lockbox 1.3.2 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 395cfb4c691d2ddb7280f6b0fe7e0e0bcc663c128a391751d6e2d03087c7c0f8
-  data.tar.gz: 964271ba8bc79f94c940daf2f90c88da800a03560dde7870d9e69da67eff9e5a
+  metadata.gz: c227a11280d70eaaa03e7c81649bee696c2c88ab9a1825503f7db4e9af5d2d12
+  data.tar.gz: 52a2969568229aefa391a093c93ae1771d021ddc2396d3e4f65ec2f509a82c41
 SHA512:
-  metadata.gz: 6833415a739d81b5570537616e8181a69d3b333d1f3ce3538e7a6f3f6c4a937611d07769d529f43c601bbf000c99cd55c89375b7a3be5915cb884df1785395ba
-  data.tar.gz: eb64b479c6564db53d8b02821c987dc391c4c424e52de708f1a7b48308bd6ad381a8a72cd25f85cdbbd32b941f0e634efaa759269db764b9fba9efd3a0e0eea0
+  metadata.gz: 1734e1db6d559ed4221e81b30ca6a13db348a6089f58581376ce4cf16019a5787f8dd1b80abd1534ef2c82e294db4db1d8cb30089413d4e2e009544d3185d350
+  data.tar.gz: d5bdb1947c5fac19038fe21651bf35d32d675eba024569ec085b015ad991a9c1ea5e65437df908f78e0083486726032571c6dee364fe92a95a7447e33495cf83

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 1.4.0 (2024-08-09)
+
+- Added support for Active Record 7.2
+- Added support for Mongoid 9
+- Fixed error when `decryption_key` option is a proc or symbol and returns `nil`
+
+## 1.3.3 (2024-02-07)
+
+- Added warning for encrypting store attributes
+
 ## 1.3.2 (2024-01-10)
 
 - Fixed issue with serialized attributes

data/README.md

@@ -140,6 +140,8 @@ class User < ApplicationRecord
 end
 ```
 
+For [Active Record Store](https://api.rubyonrails.org/classes/ActiveRecord/Store.html), encrypt the column rather than individual accessors.
+
 For [StoreModel](https://github.com/DmitryTsepelev/store_model), use:
 
 ```ruby
@@ -192,7 +194,7 @@ class User < ApplicationRecord
   has_encrypted :email
 
   # remove this line after dropping email column
-  self.ignored_columns = ["email"]
+  self.ignored_columns += ["email"]
 end
 ```
 
@@ -1014,21 +1016,6 @@ class User < ApplicationRecord
 end
 ```
 
-### 0.6.0
-
-0.6.0 adds `encrypted: true` to Active Storage metadata for new files. This field is informational, but if you prefer to add it to existing files, use:
-
-```ruby
-User.with_attached_license.find_each do |user|
-  next unless user.license.attached?
-
-  metadata = user.license.metadata
-  unless metadata["encrypted"]
-    user.license.blob.update!(metadata: metadata.merge("encrypted" => true))
-  end
-end
-```
-
 ## History
 
 View the [changelog](https://github.com/ankane/lockbox/blob/master/CHANGELOG.md)

data/lib/lockbox/carrier_wave_extensions.rb

@@ -79,7 +79,7 @@ module Lockbox
             while uploader.parent_version
               uploader = uploader.parent_version
             end
-            uploader.class.name.sub(/Uploader\z/, "").underscore
+            uploader.class.name.delete_suffix("Uploader").underscore
           end
         end
 

data/lib/lockbox/migrator.rb

@@ -2,7 +2,7 @@ module Lockbox
   class Migrator
     def initialize(relation, batch_size:)
       @relation = relation
-      @transaction = @relation.respond_to?(:transaction)
+      @transaction = @relation.respond_to?(:transaction) && !mongoid_relation?(base_relation)
       @batch_size = batch_size
     end
 

data/lib/lockbox/model.rb

@@ -137,13 +137,16 @@ module Lockbox
                 # essentially a no-op if already loaded
                 # an exception is thrown if decryption fails
                 self.class.lockbox_attributes.each do |_, lockbox_attribute|
-                  # don't try to decrypt if no decryption key given
-                  next if lockbox_attribute[:algorithm] == "hybrid" && lockbox_attribute[:decryption_key].nil?
-
                   # it is possible that the encrypted attribute is not loaded, eg.
                   # if the record was fetched partially (`User.select(:id).first`).
                   # accessing a not loaded attribute raises an `ActiveModel::MissingAttributeError`.
-                  send(lockbox_attribute[:attribute]) if has_attribute?(lockbox_attribute[:encrypted_attribute])
+                  if has_attribute?(lockbox_attribute[:encrypted_attribute])
+                    begin
+                      send(lockbox_attribute[:attribute])
+                    rescue ArgumentError => e
+                      raise e if e.message != "No decryption key set"
+                    end
+                  end
                 end
                 super
               end
@@ -230,6 +233,20 @@ module Lockbox
               end
 
               if ActiveRecord::VERSION::MAJOR >= 6
+                if ActiveRecord::VERSION::STRING.to_f >= 7.2
+                  def self.insert(attributes, **options)
+                    super(lockbox_map_record_attributes(attributes), **options)
+                  end
+
+                  def self.insert!(attributes, **options)
+                    super(lockbox_map_record_attributes(attributes), **options)
+                  end
+
+                  def self.upsert(attributes, **options)
+                    super(lockbox_map_record_attributes(attributes, check_readonly: true), **options)
+                  end
+                end
+
                 def self.insert_all(attributes, **options)
                   super(lockbox_map_attributes(attributes), **options)
                 end
@@ -248,30 +265,37 @@ module Lockbox
                   return records unless records.is_a?(Array)
 
                   records.map do |attributes|
-                    # transform keys like Active Record
-                    attributes = attributes.transform_keys do |key|
-                      n = key.to_s
-                      attribute_aliases[n] || n
-                    end
+                    lockbox_map_record_attributes(attributes, check_readonly: false)
+                  end
+                end
+
+                # private
+                def self.lockbox_map_record_attributes(attributes, check_readonly: false)
+                  return attributes unless attributes.is_a?(Hash)
 
-                    lockbox_attributes = self.lockbox_attributes.slice(*attributes.keys.map(&:to_sym))
-                    lockbox_attributes.each do |key, lockbox_attribute|
-                      attribute = key.to_s
-                      # check read only
-                      # users should mark both plaintext and ciphertext columns
-                      if check_readonly && readonly_attributes.include?(attribute) && !readonly_attributes.include?(lockbox_attribute[:encrypted_attribute].to_s)
-                        warn "[lockbox] WARNING: Mark attribute as readonly: #{lockbox_attribute[:encrypted_attribute]}"
-                      end
-
-                      message = attributes[attribute]
-                      attributes.delete(attribute) unless lockbox_attribute[:migrating]
-                      encrypted_attribute = lockbox_attribute[:encrypted_attribute]
-                      ciphertext = send("generate_#{encrypted_attribute}", message)
-                      attributes[encrypted_attribute] = ciphertext
+                  # transform keys like Active Record
+                  attributes = attributes.transform_keys do |key|
+                    n = key.to_s
+                    attribute_aliases[n] || n
+                  end
+
+                  lockbox_attributes = self.lockbox_attributes.slice(*attributes.keys.map(&:to_sym))
+                  lockbox_attributes.each do |key, lockbox_attribute|
+                    attribute = key.to_s
+                    # check read only
+                    # users should mark both plaintext and ciphertext columns
+                    if check_readonly && readonly_attributes.include?(attribute) && !readonly_attributes.include?(lockbox_attribute[:encrypted_attribute].to_s)
+                      warn "[lockbox] WARNING: Mark attribute as readonly: #{lockbox_attribute[:encrypted_attribute]}"
                     end
 
-                    attributes
+                    message = attributes[attribute]
+                    attributes.delete(attribute) unless lockbox_attribute[:migrating]
+                    encrypted_attribute = lockbox_attribute[:encrypted_attribute]
+                    ciphertext = send("generate_#{encrypted_attribute}", message)
+                    attributes[encrypted_attribute] = ciphertext
                   end
+
+                  attributes
                 end
               end
             else
@@ -289,8 +313,18 @@ module Lockbox
           @lockbox_attributes[original_name] = options
 
           if activerecord
+            # warn on store attributes
+            if stored_attributes.any? { |k, v| v.include?(name) }
+              warn "[lockbox] WARNING: encrypting store accessors is not supported. Encrypt the column instead."
+            end
+
             # warn on default attributes
-            if attributes_to_define_after_schema_loads.key?(name.to_s)
+            if ActiveRecord::VERSION::STRING.to_f >= 7.2
+              # TODO improve
+              if pending_attribute_modifications.any? { |v| v.is_a?(ActiveModel::AttributeRegistration::ClassMethods::PendingDefault) && v.name == name.to_s }
+                warn "[lockbox] WARNING: attributes with `:default` option are not supported. Use `after_initialize` instead."
+              end
+            elsif attributes_to_define_after_schema_loads.key?(name.to_s)
               opt = attributes_to_define_after_schema_loads[name.to_s][1]
 
               has_default =
@@ -342,6 +376,26 @@ module Lockbox
                   serialize name, Array
                 end
               end
+            elsif ActiveRecord::VERSION::STRING.to_f >= 7.2
+              decorate_attributes([name]) do |attr_name, cast_type|
+                if cast_type.instance_of?(ActiveRecord::Type::Value)
+                  original_type = pending_attribute_modifications.find { |v| v.is_a?(ActiveModel::AttributeRegistration::ClassMethods::PendingType) && v.name == original_name.to_s && !v.type.nil? }&.type
+                  if original_type
+                    original_type
+                  elsif options[:migrating]
+                    cast_type
+                  else
+                    ActiveRecord::Type::String.new
+                  end
+                elsif cast_type.is_a?(ActiveRecord::Type::Serialized) && cast_type.subtype.instance_of?(ActiveModel::Type::Value)
+                  # hack to set string type after serialize
+                  # otherwise, type gets set to ActiveModel::Type::Value
+                  # which always returns false for changed_in_place?
+                  ActiveRecord::Type::Serialized.new(ActiveRecord::Type::String.new, cast_type.coder)
+                else
+                  cast_type
+                end
+              end
             elsif !attributes_to_define_after_schema_loads.key?(name.to_s)
               # when migrating it's best to specify the type directly
               # however, we can try to use the original type if its already defined
@@ -355,8 +409,7 @@ module Lockbox
                 attribute name, :string
               end
             else
-              # hack for Active Record 6.1
-              # to set string type after serialize
+              # hack for Active Record 6.1+ to set string type after serialize
               # otherwise, type gets set to ActiveModel::Type::Value
               # which always returns false for changed_in_place?
               # earlier versions of Active Record take the previous code path
@@ -442,12 +495,12 @@ module Lockbox
             # decrypt first for dirty tracking
             # don't raise error if can't decrypt previous
             # don't try to decrypt if no decryption key given
-            unless options[:algorithm] == "hybrid" && options[:decryption_key].nil?
-              begin
-                send(name)
-              rescue Lockbox::DecryptionError
-                warn "[lockbox] Decrypting previous value failed"
-              end
+            begin
+              send(name)
+            rescue Lockbox::DecryptionError
+              warn "[lockbox] Decrypting previous value failed"
+            rescue ArgumentError => e
+              raise e if e.message != "No decryption key set"
             end
 
             send("lockbox_direct_#{name}=", message)
@@ -664,7 +717,8 @@ module Lockbox
     end
 
     def lockbox_encrypts(*attributes, **options)
-      ActiveSupport::Deprecation.warn("`#{__callee__}` is deprecated in favor of `has_encrypted`")
+      deprecator = ActiveSupport::VERSION::STRING.to_f >= 7.2 ? ActiveSupport.deprecator : ActiveSupport::Deprecation
+      deprecator.warn("`#{__callee__}` is deprecated in favor of `has_encrypted`")
       has_encrypted(*attributes, **options)
     end
 

data/lib/lockbox/version.rb

@@ -1,3 +1,3 @@
 module Lockbox
-  VERSION = "1.3.2"
+  VERSION = "1.4.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lockbox
 version: !ruby/object:Gem::Version
-  version: 1.3.2
+  version: 1.4.0
 platform: ruby
 authors:
 - Andrew Kane
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-01-10 00:00:00.000000000 Z
+date: 2024-08-10 00:00:00.000000000 Z
 dependencies: []
 description:
 email: andrew@ankane.org
@@ -58,7 +58,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
+rubygems_version: 3.5.11
 signing_key:
 specification_version: 4
 summary: Modern encryption for Ruby and Rails