lockbox 0.2.5 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 33199b663aaa289ff221bd83278063e366501185112f9aea61ea52997c6646fb
-  data.tar.gz: 3d8556b252b574c69cd50244cc752302825cae423daf6bcbac5a0f07b6a83d9d
+  metadata.gz: 6ba8d72d01b0dd6f8562bfb0980f9131e3670378299de01762cfefb6dd808857
+  data.tar.gz: ace013580f48bb9c0950f2393726ff8a05923e626babdc9102a89bc6bd5c5043
 SHA512:
-  metadata.gz: 9246245fe128a27292ee9a365ab04fcb0acfd3336b838aeef5756353d35add2248911916e6dec4ed46cb0adf01576ac8fb98066cb6a35aec7827144d5d208d40
-  data.tar.gz: 98273c362d05eca1b66cc578264c18db1a66007fd461ae0d3d8919305f9c34b9af70450a5fe3b318357fe296fc0455b52f52d7b2313a04269101fdf50b408df4
+  metadata.gz: 29c1efa284ef09cb81e30bbc26b0f53a29793412e5f6983dd47af8a2b4258c56449cfd9f3410218b354abf56f655cbde33e60f6f5b2ef03037c32cfa258685f2
+  data.tar.gz: a8d52b8a2a650bfe6c792c68b89dade741913081f10cda760dd76ccf74bbf5c6ac282b87fd02380eb4eff2899caba591fec1a95e325819f7688baa7cedfc081f

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 0.3.0 (2019-12-22)
+
+- Added support for custom types
+- Added support for virtual attributes
+- Made many Mongoid methods consistent with unencrypted columns
+- Made `was` and `in_database` methods consistent with unencrypted columns before an update
+- Made `restore` methods restore ciphertext
+- Fixed virtual attribute being saved with `nil` for Mongoid
+- Changed `Lockbox` to module
+
 ## 0.2.5 (2019-12-14)
 
 - Made `model.attribute?` consistent with unencrypted columns

data/README.md

@@ -5,7 +5,7 @@
 - Uses state-of-the-art algorithms
 - Works with database fields, files, and strings
 - Stores encrypted data in a single field
-- Requires you to only manage a single encryption key
+- Requires you to only manage a single encryption key (with the option to have more)
 - Makes migrating existing data and key rotation easy
 
 Learn [the principles behind it](https://ankane.org/modern-encryption-rails), [how to secure emails](https://ankane.org/securing-user-emails-lockbox), and [how to secure sensitive data in Rails](https://ankane.org/sensitive-data-rails)
@@ -117,10 +117,22 @@ Lockbox automatically works with serialized fields for maximum compatibility wit
 ```ruby
 class User < ApplicationRecord
   serialize :properties, JSON
-  encrypts :properties
-
   store :settings, accessors: [:color, :homepage]
-  encrypts :settings
+  attribute :configuration, CustomType.new
+
+  encrypts :properties, :settings, :configuration
+end
+```
+
+For [StoreModel](https://github.com/DmitryTsepelev/store_model), use:
+
+```ruby
+class User < ApplicationRecord
+  encrypts :configuration, type: Configuration.to_type
+
+  after_initialize do
+    self.configuration ||= {}
+  end
 end
 ```
 
@@ -307,6 +319,8 @@ Finally, drop the unencrypted column.
 
 To make key rotation easy, you can pass previous versions of keys that can decrypt.
 
+### Active Record
+
 For Active Record, use:
 
 ```ruby
@@ -321,6 +335,24 @@ To rotate, use:
 user.update!(email: user.email)
 ```
 
+### Mongoid
+
+For Mongoid, use:
+
+```ruby
+class User
+  encrypts :email, previous_versions: [{key: previous_key}]
+end
+```
+
+To rotate, use:
+
+```ruby
+user.update!(email: user.email)
+```
+
+### Active Storage
+
 For Active Storage use:
 
 ```ruby
@@ -335,6 +367,8 @@ To rotate existing files, use:
 user.license.rotate_encryption!
 ```
 
+### CarrierWave
+
 For CarrierWave, use:
 
 ```ruby
@@ -349,6 +383,8 @@ To rotate existing files, use:
 user.license.rotate_encryption!
 ```
 
+### Strings
+
 For strings, use:
 
 ```ruby

data/lib/lockbox/active_storage_extensions.rb

@@ -2,7 +2,7 @@
 # however, there isn't really a great place to define encryption settings there
 # instead, we encrypt and decrypt at the attachment level,
 # and we define encryption settings at the model level
-class Lockbox
+module Lockbox
   module ActiveStorageExtensions
     module Attached
       protected

data/lib/lockbox/aes_gcm.rb

@@ -1,4 +1,4 @@
-class Lockbox
+module Lockbox
   class AES_GCM
     def initialize(key)
       raise ArgumentError, "Key must be 32 bytes" unless key && key.bytesize == 32

data/lib/lockbox/box.rb

@@ -1,11 +1,11 @@
-class Lockbox
+module Lockbox
   class Box
     def initialize(key: nil, algorithm: nil, encryption_key: nil, decryption_key: nil, padding: false)
       raise ArgumentError, "Cannot pass both key and public/private key" if key && (encryption_key || decryption_key)
 
       key = Lockbox::Utils.decode_key(key) if key
-      encryption_key = Lockbox::Utils.decode_key(encryption_key) if encryption_key
-      decryption_key = Lockbox::Utils.decode_key(decryption_key) if decryption_key
+      encryption_key = Lockbox::Utils.decode_key(encryption_key, size: 64) if encryption_key
+      decryption_key = Lockbox::Utils.decode_key(decryption_key, size: 64) if decryption_key
 
       algorithm ||= "aes-gcm"
 
@@ -44,6 +44,7 @@ class Lockbox
         nonce = generate_nonce(@encryption_box)
         ciphertext = @encryption_box.encrypt(nonce, message)
       when "xsalsa20"
+        raise ArgumentError, "Associated data not supported with this algorithm" if associated_data
         nonce = generate_nonce(@box)
         ciphertext = @box.encrypt(nonce, message)
       else
@@ -62,6 +63,7 @@ class Lockbox
           nonce, ciphertext = extract_nonce(@decryption_box, ciphertext)
           @decryption_box.decrypt(nonce, ciphertext)
         when "xsalsa20"
+          raise ArgumentError, "Associated data not supported with this algorithm" if associated_data
           nonce, ciphertext = extract_nonce(@box, ciphertext)
           @box.decrypt(nonce, ciphertext)
         else

data/lib/lockbox/carrier_wave_extensions.rb

@@ -1,4 +1,4 @@
-class Lockbox
+module Lockbox
   module CarrierWaveExtensions
     def encrypt(**options)
       class_eval do

data/lib/lockbox/encryptor.rb

@@ -1,13 +1,92 @@
-class Lockbox
+module Lockbox
   class Encryptor
+    def initialize(**options)
+      options = Lockbox.default_options.merge(options)
+      previous_versions = options.delete(:previous_versions)
+
+      @boxes =
+        [Box.new(options)] +
+        Array(previous_versions).map { |v| Box.new({key: options[:key]}.merge(v)) }
+    end
+
+    def encrypt(message, **options)
+      message = check_string(message, "message")
+      @boxes.first.encrypt(message, **options)
+    end
+
+    def decrypt(ciphertext, **options)
+      ciphertext = check_string(ciphertext, "ciphertext")
+
+      # ensure binary
+      if ciphertext.encoding != Encoding::BINARY
+        # dup to prevent mutation
+        ciphertext = ciphertext.dup.force_encoding(Encoding::BINARY)
+      end
+
+      @boxes.each_with_index do |box, i|
+        begin
+          return box.decrypt(ciphertext, **options)
+        rescue => e
+          # returning DecryptionError instead of PaddingError
+          # is for end-user convenience, not for security
+          error_classes = [DecryptionError, PaddingError]
+          error_classes << RbNaCl::LengthError if defined?(RbNaCl::LengthError)
+          error_classes << RbNaCl::CryptoError if defined?(RbNaCl::CryptoError)
+          if error_classes.any? { |ec| e.is_a?(ec) }
+            raise DecryptionError, "Decryption failed" if i == @boxes.size - 1
+          else
+            raise e
+          end
+        end
+      end
+    end
+
+    def encrypt_io(io, **options)
+      new_io = Lockbox::IO.new(encrypt(io.read, **options))
+      copy_metadata(io, new_io)
+      new_io
+    end
+
+    def decrypt_io(io, **options)
+      new_io = Lockbox::IO.new(decrypt(io.read, **options))
+      copy_metadata(io, new_io)
+      new_io
+    end
+
+    def decrypt_str(ciphertext, **options)
+      message = decrypt(ciphertext, **options)
+      message.force_encoding(Encoding::UTF_8)
+    end
+
+    private
+
+    def check_string(str, name)
+      str = str.read if str.respond_to?(:read)
+      raise TypeError, "can't convert #{name} to string" unless str.respond_to?(:to_str)
+      str.to_str
+    end
+
+    def copy_metadata(source, target)
+      target.original_filename =
+        if source.respond_to?(:original_filename)
+          source.original_filename
+        elsif source.respond_to?(:path)
+          File.basename(source.path)
+        end
+      target.content_type = source.content_type if source.respond_to?(:content_type)
+    end
+
+    # legacy for attr_encrypted
     def self.encrypt(options)
       box(options).encrypt(options[:value])
     end
 
+    # legacy for attr_encrypted
     def self.decrypt(options)
       box(options).decrypt(options[:value])
     end
 
+    # legacy for attr_encrypted
     def self.box(options)
       options = options.slice(:key, :encryption_key, :decryption_key, :algorithm, :previous_versions)
       options[:algorithm] = "aes-gcm" if options[:algorithm] == "aes-256-gcm"

data/lib/lockbox/io.rb

@@ -1,4 +1,4 @@
-class Lockbox
+module Lockbox
   class IO < StringIO
     attr_accessor :original_filename, :content_type
   end

data/lib/lockbox/key_generator.rb

@@ -1,4 +1,4 @@
-class Lockbox
+module Lockbox
   class KeyGenerator
     def initialize(master_key)
       @master_key = master_key

data/lib/lockbox/migrator.rb

@@ -0,0 +1,58 @@
+module Lockbox
+  class Migrator
+    def initialize(model)
+      @model = model
+    end
+
+    def migrate(restart:)
+      model = @model
+
+      # get fields
+      fields = model.lockbox_attributes.select { |k, v| v[:migrating] }
+
+      # get blind indexes
+      blind_indexes = model.respond_to?(:blind_indexes) ? model.blind_indexes.select { |k, v| v[:migrating] } : {}
+
+      # build relation
+      relation = model.unscoped
+
+      unless restart
+        attributes = fields.map { |_, v| v[:encrypted_attribute] }
+        attributes += blind_indexes.map { |_, v| v[:bidx_attribute] }
+
+        if defined?(ActiveRecord::Base) && model.is_a?(ActiveRecord::Base)
+          attributes.each_with_index do |attribute, i|
+            relation =
+              if i == 0
+                relation.where(attribute => nil)
+              else
+                relation.or(model.unscoped.where(attribute => nil))
+              end
+          end
+        end
+      end
+
+      if relation.respond_to?(:find_each)
+        relation.find_each do |record|
+          migrate_record(record, fields: fields, blind_indexes: blind_indexes, restart: restart)
+        end
+      else
+        relation.all.each do |record|
+          migrate_record(record, fields: fields, blind_indexes: blind_indexes, restart: restart)
+        end
+      end
+    end
+
+    private
+
+    def migrate_record(record, fields:, blind_indexes:, restart:)
+      fields.each do |k, v|
+        record.send("#{v[:attribute]}=", record.send(k)) if restart || !record.send(v[:encrypted_attribute])
+      end
+      blind_indexes.each do |k, v|
+        record.send("compute_#{k}_bidx") if restart || !record.send(v[:bidx_attribute])
+      end
+      record.save(validate: false) if record.changed?
+    end
+  end
+end

data/lib/lockbox/model.rb

@@ -1,4 +1,4 @@
-class Lockbox
+module Lockbox
   module Model
     def attached_encrypted(attribute, **options)
       warn "[lockbox] DEPRECATION WARNING: Use encrypts_attached instead"
@@ -12,7 +12,7 @@ class Lockbox
         class_eval do
           @lockbox_attachments ||= {}
 
-          unless respond_to?(:lockbox_attachments)
+          if @lockbox_attachments.empty?
             def self.lockbox_attachments
               parent_attachments =
                 if superclass.respond_to?(:lockbox_attachments)
@@ -31,7 +31,7 @@ class Lockbox
       end
     end
 
-    def encrypts(*attributes, encode: true, **options)
+    def encrypts(*attributes, **options)
       # support objects
       # case options[:type]
       # when Date
@@ -50,17 +50,11 @@ class Lockbox
       #   options[:type] = :float
       # end
 
-      raise ArgumentError, "Unknown type: #{options[:type]}" unless [nil, :string, :boolean, :date, :datetime, :time, :integer, :float, :binary, :json, :hash].include?(options[:type])
+      custom_type = options[:type].respond_to?(:serialize) && options[:type].respond_to?(:deserialize)
+      raise ArgumentError, "Unknown type: #{options[:type]}" unless custom_type || [nil, :string, :boolean, :date, :datetime, :time, :integer, :float, :binary, :json, :hash].include?(options[:type])
 
-      attribute_type =
-        case options[:type]
-        when nil, :json, :hash
-          :string
-        when :integer
-          ActiveModel::Type::Integer.new(limit: 8)
-        else
-          options[:type]
-        end
+      activerecord = defined?(ActiveRecord::Base) && self < ActiveRecord::Base
+      raise ArgumentError, "Type not supported yet with Mongoid" if options[:type] && !activerecord
 
       attributes.each do |name|
         # add default options
@@ -76,18 +70,15 @@ class Lockbox
 
         options[:attribute] = name.to_s
         options[:encrypted_attribute] = encrypted_attribute
-        class_method_name = "generate_#{encrypted_attribute}"
+        options[:encode] = true unless options.key?(:encode)
 
-        class_eval do
-          if options[:migrating]
-            before_validation do
-              send("#{name}=", send(original_name)) if send("#{original_name}_changed?")
-            end
-          end
+        encrypt_method_name = "generate_#{encrypted_attribute}"
+        decrypt_method_name = "decrypt_#{encrypted_attribute}"
 
+        class_eval do
           @lockbox_attributes ||= {}
 
-          unless respond_to?(:lockbox_attributes)
+          if @lockbox_attributes.empty?
             def self.lockbox_attributes
               parent_attributes =
                 if superclass.respond_to?(:lockbox_attributes)
@@ -98,12 +89,7 @@ class Lockbox
 
               parent_attributes.merge(@lockbox_attributes || {})
             end
-          end
 
-          raise "Duplicate encrypted attribute: #{original_name}" if lockbox_attributes[original_name]
-          @lockbox_attributes[original_name] = options.merge(encode: encode)
-
-          if @lockbox_attributes.size == 1
             # use same approach as activerecord serialization
             def serializable_hash(options = nil)
               options = options.try(:dup) || {}
@@ -123,23 +109,20 @@ class Lockbox
               "#<#{self.class} #{inspection.join(", ")}>"
             end
 
-            # needed for in-place modifications
-            # assigned attributes are encrypted on assignment
-            # and then again here
-            before_save do
-              self.class.lockbox_attributes.each do |_, lockbox_attribute|
-                attribute = lockbox_attribute[:attribute]
+            if activerecord
+              # needed for in-place modifications
+              # assigned attributes are encrypted on assignment
+              # and then again here
+              before_save do
+                self.class.lockbox_attributes.each do |_, lockbox_attribute|
+                  attribute = lockbox_attribute[:attribute]
 
-                if changes.include?(attribute)
-                  type = (self.class.try(:attribute_types) || {})[attribute]
-                  if type && type.is_a?(ActiveRecord::Type::Serialized)
+                  if attribute_changed_in_place?(attribute)
                     send("#{attribute}=", send(attribute))
                   end
                 end
               end
-            end
-
-            if defined?(Mongoid::Document) && included_modules.include?(Mongoid::Document)
+            else
               def reload
                 self.class.lockbox_attributes.each do |_, v|
                   instance_variable_set("@#{v[:attribute]}", nil)
@@ -149,27 +132,56 @@ class Lockbox
             end
           end
 
-          serialize name, JSON if options[:type] == :json
-          serialize name, Hash if options[:type] == :hash
+          raise "Duplicate encrypted attribute: #{original_name}" if lockbox_attributes[original_name]
+          @lockbox_attributes[original_name] = options
+
+          if activerecord
+            # preference:
+            # 1. type option
+            # 2. existing virtual attribute
+            # 3. default to string (which can later be overridden)
+            if options[:type]
+              attribute_type =
+                case options[:type]
+                when :json, :hash
+                  :string
+                when :integer
+                  ActiveModel::Type::Integer.new(limit: 8)
+                else
+                  options[:type]
+                end
+
+              attribute name, attribute_type
+
+              serialize name, JSON if options[:type] == :json
+              serialize name, Hash if options[:type] == :hash
+            elsif !attributes_to_define_after_schema_loads.key?(name.to_s)
+              attribute name, :string
+            end
+
+            define_method("#{name}_was") do
+              send(name) # writes attribute when not already set
+              super()
+            end
 
-          if respond_to?(:attribute)
-            attribute name, attribute_type
+            # restore ciphertext as well
+            define_method("restore_#{name}!") do
+              super()
+              send("restore_#{encrypted_attribute}!")
+            end
 
-            define_method("#{name}?") do
-              send("#{encrypted_attribute}?")
+            if ActiveRecord::VERSION::STRING >= "5.1"
+              define_method("#{name}_in_database") do
+                send(name) # writes attribute when not already set
+                super()
+              end
             end
           else
+            # keep this module dead simple
+            # Mongoid uses changed_attributes to calculate keys to update
+            # so we shouldn't mess with it
             m = Module.new do
               define_method("#{name}=") do |val|
-                prev_val = instance_variable_get("@#{name}")
-
-                unless val == prev_val
-                  # custom attribute_will_change! method
-                  unless changed_attributes.key?(name.to_s)
-                    changed_attributes[name.to_s] = prev_val.__deep_copy__
-                  end
-                end
-
                 instance_variable_set("@#{name}", val)
               end
 
@@ -183,10 +195,32 @@ class Lockbox
             alias_method "#{name}_changed?", "#{encrypted_attribute}_changed?"
 
             define_method "#{name}_was" do
-              attribute_was(name.to_s)
+              ciphertext = send("#{encrypted_attribute}_was")
+              self.class.send(decrypt_method_name, ciphertext, context: self)
+            end
+
+            define_method "#{name}_change" do
+              ciphertexts = send("#{encrypted_attribute}_change")
+              ciphertexts.map { |v| self.class.send(decrypt_method_name, v, context: self) } if ciphertexts
+            end
+
+            define_method "reset_#{name}!" do
+              instance_variable_set("@#{name}", nil)
+              send("reset_#{encrypted_attribute}!")
+              send(name)
+            end
+
+            define_method "reset_#{name}_to_default!" do
+              instance_variable_set("@#{name}", nil)
+              send("reset_#{encrypted_attribute}_to_default!")
+              send(name)
             end
           end
 
+          define_method("#{name}?") do
+            send("#{encrypted_attribute}?")
+          end
+
           define_method("#{name}=") do |message|
             original_message = message
 
@@ -199,7 +233,7 @@ class Lockbox
             end
 
             # set ciphertext
-            ciphertext = self.class.send(class_method_name, message, context: self)
+            ciphertext = self.class.send(encrypt_method_name, message, context: self)
             send("#{encrypted_attribute}=", ciphertext)
 
             super(original_message)
@@ -210,53 +244,20 @@ class Lockbox
 
             unless message
               ciphertext = send(encrypted_attribute)
-              message =
-                if ciphertext.nil? || (ciphertext == "" && !options[:padding])
-                  ciphertext
-                else
-                  ciphertext = Base64.decode64(ciphertext) if encode
-                  table = self.class.respond_to?(:table_name) ? self.class.table_name : self.class.collection_name.to_s
-                  Lockbox::Utils.build_box(self, options, table, encrypted_attribute).decrypt(ciphertext)
+              message = self.class.send(decrypt_method_name, ciphertext, context: self)
+
+              if activerecord
+                # set previous attribute on first decrypt
+                if @attributes[name.to_s]
+                  @attributes[name.to_s].instance_variable_set("@value_before_type_cast", message)
                 end
 
-              unless message.nil?
-                case options[:type]
-                when :boolean
-                  message = message == "t"
-                when :date
-                  message = ActiveRecord::Type::Date.new.deserialize(message)
-                when :datetime
-                  message = ActiveRecord::Type::DateTime.new.deserialize(message)
-                when :time
-                  message = ActiveRecord::Type::Time.new.deserialize(message)
-                when :integer
-                  message = ActiveRecord::Type::Integer.new(limit: 8).deserialize(message.unpack("q>").first)
-                when :float
-                  message = ActiveRecord::Type::Float.new.deserialize(message.unpack("G").first)
-                when :string
-                  message.force_encoding(Encoding::UTF_8)
-                when :binary
-                  # do nothing
-                  # decrypt returns binary string
+                # cache
+                if respond_to?(:_write_attribute, true)
+                  _write_attribute(name, message) if !@attributes.frozen?
                 else
-                  type = (self.class.try(:attribute_types) || {})[name.to_s]
-                  if type && type.is_a?(ActiveRecord::Type::Serialized)
-                    message = type.deserialize(message)
-                  else
-                    # default to string if not serialized
-                    message.force_encoding(Encoding::UTF_8)
-                  end
+                  raw_write_attribute(name, message) if !@attributes.frozen?
                 end
-              end
-
-              # set previous attribute on first decrypt
-              @attributes[name.to_s].instance_variable_set("@value_before_type_cast", message) if @attributes[name.to_s]
-
-              # cache
-              if respond_to?(:_write_attribute, true)
-                _write_attribute(name, message)
-              elsif respond_to?(:raw_write_attribute)
-                raw_write_attribute(name, message)
               else
                 instance_variable_set("@#{name}", message)
               end
@@ -266,8 +267,8 @@ class Lockbox
           end
 
           # for fixtures
-          define_singleton_method class_method_name do |message, **opts|
-            table = respond_to?(:table_name) ? table_name : collection_name.to_s
+          define_singleton_method encrypt_method_name do |message, **opts|
+            table = activerecord ? table_name : collection_name.to_s
 
             unless message.nil?
               case options[:type]
@@ -302,9 +303,7 @@ class Lockbox
                 # encrypt will convert to binary
               else
                 type = (try(:attribute_types) || {})[name.to_s]
-                if type && type.is_a?(ActiveRecord::Type::Serialized)
-                  message = type.serialize(message)
-                end
+                message = type.serialize(message) if type
               end
             end
 
@@ -312,10 +311,55 @@ class Lockbox
               message
             else
               ciphertext = Lockbox::Utils.build_box(opts[:context], options, table, encrypted_attribute).encrypt(message)
-              ciphertext = Base64.strict_encode64(ciphertext) if encode
+              ciphertext = Base64.strict_encode64(ciphertext) if options[:encode]
               ciphertext
             end
           end
+
+          define_singleton_method decrypt_method_name do |ciphertext, **opts|
+            message =
+              if ciphertext.nil? || (ciphertext == "" && !options[:padding])
+                ciphertext
+              else
+                ciphertext = Base64.decode64(ciphertext) if options[:encode]
+                table = activerecord ? table_name : collection_name.to_s
+                Lockbox::Utils.build_box(opts[:context], options, table, encrypted_attribute).decrypt(ciphertext)
+              end
+
+            unless message.nil?
+              case options[:type]
+              when :boolean
+                message = message == "t"
+              when :date
+                message = ActiveRecord::Type::Date.new.deserialize(message)
+              when :datetime
+                message = ActiveRecord::Type::DateTime.new.deserialize(message)
+              when :time
+                message = ActiveRecord::Type::Time.new.deserialize(message)
+              when :integer
+                message = ActiveRecord::Type::Integer.new(limit: 8).deserialize(message.unpack("q>").first)
+              when :float
+                message = ActiveRecord::Type::Float.new.deserialize(message.unpack("G").first)
+              when :string
+                message.force_encoding(Encoding::UTF_8)
+              when :binary
+                # do nothing
+                # decrypt returns binary string
+              else
+                type = (try(:attribute_types) || {})[name.to_s]
+                message = type.deserialize(message) if type
+                message.force_encoding(Encoding::UTF_8) if !type || type.is_a?(ActiveModel::Type::String)
+              end
+            end
+
+            message
+          end
+
+          if options[:migrating]
+            before_validation do
+              send("#{name}=", send(original_name)) if send("#{original_name}_changed?")
+            end
+          end
         end
       end
     end

data/lib/lockbox/padding.rb

@@ -0,0 +1,52 @@
+module Lockbox
+  module Padding
+    PAD_FIRST_BYTE = "\x80".b
+    PAD_ZERO_BYTE = "\x00".b
+
+    # ISO/IEC 7816-4
+    # same as Libsodium
+    # https://libsodium.gitbook.io/doc/padding
+    # apply prior to encryption
+    # note: current implementation does not
+    # try to minimize side channels
+    def pad(str, size: 16)
+      raise ArgumentError, "Invalid size" if size < 1
+
+      str = str.dup.force_encoding(Encoding::BINARY)
+
+      pad_length = size - 1
+      pad_length -= str.bytesize % size
+
+      str << PAD_FIRST_BYTE
+      pad_length.times do
+        str << PAD_ZERO_BYTE
+      end
+
+      str
+    end
+
+    # note: current implementation does not
+    # try to minimize side channels
+    def unpad(str, size: 16)
+      raise ArgumentError, "Invalid size" if size < 1
+
+      if str.encoding != Encoding::BINARY
+        str = str.dup.force_encoding(Encoding::BINARY)
+      end
+
+      i = 1
+      while i <= size
+        case str[-i]
+        when PAD_ZERO_BYTE
+          i += 1
+        when PAD_FIRST_BYTE
+          return str[0..-(i + 1)]
+        else
+          break
+        end
+      end
+
+      raise Lockbox::PaddingError, "Invalid padding"
+    end
+  end
+end

data/lib/lockbox/railtie.rb

@@ -1,4 +1,4 @@
-class Lockbox
+module Lockbox
   class Railtie < Rails::Railtie
     initializer "lockbox" do |app|
       require "lockbox/carrier_wave_extensions" if defined?(CarrierWave)

data/lib/lockbox/utils.rb

@@ -1,4 +1,4 @@
-class Lockbox
+module Lockbox
   class Utils
     def self.build_box(context, options, table, attribute)
       options = options.except(:attribute, :encrypted_attribute, :migrating, :attached, :type, :encode)
@@ -21,10 +21,14 @@ class Lockbox
       record.class.respond_to?(:lockbox_attachments) ? record.class.lockbox_attachments[name.to_sym] : nil
     end
 
-    def self.decode_key(key)
-      if key.encoding != Encoding::BINARY && key =~ /\A[0-9a-f]{64,128}\z/i
+    def self.decode_key(key, size: 32)
+      if key.encoding != Encoding::BINARY && key =~ /\A[0-9a-f]{#{size * 2}}\z/i
         key = [key].pack("H*")
       end
+
+      raise Lockbox::Error, "Key must use binary encoding" if key.encoding != Encoding::BINARY
+      raise Lockbox::Error, "Key must be 32 bytes" if key.bytesize != size
+
       key
     end
 
@@ -37,24 +41,20 @@ class Lockbox
       box = build_box(record, options, record.class.table_name, name)
 
       case attachable
-      when ActiveStorage::Blob
-        raise NotImplementedError, "Not supported"
       when ActionDispatch::Http::UploadedFile, Rack::Test::UploadedFile
         attachable = {
-          io: StringIO.new(box.encrypt(attachable.read)),
+          io: box.encrypt_io(attachable),
           filename: attachable.original_filename,
           content_type: attachable.content_type
         }
       when Hash
         attachable = {
-          io: StringIO.new(box.encrypt(attachable[:io].read)),
+          io: box.encrypt_io(attachable[:io]),
           filename: attachable[:filename],
           content_type: attachable[:content_type]
         }
-      when String
-        raise NotImplementedError, "Not supported"
       else
-        nil
+        raise NotImplementedError, "Not supported"
       end
 
       attachable

data/lib/lockbox/version.rb

@@ -1,3 +1,3 @@
-class Lockbox
-  VERSION = "0.2.5"
+module Lockbox
+  VERSION = "0.3.0"
 end

data/lib/lockbox.rb

@@ -7,7 +7,9 @@ require "lockbox/box"
 require "lockbox/encryptor"
 require "lockbox/key_generator"
 require "lockbox/io"
+require "lockbox/migrator"
 require "lockbox/model"
+require "lockbox/padding"
 require "lockbox/utils"
 require "lockbox/version"
 
@@ -25,11 +27,13 @@ if defined?(ActiveSupport)
   end
 end
 
-class Lockbox
+module Lockbox
   class Error < StandardError; end
   class DecryptionError < Error; end
   class PaddingError < Error; end
 
+  extend Padding
+
   class << self
     attr_accessor :default_options
     attr_writer :master_key
@@ -41,109 +45,7 @@ class Lockbox
   end
 
   def self.migrate(model, restart: false)
-    # get fields
-    fields = model.lockbox_attributes.select { |k, v| v[:migrating] }
-
-    # get blind indexes
-    blind_indexes = model.respond_to?(:blind_indexes) ? model.blind_indexes.select { |k, v| v[:migrating] } : {}
-
-    # build relation
-    relation = model.unscoped
-
-    unless restart
-      attributes = fields.map { |_, v| v[:encrypted_attribute] }
-      attributes += blind_indexes.map { |_, v| v[:bidx_attribute] }
-
-      if defined?(ActiveRecord::Base) && model.is_a?(ActiveRecord::Base)
-        attributes.each_with_index do |attribute, i|
-          relation =
-            if i == 0
-              relation.where(attribute => nil)
-            else
-              relation.or(model.unscoped.where(attribute => nil))
-            end
-        end
-      end
-    end
-
-    if relation.respond_to?(:find_each)
-      relation.find_each do |record|
-        migrate_record(record, fields: fields, blind_indexes: blind_indexes, restart: restart)
-      end
-    else
-      relation.all.each do |record|
-        migrate_record(record, fields: fields, blind_indexes: blind_indexes, restart: restart)
-      end
-    end
-  end
-
-  # private
-  def self.migrate_record(record, fields:, blind_indexes:, restart:)
-    fields.each do |k, v|
-      record.send("#{v[:attribute]}=", record.send(k)) if restart || !record.send(v[:encrypted_attribute])
-    end
-    blind_indexes.each do |k, v|
-      record.send("compute_#{k}_bidx") if restart || !record.send(v[:bidx_attribute])
-    end
-    record.save(validate: false) if record.changed?
-  end
-
-  def initialize(**options)
-    options = self.class.default_options.merge(options)
-    previous_versions = options.delete(:previous_versions)
-
-    @boxes =
-      [Box.new(options)] +
-      Array(previous_versions).map { |v| Box.new({key: options[:key]}.merge(v)) }
-  end
-
-  def encrypt(message, **options)
-    message = check_string(message, "message")
-    @boxes.first.encrypt(message, **options)
-  end
-
-  def decrypt(ciphertext, **options)
-    ciphertext = check_string(ciphertext, "ciphertext")
-
-    # ensure binary
-    if ciphertext.encoding != Encoding::BINARY
-      # dup to prevent mutation
-      ciphertext = ciphertext.dup.force_encoding(Encoding::BINARY)
-    end
-
-    @boxes.each_with_index do |box, i|
-      begin
-        return box.decrypt(ciphertext, **options)
-      rescue => e
-        # returning DecryptionError instead of PaddingError
-        # is for end-user convenience, not for security
-        error_classes = [DecryptionError, PaddingError]
-        error_classes << RbNaCl::LengthError if defined?(RbNaCl::LengthError)
-        error_classes << RbNaCl::CryptoError if defined?(RbNaCl::CryptoError)
-        if error_classes.any? { |ec| e.is_a?(ec) }
-          raise DecryptionError, "Decryption failed" if i == @boxes.size - 1
-        else
-          raise e
-        end
-      end
-    end
-  end
-
-  def encrypt_io(io, **options)
-    new_io = Lockbox::IO.new(encrypt(io.read, **options))
-    copy_metadata(io, new_io)
-    new_io
-  end
-
-  def decrypt_io(io, **options)
-    new_io = Lockbox::IO.new(decrypt(io.read, **options))
-    copy_metadata(io, new_io)
-    new_io
-  end
-
-  def decrypt_str(ciphertext, **options)
-    message = decrypt(ciphertext, **options)
-    message.force_encoding(Encoding::UTF_8)
+    Migrator.new(model).migrate(restart: restart)
   end
 
   def self.generate_key
@@ -177,70 +79,8 @@ class Lockbox
     str.unpack("H*").first
   end
 
-  PAD_FIRST_BYTE = "\x80".b
-  PAD_ZERO_BYTE = "\x00".b
-
-  # ISO/IEC 7816-4
-  # same as Libsodium
-  # https://libsodium.gitbook.io/doc/padding
-  # apply prior to encryption
-  # note: current implementation does not
-  # try to minimize side channels
-  def self.pad(str, size: 16)
-    raise ArgumentError, "Invalid size" if size < 1
-
-    str = str.dup.force_encoding(Encoding::BINARY)
-
-    pad_length = size - 1
-    pad_length -= str.bytesize % size
-
-    str << PAD_FIRST_BYTE
-    pad_length.times do
-      str << PAD_ZERO_BYTE
-    end
-
-    str
-  end
-
-  # note: current implementation does not
-  # try to minimize side channels
-  def self.unpad(str, size: 16)
-    raise ArgumentError, "Invalid size" if size < 1
-
-    if str.encoding != Encoding::BINARY
-      str = str.dup.force_encoding(Encoding::BINARY)
-    end
-
-    i = 1
-    while i <= size
-      case str[-i]
-      when PAD_ZERO_BYTE
-        i += 1
-      when PAD_FIRST_BYTE
-        return str[0..-(i + 1)]
-      else
-        break
-      end
-    end
-
-    raise Lockbox::PaddingError, "Invalid padding"
-  end
-
-  private
-
-  def check_string(str, name)
-    str = str.read if str.respond_to?(:read)
-    raise TypeError, "can't convert #{name} to string" unless str.respond_to?(:to_str)
-    str.to_str
-  end
-
-  def copy_metadata(source, target)
-    target.original_filename =
-      if source.respond_to?(:original_filename)
-        source.original_filename
-      elsif source.respond_to?(:path)
-        File.basename(source.path)
-      end
-    target.content_type = source.content_type if source.respond_to?(:content_type)
+  # legacy
+  def self.new(**options)
+    Encryptor.new(**options)
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lockbox
 version: !ruby/object:Gem::Version
-  version: 0.2.5
+  version: 0.3.0
 platform: ruby
 authors:
 - Andrew Kane
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-12-14 00:00:00.000000000 Z
+date: 2019-12-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -195,7 +195,9 @@ files:
 - lib/lockbox/encryptor.rb
 - lib/lockbox/io.rb
 - lib/lockbox/key_generator.rb
+- lib/lockbox/migrator.rb
 - lib/lockbox/model.rb
+- lib/lockbox/padding.rb
 - lib/lockbox/railtie.rb
 - lib/lockbox/utils.rb
 - lib/lockbox/version.rb