effective_obfuscation 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 2893d0d095c6f1b6fbdc1d972a225987d42b6c76
+  data.tar.gz: 38c42ee37f546e9c982fba0b02c8ac420fa1d811
+SHA512:
+  metadata.gz: b651ce15257c280d26618bd743c59ec3bd7dbf3b21d9c0eb758440b40296d873fbb2878e93a37ccd086888dcbd1d2ee9a893c357537f797b6d9bf76537879d3d
+  data.tar.gz: 557b20e2d11dc0eea445efd9dd39d21e48eb4ae4be04b357fbd8e85bd8c667d4299ece5c538532303ace640e2a02d62cbb6d70f33d93da0bf539ee3f876159fc

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2014 Code and Effect Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,190 @@
+# Effective Obfuscation
+
+Display unique 10-digit numbers instead of ActiveRecord IDs.  Hides the ID param so curious website visitors are unable to determine your user or order count.
+
+Turn a URL like:
+
+```ruby
+http://example.com/users/3
+```
+
+into something like:
+
+```ruby
+http://example.com/users/2356513904
+```
+
+Sequential ActiveRecord ids become non-sequential, random looking, numeric ids.
+
+```ruby
+# user 7000
+http://example.com/users/5270192353
+# user 7001
+http://example.com/users/7107163820
+# user 7002
+http://example.com/user/3296163828
+```
+
+This is a Rails 4 compatible version of obfuscate_id (https://github.com/namick/obfuscate_id) which also adds totally automatic integration with Rails finder methods.
+
+
+## Getting Started
+
+Add to Gemfile:
+
+```ruby
+gem 'effective_obfuscation', :git => 'https://github.com/code-and-effect/effective_obfuscation.git'
+```
+
+Run the bundle command to install it:
+
+```console
+bundle install
+```
+
+## Usage
+
+### Basic
+
+Add the mixin to an existing model:
+
+```ruby
+class User
+  acts_as_obfuscated
+end
+```
+
+Thats it.  Now URLs for a User will be generated as
+
+```ruby
+http://example.com/users/2356513904
+```
+
+As well, any find(), exists?(), find_by_id(), find_by(), where(:id => params[:id]) and all Arel table finder methods will be automatically translated to lookup the proper underlying ID.
+
+You shouldn't require any changes to your view or controller code. Just Works with InherittedResources and ActiveAdmin.
+
+### Formatting
+
+Because of the underlying ScatterSwap algorithm, the obfuscated IDs must be exactly 10 digits in length.
+
+However, if you'd like to add some formatting to make the 10-digit number more human readable and over-the-phone friendly
+
+```ruby
+class User
+  acts_as_obfuscated :format => '###-####-###'
+end
+```
+
+will generate URLs that look like
+
+```ruby
+http://example.com/users/235-6513-904
+```
+
+Any String.parameterize-able characters will work as long as there are exactly 10 # (hash symbol) characters in the format string somewhere.
+
+
+### ScatterSwap Spin
+
+The Spin value is basically a salt used by the ScatterSwap algorithm to randomize integers.
+
+In this gem, the default spin value is set on a per-model basis.
+
+There is really no reason to change it; however, you can specify the spin value directly if you wish
+
+```ruby
+class User
+  acts_as_obfuscated :spin => 123456789
+end
+```
+
+### General Obfuscation
+
+So maybe you just want access to the underlying ScatterSwap obfuscation algorithm including the additional model-specific formatting.
+
+To obfuscate, pass any number as a string, or an integer
+
+```ruby
+User.obfuscate(43)         # Using acts_as_obfuscated :format => '###-####-###'
+  => "990-5826-174"
+```
+
+And to de-obfuscate, pass any number as a string or an integer
+
+```ruby
+User.deobfuscate("990-5826-174")
+  => 43
+
+User.deobfuscate(9905826174)
+  => 43
+```
+
+### Searching by the Real (Database) ID
+
+By default, all finder method except `find()` will work with both obfuscated and database IDs.
+
+This means,
+
+```ruby
+User.where(:id => "990-5826-174")
+  => User<id: 43>
+```
+
+returns the same User as
+
+```ruby
+User.where(:id => 43)
+  => User<id: 43>
+```
+
+This behaviour is not applied to `find()` because it would allow a user to visit:
+
+http://example.com/users/1
+http://example.com/users/2
+...etc...
+
+and enumerate all users.
+
+Please continue to use @user = User.find(params[:id]) in your controller to prevent route enumeration.
+
+Any other internally used finder methods, `where` and `find_by_id` should respond to both obfuscated and database IDs for maximum compatibility.
+
+## License
+
+MIT License.  Copyright [Code and Effect Inc.](http://www.codeandeffect.com/)
+
+Code and Effect is the product arm of [AgileStyle](http://www.agilestyle.com/), an Edmonton-based shop that specializes in building custom web applications with Ruby on Rails.
+
+
+## Credits
+
+This project was inspired by
+
+ObfuscateID (https://github.com/namick/obfuscate_id)
+
+and uses the same (simply genius!) underlying algorithm
+
+ScatterSwap (https://github.com/namick/scatter_swap)
+
+
+## Testing
+
+The test suite for this gem is unfortunately not yet complete.
+
+Run tests by:
+
+```ruby
+rake spec
+```
+
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Bonus points for test coverage
+6. Create new Pull Request
+

data/Rakefile

@@ -0,0 +1,20 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+# Testing tasks
+APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+Bundler::GemHelper.install_tasks
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+
+desc "Run all specs in spec directory (excluding plugin specs)"
+RSpec::Core::RakeTask.new(:spec => 'app:db:test:prepare')
+
+task :default => :spec

data/app/models/concerns/acts_as_obfuscated.rb

@@ -0,0 +1,174 @@
+# ActsAsObfuscated
+#
+# This module automatically obfuscates IDs
+
+# Mark your model with 'acts_as_obfuscated'
+
+module ActsAsObfuscated
+  extend ActiveSupport::Concern
+
+  module ActiveRecord
+    def acts_as_obfuscated(options = nil)
+      @acts_as_obfuscated_opts = options || {}
+
+      # Guard against an improperly passed :format => '...' option
+      if @acts_as_obfuscated_opts[:format]
+        if @acts_as_obfuscated_opts[:format].to_s.count('#') != 10
+          raise Exception.new("acts_as_obfuscated :format => '...' value must contain exactly 10 # characters. Use something like :format => '###-####-###'")
+        end
+
+        format = @acts_as_obfuscated_opts[:format].gsub('#', '0')
+
+        if format.parameterize != format
+          raise Exception.new("acts_as_obfuscated :format => '...' value must contain only String.parameterize-able characters and the # character. Use something like :format => '###-####-###'")
+        end
+      end
+
+      include ::ActsAsObfuscated
+    end
+  end
+
+  included do
+    cattr_accessor :acts_as_obfuscated_opts
+    self.acts_as_obfuscated_opts = @acts_as_obfuscated_opts
+
+    # Set the spin based on model name if not explicity defined
+    self.acts_as_obfuscated_opts[:spin] ||= (
+      alphabet = Array('a'..'z')
+      self.name.split('').map { |char| alphabet.index(char) }.first(12).join.to_i
+    )
+
+    # We need to track the Maximum ID of this Table
+    self.acts_as_obfuscated_opts[:max_id] ||= (self.unscoped.maximum(:id) rescue 2147483647)
+
+    after_commit :on => :create do
+      self.class.acts_as_obfuscated_opts[:max_id] = nil
+    end
+
+    # Work with Ransack if available
+    if self.respond_to?(:ransacker)
+      ransacker :id, :formatter => Proc.new { |v| deobfuscate(v) } { |parent| parent.table[:id] }
+    end
+  end
+
+  module ClassMethods
+    def obfuscate(original)
+      obfuscated = EffectiveObfuscation.hide(original, acts_as_obfuscated_opts[:spin])
+
+      if acts_as_obfuscated_opts[:format] # Transform 1234567890 from ###-####-### into 123-4567-890 as per :format option
+        acts_as_obfuscated_opts[:format].dup.tap do |formatted|
+          10.times { |x| formatted.sub!('#', obfuscated[x]) }
+        end
+      else
+        obfuscated
+      end
+    end
+
+    # If rescue_with_original_id is set to true the original ID will be returned when its Obfuscated Id is not found
+    #
+    # We use this as the default behaviour on everything except Class.find()
+    def deobfuscate(original, rescue_with_original_id = true)
+      if original.kind_of?(Array)
+        return original.map { |value| deobfuscate(value, true) } # Always rescue with original ID
+      elsif !(original.kind_of?(Integer) || original.kind_of?(String))
+        return original
+      end
+
+      if acts_as_obfuscated_opts[:format]
+        obfuscated_id = original.to_s.delete('^0-9')
+      else
+        obfuscated_id = original.to_s
+      end
+
+      # 2147483647 is PostgreSQL's Integer Max Value.  If we return a value higher than this, we get weird DB errors
+      revealed = [EffectiveObfuscation.show(obfuscated_id, acts_as_obfuscated_opts[:spin]).to_i, 2147483647].min
+
+      if rescue_with_original_id && (revealed >= 2147483647 || revealed > deobfuscated_maximum_id)
+        original
+      else
+        revealed
+      end
+    end
+
+    def deobfuscator(left)
+      acts_as_obfuscated_opts[:deobfuscators] ||= Hash.new().tap do |deobfuscators|
+        deobfuscators['id'] = Proc.new { |right| self.deobfuscate(right) }
+
+        reflect_on_all_associations(:belongs_to).each do |reflection|
+          if reflection.klass.respond_to?(:deobfuscate)
+            deobfuscators[reflection.foreign_key] = Proc.new { |right| reflection.klass.deobfuscate(right) }
+          end
+        end
+      end
+
+      acts_as_obfuscated_opts[:deobfuscators][left.to_s]
+    end
+
+    def deobfuscated_maximum_id
+      acts_as_obfuscated_opts[:max_id] ||= (self.unscoped.maximum(:id) rescue 2147483647)
+    end
+
+    def relation
+      super.tap { |relation| relation.extend(FinderMethods) }
+    end
+  end
+
+  module FinderMethods
+    def find(*args)
+      super(deobfuscate(args.first, false))
+    end
+
+    def exists?(*args)
+      super(deobfuscate(args.first))
+    end
+
+    def find_by_id(*args)
+      super(deobfuscate(args.first))
+    end
+
+    def find_by(*args)
+      if args.first.kind_of?(Hash)
+        args.first.each do |left, right|
+          next unless (d = deobfuscator(left))
+          args.first[left] = d.call(right)
+        end
+      end
+
+      super(*args)
+    end
+
+    def where(*args)
+      if args.first.kind_of?(Hash)
+        args.first.each do |left, right|
+          next unless (d = deobfuscator(left))
+          args.first[left] = d.call(right)
+        end
+      elsif args.first.class.parent == Arel::Nodes
+        deobfuscate_arel!(args.first)
+      end
+
+      super(*args)
+    end
+
+    def deobfuscate_arel!(node)
+      nodes = node.kind_of?(Array) ? node : [node]
+
+      nodes.each do |node|
+        if node.respond_to?(:children)
+          deobfuscate_arel!(node.children)
+        elsif node.respond_to?(:expr)
+          deobfuscate_arel!(node.expr)
+        elsif node.respond_to?(:left)
+          next unless (d = deobfuscator(node.left.name))
+          node.right = d.call(node.right) unless (node.right.kind_of?(String) && node.right.include?('$'))
+        end
+      end
+    end
+  end
+
+  def to_param
+    self.class.obfuscate(self.id)
+  end
+
+end
+

data/lib/effective_obfuscation/engine.rb

@@ -0,0 +1,12 @@
+module EffectiveObfuscation
+  class Engine < ::Rails::Engine
+    config.autoload_paths += Dir["#{config.root}/app/models/concerns"]
+
+    # Include acts_as_addressable concern and allow any ActiveRecord object to call it
+    initializer 'effective_obfuscation.active_record' do |app|
+      ActiveSupport.on_load :active_record do
+        ActiveRecord::Base.extend(ActsAsObfuscated::ActiveRecord)
+      end
+    end
+  end
+end

data/lib/effective_obfuscation/version.rb

@@ -0,0 +1,3 @@
+module EffectiveObfuscation
+  VERSION = '1.0.0'.freeze
+end

data/lib/effective_obfuscation.rb

@@ -0,0 +1,13 @@
+require "effective_obfuscation/engine"
+require "effective_obfuscation/version"
+require 'scatter_swap'
+
+module EffectiveObfuscation
+  def self.hide(id, spin)
+    ::ScatterSwap.hash(id, spin)
+  end
+
+  def self.show(id, spin)
+    ::ScatterSwap.reverse_hash(id, spin).to_i
+  end
+end

data/spec/effective_obfuscation_spec.rb

@@ -0,0 +1,7 @@
+require 'spec_helper'
+
+describe EffectiveObfuscation do
+  it 'should be a module' do
+    assert_kind_of Module, EffectiveObfuscation
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,33 @@
+ENV["RAILS_ENV"] ||= 'test'
+
+require File.expand_path("../dummy/config/environment", __FILE__)
+
+require 'rspec/rails'
+require 'rspec/autorun'
+
+# Requires supporting ruby files with custom matchers and macros, etc,
+# in spec/support/ and its subdirectories.
+Dir[Rails.root.join("spec/support/**/*.rb")].each {|f| require f }
+
+RSpec.configure do |config|
+  config.fixture_path = "#{::Rails.root}/spec/fixtures"
+
+  Rails.logger.level = 4    # Output only minimal stuff to test.log
+
+  config.use_transactional_fixtures = true   # Make this false to once again use DatabaseCleaner
+  config.infer_base_class_for_anonymous_controllers = false
+  config.order = 'random'
+end
+
+class ActiveRecord::Base
+  mattr_accessor :shared_connection
+  @@shared_connection = nil
+
+  def self.connection
+    @@shared_connection || retrieve_connection
+  end
+end
+
+# Forces all threads to share the same connection. This works on
+# Capybara because it starts the web server in a thread.
+ActiveRecord::Base.shared_connection = ActiveRecord::Base.connection

metadata

@@ -0,0 +1,86 @@
+--- !ruby/object:Gem::Specification
+name: effective_obfuscation
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Code and Effect
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-12-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+- !ruby/object:Gem::Dependency
+  name: scatter_swap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.3
+description: Display unique 10-digit numbers instead of ActiveRecord IDs.  Hides the
+  ID param so curious website visitors are unable to determine your user or order
+  count.
+email:
+- info@codeandeffect.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- app/models/concerns/acts_as_obfuscated.rb
+- lib/effective_obfuscation.rb
+- lib/effective_obfuscation/engine.rb
+- lib/effective_obfuscation/version.rb
+- spec/effective_obfuscation_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/code-and-effect/effective_obfuscation
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.3
+signing_key: 
+specification_version: 4
+summary: Display unique 10-digit numbers instead of ActiveRecord IDs.  Hides the ID
+  param so curious website visitors are unable to determine your user or order count.
+test_files:
+- spec/effective_obfuscation_spec.rb
+- spec/spec_helper.rb