f78a480818
This implements several changes to encourage deterministic encryption to remain unchanged. The main motivation is letting you define unique indexes on deterministically-encrypted columns:

- By default, deterministic encryption will always use the oldest encryption scheme to encrypt new data, when there are many.
- You can skip this default behavior and make it always use the current encryption scheme with:

```ruby
deterministic: { fixed: false } # using this should be a rare need
```

- Deterministic encryption still supports previous encryption schemes normally. So they will be used to add additional values to queries, for example.
- You can't rotate deterministic encryption keys anymore. We can add support for that in the future.

This makes for reasonable defaults:

- People using "deterministic: true" will get unique indexes working out of the box.
- The system will encourage keeping deterministic encryption stable:
  - By always using oldest encryption schemes
  - By forbidding configuring multiple keys

But you can still opt-out of the default if you need to.
# frozen_string_literal: true
require "cases/encryption/helper"
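# Unit tests for ActiveRecord::Encryption::Message: header assignment,
# the write-once rule for headers, and payload type validation.
class ActiveRecord::Encryption::MessageTest < ActiveRecord::EncryptionTestCase
  test "add_header lets you add headers" do
    message = ActiveRecord::Encryption::Message.new
    message.headers[:header_1] = "value 1"

    assert_equal "value 1", message.headers[:header_1]
  end

  test "add_headers lets you add multiple headers" do
    message = ActiveRecord::Encryption::Message.new
    message.headers.add(header_1: "value 1", header_2: "value 2")
    assert_equal "value 1", message.headers[:header_1]
    assert_equal "value 2", message.headers[:header_2]
  end

  # Headers are write-once: a second write to an existing key must raise
  # EncryptedContentIntegrity rather than replace the stored value.
  test "headers can't be overridden" do
    message = ActiveRecord::Encryption::Message.new
    message.headers.add(header_1: "value 1")

    assert_raises(ActiveRecord::Encryption::Errors::EncryptedContentIntegrity) do
      message.headers.add(header_1: "value 1")
    end

    # The original repeated the #add call verbatim here. Exercise the direct
    # []= writer with a different value instead, so both write paths are
    # covered and an actual override attempt is what gets rejected.
    assert_raises(ActiveRecord::Encryption::Errors::EncryptedContentIntegrity) do
      message.headers[:header_1] = "value 2"
    end

    # The rejected writes must leave the first value in place.
    assert_equal "value 1", message.headers[:header_1]
  end

  test "validates that payloads are either nil or strings" do
    # One assert_raises per forbidden payload: with both constructors in a
    # single block the first raise ends the block, so the Array case would
    # never run and could regress unnoticed.
    [Date.new, []].each do |forbidden_payload|
      assert_raises ActiveRecord::Encryption::Errors::ForbiddenClass do
        ActiveRecord::Encryption::Message.new(payload: forbidden_payload)
      end
    end

    # A missing payload and String payloads (including the empty string) are accepted.
    assert_nothing_raised do
      ActiveRecord::Encryption::Message.new
      ActiveRecord::Encryption::Message.new(payload: "")
      ActiveRecord::Encryption::Message.new(payload: "Some payload")
    end
  end
end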