RubyGems - rom-encrypted_attribute - Versions diffs - 0.0.4 → 0.0.5 - Mend

rom-encrypted_attribute 0.0.4 → 0.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/README.md +2 -1
data/lib/rom/encrypted_attribute/decryptor.rb +11 -4
data/lib/rom/encrypted_attribute/encryptor.rb +2 -0
data/lib/rom/encrypted_attribute/rom_sql_patch.rb +53 -0
data/lib/rom/encrypted_attribute/version.rb +1 -1
data/lib/rom/encrypted_attribute.rb +9 -4
data/lib/rom/plugins/schema/encrypted_attributes.rb +2 -1
metadata +4 -8

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a7799a80222e1784ae54379331e44b52035d1fea0544723ab3ad69aac8d0416a
-  data.tar.gz: 1418ca1c2a31c539fec10c0c118c305216a439a19c19cdf1662ad1b158bed892
+  metadata.gz: edac4dc1b09b3b903aefc265d78a56a7fafd2f6d28f1b503d3f4fbe64eede9c6
+  data.tar.gz: c7de7fd6c2bc5c6de81ef0bf3f804f7cda02df4d5687156647155dd77e5c358e
 SHA512:
-  metadata.gz: e1854858926a001395967f06fc4dcce28ef066e2e3819d4a3f45375abc1e55c671000de7ff3f7431d6641f31b68d92f012f75532db2cc137e35e9939b61b745a
-  data.tar.gz: 5f8cf5402568abc7d46dd5cd96bf7443ed59d2bf74d69191349ff10ab0c41d89d1f9f154d180890d2344e1d973801c1f2294fae0d8aa2619cdfddf963135c77e
+  metadata.gz: d603a67e727a2079904ed7f45629fcc2fabe185297ea26f479b9573c8d8b1bb366c6a404ca3720176769890b70d280490cb198b7798731b8efbbe92a47d68581
+  data.tar.gz: dd4d03515ab81bbd335793688f202e73b21f9ad815d9881700e8cf99ff6dc69bc95aebe8c15a74440283b80c19c7c17850133770b98a06a19df54e61476f568f

data/README.md CHANGED Viewed

@@ -66,6 +66,7 @@ class SecretNotes < ::ROM::Relation[:sql]
     use :encrypted_attributes
     encrypt :content
     encrypt :title, :hash_digest_class: OpenSSL::Digest::SHA256
+    encrypt :maybe_encrypted, support_unencrypted_data: true
   end
 end
@@ -113,7 +114,7 @@ end
 ### Caveats
-* Due to [a bug](https://github.com/rom-rb/rom-sql/issues/423) in `rom-sql`, reading unencrypted data is always supported, which means that if there's a plain not-encrypted data in your database already, it will be read correctly. This might or might not be desirable, but for the time being there's no choice in configuring this behaviour.
+* Due to [a bug](https://github.com/rom-rb/rom-sql/issues/423) in `rom-sql`, reading unencrypted data requires a monkey patch to ROM. Since this is quite aggressive, you are expected to opt-in to this by calling `ROM::SQL::Patch432.install!`.
 * Support for deterministic encryption from `ActiveRecord::Encryption` is not (yet) implemented
 * Support for key rotation is not (yet) implemented

data/lib/rom/encrypted_attribute/decryptor.rb CHANGED Viewed

@@ -7,11 +7,16 @@ require_relative "payload"
 module ROM
   module EncryptedAttribute
     class Decryptor
-      def initialize(derivator:)
+      UnencryptedDataNotAllowed = Class.new(RuntimeError)
+      def initialize(derivator:, support_unencrypted_data: false)
         @derivator = derivator
+        @support_unencrypted_data = support_unencrypted_data
       end
       def decrypt(message)
+        return nil if message.nil?
         payload = ROM::EncryptedAttribute::Payload.decode(message)
         cipher = OpenSSL::Cipher.new("aes-256-gcm")
@@ -25,9 +30,11 @@ module ROM
         cipher.auth_data = ""
         cipher.update(payload.message) + cipher.final
       rescue JSON::ParserError
-        # we need to unconditionally support of reading unencrypted data due to a bug in rom-sql
-        # https://github.com/rom-rb/rom-sql/issues/423
-        message
+        if @support_unencrypted_data
+          message
+        else
+          raise UnencryptedDataNotAllowed
+        end
       end
     end
   end

data/lib/rom/encrypted_attribute/encryptor.rb CHANGED Viewed

@@ -13,6 +13,8 @@ module ROM
       end
       def encrypt(message)
+        return nil if message.nil?
         cipher = OpenSSL::Cipher.new("aes-256-gcm")
         key = @derivator.derive(cipher.key_len)
         iv = cipher.random_iv

data/lib/rom/encrypted_attribute/rom_sql_patch.rb ADDED Viewed

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+# this is used to silence the redefinition warnings
+require "warning"
+# This provides a patch for rom-sql while https://github.com/rom-rb/rom-sql/pull/432
+# is pending merge. It allows to block reading unencrypted values from the database.
+# You need to opt-in for this patch yourself by calling:
+#
+#     ROM::SQL::Patch432.install!
+#
+# The patch can be reverted with
+#     ROM::SQL::Patch432.uninstall!
+#
+# Note: that you don't need this if you are using PostgreSQL.
+# Also note that this will emit a warning of overwriting a method.
+module ROM
+  module SQL
+    module Patch432
+      def self.install!
+        Warning.ignore(:method_redefined)
+        ROM::SQL::Commands::Create.class_eval do
+          def insert(tuples)
+            pks = tuples.map { |tuple| relation.insert(tuple) }
+            relation.dataset.where(relation.primary_key => pks).to_a
+          end
+          def multi_insert(tuples)
+            pks = relation.multi_insert(tuples, return: :primary_key)
+            relation.dataset.where(relation.primary_key => pks).to_a
+          end
+        end
+        Warning.ignore(:method_redefined, false)
+      end
+      def self.uninstall!
+        Warning.ignore(:method_redefined)
+        ROM::SQL::Commands::Create.class_eval do
+          def insert(tuples)
+            pks = tuples.map { |tuple| relation.insert(tuple) }
+            relation.where(relation.primary_key => pks).to_a
+          end
+          def multi_insert(tuples)
+            pks = relation.multi_insert(tuples, return: :primary_key)
+            relation.where(relation.primary_key => pks).to_a
+          end
+        end
+        Warning.ignore(:method_redefined, false)
+      end
+    end
+  end
+end

data/lib/rom/encrypted_attribute/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module ROM
   module EncryptedAttribute
-    VERSION = "0.0.4"
+    VERSION = "0.0.5"
   end
 end

data/lib/rom/encrypted_attribute.rb CHANGED Viewed

@@ -12,19 +12,24 @@ module ROM
   module EncryptedAttribute
     extend Dry::Configurable
+    module Types
+      include Dry.Types()
+    end
     setting :primary_key
     setting :key_derivation_salt
     setting :hash_digest_class, default: OpenSSL::Digest::SHA1
+    setting :support_unencrypted_data, default: false
-    def self.define_encrypted_attribute_types(primary_key:, key_derivation_salt:, hash_digest_class: OpenSSL::Digest::SHA1)
+    def self.define_encrypted_attribute_types(primary_key:, key_derivation_salt:, hash_digest_class: OpenSSL::Digest::SHA1, support_unencrypted_data: false)
       key_derivator = KeyDerivator.new(salt: key_derivation_salt, secret: primary_key,
         hash_digest_class: hash_digest_class)
-      reader_type = Dry.Types.Constructor(String) do |value|
-        ROM::EncryptedAttribute::Decryptor.new(derivator: key_derivator).decrypt(value)
+      reader_type = Dry.Types.Constructor(Types::String.optional) do |value|
+        ROM::EncryptedAttribute::Decryptor.new(derivator: key_derivator, support_unencrypted_data: support_unencrypted_data).decrypt(value)
       end
-      writer_type = Dry.Types.Constructor(String) do |value|
+      writer_type = Dry.Types.Constructor(Types::String.optional) do |value|
         ROM::EncryptedAttribute::Encryptor.new(derivator: key_derivator).encrypt(value)
       end

data/lib/rom/plugins/schema/encrypted_attributes.rb CHANGED Viewed

@@ -11,10 +11,11 @@ module ROM
           primary_key = options.fetch(:primary_key, ROM::EncryptedAttribute.config.primary_key)
           key_derivation_salt = options.fetch(:key_derivation_salt, ROM::EncryptedAttribute.config.key_derivation_salt)
           hash_digest_class = options.fetch(:hash_digest_class, ROM::EncryptedAttribute.config.hash_digest_class)
+          support_unencrypted_data = options.fetch(:support_unencrypted_data, EncryptedAttribute.config.support_unencrypted_data)
           encrypted_string, encrypted_string_reader =
             ROM::EncryptedAttribute.define_encrypted_attribute_types(
-              primary_key: primary_key, key_derivation_salt: key_derivation_salt, hash_digest_class: hash_digest_class
+              primary_key: primary_key, key_derivation_salt: key_derivation_salt, hash_digest_class: hash_digest_class, support_unencrypted_data: support_unencrypted_data
             )
           attrs =

metadata CHANGED Viewed

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rom-encrypted_attribute
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.5
 platform: ruby
 authors:
 - Paweł Świątkowski
-autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-10-26 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dry-types
@@ -66,7 +65,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '1.0'
-description:
 email:
 - katafrakt@vivaldi.net
 executables: []
@@ -83,14 +81,13 @@ files:
 - lib/rom/encrypted_attribute/encryptor.rb
 - lib/rom/encrypted_attribute/key_derivator.rb
 - lib/rom/encrypted_attribute/payload.rb
+- lib/rom/encrypted_attribute/rom_sql_patch.rb
 - lib/rom/encrypted_attribute/version.rb
 - lib/rom/plugins/schema/encrypted_attributes.rb
 - rom-encrypted_attribute.gemspec
-homepage:
 licenses: []
 metadata:
   source_code_uri: https://github.com/katafrakt/rom-encrypted_attribute
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -105,8 +102,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.16
-signing_key:
+rubygems_version: 3.6.7
 specification_version: 4
 summary: Encrypted attributes for ROM
 test_files: []