mongoid-encrypted-fields 1.0.0

data/.gitignore

@@ -0,0 +1,20 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+
+#Ignore IDEA directory
+/.idea

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format progress

data/.rvmrc

@@ -0,0 +1 @@
+rvm use 1.9.3@mongoid-encrypted-fields --create

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in mongoid-encrypted-fields.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2012 Koan Health
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,50 @@
+mongoid-encrypted-fields
+========================
+
+A library for storing encrypted data in Mongo using Mongoid.  We looked at a few alternatives, but wanted something that stored the values securely and unobtrusively.
+
+Mongoid 3 supports [custom types](http://mongoid.org/en/mongoid/docs/documents.html) that need to only provide a simple interface - allowing us to extend core Ruby types to secure any type while providing a clean interface for developers.
+
+Queries encrypt data before searching the database, so equality matches work automatically.
+
+## Prerequisites
+* Ruby 1.9.3
+* [Mongoid](http://mongoid.org) 3.0
+* [Encrypted-Strings](https://github.com/pluginaweek/encrypted_strings)
+
+## Install
+    gem 'mongoid-encrypted-fields'
+
+## Usage
+* Configure the cipher to be used for encrypting field values:
+    ```Ruby
+    Mongoid::EncryptedFields.cipher = Mongoid::Ciphers::SymmetricCipher.new(algorithm: 'aes-256-cbc', password: ENV['MY_PASSWORD']) # find a secure way to get your password
+    ```
+* Use encrypted types for fields in your models:
+    ```Ruby
+    class Person
+        include Mongoid::Document
+
+        field :name, type: String
+        field :ssn, type: Mongoid::EncryptedString
+    end
+    ```
+* The field getter returns the unencrypted value:
+    ```Ruby
+    person = Person.new(ssn: '123456789')
+    person.ssn # => '123456789'
+    ```
+* The encrypted value is accessible with the "encrypted" attribute
+    ```Ruby
+    person.ssn.encrypted # => <encrypted string>
+    ```
+* Finding a model by an encrypted field works automatically (equality only):
+    ```Ruby
+    Person.where(ssn: '123456789').count() # ssn is encrypted before querying the database
+    ```
+
+## Known Limitations
+* Single cipher for all encrypted fields
+
+## Copyright
+(c) 2012 Koan Health. See LICENSE.txt for further details.

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/lib/mongoid-encrypted-fields.rb

@@ -0,0 +1,23 @@
+require 'encrypted_strings'
+
+require 'mongoid-encrypted-fields/version'
+require 'mongoid-encrypted-fields/logging'
+require 'mongoid-encrypted-fields/ciphers/cipher'
+require 'mongoid-encrypted-fields/ciphers/asymmetric_cipher'
+require 'mongoid-encrypted-fields/ciphers/symmetric_cipher'
+require 'mongoid-encrypted-fields/fields/encrypted_field'
+require 'mongoid-encrypted-fields/fields/encrypted_string'
+require 'mongoid-encrypted-fields/fields/encrypted_date'
+require 'mongoid-encrypted-fields/fields/encrypted_date_time'
+require 'mongoid-encrypted-fields/fields/encrypted_time'
+
+module Mongoid
+  module EncryptedFields
+
+    class << self
+      # Set cipher used for all field encryption/decryption
+      attr_accessor :cipher
+    end
+
+  end
+end

data/lib/mongoid-encrypted-fields/ciphers/asymmetric_cipher.rb

@@ -0,0 +1,22 @@
+module Mongoid
+  module Ciphers
+    class AsymmetricCipher < Cipher
+
+      attr_reader :algorithm, :password, :public_key_file, :private_key_file
+
+      def initialize(options = {})
+        @options = options
+        @options.each { |key, value| instance_variable_set "@#{key}", value }
+      end
+
+      def encrypt(data)
+        data.encrypt(:asymmetric, @options)
+      end
+
+      def decrypt(data)
+        data.decrypt(:asymmetric, @options)
+      end
+
+    end
+  end
+end

data/lib/mongoid-encrypted-fields/ciphers/cipher.rb

@@ -0,0 +1,15 @@
+module Mongoid
+  module Ciphers
+    class Cipher
+
+      def encrypt(data)
+        raise NotImplementedError.new('encrypt must be implemented')
+      end
+
+      def decrypt(data)
+        raise NotImplementedError.new('decrypt must be implemented')
+      end
+
+    end
+  end
+end

data/lib/mongoid-encrypted-fields/ciphers/symmetric_cipher.rb

@@ -0,0 +1,22 @@
+module Mongoid
+  module Ciphers
+    class SymmetricCipher < Cipher
+
+      attr_reader :algorithm, :password
+
+      def initialize(options = { })
+        @options = options
+        @options.each { |key, value| instance_variable_set "@#{key}", value }
+      end
+
+      def encrypt(data)
+        data.encrypt(:symmetric, @options)
+      end
+
+      def decrypt(data)
+        data.decrypt(:symmetric, @options)
+      end
+
+    end
+  end
+end

data/lib/mongoid-encrypted-fields/fields/encrypted_date.rb

@@ -0,0 +1,33 @@
+#
+# Used to store an encrypted date in Mongo
+#
+# Usage:
+# field :birth_date, type: Mongoid::EncryptedDate
+#
+# Set with an unencrypted date
+# p = Person.new()
+# p.birth_date = Date.new(2000, 1, 1)
+#
+# Get returns the unencrypted date
+# puts p.birth_date -> 'Jan 1, 2000'
+#
+# Use the encrypted property to see the encrypted value
+# puts p.birth_date.encrypted -> '....'
+#
+module Mongoid
+  class EncryptedDate < ::Date
+    include Mongoid::EncryptedField
+
+    class << self
+
+      def from_date(date)
+        parse(date.to_s)
+      end
+
+      def convert(object)
+        from_date(object.to_datetime)
+      end
+
+    end
+  end
+end

data/lib/mongoid-encrypted-fields/fields/encrypted_date_time.rb

@@ -0,0 +1,33 @@
+#
+# Used to store an encrypted datetime in Mongo
+#
+# Usage:
+# field :birth_date, type: Mongoid::EncryptedDate
+#
+# Set with an unencrypted date
+# p = Person.new()
+# p.birth_date = Date.new(2000, 1, 1)
+#
+# Get returns the unencrypted date
+# puts p.birth_date -> 'Jan 1, 2000'
+#
+# Use the encrypted property to see the encrypted value
+# puts p.birth_date.encrypted -> '....'
+#
+module Mongoid
+  class EncryptedDateTime < ::DateTime
+    include Mongoid::EncryptedField
+
+    class << self
+
+      def from_datetime(d)
+        parse(d.to_s)
+      end
+
+      def convert(object)
+        from_datetime(object.to_datetime)
+      end
+
+    end
+  end
+end

data/lib/mongoid-encrypted-fields/fields/encrypted_field.rb

@@ -0,0 +1,75 @@
+require "base64"
+
+module Mongoid
+  module EncryptedField
+    extend ActiveSupport::Concern
+
+    def encrypted
+      if frozen?
+        @encrypted ||= self.class.encrypt(to_s)
+      else
+        # We are mutable - need to encrypt whenever asked
+        self.class.encrypt(to_s)
+      end
+    end
+
+    # Converts an object of this instance into a database friendly value.
+    def mongoize
+      encrypted
+    end
+
+    module ClassMethods
+
+      # Get the object as it was stored in the database, and instantiate this custom class from it.
+      def demongoize(object)
+        #EncryptedFields.logger.debug "#{name}##{__method__.to_s}: #{object.inspect}"
+        case
+          when object.is_a?(self.class) || object.blank?
+            object
+          else
+            decrypted = is_encrypted?(object) ? decrypt(object) : object
+            convert(decrypted)
+        end
+      end
+
+      # Takes any possible object and converts it to how it would be stored in the database.
+      def mongoize(object)
+        #EncryptedFields.logger.debug "#{name}##{__method__.to_s}: #{object.inspect}"
+        case
+          when object.is_a?(self.class)
+            object.mongoize
+          when object.blank? || is_encrypted?(object)
+            object
+          else
+            convert(object).mongoize
+        end
+      end
+
+      # Converts the object that was supplied to a criteria and converts it into a database friendly form.
+      alias_method :evolve, :mongoize
+
+      def convert(object)
+        raise NotImplementedError.new("convert must be implemented")
+      end
+
+      # Used to identify encrypted strings
+      MARKER = Base64.encode64('\x02`{~MeF~}`\x03').chomp
+
+      def encrypt(plaintext)
+        encrypted = EncryptedFields.cipher.encrypt(plaintext).chomp
+        MARKER + encrypted
+      end
+
+      def decrypt(encrypted)
+        unmarked = encrypted.slice(MARKER.size..-1)
+        EncryptedFields.cipher.decrypt(unmarked)
+      end
+
+      def is_encrypted?(object)
+        object.is_a?(::String) && object.start_with?(MARKER)
+      end
+
+    end
+
+  end
+end

data/lib/mongoid-encrypted-fields/fields/encrypted_string.rb

@@ -0,0 +1,30 @@
+# encoding: utf-8
+#
+# Used to store an encrypted string in Mongo
+#
+# Usage:
+# field :social_security_number, type: Mongoid::EncryptedString
+#
+# Set with an unencrypted string
+# p = Person.new()
+# p.social_security_number = '123456789'
+#
+# Get returns the unencrypted string
+# puts p.social_security_number -> '123456789'
+#
+# Use the encrypted property to see the encrypted value
+# puts p.social_security_number.encrypted -> '....'
+#
+module Mongoid
+  class EncryptedString < ::String
+    include Mongoid::EncryptedField
+
+    class << self
+
+      def convert(object)
+        new(object)
+      end
+
+    end
+  end
+end

data/lib/mongoid-encrypted-fields/fields/encrypted_time.rb

@@ -0,0 +1,33 @@
+#
+# Used to store an encrypted time in Mongo
+#
+# Usage:
+# field :birth_date, type: Mongoid::EncryptedDate
+#
+# Set with an unencrypted date
+# p = Person.new()
+# p.birth_date = Date.new(2000, 1, 1)
+#
+# Get returns the unencrypted date
+# puts p.birth_date -> 'Jan 1, 2000'
+#
+# Use the encrypted property to see the encrypted value
+# puts p.birth_date.encrypted -> '....'
+#
+module Mongoid
+  class EncryptedTime < ::Time
+    include Mongoid::EncryptedField
+
+    class << self
+
+      def from_time(time)
+        parse(time.to_s)
+      end
+
+      def convert(object)
+        from_time(object.to_time)
+      end
+
+    end
+  end
+end

data/lib/mongoid-encrypted-fields/logging.rb

@@ -0,0 +1,59 @@
+module Mongoid
+  module EncryptedFields
+    # Contains behavior for logging.
+    module Logging
+
+      # Get the logger.
+      #
+      # @example Get the logger.
+      #   Logging.logger
+      #
+      # @return [ Logger ] The logger.
+      #
+      # @since 1.0.0
+      def logger
+        return @logger if defined?(@logger)
+        @logger = rails_logger || default_logger
+      end
+
+      # Get the rails logger.
+      #
+      # @example Get the rails logger.
+      #   Logging.rails_logger
+      #
+      # @return [ Logger ] The Rails logger.
+      #
+      # @since 1.0.0
+      def rails_logger
+        defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
+      end
+
+      # Get the default logger.
+      #
+      # @example Get the default logger.
+      #   Logging.default_logger
+      #
+      # @return [ Logger ] The default logger.
+      #
+      # @since 1.0.0
+      def default_logger
+        logger = Logger.new(STDOUT)
+        logger.level = Logger::INFO
+        logger
+      end
+
+      # Set the logger.
+      #
+      # @example Set the logger.
+      #   Logging.logger = logger
+      #
+      # @return [ Logger ] The logger.
+      #
+      # @since 1.0.0
+      def logger=(logger)
+        @logger = logger
+      end
+    end
+    extend Logging
+  end
+end

data/lib/mongoid-encrypted-fields/version.rb

@@ -0,0 +1,5 @@
+module Mongoid
+  module EncryptedFields
+      VERSION = "1.0.0"
+  end
+end

data/mongoid-encrypted-fields.gemspec

@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'mongoid-encrypted-fields/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "mongoid-encrypted-fields"
+  gem.version       = Mongoid::EncryptedFields::VERSION
+  gem.authors       = ["Koan Health"]
+  gem.email         = ["development@koanhealth.com"]
+  gem.description   = "A library for storing encrypted data in Mongo"
+  gem.summary       = "Custom types for storing encrypted data"
+  gem.homepage      = "https://github.com/KoanHealth/mongoid-encrypted-fields"
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_dependency "rake"
+  gem.add_dependency "mongoid", "~> 3"
+  gem.add_dependency "encrypted_strings", "~> 0.3"
+
+  gem.add_development_dependency "rspec"
+end

data/spec/config/mongoid.yml

@@ -0,0 +1,9 @@
+test:
+  sessions:
+    default:
+      database: mongoid_encrypted_fields_test
+      hosts:
+        - localhost:27017
+      options:
+        safe: true
+        consistency: :strong

data/spec/mongoid-encrypted-fields/fields/encrypted_date_spec.rb

@@ -0,0 +1,69 @@
+require 'spec_helper'
+
+module Mongoid
+  describe EncryptedDate do
+
+    before(:all) do
+      Mongoid::EncryptedFields.cipher = Mongoid::Ciphers::SymmetricCipher.new(algorithm: 'aes-256-cbc', password: 'my test password')
+    end
+
+    subject { Mongoid::EncryptedDate }
+    let(:raw) { Date.today }
+    let(:encrypted) { Mongoid::EncryptedDate.mongoize(Date.today) }
+
+    it "returns the same date" do
+      subject.from_date(raw).should eq(raw)
+    end
+
+    it "should encrypt the date" do
+      subject.from_date(raw).encrypted.should eq(encrypted)
+    end
+
+    it "nil should fail" do
+      -> { subject.from_date(nil) }.should raise_error()
+    end
+
+    describe "demongoize" do
+
+      it "nil should return nil" do
+        subject.demongoize(nil).should be_nil
+      end
+
+      it "blank should return itself" do
+        subject.demongoize('').should eq('')
+      end
+
+      it "invalid date should fail" do
+        -> { subject.demongoize('not a date') }.should raise_error
+      end
+
+      it "encrypted date should return unencrypted date" do
+        decrypted = subject.demongoize(encrypted)
+        decrypted.is_a?(subject).should be_true
+        decrypted.should eq(raw)
+      end
+
+    end
+
+    describe "mongoize" do
+
+      it "encrypted date should return encrypted" do
+        subject.mongoize(subject.from_date(raw)).should eq(encrypted)
+      end
+
+      it "encrypted date should return itself" do
+        subject.mongoize(encrypted).should eq(encrypted)
+      end
+
+      it "nil should return nil" do
+        subject.mongoize(nil).should eq(nil)
+      end
+
+      it "non empty date should return encrypted" do
+        subject.mongoize(raw).should eq(encrypted)
+      end
+
+    end
+
+  end
+end

data/spec/mongoid-encrypted-fields/fields/encrypted_datetime_spec.rb

@@ -0,0 +1,69 @@
+require 'spec_helper'
+
+module Mongoid
+  describe EncryptedDateTime do
+
+    before(:all) do
+      Mongoid::EncryptedFields.cipher = Mongoid::Ciphers::SymmetricCipher.new(algorithm: 'aes-256-cbc', password: 'my test password')
+    end
+
+    subject { Mongoid::EncryptedDateTime }
+    let(:raw) { DateTime.new(2010, 6, 15, 1, 2, 3) }
+    let(:encrypted) { Mongoid::EncryptedDateTime.mongoize(DateTime.new(2010, 6, 15, 1, 2, 3)) }
+
+    it "returns the same datetime" do
+      subject.from_datetime(raw).should eq(raw)
+    end
+
+    it "should encrypt the datetime" do
+      subject.from_datetime(raw).encrypted.should eq(encrypted)
+    end
+
+    it "nil should fail" do
+      -> { subject.from_datetime(nil) }.should raise_error()
+    end
+
+    describe "demongoize" do
+
+      it "nil should return nil" do
+        subject.demongoize(nil).should be_nil
+      end
+
+      it "blank string should return blank string" do
+        subject.demongoize('').should eq('')
+      end
+
+      it "invalid datetime should fail" do
+        -> { subject.demongoize('not a date') }.should raise_error
+      end
+
+      it "encrypted datetime should return unencrypted datetime" do
+        decrypted = subject.demongoize(encrypted)
+        decrypted.is_a?(subject).should be_true
+        decrypted.should eq(raw)
+      end
+
+    end
+
+    describe "mongoize" do
+
+      it "encrypted datetime should return encrypted" do
+        subject.mongoize(subject.from_datetime(raw)).should eq(encrypted)
+      end
+
+      it "encrypted datetime should return itself" do
+        subject.mongoize(encrypted).should eq(encrypted)
+      end
+
+      it "nil should return nil" do
+        subject.mongoize(nil).should eq(nil)
+      end
+
+      it "valid datetime should return encrypted" do
+        subject.mongoize(raw).should eq(encrypted)
+      end
+
+    end
+
+  end
+end

data/spec/mongoid-encrypted-fields/fields/encrypted_field_spec.rb

@@ -0,0 +1,30 @@
+require 'spec_helper'
+
+module Mongoid
+  describe EncryptedField do
+
+    before(:all) do
+      Mongoid::EncryptedFields.cipher = Mongoid::Ciphers::SymmetricCipher.new(algorithm: 'aes-256-cbc', password: 'my test password')
+    end
+
+    it "should encrypt and decrypt a string" do
+      plaintext = "this is a test!"
+      encrypted = Mongoid::EncryptedString.encrypt(plaintext)
+      unencrypted = Mongoid::EncryptedString.decrypt(encrypted)
+
+      unencrypted.should eq(plaintext)
+    end
+
+    it "should be able to identify an encrypted string" do
+      plaintext = "this is a test!"
+      Mongoid::EncryptedString.is_encrypted?(plaintext).should be_false
+
+      encrypted = Mongoid::EncryptedString.encrypt(plaintext)
+      Mongoid::EncryptedString.is_encrypted?(encrypted).should be_true
+
+      unencrypted = Mongoid::EncryptedString.decrypt(encrypted)
+      Mongoid::EncryptedString.is_encrypted?(unencrypted).should be_false
+    end
+
+  end
+end

data/spec/mongoid-encrypted-fields/fields/encrypted_string_spec.rb

@@ -0,0 +1,79 @@
+require 'spec_helper'
+
+module Mongoid
+  describe EncryptedString do
+
+    before(:all) do
+      Mongoid::EncryptedFields.cipher = Mongoid::Ciphers::SymmetricCipher.new(algorithm: 'aes-256-cbc', password: 'my test password')
+    end
+
+    let(:raw) { "abc123" }
+    let(:encrypted) { Mongoid::EncryptedString.new("abc123").encrypted }
+
+    it "returns the same string" do
+      Mongoid::EncryptedString.new(raw).should eq(raw)
+    end
+
+    it "should encrypt the string" do
+      Mongoid::EncryptedString.new(raw).encrypted.should eq(encrypted)
+    end
+
+    it "nil should fail" do
+      -> { Mongoid::EncryptedString.new(nil) }.should raise_error()
+    end
+
+    it "modified string automatically encrypts after change" do
+      str = "this is a test"
+      es = Mongoid::EncryptedString.new(str)
+      es.encrypted.should eq(Mongoid::EncryptedString.encrypt(str))
+
+      es.chop!
+      es.encrypted.should eq(Mongoid::EncryptedString.encrypt(str.chop))
+    end
+
+    describe "demongoize" do
+
+      it "nil should return nil" do
+        Mongoid::EncryptedString.demongoize(nil).should be_nil
+      end
+
+      it "empty string should return empty string" do
+        Mongoid::EncryptedString.demongoize('').should eq('')
+      end
+
+      it "encrypted string should return instance of Mongoid::EncryptedString" do
+        Mongoid::EncryptedString.demongoize(encrypted).is_a?(Mongoid::EncryptedString).should be_true
+      end
+
+      it "encrypted string should return unencrypted string" do
+        Mongoid::EncryptedString.demongoize(encrypted).should eq(raw)
+      end
+
+    end
+
+    describe "mongoize" do
+
+      it "encrypted string should return encrypted" do
+        Mongoid::EncryptedString.mongoize(Mongoid::EncryptedString.new(raw)).should eq(encrypted)
+      end
+
+      it "encrypted string should return itself" do
+        Mongoid::EncryptedString.mongoize(encrypted).should eq(encrypted)
+      end
+
+      it "nil should return nil" do
+        Mongoid::EncryptedString.mongoize(nil).should eq(nil)
+      end
+
+      it "empty string should return empty string" do
+        Mongoid::EncryptedString.mongoize('').should eq('')
+      end
+
+      it "non empty string should return encrypted" do
+        Mongoid::EncryptedString.mongoize(raw).should eq(encrypted)
+      end
+
+    end
+
+  end
+end

data/spec/mongoid-encrypted-fields/fields/encrypted_time_spec.rb

@@ -0,0 +1,69 @@
+require 'spec_helper'
+
+module Mongoid
+  describe EncryptedTime do
+
+    before(:all) do
+      Mongoid::EncryptedFields.cipher = Mongoid::Ciphers::SymmetricCipher.new(algorithm: 'aes-256-cbc', password: 'my test password')
+    end
+
+    subject { Mongoid::EncryptedTime }
+    let(:raw) { Time.at(946702800) }
+    let(:encrypted) { Mongoid::EncryptedTime.mongoize(Time.at(946702800)) }
+
+    it "returns the same time" do
+      subject.from_time(raw).should eq(raw)
+    end
+
+    it "should encrypt the time" do
+      subject.from_time(raw).encrypted.should eq(encrypted)
+    end
+
+    it "nil should fail" do
+      -> { subject.from_time(nil) }.should raise_error()
+    end
+
+    describe "demongoize" do
+
+      it "nil should return nil" do
+        subject.demongoize(nil).should be_nil
+      end
+
+      it "blank should return itself" do
+        subject.demongoize('').should eq('')
+      end
+
+      it "invalid time should fail" do
+        -> { subject.demongoize('not a time') }.should raise_error
+      end
+
+      it "encrypted time should return unencrypted time" do
+        decrypted = subject.demongoize(encrypted)
+        decrypted.is_a?(subject).should be_true
+        decrypted.should eq(raw)
+      end
+
+    end
+
+    describe "mongoize" do
+
+      it "encrypted time should return encrypted" do
+        subject.mongoize(subject.from_time(raw)).should eq(encrypted)
+      end
+
+      it "encrypted time should return itself" do
+        subject.mongoize(encrypted).should eq(encrypted)
+      end
+
+      it "nil should return nil" do
+        subject.mongoize(nil).should eq(nil)
+      end
+
+      it "non empty time should return encrypted" do
+        subject.mongoize(raw).should eq(encrypted)
+      end
+
+    end
+
+  end
+end

data/spec/mongoid-encrypted-fields/fields/model_spec.rb

@@ -0,0 +1,74 @@
+require 'spec_helper'
+
+describe 'Single model' do
+
+  before(:all) do
+    Mongoid::EncryptedFields.cipher = Mongoid::Ciphers::SymmetricCipher.new(algorithm: 'aes-256-cbc', password: 'my test password')
+  end
+
+  let (:ssn) { '123456789' }
+  let (:ssn_encrypted) { Mongoid::EncryptedString.mongoize('123456789') }
+  let (:birth_date) { 20.years.ago.to_date }
+  let (:birth_date_encrypted) { Mongoid::EncryptedDate.mongoize(20.years.ago.to_date) }
+  let (:person) { Person.new(name: 'John Doe', ssn: '123456789', birth_date: 20.years.ago.to_date) }
+
+  it "model stores encrypted ssn" do
+    person.attributes['ssn'].should eq(ssn_encrypted)
+  end
+
+  it "model stores encrypted birth_date" do
+    person.attributes['birth_date'].should eq(birth_date_encrypted)
+  end
+
+  it "ssn getter returns raw value" do
+    person.ssn.should eq(ssn)
+  end
+
+  it "birth_date getter returns raw value" do
+    person.birth_date.should eq(birth_date)
+  end
+
+  describe "after save" do
+
+    before(:each) do
+      Mongoid.purge!
+      person.save!
+      @persisted = Person.find(person.id)
+    end
+
+    it "encrypted ssn is persisted" do
+      @persisted.attributes['ssn'].should eq(ssn_encrypted)
+    end
+
+    it "encrypted birth_date is persisted" do
+      @persisted.attributes['birth_date'].should eq(birth_date_encrypted)
+    end
+
+    it "encrypted ssn getter returns raw value" do
+      @persisted.ssn.should eq(ssn)
+    end
+
+    it "encrypted birth_date getter returns raw value" do
+      @persisted.birth_date.should eq(birth_date)
+    end
+
+  end
+
+  describe "find model by encrypted field" do
+
+    before(:each) do
+      Mongoid.purge!
+      person.save!
+    end
+
+    it "ssn matches equality" do
+      Person.where(ssn: ssn).count.should eq(1)
+    end
+
+    it "birth date matches equality" do
+      Person.where(birth_date: birth_date).count.should eq(1)
+    end
+
+  end
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,20 @@
+require 'rubygems'
+require 'bundler/setup'
+require 'mongoid'
+require 'encrypted_strings'
+require 'rspec'
+
+require 'mongoid-encrypted-fields'
+
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
+
+ENV['MONGOID_ENV'] ||= 'test'
+Mongoid.load!("#{File.dirname(__FILE__)}/config/mongoid.yml")
+
+Mongoid::EncryptedFields.logger.level = Logger::DEBUG
+
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+end

data/spec/support/models/person.rb

@@ -0,0 +1,8 @@
+class Person
+  include Mongoid::Document
+
+  field :name, type: String
+  field :ssn, type: Mongoid::EncryptedString
+  field :birth_date, type: Mongoid::EncryptedDate
+
+end

metadata

@@ -0,0 +1,152 @@
+--- !ruby/object:Gem::Specification
+name: mongoid-encrypted-fields
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+  prerelease: 
+platform: ruby
+authors:
+- Koan Health
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-12-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mongoid
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3'
+- !ruby/object:Gem::Dependency
+  name: encrypted_strings
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.3'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: A library for storing encrypted data in Mongo
+email:
+- development@koanhealth.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- .rvmrc
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/mongoid-encrypted-fields.rb
+- lib/mongoid-encrypted-fields/ciphers/asymmetric_cipher.rb
+- lib/mongoid-encrypted-fields/ciphers/cipher.rb
+- lib/mongoid-encrypted-fields/ciphers/symmetric_cipher.rb
+- lib/mongoid-encrypted-fields/fields/encrypted_date.rb
+- lib/mongoid-encrypted-fields/fields/encrypted_date_time.rb
+- lib/mongoid-encrypted-fields/fields/encrypted_field.rb
+- lib/mongoid-encrypted-fields/fields/encrypted_string.rb
+- lib/mongoid-encrypted-fields/fields/encrypted_time.rb
+- lib/mongoid-encrypted-fields/logging.rb
+- lib/mongoid-encrypted-fields/version.rb
+- mongoid-encrypted-fields.gemspec
+- spec/config/mongoid.yml
+- spec/mongoid-encrypted-fields/fields/encrypted_date_spec.rb
+- spec/mongoid-encrypted-fields/fields/encrypted_datetime_spec.rb
+- spec/mongoid-encrypted-fields/fields/encrypted_field_spec.rb
+- spec/mongoid-encrypted-fields/fields/encrypted_string_spec.rb
+- spec/mongoid-encrypted-fields/fields/encrypted_time_spec.rb
+- spec/mongoid-encrypted-fields/fields/model_spec.rb
+- spec/spec_helper.rb
+- spec/support/models/person.rb
+homepage: https://github.com/KoanHealth/mongoid-encrypted-fields
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 3554219364353199264
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 3554219364353199264
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: Custom types for storing encrypted data
+test_files:
+- spec/config/mongoid.yml
+- spec/mongoid-encrypted-fields/fields/encrypted_date_spec.rb
+- spec/mongoid-encrypted-fields/fields/encrypted_datetime_spec.rb
+- spec/mongoid-encrypted-fields/fields/encrypted_field_spec.rb
+- spec/mongoid-encrypted-fields/fields/encrypted_string_spec.rb
+- spec/mongoid-encrypted-fields/fields/encrypted_time_spec.rb
+- spec/mongoid-encrypted-fields/fields/model_spec.rb
+- spec/spec_helper.rb
+- spec/support/models/person.rb