lockbox 0.2.3 → 0.2.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 10f6fa1f09a73c4fb740dce62478c0abc65dbfa6ed5434801429bf5d990e2e38
-  data.tar.gz: b6975e18f7f9c28ce7397f982a6f3900fc6af7938883e0631afbd72e32d5caec
+  metadata.gz: d4bf60bca21cbcbf37397b2431401a56191b2a8a2b311ddd12bbe8f94d43a259
+  data.tar.gz: '09969a1e9c7904fe69e017dd6aa8a0d5e1a50573fc5937994ad2c0eab63f499b'
 SHA512:
-  metadata.gz: 322b03e672c6e389f26311e57625b6f6e633c64dbd27904a6c5c59105b809b295edd2d49171965ad6c6f6707e8a7d4ddf191b2612b7563326a9c867cabcc9b57
-  data.tar.gz: 2a4cec96d5b0388bae885cb817aba5ada8ac1c65d74f3fc310800a207f500eba15d5de475c7b94e81027f7b4f09599c9a4b5c65145b6996e6ca9eda7215704a4
+  metadata.gz: 5b513fb92e0074f10a5044acbcd9a06bba8f90af473cdc52ae7d981e5432e77afedca887372246afbbb16df7c72cc099ad12a59312e909ef36203c9678b2d987
+  data.tar.gz: 1ab527b1cad1a112b1ce43a3e2745faff13289dfa9dabcd15d7e0ca856cfec801b41112faa09ca312dd57537f3ac5a32d5882fb369d2bb0e262f8bd2bd20d8b4

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 0.2.4
+
+- Added support for Mongoid
+- Added `encrypt_io` and `decrypt_io` methods
+- Made it easier to rotate algorithms with master key
+- Fixed error with migrate and default scope
+- Fixed encryption with Active Storage 6 and `record.create!`
+
 ## 0.2.3
 
 - Added time type

data/README.md

@@ -46,6 +46,8 @@ Alternatively, you can use a [key management service](#key-management) to manage
 
 ## Database Fields
 
+### Active Record
+
 Create a migration with:
 
 ```ruby
@@ -72,7 +74,7 @@ User.create!(email: "hi@example.org")
 
 If you need to query encrypted fields, check out [Blind Index](https://github.com/ankane/blind_index).
 
-### Types
+#### Types
 
 Specify the type of a field with:
 
@@ -101,10 +103,30 @@ class User < ApplicationRecord
 end
 ```
 
-### Validations
+#### Validations
 
 Validations work as expected with the exception of uniqueness. Uniqueness validations require a [blind index](https://github.com/ankane/blind_index).
 
+### Mongoid
+
+Add to your model:
+
+```ruby
+class User
+  field :email_ciphertext, type: String
+
+  encrypts :email
+end
+```
+
+You can use `email` just like any other attribute.
+
+```ruby
+User.create!(email: "hi@example.org")
+```
+
+If you need to query encrypted fields, check out [Blind Index](https://github.com/ankane/blind_index).
+
 ## Files
 
 ### Active Storage
@@ -140,37 +162,58 @@ def license
 end
 ```
 
-**Note:** With Rails 6, attachments are not encrypted with:
+### CarrierWave
+
+Add to your uploader:
+
+```ruby
+class LicenseUploader < CarrierWave::Uploader::Base
+  encrypt
+end
+```
+
+Encryption is applied to all versions after processing.
+
+To serve encrypted files, use a controller action.
 
 ```ruby
-User.create!(avatar: params[:avatar])
+def license
+  send_data @user.license.read, type: @user.license.content_type
+end
 ```
 
-Until this is addressed, use:
+### Shrine
+
+Create a box
 
 ```ruby
-user = User.new
-user.attach(params[:avatar])
-user.save!
+box = Lockbox.new(key: key)
 ```
 
-### CarrierWave
+Encrypt files before passing them to Shrine
 
-Add to your uploader:
+```ruby
+LicenseUploader.upload(box.encrypt_io(file), :store)
+```
+
+And decrypt them after reading
 
 ```ruby
-class LicenseUploader < CarrierWave::Uploader::Base
-  encrypt
-end
+box.decrypt(uploaded_file.read)
 ```
 
-Encryption is applied to all versions after processing.
+For models, encrypt with:
+
+```ruby
+license = params.require(:user).fetch(:license)
+@user.license = box.encrypt_io(license)
+```
 
 To serve encrypted files, use a controller action.
 
 ```ruby
 def license
-  send_data @user.license.read, type: @user.license.content_type
+  send_data box.decrypt(@user.license.read), type: @user.license.mime_type
 end
 ```
 

data/lib/lockbox.rb

@@ -6,6 +6,8 @@ require "securerandom"
 require "lockbox/box"
 require "lockbox/encryptor"
 require "lockbox/key_generator"
+require "lockbox/io"
+require "lockbox/model"
 require "lockbox/utils"
 require "lockbox/version"
 
@@ -15,9 +17,12 @@ require "lockbox/railtie" if defined?(Rails)
 
 if defined?(ActiveSupport)
   ActiveSupport.on_load(:active_record) do
-    require "lockbox/model"
     extend Lockbox::Model
   end
+
+  ActiveSupport.on_load(:mongoid) do
+    Mongoid::Document::ClassMethods.include(Lockbox::Model)
+  end
 end
 
 class Lockbox
@@ -49,35 +54,47 @@ class Lockbox
       attributes = fields.map { |_, v| v[:encrypted_attribute] }
       attributes += blind_indexes.map { |_, v| v[:bidx_attribute] }
 
-      attributes.each_with_index do |attribute, i|
-        relation =
-          if i == 0
-            relation.where(attribute => nil)
-          else
-            relation.or(model.where(attribute => nil))
-          end
+      if defined?(ActiveRecord::Base) && model.is_a?(ActiveRecord::Base)
+        attributes.each_with_index do |attribute, i|
+          relation =
+            if i == 0
+              relation.where(attribute => nil)
+            else
+              relation.or(model.unscoped.where(attribute => nil))
+            end
+        end
       end
     end
 
-    # migrate
-    relation.find_each do |record|
-      fields.each do |k, v|
-        record.send("#{v[:attribute]}=", record.send(k)) if restart || !record.send(v[:encrypted_attribute])
+    if relation.respond_to?(:find_each)
+      relation.find_each do |record|
+        migrate_record(record, fields: fields, blind_indexes: blind_indexes, restart: restart)
       end
-      blind_indexes.each do |k, v|
-        record.send("compute_#{k}_bidx") if restart || !record.send(v[:bidx_attribute])
+    else
+      relation.all.each do |record|
+        migrate_record(record, fields: fields, blind_indexes: blind_indexes, restart: restart)
       end
-      record.save(validate: false) if record.changed?
     end
   end
 
+  # private
+  def self.migrate_record(record, fields:, blind_indexes:, restart:)
+    fields.each do |k, v|
+      record.send("#{v[:attribute]}=", record.send(k)) if restart || !record.send(v[:encrypted_attribute])
+    end
+    blind_indexes.each do |k, v|
+      record.send("compute_#{k}_bidx") if restart || !record.send(v[:bidx_attribute])
+    end
+    record.save(validate: false) if record.changed?
+  end
+
   def initialize(**options)
     options = self.class.default_options.merge(options)
     previous_versions = options.delete(:previous_versions)
 
     @boxes =
       [Box.new(options)] +
-      Array(previous_versions).map { |v| Box.new(v) }
+      Array(previous_versions).map { |v| Box.new({key: options[:key]}.merge(v)) }
   end
 
   def encrypt(message, **options)
@@ -112,6 +129,18 @@ class Lockbox
     end
   end
 
+  def encrypt_io(io, **options)
+    new_io = Lockbox::IO.new(encrypt(io.read, **options))
+    copy_metadata(io, new_io)
+    new_io
+  end
+
+  def decrypt_io(io, **options)
+    new_io = Lockbox::IO.new(decrypt(io.read, **options))
+    copy_metadata(io, new_io)
+    new_io
+  end
+
   def self.generate_key
     SecureRandom.hex(32)
   end
@@ -199,4 +228,14 @@ class Lockbox
     raise TypeError, "can't convert #{name} to string" unless str.respond_to?(:to_str)
     str.to_str
   end
+
+  def copy_metadata(source, target)
+    target.original_filename =
+      if source.respond_to?(:original_filename)
+        source.original_filename
+      elsif source.respond_to?(:path)
+        File.basename(source.path)
+      end
+    target.content_type = source.content_type if source.respond_to?(:content_type)
+  end
 end

data/lib/lockbox/active_storage_extensions.rb

@@ -10,35 +10,11 @@ class Lockbox
       def encrypted?
         # could use record_type directly
         # but record should already be loaded most of the time
-        !Utils.encrypted_options(record, name).nil?
+        Utils.encrypted?(record, name)
       end
 
       def encrypt_attachable(attachable)
-        options = Utils.encrypted_options(record, name)
-        box = Utils.build_box(record, options, record.class.table_name, name)
-
-        case attachable
-        when ActiveStorage::Blob
-          raise NotImplementedError, "Not supported"
-        when ActionDispatch::Http::UploadedFile, Rack::Test::UploadedFile
-          attachable = {
-            io: StringIO.new(box.encrypt(attachable.read)),
-            filename: attachable.original_filename,
-            content_type: attachable.content_type
-          }
-        when Hash
-          attachable = {
-            io: StringIO.new(box.encrypt(attachable[:io].read)),
-            filename: attachable[:filename],
-            content_type: attachable[:content_type]
-          }
-        when String
-          raise NotImplementedError, "Not supported"
-        else
-          nil
-        end
-
-        attachable
+        Utils.encrypt_attachable(record, name, attachable)
       end
 
       def rebuild_attachable(attachment)
@@ -51,9 +27,11 @@ class Lockbox
     end
 
     module AttachedOne
-      def attach(attachable)
-        attachable = encrypt_attachable(attachable) if encrypted?
-        super(attachable)
+      if ActiveStorage::VERSION::MAJOR < 6
+        def attach(attachable)
+          attachable = encrypt_attachable(attachable) if encrypted?
+          super(attachable)
+        end
       end
 
       def rotate_encryption!
@@ -66,15 +44,17 @@ class Lockbox
     end
 
     module AttachedMany
-      def attach(*attachables)
-        if encrypted?
-          attachables =
-            attachables.flatten.collect do |attachable|
-              encrypt_attachable(attachable)
-            end
-        end
+      if ActiveStorage::VERSION::MAJOR < 6
+        def attach(*attachables)
+          if encrypted?
+            attachables =
+              attachables.flatten.collect do |attachable|
+                encrypt_attachable(attachable)
+              end
+          end
 
-        super(attachables)
+          super(attachables)
+        end
       end
 
       def rotate_encryption!
@@ -99,6 +79,14 @@ class Lockbox
       end
     end
 
+    module CreateOne
+      def initialize(name, record, attachable)
+        # this won't encrypt existing blobs
+        attachable = Lockbox::Utils.encrypt_attachable(record, name, attachable) if Lockbox::Utils.encrypted?(record, name) && !attachable.is_a?(ActiveStorage::Blob)
+        super(name, record, attachable)
+      end
+    end
+
     module Attachment
       extend ActiveSupport::Concern
 

data/lib/lockbox/carrier_wave_extensions.rb

@@ -1,15 +1,11 @@
 class Lockbox
   module CarrierWaveExtensions
-    class FileIO < StringIO
-      attr_accessor :original_filename
-    end
-
     def encrypt(**options)
       class_eval do
         before :cache, :encrypt
 
         def encrypt(file)
-          @file = CarrierWave::SanitizedFile.new(StringIO.new(lockbox.encrypt(file.read)))
+          @file = CarrierWave::SanitizedFile.new(lockbox.encrypt_io(file))
         end
 
         def read
@@ -22,7 +18,7 @@ class Lockbox
         end
 
         def rotate_encryption!
-          io = FileIO.new(read)
+          io = Lockbox::IO.new(read)
           io.original_filename = file.filename
           previous_value = enable_processing
           begin

data/lib/lockbox/io.rb

@@ -0,0 +1,5 @@
+class Lockbox
+  class IO < StringIO
+    attr_accessor :original_filename, :content_type
+  end
+end

data/lib/lockbox/model.rb

@@ -107,7 +107,7 @@ class Lockbox
             def serializable_hash(options = nil)
               options = options.try(:dup) || {}
               options[:except] = Array(options[:except])
-              options[:except] += self.class.lockbox_attributes.values.reject { |v| v[:attached] }.flat_map { |v| [v[:attribute], v[:encrypted_attribute]] }
+              options[:except] += self.class.lockbox_attributes.values.flat_map { |v| [v[:attribute], v[:encrypted_attribute]] }
               super(options)
             end
 
@@ -127,9 +127,21 @@ class Lockbox
               self.class.lockbox_attributes.each do |_, lockbox_attribute|
                 attribute = lockbox_attribute[:attribute]
 
-                if changes.include?(attribute) && self.class.attribute_types[attribute].is_a?(ActiveRecord::Type::Serialized)
-                  send("#{attribute}=", send(attribute))
+                if changes.include?(attribute)
+                  type = (self.class.try(:attribute_types) || {})[attribute]
+                  if type && type.is_a?(ActiveRecord::Type::Serialized)
+                    send("#{attribute}=", send(attribute))
+                  end
+                end
+              end
+            end
+
+            if defined?(Mongoid::Document) && included_modules.include?(Mongoid::Document)
+              def reload
+                self.class.lockbox_attributes.each do |_, v|
+                  instance_variable_set("@#{v[:attribute]}", nil)
                 end
+                super
               end
             end
           end
@@ -137,7 +149,36 @@ class Lockbox
           serialize name, JSON if options[:type] == :json
           serialize name, Hash if options[:type] == :hash
 
-          attribute name, attribute_type
+          if respond_to?(:attribute)
+            attribute name, attribute_type
+          else
+            m = Module.new do
+              define_method("#{name}=") do |val|
+                prev_val = instance_variable_get("@#{name}")
+
+                unless val == prev_val
+                  # custom attribute_will_change! method
+                  unless changed_attributes.key?(name.to_s)
+                    changed_attributes[name.to_s] = prev_val.__deep_copy__
+                  end
+                end
+
+                instance_variable_set("@#{name}", val)
+              end
+
+              define_method(name) do
+                instance_variable_get("@#{name}")
+              end
+            end
+
+            include m
+
+            alias_method "#{name}_changed?", "#{encrypted_attribute}_changed?"
+
+            define_method "#{name}_was" do
+              attribute_was(name.to_s)
+            end
+          end
 
           define_method("#{name}=") do |message|
             original_message = message
@@ -174,8 +215,8 @@ class Lockbox
                 # do nothing
                 # encrypt will convert to binary
               else
-                type = self.class.attribute_types[name.to_s]
-                if type.is_a?(ActiveRecord::Type::Serialized)
+                type = (self.class.try(:attribute_types) || {})[name.to_s]
+                if type && type.is_a?(ActiveRecord::Type::Serialized)
                   message = type.serialize(message)
                 end
               end
@@ -195,6 +236,7 @@ class Lockbox
               else
                 self.class.send(class_method_name, message, context: self)
               end
+
             send("#{encrypted_attribute}=", ciphertext)
 
             super(original_message)
@@ -210,7 +252,8 @@ class Lockbox
                   ciphertext
                 else
                   ciphertext = Base64.decode64(ciphertext) if encode
-                  Lockbox::Utils.build_box(self, options, self.class.table_name, encrypted_attribute).decrypt(ciphertext)
+                  table = self.class.respond_to?(:table_name) ? self.class.table_name : self.class.collection_name.to_s
+                  Lockbox::Utils.build_box(self, options, table, encrypted_attribute).decrypt(ciphertext)
                 end
 
               unless message.nil?
@@ -233,8 +276,8 @@ class Lockbox
                   # do nothing
                   # decrypt returns binary string
                 else
-                  type = self.class.attribute_types[name.to_s]
-                  if type.is_a?(ActiveRecord::Type::Serialized)
+                  type = (self.class.try(:attribute_types) || {})[name.to_s]
+                  if type && type.is_a?(ActiveRecord::Type::Serialized)
                     message = type.deserialize(message)
                   else
                     # default to string if not serialized
@@ -244,13 +287,15 @@ class Lockbox
               end
 
               # set previous attribute on first decrypt
-              @attributes[name.to_s].instance_variable_set("@value_before_type_cast", message)
+              @attributes[name.to_s].instance_variable_set("@value_before_type_cast", message) if @attributes[name.to_s]
 
               # cache
               if respond_to?(:_write_attribute, true)
                 _write_attribute(name, message)
-              else
+              elsif respond_to?(:raw_write_attribute)
                 raw_write_attribute(name, message)
+              else
+                instance_variable_set("@#{name}", message)
               end
             end
 
@@ -259,7 +304,8 @@ class Lockbox
 
           # for fixtures
           define_singleton_method class_method_name do |message, **opts|
-            ciphertext = Lockbox::Utils.build_box(opts[:context], options, table_name, encrypted_attribute).encrypt(message)
+            table = respond_to?(:table_name) ? table_name : collection_name.to_s
+            ciphertext = Lockbox::Utils.build_box(opts[:context], options, table, encrypted_attribute).encrypt(message)
             ciphertext = Base64.strict_encode64(ciphertext) if encode
             ciphertext
           end

data/lib/lockbox/railtie.rb

@@ -6,6 +6,9 @@ class Lockbox
       if defined?(ActiveStorage)
         require "lockbox/active_storage_extensions"
         ActiveStorage::Attached.prepend(Lockbox::ActiveStorageExtensions::Attached)
+        if ActiveStorage::VERSION::MAJOR >= 6
+          ActiveStorage::Attached::Changes::CreateOne.prepend(Lockbox::ActiveStorageExtensions::CreateOne)
+        end
         ActiveStorage::Attached::One.prepend(Lockbox::ActiveStorageExtensions::AttachedOne)
         ActiveStorage::Attached::Many.prepend(Lockbox::ActiveStorageExtensions::AttachedMany)
       end

data/lib/lockbox/utils.rb

@@ -27,5 +27,37 @@ class Lockbox
       end
       key
     end
+
+    def self.encrypted?(record, name)
+      !encrypted_options(record, name).nil?
+    end
+
+    def self.encrypt_attachable(record, name, attachable)
+      options = encrypted_options(record, name)
+      box = build_box(record, options, record.class.table_name, name)
+
+      case attachable
+      when ActiveStorage::Blob
+        raise NotImplementedError, "Not supported"
+      when ActionDispatch::Http::UploadedFile, Rack::Test::UploadedFile
+        attachable = {
+          io: StringIO.new(box.encrypt(attachable.read)),
+          filename: attachable.original_filename,
+          content_type: attachable.content_type
+        }
+      when Hash
+        attachable = {
+          io: StringIO.new(box.encrypt(attachable[:io].read)),
+          filename: attachable[:filename],
+          content_type: attachable[:content_type]
+        }
+      when String
+        raise NotImplementedError, "Not supported"
+      else
+        nil
+      end
+
+      attachable
+    end
   end
 end

data/lib/lockbox/version.rb

@@ -1,3 +1,3 @@
 class Lockbox
-  VERSION = "0.2.3"
+  VERSION = "0.2.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lockbox
 version: !ruby/object:Gem::Version
-  version: 0.2.3
+  version: 0.2.4
 platform: ruby
 authors:
 - Andrew Kane
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-07-31 00:00:00.000000000 Z
+date: 2019-08-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -164,6 +164,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: mongoid
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: 
 email: andrew@chartkick.com
 executables: []
@@ -179,6 +193,7 @@ files:
 - lib/lockbox/box.rb
 - lib/lockbox/carrier_wave_extensions.rb
 - lib/lockbox/encryptor.rb
+- lib/lockbox/io.rb
 - lib/lockbox/key_generator.rb
 - lib/lockbox/model.rb
 - lib/lockbox/railtie.rb