rom_encrypted_attribute 0.0.1 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4fa68f6b6119a75fb160eed6c69ecb341f0966e09b2e1e2d234d0ce20e1f2a1c
-  data.tar.gz: 4f33329807bc3337d001ebe8c4840ae10ed70272db064343588fc38c444f0452
+  metadata.gz: d8f15d21dd70764715c289e7a5c6bc687066517b188b3457a94fc1913f0d09fd
+  data.tar.gz: e3b106612840731afffb3ea6fc6df41d142e1f68e5f0f3f349a81b8e89338006
 SHA512:
-  metadata.gz: 3ca2ba7ffdb4b96fdc97ca403100bd996593724953a9938483619f82916d62ac7a2c7161e19401fef5cad66837ea6571235dc8064cdb0a7aace0aae3a1776453
-  data.tar.gz: cc3dc7e8b45d235d5fdf10cd069b84c9ee8a590fcc9247d6df36fedf3529634980c95a32b5978030294cd36ed26858aea4ca4ad97b5debcf1f957dffacfe0957
+  metadata.gz: 4a11a62105323e121bad0b230267ad796233dc7638e2f570bf290ec4c427572db0f93c9f20d8ee44e18984bba32a40b6daedbc5c36ea10efc581c8f272172669
+  data.tar.gz: 4d74d25778f535512b170cfbce064f0fe38861f4e66fd6b86feda8530e981180ca1fe63db24b57125556e18d61c550f8564cc9038df52908f9932da8e2c42dca

data/README.md

@@ -1,12 +1,12 @@
 # RomEncryptedAttribute
 
-This gem adds support for encrypted fields using [ROM](https://rom-rb.org/).
+This gem adds support for encrypted attributes to [ROM](https://rom-rb.org/).
 
-Traditionally ROM suggested to put encryption logic in repository code (more precisely, in the mapper from database struct to an entity). I personally think this is not the greatest idea. Repository lies logically in application layer (or even domain layer), while encryption and decryption of data is a purely infrastructure concern. As such, it should be as low-level and hidden as possible.
+Traditionally ROM team [suggested](https://discourse.rom-rb.org/t/question-encryption-support-thoughts/387) to put encryption logic in repository code (more precisely, in the mapper from database struct to an entity). I personally think this is not the greatest idea. Repository lies logically in the application layer (or even domain layer), while encryption and decryption of data is a purely infrastructure concern. As such, it should be as low-level and hidden as possible.
 
-In ROM terms it means doing it in a relation. This gem uses custom types to achieve encryption and decryption.
+In ROM terms it means doing it in a relation. The gem leverages custom types to achieve encryption and decryption.
 
-The scheme is compatible with Rails' default settings for ActiveRecord encryption, so you can still read encrypted records as long as you provide the same primary key and salt derivation key.
+The scheme is compatible with Rails' default settings for ActiveRecord encryption, so you can still read records encrypted with ActiveRecord from ROM (and vice versa) as long as you provide the same primary key and key derivation salt.
 
 ## Installation
 
@@ -27,7 +27,7 @@ class SecretNotes < ROM::Relation[:sql]
   EncryptedString, EncryptedStringReader =
     RomEncryptedAttribute.define_encrypted_attribute_types(
       primary_key: ENV["ENCRYPTION_PRIMARY_KEY"],
-      derivation_salt: ENV["ENCRYPTION_DERIVATION_SALT"]
+      key_derivation_salt: ENV["ENCRYPTION_KEY_DERIVATION_SALT"]
     )
     
   schema(:secret_notes, infer: true) do
@@ -36,13 +36,29 @@ class SecretNotes < ROM::Relation[:sql]
 end
 ```
 
-Of course, you can define it somewhere else and just `include` in the relation or use your custom types code organization.
+By default the gem uses SHA1 for key derivation (same as Rails' default), but you can configure it by passing custom `has_digest_class` option.
+
+``` ruby
+class SecretNotes < ROM::Relation[:sql]
+  EncryptedString, EncryptedStringReader =
+    RomEncryptedAttribute.define_encrypted_attribute_types(
+      primary_key: ENV["ENCRYPTION_PRIMARY_KEY"],
+      key_derivation_salt: ENV["ENCRYPTION_KEY_DERIVATION_SALT"],
+      hash_digest_class: OpenSSL::Digest::SHA256
+    )
+    
+  schema(:secret_notes, infer: true) do
+    attribute :content, EncryptedString, read: EncryptedStringReader
+  end
+end
+
+```
 
 ### Caveats
 
-* Due to a bug in `rom-sql`, reading unencrypted data is turned on by default
-* The gem uses SHA256 for key derivation and it's currently not configurable
-* Support for deterministic encryption from `ActiveRecord::Entryption` is not implemented
+* Due to [a bug](https://github.com/rom-rb/rom-sql/issues/423) in `rom-sql`, reading unencrypted data is always supported, which means that if there's a plain not-encrypted data in your database already, it will be read correctly. This might or might not be desirable, but for the time being there's no choice in cofiguring this behaviour.
+* Support for deterministic encryption from `ActiveRecord::Encryption` is not implemented
+* Support for key rotation is not implemented
 
 ## Contributing
 

data/lib/rom_encrypted_attribute/decryptor.rb

@@ -2,19 +2,16 @@
 
 require "base64"
 require "json"
-require_relative "key_derivator"
+require_relative "payload"
 
 module RomEncryptedAttribute
   class Decryptor
-    def initialize(secret:, salt:)
-      @derivator = KeyDerivator.new(secret: secret, salt: salt)
+    def initialize(derivator:)
+      @derivator = derivator
     end
 
     def decrypt(message)
-      message = JSON.parse(message)
-      data = Base64.strict_decode64(message["p"])
-      iv = Base64.strict_decode64(message["h"]["iv"])
-      auth_tag = Base64.strict_decode64(message["h"]["at"])
+      payload = RomEncryptedAttribute::Payload.decode(message)
 
       cipher = OpenSSL::Cipher.new("aes-256-gcm")
       key = @derivator.derive(cipher.key_len)
@@ -22,10 +19,10 @@ module RomEncryptedAttribute
       cipher.decrypt
       cipher.padding = 0
       cipher.key = key
-      cipher.iv = iv
-      cipher.auth_tag = auth_tag
+      cipher.iv = payload.initialization_vector
+      cipher.auth_tag = payload.auth_tag
       cipher.auth_data = ""
-      cipher.update(data) + cipher.final
+      cipher.update(payload.message) + cipher.final
     rescue JSON::ParserError
       # we need to unconditionally support of reading unencrypted data due to a bug in rom-sql
       # https://github.com/rom-rb/rom-sql/issues/423

data/lib/rom_encrypted_attribute/encryptor.rb

@@ -3,12 +3,12 @@
 require "base64"
 require "json"
 require "openssl"
-require_relative "key_derivator"
+require_relative "payload"
 
 module RomEncryptedAttribute
   class Encryptor
-    def initialize(secret:, salt:)
-      @derivator = KeyDerivator.new(secret: secret, salt: salt)
+    def initialize(derivator:)
+      @derivator = derivator
     end
 
     def encrypt(message)
@@ -20,22 +20,7 @@ module RomEncryptedAttribute
       cipher.key = key
       cipher.iv = iv
       encrypted = cipher.update(message) + cipher.final
-      serialize(encrypted, cipher: cipher, iv: iv)
-    end
-
-    private
-
-    def serialize(encrypted, iv:, cipher:)
-      payload =
-        {
-          "p" => Base64.strict_encode64(encrypted),
-          "h" => {
-            "iv" => Base64.strict_encode64(iv),
-            "at" => Base64.strict_encode64(cipher.auth_tag)
-          }
-        }
-
-      JSON.dump(payload)
+      Payload.new(message: encrypted, initialization_vector: iv, auth_tag: cipher.auth_tag).encode
     end
   end
 end

data/lib/rom_encrypted_attribute/key_derivator.rb

@@ -4,16 +4,17 @@ require "openssl"
 
 module RomEncryptedAttribute
   class KeyDerivator
-    DIGEST_CLASS = OpenSSL::Digest::SHA256
+    DEFAULT_DIGEST_CLASS = OpenSSL::Digest::SHA1
     ITERATIONS = 2**16
 
-    def initialize(secret:, salt:)
+    def initialize(secret:, salt:, hash_digest_class: DEFAULT_DIGEST_CLASS)
       @secret = secret
       @salt = salt
+      @hash_digest_class = hash_digest_class
     end
 
     def derive(size)
-      OpenSSL::PKCS5.pbkdf2_hmac(@secret, @salt, ITERATIONS, size, DIGEST_CLASS.new)
+      OpenSSL::PKCS5.pbkdf2_hmac(@secret, @salt, ITERATIONS, size, @hash_digest_class.new)
     end
   end
 end

data/lib/rom_encrypted_attribute/payload.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require "dry/types"
+require "dry/struct"
+require "base64"
+
+class RomEncryptedAttribute::Payload < Dry::Struct
+  class Types
+    include Dry.Types()
+  end
+
+  attribute :message, Types::Strict::String
+  attribute :initialization_vector, Types::Strict::String
+  attribute :auth_tag, Types::Strict::String
+
+  def self.decode(database_value)
+    payload = JSON.parse(database_value)
+    new(
+      message: decode64(payload["p"]),
+      initialization_vector: decode64(payload.dig("h", "iv")),
+      auth_tag: decode64(payload.dig("h", "at"))
+    )
+  end
+
+  def self.decode64(value)
+    Base64.strict_decode64(value)
+  end
+
+  def encode
+    payload =
+      {
+        "p" => encode64(message),
+        "h" => {
+          "iv" => encode64(initialization_vector),
+          "at" => encode64(auth_tag)
+        }
+      }
+
+    JSON.dump(payload)
+  end
+
+  private
+
+  def encode64(value)
+    Base64.strict_encode64(value)
+  end
+end

data/lib/rom_encrypted_attribute/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RomEncryptedAttribute
-  VERSION = "0.0.1"
+  VERSION = "0.0.3"
 end

data/lib/rom_encrypted_attribute.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require_relative "rom_encrypted_attribute/key_derivator"
 require_relative "rom_encrypted_attribute/decryptor"
 require_relative "rom_encrypted_attribute/encryptor"
 require_relative "rom_encrypted_attribute/version"
@@ -7,13 +8,15 @@ require_relative "rom_encrypted_attribute/version"
 require "dry/types"
 
 module RomEncryptedAttribute
-  def self.define_encrypted_attribute_types(primary_key:, derivation_salt:)
+  def self.define_encrypted_attribute_types(primary_key:, key_derivation_salt:, hash_digest_class: OpenSSL::Digest::SHA1)
+    key_derivator = KeyDerivator.new(salt: key_derivation_salt, secret: primary_key, hash_digest_class: hash_digest_class)
+
     reader_type = Dry.Types.Constructor(String) do |value|
-      RomEncryptedAttribute::Decryptor.new(secret: primary_key, salt: derivation_salt).decrypt(value)
+      RomEncryptedAttribute::Decryptor.new(derivator: key_derivator).decrypt(value)
     end
 
     writer_type = Dry.Types.Constructor(String) do |value|
-      RomEncryptedAttribute::Encryptor.new(secret: primary_key, salt: derivation_salt).encrypt(value)
+      RomEncryptedAttribute::Encryptor.new(derivator: key_derivator).encrypt(value)
     end
 
     [writer_type, reader_type]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rom_encrypted_attribute
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.3
 platform: ruby
 authors:
 - Paweł Świątkowski
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-11-07 00:00:00.000000000 Z
+date: 2024-03-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dry-types
@@ -82,6 +82,7 @@ files:
 - lib/rom_encrypted_attribute/decryptor.rb
 - lib/rom_encrypted_attribute/encryptor.rb
 - lib/rom_encrypted_attribute/key_derivator.rb
+- lib/rom_encrypted_attribute/payload.rb
 - lib/rom_encrypted_attribute/version.rb
 - rom_encrypted_attribute.gemspec
 homepage:
@@ -103,7 +104,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.21
+rubygems_version: 3.5.6
 signing_key:
 specification_version: 4
 summary: Encrypted attributes for ROM