lockbox 1.3.3 → 1.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2a238a9d70f5c46cabf8824957f739beb662730a2039696da29b6bc2f7a23462
-  data.tar.gz: eaebb7f1bd209792eee41166c6b5878b99ea0ee9436d030bf76ff13c8c56e4e2
+  metadata.gz: b4771553bf23214b514e9a4a5c94ce665d234d34969f9a3941ea68bdc6729ed4
+  data.tar.gz: a921894d4f3f43d5245a91941e06f79ea652f09c9c77ccf8dc7e442d1dbda0e5
 SHA512:
-  metadata.gz: cc5a1953cbc1493d5eba15ef0d0aed760ee6bd5d0f50e9810d522d57e46e2426f1a8573284834b262208fb6b20638ce15f0f52b5eb1c74dd9f5cc79c9124d6d1
-  data.tar.gz: ab01a6601a0317e0182f49bff4410ab232f88a88a5e65b68d20c6b761a38c3777a527d66c6c1fc0896ce23fdeacb493ec5487a494bf310760581f0ab511c3be3
+  metadata.gz: 90fef82d743a0172a61728fd9f314eca597d43820e87aeb9cb77330e4ec824919d354b81cf4c6c9c2b1c8cedcebb8916425fed5e469b24ea11b6a2e8730feb6f
+  data.tar.gz: fe874ec6aa3f563927f2ea1743d34a795468846ce74cc9e1a0467e41757721d40c8449d7093b158f63f92b8566ea578cf88e5f2b0a8caefc9facee2a8b731afa

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 1.4.1 (2024-09-09)
+
+- Fixed error message for previews for Active Storage 7.1.4
+
+## 1.4.0 (2024-08-09)
+
+- Added support for Active Record 7.2
+- Added support for Mongoid 9
+- Fixed error when `decryption_key` option is a proc or symbol and returns `nil`
+
 ## 1.3.3 (2024-02-07)
 
 - Added warning for encrypting store attributes

data/README.md

@@ -72,7 +72,7 @@ Then follow the instructions below for the data you want to encrypt.
 Create a migration with:
 
 ```ruby
-class AddEmailCiphertextToUsers < ActiveRecord::Migration[7.1]
+class AddEmailCiphertextToUsers < ActiveRecord::Migration[7.2]
   def change
     add_column :users, :email_ciphertext, :text
   end
@@ -194,7 +194,7 @@ class User < ApplicationRecord
   has_encrypted :email
 
   # remove this line after dropping email column
-  self.ignored_columns = ["email"]
+  self.ignored_columns += ["email"]
 end
 ```
 
@@ -251,7 +251,7 @@ User.decrypt_email_ciphertext(user.email_ciphertext)
 Create a migration with:
 
 ```ruby
-class AddBodyCiphertextToRichTexts < ActiveRecord::Migration[7.1]
+class AddBodyCiphertextToRichTexts < ActiveRecord::Migration[7.2]
   def change
     add_column :action_text_rich_texts, :body_ciphertext, :text
   end
@@ -382,7 +382,7 @@ Encryption is applied to all versions after processing.
 You can mount the uploader [as normal](https://github.com/carrierwaveuploader/carrierwave#activerecord). With Active Record, this involves creating a migration:
 
 ```ruby
-class AddLicenseToUsers < ActiveRecord::Migration[7.1]
+class AddLicenseToUsers < ActiveRecord::Migration[7.2]
   def change
     add_column :users, :license, :string
   end
@@ -910,7 +910,7 @@ end
 You can use `binary` columns for the ciphertext instead of `text` columns.
 
 ```ruby
-class AddEmailCiphertextToUsers < ActiveRecord::Migration[7.1]
+class AddEmailCiphertextToUsers < ActiveRecord::Migration[7.2]
   def change
     add_column :users, :email_ciphertext, :binary
   end
@@ -961,7 +961,7 @@ end
 Create a migration with:
 
 ```ruby
-class MigrateToLockbox < ActiveRecord::Migration[7.1]
+class MigrateToLockbox < ActiveRecord::Migration[7.2]
   def change
     add_column :users, :name_ciphertext, :text
     add_column :users, :email_ciphertext, :text
@@ -994,7 +994,7 @@ end
 Then remove the previous gem from your Gemfile and drop its columns.
 
 ```ruby
-class RemovePreviousEncryptedColumns < ActiveRecord::Migration[7.1]
+class RemovePreviousEncryptedColumns < ActiveRecord::Migration[7.2]
   def change
     remove_column :users, :encrypted_name, :text
     remove_column :users, :encrypted_name_iv, :text
@@ -1016,21 +1016,6 @@ class User < ApplicationRecord
 end
 ```
 
-### 0.6.0
-
-0.6.0 adds `encrypted: true` to Active Storage metadata for new files. This field is informational, but if you prefer to add it to existing files, use:
-
-```ruby
-User.with_attached_license.find_each do |user|
-  next unless user.license.attached?
-
-  metadata = user.license.metadata
-  unless metadata["encrypted"]
-    user.license.blob.update!(metadata: metadata.merge("encrypted" => true))
-  end
-end
-```
-
 ## History
 
 View the [changelog](https://github.com/ankane/lockbox/blob/master/CHANGELOG.md)

data/lib/lockbox/active_storage_extensions.rb

@@ -124,6 +124,13 @@ module Lockbox
         super
       end
 
+      if ActiveStorage::VERSION::STRING.to_f == 7.1 && ActiveStorage.version >= "7.1.4"
+        def transform_variants_later
+          blob.instance_variable_set(:@lockbox_encrypted, true) if Utils.encrypted_options(record, name)
+          super
+        end
+      end
+
       if ActiveStorage::VERSION::MAJOR >= 6
         def open(**options)
           blob.open(**options) do |file|
@@ -150,6 +157,12 @@ module Lockbox
     end
 
     module Blob
+      if ActiveStorage::VERSION::STRING.to_f == 7.1 && ActiveStorage.version >= "7.1.4"
+        def preview_image_needed_before_processing_variants?
+          !instance_variable_defined?(:@lockbox_encrypted) && super
+        end
+      end
+
       private
 
       def extract_content_type(io)

data/lib/lockbox/carrier_wave_extensions.rb

@@ -79,7 +79,7 @@ module Lockbox
             while uploader.parent_version
               uploader = uploader.parent_version
             end
-            uploader.class.name.sub(/Uploader\z/, "").underscore
+            uploader.class.name.delete_suffix("Uploader").underscore
           end
         end
 

data/lib/lockbox/migrator.rb

@@ -2,7 +2,7 @@ module Lockbox
   class Migrator
     def initialize(relation, batch_size:)
       @relation = relation
-      @transaction = @relation.respond_to?(:transaction)
+      @transaction = @relation.respond_to?(:transaction) && !mongoid_relation?(base_relation)
       @batch_size = batch_size
     end
 

data/lib/lockbox/model.rb

@@ -137,13 +137,16 @@ module Lockbox
                 # essentially a no-op if already loaded
                 # an exception is thrown if decryption fails
                 self.class.lockbox_attributes.each do |_, lockbox_attribute|
-                  # don't try to decrypt if no decryption key given
-                  next if lockbox_attribute[:algorithm] == "hybrid" && lockbox_attribute[:decryption_key].nil?
-
                   # it is possible that the encrypted attribute is not loaded, eg.
                   # if the record was fetched partially (`User.select(:id).first`).
                   # accessing a not loaded attribute raises an `ActiveModel::MissingAttributeError`.
-                  send(lockbox_attribute[:attribute]) if has_attribute?(lockbox_attribute[:encrypted_attribute])
+                  if has_attribute?(lockbox_attribute[:encrypted_attribute])
+                    begin
+                      send(lockbox_attribute[:attribute])
+                    rescue ArgumentError => e
+                      raise e if e.message != "No decryption key set"
+                    end
+                  end
                 end
                 super
               end
@@ -230,6 +233,20 @@ module Lockbox
               end
 
               if ActiveRecord::VERSION::MAJOR >= 6
+                if ActiveRecord::VERSION::STRING.to_f >= 7.2
+                  def self.insert(attributes, **options)
+                    super(lockbox_map_record_attributes(attributes), **options)
+                  end
+
+                  def self.insert!(attributes, **options)
+                    super(lockbox_map_record_attributes(attributes), **options)
+                  end
+
+                  def self.upsert(attributes, **options)
+                    super(lockbox_map_record_attributes(attributes, check_readonly: true), **options)
+                  end
+                end
+
                 def self.insert_all(attributes, **options)
                   super(lockbox_map_attributes(attributes), **options)
                 end
@@ -248,30 +265,37 @@ module Lockbox
                   return records unless records.is_a?(Array)
 
                   records.map do |attributes|
-                    # transform keys like Active Record
-                    attributes = attributes.transform_keys do |key|
-                      n = key.to_s
-                      attribute_aliases[n] || n
-                    end
+                    lockbox_map_record_attributes(attributes, check_readonly: false)
+                  end
+                end
 
-                    lockbox_attributes = self.lockbox_attributes.slice(*attributes.keys.map(&:to_sym))
-                    lockbox_attributes.each do |key, lockbox_attribute|
-                      attribute = key.to_s
-                      # check read only
-                      # users should mark both plaintext and ciphertext columns
-                      if check_readonly && readonly_attributes.include?(attribute) && !readonly_attributes.include?(lockbox_attribute[:encrypted_attribute].to_s)
-                        warn "[lockbox] WARNING: Mark attribute as readonly: #{lockbox_attribute[:encrypted_attribute]}"
-                      end
-
-                      message = attributes[attribute]
-                      attributes.delete(attribute) unless lockbox_attribute[:migrating]
-                      encrypted_attribute = lockbox_attribute[:encrypted_attribute]
-                      ciphertext = send("generate_#{encrypted_attribute}", message)
-                      attributes[encrypted_attribute] = ciphertext
+                # private
+                def self.lockbox_map_record_attributes(attributes, check_readonly: false)
+                  return attributes unless attributes.is_a?(Hash)
+
+                  # transform keys like Active Record
+                  attributes = attributes.transform_keys do |key|
+                    n = key.to_s
+                    attribute_aliases[n] || n
+                  end
+
+                  lockbox_attributes = self.lockbox_attributes.slice(*attributes.keys.map(&:to_sym))
+                  lockbox_attributes.each do |key, lockbox_attribute|
+                    attribute = key.to_s
+                    # check read only
+                    # users should mark both plaintext and ciphertext columns
+                    if check_readonly && readonly_attributes.include?(attribute) && !readonly_attributes.include?(lockbox_attribute[:encrypted_attribute].to_s)
+                      warn "[lockbox] WARNING: Mark attribute as readonly: #{lockbox_attribute[:encrypted_attribute]}"
                     end
 
-                    attributes
+                    message = attributes[attribute]
+                    attributes.delete(attribute) unless lockbox_attribute[:migrating]
+                    encrypted_attribute = lockbox_attribute[:encrypted_attribute]
+                    ciphertext = send("generate_#{encrypted_attribute}", message)
+                    attributes[encrypted_attribute] = ciphertext
                   end
+
+                  attributes
                 end
               end
             else
@@ -295,7 +319,12 @@ module Lockbox
             end
 
             # warn on default attributes
-            if attributes_to_define_after_schema_loads.key?(name.to_s)
+            if ActiveRecord::VERSION::STRING.to_f >= 7.2
+              # TODO improve
+              if pending_attribute_modifications.any? { |v| v.is_a?(ActiveModel::AttributeRegistration::ClassMethods::PendingDefault) && v.name == name.to_s }
+                warn "[lockbox] WARNING: attributes with `:default` option are not supported. Use `after_initialize` instead."
+              end
+            elsif attributes_to_define_after_schema_loads.key?(name.to_s)
               opt = attributes_to_define_after_schema_loads[name.to_s][1]
 
               has_default =
@@ -347,6 +376,26 @@ module Lockbox
                   serialize name, Array
                 end
               end
+            elsif ActiveRecord::VERSION::STRING.to_f >= 7.2
+              decorate_attributes([name]) do |attr_name, cast_type|
+                if cast_type.instance_of?(ActiveRecord::Type::Value)
+                  original_type = pending_attribute_modifications.find { |v| v.is_a?(ActiveModel::AttributeRegistration::ClassMethods::PendingType) && v.name == original_name.to_s && !v.type.nil? }&.type
+                  if original_type
+                    original_type
+                  elsif options[:migrating]
+                    cast_type
+                  else
+                    ActiveRecord::Type::String.new
+                  end
+                elsif cast_type.is_a?(ActiveRecord::Type::Serialized) && cast_type.subtype.instance_of?(ActiveModel::Type::Value)
+                  # hack to set string type after serialize
+                  # otherwise, type gets set to ActiveModel::Type::Value
+                  # which always returns false for changed_in_place?
+                  ActiveRecord::Type::Serialized.new(ActiveRecord::Type::String.new, cast_type.coder)
+                else
+                  cast_type
+                end
+              end
             elsif !attributes_to_define_after_schema_loads.key?(name.to_s)
               # when migrating it's best to specify the type directly
               # however, we can try to use the original type if its already defined
@@ -360,8 +409,7 @@ module Lockbox
                 attribute name, :string
               end
             else
-              # hack for Active Record 6.1
-              # to set string type after serialize
+              # hack for Active Record 6.1+ to set string type after serialize
               # otherwise, type gets set to ActiveModel::Type::Value
               # which always returns false for changed_in_place?
               # earlier versions of Active Record take the previous code path
@@ -447,12 +495,12 @@ module Lockbox
             # decrypt first for dirty tracking
             # don't raise error if can't decrypt previous
             # don't try to decrypt if no decryption key given
-            unless options[:algorithm] == "hybrid" && options[:decryption_key].nil?
-              begin
-                send(name)
-              rescue Lockbox::DecryptionError
-                warn "[lockbox] Decrypting previous value failed"
-              end
+            begin
+              send(name)
+            rescue Lockbox::DecryptionError
+              warn "[lockbox] Decrypting previous value failed"
+            rescue ArgumentError => e
+              raise e if e.message != "No decryption key set"
             end
 
             send("lockbox_direct_#{name}=", message)
@@ -669,7 +717,8 @@ module Lockbox
     end
 
     def lockbox_encrypts(*attributes, **options)
-      ActiveSupport::Deprecation.warn("`#{__callee__}` is deprecated in favor of `has_encrypted`")
+      deprecator = ActiveSupport::VERSION::STRING.to_f >= 7.2 ? ActiveSupport.deprecator : ActiveSupport::Deprecation
+      deprecator.warn("`#{__callee__}` is deprecated in favor of `has_encrypted`")
       has_encrypted(*attributes, **options)
     end
 

data/lib/lockbox/version.rb

@@ -1,3 +1,3 @@
 module Lockbox
-  VERSION = "1.3.3"
+  VERSION = "1.4.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lockbox
 version: !ruby/object:Gem::Version
-  version: 1.3.3
+  version: 1.4.1
 platform: ruby
 authors:
 - Andrew Kane
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-02-07 00:00:00.000000000 Z
+date: 2024-09-09 00:00:00.000000000 Z
 dependencies: []
 description:
 email: andrew@ankane.org
@@ -58,7 +58,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
+rubygems_version: 3.5.16
 signing_key:
 specification_version: 4
 summary: Modern encryption for Ruby and Rails