powerhome-attr_encrypted 1.0.1

data/test/compatibility_test.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+# -*- encoding: utf-8 -*-
+require_relative 'test_helper'
+
+# Test to ensure that existing representations in database do not break on
+# migrating to new versions of this gem. This ensures that future versions of
+# this gem will retain backwards compatibility with data generated by earlier
+# versions.
+class CompatibilityTest < Minitest::Test
+  class NonmarshallingPet < ActiveRecord::Base
+    PET_NICKNAME_SALT = Digest::SHA256.hexdigest('my-really-really-secret-pet-nickname-salt')
+    PET_NICKNAME_KEY = 'my-really-really-secret-pet-nickname-key'
+    PET_BIRTHDATE_SALT = Digest::SHA256.hexdigest('my-really-really-secret-pet-birthdate-salt')
+    PET_BIRTHDATE_KEY = 'my-really-really-secret-pet-birthdate-key'
+
+    self.attr_encrypted_options[:mode] = :per_attribute_iv_and_salt
+    self.attr_encrypted_options[:algorithm] = 'aes-256-cbc'
+    self.attr_encrypted_options[:insecure_mode] = true
+
+    attr_encrypted :nickname,
+      :key => proc { Encryptor.encrypt(:value => PET_NICKNAME_SALT, :key => PET_NICKNAME_KEY, insecure_mode: true, algorithm: 'aes-256-cbc') }
+    attr_encrypted :birthdate,
+      :key => proc { Encryptor.encrypt(:value => PET_BIRTHDATE_SALT, :key => PET_BIRTHDATE_KEY, insecure_mode: true, algorithm: 'aes-256-cbc') }
+  end
+
+  class MarshallingPet < ActiveRecord::Base
+    PET_NICKNAME_SALT = Digest::SHA256.hexdigest('my-really-really-secret-pet-nickname-salt')
+    PET_NICKNAME_KEY = 'my-really-really-secret-pet-nickname-key'
+    PET_BIRTHDATE_SALT = Digest::SHA256.hexdigest('my-really-really-secret-pet-birthdate-salt')
+    PET_BIRTHDATE_KEY = 'my-really-really-secret-pet-birthdate-key'
+
+    self.attr_encrypted_options[:mode] = :per_attribute_iv_and_salt
+    self.attr_encrypted_options[:algorithm] = 'aes-256-cbc'
+    self.attr_encrypted_options[:insecure_mode] = true
+
+    attr_encrypted :nickname,
+      :key => proc { Encryptor.encrypt(:value => PET_NICKNAME_SALT, :key => PET_NICKNAME_KEY, insecure_mode: true, algorithm: 'aes-256-cbc') },
+      :marshal => true
+    attr_encrypted :birthdate,
+      :key => proc { Encryptor.encrypt(:value => PET_BIRTHDATE_SALT, :key => PET_BIRTHDATE_KEY, insecure_mode: true, algorithm: 'aes-256-cbc') },
+      :marshal => true
+  end
+
+  def setup
+    drop_all_tables
+    create_tables
+  end
+
+  def test_nonmarshalling_backwards_compatibility
+    pet = NonmarshallingPet.create!(
+      :name => 'Fido',
+      :encrypted_nickname => 'E4lJTxFG/EfkfPg5MpnriQ==',
+      :encrypted_nickname_iv => 'z4Q8deE4h7f6S8NNZcbPNg==',
+      :encrypted_nickname_salt => 'adcd833001a873db',
+      :encrypted_birthdate => '6uKEAiFVdJw+N5El+U6Gow==',
+      :encrypted_birthdate_iv => 'zxtc1XPssL4s2HwA69nORQ==',
+      :encrypted_birthdate_salt => '4f879270045eaad7'
+    )
+
+    assert_equal 'Fido', pet.name
+    assert_equal 'Fido the Dog', pet.nickname
+    assert_equal '2011-07-09', pet.birthdate
+  end
+
+  def test_marshalling_backwards_compatibility
+    pet = MarshallingPet.create!(
+      :name => 'Fido',
+      :encrypted_nickname => 'EsQScJYkPw80vVGvKWkE37Px99HHpXPFjoEPTNa4rbs=',
+      :encrypted_nickname_iv => 'fNq1OZcGvty4KfcvGTcFSw==',
+      :encrypted_nickname_salt => '733b459b7d34c217',
+      :encrypted_birthdate => '+VUlKQGfNWkOgCwI4hv+3qlGIwh9h6cJ/ranJlaxvU+xxQdL3H3cOzTcI2rkYkdR',
+      :encrypted_birthdate_iv => 'Ka+zF/SwEYZKwVa24lvFfA==',
+      :encrypted_birthdate_salt => 'd5e892d5bbd81566'
+    )
+
+    assert_equal 'Fido', pet.name
+    assert_equal 'Mummy\'s little helper', pet.nickname
+
+    assert_equal Date.new(2011, 7, 9), pet.birthdate
+  end
+
+  private
+
+  def create_tables
+    ActiveRecord::Schema.define(:version => 1) do
+      create_table :nonmarshalling_pets do |t|
+        t.string :name
+        t.string :encrypted_nickname
+        t.string :encrypted_nickname_iv
+        t.string :encrypted_nickname_salt
+        t.string :encrypted_birthdate
+        t.string :encrypted_birthdate_iv
+        t.string :encrypted_birthdate_salt
+      end
+      create_table :marshalling_pets do |t|
+        t.string :name
+        t.string :encrypted_nickname
+        t.string :encrypted_nickname_iv
+        t.string :encrypted_nickname_salt
+        t.string :encrypted_birthdate
+        t.string :encrypted_birthdate_iv
+        t.string :encrypted_birthdate_salt
+      end
+    end
+  end
+end
+
+ActiveRecord::Base.establish_connection :adapter => 'sqlite3', :database => ':memory:'

data/test/data_mapper_test.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require_relative 'test_helper'
+
+DataMapper.setup(:default, 'sqlite3::memory:')
+
+class Client
+  include DataMapper::Resource
+
+  property :id, Serial
+  property :encrypted_email, String
+  property :encrypted_email_iv, String
+  property :encrypted_email_salt, String
+
+  property :encrypted_credentials, Text
+  property :encrypted_credentials_iv, Text
+  property :encrypted_credentials_salt, Text
+
+  self.attr_encrypted_options[:mode] = :per_attribute_iv_and_salt
+
+  attr_encrypted :email, :key => SECRET_KEY
+  attr_encrypted :credentials, :key => SECRET_KEY, :marshal => true
+
+  def initialize(attrs = {})
+    super attrs
+    self.credentials ||= { :username => 'example', :password => 'test' }
+  end
+end
+
+DataMapper.auto_migrate!
+
+class DataMapperTest < Minitest::Test
+
+  def setup
+    Client.all.each(&:destroy)
+  end
+
+  def test_should_encrypt_email
+    @client = Client.new :email => 'test@example.com'
+    assert @client.save
+    refute_nil @client.encrypted_email
+    refute_equal @client.email, @client.encrypted_email
+    assert_equal @client.email, Client.first.email
+  end
+
+  def test_should_marshal_and_encrypt_credentials
+    @client = Client.new
+    assert @client.save
+    refute_nil @client.encrypted_credentials
+    refute_equal @client.credentials, @client.encrypted_credentials
+    assert_equal @client.credentials, Client.first.credentials
+    assert Client.first.credentials.is_a?(Hash)
+  end
+
+  def test_should_encode_by_default
+    assert Client.attr_encrypted_options[:encode]
+  end
+
+end

data/test/legacy_active_record_test.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+# -*- encoding: utf-8 -*-
+require_relative 'test_helper'
+
+ActiveRecord::Base.establish_connection :adapter => 'sqlite3', :database => ':memory:'
+
+def create_people_table
+  ActiveRecord::Schema.define(:version => 1) do
+    create_table :legacy_people do |t|
+      t.string   :encrypted_email
+      t.string   :password
+      t.string   :encrypted_credentials
+      t.string   :salt
+    end
+  end
+end
+
+# The table needs to exist before defining the class
+create_people_table
+
+ActiveRecord::MissingAttributeError = ActiveModel::MissingAttributeError unless defined?(ActiveRecord::MissingAttributeError)
+
+class LegacyPerson < ActiveRecord::Base
+  self.attr_encrypted_options[:insecure_mode] = true
+  self.attr_encrypted_options[:algorithm] = 'aes-256-cbc'
+  self.attr_encrypted_options[:mode] = :single_iv_and_salt
+
+  attr_encrypted :email, :key => 'a secret key'
+  attr_encrypted :credentials, :key => Proc.new { |user| Encryptor.encrypt(:value => user.salt, :key => 'some private key', insecure_mode: true, algorithm: 'aes-256-cbc') }, :marshal => true
+
+  ActiveSupport::Deprecation.silenced = true
+  def after_initialize; end
+  ActiveSupport::Deprecation.silenced = false
+
+  after_initialize :initialize_salt_and_credentials
+
+  protected
+
+    def initialize_salt_and_credentials
+      self.salt ||= Digest::SHA256.hexdigest((Time.now.to_i * rand(5)).to_s)
+      self.credentials ||= { :username => 'example', :password => 'test' }
+    rescue ActiveRecord::MissingAttributeError
+    end
+end
+
+class LegacyPersonWithValidation < LegacyPerson
+  validates_presence_of :email
+  validates_uniqueness_of :encrypted_email
+end
+
+class LegacyActiveRecordTest < Minitest::Test
+
+  def setup
+    drop_all_tables
+    create_people_table
+  end
+
+  def test_should_decrypt_with_correct_encoding
+    if defined?(Encoding)
+      @person = LegacyPerson.create :email => 'test@example.com'
+      assert_equal 'UTF-8', LegacyPerson.first.email.encoding.name
+    end
+  end
+
+  def test_should_encrypt_email
+    @person = LegacyPerson.create :email => 'test@example.com'
+    refute_nil @person.encrypted_email
+    refute_equal @person.email, @person.encrypted_email
+    assert_equal @person.email, LegacyPerson.first.email
+  end
+
+  def test_should_marshal_and_encrypt_credentials
+    @person = LegacyPerson.create
+    refute_nil @person.encrypted_credentials
+    refute_equal @person.credentials, @person.encrypted_credentials
+    assert_equal @person.credentials, LegacyPerson.first.credentials
+  end
+
+  def test_should_find_by_email
+    @person = LegacyPerson.create(:email => 'test@example.com')
+    assert_equal @person, LegacyPerson.find_by_email('test@example.com')
+  end
+
+  def test_should_find_by_email_and_password
+    LegacyPerson.create(:email => 'test@example.com', :password => 'invalid')
+    @person = LegacyPerson.create(:email => 'test@example.com', :password => 'test')
+    assert_equal @person, LegacyPerson.find_by_email_and_password('test@example.com', 'test')
+  end
+
+  def test_should_scope_by_email
+    @person = LegacyPerson.create(:email => 'test@example.com')
+    assert_equal @person, LegacyPerson.scoped_by_email('test@example.com').first rescue NoMethodError
+  end
+
+  def test_should_scope_by_email_and_password
+    LegacyPerson.create(:email => 'test@example.com', :password => 'invalid')
+    @person = LegacyPerson.create(:email => 'test@example.com', :password => 'test')
+    assert_equal @person, LegacyPerson.scoped_by_email_and_password('test@example.com', 'test').first rescue NoMethodError
+  end
+
+  def test_should_encode_by_default
+    assert LegacyPerson.attr_encrypted_options[:encode]
+  end
+
+  def test_should_validate_presence_of_email
+    @person = LegacyPersonWithValidation.new
+    assert !@person.valid?
+    assert !@person.errors[:email].empty? || @person.errors.on(:email)
+  end
+
+  def test_should_validate_uniqueness_of_email
+    @person = LegacyPersonWithValidation.new :email => 'test@example.com'
+    assert @person.save
+    @person2 = LegacyPersonWithValidation.new :email => @person.email
+    assert !@person2.valid?
+    assert !@person2.errors[:encrypted_email].empty? || @person2.errors.on(:encrypted_email)
+  end
+
+end

data/test/legacy_attr_encrypted_test.rb

@@ -0,0 +1,300 @@
+# frozen_string_literal: true
+
+# -*- encoding: utf-8 -*-
+require_relative 'test_helper'
+
+class LegacySillyEncryptor
+  def self.silly_encrypt(options)
+    (options[:value] + options[:some_arg]).reverse
+  end
+
+  def self.silly_decrypt(options)
+    options[:value].reverse.gsub(/#{options[:some_arg]}$/, '')
+  end
+end
+
+class LegacyUser
+  extend AttrEncrypted
+  self.attr_encrypted_options[:key] = Proc.new { |user| user.class.to_s } # default key
+  self.attr_encrypted_options[:insecure_mode] = true
+  self.attr_encrypted_options[:algorithm] = 'aes-256-cbc'
+  self.attr_encrypted_options[:mode] = :single_iv_and_salt
+
+  attr_encrypted :email, :without_encoding, :key => 'secret key'
+  attr_encrypted :password, :prefix => 'crypted_', :suffix => '_test'
+  attr_encrypted :ssn, :key => :salt, :attribute => 'ssn_encrypted'
+  attr_encrypted :credit_card, :encryptor => LegacySillyEncryptor, :encrypt_method => :silly_encrypt, :decrypt_method => :silly_decrypt, :some_arg => 'test'
+  attr_encrypted :with_encoding, :key => 'secret key', :encode => true
+  attr_encrypted :with_custom_encoding, :key => 'secret key', :encode => 'm'
+  attr_encrypted :with_marshaling, :key => 'secret key', :marshal => true
+  attr_encrypted :with_true_if, :key => 'secret key', :if => true
+  attr_encrypted :with_false_if, :key => 'secret key', :if => false
+  attr_encrypted :with_true_unless, :key => 'secret key', :unless => true
+  attr_encrypted :with_false_unless, :key => 'secret key', :unless => false
+  attr_encrypted :with_if_changed, :key => 'secret key', :if => :should_encrypt
+
+  attr_encryptor :aliased, :key => 'secret_key'
+
+  attr_accessor :salt
+  attr_accessor :should_encrypt
+
+  def initialize
+    self.salt = Time.now.to_i.to_s
+    self.should_encrypt = true
+  end
+end
+
+class LegacyAdmin < LegacyUser
+  attr_encrypted :testing
+end
+
+class LegacySomeOtherClass
+  extend AttrEncrypted
+  def self.call(object)
+    object.class
+  end
+end
+
+class LegacyAttrEncryptedTest < Minitest::Test
+
+  def test_should_store_email_in_encrypted_attributes
+    assert LegacyUser.encrypted_attributes.include?(:email)
+  end
+
+  def test_should_not_store_salt_in_encrypted_attributes
+    assert !LegacyUser.encrypted_attributes.include?(:salt)
+  end
+
+  def test_attr_encrypted_should_return_true_for_email
+    assert LegacyUser.attr_encrypted?('email')
+  end
+
+  def test_attr_encrypted_should_not_use_the_same_attribute_name_for_two_attributes_in_the_same_line
+    refute_equal LegacyUser.encrypted_attributes[:email][:attribute], LegacyUser.encrypted_attributes[:without_encoding][:attribute]
+  end
+
+  def test_attr_encrypted_should_return_false_for_salt
+    assert !LegacyUser.attr_encrypted?('salt')
+  end
+
+  def test_should_generate_an_encrypted_attribute
+    assert LegacyUser.new.respond_to?(:encrypted_email)
+  end
+
+  def test_should_generate_an_encrypted_attribute_with_a_prefix_and_suffix
+    assert LegacyUser.new.respond_to?(:crypted_password_test)
+  end
+
+  def test_should_generate_an_encrypted_attribute_with_the_attribute_option
+    assert LegacyUser.new.respond_to?(:ssn_encrypted)
+  end
+
+  def test_should_not_encrypt_nil_value
+    assert_nil LegacyUser.encrypt_email(nil)
+  end
+
+  def test_should_not_encrypt_empty_string
+    assert_equal '', LegacyUser.encrypt_email('')
+  end
+
+  def test_should_encrypt_email
+    refute_nil LegacyUser.encrypt_email('test@example.com')
+    refute_equal 'test@example.com', LegacyUser.encrypt_email('test@example.com')
+  end
+
+  def test_should_encrypt_email_when_modifying_the_attr_writer
+    @user = LegacyUser.new
+    assert_nil @user.encrypted_email
+    @user.email = 'test@example.com'
+    refute_nil @user.encrypted_email
+    assert_equal LegacyUser.encrypt_email('test@example.com'), @user.encrypted_email
+  end
+
+  def test_should_not_decrypt_nil_value
+    assert_nil LegacyUser.decrypt_email(nil)
+  end
+
+  def test_should_not_decrypt_empty_string
+    assert_equal '', LegacyUser.decrypt_email('')
+  end
+
+  def test_should_decrypt_email
+    encrypted_email = LegacyUser.encrypt_email('test@example.com')
+    refute_equal 'test@test.com', encrypted_email
+    assert_equal 'test@example.com', LegacyUser.decrypt_email(encrypted_email)
+  end
+
+  def test_should_decrypt_email_when_reading
+    @user = LegacyUser.new
+    assert_nil @user.email
+    @user.encrypted_email = LegacyUser.encrypt_email('test@example.com')
+    assert_equal 'test@example.com', @user.email
+  end
+
+  def test_should_encrypt_with_encoding
+    assert_equal LegacyUser.encrypt_with_encoding('test'), [LegacyUser.encrypt_without_encoding('test')].pack('m')
+  end
+
+  def test_should_decrypt_with_encoding
+    encrypted = LegacyUser.encrypt_with_encoding('test')
+    assert_equal 'test', LegacyUser.decrypt_with_encoding(encrypted)
+    assert_equal LegacyUser.decrypt_with_encoding(encrypted), LegacyUser.decrypt_without_encoding(encrypted.unpack('m').first)
+  end
+
+  def test_should_decrypt_utf8_with_encoding
+    encrypted = LegacyUser.encrypt_with_encoding("test\xC2\xA0utf-8\xC2\xA0text")
+    assert_equal "test\xC2\xA0utf-8\xC2\xA0text", LegacyUser.decrypt_with_encoding(encrypted)
+    assert_equal LegacyUser.decrypt_with_encoding(encrypted), LegacyUser.decrypt_without_encoding(encrypted.unpack('m').first)
+  end
+
+  def test_should_encrypt_with_custom_encoding
+    assert_equal LegacyUser.encrypt_with_custom_encoding('test'), [LegacyUser.encrypt_without_encoding('test')].pack('m')
+  end
+
+  def test_should_decrypt_with_custom_encoding
+    encrypted = LegacyUser.encrypt_with_custom_encoding('test')
+    assert_equal 'test', LegacyUser.decrypt_with_custom_encoding(encrypted)
+    assert_equal LegacyUser.decrypt_with_custom_encoding(encrypted), LegacyUser.decrypt_without_encoding(encrypted.unpack('m').first)
+  end
+
+  def test_should_encrypt_with_marshaling
+    @user = LegacyUser.new
+    @user.with_marshaling = [1, 2, 3]
+    refute_nil @user.encrypted_with_marshaling
+    assert_equal LegacyUser.encrypt_with_marshaling([1, 2, 3]), @user.encrypted_with_marshaling
+  end
+
+  def test_should_decrypt_with_marshaling
+    encrypted = LegacyUser.encrypt_with_marshaling([1, 2, 3])
+    @user = LegacyUser.new
+    assert_nil @user.with_marshaling
+    @user.encrypted_with_marshaling = encrypted
+    assert_equal [1, 2, 3], @user.with_marshaling
+  end
+
+  def test_should_use_custom_encryptor_and_crypt_method_names_and_arguments
+    assert_equal LegacySillyEncryptor.silly_encrypt(:value => 'testing', :some_arg => 'test'), LegacyUser.encrypt_credit_card('testing')
+  end
+
+  def test_should_evaluate_a_key_passed_as_a_symbol
+    @user = LegacyUser.new
+    assert_nil @user.ssn_encrypted
+    @user.ssn = 'testing'
+    refute_nil @user.ssn_encrypted
+    assert_equal Encryptor.encrypt(:value => 'testing', :key => @user.salt, insecure_mode: true, algorithm: 'aes-256-cbc'), @user.ssn_encrypted
+  end
+
+  def test_should_evaluate_a_key_passed_as_a_proc
+    @user = LegacyUser.new
+    assert_nil @user.crypted_password_test
+    @user.password = 'testing'
+    refute_nil @user.crypted_password_test
+    assert_equal Encryptor.encrypt(:value => 'testing', :key => 'LegacyUser', insecure_mode: true, algorithm: 'aes-256-cbc'), @user.crypted_password_test
+  end
+
+  def test_should_use_options_found_in_the_attr_encrypted_options_attribute
+    @user = LegacyUser.new
+    assert_nil @user.crypted_password_test
+    @user.password = 'testing'
+    refute_nil @user.crypted_password_test
+    assert_equal Encryptor.encrypt(:value => 'testing', :key => 'LegacyUser', insecure_mode: true, algorithm: 'aes-256-cbc'), @user.crypted_password_test
+  end
+
+  def test_should_inherit_encrypted_attributes
+    assert_equal [LegacyUser.encrypted_attributes.keys, :testing].flatten.collect { |key| key.to_s }.sort, LegacyAdmin.encrypted_attributes.keys.collect { |key| key.to_s }.sort
+  end
+
+  def test_should_inherit_attr_encrypted_options
+    assert !LegacyUser.attr_encrypted_options.empty?
+    assert_equal LegacyUser.attr_encrypted_options, LegacyAdmin.attr_encrypted_options
+  end
+
+  def test_should_not_inherit_unrelated_attributes
+    assert LegacySomeOtherClass.attr_encrypted_options.empty?
+    assert LegacySomeOtherClass.encrypted_attributes.empty?
+  end
+
+  def test_should_evaluate_a_symbol_option
+    assert_equal LegacySomeOtherClass, LegacySomeOtherClass.new.send(:evaluate_attr_encrypted_option, :class)
+  end
+
+  def test_should_evaluate_a_proc_option
+    assert_equal LegacySomeOtherClass, LegacySomeOtherClass.new.send(:evaluate_attr_encrypted_option, proc { |object| object.class })
+  end
+
+  def test_should_evaluate_a_lambda_option
+    assert_equal LegacySomeOtherClass, LegacySomeOtherClass.new.send(:evaluate_attr_encrypted_option, lambda { |object| object.class })
+  end
+
+  def test_should_evaluate_a_method_option
+    assert_equal LegacySomeOtherClass, LegacySomeOtherClass.new.send(:evaluate_attr_encrypted_option, LegacySomeOtherClass.method(:call))
+  end
+
+  def test_should_return_a_string_option
+    class_string = 'LegacySomeOtherClass'
+    assert_equal class_string, LegacySomeOtherClass.new.send(:evaluate_attr_encrypted_option, class_string)
+  end
+
+  def test_should_encrypt_with_true_if
+    @user = LegacyUser.new
+    assert_nil @user.encrypted_with_true_if
+    @user.with_true_if = 'testing'
+    refute_nil @user.encrypted_with_true_if
+    assert_equal Encryptor.encrypt(:value => 'testing', :key => 'secret key', insecure_mode: true, algorithm: 'aes-256-cbc'), @user.encrypted_with_true_if
+  end
+
+  def test_should_not_encrypt_with_false_if
+    @user = LegacyUser.new
+    assert_nil @user.encrypted_with_false_if
+    @user.with_false_if = 'testing'
+    refute_nil @user.encrypted_with_false_if
+    assert_equal 'testing', @user.encrypted_with_false_if
+  end
+
+  def test_should_encrypt_with_false_unless
+    @user = LegacyUser.new
+    assert_nil @user.encrypted_with_false_unless
+    @user.with_false_unless = 'testing'
+    refute_nil @user.encrypted_with_false_unless
+    assert_equal Encryptor.encrypt(:value => 'testing', :key => 'secret key', insecure_mode: true, algorithm: 'aes-256-cbc'), @user.encrypted_with_false_unless
+  end
+
+  def test_should_not_encrypt_with_true_unless
+    @user = LegacyUser.new
+    assert_nil @user.encrypted_with_true_unless
+    @user.with_true_unless = 'testing'
+    refute_nil @user.encrypted_with_true_unless
+    assert_equal 'testing', @user.encrypted_with_true_unless
+  end
+
+  def test_should_work_with_aliased_attr_encryptor
+    assert LegacyUser.encrypted_attributes.include?(:aliased)
+  end
+
+  def test_should_always_reset_options
+    @user = LegacyUser.new
+    @user.with_if_changed = "encrypt_stuff"
+
+    @user = LegacyUser.new
+    @user.should_encrypt = false
+    @user.with_if_changed = "not_encrypted_stuff"
+    assert_equal "not_encrypted_stuff", @user.with_if_changed
+    assert_equal "not_encrypted_stuff", @user.encrypted_with_if_changed
+  end
+
+  def test_should_cast_values_as_strings_before_encrypting
+    string_encrypted_email = LegacyUser.encrypt_email('3')
+    assert_equal string_encrypted_email, LegacyUser.encrypt_email(3)
+    assert_equal '3', LegacyUser.decrypt_email(string_encrypted_email)
+  end
+
+  def test_should_create_query_accessor
+    @user = LegacyUser.new
+    assert !@user.email?
+    @user.email = ''
+    assert !@user.email?
+    @user.email = 'test@example.com'
+    assert @user.email?
+  end
+
+end