lockbox 0.3.7 → 0.4.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 72291291d3b8ac532d4c309bde141febf41d40b5228ce4d4b2541248702fe08d
-  data.tar.gz: d184e486e64cf5f0ecc882cf453fa76b18ce69b03f34d93335da7b1f70c12a01
+  metadata.gz: 6b1676e34ca9367ec4cfd3c655d263d23082243196abe8f0a174318383f7d4b1
+  data.tar.gz: cdda6ac4e9dccc4ab48a67e3628212fdde369a99639cc93e569d0d623f5ab8f3
 SHA512:
-  metadata.gz: 4badf3561effc1d381ae5ddfcdd3ce64a5bfb70e586c140df4795a392d36e5440a3d3930921f14732b349c2f93246a6f4ddfbe62ef508c2a2ad503b5f52d28f8
-  data.tar.gz: 12e48eab11c6f1aefc7a1ea8656e8d1e0cdceebe54147e573e1beb13f635149d99a5bfea0402595a8a6d53403bb498b2f404bb3a70a684908bc87decbd39c365
+  metadata.gz: 9e747bb720312daedcb2db5458d919cb50e554b03ee04d219a3b1c2f40ca917815a066dfd767b075046f29e387d5d48a734c193a3a2c48927b5abf6e0daaa099
+  data.tar.gz: 2a456f05d61ecc75dfdc76aca15df194b58f91d701a28d12d3b27cc40f93f301244e4f60d506f7deae7a1b6a53afab087205aaced37a54af75f81810934ed8af

data/CHANGELOG.md

@@ -1,3 +1,29 @@
+## 0.4.4 (2020-06-23)
+
+- Added support for `pluck`
+
+## 0.4.3 (2020-05-26)
+
+- Improved error message for bad key length
+- Fixed missing attribute error
+
+## 0.4.2 (2020-05-11)
+
+- Added experimental support for migrating Active Storage files
+- Fixed `metadata` support for Active Storage
+
+## 0.4.1 (2020-05-08)
+
+- Added support for Action Text
+- Added warning if unencrypted column exists and not migrating
+
+## 0.4.0 (2020-05-03)
+
+- Load encrypted attributes when `attributes` called
+- Added support for migrating and rotating relations
+- Removed deprecated `attached_encrypted` method
+- Removed legacy `attr_encrypted` encryptor
+
 ## 0.3.7 (2020-04-20)
 
 - Added Active Support notifications for Active Storage and Carrierwave

data/README.md

@@ -47,6 +47,7 @@ Then follow the instructions below for the data you want to encrypt.
 #### Database Fields
 
 - [Active Record](#active-record)
+- [Action Text](#action-text)
 - [Mongoid](#mongoid)
 
 #### Files
@@ -150,7 +151,9 @@ Be sure to include the `inspect` at the end or it won’t be encoded properly in
 
 #### Migrating Existing Data
 
-Lockbox makes it easy to encrypt an existing column. Add a new column for the ciphertext, then add to your model:
+Lockbox makes it easy to encrypt an existing column without downtime.
+
+Add a new column for the ciphertext, then add to your model:
 
 ```ruby
 class User < ApplicationRecord
@@ -185,6 +188,38 @@ class User < ApplicationRecord
 end
 ```
 
+## Action Text
+
+Create a migration with:
+
+```ruby
+class AddBodyCiphertextToRichTexts < ActiveRecord::Migration[6.0]
+  def change
+    add_column :action_text_rich_texts, :body_ciphertext, :text
+  end
+end
+```
+
+Create `config/initializers/lockbox.rb` with:
+
+```ruby
+Lockbox.encrypts_action_text_body(migrating: true)
+```
+
+Migrate existing data:
+
+```ruby
+Lockbox.migrate(ActionText::RichText)
+```
+
+Update the initializer:
+
+```ruby
+Lockbox.encrypts_action_text_body
+```
+
+And drop the unencrypted column.
+
 ## Mongoid
 
 Add to your model:
@@ -205,6 +240,8 @@ User.create!(email: "hi@example.org")
 
 If you need to query encrypted fields, check out [Blind Index](https://github.com/ankane/blind_index).
 
+You can [migrate existing data](#migrating-existing-data) similarly to Active Record.
+
 ## Active Storage
 
 Add to your model:
@@ -239,6 +276,34 @@ def license
 end
 ```
 
+#### Migrating Existing Files [experimental]
+
+**Note:** This feature is experimental. Please try it in a non-production environment and [share](https://github.com/ankane/lockbox/issues/44) how it goes.
+
+Lockbox makes it easy to encrypt existing files without downtime.
+
+Add to your model:
+
+```ruby
+class User < ApplicationRecord
+  encrypts_attached :license, migrating: true
+end
+```
+
+Migrate existing files:
+
+```ruby
+Lockbox.migrate(User)
+```
+
+Then update the model to the desired state:
+
+```ruby
+class User < ApplicationRecord
+  encrypts_attached :license
+end
+```
+
 ## CarrierWave
 
 Add to your uploader:
@@ -278,6 +343,51 @@ def license
 end
 ```
 
+#### Migrating Existing Files
+
+Encrypt existing files without downtime. Create a new encrypted uploader:
+
+```ruby
+class LicenseV2Uploader < CarrierWave::Uploader::Base
+  encrypt key: Lockbox.attribute_key(table: "users", attribute: "license")
+end
+```
+
+Add a new column for the uploader, then add to your model:
+
+```ruby
+class User < ApplicationRecord
+  mount_uploader :license_v2, LicenseV2Uploader
+
+  before_save :migrate_license, if: :license_changed?
+
+  def migrate_license
+    self.license_v2 = license
+  end
+end
+```
+
+Migrate existing files:
+
+```ruby
+User.find_each do |user|
+  if user.license? && !user.license_v2?
+    user.migrate_license
+    user.save!
+  end
+end
+```
+
+Then update the model to the desired state:
+
+```ruby
+class User < ApplicationRecord
+  mount_uploader :license, LicenseV2Uploader, mount_on: :license_v2
+end
+```
+
+Finally, delete the unencrypted files and drop the column for the original uploader. You can also remove the `key` option from the uploader.
+
 ## Shrine
 
 Generate a key
@@ -378,7 +488,7 @@ Use `decrypt_str` get the value as UTF-8
 
 To make key rotation easy, you can pass previous versions of keys that can decrypt.
 
-### Active Record
+### Active Record & Mongoid
 
 Update your model:
 
@@ -398,26 +508,6 @@ Lockbox.rotate(User, attributes: [:email])
 
 Once all records are rotated, you can remove `previous_versions` from the model.
 
-### Mongoid
-
-Update your model:
-
-```ruby
-class User
-  encrypts :email, previous_versions: [{key: previous_key}]
-end
-```
-
-Use `master_key` instead of `key` if passing the master key.
-
-To rotate existing records, use:
-
-```ruby
-Lockbox.rotate(User, attributes: [:email])
-```
-
-Once all records are rotated, you can remove `previous_versions` from the model.
-
 ### Active Storage
 
 Update your model:
@@ -433,7 +523,7 @@ Use `master_key` instead of `key` if passing the master key.
 To rotate existing files, use:
 
 ```ruby
-User.find_each do |user|
+User.with_attached_license.find_each do |user|
   user.license.rotate_encryption!
 end
 ```
@@ -462,9 +552,9 @@ end
 
 Once all files are rotated, you can remove `previous_versions` from the model.
 
-### Strings
+### Local Files & Strings
 
-For strings, use:
+For local files and strings, use:
 
 ```ruby
 Lockbox.new(key: key, previous_versions: [{key: previous_key}])
@@ -557,7 +647,7 @@ Heroku [comes with libsodium](https://devcenter.heroku.com/articles/stack-packag
 
 ##### Ubuntu
 
-For Ubuntu 18.04, use:
+For Ubuntu 20.04 and 18.04, use:
 
 ```sh
 sudo apt-get install libsodium23
@@ -875,3 +965,5 @@ cd lockbox
 bundle install
 bundle exec rake test
 ```
+
+For security issues, send an email to the address on [this page](https://github.com/ankane).

data/SECURITY.md

@@ -0,0 +1,3 @@
+# Security Policy
+
+For security issues, send an email to the address on [this page](https://github.com/ankane).

data/lib/lockbox.rb

@@ -5,6 +5,7 @@ require "securerandom"
 
 # modules
 require "lockbox/box"
+require "lockbox/calculations"
 require "lockbox/encryptor"
 require "lockbox/key_generator"
 require "lockbox/io"
@@ -25,12 +26,11 @@ if defined?(ActiveSupport)
   ActiveSupport.on_load(:active_record) do
     extend Lockbox::Model
     extend Lockbox::Model::Attached
+    ActiveRecord::Calculations.prepend Lockbox::Calculations
   end
 
   ActiveSupport.on_load(:mongoid) do
     Mongoid::Document::ClassMethods.include(Lockbox::Model)
-    # TODO remove in 0.4.0
-    Mongoid::Document::ClassMethods.include(Lockbox::Model::Attached)
   end
 end
 
@@ -95,4 +95,10 @@ module Lockbox
   def self.new(**options)
     Encryptor.new(**options)
   end
+
+  def self.encrypts_action_text_body(**options)
+    ActiveSupport.on_load(:action_text_rich_text) do
+      ActionText::RichText.encrypts :body, **options
+    end
+  end
 end

data/lib/lockbox/active_storage_extensions.rb

@@ -16,14 +16,6 @@ module Lockbox
       def encrypt_attachable(attachable)
         Utils.encrypt_attachable(record, name, attachable)
       end
-
-      def rebuild_attachable(attachment)
-        {
-          io: StringIO.new(attachment.download),
-          filename: attachment.filename,
-          content_type: attachment.content_type
-        }
-      end
     end
 
     module AttachedOne
@@ -37,7 +29,7 @@ module Lockbox
       def rotate_encryption!
         raise "Not encrypted" unless encrypted?
 
-        attach(rebuild_attachable(self)) if attached?
+        attach(Utils.rebuild_attachable(self)) if attached?
 
         true
       end
@@ -65,7 +57,7 @@ module Lockbox
 
         attachables =
           previous_attachments.map do |attachment|
-            rebuild_attachable(attachment)
+            Utils.rebuild_attachable(attachment)
           end
 
         ActiveStorage::Attachment.transaction do
@@ -88,13 +80,15 @@ module Lockbox
     end
 
     module Attachment
-      extend ActiveSupport::Concern
-
       def download
         result = super
 
         options = Utils.encrypted_options(record, name)
-        if options
+        # only trust the metadata when migrating
+        # as earlier versions of Lockbox won't have it
+        # and it's not a good practice to trust modifiable data
+        encrypted = options && (!options[:migrating] || blob.metadata["encrypted"])
+        if encrypted
           result = Utils.decrypt_result(record, name, options, result)
         end
 
@@ -105,7 +99,11 @@ module Lockbox
         def open(**options)
           blob.open(**options) do |file|
             options = Utils.encrypted_options(record, name)
-            if options
+            # only trust the metadata when migrating
+            # as earlier versions of Lockbox won't have it
+            # and it's not a good practice to trust modifiable data
+            encrypted = options && (!options[:migrating] || blob.metadata["encrypted"])
+            if encrypted
               result = Utils.decrypt_result(record, name, options, file.read)
               file.rewind
               # truncate may not be available on all platforms
@@ -120,16 +118,6 @@ module Lockbox
           end
         end
       end
-
-      def mark_analyzed
-        if Utils.encrypted_options(record, name)
-          blob.update!(metadata: blob.metadata.merge(analyzed: true))
-        end
-      end
-
-      included do
-        after_save :mark_analyzed
-      end
     end
 
     module Blob

data/lib/lockbox/calculations.rb

@@ -0,0 +1,36 @@
+module Lockbox
+  module Calculations
+    def pluck(*column_names)
+      return super unless model.respond_to?(:lockbox_attributes)
+
+      lockbox_columns = column_names.map.with_index { |c, i| [model.lockbox_attributes[c.to_sym], i] }.select(&:first)
+      return super unless lockbox_columns.any?
+
+      # replace column with ciphertext column
+      lockbox_columns.each do |la, i|
+        column_names[i] = la[:encrypted_attribute]
+      end
+
+      # pluck
+      result = super(*column_names)
+
+      # decrypt result
+      # handle pluck to single columns and multiple
+      #
+      # we can't pass context to decrypt method
+      # so this won't work if any options are a symbol or proc
+      if column_names.size == 1
+        la = lockbox_columns.first.first
+        result.map! { |v| model.send("decrypt_#{la[:encrypted_attribute]}", v) }
+      else
+        lockbox_columns.each do |la, i|
+          result.each do |v|
+            v[i] = model.send("decrypt_#{la[:encrypted_attribute]}", v[i])
+          end
+        end
+      end
+
+      result
+    end
+  end
+end

data/lib/lockbox/carrier_wave_extensions.rb

@@ -5,13 +5,13 @@ module Lockbox
         before :cache, :encrypt
 
         def encrypt(file)
-          @file = CarrierWave::SanitizedFile.new(with_notification("encrypt_file") { lockbox.encrypt_io(file) })
+          @file = CarrierWave::SanitizedFile.new(lockbox_notify("encrypt_file") { lockbox.encrypt_io(file) })
         end
 
         # TODO safe to memoize?
         def read
           r = super
-          with_notification("decrypt_file") { lockbox.decrypt(r) } if r
+          lockbox_notify("decrypt_file") { lockbox.decrypt(r) } if r
         end
 
         def size
@@ -58,7 +58,7 @@ module Lockbox
           end
         end
 
-        def with_notification(type)
+        def lockbox_notify(type)
           if defined?(ActiveSupport::Notifications)
             name = lockbox_name
 

data/lib/lockbox/encryptor.rb

@@ -82,25 +82,5 @@ module Lockbox
       target.content_type = source.content_type if source.respond_to?(:content_type)
       target.set_encoding(source.external_encoding) if source.respond_to?(:external_encoding)
     end
-
-    # TODO remove in 0.4.0
-    # legacy for attr_encrypted
-    def self.encrypt(options)
-      box(options).encrypt(options[:value])
-    end
-
-    # TODO remove in 0.4.0
-    # legacy for attr_encrypted
-    def self.decrypt(options)
-      box(options).decrypt(options[:value])
-    end
-
-    # TODO remove in 0.4.0
-    # legacy for attr_encrypted
-    def self.box(options)
-      options = options.slice(:key, :encryption_key, :decryption_key, :algorithm, :previous_versions)
-      options[:algorithm] = "aes-gcm" if options[:algorithm] == "aes-256-gcm"
-      Lockbox.new(options)
-    end
   end
 end

data/lib/lockbox/key_generator.rb

@@ -11,7 +11,7 @@ module Lockbox
       raise ArgumentError, "Missing attribute for key generation" if attribute.to_s.empty?
 
       c = "\xB4"*32
-      hkdf(Lockbox::Utils.decode_key(@master_key), salt: table.to_s, info: "#{c}#{attribute}", length: 32, hash: "sha384")
+      hkdf(Lockbox::Utils.decode_key(@master_key, name: "Master key"), salt: table.to_s, info: "#{c}#{attribute}", length: 32, hash: "sha384")
     end
 
     private

data/lib/lockbox/migrator.rb

@@ -24,29 +24,49 @@ module Lockbox
 
     # TODO add attributes option
     def migrate(restart:)
-      fields = model.lockbox_attributes.select { |k, v| v[:migrating] }
+      fields = model.respond_to?(:lockbox_attributes) ? model.lockbox_attributes.select { |k, v| v[:migrating] } : {}
 
       # need blind indexes for building relation
       blind_indexes = model.respond_to?(:blind_indexes) ? model.blind_indexes.select { |k, v| v[:migrating] } : {}
 
-      perform(fields: fields, blind_indexes: blind_indexes, restart: restart)
+      attachments = model.respond_to?(:lockbox_attachments) ? model.lockbox_attachments.select { |k, v| v[:migrating] } : {}
+
+      perform(fields: fields, blind_indexes: blind_indexes, restart: restart) if fields.any? || blind_indexes.any?
+      perform_attachments(attachments: attachments, restart: restart) if attachments.any?
     end
 
     private
 
-    def perform(fields:, blind_indexes: [], restart: true, rotate: false)
-      relation = @relation
+    def perform_attachments(attachments:, restart:)
+      relation = base_relation
 
-      # unscope if passed a model
-      unless ar_relation?(relation) || mongoid_relation?(relation)
-        relation = relation.unscoped
-      else
-        # TODO remove in 0.4.0
-        relation = relation.unscoped
+      # eager load attachments
+      attachments.each_key do |k|
+        relation = relation.send("with_attached_#{k}")
       end
 
-      # convert from possible class to ActiveRecord::Relation or Mongoid::Criteria
-      relation = relation.all
+      each_batch(relation) do |records|
+        records.each do |record|
+          attachments.each_key do |k|
+            attachment = record.send(k)
+            if attachment.attached?
+              if attachment.is_a?(ActiveStorage::Attached::One)
+                unless attachment.metadata["encrypted"]
+                  attachment.rotate_encryption!
+                end
+              else
+                unless attachment.all? { |a| a.metadata["encrypted"] }
+                  attachment.rotate_encryption!
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+
+    def perform(fields:, blind_indexes: [], restart: true, rotate: false)
+      relation = base_relation
 
       unless restart
         attributes = fields.map { |_, v| v[:encrypted_attribute] }
@@ -141,6 +161,18 @@ module Lockbox
       end
     end
 
+    def base_relation
+      relation = @relation
+
+      # unscope if passed a model
+      unless ar_relation?(relation) || mongoid_relation?(relation)
+        relation = relation.unscoped
+      end
+
+      # convert from possible class to ActiveRecord::Relation or Mongoid::Criteria
+      relation.all
+    end
+
     def ar_relation?(relation)
       defined?(ActiveRecord::Relation) && relation.is_a?(ActiveRecord::Relation)
     end

data/lib/lockbox/model.rb

@@ -81,6 +81,20 @@ module Lockbox
             end
 
             if activerecord
+              # TODO wrap in module?
+              def attributes
+                # load attributes
+                # essentially a no-op if already loaded
+                # an exception is thrown if decryption fails
+                self.class.lockbox_attributes.each do |_, lockbox_attribute|
+                  # it is possible that the encrypted attribute is not loaded, eg.
+                  # if the record was fetched partially (`User.select(:id).first`).
+                  # accessing a not loaded attribute raises an `ActiveModel::MissingAttributeError`.
+                  send(lockbox_attribute[:attribute]) if has_attribute?(lockbox_attribute[:encrypted_attribute])
+                end
+                super
+              end
+
               # needed for in-place modifications
               # assigned attributes are encrypted on assignment
               # and then again here
@@ -212,6 +226,20 @@ module Lockbox
 
             send("lockbox_direct_#{name}=", message)
 
+            # warn every time, as this should be addressed
+            # maybe throw an error in the future
+            if !options[:migrating]
+              if activerecord
+                if self.class.columns_hash.key?(name.to_s)
+                  warn "[lockbox] WARNING: Unencrypted column with same name: #{name}. Set `ignored_columns` or remove it to protect the data."
+                end
+              else
+                if self.class.fields.key?(name.to_s)
+                  warn "[lockbox] WARNING: Unencrypted field with same name: #{name}. Remove it to protect the data."
+                end
+              end
+            end
+
             super(message)
           end
 
@@ -242,7 +270,7 @@ module Lockbox
                 # cache
                 # decrypt method does type casting
                 if respond_to?(:write_attribute_without_type_cast, true)
-                  write_attribute_without_type_cast(name, message) if !@attributes.frozen?
+                  write_attribute_without_type_cast(name.to_s, message) if !@attributes.frozen?
                 else
                   raw_write_attribute(name, message) if !@attributes.frozen?
                 end
@@ -259,7 +287,7 @@ module Lockbox
             table = activerecord ? table_name : collection_name.to_s
 
             unless message.nil?
-              # TODO use attribute type class in 0.4.0
+              # TODO use attribute type class in 0.5.0
               case options[:type]
               when :boolean
                 message = ActiveRecord::Type::Boolean.new.serialize(message)
@@ -313,7 +341,7 @@ module Lockbox
               end
 
             unless message.nil?
-              # TODO use attribute type class in 0.4.0
+              # TODO use attribute type class in 0.5.0
               case options[:type]
               when :boolean
                 message = message == "t"
@@ -391,12 +419,6 @@ module Lockbox
           end
         end
       end
-
-      # TODO remove in future version
-      def attached_encrypted(attribute, **options)
-        warn "[lockbox] DEPRECATION WARNING: Use encrypts_attached instead"
-        encrypts_attached(attribute, **options)
-      end
     end
   end
 end

data/lib/lockbox/railtie.rb

@@ -5,18 +5,27 @@ module Lockbox
 
       if defined?(ActiveStorage)
         require "lockbox/active_storage_extensions"
+
         ActiveStorage::Attached.prepend(Lockbox::ActiveStorageExtensions::Attached)
         if ActiveStorage::VERSION::MAJOR >= 6
           ActiveStorage::Attached::Changes::CreateOne.prepend(Lockbox::ActiveStorageExtensions::CreateOne)
         end
         ActiveStorage::Attached::One.prepend(Lockbox::ActiveStorageExtensions::AttachedOne)
         ActiveStorage::Attached::Many.prepend(Lockbox::ActiveStorageExtensions::AttachedMany)
-      end
 
-      app.config.to_prepare do
-        if defined?(ActiveStorage)
-          ActiveStorage::Attachment.include(Lockbox::ActiveStorageExtensions::Attachment)
-          ActiveStorage::Blob.prepend(Lockbox::ActiveStorageExtensions::Blob)
+        # use load hooks when possible
+        if ActiveStorage::VERSION::MAJOR >= 6
+          ActiveSupport.on_load(:active_storage_attachment) do
+            include Lockbox::ActiveStorageExtensions::Attachment
+          end
+          ActiveSupport.on_load(:active_storage_blob) do
+            prepend Lockbox::ActiveStorageExtensions::Blob
+          end
+        else
+          app.config.to_prepare do
+            ActiveStorage::Attachment.include(Lockbox::ActiveStorageExtensions::Attachment)
+            ActiveStorage::Blob.prepend(Lockbox::ActiveStorageExtensions::Blob)
+          end
         end
       end
     end

data/lib/lockbox/utils.rb

@@ -4,9 +4,13 @@ module Lockbox
       options = options.except(:attribute, :encrypted_attribute, :migrating, :attached, :type)
       options[:encode] = false unless options.key?(:encode)
       options.each do |k, v|
-        if v.is_a?(Proc)
-          options[k] = context.instance_exec(&v) if v.respond_to?(:call)
+        if v.respond_to?(:call)
+          # context not present for pluck
+          # still possible to use if not dependent on context
+          options[k] = context ? context.instance_exec(&v) : v.call
         elsif v.is_a?(Symbol)
+          # context not present for pluck
+          raise Error, "Not available since :#{k} depends on record" unless context
           options[k] = context.send(v)
         end
       end
@@ -31,13 +35,13 @@ module Lockbox
       record.class.respond_to?(:lockbox_attachments) ? record.class.lockbox_attachments[name.to_sym] : nil
     end
 
-    def self.decode_key(key, size: 32)
+    def self.decode_key(key, size: 32, name: "Key")
       if key.encoding != Encoding::BINARY && key =~ /\A[0-9a-f]{#{size * 2}}\z/i
         key = [key].pack("H*")
       end
 
-      raise Lockbox::Error, "Key must use binary encoding" if key.encoding != Encoding::BINARY
-      raise Lockbox::Error, "Key must be 32 bytes" if key.bytesize != size
+      raise Lockbox::Error, "#{name} must be 32 bytes (64 hex digits)" if key.bytesize != size
+      raise Lockbox::Error, "#{name} must use binary encoding" if key.encoding != Encoding::BINARY
 
       key
     end
@@ -63,14 +67,17 @@ module Lockbox
           }
         when Hash
           io = attachable[:io]
-          attachable = {
-            io: box.encrypt_io(io),
-            filename: attachable[:filename],
-            content_type: attachable[:content_type]
-          }
+          attachable = attachable.dup
+          attachable[:io] = box.encrypt_io(io)
         else
-          raise NotImplementedError, "Not supported"
+          # TODO raise ArgumentError
+          raise NotImplementedError, "Could not find or build blob: expected attachable, got #{attachable.inspect}"
         end
+
+        # don't analyze encrypted data
+        metadata = {"analyzed" => true}
+        metadata["encrypted"] = true if options[:migrating]
+        attachable[:metadata] = (attachable[:metadata] || {}).merge(metadata)
       end
 
       # set content type based on unencrypted data
@@ -85,5 +92,13 @@ module Lockbox
         Utils.build_box(record, options, record.class.table_name, name).decrypt(result)
       end
     end
+
+    def self.rebuild_attachable(attachment)
+      {
+        io: StringIO.new(attachment.download),
+        filename: attachment.filename,
+        content_type: attachment.content_type
+      }
+    end
   end
 end

data/lib/lockbox/version.rb

@@ -1,3 +1,3 @@
 module Lockbox
-  VERSION = "0.3.7"
+  VERSION = "0.4.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lockbox
 version: !ruby/object:Gem::Version
-  version: 0.3.7
+  version: 0.4.4
 platform: ruby
 authors:
 - Andrew Kane
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-20 00:00:00.000000000 Z
+date: 2020-06-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -173,6 +173,7 @@ files:
 - CHANGELOG.md
 - LICENSE.txt
 - README.md
+- SECURITY.md
 - lib/generators/lockbox/audits_generator.rb
 - lib/generators/lockbox/templates/migration.rb.tt
 - lib/generators/lockbox/templates/model.rb.tt
@@ -180,6 +181,7 @@ files:
 - lib/lockbox/active_storage_extensions.rb
 - lib/lockbox/aes_gcm.rb
 - lib/lockbox/box.rb
+- lib/lockbox/calculations.rb
 - lib/lockbox/carrier_wave_extensions.rb
 - lib/lockbox/encryptor.rb
 - lib/lockbox/io.rb