blind_index 0.3.2 → 0.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fe8410b6e972d6fe7aa37648396462b1e2a70358813e97db153d62ed5ac3fbad
-  data.tar.gz: 37d9baa7fb293ee2aa6e0a9fb5d253f8d0c7a83807dade72a8ac532825dc0220
+  metadata.gz: 26d5a803099fa8b408065a43056697f24eaf10a89c6a778979e5bdd8d54bbb5e
+  data.tar.gz: '0288069afcdd54f3f3917ef25177550bd3c912333aca346d1ae77d0d237eb5ce'
 SHA512:
-  metadata.gz: c647598d872e02b829377d5436442f0d929575722ee3330396c773d4dea556aabf74083e4868923fb597478df5648487fbfa26361eb6a341b1709dea3bb2e137
-  data.tar.gz: 1a9c501115e25cecf73e59ccb7ee5b23c96ccb01c81e4a62e48c1858546cf67a9c83f4f482cbf212ca2f38de559bbb668c39bf90a131ede9732eb4e390f45d3b
+  metadata.gz: 1f062a2b9d1aa2d251dd38b6c815423afa146a34df0825d655bd9ac0ea666af9d0382d958995c7899e16a729b15e7e3d696d661485a246220e93bade67104641
+  data.tar.gz: 1478bb3716c6ad099e42ed95b286d7aa5a13c6be7f75d4ec6e7d5c82898c95d1fc7db2537d53c6daa5754ad398579bca5e924a60551423402e064f24b52ee2ff

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.3.3
+
+- Added support for string keys in finders
+
 ## 0.3.2
 
 - Added support for dynamic finders

data/README.md

@@ -4,7 +4,7 @@ Securely search encrypted database fields
 
 Designed for use with [attr_encrypted](https://github.com/attr-encrypted/attr_encrypted)
 
-Here’s a [full example](https://shorts.dokkuapp.com/securing-user-emails-in-rails/) of how to use it with Devise
+Here’s a [full example](https://ankane.org/securing-user-emails-in-rails) of how to use it with Devise
 
 [![Build Status](https://travis-ci.org/ankane/blind_index.svg?branch=master)](https://travis-ci.org/ankane/blind_index)
 
@@ -42,7 +42,7 @@ class User < ApplicationRecord
 end
 ```
 
-We use environment variables to store the keys as hex-encoded strings ([dotenv](https://github.com/bkeepers/dotenv) is great for this). *Do not commit them to source control.* Generate one key for encryption and one key for hashing. You can generate keys in the Rails console with:
+We use environment variables to store the keys as hex-encoded strings ([dotenv](https://github.com/bkeepers/dotenv) is great for this). [Here’s an explanation](https://ankane.org/encryption-keys) of why `pack` is used. *Do not commit them to source control.* Generate one key for encryption and one key for hashing. You can generate keys in the Rails console with:
 
 ```ruby
 SecureRandom.hex(32)
@@ -118,12 +118,36 @@ class User < ApplicationRecord
 end
 ```
 
+*Requires ActiveRecord 5.1+*
+
+## Multiple Columns
+
+You can also use virtual attributes to index data from multiple columns:
+
+```ruby
+class User < ApplicationRecord
+  attribute :initials
+
+  # must come before blind_index method
+  before_validation :set_initials, if: -> { changes.key?(:first_name) || changes.key?(:last_name) }
+  blind_index :initials, ...
+
+  def set_initials
+    self.initials = "#{first_name[0]}#{last_name[0]}"
+  end
+end
+```
+
+*Requires ActiveRecord 5.1+*
+
 ## Fixtures
 
-You can use blind indexes in fixtures with:
+You can use encrypted attributes and blind indexes in fixtures with:
 
 ```yml
 test_user:
+  encrypted_email: <%= User.encrypt_email("test@example.org", iv: Base64.decode64("0000000000000000")) %>
+  encrypted_email_iv: "0000000000000000"
   encrypted_email_bidx: <%= User.compute_email_bidx("test@example.org").inspect %>
 ```
 
@@ -179,6 +203,46 @@ class User < ApplicationRecord
 end
 ```
 
+## Key Rotation
+
+To rotate keys without downtime, add a new column:
+
+```ruby
+add_column :users, :encrypted_email_v2_bidx, :string
+add_index :users, :encrypted_email_v2_bidx
+```
+
+And add to your model
+
+```ruby
+class User < ApplicationRecord
+  blind_index :email, key: [ENV["EMAIL_BLIND_INDEX_KEY"]].pack("H*")
+  blind_index :email_v2, attribute: :email, key: [ENV["EMAIL_V2_BLIND_INDEX_KEY"]].pack("H*")
+end
+```
+
+Backfill the data
+
+```ruby
+User.find_each do |user|
+  user.compute_email_v2_bidx
+  user.save!
+end
+```
+
+Then update your model
+
+```ruby
+class User < ApplicationRecord
+  blind_index :email, bidx_attribute: :encrypted_email_v2_bidx, key: [ENV["EMAIL_V2_BLIND_INDEX_KEY"]].pack("H*")
+
+  # remove this line after dropping column
+  self.ignored_columns = ["encrypted_email_bidx"]
+end
+```
+
+Finally, drop the old column.
+
 ## Reference
 
 By default, blind indexes are encoded in Base64. Set a different encoding with:

data/lib/blind_index/extensions.rb

@@ -6,7 +6,7 @@ module BlindIndex
         new_hash = super
         if has_blind_indexes?
           hash.each do |key, _|
-            if (bi = klass.blind_indexes[key]) && !new_hash[key].is_a?(ActiveRecord::StatementCache::Substitute)
+            if key.respond_to?(:to_sym) && (bi = klass.blind_indexes[key.to_sym]) && !new_hash[key].is_a?(ActiveRecord::StatementCache::Substitute)
               new_hash[bi[:bidx_attribute]] = BlindIndex.generate_bidx(new_hash.delete(key), bi)
             end
           end
@@ -29,7 +29,7 @@ module BlindIndex
         new_hash = super
         if has_blind_indexes?(klass)
           hash.each do |key, _|
-            if (bi = klass.blind_indexes[key]) && !new_hash[key].is_a?(ActiveRecord::StatementCache::Substitute)
+            if key.respond_to?(:to_sym) && (bi = klass.blind_indexes[key.to_sym]) && !new_hash[key].is_a?(ActiveRecord::StatementCache::Substitute)
               new_hash[bi[:bidx_attribute]] = BlindIndex.generate_bidx(new_hash.delete(key), bi)
             end
           end

data/lib/blind_index/model.rb

@@ -49,7 +49,12 @@ module BlindIndex
         end
 
         if callback
-          before_validation method_name, if: -> { changes.key?(attribute.to_s) }
+          if ActiveRecord::VERSION::STRING >= "5.1"
+            before_validation method_name, if: :"will_save_change_to_#{attribute}?"
+          else
+            before_validation method_name, if: -> { changes.key?(attribute.to_s) }
+          end
+
         end
 
         # use include so user can override

data/lib/blind_index/version.rb

@@ -1,3 +1,3 @@
 module BlindIndex
-  VERSION = "0.3.2"
+  VERSION = "0.3.3"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: blind_index
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.3.3
 platform: ruby
 authors:
 - Andrew Kane
 autorequire: 
-bindir: exe
+bindir: bin
 cert_chain: []
-date: 2018-06-18 00:00:00.000000000 Z
+date: 2018-11-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -151,22 +151,14 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 description: 
-email:
-- andrew@chartkick.com
+email: andrew@chartkick.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".gitignore"
-- ".travis.yml"
 - CHANGELOG.md
-- Gemfile
 - LICENSE.txt
 - README.md
-- Rakefile
-- bin/console
-- bin/setup
-- blind_index.gemspec
 - lib/blind_index.rb
 - lib/blind_index/extensions.rb
 - lib/blind_index/model.rb
@@ -183,7 +175,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.2'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -191,7 +183,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 2.7.7
 signing_key: 
 specification_version: 4
 summary: Securely search encrypted database fields

data/.gitignore

@@ -1,9 +0,0 @@
-/.bundle/
-/.yardoc
-/_yardoc/
-/coverage/
-/doc/
-/pkg/
-/spec/reports/
-/tmp/
-*.lock

data/.travis.yml

@@ -1,14 +0,0 @@
-language: ruby
-rvm: 2.4.2
-gemfile:
-  - Gemfile
-  - test/gemfiles/activerecord51.gemfile
-  - test/gemfiles/activerecord50.gemfile
-  - test/gemfiles/activerecord42.gemfile
-sudo: false
-before_install: gem install bundler
-script: bundle exec rake test
-notifications:
-  email:
-    on_success: never
-    on_failure: change

data/Gemfile

@@ -1,4 +0,0 @@
-source "https://rubygems.org"
-
-# Specify your gem's dependencies in blind_index.gemspec
-gemspec

data/Rakefile

@@ -1,56 +0,0 @@
-require "bundler/gem_tasks"
-require "rake/testtask"
-
-Rake::TestTask.new(:test) do |t|
-  t.libs << "test"
-  t.libs << "lib"
-  t.test_files = FileList["test/**/*_test.rb"]
-  t.warning = false
-end
-
-task default: :test
-
-namespace :benchmark do
-  task :algorithms do
-    require "securerandom"
-    require "benchmark/ips"
-    require "blind_index"
-    require "scrypt"
-    require "argon2"
-
-    key = SecureRandom.random_bytes(32)
-    value = "secret"
-
-    Benchmark.ips do |x|
-      x.report("pbkdf2_hmac") { BlindIndex.generate_bidx(value, key: key, algorithm: :pbkdf2_hmac) }
-      x.report("scrypt") { BlindIndex.generate_bidx(value, key: key, algorithm: :scrypt) }
-      x.report("argon2") { BlindIndex.generate_bidx(value, key: key, algorithm: :argon2) }
-    end
-  end
-
-  task :queries do
-    require "benchmark/ips"
-    require "active_record"
-    require "blind_index"
-
-    ActiveRecord::Base.establish_connection adapter: "sqlite3", database: ":memory:"
-
-    ActiveRecord::Migration.create_table :users do
-    end
-
-    ActiveRecord::Migration.create_table :cities do
-    end
-
-    class User < ActiveRecord::Base
-      blind_index :email
-    end
-
-    class City < ActiveRecord::Base
-    end
-
-    Benchmark.ips do |x|
-      x.report("no index") { City.where(id: 1).first }
-      x.report("index") { User.where(id: 1).first }
-    end
-  end
-end

data/bin/console

@@ -1,14 +0,0 @@
-#!/usr/bin/env ruby
-
-require "bundler/setup"
-require "blind_index"
-
-# You can add fixtures and/or initialization code here to make experimenting
-# with your gem easier. You can also use a different console, if you like.
-
-# (If you use this, don't forget to add pry to your Gemfile!)
-# require "pry"
-# Pry.start
-
-require "irb"
-IRB.start(__FILE__)

data/bin/setup

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-IFS=$'\n\t'
-set -vx
-
-bundle install
-
-# Do any other automated setup that you need to do here

data/blind_index.gemspec

@@ -1,34 +0,0 @@
-
-lib = File.expand_path("../lib", __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require "blind_index/version"
-
-Gem::Specification.new do |spec|
-  spec.name          = "blind_index"
-  spec.version       = BlindIndex::VERSION
-  spec.authors       = ["Andrew Kane"]
-  spec.email         = ["andrew@chartkick.com"]
-
-  spec.summary       = "Securely search encrypted database fields"
-  spec.homepage      = "https://github.com/ankane/blind_index"
-  spec.license       = "MIT"
-
-  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
-    f.match(%r{^(test|spec|features)/})
-  end
-  spec.bindir        = "exe"
-  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
-  spec.require_paths = ["lib"]
-
-  spec.add_dependency "activesupport", ">= 4.2"
-
-  spec.add_development_dependency "bundler"
-  spec.add_development_dependency "rake"
-  spec.add_development_dependency "minitest"
-  spec.add_development_dependency "attr_encrypted"
-  spec.add_development_dependency "activerecord"
-  spec.add_development_dependency "sqlite3"
-  spec.add_development_dependency "scrypt"
-  spec.add_development_dependency "argon2"
-  spec.add_development_dependency "benchmark-ips"
-end