RubyGems - crypt_keeper - Versions diffs - 1.0.0 → 1.0.1 - Mend

crypt_keeper 1.0.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/crypt_keeper/log_subscriber/postgres_pgp.rb +27 -7
data/lib/crypt_keeper/provider/postgres_pgp.rb +23 -3
data/lib/crypt_keeper/version.rb +1 -1
data/spec/crypt_keeper/provider/postgres_pgp_spec.rb +20 -0
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8256a26cb233344e7a8e71791aa528d931657317
-  data.tar.gz: 1ac4af01a5fee7957b611d967c6991bdab5a73d9
+  metadata.gz: 0721f2abe4b641ef62278b76effaa56c2cb42cf7
+  data.tar.gz: b252fa5c0254f644721b50e5dbfbd4696bbe1fdd
 SHA512:
-  metadata.gz: d9e9eecfd9eb95129d439624c4664890474fe9360b2a5097beb66f60b1e05f479192b9300530a703c0d38d6945c56c4def5c1a108b5d79099abba7fa5fd6dc35
-  data.tar.gz: c41b3baa8a72c0114702162fcdb857b145bdd668b7139cb391d600f48fa0888fa9a152b190815a00526b7a093ac636366df657b38b371e47893c7c85804ffb36
+  metadata.gz: 9f84ddf6b8f31d846d3d154dddabaf1a34eb6c5093cf014c228ff61d43957ff8ab0baa9bb5c92fa8b4531a3a769586fb5b37b793e988ae0d1c9208d467bcdaee
+  data.tar.gz: cc33b4af5ae25d8e011767510c99004ad1dcf653c067a552d8661b684660b71afa07d7f8b87947da540e27d67b1a0e6f111539a63355d5d906814228eaf1a064

data/lib/crypt_keeper/log_subscriber/postgres_pgp.rb CHANGED Viewed

@@ -4,23 +4,43 @@ require 'active_support/lazy_load_hooks'
 module CryptKeeper
   module LogSubscriber
     module PostgresPgp
+      FILTER = /(\(*)pgp_(sym|pub)_(?<operation>decrypt|encrypt)(\(+.*\)+)/im
       # Public: Prevents sensitive data from being logged
       #
       # event - An ActiveSupport::Notifications::Event
       #
       # Returns a boolean.
       def sql(event)
-        filter  = /(\(*)pgp_(sym|pub)_(?<operation>decrypt|encrypt)(\(+.*\)+)/im
-        payload = event.payload[:sql]
-          .encode('UTF-8', 'binary', invalid: :replace, undef: :replace, replace: '')
+        payload = crypt_keeper_payload_parse(event.payload[:sql])
+        return if CryptKeeper.silence_logs? && payload =~ FILTER
-        return if CryptKeeper.silence_logs? && payload =~ filter
+        event.payload[:sql] = crypt_keeper_filter_postgres_log(payload)
+        super(event)
+      end
-        event.payload[:sql] = payload.gsub(filter) do |_|
+      private
+      # Private: Parses the payload to UTF.
+      #
+      # payload - the payload string
+      #
+      # Returns a string.
+      def crypt_keeper_payload_parse(payload)
+        payload.encode('UTF-8', 'binary',
+          invalid: :replace, undef: :replace, replace: '')
+      end
+      # Private: Filters the payload.
+      #
+      # payload - the payload string
+      #
+      # Returns a string.
+      def crypt_keeper_filter_postgres_log(payload)
+        payload.gsub(FILTER) do |_|
           "#{$~[:operation]}([FILTERED])"
         end
-        super(event)
       end
     end
   end

data/lib/crypt_keeper/provider/postgres_pgp.rb CHANGED Viewed

@@ -4,6 +4,7 @@ module CryptKeeper
   module Provider
     class PostgresPgp < Base
       include CryptKeeper::Helper::SQL
+      include CryptKeeper::LogSubscriber::PostgresPgp
       attr_accessor :key
       attr_accessor :pgcrypto_options
@@ -25,18 +26,37 @@ module CryptKeeper
       #
       # Returns an encrypted string
       def encrypt(value)
-        escape_and_execute_sql(["SELECT pgp_sym_encrypt(?, ?, ?)", value.to_s, key, pgcrypto_options])['pgp_sym_encrypt']
+        rescue_invalid_statement do
+          escape_and_execute_sql(["SELECT pgp_sym_encrypt(?, ?, ?)",
+            value.to_s, key, pgcrypto_options])['pgp_sym_encrypt']
+        end
       end
       # Public: Decrypts a string
       #
       # Returns a plaintext string
       def decrypt(value)
-        escape_and_execute_sql(["SELECT pgp_sym_decrypt(?, ?)", value, key])['pgp_sym_decrypt']
+        rescue_invalid_statement do
+          escape_and_execute_sql(["SELECT pgp_sym_decrypt(?, ?)",
+            value, key])['pgp_sym_decrypt']
+        end
       end
       def search(records, field, criteria)
-        records.where("(pgp_sym_decrypt(cast(\"#{field}\" AS bytea), ?) = ?)", key, criteria)
+        records.where("(pgp_sym_decrypt(cast(\"#{field}\" AS bytea), ?) = ?)",
+          key, criteria)
+      end
+      private
+      # Private: Rescues and filters invalid statement errors. Run the code
+      # within a block for it to be rescued.
+      def rescue_invalid_statement
+        yield
+      rescue ActiveRecord::StatementInvalid => e
+        message = crypt_keeper_payload_parse(e.message)
+        message = crypt_keeper_filter_postgres_log(message)
+        raise ActiveRecord::StatementInvalid, message
       end
     end
   end

data/lib/crypt_keeper/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module CryptKeeper
-  VERSION = "1.0.0"
+  VERSION = "1.0.1"
 end

data/spec/crypt_keeper/provider/postgres_pgp_spec.rb CHANGED Viewed

@@ -28,11 +28,31 @@ describe CryptKeeper::Provider::PostgresPgp do
       specify { expect(subject.encrypt(integer_plain_text)).to_not eq(integer_plain_text) }
       specify { expect(subject.encrypt(integer_plain_text)).to_not be_empty }
     end
+    it "filters StatementInvalid errors" do
+      subject.pgcrypto_options = "invalid"
+      begin
+        subject.encrypt(plain_text)
+      rescue ActiveRecord::StatementInvalid => e
+        expect(e.message).to_not include("invalid")
+        expect(e.message).to_not include(ENCRYPTION_PASSWORD)
+      end
+    end
   end
   describe "#decrypt" do
     specify { expect(subject.decrypt(cipher_text)).to eq(plain_text) }
     specify { expect(subject.decrypt(integer_cipher_text)).to eq(integer_plain_text.to_s) }
+    it "filters StatementInvalid errors" do
+      begin
+        subject.decrypt("invalid")
+      rescue ActiveRecord::StatementInvalid => e
+        expect(e.message).to_not include("invalid")
+        expect(e.message).to_not include(ENCRYPTION_PASSWORD)
+      end
+    end
   end
   describe "#search" do

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: crypt_keeper
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
 platform: ruby
 authors:
 - Justin Mazzi