lockbox 1.4.1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b4771553bf23214b514e9a4a5c94ce665d234d34969f9a3941ea68bdc6729ed4
-  data.tar.gz: a921894d4f3f43d5245a91941e06f79ea652f09c9c77ccf8dc7e442d1dbda0e5
+  metadata.gz: 15860ff6f0c444491002e98231bb32785c05d2f6f73be85e34ecb7a53ad43888
+  data.tar.gz: 026be73917780e5bea3fc7178d404d2d4a2320378f94dc98c7dca0b180e40a83
 SHA512:
-  metadata.gz: 90fef82d743a0172a61728fd9f314eca597d43820e87aeb9cb77330e4ec824919d354b81cf4c6c9c2b1c8cedcebb8916425fed5e469b24ea11b6a2e8730feb6f
-  data.tar.gz: fe874ec6aa3f563927f2ea1743d34a795468846ce74cc9e1a0467e41757721d40c8449d7093b158f63f92b8566ea578cf88e5f2b0a8caefc9facee2a8b731afa
+  metadata.gz: 5cef3979e21483caaa9a860d2e6301c29dbc6c58a44be765da92970981695eb813d09a6c0b43dbd3a53fe3b30dc48dc212436be63dcbeac303d566064095e36b
+  data.tar.gz: 9a7378720dcfb6a1a07687a42d957b3d4abfae349cbef0678a98e6b0f458d4726087c1ee69457624c13f8342ef67687232ccab25d6e2e339561e5603d98b9ea3

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 2.0.0 (2024-10-26)
+
+- Improved `attributes`, `attribute_names`, and `has_attribute?` when ciphertext attributes not loaded
+- Removed deprecated `lockbox_encrypts` (use `has_encrypted` instead)
+- Dropped support for Active Record < 7 and Ruby < 3.1
+- Dropped support for Mongoid < 8
+
 ## 1.4.1 (2024-09-09)
 
 - Fixed error message for previews for Active Storage 7.1.4

data/README.md

@@ -35,7 +35,7 @@ Set the following environment variable with your key (you can use this one in de
 LOCKBOX_MASTER_KEY=0000000000000000000000000000000000000000000000000000000000000000
 ```
 
-or add it to your credentials for each environment (`rails credentials:edit --environment <env>` for Rails 6+)
+or add it to your credentials for each environment (`rails credentials:edit --environment <env>`)
 
 ```yml
 lockbox:
@@ -1004,18 +1004,6 @@ class RemovePreviousEncryptedColumns < ActiveRecord::Migration[7.2]
 end
 ```
 
-## Upgrading
-
-### 1.0.0
-
-`encrypts` is now deprecated in favor of `has_encrypted` to avoid conflicting with Active Record encryption.
-
-```ruby
-class User < ApplicationRecord
-  has_encrypted :email
-end
-```
-
 ## History
 
 View the [changelog](https://github.com/ankane/lockbox/blob/master/CHANGELOG.md)

data/lib/generators/lockbox/audits_generator.rb

@@ -29,11 +29,7 @@ module Lockbox
       # use connection_config instead of connection.adapter
       # so database connection isn't needed
       def adapter
-        if ActiveRecord::VERSION::STRING.to_f >= 6.1
-          ActiveRecord::Base.connection_db_config.adapter.to_s
-        else
-          ActiveRecord::Base.connection_config[:adapter].to_s
-        end
+        ActiveRecord::Base.connection_db_config.adapter.to_s
       end
     end
   end

data/lib/lockbox/active_storage_extensions.rb

@@ -34,13 +34,6 @@ module Lockbox
     end
 
     module AttachedOne
-      if ActiveStorage::VERSION::MAJOR < 6
-        def attach(attachable)
-          attachable = encrypt_attachable(attachable) if encrypted?
-          super(attachable)
-        end
-      end
-
       def rotate_encryption!
         raise "Not encrypted" unless encrypted?
 
@@ -51,19 +44,6 @@ module Lockbox
     end
 
     module AttachedMany
-      if ActiveStorage::VERSION::MAJOR < 6
-        def attach(*attachables)
-          if encrypted?
-            attachables =
-              attachables.flatten.collect do |attachable|
-                encrypt_attachable(attachable)
-              end
-          end
-
-          super(attachables)
-        end
-      end
-
       def rotate_encryption!
         raise "Not encrypted" unless encrypted?
 
@@ -131,27 +111,25 @@ module Lockbox
         end
       end
 
-      if ActiveStorage::VERSION::MAJOR >= 6
-        def open(**options)
-          blob.open(**options) do |file|
-            options = Utils.encrypted_options(record, name)
-            # only trust the metadata when migrating
-            # as earlier versions of Lockbox won't have it
-            # and it's not a good practice to trust modifiable data
-            encrypted = options && (!options[:migrating] || blob.metadata["encrypted"])
-            if encrypted
-              result = Utils.decrypt_result(record, name, options, file.read)
-              file.rewind
-              # truncate may not be available on all platforms
-              # according to the Ruby docs
-              # may need to create a new temp file instead
-              file.truncate(0)
-              file.write(result)
-              file.rewind
-            end
-
-            yield file
+      def open(**options)
+        blob.open(**options) do |file|
+          options = Utils.encrypted_options(record, name)
+          # only trust the metadata when migrating
+          # as earlier versions of Lockbox won't have it
+          # and it's not a good practice to trust modifiable data
+          encrypted = options && (!options[:migrating] || blob.metadata["encrypted"])
+          if encrypted
+            result = Utils.decrypt_result(record, name, options, file.read)
+            file.rewind
+            # truncate may not be available on all platforms
+            # according to the Ruby docs
+            # may need to create a new temp file instead
+            file.truncate(0)
+            file.write(result)
+            file.rewind
           end
+
+          yield file
         end
       end
     end

data/lib/lockbox/model.rb

@@ -60,7 +60,7 @@ module Lockbox
         class_eval do
           # Lockbox uses custom inspect
           # but this could be useful for other gems
-          if activerecord && ActiveRecord::VERSION::MAJOR >= 6
+          if activerecord
             # only add virtual attribute
             # need to use regexp since strings do partial matching
             # also, need to use += instead of <<
@@ -114,12 +114,6 @@ module Lockbox
                   k = lockbox_encrypted_attributes[k]
                 elsif values.key?(k)
                   v = respond_to?(:attribute_for_inspect) ? attribute_for_inspect(k) : values[k].inspect
-
-                  # fix for https://github.com/rails/rails/issues/40725
-                  # TODO only apply to Active Record 6.0
-                  if respond_to?(:inspection_filter, true) && v != "nil"
-                    v = inspection_filter.filter_param(k, v)
-                  end
                 else
                   next
                 end
@@ -148,7 +142,40 @@ module Lockbox
                     end
                   end
                 end
-                super
+
+                # remove attributes that do not have a ciphertext attribute
+                attributes = super
+                self.class.lockbox_attributes.each do |k, lockbox_attribute|
+                  if !attributes.include?(lockbox_attribute[:encrypted_attribute].to_s)
+                    attributes.delete(k.to_s)
+                    attributes.delete(lockbox_attribute[:attribute])
+                  end
+                end
+                attributes
+              end
+
+              # remove attribute names that do not have a ciphertext attribute
+              def attribute_names
+                # hash preserves key order
+                names_set = super.to_h { |v| [v, true] }
+                self.class.lockbox_attributes.each do |k, lockbox_attribute|
+                  if !names_set.include?(lockbox_attribute[:encrypted_attribute].to_s)
+                    names_set.delete(k.to_s)
+                    names_set.delete(lockbox_attribute[:attribute])
+                  end
+                end
+                names_set.keys
+              end
+
+              # check the ciphertext attribute for encrypted attributes
+              def has_attribute?(attr_name)
+                attr_name = attr_name.to_s
+                _, lockbox_attribute = self.class.lockbox_attributes.find { |_, la| la[:attribute] == attr_name }
+                if lockbox_attribute
+                  super(lockbox_attribute[:encrypted_attribute])
+                else
+                  super
+                end
               end
 
               # needed for in-place modifications
@@ -232,71 +259,69 @@ module Lockbox
                 result
               end
 
-              if ActiveRecord::VERSION::MAJOR >= 6
-                if ActiveRecord::VERSION::STRING.to_f >= 7.2
-                  def self.insert(attributes, **options)
-                    super(lockbox_map_record_attributes(attributes), **options)
-                  end
-
-                  def self.insert!(attributes, **options)
-                    super(lockbox_map_record_attributes(attributes), **options)
-                  end
-
-                  def self.upsert(attributes, **options)
-                    super(lockbox_map_record_attributes(attributes, check_readonly: true), **options)
-                  end
+              if ActiveRecord::VERSION::STRING.to_f >= 7.2
+                def self.insert(attributes, **options)
+                  super(lockbox_map_record_attributes(attributes), **options)
                 end
 
-                def self.insert_all(attributes, **options)
-                  super(lockbox_map_attributes(attributes), **options)
+                def self.insert!(attributes, **options)
+                  super(lockbox_map_record_attributes(attributes), **options)
                 end
 
-                def self.insert_all!(attributes, **options)
-                  super(lockbox_map_attributes(attributes), **options)
+                def self.upsert(attributes, **options)
+                  super(lockbox_map_record_attributes(attributes, check_readonly: true), **options)
                 end
+              end
 
-                def self.upsert_all(attributes, **options)
-                  super(lockbox_map_attributes(attributes, check_readonly: true), **options)
-                end
+              def self.insert_all(attributes, **options)
+                super(lockbox_map_attributes(attributes), **options)
+              end
 
-                # private
-                # does not try to handle :returning option for simplicity
-                def self.lockbox_map_attributes(records, check_readonly: false)
-                  return records unless records.is_a?(Array)
+              def self.insert_all!(attributes, **options)
+                super(lockbox_map_attributes(attributes), **options)
+              end
 
-                  records.map do |attributes|
-                    lockbox_map_record_attributes(attributes, check_readonly: false)
-                  end
-                end
+              def self.upsert_all(attributes, **options)
+                super(lockbox_map_attributes(attributes, check_readonly: true), **options)
+              end
 
-                # private
-                def self.lockbox_map_record_attributes(attributes, check_readonly: false)
-                  return attributes unless attributes.is_a?(Hash)
+              # private
+              # does not try to handle :returning option for simplicity
+              def self.lockbox_map_attributes(records, check_readonly: false)
+                return records unless records.is_a?(Array)
 
-                  # transform keys like Active Record
-                  attributes = attributes.transform_keys do |key|
-                    n = key.to_s
-                    attribute_aliases[n] || n
-                  end
+                records.map do |attributes|
+                  lockbox_map_record_attributes(attributes, check_readonly: false)
+                end
+              end
 
-                  lockbox_attributes = self.lockbox_attributes.slice(*attributes.keys.map(&:to_sym))
-                  lockbox_attributes.each do |key, lockbox_attribute|
-                    attribute = key.to_s
-                    # check read only
-                    # users should mark both plaintext and ciphertext columns
-                    if check_readonly && readonly_attributes.include?(attribute) && !readonly_attributes.include?(lockbox_attribute[:encrypted_attribute].to_s)
-                      warn "[lockbox] WARNING: Mark attribute as readonly: #{lockbox_attribute[:encrypted_attribute]}"
-                    end
+              # private
+              def self.lockbox_map_record_attributes(attributes, check_readonly: false)
+                return attributes unless attributes.is_a?(Hash)
 
-                    message = attributes[attribute]
-                    attributes.delete(attribute) unless lockbox_attribute[:migrating]
-                    encrypted_attribute = lockbox_attribute[:encrypted_attribute]
-                    ciphertext = send("generate_#{encrypted_attribute}", message)
-                    attributes[encrypted_attribute] = ciphertext
+                # transform keys like Active Record
+                attributes = attributes.transform_keys do |key|
+                  n = key.to_s
+                  attribute_aliases[n] || n
+                end
+
+                lockbox_attributes = self.lockbox_attributes.slice(*attributes.keys.map(&:to_sym))
+                lockbox_attributes.each do |key, lockbox_attribute|
+                  attribute = key.to_s
+                  # check read only
+                  # users should mark both plaintext and ciphertext columns
+                  if check_readonly && readonly_attributes.include?(attribute) && !readonly_attributes.include?(lockbox_attribute[:encrypted_attribute].to_s)
+                    warn "[lockbox] WARNING: Mark attribute as readonly: #{lockbox_attribute[:encrypted_attribute]}"
                   end
 
-                  attributes
+                  message = attributes[attribute]
+                  attributes.delete(attribute) unless lockbox_attribute[:migrating]
+                  encrypted_attribute = lockbox_attribute[:encrypted_attribute]
+                  ciphertext = send("generate_#{encrypted_attribute}", message)
+                  attributes[encrypted_attribute] = ciphertext
                 end
+
+                attributes
               end
             else
               def reload
@@ -327,13 +352,8 @@ module Lockbox
             elsif attributes_to_define_after_schema_loads.key?(name.to_s)
               opt = attributes_to_define_after_schema_loads[name.to_s][1]
 
-              has_default =
-                if ActiveRecord::VERSION::MAJOR >= 7
-                  # not ideal, since NO_DEFAULT_PROVIDED is private
-                  opt != ActiveRecord::Attributes::ClassMethods.const_get(:NO_DEFAULT_PROVIDED)
-                else
-                  opt.is_a?(Hash) && opt.key?(:default)
-                end
+              # not ideal, since NO_DEFAULT_PROVIDED is private
+              has_default = opt != ActiveRecord::Attributes::ClassMethods.const_get(:NO_DEFAULT_PROVIDED)
 
               if has_default
                 warn "[lockbox] WARNING: attributes with `:default` option are not supported. Use `after_initialize` instead."
@@ -408,21 +428,14 @@ module Lockbox
               else
                 attribute name, :string
               end
-            else
+            elsif attributes_to_define_after_schema_loads[name.to_s].first.is_a?(Proc)
               # hack for Active Record 6.1+ to set string type after serialize
               # otherwise, type gets set to ActiveModel::Type::Value
               # which always returns false for changed_in_place?
               # earlier versions of Active Record take the previous code path
-              if ActiveRecord::VERSION::STRING.to_f >= 7.0 && attributes_to_define_after_schema_loads[name.to_s].first.is_a?(Proc)
-                attribute_type = attributes_to_define_after_schema_loads[name.to_s].first.call(nil)
-                if attribute_type.is_a?(ActiveRecord::Type::Serialized) && attribute_type.subtype.nil?
-                  attribute name, ActiveRecord::Type::Serialized.new(ActiveRecord::Type::String.new, attribute_type.coder)
-                end
-              elsif ActiveRecord::VERSION::STRING.to_f >= 6.1 && attributes_to_define_after_schema_loads[name.to_s].first.is_a?(Proc)
-                attribute_type = attributes_to_define_after_schema_loads[name.to_s].first.call
-                if attribute_type.is_a?(ActiveRecord::Type::Serialized) && attribute_type.subtype.nil?
-                  attribute name, ActiveRecord::Type::Serialized.new(ActiveRecord::Type::String.new, attribute_type.coder)
-                end
+              attribute_type = attributes_to_define_after_schema_loads[name.to_s].first.call(nil)
+              if attribute_type.is_a?(ActiveRecord::Type::Serialized) && attribute_type.subtype.nil?
+                attribute name, ActiveRecord::Type::Serialized.new(ActiveRecord::Type::String.new, attribute_type.coder)
               end
             end
 
@@ -581,7 +594,6 @@ module Lockbox
               case options[:type]
               when :boolean
                 message = ActiveRecord::Type::Boolean.new.serialize(message)
-                message = nil if message == "" # for Active Record < 5.2
                 message = message ? "t" : "f" unless message.nil?
               when :date
                 message = ActiveRecord::Type::Date.new.serialize(message)
@@ -589,7 +601,6 @@ module Lockbox
                 message = message.strftime("%Y-%m-%d") unless message.nil?
               when :datetime
                 message = ActiveRecord::Type::DateTime.new.serialize(message)
-                message = nil unless message.respond_to?(:iso8601) # for Active Record < 5.2
                 message = message.iso8601(9) unless message.nil?
               when :time
                 message = ActiveRecord::Type::Time.new.serialize(message)
@@ -606,14 +617,7 @@ module Lockbox
                 # double precision, big endian
                 message = [message].pack("G") unless message.nil?
               when :decimal
-                message =
-                  if ActiveRecord::VERSION::MAJOR >= 6
-                    ActiveRecord::Type::Decimal.new.serialize(message)
-                  else
-                    # issue with serialize in Active Record < 6
-                    # https://github.com/rails/rails/commit/a741208f80dd33420a56486bd9ed2b0b9862234a
-                    ActiveRecord::Type::Decimal.new.cast(message)
-                  end
+                message = ActiveRecord::Type::Decimal.new.serialize(message)
                 # Postgres stores 4 decimal digits in 2 bytes
                 # plus 3 to 8 bytes of overhead
                 # but use string for simplicity
@@ -716,12 +720,6 @@ module Lockbox
       end
     end
 
-    def lockbox_encrypts(*attributes, **options)
-      deprecator = ActiveSupport::VERSION::STRING.to_f >= 7.2 ? ActiveSupport.deprecator : ActiveSupport::Deprecation
-      deprecator.warn("`#{__callee__}` is deprecated in favor of `has_encrypted`")
-      has_encrypted(*attributes, **options)
-    end
-
     module Attached
       def encrypts_attached(*attributes, **options)
         attributes.each do |name|

data/lib/lockbox/railtie.rb

@@ -12,32 +12,15 @@ module Lockbox
         require "lockbox/active_storage_extensions"
 
         ActiveStorage::Attached.prepend(Lockbox::ActiveStorageExtensions::Attached)
-        if ActiveStorage::VERSION::MAJOR >= 6
-          ActiveStorage::Attached::Changes::CreateOne.prepend(Lockbox::ActiveStorageExtensions::CreateOne)
-        end
+        ActiveStorage::Attached::Changes::CreateOne.prepend(Lockbox::ActiveStorageExtensions::CreateOne)
         ActiveStorage::Attached::One.prepend(Lockbox::ActiveStorageExtensions::AttachedOne)
         ActiveStorage::Attached::Many.prepend(Lockbox::ActiveStorageExtensions::AttachedMany)
 
-        # use load hooks when possible
-        if ActiveStorage::VERSION::MAJOR >= 7
-          ActiveSupport.on_load(:active_storage_attachment) do
-            prepend Lockbox::ActiveStorageExtensions::Attachment
-          end
-          ActiveSupport.on_load(:active_storage_blob) do
-            prepend Lockbox::ActiveStorageExtensions::Blob
-          end
-        elsif ActiveStorage::VERSION::MAJOR >= 6
-          ActiveSupport.on_load(:active_storage_attachment) do
-            include Lockbox::ActiveStorageExtensions::Attachment
-          end
-          ActiveSupport.on_load(:active_storage_blob) do
-            prepend Lockbox::ActiveStorageExtensions::Blob
-          end
-        else
-          app.config.to_prepare do
-            ActiveStorage::Attachment.include(Lockbox::ActiveStorageExtensions::Attachment)
-            ActiveStorage::Blob.prepend(Lockbox::ActiveStorageExtensions::Blob)
-          end
+        ActiveSupport.on_load(:active_storage_attachment) do
+          prepend Lockbox::ActiveStorageExtensions::Attachment
+        end
+        ActiveSupport.on_load(:active_storage_blob) do
+          prepend Lockbox::ActiveStorageExtensions::Blob
         end
       end
     end

data/lib/lockbox/version.rb

@@ -1,3 +1,3 @@
 module Lockbox
-  VERSION = "1.4.1"
+  VERSION = "2.0.0"
 end

data/lib/lockbox.rb

@@ -99,8 +99,10 @@ end
 if defined?(ActiveSupport.on_load)
   ActiveSupport.on_load(:active_record) do
     ar_version = ActiveRecord::VERSION::STRING.to_f
-    if ar_version < 5.2
-      if ar_version >= 5
+    if ar_version < 7
+      if ar_version >= 5.2
+        raise Lockbox::Error, "Active Record #{ActiveRecord::VERSION::STRING} requires Lockbox < 2"
+      elsif ar_version >= 5
         raise Lockbox::Error, "Active Record #{ActiveRecord::VERSION::STRING} requires Lockbox < 0.7"
       else
         raise Lockbox::Error, "Active Record #{ActiveRecord::VERSION::STRING} not supported"
@@ -109,12 +111,19 @@ if defined?(ActiveSupport.on_load)
 
     extend Lockbox::Model
     extend Lockbox::Model::Attached
-    singleton_class.alias_method(:encrypts, :lockbox_encrypts) if ActiveRecord::VERSION::MAJOR < 7
     ActiveRecord::Relation.prepend Lockbox::Calculations
   end
 
   ActiveSupport.on_load(:mongoid) do
+    mongoid_version = Mongoid::VERSION.to_i
+    if mongoid_version < 8
+      if mongoid_version >= 6
+        raise Lockbox::Error, "Mongoid #{Mongoid::VERSION} requires Lockbox < 2"
+      else
+        raise Lockbox::Error, "Mongoid #{Mongoid::VERSION} not supported"
+      end
+    end
+
     Mongoid::Document::ClassMethods.include(Lockbox::Model)
-    Mongoid::Document::ClassMethods.alias_method(:encrypts, :lockbox_encrypts)
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lockbox
 version: !ruby/object:Gem::Version
-  version: 1.4.1
+  version: 2.0.0
 platform: ruby
 authors:
 - Andrew Kane
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-09-09 00:00:00.000000000 Z
+date: 2024-10-27 00:00:00.000000000 Z
 dependencies: []
 description:
 email: andrew@ankane.org
@@ -51,7 +51,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.6'
+      version: '3.1'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="