RubyGems - blind_index - Versions diffs - 2.3.1 → 2.3.2 - Mend

blind_index 2.3.1 → 2.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f12b2d12aee6d6e6dd8952118b308cb9d21de0628c1f3bd6e2f60170f04397d5
-  data.tar.gz: 0e40d8e7ec91d6c8caed22b1c378bd17ef4ad3d56a8359f3e85565d98b1c25b4
+  metadata.gz: 5a8f12336176bc78927ea8f645fa707e872db1a4523ee00ea5e43e5b6663db19
+  data.tar.gz: fb0eab6db99944ab6e249f26e2f5f01846127732d23443944a11e2d3bcd05b59
 SHA512:
-  metadata.gz: d312ab5862bbcf0b7aaa5be36f1cc4eac962a1da65d6bb45cc3842f545a441c252654b5809a8de9fc3f66c2c4a8400d4c6cb2134ef576b0d3133d833acfffdf9
-  data.tar.gz: 669f352fb9d01441c4cffffe67eb8ab086db2443a9c7ef50b3d9cf00a353ad65f34d88d87e1ff4e7e4e05a510058b41315cfb1f066b5111655bdfd77ebe64553
+  metadata.gz: 170b3ce8ee37f46f930c9bc7a16d828bf86c2653d215b05b1d34c93d0f60f1cb6f246f201095be33cff78e2f1c8de440987177e55462f1f5c662fd9b4616ffc7
+  data.tar.gz: 35690b9711146af73d4dfc4d8b92d7f1562619d2a98212ce9c2d4f6edafc4a785ae2458c5455c12c2fb312d986b1fb0f4df34883987ec1a4840fa49436e3ff26

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,7 @@
+## 2.3.2 (2023-04-26)
+- Added `key_table` and `key_attribute` options
 ## 2.3.1 (2022-09-06)
 - Fixed error with `backfill` when `bidx_attribute` is a symbol

data/README.md CHANGED Viewed

@@ -224,17 +224,27 @@ Finally, drop the old column.
 ## Key Separation
-The master key is used to generate unique keys for each blind index. This technique comes from [CipherSweet](https://ciphersweet.paragonie.com/internals/key-hierarchy). The table name and blind index column name are both used in this process. If you need to rename a table with blind indexes, or a blind index column itself, get the key:
+The master key is used to generate unique keys for each blind index. This technique comes from [CipherSweet](https://ciphersweet.paragonie.com/internals/key-hierarchy). The table name and blind index column name are both used in this process.
+You can get an individual key with:
 ```ruby
 BlindIndex.index_key(table: "users", bidx_attribute: "email_bidx")
 ```
-And set it directly before renaming:
+To rename a table with blind indexes, use:
 ```ruby
 class User < ApplicationRecord
-  blind_index :email, key: ENV["USER_EMAIL_BLIND_INDEX_KEY"]
+  blind_index :email, key_table: "original_table"
+end
+```
+To rename a blind index column, use:
+```ruby
+class User < ApplicationRecord
+  blind_index :email, key_attribute: "original_column"
 end
 ```
@@ -346,6 +356,28 @@ class User < ApplicationRecord
 end
 ```
+## Compatibility
+You can generate blind indexes from other languages as well. For Python, you can use [argon2-cffi](https://github.com/hynek/argon2-cffi).
+```python
+from argon2.low_level import Type, hash_secret_raw
+from base64 import b64encode
+key = '289737bab72fa97b1f4b081cef00d7b7d75034bcf3183c363feaf3e6441777bc'
+value = 'test@example.org'
+bidx = b64encode(hash_secret_raw(
+    secret=value.encode(),
+    salt=bytes.fromhex(key),
+    time_cost=3,
+    memory_cost=2**12,
+    parallelism=1,
+    hash_len=32,
+    type=Type.ID
+))
+```
 ## Alternatives
 One alternative to blind indexing is to use a deterministic encryption scheme, like [AES-SIV](https://github.com/miscreant/miscreant). In this approach, the encrypted data will be the same for matches. We recommend blind indexing over deterministic encryption because:
@@ -363,105 +395,6 @@ One alternative to blind indexing is to use a deterministic encryption scheme, l
 - Better Lockbox integration - no need to generate a separate key
 - There’s a new gem for Argon2 that has no dependencies and (officially) supports Windows
-### 1.0.0
-1.0.0 brings a number of improvements. Here are a few to be aware of:
-- Argon2id is the default algorithm for stronger security
-- You can use a master key instead of individual keys for each column
-- Columns no longer have an `encrypted_` prefix
-For existing fields, add:
-```ruby
-class User < ApplicationRecord
-  blind_index :email, legacy: true
-end
-```
-#### Optional
-To rotate to new fields that use Argon2id and a master key, generate a master key:
-```ruby
-BlindIndex.generate_key
-```
-And set `ENV["BLIND_INDEX_MASTER_KEY"]` or `BlindIndex.master_key`.
-Add a new column without the `encrypted_` prefix:
-```ruby
-add_column :users, :email_bidx, :string
-add_index :users, :email_bidx # unique: true if needed
-```
-And add to your model
-```ruby
-class User < ApplicationRecord
-  blind_index :email, key: ENV["USER_EMAIL_BLIND_INDEX_KEY"], legacy: true, rotate: {}
-end
-```
-> For more sensitive fields, use `rotate: {slow: true}`
-This will keep the new column synced going forward. Next, backfill the data:
-```ruby
-User.unscoped.where(email_bidx: nil).find_each do |user|
-  user.compute_rotated_email_bidx
-  user.save(validate: false)
-end
-```
-Then update your model
-```ruby
-class User < ApplicationRecord
-  blind_index :email
-end
-```
-> For more sensitive fields, add `slow: true`
-Finally, drop the old column.
-### 0.3.0
-This version introduces a breaking change to enforce secure key generation. An error is thrown if your blind index key isn’t both binary and 32 bytes.
-We recommend rotating your key if it doesn’t meet this criteria. You can generate a new key in the Rails console with:
-```ruby
-SecureRandom.hex(32)
-```
-Update your model to convert the hex key to binary.
-```ruby
-class User < ApplicationRecord
-  blind_index :email, key: [ENV["USER_EMAIL_BLIND_INDEX_KEY"]].pack("H*")
-end
-```
-And recompute the blind index.
-```ruby
-User.unscoped.find_each do |user|
-  user.compute_email_bidx
-  user.save(validate: false)
-end
-```
-To continue without rotating, set:
-```ruby
-class User < ApplicationRecord
-  blind_index :email, insecure_key: true
-end
-```
 ## History
 View the [changelog](https://github.com/ankane/blind_index/blob/master/CHANGELOG.md)

data/lib/blind_index/model.rb CHANGED Viewed

@@ -10,7 +10,7 @@ module BlindIndex
         # check here so we validate rotate options as well
         unknown_keywords = options.keys - [:algorithm, :attribute, :bidx_attribute,
           :callback, :cost, :encode, :expression, :insecure_key, :iterations, :key,
-          :legacy, :master_key, :size, :slow, :version]
+          :key_attribute, :key_table, :legacy, :master_key, :size, :slow, :version]
         raise ArgumentError, "unknown keywords: #{unknown_keywords.join(", ")}" if unknown_keywords.any?
         attribute = options[:attribute] || name
@@ -33,7 +33,7 @@ module BlindIndex
         class_method_name = :"generate_#{name}_bidx"
         key = options[:key]
-        key ||= -> { BlindIndex.index_key(table: try(:table_name) || collection_name.to_s, bidx_attribute: bidx_attribute, master_key: options[:master_key], encode: false) }
+        key ||= -> { BlindIndex.index_key(table: options[:key_table] || try(:table_name) || collection_name.to_s, bidx_attribute: options[:key_attribute] || bidx_attribute, master_key: options[:master_key], encode: false) }
         class_eval do
           activerecord = defined?(ActiveRecord) && self < ActiveRecord::Base

data/lib/blind_index/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module BlindIndex
-  VERSION = "2.3.1"
+  VERSION = "2.3.2"
 end

data/lib/blind_index.rb CHANGED Viewed

@@ -6,10 +6,10 @@ require "argon2/kdf"
 require "openssl"
 # modules
-require "blind_index/backfill"
-require "blind_index/key_generator"
-require "blind_index/model"
-require "blind_index/version"
+require_relative "blind_index/backfill"
+require_relative "blind_index/key_generator"
+require_relative "blind_index/model"
+require_relative "blind_index/version"
 module BlindIndex
   class Error < StandardError; end
@@ -137,7 +137,7 @@ module BlindIndex
 end
 ActiveSupport.on_load(:active_record) do
-  require "blind_index/extensions"
+  require_relative "blind_index/extensions"
   extend BlindIndex::Model
   ActiveRecord::TableMetadata.prepend(BlindIndex::Extensions::TableMetadata)
@@ -147,7 +147,7 @@ ActiveSupport.on_load(:active_record) do
 end
 ActiveSupport.on_load(:mongoid) do
-  require "blind_index/mongoid"
+  require_relative "blind_index/mongoid"
   Mongoid::Document::ClassMethods.include(BlindIndex::Model)
   Mongoid::Criteria.prepend(BlindIndex::Mongoid::Criteria)
   Mongoid::Validatable::UniquenessValidator.prepend(BlindIndex::Mongoid::UniquenessValidator)

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: blind_index
 version: !ruby/object:Gem::Version
-  version: 2.3.1
+  version: 2.3.2
 platform: ruby
 authors:
 - Andrew Kane
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-09-06 00:00:00.000000000 Z
+date: 2023-04-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -73,7 +73,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: Securely search encrypted database fields