rails-panda-sensitive-data 3.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: d553ba5052f74136215c8702a875806544e112cdb010d819d485ee0788d10ab5
+  data.tar.gz: bc7a5fdb96003b1db4b913a4d1aecff11c85f41f9216612e267d44ab498d364b
+SHA512:
+  metadata.gz: d37df001f8e66168694da9b8984f05794acd1fd1e25e051b62db95262463fe3b3e98d846ee40de22844cba199eba1e8991d8d1d3c7a7979fc29cf066f91887a9
+  data.tar.gz: 4228dec6ceea4da6fca90014248c1868ac1e2f895f8d9570a383d5321145915c51d40664d21cd6b98aa7d0e8a06368227316a4c3fbc4c86ee0248232e439cd18

data/CHANGELOG.md

@@ -0,0 +1,108 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [3.0.0] - 2025-11-26
+
+### Added
+- Comprehensive RSpec test suite
+- SimpleCov integration for test coverage tracking
+- `nil_visible_in_db` option to control whether nil values are visible in the database or encrypted
+- `whitespace_visible_in_db` option to control whether whitespace-only strings are visible in the database or encrypted
+- `rails_default` option to `encrypts` to bypass custom logic and use Rails' standard behavior
+- Full dirty tracking support for `has_sensitive_data` attributes:
+  - `#{field}_changed?` - Check if field has changed but not saved
+  - `#{field}_in_database` - Get value currently in database
+  - `#{field}_before_last_save` - Get value before last save
+  - `saved_change_to_#{field}?` - Check if field changed in last save
+  - `saved_change_to_#{field}` - Get `[before, after]` array of last save change
+  - `will_save_change_to_#{field}?` - Check if field will change on next save
+  - `#{field}_change_to_be_saved` - Get `[current_db_value, new_value]` array of pending changes
+- Auto-inclusion of module in all ActiveRecord::Base models via `ActiveSupport.on_load`
+- ArgumentError raised when `encrypts` or `has_sensitive_data` are called without attributes
+
+### Changed
+- Module is now automatically included in all ActiveRecord::Base models (no manual inclusion needed)
+- Removed custom `KeyProvider` and `Key` classes - now uses Rails' default key management
+- Renamed `store_nil_as_empty_string` to `nil_visible_in_db` for clarity
+- `empty_string_visible_in_db` now defaults to `true` (was `false` in previous versions)
+- `nil_visible_in_db` now defaults to `true` (nil values stored as nil, not encrypted)
+- Improved code safety and type checking in Encryptor
+- All dirty tracking methods match Rails' standard behavior exactly
+- Improved `attribute_before_last_save` implementation to use Rails' built-in `attribute_before_last_save` method instead of manual method calls
+- Improved `saved_change_to_attribute?` to correctly handle `nil` values (returns `false` when `before_last_save` is `nil` after reload, matching Rails' behavior)
+
+### Fixed
+- Fixed Encryptor to properly pass options to parent class methods
+- Fixed type checking for empty string handling in Encryptor
+
+## [2.0.6] - 2025-10-06
+
+### Changed
+- Fixed loading issues - gem now loads correctly
+- Added frozen string literal comments to all files
+
+### Fixed
+- Fixed module loading and initialization issues
+
+## [2.0.5] - 2025-10-05
+
+### Changed
+- Removed a useless module
+
+## [2.0.4] - 2023-10-10
+
+### Changed
+- Various improvements and bug fixes
+
+## [2.0.2] - 2023-10-08
+
+### Changed
+- Various improvements and bug fixes
+
+## [2.0.1] - 2023-10-06
+
+### Changed
+- Various improvements and bug fixes
+
+## [2.0.0] - 2023-03-18
+
+### Changed
+- Removed `attr_encrypted` dependency
+- Migrated to use ActiveRecord::Encryption (Rails 7.0+)
+- Major refactoring to use Rails' built-in encryption framework
+
+## [1.0.2] - 2023-03-11
+
+### Changed
+- Various improvements and bug fixes
+
+## [1.0.1] - 2022-03-23
+
+### Changed
+- Various improvements and bug fixes
+
+## [1.0.0] - 2018-02-20
+
+### Added
+- Initial release
+- Module to handle encryption for GDPR compliance
+- Support for encrypting sensitive data in ActiveRecord models
+- Support for storing multiple sensitive fields in a single encrypted attribute
+
+[Unreleased]: https://github.com/bigbadpanda-tech/rails-panda-sensitive-data/compare/v3.0.0...HEAD
+[3.0.0]: https://github.com/bigbadpanda-tech/rails-panda-sensitive-data/compare/v2.0.6...v3.0.0
+[2.0.6]: https://github.com/bigbadpanda-tech/rails-panda-sensitive-data/compare/v2.0.5...v2.0.6
+[2.0.5]: https://github.com/bigbadpanda-tech/rails-panda-sensitive-data/compare/v2.0.4...v2.0.5
+[2.0.4]: https://github.com/bigbadpanda-tech/rails-panda-sensitive-data/compare/v2.0.2...v2.0.4
+[2.0.2]: https://github.com/bigbadpanda-tech/rails-panda-sensitive-data/compare/v2.0.1...v2.0.2
+[2.0.1]: https://github.com/bigbadpanda-tech/rails-panda-sensitive-data/compare/v2.0.0...v2.0.1
+[2.0.0]: https://github.com/bigbadpanda-tech/rails-panda-sensitive-data/compare/v1.0.2...v2.0.0
+[1.0.2]: https://github.com/bigbadpanda-tech/rails-panda-sensitive-data/compare/v1.0.1...v1.0.2
+[1.0.1]: https://github.com/bigbadpanda-tech/rails-panda-sensitive-data/compare/v1.0.0...v1.0.1
+[1.0.0]: https://github.com/bigbadpanda-tech/rails-panda-sensitive-data/releases/tag/v1.0.0

data/Gemfile

@@ -0,0 +1,3 @@
+source "https://rubygems.org"
+
+gemspec

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright 2015 bigbadpanda.com
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,248 @@
+# Rails Panda Sensitive Data
+
+A Rails gem that provides enhanced encryption capabilities for handling (and encrypting) sensitive data in ActiveRecord models.
+
+## Features
+
+- **Enhanced ActiveRecord encryption** - Extends Rails' built-in `encrypts` method with additional options
+- **Multiple sensitive fields in one attribute** - Store multiple sensitive data fields in a single encrypted attribute using `has_sensitive_data`
+- **Customizable empty string handling** - Control whether empty strings are visible in the database or encrypted
+- **Nil value handling** - Option to control whether nil values are visible in the database or encrypted
+- **Whitespace-only string handling** - Option to store whitespace-only strings as-is (space-saving for non-PII data)
+- **Full dirty tracking support** - Complete ActiveRecord dirty tracking methods for sensitive data fields
+- **Auto-inclusion** - Automatically included in all ActiveRecord::Base models
+- **Rails 7.0+ compatible** - Built on top of ActiveRecord::Encryption
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem "rails-panda-sensitive-data"
+```
+
+And then execute:
+
+```bash
+$ bundle install
+```
+
+## Requirements
+
+- Ruby >= 3.2
+- Rails >= 7.0 (required for ActiveRecord::Encryption support)
+- ActiveRecord::Encryption must be configured in your Rails application
+
+## Configuration
+
+### ActiveRecord::Encryption Setup
+
+First, configure ActiveRecord::Encryption in your Rails application:
+
+```ruby
+# config/application.rb
+config.active_record.encryption.primary_key = "your-primary-key-here"
+config.active_record.encryption.deterministic_key = "your-deterministic-key-here"
+config.active_record.encryption.key_derivation_salt = "your-key-derivation-salt-here"
+```
+
+I don't mention including this in `config/initializers/active_record_encryption.rb` because I've often run into problems with this approach. Namely that ActiveRecord was already initialized (read: had fetched these encryption keys) by the time the initializers started running.
+
+## Usage
+
+### Basic Setup
+
+The module is automatically included in all ActiveRecord::Base models. No manual inclusion needed!
+
+### Using `encrypts`
+
+The `encrypts` method works like Rails' built-in method but with additional options:
+
+```ruby
+class User < ApplicationRecord
+  encrypts :email
+  encrypts :phone_number
+end
+```
+
+#### Options
+
+- `nil_visible_in_db` (default: `true`) - If `true`, nil values are stored as nil in the database (saves space, but visible). If `false`, nil values are encrypted using a sentinel value (`\0`) to distinguish them from encrypted empty strings.
+- `empty_string_visible_in_db` (default: `true`) - If `true`, empty strings are stored as empty strings in the database (saves space, but visible). If `false`, they are encrypted.
+- `whitespace_visible_in_db` (default: `true`) - If `true`, whitespace-only strings (e.g., "   ", "\t\n") are stored as-is in the database (saves space, no PII). If `false`, they are encrypted.
+- `rails_default` (default: `false`) - If `true`, bypasses all custom logic and uses Rails' standard `encrypts` behavior.
+- `encryptor` - Custom encryptor instance (if provided, custom encryptor won't be created automatically)
+- All standard Rails `encrypts` options are also supported (e.g., `deterministic`, `key_provider`, etc.)
+
+**Example:**
+
+```ruby
+class User < ApplicationRecord
+  # Encrypt empty strings instead of storing them as-is
+  encrypts :email, empty_string_visible_in_db: false
+
+  # Encrypt nil values instead of storing them as nil
+  encrypts :phone_number, nil_visible_in_db: false
+
+  # Encrypt whitespace-only strings
+  encrypts :notes, whitespace_visible_in_db: false
+
+  # Use Rails' standard behavior (bypass custom logic)
+  encrypts :backup_email, rails_default: true
+end
+```
+
+**Trade-offs:**
+
+- **Visible in DB (`true`)**: Saves space, faster queries, but values are visible in the database
+- **Encrypted (`false`)**: More secure, but takes more space. Note: Encrypted empty/nil values can still be inferred from their shorter encrypted blob size.
+
+### Using `has_sensitive_data`
+
+Store multiple sensitive data fields in a single encrypted attribute:
+
+```ruby
+class User < ApplicationRecord
+  has_sensitive_data :ssn, :credit_card, :bank_account
+end
+```
+
+This will:
+- Store all fields in a single `sensitive_data` encrypted attribute
+- Provide accessor methods for each field (`ssn`, `credit_card`, `bank_account`)
+- Automatically encrypt/decrypt the entire hash
+
+**Example:**
+
+```ruby
+user = User.new
+user.ssn = "123-45-6789"
+user.credit_card = "4111-1111-1111-1111"
+user.bank_account = "1234567890"
+user.save!
+
+# Reading values
+user.ssn # => "123-45-6789"
+user.credit_card # => "4111-1111-1111-1111"
+
+# The sensitive_data attribute is encrypted
+user.read_attribute(:sensitive_data) # => encrypted value, not plain hash
+```
+
+#### Options
+
+- `in` (default: `:sensitive_data`) - The attribute name to store the encrypted hash
+- All options from `encrypts` are also supported
+
+**Example with custom attribute name:**
+
+```ruby
+class User < ApplicationRecord
+  has_sensitive_data :ssn, :credit_card, in: :encrypted_pii
+end
+```
+
+### Change Tracking
+
+The gem provides change tracking methods for sensitive data fields:
+
+```ruby
+user = User.new
+user.ssn = "123-45-6789"
+user.save!
+
+user.ssn = "999-99-9999"
+user.ssn_changed? # => true
+user.ssn_in_database # => "123-45-6789"
+
+user.save!
+user.saved_change_to_ssn? # => true
+user.ssn_before_last_save # => "123-45-6789"
+```
+
+Available methods (matching Rails' standard dirty tracking API):
+- `#{field}_changed?` - Returns true if the field has been changed but not saved
+- `#{field}_in_database` - Returns the value currently stored in the database
+- `#{field}_before_last_save` - Returns the value before the last save (nil until after a save, and nil after reload)
+- `saved_change_to_#{field}?` - Returns true if the field was changed in the last save
+- `saved_change_to_#{field}` - Returns `[before, after]` array if changed, or `nil`
+- `will_save_change_to_#{field}?` - Returns true if the field will change on the next save
+- `#{field}_change_to_be_saved` - Returns `[current_db_value, new_value]` array if there are pending changes, or `nil`
+
+### Combining `encrypts` and `has_sensitive_data`
+
+You can use both methods in the same model:
+
+```ruby
+class User < ApplicationRecord
+  encrypts :email
+  has_sensitive_data :ssn, :credit_card
+end
+```
+
+## Advanced Usage
+
+### Custom Encryptor
+
+```ruby
+custom_encryptor = RailsPanda::SensitiveData::Encryption::Encryptor.new(
+  empty_string_visible_in_db: false,
+  nil_visible_in_db: false,
+  whitespace_visible_in_db: false
+)
+
+class User < ApplicationRecord
+  encrypts :email, encryptor: custom_encryptor
+end
+```
+
+**Note:** If you provide a custom `encryptor`, the gem will not automatically create a custom encryptor based on the visibility options. The provided encryptor will be used as-is.
+
+### Key Management
+
+The gem uses Rails' default key provider from your ActiveRecord::Encryption configuration. This supports deterministic encryption and follows Rails' standard key management practices. You can also provide a custom key provider if needed:
+
+```ruby
+# Uses Rails' default key provider (recommended)
+class User < ApplicationRecord
+  encrypts :email
+end
+
+# Or provide a custom key provider
+custom_key_provider = ActiveRecord::Encryption::KeyProvider.new(primary_key: "your-key")
+
+class User < ApplicationRecord
+  encrypts :email, key_provider: custom_key_provider
+end
+```
+
+## How It Works
+
+### `encrypts`
+
+This method extends Rails' built-in `encrypts` method with additional options for handling nil values, empty strings, and whitespace-only strings. It uses a custom `Encryptor` that wraps `ActiveRecord::Encryption::Encryptor` and provides space-saving options for non-sensitive values.
+
+The custom encryptor is automatically created when visibility options are set to their default values (`true`). You can bypass custom logic entirely by passing `rails_default: true`.
+
+### `has_sensitive_data`
+
+This method:
+1. Serializes multiple fields into a single Hash using YAML
+2. Encrypts the entire Hash using `encrypts`
+3. Provides accessor methods for each field
+4. Handles nil values by removing them from the hash
+5. Provides full dirty tracking support matching Rails' standard API
+
+The encrypted hash is stored in a single database column, reducing the number of encrypted columns needed. All dirty tracking methods work exactly like Rails' built-in methods for regular attributes.
+
+## Development
+
+After checking out the repo, run `bundle install` to install dependencies. Then, run `bundle exec rspec` to run the tests.
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/bigbadpanda-tech/rails-panda-sensitive-data.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](LICENSE).

data/lib/rails/panda/sensitive/data.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require "rails_panda_sensitive_data"

data/lib/rails_panda_sensitive_data/config.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module RailsPanda
+  module SensitiveData
+    class Config # rubocop:disable Lint/EmptyClass
+    end
+
+    class << self
+      def configure
+        yield config
+      end
+
+      def config
+        @config ||= Config.new
+      end
+    end
+  end
+end

data/lib/rails_panda_sensitive_data/encryption/active_record__encrypted_attribute_type.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+# :nocov:
+# We do not collect coverage for this file because the coverage tool cannot correctly analyze the coverage in this file, due to the way these methods are (re)implemented.
+
+module ActiveRecord
+  module Encryption
+    class EncryptedAttributeType
+      alias_method :deserialize_original, :deserialize
+      alias_method :serialize_with_current_original, :serialize_with_current
+
+      # Override deserialize to ensure our custom decryptor converts the sentinel back to nil
+      def deserialize(value)
+        deserialize_original(value).then do |result|
+          # Check special values
+          if result == RailsPanda::SensitiveData::Encryption::Encryptor::NIL_SENTINEL
+            rails_panda_encryptor&.then do |enc|
+              return nil if !enc.instance_variable_get(:@nil_visible_in_db)
+            end
+          end
+          result
+        end
+      end
+
+      private
+
+      # Override serialize_with_current to handle nil values when nil_visible_in_db is false
+      # Rails' EncryptedAttributeType checks for nil before calling encrypt, so we need to convert nil to our sentinel value before Rails processes it
+      def serialize_with_current(value)
+        if value.nil?
+          rails_panda_encryptor&.then do |enc|
+            return nil if enc.instance_variable_get(:@nil_visible_in_db)
+
+            # Convert nil to sentinel value and encrypt it directly
+            # We need to encrypt it ourselves because Rails' serialize_with_current might store single-byte values directly without encryption
+            # Get the key_provider from the scheme or use the default
+            key_provider = scheme&.key_provider
+            key_provider ||= scheme&.instance_variable_get(:@key_provider_param)
+            key_provider ||= ActiveRecord::Encryption.config.then do |config|
+              config.is_a?(ActiveRecord::Encryption::KeyProvider) ? config : nil
+            end
+
+            encrypted_sentinel = enc.encrypt(
+              RailsPanda::SensitiveData::Encryption::Encryptor::NIL_SENTINEL,
+              key_provider: key_provider
+            )
+            return encrypted_sentinel
+          end
+        end
+
+        serialize_with_current_original(value)
+      end
+
+      def rails_panda_encryptor
+        scheme&.instance_variable_get(:@context_properties)&.then do |props|
+          if props.is_a?(Hash)
+            # Get the encryptor from the scheme's context_properties
+            enc = props[:encryptor]
+            enc.is_a?(RailsPanda::SensitiveData::Encryption::Encryptor) ? enc : nil
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rails_panda_sensitive_data/encryption/encryptor.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+module RailsPanda
+  module SensitiveData
+    module Encryption
+      class Encryptor < ::ActiveRecord::Encryption::Encryptor
+        # Sentinel value to distinguish encrypted nil from encrypted empty string.
+        # When nil_visible_in_db is false, we encrypt nil using this sentinel value (\0) instead of an empty string, allowing us to distinguish between encrypted nil and encrypted empty string during decryption.
+        NIL_SENTINEL = "\0"
+
+        # Custom encryptor that provides control over how nil, empty strings, and whitespace-only strings are stored.
+        #
+        # @param nil_visible_in_db [Boolean] When true (default), stores nil as nil in the database.
+        #   This saves space and allows nil values to be queried directly, but makes them visible.
+        #   When false, encrypts nil using a sentinel value. This hides nil values but takes more space.
+        #   Note: Encrypted empty values can still be inferred from their shorter encrypted blob size.
+        #
+        # @param empty_string_visible_in_db [Boolean] When true (default), stores empty strings as ""
+        #   in the database. This saves space and allows empty strings to be queried directly, but makes them visible. When false, encrypts empty strings normally. This hides empty strings but takes more space. Note: Encrypted empty values can still be inferred from their shorter encrypted blob size.
+        #
+        # @param whitespace_visible_in_db [Boolean] When true (default), stores whitespace-only strings (e.g., "   ", "\t\n") as-is in the database. This saves space since whitespace-only strings contain no PII or sensitive data. When false, encrypts whitespace-only strings normally.
+        #
+        # Trade-offs:
+        # - true: Saves space, faster queries, but values are visible in the database
+        # - false: Encrypts values (more secure), but takes more space and encrypted blobs can be inferred as empty/nil from their size
+        def initialize(
+          nil_visible_in_db: true,
+          empty_string_visible_in_db: true,
+          whitespace_visible_in_db: true
+        )
+          super()
+
+          @nil_visible_in_db = nil_visible_in_db
+          @empty_string_visible_in_db = empty_string_visible_in_db
+          @whitespace_visible_in_db = whitespace_visible_in_db
+        end
+
+        def encrypt(clear_text, **options)
+          if clear_text.nil?
+            if @nil_visible_in_db
+              nil
+            else
+              # When nil_visible_in_db is false, encrypt nil using a sentinel value
+              # This allows us to distinguish encrypted nil from encrypted empty string
+              # Rails' encryptor only accepts strings, so we use a null byte as sentinel
+              super(NIL_SENTINEL, **options)
+            end
+          elsif clear_text.is_a?(String)
+            if @empty_string_visible_in_db && clear_text == ""
+              ""
+            elsif @whitespace_visible_in_db && whitespace_only?(clear_text)
+              clear_text
+            else
+              super
+            end
+          else
+            super
+          end
+        end
+
+        def decrypt(encrypted_text, **options)
+          if @nil_visible_in_db && encrypted_text.nil?
+            nil
+          elsif @empty_string_visible_in_db && encrypted_text.is_a?(String) && encrypted_text == ""
+            ""
+          elsif @whitespace_visible_in_db && encrypted_text.is_a?(String) && whitespace_only?(encrypted_text)
+            encrypted_text
+          else
+            decrypted = super
+            # If decrypted value is the nil sentinel, return nil instead
+            if decrypted == NIL_SENTINEL && !@nil_visible_in_db
+              nil
+            else
+              decrypted
+            end
+          end
+        end
+
+        private
+
+        # Check if a string contains only whitespace characters (spaces, tabs, newlines, etc.) but is not empty (empty strings are handled separately)
+        def whitespace_only?(str)
+          !str.empty? && str.strip.empty?
+        end
+      end
+    end
+  end
+end

data/lib/rails_panda_sensitive_data/models/active_record.rb

@@ -0,0 +1,134 @@
+# frozen_string_literal: true
+
+require "active_support"
+require "active_support/concern"
+
+module RailsPanda
+  module SensitiveData
+    module Models
+      module ActiveRecord
+        extend ActiveSupport::Concern
+
+        class_methods do
+          def encrypts(*attributes, **options)
+            raise ArgumentError, "encrypts must be called with at least one attribute" if attributes.blank?
+
+            super_options = options.dup
+
+            # If rails_default is true, skip our custom logic and use Rails' standard behavior
+            unless super_options.delete(:rails_default)
+              nil_visible_in_db = super_options.delete(:nil_visible_in_db) != false
+              empty_string_visible_in_db = super_options.delete(:empty_string_visible_in_db) != false
+              whitespace_visible_in_db = super_options.delete(:whitespace_visible_in_db) != false
+              needs_custom_encryptor =
+                nil_visible_in_db ||
+                empty_string_visible_in_db ||
+                whitespace_visible_in_db
+
+              # Pass encryptor as a keyword argument - Rails stores it in context_properties internally and retrieves it from there when needed
+              if needs_custom_encryptor && !super_options[:encryptor]
+                super_options[:encryptor] =
+                  ::RailsPanda::SensitiveData::Encryption::Encryptor.new(
+                    empty_string_visible_in_db:,
+                    nil_visible_in_db:,
+                    whitespace_visible_in_db:
+                  )
+              end
+            end
+
+            super(*attributes, **super_options)
+          end
+
+          def has_sensitive_data(*attributes, **options)
+            raise ArgumentError, "has_sensitive_data must be called with at least one attribute" if attributes.blank?
+
+            super_options = options.dup
+
+            in_attribute = super_options.delete(:in)&.to_sym || :sensitive_data
+
+            unless @__has_registered_sensitive_data_encrypted_attribute
+              serialize(in_attribute, type: Hash, coder: YAML)
+              encrypts(in_attribute, **super_options)
+
+              @__has_registered_sensitive_data_encrypted_attribute = true
+            end
+
+            attributes.each do |attr|
+              attr = attr.to_sym
+
+              define_method attr do
+                the_hash = send(in_attribute)
+                return if the_hash.blank?
+                the_hash[attr]
+              end
+
+              define_method "#{attr}=" do |the_value|
+                the_hash = send(in_attribute)
+                the_hash ||= {}
+
+                if the_value.nil?
+                  the_hash.delete attr
+                else
+                  the_hash[attr] = the_value
+                end
+
+                send("#{in_attribute}=", the_hash)
+              end
+
+              attr_in_database = :"#{attr}_in_database"
+              attr_before_last_save = :"#{attr}_before_last_save"
+              saved_change_to_attr = :"saved_change_to_#{attr}"
+
+              define_method attr_in_database do
+                attribute_in_database(in_attribute)&.dig(attr)
+              end
+
+              # Returns nil until after a save, and nil after reload (Rails clears mutations_before_last_save on reload)
+              define_method attr_before_last_save do
+                attribute_before_last_save(in_attribute)&.dig(attr)
+              end
+
+              # attribute_changed? - Has this attribute changed from the database value?
+              define_method "#{attr}_changed?" do
+                send(attr) != send(attr_in_database)
+              end
+
+              # saved_change_to_attribute - Returns the change to an attribute during the last save
+              define_method saved_change_to_attr do
+                before = send(attr_before_last_save)
+                current = send(attr)
+                return nil if before.nil? || before == current
+                [before, current]
+              end
+
+              # saved_change_to_attribute? - Did this attribute change when we last saved?
+              # Returns false if before_last_save is nil (e.g., after reload or before any save)
+              define_method "#{saved_change_to_attr}?" do
+                before = send(attr_before_last_save)
+                !before.nil? && send(attr) != before # No saved change if before_last_save is nil
+              end
+
+              # will_save_change_to_attribute? - Will this attribute change the next time we save?
+              define_method "will_save_change_to_#{attr}?" do
+                send(attr) != send(attr_in_database)
+              end
+
+              # attribute_change_to_be_saved - Returns the change to an attribute that will be persisted during the next save
+              define_method "#{attr}_change_to_be_saved" do
+                in_db = send(attr_in_database)
+                current = send(attr)
+                return nil if in_db.nil? || in_db == current
+                [in_db, current]
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+# Auto-include the module in all ActiveRecord::Base models
+ActiveSupport.on_load(:active_record) do
+  include RailsPanda::SensitiveData::Models::ActiveRecord
+end

data/lib/rails_panda_sensitive_data/models/mongoid.rb

@@ -0,0 +1,217 @@
+# frozen_string_literal: true
+
+require "active_support"
+require "active_support/concern"
+
+module RailsPanda
+  module SensitiveData
+    module Models
+      module Mongoid
+        extend ActiveSupport::Concern
+
+        included do
+          extend ::AttrEncrypted
+
+          before_save :set_encryption_key
+
+          field :encryption_key, type: String
+        end
+
+        def set_encryption_key
+          encr_key = encryption_key
+          if encr_key.nil? || encr_key == ""
+            # 8 chars
+            self.encryption_key = SecureRandom.hex(4)
+          end
+        end
+
+        def sensitive_data_encryption_key
+          set_encryption_key
+          encryption_key + ::RailsPanda::SensitiveData.application_sensitive_data_encryption_key
+        end
+
+        class_methods do
+          def add_encrypted_attribute(attribute_name, opts = {})
+            treat_nil_as_empty_value =
+              opts.delete(:treat_nil_as_empty_value) ? true : false
+
+            empty_value_visible_in_db =
+              opts.delete(:empty_value_visible_in_db) ? true : false
+
+            nil_value_visible_in_db =
+              (opts.delete(:nil_value_visible_in_db) ? true : false) ||
+              (treat_nil_as_empty_value && empty_value_visible_in_db)
+
+            prefix = opts[:prefix] || "encrypted_"
+            suffix = opts[:suffix] || ""
+
+            db_attribute_name = [prefix, attribute_name, suffix].join
+
+            attribute_name = opts.delete(:as) || attribute_name
+
+            field_name =
+              opts[:attribute] ||
+              [prefix, attribute_name, suffix].join
+
+            field db_attribute_name, as: field_name, type: String
+            field "#{db_attribute_name}_iv", as: "#{field_name}_iv", type: String
+
+            attr_encryptor(
+              attribute_name,
+              key: :sensitive_data_encryption_key,
+              marshal: true,
+              encode: true,
+              allow_empty_value: true,
+              **opts
+            )
+
+            encryptor_getter_method_name = "__encryptor_#{attribute_name}"
+            encryptor_setter_method_name = "__encryptor_#{attribute_name}="
+            mem_value_attr = "@#{attribute_name}"
+
+            attribute_name_before_last_save = :"#{attribute_name}_before_last_save"
+
+            alias_method encryptor_getter_method_name, attribute_name
+            alias_method encryptor_setter_method_name, "#{attribute_name}="
+
+            attr_reader attribute_name_before_last_save
+            after_initialize do
+              if respond_to? encrypted_attribute_name
+                instance_variable_set(
+                  "@#{attribute_name_before_last_save}",
+                  Marshal.load(Marshal.dump(send(attribute_name)))
+                )
+              end
+            end
+
+            define_method "saved_change_to_#{attribute_name}?" do
+              send(attribute_name) != send(attribute_name_before_last_save)
+            end
+
+            define_method attribute_name do
+              unless (value = instance_variable_get(mem_value_attr))
+
+                db_value = send(encrypted_attribute_name)
+
+                if nil_value_visible_in_db && db_value.nil?
+                  return "" if treat_nil_as_empty_value
+                  return nil
+                end
+
+                if empty_value_visible_in_db && db_value == ""
+                  return ""
+                end
+
+                value = send(encryptor_getter_method_name)
+              end
+
+              return "" if treat_nil_as_empty_value && value.nil?
+              value
+            end
+
+            define_method "#{attribute_name}=" do |the_value|
+              encrypted_attribute_name__set = "#{field_name}="
+              encrypted_attribute_iv_name__set = "#{field_name}_iv="
+
+              if nil_value_visible_in_db && the_value.nil? && !treat_nil_as_empty_value
+                send(encrypted_attribute_name__set, nil)
+                send(encrypted_attribute_iv_name__set, nil)
+                instance_variable_set(mem_value_attr, nil)
+                return nil
+              end
+
+              if empty_value_visible_in_db &&
+                  (
+                    the_value == "" ||
+                    (treat_nil_as_empty_value && the_value.nil?)
+                  )
+                send(encrypted_attribute_name__set, "")
+                send(encrypted_attribute_iv_name__set, "")
+                instance_variable_set(mem_value_attr, "")
+                return ""
+              end
+
+              the_value = "" if treat_nil_as_empty_value && the_value.nil?
+
+              send(encryptor_setter_method_name, the_value)
+            end
+          end
+
+          def add_sensitive_attribute_accessors(attribute_name, opts = {})
+            in_attribute = opts.delete(:in) || :sensitive_data
+            in_attribute_before_last_save = :"#{in_attribute}_before_last_save"
+            in_field_name =
+              opts[:attribute] ||
+              opts.delete(:in_db) ||
+              [prefix, in_attribute, suffix].join
+
+            mem_value_attr = "@#{in_attribute}"
+
+            unless respond_to? in_attribute
+              field in_field_name, type: String
+              field "#{in_field_name}_iv", type: String
+
+              attr_encryptor(
+                in_attribute,
+                key: :sensitive_data_encryption_key,
+                marshal: true,
+                encode: true,
+                allow_empty_value: true,
+                attribute: in_field_name,
+                **opts
+              )
+
+              attr_reader in_attribute_before_last_save
+              after_initialize do
+                if respond_to?(in_field_name)
+                  instance_variable_set(
+                    "@#{in_attribute_before_last_save}",
+                    Marshal.load(Marshal.dump(send(in_attribute)))
+                  )
+                end
+              end
+            end
+
+            define_method "saved_change_to_#{attribute_name}?" do
+              send(attribute_name) != send(attribute_name_before_last_save)
+            end
+
+            define_method "#{attribute_name}_before_last_save" do
+              send(in_attribute_before_last_save)&.dig(attribute_name)
+            end
+
+            define_method attribute_name do
+              unless (the_hash = instance_variable_get(mem_value_attr))
+                db_value = send(in_field_name)
+                return nil if db_value.nil? || db_value == ""
+
+                the_hash = send(in_attribute)
+              end
+              return nil if the_hash.nil? || the_hash == ""
+
+              the_hash.dig(attribute_name)
+            end
+
+            define_method "#{attribute_name}=" do |the_value|
+              unless (the_hash = instance_variable_get(mem_value_attr))
+                db_value = send(in_field_name)
+                unless db_value.nil? || db_value == ""
+                  the_hash = send(in_attribute)
+                end
+              end
+              the_hash = {} if the_hash.nil? || the_hash == ""
+
+              if the_value.nil?
+                the_hash.delete attribute_name
+              else
+                the_hash[attribute_name] = the_value
+              end
+
+              send("#{in_attribute}=", the_hash)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rails_panda_sensitive_data/sensitive_data.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require "rails_panda_sensitive_data/config"
+
+module RailsPanda
+  module SensitiveData
+    class << self # rubocop:disable Lint/EmptyClass
+    end
+  end
+end

data/lib/rails_panda_sensitive_data/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module RailsPanda
+  module SensitiveData
+    VERSION = "3.0.0"
+  end
+end

data/lib/rails_panda_sensitive_data.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "rails_panda_sensitive_data/sensitive_data"
+require "rails_panda_sensitive_data/encryption/encryptor"
+require "rails_panda_sensitive_data/encryption/active_record__encrypted_attribute_type"
+require "rails_panda_sensitive_data/models/active_record"
+# require "rails_panda_sensitive_data/models/mongoid"
+
+module RailsPanda
+  module SensitiveData
+  end
+end

data/rails_panda_sensitive_data.gemspec

@@ -0,0 +1,44 @@
+$LOAD_PATH.push File.expand_path("lib", __dir__)
+
+require "rails_panda_sensitive_data/version"
+
+Gem::Specification.new do |spec|
+  spec.required_ruby_version = ">= 3.2"
+
+  spec.name = "rails-panda-sensitive-data"
+  spec.version = RailsPanda::SensitiveData::VERSION
+  spec.authors = ["João Saraiva"]
+  spec.email = ["panda@bigbadpanda.com"]
+  spec.homepage = "https://github.com/bigbadpanda-tech/rails-panda-sensitive-data"
+  spec.summary = "Code that Rails applications use for dealing with sensitive data (e.g., GDPR)."
+  spec.description = "Code that Rails applications use for dealing with sensitive data (e.g., GDPR)."
+  spec.license = "MIT"
+  spec.metadata["rubygems_mfa_required"] = "true"
+
+  spec.files = Dir[
+    "lib/**/*",
+    "rails_panda_sensitive_data.gemspec",
+    "Gemfile",
+    # "Rakefile",
+    "LICENSE",
+    "CHANGELOG.md",
+    "README.md"
+  ]
+
+  spec.add_dependency "rails", ">= 7.0.0"
+
+  # spec.add_development_dependency "combustion"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "rspec-rails"
+  spec.add_development_dependency "simplecov"
+  spec.add_development_dependency "rubocop"
+  spec.add_development_dependency "rubocop-rails"
+  spec.add_development_dependency "rubocop-rspec"
+  spec.add_development_dependency "rubocop-rspec_rails"
+  spec.add_development_dependency "rubocop-rake"
+  spec.add_development_dependency "rubocop-performance"
+  spec.add_development_dependency "standard"
+  spec.add_development_dependency "standard-rails"
+  spec.add_development_dependency "sqlite3"
+end

metadata

@@ -0,0 +1,252 @@
+--- !ruby/object:Gem::Specification
+name: rails-panda-sensitive-data
+version: !ruby/object:Gem::Version
+  version: 3.0.0
+platform: ruby
+authors:
+- João Saraiva
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.0.0
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec_rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-performance
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: standard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: standard-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Code that Rails applications use for dealing with sensitive data (e.g.,
+  GDPR).
+email:
+- panda@bigbadpanda.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- Gemfile
+- LICENSE
+- README.md
+- lib/rails/panda/sensitive/data.rb
+- lib/rails_panda_sensitive_data.rb
+- lib/rails_panda_sensitive_data/config.rb
+- lib/rails_panda_sensitive_data/encryption/active_record__encrypted_attribute_type.rb
+- lib/rails_panda_sensitive_data/encryption/encryptor.rb
+- lib/rails_panda_sensitive_data/models/active_record.rb
+- lib/rails_panda_sensitive_data/models/mongoid.rb
+- lib/rails_panda_sensitive_data/sensitive_data.rb
+- lib/rails_panda_sensitive_data/version.rb
+- rails_panda_sensitive_data.gemspec
+homepage: https://github.com/bigbadpanda-tech/rails-panda-sensitive-data
+licenses:
+- MIT
+metadata:
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.7.2
+specification_version: 4
+summary: Code that Rails applications use for dealing with sensitive data (e.g., GDPR).
+test_files: []