RubyGems - encrypted_store - Versions diffs - 0.2.1 → 0.2.8 - Mend

encrypted_store 0.2.1 → 0.2.8

Files changed (16) hide show

checksums.yaml +4 -4
data/lib/encrypted_store/active_record/encryption_key.rb +69 -0
data/lib/encrypted_store/active_record/encryption_key_salt.rb +26 -0
data/lib/encrypted_store/active_record/mixin.rb +135 -0
data/lib/encrypted_store/active_record.rb +27 -0
data/lib/encrypted_store/instance.rb +8 -4
data/lib/encrypted_store/version.rb +1 -1
data/lib/encrypted_store.rb +8 -8
data/lib/generators/encrypted_store/install/install_generator.rb +1 -1
data/lib/generators/encrypted_store/upgrade/ZeroOneFive/zero_one_five_generator.rb +1 -1
data/lib/tasks/encrypted_store.rake +3 -3
metadata +6 -6
data/lib/encrypted_store/mixins/active_record_mixin/encryption_key.rb +0 -77
data/lib/encrypted_store/mixins/active_record_mixin/encryption_key_salt.rb +0 -28
data/lib/encrypted_store/mixins/active_record_mixin.rb +0 -108
data/lib/encrypted_store/mixins.rb +0 -5

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1f550704fe41a4ad0a8c31b2fe2090ee30100908
-  data.tar.gz: fdb84fa8b34644b1b1119d42e342760309873db2
+  metadata.gz: f335b927bb6141ecfa80e561d2c7f4c60abd38d9
+  data.tar.gz: c9d1a897816ae257551563934e5ba07a3641302c
 SHA512:
-  metadata.gz: e331f4483533fbf576989aeb3ef96ed5e3c6a43fc6d2d022501cdad49016a9e63d306add78701e4f19a0c014acb97283d99893064440ac98dc84fd6d55cdcfff
-  data.tar.gz: 1e64b1d0861ad3881d914411b79afe9b6e10467ea6b6a441981f3fe7d427219cc47e69fa258a2c3260fbb9383154ea28dfa5ae0b30a93e3928cb077da15d66b3
+  metadata.gz: 752d8eca03c32d852c471613baf5000871583f5743c23ed1672c1b176142bfd2bd2ae989a344370327f7b679c4f76e351dc234af255617a11ef34cb14dc0da61
+  data.tar.gz: 5392938102083c6fa18b9b948065ca00324ebe8b064db1633254e9a0a27ba4a9da1a09fb63172484d766452f7ebbe0e50a441e695e7fbc2c93ca03d100ecd8e2

data/lib/encrypted_store/active_record/encryption_key.rb ADDED Viewed

@@ -0,0 +1,69 @@
+require 'securerandom'
+require 'base64'
+module EncryptedStore
+  module ActiveRecord
+    class EncryptionKey < ::ActiveRecord::Base
+      validates_uniqueness_of :primary, if: :primary
+      class << self
+        def primary_encryption_key
+          new_key unless _has_primary?
+          where(primary: true).last || last
+        end
+        def new_key(custom_key = nil)
+          dek = custom_key || SecureRandom.random_bytes(32)
+          transaction {
+            _has_primary? && where(primary: true).first.update_attributes(primary: false)
+            _create_primary_key(dek)
+          }
+        end
+        def retire_keys(key_ids = [])
+          pkey = primary_encryption_key
+          ActiveRecord::Mixin.descendants.each { |model|
+            records = key_ids.empty? ? model.where("encryption_key_id != ?", pkey.id)
+                                     : model.where("encryption_key_id IN (?)", key_ids)
+            records.find_in_batches do |batch|
+              batch.each { |record| record.reencrypt(pkey) }
+            end
+          }
+          pkey
+        end
+        ##
+        # Preload the most recent `amount` keys.
+        def preload(amount)
+          primary_encryption_key # Ensure there's at least a primary key
+          order('id DESC').limit(amount)
+        end
+        def rotate_keys
+          new_key
+          retire_keys
+        end
+        def _has_primary?
+          where(primary: true).exists?
+        end
+        def _create_primary_key(dek)
+          self.new.tap { |key|
+            key.dek = EncryptedStore.encrypt_key(dek, true)
+            key.primary = true
+            key.save!
+          }
+        end
+      end # Class Methods
+      def decrypted_key
+        EncryptedStore.decrypt_key(self.dek, self.primary)
+      end
+    end # EncryptionKey
+  end # ActiveRecord
+end # EncryptedStore

data/lib/encrypted_store/active_record/encryption_key_salt.rb ADDED Viewed

@@ -0,0 +1,26 @@
+require 'securerandom'
+module EncryptedStore
+  module ActiveRecord
+    class EncryptionKeySalt < ::ActiveRecord::Base
+      validates :salt, uniqueness: { scope: :encryption_key_id }
+      class << self
+        def generate_salt(encryption_key_id)
+          loop do
+            salt = SecureRandom.random_bytes(16)
+            begin
+              salt_record = self.new
+              salt_record.encryption_key_id = encryption_key_id
+              salt_record.salt = salt
+              salt_record.save!
+              return salt
+            rescue ::ActiveRecord::RecordNotUnique => e
+              next
+            end
+          end
+        end
+      end # Class Methods
+    end # EncryptionKeySalt
+  end # ActiveRecord
+end # EncryptedStore

data/lib/encrypted_store/active_record/mixin.rb ADDED Viewed

@@ -0,0 +1,135 @@
+require 'securerandom'
+module EncryptedStore
+  module ActiveRecord
+    module Mixin
+      class << self
+        def included(base)
+          base.before_save(:_encrypted_store_save,
+            if: :encrypted_attributes_changed?)
+          base.extend(ClassMethods)
+        end
+        def descendants
+          Rails.application.eager_load! if defined?(Rails) && Rails.application
+          ::ActiveRecord::Base.descendants.select { |model| model < Mixin }
+        end
+        def descendants?
+          !descendants.empty?
+        end
+      end # Class Methods
+      module ClassMethods
+        def _encrypted_store_data
+          @_encrypted_store_data ||= {}
+        end
+        def attr_encrypted(*args)
+          # Store attrs in class data
+          _encrypted_store_data[:encrypted_attributes] = args.map(&:to_sym)
+          args.each { |arg|
+            define_method(arg) { _encrypted_store_get(arg) }
+            define_method("#{arg}=") { |value| _encrypted_store_set(arg, value) }
+          }
+        end
+      end # ClassMethods
+      ##
+      # Instance Methods
+      ##
+      def reencrypt(encryption_key)
+        with_lock do
+          # Must decrypt any changes made to the encrypted data, before updating
+          # the encryption_key_id.
+          _decrypt_encrypted_store
+          self.encryption_key_id = encryption_key.id
+          _encrypt_encrypted_store
+          save!(validate: false)
+        end
+      end
+      ##
+      # Completely purges encrypted data for a record
+      def purge_encrypted_data
+        self.encrypted_store = nil
+        self.encryption_key_id = nil
+        @_crypto_hash = nil
+        save!(validate: false)
+      end
+      def _encrypted_store_data
+        self.class._encrypted_store_data
+      end
+      def _encryption_key_id
+        self.encryption_key_id ||= EncryptionKey.primary_encryption_key.id
+      end
+      def _crypto_hash
+        @_crypto_hash || _decrypt_encrypted_store
+      end
+      def _decrypt_encrypted_store
+        @_crypto_hash = CryptoHash.decrypt(_decrypted_key, self.encrypted_store)
+      end
+      def _encrypt_encrypted_store
+        iter_mag = EncryptedStore.config.iteration_magnitude? ?
+                   EncryptedStore.config.iteration_magnitude  :
+                   -1
+        self.encrypted_store = _crypto_hash.encrypt(
+          _decrypted_key,
+          EncryptionKeySalt.generate_salt(_encryption_key_id),
+          iter_mag
+        )
+      end
+      def _decrypted_key
+        EncryptedStore.retrieve_dek(EncryptionKey, _encryption_key_id)
+      end
+      def _encrypted_store_get(field)
+        _crypto_hash[field]
+      end
+      def _encrypted_store_set(field, value)
+        attribute_will_change!(field)
+        _crypto_hash[field] = value
+      end
+      ##
+      # Checks if any of the encrypted attributes are in the list of changed
+      # attributes
+      def encrypted_attributes_changed?
+        !(changed.map(&:to_sym) & _encrypted_store_data[:encrypted_attributes])
+          .empty?
+      end
+      def _encrypted_store_save
+        _crypto_hash # make sure we have a cached copy of the decrypted data.
+        _encrypted_store_sync_key
+        _encrypt_encrypted_store
+      end
+      ##
+      # Locks the record (although doesn't reload the attributes) and updates
+      # the encryption_key_id if it has changed since the record was originally
+      # loaded.
+      def _encrypted_store_sync_key
+        unless new_record?
+          # Obtain a lock without overriding attribute values for this
+          # instance. Here `record` will be an updated version of this instance.
+          record = self.class.unscoped { self.class.lock.find(id) }
+          if record && record.encryption_key_id
+            self.encryption_key_id = record.encryption_key_id
+          end
+        end
+      end
+    end # Mixin
+  end # ActiveRecord
+end # EncryptedStore

data/lib/encrypted_store/active_record.rb ADDED Viewed

@@ -0,0 +1,27 @@
+module EncryptedStore
+  module ActiveRecord
+    autoload(:Mixin,             'encrypted_store/active_record/mixin')
+    autoload(:EncryptionKeySalt, 'encrypted_store/active_record/encryption_key_salt')
+    autoload(:EncryptionKey,     'encrypted_store/active_record/encryption_key')
+    class << self
+      ##
+      # Preloads the most recent `amount` keys.
+      def preload_keys(amount)
+        EncryptionKey.preload(amount) if Mixin.descendants?
+      end
+      def new_key(custom_key = nil)
+        EncryptionKey.new_key(custom_key) if Mixin.descendants?
+      end
+      def retire_keys(key_ids = [])
+        EncryptionKey.retire_keys(key_ids) if Mixin.descendants?
+      end
+      def rotate_keys
+        EncryptionKey.rotate_keys if Mixin.descendants?
+      end
+    end # Class Methods
+  end # ActiveRecord
+end # EncryptedStore

data/lib/encrypted_store/instance.rb CHANGED Viewed

@@ -8,18 +8,22 @@ module EncryptedStore
       }
     end
+    def rotate_keys
+      EncryptedStore::ActiveRecord.rotate_keys
+    end
     ##
     # Preloads the most recent `amount` keys.
-    def preload_keys(amount=12)
-      keys = Mixins::ActiveRecordMixin.preload_keys(amount)
+    def preload_keys(amount = 12)
+      keys = EncryptedStore::ActiveRecord.preload_keys(amount)
       keys.each { |k| (@_decrypted_keys ||= {})[k.id] = k.decrypted_key }
     end
-    def decrypt_key(dek, primary=false)
+    def decrypt_key(dek, primary = false)
       config.decrypt_key? ? config.decrypt_key.last.call(dek, primary) : dek
     end
-    def encrypt_key(dek, primary=false)
+    def encrypt_key(dek, primary = false)
       config.encrypt_key? ? config.encrypt_key.last.call(dek, primary) : dek
     end

data/lib/encrypted_store/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module EncryptedStore
-  VERSION = '0.2.1'
+  VERSION = '0.2.8'
 end # EncryptedStore

data/lib/encrypted_store.rb CHANGED Viewed

@@ -2,18 +2,18 @@ require 'encrypted_store/version'
 module EncryptedStore
   require 'encrypted_store/railtie' if defined?(Rails)
-  autoload(:Config,     'encrypted_store/config')
-  autoload(:CryptoHash, 'encrypted_store/crypto_hash')
-  autoload(:Instance,   'encrypted_store/instance')
-  autoload(:Errors,     'encrypted_store/errors')
-  autoload(:Mixins,     'encrypted_store/mixins')
+  autoload(:Config,       'encrypted_store/config')
+  autoload(:CryptoHash,   'encrypted_store/crypto_hash')
+  autoload(:Instance,     'encrypted_store/instance')
+  autoload(:Errors,       'encrypted_store/errors')
+  autoload(:ActiveRecord, 'encrypted_store/active_record')
   class << self
     def included(base)
-      if defined?(ActiveRecord) && base < ActiveRecord::Base
-        base.send(:include, Mixins::ActiveRecordMixin)
+      if defined?(::ActiveRecord) && base < ::ActiveRecord::Base
+        base.send(:include, ActiveRecord::Mixin)
       else
-        raise Errors::UnsupportedModelError
+        fail Errors::UnsupportedModelError
       end
     end

data/lib/generators/encrypted_store/install/install_generator.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module EncryptedStore
       class << self
         def next_migration_number(*args)
-          ActiveRecord::Generators::Base.next_migration_number(*args)
+          ::ActiveRecord::Generators::Base.next_migration_number(*args)
         end
       end # Class Methods

data/lib/generators/encrypted_store/upgrade/ZeroOneFive/zero_one_five_generator.rb CHANGED Viewed

@@ -8,7 +8,7 @@ module EncryptedStore
         class << self
           def next_migration_number(*args)
-            ActiveRecord::Generators::Base.next_migration_number(*args)
+            ::ActiveRecord::Generators::Base.next_migration_number(*args)
           end
         end # Class Methods

data/lib/tasks/encrypted_store.rake CHANGED Viewed

@@ -2,18 +2,18 @@ require 'encrypted_store'
 namespace :encrypted_store do
   task :new_key, [:custom_key] => :environment do |t, args|
-    new_key = EncryptedStore::Mixins::ActiveRecordMixin::EncryptionKey.new_key(args[:custom_key])
+    new_key = EncryptedStore::ActiveRecord.new_key(args[:custom_key])
     puts "Created new primary key: #{new_key.id}"
   end
   task :retire_keys, [:key_ids] => :environment do |t, args|
     key_ids = (args[:key_ids] && args[:key_ids].split(" ")) || []
-    new_primary_key = EncryptedStore::Mixins::ActiveRecordMixin::EncryptionKey.retire_keys(key_ids)
+    new_primary_key = EncryptedStore::ActiveRecord.retire_keys(key_ids)
     puts "Retired key_ids: #{key_ids} and reencrypted records with primary key: #{new_primary_key.id}"
   end
   task :rotate_keys => :environment do |t, args|
-    new_primary_key = EncryptedStore::Mixins::ActiveRecordMixin::EncryptionKey.rotate_keys
+    new_primary_key = EncryptedStore::ActiveRecord.rotate_keys
     puts "Retired all key_ids and reencrypted records with new primary key: #{new_primary_key.id}"
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: encrypted_store
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.2.8
 platform: ruby
 authors:
 - Robert Honer
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-01-13 00:00:00.000000000 Z
+date: 2016-02-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -110,14 +110,14 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/encrypted_store.rb
+- lib/encrypted_store/active_record.rb
+- lib/encrypted_store/active_record/encryption_key.rb
+- lib/encrypted_store/active_record/encryption_key_salt.rb
+- lib/encrypted_store/active_record/mixin.rb
 - lib/encrypted_store/config.rb
 - lib/encrypted_store/crypto_hash.rb
 - lib/encrypted_store/errors.rb
 - lib/encrypted_store/instance.rb
-- lib/encrypted_store/mixins.rb
-- lib/encrypted_store/mixins/active_record_mixin.rb
-- lib/encrypted_store/mixins/active_record_mixin/encryption_key.rb
-- lib/encrypted_store/mixins/active_record_mixin/encryption_key_salt.rb
 - lib/encrypted_store/railtie.rb
 - lib/encrypted_store/version.rb
 - lib/generators/encrypted_store/encrypt_table/encrypt_table_generator.rb

data/lib/encrypted_store/mixins/active_record_mixin/encryption_key.rb DELETED Viewed

@@ -1,77 +0,0 @@
-require 'securerandom'
-require 'base64'
-module EncryptedStore
-  module Mixins
-    module ActiveRecordMixin
-      class EncryptionKey < ActiveRecord::Base
-        validates_uniqueness_of :primary, if: :primary
-        class << self
-          def primary_encryption_key
-            new_key unless _has_primary?
-            where(primary: true).last || last
-          end
-          def new_key(custom_key=nil)
-            dek = custom_key || SecureRandom.random_bytes(32)
-            transaction {
-              _has_primary? && where(primary: true).first.update_attributes(primary: false)
-              _create_primary_key(dek)
-            }
-          end
-          def retire_keys(key_ids=[])
-            pkey = primary_encryption_key
-            ActiveRecordMixin.descendants.each { |model|
-              records = key_ids.empty? ? model.where("encryption_key_id != ?", pkey.id)
-                                       : model.where("encryption_key_id IN (?)", key_ids)
-              records.each { |record| record.reencrypt!(pkey) }
-            }
-            pkey
-          end
-          ##
-          # Preload the most recent `amount` keys.
-          def preload(amount)
-            primary_encryption_key # Ensure there's at least a primary key
-            order(:created_at).limit(amount)
-          end
-          def rotate_keys
-            new_key
-            retire_keys
-          end
-          def _has_primary?
-            where(primary: true).exists?
-          end
-          def _get_table_models
-            Rails.application.eager_load! if defined?(Rails) && Rails.application
-            ActiveRecord::Base.descendants
-          end
-          def _get_models_with_encrypted_store
-            _get_table_models.select { |model| model < Mixins::ActiveRecordMixin }
-          end
-          def _create_primary_key(dek)
-            self.new.tap { |key|
-              key.dek = EncryptedStore.encrypt_key(dek, true)
-              key.primary = true
-              key.save!
-            }
-          end
-        end # Class Methods
-        def decrypted_key
-          EncryptedStore.decrypt_key(self.dek, self.primary)
-        end
-      end # EncryptionKey
-    end # ActiveRecordMixin
-  end # Mixins
-end # EncryptedStore

data/lib/encrypted_store/mixins/active_record_mixin/encryption_key_salt.rb DELETED Viewed

@@ -1,28 +0,0 @@
-require 'securerandom'
-module EncryptedStore
-  module Mixins
-    module ActiveRecordMixin
-      class EncryptionKeySalt < ActiveRecord::Base
-        validates :salt, uniqueness: {scope: :encryption_key_id}
-        class << self
-          def generate_salt(encryption_key_id)
-            loop do
-              salt = SecureRandom.random_bytes(16)
-              begin
-                salt_record = self.new
-                salt_record.encryption_key_id = encryption_key_id
-                salt_record.salt = salt
-                salt_record.save!
-                return salt
-              rescue ActiveRecord::RecordNotUnique => e
-                next
-              end
-            end
-          end
-        end # Class Methods
-      end # EncryptionKeySalt
-    end # ActiveRecordMixin
-  end # Mixins
-end # EncryptedStore

data/lib/encrypted_store/mixins/active_record_mixin.rb DELETED Viewed

@@ -1,108 +0,0 @@
-require 'securerandom'
-module EncryptedStore
-  module Mixins
-    module ActiveRecordMixin
-      autoload(:EncryptionKeySalt, 'encrypted_store/mixins/active_record_mixin/encryption_key_salt')
-      autoload(:EncryptionKey,     'encrypted_store/mixins/active_record_mixin/encryption_key')
-      class << self
-        def included(base)
-          base.before_save(:_encrypted_store_save)
-          base.extend(ClassMethods)
-        end
-        def descendants
-          Rails.application.eager_load! if defined?(Rails) && Rails.application
-          ActiveRecord::Base.descendants.select { |model| model < Mixins::ActiveRecordMixin }
-        end
-        def descendants?
-          !descendants.empty?
-        end
-        ##
-        # Preloads the most recent `amount` keys.
-        def preload_keys(amount)
-          EncryptionKey.preload(amount) if descendants?
-        end
-      end # Module Methods
-      module ClassMethods
-        def _encrypted_store_data
-          @_encrypted_store_data ||= {}
-        end
-        def attr_encrypted(*args)
-          # Store attrs in class data
-          _encrypted_store_data[:encrypted_attributes] = args.map(&:to_sym)
-          args.each { |arg|
-            define_method(arg) { _encrypted_store_get(arg) }
-            define_method("#{arg}=") { |value| _encrypted_store_set(arg, value) }
-          }
-        end
-      end # ClassMethods
-      ##
-      # Instance Methods
-      ##
-      def reencrypt(encryption_key)
-        _crypto_hash
-        self.encryption_key_id = encryption_key.id
-        @_reencrypting = true
-      end
-      def reencrypt!(encryption_key)
-        reencrypt(encryption_key).tap { save! }
-      end
-      def _encrypted_store_data
-        self.class._encrypted_store_data
-      end
-      def _encryption_key_id
-        self.encryption_key_id ||= EncryptionKey.primary_encryption_key.id
-      end
-      def _crypto_hash
-        @_crypto_hash ||= CryptoHash.decrypt(_decrypted_key, self.encrypted_store)
-      end
-      def _decrypted_key
-        EncryptedStore.retrieve_dek(EncryptionKey, _encryption_key_id)
-      end
-      def _encrypted_store_get(field)
-        _crypto_hash[field]
-      end
-      def _encrypted_store_set(field, value)
-        attribute_will_change!(field)
-        _crypto_hash[field] = value
-      end
-      def _encrypted_store_save
-        if !(self.changed.map(&:to_sym) & _encrypted_store_data[:encrypted_attributes]).empty? || @_reencrypting
-          # Obtain a lock without overriding attribute values for this record.
-          record = self.class.unscoped { self.class.lock.find(id) } unless new_record?
-          unless @_reencrypting
-            self.encryption_key_id = record.encryption_key_id if record && record.encryption_key_id
-          end
-          iter_mag = EncryptedStore.config.iteration_magnitude? ?
-                     EncryptedStore.config.iteration_magnitude  :
-                     -1
-          @_reencrypting = false
-          self.encrypted_store = _crypto_hash.encrypt(
-            _decrypted_key,
-            EncryptionKeySalt.generate_salt(_encryption_key_id),
-            iter_mag
-          )
-        end
-      end
-    end # ActiveRecordMixin
-  end # Mixins
-end # EncryptedStore

data/lib/encrypted_store/mixins.rb DELETED Viewed

@@ -1,5 +0,0 @@
-module EncryptedStore
-  module Mixins
-    autoload(:ActiveRecordMixin, 'encrypted_store/mixins/active_record_mixin')
-  end # Mixins
-end # EncryptedStore