lockbox 1.1.1 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1a8a7995008cdd49c48d95e0a968e45666276fb095de76954ef949800080d40b
-  data.tar.gz: da7d7796776c325ce1871a2755f6cc012c060f16293cbe28a31f2547c92ec0ad
+  metadata.gz: f26c45499c84a35d3a4aaeb7043853a4090dd63b2268e128fc0f2713dfc25b09
+  data.tar.gz: 697626daf2a92ecf69eabc56390074f497ba51a31d1ee24a2a5644c9437d0f09
 SHA512:
-  metadata.gz: d97e45d14fbc7f452eef5e09c2b2d8d3b2c2f5d4b8a42645c0138849b21ef61194f7cf2e36158f4e920b7cc5709cef63a9769310f97cdd40c3f78790415100d0
-  data.tar.gz: f04c5264be1ec1e69c406593bdc143f10f846776a34744d38a368ba0e0d2662c874315b9387c5e7c53a47621cbabb2da146114008d1b5963dcc3e8b845a86ff2
+  metadata.gz: 1b0832e473ba43bb36cc9b11398d20385eae5f94b3a2d13f66a5cc4322605f28bf93a22b9fcb9ac5e171e7004b909b59e0f26d5a75d1be6561c61bbdf054c65e
+  data.tar.gz: 77995606e64719168bb0688215721e89c84b7ce9b758e49dbbb1beeecd460ca85c129089c8f1f160320ead16cbe64bd7eb2fb72491d7e9575ac392ef11ca492b

data/CHANGELOG.md

@@ -1,3 +1,15 @@
+## 1.2.0 (2023-03-20)
+
+- Made it easier to rotate master key
+- Added `associated_data` option for database fields and files
+- Added `decimal` type
+- Added `encode_attributes` option
+- Fixed deprecation warnings with Rails 7.1
+
+## 1.1.2 (2023-02-01)
+
+- Fixed error when migrating to `array`, `hash`, and `json` types
+
 ## 1.1.1 (2022-12-08)
 
 - Fixed error when `StringIO` not loaded

data/README.md

@@ -117,6 +117,7 @@ class User < ApplicationRecord
   has_encrypted :active, type: :boolean
   has_encrypted :salary, type: :integer
   has_encrypted :latitude, type: :float
+  has_encrypted :longitude, type: :decimal
   has_encrypted :video, type: :binary
   has_encrypted :properties, type: :json
   has_encrypted :settings, type: :hash
@@ -566,51 +567,25 @@ Use `decrypt_str` get the value as UTF-8
 
 To make key rotation easy, you can pass previous versions of keys that can decrypt.
 
-### Active Record & Mongoid
-
-Update your model:
+Create `config/initializers/lockbox.rb` with:
 
 ```ruby
-class User < ApplicationRecord
-  has_encrypted :email, previous_versions: [{master_key: previous_key}]
-end
+Lockbox.default_options[:previous_versions] = [{master_key: previous_key}]
 ```
 
-To rotate existing records, use:
+To rotate existing Active Record & Mongoid records, use:
 
 ```ruby
 Lockbox.rotate(User, attributes: [:email])
 ```
 
-Once all records are rotated, you can remove `previous_versions` from the model.
-
-### Action Text
-
-Update your initializer:
-
-```ruby
-Lockbox.encrypts_action_text_body(previous_versions: [{master_key: previous_key}])
-```
-
-To rotate existing records, use:
+To rotate existing Action Text records, use:
 
 ```ruby
 Lockbox.rotate(ActionText::RichText, attributes: [:body])
 ```
 
-Once all records are rotated, you can remove `previous_versions` from the initializer.
-
-### Active Storage
-
-Update your model:
-
-```ruby
-class User < ApplicationRecord
-  encrypts_attached :license, previous_versions: [{master_key: previous_key}]
-end
-```
-
-To rotate existing files, use:
+To rotate existing Active Storage files, use:
 
 ```ruby
 User.with_attached_license.find_each do |user|
@@ -618,39 +593,31 @@ User.with_attached_license.find_each do |user|
 end
 ```
 
-Once all files are rotated, you can remove `previous_versions` from the model.
-
-### CarrierWave
-
-Update your model:
-
-```ruby
-class LicenseUploader < CarrierWave::Uploader::Base
-  encrypt previous_versions: [{master_key: previous_key}]
-end
-```
-
-To rotate existing files, use:
+To rotate existing CarrierWave files, use:
 
 ```ruby
 User.find_each do |user|
   user.license.rotate_encryption!
+  # or for multiple files
+  user.licenses.map(&:rotate_encryption!)
 end
 ```
 
-For multiple files, use:
+Once everything is rotated, you can remove `previous_versions` from the initializer.
+
+### Individual Fields & Files
+
+You can also pass previous versions to individual fields and files.
 
 ```ruby
-User.find_each do |user|
-  user.licenses.map(&:rotate_encryption!)
+class User < ApplicationRecord
+  has_encrypted :email, previous_versions: [{master_key: previous_key}]
 end
 ```
 
-Once all files are rotated, you can remove `previous_versions` from the model.
-
 ### Local Files & Strings
 
-For local files and strings, use:
+To rotate local files and strings, use:
 
 ```ruby
 Lockbox.new(key: key, previous_versions: [{key: previous_key}])
@@ -948,6 +915,12 @@ class User < ApplicationRecord
 end
 ```
 
+or set it globally:
+
+```ruby
+Lockbox.encode_attributes = false
+```
+
 ## Compatibility
 
 It’s easy to read encrypted data in another language if needed.

data/lib/lockbox/box.rb

@@ -1,6 +1,8 @@
 module Lockbox
   class Box
-    def initialize(key: nil, algorithm: nil, encryption_key: nil, decryption_key: nil, padding: false)
+    NOT_SET = Object.new
+
+    def initialize(key: nil, algorithm: nil, encryption_key: nil, decryption_key: nil, padding: false, associated_data: nil)
       raise ArgumentError, "Cannot pass both key and encryption/decryption key" if key && (encryption_key || decryption_key)
 
       key = Lockbox::Utils.decode_key(key) if key
@@ -32,9 +34,11 @@ module Lockbox
 
       @algorithm = algorithm
       @padding = padding == true ? 16 : padding
+      @associated_data = associated_data
     end
 
-    def encrypt(message, associated_data: nil)
+    def encrypt(message, associated_data: NOT_SET)
+      associated_data = @associated_data if associated_data == NOT_SET
       message = Lockbox.pad(message, size: @padding) if @padding
       case @algorithm
       when "hybrid"
@@ -53,7 +57,8 @@ module Lockbox
       nonce + ciphertext
     end
 
-    def decrypt(ciphertext, associated_data: nil)
+    def decrypt(ciphertext, associated_data: NOT_SET)
+      associated_data = @associated_data if associated_data == NOT_SET
       message =
         case @algorithm
         when "hybrid"

data/lib/lockbox/encryptor.rb

@@ -9,7 +9,7 @@ module Lockbox
 
       @boxes =
         [Box.new(**options)] +
-        Array(previous_versions).map { |v| Box.new(key: options[:key], **v) }
+        Array(previous_versions).reject { |v| v.key?(:master_key) }.map { |v| Box.new(key: options[:key], **v) }
     end
 
     def encrypt(message, **options)

data/lib/lockbox/log_subscriber.rb

@@ -6,7 +6,7 @@ module Lockbox
       payload = event.payload
       name = "Encrypt File (#{event.duration.round(1)}ms)"
 
-      debug "  #{color(name, YELLOW, true)} Encrypted #{payload[:name]}"
+      debug "  #{color(name, YELLOW, bold: true)} Encrypted #{payload[:name]}"
     end
 
     def decrypt_file(event)
@@ -15,7 +15,7 @@ module Lockbox
       payload = event.payload
       name = "Decrypt File (#{event.duration.round(1)}ms)"
 
-      debug "  #{color(name, YELLOW, true)} Decrypted #{payload[:name]}"
+      debug "  #{color(name, YELLOW, bold: true)} Decrypted #{payload[:name]}"
     end
   end
 end

data/lib/lockbox/model.rb

@@ -19,10 +19,12 @@ module Lockbox
       #   options[:type] = :integer
       # when Float
       #   options[:type] = :float
+      # when BigDecimal
+      #   options[:type] = :decimal
       # end
 
       custom_type = options[:type].respond_to?(:serialize) && options[:type].respond_to?(:deserialize)
-      valid_types = [nil, :string, :boolean, :date, :datetime, :time, :integer, :float, :binary, :json, :hash, :array, :inet]
+      valid_types = [nil, :string, :boolean, :date, :datetime, :time, :integer, :float, :decimal, :binary, :json, :hash, :array, :inet]
       raise ArgumentError, "Unknown type: #{options[:type]}" unless custom_type || valid_types.include?(options[:type])
 
       activerecord = defined?(ActiveRecord::Base) && self < ActiveRecord::Base
@@ -50,7 +52,7 @@ module Lockbox
 
         options[:attribute] = name.to_s
         options[:encrypted_attribute] = encrypted_attribute
-        options[:encode] = true unless options.key?(:encode)
+        options[:encode] = Lockbox.encode_attributes unless options.key?(:encode)
 
         encrypt_method_name = "generate_#{encrypted_attribute}"
         decrypt_method_name = "decrypt_#{encrypted_attribute}"
@@ -321,9 +323,15 @@ module Lockbox
 
               attribute name, attribute_type
 
-              serialize name, JSON if options[:type] == :json
-              serialize name, Hash if options[:type] == :hash
-              serialize name, Array if options[:type] == :array
+              if ActiveRecord::VERSION::STRING.to_f >= 7.1
+                serialize name, coder: JSON if options[:type] == :json
+                serialize name, type: Hash if options[:type] == :hash
+                serialize name, type: Array if options[:type] == :array
+              else
+                serialize name, JSON if options[:type] == :json
+                serialize name, Hash if options[:type] == :hash
+                serialize name, Array if options[:type] == :array
+              end
             elsif !attributes_to_define_after_schema_loads.key?(name.to_s)
               # when migrating it's best to specify the type directly
               # however, we can try to use the original type if its already defined
@@ -531,6 +539,19 @@ module Lockbox
                 message = ActiveRecord::Type::Float.new.serialize(message)
                 # double precision, big endian
                 message = [message].pack("G") unless message.nil?
+              when :decimal
+                message =
+                  if ActiveRecord::VERSION::MAJOR >= 6
+                    ActiveRecord::Type::Decimal.new.serialize(message)
+                  else
+                    # issue with serialize in Active Record < 6
+                    # https://github.com/rails/rails/commit/a741208f80dd33420a56486bd9ed2b0b9862234a
+                    ActiveRecord::Type::Decimal.new.cast(message)
+                  end
+                # Postgres stores 4 decimal digits in 2 bytes
+                # plus 3 to 8 bytes of overhead
+                # but use string for simplicity
+                message = message.to_s("F") unless message.nil?
               when :inet
                 unless message.nil?
                   ip = message.is_a?(IPAddr) ? message : (IPAddr.new(message) rescue nil)
@@ -543,8 +564,8 @@ module Lockbox
                 # do nothing
                 # encrypt will convert to binary
               else
-                # use original name for serialized attributes
-                type = (try(:attribute_types) || {})[original_name.to_s]
+                # use original name for serialized attributes if no type specified
+                type = (try(:attribute_types) || {})[(options[:type] ? name : original_name).to_s]
                 message = type.serialize(message) if type
               end
             end
@@ -576,9 +597,11 @@ module Lockbox
               when :time
                 message = ActiveRecord::Type::Time.new.deserialize(message)
               when :integer
-                message = ActiveRecord::Type::Integer.new(limit: 8).deserialize(message.unpack("q>").first)
+                message = ActiveRecord::Type::Integer.new(limit: 8).deserialize(message.unpack1("q>"))
               when :float
-                message = ActiveRecord::Type::Float.new.deserialize(message.unpack("G").first)
+                message = ActiveRecord::Type::Float.new.deserialize(message.unpack1("G"))
+              when :decimal
+                message = ActiveRecord::Type::Decimal.new.deserialize(message)
               when :string
                 message.force_encoding(Encoding::UTF_8)
               when :binary
@@ -590,8 +613,8 @@ module Lockbox
                 message = IPAddr.new_ntoh(addr.first(len))
                 message.prefix = prefix
               else
-                # use original name for serialized attributes
-                type = (try(:attribute_types) || {})[original_name.to_s]
+                # use original name for serialized attributes if no type specified
+                type = (try(:attribute_types) || {})[(options[:type] ? name : original_name).to_s]
                 message = type.deserialize(message) if type
                 message.force_encoding(Encoding::UTF_8) if !type || type.is_a?(ActiveModel::Type::String)
               end

data/lib/lockbox/utils.rb

@@ -26,6 +26,10 @@ module Lockbox
           )
       end
 
+      unless options.key?(:previous_versions)
+        options[:previous_versions] = Lockbox.default_options[:previous_versions]
+      end
+
       if options[:previous_versions].is_a?(Array)
         # dup previous versions array (with map) since elements are updated
         # dup each version (with dup) since keys are sometimes deleted

data/lib/lockbox/version.rb

@@ -1,3 +1,3 @@
 module Lockbox
-  VERSION = "1.1.1"
+  VERSION = "1.2.0"
 end

data/lib/lockbox.rb

@@ -27,10 +27,11 @@ module Lockbox
   extend Padding
 
   class << self
-    attr_accessor :default_options
+    attr_accessor :default_options, :encode_attributes
     attr_writer :master_key
   end
   self.default_options = {}
+  self.encode_attributes = true
 
   def self.master_key
     @master_key ||= ENV["LOCKBOX_MASTER_KEY"]
@@ -72,7 +73,7 @@ module Lockbox
   end
 
   def self.to_hex(str)
-    str.unpack("H*").first
+    str.unpack1("H*")
   end
 
   def self.new(**options)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lockbox
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 1.2.0
 platform: ruby
 authors:
 - Andrew Kane
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-12-08 00:00:00.000000000 Z
+date: 2023-03-20 00:00:00.000000000 Z
 dependencies: []
 description:
 email: andrew@ankane.org
@@ -58,7 +58,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.4.6
 signing_key:
 specification_version: 4
 summary: Modern encryption for Ruby and Rails