deidentify 2.5.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9eca693cc144bd94344c12561d0728028b6ce0ccb840cb5beeb71239a8345d5c
+  data.tar.gz: 27f33aa54b6f9a017b68da0b0bdbbf4c53a5bd7f1b6739742c235d008032461f
+SHA512:
+  metadata.gz: 98cff4920b7254d44a6df1aa8c3d5802753d74244707b05bbd625f8af18aefa09c5cd3f25c70a6f6174be293f095a647d1534e64eeb5bf73765458f465c743fc
+  data.tar.gz: 529987f6564b6dd8b52cdbfa01a1b6432c3d431c8482621c16baef665cbaef6fd79455022a400e141ad4842fde8d1ec31a1a0a715623199ac51a6fa01a8f6839

data/lib/deidentify/base_hash.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Deidentify
+  class BaseHash
+    def self.call(old_value, length: nil)
+      return old_value unless old_value.present?
+
+      salt = Deidentify.configuration.salt
+
+      raise Deidentify::Error, 'You must specify the salting value in the configuration' if salt.blank?
+
+      hash = Digest::SHA256.hexdigest(old_value + salt)
+
+      hash = hash[0, length] if length.present? && length < hash.length
+
+      hash
+    end
+  end
+end

data/lib/deidentify/configuration.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Deidentify
+  class Configuration
+    attr_accessor :salt, :scope
+
+    def initialize
+      @salt = nil
+      @scope = scope
+    end
+  end
+end

data/lib/deidentify/delete.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Deidentify
+  class Delete
+    def self.call(_old_value)
+      nil
+    end
+  end
+end

data/lib/deidentify/delocalize_ip.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Deidentify
+  class DelocalizeIp
+    def self.call(old_ip, mask_length: nil)
+      return old_ip unless old_ip.present?
+
+      addr = IPAddr.new(old_ip)
+      addr.mask(mask_length || default_mask(addr)).to_s
+    end
+
+    def self.default_mask(addr)
+      addr.ipv4? ? 24 : 48
+    end
+  end
+end

data/lib/deidentify/error.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+module Deidentify
+  class Error < StandardError
+  end
+end

data/lib/deidentify/hash_email.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Deidentify
+  class HashEmail
+    # 63 is the longest domain that is still acceptable for URI::MailTo::EMAILS_REGEXP
+    MAX_DOMAIN_LENGTH = 63
+
+    def self.call(old_email, length: 255)
+      return old_email unless old_email.present?
+
+      half_length = (length - 1) / 2 # the -1 is to account for the @ symbol
+
+      name, domain = old_email.split('@')
+
+      hashed_name = Deidentify::BaseHash.call(name, length: half_length)
+      hashed_domain = Deidentify::BaseHash.call(domain, length: [half_length, MAX_DOMAIN_LENGTH].min)
+
+      "#{hashed_name}@#{hashed_domain}"
+    end
+  end
+end

data/lib/deidentify/hash_url.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Deidentify
+  class HashUrl
+    def self.call(old_url, length: 255)
+      return old_url unless old_url.present?
+
+      uri = URI.parse(old_url)
+      uri = URI.parse("http://#{old_url}") if uri.scheme.nil?
+
+      hash_length = calculate_hash_length(uri, length)
+
+      hash_host(uri, hash_length)
+      hash_path(uri, hash_length)
+      hash_query(uri, hash_length)
+      hash_fragment(uri, hash_length)
+
+      uri.to_s
+    end
+
+    def self.calculate_hash_length(uri, length)
+      number_of_hashes = [uri.host, uri.path, uri.query, uri.fragment].reject(&:blank?).size
+
+      (length - 'https:///?#'.length) / number_of_hashes
+    end
+
+    def self.hash_host(uri, hash_length)
+      uri.host = Deidentify::BaseHash.call(uri.host, length: hash_length)
+    end
+
+    def self.hash_path(uri, hash_length)
+      uri.path = "/#{Deidentify::BaseHash.call(remove_slash(uri.path), length: hash_length)}" if uri.path.present?
+    end
+
+    def self.remove_slash(path)
+      path[1..]
+    end
+
+    def self.hash_query(uri, hash_length)
+      uri.query = Deidentify::BaseHash.call(uri.query, length: hash_length) if uri.query.present?
+    end
+
+    def self.hash_fragment(uri, hash_length)
+      uri.fragment = Deidentify::BaseHash.call(uri.fragment, length: hash_length) if uri.fragment.present?
+    end
+  end
+end

data/lib/deidentify/keep.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Deidentify
+  class Keep
+    def self.call(old_value)
+      old_value
+    end
+  end
+end

data/lib/deidentify/replace.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Deidentify
+  class Replace
+    def self.call(old_value, new_value:, keep_nil: true)
+      return old_value if old_value.blank? && keep_nil
+
+      new_value
+    end
+  end
+end

data/lib/deidentify.rb

@@ -0,0 +1,177 @@
+# frozen_string_literal: true
+
+require 'deidentify/configuration'
+require 'deidentify/replace'
+require 'deidentify/delete'
+require 'deidentify/base_hash'
+require 'deidentify/hash_email'
+require 'deidentify/hash_url'
+require 'deidentify/delocalize_ip'
+require 'deidentify/keep'
+require 'deidentify/error'
+
+module Deidentify
+  class << self
+    def configuration
+      @configuration ||= Configuration.new
+    end
+
+    def configure
+      yield(configuration)
+    end
+  end
+
+  extend ::ActiveSupport::Concern
+
+  POLICY_MAP = {
+    replace: Deidentify::Replace,
+    delete: Deidentify::Delete,
+    hash: Deidentify::BaseHash,
+    hash_email: Deidentify::HashEmail,
+    hash_url: Deidentify::HashUrl,
+    keep: Deidentify::Keep,
+    delocalize_ip: Deidentify::DelocalizeIp
+  }.freeze
+
+  included do
+    class_attribute :deidentify_configuration
+    self.deidentify_configuration = {}
+
+    class_attribute :associations_to_deidentify
+    self.associations_to_deidentify = []
+
+    define_model_callbacks :deidentify
+    after_deidentify :deidentify_associations!, if: -> { associations_to_deidentify.present? }
+  end
+
+  module ClassMethods
+    def deidentify(column, method:, **options)
+      unless POLICY_MAP.keys.include?(method) || method.respond_to?(:call)
+        raise Deidentify::Error, 'you must specify a valid deidentification method'
+      end
+
+      deidentify_configuration[column] = [method, options]
+    end
+
+    def deidentify_associations(*associations)
+      self.associations_to_deidentify += associations
+    end
+  end
+
+  def deidentify!(validate: true)
+    scope = Deidentify.configuration.scope
+    return self if scope && scope.call(self.class).find_by(id: id).nil?
+
+    recursive_deidentify!(validate: validate, deidentified_objects: [])
+  end
+
+  def deidentify_attributes
+    deidentify_configuration.each_pair do |col, config|
+      deidentify_column(col, config)
+    end
+  end
+
+  protected
+
+  def recursive_deidentify!(validate:, deidentified_objects:)
+    @validate = validate
+    @deidentified_objects = deidentified_objects
+
+    return if @deidentified_objects.include?(self)
+
+    ActiveRecord::Base.transaction do
+      run_callbacks(:deidentify) do
+        deidentify_attributes
+
+        write_attribute(:deidentified_at, Time.current) if respond_to?(:deidentified_at)
+
+        @deidentified_objects << self
+
+        save!(validate: validate)
+      end
+    end
+  end
+
+  private
+
+  def deidentify_column(column, config)
+    policy, options = Array(config)
+    old_value = read_attribute(column)
+
+    new_value = if policy.respond_to? :call
+                  policy.call(self)
+                else
+                  POLICY_MAP[policy].call(old_value, **options)
+                end
+
+    write_attribute(column, new_value)
+  end
+
+  def deidentify_associations!
+    associations_to_deidentify.each do |association_name|
+      association = self.class.reflect_on_association(association_name)
+
+      if association.nil?
+        raise Deidentify::Error, "undefined association #{association_name} in #{self.class.name} deidentification"
+      end
+
+      scope = Deidentify.configuration.scope
+      if scope
+        deidentify_associations_with_scope!(association_name, association, scope)
+      else
+        deidentify_associations_without_scope!(association_name, association)
+      end
+    end
+  end
+
+  def deidentify_associations_without_scope!(association_name, association)
+    if association.collection?
+      deidentify_many!(send(association_name))
+    else
+      deidentify_one!(send(association_name))
+    end
+  end
+
+  def deidentify_associations_with_scope!(association_name, association, configuration_scope)
+    if association.collection?
+      # eg. has_many :bubbles, -> { popped }
+      # This will call configuration_scope.call(self.bubbles).merge(popped)
+      class_query = class_query(association.scope, configuration_scope, send(association_name))
+
+      deidentify_many!(class_query)
+    else
+      class_query = class_query(association.scope, configuration_scope, association.klass)
+
+      if association.has_one?
+        # eg. (bubble) has_one :party, -> { birthday }
+        # This will call configuration_scope.call(Party).merge(birthday).find_by(bubble_id: id)
+        deidentify_one!(class_query.find_by("#{association.foreign_key} = #{send(:id)}"))
+      else
+        # eg. belongs_to :party, -> { birthday }
+        # This will call configuration_scope.call(Party).merge(birthday).find_by(id: party_id)
+        deidentify_one!(class_query.find_by(id: send(association.foreign_key)))
+      end
+    end
+  end
+
+  def class_query(association_scope, configuration_scope, klass_or_association)
+    if association_scope.nil?
+      configuration_scope.call(klass_or_association)
+    else
+      # Use both the configuration scope and the scope from the association.
+      # Unfortunately the order here matters so something in the association_scope
+      # will take precedence over the configuration scope.
+      configuration_scope.call(klass_or_association).merge(association_scope)
+    end
+  end
+
+  def deidentify_many!(records)
+    records.each do |record|
+      record.recursive_deidentify!(validate: @validate, deidentified_objects: @deidentified_objects)
+    end
+  end
+
+  def deidentify_one!(record)
+    record&.recursive_deidentify!(validate: @validate, deidentified_objects: @deidentified_objects)
+  end
+end

data/lib/generators/deidentify/configure_for_generator.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'rails/generators'
+module Deidentify
+  module Generators
+    class ConfigureForGenerator < Rails::Generators::Base
+      source_root File.expand_path('../templates', __dir__)
+
+      argument :model, type: :string, banner: 'model name'
+      class_option :file_path, type: :string, default: ''
+
+      def call
+        template 'module_template.rb', File.join(module_path, "#{klass.underscore}_policy.rb")
+
+        insert_into_file(
+          model_path,
+          "\n  include Deidentify::#{namespace_model}Policy",
+          after: "#{klass} < ApplicationRecord"
+        )
+      end
+
+      private
+
+      def namespace_model
+        if file_path.present?
+          file_path.split('/').map(&:camelcase).join('::')
+        else
+          model
+        end
+      end
+
+      def model_path
+        path = if file_path.present?
+                 file_path
+               else
+                 full_path.map(&:underscore).join('/')
+               end
+
+        "app/models/#{path}.rb"
+      end
+
+      def module_path
+        path = if file_path.present?
+                 file_path.split('/')
+               else
+                 full_path.map(&:underscore)
+               end
+
+        path = path[0...-1].join('/') # remove the class name
+
+        "app/concerns/deidentify/#{path}"
+      end
+
+      def klass
+        full_path.last
+      end
+
+      def full_path
+        @full_path ||= model.split('::')
+      end
+
+      def file_path
+        options['file_path'].split('.').first # remove the .rb if it exists
+      end
+    end
+  end
+end

data/lib/generators/templates/module_template.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Deidentify::<%= namespace_model %>Policy
+  extend ActiveSupport::Concern
+  include Deidentify
+
+  included do
+<% model.constantize.column_names.each do |name| -%>
+    deidentify :<%= name %>, method: :keep
+<% end -%>
+  end
+end

metadata

@@ -0,0 +1,67 @@
+--- !ruby/object:Gem::Specification
+name: deidentify
+version: !ruby/object:Gem::Version
+  version: 2.5.0
+platform: ruby
+authors:
+- Lucy Dement
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2022-08-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.0
+description: A gem to allow deidentification of certain fields
+email:
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/deidentify.rb
+- lib/deidentify/base_hash.rb
+- lib/deidentify/configuration.rb
+- lib/deidentify/delete.rb
+- lib/deidentify/delocalize_ip.rb
+- lib/deidentify/error.rb
+- lib/deidentify/hash_email.rb
+- lib/deidentify/hash_url.rb
+- lib/deidentify/keep.rb
+- lib/deidentify/replace.rb
+- lib/generators/deidentify/configure_for_generator.rb
+- lib/generators/templates/module_template.rb
+homepage:
+licenses: []
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.6'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key:
+specification_version: 4
+summary: Deidentify a rails model
+test_files: []