module ActiveRecord::Encryption::EncryptableRecord
This is the concern mixed in Active Record models to make them encryptable. It adds the encrypts attribute declaration, as well as the API to encrypt and decrypt records.
Constants
- ORIGINAL_ATTRIBUTE_PREFIX
Public Instance Methods
# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 129
def add_length_validation_for_encrypted_columns
encrypted_attributes&.each do |attribute_name|
validate_column_size attribute_name
end
end# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 148
def ciphertext_for(attribute_name)
read_attribute_before_type_cast(attribute_name)
endReturns the ciphertext for attribute_name.
# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 158
def decrypt
decrypt_attributes if has_encrypted_attributes?
endDecrypts all the encryptable attributes and saves the changes.
# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 58
def deterministic_encrypted_attributes
@deterministic_encrypted_attributes ||= encrypted_attributes&.find_all do |attribute_name|
type_for_attribute(attribute_name).deterministic?
end
endReturns the list of deterministic encryptable attributes in the model class.
# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 153
def encrypt
encrypt_attributes if has_encrypted_attributes?
endEncrypts all the encryptable attributes and saves the changes.
# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 84
def encrypt_attribute(name, attribute_scheme)
encrypted_attributes << name.to_sym
attribute name do |cast_type|
ActiveRecord::Encryption::EncryptedAttributeType.new scheme: attribute_scheme, cast_type: cast_type
end
preserve_original_encrypted(name) if attribute_scheme.ignore_case?
ActiveRecord::Encryption.encrypted_attribute_was_declared(self, name)
end# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 143
def encrypted_attribute?(attribute_name)
ActiveRecord::Encryption.encryptor.encrypted? ciphertext_for(attribute_name)
endReturns whether a given attribute is encrypted or not.
encrypts(*names, key_provider: nil, key: nil, deterministic: false, downcase: false, ignore_case: false, previous: [], **context_properties) Show source
# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 47
def encrypts(*names, key_provider: nil, key: nil, deterministic: false, downcase: false, ignore_case: false, previous: [], **context_properties)
self.encrypted_attributes ||= Set.new # not using :default because the instance would be shared across classes
scheme = scheme_for key_provider: key_provider, key: key, deterministic: deterministic, downcase: downcase, \
ignore_case: ignore_case, previous: previous, **context_properties
names.each do |name|
encrypt_attribute name, scheme
end
endEncrypts the name attribute.
Options
:key_provider- Configure aKeyProviderfor serving the keys to encrypt and decrypt this attribute. If not provided, it will default toActiveRecord::Encryption.key_provider.:key- A password to derive the key from. It's a shorthand for a:key_providerthat serves derivated keys. Both options can't be used at the same time.:key_provider- Set a:key_providerto provide encryption and decryption keys. If not provided, it will default to the key provider set with `config.key_provider`.:deterministic- By default, encryption is not deterministic. It will use a random initialization vector for each encryption operation. This means that encrypting the same content with the same key twice will generate different ciphertexts. When set totrue, it will generate the initialization vector based on the encrypted content. This means that the same content will generate the same ciphertexts. This enables querying encrypted text with Active Record. Deterministic encryption will use the oldest encryption scheme to encrypt new data by default. You can change this by setting +deterministic: { fixed: false }+. That will make it use the newest encryption scheme for encrypting new data.:downcase- When true, it converts the encrypted content to downcase automatically. This allows to effectively ignore case when querying data. Notice that the case is lost. Use:ignore_caseif you are interested in preserving it.:ignore_case- When true, it behaves like:downcasebut, it also preserves the original case in a specially designated column +original_<name>+. When reading the encrypted content, the version with the original case is served. But you can still execute queries that will ignore the case. This option can only be used when:deterministicis true.:context_properties- Additional properties that will overrideContextsettings when this attribute is encrypted and decrypted. E.g:encryptor:,cipher:,message_serializer:, etc.:previous- List of previous encryption schemes. When provided, they will be used in order when trying to read the attribute. Each entry of the list can contain the properties supported byencrypts. Also, when deterministic encryption is used, they will be used to generate additional ciphertexts to check in the queries.
# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 78
def global_previous_schemes_for(scheme)
ActiveRecord::Encryption.config.previous_schemes.collect do |previous_scheme|
scheme.merge(previous_scheme)
end
end# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 123
def load_schema!
super
add_length_validation_for_encrypted_columns if ActiveRecord::Encryption.config.validate_column_size
end
Calls superclass method
# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 106
def override_accessors_to_preserve_original(name, original_attribute_name)
include(Module.new do
define_method name do
if ((value = super()) && encrypted_attribute?(name)) || !ActiveRecord::Encryption.config.support_unencrypted_data
send(original_attribute_name)
else
value
end
end
define_method "#{name}=" do |value|
self.send "#{original_attribute_name}=", value
super(value)
end
end)
end# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 95
def preserve_original_encrypted(name)
original_attribute_name = "#{ORIGINAL_ATTRIBUTE_PREFIX}#{name}".to_sym
if !ActiveRecord::Encryption.config.support_unencrypted_data && !column_names.include?(original_attribute_name.to_s)
raise Errors::Configuration, "To use :ignore_case for '#{name}' you must create an additional column named '#{original_attribute_name}'"
end
encrypts original_attribute_name
override_accessors_to_preserve_original name, original_attribute_name
endscheme_for(key_provider: nil, key: nil, deterministic: false, downcase: false, ignore_case: false, previous: [], **context_properties) Show source
# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 70
def scheme_for(key_provider: nil, key: nil, deterministic: false, downcase: false, ignore_case: false, previous: [], **context_properties)
ActiveRecord::Encryption::Scheme.new(key_provider: key_provider, key: key, deterministic: deterministic,
downcase: downcase, ignore_case: ignore_case, **context_properties).tap do |scheme|
scheme.previous_schemes = global_previous_schemes_for(scheme) +
Array.wrap(previous).collect { |scheme_config| ActiveRecord::Encryption::Scheme.new(**scheme_config) }
end
end# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 65
def source_attribute_from_preserved_attribute(attribute_name)
attribute_name.to_s.sub(ORIGINAL_ATTRIBUTE_PREFIX, "") if /^#{ORIGINAL_ATTRIBUTE_PREFIX}/.match?(attribute_name)
endGiven a attribute name, it returns the name of the source attribute when it's a preserved one.
# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 135
def validate_column_size(attribute_name)
if limit = columns_hash[attribute_name.to_s]&.limit
validates_length_of attribute_name, maximum: limit
end
end© 2004–2021 David Heinemeier Hansson
Licensed under the MIT License.