symmetric-encryption 3.4.0 → 3.6.0

data/lib/symmetric_encryption/extensions/mongo_mapper/plugins/encrypted_key.rb

@@ -0,0 +1,129 @@
+# Support Encryption and decryption of fields in MongoMapper
+module MongoMapper
+  module Plugins
+    module EncryptedKey
+      extend ActiveSupport::Concern
+
+      COERCION_MAP = {
+        String     => :string,
+        Integer    => :integer,
+        Float      => :float,
+        BigDecimal => :decimal,
+        DateTime   => :datetime,
+        Time       => :time,
+        Date       => :date,
+        Boolean    => :boolean,
+        Hash       => :json
+      }
+
+      module ClassMethods
+        # MongoMapper::Document.encrypted_key
+        #
+        # Support automatic encryption and decryption of fields in MongoMapper
+        #
+        # Example:
+        #
+        #  class Person
+        #    include MongoMapper::Document
+        #
+        #    key           :name,                   String
+        #    encrypted_key :social_security_number, String
+        #    key           :date_of_birth,          Date
+        #    encrypted_key :life_history,           String, encrypted: { compress: true, random_iv: true }
+        #
+        #    # Encrypted fields are _always_ stored in Mongo as a String
+        #    # By specifying a type other than String, Symmetric Encryption will
+        #    # perform the necessary conversions
+        #    #
+        #    # The following types are supported:
+        #    #   String
+        #    #   Integer
+        #    #   Float
+        #    #   BigDecimal
+        #    #   DateTime
+        #    #   Time
+        #    #   Date
+        #    #   Hash - (Stored as encrypted JSON in MongoDB)
+        #    encrypted_key :age,                    Integer, encrypted: { random_iv: true }
+        #  end
+        #
+        # The above document results in the following document in the Mongo collection 'persons':
+        # {
+        #   "name" : "Joe",
+        #   "encrypted_social_security_number" : "...",
+        #   "age"  : 21
+        #   "encrypted_life_history" : "...",
+        # }
+        #
+        # Symmetric Encryption creates the getters and setters to be able to work with the field
+        # in it's decrypted form. For example
+        #
+        # Example:
+        #   person = Person.where(encrypted_social_security_number: '...').first
+        #
+        #   puts "Decrypted Social Security Number is: #{person.social_security_number}"
+        #
+        #   # Or is the same as
+        #   puts "Decrypted Social Security Number is: #{SymmetricEncryption.decrypt(person.encrypted_social_security_number)}"
+        #
+        #   # Sets the encrypted_social_security_number to encrypted version
+        #   person.social_security_number = "123456789"
+        #
+        #   # Or, is equivalent to:
+        #   person.encrypted_social_security_number = SymmetricEncryption.encrypt("123456789")
+        #
+        # Note: Only "String" types are currently supported for encryption
+        #
+        # Note: Unlike attr_encrypted finders must use the encrypted field name
+        #   Invalid Example, does not work:
+        #     person = Person.where(social_security_number: '123456789').first
+        #
+        #   Valid Example:
+        #     person = Person.where(encrypted_social_security_number: SymmetricEncryption.encrypt('123456789')).first
+        #
+        # Defines all the fields that are accessible on the Document
+        # For each field that is defined, a getter and setter will be
+        # added as an instance method to the Document.
+        #
+        # @example Define an encrypted key
+        #   encrypted_key :social_security_number, String, encrypted: {compress: false, random_iv: false}
+        #   encrypted_key :sensitive_text,         String, encrypted: {compress: true, random_iv: true}
+        #
+        # @param [ Symbol ] name The name of the key.
+        # @param [ Object ] type The type of the key.
+        # @param [ Hash ] options The options to pass to the field, including any MongoMapper specific options
+        #
+        # @option options [ Hash ] :encrypted consists of:
+        #     @option options [ Boolean ] :random_iv  Whether the encrypted value should use a random IV every time the field is encrypted.
+        #     @option options [ Boolean ] :compress   Whether to compress this encrypted field
+        #     @option options [ Symbol ]  :encrypt_as Name of the encypted field in Mongo
+        #
+        #     Some of the other regular MongoMapper options:
+        #       :default, :alias, :field_name, :accessors, :abbr
+        #
+        # Note:
+        #   Use MongoMapper's built-in support for :field_name to specify a different
+        #   field name in MongoDB for the encrypted field from what is used via the model
+        #
+        def encrypted_key(key_name, type, full_options={})
+          full_options       = full_options.is_a?(Hash) ? full_options.dup : {}
+          options            = full_options.delete(:encrypted) || {}
+          # Support overriding the name of the decrypted attribute
+          encrypted_key_name = options.delete(:encrypt_as) || "encrypted_#{key_name}"
+          options[:type]     = COERCION_MAP[type] unless [:yaml, :json].include?(options[:type])
+
+          raise "Invalid type: #{type.inspect}. Valid types: #{COERCION_MAP.keys.join(',')}" unless options[:type]
+
+          SymmetricEncryption::Generator.generate_decrypted_accessors(self, key_name, encrypted_key_name, options)
+
+          key(encrypted_key_name, String, full_options)
+        end
+
+      end
+
+    end
+  end
+end
+
+MongoMapper::Document.plugin(MongoMapper::Plugins::EncryptedKey)
+MongoMapper::EmbeddedDocument.plugin(MongoMapper::Plugins::EncryptedKey)

data/lib/symmetric_encryption/{mongoid.rb → extensions/mongoid/encrypted.rb}

@@ -15,17 +15,17 @@
 #  class Person
 #    include Mongoid::Document
 #
-#    field :name,                             :type => String
-#    field :encrypted_social_security_number, :type => String, :encrypted => true
-#    field :date_of_birth,                    :type => Date
-#    field :encrypted_life_history,           :type => String, :encrypted => {:compress => true, :random_iv => true}
+#    field :name,                             type: String
+#    field :encrypted_social_security_number, type: String, encrypted: true
+#    field :date_of_birth,                    type: Date
+#    field :encrypted_life_history,           type: String, encrypted: {compress: true, random_iv: true}
 #
 #    # Encrypted fields are _always_ stored in Mongo as a String
 #    # To get the result back as an Integer, Symmetric Encryption can do the
 #    # necessary conversions by specifying the internal type as an option
 #    # to :encrypted
 #    # #see SymmetricEncryption::COERCION_TYPES for full list of types
-#    field :encrypted_age,                    :type => String, :encrypted => {:type => :integer, :random_iv => true}
+#    field :encrypted_age,                    type: String, encrypted: {type: :integer, random_iv: true}
 #  end
 #
 # The above document results in the following document in the Mongo collection 'persons':
@@ -40,7 +40,7 @@
 # in it's unencrypted form. For example
 #
 # Example:
-#   person = Person.where(:encrypted_social_security_number => '...').first
+#   person = Person.where(encrypted_social_security_number: '...').first
 #
 #   puts "Decrypted Social Security Number is: #{person.social_security_number}"
 #
@@ -57,18 +57,18 @@
 #
 # Note: Unlike attr_encrypted finders must use the encrypted field name
 #   Invalid Example, does not work:
-#     person = Person.where(:social_security_number => '123456789').first
+#     person = Person.where(social_security_number: '123456789').first
 #
 #   Valid Example:
-#     person = Person.where(:encrypted_social_security_number => SymmetricEncryption.encrypt('123456789')).first
+#     person = Person.where(encrypted_social_security_number: SymmetricEncryption.encrypt('123456789')).first
 #
 # Defines all the fields that are accessible on the Document
 # For each field that is defined, a getter and setter will be
 # added as an instance method to the Document.
 #
 # @example Define a field.
-#   field :social_security_number, :type => String, :encrypted => {:compress => false, :random_iv => false}
-#   field :sensitive_text, :type => String, :encrypted => {:compress => true, :random_iv => true}
+#   field :social_security_number, type: String, encrypted: {compress: false, random_iv: false}
+#   field :sensitive_text, type: String, encrypted: {compress: true, random_iv: true}
 #
 # @param [ Symbol ] name The name of the field.
 # @param [ Hash ] options The options to pass to the field.
@@ -92,6 +92,7 @@ Mongoid::Fields.option :encrypted do |model, field, options|
     options = options.is_a?(Hash) ? options.dup : {}
     encrypted_field_name = field.name
 
+    # Support overriding the name of the decrypted attribute
     decrypted_field_name = options.delete(:decrypt_as)
     if decrypted_field_name.nil? && encrypted_field_name.to_s.start_with?('encrypted_')
       decrypted_field_name = encrypted_field_name.to_s['encrypted_'.length..-1]
@@ -101,42 +102,7 @@ Mongoid::Fields.option :encrypted do |model, field, options|
       raise "SymmetricEncryption for Mongoid. Encryption enabled for field #{encrypted_field_name}. It must either start with 'encrypted_' or the option :decrypt_as must be supplied"
     end
 
-    random_iv = options.delete(:random_iv) || false
-    compress  = options.delete(:compress) || false
-    type      = options.delete(:type) || :string
-    raise "Invalid type: #{type.inspect}. Valid types: #{SymmetricEncryption::COERCION_TYPES.inspect}" unless SymmetricEncryption::COERCION_TYPES.include?(type)
-
-    options.each {|option| warn "Ignoring unknown option #{option.inspect} supplied to Mongoid :encrypted for #{model}##{field}"}
-
-    if model.const_defined?(:EncryptedAttributes, _search_ancestors = false)
-      mod = model.const_get(:EncryptedAttributes)
-    else
-      mod = model.const_set(:EncryptedAttributes, Module.new)
-      model.send(:include, mod)
-    end
-
-    # Generate getter and setter methods
-    mod.module_eval(<<-EOS, __FILE__, __LINE__ + 1)
-      # Set the un-encrypted field
-      # Also updates the encrypted field with the encrypted value
-      # Freeze the decrypted field value so that it is not modified directly
-      def #{decrypted_field_name}=(value)
-        v = SymmetricEncryption::coerce(value, :#{type})
-        self.#{encrypted_field_name} = @stored_#{encrypted_field_name} = ::SymmetricEncryption.encrypt(v,#{random_iv},#{compress},:#{type})
-        @#{decrypted_field_name} = v.freeze
-      end
-
-      # Returns the decrypted value for the encrypted field
-      # The decrypted value is cached and is only decrypted if the encrypted value has changed
-      # If this method is not called, then the encrypted value is never decrypted
-      def #{decrypted_field_name}
-        if @stored_#{encrypted_field_name} != self.#{encrypted_field_name}
-          @#{decrypted_field_name} = ::SymmetricEncryption.decrypt(self.#{encrypted_field_name},version=nil,:#{type}).freeze
-          @stored_#{encrypted_field_name} = self.#{encrypted_field_name}
-        end
-        @#{decrypted_field_name}
-      end
-    EOS
+    SymmetricEncryption::Generator.generate_decrypted_accessors(model, decrypted_field_name, encrypted_field_name, options)
   end
 end
 

data/lib/symmetric_encryption/generator.rb

@@ -0,0 +1,54 @@
+module SymmetricEncryption
+  module Generator
+    # Common internal method for generating accessors for decrypted accessors
+    # Primarily used by extensions
+    def self.generate_decrypted_accessors(model, decrypted_name, encrypted_name, options)
+
+      random_iv      = options.delete(:random_iv) || false
+      compress       = options.delete(:compress) || false
+      type           = options.delete(:type) || :string
+
+      # For backward compatibility
+      if options.delete(:marshal) == true
+        warn("The :marshal option has been deprecated in favor of :type. For example: attr_encrypted name, type: :yaml")
+        raise "Marshal is depreacted and cannot be used in conjunction with :type, just use :type. For #{params.inspect}" if type != :string
+        type = :yaml
+      end
+
+      options.each {|option| warn "Ignoring unknown option #{option.inspect} supplied when encrypting #{decrypted_name} with #{params.inspect}"}
+
+      raise "Invalid type: #{type.inspect}. Valid types: #{SymmetricEncryption::COERCION_TYPES.inspect}" unless SymmetricEncryption::COERCION_TYPES.include?(type)
+
+      if model.const_defined?(:EncryptedAttributes, _search_ancestors = false)
+        mod = model.const_get(:EncryptedAttributes)
+      else
+        mod = model.const_set(:EncryptedAttributes, Module.new)
+        model.send(:include, mod)
+      end
+
+      # Generate getter and setter methods
+      mod.module_eval(<<-EOS, __FILE__, __LINE__ + 1)
+      # Set the un-encrypted field
+      # Also updates the encrypted field with the encrypted value
+      # Freeze the decrypted field value so that it is not modified directly
+      def #{decrypted_name}=(value)
+        v = SymmetricEncryption::coerce(value, :#{type})
+        self.#{encrypted_name} = @stored_#{encrypted_name} = ::SymmetricEncryption.encrypt(v,#{random_iv},#{compress},:#{type})
+        @#{decrypted_name} = v.freeze
+      end
+
+      # Returns the decrypted value for the encrypted field
+      # The decrypted value is cached and is only decrypted if the encrypted value has changed
+      # If this method is not called, then the encrypted value is never decrypted
+      def #{decrypted_name}
+        if @stored_#{encrypted_name} != self.#{encrypted_name}
+          @#{decrypted_name} = ::SymmetricEncryption.decrypt(self.#{encrypted_name},version=nil,:#{type}).freeze
+          @stored_#{encrypted_name} = self.#{encrypted_name}
+        end
+        @#{decrypted_name}
+      end
+
+      EOS
+    end
+  end
+end

data/lib/symmetric_encryption/railtie.rb

@@ -8,9 +8,9 @@ module SymmetricEncryption #:nodoc:
     #   module MyApplication
     #     class Application < Rails::Application
     #       config.symmetric_encryption.cipher = SymmetricEncryption::Cipher.new(
-    #         :key    => '1234567890ABCDEF1234567890ABCDEF',
-    #         :iv     => '1234567890ABCDEF',
-    #         :cipher_name => 'aes-128-cbc'
+    #         key:    '1234567890ABCDEF1234567890ABCDEF',
+    #         iv:     '1234567890ABCDEF',
+    #         cipher_name: 'aes-128-cbc'
     #       )
     #     end
     #   end

data/lib/symmetric_encryption/railties/symmetric_encryption.rake

@@ -66,7 +66,7 @@ namespace :symmetric_encryption do
     if input_filename && output_filename
       puts "\nEncrypting file: #{input_filename} and writing to: #{output_filename}\n\n"
       ::File.open(input_filename, 'rb') do |input_file|
-        SymmetricEncryption::Writer.open(output_filename, :compress => compress) do |output_file|
+        SymmetricEncryption::Writer.open(output_filename, compress: compress) do |output_file|
           while !input_file.eof?
             output_file.write(input_file.read(block_size))
           end

data/lib/symmetric_encryption/railties/symmetric_encryption_validator.rb

@@ -2,7 +2,7 @@
 #
 # Example:
 #  class MyModel < ActiveRecord::Base
-#    validates :encrypted_ssn, :symmetric_encryption => true
+#    validates :encrypted_ssn, symmetric_encryption: true
 #  end
 #
 #  m = MyModel.new

data/lib/symmetric_encryption/reader.rb

@@ -63,15 +63,15 @@ module SymmetricEncryption
     # end
     #
     # # Example: Read, Unencrypt and decompress data in a file
-    # SymmetricEncryption::Reader.open('encrypted_compressed.zip', :compress => true) do |file|
+    # SymmetricEncryption::Reader.open('encrypted_compressed.zip', compress: true) do |file|
     #   file.each_line {|line| p line }
     # end
     #
     # # Example: Reading from a CSV file
     #
-    # require 'fastercsv'
+    # require 'csv'
     # begin
-    #   csv = FasterCSV.new(SymmetricEncryption::Reader.open('csv_encrypted'))
+    #   csv = CSV.new(SymmetricEncryption::Reader.open('csv_encrypted'))
     #   csv.each {|row| p row}
     # ensure
     #   csv.close if csv

data/lib/symmetric_encryption/symmetric_encryption.rb

@@ -33,9 +33,9 @@ module SymmetricEncryption
   # Example: For testing purposes the following test cipher can be used:
   #
   #   SymmetricEncryption.cipher = SymmetricEncryption::Cipher.new(
-  #     :key    => '1234567890ABCDEF1234567890ABCDEF',
-  #     :iv     => '1234567890ABCDEF',
-  #     :cipher => 'aes-128-cbc'
+  #     key:    '1234567890ABCDEF1234567890ABCDEF',
+  #     iv:     '1234567890ABCDEF',
+  #     cipher: 'aes-128-cbc'
   #   )
   def self.cipher=(cipher)
     raise "Cipher must be similar to SymmetricEncryption::Ciphers" unless cipher.nil? || (cipher.respond_to?(:encrypt) && cipher.respond_to?(:decrypt))
@@ -311,7 +311,7 @@ module SymmetricEncryption
     elsif !cipher_cfg[:iv]
       iv = rsa_key.public_encrypt(key_pair[:iv])
       puts "Generated new Symmetric Key for encryption. Set the IV environment variable in #{environment} to:"
-      puts ::Base64.encode64(key)
+      puts ::Base64.encode64(iv)
     end
   end
 
@@ -413,7 +413,7 @@ module SymmetricEncryption
     if key_filename = config.delete(:key_filename)
       raise "Missing mandatory config parameter :private_rsa_key when :key_filename is supplied" unless rsa
       encrypted_key = begin
-        File.read(key_filename, :open_args => ['rb'])
+        File.open(key_filename, 'rb'){|f| f.read}
       rescue Errno::ENOENT
         puts "\nSymmetric Encryption key file: '#{key_filename}' not found or readable."
         puts "To generate the keys for the first time run: rails generate symmetric_encryption:new_keys\n\n"
@@ -425,7 +425,7 @@ module SymmetricEncryption
     if iv_filename = config.delete(:iv_filename)
       raise "Missing mandatory config parameter :private_rsa_key when :iv_filename is supplied" unless rsa
       encrypted_iv = begin
-        File.read(iv_filename, :open_args => ['rb']) if iv_filename
+        File.open(iv_filename, 'rb'){|f| f.read} if iv_filename
       rescue Errno::ENOENT
         puts "\nSymmetric Encryption initialization vector file: '#{iv_filename}' not found or readable."
         puts "To generate the keys for the first time run: rails generate symmetric_encryption:new_keys\n\n"
@@ -438,6 +438,11 @@ module SymmetricEncryption
       raise "Missing mandatory config parameter :private_rsa_key when :encrypted_key is supplied" unless rsa
       # Decode value first using encoding specified
       encrypted_key = ::Base64.decode64(encrypted_key)
+      if !encrypted_key || encrypted_key.empty?
+        puts "\nSymmetric Encryption encrypted_key not found."
+        puts "To generate the keys for the first time run: rails generate symmetric_encryption:new_keys\n\n"
+        return
+      end
       config[:key] = rsa.private_decrypt(encrypted_key)
     end
 
@@ -445,6 +450,11 @@ module SymmetricEncryption
       raise "Missing mandatory config parameter :private_rsa_key when :encrypted_iv is supplied" unless rsa
       # Decode value first using encoding specified
       encrypted_iv = ::Base64.decode64(encrypted_iv)
+      if !encrypted_key || encrypted_key.empty?
+        puts "\nSymmetric Encryption encrypted_iv not found."
+        puts "To generate the keys for the first time run: rails generate symmetric_encryption:new_keys\n\n"
+        return
+      end
       config[:iv] = rsa.private_decrypt(encrypted_iv)
     end
 
@@ -460,7 +470,7 @@ module SymmetricEncryption
   # Coerce given value into given type
   # Does not coerce json or yaml values
   def self.coerce(value, type, from_type=nil)
-    return if value.nil?
+    return if value.nil? || (value.is_a?(String) && (value !~ /[^[:space:]]/))
 
     from_type ||= value.class
     case type
@@ -519,13 +529,13 @@ module SymmetricEncryption
   end
 
   COERCION_TYPE_MAP = {
-    :string => String,
-    :integer => Integer,
-    :float => Float,
-    :decimal => BigDecimal,
-    :datetime => DateTime,
-    :time => Time,
-    :date => Date
+    string:   String,
+    integer:  Integer,
+    float:    Float,
+    decimal:  BigDecimal,
+    datetime: DateTime,
+    time:     Time,
+    date:     Date
   }
 
   # With Ruby 1.9 strings have encodings
@@ -534,4 +544,4 @@ module SymmetricEncryption
     UTF8_ENCODING = Encoding.find("UTF-8")
   end
 
-end
+end

data/lib/symmetric_encryption/version.rb

@@ -1,3 +1,3 @@
 module SymmetricEncryption #:nodoc
-  VERSION = "3.4.0"
+  VERSION = "3.6.0"
 end

data/lib/symmetric_encryption/writer.rb

@@ -83,17 +83,17 @@ module SymmetricEncryption
     # end
     #
     # # Example: Compress, Encrypt and write data to a file
-    # SymmetricEncryption::Writer.open('encrypted_compressed.zip', :compress => true) do |file|
+    # SymmetricEncryption::Writer.open('encrypted_compressed.zip', compress: true) do |file|
     #   file.write "Hello World\n"
     #   file.write "Compress this\n"
     #   file.write "Keep this safe and secure\n"
     # end
     #
     # # Example: Writing to a CSV file
-    #  require 'fastercsv'
+    #  require 'csv'
     #  begin
-    #    # Must supply :row_sep for FasterCSV otherwise it will attempt to read from and then rewind the file
-    #    csv = FasterCSV.new(SymmetricEncryption::Writer.open('csv_encrypted'), :row_sep => "\n")
+    #    # Must supply :row_sep for CSV otherwise it will attempt to read from and then rewind the file
+    #    csv = CSV.new(SymmetricEncryption::Writer.open('csv_encrypted'), row_sep: "\n")
     #    csv << [1,2,3,4,5]
     #  ensure
     #    csv.close if csv