_return('encrypted')
-    subject.title = 'hello'
-    expect(subject.values[:title]).to eq('encrypted')
+  describe "write attribute" do
+    it "should write an attribute" do
+      described_class.write_attribute(subject, 'title', 'hello')
+      expect(subject.title).to eq('hello')
+    end
   end
 
-  it 'decrypts' do
-    secure_mock.should_receive(:encrypt).with('hello').and_return('encrypted')
-    subject.title = 'hello'
-    secure_mock.should_receive(:decrypt).with('encrypted').and_return('decrypted')
-    expect(subject.title).to eq('decrypted')
+  describe "read attribute" do
+    it "should read an instance variable" do
+      subject.title = 'world'
+      expect(described_class.read_attribute(subject, 'title')).to eq('world')
+    end
   end
 end

data/spec/attr_secure_spec.rb

@@ -0,0 +1,77 @@
+require 'spec_helper'
+
+describe AttrSecure do
+  describe "reading and writing attributes" do
+    subject           { described.new }
+    let(:described)   { Class.new }
+    let(:secure_mock) { double(AttrSecure::Secure) }
+    let(:secret_mock) { double(AttrSecure::Secret) }
+    let(:crypter)     { mock(:secure_crypter) }
+    let(:adapter)     { mock(:adapter) }
+
+    before do
+      described.extend(AttrSecure)
+      described.attr_secure :foo,
+        encryption_class: secure_mock,
+        secret_class:     secret_mock
+
+      secret_mock.stub_chain(:new, :call).and_return('secret token')
+      secure_mock.should_receive(:new).with('secret token').and_return(crypter)
+      described.stub(:attr_secure_adapter).and_return(adapter)
+    end
+
+    describe "set the attribute" do
+      it "should set the attribute encrypted" do
+        crypter.should_receive(:encrypt).with('decrypted').and_return('encrypted')
+        adapter.should_receive(:write_attribute).with(subject, :foo, 'encrypted')
+        subject.foo = 'decrypted'
+      end
+    end
+
+    describe "read the attribute" do
+      it "should read an encrypted attribute" do
+        adapter.should_receive(:read_attribute).with(subject, :foo).and_return('encrypted')
+        crypter.should_receive(:decrypt).with('encrypted').and_return('decrypted')
+        expect(subject.foo).to eq('decrypted')
+      end
+    end
+  end
+
+  describe "retrieving the adapter" do
+    describe "ruby" do
+      subject { Class.new }
+
+      before do
+        subject.extend(AttrSecure)
+      end
+
+      it "should get the adapter" do
+        expect(subject.attr_secure_adapter).to eq(AttrSecure::Adapters::Ruby)
+      end
+    end
+
+    describe "active record" do
+      subject { Class.new(ActiveRecord::Base) }
+
+      before do
+        subject.extend(AttrSecure)
+      end
+
+      it "should get the adapter" do
+        expect(subject.attr_secure_adapter).to eq(AttrSecure::Adapters::ActiveRecord)
+      end
+    end
+
+    describe "ruby" do
+      subject { Class.new(Sequel::Model) }
+
+      before do
+        subject.extend(AttrSecure)
+      end
+
+      it "should get the adapter" do
+        expect(subject.attr_secure_adapter).to eq(AttrSecure::Adapters::Sequel)
+      end
+    end
+  end
+end

data/spec/secret_spec.rb

@@ -0,0 +1,31 @@
+require 'spec_helper'
+
+describe AttrSecure::Secret do
+  let(:env)     { {'ATTR_SECURE_SECRET' => 'environment secret' } }
+  let(:options) { {secret: secret, env: env} }
+  subject       { described_class.new(options) }
+
+  describe "with a nil secret" do
+    let(:secret) { nil }
+
+    it "should use the env variable" do
+      expect(subject.call).to eq('environment secret')
+    end
+  end
+
+  describe "with a string secret" do
+    let(:secret) { 'string secret' }
+
+    it "should use the string" do
+      expect(subject.call).to eq('string secret')
+    end
+  end
+
+  describe "with a lambda secret" do
+    let(:secret) { lambda {|o| o } }
+
+    it "should use the lambda" do
+      expect(subject.call('lambda secret')).to eq('lambda secret')
+    end
+  end
+end

data/spec/secure_spec.rb

@@ -1,8 +1,8 @@
 require 'spec_helper'
 
 describe AttrSecure::Secure do
-  subject     { described_class.new({'ATTR_SECURE_SECRET' => token}) }
-  let(:token) { 'fWSvpC6Eh1/FFE1TUgXpcEzMmmGc9IZSqoexzEslzKI=' }
+  subject      { described_class.new(secret) }
+  let(:secret) { 'fWSvpC6Eh1/FFE1TUgXpcEzMmmGc9IZSqoexzEslzKI=' }
 
   describe 'encrypt' do
     it "should encrypt a string" do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: attr_secure
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Neil Middleton
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-06-04 00:00:00.000000000 Z
+date: 2013-06-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -112,11 +112,14 @@ files:
 - lib/attr_secure/adapters/active_record.rb
 - lib/attr_secure/adapters/ruby.rb
 - lib/attr_secure/adapters/sequel.rb
+- lib/attr_secure/secret.rb
 - lib/attr_secure/secure.rb
 - lib/attr_secure/version.rb
 - spec/adapters/active_record_spec.rb
 - spec/adapters/ruby_spec.rb
 - spec/adapters/sequel_spec.rb
+- spec/attr_secure_spec.rb
+- spec/secret_spec.rb
 - spec/secure_spec.rb
 - spec/spec_helper.rb
 - spec/support/load_active_record.rb
@@ -149,6 +152,8 @@ test_files:
 - spec/adapters/active_record_spec.rb
 - spec/adapters/ruby_spec.rb
 - spec/adapters/sequel_spec.rb
+- spec/attr_secure_spec.rb
+- spec/secret_spec.rb
 - spec/secure_spec.rb
 - spec/spec_helper.rb
 - spec/support/load_active_record.rb