Module: EncryptedStore::ActiveRecord::Mixin

Defined in:

lib/encrypted_store/active_record/mixin.rb

Defined Under Namespace

Modules: ClassMethods

Class Method Summary

• .descendants ⇒ Object
• .descendants? ⇒ Boolean
• .included(base) ⇒ Object

Instance Method Summary

• #_crypto_hash ⇒ Object
• #_decrypt_encrypted_store ⇒ Object
• #_decrypted_key ⇒ Object
• #_encrypt_encrypted_store ⇒ Object
• #_encrypted_store_data ⇒ Object
• #_encrypted_store_get(field) ⇒ Object
• #_encrypted_store_save ⇒ Object
• #_encrypted_store_set(field, value) ⇒ Object
• #_encrypted_store_sync_key ⇒ Object

  Locks the record (although doesn’t reload the attributes) and updates the encryption_key_id if it has changed since the record was originally loaded.

• #_encryption_key_id ⇒ Object
• #encrypted_attributes_changed? ⇒ Boolean

  Checks if any of the encrypted attributes are in the list of changed attributes.

• #purge_encrypted_data ⇒ Object

  Completely purges encrypted data for a record.

• #reencrypt(encryption_key) ⇒ Object

  Instance Methods.

Class Method Details

.descendants ⇒ Object

# File 'lib/encrypted_store/active_record/mixin.rb', line 14

def descendants
  Rails.application.eager_load! if defined?(Rails) && Rails.application
  ::ActiveRecord::Base.descendants.select { |model| model < Mixin }
end

.descendants? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/encrypted_store/active_record/mixin.rb', line 19

def descendants?
  !descendants.empty?
end

.included(base) ⇒ Object

# File 'lib/encrypted_store/active_record/mixin.rb', line 7

def included(base)
  base.before_save(:_encrypted_store_save,
    if: :encrypted_attributes_changed?)

  base.extend(ClassMethods)
end

Instance Method Details

#_crypto_hash ⇒ Object

# File 'lib/encrypted_store/active_record/mixin.rb', line 71

def _crypto_hash
  @_crypto_hash || _decrypt_encrypted_store
end

#_decrypt_encrypted_store ⇒ Object

# File 'lib/encrypted_store/active_record/mixin.rb', line 75

def _decrypt_encrypted_store
  @_crypto_hash = CryptoHash.decrypt(_decrypted_key, self.encrypted_store)
end

#_decrypted_key ⇒ Object

# File 'lib/encrypted_store/active_record/mixin.rb', line 91

def _decrypted_key
  EncryptedStore.retrieve_dek(EncryptionKey, _encryption_key_id)
end

#_encrypt_encrypted_store ⇒ Object

# File 'lib/encrypted_store/active_record/mixin.rb', line 79

def _encrypt_encrypted_store
  iter_mag = EncryptedStore.config.iteration_magnitude? ?
             EncryptedStore.config.iteration_magnitude  :
             -1

  self.encrypted_store = _crypto_hash.encrypt(
    _decrypted_key,
    EncryptionKeySalt.generate_salt(_encryption_key_id),
    iter_mag
  )
end

#_encrypted_store_data ⇒ Object

# File 'lib/encrypted_store/active_record/mixin.rb', line 63

def _encrypted_store_data
  self.class._encrypted_store_data
end

#_encrypted_store_get(field) ⇒ Object

# File 'lib/encrypted_store/active_record/mixin.rb', line 95

def _encrypted_store_get(field)
  _crypto_hash[field]
end

#_encrypted_store_save ⇒ Object

# File 'lib/encrypted_store/active_record/mixin.rb', line 112

def _encrypted_store_save
  _crypto_hash # make sure we have a cached copy of the decrypted data.
  _encrypted_store_sync_key
  _encrypt_encrypted_store
end

#_encrypted_store_set(field, value) ⇒ Object

# File 'lib/encrypted_store/active_record/mixin.rb', line 99

def _encrypted_store_set(field, value)
  attribute_will_change!(field)
  _crypto_hash[field] = value
end

#_encrypted_store_sync_key ⇒ Object

Locks the record (although doesn’t reload the attributes) and updates the encryption_key_id if it has changed since the record was originally loaded.

# File 'lib/encrypted_store/active_record/mixin.rb', line 122

def _encrypted_store_sync_key
  unless new_record?
    # Obtain a lock without overriding attribute values for this
    # instance. Here `record` will be an updated version of this instance.
    record = self.class.unscoped { self.class.lock.find(id) }

    if record && record.encryption_key_id
      self.encryption_key_id = record.encryption_key_id
    end
  end
end

#_encryption_key_id ⇒ Object

# File 'lib/encrypted_store/active_record/mixin.rb', line 67

def _encryption_key_id
  self.encryption_key_id ||= EncryptionKey.primary_encryption_key.id
end

#encrypted_attributes_changed? ⇒ Boolean

Checks if any of the encrypted attributes are in the list of changed attributes

Returns:

• (Boolean)

# File 'lib/encrypted_store/active_record/mixin.rb', line 107

def encrypted_attributes_changed?
  !(changed.map(&:to_sym) & _encrypted_store_data[:encrypted_attributes])
    .empty?
end

#purge_encrypted_data ⇒ Object

Completely purges encrypted data for a record

# File 'lib/encrypted_store/active_record/mixin.rb', line 56

def purge_encrypted_data
  self.encrypted_store = nil
  self.encryption_key_id = nil
  @_crypto_hash = nil
  save!(validate: false)
end

#reencrypt(encryption_key) ⇒ Object

Instance Methods

# File 'lib/encrypted_store/active_record/mixin.rb', line 43

def reencrypt(encryption_key)
  with_lock do
    # Must decrypt any changes made to the encrypted data, before updating
    # the encryption_key_id.
    _decrypt_encrypted_store
    self.encryption_key_id = encryption_key.id
    _encrypt_encrypted_store
    save!(validate: false)
  end
end