familia 2.0.0.pre5 → 2.0.0.pre7

data/try/debugging/debug_concealed_reveal.rb

@@ -0,0 +1,61 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift(File.expand_path('lib', __dir__))
+ENV['TEST'] = 'true'  # Mark as test environment
+require 'familia'
+require_relative 'try/helpers/test_helpers'
+
+puts "Testing ConcealedString.reveal error handling..."
+
+class TestModel < Familia::Horreum
+  feature :encrypted_fields
+  identifier_field :id
+  field :id
+  encrypted_field :secret
+end
+
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+
+# Clean database
+Familia.dbclient.flushdb
+
+puts "\n=== CONCEALED STRING REVEAL ERROR PATH ==="
+
+# Create and save model (encrypt with AAD = nil)
+model = TestModel.new(id: 'test1')
+model.secret = 'plaintext-secret'
+model.save
+
+# Load model from database (decrypt with AAD = "test1")
+loaded_model = TestModel.load('test1')
+
+puts "Loaded model secret class: #{loaded_model.secret.class}"
+
+# Test ConcealedString.reveal directly
+concealed_string = loaded_model.secret
+puts "ConcealedString object: #{concealed_string.inspect}"
+
+puts "\nTesting ConcealedString.reveal..."
+begin
+  result = concealed_string.reveal do |plaintext|
+    puts "Inside reveal block, plaintext: #{plaintext}"
+    plaintext  # Return the plaintext
+  end
+  puts "Reveal result: #{result}"
+  puts "Result class: #{result.class}"
+rescue => e
+  puts "Reveal ERROR: #{e.class}: #{e.message}"
+  puts e.backtrace.first(5)
+end
+
+puts "\nTesting ConcealedString.reveal_for_testing..."
+begin
+  result = concealed_string.reveal_for_testing
+  puts "reveal_for_testing result: #{result}"
+  puts "Result class: #{result.class}"
+rescue => e
+  puts "reveal_for_testing ERROR: #{e.class}: #{e.message}"
+  puts e.backtrace.first(5)
+end

data/try/debugging/debug_context_aad.rb

@@ -0,0 +1,68 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift(File.expand_path('lib', __dir__))
+ENV['TEST'] = 'true'
+require 'familia'
+require_relative 'try/helpers/test_helpers'
+
+puts "Debugging context and AAD generation..."
+
+# Setup encryption keys
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+
+class ModelA < Familia::Horreum
+  feature :encrypted_fields
+  identifier_field :id
+  field :id
+  encrypted_field :api_key
+end
+
+class ModelB < Familia::Horreum
+  feature :encrypted_fields
+  identifier_field :id
+  field :id
+  encrypted_field :api_key
+end
+
+model_a = ModelA.new(id: 'same-id')
+model_b = ModelB.new(id: 'same-id')
+
+# Get the field type for each model
+field_type_a = ModelA.fields[:api_key]
+field_type_b = ModelB.fields[:api_key]
+
+puts "=== Context and AAD Analysis ==="
+
+# Test context generation
+context_a = field_type_a.send(:build_context, model_a)
+context_b = field_type_b.send(:build_context, model_b)
+
+puts "ModelA context: #{context_a}"
+puts "ModelB context: #{context_b}"
+puts "Contexts match: #{context_a == context_b}"
+
+# Test AAD generation
+aad_a = field_type_a.send(:build_aad, model_a)
+aad_b = field_type_b.send(:build_aad, model_b)
+
+puts "\nModelA AAD: #{aad_a}"
+puts "ModelB AAD: #{aad_b}"
+puts "AADs match: #{aad_a == aad_b}"
+
+puts "\n=== Testing different identifiers ==="
+model_a2 = ModelA.new(id: 'different-id')
+model_b2 = ModelB.new(id: 'different-id')
+
+context_a2 = field_type_a.send(:build_context, model_a2)
+context_b2 = field_type_b.send(:build_context, model_b2)
+aad_a2 = field_type_a.send(:build_aad, model_a2)
+aad_b2 = field_type_b.send(:build_aad, model_b2)
+
+puts "ModelA2 context: #{context_a2}"
+puts "ModelB2 context: #{context_b2}"
+puts "A2-B2 contexts match: #{context_a2 == context_b2}"
+puts "ModelA2 AAD: #{aad_a2}"
+puts "ModelB2 AAD: #{aad_b2}"
+puts "A2-B2 AADs match: #{aad_a2 == aad_b2}"

data/try/debugging/debug_context_simple.rb

@@ -0,0 +1,80 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift(File.expand_path('lib', __dir__))
+ENV['TEST'] = 'true'
+require 'familia'
+
+puts "Understanding the issue with cross-context decryption..."
+
+# Setup encryption keys
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+
+class ModelA < Familia::Horreum
+  feature :encrypted_fields
+  identifier_field :id
+  field :id
+  encrypted_field :api_key
+end
+
+class ModelB < Familia::Horreum
+  feature :encrypted_fields
+  identifier_field :id
+  field :id
+  encrypted_field :api_key
+end
+
+model_a = ModelA.new(id: 'same-id')
+model_b = ModelB.new(id: 'same-id')
+
+puts "ModelA class: #{model_a.class}"
+puts "ModelB class: #{model_b.class}"
+puts "Same class?: #{model_a.class == model_b.class}"
+
+# Inspect what context would be built
+puts "\nContext analysis:"
+puts "ModelA identifier: #{model_a.identifier}"
+puts "ModelB identifier: #{model_b.identifier}"
+
+# Let's see what happens with the field types
+modelA_api_key_type = nil
+modelB_api_key_type = nil
+
+ModelA.field_types.each do |name, type|
+  if name == :api_key
+    modelA_api_key_type = type
+    break
+  end
+end
+
+ModelB.field_types.each do |name, type|
+  if name == :api_key
+    modelB_api_key_type = type
+    break
+  end
+end
+
+puts "ModelA api_key type: #{modelA_api_key_type}"
+puts "ModelB api_key type: #{modelB_api_key_type}"
+puts "Same type object?: #{modelA_api_key_type.object_id == modelB_api_key_type.object_id}"
+
+# Check what context and AAD would be generated
+if modelA_api_key_type && modelB_api_key_type
+  context_a = "#{model_a.class.name}:api_key:#{model_a.identifier}"
+  context_b = "#{model_b.class.name}:api_key:#{model_b.identifier}"
+
+  puts "\nExpected contexts:"
+  puts "ModelA context: #{context_a}"
+  puts "ModelB context: #{context_b}"
+  puts "Contexts should be different: #{context_a != context_b}"
+
+  # AAD should be identifier when no aad_fields
+  aad_a = model_a.identifier
+  aad_b = model_b.identifier
+
+  puts "\nExpected AADs:"
+  puts "ModelA AAD: #{aad_a}"
+  puts "ModelB AAD: #{aad_b}"
+  puts "AADs are same: #{aad_a == aad_b}"
+end

data/try/debugging/debug_cross_context.rb

@@ -0,0 +1,62 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift(File.expand_path('lib', __dir__))
+ENV['TEST'] = 'true'
+require 'familia'
+require_relative 'try/helpers/test_helpers'
+
+puts "Debugging cross-context validation..."
+
+# Setup encryption keys
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+
+class ModelA < Familia::Horreum
+  feature :encrypted_fields
+  identifier_field :id
+  field :id
+  encrypted_field :api_key
+end
+
+class ModelB < Familia::Horreum
+  feature :encrypted_fields
+  identifier_field :id
+  field :id
+  encrypted_field :api_key
+end
+
+# Clean database
+Familia.dbclient.flushdb
+
+model_a = ModelA.new(id: 'same-id')
+model_b = ModelB.new(id: 'same-id')
+
+model_a.api_key = 'secret-key'
+model_b.api_key = 'secret-key'
+
+cipher_a = model_a.instance_variable_get(:@api_key)
+cipher_b = model_b.instance_variable_get(:@api_key)
+
+puts "cipher_a: #{cipher_a.class} - #{cipher_a.encrypted_value}"
+puts "cipher_b: #{cipher_b.class} - #{cipher_b.encrypted_value}"
+
+# Now try cross-context access
+puts "\n=== Cross-context test ==="
+model_a.instance_variable_set(:@api_key, cipher_b)
+puts "Set cipher_b into model_a"
+
+begin
+  result = model_a.api_key
+  puts "Got result: #{result.class} - should be ConcealedString"
+
+  # Try to reveal it
+  result.reveal do |plaintext|
+    puts "Successfully revealed: #{plaintext}"
+  end
+  puts "ERROR: Cross-context decryption should have failed!"
+rescue Familia::EncryptionError => e
+  puts "SUCCESS: Got expected encryption error: #{e.message}"
+rescue => e
+  puts "Got unexpected error: #{e.class}: #{e.message}"
+end

data/try/debugging/debug_database_load.rb

@@ -0,0 +1,64 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift(File.expand_path('lib', __dir__))
+ENV['TEST'] = 'true'  # Mark as test environment
+require 'familia'
+require_relative 'try/helpers/test_helpers'
+
+puts "Testing database load vs in-memory encryption..."
+
+class TestModel < Familia::Horreum
+  feature :encrypted_fields
+  identifier_field :id
+  field :id
+  field :title
+  encrypted_field :secret
+end
+
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+
+# Clean database
+Familia.dbclient.flushdb
+
+puts "\n=== PHASE 1: In-memory object ==="
+model = TestModel.new(id: 'test1')
+model.title = 'Test Title'
+puts "PRE-ENCRYPT: model.exists? = #{model.exists?}"
+model.secret = 'plaintext-secret'
+
+puts "In-memory secret class: #{model.secret.class}"
+puts "In-memory secret value: #{model.secret}"
+
+model.secret.reveal do |plaintext|
+  puts "In-memory reveal: #{plaintext}"
+end
+
+puts "\n=== PHASE 2: Save to database ==="
+model.save
+
+puts "Keys in database: #{Familia.dbclient.keys('*')}"
+puts "Hash contents: #{Familia.dbclient.hgetall('testmodel:test1:object')}"
+
+raw_secret = Familia.dbclient.hget('testmodel:test1:object', 'secret')
+puts "Raw secret from DB: #{raw_secret}"
+
+puts "\n=== PHASE 3: Load from database ==="
+loaded_model = TestModel.load('test1')
+
+if loaded_model
+  puts "Loaded model exists: #{loaded_model.exists?}"
+  puts "Loaded secret class: #{loaded_model.secret.class}"
+  puts "Loaded secret value: #{loaded_model.secret}"
+
+  begin
+    loaded_model.secret.reveal do |plaintext|
+      puts "Loaded reveal: #{plaintext}"
+    end
+  rescue => e
+    puts "Loaded reveal ERROR: #{e.class}: #{e.message}"
+  end
+else
+  puts "Failed to load model"
+end

data/try/debugging/debug_encrypted_json_check.rb

@@ -0,0 +1,53 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift(File.expand_path('lib', __dir__))
+ENV['TEST'] = 'true'  # Mark as test environment
+require 'familia'
+require_relative 'try/helpers/test_helpers'
+
+puts "Testing encrypted_json? method..."
+
+class TestModel < Familia::Horreum
+  feature :encrypted_fields
+  identifier_field :id
+  field :id
+  encrypted_field :secret
+end
+
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+
+field_type = TestModel.field_types[:secret]
+
+# Test with actual encrypted JSON from the load path
+encrypted_json = '{"algorithm":"xchacha20poly1305","nonce":"RDK0GSY3Vbrbv7OAgol10bHOmderAExt","ciphertext":"uo8j6Pm6tV68BcvqK5maXQ==","auth_tag":"5Cr1QgTnajnWIji0fsQP0g==","key_version":"v1"}'
+
+puts "Testing encrypted JSON: #{encrypted_json[0..80]}..."
+puts "String class: #{encrypted_json.class}"
+puts "Is string?: #{encrypted_json.is_a?(String)}"
+
+puts "\nManual JSON parsing:"
+begin
+  parsed = JSON.parse(encrypted_json)
+  puts "Parsed successfully: #{parsed.class}"
+  puts "Is hash?: #{parsed.is_a?(Hash)}"
+  puts "Has algorithm key?: #{parsed.key?('algorithm')}"
+  puts "Algorithm value: #{parsed['algorithm']}"
+rescue => e
+  puts "JSON parse error: #{e.class}: #{e.message}"
+end
+
+puts "\nTesting field_type.encrypted_json? method:"
+result = field_type.encrypted_json?(encrypted_json)
+puts "encrypted_json? result: #{result}"
+
+puts "\nTesting with symbol keys:"
+begin
+  parsed_sym = JSON.parse(encrypted_json, symbolize_names: true)
+  puts "Parsed with symbols: #{parsed_sym.class}"
+  puts "Has :algorithm key?: #{parsed_sym.key?(:algorithm)}"
+  puts "Has 'algorithm' key?: #{parsed_sym.key?('algorithm')}"
+rescue => e
+  puts "Symbol parse error: #{e.class}: #{e.message}"
+end

data/try/debugging/debug_encrypted_json_step_by_step.rb

@@ -0,0 +1,62 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift(File.expand_path('lib', __dir__))
+ENV['TEST'] = 'true'  # Mark as test environment
+require 'familia'
+require_relative 'try/helpers/test_helpers'
+
+puts "Step-by-step debugging of encrypted_json? method..."
+
+class TestModel < Familia::Horreum
+  feature :encrypted_fields
+  identifier_field :id
+  field :id
+  encrypted_field :secret
+end
+
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+
+field_type = TestModel.field_types[:secret]
+
+# Monkey patch the encrypted_json? method to add debugging
+class Familia::EncryptedFieldType
+  def encrypted_json?(data)
+    puts "\n=== encrypted_json? DEBUG ==="
+    puts "Input data: #{data}"
+    puts "Data class: #{data.class}"
+    puts "Is String?: #{data.is_a?(String)}"
+
+    return false unless data.is_a?(String)
+    puts "Passed String check"
+
+    begin
+      puts "Attempting JSON.parse..."
+      parsed = JSON.parse(data)
+      puts "Parsed result: #{parsed}"
+      puts "Parsed class: #{parsed.class}"
+      puts "Is Hash?: #{parsed.is_a?(Hash)}"
+
+      if parsed.is_a?(Hash)
+        puts "Hash keys: #{parsed.keys}"
+        puts "Has 'algorithm' key?: #{parsed.key?('algorithm')}"
+        result = parsed.key?('algorithm')
+        puts "Final result: #{result}"
+        return result
+      else
+        puts "Not a hash, returning false"
+        return false
+      end
+    rescue JSON::ParserError => e
+      puts "JSON parse error: #{e.message}"
+      false
+    end
+  end
+end
+
+encrypted_json = '{"algorithm":"xchacha20poly1305","nonce":"RDK0GSY3Vbrbv7OAgol10bHOmderAExt","ciphertext":"uo8j6Pm6tV68BcvqK5maXQ==","auth_tag":"5Cr1QgTnajnWIji0fsQP0g==","key_version":"v1"}'
+
+puts "Calling field_type.encrypted_json?..."
+result = field_type.encrypted_json?(encrypted_json)
+puts "\nFINAL RESULT: #{result}"

data/try/debugging/debug_exists_lifecycle.rb

@@ -0,0 +1,54 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift(File.expand_path('lib', __dir__))
+ENV['TEST'] = 'true'
+require 'familia'
+require_relative 'try/helpers/test_helpers'
+
+puts "Investigating exists? lifecycle..."
+
+class TestModel < Familia::Horreum
+  feature :encrypted_fields
+  identifier_field :id
+  field :id
+  encrypted_field :secret
+end
+
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+
+# Clean database
+Familia.dbclient.flushdb
+
+# Override the exists? method to add logging
+class TestModel
+  alias_method :original_exists?, :exists?
+  def exists?
+    result = original_exists?
+    puts "EXISTS? called - result: #{result} (identifier: #{identifier})" if ENV['TEST']
+    result
+  end
+end
+
+puts "\n=== CREATION AND SAVE ==="
+model = TestModel.new(id: 'test1')
+puts "After new - exists?: #{model.exists?}"
+model.secret = 'plaintext-secret'
+puts "After setting secret - exists?: #{model.exists?}"
+model.save
+puts "After save - exists?: #{model.exists?}"
+
+puts "\n=== LOAD FROM DATABASE ==="
+puts "About to load..."
+loaded_model = TestModel.load('test1')
+puts "After load - exists?: #{loaded_model.exists?}"
+
+puts "\n=== TRYING TO ACCESS SECRET ==="
+begin
+  loaded_model.secret.reveal do |plaintext|
+    puts "Successfully revealed: #{plaintext}"
+  end
+rescue => e
+  puts "Failed to reveal: #{e.class}: #{e.message}"
+end

data/try/debugging/debug_field_decrypt.rb

@@ -0,0 +1,74 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift(File.expand_path('lib', __dir__))
+ENV['TEST'] = 'true'  # Mark as test environment
+require 'familia'
+require_relative 'try/helpers/test_helpers'
+
+puts "Testing field-level decryption path..."
+
+class TestModel < Familia::Horreum
+  feature :encrypted_fields
+  identifier_field :id
+  field :id
+  encrypted_field :secret
+end
+
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+
+# Clean database
+Familia.dbclient.flushdb
+
+puts "\n=== FIELD-LEVEL DECRYPTION PATH ==="
+
+# Create and save model
+model = TestModel.new(id: 'test1')
+model.secret = 'plaintext-secret'
+model.save
+
+# Load model from database
+loaded_model = TestModel.load('test1')
+
+# Get the field type and test direct decryption
+puts "Available field types: #{TestModel.field_types.inspect}"
+secret_field_type = TestModel.field_types[:secret]
+puts "Field type class: #{secret_field_type.class}"
+
+# Get the raw encrypted data
+raw_encrypted = Familia.dbclient.hget('testmodel:test1:object', 'secret')
+puts "Raw encrypted from DB: #{raw_encrypted}"
+
+puts "\n=== DIRECT FIELD TYPE DECRYPTION ==="
+
+# Test the field type decrypt_value method directly
+puts "Testing field_type.decrypt_value with loaded model..."
+begin
+  direct_decrypted = secret_field_type.decrypt_value(loaded_model, raw_encrypted)
+  puts "Direct field decrypt result: #{direct_decrypted}"
+  puts "Result class: #{direct_decrypted.class}"
+rescue => e
+  puts "Direct field decrypt ERROR: #{e.class}: #{e.message}"
+  puts e.backtrace.first(5)
+end
+
+puts "\n=== AAD INVESTIGATION ==="
+puts "loaded_model.exists?: #{loaded_model.exists?}"
+puts "loaded_model.identifier: #{loaded_model.identifier}"
+
+# Build the same context and AAD that the field type would use
+context = "TestModel:secret:#{loaded_model.identifier}"
+puts "Context: #{context}"
+
+# Build AAD using the same logic as EncryptedFieldType#build_aad
+aad = loaded_model.exists? ? loaded_model.identifier : nil
+puts "AAD: #{aad.inspect}"
+
+puts "\n=== MANUAL FAMILIA::ENCRYPTION CALL ==="
+begin
+  manual_decrypted = Familia::Encryption.decrypt(raw_encrypted, context: context, additional_data: aad)
+  puts "Manual decrypt result: #{manual_decrypted}"
+rescue => e
+  puts "Manual decrypt ERROR: #{e.class}: #{e.message}"
+end

data/try/debugging/debug_fresh_cross_context.rb

@@ -0,0 +1,73 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift(File.expand_path('lib', __dir__))
+ENV['TEST'] = 'true'
+require 'familia'
+require_relative 'try/helpers/test_helpers'
+
+puts "Testing cross-context validation with fresh encryption after AAD fix..."
+
+# Setup encryption keys
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+
+class FreshModelA < Familia::Horreum
+  feature :encrypted_fields
+  identifier_field :id
+  field :id
+  encrypted_field :api_key
+end
+
+class FreshModelB < Familia::Horreum
+  feature :encrypted_fields
+  identifier_field :id
+  field :id
+  encrypted_field :api_key
+end
+
+# Clean database
+Familia.dbclient.flushdb
+
+model_a = FreshModelA.new(id: 'same-id')
+model_b = FreshModelB.new(id: 'same-id')
+
+puts "=== Fresh Encryption Test ==="
+model_a.api_key = 'secret-key'
+model_b.api_key = 'secret-key'
+
+cipher_a = model_a.instance_variable_get(:@api_key)
+cipher_b = model_b.instance_variable_get(:@api_key)
+
+puts "cipher_a encrypted: #{cipher_a.encrypted_value}"
+puts "cipher_b encrypted: #{cipher_b.encrypted_value}"
+
+# Now try cross-context access
+puts "\n=== Cross-context test ==="
+model_a.instance_variable_set(:@api_key, cipher_b)
+puts "Set cipher_b into model_a"
+
+begin
+  result = model_a.api_key
+  puts "Got result: #{result.class}"
+
+  # Try to reveal it - this should fail now
+  result.reveal do |plaintext|
+    puts "ERROR: Successfully revealed: #{plaintext} - should have failed!"
+  end
+rescue Familia::EncryptionError => e
+  puts "SUCCESS: Got expected encryption error: #{e.message}"
+rescue => e
+  puts "Got unexpected error: #{e.class}: #{e.message}"
+end
+
+puts "\n=== Same-context test (should work) ==="
+begin
+  model_a.instance_variable_set(:@api_key, cipher_a) # Back to original
+  result = model_a.api_key
+  result.reveal do |plaintext|
+    puts "SUCCESS: Same-context decryption worked: #{plaintext}"
+  end
+rescue => e
+  puts "ERROR: Same-context failed: #{e.class}: #{e.message}"
+end