lockbox 0.5.0 → 0.6.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '00428f366a284e5e69806c18ef64a7bb66cdc0b2c1cb3e19528aa6bca99becea'
-  data.tar.gz: b5235c68771e0cb39653780dd4e08bdb27218f914b3889cecf959bc02efec3a8
+  metadata.gz: 06b9f5c13a4cbdab22a46664beaf453bffa923a7bbebd918adecea008ecbc797
+  data.tar.gz: 42c68577c2f4b8b4d1b068c01f314893a069b6fd361bd06d87a0de6531636c94
 SHA512:
-  metadata.gz: cd44c7b55ea270aa02fa5a4eda5aa38bde97eca39ce54093b6fc4907abe90e946827b4c12a8f5f43f21b6503ea9d1c713f505a86c9a6ea4075b1407b5630aeca
-  data.tar.gz: 0eba333d509de09a92cd1af74427cce30eca35d7eab41abddada5718227c5a1f3f013b3ad031f8015ca5e13c4b47f5aebe75c09d83f6bd91926ad7d55db6a1e4
+  metadata.gz: 138df2feafe849bfc5ba80818e1b3695eb107e1f37b0d6654467383bc1788d5803bc00cb753bd7d3a8d3f30773ef4ed3d05f0945a896529d8b685df55b0e10ae
+  data.tar.gz: 29ad6a9cb2248489caec35bdc56fdbcb6d1d251a0833ec1d597e1e955ac17ccc07626f59ce92683843658fc45311571f495d044f6219075abfcef8b2783dd6a8

data/CHANGELOG.md

@@ -1,3 +1,31 @@
+## 0.6.4 (2021-04-05)
+
+- Fixed in place changes in callbacks
+- Fixed `[]` method for encrypted attributes
+
+## 0.6.3 (2021-03-30)
+
+- Fixed empty arrays and hashes
+- Fixed content type for CarrierWave 2.2.1
+
+## 0.6.2 (2021-02-08)
+
+- Added `inet` type
+- Fixed error when `lockbox` key in Rails credentials has a string value
+- Fixed deprecation warning with Active Record 6.1
+
+## 0.6.1 (2020-12-03)
+
+- Added integration with Rails credentials
+- Fixed in place changes for Active Record 6.1
+- Fixed error with `content_type` method for CarrierWave < 2
+
+## 0.6.0 (2020-12-03)
+
+- Added `encrypted` flag to Active Storage metadata
+- Added encrypted columns to `filter_attributes`
+- Improved `inspect` method
+
 ## 0.5.0 (2020-11-22)
 
 - Improved error messages for hybrid cryptography

data/LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2018-2020 Andrew Kane
+Copyright (c) 2018-2021 Andrew Kane
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -27,7 +27,7 @@ Generate a key
 Lockbox.generate_key
 ```
 
-Store the key with your other secrets. This is typically Rails credentials or an environment variable ([dotenv](https://github.com/bkeepers/dotenv) is great for this). Be sure to use different keys in development and production. Keys don’t need to be hex-encoded, but it’s often easier to store them this way.
+Store the key with your other secrets. This is typically Rails credentials or an environment variable ([dotenv](https://github.com/bkeepers/dotenv) is great for this). Be sure to use different keys in development and production.
 
 Set the following environment variable with your key (you can use this one in development)
 
@@ -35,10 +35,17 @@ Set the following environment variable with your key (you can use this one in de
 LOCKBOX_MASTER_KEY=0000000000000000000000000000000000000000000000000000000000000000
 ```
 
+or add it to your credentials for each environment (`rails credentials:edit --environment <env>` for Rails 6+)
+
+```yml
+lockbox:
+  master_key: "0000000000000000000000000000000000000000000000000000000000000000"
+```
+
 or create `config/initializers/lockbox.rb` with something like
 
 ```ruby
-Lockbox.master_key = Rails.application.credentials.lockbox_master_key
+Lockbox.master_key = Rails.application.credentials.lockbox[:master_key]
 ```
 
 Then follow the instructions below for the data you want to encrypt.
@@ -65,7 +72,7 @@ Then follow the instructions below for the data you want to encrypt.
 Create a migration with:
 
 ```ruby
-class AddEmailCiphertextToUsers < ActiveRecord::Migration[6.0]
+class AddEmailCiphertextToUsers < ActiveRecord::Migration[6.1]
   def change
     add_column :users, :email_ciphertext, :text
   end
@@ -114,6 +121,7 @@ class User < ApplicationRecord
   encrypts :properties, type: :json
   encrypts :settings, type: :hash
   encrypts :messages, type: :array
+  encrypts :ip, type: :inet
 end
 ```
 
@@ -197,6 +205,34 @@ class User < ApplicationRecord
 end
 ```
 
+#### Model Changes
+
+If tracking changes to model attributes, be sure to remove or redact encrypted attributes.
+
+PaperTrail
+
+```ruby
+class User < ApplicationRecord
+  # for an encrypted history (still tracks ciphertext changes)
+  has_paper_trail skip: [:email]
+
+  # for no history (add blind indexes as well)
+  has_paper_trail skip: [:email, :email_ciphertext]
+end
+```
+
+Audited
+
+```ruby
+class User < ApplicationRecord
+  # for an encrypted history (still tracks ciphertext changes)
+  audited except: [:email]
+
+  # for no history (add blind indexes as well)
+  audited except: [:email, :email_ciphertext]
+end
+```
+
 #### Decryption
 
 To decrypt data outside the model, use:
@@ -212,7 +248,7 @@ User.decrypt_email_ciphertext(user.email_ciphertext)
 Create a migration with:
 
 ```ruby
-class AddBodyCiphertextToRichTexts < ActiveRecord::Migration[6.0]
+class AddBodyCiphertextToRichTexts < ActiveRecord::Migration[6.1]
   def change
     add_column :action_text_rich_texts, :body_ciphertext, :text
   end
@@ -300,9 +336,7 @@ def license
 end
 ```
 
-#### Migrating Existing Files [experimental]
-
-**Note:** This feature is experimental. Please try it in a non-production environment and [share](https://github.com/ankane/lockbox/issues/44) how it goes.
+#### Migrating Existing Files
 
 Lockbox makes it easy to encrypt existing files without downtime.
 
@@ -343,7 +377,7 @@ Encryption is applied to all versions after processing.
 You can mount the uploader [as normal](https://github.com/carrierwaveuploader/carrierwave#activerecord). With Active Record, this involves creating a migration:
 
 ```ruby
-class AddLicenseToUsers < ActiveRecord::Migration[6.0]
+class AddLicenseToUsers < ActiveRecord::Migration[6.1]
   def change
     add_column :users, :license, :string
   end
@@ -532,12 +566,10 @@ Update your model:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :email, previous_versions: [{key: previous_key}]
+  encrypts :email, previous_versions: [{master_key: previous_key}]
 end
 ```
 
-Use `master_key` instead of `key` if passing the master key.
-
 To rotate existing records, use:
 
 ```ruby
@@ -551,11 +583,9 @@ Once all records are rotated, you can remove `previous_versions` from the model.
 Update your initializer:
 
 ```ruby
-Lockbox.encrypts_action_text_body(previous_versions: [{key: previous_key}])
+Lockbox.encrypts_action_text_body(previous_versions: [{master_key: previous_key}])
 ```
 
-Use `master_key` instead of `key` if passing the master key.
-
 To rotate existing records, use:
 
 ```ruby
@@ -570,12 +600,10 @@ Update your model:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts_attached :license, previous_versions: [{key: previous_key}]
+  encrypts_attached :license, previous_versions: [{master_key: previous_key}]
 end
 ```
 
-Use `master_key` instead of `key` if passing the master key.
-
 To rotate existing files, use:
 
 ```ruby
@@ -592,12 +620,10 @@ Update your model:
 
 ```ruby
 class LicenseUploader < CarrierWave::Uploader::Base
-  encrypt previous_versions: [{key: previous_key}]
+  encrypt previous_versions: [{master_key: previous_key}]
 end
 ```
 
-Use `master_key` instead of `key` if passing the master key.
-
 To rotate existing files, use:
 
 ```ruby
@@ -672,7 +698,7 @@ This is the default algorithm. It’s:
 
 Lockbox uses 256-bit keys.
 
-**For users who do a lot of encryptions:** You should rotate an individual key after 2 billion encryptions to minimize the chance of a [nonce collision](https://www.cryptologie.net/article/402/is-symmetric-security-solved/), which will expose the key. Each database field and file uploader use a different key (derived from the master key) to extend this window.
+**For users who do a lot of encryptions:** You should rotate an individual key after 2 billion encryptions to minimize the chance of a [nonce collision](https://www.cryptologie.net/article/402/is-symmetric-security-solved/), which will expose the authentication key. Each database field and file uploader use a different key (derived from the master key) to extend this window.
 
 ### XSalsa20
 
@@ -731,14 +757,14 @@ For Ubuntu 20.04 and 18.04, use:
 
 ```yml
     - name: Install Libsodium
-      run: sudo apt-get install libsodium23
+      run: sudo apt-get update && sudo apt-get install libsodium23
 ```
 
 For Ubuntu 16.04, use:
 
 ```yml
     - name: Install Libsodium
-      run: sudo apt-get install libsodium18
+      run: sudo apt-get update && sudo apt-get install libsodium18
 ```
 
 ##### Travis CI
@@ -961,7 +987,7 @@ lockbox.decrypt(ciphertext, associated_data: "othercontext") # fails
 You can use `binary` columns for the ciphertext instead of `text` columns.
 
 ```ruby
-class AddEmailCiphertextToUsers < ActiveRecord::Migration[6.0]
+class AddEmailCiphertextToUsers < ActiveRecord::Migration[6.1]
   def change
     add_column :users, :email_ciphertext, :binary
   end
@@ -1006,7 +1032,7 @@ end
 Create a migration with:
 
 ```ruby
-class MigrateToLockbox < ActiveRecord::Migration[6.0]
+class MigrateToLockbox < ActiveRecord::Migration[6.1]
   def change
     add_column :users, :name_ciphertext, :text
     add_column :users, :email_ciphertext, :text
@@ -1039,7 +1065,7 @@ end
 Then remove the previous gem from your Gemfile and drop its columns.
 
 ```ruby
-class RemovePreviousEncryptedColumns < ActiveRecord::Migration[6.0]
+class RemovePreviousEncryptedColumns < ActiveRecord::Migration[6.1]
   def change
     remove_column :users, :encrypted_name, :text
     remove_column :users, :encrypted_name_iv, :text
@@ -1051,12 +1077,29 @@ end
 
 ## Upgrading
 
+### 0.6.0
+
+0.6.0 adds `encrypted: true` to Active Storage metadata for new files. This field is informational, but if you prefer to add it to existing files, use:
+
+```ruby
+User.with_attached_license.find_each do |user|
+  next unless user.license.attached?
+
+  metadata = user.license.metadata
+  unless metadata["encrypted"]
+    user.license.blob.update!(metadata: metadata.merge("encrypted" => true))
+  end
+end
+```
+
 ### 0.3.6
 
 0.3.6 makes content type detection more reliable for Active Storage. You can check and update the content type of existing files with:
 
 ```ruby
-User.find_each do |user|
+User.with_attached_license.find_each do |user|
+  next unless user.license.attached?
+
   license = user.license
   content_type = Marcel::MimeType.for(license.download, name: license.filename.to_s)
   if content_type != license.content_type

data/lib/generators/lockbox/audits_generator.rb

@@ -16,9 +16,7 @@ module Lockbox
       end
 
       def data_type
-        # use connection_config instead of connection.adapter
-        # so database connection isn't needed
-        case ActiveRecord::Base.connection_config[:adapter].to_s
+        case adapter
         when /postg/i # postgres, postgis
           "jsonb"
         when /mysql/i
@@ -27,6 +25,16 @@ module Lockbox
           "text"
         end
       end
+
+      # use connection_config instead of connection.adapter
+      # so database connection isn't needed
+      def adapter
+        if ActiveRecord::VERSION::STRING.to_f >= 6.1
+          ActiveRecord::Base.connection_db_config.adapter.to_s
+        else
+          ActiveRecord::Base.connection_config[:adapter].to_s
+        end
+      end
     end
   end
 end

data/lib/lockbox.rb

@@ -27,13 +27,22 @@ end
 
 if defined?(ActiveSupport.on_load)
   ActiveSupport.on_load(:active_record) do
+    # TODO raise error in 0.7.0
+    if ActiveRecord::VERSION::STRING.to_f <= 5.0
+      warn "Active Record version (#{ActiveRecord::VERSION::STRING}) not supported in this version of Lockbox (#{Lockbox::VERSION})"
+    end
+
     extend Lockbox::Model
     extend Lockbox::Model::Attached
+    # alias_method is private in Ruby < 2.5
+    singleton_class.send(:alias_method, :encrypts, :lockbox_encrypts) if ActiveRecord::VERSION::MAJOR < 7
     ActiveRecord::Calculations.prepend Lockbox::Calculations
   end
 
   ActiveSupport.on_load(:mongoid) do
     Mongoid::Document::ClassMethods.include(Lockbox::Model)
+    # alias_method is private in Ruby < 2.5
+    Mongoid::Document::ClassMethods.send(:alias_method, :encrypts, :lockbox_encrypts)
   end
 end
 
@@ -101,7 +110,7 @@ module Lockbox
 
   def self.encrypts_action_text_body(**options)
     ActiveSupport.on_load(:action_text_rich_text) do
-      ActionText::RichText.encrypts :body, **options
+      ActionText::RichText.lockbox_encrypts :body, **options
     end
   end
 end

data/lib/lockbox/active_storage_extensions.rb

@@ -89,6 +89,10 @@ module Lockbox
     module CreateOne
       def initialize(name, record, attachable)
         # this won't encrypt existing blobs
+        # ideally we'd check metadata for the encrypted flag
+        # and disallow unencrypted blobs
+        # since they'll raise an error on decryption
+        # but earlier versions of Lockbox won't have it
         attachable = Lockbox::Utils.encrypt_attachable(record, name, attachable) if Lockbox::Utils.encrypted?(record, name) && !attachable.is_a?(ActiveStorage::Blob)
         super(name, record, attachable)
       end

data/lib/lockbox/carrier_wave_extensions.rb

@@ -32,9 +32,17 @@ module Lockbox
           read.bytesize
         end
 
-        # based on CarrierWave::SanitizedFile#mime_magic_content_type
         def content_type
-          MimeMagic.by_magic(read).try(:type) || "invalid/invalid"
+          if Gem::Version.new(CarrierWave::VERSION) >= Gem::Version.new("2.2.1")
+            # based on CarrierWave::SanitizedFile#marcel_magic_content_type
+            Marcel::Magic.by_magic(read).try(:type) || "invalid/invalid"
+          elsif CarrierWave::VERSION.to_i >= 2
+            # based on CarrierWave::SanitizedFile#mime_magic_content_type
+            MimeMagic.by_magic(read).try(:type) || "invalid/invalid"
+          else
+            # uses filename
+            super
+          end
         end
 
         # disable processing since already processed
@@ -97,4 +105,11 @@ module Lockbox
   end
 end
 
+if CarrierWave::VERSION.to_i > 2
+  raise "CarrierWave version (#{CarrierWave::VERSION}) not supported in this version of Lockbox (#{Lockbox::VERSION})"
+elsif CarrierWave::VERSION.to_i < 1
+  # TODO raise error in 0.7.0
+  warn "CarrierWave version (#{CarrierWave::VERSION}) not supported in this version of Lockbox (#{Lockbox::VERSION})"
+end
+
 CarrierWave::Uploader::Base.extend(Lockbox::CarrierWaveExtensions)

data/lib/lockbox/model.rb

@@ -1,6 +1,6 @@
 module Lockbox
   module Model
-    def encrypts(*attributes, **options)
+    def lockbox_encrypts(*attributes, **options)
       # support objects
       # case options[:type]
       # when Date
@@ -22,7 +22,8 @@ module Lockbox
       # end
 
       custom_type = options[:type].respond_to?(:serialize) && options[:type].respond_to?(:deserialize)
-      raise ArgumentError, "Unknown type: #{options[:type]}" unless custom_type || [nil, :string, :boolean, :date, :datetime, :time, :integer, :float, :binary, :json, :hash, :array].include?(options[:type])
+      valid_types = [nil, :string, :boolean, :date, :datetime, :time, :integer, :float, :binary, :json, :hash, :array, :inet]
+      raise ArgumentError, "Unknown type: #{options[:type]}" unless custom_type || valid_types.include?(options[:type])
 
       activerecord = defined?(ActiveRecord::Base) && self < ActiveRecord::Base
       raise ArgumentError, "Type not supported yet with Mongoid" if options[:type] && !activerecord
@@ -55,6 +56,15 @@ module Lockbox
         decrypt_method_name = "decrypt_#{encrypted_attribute}"
 
         class_eval do
+          # Lockbox uses custom inspect
+          # but this could be useful for other gems
+          if activerecord && ActiveRecord::VERSION::MAJOR >= 6
+            # only add virtual attribute
+            # need to use regexp since strings do partial matching
+            # also, need to use += instead of <<
+            self.filter_attributes += [/\A#{Regexp.escape(options[:attribute])}\z/]
+          end
+
           @lockbox_attributes ||= {}
 
           if @lockbox_attributes.empty?
@@ -79,15 +89,40 @@ module Lockbox
               super(options)
             end
 
-            # use same approach as devise
+            # maintain order
+            # replace ciphertext attributes w/ virtual attributes (filtered)
             def inspect
-              inspection =
-                serializable_hash.map do |k,v|
-                  "#{k}: #{respond_to?(:attribute_for_inspect) ? attribute_for_inspect(k) : v.inspect}"
+              lockbox_attributes = {}
+              lockbox_encrypted_attributes = {}
+              self.class.lockbox_attributes.each do |_, lockbox_attribute|
+                lockbox_attributes[lockbox_attribute[:attribute]] = true
+                lockbox_encrypted_attributes[lockbox_attribute[:encrypted_attribute]] = lockbox_attribute[:attribute]
+              end
+
+              inspection = []
+              # use serializable_hash like Devise
+              values = serializable_hash
+              self.class.attribute_names.each do |k|
+                next if !has_attribute?(k) || lockbox_attributes[k]
+
+                # check for lockbox attribute
+                if lockbox_encrypted_attributes[k]
+                  # check if ciphertext attribute nil to avoid loading attribute
+                  v = send(k).nil? ? "nil" : "[FILTERED]"
+                  k = lockbox_encrypted_attributes[k]
+                elsif values.key?(k)
+                  v = respond_to?(:attribute_for_inspect) ? attribute_for_inspect(k) : values[k].inspect
+
+                  # fix for https://github.com/rails/rails/issues/40725
+                  # TODO only apply to Active Record 6.0
+                  if respond_to?(:inspection_filter, true) && v != "nil"
+                    v = inspection_filter.filter_param(k, v)
+                  end
+                else
+                  next
                 end
 
-              self.class.lockbox_attributes.map do |_, lockbox_attribute|
-                inspection << "#{lockbox_attribute[:attribute]}: [FILTERED]" if has_attribute?(lockbox_attribute[:encrypted_attribute])
+                inspection << "#{k}: #{v}"
               end
 
               "#<#{self.class} #{inspection.join(", ")}>"
@@ -114,16 +149,38 @@ module Lockbox
               # needed for in-place modifications
               # assigned attributes are encrypted on assignment
               # and then again here
-              before_save do
+              def lockbox_sync_attributes
                 self.class.lockbox_attributes.each do |_, lockbox_attribute|
                   attribute = lockbox_attribute[:attribute]
 
-                  if attribute_changed_in_place?(attribute)
+                  if attribute_changed_in_place?(attribute) || (send("#{attribute}_changed?") && !send("#{lockbox_attribute[:encrypted_attribute]}_changed?"))
                     send("#{attribute}=", send(attribute))
                   end
                 end
               end
 
+              # safety check
+              [:_create_record, :_update_record].each do |method_name|
+                unless private_method_defined?(method_name) || method_defined?(method_name)
+                  raise Lockbox::Error, "Expected #{method_name} to be defined. Please report an issue."
+                end
+              end
+
+              def _create_record(*)
+                lockbox_sync_attributes
+                super
+              end
+
+              def _update_record(*)
+                lockbox_sync_attributes
+                super
+              end
+
+              def [](attr_name)
+                send(attr_name) if self.class.lockbox_attributes.any? { |_, la| la[:attribute] == attr_name.to_s }
+                super
+              end
+
               def update_columns(attributes)
                 return super unless attributes.is_a?(Hash)
 
@@ -159,8 +216,11 @@ module Lockbox
                 attributes_to_set.each do |k, v|
                   if respond_to?(:write_attribute_without_type_cast, true)
                     write_attribute_without_type_cast(k, v)
-                  else
+                  elsif respond_to?(:raw_write_attribute, true)
                     raw_write_attribute(k, v)
+                  else
+                    @attributes.write_cast_value(k, v)
+                    clear_attribute_change(k)
                   end
                 end
 
@@ -213,6 +273,23 @@ module Lockbox
               else
                 attribute name, :string
               end
+            else
+              # hack for Active Record 6.1
+              # to set string type after serialize
+              # otherwise, type gets set to ActiveModel::Type::Value
+              # which always returns false for changed_in_place?
+              # earlier versions of Active Record take the previous code path
+              if ActiveRecord::VERSION::STRING.to_f >= 7.0 && attributes_to_define_after_schema_loads[name.to_s].first.is_a?(Proc)
+                attribute_type = attributes_to_define_after_schema_loads[name.to_s].first.call(nil)
+                if attribute_type.is_a?(ActiveRecord::Type::Serialized) && attribute_type.subtype.nil?
+                  attribute name, ActiveRecord::Type::Serialized.new(ActiveRecord::Type::String.new, attribute_type.coder)
+                end
+              elsif ActiveRecord::VERSION::STRING.to_f >= 6.1 && attributes_to_define_after_schema_loads[name.to_s].first.is_a?(Proc)
+                attribute_type = attributes_to_define_after_schema_loads[name.to_s].first.call
+                if attribute_type.is_a?(ActiveRecord::Type::Serialized) && attribute_type.subtype.nil?
+                  attribute name, ActiveRecord::Type::Serialized.new(ActiveRecord::Type::String.new, attribute_type.coder)
+                end
+              end
             end
 
             define_method("#{name}_was") do
@@ -324,7 +401,11 @@ module Lockbox
             # check for this explicitly as a layer of safety
             if message.nil? || ((message == {} || message == []) && activerecord && @attributes[name.to_s].value_before_type_cast.nil?)
               ciphertext = send(encrypted_attribute)
-              message = self.class.send(decrypt_method_name, ciphertext, context: self)
+
+              # keep original message for empty hashes and arrays
+              unless ciphertext.nil?
+                message = self.class.send(decrypt_method_name, ciphertext, context: self)
+              end
 
               if activerecord
                 # set previous attribute so changes populate correctly
@@ -336,8 +417,13 @@ module Lockbox
                 # decrypt method does type casting
                 if respond_to?(:write_attribute_without_type_cast, true)
                   write_attribute_without_type_cast(name.to_s, message) if !@attributes.frozen?
-                else
+                elsif respond_to?(:raw_write_attribute, true)
                   raw_write_attribute(name, message) if !@attributes.frozen?
+                else
+                  if !@attributes.frozen?
+                    @attributes.write_cast_value(name.to_s, message)
+                    clear_attribute_change(name)
+                  end
                 end
               else
                 instance_variable_set("@#{name}", message)
@@ -352,7 +438,7 @@ module Lockbox
             table = activerecord ? table_name : collection_name.to_s
 
             unless message.nil?
-              # TODO use attribute type class in 0.6.0
+              # TODO use attribute type class in 0.7.0
               case options[:type]
               when :boolean
                 message = ActiveRecord::Type::Boolean.new.serialize(message)
@@ -380,6 +466,14 @@ module Lockbox
                 message = ActiveRecord::Type::Float.new.serialize(message)
                 # double precision, big endian
                 message = [message].pack("G") unless message.nil?
+              when :inet
+                unless message.nil?
+                  ip = message.is_a?(IPAddr) ? message : (IPAddr.new(message) rescue nil)
+                  # same format as Postgres, with ipv4 padded to 16 bytes
+                  # family, netmask, ip
+                  # return nil for invalid IP like Active Record
+                  message = ip ? [ip.ipv4? ? 0 : 1, ip.prefix, ip.hton].pack("CCa16") : nil
+                end
               when :string, :binary
                 # do nothing
                 # encrypt will convert to binary
@@ -407,7 +501,7 @@ module Lockbox
               end
 
             unless message.nil?
-              # TODO use attribute type class in 0.6.0
+              # TODO use attribute type class in 0.7.0
               case options[:type]
               when :boolean
                 message = message == "t"
@@ -426,6 +520,11 @@ module Lockbox
               when :binary
                 # do nothing
                 # decrypt returns binary string
+              when :inet
+                family, prefix, addr = message.unpack("CCa16")
+                len = family == 0 ? 4 : 16
+                message = IPAddr.new_ntoh(addr.first(len))
+                message.prefix = prefix
               else
                 # use original name for serialized attributes
                 type = (try(:attribute_types) || {})[original_name.to_s]

data/lib/lockbox/railtie.rb

@@ -1,6 +1,11 @@
 module Lockbox
   class Railtie < Rails::Railtie
     initializer "lockbox" do |app|
+      if defined?(Rails.application.credentials)
+        # needs to work when lockbox key has a string value
+        Lockbox.master_key ||= Rails.application.credentials.try(:lockbox).try(:fetch, :master_key, nil)
+      end
+
       require "lockbox/carrier_wave_extensions" if defined?(CarrierWave)
 
       if defined?(ActiveStorage)
@@ -14,7 +19,14 @@ module Lockbox
         ActiveStorage::Attached::Many.prepend(Lockbox::ActiveStorageExtensions::AttachedMany)
 
         # use load hooks when possible
-        if ActiveStorage::VERSION::MAJOR >= 6
+        if ActiveStorage::VERSION::MAJOR >= 7
+          ActiveSupport.on_load(:active_storage_attachment) do
+            prepend Lockbox::ActiveStorageExtensions::Attachment
+          end
+          ActiveSupport.on_load(:active_storage_blob) do
+            prepend Lockbox::ActiveStorageExtensions::Blob
+          end
+        elsif ActiveStorage::VERSION::MAJOR >= 6
           ActiveSupport.on_load(:active_storage_attachment) do
             include Lockbox::ActiveStorageExtensions::Attachment
           end

data/lib/lockbox/utils.rb

@@ -93,8 +93,7 @@ module Lockbox
         end
 
         # don't analyze encrypted data
-        metadata = {"analyzed" => true}
-        metadata["encrypted"] = true if options[:migrating]
+        metadata = {"analyzed" => true, "encrypted" => true}
         attachable[:metadata] = (attachable[:metadata] || {}).merge(metadata)
       end
 

data/lib/lockbox/version.rb

@@ -1,3 +1,3 @@
 module Lockbox
-  VERSION = "0.5.0"
+  VERSION = "0.6.4"
 end

metadata

@@ -1,199 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: lockbox
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.4
 platform: ruby
 authors:
 - Andrew Kane
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-11-22 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: carrierwave
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: combustion
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.3'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.3'
-- !ruby/object:Gem::Dependency
-  name: rails
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: minitest
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '5'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '5'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: rbnacl
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '6'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '6'
-- !ruby/object:Gem::Dependency
-  name: sqlite3
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: pg
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: mysql2
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: shrine
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: shrine-mongoid
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: benchmark-ips
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
+date: 2021-04-06 00:00:00.000000000 Z
+dependencies: []
 description:
-email: andrew@chartkick.com
+email: andrew@ankane.org
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -240,7 +58,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.3
 signing_key:
 specification_version: 4
 summary: Modern encryption for Ruby and Rails