sidekiq-encrypted_args 1.2.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bcde4f8a47a8b5b7e5a4c0d6fe8f351a5d62ec8b9390caac4697359b7efe0912
-  data.tar.gz: 135e9fd5a910bf450812fa8406b25579857bcd320c93ea6b6660ce4242376650
+  metadata.gz: aed8d03eeb0b589556b436823f85c13331ab6c1703d732d425321b4cc1b2bc71
+  data.tar.gz: 2f2a42257c669731f97ee25cfc52da48a4cbdbe18b59e0fd84bcebbe50820e89
 SHA512:
-  metadata.gz: 1cb7e169a1dd94f2c081e75147a467984d1e9d0457ca0337b44a8b6cfd4db5e6217a1d41261f52f7a81ed1f9dbcfa837a7ef1d9a4498d694472e4df43289f321
-  data.tar.gz: e238bdd98f374db76e6363b46abd0b8ea2269723d780e30e8150fbb9aca958410fb759f12148abae4ffd418323fa58005b6229ed063db1bbbe02d59cd916e9e0
+  metadata.gz: cbdd4e2d8144eddf2e3699ac30ab52114de6ab8e09b97e75909e2e67defc81f5c4cd71e43efb22c404ac4890213abd6c300ee45117ae7e1428cf5b2b1794595c
+  data.tar.gz: 6644bca285087c5de5b2c68aba368f4192b2061f3f5f6095125d8ca7e16888b40214e2ce7b9a3c2a2ec39b808be6ccadefc7a1c7777c0bd3edecf1ef935f7a18

data/CHANGE_LOG.md

@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 2.0.0
+
+### Changed
+
+- A secret key is now required to be set. Previously the code would silently fail if no key was set. This change improves security by protecting against misconfiguration leaking data into Redis.
+- Bumped minimum required Ruby version to 2.7 and Sidekiq to 6.3.
+
 ## 1.2.0
 
 ### Removed

data/README.md

@@ -22,7 +22,7 @@ To use the gem, you will need to specify a secret that will be used to encrypt t
 Sidekiq::EncryptedArgs.configure!(secret: "YourSecretKey")
 ```
 
-If the secret is not set, the value of the `SIDEKIQ_ENCRYPTED_ARGS_SECRET` environment variable will be used as the secret. If this variable is not set, job arguments will not be encrypted.
+If the secret is not set explicitly, the value of the `SIDEKIQ_ENCRYPTED_ARGS_SECRET` environment variable will be used as the secret. If you call `configure!` without setting a secret (either explicitly or via the environment variable), an error will be raised.
 
 The call to `Sidekiq::EncryptedArgs.configure!` will **prepend** the client encryption middleware and **append** server decryption middleware. By doing this, any other middleware you register will only receive the encrypted parameters (e.g. logging middleware will receive the encrypted parameters).
 
@@ -42,7 +42,8 @@ Sidekiq.configure_server do |config|
     chain.add Sidekiq::EncryptedArgs::ServerMiddleware
   end
 
-  # register client middleware on the server so that starting jobs in a Sidekiq::Worker also get encrypted args
+  # Register client middleware on the server so that starting jobs from within
+  # another also get encrypted args.
   # https://github.com/mperham/sidekiq/wiki/Middleware#client-middleware-registered-in-both-places
   config.client_middleware do |chain|
     chain.prepend Sidekiq::EncryptedArgs::ClientMiddleware
@@ -58,7 +59,7 @@ Setting the option to `true` will encrypt all the arguments passed to the `perfo
 
 ```ruby
 class SecretWorker
-  include Sidekiq::Worker
+  include Sidekiq::Job
 
   sidekiq_options encrypted_args: true
 
@@ -67,20 +68,24 @@ class SecretWorker
 end
 ```
 
-You can also choose to only encrypt specific arguments with an array of either argument names (symbols or strings) or indexes. This is useful to preserve visibility into non-sensitive arguments for troubleshooting or other reasons. Both of these examples encrypt just the second argument to the `perform` method.
+You can also choose to only encrypt specific arguments by specifying either argument names (as symbols or strings) or argument positions (as integers). This is useful to preserve visibility into non-sensitive arguments for troubleshooting or other reasons. All of these examples encrypt just the second argument to the `perform` method.
 
 ```ruby
-# Pass in a list of argument names that should be encrypted
+# Pass in a single argument name
+sidekiq_options encrypted_args: :arg_2
+# or as a string
+sidekiq_options encrypted_args: "arg_2"
+# or as an array
 sidekiq_options encrypted_args: [:arg_2]
-# or
-sidekiq_options encrypted_args: ["arg_2"]
 
 def perform(arg_1, arg_2, arg_3)
 end
 ```
 
 ```ruby
-# Pass in an array of integers indicating which argument positions should be encrypted
+# Pass in an integer indicating which argument position should be encrypted (0-indexed)
+sidekiq_options encrypted_args: 1
+# or as an array
 sidekiq_options encrypted_args: [1]
 
 def perform(arg_1, arg_2, arg_3)
@@ -99,7 +104,7 @@ Sidekiq::EncryptedArgs.secret = ["CurrentSecret", "OldSecret", "EvenOlderSecret"
 
 The first (left most) key will be considered the current key, and is used for encrypting arguments. When decrypting, we iterate over the secrets list until we find the correct one. This allows you to switch you secret keys without breaking jobs already enqueued in Redis.
 
-If you are using the `SIDEKIQ_ENCRYPTED_ARGS_SECRET` environment variable to specify your secret, you can delimit multiple keys with a spaces.
+If you are using the `SIDEKIQ_ENCRYPTED_ARGS_SECRET` environment variable to specify your secret, you can separate multiple keys with whitespace (spaces or tabs).
 
 You can also safely add encryption to an existing worker. Any jobs that are already enqueued will still run even without having the arguments encrypted in Redis.
 

data/VERSION

@@ -1 +1 @@
-1.2.0
+2.0.0

data/lib/sidekiq/encrypted_args/client_middleware.rb

@@ -10,7 +10,16 @@ module Sidekiq
     #
     # @see ServerMiddleware
     class ClientMiddleware
-      # Encrypt specified arguments before they're sent off to the queue
+      include Sidekiq::ClientMiddleware if defined?(Sidekiq::ClientMiddleware)
+
+      # Encrypt specified arguments before they're sent off to the queue.
+      #
+      # @param [String, Class] worker_class The worker class or class name
+      # @param [Hash] job The Sidekiq job hash containing arguments and metadata
+      # @param [String] queue The name of the queue
+      # @param [Object, nil] redis_pool Optional Redis connection pool (legacy parameter)
+      # @return [void]
+      # @yield Passes control to the next middleware in the chain
       def call(worker_class, job, queue, redis_pool = nil)
         if job.include?("encrypted_args")
           encrypted_args = EncryptedArgs.encrypted_args_option(worker_class, job)

data/lib/sidekiq/encrypted_args/server_middleware.rb

@@ -10,11 +10,20 @@ module Sidekiq
     #
     # @see ClientMiddleware
     class ServerMiddleware
-      # Wrap the server process to decrypt incoming arguments
+      include Sidekiq::ServerMiddleware if defined?(Sidekiq::ServerMiddleware)
+
+      # Wrap the server process to decrypt incoming arguments.
+      #
+      # @param [Object] worker The worker instance that will process the job
+      # @param [Hash] job The Sidekiq job hash containing arguments and metadata
+      # @param [String] queue The name of the queue
+      # @return [void]
+      # @yield Passes control to the worker's perform method
       def call(worker, job, queue)
         encrypted_args = job["encrypted_args"]
+
         if encrypted_args
-          encrypted_args = backward_compatible_encrypted_args(encrypted_args, worker.class, job)
+          encrypted_args = EncryptedArgs.encrypted_args_option(worker.class, job)
           job_args = job["args"]
           encrypted_args.each do |position|
             value = job_args[position]
@@ -24,17 +33,6 @@ module Sidekiq
 
         yield
       end
-
-      private
-
-      # Ensure that the encrypted args is an array of integers. If not re-read it from the class
-      # definition since gem version 1.0.2 and earlier did not update the encrypted_args on the job.
-      def backward_compatible_encrypted_args(encrypted_args, worker_class, job)
-        unless encrypted_args.is_a?(Array) && encrypted_args.all? { |position| position.is_a?(Integer) }
-          encrypted_args = EncryptedArgs.encrypted_args_option(worker_class, job)
-        end
-        encrypted_args
-      end
     end
   end
 end

data/lib/sidekiq/encrypted_args/version.rb

@@ -2,6 +2,7 @@
 
 module Sidekiq
   module EncryptedArgs
+    # The current version of the sidekiq-encrypted_args gem.
     VERSION = File.read(File.join(__dir__, "..", "..", "..", "VERSION")).chomp.freeze
   end
 end

data/lib/sidekiq/encrypted_args.rb

@@ -11,11 +11,10 @@ module Sidekiq
   # in Redis to protect sensitive information like API keys, passwords, or
   # personally identifiable information.
   module EncryptedArgs
+    @encryptors = nil
+
     # Error thrown when the secret is invalid
     class InvalidSecretError < StandardError
-      def initialize
-        super("Cannot decrypt. Invalid secret provided.")
-      end
     end
 
     class << self
@@ -39,7 +38,7 @@ module Sidekiq
       # @param [String, Array<String>] value One or more secrets to use for encrypting arguments.
       # @return [void]
       def secret=(value)
-        @encryptors = make_encryptors(value)
+        @encryptors = make_encryptors(value).freeze
       end
 
       # Add the client and server middleware to the default Sidekiq
@@ -58,6 +57,7 @@ module Sidekiq
       # @param [String] secret optionally set the secret here. See {.secret=}
       def configure!(secret: nil)
         self.secret = secret unless secret.nil?
+        encryptors # Calling encryptors will validate that a secret is set.
 
         Sidekiq.configure_client do |config|
           config.client_middleware do |chain|
@@ -127,7 +127,10 @@ module Sidekiq
       # can be `true` or an array indicating if each positional argument should be encrypted, or a hash
       # with keys for the argument position and true as the value.
       #
-      # @private
+      # @param [String, Class] worker_class The worker class or class name
+      # @param [Hash] job The Sidekiq job hash containing arguments and metadata
+      # @return [Array<Integer>, nil] Array of argument positions to encrypt, or nil if encryption is not configured
+      # @api private
       def encrypted_args_option(worker_class, job)
         option = job["encrypted_args"]
         return nil if option.nil?
@@ -154,7 +157,7 @@ module Sidekiq
               raise ArgumentError.new("Encrypted args must be specified as integers or symbols.")
             end
 
-            if array_type && current_type
+            if array_type && current_type != array_type
               raise ArgumentError.new("Encrypted args cannot mix integers and symbols.")
             else
               array_type ||= current_type
@@ -173,34 +176,47 @@ module Sidekiq
       def encrypt_string(value)
         encryptor = encryptors.first
         return value if encryptor.nil?
+
         encryptor.encrypt(value)
       end
 
       def decrypt_string(value)
-        return value if encryptors == [nil]
         encryptors.each do |encryptor|
-          begin
-            return encryptor.decrypt(value) if encryptor
-          rescue OpenSSL::Cipher::CipherError
-            # Not the right key, try the next one
-          end
+          return encryptor.decrypt(value)
+        rescue OpenSSL::Cipher::CipherError
+          # Not the right key, try the next one
         end
-        raise InvalidSecretError
+
+        # None of the keys worked
+        raise InvalidSecretError.new("Cannot decrypt. Invalid secret provided.")
       end
 
       def encryptors
-        if !defined?(@encryptors) || @encryptors.empty?
-          @encryptors = make_encryptors(ENV["SIDEKIQ_ENCRYPTED_ARGS_SECRET"].to_s.split)
+        if @encryptors.nil?
+          secret = ENV.fetch("SIDEKIQ_ENCRYPTED_ARGS_SECRET", "").strip
+          if secret.empty?
+            raise InvalidSecretError.new("Secret not set. Call Sidekiq::EncryptedArgs.secret= or set the SIDEKIQ_ENCRYPTED_ARGS_SECRET environment variable.")
+          end
+
+          @encryptors = make_encryptors(secret.split).freeze
         end
         @encryptors
       end
 
+      # Create encryptors from secrets.
+      #
+      # @param [String, Array<String>] secrets One or more secrets to create encryptors from
+      # @return [Array<SecretKeys::Encryptor>, nil] Array of encryptors or nil if no secrets provided
       def make_encryptors(secrets)
-        Array(secrets).map { |val| val.nil? ? nil : SecretKeys::Encryptor.from_password(val, SALT) }
+        return nil if secrets.nil?
+
+        Array(secrets).map { |val| SecretKeys::Encryptor.from_password(val, SALT) }
       end
 
-      # @param [String] class_name name of a class
-      # @return [Class] class that was referenced by name
+      # Convert a string class name into the actual class constant.
+      #
+      # @param [String] class_name Name of a class (e.g., "MyModule::MyClass")
+      # @return [Class] The class constant that was referenced by name
       def constantize(class_name)
         names = class_name.split("::")
         # Clear leading :: for root namespace since we're already calling from object
@@ -210,21 +226,11 @@ module Sidekiq
         names.inject(Object) { |constant, name| constant.const_get(name, false) }
       end
 
-      def replace_argument_positions(worker_class, encrypt_option_hash)
-        encrypted_indexes = []
-        encrypt_option_hash.each do |key, value|
-          next unless value
-
-          if key.is_a?(Integer) || (key.is_a?(String) && key.match?(INTEGER_PATTERN))
-            encrypted_indexes << key.to_i
-          elsif key.is_a?(Symbol) || key.is_a?(String)
-            position = perform_method_parameter_index(worker_class, key)
-            encrypted_indexes << position if position
-          end
-        end
-        encrypted_indexes
-      end
-
+      # Get the index of a parameter in the worker's perform method.
+      #
+      # @param [Class] worker_class The worker class to inspect
+      # @param [String, Symbol] parameter The parameter name to find
+      # @return [Integer, nil] The zero-based index of the parameter, or nil if not found
       def perform_method_parameter_index(worker_class, parameter)
         if worker_class
           parameter = parameter.to_sym

data/sidekiq-encrypted_args.gemspec

@@ -21,6 +21,7 @@ Gem::Specification.new do |spec|
     Appraisals
     Gemfile
     Gemfile.lock
+    benchmark.rb
     Rakefile
     gemfiles/
     spec/
@@ -33,10 +34,10 @@ Gem::Specification.new do |spec|
   spec.bindir = "bin"
   spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
 
-  spec.required_ruby_version = ">= 2.4"
+  spec.required_ruby_version = ">= 2.7"
 
-  spec.add_dependency "sidekiq", ">= 4.0"
+  spec.add_dependency "sidekiq", ">= 6.3"
   spec.add_dependency "secret_keys"
 
-  spec.add_development_dependency "bundler", "~>2.0"
+  spec.add_development_dependency "bundler"
 end

metadata

@@ -1,15 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sidekiq-encrypted_args
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Brian Durand
 - Winston Durand
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-08-30 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sidekiq
@@ -17,14 +16,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '6.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '6.3'
 - !ruby/object:Gem::Dependency
   name: secret_keys
   requirement: !ruby/object:Gem::Requirement
@@ -43,17 +42,16 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
-description:
+        version: '0'
 email:
 - bbdurand@gmail.com
 - me@winstondurand.com
@@ -65,7 +63,6 @@ files:
 - MIT_LICENSE.txt
 - README.md
 - VERSION
-- benchmark.rb
 - lib/sidekiq-encrypted_args.rb
 - lib/sidekiq/encrypted_args.rb
 - lib/sidekiq/encrypted_args/client_middleware.rb
@@ -79,7 +76,6 @@ metadata:
   homepage_uri: https://github.com/bdurand/sidekiq-encrypted_args
   source_code_uri: https://github.com/bdurand/sidekiq-encrypted_args
   changelog_uri: https://github.com/bdurand/sidekiq-encrypted_args/blob/main/CHANGE_LOG.md
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -87,15 +83,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.4'
+      version: '2.7'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
-signing_key:
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Support for encrypting arguments that contain sensitive information in sidekiq
   jobs.

data/benchmark.rb

@@ -1,38 +0,0 @@
-# frozen_string_literal: true
-
-require "bundler/setup"
-
-require "benchmark"
-require "sidekiq"
-require_relative "lib/sidekiq/encrypted_args"
-
-class WorkerWithoutEncryption
-  include Sidekiq::Worker
-
-  def perform(arg_1, arg_2, arg_3)
-  end
-end
-
-class WorkerWithEncryption
-  include Sidekiq::Worker
-
-  sidekiq_options encrypted_args: [true, true, true]
-
-  def perform(arg_1, arg_2, arg_3)
-  end
-end
-
-middleware = ->(worker_class) {
-  job = {"args" => ["foo", "bar", "baz"]}
-  Sidekiq::EncryptedArgs::ClientMiddleware.new.call(worker_class, job, "default") do
-    worker = worker_class.new
-    Sidekiq::EncryptedArgs::ServerMiddleware.new.call(worker, job, "default") do
-      worker.perform(*job["args"])
-    end
-  end
-}
-
-Benchmark.bm do |benchmark|
-  benchmark.report("No Encryption:  ") { 10000.times { middleware.call(WorkerWithoutEncryption) } }
-  benchmark.report("With Encryption:") { 10000.times { middleware.call(WorkerWithEncryption) } }
-end