familia 2.0.0.pre4 → 2.0.0.pre6

data/try/debugging/debug_test_design.rb

@@ -0,0 +1,80 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift(File.expand_path('lib', __dir__))
+ENV['TEST'] = 'true'
+require 'familia'
+require_relative 'try/helpers/test_helpers'
+
+puts "Understanding the test design and expected behavior..."
+
+# Setup encryption keys
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+
+class TestModelA < Familia::Horreum
+  feature :encrypted_fields
+  identifier_field :id
+  field :id
+  encrypted_field :api_key
+end
+
+class TestModelB < Familia::Horreum
+  feature :encrypted_fields
+  identifier_field :id
+  field :id
+  encrypted_field :api_key
+end
+
+# Clean database
+Familia.dbclient.flushdb
+
+model_a = TestModelA.new(id: 'same-id')
+model_b = TestModelB.new(id: 'same-id')
+
+model_a.api_key = 'secret-key'
+model_b.api_key = 'secret-key'
+
+cipher_a = model_a.instance_variable_get(:@api_key)
+cipher_b = model_b.instance_variable_get(:@api_key)
+
+puts "cipher_a class: #{cipher_a.class}"
+puts "cipher_b class: #{cipher_b.class}"
+
+# What the current tests do:
+puts "\n=== Current test approach ==="
+model_a.instance_variable_set(:@api_key, cipher_b)
+result = model_a.api_key
+puts "After setting cipher_b into model_a:"
+puts "  api_key returns: #{result.class}"
+puts "  This should be ConcealedString and succeed"
+
+# What would test ACTUAL cross-context isolation:
+puts "\n=== Testing actual cross-context isolation ==="
+puts "The REAL test should be trying to decrypt:"
+begin
+  result.reveal do |plain|
+    puts "  Cross-context decryption succeeded: #{plain} (BAD)"
+  end
+rescue => e
+  puts "  Cross-context decryption failed: #{e.class} (GOOD)"
+end
+
+# Try with raw encrypted JSON to see if that behaves differently:
+puts "\n=== Testing with raw encrypted JSON ==="
+raw_encrypted_b = cipher_b.encrypted_value
+puts "Raw encrypted from B: #{raw_encrypted_b}"
+
+# Try to set raw encrypted JSON and see what happens
+model_a.api_key = raw_encrypted_b  # This should wrap it in ConcealedString
+result2 = model_a.api_key
+puts "After setting raw encrypted JSON:"
+puts "  api_key returns: #{result2.class}"
+
+begin
+  result2.reveal do |plain|
+    puts "  Raw JSON decryption result: #{plain}"
+  end
+rescue => e
+  puts "  Raw JSON decryption failed: #{e.class}: #{e.message}"
+end

data/try/debugging/encryption_method_tracer.rb

@@ -0,0 +1,138 @@
+#!/usr/bin/env ruby
+# Debug script to trace encryption method calls and data flow
+
+require 'base64'
+require 'bundler/setup'
+require_relative '../helpers/test_helpers'
+
+puts "=== Encryption Method Call Tracer ==="
+puts
+
+# Monkey patch to add detailed tracing
+module Familia
+  module Encryption
+    class << self
+      # Store original methods
+      alias_method :orig_encrypt, :encrypt
+      alias_method :orig_decrypt, :decrypt
+
+      def encrypt(plaintext, context:, additional_data: nil)
+        puts "📤 ENCRYPT called:"
+        puts "   Context: #{context}"
+        puts "   Plaintext length: #{plaintext&.length} chars"
+        puts "   AAD: #{additional_data ? 'present' : 'none'}"
+
+        start_time = Time.now
+        result = orig_encrypt(plaintext, context: context, additional_data: additional_data)
+        elapsed = ((Time.now - start_time) * 1000).round(2)
+
+        puts "   Result length: #{result ? result.length : 'nil'} chars"
+        puts "   Elapsed: #{elapsed}ms"
+        puts
+        result
+      end
+
+      def decrypt(encrypted_json, context:, additional_data: nil)
+        puts "📥 DECRYPT called:"
+        puts "   Context: #{context}"
+        puts "   Encrypted length: #{encrypted_json&.length} chars"
+        puts "   AAD: #{additional_data ? 'present' : 'none'}"
+
+        start_time = Time.now
+        begin
+          result = orig_decrypt(encrypted_json, context: context, additional_data: additional_data)
+          elapsed = ((Time.now - start_time) * 1000).round(2)
+
+          puts "   Result length: #{result ? result.length : 'nil'} chars"
+          puts "   Elapsed: #{elapsed}ms"
+          puts
+          result
+        rescue => e
+          elapsed = ((Time.now - start_time) * 1000).round(2)
+          puts "   ERROR: #{e.class}: #{e.message}"
+          puts "   Elapsed: #{elapsed}ms"
+          puts
+          raise
+        end
+      end
+    end
+
+    class Manager
+      alias_method :orig_derive_key_with_provider, :derive_key_with_provider
+
+      def derive_key_with_provider(provider, context, version: nil)
+        puts "🔑 DERIVE_KEY called:"
+        puts "   Provider: #{provider.class.name}"
+        puts "   Context: #{context}"
+        puts "   Version: #{version || 'current'}"
+
+        cache = Thread.current[:familia_key_cache] ||= {}
+        cache_key = "#{version || current_key_version}:#{context}"
+        puts "   Cache key: #{cache_key}"
+        puts "   Cache before: #{cache.keys.inspect}"
+
+        start_time = Time.now
+        result = orig_derive_key_with_provider(provider, context, version: version)
+        elapsed = ((Time.now - start_time) * 1000).round(2)
+
+        cache_after = Thread.current[:familia_key_cache] || {}
+        puts "   Cache after: #{cache_after.keys.inspect}"
+        puts "   Derived key: [#{result.bytesize} bytes]"
+        puts "   Elapsed: #{elapsed}ms"
+        puts
+        result
+      end
+    end
+  end
+end
+
+# Setup test configuration
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+
+# Clear cache
+Thread.current[:familia_key_cache] = nil
+
+# Define test model
+class TraceTestModel < Familia::Horreum
+  feature :encrypted_fields
+  identifier_field :user_id
+
+  field :user_id
+  encrypted_field :password
+  encrypted_field :api_key, aad_fields: [:user_id]
+end
+
+puts "=== Test Scenario: Field Operations ==="
+puts
+
+puts "Creating model and setting encrypted fields..."
+user = TraceTestModel.new(user_id: 'trace-user-1')
+
+puts "Setting password (no AAD)..."
+user.password = 'secret-password-123'
+
+puts "Setting api_key (with AAD)..."
+user.api_key = 'api-key-xyz-789'
+
+puts "Reading password..."
+retrieved_password = user.password
+puts "Final password value: #{retrieved_password}"
+
+puts "Reading api_key..."
+retrieved_api_key = user.api_key
+puts "Final api_key value: #{retrieved_api_key}"
+
+puts
+puts "=== Test Scenario: Cross-Algorithm Decryption ==="
+puts
+
+# Test cross-algorithm compatibility
+aes_encrypted = Familia::Encryption.encrypt_with('aes-256-gcm', 'cross-test-data', context: 'cross-test')
+puts "Decrypting AES-GCM data with default manager..."
+cross_decrypted = Familia::Encryption.decrypt(aes_encrypted, context: 'cross-test')
+puts "Cross-algorithm result: #{cross_decrypted}"
+
+puts
+puts "=== Method Tracing Complete ==="

data/try/debugging/provider_diagnostics.rb

@@ -0,0 +1,110 @@
+#!/usr/bin/env ruby
+# Debug script for testing encryption providers and diagnosing issues
+
+require 'base64'
+require_relative '../helpers/test_helpers'
+
+puts "=== Familia Encryption Provider Diagnostics ==="
+puts
+
+# Check encryption system status
+puts "1. Encryption System Status:"
+puts "   Status: #{Familia::Encryption.status.inspect}"
+puts
+
+# Check registry setup
+puts "2. Registry Providers:"
+require_relative '../../lib/familia/encryption/registry'
+Familia::Encryption::Registry.setup!
+Familia::Encryption::Registry.providers.each do |algo, provider_class|
+  puts "   #{algo}: #{provider_class.name}"
+  puts "     Available: #{provider_class.available?}"
+  puts "     Priority: #{provider_class.priority}"
+end
+puts
+
+# Setup test keys
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+
+# Test each provider individually
+['xchacha20poly1305', 'aes-256-gcm'].each do |algorithm|
+  puts "3. Testing #{algorithm.upcase} Provider:"
+
+  begin
+    manager = Familia::Encryption::Manager.new(algorithm: algorithm)
+    provider = manager.provider
+
+    puts "   Provider class: #{provider.class.name}"
+    puts "   Algorithm: #{provider.algorithm}"
+    puts "   Nonce size: #{provider.nonce_size} bytes"
+    puts "   Auth tag size: #{provider.auth_tag_size} bytes"
+
+    # Test encryption/decryption
+    test_data = "diagnostic test data for #{algorithm}"
+    encrypted = manager.encrypt(test_data, context: 'diagnostics')
+    puts "   Encryption: SUCCESS (#{encrypted.length} chars)"
+
+    decrypted = manager.decrypt(encrypted, context: 'diagnostics')
+    success = decrypted == test_data
+    puts "   Decryption: #{success ? 'SUCCESS' : 'FAILED'}"
+
+    if !success
+      puts "   Expected: #{test_data.inspect}"
+      puts "   Got: #{decrypted.inspect}"
+    end
+
+  rescue => e
+    puts "   ERROR: #{e.class}: #{e.message}"
+    puts "   Backtrace: #{e.backtrace.first(3).join(', ')}"
+  end
+
+  puts
+end
+
+# Test cross-algorithm compatibility
+puts "4. Cross-Algorithm Compatibility Test:"
+begin
+  xchacha_manager = Familia::Encryption::Manager.new(algorithm: 'xchacha20poly1305')
+  aes_manager = Familia::Encryption::Manager.new(algorithm: 'aes-256-gcm')
+  default_manager = Familia::Encryption::Manager.new
+
+  test_data = "cross-algorithm test"
+
+  # Encrypt with XChaCha20Poly1305
+  xchacha_encrypted = xchacha_manager.encrypt(test_data, context: 'cross-test')
+  xchacha_decrypted = default_manager.decrypt(xchacha_encrypted, context: 'cross-test')
+  puts "   XChaCha20Poly1305 -> Default: #{xchacha_decrypted == test_data ? 'SUCCESS' : 'FAILED'}"
+
+  # Encrypt with AES-GCM
+  aes_encrypted = aes_manager.encrypt(test_data, context: 'cross-test')
+  aes_decrypted = default_manager.decrypt(aes_encrypted, context: 'cross-test')
+  puts "   AES-GCM -> Default: #{aes_decrypted == test_data ? 'SUCCESS' : 'FAILED'}"
+
+rescue => e
+  puts "   ERROR: #{e.class}: #{e.message}"
+end
+puts
+
+# Test high-level API
+puts "5. High-Level API Test:"
+begin
+  encrypted_high = Familia::Encryption.encrypt_with('aes-256-gcm', 'high-level test', context: 'api-test')
+  puts "   encrypt_with: SUCCESS"
+
+  # Parse encrypted data to verify structure
+  require 'json'
+  parsed = JSON.parse(encrypted_high, symbolize_names: true)
+  puts "   Algorithm stored: #{parsed[:algorithm]}"
+  puts "   Key version: #{parsed[:key_version]}"
+
+  decrypted_high = Familia::Encryption.decrypt(encrypted_high, context: 'api-test')
+  puts "   decrypt: #{decrypted_high == 'high-level test' ? 'SUCCESS' : 'FAILED'}"
+
+rescue => e
+  puts "   ERROR: #{e.class}: #{e.message}"
+end
+
+puts
+puts "=== Diagnostics Complete ==="

data/try/edge_cases/hash_symbolization_try.rb

@@ -4,7 +4,6 @@
 # bug in Tryouts 3.1 that prevents the setup instance vars from
 # being available to the testcases.
 
-require_relative '../../lib/familia'
 require_relative '../helpers/test_helpers'
 
 Familia.debug = false

data/try/edge_cases/json_serialization_try.rb

@@ -1,6 +1,5 @@
 # try/edge_cases/json_serialization_try.rb
 
-require_relative '../../lib/familia'
 require_relative '../helpers/test_helpers'
 
 Familia.debug = false

data/try/edge_cases/reserved_keywords_try.rb

@@ -17,7 +17,7 @@ result
 #=!> StandardError
 
 ## prefixed field names work as expected
-TestClass2 = Class.new(Familia::Horreum) do
+ExampleTestClass = Class.new(Familia::Horreum) do
   identifier_field :email
   field :email
   field :secret_ttl
@@ -25,7 +25,7 @@ TestClass2 = Class.new(Familia::Horreum) do
   field :dbclient_config
 end
 
-user = TestClass2.new(email: 'test@example.com')
+user = ExampleTestClass.new(email: 'test@example.com')
 user.secret_ttl = 3600
 user.user_db = 5
 user.dbclient_config = { host: 'localhost' }
@@ -39,7 +39,7 @@ user.delete!
 result
 #=> true
 
-## reserved methods still work normally
+## Reserved methods still work normally
 TestClass3 = Class.new(Familia::Horreum) do
   # Note: Does not enable expiration feature
   identifier_field :email
@@ -55,20 +55,51 @@ user
 #==> _.respond_to?(:logical_database)
 #==> _.respond_to?(:dbclient)
 
+## Attempting to pass default_expiration as a field value when instantiating,
+## when expiration feature is enabled. It doesn't actually change the default
+## expiration for the instance b/c "default_expiration" is not a regular field.
+TestClassWithExpirationEnabled1 = Class.new(Familia::Horreum) do
+  feature :expiration
+  identifier_field :email
+  field :email
+end
+
+user = TestClassWithExpirationEnabled1.new(email: 'test@example.com', default_expiration: 3600)
+user.default_expiration
+#=> 0
 
-## Attempting to set default_expiration on an instance with expiration feature enabled
-TestClass4 = Class.new(Familia::Horreum) do
+## Attempting to set default_expiration for an instance when
+## the feature is enabled should work
+TestClassWithExpirationEnabled2 = Class.new(Familia::Horreum) do
   feature :expiration
   identifier_field :email
   field :email
-  field :default_expiration
 end
 
-user = TestClass4.new(email: 'test@example.com', default_expiration: 3600)
-user.save
-user.delete!
-user
-#==> _.default_expiration == 3600
+user = TestClassWithExpirationEnabled2.new(email: 'test@example.com')
+user.default_expiration = 3601
+user.default_expiration
+#=> 3601
+
+## Attempting to pass default_expiration as a field value when instantiating,
+## when expiration feature is disabled and then trying to access that value
+## simply raises a NoMethodError error.
+TestClassWithExpirationDisabled = Class.new(Familia::Horreum) do
+  identifier_field :email
+  field :email
+end
+
+user = TestClassWithExpirationDisabled.new(email: 'test@example.com', default_expiration: 3600)
+user.default_expiration
+#=!> NoMethodError
+
+## Attempting to add a field with a reserved name should raise an error
+TestClassWithExpirationDisabled = Class.new(Familia::Horreum) do
+  identifier_field :email
+  field :email
+  field :default_expiration
+end
+##=!> NoMethodError
 
 ## prefixed field names work as expected
 TestClass5 = Class.new(Familia::Horreum) do

data/try/encryption/config_persistence_try.rb

@@ -0,0 +1,192 @@
+# try/encryption/debug2_try.rb
+
+# - Tests configuration persistence between test sections
+# - Validates that config can be set and accessed in tryouts
+
+require 'base64'
+
+require_relative '../helpers/test_helpers'
+require 'familia/encryption/providers/xchacha20_poly1305_provider'
+
+# SETUP
+Familia.config.encryption_keys = {
+  v1: Base64.strict_encode64('a' * 32)
+}
+Familia.config.current_key_version = :v1
+
+## Check config in test
+keys = Familia.config.encryption_keys
+version = Familia.config.current_key_version
+[keys.nil?, version.nil?]
+#=> [false, false]
+
+## Try basic encryption in test
+Familia.config.encryption_keys = {v1: Base64.strict_encode64('a' * 32)}
+Familia.config.current_key_version = :v1
+result = Familia::Encryption.encrypt('test', context: 'test')
+result.nil?
+#=> false
+
+## XChaCha20Poly1305Provider is available when RbNaCl is loaded
+@provider_class = Familia::Encryption::Providers::XChaCha20Poly1305Provider
+@provider_class.available?
+#=> true
+
+## Provider has highest priority
+@provider_class.priority
+#=> 100
+
+## derive_key generates 32-byte key from master key and context
+provider = @provider_class.new
+master_key = 'a' * 32
+context = 'TestModel:field:user123'
+derived_key = provider.derive_key(master_key, context)
+derived_key.bytesize
+#=> 32
+
+## derive_key with same inputs produces same output
+provider = @provider_class.new
+master_key = 'a' * 32
+context = 'TestModel:field:user123'
+key1 = provider.derive_key(master_key, context)
+key2 = provider.derive_key(master_key, context)
+key1 == key2
+#=> true
+
+## derive_key with different contexts produces different keys
+provider = @provider_class.new
+master_key = 'a' * 32
+context1 = 'TestModel:field:user123'
+context2 = 'TestModel:field:user456'
+key1 = provider.derive_key(master_key, context1)
+key2 =
+ provider.derive_key(master_key, context2)
+key1 != key2
+#=> true
+
+## derive_key with custom personalization works
+provider = @provider_class.new
+master_key = 'a' * 32
+context = 'TestModel:field:user123'
+personal = 'custom_app_v2'
+derived_key = provider.derive_key(master_key, context, personal: personal)
+derived_key.bytesize
+#=> 32
+
+## derive_key rejects personalization string with null bytes
+provider = @provider_class.new
+master_key = 'a' * 32
+context = 'TestModel:field:user123'
+personal_with_null = "app\0version"
+begin
+  provider.derive_key(master_key, context, personal: personal_with_null)
+  "should_not_reach_here"
+rescue Familia::EncryptionError => e
+  e.message
+end
+#=> "Personalization string must not contain null bytes"
+
+## derive_key rejects config personalization with null bytes
+provider = @provider_class.new
+master_key = 'a' * 32
+context = 'TestModel:field:user123'
+# Set config with null byte
+original_personal = Familia.config.encryption_personalization
+Familia.config.encryption_personalization = "bad\0config"
+begin
+  provider.derive_key(master_key, context)
+  "should_not_reach_here"
+rescue Familia::EncryptionError => e
+  e.message
+ensure
+  Familia.config.encryption_personalization = original_personal
+end
+#=> "Personalization string must not contain null bytes"
+
+## derive_key validates master key length
+provider = @provider_class.new
+short_key = 'a' * 16  # Too short
+context = 'TestModel:field:user123'
+begin
+  provider.derive_key(short_key, context)
+  "should_not_reach_here"
+rescue Familia::EncryptionError => e
+  e.message
+end
+#=> "Key must be at least 32 bytes"
+
+## derive_key rejects nil master key
+provider = @provider_class.new
+context = 'TestModel:field:user123'
+begin
+  provider.derive_key(nil, context)
+  "should_not_reach_here"
+rescue Familia::EncryptionError => e
+  e.message
+end
+#=> "Key cannot be nil"
+
+## encrypt/decrypt round trip with derived key works
+provider = @provider_class.new
+master_key = 'a' * 32
+context = 'TestModel:field:user123'
+derived_key = provider.derive_key(master_key, context)
+plaintext = 'sensitive data'
+encrypted_data = provider.encrypt(plaintext, derived_key)
+decrypted = provider.decrypt(
+  encrypted_data[:ciphertext],
+  derived_key,
+  encrypted_data[:nonce],
+  encrypted_data[:auth_tag]
+)
+decrypted
+#=> "sensitive data"
+
+## encrypt with additional data and derived key
+provider = @provider_class.new
+master_key = 'a' * 32
+context = 'TestModel:field:user123'
+derived_key = provider.derive_key(master_key, context)
+plaintext = 'sensitive data'
+additional_data = 'user_id:123'
+encrypted_data = provider.encrypt(plaintext, derived_key, additional_data)
+decrypted = provider.decrypt(
+  encrypted_data[:ciphertext],
+  derived_key,
+  encrypted_data[:nonce],
+  encrypted_data[:auth_tag],
+  additional_data
+)
+decrypted
+#=> "sensitive data"
+
+## generate_nonce produces correct size
+provider = @provider_class.new
+nonce = provider.generate_nonce
+nonce.bytesize
+#=> 24
+
+## generate_nonce produces unique values
+provider = @provider_class.new
+nonce1 = provider.generate_nonce
+nonce2 = provider.generate_nonce
+nonce1 != nonce2
+#=> true
+
+## secure_wipe works with valid key
+provider = @provider_class.new
+key = 'a' * 32
+provider.secure_wipe(key)
+# Should not raise error
+true
+#=> true
+
+## secure_wipe handles nil key gracefully
+provider = @provider_class.new
+provider.secure_wipe(nil)
+# Should not raise error
+true
+#=> true
+
+# TEARDOWN
+Thread.current[:familia_key_cache]&.clear if Thread.current[:familia_key_cache]