encrypted_attributes 0.3.0 → 0.4.0

data/CHANGELOG.rdoc

@@ -1,5 +1,14 @@
 == master
 
+== 0.4.0 / 2009-05-02
+
+* Replace dynamic :salt option with :embed_salt option and utilizing the #encrypts block 
+* Allow a block to be used for dynamically defining encryption options
+* Add :before / :after callbacks for hooking into the encryption process
+* Allow the callback when encryption occurs to be customized [Sergio Salvatore]
+* Define source attribute accessor if different than target and not defined [Sergio Salvatore]
+* Update tests to work with Rails 2.3
+
 == 0.3.0 / 2008-12-14
 
 * Remove the PluginAWeek namespace

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2006-2008 Aaron Pfeifer
+Copyright (c) 2006-2009 Aaron Pfeifer
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.rdoc

@@ -25,7 +25,7 @@ Source
 
 Encrypting attributes can be repetitive especially when doing so throughout
 various models and various projects.  encrypted_attributes, in association
-with the encrypted_strings plugin, helps make encrypting ActiveRecord
+with the encrypted_strings library, helps make encrypting ActiveRecord
 attributes easier by automating the process.
 
 The options that +encrypts+ takes includes all of the encryption options for
@@ -35,46 +35,46 @@ into the +encrypts+ method.  Examples of this are show in the Usage section.
 
 == Usage
 
-=== SHA Encryption
+=== Encryption Modes
 
-For SHA encryption, you can either use the default salt, a custom salt, or
-generate one based on the attributes of the model.
+SHA, symmetric, and asymmetric encryption modes are supported (default is SHA):
 
-With the default salt:
   class User < ActiveRecord::Base
-    encrypts :password
+    encrypts :password, :salt => 'secret'
+    # encrypts :password, :mode => :symmetric, :password => 'secret'
+    # encrypts :password, :mode => :asymmetric, :public_key_file => '/keys/public', :private_key_file => '/keys/private'
   end
 
-With a custom salt based on the record's values:
-  class User < ActiveRecord::Base
-    encrypts :password, :salt => :create_salt
-    
-    private
-      def create_salt
-        "#{login}_salt"
-      end
-  end
+=== Dynamic Configuration
 
-The salt and password values are combined and stored in the attribute being
-encrypted.  Therefore, there's no need to add a second column for storing the
-salt value.
-
-=== Symmetric Encryption
+The encryption configuration can be dynamically set like so:
 
   class User < ActiveRecord::Base
-    encrypts :password, :mode => :symmetric, :password => 'secret'
+    encrypts :password, :mode => :sha do |user|
+      {:salt => "#{user.login}-#{Time.now}", :embed_salt => true}
+    end
   end
 
-=== Asymmetric Encryption
+In this case, the salt and password values are combined and stored in the
+attribute being encrypted.  Therefore, there's no need to add a second column
+for storing the salt value.
+
+To store the dynamic salt in a separate column:
 
   class User < ActiveRecord::Base
-    encrypts :password, :mode => :asymmetric, :public_key_file => '/keys/public', :private_key_file => '/keys/private'
+    encrypts :password, :mode => :sha, :before => :create_salt do |user|
+      {:salt => user.salt}
+    end
+    
+    def create_salt
+      self.salt = "#{login}-#{Time.now}"
+    end
   end
 
 === Targeted Encryption
 
 If you want to store the encrypted value in a different attribute than the
-attribute being encrypted, you can do so like so:
+attribute being encrypted:
 
   class User < ActiveRecord::Base
     encrypts :password, :to => :crypted_password

data/Rakefile

@@ -5,9 +5,10 @@ require 'rake/contrib/sshpublisher'
 
 spec = Gem::Specification.new do |s|
   s.name              = 'encrypted_attributes'
-  s.version           = '0.3.0'
+  s.version           = '0.4.0'
   s.platform          = Gem::Platform::RUBY
   s.summary           = 'Adds support for automatically encrypting ActiveRecord attributes'
+  s.description       = s.summary
   
   s.files             = FileList['{lib,test}/**/*'] + %w(CHANGELOG.rdoc init.rb LICENSE Rakefile README.rdoc) - FileList['test/app_root/{log,log/*,script,script/*}']
   s.require_path      = 'lib'

data/lib/encrypted_attributes/sha_cipher.rb

@@ -1,47 +1,29 @@
 module EncryptedAttributes
-  # Adds support for dynamically generated salts
+  # Adds support for embedding salts in the encrypted value
   class ShaCipher < EncryptedStrings::ShaCipher
     # Encrypts a string using a Secure Hash Algorithm (SHA), specifically SHA-1.
     # 
-    # The <tt>:salt</tt> configuration option can be any one of the following types:
-    # * +symbol+ - Calls the method on the object whose value is being encrypted
-    # * +proc+ - A block that will be invoked, providing it with the object whose value is being encrypted
-    # * +string+ - The actual salt value to use
-    def initialize(object, value, operation, options = {}) #:nodoc:
-      if operation == :write
-        # Figure out the actual salt value
-        if salt = options[:salt]
-          options[:salt] =
-            case salt
-            when Symbol
-              object.send(salt)
-            when Proc
-              salt.call(object)
-            else
-              salt
-            end
-        end
-        
-        # Track whether or not the salt was generated dynamically
-        @dynamic_salt = salt != options[:salt]
-        
-        super(options)
-      else
-        # The salt is at the end of the value if it's dynamic
+    # Configuration options:
+    # * <tt>:salt</tt> - Random bytes used as one of the inputs for generating
+    #   the encrypted string
+    # * <tt>:embed_salt</tt> - Whether to embed the salt directly within the
+    #   encrypted value.  Default is false.  This is useful for storing both
+    #   the salt and the encrypted value in the same attribute.
+    def initialize(value, options = {}) #:nodoc:
+      if @embed_salt = options.delete(:embed_salt)
+        # The salt is at the end of the value
         salt = value[40..-1]
-        if @dynamic_salt = !salt.blank?
-          options[:salt] = salt 
-        end
-        
-        super(options)
+        options[:salt] = salt unless salt.blank?
       end
+      
+      super(options)
     end
     
-    # Encrypts the data, appending the salt to the end of the string if it
-    # was created dynamically
+    # Encrypts the data, embedding the salt at the end of the string if
+    # configured to do so
     def encrypt(data)
       encrypted_data = super
-      encrypted_data << salt if @dynamic_salt
+      encrypted_data << salt if @embed_salt
       encrypted_data
     end
   end

data/lib/encrypted_attributes.rb

@@ -3,24 +3,37 @@ require 'encrypted_attributes/sha_cipher'
 
 module EncryptedAttributes
   module MacroMethods
-    # Encrypts the specified attribute.
+    # Encrypts the given attribute.
     # 
     # Configuration options:
-    # * +mode+ - The mode of encryption to use.  Default is sha. See EncryptedStrings for other possible modes.
-    # * +to+ - The attribute to write the encrypted value to. Default is the same attribute being encrypted.
-    # * +if+ - Specifies a method, proc or string to call to determine if the encryption should occur. The method, proc or string should return or evaluate to a true or false value.
-    # * +unless+ - Specifies a method, proc or string to call to determine if the encryption should not occur. The method, proc or string should return or evaluate to a true or false value. 
+    # * <tt>:mode</tt> - The mode of encryption to use.  Default is <tt>:sha</tt>.
+    #   See EncryptedStrings for other possible modes.
+    # * <tt>:to</tt> - The attribute to write the encrypted value to. Default
+    #   is the same attribute being encrypted.
+    # * <tt>:before</tt> - The callback to invoke every time *before* the
+    #   attribute is encrypted
+    # * <tt>:after</tt> - The callback to invoke every time *after* the
+    #   attribute is encrypted
+    # * <tt>:on</tt> - The ActiveRecord callback to use when triggering the
+    #   encryption.  By default, this will encrypt on <tt>before_validation</tt>.
+    #   See ActiveRecord::Callbacks for a list of possible callbacks.
+    # * <tt>:if</tt> - Specifies a method, proc or string to call to determine
+    #   if the encryption should occur. The method, proc or string should return
+    #   or evaluate to a true or false value.
+    # * <tt>:unless</tt> - Specifies a method, proc or string to call to
+    #   determine if the encryption should not occur. The method, proc or string
+    #   should return or evaluate to a true or false value. 
     # 
     # For additional configuration options used during the actual encryption,
     # see the individual cipher class for the specified mode.
     # 
     # == Encryption timeline
     # 
-    # Attributes are encrypted immediately before a record is validated.
-    # This means that you can still validate the presence of the encrypted
-    # attribute, but other things like password length cannot be validated
-    # without either (a) decrypting the value first or (b) using a different
-    # encryption target.  For example,
+    # By default, attributes are encrypted immediately before a record is
+    # validated.  This means that you can still validate the presence of the
+    # encrypted attribute, but other things like password length cannot be
+    # validated without either (a) decrypting the value first or (b) using a
+    # different encryption target.  For example,
     # 
     #   class User < ActiveRecord::Base
     #     encrypts :password, :to => :crypted_password
@@ -50,7 +63,7 @@ module EncryptedAttributes
     # 
     #   class User < ActiveRecord::Base
     #     encrypts :password
-    #     # encrypts :password, :salt => :create_salt
+    #     # encrypts :password, :salt => 'secret'
     #   end
     # 
     # Symmetric encryption:
@@ -66,9 +79,34 @@ module EncryptedAttributes
     #     encrypts :password, :mode => :asymmetric
     #     # encrypts :password, :mode => :asymmetric, :public_key_file => '/keys/public', :private_key_file => '/keys/private'
     #   end
-    def encrypts(attr_name, options = {})
+    # 
+    # == Dynamic configuration
+    # 
+    # For better security, the encryption options (such as the salt value)
+    # can be based on values in each individual record.  In order to
+    # dynamically configure the encryption options so that individual records
+    # can be referenced, an optional block can be specified.
+    # 
+    # For example,
+    # 
+    #   class User < ActiveRecord::Base
+    #     encrypts :password, :mode => :sha, :before => :create_salt do |user|
+    #       {:salt => user.salt}
+    #     end
+    #     
+    #     private
+    #       def create_salt
+    #         self.salt = "#{login}-#{Time.now}"
+    #       end
+    #   end
+    # 
+    # In the above example, the SHA encryption's <tt>salt</tt> is configured
+    # dynamically based on the user's login and the time at which it was
+    # encrypted.  This helps improve the security of the user's password.
+    def encrypts(attr_name, options = {}, &config)
+      config ||= options
       attr_name = attr_name.to_s
-      to_attr_name = options.delete(:to) || attr_name
+      to_attr_name = (options.delete(:to) || attr_name).to_s
       
       # Figure out what cipher is being configured for the attribute
       mode = options.delete(:mode) || :sha
@@ -79,15 +117,27 @@ module EncryptedAttributes
         cipher_class = EncryptedStrings.const_get(class_name)
       end
       
-      # Set the encrypted value right before validation takes place
-      before_validation(:if => options.delete(:if), :unless => options.delete(:unless)) do |record|
-        record.send(:write_encrypted_attribute, attr_name, to_attr_name, cipher_class, options)
+      # Define encryption hooks
+      define_callbacks("before_encrypt_#{attr_name}", "after_encrypt_#{attr_name}")
+      send("before_encrypt_#{attr_name}", options.delete(:before)) if options.include?(:before)
+      send("after_encrypt_#{attr_name}", options.delete(:after)) if options.include?(:after)
+      
+      # Set the encrypted value on the configured callback
+      callback = options.delete(:on) || :before_validation
+      send(callback, :if => options.delete(:if), :unless => options.delete(:unless)) do |record|
+        record.send(:write_encrypted_attribute, attr_name, to_attr_name, cipher_class, config)
         true
       end
       
+      # Define virtual source attribute
+      if attr_name != to_attr_name && !column_names.include?(attr_name)
+        attr_reader attr_name unless method_defined?(attr_name)
+        attr_writer attr_name unless method_defined?("#{attr_name}=")
+      end
+      
       # Define the reader when reading the encrypted attribute from the database
       define_method(to_attr_name) do
-        read_encrypted_attribute(to_attr_name, cipher_class, options)
+        read_encrypted_attribute(to_attr_name, cipher_class, config)
       end
       
       unless included_modules.include?(EncryptedAttributes::InstanceMethods)
@@ -106,8 +156,10 @@ module EncryptedAttributes
         # Only encrypt values that actually have content and have not already
         # been encrypted
         unless value.blank? || value.encrypted?
+          callback("before_encrypt_#{attr_name}")
+          
           # Create the cipher configured for this attribute
-          cipher = create_cipher(cipher_class, options, :write, value)
+          cipher = create_cipher(cipher_class, options, value)
           
           # Encrypt the value
           value = cipher.encrypt(value)
@@ -115,6 +167,8 @@ module EncryptedAttributes
           
           # Update the value based on the target attribute
           send("#{to_attr_name}=", value)
+          
+          callback("after_encrypt_#{attr_name}")
         end
       end
       
@@ -132,21 +186,18 @@ module EncryptedAttributes
         # don't want to encrypt when a new value has been set)
         unless value.blank? || value.encrypted? || attribute_changed?(to_attr_name)
           # Create the cipher configured for this attribute
-          value.cipher = create_cipher(cipher_class, options, :read, value)
+          value.cipher = create_cipher(cipher_class, options, value)
         end
         
         value
       end
       
-      # Creates a new cipher with the given configuration options. The
-      # operator defines the context in which the cipher will be used.
-      def create_cipher(klass, options, operator, value)
-        if klass.parent == EncryptedAttributes
-          # Only use the contextual information for ciphers defined in this plugin
-          klass.new(self, value, operator, options.dup)
-        else
-          klass.new(options.dup)
-        end
+      # Creates a new cipher with the given configuration options
+      def create_cipher(klass, options, value)
+        options = options.is_a?(Proc) ? options.call(self) : options.dup
+        
+        # Only use the contextual information for this plugin's ciphers
+        klass.parent == EncryptedAttributes ? klass.new(value, options) : klass.new(options)
       end
   end
 end

data/test/app_root/config/environment.rb

@@ -5,4 +5,5 @@ Rails::Initializer.run do |config|
   config.plugins = %w(encrypted_strings encrypted_attributes)
   config.cache_classes = false
   config.whiny_nils = true
+  config.action_controller.session = {:key => 'rails_session', :secret => 'd229e4d22437432705ab3985d4d246'}
 end

data/test/app_root/db/migrate/001_create_users.rb

@@ -1,9 +1,7 @@
 class CreateUsers < ActiveRecord::Migration
   def self.up
     create_table :users do |t|
-      t.string :login
-      t.string :password
-      t.string :crypted_password
+      t.string :login, :password, :crypted_password, :salt
     end
   end
   

data/test/unit/encrypted_attributes_test.rb

@@ -1,6 +1,6 @@
 require File.dirname(__FILE__) + '/../test_helper'
 
-class EncryptedAttributesTest < Test::Unit::TestCase
+class EncryptedAttributesTest < ActiveSupport::TestCase
   def setup
     User.encrypts :password
   end
@@ -61,7 +61,7 @@ class EncryptedAttributesTest < Test::Unit::TestCase
   end
 end
 
-class EncryptedAttributesWithDifferentTargetTest < Test::Unit::TestCase
+class EncryptedAttributesWithDifferentTargetTest < ActiveSupport::TestCase
   def setup
     User.encrypts :password, :to => :crypted_password
   end
@@ -113,27 +113,115 @@ class EncryptedAttributesWithDifferentTargetTest < Test::Unit::TestCase
   end
 end
 
-class EncryptedAttributesWithConditionalsTest < Test::Unit::TestCase
+class EncryptedAttributesWithVirtualAttributeSourceTest < ActiveSupport::TestCase
+  def setup
+    User.encrypts :raw_password, :to => :crypted_password
+  end
+  
+  def test_should_define_source_reader
+    assert User.method_defined?(:raw_password)
+  end
+  
+  def test_should_define_source_writer
+    assert User.method_defined?(:raw_password=)
+  end
+  
+  def test_should_encrypt_from_virtual_attribute
+    user = create_user(:login => 'admin', :raw_password => 'secret')
+    assert user.crypted_password.encrypted?
+    assert_equal '8152bc582f58c854f580cb101d3182813dec4afe', "#{user.crypted_password}"
+  end
+  
+  def teardown
+    User.class_eval do
+      @before_validation_callbacks = nil
+      
+      remove_method(:raw_password)
+      remove_method(:raw_password=)
+    end
+  end
+end
+
+class EncryptedAttributesWithConflictingVirtualAttributeSourceTest < ActiveSupport::TestCase
+  def setup
+    User.class_eval do
+      def raw_password
+        'raw_password'
+      end
+      
+      def raw_password=(value)
+        self.password = value
+      end
+    end
+    
+    User.encrypts :raw_password, :to => :crypted_password
+    @user = User.new
+  end
+  
+  def test_should_not_define_source_reader
+    assert_equal 'raw_password', @user.raw_password
+  end
+  
+  def test_should_not_define_source_writer
+    @user.raw_password = 'raw_password'
+    assert_equal 'raw_password', @user.password
+  end
+  
+  def teardown
+    User.class_eval do
+      @before_validation_callbacks = nil
+      
+      remove_method(:raw_password)
+      remove_method(:raw_password=)
+    end
+  end
+end
+
+class EncryptedAttributesWithCustomCallbackTest < ActiveSupport::TestCase
+  def setup
+    User.encrypts :password, :on => :before_save
+  end
+  
+  def test_should_not_encrypt_on_validation
+    user = new_user(:login => 'admin', :password => 'secret')
+    user.valid?
+    assert_equal 'secret', user.password
+  end
+  
+  def test_should_encrypt_on_create
+    user = new_user(:login => 'admin', :password => 'secret')
+    user.save
+    assert_equal '8152bc582f58c854f580cb101d3182813dec4afe', "#{user.password}"
+  end
+  
+  def teardown
+    User.class_eval do
+      @before_save_callbacks = nil
+    end
+  end
+end
+
+class EncryptedAttributesWithConditionalsTest < ActiveSupport::TestCase
   def test_should_not_encrypt_if_if_conditional_is_false
-    User.encrypts :password, :if => lambda {false}
+    User.encrypts :password, :if => lambda {|user| false}
     user = create_user(:login => 'admin', :password => 'secret')
     assert_equal 'secret', user.password
   end
   
   def test_should_encrypt_if_if_conditional_is_true
-    User.encrypts :password, :if => lambda {true}
+    User.encrypts :password, :if => lambda {|user| true}
     user = create_user(:login => 'admin', :password => 'secret')
     assert_equal '8152bc582f58c854f580cb101d3182813dec4afe', "#{user.password}"
   end
   
   def test_should_not_encrypt_if_unless_conditional_is_true
-    User.encrypts :password, :unless => lambda {true}
+    User.encrypts :password, :unless => lambda {|user| true}
     user = create_user(:login => 'admin', :password => 'secret')
     assert_equal 'secret', user.password
   end
   
   def test_should_encrypt_if_unless_conditional_is_false
-    User.encrypts :password, :unless => lambda {false}
+    User.encrypts :password, :unless => lambda {|user| false}
     user = create_user(:login => 'admin', :password => 'secret')
     assert_equal '8152bc582f58c854f580cb101d3182813dec4afe', "#{user.password}"
   end
@@ -145,7 +233,88 @@ class EncryptedAttributesWithConditionalsTest < Test::Unit::TestCase
   end
 end
 
-class ShaEncryptionTest < Test::Unit::TestCase
+class EncryptedAttributesWithBeforeCallbacksTest < ActiveSupport::TestCase
+  def setup
+    @password = nil
+    @ran_callback = false
+    User.encrypts :password, :before => lambda {|user| @ran_callback = true; @password = user.password.to_s}
+    
+    create_user(:login => 'admin', :password => 'secret')
+  end
+  
+  def test_should_run_callback
+    assert @ran_callback
+  end
+  
+  def test_should_not_have_encrypted_yet
+    assert_equal 'secret', @password
+  end
+  
+  def teardown
+    User.class_eval do
+      @before_validation_callbacks = nil
+      @before_encrypt_password_callbacks = nil
+    end
+  end
+end
+
+class EncryptedAttributesWithAfterCallbacksTest < ActiveSupport::TestCase
+  def setup
+    @password = nil
+    @ran_callback = false
+    User.encrypts :password, :after => lambda {|user| @ran_callback = true; @password = user.password.to_s}
+    
+    create_user(:login => 'admin', :password => 'secret')
+  end
+  
+  def test_should_run_callback
+    assert @ran_callback
+  end
+  
+  def test_should_have_encrypted_already
+    assert_equal '8152bc582f58c854f580cb101d3182813dec4afe', @password
+  end
+  
+  def teardown
+    User.class_eval do
+      @before_validation_callbacks = nil
+      @after_encrypt_password_callbacks = nil
+    end
+  end
+end
+
+class EncryptedAttributesWithDynamicConfigurationTest < ActiveSupport::TestCase
+  def setup
+    @salt = nil
+    User.encrypts :password, :before => lambda {|user| user.salt = user.login} do |user|
+      {:salt => @salt = user.salt}
+    end
+    
+    @user = create_user(:login => 'admin', :password => 'secret')
+  end
+  
+  def test_should_use_dynamic_configuration_during_write
+    assert_equal 'a55d037f385cad22efe7862e07b805938d150154', "#{@user[:password]}"
+  end
+  
+  def test_should_use_dynamic_configuration_during_read
+    user = User.find(@user.id)
+    assert_equal 'a55d037f385cad22efe7862e07b805938d150154', "#{user.password}"
+  end
+  
+  def test_should_build_configuration_after_before_callbacks_invoked
+    assert_equal 'admin', @salt
+  end
+  
+  def teardown
+    User.class_eval do
+      @before_validation_callbacks = nil
+      @before_encrypt_password_callbacks = nil
+    end
+  end
+end
+
+class ShaEncryptionTest < ActiveSupport::TestCase
   def setup
     User.encrypts :password, :mode => :sha
     @user = create_user(:login => 'admin', :password => 'secret')
@@ -168,7 +337,7 @@ class ShaEncryptionTest < Test::Unit::TestCase
   end
   
   def test_should_be_able_to_check_password
-    assert_equal 'secret', @user.password
+    assert_equal 'secret', @user. password
   end
   
   def teardown
@@ -178,9 +347,9 @@ class ShaEncryptionTest < Test::Unit::TestCase
   end
 end
 
-class ShaWithCustomSaltEncryptionTest < Test::Unit::TestCase
+class ShaWithEmbeddedSaltEncryptionTest < ActiveSupport::TestCase
   def setup
-    User.encrypts :password, :mode => :sha, :salt => :login
+    User.encrypts :password, :mode => :sha, :salt => 'admin', :embed_salt => true
     @user = create_user(:login => 'admin', :password => 'secret')
   end
   
@@ -211,7 +380,7 @@ class ShaWithCustomSaltEncryptionTest < Test::Unit::TestCase
   end
 end
 
-class SymmetricEncryptionTest < Test::Unit::TestCase
+class SymmetricEncryptionTest < ActiveSupport::TestCase
   def setup
     User.encrypts :password, :mode => :symmetric, :password => 'key'
     @user = create_user(:login => 'admin', :password => 'secret')
@@ -244,7 +413,7 @@ class SymmetricEncryptionTest < Test::Unit::TestCase
   end
 end
 
-class AsymmetricEncryptionTest < Test::Unit::TestCase
+class AsymmetricEncryptionTest < ActiveSupport::TestCase
   def setup
     User.encrypts :password, :mode => :asymmetric,
       :private_key_file => File.dirname(__FILE__) + '/../keys/private',

data/test/unit/sha_cipher_test.rb

@@ -1,56 +1,43 @@
 require File.dirname(__FILE__) + '/../test_helper'
 
-class ShaCipherOnWriteTest < Test::Unit::TestCase
+class ShaCipherWithoutEmbeddingTest < Test::Unit::TestCase
   def setup
-    @user = create_user(:login => 'admin')
+    @cipher = EncryptedAttributes::ShaCipher.new('dc0fc7c07bba982a8d8f18fe138dbea912df5e0e', :salt => 'custom_salt')
   end
   
-  def test_should_allow_symbolic_salt
-    cipher = EncryptedAttributes::ShaCipher.new(@user, 'password', :write, :salt => :login)
-    assert_equal 'admin', cipher.salt
-  end
-  
-  def test_should_allow_stringified_salt
-    cipher = EncryptedAttributes::ShaCipher.new(@user, 'password', :write, :salt => 'custom_salt')
-    assert_equal 'custom_salt', cipher.salt
+  def test_should_use_configured_salt
+    assert_equal 'custom_salt', @cipher.salt
   end
   
-  def test_should_allow_block_salt
-    dynamic_salt = lambda {|user| user.login}
-    cipher = EncryptedAttributes::ShaCipher.new(@user, 'password', :write, :salt => dynamic_salt)
-    assert_equal 'admin', cipher.salt
+  def test_should_not_embed_salt_in_encrypted_string
+    assert_equal 'dc0fc7c07bba982a8d8f18fe138dbea912df5e0e', @cipher.encrypt('secret')
   end
-  
-  def test_should_allow_dynamic_nil_salt
-    dynamic_salt = lambda {|user| nil}
-    cipher = EncryptedAttributes::ShaCipher.new(@user, 'password', :write, :salt => dynamic_salt)
-    assert_equal '', cipher.salt
+end
+
+class ShaCipherWithNoSaltEmbeddedTest < Test::Unit::TestCase
+  def setup
+    @cipher = EncryptedAttributes::ShaCipher.new('dc0fc7c07bba982a8d8f18fe138dbea912df5e0e', :embed_salt => true, :salt => 'custom_salt')
   end
   
-  def test_should_append_salt_to_encrypted_value_if_dynamic
-    cipher = EncryptedAttributes::ShaCipher.new(@user, 'password', :write, :salt => :login)
-    assert_equal 'a55d037f385cad22efe7862e07b805938d150154admin', cipher.encrypt('secret')
+  def test_should_use_configured_salt
+    assert_equal 'custom_salt', @cipher.salt
   end
   
-  def test_should_not_append_salt_to_encrypted_value_if_static
-    cipher = EncryptedAttributes::ShaCipher.new(@user, 'password', :write, :salt => 'custom_salt')
-    assert_equal 'dc0fc7c07bba982a8d8f18fe138dbea912df5e0e', cipher.encrypt('secret')
+  def test_should_embed_salt_in_encrypted_string
+    assert_equal 'dc0fc7c07bba982a8d8f18fe138dbea912df5e0ecustom_salt', @cipher.encrypt('secret')
   end
 end
 
-class ShaCipherOnReadTest < Test::Unit::TestCase
+class ShaCipherWithSaltEmbeddedTest < Test::Unit::TestCase
   def setup
-    @user = create_user(:login => 'admin')
-    @cipher = EncryptedAttributes::ShaCipher.new(@user, 'dc0fc7c07bba982a8d8f18fe138dbea912df5e0ecustom_salt', :read)
+    @cipher = EncryptedAttributes::ShaCipher.new('dc0fc7c07bba982a8d8f18fe138dbea912df5e0ecustom_salt', :embed_salt => true, :salt => 'ignored_salt')
   end
   
-  def test_should_should_use_remaining_characters_after_password_for_salt
+  def test_should_use_remaining_characters_after_password_for_salt
     assert_equal 'custom_salt', @cipher.salt
   end
   
-  def test_should_be_able_to_perform_equality_on_encrypted_strings
-    password = 'dc0fc7c07bba982a8d8f18fe138dbea912df5e0ecustom_salt'
-    password.cipher = @cipher
-    assert_equal 'secret', password
+  def test_should_embed_salt_in_encrypted_string
+    assert_equal 'dc0fc7c07bba982a8d8f18fe138dbea912df5e0ecustom_salt', @cipher.encrypt('secret')
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: encrypted_attributes
 version: !ruby/object:Gem::Version 
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors: 
 - Aaron Pfeifer
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2008-12-14 00:00:00 -05:00
+date: 2009-05-02 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -22,7 +22,7 @@ dependencies:
       - !ruby/object:Gem::Version 
         version: 0.3.0
     version: 
-description: 
+description: Adds support for automatically encrypting ActiveRecord attributes
 email: aaron@pluginaweek.org
 executables: []
 
@@ -78,7 +78,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: pluginaweek
-rubygems_version: 1.2.0
+rubygems_version: 1.3.1
 signing_key: 
 specification_version: 2
 summary: Adds support for automatically encrypting ActiveRecord attributes