RubyGems - lockbox - Versions diffs - 0.6.2 → 0.6.6 - Mend

lockbox 0.6.2 → 0.6.6

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +19 -1
data/README.md +12 -22
data/lib/lockbox/carrier_wave_extensions.rb +4 -1
data/lib/lockbox/model.rb +54 -10
data/lib/lockbox/railtie.rb +8 -1
data/lib/lockbox/version.rb +1 -1
data/lib/lockbox.rb +6 -2
metadata +3 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4ba37bc916c02e18555640f29e47483898a96e04b75639b49ce9a0003fbaa443
-  data.tar.gz: 750a53ca3201e51b6dc0221305d4c021d64716a163a2e0cfc98c11ec8d1b6af8
+  metadata.gz: 71efd55022975063c04c0a0588532e1bdd5167c7f2e6df5c8cf442362b4d52d6
+  data.tar.gz: b823faa4b637c300367032b625972f7d41d0e3e12595921d7474140a955c64c7
 SHA512:
-  metadata.gz: b4e23752c311bf6b161e6817ab204ba0b5936594db5c2509c3f5ef6e354c169097a1c799d7b5147daa0d68982f072d1d22363019c6881566403517f97a5f2c45
-  data.tar.gz: 51ab913facdc34aea3e3ef263dab2fa5c3852aa052de80804ec29019c2517df9244eefb8c15e6f2c1ca0059bfd4f9cc020ce00fff543874f6461faeec1e78443
+  metadata.gz: 0d7fd7b285c51ac3f80657ec8956d7cd4692481d33710be69dfa567da02dd2f38de7bef9e4b43962395d9241d7d8c452d01f156e2124d957f52ea9026c0ea14f
+  data.tar.gz: 5d62ccbb565e9a3a6e76c1b6df617377bdcd1003289634cd16a2ba4b0e1d1a1ec72966c2a98dae27959e471fdf9ca77fd0755d25bd75ce6bd1e0cd7755819162

data/CHANGELOG.md CHANGED Viewed

@@ -1,4 +1,22 @@
-## 0.6.2 (2020-02-08)
+## 0.6.6 (2021-09-27)
+- Fixed `attribute?` method for `boolean` and `integer` types
+## 0.6.5 (2021-07-07)
+- Fixed issue with `pluck` extension not loading in some cases
+## 0.6.4 (2021-04-05)
+- Fixed in place changes in callbacks
+- Fixed `[]` method for encrypted attributes
+## 0.6.3 (2021-03-30)
+- Fixed empty arrays and hashes
+- Fixed content type for CarrierWave 2.2.1
+## 0.6.2 (2021-02-08)
 - Added `inet` type
 - Fixed error when `lockbox` key in Rails credentials has a string value

data/README.md CHANGED Viewed

@@ -72,7 +72,7 @@ Then follow the instructions below for the data you want to encrypt.
 Create a migration with:
 ```ruby
-class AddEmailCiphertextToUsers < ActiveRecord::Migration[6.0]
+class AddEmailCiphertextToUsers < ActiveRecord::Migration[6.1]
   def change
     add_column :users, :email_ciphertext, :text
   end
@@ -248,7 +248,7 @@ User.decrypt_email_ciphertext(user.email_ciphertext)
 Create a migration with:
 ```ruby
-class AddBodyCiphertextToRichTexts < ActiveRecord::Migration[6.0]
+class AddBodyCiphertextToRichTexts < ActiveRecord::Migration[6.1]
   def change
     add_column :action_text_rich_texts, :body_ciphertext, :text
   end
@@ -336,9 +336,7 @@ def license
 end
 ```
-#### Migrating Existing Files [experimental]
-**Note:** This feature is experimental. Please try it in a non-production environment and [share](https://github.com/ankane/lockbox/issues/44) how it goes.
+#### Migrating Existing Files
 Lockbox makes it easy to encrypt existing files without downtime.
@@ -379,7 +377,7 @@ Encryption is applied to all versions after processing.
 You can mount the uploader [as normal](https://github.com/carrierwaveuploader/carrierwave#activerecord). With Active Record, this involves creating a migration:
 ```ruby
-class AddLicenseToUsers < ActiveRecord::Migration[6.0]
+class AddLicenseToUsers < ActiveRecord::Migration[6.1]
   def change
     add_column :users, :license, :string
   end
@@ -568,12 +566,10 @@ Update your model:
 ```ruby
 class User < ApplicationRecord
-  encrypts :email, previous_versions: [{key: previous_key}]
+  encrypts :email, previous_versions: [{master_key: previous_key}]
 end
 ```
-Use `master_key` instead of `key` if passing the master key.
 To rotate existing records, use:
 ```ruby
@@ -587,11 +583,9 @@ Once all records are rotated, you can remove `previous_versions` from the model.
 Update your initializer:
 ```ruby
-Lockbox.encrypts_action_text_body(previous_versions: [{key: previous_key}])
+Lockbox.encrypts_action_text_body(previous_versions: [{master_key: previous_key}])
 ```
-Use `master_key` instead of `key` if passing the master key.
 To rotate existing records, use:
 ```ruby
@@ -606,12 +600,10 @@ Update your model:
 ```ruby
 class User < ApplicationRecord
-  encrypts_attached :license, previous_versions: [{key: previous_key}]
+  encrypts_attached :license, previous_versions: [{master_key: previous_key}]
 end
 ```
-Use `master_key` instead of `key` if passing the master key.
 To rotate existing files, use:
 ```ruby
@@ -628,12 +620,10 @@ Update your model:
 ```ruby
 class LicenseUploader < CarrierWave::Uploader::Base
-  encrypt previous_versions: [{key: previous_key}]
+  encrypt previous_versions: [{master_key: previous_key}]
 end
 ```
-Use `master_key` instead of `key` if passing the master key.
 To rotate existing files, use:
 ```ruby
@@ -708,7 +698,7 @@ This is the default algorithm. It’s:
 Lockbox uses 256-bit keys.
-**For users who do a lot of encryptions:** You should rotate an individual key after 2 billion encryptions to minimize the chance of a [nonce collision](https://www.cryptologie.net/article/402/is-symmetric-security-solved/), which will expose the key. Each database field and file uploader use a different key (derived from the master key) to extend this window.
+**For users who do a lot of encryptions:** You should rotate an individual key after 2 billion encryptions to minimize the chance of a [nonce collision](https://www.cryptologie.net/article/402/is-symmetric-security-solved/), which will expose the authentication key. Each database field and file uploader use a different key (derived from the master key) to extend this window.
 ### XSalsa20
@@ -997,7 +987,7 @@ lockbox.decrypt(ciphertext, associated_data: "othercontext") # fails
 You can use `binary` columns for the ciphertext instead of `text` columns.
 ```ruby
-class AddEmailCiphertextToUsers < ActiveRecord::Migration[6.0]
+class AddEmailCiphertextToUsers < ActiveRecord::Migration[6.1]
   def change
     add_column :users, :email_ciphertext, :binary
   end
@@ -1042,7 +1032,7 @@ end
 Create a migration with:
 ```ruby
-class MigrateToLockbox < ActiveRecord::Migration[6.0]
+class MigrateToLockbox < ActiveRecord::Migration[6.1]
   def change
     add_column :users, :name_ciphertext, :text
     add_column :users, :email_ciphertext, :text
@@ -1075,7 +1065,7 @@ end
 Then remove the previous gem from your Gemfile and drop its columns.
 ```ruby
-class RemovePreviousEncryptedColumns < ActiveRecord::Migration[6.0]
+class RemovePreviousEncryptedColumns < ActiveRecord::Migration[6.1]
   def change
     remove_column :users, :encrypted_name, :text
     remove_column :users, :encrypted_name_iv, :text

data/lib/lockbox/carrier_wave_extensions.rb CHANGED Viewed

@@ -33,7 +33,10 @@ module Lockbox
         end
         def content_type
-          if CarrierWave::VERSION.to_i >= 2
+          if Gem::Version.new(CarrierWave::VERSION) >= Gem::Version.new("2.2.1")
+            # based on CarrierWave::SanitizedFile#marcel_magic_content_type
+            Marcel::Magic.by_magic(read).try(:type) || "invalid/invalid"
+          elsif CarrierWave::VERSION.to_i >= 2
             # based on CarrierWave::SanitizedFile#mime_magic_content_type
             MimeMagic.by_magic(read).try(:type) || "invalid/invalid"
           else

data/lib/lockbox/model.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 module Lockbox
   module Model
-    def encrypts(*attributes, **options)
+    def lockbox_encrypts(*attributes, **options)
       # support objects
       # case options[:type]
       # when Date
@@ -149,16 +149,38 @@ module Lockbox
               # needed for in-place modifications
               # assigned attributes are encrypted on assignment
               # and then again here
-              before_save do
+              def lockbox_sync_attributes
                 self.class.lockbox_attributes.each do |_, lockbox_attribute|
                   attribute = lockbox_attribute[:attribute]
-                  if attribute_changed_in_place?(attribute)
+                  if attribute_changed_in_place?(attribute) || (send("#{attribute}_changed?") && !send("#{lockbox_attribute[:encrypted_attribute]}_changed?"))
                     send("#{attribute}=", send(attribute))
                   end
                 end
               end
+              # safety check
+              [:_create_record, :_update_record].each do |method_name|
+                unless private_method_defined?(method_name) || method_defined?(method_name)
+                  raise Lockbox::Error, "Expected #{method_name} to be defined. Please report an issue."
+                end
+              end
+              def _create_record(*)
+                lockbox_sync_attributes
+                super
+              end
+              def _update_record(*)
+                lockbox_sync_attributes
+                super
+              end
+              def [](attr_name)
+                send(attr_name) if self.class.lockbox_attributes.any? { |_, la| la[:attribute] == attr_name.to_s }
+                super
+              end
               def update_columns(attributes)
                 return super unless attributes.is_a?(Hash)
@@ -194,8 +216,11 @@ module Lockbox
                 attributes_to_set.each do |k, v|
                   if respond_to?(:write_attribute_without_type_cast, true)
                     write_attribute_without_type_cast(k, v)
-                  else
+                  elsif respond_to?(:raw_write_attribute, true)
                     raw_write_attribute(k, v)
+                  else
+                    @attributes.write_cast_value(k, v)
+                    clear_attribute_change(k)
                   end
                 end
@@ -254,7 +279,12 @@ module Lockbox
               # otherwise, type gets set to ActiveModel::Type::Value
               # which always returns false for changed_in_place?
               # earlier versions of Active Record take the previous code path
-              if ActiveRecord::VERSION::STRING.to_f >= 6.1 && attributes_to_define_after_schema_loads[name.to_s].first.is_a?(Proc)
+              if ActiveRecord::VERSION::STRING.to_f >= 7.0 && attributes_to_define_after_schema_loads[name.to_s].first.is_a?(Proc)
+                attribute_type = attributes_to_define_after_schema_loads[name.to_s].first.call(nil)
+                if attribute_type.is_a?(ActiveRecord::Type::Serialized) && attribute_type.subtype.nil?
+                  attribute name, ActiveRecord::Type::Serialized.new(ActiveRecord::Type::String.new, attribute_type.coder)
+                end
+              elsif ActiveRecord::VERSION::STRING.to_f >= 6.1 && attributes_to_define_after_schema_loads[name.to_s].first.is_a?(Proc)
                 attribute_type = attributes_to_define_after_schema_loads[name.to_s].first.call
                 if attribute_type.is_a?(ActiveRecord::Type::Serialized) && attribute_type.subtype.nil?
                   attribute name, ActiveRecord::Type::Serialized.new(ActiveRecord::Type::String.new, attribute_type.coder)
@@ -279,6 +309,11 @@ module Lockbox
                 super()
               end
             end
+            define_method("#{name}?") do
+              # uses public_send, so we don't need to preload attribute
+              query_attribute(name)
+            end
           else
             # keep this module dead simple
             # Mongoid uses changed_attributes to calculate keys to update
@@ -318,10 +353,10 @@ module Lockbox
               send("reset_#{encrypted_attribute}_to_default!")
               send(name)
             end
-          end
-          define_method("#{name}?") do
-            send("#{encrypted_attribute}?")
+            define_method("#{name}?") do
+              send("#{encrypted_attribute}?")
+            end
           end
           define_method("#{name}=") do |message|
@@ -371,7 +406,11 @@ module Lockbox
             # check for this explicitly as a layer of safety
             if message.nil? || ((message == {} || message == []) && activerecord && @attributes[name.to_s].value_before_type_cast.nil?)
               ciphertext = send(encrypted_attribute)
-              message = self.class.send(decrypt_method_name, ciphertext, context: self)
+              # keep original message for empty hashes and arrays
+              unless ciphertext.nil?
+                message = self.class.send(decrypt_method_name, ciphertext, context: self)
+              end
               if activerecord
                 # set previous attribute so changes populate correctly
@@ -383,8 +422,13 @@ module Lockbox
                 # decrypt method does type casting
                 if respond_to?(:write_attribute_without_type_cast, true)
                   write_attribute_without_type_cast(name.to_s, message) if !@attributes.frozen?
-                else
+                elsif respond_to?(:raw_write_attribute, true)
                   raw_write_attribute(name, message) if !@attributes.frozen?
+                else
+                  if !@attributes.frozen?
+                    @attributes.write_cast_value(name.to_s, message)
+                    clear_attribute_change(name)
+                  end
                 end
               else
                 instance_variable_set("@#{name}", message)

data/lib/lockbox/railtie.rb CHANGED Viewed

@@ -19,7 +19,14 @@ module Lockbox
         ActiveStorage::Attached::Many.prepend(Lockbox::ActiveStorageExtensions::AttachedMany)
         # use load hooks when possible
-        if ActiveStorage::VERSION::MAJOR >= 6
+        if ActiveStorage::VERSION::MAJOR >= 7
+          ActiveSupport.on_load(:active_storage_attachment) do
+            prepend Lockbox::ActiveStorageExtensions::Attachment
+          end
+          ActiveSupport.on_load(:active_storage_blob) do
+            prepend Lockbox::ActiveStorageExtensions::Blob
+          end
+        elsif ActiveStorage::VERSION::MAJOR >= 6
           ActiveSupport.on_load(:active_storage_attachment) do
             include Lockbox::ActiveStorageExtensions::Attachment
           end

data/lib/lockbox/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Lockbox
-  VERSION = "0.6.2"
+  VERSION = "0.6.6"
 end

data/lib/lockbox.rb CHANGED Viewed

@@ -34,11 +34,15 @@ if defined?(ActiveSupport.on_load)
     extend Lockbox::Model
     extend Lockbox::Model::Attached
-    ActiveRecord::Calculations.prepend Lockbox::Calculations
+    # alias_method is private in Ruby < 2.5
+    singleton_class.send(:alias_method, :encrypts, :lockbox_encrypts) if ActiveRecord::VERSION::MAJOR < 7
+    ActiveRecord::Relation.prepend Lockbox::Calculations
   end
   ActiveSupport.on_load(:mongoid) do
     Mongoid::Document::ClassMethods.include(Lockbox::Model)
+    # alias_method is private in Ruby < 2.5
+    Mongoid::Document::ClassMethods.send(:alias_method, :encrypts, :lockbox_encrypts)
   end
 end
@@ -106,7 +110,7 @@ module Lockbox
   def self.encrypts_action_text_body(**options)
     ActiveSupport.on_load(:action_text_rich_text) do
-      ActionText::RichText.encrypts :body, **options
+      ActionText::RichText.lockbox_encrypts :body, **options
     end
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lockbox
 version: !ruby/object:Gem::Version
-  version: 0.6.2
+  version: 0.6.6
 platform: ruby
 authors:
 - Andrew Kane
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-08 00:00:00.000000000 Z
+date: 2021-09-28 00:00:00.000000000 Z
 dependencies: []
 description:
 email: andrew@ankane.org
@@ -58,7 +58,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.2.22
 signing_key:
 specification_version: 4
 summary: Modern encryption for Ruby and Rails