rom-encrypted_attribute 0.0.3 → 0.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 26555bd77c9580cd7889520b0cd9737065ac1be7b66572770ddae63cd4ffe5df
-  data.tar.gz: 5a7b73206a06cadec42c6ad584ad239a3f81bcb9e30790641d4bb1868fd75d22
+  metadata.gz: a7799a80222e1784ae54379331e44b52035d1fea0544723ab3ad69aac8d0416a
+  data.tar.gz: 1418ca1c2a31c539fec10c0c118c305216a439a19c19cdf1662ad1b158bed892
 SHA512:
-  metadata.gz: cf70faabb89dad5e071bae34ad030c87816656a27384c3aed6f4247f8d7d5eef9cb67ce365ec6d5e62a0e4341cc604ab8169e2a6fb641a31fbe71ffa7d02a1ae
-  data.tar.gz: 335fe66bfa7993e3a4dd22f2f40b86fd0e6ab85ec94e288804f3abad89a166036da8a62351b495f111437ea7084b46ad32b25d4ae86ab7ecd734fc80c3cf7784
+  metadata.gz: e1854858926a001395967f06fc4dcce28ef066e2e3819d4a3f45375abc1e55c671000de7ff3f7431d6641f31b68d92f012f75532db2cc137e35e9939b61b745a
+  data.tar.gz: 5f8cf5402568abc7d46dd5cd96bf7443ed59d2bf74d69191349ff10ab0c41d89d1f9f154d180890d2344e1d973801c1f2294fae0d8aa2619cdfddf963135c77e

data/README.md

@@ -20,6 +20,59 @@ If bundler is not being used to manage dependencies, install the gem by executin
 
 ## Usage
 
+There are two ways to use this library: via a ROM schema plugin or by a "bare metal" approach.
+
+### ROM plugin
+
+Somewhere in you code set the config for the gem. This is done using [`Dry::Configurable`](https://dry-rb.org/gems/dry-configurable/1.0/), so you can use all options available there. For example:
+
+``` ruby
+ROM::EncryptedAttribute.configure do |config|
+  config.primary_key = "your-primary-key" # required
+  config.key_derivation_salt = "your-derivation-salt" # required
+  config.hash_digest_class = OpenSSL::Digest::SHA256 # SHA1 by default
+end
+```
+
+Then use the plugin in your ROM relation:
+
+``` ruby
+class SecretNotes < ::ROM::Relation[:sql]
+  schema(:secret_notes, infer: true) do
+    use :encrypted_attributes
+    encrypt :content
+  end
+end
+```
+
+You can override individual configuration values if, for example, one database table uses different primary key:
+
+``` ruby
+class SecretNotes < ::ROM::Relation[:sql]
+  schema(:secret_notes, infer: true) do
+    use :encrypted_attributes, primary_key: ENV["SPECIAL_PRIMARY_KEY"]
+    encrypt :content
+  end
+end
+```
+
+If you specify all configuration options, or use defaults, you can skip setting the global config.
+
+You can also override global per-schema settings on a per-field level:
+
+``` ruby
+class SecretNotes < ::ROM::Relation[:sql]
+  schema(:secret_notes, infer: true) do
+    use :encrypted_attributes
+    encrypt :content
+    encrypt :title, :hash_digest_class: OpenSSL::Digest::SHA256
+  end
+end
+
+```
+
+### "Bare metal"
+
 In your relation, define custom types using a helper method from the gem. You need to provide the credentials to it somehow. This might be done via environmental variables, Hanami settings (if you're using Hanami) or any other means, really.
 
 ```ruby
@@ -36,7 +89,11 @@ class SecretNotes < ROM::Relation[:sql]
 end
 ```
 
-By default the gem uses SHA1 for key derivation (same as Rails' default), but you can configure it by passing custom `has_digest_class` option.
+With this approach you can define the types globally in your application and reuse it, without having to pass primary_key and key_derivation_salt every time in the schema.
+
+### Other considerations
+
+By default the gem uses SHA1 for key derivation (same as Rails' default), but you can configure it by passing custom `hash_digest_class` option.
 
 ``` ruby
 class SecretNotes < ROM::Relation[:sql]
@@ -56,9 +113,9 @@ end
 
 ### Caveats
 
-* Due to [a bug](https://github.com/rom-rb/rom-sql/issues/423) in `rom-sql`, reading unencrypted data is always supported, which means that if there's a plain not-encrypted data in your database already, it will be read correctly. This might or might not be desirable, but for the time being there's no choice in cofiguring this behaviour.
-* Support for deterministic encryption from `ActiveRecord::Encryption` is not implemented
-* Support for key rotation is not implemented
+* Due to [a bug](https://github.com/rom-rb/rom-sql/issues/423) in `rom-sql`, reading unencrypted data is always supported, which means that if there's a plain not-encrypted data in your database already, it will be read correctly. This might or might not be desirable, but for the time being there's no choice in configuring this behaviour.
+* Support for deterministic encryption from `ActiveRecord::Encryption` is not (yet) implemented
+* Support for key rotation is not (yet) implemented
 
 ## Contributing
 

data/lib/rom/encrypted_attribute/version.rb

@@ -2,6 +2,6 @@
 
 module ROM
   module EncryptedAttribute
-    VERSION = "0.0.3"
+    VERSION = "0.0.4"
   end
 end

data/lib/rom/encrypted_attribute.rb

@@ -4,11 +4,18 @@ require_relative "encrypted_attribute/key_derivator"
 require_relative "encrypted_attribute/decryptor"
 require_relative "encrypted_attribute/encryptor"
 require_relative "encrypted_attribute/version"
+require_relative "plugins/schema/encrypted_attributes"
 
 require "dry/types"
 
 module ROM
   module EncryptedAttribute
+    extend Dry::Configurable
+
+    setting :primary_key
+    setting :key_derivation_salt
+    setting :hash_digest_class, default: OpenSSL::Digest::SHA1
+
     def self.define_encrypted_attribute_types(primary_key:, key_derivation_salt:, hash_digest_class: OpenSSL::Digest::SHA1)
       key_derivator = KeyDerivator.new(salt: key_derivation_salt, secret: primary_key,
         hash_digest_class: hash_digest_class)

data/lib/rom/plugins/schema/encrypted_attributes.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require "rom"
+
+module ROM
+  module Plugins
+    module Schema
+      module EncryptedAttributes
+        def self.apply(schema, **options)
+          attributes = options.fetch(:attributes)
+          primary_key = options.fetch(:primary_key, ROM::EncryptedAttribute.config.primary_key)
+          key_derivation_salt = options.fetch(:key_derivation_salt, ROM::EncryptedAttribute.config.key_derivation_salt)
+          hash_digest_class = options.fetch(:hash_digest_class, ROM::EncryptedAttribute.config.hash_digest_class)
+
+          encrypted_string, encrypted_string_reader =
+            ROM::EncryptedAttribute.define_encrypted_attribute_types(
+              primary_key: primary_key, key_derivation_salt: key_derivation_salt, hash_digest_class: hash_digest_class
+            )
+
+          attrs =
+            attributes.map do |name|
+              ROM::Schema::DSL.new(schema.name).build_attribute_info(
+                name,
+                encrypted_string,
+                name: name, read: encrypted_string_reader
+              )
+            end
+
+          schema.attributes.concat(
+            schema.class.attributes(attrs, schema.attr_class)
+          )
+        end
+
+        module DSL
+          # @example
+          #   schema do
+          #     use :encrypted_attributes
+          #     encrypt :api_key, :ssn, hash_digest_class: OpenSSL::Digest::SHA256
+          #   end
+          def encrypt(*attributes, **opts)
+            options = plugin_options(:encrypted_attributes)
+            options.merge!(opts)
+            options[:attributes] ||= []
+            options[:attributes] += attributes
+            self
+          end
+        end
+      end
+    end
+  end
+end
+
+ROM.plugins do
+  register :encrypted_attributes, ROM::Plugins::Schema::EncryptedAttributes, type: :schema
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rom-encrypted_attribute
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.4
 platform: ruby
 authors:
 - Paweł Świątkowski
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-09-21 00:00:00.000000000 Z
+date: 2024-10-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dry-types
@@ -84,6 +84,7 @@ files:
 - lib/rom/encrypted_attribute/key_derivator.rb
 - lib/rom/encrypted_attribute/payload.rb
 - lib/rom/encrypted_attribute/version.rb
+- lib/rom/plugins/schema/encrypted_attributes.rb
 - rom-encrypted_attribute.gemspec
 homepage:
 licenses: []