Class: Lockbox::Utils

Inherits:

Object

Object
Lockbox::Utils

Defined in:: lib/lockbox/utils.rb

Class Method Summary collapse

Class Method Details

.build_box(context, options, table, attribute) ⇒ `Object`

# File 'lib/lockbox/utils.rb', line 3

def self.build_box(context, options, table, attribute)
  options = options.except(:attribute, :encrypted_attribute, :migrating, :attached, :type)
  options[:encode] = false unless options.key?(:encode)
  options.each do |k, v|
    if v.respond_to?(:call)
      # context not present for pluck
      # still possible to use if not dependent on context
      options[k] = context ? context.instance_exec(&v) : v.call
    elsif v.is_a?(Symbol)
      # context not present for pluck
      raise Error, "Not available since :#{k} depends on record" unless context
      options[k] = context.send(v)
    end
  end

  unless options[:key] || options[:encryption_key] || options[:decryption_key]
    options[:key] =
      Lockbox.attribute_key(
        table: options.delete(:key_table) || table,
        attribute: options.delete(:key_attribute) || attribute,
        master_key: options.delete(:master_key),
        encode: false
      )
  end

  if options[:previous_versions].is_a?(Array)
    options[:previous_versions] = options[:previous_versions].dup
    options[:previous_versions].each_with_index do |version, i|
      if !(version[:key] || version[:encryption_key] || version[:decryption_key]) && version[:master_key]
        options[:previous_versions][i] = version.merge(key: Lockbox.attribute_key(table: table, attribute: attribute, master_key: version.delete(:master_key), encode: false))
      end
    end
  end

  Lockbox.new(**options)
end

.decode_key(key, size: 32, name: "Key") ⇒ `Object`

Raises:

(Lockbox::Error)

# File 'lib/lockbox/utils.rb', line 44

def self.decode_key(key, size: 32, name: "Key")
  if key.encoding != Encoding::BINARY && key =~ /\A[0-9a-f]{#{size * 2}}\z/i
    key = [key].pack("H*")
  end

  raise Lockbox::Error, "#{name} must be 32 bytes (64 hex digits)" if key.bytesize != size
  raise Lockbox::Error, "#{name} must use binary encoding" if key.encoding != Encoding::BINARY

  key
end

.decrypt_result(record, name, options, result) ⇒ `Object`

# File 'lib/lockbox/utils.rb', line 96

def self.decrypt_result(record, name, options, result)
  ActiveSupport::Notifications.instrument("decrypt_file.lockbox", {name: name}) do
    Utils.build_box(record, options, record.class.table_name, name).decrypt(result)
  end
end

.encrypt_attachable(record, name, attachable) ⇒ `Object`

# File 'lib/lockbox/utils.rb', line 59

def self.encrypt_attachable(record, name, attachable)
  io = nil

  ActiveSupport::Notifications.instrument("encrypt_file.lockbox", {name: name}) do
    options = encrypted_options(record, name)
    box = build_box(record, options, record.class.table_name, name)

    case attachable
    when ActionDispatch::Http::UploadedFile, Rack::Test::UploadedFile
      io = attachable
      attachable = {
        io: box.encrypt_io(io),
        filename: attachable.original_filename,
        content_type: attachable.content_type
      }
    when Hash
      io = attachable[:io]
      attachable = attachable.dup
      attachable[:io] = box.encrypt_io(io)
    else
      # TODO raise ArgumentError
      raise NotImplementedError, "Could not find or build blob: expected attachable, got #{attachable.inspect}"
    end

    # don't analyze encrypted data
    metadata = {"analyzed" => true}
    metadata["encrypted"] = true if options[:migrating]
    attachable[:metadata] = (attachable[:metadata] || {}).merge(metadata)
  end

  # set content type based on unencrypted data
  # keep synced with ActiveStorage::Blob#extract_content_type
  attachable[:io].extracted_content_type = Marcel::MimeType.for(io, name: attachable[:filename].to_s, declared_type: attachable[:content_type])

  attachable
end

.encrypted?(record, name) ⇒ `Boolean`

Returns:

(Boolean)



55
56
57

# File 'lib/lockbox/utils.rb', line 55

def self.encrypted?(record, name)
  !encrypted_options(record, name).nil?
end

.encrypted_options(record, name) ⇒ `Object`



40
41
42

# File 'lib/lockbox/utils.rb', line 40

def self.encrypted_options(record, name)
  record.class.respond_to?(:lockbox_attachments) ? record.class.lockbox_attachments[name.to_sym] : nil
end

.rebuild_attachable(attachment) ⇒ `Object`

# File 'lib/lockbox/utils.rb', line 102

def self.rebuild_attachable(attachment)
  {
    io: StringIO.new(attachment.download),
    filename: attachment.filename,
    content_type: attachment.content_type
  }
end

Class: Lockbox::Utils

Class Method Summary collapse

Class Method Details

.build_box(context, options, table, attribute) ⇒ Object

.decode_key(key, size: 32, name: "Key") ⇒ Object

.decrypt_result(record, name, options, result) ⇒ Object

.encrypt_attachable(record, name, attachable) ⇒ Object

.encrypted?(record, name) ⇒ Boolean

.encrypted_options(record, name) ⇒ Object

.rebuild_attachable(attachment) ⇒ Object

.build_box(context, options, table, attribute) ⇒ `Object`

.decode_key(key, size: 32, name: "Key") ⇒ `Object`

.decrypt_result(record, name, options, result) ⇒ `Object`

.encrypt_attachable(record, name, attachable) ⇒ `Object`

.encrypted?(record, name) ⇒ `Boolean`

.encrypted_options(record, name) ⇒ `Object`

.rebuild_attachable(attachment) ⇒ `Object`