jcnnghm-acts_as_secure 1.0.6

data/CHANGELOG

@@ -0,0 +1,39 @@
+rel_1_0_5:
+  date: 2011-2-20
+  notes:
+    - Fixed Rails 3 deprecations
+
+rel_1_0_1:
+  date: 2009-12-20
+  notes:
+    - Fixed AR serialization - now adds "serialize" to the model when adding callbacks
+    -- Added secure_column_symbols to return an array of columns to be secured, as symbols. Not very DRY, but works for now 
+    - Defaulting to :text fields instead of binary for :storage type. To allow storing base64 encoded encrypted data
+    - Need to verify :only and :except returns a valid set of columns to secure - haven't tested this much at the moment.
+
+rel_1_0_0:
+  date: 2009-12-20
+  notes:
+    - Updates to use AR serialization to manage storage of data to the DB
+    - Added acts_as_secure :only => [] option to allow specifying specific columns to be secured
+    - Added update_pk_password class method to allow setting the private key password
+    - Added gemspec
+rel_0_0_4:
+  date: 2008-09-06
+  notes:
+    - No decryption for NULL fields
+
+rel_0_0_3:
+  date: 2007-06-26
+  notes:
+    - Added support for nested crypto blocks
+
+rel_0_0_2:
+  date: 2007-06-18
+  notes:
+    - Added support for model inheritance
+
+rel_0_0_1:
+  date: 2005-04-26
+  notes:
+    - Initial release

data/Gemfile

@@ -0,0 +1,4 @@
+source :gemcutter
+
+# Specify your gem's dependencies in acts_as_secure.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,42 @@
+PATH
+  remote: .
+  specs:
+    jcnnghm-acts_as_secure (1.0.5)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    activemodel (3.0.4)
+      activesupport (= 3.0.4)
+      builder (~> 2.1.2)
+      i18n (~> 0.4)
+    activerecord (3.0.4)
+      activemodel (= 3.0.4)
+      activesupport (= 3.0.4)
+      arel (~> 2.0.2)
+      tzinfo (~> 0.3.23)
+    activesupport (3.0.4)
+    arel (2.0.8)
+    builder (2.1.2)
+    diff-lcs (1.1.2)
+    i18n (0.5.0)
+    rspec (2.5.0)
+      rspec-core (~> 2.5.0)
+      rspec-expectations (~> 2.5.0)
+      rspec-mocks (~> 2.5.0)
+    rspec-core (2.5.1)
+    rspec-expectations (2.5.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.5.0)
+    sqlite3 (1.3.3)
+    tzinfo (0.3.24)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activerecord (~> 3.0.4)
+  bundler (>= 1.0.0)
+  jcnnghm-acts_as_secure!
+  rspec (~> 2.4)
+  sqlite3

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2007 Revolution Health Group LLC. All rights reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,152 @@
+== Introduction
+
+ActsAsSecure adds an ability to store ActiveRecord model's fields encrypted in a DB. When a model is marked with acts_as_secure, the :binary type fields are recognized as needed to be stored encrypted. The plugin does before_save/after_save/after_find encryption/decryption thus making it transparent for a code using the secure models.
+
+The plugin supports a master key approach as well as individual records encryption keys. It does not contain any crypto provider but allows to plug in any external one as long as it supports encrypt/decrypt methods.
+
+The fields are converted to a YAML form before encryption. After description they are restored via YAML.load. Since fields are stored encrypted, the find usage is very limited.
+
+== Compatibility
+
+This is only compatible with Rails 3.
+
+== Installation
+
+As gem, add the following to your gemfile.
+
+  gem 'jcnnghm-acts_as_secure'
+
+== Usage
+
+=== Master Key Provider Usage
+
+  class SecureModel < ActiveRecord::Base
+    acts_as_secure :crypto_provider => MasterKeyProviderClassOrInstance
+  end
+
+  SecureModel.create()
+  SecureModel.find(:first)
+
+=== Individual Keys Provider Usage
+
+  class SecureModel < ActiveRecord::Base
+    acts_as_secure
+  end
+
+  SecureModel.with_crypto_provider(SomeProvider.new(some_param)) { SecureModel.find(:first) }
+  SecureModel.with_crypto_provider(SomeProvider.new(some_param)) { SecureModel.create() }
+
+=== Other Options
+
+  acts_as_secure :storage_type => :text  -- changes the secure storage type from :binary to the supplied one
+  acts_as_secure :except => [:field1, :field2] -- disables the secure behavior for the :binary type fields in a supplied list
+
+== Example
+
+Let's define three models: Fruit (not secure), SecretFruit (uses the master key approach), and UberSecretFruit (uses the individual key approach).
+
+Rot13CryptoProvider represents a master key provider. SaltedRot13CryptoProvider depends on a salt individual for each record.
+
+
+=== Models
+
+  class Fruit < ActiveRecord::Base
+    has_one :secret_fruit
+    has_one :uber_secret_fruit
+  end
+
+  class CreateFruits < ActiveRecord::Migration
+    def self.up
+      create_table :fruits do |t|
+        t.column :name, :string
+      end
+    end
+  end
+
+  class Rot13CryptoProvider
+    class << self
+      def encrypt(arg)
+        arg.tr("A-Za-z", "N-ZA-Mn-za-m")
+      end
+      alias_method :decrypt, :encrypt
+    end
+  end
+
+  class SecretFruit < ActiveRecord::Base
+    acts_as_secure :crypto_provider => Rot13CryptoProvider
+    belongs_to :fruit
+  end
+
+  class CreateSecretFruits < ActiveRecord::Migration
+    def self.up
+      create_table :secret_fruits do |t|
+        t.column :name, :binary
+        t.column :fruit_id, :integer
+      end
+    end
+  end
+
+  class SaltedRot13CryptoProvider
+    def initialize(salt)
+      @salt = salt
+    end
+    def encrypt(arg)
+      @salt + arg.tr("A-Za-z", "N-ZA-Mn-za-m")
+    end
+    def decrypt(arg)
+      arg[@salt.size .. -1].tr("A-Za-z", "N-ZA-Mn-za-m")
+    end
+  end
+
+  class UberSecretFruit < ActiveRecord::Base
+    acts_as_secure
+    belongs_to :fruit
+  end
+
+  class CreateUberSecretFruits < ActiveRecord::Migration
+    def self.up
+      create_table :uber_secret_fruits do |t|
+        t.column :name, :binary
+        t.column :fruit_id, :integer
+      end
+    end
+  end
+
+=== Usage
+
+  >> f = Fruit.create(:name => 'passion fruit')
+  >> SecretFruit.create(:name => 'maracuya', :fruit => f)
+  >> puts f.secret_fruit.name
+  maracuya
+  >> secret = readline.chomp
+  uber_secret
+  >> crypto_provider = SaltedRot13CryptoProvider.new(secret)
+  >> UberSecretFruit.with_crypto_provider(crypto_provider) { UberSecretFruit.create(:name => 'Passiflora edulis', :fruit => f) }
+  >> UberSecretFruit.with_crypto_provider(crypto_provider) { puts f.uber_secret_fruit.name }
+  Passiflora edulis
+
+=== DB
+
+  > select * from secret_fruits;
+  +----+---------------+----------+
+  | id | name          | fruit_id |
+  +----+---------------+----------+
+  |  1 | --- znenphln  |        1 |
+  +----+---------------+----------+
+
+  > select * from uber_secret_fruits;
+  +----+-----------------------------------+----------+
+  | id | name                              | fruit_id |
+  +----+-----------------------------------+----------+
+  |  1 | uber_secret--- Cnffvsyben rqhyvf  |        1 |
+  +----+-----------------------------------+----------+
+
+
+== Running Tests
+
+  bundle exec rspec spec
+
+== License
+
+ActsAsSecure released under the MIT license.
+

data/Rakefile

@@ -0,0 +1,2 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks

data/acts_as_secure.gemspec

@@ -0,0 +1,27 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path("../lib/acts_as_secure/version", __FILE__)
+
+Gem::Specification.new do |s|
+  s.name        = "jcnnghm-acts_as_secure"
+  s.version     = ActsAsSecure::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ['Justin Cunningham' , '2007 Revolution Health Group LLC.']
+  s.email       = ['justin@compucatedsolutions.com']
+  s.homepage    = "http://rubygems.org/gems/jcnnghm-acts_as_secure"
+  s.summary     = "ActsAsSecure adds an ability to store ActiveRecord model's fields encrypted in a DB."
+  s.description = "When a model is marked with acts_as_secure, the :binary type fields are recognized as needed to be stored encrypted.
+    The plugin does before_save/after_save/after_find encryption/decryption thus making it transparent for a
+    code using the secure models."
+
+  s.required_rubygems_version = ">= 1.3.6"
+  s.rubyforge_project         = "jcnnghm-acts_as_secure"
+
+  s.add_development_dependency "bundler", ">= 1.0.0"
+  s.add_development_dependency "rspec", "~> 2.4"
+  s.add_development_dependency "activerecord", '~> 3.0.4'
+  s.add_development_dependency "sqlite3"
+
+  s.files        = `git ls-files`.split("\n")
+  s.executables  = `git ls-files`.split("\n").map{|f| f =~ /^bin\/(.*)/ ? $1 : nil}.compact
+  s.require_path = 'lib'
+end

data/lib/acts_as_secure.rb

@@ -0,0 +1 @@
+require 'acts_as_secure/acts_as_secure'

data/lib/acts_as_secure/acts_as_secure.rb

@@ -0,0 +1,120 @@
+module ActiveRecord; module Acts; end; end 
+
+module ActiveRecord::Acts::ActsAsSecure
+  
+  require 'yaml'
+    
+  def self.included(base)
+    base.extend(ClassMethods)
+  end
+  
+  module ClassMethods
+            
+    def acts_as_secure(options = {})
+      parse_options!(options)
+      add_callbacks
+      extend(ActsAsSecureClassMethods)
+      send(:include, InstanceMethods)
+    end
+      
+  private
+            
+    def parse_options!(options)
+      @secure_except = unsecure_columns(options.delete(:except))
+      @secure_storage_type = options.delete(:storage_type) || :binary
+      @secure_crypto_provider = options.delete(:crypto_provider)
+      fail("Unknown option(s): #{ options.keys.join(', ') }") unless options.empty?
+    end
+    
+    def add_callbacks
+      before_save :encrypt_secure_columns
+      after_save :decrypt_secure_columns
+      after_find :decrypt_secure_columns
+    end
+
+    def unsecure_columns(*names)
+      names.flatten.collect(&:to_s)
+    end
+        
+    module ActsAsSecureClassMethods
+      
+      def inherited(sub)
+
+        [:secure_except, :secure_storage_type, :secure_crypto_provider].each do |p|
+          sub.instance_variable_set("@#{ p }", instance_variable_get("@#{ p }"))
+        end
+
+        super
+
+      end
+      
+      def with_crypto_provider(provider)
+        begin
+          original_provider = @secure_crypto_provider
+          @secure_crypto_provider = provider
+          yield
+        ensure
+          @secure_crypto_provider = original_provider
+        end
+      end
+
+      def secure_columns
+        columns.reject { |col| (col.type != @secure_storage_type) || @secure_except.include?(col.name) }
+      end
+
+      def secure_crypto_provider
+        @secure_crypto_provider
+      end
+      
+    end
+    
+    
+    module InstanceMethods
+
+      def encrypt_secure_columns
+        self.class.secure_columns.each do |col|
+          self[col.name] = secure_encrypt(self[col.name])
+        end
+      end
+      
+      def decrypt_secure_columns
+        @encrypted_attributes = {}
+        self.class.secure_columns.each do |col|
+          @encrypted_attributes[col.name] = send("#{ col.name }_before_type_cast")
+          self[col.name] = secure_decrypt(send("#{ col.name }_before_type_cast")) unless self[col.name].nil?
+        end
+      end
+
+      def read_attribute_before_decryption(attr_name)
+        if @encrypted_attributes[attr_name.to_s].nil?
+          self[attr_name]
+        else
+          @encrypted_attributes[attr_name.to_s]
+        end
+      end
+      
+    private
+      
+      def secure_encrypt(arg)
+        secure_crypto_provider.encrypt(arg.to_yaml)
+      end 
+           
+      def secure_decrypt(arg)
+        begin
+          YAML.load(secure_crypto_provider.decrypt(arg))
+        rescue Exception => ex
+          raise "Failed to decode the field. Incorrect key?"
+        end
+      end
+      
+      def secure_crypto_provider
+        self.class.secure_crypto_provider || fail('No crypto provider defined')
+      end
+      
+    end
+    
+  end
+  
+end
+
+ActiveRecord::Base.send(:include, ActiveRecord::Acts::ActsAsSecure)

data/lib/acts_as_secure/version.rb

@@ -0,0 +1,3 @@
+module ActsAsSecure
+  VERSION = "1.0.6"
+end

data/lib/jcnnghm-acts_as_secure.rb

@@ -0,0 +1 @@
+require 'acts_as_secure'

data/spec/.gitignore

@@ -0,0 +1 @@
+active_record.log

data/spec/acts_as_secure_spec.rb

@@ -0,0 +1,55 @@
+require 'test_in_memory'
+
+describe "acts_as_secure" do
+  it "should make sure README works" do
+    f = Fruit.create(:name => 'passion fruit')
+    SecretFruit.create(:name => 'maracuya', :fruit => f)
+    f.secret_fruit.name.should eql('maracuya')
+
+    secret = 'uber_secret'
+    crypto_provider = SaltedRot13CryptoProvider.new(secret)
+    UberSecretFruit.with_crypto_provider(crypto_provider) { UberSecretFruit.create(:name => 'Passiflora edulis', :fruit => f) }
+    UberSecretFruit.with_crypto_provider(crypto_provider) { f.uber_secret_fruit.name.should eql('Passiflora edulis') }
+  end
+
+  it "should allow you to read attributes before encryption" do
+    f = Fruit.create(:name => 'passion fruit')
+    SecretFruit.create(:name => 'maracuya', :fruit => f)
+
+    f.secret_fruit.read_attribute_before_decryption(:name).should eql('znenphln'.to_yaml)
+    f.secret_fruit.name.should eql('maracuya')
+  end
+
+  it "should encrypt properly" do
+    f = Fruit.create(:name => 'passion fruit')
+    SecretFruit.create(:name => 'maracuya', :fruit => f)
+
+    f.secret_fruit.read_attribute_before_decryption(:name).should eql(f.secret_fruit.send(:secure_encrypt, 'maracuya'))
+  end
+
+  it "should test secure columns" do
+    SecretFruit.secure_columns.map(&:name).should_not include('id')
+    SecretFruit.secure_columns.map(&:name).should_not include('fruit_id')
+    SecretFruit.secure_columns.map(&:name).should include('name')
+  end
+
+  it "should test except" do
+    class SecretFruit < ActiveRecord::Base
+      acts_as_secure :crypto_provider => Rot13CryptoProvider, :except => [:name]
+      belongs_to :fruit
+    end
+
+    SecretFruit.secure_columns.should be_blank
+  end
+
+  it "should allow the storage type to be selected" do
+    class SecretFruit < ActiveRecord::Base
+      acts_as_secure :crypto_provider => Rot13CryptoProvider, :storage_type => :integer
+      belongs_to :fruit
+    end
+
+    SecretFruit.secure_columns.map(&:name).should include('id')
+    SecretFruit.secure_columns.map(&:name).should include('fruit_id')
+    SecretFruit.secure_columns.map(&:name).should_not include('name')
+  end
+end