lockbox 0.4.1 → 0.4.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/README.md +78 -3
- data/lib/lockbox.rb +0 -1
- data/lib/lockbox/active_storage_extensions.rb +12 -24
- data/lib/lockbox/migrator.rb +44 -9
- data/lib/lockbox/railtie.rb +14 -5
- data/lib/lockbox/utils.rb +17 -6
- data/lib/lockbox/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: cb4f05b7519d563c465c963893ded5f21063f666bdb41d4bfc69f23ea6b82374
|
4
|
+
data.tar.gz: 0f13b613b16b15ca6514de06fc57ec62d98b94a06a01eb6d8e77fdce9d23343b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: bdb2f4cbf5977bd1e40c9055c6e166c819b8e13ccbdd2d870c80ee907608205f72f65faa9fe56e882fcf9eab155b506537f29bd7593c3fcf31e3a0f94740e0ec
|
7
|
+
data.tar.gz: ef966eff17c633ee5b590742c33a107bd58da4d262fbaf1bea458c2e5146dc16993f75b6d783118f3ff7f7fd827913423c71558bf1e8d60df66e3de35627e1a1
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
@@ -151,7 +151,9 @@ Be sure to include the `inspect` at the end or it won’t be encoded properly in
|
|
151
151
|
|
152
152
|
#### Migrating Existing Data
|
153
153
|
|
154
|
-
Lockbox makes it easy to encrypt an existing column
|
154
|
+
Lockbox makes it easy to encrypt an existing column without downtime.
|
155
|
+
|
156
|
+
Add a new column for the ciphertext, then add to your model:
|
155
157
|
|
156
158
|
```ruby
|
157
159
|
class User < ApplicationRecord
|
@@ -274,6 +276,34 @@ def license
|
|
274
276
|
end
|
275
277
|
```
|
276
278
|
|
279
|
+
#### Migrating Existing Files [experimental]
|
280
|
+
|
281
|
+
**Note:** This feature is experimental. Please try it in a non-production environment and let us know how it goes.
|
282
|
+
|
283
|
+
Lockbox makes it easy to encrypt existing files without downtime.
|
284
|
+
|
285
|
+
Add to your model:
|
286
|
+
|
287
|
+
```ruby
|
288
|
+
class User < ApplicationRecord
|
289
|
+
encrypts_attached :license, migrating: true
|
290
|
+
end
|
291
|
+
```
|
292
|
+
|
293
|
+
Migrate existing files:
|
294
|
+
|
295
|
+
```ruby
|
296
|
+
Lockbox.migrate(User)
|
297
|
+
```
|
298
|
+
|
299
|
+
Then update the model to the desired state:
|
300
|
+
|
301
|
+
```ruby
|
302
|
+
class User < ApplicationRecord
|
303
|
+
encrypts_attached :license
|
304
|
+
end
|
305
|
+
```
|
306
|
+
|
277
307
|
## CarrierWave
|
278
308
|
|
279
309
|
Add to your uploader:
|
@@ -313,6 +343,51 @@ def license
|
|
313
343
|
end
|
314
344
|
```
|
315
345
|
|
346
|
+
#### Migrating Existing Files
|
347
|
+
|
348
|
+
Encrypt existing files without downtime. Create a new encrypted uploader:
|
349
|
+
|
350
|
+
```ruby
|
351
|
+
class LicenseV2Uploader < CarrierWave::Uploader::Base
|
352
|
+
encrypt key: Lockbox.attribute_key(table: "users", attribute: "license")
|
353
|
+
end
|
354
|
+
```
|
355
|
+
|
356
|
+
Add a new column for the uploader, then add to your model:
|
357
|
+
|
358
|
+
```ruby
|
359
|
+
class User < ApplicationRecord
|
360
|
+
mount_uploader :license_v2, LicenseV2Uploader
|
361
|
+
|
362
|
+
before_save :migrate_license, if: :license_changed?
|
363
|
+
|
364
|
+
def migrate_license
|
365
|
+
self.license_v2 = license
|
366
|
+
end
|
367
|
+
end
|
368
|
+
```
|
369
|
+
|
370
|
+
Migrate existing files:
|
371
|
+
|
372
|
+
```ruby
|
373
|
+
User.find_each do |user|
|
374
|
+
if user.license? && !user.license_v2?
|
375
|
+
user.migrate_license
|
376
|
+
user.save!
|
377
|
+
end
|
378
|
+
end
|
379
|
+
```
|
380
|
+
|
381
|
+
Then update the model to the desired state:
|
382
|
+
|
383
|
+
```ruby
|
384
|
+
class User < ApplicationRecord
|
385
|
+
mount_uploader :license, LicenseV2Uploader, mount_on: :license_v2
|
386
|
+
end
|
387
|
+
```
|
388
|
+
|
389
|
+
Finally, delete the unencrypted files and drop the column for the original uploader. You can also remove the `key` option from the uploader.
|
390
|
+
|
316
391
|
## Shrine
|
317
392
|
|
318
393
|
Generate a key
|
@@ -448,7 +523,7 @@ Use `master_key` instead of `key` if passing the master key.
|
|
448
523
|
To rotate existing files, use:
|
449
524
|
|
450
525
|
```ruby
|
451
|
-
User.find_each do |user|
|
526
|
+
User.with_attached_license.find_each do |user|
|
452
527
|
user.license.rotate_encryption!
|
453
528
|
end
|
454
529
|
```
|
@@ -572,7 +647,7 @@ Heroku [comes with libsodium](https://devcenter.heroku.com/articles/stack-packag
|
|
572
647
|
|
573
648
|
##### Ubuntu
|
574
649
|
|
575
|
-
For Ubuntu 18.04, use:
|
650
|
+
For Ubuntu 20.04 and 18.04, use:
|
576
651
|
|
577
652
|
```sh
|
578
653
|
sudo apt-get install libsodium23
|
data/lib/lockbox.rb
CHANGED
@@ -16,14 +16,6 @@ module Lockbox
|
|
16
16
|
def encrypt_attachable(attachable)
|
17
17
|
Utils.encrypt_attachable(record, name, attachable)
|
18
18
|
end
|
19
|
-
|
20
|
-
def rebuild_attachable(attachment)
|
21
|
-
{
|
22
|
-
io: StringIO.new(attachment.download),
|
23
|
-
filename: attachment.filename,
|
24
|
-
content_type: attachment.content_type
|
25
|
-
}
|
26
|
-
end
|
27
19
|
end
|
28
20
|
|
29
21
|
module AttachedOne
|
@@ -37,7 +29,7 @@ module Lockbox
|
|
37
29
|
def rotate_encryption!
|
38
30
|
raise "Not encrypted" unless encrypted?
|
39
31
|
|
40
|
-
attach(rebuild_attachable(self)) if attached?
|
32
|
+
attach(Utils.rebuild_attachable(self)) if attached?
|
41
33
|
|
42
34
|
true
|
43
35
|
end
|
@@ -65,7 +57,7 @@ module Lockbox
|
|
65
57
|
|
66
58
|
attachables =
|
67
59
|
previous_attachments.map do |attachment|
|
68
|
-
rebuild_attachable(attachment)
|
60
|
+
Utils.rebuild_attachable(attachment)
|
69
61
|
end
|
70
62
|
|
71
63
|
ActiveStorage::Attachment.transaction do
|
@@ -88,13 +80,15 @@ module Lockbox
|
|
88
80
|
end
|
89
81
|
|
90
82
|
module Attachment
|
91
|
-
extend ActiveSupport::Concern
|
92
|
-
|
93
83
|
def download
|
94
84
|
result = super
|
95
85
|
|
96
86
|
options = Utils.encrypted_options(record, name)
|
97
|
-
|
87
|
+
# only trust the metadata when migrating
|
88
|
+
# as earlier versions of Lockbox won't have it
|
89
|
+
# and it's not a good practice to trust modifiable data
|
90
|
+
encrypted = options && (!options[:migrating] || blob.metadata["encrypted"])
|
91
|
+
if encrypted
|
98
92
|
result = Utils.decrypt_result(record, name, options, result)
|
99
93
|
end
|
100
94
|
|
@@ -105,7 +99,11 @@ module Lockbox
|
|
105
99
|
def open(**options)
|
106
100
|
blob.open(**options) do |file|
|
107
101
|
options = Utils.encrypted_options(record, name)
|
108
|
-
|
102
|
+
# only trust the metadata when migrating
|
103
|
+
# as earlier versions of Lockbox won't have it
|
104
|
+
# and it's not a good practice to trust modifiable data
|
105
|
+
encrypted = options && (!options[:migrating] || blob.metadata["encrypted"])
|
106
|
+
if encrypted
|
109
107
|
result = Utils.decrypt_result(record, name, options, file.read)
|
110
108
|
file.rewind
|
111
109
|
# truncate may not be available on all platforms
|
@@ -120,16 +118,6 @@ module Lockbox
|
|
120
118
|
end
|
121
119
|
end
|
122
120
|
end
|
123
|
-
|
124
|
-
def mark_analyzed
|
125
|
-
if Utils.encrypted_options(record, name)
|
126
|
-
blob.update!(metadata: blob.metadata.merge(analyzed: true))
|
127
|
-
end
|
128
|
-
end
|
129
|
-
|
130
|
-
included do
|
131
|
-
after_save :mark_analyzed
|
132
|
-
end
|
133
121
|
end
|
134
122
|
|
135
123
|
module Blob
|
data/lib/lockbox/migrator.rb
CHANGED
@@ -24,26 +24,49 @@ module Lockbox
|
|
24
24
|
|
25
25
|
# TODO add attributes option
|
26
26
|
def migrate(restart:)
|
27
|
-
fields = model.lockbox_attributes.select { |k, v| v[:migrating] }
|
27
|
+
fields = model.respond_to?(:lockbox_attributes) ? model.lockbox_attributes.select { |k, v| v[:migrating] } : {}
|
28
28
|
|
29
29
|
# need blind indexes for building relation
|
30
30
|
blind_indexes = model.respond_to?(:blind_indexes) ? model.blind_indexes.select { |k, v| v[:migrating] } : {}
|
31
31
|
|
32
|
-
|
32
|
+
attachments = model.respond_to?(:lockbox_attachments) ? model.lockbox_attachments.select { |k, v| v[:migrating] } : {}
|
33
|
+
|
34
|
+
perform(fields: fields, blind_indexes: blind_indexes, restart: restart) if fields.any? || blind_indexes.any?
|
35
|
+
perform_attachments(attachments: attachments, restart: restart) if attachments.any?
|
33
36
|
end
|
34
37
|
|
35
38
|
private
|
36
39
|
|
37
|
-
def
|
38
|
-
relation =
|
40
|
+
def perform_attachments(attachments:, restart:)
|
41
|
+
relation = base_relation
|
39
42
|
|
40
|
-
#
|
41
|
-
|
42
|
-
relation = relation.
|
43
|
+
# eager load attachments
|
44
|
+
attachments.each_key do |k|
|
45
|
+
relation = relation.send("with_attached_#{k}")
|
43
46
|
end
|
44
47
|
|
45
|
-
|
46
|
-
|
48
|
+
each_batch(relation) do |records|
|
49
|
+
records.each do |record|
|
50
|
+
attachments.each_key do |k|
|
51
|
+
attachment = record.send(k)
|
52
|
+
if attachment.attached?
|
53
|
+
if attachment.is_a?(ActiveStorage::Attached::One)
|
54
|
+
unless attachment.metadata["encrypted"]
|
55
|
+
attachment.rotate_encryption!
|
56
|
+
end
|
57
|
+
else
|
58
|
+
unless attachment.all? { |a| a.metadata["encrypted"] }
|
59
|
+
attachment.rotate_encryption!
|
60
|
+
end
|
61
|
+
end
|
62
|
+
end
|
63
|
+
end
|
64
|
+
end
|
65
|
+
end
|
66
|
+
end
|
67
|
+
|
68
|
+
def perform(fields:, blind_indexes: [], restart: true, rotate: false)
|
69
|
+
relation = base_relation
|
47
70
|
|
48
71
|
unless restart
|
49
72
|
attributes = fields.map { |_, v| v[:encrypted_attribute] }
|
@@ -138,6 +161,18 @@ module Lockbox
|
|
138
161
|
end
|
139
162
|
end
|
140
163
|
|
164
|
+
def base_relation
|
165
|
+
relation = @relation
|
166
|
+
|
167
|
+
# unscope if passed a model
|
168
|
+
unless ar_relation?(relation) || mongoid_relation?(relation)
|
169
|
+
relation = relation.unscoped
|
170
|
+
end
|
171
|
+
|
172
|
+
# convert from possible class to ActiveRecord::Relation or Mongoid::Criteria
|
173
|
+
relation.all
|
174
|
+
end
|
175
|
+
|
141
176
|
def ar_relation?(relation)
|
142
177
|
defined?(ActiveRecord::Relation) && relation.is_a?(ActiveRecord::Relation)
|
143
178
|
end
|
data/lib/lockbox/railtie.rb
CHANGED
@@ -5,18 +5,27 @@ module Lockbox
|
|
5
5
|
|
6
6
|
if defined?(ActiveStorage)
|
7
7
|
require "lockbox/active_storage_extensions"
|
8
|
+
|
8
9
|
ActiveStorage::Attached.prepend(Lockbox::ActiveStorageExtensions::Attached)
|
9
10
|
if ActiveStorage::VERSION::MAJOR >= 6
|
10
11
|
ActiveStorage::Attached::Changes::CreateOne.prepend(Lockbox::ActiveStorageExtensions::CreateOne)
|
11
12
|
end
|
12
13
|
ActiveStorage::Attached::One.prepend(Lockbox::ActiveStorageExtensions::AttachedOne)
|
13
14
|
ActiveStorage::Attached::Many.prepend(Lockbox::ActiveStorageExtensions::AttachedMany)
|
14
|
-
end
|
15
15
|
|
16
|
-
|
17
|
-
if
|
18
|
-
|
19
|
-
|
16
|
+
# use load hooks when possible
|
17
|
+
if ActiveStorage::VERSION::MAJOR >= 6
|
18
|
+
ActiveSupport.on_load(:active_storage_attachment) do
|
19
|
+
include Lockbox::ActiveStorageExtensions::Attachment
|
20
|
+
end
|
21
|
+
ActiveSupport.on_load(:active_storage_blob) do
|
22
|
+
prepend Lockbox::ActiveStorageExtensions::Blob
|
23
|
+
end
|
24
|
+
else
|
25
|
+
app.config.to_prepare do
|
26
|
+
ActiveStorage::Attachment.include(Lockbox::ActiveStorageExtensions::Attachment)
|
27
|
+
ActiveStorage::Blob.prepend(Lockbox::ActiveStorageExtensions::Blob)
|
28
|
+
end
|
20
29
|
end
|
21
30
|
end
|
22
31
|
end
|
data/lib/lockbox/utils.rb
CHANGED
@@ -63,14 +63,17 @@ module Lockbox
|
|
63
63
|
}
|
64
64
|
when Hash
|
65
65
|
io = attachable[:io]
|
66
|
-
attachable =
|
67
|
-
|
68
|
-
filename: attachable[:filename],
|
69
|
-
content_type: attachable[:content_type]
|
70
|
-
}
|
66
|
+
attachable = attachable.dup
|
67
|
+
attachable[:io] = box.encrypt_io(io)
|
71
68
|
else
|
72
|
-
|
69
|
+
# TODO raise ArgumentError
|
70
|
+
raise NotImplementedError, "Could not find or build blob: expected attachable, got #{attachable.inspect}"
|
73
71
|
end
|
72
|
+
|
73
|
+
# don't analyze encrypted data
|
74
|
+
metadata = {"analyzed" => true}
|
75
|
+
metadata["encrypted"] = true if options[:migrating]
|
76
|
+
attachable[:metadata] = (attachable[:metadata] || {}).merge(metadata)
|
74
77
|
end
|
75
78
|
|
76
79
|
# set content type based on unencrypted data
|
@@ -85,5 +88,13 @@ module Lockbox
|
|
85
88
|
Utils.build_box(record, options, record.class.table_name, name).decrypt(result)
|
86
89
|
end
|
87
90
|
end
|
91
|
+
|
92
|
+
def self.rebuild_attachable(attachment)
|
93
|
+
{
|
94
|
+
io: StringIO.new(attachment.download),
|
95
|
+
filename: attachment.filename,
|
96
|
+
content_type: attachment.content_type
|
97
|
+
}
|
98
|
+
end
|
88
99
|
end
|
89
100
|
end
|
data/lib/lockbox/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: lockbox
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.4.
|
4
|
+
version: 0.4.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Andrew Kane
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-05-
|
11
|
+
date: 2020-05-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|