lockbox 0.5.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '00428f366a284e5e69806c18ef64a7bb66cdc0b2c1cb3e19528aa6bca99becea'
-  data.tar.gz: b5235c68771e0cb39653780dd4e08bdb27218f914b3889cecf959bc02efec3a8
+  metadata.gz: 77945cdf065bda9282a4a9cbffd77ebe518bcbe11c3e3ccaa91768bd1579f94c
+  data.tar.gz: ab052f812a91e1620dcc52ac578006b55e84d5aae1770ecb5c6c89c5119f9073
 SHA512:
-  metadata.gz: cd44c7b55ea270aa02fa5a4eda5aa38bde97eca39ce54093b6fc4907abe90e946827b4c12a8f5f43f21b6503ea9d1c713f505a86c9a6ea4075b1407b5630aeca
-  data.tar.gz: 0eba333d509de09a92cd1af74427cce30eca35d7eab41abddada5718227c5a1f3f013b3ad031f8015ca5e13c4b47f5aebe75c09d83f6bd91926ad7d55db6a1e4
+  metadata.gz: 8223d89af7efa1e4192c48512a45177d877df2c1878da425b05bf4e2b066c1f3a413b57f8f0fbdc73a04f000db191bfde2ef8bb0319c4bce7eee6a1985a3771f
+  data.tar.gz: 7bcb4b647f4abdc8141c571441ce1c8e47b5864aee3e043cd7f620ca7f9abc208ddb1134ac6f35700c73a30f934c56169ff5bca235ba32faba4a0d2325bc926a

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.6.0 (2020-12-03)
+
+- Added `encrypted` flag to Active Storage metadata
+- Added encrypted columns to `filter_attributes`
+- Improved `inspect` method
+
 ## 0.5.0 (2020-11-22)
 
 - Improved error messages for hybrid cryptography

data/README.md

@@ -197,6 +197,34 @@ class User < ApplicationRecord
 end
 ```
 
+#### Model Changes
+
+If tracking changes to model attributes, be sure to remove or redact encrypted attributes.
+
+PaperTrail
+
+```ruby
+class User < ApplicationRecord
+  # for an encrypted history (still tracks ciphertext changes)
+  has_paper_trail skip: [:email]
+
+  # for no history (add blind indexes as well)
+  has_paper_trail skip: [:email, :email_ciphertext]
+end
+```
+
+Audited
+
+```ruby
+class User < ApplicationRecord
+  # for an encrypted history (still tracks ciphertext changes)
+  audited except: [:email]
+
+  # for no history (add blind indexes as well)
+  audited except: [:email, :email_ciphertext]
+end
+```
+
 #### Decryption
 
 To decrypt data outside the model, use:
@@ -731,14 +759,14 @@ For Ubuntu 20.04 and 18.04, use:
 
 ```yml
     - name: Install Libsodium
-      run: sudo apt-get install libsodium23
+      run: sudo apt-get update && sudo apt-get install libsodium23
 ```
 
 For Ubuntu 16.04, use:
 
 ```yml
     - name: Install Libsodium
-      run: sudo apt-get install libsodium18
+      run: sudo apt-get update && sudo apt-get install libsodium18
 ```
 
 ##### Travis CI

data/lib/lockbox/active_storage_extensions.rb

@@ -89,6 +89,10 @@ module Lockbox
     module CreateOne
       def initialize(name, record, attachable)
         # this won't encrypt existing blobs
+        # ideally we'd check metadata for the encrypted flag
+        # and disallow unencrypted blobs
+        # since they'll raise an error on decryption
+        # but earlier versions of Lockbox won't have it
         attachable = Lockbox::Utils.encrypt_attachable(record, name, attachable) if Lockbox::Utils.encrypted?(record, name) && !attachable.is_a?(ActiveStorage::Blob)
         super(name, record, attachable)
       end

data/lib/lockbox/carrier_wave_extensions.rb

@@ -97,4 +97,8 @@ module Lockbox
   end
 end
 
+if CarrierWave::VERSION.to_i > 2
+  raise "CarrierWave version not supported in this version of Lockbox: #{CarrierWave::VERSION}"
+end
+
 CarrierWave::Uploader::Base.extend(Lockbox::CarrierWaveExtensions)

data/lib/lockbox/model.rb

@@ -55,6 +55,15 @@ module Lockbox
         decrypt_method_name = "decrypt_#{encrypted_attribute}"
 
         class_eval do
+          # Lockbox uses custom inspect
+          # but this could be useful for other gems
+          if activerecord && ActiveRecord::VERSION::MAJOR >= 6
+            # only add virtual attribute
+            # need to use regexp since strings do partial matching
+            # also, need to use += instead of <<
+            self.filter_attributes += [/\A#{Regexp.escape(options[:attribute])}\z/]
+          end
+
           @lockbox_attributes ||= {}
 
           if @lockbox_attributes.empty?
@@ -79,15 +88,40 @@ module Lockbox
               super(options)
             end
 
-            # use same approach as devise
+            # maintain order
+            # replace ciphertext attributes w/ virtual attributes (filtered)
             def inspect
-              inspection =
-                serializable_hash.map do |k,v|
-                  "#{k}: #{respond_to?(:attribute_for_inspect) ? attribute_for_inspect(k) : v.inspect}"
+              lockbox_attributes = {}
+              lockbox_encrypted_attributes = {}
+              self.class.lockbox_attributes.each do |_, lockbox_attribute|
+                lockbox_attributes[lockbox_attribute[:attribute]] = true
+                lockbox_encrypted_attributes[lockbox_attribute[:encrypted_attribute]] = lockbox_attribute[:attribute]
+              end
+
+              inspection = []
+              # use serializable_hash like Devise
+              values = serializable_hash
+              self.class.attribute_names.each do |k|
+                next if !has_attribute?(k) || lockbox_attributes[k]
+
+                # check for lockbox attribute
+                if lockbox_encrypted_attributes[k]
+                  # check if ciphertext attribute nil to avoid loading attribute
+                  v = send(k).nil? ? "nil" : "[FILTERED]"
+                  k = lockbox_encrypted_attributes[k]
+                elsif values.key?(k)
+                  v = respond_to?(:attribute_for_inspect) ? attribute_for_inspect(k) : values[k].inspect
+
+                  # fix for https://github.com/rails/rails/issues/40725
+                  # TODO only apply to Active Record 6.0
+                  if respond_to?(:inspection_filter, true) && v != "nil"
+                    v = inspection_filter.filter_param(k, v)
+                  end
+                else
+                  next
                 end
 
-              self.class.lockbox_attributes.map do |_, lockbox_attribute|
-                inspection << "#{lockbox_attribute[:attribute]}: [FILTERED]" if has_attribute?(lockbox_attribute[:encrypted_attribute])
+                inspection << "#{k}: #{v}"
               end
 
               "#<#{self.class} #{inspection.join(", ")}>"
@@ -352,7 +386,7 @@ module Lockbox
             table = activerecord ? table_name : collection_name.to_s
 
             unless message.nil?
-              # TODO use attribute type class in 0.6.0
+              # TODO use attribute type class in 0.7.0
               case options[:type]
               when :boolean
                 message = ActiveRecord::Type::Boolean.new.serialize(message)
@@ -407,7 +441,7 @@ module Lockbox
               end
 
             unless message.nil?
-              # TODO use attribute type class in 0.6.0
+              # TODO use attribute type class in 0.7.0
               case options[:type]
               when :boolean
                 message = message == "t"

data/lib/lockbox/utils.rb

@@ -93,8 +93,7 @@ module Lockbox
         end
 
         # don't analyze encrypted data
-        metadata = {"analyzed" => true}
-        metadata["encrypted"] = true if options[:migrating]
+        metadata = {"analyzed" => true, "encrypted" => true}
         attachable[:metadata] = (attachable[:metadata] || {}).merge(metadata)
       end
 

data/lib/lockbox/version.rb

@@ -1,3 +1,3 @@
 module Lockbox
-  VERSION = "0.5.0"
+  VERSION = "0.6.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lockbox
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.0
 platform: ruby
 authors:
 - Andrew Kane
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-11-22 00:00:00.000000000 Z
+date: 2020-12-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler