lockbox 0.6.2 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4ba37bc916c02e18555640f29e47483898a96e04b75639b49ce9a0003fbaa443
-  data.tar.gz: 750a53ca3201e51b6dc0221305d4c021d64716a163a2e0cfc98c11ec8d1b6af8
+  metadata.gz: 1a8a7995008cdd49c48d95e0a968e45666276fb095de76954ef949800080d40b
+  data.tar.gz: da7d7796776c325ce1871a2755f6cc012c060f16293cbe28a31f2547c92ec0ad
 SHA512:
-  metadata.gz: b4e23752c311bf6b161e6817ab204ba0b5936594db5c2509c3f5ef6e354c169097a1c799d7b5147daa0d68982f072d1d22363019c6881566403517f97a5f2c45
-  data.tar.gz: 51ab913facdc34aea3e3ef263dab2fa5c3852aa052de80804ec29019c2517df9244eefb8c15e6f2c1ca0059bfd4f9cc020ce00fff543874f6461faeec1e78443
+  metadata.gz: d97e45d14fbc7f452eef5e09c2b2d8d3b2c2f5d4b8a42645c0138849b21ef61194f7cf2e36158f4e920b7cc5709cef63a9769310f97cdd40c3f78790415100d0
+  data.tar.gz: f04c5264be1ec1e69c406593bdc143f10f846776a34744d38a368ba0e0d2662c874315b9387c5e7c53a47621cbabb2da146114008d1b5963dcc3e8b845a86ff2

data/CHANGELOG.md

@@ -1,4 +1,48 @@
-## 0.6.2 (2020-02-08)
+## 1.1.1 (2022-12-08)
+
+- Fixed error when `StringIO` not loaded
+
+## 1.1.0 (2022-10-09)
+
+- Added support for `insert`, `insert_all`, `insert_all!`, `upsert`, and `upsert_all`
+
+## 1.0.0 (2022-06-11)
+
+- Deprecated `encrypts` in favor of `has_encrypted` to avoid conflicting with Active Record encryption
+- Deprecated `lockbox_encrypts` in favor of `has_encrypted`
+- Fixed error with `pluck`
+- Restored warning for attributes with `default` option
+- Dropped support for Active Record < 5.2 and Ruby < 2.6
+
+## 0.6.8 (2022-01-25)
+
+- Fixed issue with `encrypts` loading model schema early
+- Removed warning for attributes with `default` option
+
+## 0.6.7 (2022-01-25)
+
+- Added warning for attributes with `default` option
+- Removed warning for Active Record 5.0 (still supported)
+
+## 0.6.6 (2021-09-27)
+
+- Fixed `attribute?` method for `boolean` and `integer` types
+
+## 0.6.5 (2021-07-07)
+
+- Fixed issue with `pluck` extension not loading in some cases
+
+## 0.6.4 (2021-04-05)
+
+- Fixed in place changes in callbacks
+- Fixed `[]` method for encrypted attributes
+
+## 0.6.3 (2021-03-30)
+
+- Fixed empty arrays and hashes
+- Fixed content type for CarrierWave 2.2.1
+
+## 0.6.2 (2021-02-08)
 
 - Added `inet` type
 - Fixed error when `lockbox` key in Rails credentials has a string value
@@ -7,6 +51,7 @@
 ## 0.6.1 (2020-12-03)
 
 - Added integration with Rails credentials
+- Added warning for unsupported versions of Active Record
 - Fixed in place changes for Active Record 6.1
 - Fixed error with `content_type` method for CarrierWave < 2
 

data/LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2018-2021 Andrew Kane
+Copyright (c) 2018-2022 Andrew Kane
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -16,7 +16,7 @@ Learn [the principles behind it](https://ankane.org/modern-encryption-rails), [h
 Add this line to your application’s Gemfile:
 
 ```ruby
-gem 'lockbox'
+gem "lockbox"
 ```
 
 ## Key Generation
@@ -72,7 +72,7 @@ Then follow the instructions below for the data you want to encrypt.
 Create a migration with:
 
 ```ruby
-class AddEmailCiphertextToUsers < ActiveRecord::Migration[6.0]
+class AddEmailCiphertextToUsers < ActiveRecord::Migration[7.0]
   def change
     add_column :users, :email_ciphertext, :text
   end
@@ -83,7 +83,7 @@ Add to your model:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :email
+  has_encrypted :email
 end
 ```
 
@@ -101,7 +101,7 @@ You can specify multiple fields in single line.
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :email, :phone, :city
+  has_encrypted :email, :phone, :city
 end
 ```
 
@@ -111,17 +111,17 @@ Fields are strings by default. Specify the type of a field with:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :born_on, type: :date
-  encrypts :signed_at, type: :datetime
-  encrypts :opens_at, type: :time
-  encrypts :active, type: :boolean
-  encrypts :salary, type: :integer
-  encrypts :latitude, type: :float
-  encrypts :video, type: :binary
-  encrypts :properties, type: :json
-  encrypts :settings, type: :hash
-  encrypts :messages, type: :array
-  encrypts :ip, type: :inet
+  has_encrypted :birthday, type: :date
+  has_encrypted :signed_at, type: :datetime
+  has_encrypted :opens_at, type: :time
+  has_encrypted :active, type: :boolean
+  has_encrypted :salary, type: :integer
+  has_encrypted :latitude, type: :float
+  has_encrypted :video, type: :binary
+  has_encrypted :properties, type: :json
+  has_encrypted :settings, type: :hash
+  has_encrypted :messages, type: :array
+  has_encrypted :ip, type: :inet
 end
 ```
 
@@ -135,7 +135,7 @@ class User < ApplicationRecord
   store :settings, accessors: [:color, :homepage]
   attribute :configuration, CustomType.new
 
-  encrypts :properties, :settings, :configuration
+  has_encrypted :properties, :settings, :configuration
 end
 ```
 
@@ -143,7 +143,7 @@ For [StoreModel](https://github.com/DmitryTsepelev/store_model), use:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :configuration, type: Configuration.to_type
+  has_encrypted :configuration, type: Configuration.to_type
 
   after_initialize do
     self.configuration ||= {}
@@ -174,7 +174,7 @@ Add a new column for the ciphertext, then add to your model:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :email, migrating: true
+  has_encrypted :email, migrating: true
 end
 ```
 
@@ -188,7 +188,7 @@ Then update the model to the desired state:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :email
+  has_encrypted :email
 
   # remove this line after dropping email column
   self.ignored_columns = ["email"]
@@ -248,7 +248,7 @@ User.decrypt_email_ciphertext(user.email_ciphertext)
 Create a migration with:
 
 ```ruby
-class AddBodyCiphertextToRichTexts < ActiveRecord::Migration[6.0]
+class AddBodyCiphertextToRichTexts < ActiveRecord::Migration[7.0]
   def change
     add_column :action_text_rich_texts, :body_ciphertext, :text
   end
@@ -287,7 +287,7 @@ Add to your model:
 class User
   field :email_ciphertext, type: String
 
-  encrypts :email
+  has_encrypted :email
 end
 ```
 
@@ -336,9 +336,9 @@ def license
 end
 ```
 
-#### Migrating Existing Files [experimental]
+Use `filename` to specify a filename or `disposition: "inline"` to show inline.
 
-**Note:** This feature is experimental. Please try it in a non-production environment and [share](https://github.com/ankane/lockbox/issues/44) how it goes.
+#### Migrating Existing Files
 
 Lockbox makes it easy to encrypt existing files without downtime.
 
@@ -379,7 +379,7 @@ Encryption is applied to all versions after processing.
 You can mount the uploader [as normal](https://github.com/carrierwaveuploader/carrierwave#activerecord). With Active Record, this involves creating a migration:
 
 ```ruby
-class AddLicenseToUsers < ActiveRecord::Migration[6.0]
+class AddLicenseToUsers < ActiveRecord::Migration[7.0]
   def change
     add_column :users, :license, :string
   end
@@ -403,6 +403,8 @@ def license
 end
 ```
 
+Use `filename` to specify a filename or `disposition: "inline"` to show inline.
+
 #### Migrating Existing Files
 
 Encrypt existing files without downtime. Create a new encrypted uploader:
@@ -478,6 +480,8 @@ def license
 end
 ```
 
+Use `filename` to specify a filename or `disposition: "inline"` to show inline.
+
 #### Non-Models
 
 Generate a key
@@ -568,12 +572,10 @@ Update your model:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :email, previous_versions: [{key: previous_key}]
+  has_encrypted :email, previous_versions: [{master_key: previous_key}]
 end
 ```
 
-Use `master_key` instead of `key` if passing the master key.
-
 To rotate existing records, use:
 
 ```ruby
@@ -587,11 +589,9 @@ Once all records are rotated, you can remove `previous_versions` from the model.
 Update your initializer:
 
 ```ruby
-Lockbox.encrypts_action_text_body(previous_versions: [{key: previous_key}])
+Lockbox.encrypts_action_text_body(previous_versions: [{master_key: previous_key}])
 ```
 
-Use `master_key` instead of `key` if passing the master key.
-
 To rotate existing records, use:
 
 ```ruby
@@ -606,12 +606,10 @@ Update your model:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts_attached :license, previous_versions: [{key: previous_key}]
+  encrypts_attached :license, previous_versions: [{master_key: previous_key}]
 end
 ```
 
-Use `master_key` instead of `key` if passing the master key.
-
 To rotate existing files, use:
 
 ```ruby
@@ -628,12 +626,10 @@ Update your model:
 
 ```ruby
 class LicenseUploader < CarrierWave::Uploader::Base
-  encrypt previous_versions: [{key: previous_key}]
+  encrypt previous_versions: [{master_key: previous_key}]
 end
 ```
 
-Use `master_key` instead of `key` if passing the master key.
-
 To rotate existing files, use:
 
 ```ruby
@@ -708,105 +704,45 @@ This is the default algorithm. It’s:
 
 Lockbox uses 256-bit keys.
 
-**For users who do a lot of encryptions:** You should rotate an individual key after 2 billion encryptions to minimize the chance of a [nonce collision](https://www.cryptologie.net/article/402/is-symmetric-security-solved/), which will expose the key. Each database field and file uploader use a different key (derived from the master key) to extend this window.
+**For users who do a lot of encryptions:** You should rotate an individual key after 2 billion encryptions to minimize the chance of a [nonce collision](https://www.cryptologie.net/article/402/is-symmetric-security-solved/), which will expose the authentication key. Each database field and file uploader use a different key (derived from the master key) to extend this window.
 
 ### XSalsa20
 
-You can also use XSalsa20, which uses an extended nonce so you don’t have to worry about nonce collisions. First, [install Libsodium](https://github.com/crypto-rb/rbnacl/wiki/Installing-libsodium). For Homebrew, use:
+You can also use XSalsa20, which uses an extended nonce so you don’t have to worry about nonce collisions. First, [install Libsodium](https://github.com/crypto-rb/rbnacl/wiki/Installing-libsodium). It comes preinstalled on [Heroku](https://devcenter.heroku.com/articles/stack-packages). For Homebrew, use:
 
 ```sh
 brew install libsodium
 ```
 
-And add to your Gemfile:
+And for Ubuntu, use:
+
+```sh
+sudo apt-get install libsodium23
+```
+
+Then add to your Gemfile:
 
 ```ruby
-gem 'rbnacl'
+gem "rbnacl"
 ```
 
-Then add to your model:
+And add to your model:
 
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :email, algorithm: "xsalsa20"
+  has_encrypted :email, algorithm: "xsalsa20"
 end
 ```
 
 Make it the default with:
 
 ```ruby
-Lockbox.default_options = {algorithm: "xsalsa20"}
+Lockbox.default_options[:algorithm] = "xsalsa20"
 ```
 
 You can also pass an algorithm to `previous_versions` for key rotation.
 
-#### XSalsa20 Deployment
-
-##### Heroku
-
-Heroku [comes with libsodium](https://devcenter.heroku.com/articles/stack-packages) preinstalled.
-
-##### Ubuntu
-
-For Ubuntu 20.04 and 18.04, use:
-
-```sh
-sudo apt-get install libsodium23
-```
-
-For Ubuntu 16.04, use:
-
-```sh
-sudo apt-get install libsodium18
-```
-
-##### GitHub Actions
-
-For Ubuntu 20.04 and 18.04, use:
-
-```yml
-    - name: Install Libsodium
-      run: sudo apt-get update && sudo apt-get install libsodium23
-```
-
-For Ubuntu 16.04, use:
-
-```yml
-    - name: Install Libsodium
-      run: sudo apt-get update && sudo apt-get install libsodium18
-```
-
-##### Travis CI
-
-On Bionic, add to `.travis.yml`:
-
-```yml
-addons:
-  apt:
-    packages:
-      - libsodium23
-```
-
-On Xenial, add to `.travis.yml`:
-
-```yml
-addons:
-  apt:
-    packages:
-      - libsodium18
-```
-
-##### CircleCI
-
-Add a step to `.circleci/config.yml`:
-
-```yml
-- run:
-    name: install Libsodium
-    command: sudo apt-get install -y libsodium18
-```
-
 ## Hybrid Cryptography
 
 [Hybrid cryptography](https://en.wikipedia.org/wiki/Hybrid_cryptosystem) allows servers to encrypt data without being able to decrypt it.
@@ -823,7 +759,7 @@ Store the keys with your other secrets. Then use:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :email, algorithm: "hybrid", encryption_key: encryption_key, decryption_key: decryption_key
+  has_encrypted :email, algorithm: "hybrid", encryption_key: encryption_key, decryption_key: decryption_key
 end
 ```
 
@@ -853,7 +789,7 @@ To rename a table with encrypted columns/uploaders, use:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :email, key_table: "original_table"
+  has_encrypted :email, key_table: "original_table"
 end
 ```
 
@@ -861,7 +797,7 @@ To rename an encrypted column itself, use:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :email, key_attribute: "original_column"
+  has_encrypted :email, key_attribute: "original_column"
 end
 ```
 
@@ -871,7 +807,7 @@ To set a key for an individual field/uploader, use a string:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :email, key: ENV["USER_EMAIL_ENCRYPTION_KEY"]
+  has_encrypted :email, key: ENV["USER_EMAIL_ENCRYPTION_KEY"]
 end
 ```
 
@@ -879,7 +815,7 @@ Or a proc:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :email, key: -> { code }
+  has_encrypted :email, key: -> { code }
 end
 ```
 
@@ -889,7 +825,7 @@ To use a different key for each record, use a symbol:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :email, key: :some_method
+  has_encrypted :email, key: :some_method
 end
 ```
 
@@ -897,7 +833,7 @@ Or a proc:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :email, key: -> { some_method }
+  has_encrypted :email, key: -> { some_method }
 end
 ```
 
@@ -909,7 +845,7 @@ For Active Record and Mongoid, use:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :email, key: :kms_key
+  has_encrypted :email, key: :kms_key
 end
 ```
 
@@ -997,7 +933,7 @@ lockbox.decrypt(ciphertext, associated_data: "othercontext") # fails
 You can use `binary` columns for the ciphertext instead of `text` columns.
 
 ```ruby
-class AddEmailCiphertextToUsers < ActiveRecord::Migration[6.0]
+class AddEmailCiphertextToUsers < ActiveRecord::Migration[7.0]
   def change
     add_column :users, :email_ciphertext, :binary
   end
@@ -1008,7 +944,7 @@ Disable Base64 encoding to save space.
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :email, encode: false
+  has_encrypted :email, encode: false
 end
 ```
 
@@ -1042,7 +978,7 @@ end
 Create a migration with:
 
 ```ruby
-class MigrateToLockbox < ActiveRecord::Migration[6.0]
+class MigrateToLockbox < ActiveRecord::Migration[7.0]
   def change
     add_column :users, :name_ciphertext, :text
     add_column :users, :email_ciphertext, :text
@@ -1050,11 +986,11 @@ class MigrateToLockbox < ActiveRecord::Migration[6.0]
 end
 ```
 
-And add `encrypts` to your model with the `migrating` option:
+And add `has_encrypted` to your model with the `migrating` option:
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :name, :email, migrating: true
+  has_encrypted :name, :email, migrating: true
 end
 ```
 
@@ -1068,14 +1004,14 @@ Once all records are migrated, remove the `migrating` option and the previous mo
 
 ```ruby
 class User < ApplicationRecord
-  encrypts :name, :email
+  has_encrypted :name, :email
 end
 ```
 
 Then remove the previous gem from your Gemfile and drop its columns.
 
 ```ruby
-class RemovePreviousEncryptedColumns < ActiveRecord::Migration[6.0]
+class RemovePreviousEncryptedColumns < ActiveRecord::Migration[7.0]
   def change
     remove_column :users, :encrypted_name, :text
     remove_column :users, :encrypted_name_iv, :text
@@ -1087,81 +1023,31 @@ end
 
 ## Upgrading
 
-### 0.6.0
+### 1.0.0
 
-0.6.0 adds `encrypted: true` to Active Storage metadata for new files. This field is informational, but if you prefer to add it to existing files, use:
+`encrypts` is now deprecated in favor of `has_encrypted` to avoid conflicting with Active Record encryption.
 
 ```ruby
-User.with_attached_license.find_each do |user|
-  next unless user.license.attached?
-
-  metadata = user.license.metadata
-  unless metadata["encrypted"]
-    user.license.blob.update!(metadata: metadata.merge("encrypted" => true))
-  end
+class User < ApplicationRecord
+  has_encrypted :email
 end
 ```
 
-### 0.3.6
+### 0.6.0
 
-0.3.6 makes content type detection more reliable for Active Storage. You can check and update the content type of existing files with:
+0.6.0 adds `encrypted: true` to Active Storage metadata for new files. This field is informational, but if you prefer to add it to existing files, use:
 
 ```ruby
 User.with_attached_license.find_each do |user|
   next unless user.license.attached?
 
-  license = user.license
-  content_type = Marcel::MimeType.for(license.download, name: license.filename.to_s)
-  if content_type != license.content_type
-    license.update!(content_type: content_type)
+  metadata = user.license.metadata
+  unless metadata["encrypted"]
+    user.license.blob.update!(metadata: metadata.merge("encrypted" => true))
   end
 end
 ```
 
-### 0.2.0
-
-0.2.0 brings a number of improvements. Here are a few to be aware of:
-
-- Added `encrypts` method for database fields
-- Added support for XSalsa20
-- `attached_encrypted` is deprecated in favor of `encrypts_attached`.
-
-#### Optional
-
-To switch to a master key, generate a key:
-
-```ruby
-Lockbox.generate_key
-```
-
-And set `ENV["LOCKBOX_MASTER_KEY"]` or `Lockbox.master_key`.
-
-Update your model:
-
-```ruby
-class User < ApplicationRecord
-  encrypts_attached :license, previous_versions: [{key: key}]
-end
-```
-
-New uploads will be encrypted with the new key.
-
-You can rotate existing records with:
-
-```ruby
-User.unscoped.find_each do |user|
-  user.license.rotate_encryption!
-end
-```
-
-Once that’s complete, update your model:
-
-```ruby
-class User < ApplicationRecord
-  encrypts_attached :license
-end
-```
-
 ## History
 
 View the [changelog](https://github.com/ankane/lockbox/blob/master/CHANGELOG.md)

data/lib/lockbox/calculations.rb

@@ -3,7 +3,12 @@ module Lockbox
     def pluck(*column_names)
       return super unless model.respond_to?(:lockbox_attributes)
 
-      lockbox_columns = column_names.map.with_index { |c, i| [model.lockbox_attributes[c.to_sym], i] }.select { |la, _i| la && !la[:migrating] }
+      lockbox_columns = column_names.map.with_index do |c, i|
+        next unless c.respond_to?(:to_sym)
+        [model.lockbox_attributes[c.to_sym], i]
+      end.select do |la, _i|
+        la && !la[:migrating]
+      end
 
       return super unless lockbox_columns.any?
 

data/lib/lockbox/carrier_wave_extensions.rb

@@ -33,7 +33,10 @@ module Lockbox
         end
 
         def content_type
-          if CarrierWave::VERSION.to_i >= 2
+          if Gem::Version.new(CarrierWave::VERSION) >= Gem::Version.new("2.2.1")
+            # based on CarrierWave::SanitizedFile#marcel_magic_content_type
+            Marcel::Magic.by_magic(read).try(:type) || "invalid/invalid"
+          elsif CarrierWave::VERSION.to_i >= 2
             # based on CarrierWave::SanitizedFile#mime_magic_content_type
             MimeMagic.by_magic(read).try(:type) || "invalid/invalid"
           else
@@ -103,10 +106,9 @@ module Lockbox
 end
 
 if CarrierWave::VERSION.to_i > 2
-  raise "CarrierWave version (#{CarrierWave::VERSION}) not supported in this version of Lockbox (#{Lockbox::VERSION})"
+  raise Lockbox::Error, "CarrierWave #{CarrierWave::VERSION} not supported in this version of Lockbox"
 elsif CarrierWave::VERSION.to_i < 1
-  # TODO raise error in 0.7.0
-  warn "CarrierWave version (#{CarrierWave::VERSION}) not supported in this version of Lockbox (#{Lockbox::VERSION})"
+  raise Lockbox::Error, "CarrierWave #{CarrierWave::VERSION} not supported"
 end
 
 CarrierWave::Uploader::Base.extend(Lockbox::CarrierWaveExtensions)

data/lib/lockbox/model.rb

@@ -1,6 +1,6 @@
 module Lockbox
   module Model
-    def encrypts(*attributes, **options)
+    def has_encrypted(*attributes, **options)
       # support objects
       # case options[:type]
       # when Date
@@ -149,16 +149,38 @@ module Lockbox
               # needed for in-place modifications
               # assigned attributes are encrypted on assignment
               # and then again here
-              before_save do
+              def lockbox_sync_attributes
                 self.class.lockbox_attributes.each do |_, lockbox_attribute|
                   attribute = lockbox_attribute[:attribute]
 
-                  if attribute_changed_in_place?(attribute)
+                  if attribute_changed_in_place?(attribute) || (send("#{attribute}_changed?") && !send("#{lockbox_attribute[:encrypted_attribute]}_changed?"))
                     send("#{attribute}=", send(attribute))
                   end
                 end
               end
 
+              # safety check
+              [:_create_record, :_update_record].each do |method_name|
+                unless private_method_defined?(method_name) || method_defined?(method_name)
+                  raise Lockbox::Error, "Expected #{method_name} to be defined. Please report an issue."
+                end
+              end
+
+              def _create_record(*)
+                lockbox_sync_attributes
+                super
+              end
+
+              def _update_record(*)
+                lockbox_sync_attributes
+                super
+              end
+
+              def [](attr_name)
+                send(attr_name) if self.class.lockbox_attributes.any? { |_, la| la[:attribute] == attr_name.to_s }
+                super
+              end
+
               def update_columns(attributes)
                 return super unless attributes.is_a?(Hash)
 
@@ -194,13 +216,62 @@ module Lockbox
                 attributes_to_set.each do |k, v|
                   if respond_to?(:write_attribute_without_type_cast, true)
                     write_attribute_without_type_cast(k, v)
-                  else
+                  elsif respond_to?(:raw_write_attribute, true)
                     raw_write_attribute(k, v)
+                  else
+                    @attributes.write_cast_value(k, v)
+                    clear_attribute_change(k)
                   end
                 end
 
                 result
               end
+
+              if ActiveRecord::VERSION::MAJOR >= 6
+                def self.insert_all(attributes, **options)
+                  super(lockbox_map_attributes(attributes), **options)
+                end
+
+                def self.insert_all!(attributes, **options)
+                  super(lockbox_map_attributes(attributes), **options)
+                end
+
+                def self.upsert_all(attributes, **options)
+                  super(lockbox_map_attributes(attributes, check_readonly: true), **options)
+                end
+
+                # private
+                # does not try to handle :returning option for simplicity
+                def self.lockbox_map_attributes(records, check_readonly: false)
+                  return records unless records.is_a?(Array)
+
+                  records.map do |attributes|
+                    # transform keys like Active Record
+                    attributes = attributes.transform_keys do |key|
+                      n = key.to_s
+                      attribute_aliases[n] || n
+                    end
+
+                    lockbox_attributes = self.lockbox_attributes.slice(*attributes.keys.map(&:to_sym))
+                    lockbox_attributes.each do |key, lockbox_attribute|
+                      attribute = key.to_s
+                      # check read only
+                      # users should mark both plaintext and ciphertext columns
+                      if check_readonly && readonly_attributes.include?(attribute) && !readonly_attributes.include?(lockbox_attribute[:encrypted_attribute].to_s)
+                        warn "[lockbox] WARNING: Mark attribute as readonly: #{lockbox_attribute[:encrypted_attribute]}"
+                      end
+
+                      message = attributes[attribute]
+                      attributes.delete(attribute) unless lockbox_attribute[:migrating]
+                      encrypted_attribute = lockbox_attribute[:encrypted_attribute]
+                      ciphertext = send("generate_#{encrypted_attribute}", message)
+                      attributes[encrypted_attribute] = ciphertext
+                    end
+
+                    attributes
+                  end
+                end
+              end
             else
               def reload
                 self.class.lockbox_attributes.each do |_, v|
@@ -216,6 +287,23 @@ module Lockbox
           @lockbox_attributes[original_name] = options
 
           if activerecord
+            # warn on default attributes
+            if attributes_to_define_after_schema_loads.key?(name.to_s)
+              opt = attributes_to_define_after_schema_loads[name.to_s][1]
+
+              has_default =
+                if ActiveRecord::VERSION::MAJOR >= 7
+                  # not ideal, since NO_DEFAULT_PROVIDED is private
+                  opt != ActiveRecord::Attributes::ClassMethods.const_get(:NO_DEFAULT_PROVIDED)
+                else
+                  opt.is_a?(Hash) && opt.key?(:default)
+                end
+
+              if has_default
+                warn "[lockbox] WARNING: attributes with `:default` option are not supported. Use `after_initialize` instead."
+              end
+            end
+
             # preference:
             # 1. type option
             # 2. existing virtual attribute
@@ -254,7 +342,12 @@ module Lockbox
               # otherwise, type gets set to ActiveModel::Type::Value
               # which always returns false for changed_in_place?
               # earlier versions of Active Record take the previous code path
-              if ActiveRecord::VERSION::STRING.to_f >= 6.1 && attributes_to_define_after_schema_loads[name.to_s].first.is_a?(Proc)
+              if ActiveRecord::VERSION::STRING.to_f >= 7.0 && attributes_to_define_after_schema_loads[name.to_s].first.is_a?(Proc)
+                attribute_type = attributes_to_define_after_schema_loads[name.to_s].first.call(nil)
+                if attribute_type.is_a?(ActiveRecord::Type::Serialized) && attribute_type.subtype.nil?
+                  attribute name, ActiveRecord::Type::Serialized.new(ActiveRecord::Type::String.new, attribute_type.coder)
+                end
+              elsif ActiveRecord::VERSION::STRING.to_f >= 6.1 && attributes_to_define_after_schema_loads[name.to_s].first.is_a?(Proc)
                 attribute_type = attributes_to_define_after_schema_loads[name.to_s].first.call
                 if attribute_type.is_a?(ActiveRecord::Type::Serialized) && attribute_type.subtype.nil?
                   attribute name, ActiveRecord::Type::Serialized.new(ActiveRecord::Type::String.new, attribute_type.coder)
@@ -273,11 +366,14 @@ module Lockbox
               send("restore_#{encrypted_attribute}!")
             end
 
-            if ActiveRecord::VERSION::STRING >= "5.1"
-              define_method("#{name}_in_database") do
-                send(name) # writes attribute when not already set
-                super()
-              end
+            define_method("#{name}_in_database") do
+              send(name) # writes attribute when not already set
+              super()
+            end
+
+            define_method("#{name}?") do
+              # uses public_send, so we don't need to preload attribute
+              query_attribute(name)
             end
           else
             # keep this module dead simple
@@ -318,10 +414,10 @@ module Lockbox
               send("reset_#{encrypted_attribute}_to_default!")
               send(name)
             end
-          end
 
-          define_method("#{name}?") do
-            send("#{encrypted_attribute}?")
+            define_method("#{name}?") do
+              send("#{encrypted_attribute}?")
+            end
           end
 
           define_method("#{name}=") do |message|
@@ -371,7 +467,11 @@ module Lockbox
             # check for this explicitly as a layer of safety
             if message.nil? || ((message == {} || message == []) && activerecord && @attributes[name.to_s].value_before_type_cast.nil?)
               ciphertext = send(encrypted_attribute)
-              message = self.class.send(decrypt_method_name, ciphertext, context: self)
+
+              # keep original message for empty hashes and arrays
+              unless ciphertext.nil?
+                message = self.class.send(decrypt_method_name, ciphertext, context: self)
+              end
 
               if activerecord
                 # set previous attribute so changes populate correctly
@@ -383,8 +483,13 @@ module Lockbox
                 # decrypt method does type casting
                 if respond_to?(:write_attribute_without_type_cast, true)
                   write_attribute_without_type_cast(name.to_s, message) if !@attributes.frozen?
-                else
+                elsif respond_to?(:raw_write_attribute, true)
                   raw_write_attribute(name, message) if !@attributes.frozen?
+                else
+                  if !@attributes.frozen?
+                    @attributes.write_cast_value(name.to_s, message)
+                    clear_attribute_change(name)
+                  end
                 end
               else
                 instance_variable_set("@#{name}", message)
@@ -399,7 +504,6 @@ module Lockbox
             table = activerecord ? table_name : collection_name.to_s
 
             unless message.nil?
-              # TODO use attribute type class in 0.7.0
               case options[:type]
               when :boolean
                 message = ActiveRecord::Type::Boolean.new.serialize(message)
@@ -462,7 +566,6 @@ module Lockbox
               end
 
             unless message.nil?
-              # TODO use attribute type class in 0.7.0
               case options[:type]
               when :boolean
                 message = message == "t"
@@ -520,6 +623,11 @@ module Lockbox
       end
     end
 
+    def lockbox_encrypts(*attributes, **options)
+      ActiveSupport::Deprecation.warn("`#{__callee__}` is deprecated in favor of `has_encrypted`")
+      has_encrypted(*attributes, **options)
+    end
+
     module Attached
       def encrypts_attached(*attributes, **options)
         attributes.each do |name|

data/lib/lockbox/railtie.rb

@@ -19,7 +19,14 @@ module Lockbox
         ActiveStorage::Attached::Many.prepend(Lockbox::ActiveStorageExtensions::AttachedMany)
 
         # use load hooks when possible
-        if ActiveStorage::VERSION::MAJOR >= 6
+        if ActiveStorage::VERSION::MAJOR >= 7
+          ActiveSupport.on_load(:active_storage_attachment) do
+            prepend Lockbox::ActiveStorageExtensions::Attachment
+          end
+          ActiveSupport.on_load(:active_storage_blob) do
+            prepend Lockbox::ActiveStorageExtensions::Blob
+          end
+        elsif ActiveStorage::VERSION::MAJOR >= 6
           ActiveSupport.on_load(:active_storage_attachment) do
             include Lockbox::ActiveStorageExtensions::Attachment
           end

data/lib/lockbox/version.rb

@@ -1,3 +1,3 @@
 module Lockbox
-  VERSION = "0.6.2"
+  VERSION = "1.1.1"
 end

data/lib/lockbox.rb

@@ -2,6 +2,7 @@
 require "base64"
 require "openssl"
 require "securerandom"
+require "stringio"
 
 # modules
 require "lockbox/aes_gcm"
@@ -16,32 +17,6 @@ require "lockbox/padding"
 require "lockbox/utils"
 require "lockbox/version"
 
-# integrations
-require "lockbox/carrier_wave_extensions" if defined?(CarrierWave)
-require "lockbox/railtie" if defined?(Rails)
-
-if defined?(ActiveSupport::LogSubscriber)
-  require "lockbox/log_subscriber"
-  Lockbox::LogSubscriber.attach_to :lockbox
-end
-
-if defined?(ActiveSupport.on_load)
-  ActiveSupport.on_load(:active_record) do
-    # TODO raise error in 0.7.0
-    if ActiveRecord::VERSION::STRING.to_f <= 5.0
-      warn "Active Record version (#{ActiveRecord::VERSION::STRING}) not supported in this version of Lockbox (#{Lockbox::VERSION})"
-    end
-
-    extend Lockbox::Model
-    extend Lockbox::Model::Attached
-    ActiveRecord::Calculations.prepend Lockbox::Calculations
-  end
-
-  ActiveSupport.on_load(:mongoid) do
-    Mongoid::Document::ClassMethods.include(Lockbox::Model)
-  end
-end
-
 module Lockbox
   class Error < StandardError; end
   class DecryptionError < Error; end
@@ -106,7 +81,39 @@ module Lockbox
 
   def self.encrypts_action_text_body(**options)
     ActiveSupport.on_load(:action_text_rich_text) do
-      ActionText::RichText.encrypts :body, **options
+      ActionText::RichText.has_encrypted :body, **options
     end
   end
 end
+
+# integrations
+require "lockbox/carrier_wave_extensions" if defined?(CarrierWave)
+require "lockbox/railtie" if defined?(Rails)
+
+if defined?(ActiveSupport::LogSubscriber)
+  require "lockbox/log_subscriber"
+  Lockbox::LogSubscriber.attach_to :lockbox
+end
+
+if defined?(ActiveSupport.on_load)
+  ActiveSupport.on_load(:active_record) do
+    ar_version = ActiveRecord::VERSION::STRING.to_f
+    if ar_version < 5.2
+      if ar_version >= 5
+        raise Lockbox::Error, "Active Record #{ActiveRecord::VERSION::STRING} requires Lockbox < 0.7"
+      else
+        raise Lockbox::Error, "Active Record #{ActiveRecord::VERSION::STRING} not supported"
+      end
+    end
+
+    extend Lockbox::Model
+    extend Lockbox::Model::Attached
+    singleton_class.alias_method(:encrypts, :lockbox_encrypts) if ActiveRecord::VERSION::MAJOR < 7
+    ActiveRecord::Relation.prepend Lockbox::Calculations
+  end
+
+  ActiveSupport.on_load(:mongoid) do
+    Mongoid::Document::ClassMethods.include(Lockbox::Model)
+    Mongoid::Document::ClassMethods.alias_method(:encrypts, :lockbox_encrypts)
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lockbox
 version: !ruby/object:Gem::Version
-  version: 0.6.2
+  version: 1.1.1
 platform: ruby
 authors:
 - Andrew Kane
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-08 00:00:00.000000000 Z
+date: 2022-12-08 00:00:00.000000000 Z
 dependencies: []
 description:
 email: andrew@ankane.org
@@ -51,14 +51,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.4'
+      version: '2.6'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: Modern encryption for Ruby and Rails