RubyGems - hash_redactor - Versions diffs - 0.2.1 → 0.3.0 - Mend

hash_redactor 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -0
data/README.md +48 -1
data/lib/hash_redactor/hash_redactor.rb +47 -6
data/lib/hash_redactor/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 21c05c3393cf49eaf7ebd8b45b872724bbb2344c
-  data.tar.gz: 11cf069f14be218a178bebb0acb646f0d293b4d1
+  metadata.gz: 1475a0799bf0c7185a9c8e00d68258518bfe98af
+  data.tar.gz: 3f15bda52a73b7ef212dcc9b47196ca86adf0979
 SHA512:
-  metadata.gz: cfb79ccabcef173c20cdaa045ae685215890df0559276f0915387abaa203088fd834d87d4c0973e8123466de8264fa0482d547b8f969722e90442da2b8e90645
-  data.tar.gz: 840f2ce58bec117ec31afebf3bc91f6001eb4647c400d8f2a724caea4349c7da8182dcd9ecb1ee39b66b33c85564f3cd6c7503111835b7ebec3ed4b6e1edf3fe
+  metadata.gz: c632a1359f36fe0e9595397c7cd4e00210ecd9bb860e6ece61b7ceb6b2a39759d48add5c0ce7a1b67d00565305bc2f28ecb49ff1d5e62092e4f6b2b716e3a38c
+  data.tar.gz: ac247318fd969ac4fddeb6d1993590847c2d6a83aec9e980a9d1326d4a84e6bb4aa5ad5e923f62353f89a749d68c670db2c7b14bcd4a4341c8b8d7f25321b227

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,9 @@
 # hash_redactor #
+##0.3.0 ##
+* Added: Whitelist mode (@chrisjensen)
+* Fixed: redact + decrypt loop specs should check result is not empty (@chrisjensen)
 ##0.2.1 ##
 * Fixed: Add support for string keys (@chrisjensen)

data/README.md CHANGED Viewed

@@ -34,6 +34,7 @@ Initialize the HashRedactor with a set of fields that you want to redact in hash
 You can choose 3 ways to redact each field:
++ `:keep` - The field is untouched (for use in `:whitelist` mode)
 + `:remove` - The field is simply deleted
 + `:digest` - The field is passed through a one way hash function (SHA256)
 + `:encrypt` - The field is encrypted
@@ -121,7 +122,8 @@ Default options are:
 		  encryption_key:	 nil,
 		  encode:            true,
 		  encode_iv:         true,
-		  default_encoding:  'm'
+		  default_encoding:  'm',
+		  filter_mode:		 :blacklist
 ```
 ### :digest_salt
@@ -138,6 +140,51 @@ Determines how (if at all) to encode the encrypted data and it's iv
 The default encoding is m (base64). You can change this by setting encode: `'some encoding'`. See [Arrary#pack](http://ruby-doc.org/core-2.3.0/Array.html#method-i-pack) for more encoding options.
+### filter_mode
+Filter mode determines how keys that are not included in the redact option are handled.
+It can be either `:whitelist` or `:blacklist`
+In `:blacklist` mode the default, it will leave unspecified keys untouched.
+In `:whitelist` mode any keys not specified will be removes.
+```ruby
+redactor = HashRedactor::HashRedactor.new({
+	redact: { :id => :keep, :ssn => :remove, :history => :encrypt, :email => :digest" },
+	encryption_key: 'a really secure key no one will ever guess it',
+	digest_salt: 'a secret salt'
+})
+data = {
+  id: 42,
+  ssn: 'my ssn number',
+  history: 'Intriguing"
+  email: 'personal@email.com',
+  age: "that's personal"
+}
+result = reactor.redact data
+result[:id]					# 42
+result[:ssn]				# nil
+result[:encrypted_history]  # encrypted value
+result[:email_digest]		# digest of email
+result[:age]				# "that's personal"
+result = reactor.redact data, :filter_mode => :whitelist
+result[:id]					# 42 (because of :id => :keep)
+result[:ssn]				# nil
+result[:encrypted_history]  # encrypted value
+result[:email_digest]		# digest of email
+result[:age]				# nil (because it wasn't explicitly whitelisted)
+```
+*Note:* To prevent accidental deletion of digest information during repeated loading and unloading data, the digest of all values is implicitly assumed to be :keep.
+eg If your redact hash includes `:email => :digest`, it is assumed to also contain `:email_digest => :keep`
 ## Development
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/console` for an interactive prompt that will allow you to experiment.

data/lib/hash_redactor/hash_redactor.rb CHANGED Viewed

@@ -7,6 +7,8 @@ module HashRedactor
 		@options[:encode] = @options[:default_encoding] if @options[:encode] == true
 		@options[:encode_iv] = @options[:default_encoding] if @options[:encode_iv] == true
+		raise "unknown filter mode #{@options[:filter_mode]}" unless [:blacklist,:whitelist].include? @options[:filter_mode]
 	  end
   	  def default_options
@@ -15,9 +17,14 @@ module HashRedactor
 		  encryption_key:	 nil,
 		  encode:            true,
 		  encode_iv:         true,
-		  default_encoding:  'm'
+		  default_encoding:  'm',
+		  filter_mode:		 :blacklist
   	  	}
   	  end
+  	  def options
+  	  	@options
+  	  end
 	  # Removes, digests or encrypts fields in a hash
 	  # NOTE: This should NOT be used to protect password fields or similar
@@ -35,9 +42,22 @@ module HashRedactor
 		result = data.clone
-		redact_hash.each do |hash_key,how|
+  		# If it's blacklist mode, just go over our redact keys
+  		# Otherwise, we have to go through and remove all keys that aren't :keep
+  		if (options[:filter_mode] == :whitelist)
+  		  keys = data.keys
+		  redact_hash = whitelist_redact_hash redact_hash
+  		else
+  		  keys = redact_hash.keys
+  		end
+		keys.each do |hash_key,how|
+		  how = redact_hash[hash_key] || :remove
 		  if data.has_key? hash_key
 			case how
+			  when :keep
+			    nil
 			  when :remove
 				nil
 			  when :digest
@@ -48,7 +68,7 @@ module HashRedactor
 				raise "redact called with unknown operation on #{hash_key}: #{how}"
 			end
-			result.delete hash_key
+			result.delete hash_key unless how == :keep
 		  end
 		end
@@ -56,10 +76,9 @@ module HashRedactor
 	  end
 	  def digest(hash, hash_key, options)
-	  	digest_key = hash_key.to_s + '_digest'
-	  	digest_key = digest_key.to_sym if hash_key.is_a? Symbol
+	    dig_key = digest_key hash_key
-		hash[digest_key] = Digest::SHA256.base64digest(
+		hash[dig_key] = Digest::SHA256.base64digest(
 									hash[hash_key].to_s + options[:digest_salt])
 	  end
@@ -134,6 +153,28 @@ module HashRedactor
 		  result.delete iv_key
 		end
 	  end
+	  def digest_key hash_key
+	  	dig_key = hash_key.to_s + '_digest'
+	  	dig_key = dig_key.to_sym if hash_key.is_a? Symbol
+	  	dig_key
+	  end
+	  # Calculate all keys that should be kept in whitelist mode
+	  # In multiple iterations of redact -> decrypt - digest keys will remain
+	  # and then get deleted in the second iteration, so we have to
+	  # add the digest keys so they're not wiped out on later iteration
+  	  def whitelist_redact_hash redact_hash
+  	    digest_hash = {}
+  	  	redact_hash.each do |key,how|
+  	  	  if (how == :digest)
+  	  	    digest_hash[digest_key(key)] = :keep
+  	  	  end
+  	  	end
+  	  	digest_hash.merge redact_hash
+	  end
   end
   class EncryptorInterface

data/lib/hash_redactor/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module HashRedactor
-  VERSION = "0.2.1"
+  VERSION = "0.3.0"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hash_redactor
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.3.0
 platform: ruby
 authors:
 - Chris Jensen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-07-10 00:00:00.000000000 Z
+date: 2016-07-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: attr_encrypted