attr_vault 0.2.1 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e5fb84d6365f1c3a98cf46d1033cb50a3d15fb84
-  data.tar.gz: e0dec5b5e5a06425a9ec2c84464defe8881132df
+  metadata.gz: 9fcb265c898624cea0181abc4fcc39589e95014e
+  data.tar.gz: 75ea676dfabd0e3fea0c2436d48234539381a789
 SHA512:
-  metadata.gz: 95f82a2d0f96fc20d7b3806c17c2c9cc30424eca24890215b298a9a6d99a78f6263fd3bd9504744460b9f9cdf211511d7e8b653f02e8147002af38fe764835b3
-  data.tar.gz: 9c12a178ecefff35146d55823c95dd16351318fefa1991b0c9c799e26cba941dcbe4613cad8d5158110c41c095e42022143f94860483a8eb5123fa9e14213540
+  metadata.gz: f33061f44368a2c3c30b8d14ed0a80aec258180dde3cc25b2df8c512db396eb491ba86d7ff5fb5a15e84128c5cb2c88f4423c2632fe4876eae2fefa57ceb20aa
+  data.tar.gz: 292c8f1a98d7f472d9faeeda946b593e498ecd3a44d649d3025b6013b59ebaa0a8c96139d18be9f4198a6a4fac4ac0d1b65b87efa96f18128d53b5e8a8001cf8

data/.ruby-version

@@ -1 +1 @@
-2.2.2
+2.4.0

data/.travis.yml

@@ -1,12 +1,13 @@
 language: ruby
 cache: bundler
-before_script: createdb attr_vault
+before_script: createdb -U postgres attr_vault
+dist: trusty
 sudo: false
 script: DATABASE_URL="postgres:///attr_vault" bundle exec rspec
 addons:
-  postgresql: "9.3"
+  postgresql: "9.6"
 env:
 rvm:
-  - 2.2.2
+  - 2.4.0
 notifications:
   email: false

data/Gemfile

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-ruby '2.2.2'
+ruby '2.4.0'
 
 # Specify your gem's dependencies in attr_vault.gemspec
 gemspec

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    attr_vault (0.2.1)
+    attr_vault (1.0.0)
       pg (~> 0.18)
       sequel (~> 4.13)
 
@@ -32,7 +32,7 @@ DEPENDENCIES
   rspec (~> 3.0)
 
 RUBY VERSION
-   ruby 2.2.2p95
+   ruby 2.4.0p0
 
 BUNDLED WITH
-   1.14.5
+   1.14.4

data/README.md

@@ -49,81 +49,6 @@ key with a larger id is assumed to be newer. The `value` is the actual
 bytes of the encryption key, used for encryption and verification: see
 below.
 
-#### Legacy keyrings
-
-A legacy keyring format is also supported for backwards
-compatibility. The keyring must be a JSON array of objects with the
-fields `id`, `created_at`, and `value`, and also must have at least
-one key:
-
-```json
-[
-  {
-    "id": "1380e471-038e-459a-801d-10e7988ee6a3",
-    "created_at": "2016-02-04 01:55:00+00",
-    "value": "PV8+EHgJlHfsVVVstJHgEo+3OCSn4iJDzqJs55U650Q="
-  }
-]
-```
-
-The `id` must be a uuid. The `created_at` must be an ISO-8601
-timestamp indicating the age of a key relative to the other keys. The
-`value` is the same structure as for a normal keyring.
-
-#### Legacy keyring migration
-
-You can migrate from legacy keyrings to the new format via the
-following process:
-
-Add a new key_id column:
-
-```ruby
-Sequel.migration do
-  change do
-    alter_table(:diary_entries) do
-      add_column :new_key_id, :integer
-    end
-  end
-end
-```
-
-Devise new numeric ids for all in-use keys (based on their
-`created_at` dates), and link the ids with sql like the following:
-
-```sql
-WITH key_map(new_key_id, old_key_id) AS (
-  VALUES (1, 'first-uuid'),
-         (2, 'next-uuid'),
-         (3, '...')
-)
-UPDATE
-  diary_entries
-SET
-  diary_entries.new_key_id = key_map.new_key_id
-FROM
-  key_map
-WHERE
-  diary_entries.key_id = key_map.old_key_id
-```
-
-Rename the new column to be used as the main key id and drop the old
-id column:
-
-```ruby
-Sequel.migration do
-  change do
-    alter_table(:diary_entries) do
-      rename_column :key_id, :old_key_id
-      rename_column :new_key_id, :key_id
-	  set_column_not_null :key_id
-      drop_column :old_key_id, :integer
-    end
-  end
-end
-```
-
-Then change the keyring in your application to use the new numeric
-ids.
 
 ### Encryption and verification
 
@@ -256,8 +181,7 @@ It's safe to use the same name as the name of the encrypted attribute.
 
 Because AttrVault uses a keyring, with access to multiple keys at
 once, key rotation is fairly straightforward: if you add a key to the
-keyring with a higher id than any other key (or more recent
-`created_at` for the legacy keyring format), that key will
+keyring with a higher id than any other key, that key will
 automatically be used for encryption. Any keys that are no longer in
 use can be removed from the keyring.
 

data/lib/attr_vault/keyring.rb

@@ -1,25 +1,19 @@
 module AttrVault
   class Key
-    attr_reader :id, :value, :created_at
+    attr_reader :id, :value
 
-    def initialize(id, value, created_at=nil)
-      if id.nil?
-        raise InvalidKey, "key id required"
-      end
-      if value.nil?
+    def initialize(id, value)
+      if value.nil? || value.empty?
         raise InvalidKey, "key value required"
       end
       begin
         id = Integer(id)
       rescue
-        if created_at.nil?
-          raise InvalidKey, "key created_at required"
-        end
+        raise InvalidKey, "key id must be an integer"
       end
 
       @id = id
       @value = value
-      @created_at = created_at
     end
 
     def digest(data)
@@ -27,7 +21,7 @@ module AttrVault
     end
 
     def to_json(*args)
-      { id: id, value: value, created_at: created_at }.to_json
+      { id: id, value: value }.to_json
     end
   end
 
@@ -39,13 +33,7 @@ module AttrVault
       begin
         candidate_keys = JSON.parse(keyring_data, symbolize_names: true)
 
-        case candidate_keys
-        when Array
-          candidate_keys.each do |k|
-            created_at = Time.parse(k[:created_at]) if k.has_key?(:created_at)
-            keyring.add_key(Key.new(k[:id], k[:value], created_at || Time.now))
-          end
-        when Hash
+        if candidate_keys.is_a?(Hash)
           candidate_keys.each do |key_id, key|
             keyring.add_key(Key.new(key_id.to_s, key))
           end
@@ -84,7 +72,7 @@ module AttrVault
     end
 
     def current_key
-      k = @keys.sort_by(&:created_at).last
+      k = @keys.sort_by(&:id).last
       if k.nil?
         raise KeyringEmpty, "No keys in keyring"
       end
@@ -96,14 +84,9 @@ module AttrVault
     end
 
     def to_json
-      if @keys.all? { |k| k.created_at.nil? }
-        @keys.each_with_object({}) do |k,obj|
-          obj[k.id] = k.value
-        end.to_json
-      else
-        # Assume we are dealing with a legacy keyring
-        @keys.to_json
-      end
+      @keys.each_with_object({}) do |k,obj|
+        obj[k.id] = k.value
+      end.to_json
     end
   end
 end

data/lib/attr_vault/version.rb

@@ -1,3 +1,3 @@
 module AttrVault
-  VERSION = "0.2.1"
+  VERSION = "1.0.0"
 end

data/spec/attr_vault/keyring_spec.rb

@@ -1,25 +1,25 @@
 require "spec_helper"
 require "json"
+require "securerandom"
 
 module AttrVault
   describe Keyring do
 
     describe ".load" do
       let(:key_data) {
-        [
-         { id: SecureRandom.uuid, value: SecureRandom.base64(32), created_at: Time.now },
-         { id: SecureRandom.uuid, value: SecureRandom.base64(32), created_at: Time.now }
-        ]
+        {
+          '1' => SecureRandom.base64(32),
+          '2' => SecureRandom.base64(32),
+        }
       }
 
       it "loads a valid keyring string" do
         keyring = Keyring.load(key_data.to_json)
         expect(keyring).to be_a Keyring
         expect(keyring.keys.count).to eq 2
-        (0..1).each do |i|
-          expect(keyring.keys[i].id).to eq key_data[i][:id]
-          expect(keyring.keys[i].value).to eq key_data[i][:value]
-          expect(keyring.keys[i].created_at).to be_within(60).of(key_data[i][:created_at])
+        key_data.keys.each do |key_id|
+          key = keyring.keys.find { |k| k.id == Integer(key_id) }
+          expect(key.value).to eq key_data[key_id]
         end
       end
 
@@ -28,19 +28,19 @@ module AttrVault
       end
 
       it "rejects unknown formats" do
-        keys = key_data.map do |k|
-          "<key id='#{k[:id]}' value='#{k[:value]}' created_at='#{k[:created_at]}'/>"
-        end
+        keys = key_data.map do |k,v|
+          "<key id='#{k}' value='#{v}'/>"
+        end.join(',')
         expect { Keyring.load("<keys>#{keys}</keys>") }.to raise_error(InvalidKeyring)
       end
 
-      it "rejects keys with missing ids" do
-        key_data[0].delete :id
+      it "rejects keys with missing values" do
+        key_data['1'] = nil
         expect { Keyring.load(key_data) }.to raise_error(InvalidKeyring)
       end
 
-      it "rejects keys with missing values" do
-        key_data[0].delete :value
+      it "rejects keys with empty values" do
+        key_data['1'] = ''
         expect { Keyring.load(key_data) }.to raise_error(InvalidKeyring)
       end
     end
@@ -48,8 +48,8 @@ module AttrVault
 
   describe "#keys" do
     let(:keyring) { Keyring.new }
-    let(:k1)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
-    let(:k2)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+    let(:k1)      { Key.new(1, ::SecureRandom.base64(32)) }
+    let(:k2)      { Key.new(2, ::SecureRandom.base64(32)) }
 
     before do
       keyring.add_key(k1)
@@ -64,8 +64,8 @@ module AttrVault
 
   describe "#fetch" do
     let(:keyring) { Keyring.new }
-    let(:k1)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
-    let(:k2)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+    let(:k1)      { Key.new(1, ::SecureRandom.base64(32)) }
+    let(:k2)      { Key.new(2, ::SecureRandom.base64(32)) }
 
     before do
       keyring.add_key(k1)
@@ -85,8 +85,8 @@ module AttrVault
 
   describe "#has_key?" do
     let(:keyring) { Keyring.new }
-    let(:k1)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
-    let(:k2)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+    let(:k1)      { Key.new(1, ::SecureRandom.base64(32)) }
+    let(:k2)      { Key.new(2, ::SecureRandom.base64(32)) }
 
     before do
       keyring.add_key(k1)
@@ -99,13 +99,13 @@ module AttrVault
     end
 
     it "is false if no such key is present" do
-      expect(keyring.has_key?('867344d2-ac73-493b-9a9e-5fa688ba25ef')).to be false
+      expect(keyring.has_key?(5)).to be false
     end
   end
 
   describe "#add_key" do
     let(:keyring) { Keyring.new }
-    let(:k1)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+    let(:k1)      { Key.new(1, ::SecureRandom.base64(32)) }
 
     it "adds keys" do
       expect(keyring.keys).to be_empty
@@ -116,8 +116,8 @@ module AttrVault
 
   describe "#drop_key" do
     let(:keyring) { Keyring.new }
-    let(:k1)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
-    let(:k2)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+    let(:k1)      { Key.new(1, ::SecureRandom.base64(32)) }
+    let(:k2)      { Key.new(2, ::SecureRandom.base64(32)) }
 
     before do
       keyring.add_key(k1)
@@ -141,8 +141,8 @@ module AttrVault
 
   describe "#to_json" do
     let(:keyring) { Keyring.new }
-    let(:k1)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
-    let(:k2)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+    let(:k1)      { Key.new(1, ::SecureRandom.base64(32)) }
+    let(:k2)      { Key.new(2, ::SecureRandom.base64(32)) }
 
     before do
       keyring.add_key(k1)
@@ -152,27 +152,22 @@ module AttrVault
     it "serializes the keyring to an expected format" do
       keyring_data = keyring.to_json
       reparsed = JSON.parse(keyring_data)
-      expect(reparsed[0]["id"]).to eq k1.id
-      expect(reparsed[0]["value"]).to eq k1.value
-      expect(reparsed[0]["created_at"]).to eq k1.created_at.to_s
-
-      expect(reparsed[1]["id"]).to eq k2.id
-      expect(reparsed[1]["value"]).to eq k2.value
-      expect(reparsed[1]["created_at"]).to eq k2.created_at.to_s
+      expect(reparsed[k1.id.to_s]).to eq k1.value
+      expect(reparsed[k2.id.to_s]).to eq k2.value
     end
   end
 
   describe "#current_key" do
     let(:keyring) { Keyring.new }
-    let(:k1)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now - 3) }
-    let(:k2)      { Key.new(SecureRandom.uuid, SecureRandom.base64(32), Time.now) }
+    let(:k1)      { Key.new(1, ::SecureRandom.base64(32)) }
+    let(:k2)      { Key.new(2, ::SecureRandom.base64(32)) }
 
     before do
       keyring.add_key(k1)
       keyring.add_key(k2)
     end
 
-    it "returns the newest key" do
+    it "returns the key with the largest id" do
       expect(keyring.current_key).to eq k2
     end
 

data/spec/attr_vault_spec.rb

@@ -2,489 +2,454 @@ require 'spec_helper'
 require 'json'
 
 describe AttrVault do
-  [ [ 'numeric', :items, [ 1, 2 ] ],
-    [ 'uuid', :items_legacy,
-      [ 'bf72f2ca-b478-4abf-a077-8eb7e071810f',
-        '5a8d7477-6604-4801-9f1d-d4f412890cc3' ] ] ].each do |desc, table, key_ids|
-
-    describe "with #{desc} key ids" do
-      let(:key_values) do
-        [ 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=',
-          'hUL1orBBRckZOuSuptRXYMV9lx5Qp54zwFUVwpwTpdk=' ]
+  let(:key_ids) { [ 1, 2 ] }
+  let(:key_values) do
+    [ 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=',
+      'hUL1orBBRckZOuSuptRXYMV9lx5Qp54zwFUVwpwTpdk=' ]
+  end
+
+  def make_keyring(key_ids)
+    Hash[key_ids.zip(key_values)]
+  end
+
+  let(:key1_id) { key_ids.fetch(0) }
+  let(:key1) { keyring[key1_id] }
+
+  let(:key2_id) { key_ids.fetch(1) }
+  let(:key2) { keyring[key2_id] }
+
+  let(:key_id)  { key1_id }
+  let(:key) { key1 }
+
+  let(:old_keyring) do
+    make_keyring(key_ids.take(1))
+  end
+  let(:new_keyring) do
+    make_keyring(key_ids)
+  end
+  let(:keyring) { old_keyring }
+
+  context "with a single encrypted column" do
+    let(:item) do
+      k = keyring.to_json
+      Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k
+        vault_attr :secret
       end
+    end
 
-      def make_keyring(key_ids)
-        paired = key_ids.zip(key_values)
-        if key_ids.all? { |id| id.is_a? Integer }
-          Hash[paired]
-        else
-          result = []
-          paired.each_with_index do |(id,val), i|
-            result << { id: id, created_at: Time.now + (i * 60), value: val }
-          end
-          result
+    context "with a new object" do
+      it "does not affect other attributes" do
+        not_secret = 'jimi hendrix was rather talented'
+        s = item.create(not_secret: not_secret)
+        s.reload
+        expect(s.not_secret).to eq(not_secret)
+        expect(s.this.where(not_secret: not_secret).count).to eq 1
+      end
+
+      it "encrypts non-empty values" do
+        secret = 'lady gaga? also rather talented'
+        s = item.create(secret: secret)
+        s.reload
+        expect(s.secret).to eq(secret)
+        s.columns.each do |col|
+          expect(s.this.where(Sequel.cast(Sequel.cast(col, :text), :bytea) => secret).count).to eq 0
         end
       end
 
-      let(:key1_id) { key_ids.first }
-      let(:key2_id) { key_ids.fetch(1) }
-      let(:key_id)  { key1_id }
+      it "stores empty values as empty" do
+        secret = ''
+        s = item.create(secret: secret)
+        s.reload
+        expect(s.secret).to eq('')
+        expect(s.secret_encrypted).to eq('')
+      end
 
-      let(:old_keyring) do
-        make_keyring(key_ids.take(1))
+      it "stores nil values as nil" do
+        s = item.create(secret: nil)
+        s.reload
+        expect(s.secret).to be_nil
+        expect(s.secret_encrypted).to be_nil
       end
-      let(:new_keyring) do
-        make_keyring(key_ids)
+
+      it "sets fields to empty that were previously not empty" do
+        s = item.create(secret: 'joyce hatto')
+        s.reload
+        s.update(secret: '')
+        s.reload
+        expect(s.secret).to eq ''
+        expect(s.secret_encrypted).not_to be_nil
       end
-      let(:keyring) { old_keyring }
 
-      let(:key1) do
-        if keyring.is_a?(Hash)
-          keyring[key1_id]
-        else
-          keyring.find { |k| k[:id] == key1_id }
-        end
+      it "avoids updating existing values when those do not change" do
+        the_secret = "I'm not saying it was aliens..."
+        s = item.create(secret: the_secret)
+        s.reload
+        s.secret = the_secret
+        expect(s.save_changes).to be_nil
       end
-      let(:key2) do
-        if keyring.is_a?(Hash)
-          keyring[key2_id]
-        else
-          keyring.find { |k| k[:id] == key2_id }
-        end
+
+      it "stores the key id" do
+        secret = 'it was professor plum with the wrench in the library'
+        s = item.create(secret: secret)
+        s.reload
+        expect(s.key_id).to eq(key_id)
       end
-      let(:key) { key1 }
-
-      context "with a single encrypted column" do
-        let(:item) do
-          k = keyring.to_json
-          t = table
-          Class.new(Sequel::Model(t)) do
-            include AttrVault
-            vault_keyring k
-            vault_attr :secret
-          end
-        end
+    end
 
-        context "with a new object" do
-          it "does not affect other attributes" do
-            not_secret = 'jimi hendrix was rather talented'
-            s = item.create(not_secret: not_secret)
-            s.reload
-            expect(s.not_secret).to eq(not_secret)
-            expect(s.this.where(not_secret: not_secret).count).to eq 1
-          end
-
-          it "encrypts non-empty values" do
-            secret = 'lady gaga? also rather talented'
-            s = item.create(secret: secret)
-            s.reload
-            expect(s.secret).to eq(secret)
-            s.columns.each do |col|
-              expect(s.this.where(Sequel.cast(Sequel.cast(col, :text), :bytea) => secret).count).to eq 0
-            end
-          end
-
-          it "stores empty values as empty" do
-            secret = ''
-            s = item.create(secret: secret)
-            s.reload
-            expect(s.secret).to eq('')
-            expect(s.secret_encrypted).to eq('')
-          end
-
-          it "stores nil values as nil" do
-            s = item.create(secret: nil)
-            s.reload
-            expect(s.secret).to be_nil
-            expect(s.secret_encrypted).to be_nil
-          end
-
-          it "sets fields to empty that were previously not empty" do
-            s = item.create(secret: 'joyce hatto')
-            s.reload
-            s.update(secret: '')
-            s.reload
-            expect(s.secret).to eq ''
-            expect(s.secret_encrypted).not_to be_nil
-          end
-
-          it "avoids updating existing values when those do not change" do
-            the_secret = "I'm not saying it was aliens..."
-            s = item.create(secret: the_secret)
-            s.reload
-            s.secret = the_secret
-            expect(s.save_changes).to be_nil
-          end
-
-          it "stores the key id" do
-            secret = 'it was professor plum with the wrench in the library'
-            s = item.create(secret: secret)
-            s.reload
-            expect(s.key_id).to eq(key_id)
-          end
-        end
+    context "with an existing object" do
+      it "does not affect other attributes" do
+        not_secret = 'soylent is not especially tasty'
+        s = item.create
+        s.update(not_secret: not_secret)
+        s.reload
+        expect(s.not_secret).to eq(not_secret)
+        expect(s.this.where(not_secret: not_secret).count).to eq 1
+      end
 
-        context "with an existing object" do
-          it "does not affect other attributes" do
-            not_secret = 'soylent is not especially tasty'
-            s = item.create
-            s.update(not_secret: not_secret)
-            s.reload
-            expect(s.not_secret).to eq(not_secret)
-            expect(s.this.where(not_secret: not_secret).count).to eq 1
-          end
-
-          it "encrypts non-empty values" do
-            secret = 'soylent green is made of people'
-            s = item.create
-            s.update(secret: secret)
-            s.reload
-            expect(s.secret).to eq(secret)
-            s.columns.each do |col|
-              expect(s.this.where(Sequel.cast(Sequel.cast(col, :text), :bytea) => secret).count).to eq 0
-            end
-          end
-
-          it "stores empty values as empty" do
-            s = item.create(secret: "darth vader is luke's father")
-            s.update(secret: '')
-            s.reload
-            expect(s.secret).to eq('')
-            expect(s.secret_encrypted).to eq('')
-          end
-
-          it "leaves nil values as nil" do
-            s = item.create(secret: "dr. crowe was dead all along")
-            s.update(secret: nil)
-            s.reload
-            expect(s.secret).to be_nil
-            expect(s.secret_encrypted).to be_nil
-          end
-
-          it "stores the key id" do
-            secret = 'animal style'
-            s = item.create
-            s.update(secret: secret)
-            s.reload
-            expect(s.key_id).to eq(key_id)
-          end
-
-          it "reads a never-set encrypted field as nil" do
-            s = item.create
-            expect(s.secret).to be_nil
-          end
-
-          it "avoids updating existing values when those do not change" do
-            the_secret = "Satoshi Nakamoto"
-            s = item.create
-            s.update(secret: the_secret)
-            s.secret = the_secret
-            expect(s.save_changes).to be_nil
-          end
-
-          it "reads the correct value for a dirty field before the object is saved" do
-            s = item.create
-            secret = 'mcmurphy is lobotomized =('
-            s.secret = secret
-            expect(s.secret).to eq secret
-          end
+      it "encrypts non-empty values" do
+        secret = 'soylent green is made of people'
+        s = item.create
+        s.update(secret: secret)
+        s.reload
+        expect(s.secret).to eq(secret)
+        s.columns.each do |col|
+          expect(s.this.where(Sequel.cast(Sequel.cast(col, :text), :bytea) => secret).count).to eq 0
         end
       end
 
-      context "with multiple encrypted columns" do
-        let(:key_data) do
-          [ { id: 1,
-              value: 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=' } ].to_json
-        end
-        let(:item) do
-          k = key_data
-          Class.new(Sequel::Model(:items)) do
-            include AttrVault
-            vault_keyring k
-            vault_attr :secret
-            vault_attr :other
-          end
-        end
+      it "stores empty values as empty" do
+        s = item.create(secret: "darth vader is luke's father")
+        s.update(secret: '')
+        s.reload
+        expect(s.secret).to eq('')
+        expect(s.secret_encrypted).to eq('')
+      end
 
-        it "does not clobber other attributes" do
-          secret1 = "superman is really mild-mannered reporter clark kent"
-          secret2 = "batman is really millionaire playboy bruce wayne"
-          s = item.create(secret: secret1)
-          s.reload
-          expect(s.secret).to eq secret1
-          s.update(other: secret2)
-          s.reload
-          expect(s.secret).to eq secret1
-          expect(s.other).to eq secret2
-        end
+      it "leaves nil values as nil" do
+        s = item.create(secret: "dr. crowe was dead all along")
+        s.update(secret: nil)
+        s.reload
+        expect(s.secret).to be_nil
+        expect(s.secret_encrypted).to be_nil
       end
 
-      context "with items encrypted with an older key" do
-        let(:key1_id)  { 1 }
-        let(:key1) do
-          { id: key1_id,
-            value: 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=' }
-        end
-        let(:key2_id)  { 2 }
-        let(:key2) do
-          { id: key2_id,
-            value: 'hUL1orBBRckZOuSuptRXYMV9lx5Qp54zwFUVwpwTpdk=' }
-        end
-        let(:partial_keyring) { [key1].to_json }
-        let(:full_keyring)    { [key1, key2].to_json }
-        let(:item1) do
-          k = partial_keyring
-          Class.new(Sequel::Model(:items)) do
-            include AttrVault
-            vault_keyring k
-            vault_attr :secret
-            vault_attr :other
-          end
-        end
-        let(:item2) do
-          k = full_keyring
-          Class.new(Sequel::Model(:items)) do
-            include AttrVault
-            vault_keyring k
-            vault_attr :secret
-            vault_attr :other
-          end
-        end
+      it "stores the key id" do
+        secret = 'animal style'
+        s = item.create
+        s.update(secret: secret)
+        s.reload
+        expect(s.key_id).to eq(key_id)
+      end
 
-        it "rewrites the items using the current key" do
-          secret1 = 'mrs. doubtfire is really a man'
-          secret2 = 'tootsie? also a man'
-          record = item1.create(secret: secret1)
-          expect(record.key_id).to eq key1_id
-          expect(record.secret).to eq secret1
+      it "reads a never-set encrypted field as nil" do
+        s = item.create
+        expect(s.secret).to be_nil
+      end
+
+      it "avoids updating existing values when those do not change" do
+        the_secret = "Satoshi Nakamoto"
+        s = item.create
+        s.update(secret: the_secret)
+        s.secret = the_secret
+        expect(s.save_changes).to be_nil
+      end
 
-          old_secret_encrypted = record.secret_encrypted
+      it "reads the correct value for a dirty field before the object is saved" do
+        s = item.create
+        secret = 'mcmurphy is lobotomized =('
+        s.secret = secret
+        expect(s.secret).to eq secret
+      end
+    end
+  end
 
-          new_key_record = item2[record.id]
-          new_key_record.update(secret: secret2)
-          new_key_record.reload
+  context "with multiple encrypted columns" do
+    let(:key_data) do
+      { "1" => 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=' }
+    end
+    let(:item) do
+      k = key_data.to_json
+      Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k
+        vault_attr :secret
+        vault_attr :other
+      end
+    end
 
-          expect(new_key_record.key_id).to eq key2_id
-          expect(new_key_record.secret).to eq secret2
-          expect(new_key_record.secret_encrypted).not_to eq old_secret_encrypted
-        end
+    it "does not clobber other attributes" do
+      secret1 = "superman is really mild-mannered reporter clark kent"
+      secret2 = "batman is really millionaire playboy bruce wayne"
+      s = item.create(secret: secret1)
+      s.reload
+      expect(s.secret).to eq secret1
+      s.update(other: secret2)
+      s.reload
+      expect(s.secret).to eq secret1
+      expect(s.other).to eq secret2
+    end
+  end
+
+  context "with items encrypted with an older key" do
+    let(:key1_id)  { 1 }
+    let(:key1) do
+      { key1_id => 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=' }
+    end
+    let(:key2_id)  { 2 }
+    let(:key2) do
+      { key2_id => 'hUL1orBBRckZOuSuptRXYMV9lx5Qp54zwFUVwpwTpdk=' }
+    end
+    let(:partial_keyring) { key1.to_json }
+    let(:full_keyring)    { key1.merge(key2).to_json }
+    let(:item1) do
+      k = partial_keyring
+      Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k
+        vault_attr :secret
+        vault_attr :other
+      end
+    end
+    let(:item2) do
+      k = full_keyring
+      Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k
+        vault_attr :secret
+        vault_attr :other
+      end
+    end
 
-        it "rewrites the items using the current key even if they are not updated" do
-          secret1 = 'the planet of the apes is really earth'
-          secret2 = 'the answer is 42'
-          record = item1.create(secret: secret1)
-          expect(record.key_id).to eq key1_id
-          expect(record.secret).to eq secret1
+    it "rewrites the items using the current key" do
+      secret1 = 'mrs. doubtfire is really a man'
+      secret2 = 'tootsie? also a man'
+      record = item1.create(secret: secret1)
+      expect(record.key_id).to eq key1_id
+      expect(record.secret).to eq secret1
 
-          old_secret_encrypted = record.secret_encrypted
+      old_secret_encrypted = record.secret_encrypted
 
-          new_key_record = item2[record.id]
-          new_key_record.update(other: secret2)
-          new_key_record.reload
+      new_key_record = item2[record.id]
+      new_key_record.update(secret: secret2)
+      new_key_record.reload
 
-          expect(new_key_record.key_id).to eq key2_id
-          expect(new_key_record.secret).to eq secret1
-          expect(new_key_record.secret_encrypted).not_to eq old_secret_encrypted
-          expect(new_key_record.other).to eq secret2
-        end
+      expect(new_key_record.key_id).to eq key2_id
+      expect(new_key_record.secret).to eq secret2
+      expect(new_key_record.secret_encrypted).not_to eq old_secret_encrypted
+    end
+
+    it "rewrites the items using the current key even if they are not updated" do
+      secret1 = 'the planet of the apes is really earth'
+      secret2 = 'the answer is 42'
+      record = item1.create(secret: secret1)
+      expect(record.key_id).to eq key1_id
+      expect(record.secret).to eq secret1
+
+      old_secret_encrypted = record.secret_encrypted
+
+      new_key_record = item2[record.id]
+      new_key_record.update(other: secret2)
+      new_key_record.reload
+
+      expect(new_key_record.key_id).to eq key2_id
+      expect(new_key_record.secret).to eq secret1
+      expect(new_key_record.secret_encrypted).not_to eq old_secret_encrypted
+      expect(new_key_record.other).to eq secret2
+    end
+  end
+
+  context "with plaintext source fields" do
+    let(:key_id)   { 1 }
+    let(:key_data) do
+      { key_id => 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=' }.to_json
+    end
+    let(:item1) do
+      k = key_data
+      Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k
+        vault_attr :secret
+        vault_attr :other
+      end
+    end
+    let(:item2) do
+      k = key_data
+      Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k
+        vault_attr :secret, migrate_from_field: :not_secret
+        vault_attr :other, migrate_from_field: :other_not_secret
       end
+    end
 
-      context "with plaintext source fields" do
-        let(:key_id)   { 1 }
-        let(:key_data) do
-          [ { id: key_id,
-              value: 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=' } ].to_json
-        end
-        let(:item1) do
-          k = key_data
-          Class.new(Sequel::Model(:items)) do
-            include AttrVault
-            vault_keyring k
-            vault_attr :secret
-            vault_attr :other
-          end
-        end
-        let(:item2) do
-          k = key_data
-          Class.new(Sequel::Model(:items)) do
-            include AttrVault
-            vault_keyring k
-            vault_attr :secret, migrate_from_field: :not_secret
-            vault_attr :other, migrate_from_field: :other_not_secret
-          end
-        end
+    it "copies a plaintext field to an encrypted field when saving the object" do
+      becomes_secret = 'the location of the lost continent of atlantis'
+      s = item1.create(not_secret: becomes_secret)
+      reloaded = item2[s.id]
+      expect(reloaded.not_secret).to eq becomes_secret
+      reloaded.save
+      reloaded.reload
+      expect(reloaded.not_secret).to be_nil
+      expect(reloaded.secret).to eq becomes_secret
+    end
 
-        it "copies a plaintext field to an encrypted field when saving the object" do
-          becomes_secret = 'the location of the lost continent of atlantis'
-          s = item1.create(not_secret: becomes_secret)
-          reloaded = item2[s.id]
-          expect(reloaded.not_secret).to eq becomes_secret
-          reloaded.save
-          reloaded.reload
-          expect(reloaded.not_secret).to be_nil
-          expect(reloaded.secret).to eq becomes_secret
-        end
+    it "supports converting multiple fields" do
+      becomes_secret1 = 'the location of the fountain of youth'
+      becomes_secret2 = 'the location of the lost city of el dorado'
+      s = item1.create(not_secret: becomes_secret1, other_not_secret: becomes_secret2)
+      reloaded = item2[s.id]
+      expect(reloaded.not_secret).to eq becomes_secret1
+      expect(reloaded.other_not_secret).to eq becomes_secret2
+      reloaded.save
+      reloaded.reload
+      expect(reloaded.not_secret).to be_nil
+      expect(reloaded.secret).to eq becomes_secret1
+      expect(reloaded.other_not_secret).to be_nil
+      expect(reloaded.other).to eq becomes_secret2
+    end
 
-        it "supports converting multiple fields" do
-          becomes_secret1 = 'the location of the fountain of youth'
-          becomes_secret2 = 'the location of the lost city of el dorado'
-          s = item1.create(not_secret: becomes_secret1, other_not_secret: becomes_secret2)
-          reloaded = item2[s.id]
-          expect(reloaded.not_secret).to eq becomes_secret1
-          expect(reloaded.other_not_secret).to eq becomes_secret2
-          reloaded.save
-          reloaded.reload
-          expect(reloaded.not_secret).to be_nil
-          expect(reloaded.secret).to eq becomes_secret1
-          expect(reloaded.other_not_secret).to be_nil
-          expect(reloaded.other).to eq becomes_secret2
-        end
+    it "nils out the plaintext field and persists the encrypted field on save" do
+      becomes_secret = 'the location of all those socks that disappear from the dryer'
+      new_secret = 'the location of pliny the younger drafts'
+      s = item1.create(not_secret: becomes_secret)
+      reloaded = item2[s.id]
+      expect(reloaded.secret).to eq(becomes_secret)
+      reloaded.secret = new_secret
+      expect(reloaded.secret).to eq(new_secret)
+      reloaded.save
+      expect(reloaded.secret).to eq(new_secret)
+      expect(reloaded.not_secret).to be_nil
+    end
+  end
 
-        it "nils out the plaintext field and persists the encrypted field on save" do
-          becomes_secret = 'the location of all those socks that disappear from the dryer'
-          new_secret = 'the location of pliny the younger drafts'
-          s = item1.create(not_secret: becomes_secret)
-          reloaded = item2[s.id]
-          expect(reloaded.secret).to eq(becomes_secret)
-          reloaded.secret = new_secret
-          expect(reloaded.secret).to eq(new_secret)
-          reloaded.save
-          expect(reloaded.secret).to eq(new_secret)
-          expect(reloaded.not_secret).to be_nil
-        end
+  context "with renamed database fields" do
+    let(:key_data) do
+     { '1' => 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=' }.to_json
+    end
+
+    it "supports renaming the encrypted field" do
+      k = key_data
+      item = Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k
+        vault_attr :classified_info,
+                   encrypted_field: :secret_encrypted
       end
 
-      context "with renamed database fields" do
-        let(:key_data) do
-          [ { id: 1,
-              value: 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=' } ].to_json
-        end
+      secret = "we've secretly replaced the fine coffee they usually serve with Folgers Crystals"
+      s = item.create(classified_info: secret)
+      s.reload
+      expect(s.classified_info).to eq secret
+      expect(s.secret_encrypted).not_to eq secret
+    end
 
-        it "supports renaming the encrypted field" do
-          k = key_data
-          item = Class.new(Sequel::Model(:items)) do
-            include AttrVault
-            vault_keyring k
-            vault_attr :classified_info,
-                       encrypted_field: :secret_encrypted
-          end
-
-          secret = "we've secretly replaced the fine coffee they usually serve with Folgers Crystals"
-          s = item.create(classified_info: secret)
-          s.reload
-          expect(s.classified_info).to eq secret
-          expect(s.secret_encrypted).not_to eq secret
-        end
+    it "supports renaming the key id field" do
+      k = key_data
+      item = Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k, key_field: :alt_key_id
+        vault_attr :secret
+      end
 
-        it "supports renaming the key id field" do
-          k = key_data
-          item = Class.new(Sequel::Model(:items)) do
-            include AttrVault
-            vault_keyring k, key_field: :alt_key_id
-            vault_attr :secret
-          end
+      secret = "up up down down left right left right b a"
+      s = item.create(secret: secret)
+      s.reload
+      expect(s.secret).to eq secret
+      expect(s.secret_encrypted).not_to eq secret
+      expect(s.alt_key_id).not_to be_nil
+      expect(s.key_id).to be_nil
+    end
+  end
 
-          secret = "up up down down left right left right b a"
-          s = item.create(secret: secret)
-          s.reload
-          expect(s.secret).to eq secret
-          expect(s.secret_encrypted).not_to eq secret
-          expect(s.alt_key_id).not_to be_nil
-          expect(s.key_id).to be_nil
-        end
+  context "with a digest field" do
+    let(:key_id)   { 1 }
+    let(:key) do
+      { key_id => 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=' }
+    end
+    let(:item) do
+      k = key.to_json
+      Class.new(Sequel::Model(:items)) do
+        include AttrVault
+        vault_keyring k
+        vault_attr :secret, digest_field: :secret_digest
+        vault_attr :other, digest_field: :other_digest
       end
+    end
 
-      context "with a digest field" do
-        let(:key_id)   { 1 }
-        let(:key) do
-          [ { id: key_id,
-              value: 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=' } ]
-        end
-        let(:item) do
-          k = key.to_json
-          Class.new(Sequel::Model(:items)) do
-            include AttrVault
-            vault_keyring k
-            vault_attr :secret, digest_field: :secret_digest
-            vault_attr :other, digest_field: :other_digest
-          end
-        end
+    def test_digest(key, data)
+      OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'),
+                           key[key_id], data)
+    end
 
-        def test_digest(key, data)
-          OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'),
-                               key.first.fetch(:value), data)
-        end
+    def count_matching_digests(item_class, digest_field, secret)
+      item.where({digest_field => item_class.vault_digests(secret)}).count
+    end
 
-        def count_matching_digests(item_class, digest_field, secret)
-          item.where({digest_field => item_class.vault_digests(secret)}).count
-        end
+    it "records the hmac of the plaintext value" do
+      secret = 'snape kills dumbledore'
+      s = item.create(secret: secret)
+      expect(s.secret_digest).to eq(test_digest(key, secret))
+      expect(count_matching_digests(item, :secret_digest, secret)).to eq(1)
+    end
 
-        it "records the hmac of the plaintext value" do
-          secret = 'snape kills dumbledore'
-          s = item.create(secret: secret)
-          expect(s.secret_digest).to eq(test_digest(key, secret))
-          expect(count_matching_digests(item, :secret_digest, secret)).to eq(1)
-        end
+    it "can record multiple digest fields" do
+      secret = 'joffrey kills ned'
+      other_secret = '"gomer pyle" lawrence kills himself'
+      s = item.create(secret: secret, other: other_secret)
+      expect(s.secret_digest).to eq(test_digest(key, secret))
+      expect(s.other_digest).to eq(test_digest(key, other_secret))
+
+      # Check vault_digests feature matching against the database.
+      expect(count_matching_digests(item, :secret_digest, secret)).to eq(1)
+      expect(count_matching_digests(item, :other_digest, other_secret)).to eq(1)
+
+      # Negative tests for mismatched digesting.
+      expect(count_matching_digests(item, :secret_digest, other_secret))
+        .to eq(0)
+      expect(count_matching_digests(item, :other_digest, secret)).to eq(0)
+    end
 
-        it "can record multiple digest fields" do
-          secret = 'joffrey kills ned'
-          other_secret = '"gomer pyle" lawrence kills himself'
-          s = item.create(secret: secret, other: other_secret)
-          expect(s.secret_digest).to eq(test_digest(key, secret))
-          expect(s.other_digest).to eq(test_digest(key, other_secret))
-
-          # Check vault_digests feature matching against the database.
-          expect(count_matching_digests(item, :secret_digest, secret)).to eq(1)
-          expect(count_matching_digests(item, :other_digest, other_secret)).to eq(1)
-
-          # Negative tests for mismatched digesting.
-          expect(count_matching_digests(item, :secret_digest, other_secret))
-            .to eq(0)
-          expect(count_matching_digests(item, :other_digest, secret)).to eq(0)
-        end
+    it "records the digest for an empty field" do
+      s = item.create(secret: '', other: '')
+      expect(s.secret_digest).to eq(test_digest(key, ''))
+      expect(s.other_digest).to eq(test_digest(key, ''))
+    end
 
-        it "records the digest for an empty field" do
-          s = item.create(secret: '', other: '')
-          expect(s.secret_digest).to eq(test_digest(key, ''))
-          expect(s.other_digest).to eq(test_digest(key, ''))
-        end
+    it "records the digest of a nil field" do
+      s = item.create
+      expect(s.secret_digest).to be_nil
+      expect(s.other_digest).to be_nil
+    end
+  end
+end
 
-        it "records the digest of a nil field" do
-          s = item.create
-          expect(s.secret_digest).to be_nil
-          expect(s.other_digest).to be_nil
-        end
-      end
+describe "stress test" do
+  let(:key_id)   { 1 }
+  let(:key_data) do
+    { key_id =>'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=' }.to_json
+  end
+  let(:item) do
+    k = key_data
+    Class.new(Sequel::Model(:items)) do
+      include AttrVault
+      vault_keyring k
+      vault_attr :secret
     end
+  end
 
-    describe "stress test" do
-      let(:key_id)   { 1 }
-      let(:key_data) do
-        [ { id: key_id,
-            value: 'aFJDXs+798G7wgS/nap21LXIpm/Rrr39jIVo2m/cdj8=' } ].to_json
-      end
-      let(:item) do
-        k = key_data
-        Class.new(Sequel::Model(:items)) do
-          include AttrVault
-          vault_keyring k
-          vault_attr :secret
+  it "works" do
+    3.times.map do
+      Thread.new do
+        s = item.create(secret: 'that Commander Keen level in DOOM II')
+        1_000.times do
+          new_secret = [ nil, '', 36.times.map { (0..255).to_a.sample.chr }.join('') ].sample
+          s.update(secret: new_secret)
+          s.reload
+          expect(s.secret).to eq new_secret
         end
       end
-
-      it "works" do
-        3.times.map do
-          Thread.new do
-            s = item.create(secret: 'that Commander Keen level in DOOM II')
-            1_000.times do
-              new_secret = [ nil, '', 36.times.map { (0..255).to_a.sample.chr }.join('') ].sample
-              s.update(secret: new_secret)
-              s.reload
-              expect(s.secret).to eq new_secret
-            end
-          end
-        end.map(&:join)
-      end
-    end
+    end.map(&:join)
   end
 end