vault-rails 0.3.2 → 0.7.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/README.md +144 -11
- data/Rakefile +5 -2
- data/lib/vault/encrypted_model.rb +177 -59
- data/lib/vault/rails.rb +75 -27
- data/lib/vault/rails/configurable.rb +27 -7
- data/lib/vault/rails/errors.rb +8 -0
- data/lib/vault/rails/{serializer.rb → json_serializer.rb} +4 -5
- data/lib/vault/rails/version.rb +1 -1
- data/spec/dummy/app/models/lazy_person.rb +20 -0
- data/spec/dummy/app/models/lazy_single_person.rb +18 -0
- data/spec/dummy/app/models/person.rb +36 -1
- data/spec/dummy/config/environments/development.rb +5 -3
- data/spec/dummy/config/environments/test.rb +5 -3
- data/spec/dummy/db/migrate/20150428220101_create_people.rb +7 -1
- data/spec/dummy/db/schema.rb +21 -16
- data/spec/integration/rails_spec.rb +397 -17
- data/spec/lib/vault/rails/json_serializer_spec.rb +42 -0
- data/spec/spec_helper.rb +27 -0
- data/spec/unit/encrypted_model_spec.rb +9 -4
- data/spec/unit/rails/configurable_spec.rb +75 -0
- data/spec/unit/vault/rails_spec.rb +33 -0
- metadata +29 -24
|
@@ -42,12 +42,22 @@ describe Vault::Rails do
|
|
|
42
42
|
|
|
43
43
|
it "allows attributes to be unset" do
|
|
44
44
|
person = Person.create!(ssn: "123-45-6789")
|
|
45
|
-
person.
|
|
45
|
+
person.update!(ssn: nil)
|
|
46
46
|
person.reload
|
|
47
47
|
|
|
48
48
|
expect(person.ssn).to be(nil)
|
|
49
49
|
end
|
|
50
50
|
|
|
51
|
+
it "allows dirty attributes to be unset" do
|
|
52
|
+
person = Person.create!(ssn: "123-45-6789")
|
|
53
|
+
person.ssn = nil
|
|
54
|
+
expect(person.ssn).to be_nil
|
|
55
|
+
|
|
56
|
+
person2 = Person.create!(ssn: "123-45-6789")
|
|
57
|
+
person2.assign_attributes(ssn: nil)
|
|
58
|
+
expect(person2.ssn).to be_nil
|
|
59
|
+
end
|
|
60
|
+
|
|
51
61
|
it "allows saving without validations" do
|
|
52
62
|
person = Person.new(ssn: "123-456-7890")
|
|
53
63
|
person.save(validate: false)
|
|
@@ -57,7 +67,7 @@ describe Vault::Rails do
|
|
|
57
67
|
it "allows attributes to be unset after reload" do
|
|
58
68
|
person = Person.create!(ssn: "123-45-6789")
|
|
59
69
|
person.reload
|
|
60
|
-
person.
|
|
70
|
+
person.update!(ssn: nil)
|
|
61
71
|
person.reload
|
|
62
72
|
|
|
63
73
|
expect(person.ssn).to be(nil)
|
|
@@ -65,10 +75,20 @@ describe Vault::Rails do
|
|
|
65
75
|
|
|
66
76
|
it "allows attributes to be blank" do
|
|
67
77
|
person = Person.create!(ssn: "123-45-6789")
|
|
68
|
-
person.
|
|
78
|
+
person.update!(ssn: "")
|
|
69
79
|
person.reload
|
|
70
80
|
|
|
71
81
|
expect(person.ssn).to eq("")
|
|
82
|
+
expect(person.ssn_encrypted).to eq("")
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
it "allows attributes to be null" do
|
|
86
|
+
person = Person.create!(ssn: "123-45-6789")
|
|
87
|
+
person.update!(ssn: nil)
|
|
88
|
+
person.reload
|
|
89
|
+
|
|
90
|
+
expect(person.ssn).to eq(nil)
|
|
91
|
+
expect(person.ssn_encrypted).to eq(nil)
|
|
72
92
|
end
|
|
73
93
|
|
|
74
94
|
it "reloads instance variables on reload" do
|
|
@@ -87,6 +107,18 @@ describe Vault::Rails do
|
|
|
87
107
|
person.name = "Cinderella"
|
|
88
108
|
person.save!
|
|
89
109
|
end
|
|
110
|
+
|
|
111
|
+
it "does not register a Vault attribute as necessarily being backed by a column" do
|
|
112
|
+
expect(Person.attribute_names).to include("ssn")
|
|
113
|
+
expect(Person.column_names).not_to include("ssn")
|
|
114
|
+
end
|
|
115
|
+
|
|
116
|
+
it "does not reload encrypted attributes on destroy" do
|
|
117
|
+
person = Person.create!(ssn: "123-45-6789")
|
|
118
|
+
|
|
119
|
+
expect(Vault::Rails).to_not receive(:decrypt)
|
|
120
|
+
person.destroy
|
|
121
|
+
end
|
|
90
122
|
end
|
|
91
123
|
|
|
92
124
|
context "lazy decrypt" do
|
|
@@ -130,16 +162,33 @@ describe Vault::Rails do
|
|
|
130
162
|
expect(person.ssn_changed?).to be(true)
|
|
131
163
|
expect(person.ssn_change).to eq(["123-45-6789", "111-11-1111"])
|
|
132
164
|
expect(person.ssn_was).to eq("123-45-6789")
|
|
165
|
+
|
|
166
|
+
person.assign_attributes(ssn: "222-22-2222")
|
|
167
|
+
|
|
168
|
+
expect(person.ssn_changed?).to be(true)
|
|
169
|
+
expect(person.ssn_change).to eq(["123-45-6789", "222-22-2222"])
|
|
170
|
+
expect(person.ssn_was).to eq("123-45-6789")
|
|
133
171
|
end
|
|
134
172
|
|
|
135
173
|
it "allows attributes to be unset" do
|
|
136
174
|
person = LazyPerson.create!(ssn: "123-45-6789")
|
|
137
|
-
person.
|
|
175
|
+
person.update!(ssn: nil)
|
|
138
176
|
person.reload
|
|
139
177
|
|
|
140
178
|
expect(person.ssn).to be(nil)
|
|
141
179
|
end
|
|
142
180
|
|
|
181
|
+
it "allows dirty attributes to be unset" do
|
|
182
|
+
person = LazyPerson.create!(ssn: "123-45-6789")
|
|
183
|
+
person.ssn = nil
|
|
184
|
+
expect(person.ssn).to be_nil
|
|
185
|
+
|
|
186
|
+
person2 = LazyPerson.create!(ssn: "123-45-6789")
|
|
187
|
+
person2.assign_attributes(ssn: nil)
|
|
188
|
+
expect(person2.ssn).to be_nil
|
|
189
|
+
end
|
|
190
|
+
|
|
191
|
+
|
|
143
192
|
it "allows saving without validations" do
|
|
144
193
|
person = LazyPerson.new(ssn: "123-456-7890")
|
|
145
194
|
expect(person.save(validate: false)).to be(true)
|
|
@@ -149,7 +198,7 @@ describe Vault::Rails do
|
|
|
149
198
|
it "allows attributes to be unset after reload" do
|
|
150
199
|
person = LazyPerson.create!(ssn: "123-45-6789")
|
|
151
200
|
person.reload
|
|
152
|
-
person.
|
|
201
|
+
person.update!(ssn: nil)
|
|
153
202
|
person.reload
|
|
154
203
|
|
|
155
204
|
expect(person.ssn).to be(nil)
|
|
@@ -157,7 +206,7 @@ describe Vault::Rails do
|
|
|
157
206
|
|
|
158
207
|
it "allows attributes to be blank" do
|
|
159
208
|
person = LazyPerson.create!(ssn: "123-45-6789")
|
|
160
|
-
person.
|
|
209
|
+
person.update!(ssn: "")
|
|
161
210
|
person.reload
|
|
162
211
|
|
|
163
212
|
expect(person.ssn).to eq("")
|
|
@@ -180,6 +229,145 @@ describe Vault::Rails do
|
|
|
180
229
|
person.name = "Cinderella"
|
|
181
230
|
person.save!
|
|
182
231
|
end
|
|
232
|
+
|
|
233
|
+
it "allows attributes to be accessed after a destroy" do
|
|
234
|
+
person = LazyPerson.create!(ssn: "123-45-6789")
|
|
235
|
+
|
|
236
|
+
person.destroy
|
|
237
|
+
expect { person.ssn }.not_to raise_error
|
|
238
|
+
end
|
|
239
|
+
end
|
|
240
|
+
|
|
241
|
+
context "lazy single decrypt" do
|
|
242
|
+
before(:all) do
|
|
243
|
+
Vault::Rails.logical.write("transit/keys/dummy_people_ssn")
|
|
244
|
+
end
|
|
245
|
+
|
|
246
|
+
it "encrypts attributes" do
|
|
247
|
+
person = LazySinglePerson.create!(ssn: "123-45-6789")
|
|
248
|
+
expect(person.ssn_encrypted.length).to eq(61)
|
|
249
|
+
expect(person.ssn_encrypted).to start_with("vault:v1:")
|
|
250
|
+
expect(person.ssn_encrypted.encoding).to eq(Encoding::UTF_8)
|
|
251
|
+
end
|
|
252
|
+
|
|
253
|
+
it "decrypts attributes" do
|
|
254
|
+
person = LazySinglePerson.create!(ssn: "123-45-6789")
|
|
255
|
+
person.reload
|
|
256
|
+
|
|
257
|
+
expect(person.ssn).to eq("123-45-6789")
|
|
258
|
+
expect(person.ssn.encoding).to eq(Encoding::UTF_8)
|
|
259
|
+
end
|
|
260
|
+
|
|
261
|
+
it "does not decrypt on initialization" do
|
|
262
|
+
person = LazySinglePerson.create!(ssn: "123-45-6789")
|
|
263
|
+
person.reload
|
|
264
|
+
|
|
265
|
+
p2 = LazySinglePerson.find(person.id)
|
|
266
|
+
|
|
267
|
+
expect(p2.instance_variable_get("@ssn")).to eq(nil)
|
|
268
|
+
expect(p2.ssn).to eq("123-45-6789")
|
|
269
|
+
end
|
|
270
|
+
|
|
271
|
+
it "does not decrypt all attributes on single read" do
|
|
272
|
+
person = LazySinglePerson.create!(ssn: "123-45-6789")
|
|
273
|
+
person.update!(credit_card: "abcd-efgh-hijk-lmno")
|
|
274
|
+
expect(person.credit_card).to eq("abcd-efgh-hijk-lmno")
|
|
275
|
+
|
|
276
|
+
person.reload
|
|
277
|
+
|
|
278
|
+
p2 = LazySinglePerson.find(person.id)
|
|
279
|
+
|
|
280
|
+
expect(p2.instance_variable_get("@ssn")).to eq(nil)
|
|
281
|
+
expect(p2.ssn).to eq("123-45-6789")
|
|
282
|
+
expect(p2.instance_variable_get("@credit_card")).to eq(nil)
|
|
283
|
+
expect(p2.credit_card).to eq("abcd-efgh-hijk-lmno")
|
|
284
|
+
end
|
|
285
|
+
|
|
286
|
+
it "does not decrypt all attributes on single write" do
|
|
287
|
+
person = LazySinglePerson.create!(ssn: "123-45-6789")
|
|
288
|
+
person.update!(credit_card: "abcd-efgh-hijk-lmno")
|
|
289
|
+
expect(person.credit_card).to eq("abcd-efgh-hijk-lmno")
|
|
290
|
+
|
|
291
|
+
person.reload
|
|
292
|
+
|
|
293
|
+
p2 = LazySinglePerson.find(person.id)
|
|
294
|
+
|
|
295
|
+
expect(p2.instance_variable_get("@ssn")).to eq(nil)
|
|
296
|
+
expect(p2.ssn).to eq("123-45-6789")
|
|
297
|
+
person.ssn = "111-11-1111"
|
|
298
|
+
expect(p2.instance_variable_get("@credit_card")).to eq(nil)
|
|
299
|
+
expect(p2.credit_card).to eq("abcd-efgh-hijk-lmno")
|
|
300
|
+
end
|
|
301
|
+
|
|
302
|
+
it "tracks dirty attributes" do
|
|
303
|
+
person = LazySinglePerson.create!(ssn: "123-45-6789")
|
|
304
|
+
|
|
305
|
+
expect(person.ssn_changed?).to be(false)
|
|
306
|
+
expect(person.ssn_change).to be(nil)
|
|
307
|
+
expect(person.ssn_was).to eq("123-45-6789")
|
|
308
|
+
|
|
309
|
+
person.ssn = "111-11-1111"
|
|
310
|
+
|
|
311
|
+
expect(person.ssn_changed?).to be(true)
|
|
312
|
+
expect(person.ssn_change).to eq(["123-45-6789", "111-11-1111"])
|
|
313
|
+
expect(person.ssn_was).to eq("123-45-6789")
|
|
314
|
+
end
|
|
315
|
+
|
|
316
|
+
it "allows attributes to be unset" do
|
|
317
|
+
person = LazySinglePerson.create!(ssn: "123-45-6789")
|
|
318
|
+
person.update!(ssn: nil)
|
|
319
|
+
person.reload
|
|
320
|
+
|
|
321
|
+
expect(person.ssn).to be(nil)
|
|
322
|
+
end
|
|
323
|
+
|
|
324
|
+
it "allows saving without validations" do
|
|
325
|
+
person = LazySinglePerson.new(ssn: "123-456-7890")
|
|
326
|
+
expect(person.save(validate: false)).to be(true)
|
|
327
|
+
expect(person.ssn_encrypted).to match("vault:")
|
|
328
|
+
end
|
|
329
|
+
|
|
330
|
+
it "allows attributes to be unset after reload" do
|
|
331
|
+
person = LazySinglePerson.create!(ssn: "123-45-6789")
|
|
332
|
+
person.reload
|
|
333
|
+
person.update!(ssn: nil)
|
|
334
|
+
person.reload
|
|
335
|
+
|
|
336
|
+
expect(person.ssn).to be(nil)
|
|
337
|
+
end
|
|
338
|
+
|
|
339
|
+
it "allows attributes to be blank" do
|
|
340
|
+
person = LazySinglePerson.create!(ssn: "123-45-6789")
|
|
341
|
+
person.update!(ssn: "")
|
|
342
|
+
person.reload
|
|
343
|
+
|
|
344
|
+
expect(person.ssn).to eq("")
|
|
345
|
+
end
|
|
346
|
+
|
|
347
|
+
it "reloads instance variables on reload" do
|
|
348
|
+
person = LazySinglePerson.create!(ssn: "123-45-6789")
|
|
349
|
+
expect(person.instance_variable_get(:@ssn)).to eq("123-45-6789")
|
|
350
|
+
|
|
351
|
+
person.ssn = "111-11-1111"
|
|
352
|
+
person.reload
|
|
353
|
+
|
|
354
|
+
expect(person.ssn).to eq("123-45-6789")
|
|
355
|
+
end
|
|
356
|
+
|
|
357
|
+
it "does not try to encrypt unchanged attributes" do
|
|
358
|
+
person = LazySinglePerson.create!(ssn: "123-45-6789")
|
|
359
|
+
|
|
360
|
+
expect(Vault::Rails).to_not receive(:encrypt)
|
|
361
|
+
person.name = "Cinderella"
|
|
362
|
+
person.save!
|
|
363
|
+
end
|
|
364
|
+
|
|
365
|
+
it "allows attributes to be accessed after a destroy" do
|
|
366
|
+
person = LazyPerson.create!(ssn: "123-45-6789")
|
|
367
|
+
|
|
368
|
+
person.destroy
|
|
369
|
+
expect { person.ssn }.not_to raise_error
|
|
370
|
+
end
|
|
183
371
|
end
|
|
184
372
|
|
|
185
373
|
context "with custom options" do
|
|
@@ -218,7 +406,7 @@ describe Vault::Rails do
|
|
|
218
406
|
|
|
219
407
|
it "allows attributes to be unset" do
|
|
220
408
|
person = Person.create!(credit_card: "1234567890111213")
|
|
221
|
-
person.
|
|
409
|
+
person.update!(credit_card: nil)
|
|
222
410
|
person.reload
|
|
223
411
|
|
|
224
412
|
expect(person.credit_card).to be(nil)
|
|
@@ -226,7 +414,7 @@ describe Vault::Rails do
|
|
|
226
414
|
|
|
227
415
|
it "allows attributes to be blank" do
|
|
228
416
|
person = Person.create!(credit_card: "1234567890111213")
|
|
229
|
-
person.
|
|
417
|
+
person.update!(credit_card: "")
|
|
230
418
|
person.reload
|
|
231
419
|
|
|
232
420
|
expect(person.credit_card).to eq("")
|
|
@@ -269,7 +457,7 @@ describe Vault::Rails do
|
|
|
269
457
|
|
|
270
458
|
it "allows attributes to be unset" do
|
|
271
459
|
person = Person.create!(non_ascii: "dás ümlaut")
|
|
272
|
-
person.
|
|
460
|
+
person.update!(non_ascii: nil)
|
|
273
461
|
person.reload
|
|
274
462
|
|
|
275
463
|
expect(person.non_ascii).to be(nil)
|
|
@@ -277,26 +465,80 @@ describe Vault::Rails do
|
|
|
277
465
|
|
|
278
466
|
it "allows attributes to be blank" do
|
|
279
467
|
person = Person.create!(non_ascii: "dás ümlaut")
|
|
280
|
-
person.
|
|
468
|
+
person.update!(non_ascii: "")
|
|
281
469
|
person.reload
|
|
282
470
|
|
|
283
471
|
expect(person.non_ascii).to eq("")
|
|
284
472
|
end
|
|
285
473
|
end
|
|
286
474
|
|
|
475
|
+
context "with a default" do
|
|
476
|
+
%i[new create].each do |creation_method|
|
|
477
|
+
context "on #{creation_method}" do
|
|
478
|
+
context "without an initial attribute" do
|
|
479
|
+
it "sets the default" do
|
|
480
|
+
person = Person.public_send(creation_method)
|
|
481
|
+
expect(person.default).to eq("abc123")
|
|
482
|
+
person.save!
|
|
483
|
+
person.reload
|
|
484
|
+
expect(person.default).to eq("abc123")
|
|
485
|
+
end
|
|
486
|
+
end
|
|
487
|
+
|
|
488
|
+
context "with an initial attribute" do
|
|
489
|
+
it "does not set the default" do
|
|
490
|
+
person = Person.public_send(creation_method, default: "another")
|
|
491
|
+
expect(person.default).to eq("another")
|
|
492
|
+
person.save!
|
|
493
|
+
person.reload
|
|
494
|
+
expect(person.default).to eq("another")
|
|
495
|
+
end
|
|
496
|
+
end
|
|
497
|
+
end
|
|
498
|
+
end
|
|
499
|
+
end
|
|
500
|
+
|
|
501
|
+
context "with a default and serializer" do
|
|
502
|
+
%i[new create].each do |creation_method|
|
|
503
|
+
context "on #{creation_method}" do
|
|
504
|
+
context "without an initial attribute" do
|
|
505
|
+
it "sets the default" do
|
|
506
|
+
person = Person.public_send(creation_method)
|
|
507
|
+
expect(person.default_with_serializer).to eq({})
|
|
508
|
+
person.save!
|
|
509
|
+
person.reload
|
|
510
|
+
expect(person.default_with_serializer).to eq({})
|
|
511
|
+
end
|
|
512
|
+
end
|
|
513
|
+
|
|
514
|
+
context "with an initial attribute" do
|
|
515
|
+
it "does not set the default" do
|
|
516
|
+
person = Person.public_send(
|
|
517
|
+
creation_method,
|
|
518
|
+
default_with_serializer: { "foo" => "bar" }
|
|
519
|
+
)
|
|
520
|
+
|
|
521
|
+
expect(person.default_with_serializer).to eq({ "foo" => "bar" })
|
|
522
|
+
person.save!
|
|
523
|
+
person.reload
|
|
524
|
+
expect(person.default_with_serializer).to eq({ "foo" => "bar" })
|
|
525
|
+
end
|
|
526
|
+
end
|
|
527
|
+
end
|
|
528
|
+
end
|
|
529
|
+
end
|
|
530
|
+
|
|
287
531
|
context "with the :json serializer" do
|
|
288
532
|
before(:all) do
|
|
289
533
|
Vault::Rails.logical.write("transit/keys/dummy_people_details")
|
|
290
534
|
end
|
|
291
535
|
|
|
292
|
-
it "
|
|
536
|
+
it "does not default to a hash" do
|
|
293
537
|
person = Person.new
|
|
294
|
-
expect(person.details).to eq(
|
|
295
|
-
|
|
296
|
-
|
|
297
|
-
|
|
298
|
-
person = Person.create!
|
|
299
|
-
expect(person.details).to eq({})
|
|
538
|
+
expect(person.details).to eq(nil)
|
|
539
|
+
person.save!
|
|
540
|
+
person.reload
|
|
541
|
+
expect(person.details).to eq(nil)
|
|
300
542
|
end
|
|
301
543
|
|
|
302
544
|
it "tracks dirty attributes" do
|
|
@@ -356,6 +598,129 @@ describe Vault::Rails do
|
|
|
356
598
|
end
|
|
357
599
|
end
|
|
358
600
|
|
|
601
|
+
context "with context" do
|
|
602
|
+
it "encodes and decodes with a string context" do
|
|
603
|
+
person = Person.create!(context_string: "foobar")
|
|
604
|
+
person.reload
|
|
605
|
+
|
|
606
|
+
raw = Vault::Rails.decrypt(
|
|
607
|
+
"transit", "dummy_people_context_string",
|
|
608
|
+
person.context_string_encrypted, context: "production")
|
|
609
|
+
|
|
610
|
+
expect(raw).to eq("foobar")
|
|
611
|
+
|
|
612
|
+
expect(person.context_string).to eq("foobar")
|
|
613
|
+
|
|
614
|
+
# Decrypting without the correct context fails
|
|
615
|
+
expect {
|
|
616
|
+
Vault::Rails.decrypt(
|
|
617
|
+
"transit", "dummy_people_context_string",
|
|
618
|
+
person.context_string_encrypted, context: "wrongcontext")
|
|
619
|
+
}.to raise_error(Vault::HTTPClientError, /invalid ciphertext/)
|
|
620
|
+
|
|
621
|
+
# Decrypting without a context fails
|
|
622
|
+
expect {
|
|
623
|
+
Vault::Rails.decrypt(
|
|
624
|
+
"transit", "dummy_people_context_string",
|
|
625
|
+
person.context_string_encrypted)
|
|
626
|
+
}.to raise_error(Vault::HTTPClientError, /context/)
|
|
627
|
+
end
|
|
628
|
+
|
|
629
|
+
it "encodes and decodes with a symbol context" do
|
|
630
|
+
person = Person.create!(context_symbol: "foobar")
|
|
631
|
+
person.reload
|
|
632
|
+
|
|
633
|
+
raw = Vault::Rails.decrypt(
|
|
634
|
+
"transit", "dummy_people_context_symbol",
|
|
635
|
+
person.context_symbol_encrypted, context: person.encryption_context)
|
|
636
|
+
|
|
637
|
+
expect(raw).to eq("foobar")
|
|
638
|
+
|
|
639
|
+
expect(person.context_symbol).to eq("foobar")
|
|
640
|
+
|
|
641
|
+
# Decrypting without the correct context fails
|
|
642
|
+
expect {
|
|
643
|
+
Vault::Rails.decrypt(
|
|
644
|
+
"transit", "dummy_people_context_symbol",
|
|
645
|
+
person.context_symbol_encrypted, context: "wrongcontext")
|
|
646
|
+
}.to raise_error(Vault::HTTPClientError, /invalid ciphertext/)
|
|
647
|
+
|
|
648
|
+
# Decrypting without a context fails
|
|
649
|
+
expect {
|
|
650
|
+
Vault::Rails.decrypt(
|
|
651
|
+
"transit", "dummy_people_context_symbol",
|
|
652
|
+
person.context_symbol_encrypted)
|
|
653
|
+
}.to raise_error(Vault::HTTPClientError, /context/)
|
|
654
|
+
end
|
|
655
|
+
|
|
656
|
+
it "encodes and decodes with a proc context" do
|
|
657
|
+
person = Person.create!(context_proc: "foobar")
|
|
658
|
+
person.reload
|
|
659
|
+
|
|
660
|
+
raw = Vault::Rails.decrypt(
|
|
661
|
+
"transit", "dummy_people_context_proc",
|
|
662
|
+
person.context_proc_encrypted, context: person.encryption_context)
|
|
663
|
+
|
|
664
|
+
expect(raw).to eq("foobar")
|
|
665
|
+
|
|
666
|
+
expect(person.context_proc).to eq("foobar")
|
|
667
|
+
|
|
668
|
+
# Decrypting without the correct context fails
|
|
669
|
+
expect {
|
|
670
|
+
Vault::Rails.decrypt(
|
|
671
|
+
"transit", "dummy_people_context_proc",
|
|
672
|
+
person.context_proc_encrypted, context: "wrongcontext")
|
|
673
|
+
}.to raise_error(Vault::HTTPClientError, /invalid ciphertext/)
|
|
674
|
+
|
|
675
|
+
# Decrypting without a context fails
|
|
676
|
+
expect {
|
|
677
|
+
Vault::Rails.decrypt(
|
|
678
|
+
"transit", "dummy_people_context_proc",
|
|
679
|
+
person.context_proc_encrypted)
|
|
680
|
+
}.to raise_error(Vault::HTTPClientError, /context/)
|
|
681
|
+
end
|
|
682
|
+
end
|
|
683
|
+
|
|
684
|
+
context 'with transform_secret', ent_vault: ">= 1.4" do
|
|
685
|
+
before(:all) do
|
|
686
|
+
Vault::Rails.sys.mount("transform", :transform)
|
|
687
|
+
Vault::Rails.client.transform.create_transformation(
|
|
688
|
+
"social_sec",
|
|
689
|
+
template: "builtin/socialsecuritynumber",
|
|
690
|
+
tweak_source: "internal",
|
|
691
|
+
type: "fpe",
|
|
692
|
+
allowed_roles: [Vault::Rails.application]
|
|
693
|
+
)
|
|
694
|
+
Vault::Rails.client.transform.create_role(Vault::Rails.application, transformations: ["social_sec"])
|
|
695
|
+
Vault::Rails.client.transform.create_role("foobar_role", transformations: ["social_sec"])
|
|
696
|
+
end
|
|
697
|
+
|
|
698
|
+
it "encrypts the attribute using the given transformation" do
|
|
699
|
+
person = Person.create!(transform_ssn: "123-45-6789")
|
|
700
|
+
expect(person[:transform_ssn_encrypted]).not_to eq("123-45-6789")
|
|
701
|
+
expect(person[:transform_ssn_encrypted]).to match(/\d{3}-\d{2}-\d{4}/)
|
|
702
|
+
expect(person.transform_ssn).to eq("123-45-6789")
|
|
703
|
+
end
|
|
704
|
+
|
|
705
|
+
it "raises an error if the format is incorrect" do
|
|
706
|
+
expect{ Person.create!(transform_ssn: "1234-5678-90") }.to(
|
|
707
|
+
raise_error(Vault::HTTPClientError, /unable to find matching expression/)
|
|
708
|
+
)
|
|
709
|
+
end
|
|
710
|
+
|
|
711
|
+
it "raises an error if the transformation does not exist" do
|
|
712
|
+
expect{ Person.create!(bad_transform: "nope") }.to(
|
|
713
|
+
raise_error(Vault::HTTPClientError, /unable to find transformation/)
|
|
714
|
+
)
|
|
715
|
+
end
|
|
716
|
+
|
|
717
|
+
it "raises an error if the provided role doesn't have the ability to use the transformation" do
|
|
718
|
+
expect{ Person.create!(bad_role_transform: "123-45-6789") }.to(
|
|
719
|
+
raise_error(Vault::HTTPClientError, /is not an allowed role for the transformation/)
|
|
720
|
+
)
|
|
721
|
+
end
|
|
722
|
+
end
|
|
723
|
+
|
|
359
724
|
context 'with errors' do
|
|
360
725
|
it 'raises the appropriate exception' do
|
|
361
726
|
expect {
|
|
@@ -363,4 +728,19 @@ describe Vault::Rails do
|
|
|
363
728
|
}.to raise_error(Vault::HTTPClientError)
|
|
364
729
|
end
|
|
365
730
|
end
|
|
731
|
+
|
|
732
|
+
context "without a server" do
|
|
733
|
+
it "encrypts attributes with a dev prefix" do
|
|
734
|
+
allow(Vault::Rails).to receive(:enabled?).and_return(false)
|
|
735
|
+
person = Person.create!(credit_card: "1234567890111213")
|
|
736
|
+
expect(person.cc_encrypted).to start_with(Vault::Rails::DEV_PREFIX)
|
|
737
|
+
end
|
|
738
|
+
|
|
739
|
+
it "decrypts attributes" do
|
|
740
|
+
allow(Vault::Rails).to receive(:enabled?).and_return(false)
|
|
741
|
+
person = Person.create!(credit_card: "1234567890111213")
|
|
742
|
+
person.reload
|
|
743
|
+
expect(person.credit_card).to eq("1234567890111213")
|
|
744
|
+
end
|
|
745
|
+
end
|
|
366
746
|
end
|