vault-rails 0.4.0 → 0.5.0

data/spec/integration/rails_spec.rb

@@ -69,6 +69,16 @@ describe Vault::Rails do
       person.reload
 
       expect(person.ssn).to eq("")
+      expect(person.ssn_encrypted).to eq("")
+    end
+
+    it "allows attributes to be null" do
+      person = Person.create!(ssn: "123-45-6789")
+      person.update_attributes!(ssn: nil)
+      person.reload
+
+      expect(person.ssn).to eq(nil)
+      expect(person.ssn_encrypted).to eq(nil)
     end
 
     it "reloads instance variables on reload" do
@@ -284,19 +294,73 @@ describe Vault::Rails do
     end
   end
 
+  context "with a default" do
+    %i[new create].each do |creation_method|
+      context "on #{creation_method}" do
+        context "without an initial attribute" do
+          it "sets the default" do
+            person = Person.public_send(creation_method)
+            expect(person.default).to eq("abc123")
+            person.save!
+            person.reload
+            expect(person.default).to eq("abc123")
+          end
+        end
+
+        context "with an initial attribute" do
+          it "does not set the default" do
+            person = Person.public_send(creation_method, default: "another")
+            expect(person.default).to eq("another")
+            person.save!
+            person.reload
+            expect(person.default).to eq("another")
+          end
+        end
+      end
+    end
+  end
+
+  context "with a default and serializer" do
+    %i[new create].each do |creation_method|
+      context "on #{creation_method}" do
+        context "without an initial attribute" do
+          it "sets the default" do
+            person = Person.public_send(creation_method)
+            expect(person.default_with_serializer).to eq({})
+            person.save!
+            person.reload
+            expect(person.default_with_serializer).to eq({})
+          end
+        end
+
+        context "with an initial attribute" do
+          it "does not set the default" do
+            person = Person.public_send(
+              creation_method,
+              default_with_serializer: { "foo" => "bar" }
+            )
+
+            expect(person.default_with_serializer).to eq({ "foo" => "bar" })
+            person.save!
+            person.reload
+            expect(person.default_with_serializer).to eq({ "foo" => "bar" })
+          end
+        end
+      end
+    end
+  end
+
   context "with the :json serializer"  do
     before(:all) do
       Vault::Rails.logical.write("transit/keys/dummy_people_details")
     end
 
-    it "has a default value for unpersisted records" do
+    it "does not default to a hash" do
       person = Person.new
-      expect(person.details).to eq({})
-    end
-
-    it "has a default value for persisted records" do
-      person = Person.create!
-      expect(person.details).to eq({})
+      expect(person.details).to eq(nil)
+      person.save!
+      person.reload
+      expect(person.details).to eq(nil)
     end
 
     it "tracks dirty attributes" do
@@ -356,6 +420,89 @@ describe Vault::Rails do
     end
   end
 
+  context "with context" do
+    it "encodes and decodes with a string context" do
+      person = Person.create!(context_string: "foobar")
+      person.reload
+
+      raw = Vault::Rails.decrypt(
+        "transit", "dummy_people_context_string",
+        person.context_string_encrypted, context: "production")
+
+      expect(raw).to eq("foobar")
+
+      expect(person.context_string).to eq("foobar")
+
+      # Decrypting without the correct context fails
+      expect {
+        Vault::Rails.decrypt(
+          "transit", "dummy_people_context_string",
+          person.context_string_encrypted, context: "wrongcontext")
+      }.to raise_error(Vault::HTTPClientError, /invalid ciphertext/)
+
+      # Decrypting without a context fails
+      expect {
+        Vault::Rails.decrypt(
+          "transit", "dummy_people_context_string",
+          person.context_string_encrypted)
+      }.to raise_error(Vault::HTTPClientError, /context/)
+    end
+
+    it "encodes and decodes with a symbol context" do
+      person = Person.create!(context_symbol: "foobar")
+      person.reload
+
+      raw = Vault::Rails.decrypt(
+        "transit", "dummy_people_context_symbol",
+        person.context_symbol_encrypted, context: person.encryption_context)
+
+      expect(raw).to eq("foobar")
+
+      expect(person.context_symbol).to eq("foobar")
+
+      # Decrypting without the correct context fails
+      expect {
+        Vault::Rails.decrypt(
+          "transit", "dummy_people_context_symbol",
+          person.context_symbol_encrypted, context: "wrongcontext")
+      }.to raise_error(Vault::HTTPClientError, /invalid ciphertext/)
+
+      # Decrypting without a context fails
+      expect {
+        Vault::Rails.decrypt(
+          "transit", "dummy_people_context_symbol",
+          person.context_symbol_encrypted)
+      }.to raise_error(Vault::HTTPClientError, /context/)
+    end
+
+    it "encodes and decodes with a proc context" do
+      person = Person.create!(context_proc: "foobar")
+      person.reload
+
+      raw = Vault::Rails.decrypt(
+        "transit", "dummy_people_context_proc",
+        person.context_proc_encrypted, context: person.encryption_context)
+
+      expect(raw).to eq("foobar")
+
+      expect(person.context_proc).to eq("foobar")
+
+      # Decrypting without the correct context fails
+      expect {
+        Vault::Rails.decrypt(
+          "transit", "dummy_people_context_proc",
+          person.context_proc_encrypted, context: "wrongcontext")
+      }.to raise_error(Vault::HTTPClientError, /invalid ciphertext/)
+
+      # Decrypting without a context fails
+      expect {
+        Vault::Rails.decrypt(
+          "transit", "dummy_people_context_proc",
+          person.context_proc_encrypted)
+      }.to raise_error(Vault::HTTPClientError, /context/)
+    end
+  end
+
   context 'with errors' do
     it 'raises the appropriate exception' do
       expect {

data/spec/lib/vault/rails/json_serializer_spec.rb

@@ -0,0 +1,42 @@
+require 'spec_helper'
+
+RSpec.describe Vault::Rails::JSONSerializer do
+  [
+    nil,
+    false,
+    true,
+    "",
+    "foo",
+    {},
+    { "foo" => "bar" },
+    [],
+    ["foo", "bar"],
+    0,
+    123,
+    0.0,
+    0.123,
+    0xff,
+    123e123
+  ].each do |object|
+    it "encodes and decodes #{object.inspect}" do
+      encoded = described_class.encode(object)
+      expect(encoded).to be_a(String)
+      decoded = described_class.decode(encoded)
+      expect(decoded).to eq(object)
+    end
+  end
+
+  describe ".decode" do
+    subject(:decoded) { described_class.decode(raw) }
+
+    context "with nil" do
+      let(:raw) { nil }
+      it { is_expected.to eq(nil) }
+    end
+
+    context "with an empty string (only possible if column has a default)" do
+      let(:raw) { "" }
+      it { is_expected.to eq(nil) }
+    end
+  end
+end

data/spec/unit/encrypted_model_spec.rb

@@ -20,6 +20,12 @@ describe Vault::EncryptedModel do
       }.to raise_error(Vault::Rails::ValidationFailedError)
     end
 
+    it "raises an exception if a proc is passed to :context without an arity of 1" do
+      expect {
+        klass.vault_attribute(:foo, context: ->() { })
+      }.to raise_error(Vault::Rails::ValidationFailedError, /1 argument/i)
+    end
+
     it "defines a getter" do
       klass.vault_attribute(:foo)
       expect(klass.instance_methods).to include(:foo)

data/spec/unit/vault/rails_spec.rb

@@ -0,0 +1,33 @@
+require 'spec_helper'
+
+RSpec.describe Vault::Rails do
+  describe "#memory_key_for" do
+    input_examples = [
+      ["path", "key"],
+      ["path", "key", "context"],
+      ["a_really_long_path", "a_really_long_key"],
+      ["a_really_long_path", "a_really_long_key", "a_really_long_context"],
+    ]
+
+    input_examples.each do |path, key, encryption_context|
+      context "with path=#{path}, key=#{key}, context=#{encryption_context}" do
+        it "returns exactly 16 bytes as required by OpenSSL AES 128" do
+          memory_key = Vault::Rails.send(
+            :memory_key_for, path, key, context: encryption_context
+          )
+          expect(memory_key.bytesize).to eq(16)
+        end
+      end
+    end
+
+    it "returns unique keys for different paths, keys, and contexts" do
+      memory_keys = input_examples.map { |path, key, encryption_context|
+        Vault::Rails.send(
+          :memory_key_for, path, key, context: encryption_context
+        )
+      }
+
+      expect(memory_keys).to match_array(memory_keys.uniq)
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vault-rails
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Seth Vargo
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-11-09 00:00:00.000000000 Z
+date: 2019-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -17,9 +17,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '4.1'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '5.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -27,9 +24,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '4.1'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '5.1'
 - !ruby/object:Gem::Dependency
   name: vault
   requirement: !ruby/object:Gem::Requirement
@@ -118,16 +112,16 @@ dependencies:
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.3.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.3.0
 description: Official Vault plugin for Rails
 email:
 - sethvargo@gmail.com
@@ -142,7 +136,7 @@ files:
 - lib/vault/rails.rb
 - lib/vault/rails/configurable.rb
 - lib/vault/rails/errors.rb
-- lib/vault/rails/serializer.rb
+- lib/vault/rails/json_serializer.rb
 - lib/vault/rails/version.rb
 - spec/dummy/Rakefile
 - spec/dummy/app/models/lazy_person.rb
@@ -169,19 +163,25 @@ files:
 - spec/dummy/config/locales/en.yml
 - spec/dummy/config/routes.rb
 - spec/dummy/config/secrets.yml
+- spec/dummy/db/development.sqlite3
 - spec/dummy/db/migrate/20150428220101_create_people.rb
 - spec/dummy/db/schema.rb
+- spec/dummy/db/test.sqlite3
 - spec/dummy/lib/binary_serializer.rb
+- spec/dummy/log/development.log
+- spec/dummy/log/test.log
 - spec/dummy/public/404.html
 - spec/dummy/public/422.html
 - spec/dummy/public/500.html
 - spec/dummy/public/favicon.ico
 - spec/integration/rails_spec.rb
+- spec/lib/vault/rails/json_serializer_spec.rb
 - spec/spec_helper.rb
 - spec/support/vault_server.rb
 - spec/unit/encrypted_model_spec.rb
 - spec/unit/rails/configurable_spec.rb
 - spec/unit/rails_spec.rb
+- spec/unit/vault/rails_spec.rb
 homepage: https://github.com/hashicorp/vault-rails
 licenses:
 - MPL-2.0
@@ -202,46 +202,52 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.10
+rubygems_version: 2.6.14.3
 signing_key: 
 specification_version: 4
 summary: Official Vault plugin for Rails
 test_files:
+- spec/spec_helper.rb
+- spec/unit/encrypted_model_spec.rb
+- spec/unit/rails_spec.rb
+- spec/unit/vault/rails_spec.rb
+- spec/unit/rails/configurable_spec.rb
 - spec/dummy/app/models/lazy_person.rb
 - spec/dummy/app/models/person.rb
+- spec/dummy/bin/rake
 - spec/dummy/bin/bundle
 - spec/dummy/bin/rails
-- spec/dummy/bin/rake
-- spec/dummy/config/application.rb
-- spec/dummy/config/boot.rb
-- spec/dummy/config/database.yml
-- spec/dummy/config/environment.rb
+- spec/dummy/config/secrets.yml
+- spec/dummy/config/routes.rb
+- spec/dummy/config/locales/en.yml
 - spec/dummy/config/environments/development.rb
 - spec/dummy/config/environments/test.rb
-- spec/dummy/config/initializers/assets.rb
+- spec/dummy/config/environment.rb
+- spec/dummy/config/application.rb
+- spec/dummy/config/database.yml
+- spec/dummy/config/boot.rb
 - spec/dummy/config/initializers/backtrace_silencers.rb
-- spec/dummy/config/initializers/cookies_serializer.rb
-- spec/dummy/config/initializers/filter_parameter_logging.rb
-- spec/dummy/config/initializers/inflections.rb
 - spec/dummy/config/initializers/mime_types.rb
+- spec/dummy/config/initializers/filter_parameter_logging.rb
 - spec/dummy/config/initializers/session_store.rb
-- spec/dummy/config/initializers/vault.rb
 - spec/dummy/config/initializers/wrap_parameters.rb
-- spec/dummy/config/locales/en.yml
-- spec/dummy/config/routes.rb
-- spec/dummy/config/secrets.yml
+- spec/dummy/config/initializers/assets.rb
+- spec/dummy/config/initializers/cookies_serializer.rb
+- spec/dummy/config/initializers/vault.rb
+- spec/dummy/config/initializers/inflections.rb
 - spec/dummy/config.ru
-- spec/dummy/db/migrate/20150428220101_create_people.rb
-- spec/dummy/db/schema.rb
-- spec/dummy/lib/binary_serializer.rb
-- spec/dummy/public/404.html
+- spec/dummy/Rakefile
+- spec/dummy/public/favicon.ico
 - spec/dummy/public/422.html
 - spec/dummy/public/500.html
-- spec/dummy/public/favicon.ico
-- spec/dummy/Rakefile
+- spec/dummy/public/404.html
+- spec/dummy/lib/binary_serializer.rb
+- spec/dummy/db/schema.rb
+- spec/dummy/db/test.sqlite3
+- spec/dummy/db/migrate/20150428220101_create_people.rb
+- spec/dummy/db/development.sqlite3
+- spec/dummy/log/test.log
+- spec/dummy/log/development.log
 - spec/integration/rails_spec.rb
-- spec/spec_helper.rb
 - spec/support/vault_server.rb
-- spec/unit/encrypted_model_spec.rb
-- spec/unit/rails/configurable_spec.rb
-- spec/unit/rails_spec.rb
+- spec/lib/vault/rails/json_serializer_spec.rb