spec/integration/rails_spec.rb in vault-rails-0.6.0 vs spec/integration/rails_spec.rb in vault-rails-0.7.0
- old
+ new
@@ -40,43 +40,53 @@
expect(person.ssn_was).to eq("123-45-6789")
end
it "allows attributes to be unset" do
person = Person.create!(ssn: "123-45-6789")
- person.update_attributes!(ssn: nil)
+ person.update!(ssn: nil)
person.reload
expect(person.ssn).to be(nil)
end
+ it "allows dirty attributes to be unset" do
+ person = Person.create!(ssn: "123-45-6789")
+ person.ssn = nil
+ expect(person.ssn).to be_nil
+
+ person2 = Person.create!(ssn: "123-45-6789")
+ person2.assign_attributes(ssn: nil)
+ expect(person2.ssn).to be_nil
+ end
+
it "allows saving without validations" do
person = Person.new(ssn: "123-456-7890")
person.save(validate: false)
expect(person.ssn_encrypted).to match("vault:")
end
it "allows attributes to be unset after reload" do
person = Person.create!(ssn: "123-45-6789")
person.reload
- person.update_attributes!(ssn: nil)
+ person.update!(ssn: nil)
person.reload
expect(person.ssn).to be(nil)
end
it "allows attributes to be blank" do
person = Person.create!(ssn: "123-45-6789")
- person.update_attributes!(ssn: "")
+ person.update!(ssn: "")
person.reload
expect(person.ssn).to eq("")
expect(person.ssn_encrypted).to eq("")
end
it "allows attributes to be null" do
person = Person.create!(ssn: "123-45-6789")
- person.update_attributes!(ssn: nil)
+ person.update!(ssn: nil)
person.reload
expect(person.ssn).to eq(nil)
expect(person.ssn_encrypted).to eq(nil)
end
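Review bot: The added example "allows dirty attributes to be unset" asserts only the in-memory getter after `person.ssn = nil` and `assign_attributes(ssn: nil)`, so it never checks that the stored ciphertext is cleared once the record is saved. A regression that leaves the previous `ssn_encrypted` value in the row after an unset would still pass. Consider finishing each half with `person.save!` followed by `expect(person.reload.ssn_encrypted).to be_nil`, mirroring the persisted check in "allows attributes to be null" further down this hunk. The same gap applies to the LazyPerson copy of this example in the `@@ -138,38 +160,55 @@` hunk.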
@@ -95,10 +105,22 @@
expect(Vault::Rails).to_not receive(:encrypt)
person.name = "Cinderella"
person.save!
end
+
+ it "does not register a Vault attribute as necessarily being backed by a column" do
+ expect(Person.attribute_names).to include("ssn")
+ expect(Person.column_names).not_to include("ssn")
+ end
+
+ it "does not reload encrypted attributes on destroy" do
+ person = Person.create!(ssn: "123-45-6789")
+
+ expect(Vault::Rails).to_not receive(:decrypt)
+ person.destroy
+ end
end
context "lazy decrypt" do
before(:all) do
Vault::Rails.logical.write("transit/keys/dummy_people_ssn")
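Review bot: In "does not reload encrypted attributes on destroy" the result of `person.destroy` is discarded, so the example also passes when a callback halts the destroy and no row is removed. Use `person.destroy!`, or assert `expect(person.destroy).to be_truthy` and `expect(person).to be_destroyed`, so the no-decrypt expectation is tied to a destroy that actually ran. The enclosing context opens before this hunk.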
@@ -138,38 +160,55 @@
person.ssn = "111-11-1111"
expect(person.ssn_changed?).to be(true)
expect(person.ssn_change).to eq(["123-45-6789", "111-11-1111"])
expect(person.ssn_was).to eq("123-45-6789")
+
+ person.assign_attributes(ssn: "222-22-2222")
+
+ expect(person.ssn_changed?).to be(true)
+ expect(person.ssn_change).to eq(["123-45-6789", "222-22-2222"])
+ expect(person.ssn_was).to eq("123-45-6789")
end
it "allows attributes to be unset" do
person = LazyPerson.create!(ssn: "123-45-6789")
- person.update_attributes!(ssn: nil)
+ person.update!(ssn: nil)
person.reload
expect(person.ssn).to be(nil)
end
+ it "allows dirty attributes to be unset" do
+ person = LazyPerson.create!(ssn: "123-45-6789")
+ person.ssn = nil
+ expect(person.ssn).to be_nil
+
+ person2 = LazyPerson.create!(ssn: "123-45-6789")
+ person2.assign_attributes(ssn: nil)
+ expect(person2.ssn).to be_nil
+ end
+
+
it "allows saving without validations" do
person = LazyPerson.new(ssn: "123-456-7890")
expect(person.save(validate: false)).to be(true)
expect(person.ssn_encrypted).to match("vault:")
end
it "allows attributes to be unset after reload" do
person = LazyPerson.create!(ssn: "123-45-6789")
person.reload
- person.update_attributes!(ssn: nil)
+ person.update!(ssn: nil)
person.reload
expect(person.ssn).to be(nil)
end
it "allows attributes to be blank" do
person = LazyPerson.create!(ssn: "123-45-6789")
- person.update_attributes!(ssn: "")
+ person.update!(ssn: "")
person.reload
expect(person.ssn).to eq("")
end
@@ -188,10 +227,17 @@
expect(Vault::Rails).to_not receive(:encrypt)
person.name = "Cinderella"
person.save!
end
+
+ it "allows attributes to be accessed after a destroy" do
+ person = LazyPerson.create!(ssn: "123-45-6789")
+
+ person.destroy
+ expect { person.ssn }.not_to raise_error
+ end
end
context "lazy single decrypt" do
before(:all) do
Vault::Rails.logical.write("transit/keys/dummy_people_ssn")
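Review bot: The example "allows attributes to be accessed after a destroy" reads `ssn` on the same instance that was just created with the plaintext, so the getter presumably never has to decrypt lazily, and `not_to raise_error` accepts any return value, including a wrong one. Loading a fresh record before destroying it would exercise the lazy path on a destroyed object and pin the value: `found = LazyPerson.find(person.id)`, `found.destroy`, `expect(found.ssn).to eq("123-45-6789")`. The enclosing context starts outside the hunk, so confirm the model setup against the full file.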
@@ -222,11 +268,11 @@
expect(p2.ssn).to eq("123-45-6789")
end
it "does not decrypt all attributes on single read" do
person = LazySinglePerson.create!(ssn: "123-45-6789")
- person.update_attributes!(credit_card: "abcd-efgh-hijk-lmno")
+ person.update!(credit_card: "abcd-efgh-hijk-lmno")
expect(person.credit_card).to eq("abcd-efgh-hijk-lmno")
person.reload
p2 = LazySinglePerson.find(person.id)
@@ -237,11 +283,11 @@
expect(p2.credit_card).to eq("abcd-efgh-hijk-lmno")
end
it "does not decrypt all attributes on single write" do
person = LazySinglePerson.create!(ssn: "123-45-6789")
- person.update_attributes!(credit_card: "abcd-efgh-hijk-lmno")
+ person.update!(credit_card: "abcd-efgh-hijk-lmno")
expect(person.credit_card).to eq("abcd-efgh-hijk-lmno")
person.reload
p2 = LazySinglePerson.find(person.id)
@@ -267,11 +313,11 @@
expect(person.ssn_was).to eq("123-45-6789")
end
it "allows attributes to be unset" do
person = LazySinglePerson.create!(ssn: "123-45-6789")
- person.update_attributes!(ssn: nil)
+ person.update!(ssn: nil)
person.reload
expect(person.ssn).to be(nil)
end
@@ -282,19 +328,19 @@
end
it "allows attributes to be unset after reload" do
person = LazySinglePerson.create!(ssn: "123-45-6789")
person.reload
- person.update_attributes!(ssn: nil)
+ person.update!(ssn: nil)
person.reload
expect(person.ssn).to be(nil)
end
it "allows attributes to be blank" do
person = LazySinglePerson.create!(ssn: "123-45-6789")
- person.update_attributes!(ssn: "")
+ person.update!(ssn: "")
person.reload
expect(person.ssn).to eq("")
end
@@ -313,10 +359,17 @@
expect(Vault::Rails).to_not receive(:encrypt)
person.name = "Cinderella"
person.save!
end
+
+ it "allows attributes to be accessed after a destroy" do
+ person = LazyPerson.create!(ssn: "123-45-6789")
+
+ person.destroy
+ expect { person.ssn }.not_to raise_error
+ end
end
context "with custom options" do
before(:all) do
Vault::Rails.sys.mount("credit-secrets", :transit)
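Review bot: The added example builds a `LazyPerson`, but this hunk appears to close the "lazy single decrypt" context, whose other examples use `LazySinglePerson`. As written, the single-decrypt model gets no post-destroy coverage and the example duplicates the one added to the lazy decrypt context. Change the setup line to `person = LazySinglePerson.create!(ssn: "123-45-6789")`. The context opens outside this hunk, so verify the placement against the full file.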
@@ -351,19 +404,19 @@
expect(person.credit_card_was).to eq("1234567890111213")
end
it "allows attributes to be unset" do
person = Person.create!(credit_card: "1234567890111213")
- person.update_attributes!(credit_card: nil)
+ person.update!(credit_card: nil)
person.reload
expect(person.credit_card).to be(nil)
end
it "allows attributes to be blank" do
person = Person.create!(credit_card: "1234567890111213")
- person.update_attributes!(credit_card: "")
+ person.update!(credit_card: "")
person.reload
expect(person.credit_card).to eq("")
end
end
@@ -402,19 +455,19 @@
expect(person.non_ascii_was).to eq("dás ümlaut")
end
it "allows attributes to be unset" do
person = Person.create!(non_ascii: "dás ümlaut")
- person.update_attributes!(non_ascii: nil)
+ person.update!(non_ascii: nil)
person.reload
expect(person.non_ascii).to be(nil)
end
it "allows attributes to be blank" do
person = Person.create!(non_ascii: "dás ümlaut")
- person.update_attributes!(non_ascii: "")
+ person.update!(non_ascii: "")
person.reload
expect(person.non_ascii).to eq("")
end
end
@@ -623,9 +676,49 @@
expect {
Vault::Rails.decrypt(
"transit", "dummy_people_context_proc",
person.context_proc_encrypted)
}.to raise_error(Vault::HTTPClientError, /context/)
+ end
+ end
+
+ context 'with transform_secret', ent_vault: ">= 1.4" do
+ before(:all) do
+ Vault::Rails.sys.mount("transform", :transform)
+ Vault::Rails.client.transform.create_transformation(
+ "social_sec",
+ template: "builtin/socialsecuritynumber",
+ tweak_source: "internal",
+ type: "fpe",
+ allowed_roles: [Vault::Rails.application]
+ )
+ Vault::Rails.client.transform.create_role(Vault::Rails.application, transformations: ["social_sec"])
+ Vault::Rails.client.transform.create_role("foobar_role", transformations: ["social_sec"])
+ end
+
+ it "encrypts the attribute using the given transformation" do
+ person = Person.create!(transform_ssn: "123-45-6789")
+ expect(person[:transform_ssn_encrypted]).not_to eq("123-45-6789")
+ expect(person[:transform_ssn_encrypted]).to match(/\d{3}-\d{2}-\d{4}/)
+ expect(person.transform_ssn).to eq("123-45-6789")
+ end
+
+ it "raises an error if the format is incorrect" do
+ expect{ Person.create!(transform_ssn: "1234-5678-90") }.to(
+ raise_error(Vault::HTTPClientError, /unable to find matching expression/)
+ )
+ end
+
+ it "raises an error if the transformation does not exist" do
+ expect{ Person.create!(bad_transform: "nope") }.to(
+ raise_error(Vault::HTTPClientError, /unable to find transformation/)
+ )
+ end
+
+ it "raises an error if the provided role doesn't have the ability to use the transformation" do
+ expect{ Person.create!(bad_role_transform: "123-45-6789") }.to(
+ raise_error(Vault::HTTPClientError, /is not an allowed role for the transformation/)
+ )
end
end
context 'with errors' do
it 'raises the appropriate exception' do
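Review bot: The format assertion in "encrypts the attribute using the given transformation" uses an unanchored pattern, so a stored value that merely contains an SSN-shaped substring would pass. For a format-preserving transformation the whole value should match: `expect(person[:transform_ssn_encrypted]).to match(/\A\d{3}-\d{2}-\d{4}\z/)`. Separately, the `before(:all)` block mounts the transform engine and creates two roles with no `after(:all)` in this context, so that state outlives the examples. Consider unmounting there, or add a comment stating that the Vault test server is disposable.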