RubyGems - lockbox - Versions diffs - 0.6.2 → 0.6.6 - Mend

lockbox 0.6.2 → 0.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +19 -1
data/README.md +12 -22
data/lib/lockbox/carrier_wave_extensions.rb +4 -1
data/lib/lockbox/model.rb +54 -10
data/lib/lockbox/railtie.rb +8 -1
data/lib/lockbox/version.rb +1 -1
data/lib/lockbox.rb +6 -2
metadata +3 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4ba37bc916c02e18555640f29e47483898a96e04b75639b49ce9a0003fbaa443
-  data.tar.gz: 750a53ca3201e51b6dc0221305d4c021d64716a163a2e0cfc98c11ec8d1b6af8
+  metadata.gz: 71efd55022975063c04c0a0588532e1bdd5167c7f2e6df5c8cf442362b4d52d6
+  data.tar.gz: b823faa4b637c300367032b625972f7d41d0e3e12595921d7474140a955c64c7
 SHA512:
-  metadata.gz: b4e23752c311bf6b161e6817ab204ba0b5936594db5c2509c3f5ef6e354c169097a1c799d7b5147daa0d68982f072d1d22363019c6881566403517f97a5f2c45
-  data.tar.gz: 51ab913facdc34aea3e3ef263dab2fa5c3852aa052de80804ec29019c2517df9244eefb8c15e6f2c1ca0059bfd4f9cc020ce00fff543874f6461faeec1e78443
+  metadata.gz: 0d7fd7b285c51ac3f80657ec8956d7cd4692481d33710be69dfa567da02dd2f38de7bef9e4b43962395d9241d7d8c452d01f156e2124d957f52ea9026c0ea14f
+  data.tar.gz: 5d62ccbb565e9a3a6e76c1b6df617377bdcd1003289634cd16a2ba4b0e1d1a1ec72966c2a98dae27959e471fdf9ca77fd0755d25bd75ce6bd1e0cd7755819162

data/CHANGELOG.md CHANGED Viewed

@@ -1,4 +1,22 @@
-## 0.6.2 (2020-02-08)
+## 0.6.6 (2021-09-27)
+- Fixed `attribute?` method for `boolean` and `integer` types
+## 0.6.5 (2021-07-07)
+- Fixed issue with `pluck` extension not loading in some cases
+## 0.6.4 (2021-04-05)
+- Fixed in place changes in callbacks
+- Fixed `[]` method for encrypted attributes
+## 0.6.3 (2021-03-30)
+- Fixed empty arrays and hashes
+- Fixed content type for CarrierWave 2.2.1
+## 0.6.2 (2021-02-08)
 - Added `inet` type
 - Fixed error when `lockbox` key in Rails credentials has a string value

data/README.md CHANGED Viewed

@@ -72,7 +72,7 @@ Then follow the instructions below for the data you want to encrypt.
 Create a migration with:
 ```ruby
-class AddEmailCiphertextToUsers < ActiveRecord::Migration[6.0]
+class AddEmailCiphertextToUsers < ActiveRecord::Migration[6.1]
   def change
     add_column :users, :email_ciphertext, :text
   end
@@ -248,7 +248,7 @@ User.decrypt_email_ciphertext(user.email_ciphertext)
 Create a migration with:
 ```ruby
-class AddBodyCiphertextToRichTexts < ActiveRecord::Migration[6.0]
+class AddBodyCiphertextToRichTexts < ActiveRecord::Migration[6.1]
   def change
     add_column :action_text_rich_texts, :body_ciphertext, :text
   end
@@ -336,9 +336,7 @@ def license
 end
 ```
-#### Migrating Existing Files [experimental]
-**Note:** This feature is experimental. Please try it in a non-production environment and [share](https://github.com/ankane/lockbox/issues/44) how it goes.
+#### Migrating Existing Files
 Lockbox makes it easy to encrypt existing files without downtime.
@@ -379,7 +377,7 @@ Encryption is applied to all versions after processing.
 You can mount the uploader [as normal](https://github.com/carrierwaveuploader/carrierwave#activerecord). With Active Record, this involves creating a migration:
 ```ruby
-class AddLicenseToUsers < ActiveRecord::Migration[6.0]
+class AddLicenseToUsers < ActiveRecord::Migration[6.1]
   def change
     add_column :users, :license, :string
   end
@@ -568,12 +566,10 @@ Update your model:
 ```ruby
 class User < ApplicationRecord
-  encrypts :email, previous_versions: [{key: previous_key}]
+  encrypts :email, previous_versions: [{master_key: previous_key}]
 end
 ```
-Use `master_key` instead of `key` if passing the master key.
 To rotate existing records, use:
 ```ruby
@@ -587,11 +583,9 @@ Once all records are rotated, you can remove `previous_versions` from the model.
 Update your initializer:
 ```ruby
-Lockbox.encrypts_action_text_body(previous_versions: [{key: previous_key}])
+Lockbox.encrypts_action_text_body(previous_versions: [{master_key: previous_key}])
 ```
-Use `master_key` instead of `key` if passing the master key.
 To rotate existing records, use:
 ```ruby
@@ -606,12 +600,10 @@ Update your model:
 ```ruby
 class User < ApplicationRecord
-  encrypts_attached :license, previous_versions: [{key: previous_key}]
+  encrypts_attached :license, previous_versions: [{master_key: previous_key}]
 end
 ```
-Use `master_key` instead of `key` if passing the master key.
 To rotate existing files, use:
 ```ruby
@@ -628,12 +620,10 @@ Update your model:
 ```ruby
 class LicenseUploader < CarrierWave::Uploader::Base
-  encrypt previous_versions: [{key: previous_key}]
+  encrypt previous_versions: [{master_key: previous_key}]
 end
 ```
-Use `master_key` instead of `key` if passing the master key.
 To rotate existing files, use:
 ```ruby
@@ -708,7 +698,7 @@ This is the default algorithm. It’s:
 Lockbox uses 256-bit keys.
-**For users who do a lot of encryptions:** You should rotate an individual key after 2 billion encryptions to minimize the chance of a [nonce collision](https://www.cryptologie.net/article/402/is-symmetric-security-solved/), which will expose the key. Each database field and file uploader use a different key (derived from the master key) to extend this window.
+**For users who do a lot of encryptions:** You should rotate an individual key after 2 billion encryptions to minimize the chance of a [nonce collision](https://www.cryptologie.net/article/402/is-symmetric-security-solved/), which will expose the authentication key. Each database field and file uploader use a different key (derived from the master key) to extend this window.
 ### XSalsa20
@@ -997,7 +987,7 @@ lockbox.decrypt(ciphertext, associated_data: "othercontext") # fails
 You can use `binary` columns for the ciphertext instead of `text` columns.
 ```ruby
-class AddEmailCiphertextToUsers < ActiveRecord::Migration[6.0]
+class AddEmailCiphertextToUsers < ActiveRecord::Migration[6.1]
   def change
     add_column :users, :email_ciphertext, :binary
   end
@@ -1042,7 +1032,7 @@ end
 Create a migration with:
 ```ruby
-class MigrateToLockbox < ActiveRecord::Migration[6.0]
+class MigrateToLockbox < ActiveRecord::Migration[6.1]
   def change
     add_column :users, :name_ciphertext, :text
     add_column :users, :email_ciphertext, :text
@@ -1075,7 +1065,7 @@ end
 Then remove the previous gem from your Gemfile and drop its columns.
 ```ruby
-class RemovePreviousEncryptedColumns < ActiveRecord::Migration[6.0]
+class RemovePreviousEncryptedColumns < ActiveRecord::Migration[6.1]
   def change
     remove_column :users, :encrypted_name, :text
     remove_column :users, :encrypted_name_iv, :text

data/lib/lockbox/carrier_wave_extensions.rb CHANGED Viewed

@@ -33,7 +33,10 @@ module Lockbox
         end
         def content_type
-          if CarrierWave::VERSION.to_i >= 2
+          if Gem::Version.new(CarrierWave::VERSION) >= Gem::Version.new("2.2.1")
+            # based on CarrierWave::SanitizedFile#marcel_magic_content_type
+            Marcel::Magic.by_magic(read).try(:type) || "invalid/invalid"
+          elsif CarrierWave::VERSION.to_i >= 2
             # based on CarrierWave::SanitizedFile#mime_magic_content_type
             MimeMagic.by_magic(read).try(:type) || "invalid/invalid"
           else

data/lib/lockbox/model.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 module Lockbox
   module Model
-    def encrypts(*attributes, **options)
+    def lockbox_encrypts(*attributes, **options)
       # support objects
       # case options[:type]
       # when Date
@@ -149,16 +149,38 @@ module Lockbox
               # needed for in-place modifications
               # assigned attributes are encrypted on assignment
               # and then again here
-              before_save do
+              def lockbox_sync_attributes
                 self.class.lockbox_attributes.each do |_, lockbox_attribute|
                   attribute = lockbox_attribute[:attribute]
-                  if attribute_changed_in_place?(attribute)
+                  if attribute_changed_in_place?(attribute) || (send("#{attribute}_changed?") && !send("#{lockbox_attribute[:encrypted_attribute]}_changed?"))
                     send("#{attribute}=", send(attribute))
                   end
                 end
               end
+              # safety check
+              [:_create_record, :_update_record].each do |method_name|
+                unless private_method_defined?(method_name) || method_defined?(method_name)
+                  raise Lockbox::Error, "Expected #{method_name} to be defined. Please report an issue."
+                end
+              end
+              def _create_record(*)
+                lockbox_sync_attributes
+                super
+              end
+              def _update_record(*)
+                lockbox_sync_attributes
+                super
+              end
+              def [](attr_name)
+                send(attr_name) if self.class.lockbox_attributes.any? { |_, la| la[:attribute] == attr_name.to_s }
+                super
+              end
               def update_columns(attributes)
                 return super unless attributes.is_a?(Hash)
@@ -194,8 +216,11 @@ module Lockbox
                 attributes_to_set.each do |k, v|
                   if respond_to?(:write_attribute_without_type_cast, true)
                     write_attribute_without_type_cast(k, v)
-                  else
+                  elsif respond_to?(:raw_write_attribute, true)
                     raw_write_attribute(k, v)
+                  else
+                    @attributes.write_cast_value(k, v)
+                    clear_attribute_change(k)
                   end
                 end
@@ -254,7 +279,12 @@ module Lockbox
               # otherwise, type gets set to ActiveModel::Type::Value
               # which always returns false for changed_in_place?
               # earlier versions of Active Record take the previous code path
-              if ActiveRecord::VERSION::STRING.to_f >= 6.1 && attributes_to_define_after_schema_loads[name.to_s].first.is_a?(Proc)
+              if ActiveRecord::VERSION::STRING.to_f >= 7.0 && attributes_to_define_after_schema_loads[name.to_s].first.is_a?(Proc)
+                attribute_type = attributes_to_define_after_schema_loads[name.to_s].first.call(nil)
+                if attribute_type.is_a?(ActiveRecord::Type::Serialized) && attribute_type.subtype.nil?
+                  attribute name, ActiveRecord::Type::Serialized.new(ActiveRecord::Type::String.new, attribute_type.coder)
+                end
+              elsif ActiveRecord::VERSION::STRING.to_f >= 6.1 && attributes_to_define_after_schema_loads[name.to_s].first.is_a?(Proc)
                 attribute_type = attributes_to_define_after_schema_loads[name.to_s].first.call
                 if attribute_type.is_a?(ActiveRecord::Type::Serialized) && attribute_type.subtype.nil?
                   attribute name, ActiveRecord::Type::Serialized.new(ActiveRecord::Type::String.new, attribute_type.coder)
@@ -279,6 +309,11 @@ module Lockbox
                 super()
               end
             end
+            define_method("#{name}?") do
+              # uses public_send, so we don't need to preload attribute
+              query_attribute(name)
+            end
           else
             # keep this module dead simple
             # Mongoid uses changed_attributes to calculate keys to update
@@ -318,10 +353,10 @@ module Lockbox
               send("reset_#{encrypted_attribute}_to_default!")
               send(name)
             end
-          end
-          define_method("#{name}?") do
-            send("#{encrypted_attribute}?")
+            define_method("#{name}?") do
+              send("#{encrypted_attribute}?")
+            end
           end
           define_method("#{name}=") do |message|
@@ -371,7 +406,11 @@ module Lockbox
             # check for this explicitly as a layer of safety
             if message.nil? || ((message == {} || message == []) && activerecord && @attributes[name.to_s].value_before_type_cast.nil?)
               ciphertext = send(encrypted_attribute)
-              message = self.class.send(decrypt_method_name, ciphertext, context: self)
+              # keep original message for empty hashes and arrays
+              unless ciphertext.nil?
+                message = self.class.send(decrypt_method_name, ciphertext, context: self)
+              end
               if activerecord
                 # set previous attribute so changes populate correctly
@@ -383,8 +422,13 @@ module Lockbox
                 # decrypt method does type casting
                 if respond_to?(:write_attribute_without_type_cast, true)
                   write_attribute_without_type_cast(name.to_s, message) if !@attributes.frozen?
-                else
+                elsif respond_to?(:raw_write_attribute, true)
                   raw_write_attribute(name, message) if !@attributes.frozen?
+                else
+                  if !@attributes.frozen?
+                    @attributes.write_cast_value(name.to_s, message)
+                    clear_attribute_change(name)
+                  end
                 end
               else
                 instance_variable_set("@#{name}", message)

data/lib/lockbox/railtie.rb CHANGED Viewed

@@ -19,7 +19,14 @@ module Lockbox
         ActiveStorage::Attached::Many.prepend(Lockbox::ActiveStorageExtensions::AttachedMany)
         # use load hooks when possible
-        if ActiveStorage::VERSION::MAJOR >= 6
+        if ActiveStorage::VERSION::MAJOR >= 7
+          ActiveSupport.on_load(:active_storage_attachment) do
+            prepend Lockbox::ActiveStorageExtensions::Attachment
+          end
+          ActiveSupport.on_load(:active_storage_blob) do
+            prepend Lockbox::ActiveStorageExtensions::Blob
+          end
+        elsif ActiveStorage::VERSION::MAJOR >= 6
           ActiveSupport.on_load(:active_storage_attachment) do
             include Lockbox::ActiveStorageExtensions::Attachment
           end

data/lib/lockbox/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Lockbox
-  VERSION = "0.6.2"
+  VERSION = "0.6.6"
 end

data/lib/lockbox.rb CHANGED Viewed

@@ -34,11 +34,15 @@ if defined?(ActiveSupport.on_load)
     extend Lockbox::Model
     extend Lockbox::Model::Attached
-    ActiveRecord::Calculations.prepend Lockbox::Calculations
+    # alias_method is private in Ruby < 2.5
+    singleton_class.send(:alias_method, :encrypts, :lockbox_encrypts) if ActiveRecord::VERSION::MAJOR < 7
+    ActiveRecord::Relation.prepend Lockbox::Calculations
   end
   ActiveSupport.on_load(:mongoid) do
     Mongoid::Document::ClassMethods.include(Lockbox::Model)
+    # alias_method is private in Ruby < 2.5
+    Mongoid::Document::ClassMethods.send(:alias_method, :encrypts, :lockbox_encrypts)
   end
 end
@@ -106,7 +110,7 @@ module Lockbox
   def self.encrypts_action_text_body(**options)
     ActiveSupport.on_load(:action_text_rich_text) do
-      ActionText::RichText.encrypts :body, **options
+      ActionText::RichText.lockbox_encrypts :body, **options
     end
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lockbox
 version: !ruby/object:Gem::Version
-  version: 0.6.2
+  version: 0.6.6
 platform: ruby
 authors:
 - Andrew Kane
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-08 00:00:00.000000000 Z
+date: 2021-09-28 00:00:00.000000000 Z
 dependencies: []
 description:
 email: andrew@ankane.org
@@ -58,7 +58,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.2.22
 signing_key:
 specification_version: 4
 summary: Modern encryption for Ruby and Rails