RubyGems - lockbox - Versions diffs - 0.4.7 → 0.4.8 - Mend

lockbox 0.4.7 → 0.4.8

Files changed (8) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3f8c447dd90537203a1a3038c347c10de0e48f5b29795b382a2a77019e6e5764
-  data.tar.gz: 9133e9eb0c2132b7c77c39f8c24a3c27ea9b3cbb1d3d82f7f069b2db9992198f
+  metadata.gz: a560c020c3adf21952f81767ffc9b5b4586784f62d748f484e7bacbd4076a64a
+  data.tar.gz: 59d05b405b4cd46da679ef4f03a53fae03cc78d7cdfe89bab13cd6981b76a4da
 SHA512:
-  metadata.gz: 4396ee4ead0de0592e7a3574b563f98d58f0402198dd8662cbdc374cc5f8a39e629f6397414b498456c665e8a635518db3a532056ecd42154206fde4ab938e5c
-  data.tar.gz: 6057ea6f43db261580a0ee0ae13f1303251d2ee8ef2b1bcdba8399b6a858dca1fdf6c84e25f5da85a059a6d260be7094969e2118ff11a8c1d2565617c48f74cd
+  metadata.gz: 8d6217f47cc9c38ad8cf3db11b2a3a2936950b97f91ea168c5f2e4f8a1d9a5916c832286f08156869fbecf89d05dfc9bd7c4ecade9b9b4384488c936a292a1a6
+  data.tar.gz: 3ddf36244c68b6b0bebad62801366d9827e6bee520717f1d544cfc6a18e798c644a158b68ac295fa87cef45ce5b922f37e89c5e39a5882ccb9fe512e725e778b

data/CHANGELOG.md CHANGED

@@ -1,3 +1,9 @@
+## 0.4.8 (2020-08-30)
+- Added `key_table` and `key_attribute` options
+- Added warning when no attributes specified
+- Fixed error when Active Support partially loaded
 ## 0.4.7 (2020-08-18)
 - Added `lockbox_options` method to encrypted CarrierWave uploaders

data/README.md CHANGED

@@ -2,12 +2,10 @@
 :package: Modern encryption for Rails
-- Uses state-of-the-art algorithms
 - Works with database fields, files, and strings
+- Maximizes compatibility with existing code and libraries
 - Makes migrating existing data and key rotation easy
-Lockbox aims to make encryption as friendly and intuitive as possible. Encrypted fields and files behave just like unencrypted ones for maximum compatibility with 3rd party libraries and existing code.
 Learn [the principles behind it](https://ankane.org/modern-encryption-rails), [how to secure emails with Devise](https://ankane.org/securing-user-emails-lockbox), and [how to secure sensitive data in Rails](https://ankane.org/sensitive-data-rails).
 [![Build Status](https://travis-ci.org/ankane/lockbox.svg?branch=master)](https://travis-ci.org/ankane/lockbox)
@@ -89,6 +87,16 @@ User.create!(email: "hi@example.org")
 If you need to query encrypted fields, check out [Blind Index](https://github.com/ankane/blind_index).
+#### Multiple Fields
+You can specify multiple fields in single line.
+```ruby
+class User < ApplicationRecord
+  encrypts :email, :phone, :city
+end
+```
 #### Types
 Fields are strings by default. Specify the type of a field with:
@@ -188,6 +196,14 @@ class User < ApplicationRecord
 end
 ```
+#### Decryption
+To decrypt data outside the model, use:
+```ruby
+User.decrypt_email_ciphertext(user.email_ciphertext)
+```
 ## Action Text
 **Note:** Action Text uses direct uploads for files, which cannot be encrypted with application-level encryption like Lockbox. This only encrypts the database field.
@@ -222,6 +238,10 @@ Lockbox.encrypts_action_text_body
 And drop the unencrypted column.
+#### Options
+You can pass any Lockbox options to the `encrypts_action_text_body` method.
 ## Mongoid
 Add to your model:
@@ -743,15 +763,41 @@ Make sure `decryption_key` is `nil` on servers that shouldn’t decrypt.
 This uses X25519 for key exchange and XSalsa20 for encryption.
-## Key Separation
+## Key Configuration
+Lockbox supports a few different ways to set keys for database fields and files.
+1. Master key
+2. Per field/uploader
+3. Per record
+### Master Key
-The master key is used to generate unique keys for each column. This technique comes from [CipherSweet](https://ciphersweet.paragonie.com/internals/key-hierarchy). The table name and column name are both used in this process. If you need to rename a table with encrypted columns, or an encrypted column itself, get the key:
+By default, the master key is used to generate unique keys for each field/uploader. This technique comes from [CipherSweet](https://ciphersweet.paragonie.com/internals/key-hierarchy). The table name and column/uploader name are both used in this process. You can get an individual key with:
 ```ruby
 Lockbox.attribute_key(table: "users", attribute: "email_ciphertext")
 ```
-And set it directly before renaming:
+To rename a table with encrypted columns/uploaders, use:
+```ruby
+class User < ApplicationRecord
+  encrypts :email, key_table: "original_table"
+end
+```
+To rename an encrypted column itself, use:
+```ruby
+class User < ApplicationRecord
+  encrypts :email, key_attribute: "original_column"
+end
+```
+### Per Field/Uploader
+To set a key for an individual field/uploader, use a string:
 ```ruby
 class User < ApplicationRecord
@@ -759,6 +805,28 @@ class User < ApplicationRecord
 end
 ```
+Or a proc:
+```ruby
+class User < ApplicationRecord
+  encrypts :email, key: -> { code }
+end
+```
+### Per Record
+To use a different key for each record, use a symbol:
+```ruby
+class User < ApplicationRecord
+  encrypts :email, key: :some_method
+  def some_method
+    # code to get key
+  end
+end
+```
 ## Key Management
 You can use a key management service to manage your keys with [KMS Encrypted](https://github.com/ankane/kms_encrypted).

data/lib/lockbox.rb CHANGED

@@ -19,10 +19,12 @@ require "lockbox/version"
 require "lockbox/carrier_wave_extensions" if defined?(CarrierWave)
 require "lockbox/railtie" if defined?(Rails)
-if defined?(ActiveSupport)
+if defined?(ActiveSupport::LogSubscriber)
   require "lockbox/log_subscriber"
   Lockbox::LogSubscriber.attach_to :lockbox
+end
+if defined?(ActiveSupport.on_load)
   ActiveSupport.on_load(:active_record) do
     extend Lockbox::Model
     extend Lockbox::Model::Attached

data/lib/lockbox/model.rb CHANGED

@@ -27,6 +27,11 @@ module Lockbox
       activerecord = defined?(ActiveRecord::Base) && self < ActiveRecord::Base
       raise ArgumentError, "Type not supported yet with Mongoid" if options[:type] && !activerecord
+      # TODO raise ArgumentError in 0.5.0
+      warn "[lockbox] WARNING: No attributes specified" if attributes.empty?
+      raise ArgumentError, "Cannot use key_attribute with multiple attributes" if options[:key_attribute] && attributes.size > 1
       attributes.each do |name|
         # add default options
         encrypted_attribute = "#{name}_ciphertext"

data/lib/lockbox/utils.rb CHANGED

@@ -16,7 +16,13 @@ module Lockbox
       end
       unless options[:key] || options[:encryption_key] || options[:decryption_key]
-        options[:key] = Lockbox.attribute_key(table: table, attribute: attribute, master_key: options.delete(:master_key), encode: false)
+        options[:key] =
+          Lockbox.attribute_key(
+            table: options.delete(:key_table) || table,
+            attribute: options.delete(:key_attribute) || attribute,
+            master_key: options.delete(:master_key),
+            encode: false
+          )
       end
       if options[:previous_versions].is_a?(Array)

data/lib/lockbox/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Lockbox
-  VERSION = "0.4.7"
+  VERSION = "0.4.8"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lockbox
 version: !ruby/object:Gem::Version
-  version: 0.4.7
+  version: 0.4.8
 platform: ruby
 authors:
 - Andrew Kane
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-08-19 00:00:00.000000000 Z
+date: 2020-08-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler