symmetric-encryption 4.1.0.beta1 → 4.1.0

data/lib/symmetric_encryption/railtie.rb

@@ -29,8 +29,13 @@ module SymmetricEncryption #:nodoc:
     config.before_configuration do
       # Check if already configured
       unless ::SymmetricEncryption.cipher?
-        app_name    = Rails::Application.subclasses.first.parent.to_s.underscore
-        config_file = Rails.root.join('config', 'symmetric-encryption.yml')
+        app_name      = Rails::Application.subclasses.first.parent.to_s.underscore
+        config_file   =
+          if (env_var = ENV['SYMMETRIC_ENCRYPTION_CONFIG'])
+            Pathname.new File.expand_path(env_var)
+          else
+            Rails.root.join('config', 'symmetric-encryption.yml')
+          end
         if config_file.file?
           begin
             ::SymmetricEncryption::Config.load!(file_name: config_file, env: ENV['SYMMETRIC_ENCRYPTION_ENV'] || Rails.env)

data/lib/symmetric_encryption/railties/symmetric_encryption_validator.rb

@@ -14,6 +14,7 @@
 class SymmetricEncryptionValidator < ActiveModel::EachValidator
   def validate_each(record, attribute, value)
     return if value.blank? || SymmetricEncryption.encrypted?(value)
+
     record.errors.add(attribute, 'must be a value encrypted using SymmetricEncryption.encrypt')
   end
 end

data/lib/symmetric_encryption/reader.rb

@@ -76,7 +76,7 @@ module SymmetricEncryption
     # Notes:
     # * Do not use this method for reading large files.
     def self.read(file_name_or_stream, **args)
-      self.open(file_name_or_stream, **args, &:read)
+      Reader.open(file_name_or_stream, **args, &:read)
     end
 
     # Decrypt an entire file.
@@ -90,22 +90,10 @@ module SymmetricEncryption
     #   target: [String|IO]
     #     Target file_name or IOStream
     #
-    #   block_size: [Integer]
-    #     Number of bytes to read into memory for each read.
-    #     For very large files using a larger block size is faster.
-    #     Default: 65535
-    #
     # Notes:
     # * The file contents are streamed so that the entire file is _not_ loaded into memory.
-    def self.decrypt(source:, target:, block_size: 65_535, **args)
-      target_ios    = target.is_a?(String) ? ::File.open(target, 'wb') : target
-      bytes_written = 0
-      self.open(source, **args) do |input_ios|
-        bytes_written += target_ios.write(input_ios.read(block_size)) until input_ios.eof?
-      end
-      bytes_written
-    ensure
-      target_ios.close if target_ios&.respond_to?(:closed?) && !target_ios.closed?
+    def self.decrypt(source:, target:, **args)
+      Reader.open(source, **args) { |input_file| IO.copy_stream(input_file, target) }
     end
 
     # Returns [true|false] whether the file or stream contains any data
@@ -132,6 +120,7 @@ module SymmetricEncryption
       @version        = version
       @header_present = false
       @closed         = false
+      @read_buffer    = ''.b
 
       raise(ArgumentError, 'Buffer size cannot be smaller than 128') unless @buffer_size >= 128
 
@@ -170,6 +159,7 @@ module SymmetricEncryption
     # ensure that the encrypted stream is closed before the stream itself is closed
     def close(close_child_stream = true)
       return if closed?
+
       @ios.close if close_child_stream
       @closed = true
     end
@@ -194,35 +184,25 @@ module SymmetricEncryption
     #
     # At end of file, it returns nil if no more data is available, or the last
     # remaining bytes
-    def read(length = nil)
-      data = nil
-      if length
-        return '' if length.zero?
-        return nil if eof?
-        # Read length bytes
-        read_block while (@read_buffer.length < length) && !@ios.eof?
-        if @read_buffer.empty?
-          data = nil
-        elsif @read_buffer.length > length
-          data = @read_buffer.slice!(0..length - 1)
+    def read(length = nil, outbuf = nil)
+      data             = outbuf.to_s.clear
+      remaining_length = length
+
+      until remaining_length == 0 || eof?
+        read_block(remaining_length) if @read_buffer.empty?
+
+        if remaining_length && remaining_length < @read_buffer.length
+          data << @read_buffer.slice!(0, remaining_length)
         else
-          data         = @read_buffer
-          @read_buffer = ''
-        end
-      else
-        # Capture anything already in the buffer
-        data         = @read_buffer
-        @read_buffer = ''
-
-        unless @ios.eof?
-          # Read entire file
-          buf = @ios.read || ''
-          data << @stream_cipher.update(buf) if buf && !buf.empty?
-          data << @stream_cipher.final
+          data << @read_buffer
+          @read_buffer.clear
         end
+
+        remaining_length = length - data.length if length
       end
+
       @pos += data.length
-      data
+      data unless data.empty? && length && length.positive?
     end
 
     # Reads a single decrypted line from the file up to and including the optional sep_string.
@@ -242,12 +222,14 @@ module SymmetricEncryption
       # Read more data until we get the sep_string
       while (index = @read_buffer.index(sep_string)).nil? && !@ios.eof?
         break if length && @read_buffer.length >= length
+
         read_block
       end
       index ||= -1
-      data  = @read_buffer.slice!(0..index)
-      @pos  += data.length
+      data    = @read_buffer.slice!(0..index)
+      @pos   += data.length
       return nil if data.empty? && eof?
+
       data
     end
 
@@ -272,7 +254,7 @@ module SymmetricEncryption
 
     # Rewind back to the beginning of the file
     def rewind
-      @read_buffer = ''
+      @read_buffer.clear
       @ios.rewind
       read_header
     end
@@ -307,10 +289,10 @@ module SymmetricEncryption
         # Read and decrypt entire file a block at a time to get its total
         # unencrypted size
         size = 0
-        until eof
+        until eof?
           read_block
-          size         += @read_buffer.size
-          @read_buffer = ''
+          size += @read_buffer.size
+          @read_buffer.clear
         end
         rewind
         offset = size + amount
@@ -328,7 +310,7 @@ module SymmetricEncryption
       @pos = 0
 
       # Read first block and check for the header
-      buf = @ios.read(@buffer_size)
+      buf = @ios.read(@buffer_size, @output_buffer ||= ''.b)
 
       # Use cipher specified in header, or global cipher if it has no header
       iv, key, cipher_name, cipher = nil
@@ -353,20 +335,30 @@ module SymmetricEncryption
       @stream_cipher.key = key || cipher.send(:key)
       @stream_cipher.iv  = iv || cipher.iv
 
-      # First call to #update should return an empty string anyway
-      if buf && !buf.empty?
-        @read_buffer = @stream_cipher.update(buf)
-        @read_buffer << @stream_cipher.final if @ios.eof?
-      else
-        @read_buffer = ''
-      end
+      decrypt(buf)
     end
 
     # Read a block of data and append the decrypted data in the read buffer
-    def read_block
-      buf = @ios.read(@buffer_size)
-      @read_buffer << @stream_cipher.update(buf) if buf && !buf.empty?
-      @read_buffer << @stream_cipher.final if @ios.eof?
+    def read_block(length = nil)
+      buf = @ios.read(length || @buffer_size, @output_buffer ||= ''.b)
+      decrypt(buf)
+    end
+
+    # Decrypts the given chunk of data and returns the result
+    if defined?(JRuby)
+      def decrypt(buf)
+        return if buf.nil? || buf.empty?
+
+        @read_buffer << @stream_cipher.update(buf)
+        @read_buffer << @stream_cipher.final if @ios.eof?
+      end
+    else
+      def decrypt(buf)
+        return if buf.nil? || buf.empty?
+
+        @read_buffer << @stream_cipher.update(buf, @cipher_buffer ||= ''.b)
+        @read_buffer << @stream_cipher.final if @ios.eof?
+      end
     end
 
     def closed?

data/lib/symmetric_encryption/symmetric_encryption.rb

@@ -55,6 +55,7 @@ module SymmetricEncryption
     end
 
     return @@cipher if version.nil? || (@@cipher.version == version)
+
     secondary_ciphers.find { |c| c.version == version } || (@@cipher if version.zero?)
   end
 
@@ -264,7 +265,7 @@ module SymmetricEncryption
   #     encoded_str.end_with?("\n") ? SymmetricEncryption.cipher(0) : SymmetricEncryption.cipher
   #   end
   def self.select_cipher(&block)
-    @@select_cipher = block ? block : nil
+    @@select_cipher = block || nil
   end
 
   # Load the Encryption Configuration from a YAML file

data/lib/symmetric_encryption/utils/aws.rb

@@ -15,7 +15,7 @@ module SymmetricEncryption
       AWS_KEY_SPEC_MAP = {
         'aes-256-cbc' => 'AES_256',
         'aes-128-cbc' => 'AES_128'
-      }
+      }.freeze
 
       # TODO: Move to Keystore::Aws
       # Rotate the Customer Master key in each of the supplied regions.
@@ -68,6 +68,7 @@ module SymmetricEncryption
       def key_spec(cipher_name)
         key_spec = AWS_KEY_SPEC_MAP[cipher_name]
         raise("OpenSSL Cipher: #{cipher_name} has not yet been mapped to an AWS key spec.") unless key_spec
+
         key_spec
       end
 
@@ -112,9 +113,9 @@ module SymmetricEncryption
         resp = client.create_key(
           description: 'Symmetric Encryption for Ruby Customer Masker Key',
           tags:        [
-                         {tag_key: 'CreatedAt', tag_value: Time.now.to_s},
-                         {tag_key: 'CreatedBy', tag_value: whoami}
-                       ]
+            {tag_key: 'CreatedAt', tag_value: Time.now.to_s},
+            {tag_key: 'CreatedBy', tag_value: whoami}
+          ]
         )
         resp.key_metadata.key_id
       end
@@ -130,6 +131,7 @@ module SymmetricEncryption
         yield
       rescue ::Aws::KMS::Errors::NotFoundException
         raise if attempt >= 2
+
         create_master_key
         attempt += 1
         retry

data/lib/symmetric_encryption/utils/re_encrypt_files.rb

@@ -68,8 +68,8 @@ module SymmetricEncryption
           line.force_encoding(SymmetricEncryption::UTF8_ENCODING)
           output_lines <<
             if line.valid_encoding? && (result = line.match(r))
-              encrypted = result[0]
-              new_value = re_encrypt(encrypted)
+              encrypted                        = result[0]
+              new_value                        = re_encrypt(encrypted)
               if new_value != encrypted
                 hits += 1
                 line.gsub(encrypted, new_value)

data/lib/symmetric_encryption/version.rb

@@ -1,3 +1,3 @@
 module SymmetricEncryption
-  VERSION = '4.1.0.beta1'.freeze
+  VERSION = '4.1.0'.freeze
 end

data/lib/symmetric_encryption/writer.rb

@@ -21,7 +21,7 @@ module SymmetricEncryption
     #   compress: [true|false]
     #     Uses Zlib to compress the data before it is encrypted and
     #     written to the file/stream.
-    #     Default: false
+    #     Default: true, unless the file_name extension indicates it is already compressed.
     #
     # Note: Compression occurs before encryption
     #
@@ -47,11 +47,16 @@ module SymmetricEncryption
     #  ensure
     #    csv.close if csv
     #  end
-    def self.open(file_name_or_stream, compress: false, **args)
-      ios = file_name_or_stream.is_a?(String) ? ::File.open(file_name_or_stream, 'wb') : file_name_or_stream
+    def self.open(file_name_or_stream, compress: nil, **args)
+      if file_name_or_stream.is_a?(String)
+        file_name_or_stream = ::File.open(file_name_or_stream, 'wb')
+        compress            = !(/\.(zip|gz|gzip|xls.|)\z/i === file_name_or_stream) if compress.nil?
+      else
+        compress = true if compress.nil?
+      end
 
       begin
-        file = new(ios, compress: compress, **args)
+        file = new(file_name_or_stream, compress: compress, **args)
         file = Zlib::GzipWriter.new(file) if compress
         block_given? ? yield(file) : file
       ensure
@@ -64,7 +69,7 @@ module SymmetricEncryption
     # Notes:
     # * Do not use this method for writing large files.
     def self.write(file_name_or_stream, data, **args)
-      self.open(file_name_or_stream, **args) { |f| f.write(data) }
+      Writer.open(file_name_or_stream, **args) { |f| f.write(data) }
     end
 
     # Encrypt an entire file.
@@ -82,22 +87,10 @@ module SymmetricEncryption
     #     Whether to compress the target file prior to encryption.
     #     Default: false
     #
-    #   block_size: [Integer]
-    #     Number of bytes to read into memory for each read.
-    #     For very large files using a larger block size is faster.
-    #     Default: 65535
-    #
     # Notes:
     # * The file contents are streamed so that the entire file is _not_ loaded into memory.
-    def self.encrypt(source:, target:, block_size: 65_535, **args)
-      source_ios    = source.is_a?(String) ? ::File.open(source, 'rb') : source
-      bytes_written = 0
-      self.open(target, **args) do |output_file|
-        bytes_written += output_file.write(source_ios.read(block_size)) until source_ios.eof?
-      end
-      bytes_written
-    ensure
-      source_ios.close if source_ios&.respond_to?(:closed?) && !source_ios.closed?
+    def self.encrypt(source:, target:, **args)
+      Writer.open(target, **args) { |output_file| IO.copy_stream(source, output_file) }
     end
 
     # Encrypt data before writing to the supplied stream
@@ -149,6 +142,7 @@ module SymmetricEncryption
     # ensure that the encrypted stream is closed before the stream itself is closed.
     def close(close_child_stream = true)
       return if closed?
+
       if size.positive?
         final = @stream_cipher.final
         @ios.write(final) unless final.empty?
@@ -160,14 +154,26 @@ module SymmetricEncryption
     # Write to the IO Stream as encrypted data.
     #
     # Returns [Integer] the number of bytes written.
-    def write(data)
-      return unless data
-
-      bytes   = data.to_s
-      @size   += bytes.size
-      partial = @stream_cipher.update(bytes)
-      @ios.write(partial) unless partial.empty?
-      data.length
+    if defined?(JRuby)
+      def write(data)
+        return unless data
+
+        bytes   = data.to_s
+        @size  += bytes.size
+        partial = @stream_cipher.update(bytes)
+        @ios.write(partial) unless partial.empty?
+        data.length
+      end
+    else
+      def write(data)
+        return unless data
+
+        bytes   = data.to_s
+        @size  += bytes.size
+        partial = @stream_cipher.update(bytes, @cipher_buffer ||= ''.b)
+        @ios.write(partial) unless partial.empty?
+        data.length
+      end
     end
 
     # Write to the IO Stream as encrypted data.

data/lib/symmetric_encryption.rb

@@ -29,12 +29,33 @@ end
 # @formatter:on
 
 # Add support for other libraries only if they have already been loaded
-require 'symmetric_encryption/railtie' if defined?(Rails)
-if defined?(ActiveRecord::Base) && !defined?(AttrEncrypted::Version)
-  require 'symmetric_encryption/extensions/active_record/base'
+
+begin
+  require 'rails/railtie'
+  require 'symmetric_encryption/railtie' if defined?(Rails)
+rescue LoadError
 end
-require 'symmetric_encryption/railties/symmetric_encryption_validator' if defined?(ActiveModel)
-require 'symmetric_encryption/extensions/mongoid/encrypted' if defined?(Mongoid)
+
+begin
+  require 'active_record'
+  if defined?(ActiveRecord::Base) && !defined?(AttrEncrypted::Version)
+    require 'symmetric_encryption/extensions/active_record/base'
+  end
+rescue LoadError
+end
+
+begin
+  require 'active_model'
+  require 'symmetric_encryption/railties/symmetric_encryption_validator' if defined?(ActiveModel)
+rescue LoadError
+end
+
+begin
+  require 'mongoid'
+  require 'symmetric_encryption/extensions/mongoid/encrypted' if defined?(Mongoid)
+rescue LoadError
+end
+
 if defined?(MongoMapper)
   warn 'MongoMapper support is deprecated. Upgrade to Mongoid.'
   require 'symmetric_encryption/extensions/mongo_mapper/plugins/encrypted_key'

data/test/active_record_test.rb

@@ -119,26 +119,26 @@ class ActiveRecordTest < Minitest::Test
     let :user do
       User.new(
         # Encrypted Attribute
-        bank_account_number: bank_account_number,
+        bank_account_number:    bank_account_number,
         # Encrypted Attribute
         social_security_number: social_security_number,
         name:                   person_name,
         # data type specific fields
-        string_value:        STRING_VALUE,
-        long_string_value:   LONG_STRING_VALUE,
-        binary_string_value: BINARY_STRING_VALUE,
-        integer_value:       INTEGER_VALUE,
-        float_value:         FLOAT_VALUE,
-        decimal_value:       DECIMAL_VALUE,
-        datetime_value:      DATETIME_VALUE,
-        time_value:          TIME_VALUE,
-        date_value:          DATE_VALUE,
-        true_value:          true,
-        false_value:         false,
-        data_yaml:           hash_data.dup,
-        data_json:           hash_data.dup,
-        text:                'hello',
-        number:              '21'
+        string_value:           STRING_VALUE,
+        long_string_value:      LONG_STRING_VALUE,
+        binary_string_value:    BINARY_STRING_VALUE,
+        integer_value:          INTEGER_VALUE,
+        float_value:            FLOAT_VALUE,
+        decimal_value:          DECIMAL_VALUE,
+        datetime_value:         DATETIME_VALUE,
+        time_value:             TIME_VALUE,
+        date_value:             DATE_VALUE,
+        true_value:             true,
+        false_value:            false,
+        data_yaml:              hash_data.dup,
+        data_json:              hash_data.dup,
+        text:                   'hello',
+        number:                 '21'
       )
     end
 
@@ -167,17 +167,17 @@ class ActiveRecordTest < Minitest::Test
     describe ':random_iv' do
       it 'false' do
         user.social_security_number = social_security_number
-        assert first_value = user.social_security_number
+        assert first_value          = user.social_security_number
         # Assign the same value
         user.social_security_number = social_security_number
         assert_equal first_value, user.social_security_number
       end
 
       it 'true' do
-        user.string_value = STRING_VALUE
+        user.string_value  = STRING_VALUE
         assert first_value = user.encrypted_string_value
-        user.string_value = 'blah'
-        user.string_value = STRING_VALUE
+        user.string_value  = 'blah'
+        user.string_value  = STRING_VALUE
         refute_equal first_value, user.encrypted_string_value
       end
 
@@ -200,7 +200,7 @@ class ActiveRecordTest < Minitest::Test
 
         it 'does not change when equal' do
           user.save!
-          before             = user.encrypted_string_value
+          before            = user.encrypted_string_value
           user.string_value = STRING_VALUE
           refute user.string_value_changed?
           assert_equal before, user.encrypted_string_value
@@ -405,7 +405,7 @@ class ActiveRecordTest < Minitest::Test
 
       describe '#reload' do
         it 'reverts changes' do
-          new_bank_account_number   = '444444444'
+          new_bank_account_number  = '444444444'
           user.bank_account_number = new_bank_account_number
           assert_equal new_bank_account_number, user.bank_account_number
 
@@ -416,8 +416,8 @@ class ActiveRecordTest < Minitest::Test
         end
 
         it 'reverts changes to encrypted field' do
-          new_bank_account_number             = '111111111'
-          new_encrypted_bank_account_number   = SymmetricEncryption.encrypt(new_bank_account_number)
+          new_bank_account_number            = '111111111'
+          new_encrypted_bank_account_number  = SymmetricEncryption.encrypt(new_bank_account_number)
           user.encrypted_bank_account_number = new_encrypted_bank_account_number
           assert_equal new_encrypted_bank_account_number, user.encrypted_bank_account_number
           assert_equal new_bank_account_number, user.bank_account_number
@@ -591,7 +591,7 @@ class ActiveRecordTest < Minitest::Test
         UniqueUser.destroy_all
         @email      = 'whatever@not-unique.com'
         @username   = 'gibby007'
-        user       = UniqueUser.create!(email: @email)
+        user        = UniqueUser.create!(email: @email)
         @email_user = UniqueUser.create!(username: @username)
       end